Fortinet Document Library


CLI Reference

config security waf json-validation-detection

Use this command to set JSON validation detection.

Note: This command only checks HTTP requests whose Content-Type is application/json.

Predefined WAF profiles

The predefined WAF profiles use the following required settings for JSON validation detection:

High-Level-Security
  • format-checks — enable
  • xss-checks — enable
  • sql-injection-checks — enable
  • severity — high
  • action — deny

Medium-Level-Security
  • format-checks — enable
  • xss-checks — enable
  • sql-injection-checks — enable
  • severity — medium
  • action — alert

Alert-Only
  • format-checks — enable
  • xss-checks — disable
  • sql-injection-checks — disable
  • severity — low
  • action — alert

Syntax

config security waf json-validation-detection
  edit <name>
    set format-checks enable/disable
    set limit-checks enable/disable
    set limit-max-array-value-num <0-4096>
    set limit-max-depth-num <0-4096>
    set limit-max-object-num <0-4096>
    set limit-max-string-len <0-4096>
    set xss-checks enable/disable
    set sql-injection-checks enable/disable
    set exception <datasource>
    set severity low/medium/high
    set action <datasource>
    set schema-checks enable/disable
    set json-schema-id <datasource>
  next
end

name

Specify the name of the JSON detection profile.

format-checks

Enable or disable JSON format checks, which are security checks for incoming HTTP requests to determine whether they are well-formed.

Note: If enabled, you must specify FortiADC response actions to malformed HTTP requests, as discussed below.

limit-checks

Enable or disable parsing limits, which protect web servers from attacks such as DDoS attacks that rely on oversized or deeply nested JSON bodies.

Note: If enabled, you must change the configuration for the following parameters:

  • Limit max array value
  • Limit max depth
  • Limit max object member
  • Limit max string

limit-max-array-value-num

Specify the maximum number of values within a single array. The default value is 256. Valid values range from 0 to 4,096.

Note: This option is available only when JSON limit-checks is enabled.

limit-max-depth-num

Specify the maximum depth in a JSON value. The default value is 16. Valid values range from 0 to 4,096.

Note: This option is available only when JSON limit-checks is enabled.

limit-max-object-num

Specify the maximum number of members in a JSON object. The default value is 64. Valid values range from 0 to 4,096.

Note: This option is available only when JSON limit-checks is enabled.

limit-max-string-len

Specify the maximum length of a string in a JSON request for a name or a value. The default value is 64. Valid values range from 0 to 4,096.

Note: This option is available only when JSON limit-checks is enabled.
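As an added illustration (not Fortinet code), the following Python models the format check and the four parsing limits described above: it parses a request body, reports every limit the body violates, and maps a finding to the severity and action of the predefined profiles listed earlier. The dictionary key names, violation messages and sample bodies are this example's own; the XSS, SQL injection and schema checks are not modeled, and because the body is parsed fully before it is walked, the code illustrates the checks rather than protecting the parser itself.

```python
import json

# Parsing limits mirroring the page's documented defaults (the key names are
# this example's own, not FortiADC option names).
DEFAULT_LIMITS = {"max_array_values": 256, "max_depth": 16,
                  "max_object_members": 64, "max_string_len": 64}

# Severity and action of the three predefined profiles, as listed on the page.
PREDEFINED_PROFILES = {"High-Level-Security": ("high", "deny"),
                       "Medium-Level-Security": ("medium", "alert"),
                       "Alert-Only": ("low", "alert")}


def check_json_body(body, limits=DEFAULT_LIMITS):
    """Return the format/limit violations found in an application/json body."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"format: malformed JSON ({exc.msg})"]
    violations = []

    def walk(node, depth):
        if isinstance(node, str):
            if len(node) > limits["max_string_len"]:
                violations.append(f"limit: string length {len(node)} > {limits['max_string_len']}")
            return
        if not isinstance(node, (dict, list)):
            return  # numbers, booleans and null carry no limit
        if depth > limits["max_depth"]:
            violations.append(f"limit: nesting depth {depth} > {limits['max_depth']}")
            return  # stop here; deeper levels would only repeat the finding
        if isinstance(node, dict):
            if len(node) > limits["max_object_members"]:
                violations.append(f"limit: object members {len(node)} > {limits['max_object_members']}")
            for key, value in node.items():
                walk(key, depth)  # member names are strings, so the string limit applies
                walk(value, depth + 1)
        else:
            if len(node) > limits["max_array_values"]:
                violations.append(f"limit: array values {len(node)} > {limits['max_array_values']}")
            for item in node:
                walk(item, depth + 1)

    walk(doc, 1)  # the root container is nesting depth 1
    return violations


def decide(body, profile="High-Level-Security", limits=DEFAULT_LIMITS):
    """Return (severity, action) for a body under a predefined profile, or None if clean."""
    return PREDEFINED_PROFILES[profile] if check_json_body(body, limits) else None
```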

xss-checks

Enable to examine the bodies of incoming JSON requests that might indicate possible cross-site scripting attacks.

Note: If the request contains a positive match, FortiADC responds with the specified action (see action below).

sql-injection-checks

Enable to examine the bodies of incoming requests for inappropriate SQL characters and keywords, which may indicate an SQL injection attack.

Note: If the request contains a positive match, FortiADC responds with the specified action (see action below).

exception

Optional. Select the exception profile to be applied to the JSON detection profile.

severity

Set the severity level in WAF logs for potential attacks detected by the JSON detection profile by selecting one of the following:

  • High
  • Medium
  • Low

action

Specify the action that FortiADC takes upon detecting a potential attack. You can choose any configured WAF action object.

schema-checks

Enable or disable JSON schema validation detection.

Note: Before enabling JSON schema checks, you must upload the JSON schema file against which JSON content will be validated.

json-schema-id

Select the JSON schema file that you want to use.

Example

config security waf json-validation-detection
  edit "all"
    set format-checks enable
    set meta-os-checks disable
    set limit-checks enable
    set limit-max-array-value-num 1
    set limit-max-depth-num 0
    set limit-max-object-num 0
    set limit-max-string-len 0
    set xss-checks enable
    set sql-injection-checks enable
    unset exception
    set severity high
    set action alert
  next
end