Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config security waf web-attack-signature

Use this command to configure web attack signature policies. The attack signature policy includes rules to enable scanning of HTTP headers and HTTP body content in HTTP requests, HTTP responses, or both.

Table 17 describes the predefined policies. You can select the predefined policies in your WAF profiles, or you can create policies that enable a different set of scan classes or a different action. In this release, you cannot exclude individual signatures or create custom signatures. You can enable or disable the scan classes.

Web Attack Signature predefined policies

Policy Status Action

High-Level-Security

  • Scan HTTP header—Enabled.
  • Scan HTTP Request Body—Enabled.
  • Scan HTTP Response Body—Disabled.
  • High Severity Action—Deny.
  • Medium Severity Action—Deny.
  • Low Severity Action—Alert.

Medium-Level-Security

  • Scan HTTP header—Enabled.
  • Scan HTTP Request Body—Enabled.
  • Scan HTTP Response Body—Disabled.
  • High Severity Action—Deny.
  • Medium Severity Action—Alert.
  • Low Severity Action—Alert.

Alert-Only

  • Scan HTTP header—Enabled.
  • Scan HTTP Request Body—Disabled.
  • Scan HTTP Response Body—Disabled.
  • High Severity Action—Alert.
  • Medium Severity Action—Alert.
  • Low Severity Action—Alert.

Before you begin:

  • You must have read-write permission for security settings.

After you have created a web attack signature policy, you can specify it in a WAF profile configuration.

Syntax

config security waf web-attack-signature

edit <name>

set exception <datasource>

set high-severity-action {datasource}

set request-body-detection {enable|disable}

set response-body-detection {enable|disable}

set medium-severity-action {datasource}

set low-severity-action {datasource}

set body-length-limit <integer>

set body-type-limit <string>

config category

edit <category-id>

set action [ alert | deny | block | silent-deny ]

set status [ enable | disable ]

end

config sub-category

edit <sub-category-id>

set status {enable|disable}

next

end

config signature

edit <datasource>

set status

set exception

next

end

next

end

exception

Specify an exception configuration object.

request-body-detection

Enable/disable scanning against HTTP request body signatures.

response-body-detection

Enable/disable against HTTP response body signatures.

high-severity-action

Specify a WAF action object.

medium-severity-action

Specify a WAF action object.

low-severity-action

Specify a WAF action object.

body-length-limit

Integer input. HTTP request/response body length limitation, in bytes. Default 1024, range 0-1048576.

Can only be enabled when request-body-detection or response-body-detection is enabled.

body-type-limit

String input. HTTP request/response body type limitation, reserved “default” provides default limits, “all” means no limit. More than one custom Content-Type is separated by ‘;’, total maximum length is 1024.

Can only be enabled when request-body-detection or response-body-detection is enabled.

config signature

status

Enable/disable the signature.

exception

Specify an exception configuration object.

config category

 

status

Enable/disable the category status.

action

Specify an action configuration object.

config sub-category

 

status

Enable/disable the sub-category status.

Example

FortiADC-VM # get security waf web-attack-signature High-Level-Security

status : enable

request-body-detection : enable

response-body-detection : disable

high-severity-action : deny

medium-severity-action : deny

low-severity-action : alert

exception: 

 

FortiADC-VM # get security waf web-attack-signature Medium-Level-Security

status : enable

request-body-detection : enable

response-body-detection : disable

high-severity-action : deny

medium-severity-action : alert

low-severity-action : alert

exception: 

 

FortiADC-VM # get security waf web-attack-signature Alert-Only

status : enable

request-body-detection : disable

response-body-detection : disable

high-severity-action : alert

medium-severity-action : alert

low-severity-action : alert

exception: 

 

FortiADC-docs # config security waf web-attack-signature

FortiADC-docs (web-attack-sig~a) # edit eval

FortiADC-docs (eval) # config signature

FortiADC-docs (signature) # edit 1002010728

FortiADC-docs (1002010728) # get

status : enable

description :

exception :

FortiADC-docs (1002010728) # set status disable

FortiADC-docs (1002010728) # set description "investigate false positive"

FortiADC-docs (1002010728) # end

FortiADC-docs (eval)# config category

FortiADC-docs (category)# edit 1

FortiADC-docs (1)# set action alert

FortiADC-docs (1)# set status enable

FortiADC-docs (1)# end

config security waf web-attack-signature

Use this command to configure web attack signature policies. The attack signature policy includes rules to enable scanning of HTTP headers and HTTP body content in HTTP requests, HTTP responses, or both.

Table 17 describes the predefined policies. You can select the predefined policies in your WAF profiles, or you can create policies that enable a different set of scan classes or a different action. In this release, you cannot exclude individual signatures or create custom signatures. You can enable or disable the scan classes.

Web Attack Signature predefined policies

Policy Status Action

High-Level-Security

  • Scan HTTP header—Enabled.
  • Scan HTTP Request Body—Enabled.
  • Scan HTTP Response Body—Disabled.
  • High Severity Action—Deny.
  • Medium Severity Action—Deny.
  • Low Severity Action—Alert.

Medium-Level-Security

  • Scan HTTP header—Enabled.
  • Scan HTTP Request Body—Enabled.
  • Scan HTTP Response Body—Disabled.
  • High Severity Action—Deny.
  • Medium Severity Action—Alert.
  • Low Severity Action—Alert.

Alert-Only

  • Scan HTTP header—Enabled.
  • Scan HTTP Request Body—Disabled.
  • Scan HTTP Response Body—Disabled.
  • High Severity Action—Alert.
  • Medium Severity Action—Alert.
  • Low Severity Action—Alert.

Before you begin:

  • You must have read-write permission for security settings.

After you have created a web attack signature policy, you can specify it in a WAF profile configuration.

Syntax

config security waf web-attack-signature

edit <name>

set exception <datasource>

set high-severity-action {datasource}

set request-body-detection {enable|disable}

set response-body-detection {enable|disable}

set medium-severity-action {datasource}

set low-severity-action {datasource}

set body-length-limit <integer>

set body-type-limit <string>

config category

edit <category-id>

set action [ alert | deny | block | silent-deny ]

set status [ enable | disable ]

end

config sub-category

edit <sub-category-id>

set status {enable|disable}

next

end

config signature

edit <datasource>

set status

set exception

next

end

next

end

exception

Specify an exception configuration object.

request-body-detection

Enable/disable scanning against HTTP request body signatures.

response-body-detection

Enable/disable against HTTP response body signatures.

high-severity-action

Specify a WAF action object.

medium-severity-action

Specify a WAF action object.

low-severity-action

Specify a WAF action object.

body-length-limit

Integer input. HTTP request/response body length limitation, in bytes. Default 1024, range 0-1048576.

Can only be enabled when request-body-detection or response-body-detection is enabled.

body-type-limit

String input. HTTP request/response body type limitation, reserved “default” provides default limits, “all” means no limit. More than one custom Content-Type is separated by ‘;’, total maximum length is 1024.

Can only be enabled when request-body-detection or response-body-detection is enabled.

config signature

status

Enable/disable the signature.

exception

Specify an exception configuration object.

config category

 

status

Enable/disable the category status.

action

Specify an action configuration object.

config sub-category

 

status

Enable/disable the sub-category status.

Example

FortiADC-VM # get security waf web-attack-signature High-Level-Security

status : enable

request-body-detection : enable

response-body-detection : disable

high-severity-action : deny

medium-severity-action : deny

low-severity-action : alert

exception: 

 

FortiADC-VM # get security waf web-attack-signature Medium-Level-Security

status : enable

request-body-detection : enable

response-body-detection : disable

high-severity-action : deny

medium-severity-action : alert

low-severity-action : alert

exception: 

 

FortiADC-VM # get security waf web-attack-signature Alert-Only

status : enable

request-body-detection : disable

response-body-detection : disable

high-severity-action : alert

medium-severity-action : alert

low-severity-action : alert

exception: 

 

FortiADC-docs # config security waf web-attack-signature

FortiADC-docs (web-attack-sig~a) # edit eval

FortiADC-docs (eval) # config signature

FortiADC-docs (signature) # edit 1002010728

FortiADC-docs (1002010728) # get

status : enable

description :

exception :

FortiADC-docs (1002010728) # set status disable

FortiADC-docs (1002010728) # set description "investigate false positive"

FortiADC-docs (1002010728) # end

FortiADC-docs (eval)# config category

FortiADC-docs (category)# edit 1

FortiADC-docs (1)# set action alert

FortiADC-docs (1)# set status enable

FortiADC-docs (1)# end