Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config security waf heuristic-sql-xss-injection-detection

Use this command to configure SQL injection and cross-site scripting (XSS) detection policies.

In many cases, you can use predefined policies, and you do not need to create them. Table 14 describes the predefined policies.

Predefined SQL injection and XSS detection policies

  SQL Injection XSS
Predefined Rules Detection Action Severity Detection Action Severity

High-Level-Security

All except Body SQL Injection Detection

Deny

High

All except Body XSS Injection Detection

Deny

High

Medium-Level-Security

Only SQL URI SQL Injection Detection

Deny

High

None

Alert

Low

Alert-Only

Only SQL URI SQL Injection Detection

Alert

High

None

Alert

Low

The configurations for these policies are shown in the examples that follow. If desired, you can create user-defined policies.

Before you begin:

  • You must have read-write permission for security settings.

After you have created an SQL injection/XSS policy, you can specify it in a WAF profile configuration.

Syntax

config security waf heuristic-sql-xss-injection-detection

edit <name>

set exception <datasource>

set sql-injection-detection {enable|disable}

set sql-injection-detection-exception <datasource>

set sql-injection-action {datasource}

set sql-injection-severity {high|medium|low}

set uri-sql-injection-detection {enable|disable}

set referer-sql-injection-detection {enable|disable}

set cookie-sql-injection-detection {enable|disable}

set body-sql-injection-detection {enable|disable}

set xss-detection {enable|disable}

set xss-exception <datasource>

set xss-action {datasource}

set xss-severity {high|medium|low}

set uri-xss-detection {enable|disable}

set referer-xss-detection {enable|disable}

set cookie-xss-detection {enable|disable}

set body-xss-detection {enable|disable}

next

end

exception

Specify an exception configuration object for all modules.

sql-injection-detection

Enable/disable SQL injection detection.

sql-injection-detection-exception

Specify an exception configuration object for the SQL module.

sql-injection-action

Specify a WAF action object.

sql-injection-severity

  • high
  • medium
  • low

uri-sql-injection-detection

Enable/disable detection in the HTTP request.

referer-sql-injection-detection

Enable/disable detection in the Referer header.

cookie-sql-injection-detection

Enable/disable detection in the Cookie header.

body-sql-injection-detection

Enable/disable detection in the HTTP Body message.

xss-detection

Enable/disable XSS detection.

xss-exception

Specify an exception configuration object for the XSS module.

xss-action

Specify a WAF action object.

xss-severity

  • high
  • medium
  • low

uri-xss-injection-detection

Enable/disable detection in the HTTP request.

referer-xss-injection-detection

Enable/disable detection in the Referer header.

cookie-xss-injection-detection

Enable/disable detection in the Cookie header.

body-xss-injection-detection

Enable/disable detection in the HTTP Body message.

Example

FortiADC-docs # get security waf heuristic-sql-xss-injection-detection High-Level-Security

sql-injection-detection : enable

sql-injection-action : deny

sql-injection-severity : high

uri-sql-injection-detection : enable

referer-sql-injection-detection: enable

cookie-sql-injection-detection: enable

body-sql-injection-detection : disable

xss-detection : enable

xss-action : deny

xss-severity : high

uri-xss-detection : enable

referer-xss-detection : enable

cookie-xss-detection : enable

body-xss-detection : disable

sql-injection-detection-exception:

xss-exception :

exception :

 

FortiADC-docs # get security waf heuristic-sql-xss-injection-detection Medium-Level-Security

sql-injection-detection : enable

sql-injection-action : deny

sql-injection-severity : high

uri-sql-injection-detection : enable

referer-sql-injection-detection: disable

cookie-sql-injection-detection: disable

body-sql-injection-detection : disable

xss-detection : disable

xss-action : alert

xss-severity : low

sql-injection-detection-exception:

exception :

FortiADC-docs # get security waf heuristic-sql-xss-injection-detection Alert-Only

sql-injection-detection : enable

sql-injection-action : alert

sql-injection-severity : high

uri-sql-injection-detection : enable

referer-sql-injection-detection: disable

cookie-sql-injection-detection: disable

body-sql-injection-detection : disable

xss-detection : disable

xss-action : alert

xss-severity : low

sql-injection-detection-exception:

exception :

config security waf heuristic-sql-xss-injection-detection

Use this command to configure SQL injection and cross-site scripting (XSS) detection policies.

In many cases, you can use predefined policies, and you do not need to create them. Table 14 describes the predefined policies.

Predefined SQL injection and XSS detection policies

  SQL Injection XSS
Predefined Rules Detection Action Severity Detection Action Severity

High-Level-Security

All except Body SQL Injection Detection

Deny

High

All except Body XSS Injection Detection

Deny

High

Medium-Level-Security

Only SQL URI SQL Injection Detection

Deny

High

None

Alert

Low

Alert-Only

Only SQL URI SQL Injection Detection

Alert

High

None

Alert

Low

The configurations for these policies are shown in the examples that follow. If desired, you can create user-defined policies.

Before you begin:

  • You must have read-write permission for security settings.

After you have created an SQL injection/XSS policy, you can specify it in a WAF profile configuration.

Syntax

config security waf heuristic-sql-xss-injection-detection

edit <name>

set exception <datasource>

set sql-injection-detection {enable|disable}

set sql-injection-detection-exception <datasource>

set sql-injection-action {datasource}

set sql-injection-severity {high|medium|low}

set uri-sql-injection-detection {enable|disable}

set referer-sql-injection-detection {enable|disable}

set cookie-sql-injection-detection {enable|disable}

set body-sql-injection-detection {enable|disable}

set xss-detection {enable|disable}

set xss-exception <datasource>

set xss-action {datasource}

set xss-severity {high|medium|low}

set uri-xss-detection {enable|disable}

set referer-xss-detection {enable|disable}

set cookie-xss-detection {enable|disable}

set body-xss-detection {enable|disable}

next

end

exception

Specify an exception configuration object for all modules.

sql-injection-detection

Enable/disable SQL injection detection.

sql-injection-detection-exception

Specify an exception configuration object for the SQL module.

sql-injection-action

Specify a WAF action object.

sql-injection-severity

  • high
  • medium
  • low

uri-sql-injection-detection

Enable/disable detection in the HTTP request.

referer-sql-injection-detection

Enable/disable detection in the Referer header.

cookie-sql-injection-detection

Enable/disable detection in the Cookie header.

body-sql-injection-detection

Enable/disable detection in the HTTP Body message.

xss-detection

Enable/disable XSS detection.

xss-exception

Specify an exception configuration object for the XSS module.

xss-action

Specify a WAF action object.

xss-severity

  • high
  • medium
  • low

uri-xss-injection-detection

Enable/disable detection in the HTTP request.

referer-xss-injection-detection

Enable/disable detection in the Referer header.

cookie-xss-injection-detection

Enable/disable detection in the Cookie header.

body-xss-injection-detection

Enable/disable detection in the HTTP Body message.

Example

FortiADC-docs # get security waf heuristic-sql-xss-injection-detection High-Level-Security

sql-injection-detection : enable

sql-injection-action : deny

sql-injection-severity : high

uri-sql-injection-detection : enable

referer-sql-injection-detection: enable

cookie-sql-injection-detection: enable

body-sql-injection-detection : disable

xss-detection : enable

xss-action : deny

xss-severity : high

uri-xss-detection : enable

referer-xss-detection : enable

cookie-xss-detection : enable

body-xss-detection : disable

sql-injection-detection-exception:

xss-exception :

exception :

 

FortiADC-docs # get security waf heuristic-sql-xss-injection-detection Medium-Level-Security

sql-injection-detection : enable

sql-injection-action : deny

sql-injection-severity : high

uri-sql-injection-detection : enable

referer-sql-injection-detection: disable

cookie-sql-injection-detection: disable

body-sql-injection-detection : disable

xss-detection : disable

xss-action : alert

xss-severity : low

sql-injection-detection-exception:

exception :

FortiADC-docs # get security waf heuristic-sql-xss-injection-detection Alert-Only

sql-injection-detection : enable

sql-injection-action : alert

sql-injection-severity : high

uri-sql-injection-detection : enable

referer-sql-injection-detection: disable

cookie-sql-injection-detection: disable

body-sql-injection-detection : disable

xss-detection : disable

xss-action : alert

xss-severity : low

sql-injection-detection-exception:

exception :