Fortinet Document Library
CLI Reference

config security waf brute-force-login

Brute force attack detection policies limit repeated login attempts. If an HTTP client tries to log in to a server through FortiADC and fails too many times, the policy takes the configured action against it.

Syntax

    configure security waf brute-force-login
        edit <name>
            set description <string>
            set action <string>
            config login-page-member
                edit 1
                    set access-limit-ip <integer>
                    set request-url <regular expression string>
                    set login-failed-code <HTTP status code>
                    set host-status [ enable | disable ]
                    set host <regular expression string>
                next
            end
        next
    end

CLI specification

Each entry lists the CLI parameter with its help message, type, scope, default and whether it must be set.

description
    Help message: HTTP connection limit
    Type: string
    Default: Null
    Must: No

action
    Help message: The action taken when the limit is reached.
    Type: object
    Default: Null
    Must: Yes

access-limit-ip
    Help message: Login failed times limit
    Type: integer
    Scope: 1-65535
    Default: 1
    Must: No

request-url
    Help message: Type the URL that the HTTP request must match to be included in the brute force login attack's rate calculations.
    Type: string
    Scope: regular expression
    Default: Null
    Must: Yes

login-failed-code
    Help message: Response code used to judge whether the login failed.
    Type: integer
    Scope: 0-1000
    Default: 0
    Must: No

host-status
    Help message: Decides whether to match the host name.
    Type: choice
    Scope: enable | disable
    Default: disable
    Must: No

host
    Help message: Host name
    Type: string
    Scope: regular expression
    Default: Null
    Must: No

Each entry lists the CLI parameter with its visible condition, special value and effective condition.

description
    Visible condition: always visible
    Special value: N/A
    Effective condition: Work through the WAF framework

action
    Visible condition: always visible
    Special value: N/A

access-limit-ip
    Visible condition: always visible
    Special value: N/A

request-url
    Visible condition: always visible
    Special value: N/A

login-failed-code
    Visible condition: always visible
    Special value: 0 (do not match on the response status code)

host-status
    Visible condition: always visible
    Special value: N/A

host
    Visible condition: always visible
    Effective condition: host-status == enable

Function description

description
    Saves the description message.

action
    The protective action taken when a brute force attack is detected.

access-limit-ip
    When the number of failed logins from a source IP reaches this limit, FortiADC takes the configured action against that source IP.

request-url
    Identifies the login request. If login-failed-code is not set, a match on this URL alone is counted as a login failed event.

login-failed-code
    Identifies the login failed event by the HTTP response status code. If it is not set, request-url and host are used instead.

host-status
    Decides whether the Host field of the HTTP request takes part, together with request-url, in identifying the login request or the login failed event.

host
    After the URL matches, FortiADC also matches the Host field against this pattern.

Example

    configure security waf brute-force-login
        edit brute-login
            set description "brute-force-login detection"
            set action deny-action
            config login-page-member
                edit 1
                    set access-limit-ip 3
                    set request-url /login*
                    set login-failed-code 401
                    set host-status enable
                    set host www.xxx.com
                next
                edit 2
                    set access-limit-ip 5
                    set request-url /aaalogin*
                next
            end
        next
    end
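As an added illustration (not Fortinet's code and not a model of FortiADC's internals), the following Python mirrors the detection semantics described in the function description and instantiates the brute-login example above: a request is a login request when its path matches request-url (and, with host-status enabled, its Host header matches host); it is a login failure when the response carries login-failed-code, or, with login-failed-code 0, whenever the URL/Host match; failures are counted per source IP and the action fires when the count reaches access-limit-ip. Counting per (member, source IP) pair with no time window, search-anywhere regex matching and the action firing on the request that reaches the limit are assumptions of this example; the traffic records are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LoginPageMember:
    """One login-page-member entry with the parameters documented above."""
    access_limit_ip: int          # failed-login limit per source IP (scope 1-65535)
    request_url: str              # regular expression matched against the request path
    login_failed_code: int = 0    # HTTP status that marks a failure; 0 = do not match the status
    host_status: bool = False     # enable: the Host header must match as well
    host: str = ""                # regular expression for the Host header (used when host_status)

    def is_login_request(self, path, host_header):
        """request-url (and, when host-status is enabled, host) identify a login request.
        Assumption: patterns are searched anywhere in the path/Host, not anchored."""
        if not re.search(self.request_url, path):
            return False
        if self.host_status and not re.search(self.host, host_header):
            return False
        return True

    def is_login_failure(self, path, host_header, status):
        """A login request is a failure when its response status equals login-failed-code;
        with login-failed-code 0 the URL/Host match alone counts as a failure."""
        if not self.is_login_request(path, host_header):
            return False
        if self.login_failed_code == 0:
            return True
        return status == self.login_failed_code


@dataclass
class BruteForceLoginPolicy:
    name: str
    action: str                   # e.g. "deny-action" as in the CLI example above
    members: list
    # Assumption: failures are counted per (member index, source IP) with no time window.
    failures: dict = field(default_factory=lambda: defaultdict(int))

    def observe(self, src_ip, host_header, path, status):
        """Feed one request/response pair. Returns the policy action once the failure
        count for this source IP reaches the member's access-limit-ip, else None."""
        triggered = None
        for idx, member in enumerate(self.members):
            if member.is_login_failure(path, host_header, status):
                key = (idx, src_ip)
                self.failures[key] += 1
                if self.failures[key] >= member.access_limit_ip:
                    triggered = self.action
        return triggered


def example_policy():
    """The 'brute-login' object from the CLI example above, expressed as Python data."""
    return BruteForceLoginPolicy(
        name="brute-login",
        action="deny-action",
        members=[
            LoginPageMember(access_limit_ip=3, request_url="/login*",
                            login_failed_code=401, host_status=True, host="www.xxx.com"),
            LoginPageMember(access_limit_ip=5, request_url="/aaalogin*"),
        ],
    )


# Constructed sample traffic (not real logs): (source IP, Host header, path, response status).
SAMPLE_TRAFFIC = [
    ("198.51.100.7", "www.xxx.com", "/login", 401),      # member 1: failure 1
    ("198.51.100.7", "www.xxx.com", "/login", 401),      # member 1: failure 2
    ("198.51.100.7", "www.xxx.com", "/login", 200),      # success: not counted
    ("198.51.100.7", "www.xxx.com", "/login", 401),      # member 1: failure 3 -> limit reached
    ("203.0.113.9", "other.example", "/login", 401),     # Host does not match member 1: ignored
    ("203.0.113.9", "other.example", "/aaalogin", 200),  # member 2 sets no status code, so
    ("203.0.113.9", "other.example", "/aaalogin", 200),  # every matching request counts
    ("203.0.113.9", "other.example", "/aaalogin", 200),
    ("203.0.113.9", "other.example", "/aaalogin", 200),
    ("203.0.113.9", "other.example", "/aaalogin", 200),  # fifth hit -> limit reached
]


def run(traffic, policy=None):
    """Return the action decided for each record in traffic (None when nothing fires)."""
    if policy is None:
        policy = example_policy()
    return [policy.observe(*record) for record in traffic]


if __name__ == "__main__":
    for record, decision in zip(SAMPLE_TRAFFIC, run(SAMPLE_TRAFFIC)):
        print(record, "->", decision)
```

Because request-url is typed as a regular expression, the example pattern /login* is satisfied by any path containing /logi followed by zero or more n characters; when the intent is a path prefix, anchor and escape the pattern (for example ^/login) so that unrelated paths do not feed the counter.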

WAF Profile

    config security waf profile
        edit <name>
            set brute-force-login <name>
        next
    end
