HTTP Scripting events
HTTP Scripts are associated with a particular virtual server, and they are event-driven. A script is triggered when the associated virtual server receives an HTTP request or response. Then, it performs the programmed action.
| Event | Description |
|---|---|
| HTTP_REQUEST | The virtual server receives a complete HTTP request header. |
| HTTP_RESPONSE | The virtual server receives a complete HTTP response header. |
| RULE_INIT | The event is used to initialize global or static variables used within a script. It is triggered when a script is added or modified, or when the device starts up, or when the software is restarted. |
| VS_LISTENER_BIND | The virtual server tries to bind. |
| SERVER_BEFORE_CONNECT | The virtual server is going to connect to the backend real server. |
| SERVER_CONNECTED | The HTTP proxy deems that the backend real server is connected. |
| AUTH_RESULT | The authentication (HTML Form / HTTP-basic) is done. |
| HTTP_DATA_REQUEST | Triggered whenever an HTTP:collect command finishes processing, after collecting the requested amount of data. |
| HTTP_DATA_RESPONSE | Triggered when an HTTP:collect command finishes processing on the server side of a connection. |
| CLIENTSSL_HANDSHAKE | The virtual server receives a complete HTTPS handshake on the client side. |
| SERVERSSL_HANDSHAKE | FortiADC receives a complete HTTPS handshake on the server side. |
| CLIENTSSL_RENEGOTIATE | The virtual server receives a re-connection request from a peer. |
| SERVERSSL_RENEGOTIATE | FortiADC sends a re-connection request to a peer. |
| TCP_ACCEPTED | The virtual server receives a complete TCP connection. |
| TCP_CLOSED | The virtual server closes a TCP connection. |
| PERSISTENCE | Event hook inside process_sticking_rules() in httproxy. |
| POST_PERSIST | Event hook after LB is done and assigns real server according to ADC method. |
| SERVER_CLOSED | When Httproxy is going to terminate the backend real server connection. |
| COOKIE_BAKE | When FortiADC is done baking an authentication cookie. Allows PROXY commands, MGM commands and AUTH:get_baked_cookie/set_baked_cookie. The COOKIE_BAKE event can occur after AUTH_RESULT, HTTP_REQUEST, or HTTP_RESPONSE events. |
| BEFORE_AUTH | The BEFORE_AUTH event triggers right before the authentication is performed to allow the user specified user group to be used instead. The new user group will override the authentication result of the original authentication policy. HTTP: header_get_names, header_get_values, header_get_value, header_remove, header_remove2, header_insert, header_replace, header_replace2, header_exists, header_count, version_get, version_set, redirect_with_cookie, redirect_t, redirect, close, disable_event, enable_event, set_event, set_auto, disable_auto, enable_auto, rand_id, get_session_id, cookie, cookie_list, cookie_crypto, respond, method_get, method_set, uri_get, uri_set, path_get, path_set, query_get, query_set, client_port, local_port, remote_port, client_addr, local_addr, remote_addr, client_ip_ver. LB: routing, get_valid_routing, get_current_routing, method_assign_server. AUTH: set_usergroup, realm, usergroup, host. SSL: renegotiate, cert_request, get_verify_depth, set_verify_depth, client_cert, peer_cert, cert. IP: client_port, local_port, remote_port, client_addr, local_addr, remote_addr, client_ip_ver. MGM: rand_id, get_session_id, disable_event, enable_event, set_event, set_auto, disable_auto, enable_auto. |
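
One way to use the BEFORE_AUTH override described in the table, written for this page as an added example and not taken from Fortinet's documentation: it selects a user group from the request path and leaves the authentication policy's own group in place when no rule matches. The group names and path prefixes are hypothetical, and the call forms (HTTP:path_get() and AUTH:usergroup() returning strings, AUTH:set_usergroup() taking a group name) are assumptions based on the command names listed for this event.

```lua
when BEFORE_AUTH {
  -- Constructed mapping of path prefix to user group (hypothetical names).
  local rules = {
    { prefix = "/admin/",   group = "ug-admins"  },
    { prefix = "/finance/", group = "ug-finance" },
  }

  -- Assumed to return the request path as a string.
  local path = HTTP:path_get() or ""
  -- Compare in lower case so "/Admin/" does not slip past the "/admin/" rule.
  local probe = string.lower(path)

  -- Assumed to return the group selected by the original authentication policy.
  local current = AUTH:usergroup()
  local chosen = nil

  for _, rule in ipairs(rules) do
    -- Exact prefix comparison with no Lua pattern matching, so characters
    -- such as "." or "-" in a prefix are treated literally.
    if string.sub(probe, 1, #rule.prefix) == rule.prefix then
      chosen = rule.group
      break
    end
  end

  -- Request data is kept out of the debug strings; only group names are logged.
  if chosen and chosen ~= current then
    -- Assumed to take the name of an existing user group.
    AUTH:set_usergroup(chosen)
    debug("BEFORE_AUTH: user group " .. tostring(current) .. " -> " .. chosen .. "\n")
  else
    -- No rule matched: the authentication policy's own group stays in force.
    debug("BEFORE_AUTH: keeping user group " .. tostring(current) .. "\n")
  end
}
```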
WAF events
Use the WAF events to insert an action before or after a WAF scan.
In FortiADC, the WAF has six stages at which modules can scan for attacks:
- WAF_SCAN_STAGE_REQ_HEADER
- WAF_SCAN_STAGE_REQ_BODY (streaming stage)
- WAF_SCAN_STAGE_REQ_WHOLE_BODY
- WAF_SCAN_STAGE_RES_HEADER
- WAF_SCAN_STAGE_RES_BODY (streaming stage)
- WAF_SCAN_STAGE_RES_WHOLE_BODY
Each WAF event applies to specific WAF stages, depending on its hook point.
| Event | Hook point | Example |
|---|---|---|
| WAF_REQUEST_BEFORE_SCAN | Before WAF_SCAN_STAGE_REQ_HEADER starts. If the WAF function is not enabled on the virtual server, this event is not triggered. | `when WAF_REQUEST_BEFORE_SCAN { debug("test WAF_REQUEST_BEFORE_SCAN\n") }` |
| WAF_RESPONSE_BEFORE_SCAN | Before WAF_SCAN_STAGE_RES_HEADER starts. If the WAF function is not enabled on the virtual server, this event is not triggered. | `when WAF_RESPONSE_BEFORE_SCAN { debug("test WAF_RESPONSE_BEFORE_SCAN\n") }` |
| WAF_REQUEST_ATTACK_DETECTED | After all request stages, when attacks are detected (violation). If the WAF function is not enabled on the virtual server, this event is not triggered. If the WAF module does not detect any violations, this event is not triggered. | `when WAF_REQUEST_ATTACK_DETECTED { debug("test WAF_REQUEST_ATTACK_DETECTED\n") }` |
| WAF_RESPONSE_ATTACK_DETECTED | After all response stages, when attacks are detected (violation). If the WAF function is not enabled on the virtual server, this event is not triggered. If the WAF module does not detect any violations, this event is not triggered. | `when WAF_RESPONSE_ATTACK_DETECTED { debug("test WAF_RESPONSE_ATTACK_DETECTED\n") }` |