Parameter Validation
Define validation rules to only permit requests that meet specific parameter (input) requirements to your web applications. According to the defined rules, FortiAppSec Cloud can deny any invalid requests or block the request's IP for a period of time, as well as record the invalid requests in the attack log.
A parameter validation rule is composed of a validation operation that is applied to a URL and one or more validation restrictions that limit parameters, for example whether or not a parameter is required, its maximum allowed length, or its data type.
Note: FortiAppSec Cloud requires at least one parameter rule to be added for each request URL to successfully apply parameter validations. Otherwise, FortiAppSec Cloud will accept all requests if there are no restrictions placed on any parameters.
To create a parameter validation rule:
- Go to Security Rules > Parameter Validation.
You must have already enabled this module in Add Modules. See Add and Remove Modules.
- Click Create Rule.
- Configure the following to set the validation operation.
Name Enter a name for the parameter validation rule.
Request URL Enter the URL to which the validation rule will be applied.
Operation Select the action that will be triggered by the validation rule:
Alert – FortiAppSec Cloud will record the invalid request in the attack log.
Deny – FortiAppSec Cloud will block the invalid request and send a "block page" back to the browser, as well as record the request in the attack log.
Deny (no log) – FortiAppSec Cloud will block the invalid request and send a "block page" back to the browser.
Period Block – Block the current request. Moreover, all the subsequent requests from the same client in the next 10 minutes will also be blocked.
If Period Block is selected, specify the time period, between 1 and 3600 seconds.
- Click Add Rule.
- Configure the following to define the parameter restriction rule.
Parameter Name Type a regular expression that matches the parameter whose values you want to validate. To create a regular expression, see Frequently used regular expressions.
Max Length Specify the maximum allowed length of the parameter, between 0 and 1024 characters.
Required Specify whether or not the parameter is required.
Note: If there is no parameter in the request URL, parameter validation is not triggered, which means the traffic is allowed through even if you have configured required parameters in the parameter restriction rule.
Parameter validation takes effect only when there is at least one parameter in the request URL.
Use Type Check
Specify whether or not to check the data-type of the parameter.
Argument Type
Specify the argument type of the parameter:
Data Type
Regular Expression
Available only if you enabled Use Type Check.
Data Type
Select a predefined data type from the drop-down list to limit the format of the parameter value.
Available only if you enabled Use Type Check and selected Data Type as the Argument Type.
Regular Expression
Type a regular expression to limit the format of the parameter value. To create a regular expression, see Frequently used regular expressions.
Available only if you enabled Use Type Check and selected Regular Expression as the Argument Type.
- Click Save Rule.
- Repeat steps 2-6 until you have added all desired rules, or click OK to save the configuration and return to the Parameter Validation page.
- Click SAVE to apply configurations.
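The following Python model is an added illustration, not FortiAppSec Cloud's own code. It reproduces the rule semantics described above: a rule is scoped to one Request URL, each restriction matches parameter names by regular expression and enforces Max Length, Required and a Regular Expression type check, and a request carrying no parameters at all is not validated. The predefined Data Type list is not modelled, and the rule, URL and parameter names (LOGIN_RULE, /login, user, id) are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

@dataclass
class Restriction:
    """One parameter restriction rule: Parameter Name, Max Length, Required, Type Check."""
    name_regex: str          # regular expression matched against the parameter name
    max_length: int = 1024   # 0..1024 characters, as on the configuration page
    required: bool = False
    type_regex: str = ""     # Use Type Check with Argument Type = Regular Expression

@dataclass
class ValidationRule:
    """A validation operation applied to one Request URL, plus its restrictions."""
    request_url: str
    operation: str           # "Alert", "Deny", "Deny (no log)" or "Period Block"
    restrictions: list = field(default_factory=list)

def evaluate(rule, url):
    """Return (operation to trigger, reasons); operation is None when the request passes."""
    parts = urlsplit(url)
    if parts.path != rule.request_url:
        return None, []                      # rule is scoped to a different URL
    params = parse_qsl(parts.query, keep_blank_values=True)
    # Documented caveat: with no parameters at all, validation is not triggered,
    # so a Required restriction cannot fire on a bare request.
    if not params:
        return None, []
    reasons = []
    for r in rule.restrictions:
        hits = [(k, v) for k, v in params if re.fullmatch(r.name_regex, k)]
        if r.required and not hits:
            reasons.append(f"missing required parameter /{r.name_regex}/")
        for k, v in hits:
            if len(v) > r.max_length:
                reasons.append(f"{k}: length {len(v)} exceeds {r.max_length}")
            if r.type_regex and not re.fullmatch(r.type_regex, v):
                reasons.append(f"{k}: value does not match /{r.type_regex}/")
    return (rule.operation if reasons else None), reasons

# Constructed sample rule: /login must carry a short alphanumeric user and a numeric id.
LOGIN_RULE = ValidationRule("/login", "Deny", [
    Restriction(r"user", max_length=16, required=True, type_regex=r"[A-Za-z0-9_]+"),
    Restriction(r"id", max_length=8, type_regex=r"[0-9]+"),
])

if __name__ == "__main__":
    for u in ("/login?user=alice&id=42", "/login?user=a.b&id=x", "/login", "/login?id=42"):
        print(u, "->", evaluate(LOGIN_RULE, u))
```

The bare "/login" request passes even though user is Required, which is exactly the behaviour the note under Required warns about.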