Administration Guide

Validating parameters (“input rules”)

You can configure rules to validate parameters (input) of your web applications.

Input rules define whether or not parameters are required, and their maximum allowed length, for requests that match:

  • Host: field in the HTTP header
  • URL

as defined in the input rule. Inputs are typically the <input> tags in an HTML form.

For example, one web page might have an HTML form with multiple inputs, including:

  • A user name
  • A password
  • A preference for whether or not to remember the login

Within the input rule for that web page, you can define separate rules for each parameter in the request: one rule for the user name parameter, one rule for the password parameter, and one rule for the preference parameter. You can use the password rule to enforce password complexity by requiring it to match a Level 2 Password data type.

Unlike hidden field rules, input rules are for visible inputs only, such as buttons and text areas. For information on constraining hidden inputs, see Preventing tampering with hidden inputs.

Each input rule contains one or more individual rules. Collectively, individual rules define all parameter restrictions that apply to requests matching the specified URL and host name combination.

If an HTTP/HTTPS request contains repeated parameters, FortiWeb enforces the input rules for all instances of the parameter—not just the first time it occurs in the request.

FortiWeb cannot enforce the rule if the parameter is bigger than the memory size you have configured for FortiWeb’s scan buffers. To configure the buffer size, see http-cachesize in the FortiWeb CLI Reference:

http://docs.fortinet.com/fortiweb/reference

If your web applications do not require requests larger than the buffer, enable Malformed Request to harden your configuration.

To configure an input rule
  1. Before you configure an input rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected host names group (see Defining your protected/allowed HTTP “Host:” header names). If you want to define your own data types, you should also configure those first (see Validating parameters (“input rules”)).
  2. Go to Web Protection > Input Validation > Parameter Validation and select the Parameter Validation Rule tab.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. Click Create New.
  4. Configure these settings:
  5. Name

    Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

    Host Status

    Enable to apply this input rule only to HTTP requests for specific web hosts. Also configure Host.

    Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

    Host

    Select which protected host names entry (either a web host name or IP address) the Host: field of the HTTP request must be in to match the input rule.

    This option is available only if Host Status is enabled.

    Request URL Type

    Select whether the Request URL field must contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).

    Request URL

    Depending on your selection in Request URL Type, type either:

    • The literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.cfm.

    Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.

    To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.

    Action

    Select which action the FortiWeb appliance will take when it detects a violation of the rule:

    • Alert—Accept the connection and generate an alert email and/or log message.
    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

    • Deny (no log)—Block the request (or reset the connection).

    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see Defining your proxies, clients, & X-headers.

    • Redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message. Also configure Redirect URL and Redirect URL With Reason.
    • Send 403 Forbidden—Reply with an HTTP 403 Access Forbidden error message and generate an alert and/or log message.

    The default value is Alert. See also Reducing false positives.

    Caution: This setting will be ignored if Monitor Mode is enabled.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see Logging and Alert email.

    Block Period

    Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule.

    This setting is available only if Action is set to Period Block. The valid range is from 1 to 3,600 seconds (1 hour). See also Monitoring currently blocked IPs.

    Severity

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

    • Informative
    • Low
    • Medium
    • High

    The default value is Low.

    Trigger Policy

    Select which trigger, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
  6. Click OK.
  7. Click Create New to add an entry to the set.
    Note: You can add up to 1,024.
  8. Configure these settings:
  9. Name Type

    Select one of the following options:

    • Simple String—Name contains the name attribute of the parameter’s input tag exactly as it appears in the form on the web page.
    • Regular Expression—Name contains a regular expression designed to match the name attribute of the parameter’s input tag.

    Name

    Enter one of the following:

    • The value of the Name attribute of the parameter’s input tag exactly as it appears in the form on the web page if Name Type is Simple String.

      For example, for an input tag that is defined by the following HTML code, enter pwd:

      <input type="password" name="pwd" />

    • A regular expression that matches the name attribute of the parameter’s input tag if Name Type is Regular Expression.

    Note: FortiWeb does not support regular expressions that begin with an exclamation point ( ! ). For information on language and regular expression matching, see Regular expression syntax.

    Max Length

    Type the maximum length of the string that is the input’s value.

    For example, if the input’s value is always a short string like candy, the maximum length could be 5. If the value is a number less than 100 such as 42, the maximum length should be 2 (since the number “42” is 2 characters long).

    To disable the length limit, type 0.

    See also Malformed Request.

    Required

    Enable if the parameter is required for HTTP/HTTPS requests to this combination of Host: field and URL.

    Use Type Check

    Enable to validate the data type of the parameter. Also configure Argument Type.

    Argument Type

    Select one of:

    • Data Type—Select one of the predefined data types from Data Type.
    • Regular Expression—Define the data type using a regular expression in Regular Expression.
    • Custom Data Type—Select one of the custom data types from Custom Data Type.

    This option is only applicable when Use Type Check is enabled.

    Data Type

    Select a predefined data type. See Predefined data types.

    This option is only available when Argument Type is Data Type.

    Regular Expression

    Type a regular expression that matches all valid values, and no invalid values, for this input.

    This option is only available when Argument Type is Regular Expression.

    To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

    Custom Data Type

    Select a custom data type. For details, see Validating parameters (“input rules”).

    This option is only available when Argument Type is Custom Data Type.

  10. Click OK.
  11. Repeat the previous steps for each individual validation rule that you want to add to the group of validation rules.
  12. Go to Web Protection > Input Validation > Parameter Validation and select the Parameter Validation Policy tab.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  13. Click Create New.
  14. In Name, type a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
  15. Click OK.
  16. Click Create New to add an entry to the set.
  17. From the rule drop-down list, select the name of an existing input validation rule.
    To view or change the information associated with the rule, select the icon. The Edit Parameter Validation Rule dialog appears. Use the browser Back button to return.
  18. Click OK.
  19. Repeat the previous steps for each input rule that you want to add to the parameter validation rule.
  20. To apply the parameter validation policy, select it in an inline or Offline Protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
  21. Attack log messages contain Parameter Validation Violation when this feature detects a parameter rule violation.

    If you do not want sensitive inputs such as passwords to appear in the attack logs’ packet payloads, you can obscure them. For details, see Obscuring sensitive data in the logs.
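The following is an added example, not FortiWeb code, that models the enforcement behaviour the sections above describe: an input rule matches on the Host: field (when Host Status is enabled) and on a Request URL given as a literal with wildcards or as a regular expression; each individual rule then matches a parameter by Name (literal or regular expression), checks Required, applies Max Length (0 disables the limit), applies a type check expressed as a regular expression, and is enforced on every instance of a repeated parameter, producing one Parameter Validation Violation record per failure with the rule's Severity. The rule names, parameter names, host, URL and request values are all constructed for the example.

```python
"""Model of FortiWeb-style parameter validation ("input rules").

Added example, not FortiWeb code. It models the matching and enforcement
behaviour described in the guide; all names and sample values are constructed.
"""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qsl, urlsplit


@dataclass
class ParamRule:
    """One individual rule inside an input rule."""
    name: str                         # Name (literal, or regex if name_is_regex)
    name_is_regex: bool = False       # Name Type: Simple String vs Regular Expression
    max_length: int = 0               # Max Length; 0 disables the limit
    required: bool = False            # Required
    type_regex: Optional[str] = None  # Use Type Check with Argument Type = Regular Expression

    def matches_name(self, param: str) -> bool:
        if self.name_is_regex:
            return re.fullmatch(self.name, param) is not None
        return param == self.name


@dataclass
class InputRule:
    """The input rule: Host/URL match plus its individual parameter rules."""
    name: str
    request_url: str
    url_is_regex: bool = False        # Request URL Type
    host: Optional[str] = None        # None models Host Status = Disable
    severity: str = "Low"             # Severity written to the attack log
    params: list = field(default_factory=list)

    def matches(self, host: str, path: str) -> bool:
        if self.host is not None and host.lower() != self.host.lower():
            return False
        if self.url_is_regex:
            return re.search(self.request_url, path) is not None
        # Simple String: literal path, with * wildcards as in /folder1/*
        return fnmatch.fnmatchcase(path, self.request_url)


def _violation(rule: InputRule, param: str, reason: str) -> dict:
    # Shape of the attack-log record; the message text is the one the guide names.
    return {"msg": "Parameter Validation Violation", "rule": rule.name,
            "param": param, "severity": rule.severity, "reason": reason}


def validate(rule: InputRule, host: str, url: str, body: str = "") -> list:
    """Return the violation records for one request (empty list = passes)."""
    parts = urlsplit(url)
    if not rule.matches(host, parts.path):
        return []                     # rule does not apply to this request
    # parse_qsl keeps repeated parameters as separate (name, value) pairs
    pairs = (parse_qsl(parts.query, keep_blank_values=True)
             + parse_qsl(body, keep_blank_values=True))
    violations = []
    for pr in rule.params:
        instances = [v for k, v in pairs if pr.matches_name(k)]
        if pr.required and not instances:
            violations.append(_violation(rule, pr.name, "missing required parameter"))
        for value in instances:       # every instance, not just the first
            if pr.max_length and len(value) > pr.max_length:
                violations.append(_violation(rule, pr.name, f"length {len(value)} > {pr.max_length}"))
            if pr.type_regex and re.fullmatch(pr.type_regex, value) is None:
                violations.append(_violation(rule, pr.name, "type check failed"))
    return violations


# Constructed input rule for a login form at /login.php on www.example.com
LOGIN_RULE = InputRule(
    name="login-form", request_url="/login.php", host="www.example.com", severity="Medium",
    params=[
        ParamRule("username", max_length=32, required=True, type_regex=r"[A-Za-z0-9_.-]+"),
        ParamRule("pwd", max_length=64, required=True),
        ParamRule("remember", max_length=1, type_regex=r"[01]"),
    ],
)

if __name__ == "__main__":
    # Repeated "remember" parameter: the second instance violates both checks.
    for v in validate(LOGIN_RULE, "www.example.com",
                      "/login.php?remember=1&remember=12",
                      body="username=alice&pwd=s3cret"):
        print(v)
```

The model keeps the two decisions the guide separates: whether the input rule applies at all (Host: and URL) and, only then, what each individual rule enforces. A request to another host or URL yields no violations because the rule is simply not consulted, which is the behaviour to keep in mind when a rule seems to "not fire". The password value is stored in the record only as a parameter name, never as its value, matching the guide's advice to keep sensitive inputs out of logged payloads.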
Bulk changes to input validation rules

If you need to make the same change to multiple parameter validation rules, you can apply some changes as a batch instead of individually.

To apply a batch of changes
  1. Go to Web Protection > Input Validation > Parameter Validation Rule.
  2. Mark the check boxes of all rules that will receive the same change. Additional buttons will become available on the toolbar, such as Edit Action, Edit Trigger Policy, or Edit Severity.
  3. Click one of those buttons, then from the drop-down menu that appears, select the new value for the setting.
To create a custom data type by modifying a predefined data type, copy the text in the Pattern column of the predefined data type, then paste it into a custom data type. For details, see Predefined data types.