waf graphql-validation rule

Use this command to create GraphQL protection rules and configure GraphQL protection policies.

Syntax

config waf graphql-validation rule

edit "<graphql_rule_name>"

set host-status {enable | disable}

set host "<host_name_str>"

set request-type {plain | regular}

set request-url <string>

set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

set block-period <period_int>

set severity {High | Low | Medium | Info}

set trigger "<trigger_policy_name>"

set enable-introspection {enable | disable}

set enable-fragment {enable | disable}

set graphql-data-size <integer>

set field-number <integer>

set value-size <integer>

set object-depth <integer>

set alias-batch-query {enable | disable}

set alias-batch-query-number <integer>

set array-batch-query {enable | disable}

set array-batch-query-number <integer>

next

end

config waf graphql-validation policy

edit <graphql_policy_name>

set enable-signature-detection {enable | disable}

config input-rule-list

edit <graphql-rule-list_id>

set graphql_input_rule <graphql_input_rule_str>

next

end

next

end
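A worked configuration, added here as an example rather than taken from the original reference: a strict rule for a public /graphql endpoint and the policy that references it. The names (gql-public-api, api.example.com, soc-notify, gql-policy) and the limit values are assumptions; api.example.com must already exist as a protected hostname under server-policy allow-hosts, and soc-notify as a trigger under log trigger-policy.

```text
config waf graphql-validation rule
    edit "gql-public-api"
        set host-status enable
        set host "api.example.com"
        set request-type plain
        set request-url /graphql
        set action block-period
        set block-period 300
        set severity High
        set trigger "soc-notify"
        set enable-introspection disable
        set enable-fragment disable
        set graphql-data-size 8192
        set field-number 100
        set value-size 256
        set object-depth 8
        set alias-batch-query disable
        set array-batch-query enable
        set array-batch-query-number 4
    next
end

config waf graphql-validation policy
    edit "gql-policy"
        set enable-signature-detection enable
        config input-rule-list
            edit 1
                set graphql_input_rule "gql-public-api"
            next
        end
    next
end
```

Introspection and fragments stay disabled, object-depth 8 and field-number 100 sit well below the defaults because a public API rarely has a legitimate 32-level result, and array batching is allowed but capped at 4 operations so a batching client keeps working while a brute-force batch is cut off. The policy is then selected in a protection profile, which this page does not cover.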

Variable Description Default

"<graphql_rule_name>"

Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a GraphQL protection policy.

No default.

host-status {enable | disable}

Enable to apply the rule only when the Host: field of the HTTP request matches the configured host. If enabled, also configure host "<host_name_str>".

disable

host "<host_name_str>"

Enter the name of a protected host that the Host: field of an HTTP request must match in order for the rule to apply. For details, see server-policy allow-hosts.

No default.

request-type {plain | regular}

Select whether request-url <string> contains either:

  • plain—The field is a string that the request URL must match exactly.
  • regular—The field is a regular expression that defines a set of matching URLs.

No default.

request-url <string>

Depending on your selection for request-type {plain | regular}, enter either:

  • plain—The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
  • regular—A regular expression, such as ^/.*\.php, matching the URLs to which the rule should apply. The pattern does not have to begin with a slash ( / ), but it must match URLs that do, such as /index.cfm.

Do not include the domain name, such as www.example.com, which is configured separately in host "<host_name_str>".

No default.

action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

Select one of the following actions that FortiWeb performs when a request violates the rule:

  • alert—Accept the request and generate an alert email and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <period_int>.

  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.

  • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.

  • deny_no_log—Deny a request. Do not generate a log message.

Caution: FortiWeb ignores this setting when monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

alert

block-period <period_int>

Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when action is block-period.

The valid range is 1–3,600 seconds.

600

severity {High | Low | Medium | Info}

When rule violations are recorded in the attack log, each log message contains a Severity Level field. Select which severity level FortiWeb will use when it logs a violation of the rule:

  • Low
  • Medium
  • High
  • Info

Low

trigger "<trigger_policy_name>"

Enter the name of the trigger, if any, to apply when the rule is violated. The maximum length is 63 characters. For details, see log trigger-policy.

To display a list of existing triggers, enter:

set trigger ?

No default.

enable-introspection {enable | disable}

Enable to allow introspection queries (the __schema and __type fields). Introspection returns the full schema, which is the first thing an attacker maps, so leave it disabled on production APIs unless a client genuinely needs it.

disable

enable-fragment {enable | disable}

Enable to allow fragments (fragment definitions, fragment spreads and inline fragments). Fragments let a client reuse selection sets, but recursive or deeply nested fragments are a known way to amplify query cost, so keep this disabled unless clients require it.

disable

graphql-data-size <integer>

Sets the maximum size of the GraphQL request: the HTTP request body for the POST method, or the URL parameters for the GET method.

1024

field-number <integer>

Sets the maximum number of terminal (leaf) fields a query may select, which bounds how much data a single request can pull from the objects it queries.

256

value-size <integer>

Sets the maximum length of any user-supplied value within a GraphQL query.

  • If the value is an array, each item in the array is evaluated against the specified value size.

  • If the value is an object, only the values contained within the object are compared to the value size, not the keys themselves.

256

object-depth <integer>

Sets the maximum nesting depth of a query. Deeply nested queries, for example one that follows a circular relationship such as friends { friends { friends { ... } } }, are a common resource-exhaustion attack, so this limit caps how deep a selection set may go.

32

alias-batch-query {enable | disable}

Enable to allow alias batching: several copies of the same field sent under different aliases in one query. Leave disabled unless clients need it, because alias batching is a standard way to pack many attempts (for example password guesses) into a single request and evade per-request rate limits.

disable

alias-batch-query-number <integer>

Sets the maximum number of queries allowed in one alias batch.

Available only when alias-batch-query is enabled.

8

array-batch-query {enable | disable}

Enable to allow array batching: a JSON array of operations sent in one HTTP request.

disable

array-batch-query-number <integer>

Sets the maximum number of queries allowed in one array batch.

Available only when array-batch-query is enabled.

8

<graphql_policy_name>

Enter the name of a GraphQL protection policy. You will use the name to select the policy in other parts of the configuration.

No default.

<graphql-rule-list_id>

Enter the index number of an entry to create or modify a rule for the policy.

No default.

enable-signature-detection {enable | disable}

Enable to scan GraphQL API requests for matches with attack signatures.

disable

graphql_input_rule <graphql_input_rule_str>

Enter the name of the GraphQL protection rule (its "<graphql_rule_name>") to add to the GraphQL protection policy.

No default.
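The per-request limits above (graphql-data-size, field-number, value-size, object-depth, alias and array batching, introspection, fragments) are easier to tune once you can see what a given request scores against them. The following Python script is an added example, not FortiWeb code: it parses a GraphQL POST body with a minimal parser (directives are not supported) and reports which rule settings, at the reference's default values, the request would violate. How FortiWeb itself counts each metric is not stated on this page, so the counting rules here (depth as nesting of selection sets, a fragment spread counted at the depth where it is spread, alias batching as more than one aliased root field) are assumptions, and the sample requests are constructed, not captured traffic.

```python
"""Measure a GraphQL POST body against the limits of a FortiWeb GraphQL protection rule.
Added example, not FortiWeb code: how the appliance itself counts each metric is an assumption."""
import json
import re
TOKEN_RE = re.compile(r'(?P<str>"(?:\\.|[^"\\])*")|#[^\n]*|(?P<num>-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)'
                      r'|(?P<name>[_A-Za-z][_0-9A-Za-z]*)|(?P<punct>\.\.\.|[{}()\[\]:!$@=|])')

class Parser:   # selection sets and fragments only; argument lists and variable definitions are skipped, no directives
    def __init__(self, src):   # whitespace, commas and comments fall through the regex; (None, None) marks EOF
        self.toks = [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(src) if m.lastgroup] + [(None, None)]
        self.i, self.ops, self.fragments, self.uses_fragment = 0, [], {}, False
    def take(self, kind=None, val=None):   # consume the next token, optionally checking its kind and value
        k, v = self.toks[self.i]
        if not k or kind not in (None, k) or val not in (None, v):
            raise ValueError(f"unexpected token {v!r}")
        self.i += 1
        return k, v
    def parse_document(self):
        while self.toks[self.i][0] is not None:
            kw = self.take()[1] if self.toks[self.i][0] == 'name' else None   # fragment | query | mutation | ...
            name = self.take('name')[1] if kw and self.toks[self.i][0] == 'name' else None
            if kw == 'fragment':   # fragment Name on Type { ... }
                self.take('name', 'on'); self.take('name')
                self.fragments[name] = self.parse_selection_set()
                continue
            if kw and self.toks[self.i] == ('punct', '('):   # variable definitions: skipped
                while self.take() != ('punct', ')'): pass
            self.ops.append(self.parse_selection_set())
        return self
    def parse_selection_set(self):
        self.take('punct', '{')
        sels = []
        while self.toks[self.i] != ('punct', '}'):
            if self.toks[self.i] == ('punct', '...'):   # "...Name" spread, or "... [on Type] { ... }" inline
                self.take(); self.uses_fragment = True
                if self.toks[self.i] == ('name', 'on'): self.take(); self.take('name')   # skip "on Type"
                if self.toks[self.i] == ('punct', '{'):
                    sels.extend(self.parse_selection_set())   # an inline fragment adds no nesting
                else:
                    sels.append(('spread', self.take('name')[1]))
                continue
            alias, name = None, self.take('name')[1]   # [alias:] name [(args)] [{ ... }]
            if self.toks[self.i] == ('punct', ':'):
                self.take(); alias, name = name, self.take('name')[1]
            if self.toks[self.i] == ('punct', '('):   # argument list: literal sizes are read from the token stream
                while self.take() != ('punct', ')'): pass
            sub = self.parse_selection_set() if self.toks[self.i] == ('punct', '{') else None
            sels.append(('field', alias, name, sub))
        self.take()
        return sels

def measure(sels, frags, seen=frozenset()):   # (nesting depth, terminal-field count); spreads expand once
    depth, leaves = 0, 0
    for s in sels:
        if s[0] == 'spread':   # follow the fragment, cycle-safe
            d, n = measure(frags.get(s[1], []), frags, seen | {s[1]}) if s[1] not in seen else (0, 0)
        else:   # ('field', alias, name, sub): a leaf when sub is None
            d, n = measure(s[3], frags, seen) if s[3] else (0, 1)
            d += 1
        depth, leaves = max(depth, d), leaves + n
    return depth, leaves

def analyze_query(query):   # per-query metrics, keyed by the rule setting each one feeds
    p = Parser(query).parse_document()
    stats = [measure(op, p.fragments) for op in p.ops] or [(0, 0)]
    return {'object-depth': max(d for d, _ in stats), 'field-number': sum(n for _, n in stats),
            # string/number literals only: list items and object values are separate tokens, keys are names
            'value-size': max((len(v) - 2 if k == 'str' else len(v)
                               for k, v in p.toks if k in ('str', 'num')), default=0),
            'enable-introspection': any(v in ('__schema', '__type') for k, v in p.toks if k == 'name'),
            'enable-fragment': p.uses_fragment or bool(p.fragments),
            # assumption: an alias batch is the set of aliased fields in one operation's root selection set
            'alias-batch': max([sum(1 for s in op if s[0] == 'field' and s[1]) for op in p.ops] or [0])}

DEFAULTS = {'graphql-data-size': 1024, 'field-number': 256, 'value-size': 256, 'object-depth': 32,
            'enable-introspection': False, 'enable-fragment': False, 'alias-batch-query': False,
            'alias-batch-query-number': 8, 'array-batch-query': False, 'array-batch-query-number': 8}

def check_request(body, limits=DEFAULTS):   # the rule settings a POST body violates; [] means it passes
    doc = json.loads(body); ops = doc if isinstance(doc, list) else [doc]
    hits = {'graphql-data-size'} if len(body.encode()) > limits['graphql-data-size'] else set()
    if isinstance(doc, list) and not limits['array-batch-query']:   # a JSON array of operations = array batching
        hits.add('array-batch-query')
    elif len(ops) > limits['array-batch-query-number']:
        hits.add('array-batch-query-number')
    for m in (analyze_query(op['query']) for op in ops):
        hits |= {k for k in ('object-depth', 'field-number', 'value-size') if m[k] > limits[k]}
        hits |= {k for k in ('enable-introspection', 'enable-fragment') if m[k] and not limits[k]}
        if m['alias-batch'] > 1 and not limits['alias-batch-query']:   # assumption: >1 aliased root field = a batch
            hits.add('alias-batch-query')
        elif m['alias-batch'] > limits['alias-batch-query-number']:
            hits.add('alias-batch-query-number')
    return sorted(hits)

SAMPLES = {  # constructed requests, not captured traffic
    'benign': json.dumps({'query': '{ user(id: "42") { name email } }'}),
    'alias_bruteforce': json.dumps({'query': '{ %s }' % ' '.join(f'a{i}: login(pw: "guess{i}") {{ token }}' for i in range(10))}),
    'introspection': json.dumps({'query': '{ __schema { types { name fields { name } } } }'}),
    'array_batch': json.dumps([{'query': '{ ping }'}] * 3),
    'fragment_cycle': json.dumps({'query': 'query { root { ...F } } fragment F on Node { id next { ...F } }'})}
```

Under the defaults, check_request(SAMPLES['alias_bruteforce']) returns ['alias-batch-query']; enable alias batching and the same request trips alias-batch-query-number instead, which is exactly the trade-off the two settings encode. Values passed through the JSON variables object are not measured by this script, so a real deployment should also test requests that move long inputs out of the query text and into variables.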
