Technical Tip: How does FortiWeb handle 'waf file-upload-restriction-rule' parameters
Description
This article describes the FortiWeb function that protects web servers against malicious or unwanted file uploads. The function can be configured from the CLI ('waf file-upload-restriction-rule') or from the Web GUI: Web Protection -> Input Validation -> File Security.
Scope
This article provides complementary information to the FortiWeb CLI and Administration guides. FortiWeb v6.x, v7.x, and v8.x.
Solution
The 'waf file-upload-restriction-rule' table can hold multiple rules; a single rule consists of the parameters shown below. The host, request-type, and request-file parameters are match conditions that determine when the rule takes effect.
config waf file-upload-restriction-rule
    edit "Example_Rule"
        set host-status disable
        unset host
        set request-type regular
        set request-file /.*
        set file-size-limit 1
        config file-types
            edit 2
                set file-type-name AVI
                set file-type-id 00016
            next
            edit 3
                set file-type-name "Word Template(.dotx)"
                set file-type-id 00062
            next
        end
    next
end
The same rule can be viewed and edited in the GUI under Web Protection -> Input Validation -> File Security.
The rule treats the upload of a large file as an attack; how large is decided by the administrator through the file-size-limit value. The maximum value accepted for file-size-limit depends on the firmware version and device model, as detailed below:
If running on version 6.x to 7.4.4: 0-30720 KB is the allowed range.
If running on version 7.4.5 or higher:
0-102400 KB is allowed for models: FortiWeb 100D, 100E, 100F, 400C, 400D, 400E, 400F, 600D, 600E, 600F, 1000C, 3000CFsx, 4000C.
0-204800 KB is allowed for models: FortiWeb 1000D, 2000D, 3000D, 3000DFsx, 4000D, 1000E, 2000E, 3010E, 1000F, 2000F.
0-358400 KB is allowed for models: FortiWeb 3000E, 4000E, 3000F, 4000F.
If an uploaded file is bigger than the file-size-limit, the rule treats it as an attack. When file-size-limit is set to 0, file-size detection is disabled.
The Maximum Antivirus Buffer Size also depends on the FortiWeb model, and its thresholds are the same as those of 'file-size-limit'. File-size-limit is the maximum size of a file that can be uploaded.
File upload restriction performs five kinds of detection: AntiVirus Scan, Trojan Detection, Scan Files with FortiSandbox, File-size Detection, and File-type Detection.
The detection order is File-size Detection, File-type Detection, Trojan Detection, AntiVirus Scan, and Scan Files with FortiSandbox.
A 'File Upload Restriction Policy' can hold multiple 'File Upload Restriction Rules'. However, during an HTTP/HTTPS session, only one rule takes effect. Which rule takes effect depends on the host and the request URL configured in the 'File Upload Restriction Rule'.
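As an added illustration (not FortiWeb's own code), the following Python model captures the behaviour described above: the per-version/model cap on file-size-limit, selection of the single rule that applies based on host and request URL, and the size-then-type detection order. It assumes first-match rule selection in configured order and that the file-types list is the set of allowed types; the hostnames and the rules in POLICY are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Upper bounds for file-size-limit (KB) on v7.4.5+, by model, as listed above.
CAPS_7_4_5 = {
    102400: {"100D", "100E", "100F", "400C", "400D", "400E", "400F", "600D", "600E",
             "600F", "1000C", "3000CFsx", "4000C"},
    204800: {"1000D", "2000D", "3000D", "3000DFsx", "4000D", "1000E", "2000E",
             "3010E", "1000F", "2000F"},
    358400: {"3000E", "4000E", "3000F", "4000F"},
}

def max_file_size_limit_kb(version, model):
    """Largest file-size-limit the firmware/model accepts; None if the model is not listed."""
    if tuple(int(p) for p in version.split(".")) < (7, 4, 5):
        return 30720  # 6.x up to 7.4.4 share one cap
    return next((cap for cap, models in CAPS_7_4_5.items() if model in models), None)

@dataclass
class UploadRule:
    name: str
    request_file: str               # regex matched against the request URL, e.g. "/.*"
    file_size_limit_kb: int = 0     # 0 disables file-size detection
    host_status: bool = False       # False means the host filter is ignored (unset host)
    host: str = ""
    file_types: set = field(default_factory=set)  # allowed types (modelling assumption)

def select_rule(rules, host, url):
    """First rule in configured order (an assumption) whose host and request-file match."""
    for r in rules:
        if r.host_status and r.host != host:
            continue
        if re.fullmatch(r.request_file, url):
            return r
    return None

def evaluate_upload(rule, size_kb, file_type):
    """Apply file-size detection, then file-type detection, in the documented order."""
    if rule.file_size_limit_kb and size_kb > rule.file_size_limit_kb:
        return "blocked: file-size"
    if rule.file_types and file_type not in rule.file_types:
        return "blocked: file-type"
    return "allowed"

# Constructed policy: a host-specific rule first, then a catch-all like Example_Rule above.
POLICY = [
    UploadRule("Uploads_Portal", r"/upload/.*", 2048, True, "portal.example.com", {"AVI"}),
    UploadRule("Example_Rule", r"/.*", 1, False, "", {"AVI", "Word Template(.dotx)"}),
]
```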
