Description
FortiWeb has a function to protect Web servers against unwanted file uploads. The function can be configured from the CLI ("waf file-upload-restriction-rule") or from the Web GUI: Web Protection > Input Validation > File Upload Restriction Rule.
Scope
This article provides complementary information to the FortiWeb CLI and Administration guides. At the time of writing, the latest version of FortiWeb is 5.5.4.
Solution
The "waf file-upload-restriction-rule" table can hold multiple rules; each rule consists of the parameters shown below. The host, request-type and request-file parameters are filters: they define the conditions a request must match for the rule to take effect.
config waf file-upload-restriction-rule
    edit "Example_Rule"
        set host-status disable
        unset host
        set request-type regular
        set request-file /.*
        set file-size-limit 1
        config file-types
            edit 2
                set file-type-name AVI
                set file-type-id 00016
            next
            edit 3
                set file-type-name "Word Template(.dotx)"
                set file-type-id 00062
            next
        end
    next
end
The rule treats the upload of a large file as a kind of attack. How large is decided by the administrator through file-size-limit, which accepts a value between 0 and 102,400 KBytes: a file larger than file-size-limit is considered an attack. When file-size-limit is set to 0, file-size detection does not take effect.
102,400 KBytes is also the maximum value of Maximum Antivirus Buffer Size; file-size-limit is the largest size of file that can be uploaded.
File Upload Restriction performs five kinds of detection: AntiVirus Scan, Trojan Detection, Scan Files with FortiSandbox, File-size Detection and File-type Detection.
The detection order is File-size Detection, File-type Detection, Trojan Detection, AntiVirus Scan, then Scan Files with FortiSandbox.
A "File Upload Restriction Policy" can hold multiple "File Upload Restriction Rules". However, during an HTTP/HTTPS session only one rule takes effect; which one depends on the host and the request URL configured in each "File Upload Restriction Rule".
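The following Python model is an added example, not FortiWeb code and not taken from the Fortinet guides. It puts together the three behaviours described above for a policy made of several rules: selecting the single rule that applies to a request from its host and URL filters, the file-size-limit semantics (0 disables the check, values above 102,400 KBytes are rejected), and the documented detection order, in which evaluation stops at the first detection that fires. The rule names, sample policy and uploads are constructed. Assumptions, marked in the comments: request-type "regular" means request-file is a regular expression matched against the request path; when several rules match, the first in configuration order wins; the file-type, Trojan, AntiVirus and FortiSandbox stages, whose internals this article does not describe, are supplied by the caller as callables.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Upper bound of file-size-limit given on this page (KBytes).
MAX_FILE_SIZE_LIMIT_KB = 102_400

# Detection order as stated on this page; evaluation stops at the first hit.
DETECTION_ORDER = (
    "File-size Detection",
    "File-type Detection",
    "Trojan Detection",
    "AntiVirus Scan",
    "Scan Files with FortiSandbox",
)

# A pluggable stage returns True when it flags the upload (assumption: the
# page does not describe these stages' internals, so the caller provides them).
Stage = Callable[["Upload"], bool]


@dataclass(frozen=True)
class Upload:
    host: str       # value of the HTTP Host header
    url: str        # request path
    filename: str   # name of the uploaded file
    size_kb: int    # size of the uploaded file in KBytes


@dataclass
class UploadRule:
    name: str
    file_size_limit_kb: int            # 0 switches file-size detection off
    host: Optional[str] = None         # None models "host-status disable" / "unset host"
    request_type: str = "regular"      # assumption: "regular" = request-file is a regex
    request_file: str = "/.*"
    stages: Dict[str, Stage] = field(default_factory=dict)  # caller-supplied stages

    def __post_init__(self) -> None:
        if not 0 <= self.file_size_limit_kb <= MAX_FILE_SIZE_LIMIT_KB:
            raise ValueError(
                f"file-size-limit must be 0..{MAX_FILE_SIZE_LIMIT_KB} KBytes")

    def matches(self, upload: Upload) -> bool:
        """The host and request-URL filters decide whether this rule applies."""
        if self.host is not None and upload.host != self.host:
            return False
        if self.request_type == "regular":
            return re.fullmatch(self.request_file, upload.url) is not None
        return upload.url == self.request_file  # assumption: non-regex = exact match

    def size_violation(self, upload: Upload) -> bool:
        if self.file_size_limit_kb == 0:
            return False  # a limit of 0 disables size detection
        return upload.size_kb > self.file_size_limit_kb

    def evaluate(self, upload: Upload) -> Optional[str]:
        """Run the detections in documented order; return the first that fires."""
        for stage_name in DETECTION_ORDER:
            if stage_name == "File-size Detection":
                hit = self.size_violation(upload)
            else:
                stage = self.stages.get(stage_name)
                hit = stage(upload) if stage else False
            if hit:
                return stage_name
        return None


def select_rule(policy: List[UploadRule], upload: Upload) -> Optional[UploadRule]:
    """Only one rule of a policy applies to a session. Assumption: the first
    rule in configuration order whose host/URL filters match is the one."""
    for rule in policy:
        if rule.matches(upload):
            return rule
    return None


def check_upload(policy: List[UploadRule], upload: Upload) -> Optional[str]:
    """Name of the detection that fired for this upload, or None if it passes."""
    rule = select_rule(policy, upload)
    return rule.evaluate(upload) if rule else None


# Constructed AV verdicts standing in for a real scanner (assumption).
CONSTRUCTED_AV_HITS = {"eicar.com"}

# Constructed sample policy: a strict size limit on one host's upload endpoint,
# and a catch-all rule (like Example_Rule above) that only relies on AV.
SAMPLE_POLICY = [
    UploadRule(name="small_uploads_only", file_size_limit_kb=512,
               host="app.example", request_file="/upload/.*",
               stages={"AntiVirus Scan": lambda u: u.filename in CONSTRUCTED_AV_HITS}),
    UploadRule(name="catch_all", file_size_limit_kb=0,
               stages={"AntiVirus Scan": lambda u: u.filename in CONSTRUCTED_AV_HITS}),
]

if __name__ == "__main__":
    for up in (Upload("app.example", "/upload/a.png", "a.png", 1024),
               Upload("app.example", "/upload/eicar.com", "eicar.com", 4096),
               Upload("other.example", "/files/big.bin", "big.bin", 100_000)):
        print(f"{up.host}{up.url} ({up.size_kb} KB) -> {check_upload(SAMPLE_POLICY, up)}")
```

The second sample upload is both oversize and flagged by the constructed AV verdict, and the model reports File-size Detection, not AntiVirus Scan, because the size check runs first in the documented order. The third upload is 100,000 KBytes but passes, because the only rule matching that host has file-size-limit 0, which turns the size check off; that is the setting to look for when an unexpectedly large upload reaches a server.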