FortiWeb
kmak (Staff)
Article Id 263522
Description This article describes how to configure the Input Parameter Validation policy and rules.
Scope FortiWeb.
Solution

Prerequisite:

  • A server policy with a custom Web Protection Profile is already in place. The Parameter Validation policy is enabled in that profile at the end of this procedure and applies only to traffic handled by that server policy.

  1. Before creating the Parameter Validation rule, identify the input parameters of the web page to be validated. In this example, the parameter names are read from the form fields with the browser's Developer Tools. Use the name each field is submitted with (the form field's name attribute), not the label shown next to it.

  2. In FortiWeb, navigate to the Parameter Validation page and create a new Parameter Validation Rule.

  3. Enter a name for the Parameter Validation Rule. If the rule should apply only to a specific host, enable Host Status and enter the host name. Enter the URL of the request that carries the input parameters to be validated (the URL the form submits to, which can differ from the page that displays it) and select the action to take when a parameter violates the rule.

  4. Select Create New to add an input parameter of the web page to the rule.

  5. Enter the parameter name exactly as it appears in the web page. Set Maximum Length to cap the number of characters accepted for the parameter. Enable Use Type Check and select a Data Type; use a regular expression or a custom data type when none of the predefined types fits the expected input.

  6. Repeat this for every input parameter that requires validation, using the Data Type to restrict the characters each one accepts.

  7. Create a Parameter Validation Policy and add the Parameter Validation Rule to it.

  8. In the custom Web Protection Profile used by the server policy, enable the Parameter Validation policy just created.

  9. Once the policy is applied, test it by submitting the web page form with invalid characters in one of the validated fields.

  10. The request is blocked because the First Name parameter contains invalid characters. The attack ID is 20000005, which identifies a Parameter Validation policy violation.

  11. Check the FortiWeb attack log to confirm that the block was caused by a Parameter Validation policy violation.


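As an added example (not part of the original article and not FortiWeb code), the following Python model reproduces what the rule configured in steps 3 to 6 enforces: host match, request URL match, a per-parameter maximum length, and a data type or regular-expression check on each listed parameter. It lets the outcome of the test submission in steps 9 to 11 be predicted before it is sent. The host, URL, parameter names, limits and patterns are assumptions for illustration, and the predefined data types are approximated with regular expressions; the attack ID is the one the article reports.

```python
"""Model of a FortiWeb Input Parameter Validation rule (added example).

Illustrative code, not FortiWeb's implementation: it mirrors the checks
the rule above expresses so the block/allow result of a test request can
be predicted. Host, URL, parameter names, limits and patterns are assumed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Attack ID the article reports for a Parameter Validation violation.
ATTACK_ID_PARAMETER_VALIDATION = 20000005

# Assumed stand-ins for two of FortiWeb's predefined data types; the
# appliance ships its own definitions in its data type library.
DATA_TYPES = {
    "Email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "Number": re.compile(r"[0-9]+"),
}


@dataclass
class ParameterCheck:
    name: str                         # field name as submitted, not its label
    max_length: int                   # Maximum Length setting
    data_type: Optional[str] = None   # key into DATA_TYPES (Use Type Check)
    regex: Optional[str] = None       # custom regular expression instead


@dataclass
class ParameterValidationRule:
    name: str
    request_url: str                  # URL the form submits to
    action: str = "Alert & Deny"
    host_status: bool = False         # when True, only `host` is matched
    host: Optional[str] = None
    parameters: List[ParameterCheck] = field(default_factory=list)


@dataclass
class Violation:
    parameter: str
    reason: str
    attack_id: int = ATTACK_ID_PARAMETER_VALIDATION


def rule_applies(rule: ParameterValidationRule, host: str, path: str) -> bool:
    """The rule fires only on its configured URL (and host, if Host Status is on)."""
    if rule.host_status and host != rule.host:
        return False
    return path == rule.request_url


def check_parameters(rule: ParameterValidationRule,
                     params: List[Tuple[str, str]]) -> List[Violation]:
    """Apply the configured length and type checks to decoded parameter values."""
    checks = {c.name: c for c in rule.parameters}
    violations = []
    for name, value in params:
        check = checks.get(name)
        if check is None:
            continue  # parameters not listed in the rule are not validated
        if len(value) > check.max_length:
            violations.append(Violation(
                name, f"length {len(value)} exceeds maximum {check.max_length}"))
            continue
        pattern = (re.compile(check.regex) if check.regex
                   else DATA_TYPES.get(check.data_type or ""))
        if pattern is not None and pattern.fullmatch(value) is None:
            violations.append(Violation(
                name, f"value does not match {check.data_type or check.regex}"))
    return violations


def evaluate_request(rule: ParameterValidationRule, host: str, url: str,
                     body: str = "") -> Tuple[str, List[Violation]]:
    """Return (decision, violations) for a query string and/or form body.

    Values are percent-decoded before checking, so an encoded "<" counts as "<".
    """
    parts = urlsplit(url)
    if not rule_applies(rule, host, parts.path):
        return "allow (rule not matched)", []
    params = (parse_qsl(parts.query, keep_blank_values=True)
              + parse_qsl(body, keep_blank_values=True))
    violations = check_parameters(rule, params)
    if violations and rule.action == "Alert & Deny":
        return "deny", violations
    return "allow", violations


# Assumed rule for a registration form posted to https://www.example.com/register.
REGISTER_RULE = ParameterValidationRule(
    name="register-form", request_url="/register",
    host_status=True, host="www.example.com",
    parameters=[
        ParameterCheck("first_name", 32, regex=r"[A-Za-z' -]+"),
        ParameterCheck("last_name", 32, regex=r"[A-Za-z' -]+"),
        ParameterCheck("email", 64, data_type="Email"),
        ParameterCheck("phone", 15, data_type="Number"),
    ],
)

if __name__ == "__main__":
    # Constructed sample submissions: clean, markup in first_name (the
    # case from the steps above), and an over-length first_name.
    for body in [
        "first_name=Alice&last_name=O%27Brien&email=alice%40example.com&phone=5551234567",
        "first_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&last_name=Smith&email=a%40b.io&phone=1",
        "first_name=" + "A" * 40 + "&last_name=Smith&email=a%40b.io&phone=1",
    ]:
        decision, found = evaluate_request(REGISTER_RULE, "www.example.com", "/register", body)
        print(decision, [(v.parameter, v.reason, v.attack_id) for v in found])
```

Three points the model makes visible that the GUI does not: a parameter that is not listed in the rule is not checked at all, so the list built in step 6 must be complete; the check runs on the decoded value, so encoding `<` as `%3C` in the test form does not avoid the rule; and the model requires the whole value to match the pattern, so when a custom regular expression is used on the appliance, confirm whether its matcher is anchored and add `^` and `$` if it is not.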
Related document:

https://docs.fortinet.com/document/fortiweb/7.2.3/administration-guide/808674