FortiWeb v7.2.1 CLI Reference

The FortiWeb 7.2.1 CLI Reference document provides comprehensive guidance on using the command-line interface for FortiWeb, including connection methods, command syntax, and administrative domains. It includes a detailed change log, tips, and examples for various commands related to logging, server policies, and system settings. Additionally, it offers links to Fortinet resources such as customer support, training, and documentation.


CLI Reference

FortiWeb 7.2.1
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET COOKBOOK
https://cookbook.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

December 23, 2022

FortiWeb 7.2.1 CLI Reference
1st Edition

Change log

Date                Change description
December 23, 2022   Initial release.

FortiWeb CLI Reference Fortinet Technologies Inc.


TABLE OF CONTENTS

Change log 3
Introduction 30
Scope 30
Conventions 31
IP addresses 31
Cautions, notes, & tips 31
Typographic conventions 32
Command syntax 32
Using the CLI 33
Connecting to the CLI 33
Connecting to the CLI using a local console 33
Enabling access to the CLI through the network (SSH or Telnet or CLI Console widget)34
Connecting to the CLI using SSH 36
Connecting to the CLI using Telnet 37
Command syntax 39
Terminology 39
Indentation 40
Notation 40
Subcommands 42
Table commands 43
Field commands 45
Permissions 46
Access profile permissions 46
Tips & tricks 48
Help 48
Shortcuts & key commands 48
Command abbreviation 49
Special characters 49
Language support & regular expressions 50
Screen paging 51
Baud rate 52
Editing the configuration file in a text editor 52
Pipeline 'grep' command 53
Administrative domains (ADOMs) 55
Differences between administrator accounts when ADOMs are enabled 55
Defining ADOMs 57
Assigning administrators to an ADOM 58
config 60
log alertMail 60
Syntax 60
Example 61
Related topics 61
log attack-log 61
Syntax 61

Example 63
Related topics 63
log custom-sensitive-rule 63
Syntax 64
Example 65
Related topics 65
log disk 66
Syntax 66
Example 67
Related topics 67
log email-policy 67
Syntax 67
Example 69
Related topics 70
log event-log 70
Syntax 70
Example 71
Related topics 71
log forti-analyzer 71
Syntax 72
Example 73
Related topics 73
log fortianalyzer-policy 73
Syntax 73
Example 74
Related topics 74
log ftp-policy 74
Syntax 74
Related topics 75
log reports 75
Syntax 76
Example 83
Related topics 84
log sensitive 84
Syntax 84
Example 85
Related topics 85
log siem-message-policy 85
Syntax 86
Example 86
Related topics 86
log siem-policy 86
Syntax 87
Example 88
Related topics 88
log syslogd 88
Syntax 89
Example 90

log syslog-policy 90
Syntax 91
Example 92
Related topics 92
log traffic-log 92
Syntax 93
Example 93
Related topics 93
log trigger-policy 93
Syntax 94
Example 95
Related topics 95
router policy 95
Syntax 95
Related topics 96
router setting 97
Syntax 98
Example 98
Related topics 98
router static 98
Syntax 99
Example 100
Related topics 100
server-policy acceleration 100
Syntax 101
Related topics 102
server-policy allow-hosts 103
Syntax 104
Example 105
Related topics 105
server-policy health 105
Syntax 106
Example 109
Related topics 110
server-policy HTTP-content-routing-policy 110
Syntax 110
Example 116
Related topics 116
server-policy ip-group 117
Syntax 117
server-policy pattern custom-data-type 117
Syntax 117
Example 118
118
server-policy pattern custom-global-allow-list-group 118
Syntax 118
Example 121
Related topics 121

server-policy pattern threat-score-profile 121
Syntax 121
Related Topics 124
server-policy pattern threat-weight 124
Syntax 124
Related Topics 136
server-policy persistence-policy 136
Syntax 136
Example 139
Related topics 140
server-policy policy 140
Syntax 141
Example 167
Related topics 167
server-policy server-pool 168
Syntax 168
Example 192
Related topics 192
server-policy service custom 193
Syntax 193
Example 193
Related topics 194
server-policy service predefined 194
Syntax 194
Example 194
Related topics 195
server-policy setting 195
Syntax 195
Related topics 198
server policy traffic-mirror 198
Syntax 198
Example 199
Related topics 199
server-policy vserver 199
Syntax 200
Example 201
Related topics 201
server-policy ztna-profile 201
Syntax 202
Related topics 202
server-policy ztna-rule 203
Syntax 203
Related topics 204
system accprofile 204
Syntax 205
Example 207
Related topics 207
system admin 207

Syntax 208
Example 212
Related topics 212
system admin-certificate ca 212
Syntax 213
Example 213
system admin-certificate intermediate-ca 213
Syntax 213
Example 214
Related topics 214
system admin-certificate intermediate-ca-group 214
Syntax 215
Related topics 215
system admin-certificate local 215
Syntax 216
Example 217
system advanced 217
Syntax 217
Related topics 219
system antivirus 220
Syntax 220
system autoupdate override 221
Syntax 221
Related topics 222
system autoupdate schedule 222
Syntax 223
Example 223
Related topics 223
system autoupdate tunneling 224
Syntax 224
Example 224
Related topics 225
system backup 225
Syntax 225
Related topics 227
system central-management 227
Syntax 227
Example 228
system certificate ca 228
Syntax 228
Example 229
Related topics 229
system certificate ca-group 230
Syntax 230
Example 231
Related topics 231
system certificate crl 231
Syntax 231

Related topics 232
system certificate crl-group 232
Syntax 232
Related topics 233
system certificate intermediate-certificate 233
Syntax 233
Example 234
Related topics 234
system certificate intermediate-certificate-group 234
Syntax 235
Related topics 235
system certificate letsencrypt 235
Syntax 235
237
Related topics 237
system certificate local 237
Syntax 238
Example 239
Related topics 240
system certificate multi-local 240
Syntax 240
Related topics 241
system certificate ocsp-stapling 241
Syntax 241
Related topics 242
system certificate server-certificate-verify 242
Syntax 242
Related topics 243
system certificate sni 243
Syntax 243
Related topics 245
system certificate xml-client-certificate 245
Syntax 245
Related topics 246
system certificate tsl-ca 246
Syntax 246
Related topics 246
system certificate urlcert 247
Syntax 247
Related topics 247
system certificate verify 248
Syntax 248
Related topics 249
system certificate xml-client-certificate-group 249
Syntax 249
Related topics 249
system conf-sync 249

Syntax 250
Related topics 252
system console 252
Syntax 252
Example 253
Related topics 253
system csf 253
Syntax 253
Related topics 254
system decoding enhancement 254
Syntax 255
Example 256
Related Topic(s) 256
system dns 256
Syntax 257
Example 257
Related topics 257
system endpoint-control 258
Syntax 258
Related topics 259
system eventhub 259
Syntax 260
Related topics 260
system fail-open 260
Syntax 261
Related topics 262
system fds proxy 262
Syntax 262
Example 263
system feature-visibility 263
Syntax 264
Related Topics 265
system fips-cc 266
Syntax 266
system firewall address 267
Syntax 267
Related topics 268
system firewall service 268
Syntax 268
Related topics 269
system firewall firewall-policy 269
Syntax 269
Example 271
Related topics 271
system firewall fwmark-policy 272
Syntax 272
Example 273

system firewall dnat policy 273
Syntax 273
Related Topic 275
system firewall snat-policy 275
Syntax 275
Related Topic 276
system fortigate-integration 277
Syntax 277
Related topics 278
system fortisandbox 278
Syntax 278
Example 279
Related topics 279
system global 280
Syntax 280
Example 287
Related topics 287
system ha 287
Syntax 288
Example 300
Related topics 301
system ha-aa-server-policy-hlck 301
Syntax 301
Example 303
system ha-mgmt-router-static 304
Syntax 304
system ha-mgmt-router-policy 305
Syntax 305
system ha-node 306
Syntax 306
Example 306
system icapserver 307
Syntax 307
Example 308
Related topics 308
system ha-traffic-distribution 308
Syntax 308
Example 309
system hsm info 309
Syntax 310
Related topics 310
system hsm partition 310
Syntax 311
Related topics 311
system icapserver 311
Syntax 311
Example 312
Related topics 312

system interface 312
Syntax 313
Example 318
Example 319
Related topics 319
system ip-detection 319
Syntax 319
Related topics 320
system manager-mode 320
Syntax 320
system network-option 321
Syntax 321
Example 325
Related topics 326
system object-tagging 326
Syntax 326
system password-policy 326
Syntax 327
Example 328
system raid 328
Syntax 329
Example 329
Related topics 329
system recaptcha-api 329
Syntax 330
system replacemsg-image 330
Syntax 330
system saml 331
Syntax 331
Related topics 332
system sdn-connector 332
Syntax 332
Related topics 336
system settings 336
Syntax 337
Related topics 339
system snmp community 339
Syntax 339
Example 343
Related topics 343
system snmp sysinfo 343
Syntax 343
Example1234 344
Related topics 345
system snmp user 345
Syntax 345
Example 349
Related topics 349

system sso-admin 349
Syntax 349
Related topics 350
system tcpdump 350
Syntax 350
Related topics 351
system vip 351
Syntax 351
system v-zone 352
Syntax 353
Example 354
Related topics 354
system wccp 354
Syntax 354
Example 357
Related topics 357
system certificate xml-server-certificate 357
Syntax 357
Related topics 358
user admin-usergrp 358
Syntax 358
Example 359
Related topics 359
user kerberos-user 360
Syntax 360
Related topics 361
user ldap-user 361
Syntax 361
Example 364
Related topics 364
user local-user 365
Syntax 365
Example 365
Related topics 366
user ntlm-user 366
Syntax 366
Example 366
Related topics 367
user oauth-user request 367
Syntax 367
Related topics 368
user oauth-user server 368
Syntax 368
Related topics 369
user pki-user 370
Syntax 370
Example 370
user radius-user 371

Syntax 371
Related topics 373
user recaptcha-user 373
Syntax 373
user saml-user 373
Syntax 374
Example 375
Related topic 375
user tacacs+ user 375
Related topics 376
user user-group 376
Syntax 376
Example 378
Related topics 378
wad file-filter 378
Syntax 378
Example 379
Related topics 379
wad website 379
Syntax 380
Example 383
Related topics 383
waf allow-method-exceptions 384
Syntax 384
Example 386
Related topics 386
waf allow-method-policy 386
Syntax 387
Example 388
Related topics 388
waf api-learning-policy 389
Syntax 389
waf api-learning-rule 391
waf api-policy 392
Syntax 392
Related topics 392
waf api-rules 392
Syntax 393
Related topics 397
waf api-users 397
Syntax 397
Related topics 399
waf api-user-group 399
Syntax 400
Related topics 400
waf application-layer-dos-prevention 400
Syntax 400

Example 402
Related topics 402
waf base-signature-disable 402
Syntax 402
Example 403
Related topics 403
waf biometrics-based-detection 403
Syntax 403
Related topics 405
waf bot-detection-policy 405
Syntax 406
waf bot-mitigation-policy 415
Syntax 415
Related topics 416
waf cookie-security 416
Syntax 416
Related topics 420
waf csrf-protection 420
Syntax 420
Example 423
waf custom-access policy 423
Syntax 424
Example 424
Related topics 424
waf custom-access rule 425
Syntax 425
Example 440
Related topics 441
waf custom-protection-group 441
Syntax 441
Example 442
Related topics 442
waf custom-protection-rule 442
Syntax 442
Example 446
Related topics 447
waf exclude-url 447
Syntax 447
Example 448
Related topics 449
waf file-compress-rule 449
Syntax 449
Example 450
Related topics 451
waf file-upload-restriction-policy 451
Syntax 451
Related topics 454
waf file-upload-restriction-rule 454

Syntax 454
Example 458
Related topics 458
waf ftp-command-restriction-rule 459
Syntax 459
Related Topic 461
waf ftp-file-security 461
Syntax 461
Related Topic 463
waf ftp-protection-profile 463
Syntax 464
Related Topics 464
waf geo-block-list 465
Syntax 465
Example 466
Related topics 467
waf geo-ip-except 467
Syntax 467
Example 468
Related topics 468
waf hidden-fields-protection 468
Syntax 468
Related topics 469
waf hidden-fields-rule 469
Syntax 470
Example 473
Related topics 473
waf HTTP-authen HTTP-authen-policy 473
Syntax 473
Example 474
Related topics 475
waf HTTP-authen HTTP-authen-rule 476
Syntax 476
Example 478
Related topics 478
waf HTTP-connection-flood-check-rule 478
Syntax 478
Related topics 479
waf HTTP-constraints-exceptions 480
Syntax 480
Example 485
Related topics 485
waf HTTP-header-security 485
Syntax 486
Example 488
waf HTTP-protocol-parameter-restriction 488
Syntax 489
Example 492

Related topics 492
waf HTTP-request-flood-prevention-rule 492
Syntax 492
Example 495
Related topics 495
waf input-rule 496
Syntax 496
Example 500
Related topics 501
waf ip-intelligence 501
Syntax 501
Example 503
Related topics 504
waf ip-intelligence-exception 504
Syntax 504
Example 504
Related topics 505
waf ip-list 505
Syntax 505
Example 508
Related topics 508
waf json-schema 508
Syntax 509
Related topics 509
waf json-schema group 509
Syntax 509
Related topics 510
waf json-validation rule 510
Syntax 510
Example 514
Related topics 514
waf known-bots 514
Syntax 515
Related Topics 526
waf layer4-access-limit-rule 526
Syntax 526
Example 529
Related topics 530
waf layer4-connection-flood-check-rule 530
Syntax 530
Example 531
Related topics 532
waf link-cloaking link-cloaking-rule 532
waf link-cloaking link-cloaking-policy 533
waf machine-learning url-replacer-rule/policy 534
Syntax 534
Related Topic 537

waf machine-learning-policy 537
Syntax 537
Related Topics 543
waf mitb-policy 543
Syntax 543
Related topics 544
waf mitb-rule 544
Syntax 544
Related topics 545
waf mobile-api-protection 546
Syntax 546
waf openapi-file 548
Syntax 548
Related topics 548
waf openapi-validation-policy 548
Syntax 549
Related topics 549
waf padding-oracle 550
Syntax 550
Example 553
Related topics 553
waf parameter-validation-rule 553
Syntax 554
Example 554
Related topics 555
waf signature 555
Syntax 556
Example 563
Related topics 563
waf signature_update_policy 564
Syntax 564
Example 564
Related topics 564
waf site-publish-helper authentication-server-pool 564
Syntax 564
Example 565
Related topics 565
waf site-publish-helper form-based-delegation 565
Syntax 566
waf site-publish-helper policy 566
Syntax 567
Example 568
Related topics 569
waf site-publish-helper rule 569
Syntax 570
Example 580
Related topics 581
waf staged_signature_list 581

Syntax 581
Example 582
Related topics 582
waf syntax-based-attack-detection 582
Syntax 582
Related topics 599
waf threshold-based-detection 600
Syntax 600
Related Topics 605
waf url-access url-access-policy 606
Syntax 606
Example 606
Related topics 607
waf url-encryption 607
Syntax 607
Related topics 609
waf url-access-parameter 610
Syntax 610
waf url-access url-access-rule 610
Syntax 611
Example 615
Related topics 616
waf url-rewrite url-rewrite-policy 616
Syntax 616
Related topics 617
waf url-rewrite url-rewrite-rule 617
Syntax 618
Related topics 624
waf user-tracking policy 624
Syntax 624
waf user-tracking rule 625
Syntax 625
Example 630
Related topics 631
waf web-cache-exception 631
Syntax 631
Related topics 633
waf web-cache 633
Syntax 633
Related topics 636
waf web-protection-profile inline-protection 636
Syntax 637
Related topics 644
waf web-protection-profile offline-protection 645
Syntax 646
Related topics 651
waf webshell-detection-policy 651

Syntax 652
Related topics 654
waf websocket-security rule 654
Syntax 655
Related topics 656
waf websocket-security policy 656
Syntax 656
Related topics 657
waf ws security 657
Syntax 657
Related topics 659
waf x-forwarded-for 659
Syntax 660
Example 663
waf xml-exempted-urls 663
Syntax 663
Related topics 664
waf xml-schema 664
Syntax 665
Related topics 665
waf xml-validation 665
Syntax 665
Example 670
Related topics 671
waf xml-wsdl 671
Syntax 671
Related topics 672
wvs limit 672
Syntax 672
Example 673
Related topics 673
wvs policy 673
Syntax 673
Example 674
Related topics 675
wvs profile 675
Syntax 675
Related topics 678
wvs schedule 679
Syntax 679
Example 680
Related topics 680
wvs template 680
Syntax 680
Example 681
Related topics 681

diagnose 682
debug 682
Syntax 683
Related topics 683
debug application 683
Syntax 684
Related topics 684
debug asan 684
Syntax 684
debug cli 685
Syntax 685
Related topics 686
debug cmdb 686
Syntax 686
Related topics 687
debug comlog 687
Syntax 687
debug console timestamp 687
Syntax 688
Related topics 688
debug coredumplog 688
Syntax 688
Related Topic 688
debug crashlog 689
Syntax 689
Example 689
debug daemonlog 689
Syntax 690
Related Topic 690
debug dnsproxy list 690
Syntax 690
Example 690
Related topics 690
debug emerglog 690
Syntax 691
debug flow filter 691
Syntax 691
Related topics 692
debug flow filter module-detail 692
Syntax 692
Related topics 693
debug flow reset 693
Syntax 693
Related topics 694
debug flow trace 694
Syntax 694
Example 694

Related topics 696
debug ha 697
Syntax 697
debug info 698
Syntax 698
Example 698
Related topics 698
debug init 699
Syntax 699
debug jemalloc-heap 699
Syntax 699
debug kernlog 700
Syntax 700
Related Topic 700
debug netstatlog 700
Syntax 700
Related Topic 700
debug proxy log 700
Syntax 701
Related Topic 701
debug reset 701
Syntax 701
Related topics 701
debug shell-access history show 701
Syntax 702
debug trace report 702
Syntax 702
Related topics 702
debug trace tcpdump 702
Syntax 703
Related topics 703
debug upload 703
Syntax 703
Example 704
Related topics 704
hardware bypass info 704
Syntax 704
hardware check 704
Syntax 705
Example 705
hardware cpld info 705
Syntax 705
hardware cpu 706
Syntax 706
Example 706
Related topics 706
hardware fail-open 707

hardware harddisk 707
Syntax 707
Example 707
Related topics 707
hardware interrupts 708
Syntax 708
Example 708
Related topics 709
hardware logdisk info 709
Syntax 709
Example 709
Related topics 709
hardware mem 709
Syntax 710
Example 710
Related topics 711
hardware nic 711
Syntax 711
Example 712
Related topics 713
hardware raid list 713
Syntax 713
Example 713
Related topics 713
hardware raid-card info 714
Syntax 714
index 714
Syntax 714
Example 714
Related topics 715
log 715
Syntax 715
Example 715
Related topics 716
network arp 716
Syntax 716
Example 716
Related topics 717
network ip 717
Syntax 717
Example 718
Example 718
Related topics 718
network route 718
Syntax 719
Example 719
Example 720
Related topics 720

network rtcache 720
Syntax 720
Example 720
Example 721
Related topics 721
network sniffer 721
Syntax 722
Example 723
Example 724
Example 724
network tcp list 726
Syntax 727
Example 727
Related topics 727
network udp list 727
Syntax 728
Example 728
Related topics 728
policy 728
Syntax 728
Example 729
Related topics 730
system endpoint-control 730
Syntax 730
system flash 730
Syntax 731
Example 731
Related topics 731
system ha backup-config 731
Syntax 731
Example 732
732
system ha confd_status 732
Syntax 732
Example 732
system ha dev-info 733
Syntax 733
Example 733
system ha export-eventlog 734
Syntax 734
Example 735
735
system ha file-log 735
Syntax 735
system ha file-stat 735
Syntax 735
Example 735
Related topics 736

system ha interface-macinfo 736
Syntax 736
Example 736
Related topics 737
system ha mac 737
Syntax 737
Example 737
Related topics 738
system ha md5fixed 738
system ha md5sum-gen 738
system ha nodes 738
Syntax 738
Example 738
system ha sessions_stat 739
Syntax 739
Example 739
system ha status 740
Syntax 740
Example 740
Related topics 740
system ha sync-config 740
Syntax 741
system ha sync-stat 741
Syntax 741
Example 741
Related topics 742
system ha traffic-distribution 742
Syntax 742
Example 742
system jeprof 743
Syntax 743
system kill 743
Syntax 743
Related topics 744
system mount 744
Syntax 744
Example 745
Related topics 745
system top 745
Syntax 745
Example 745
Related topics 746
system update info 747
Syntax 747
Example 747
test application 750

execute 751
backup cert-config 751
Syntax 751
Example 751
Related topics 751
backup cli-config 752
Syntax 752
Example 753
Related topics 753
backup full-config 753
Syntax 753
Example 754
Related topics 754
backup full-config-with-ML-data 754
Syntax 754
Example 755
Related topics 755
backup web-protection-profile 755
Syntax 755
Example 756
Related topics 756
batch 756
Syntax 756
create-raid level 757
Syntax 757
Related topics 758
create-raid rebuild 758
Syntax 758
Example 758
Related topics 758
date 759
Syntax 759
Example 759
Related topics 759
db rebuild 759
Syntax 760
Related topics 760
dnscache-cleanup 760
Syntax 760
erase-disk 760
Syntax 760
factoryreset 761
Syntax 761
Related topics 761
fctems 761
Syntax 761
Related topics 762

fdnserver delete 762
Syntax 762
Related topics 762
fdnserver show 762
Syntax 762
Example 762
Related topics 762
formatlogdisk 763
Syntax 763
Related topics 763
ha disconnect 763
Syntax 764
Example 764
Related topics 764
ha manage 764
Syntax 765
Example 765
Related topics 765
ha md5sum 765
Syntax 766
Example 766
Related topics 766
ha synchronize 766
Syntax 766
Example 767
Related topics 767
icap-cache-clear 767
Syntax 767
Example 768
ping 768
Syntax 768
Example 768
Example 769
Related topics 769
ping6 769
Syntax 770
Example 770
Related topics 770
ping-options 770
Syntax 771
Example 772
Related topics 772
ping6-options 772
Syntax 772
Example 773
Related topics 774
reboot 774
Syntax 774

Example 774
Related topics 775
redis rebuild 775
Syntax 775
Related topics 775
remove vmlicense 775
Syntax 775
Example 775
Related Topics 776
restore cert-config 776
Syntax 776
Example 776
Related topics 777
restore config 777
Syntax 777
Example 777
Related topics 778
restore image 778
Syntax 778
Example 778
Related topics 779
restore secondary-image 779
Syntax 779
Example 779
Related topics 780
restore vmlicense 780
Syntax 780
Example 781
sandbox-cache-clear 781
Syntax 781
Example 781
session-cleanup 781
Syntax 782
shutdown 782
Syntax 782
Example 782
Related topics 782
telnet 783
Syntax 783
Example 783
Related topics 783
telnettest 783
Syntax 784
Example 784
Related topics 784
time 785
Syntax 785
Example 785

Related topics 785
traceroute 785
Syntax 786
Example 786
Example 786
Example 786
Related topics 787
update-now 787
Syntax 787
get 788
system fortisandbox-statistics 789
Syntax 789
Example 790
Related topics 790
system performance 790
Syntax 790
Example 790
Related topics 791
system status 791
Syntax 791
Example 791
Related topics 792
waf predefined-global-allow-list 792
Syntax 792
waf signature-rules 792
Syntax 792
Example 792
Related topics 793
show 794

Introduction

This document describes how to use the command line interface (CLI) of FortiWeb. It assumes that you have already successfully deployed FortiWeb and completed basic setup by following the instructions in the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides.

Scope

At this stage:

- You have administrative access to the web UI and/or CLI.
- The FortiWeb appliance is integrated into your network.
- You have completed firmware updates, if applicable.
- The system time, DNS settings, administrator password, and network interfaces are configured.
- You have set the operation mode.
- You have configured basic logging.
- You have created at least one server policy.
- You have completed at least one phase of auto-learning to jump-start your configuration.

Once that basic installation is complete, you can use this document. This document explains how to use the CLI to:

- Update the FortiWeb appliance.
- Reconfigure features.
- Use advanced features, such as XML protection and reporting.
- Diagnose problems.

This document does not cover the web UI or first-time setup. For that information, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides.

Conventions

This document uses the conventions described in this section.

IP addresses

To avoid IP conflicts that would occur if you used examples in this document with public IP addresses that belong to a real organization, the IP addresses used in this document are fictional. They belong to the private IP address ranges defined by these RFCs:

- RFC 1918: Address Allocation for Private Internets
  https://tools.ietf.org/html/rfc1918
- RFC 5737: IPv4 Address Blocks Reserved for Documentation
  https://tools.ietf.org/html/rfc5737
- RFC 3849: IPv6 Address Prefix Reserved for Documentation
  https://tools.ietf.org/html/rfc3849

For example, even though a real network's Internet-facing IP address would be routable on the public Internet, in this document's examples, the IP address would be shown as a non-Internet-routable IP such as 192.0.2.108, 198.51.100.155, or 203.0.113.79.

Cautions, notes, & tips

This document uses the following guidance and styles for notes, tips and cautions.

Caution   Warns you about procedures or feature behaviors that could have unexpected or undesirable results, including loss of data or damage to equipment.

Note      Highlights important, possibly unexpected but non-destructive, details about a feature's behavior.

Tip       Presents best practices, troubleshooting, performance tips, or alternative methods.

Typographic conventions

Convention                    Example

Button, menu, text box,       From Minimum log level, select Notification.
field, or check box label

CLI input                     config system dns
                                set primary <address_ipv4>
                              end

CLI output                    FortiWeb# diagnose hardware logdisk info
                              disk number: 1
                              disk[0] size: 31.46GB
                              raid level: no raid exists
                              partition number: 1
                              mount status: read-write

Emphasis                      HTTP connections are not secure and can be intercepted by a third party.

File content                  <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                              <BODY><H4>You must authenticate to use this service.</H4>

Hyperlink                     https://support.fortinet.com

Keyboard entry                Enter a name for the remote VPN peer or client, such as Central_Office_1.

Navigation                    Go to VPN > IPSEC > Auto Key (IKE).

Publication                   For details, see the FortiWeb Administration Guide:
                              https://docs.fortinet.com/fortiweb/admin-guides.

Command syntax

The CLI requires that you use valid syntax, and conform to expected input constraints. It will reject invalid commands.
For command syntax conventions such as braces, brackets, and command constraints such as <address_ipv4>, see
Notation on page 40.

Using the CLI

The command line interface (CLI) is an alternative to the web UI.

You can use either interface or both to configure the FortiWeb appliance. In the web UI, you use buttons, icons, and forms. In the CLI, you either type text commands or upload batches of commands from a text file, like a configuration script.

If you are new to FortiWeb, or if you are new to the CLI, this section can help you to become familiar with using it.

Connecting to the CLI

You can access the CLI in two ways:

- Locally: Connect your computer, terminal server, or console directly to the FortiWeb appliance's console port.
- Through the network: Connect your computer through any network attached to one of the FortiWeb appliance's network ports. To connect using a Secure Shell (SSH) or Telnet client, enable the network interface for Telnet or SSH administrative access. Enable HTTP/HTTPS administrative access to connect using the CLI Console widget in the web UI.

Local access is required in some cases, including when you're:

- Installing FortiWeb for the first time. Until it is configured to connect to your network, you may only be able to connect to the CLI using a local console connection, unless you reconfigure your computer's network settings for a peer connection. For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides
- Restoring the firmware, which uses a boot interrupt. Network access to the CLI is not available until after the boot process completes, and therefore local CLI access is the only viable option.

Before you can access the CLI through the network, you must enable SSH, HTTP/HTTPS, and/or Telnet on the network interface through which you will access the CLI.

Connecting to the CLI using a local console

Local console connections to the CLI are formed by directly connecting your management computer or console to the FortiWeb appliance, using its DB-9 console port.

Requirements

- A computer with an available serial communications (COM) port
- The RJ-45-to-DB-9 or null modem cable included in your FortiWeb package
- Terminal emulation software such as PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)

Note: The following instructions describe connecting to the CLI using PuTTY; steps may vary with other terminal emulators.

To connect to the CLI using a local console connection

1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiWeb appliance's console port to the serial communications (COM) port on your management computer.
2. On your management computer, start PuTTY.
3. In the Category tree on the left, go to Connection > Serial and configure these settings:

   Serial line to connect to   COM1 (or, if your computer has multiple serial ports, the name of the connected serial port)
   Speed (baud)                9600
   Data bits                   8
   Stop bits                   1
   Parity                      None
   Flow control                None

4. In the Category tree on the left, go to Session (not the sub-node, Logging).
5. From Connection type, select Serial.
6. Click Open.
7. Press the Enter key to initiate a connection.
8. Enter a valid administrator account name (such as admin), then press Enter.
9. Enter the password for that administrator account and press Enter. By default, there is no password for the admin account.

   The CLI displays the following text, followed by a command line prompt:

   Welcome!

You can now enter CLI commands, and configure access to the CLI through SSH or Telnet. For details, see Enabling access to the CLI through the network (SSH or Telnet or CLI Console widget) on page 34.

Enabling access to the CLI through the network (SSH or Telnet or CLI Console widget)

SSH, Telnet, or CLI Console widget (via the web UI) access to the CLI requires connecting your computer to the
FortiWeb appliance using one of its RJ-45 network ports. You can either connect directly, using a peer connection
between the two, or through any intermediary network.

If you do not want to use an SSH/Telnet client and you have access to the web UI,
you can alternatively access the CLI through the network using the CLI Console
widget in the web UI. For details, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides

You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your
computer is not connected directly or through a switch, you must also configure the FortiWeb appliance with a static
route to a router that can forward packets from the FortiWeb appliance to your computer. For details, see router static on
page 98.
You can do this using either:
• A local console connection (see the following procedure)
• The web UI (see the FortiWeb Administration Guide; http://docs.fortinet.com/fortiweb/admin-guides)

Requirements

• A computer with an available serial communications (COM) port and RJ-45 port
• Terminal emulation software such as PuTTY
  (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
• The RJ-45-to-DB-9 or null modem cable included in your FortiWeb package
• A crossover Ethernet cable (if connecting directly) or straight-through Ethernet cable (if connecting through a switch
  or router)
• Prior configuration of the operating mode, network interface, and static route

To enable SSH or Telnet access to the CLI using a local console connection

1. Using the network cable, connect the FortiWeb appliance’s network port either directly to your computer’s network port,
   or to a network through which your computer can reach the FortiWeb appliance.
2. Note the number of the physical network port.
3. Using a local console connection, connect and log into the CLI. For details, see Connecting to the CLI using a local
   console on page 33.
4. Enter the following commands:
   config system interface
     edit <interface_name>
       set allowaccess {http https ping snmp ssh telnet}
   end

   where:
   • <interface_name> is the name of the network interface associated with the physical network port, such as
     port1
   • {http https ping snmp ssh telnet} is the complete, space-delimited list of permitted administrative
     access protocols, such as https ssh telnet; omit protocols that you do not want to permit
   For example, to exclude HTTP, SNMP, and Telnet, and allow only HTTPS, ICMP ECHO (ping), and SSH administrative
   access on port1:
   config system interface
     edit "port1"
       set allowaccess ping https ssh
     next
   end

   Telnet is not a secure access method. SSH should be used to access the CLI from
   the Internet or any other untrusted network.

5. To confirm the configuration, enter the command to view the access settings for the interface.
   show system interface <interface_name>

   The CLI displays the settings, including the management access settings, for the interface.
6. If you will be connecting indirectly, through one or more routers or firewalls, configure the appliance with at least one
   static route so that replies from the CLI can reach your client. See router static on page 98.
7. To connect to the CLI through the network interface, see Connecting to the CLI using SSH on page 36 or Connecting to
   the CLI using Telnet on page 37.
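Because set allowaccess replaces the whole protocol list, removing Telnet or HTTP from an interface means restating every protocol that should remain. The following added example (not part of the FortiWeb CLI Reference) parses show system interface style output, flags interfaces that still permit telnet or http, and builds the replacement commands; the sample output is constructed to mirror the config system interface syntax shown above.

```python
"""Audit 'show system interface' output for unencrypted management access
and build the 'set allowaccess' lines that remove it.

Added example, not Fortinet code. SAMPLE_SHOW_OUTPUT is constructed in the
config/edit/set/next/end form the CLI Reference shows; a real appliance
prints more fields per interface, which this parser simply ignores.
"""
import re

# Management protocols the CLI Reference describes as not secure.
INSECURE_PROTOCOLS = {"telnet", "http"}

# Constructed sample (not captured from a real appliance).
SAMPLE_SHOW_OUTPUT = """\
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh telnet
    next
    edit "port2"
        set ip 198.51.100.10 255.255.255.0
        set allowaccess http https ssh
    next
    edit "port3"
        set ip 203.0.113.10 255.255.255.0
    next
end
"""

_EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
_ALLOW_RE = re.compile(r'^\s*set\s+allowaccess\s+(.+?)\s*$')


def parse_allowaccess(show_output):
    """Return {interface_name: [protocol, ...]} from 'show' style output.

    An interface without a 'set allowaccess' line permits no management
    access at all, so it maps to an empty list.
    """
    interfaces = {}
    current = None
    for line in show_output.splitlines():
        m = _EDIT_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        m = _ALLOW_RE.match(line)
        if m and current is not None:
            interfaces[current] = m.group(1).split()
        elif line.strip() == "next":
            current = None
    return interfaces


def insecure_interfaces(show_output):
    """Return {interface_name: sorted insecure protocols} for every interface
    that still exposes telnet or http management access."""
    result = {}
    for name, protocols in parse_allowaccess(show_output).items():
        bad = sorted(INSECURE_PROTOCOLS.intersection(protocols))
        if bad:
            result[name] = bad
    return result


def hardened_allowaccess_commands(show_output):
    """Build the CLI lines that drop telnet/http from each affected interface.

    'set allowaccess' replaces the whole list rather than appending, so the
    generated line restates every protocol that is to remain, in the order
    the appliance already had them. Returns [] when nothing needs changing.
    """
    lines = ["config system interface"]
    changed = False
    for name, protocols in parse_allowaccess(show_output).items():
        keep = [p for p in protocols if p not in INSECURE_PROTOCOLS]
        if keep == protocols:
            continue
        changed = True
        lines.append(f'    edit "{name}"')
        if keep:
            lines.append("        set allowaccess " + " ".join(keep))
        else:
            # Nothing permitted remains: 'unset' returns the field to its default.
            lines.append("        unset allowaccess")
        lines.append("    next")
    lines.append("end")
    return lines if changed else []


if __name__ == "__main__":
    print(insecure_interfaces(SAMPLE_SHOW_OUTPUT))
    print("\n".join(hardened_allowaccess_commands(SAMPLE_SHOW_OUTPUT)))
```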

Connecting to the CLI using SSH

Once you configure the FortiWeb appliance to accept SSH connections, you can use an SSH client on your
management computer to connect to the CLI.
Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. Supported SSH
protocol versions, ciphers, and bit strengths vary by whether or not you have enabled FIPS-CC mode or are using a low
encryption (LENC) version, but generally include SSH version 2 with AES-128, 3DES, Blowfish, and SHA-1.

Requirements

• A computer with an RJ-45 Ethernet port
• A crossover Ethernet cable
• A FortiWeb network interface configured to accept SSH connections (see Enabling access to the CLI through the
  network (SSH or Telnet or CLI Console widget) on page 34)
• An SSH client such as PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)

The following procedure describes connection using PuTTY software; steps may
vary with other terminal emulators.

To connect to the CLI using SSH

1. On your management computer, start PuTTY.
   Initially, the Session category of settings is displayed.
2. In Host Name (or IP Address), enter the IP address of a network interface on which you have enabled SSH
   administrative access.
3. In Port, enter 22.
4. For Connection type, select SSH.
5. Click Open.
   The SSH client connects to the FortiWeb appliance.
   The SSH client may display a warning if this is the first time you are connecting to the FortiWeb appliance and its SSH
   key is not yet recognized by your SSH client, or if you have previously connected to the FortiWeb appliance but it used a
   different IP address or SSH key. If your management computer is directly connected to the FortiWeb appliance with no
   network hosts between them, this is normal.
6. Click Yes to verify the fingerprint and accept the FortiWeb appliance’s SSH key. You will not be able to log in until you
   have accepted the key.
7. Enter a valid administrator account name (such as admin) and press Enter.
   Alternatively, you can log in using an SSH key. For details, see system admin on page 207.
8. Enter the password for this administrator account and press Enter.

   If three incorrect login or password attempts occur in a row, you will be disconnected.
   Wait one minute, then reconnect to attempt the login again.

The FortiWeb appliance displays a command prompt—its host name followed by a #. You can now enter CLI
commands.

Connecting to the CLI using Telnet

Once the FortiWeb appliance is configured to accept Telnet connections, you can use a Telnet client on your
management computer to connect to the CLI.

Telnet is not a secure access method. SSH should be used to access the CLI from
the Internet or any other untrusted network.

Requirements

• A computer with an RJ-45 Ethernet port
• A crossover Ethernet cable
• A FortiWeb network interface configured to accept Telnet connections (see Enabling access to the CLI through the
  network (SSH or Telnet or CLI Console widget) on page 34)
• Terminal emulation software such as PuTTY
  (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)

The following procedure describes connection using PuTTY software; steps may
vary with other terminal emulators.

To connect to the CLI using Telnet

1. On your management computer, start PuTTY.
2. In Host Name (or IP Address), type the IP address of a network interface on which you have enabled Telnet
   administrative access.
3. In Port, enter 23.
4. For Connection type, select Telnet.
5. Click Open.
6. Type a valid administrator account name (such as admin) and press Enter.
7. Type the password for this administrator account and press Enter.
The FortiWeb appliance displays a command prompt—its host name followed by a #. You can now enter CLI
commands.

If three incorrect login or password attempts occur in a row, you will be disconnected.
Wait one minute, then reconnect to attempt the login again.

Command syntax

When entering a command, the CLI requires that you use valid syntax and conform to expected input constraints. It will
reject invalid commands.
For example, if you do not type the entire object that will receive the action of a command operator such as config, the
CLI will return an error message such as:
Command fail. CLI parsing error

This document uses the following conventions to describe valid command syntax.

Terminology

Each command line consists of a command word followed by words for the configuration data or other specific item that
the command uses or affects, for example:
get system admin

This document uses the below terms to describe the function of each word in the command line.

Command syntax terminology

• Command—A word that begins the command line and indicates an action that FortiWeb should perform on a part
  of the configuration or host on the network, such as config or execute. Together with other words, such as fields
  or values, that you terminate by pressing the Enter key, it forms a command line. Exceptions include multi-line
  command lines, which can be entered using an escape sequence. For details, see Shortcuts & key commands on
  page 48.
  Valid command lines must be unambiguous if abbreviated. For details, see Command abbreviation on page 49.
  Optional words or other command line permutations are indicated by syntax notation. For details, see Notation on
  page 40.
  If you do not enter a known command, the CLI will return an error message such as:
  Unknown action 0
• Subcommand—A kind of command that is available only when nested within the scope of another command. After
  entering a command, its applicable subcommands are available to you until you exit the scope of the command, or
  until you descend an additional level into another subcommand. Indentation is used to indicate levels of nested
  commands. For details, see Indentation on page 40.
  Not all top-level commands have subcommands. Available subcommands vary by their containing scope. For
  details, see Subcommands on page 42.
• Object—A part of the configuration that contains tables and/or fields. Valid command lines must be specific enough
  to indicate an individual object.
• Table—A set of fields that is one of possibly multiple similar sets that each have a name or number, such as an
  administrator account, policy, or network interface. These named or numbered sets are sometimes referenced by
  other parts of the configuration that use them. For details, see Notation on page 40.
• Field—The name of a setting, such as ip or hostname. Fields in some tables must be configured with values.
  Failure to configure a required field will result in an invalid object configuration error message, and the FortiWeb
  appliance will discard the invalid table.
• Value—A number, letter, IP address, or other type of input that is usually the configuration setting held by a field.
  Some commands, however, require multiple input values which may not be named but are simply entered in
  sequential order in the same command line. Valid input types are indicated by constraint notation. For details, see
  Notation on page 40.
• Option—A kind of value that must be one or more words from a fixed set of options. For details, see Notation on
  page 40.

Indentation

Indentation indicates levels of nested commands, which indicate what other subcommands are available from within the
scope.
For example, the edit subcommand is available only within a command that affects tables, and the next subcommand
is available only from within the edit subcommand:
config system interface
  edit port1
    set status up
  next
end

For details about available subcommands, see Subcommands on page 42.

Notation

Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as
<address_ipv4>, indicate which data types or string patterns are acceptable value input.

If you do not use the expected data type, the CLI returns an error message such as:
object set operator error, -4003 discard the setting
The request URL must start with "/" and without domain name.

or:
invalid unsigned integer value :-:
value parse error before '-'
Input value is invalid.

and may either reject or discard your settings instead of saving them when you type
end.

Command syntax notation

Square brackets [ ]
  A non-required (optional) word or words. For example:
  [verbose {1 | 2 | 3}]
  indicates that you may either omit or type both the verbose word and its
  accompanying option, such as:
  verbose 3

Curly braces { }
  A word or series of words that is constrained to a set of options delimited
  by either vertical bars or spaces.
  You must enter at least one of the options, unless the set of options is
  surrounded by square brackets [ ].

  Options delimited by vertical bars |
    Mutually exclusive options. For example:
    {enable | disable}
    indicates that you must enter either enable or disable, but must not
    enter both.

  Options delimited by spaces
    Non-mutually exclusive options. For example:
    {http https ping snmp ssh telnet}
    indicates that you may enter all or a subset of those options, in any order, in
    a space-delimited list, such as:
    ping https ssh
    Note: To change the options, you must re-type the entire list. For example,
    to add snmp to the previous example, you would type:
    ping https snmp ssh
    If the option adds to or subtracts from the existing list of options, instead of
    replacing it, or if the list is comma-delimited, the exception will be noted.

Angle brackets < >
  A word constrained by data type.
  To define acceptable input, the angled brackets contain a descriptive
  name followed by an underscore ( _ ) and suffix that indicates the valid
  data type. For example:
  <retries_int>
  indicates that you should enter a number of retries, such as 5.
  Data types include:
  • <xxx_name>—A name referring to another part of the configuration,
    such as policy_A.
  • <xxx_index>—An index number referring to another part of the
    configuration, such as 0 for the first static route.
  • <xxx_pattern>—A regular expression or word with wild cards that
    matches possible variations, such as *@example.com to match all
    e-mail addresses ending in @example.com.
  • <xxx_fqdn>—A fully qualified domain name (FQDN), such as
    mail.example.com.
  • <xxx_email>—An email address, such as
    [email protected].
  • <xxx_url>—A uniform resource locator (URL) and its associated
    protocol and host name prefix, which together form a uniform
    resource identifier (URI), such as http://www.fortinet.com/.
  • <xxx_ipv4>—An IPv4 address, such as 192.0.2.99.
  • <xxx_v4mask>—A dotted decimal IPv4 netmask, such as
    255.255.255.0.
  • <xxx_ipv4mask>—A dotted decimal IPv4 address and netmask
    separated by a space, such as 192.0.2.99 255.255.255.0.
  • <xxx_ipv4/mask>—A dotted decimal IPv4 address and CIDR-notation
    netmask separated by a slash, such as 192.0.2.99/24.
  • <xxx_ipv6>—A colon(:)-delimited hexadecimal IPv6 address,
    such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
  • <xxx_v6mask>—An IPv6 netmask, such as /96.
  • <xxx_ipv6mask>—An IPv6 address and netmask separated by a
    space.
  • <xxx_str>—A string of characters that is not another data type,
    such as P@ssw0rd. Strings containing spaces or special characters
    must be surrounded in quotes or use escape sequences. For details,
    see Special characters on page 49.
  • <xxx_int>—An integer number that is not another data type, such
    as 15 for the number of minutes.

Subcommands

Once you connect to the CLI, you can enter commands.
Each command line consists of a command word that is usually followed by words for the configuration data or other
specific item that the command uses or affects, for example:
get system admin

Subcommands are available from within the scope of some commands. When you enter a subcommand level, the
command prompt changes to indicate the name of the current command scope. For example, after entering:
config system admin

the command prompt becomes:
(admin)#

Applicable subcommands are available to you until you exit the scope of the command, or until you descend an
additional level into another subcommand.
For example, the edit subcommand is available only within a command that affects tables; the next subcommand is
available only from within the edit subcommand:
config system interface
  edit port1
    set status up
  next
end

Available subcommands vary by command. From a command prompt within config, two types of subcommands might
become available:
• Commands that affect fields (see Field commands on page 45)
• Commands that affect tables (see Table commands on page 43)

Subcommand scope is indicated in this CLI Reference by indentation. For details, see Indentation on
page 40.
Syntax examples for each top-level command in this CLI Reference do not show all available subcommands.
However, when nested scope is demonstrated, you should assume that
subcommands applicable for that level of scope are available.

Table commands

delete <table_name>
  Remove a table from the current object.
  For example, in config system admin, you could delete an
  administrator account named newadmin by typing delete newadmin
  and pressing Enter. This deletes newadmin and all its fields, such as
  newadmin’s first-name and email-address.
  delete is only available within objects containing tables.

edit <table_name>
  Create or edit a table in the current object.
  For example, in config system admin:
  • Edit the settings for the default admin administrator account by
    typing edit admin.
  • Add a new administrator account with the name newadmin and edit
    newadmin‘s settings by entering edit newadmin.
  edit is an interactive subcommand: further subcommands are available
  from within edit.
  edit changes the prompt to reflect the table you are currently editing.
  edit is only available within objects containing tables.

end
  Save the changes to the current object and exit the config command.
  This returns you to the top-level command prompt.

get
  List the configuration of the current object or table.
  • In objects, get lists the table names (if present), or fields and their
    values.
  • In a table, get lists the fields and their values.
  For more information on get commands, see get on page 788.

purge
  Remove all tables in the current object.
  For example, in config user local-user, you could type get to see
  the list of all local user names, then type purge and then y to confirm that
  you want to delete all users.
  purge is only available for objects containing tables.
  Caution: Back up the FortiWeb appliance before performing a purge
  because it cannot be undone. To restore purged tables, the configuration
  must be restored from a backup. For details, see backup cli-config on
  page 752.
  Caution: Do not purge system interface or system admin tables.
  This can result in being unable to connect or log in, requiring the
  FortiWeb appliance to be formatted and restored.

show
  Display changes to the default configuration. Changes are listed in the
  form of configuration commands.
  For more information on show commands, see show on page 794.

Example of table commands

From within the system admin object, you might enter:
edit admin_1

The CLI acknowledges the new table, and changes the command prompt to show that you are now within the admin_1
table:
new entry 'admin_1' added
(admin_1)#

Field commands

abort
  Exit both the edit and/or config commands without saving the fields.

end
  Save the changes made to the current table or object fields, and exit the
  config command. To exit without saving, use abort instead.

get
  List the configuration of the current object or table.
  • In objects, get lists the table names (if present), or fields and their
    values.
  • In a table, get lists the fields and their values.

next
  Save the changes you have made in the current table’s fields, and exit
  the edit command to the object prompt. To save and exit completely to
  the root prompt, use end instead.
  next is useful when you want to create or edit several tables in the same
  object, without leaving and re-entering the config command each time.
  next is only available from a table prompt; it is not available from an
  object prompt.

set <field_name> <value>
  Set a field’s value.
  For example, in config system admin, after entering edit admin,
  you could enter set password newpass to change the password of
  the admin administrator to newpass.
  Note: When using set to change a field containing a space-delimited list,
  enter the whole new list. For example, set <field> <new-value>
  will replace the list with the <new-value> rather than appending <new-value>
  to the list.

show
  Display changes to the default configuration. Changes are listed in the
  form of configuration commands.

unset <field_name>
  Reset the table or object’s fields to default values.
  For example, in config system admin, after entering edit admin,
  entering unset password resets the password of the admin
  administrator account to the default (in this case, no password).

Example of field commands

From within the admin_1 table, you might enter:
set password "my1stExamplePassword"

to assign the value my1stExamplePassword to the password field. You might then enter the next command to save
the changes and edit the next administrator’s table.

Permissions

Depending on the account that you use to log in to the FortiWeb appliance, you may not have complete access to all CLI
commands or areas of the web UI.
Access profiles control which commands and areas an administrator account can access. Access profiles assign either:
• Read (view access)
• Both Read and Write (view access, and change and execute access)
• No access
to each area of the FortiWeb software. For details about configuring the access profile for an administrator account to
use, see system accprofile on page 204.

Access profile permissions

Admin Users (admingrp)
  Web UI:  System > Admin ... except Settings
  CLI:     config system admin
           config system accprofile

Auth Users (authusergrp)
  Web UI:  User ...
  CLI:     config user ...

Log & Report (loggrp)
  Web UI:  Log&Report ...
  CLI:     config log ...
           execute formatlogdisk

Maintenance (mntgrp)
  Web UI:  System > Maintenance except System Time tab
  CLI:     diagnose system ...
           execute backup ...
           execute factoryreset
           execute reboot
           execute restore ...
           execute shutdown
           diagnose system flash ...

Network Configuration (netgrp)
  Web UI:  Network ...
  CLI:     config router ...
           config system interface
           config system dns
           config system v-zone
           diagnose network ... except sniffer ...

System Configuration (sysgrp)
  Web UI:  System ... except Network, Admin, and Maintenance tabs
  CLI:     config system except accprofile, admin, dns, interface, and v-zone
           diagnose hardware ...
           diagnose network sniffer ...
           diagnose system ... except flash ...
           execute date ...
           execute ha ...
           execute ping ...
           execute ping-option ...
           execute traceroute ...
           execute time ...

Server Policy Configuration (traroutegrp)
  Web UI:  Policy > Server Policy ...
           Server Objects ...
           Application Delivery ...
  CLI:     config server-policy ... except custom-application ...
           config waf file-compress-rule
           config waf http-authen ...
           config waf url-rewrite ...
           diagnose policy ...

Web Anti-Defacement Management (wadgrp)
  Web UI:  Web Anti-Defacement ...
  CLI:     config wad ...

Web Protection Configuration (wafgrp)
  Web UI:  Policy > Web Protection ...
           Web Protection ...
           DoS Protection ...
  CLI:     config system dos-prevention
           config waf except:
           • config waf file-compress-rule
           • config waf http-authen ...
           • config waf url-rewrite ...
           • config waf web-custom-robot
           • config waf web-robot
           • config waf x-forwarded-for

Machine Learning Configuration (mlgrp)
  Web UI:  Web Protection > ML Based Anomaly Detection
           Bot Mitigation > ML Based Bot Detection
           API Protection > ML Based API Protection
  CLI:     config waf api-learning-rule
           config waf api-learning-policy
           config waf bot-detection-policy
           config waf machine-learning-policy

Web Vulnerability Scan Configuration (wvsgrp)
  Web UI:  Web Vulnerability Scan ...
  CLI:     config wvs ...

* For each config command, there is an equivalent get/show command, unless otherwise noted.
config access requires write permission.
get/show access requires read permission.
Unlike other administrator accounts, the administrator account named admin exists by default and cannot be deleted.
The admin administrator account is similar to a root administrator account. This administrator account always has full

permission to view and change all FortiWeb configuration options, including viewing and changing all other administrator
accounts. Its name and permissions cannot be changed. It is the only administrator account that can reset another
administrator’s password without being required to enter that administrator’s existing password.

Set a strong password for the admin administrator account, and change the
password regularly. By default, this administrator account has no password. Failure
to maintain the password of the admin administrator account could compromise the
security of your FortiWeb appliance.

For complete access to all commands, you must log in with the admin administrator account.

Tips & tricks

Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.
This section includes:
• Help on page 48
• Shortcuts & key commands on page 48
• Command abbreviation on page 49
• Special characters on page 49
• Language support & regular expressions on page 50
• Screen paging on page 51
• Baud rate on page 52
• Editing the configuration file in a text editor on page 52
• Pipeline 'grep' command on page 53

Help

To display brief help during command entry, enter the question mark (?) key:
• At the command prompt to display a list of the commands available and a description of each.
• After a command keyword to display a list of the objects available with that command and a description of each.
• After entering a word or part of a word to display a list of valid word completions or subsequent words, and to display
  a description of each.

Shortcuts & key commands

Action                                                                      Keys

List valid word completions or subsequent words.                            ?
  If multiple words could complete your entry, display all possible completions with
  helpful descriptions of each.

Complete the word with the next available match.                            Tab
  Press the key multiple times to cycle through available matches.

Recall the previous command.                                                Up arrow, or Ctrl + P
  Command memory is limited to the current session.

Recall the next command.                                                    Down arrow, or Ctrl + N

Move the cursor left or right within the command line.                      Left or Right arrow

Move the cursor to the beginning of the command line.                       Ctrl + A

Move the cursor to the end of the command line.                             Ctrl + E

Move the cursor backwards one word.                                         Ctrl + B

Move the cursor forwards one word.                                          Ctrl + F

Delete the current character.                                               Ctrl + D

Abort current interactive commands, such as when entering multiple lines.   Ctrl + C
  If you are not currently within an interactive command such as config or edit, this
  closes the CLI connection.

Continue typing a command on the next line for a multi-line command.        \ then Enter
  For each line that you want to continue, terminate it with a backslash ( \ ). To
  complete the command line, terminate it by pressing the spacebar and then the
  Enter key, without an immediately preceding backslash.

Command abbreviation

You can abbreviate words in the command line to their smallest number of non-ambiguous characters. For example, the
command get system status could be abbreviated to:
g sy st

If you enter an ambiguous command, the CLI returns an error message such as:
ambiguous command before 's'
Value conflicts with system settings.
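The abbreviation rule above is a prefix match that must resolve to exactly one word at each level. The following added example (not part of the FortiWeb CLI Reference) implements that resolution over a small constructed subset of the command tree and reports the ambiguity the CLI would reject; the tree contents are an assumption for illustration, not the appliance's real command set.

```python
"""Expand abbreviated CLI words ("g sy st") to their full form, rejecting a
word that matches more than one candidate at its level.

Added example, not Fortinet code. COMMAND_TREE is a constructed subset of
the command hierarchy; each level maps a full word to its child words.
"""

COMMAND_TREE = {
    "get": {
        "system": {"status": {}, "admin": {}, "interface": {}},
        "router": {"static": {}},
    },
    "config": {
        "system": {"admin": {}, "accprofile": {}, "interface": {}},
        "server-policy": {},
    },
    "show": {
        "system": {"interface": {}, "admin": {}},
    },
}


class AmbiguousCommand(ValueError):
    """Raised when an abbreviation prefixes several words at one level."""


def expand_command(line, tree=COMMAND_TREE):
    """Return the list of full words for an abbreviated command line.

    Each word is matched as a prefix of the words valid at the current
    level. An exact match wins even if it is also a prefix of longer words,
    so "config sys" still resolves when both "system" and "system-x" exist.
    Raises AmbiguousCommand for several matches and ValueError for none.
    """
    level = tree
    full = []
    for word in line.split():
        if word in level:
            candidates = [word]
        else:
            candidates = [w for w in level if w.startswith(word)]
        if len(candidates) > 1:
            raise AmbiguousCommand(
                f"ambiguous command before '{word}': {sorted(candidates)}"
            )
        if not candidates:
            raise ValueError(f"unknown word '{word}' after {' '.join(full)}")
        full.append(candidates[0])
        level = level[candidates[0]]
    return full


if __name__ == "__main__":
    print(expand_command("g sy st"))   # ['get', 'system', 'status']
```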

Special characters

Special characters <, >, (, ), #, ', and " are usually not permitted in CLI. If you use them, the CLI will often return an error
message such as:
The string contains XSS vulnerability characters
value parse error before '%^@'
Input not as expected.

Some may be enclosed in quotes or preceded with a backslash ( \ ) character.

Entering special characters

Character                                     Key

?                                             Ctrl + V then ?

Tab                                           Ctrl + V then Tab

Space                                         Enclose the string in quotation marks: "Security Administrator"
(to be interpreted as part of a string        Enclose the string in single quotes: 'Security Administrator'
value, not to end the string)                 Precede the space with a backslash: Security\ Administrator

'                                             \'
(to be interpreted as part of a string
value, not to end the string)

"                                             \"
(to be interpreted as part of a string
value, not to end the string)

\                                             \\
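When values such as passwords or comments are generated by a script rather than typed, the escaping rules in the table above have to be applied mechanically. The following added example (not part of the FortiWeb CLI Reference) does that for a string value and includes the inverse parse so the round trip can be checked; rejecting the characters the reference lists as not permitted, and the ? and Tab keys that only work interactively with Ctrl + V, are this example's own choices.

```python
"""Quote a string for use as a CLI value, following the table of special
characters: \\ becomes \\\\, ' becomes \\', " becomes \\", and a value
containing a space is enclosed in double quotation marks.

Added example, not Fortinet code. The set of rejected characters is taken
from the 'Special characters' text; '?' and Tab are rejected because they
need a Ctrl + V prefix at an interactive prompt and cannot be stored as
text.
"""

# Characters the CLI Reference says are usually not permitted in values.
DISALLOWED = set("<>()#")
# Keys that must be typed with Ctrl + V at the prompt.
INTERACTIVE_ONLY = {"?", "\t"}


def quote_cli_value(value):
    """Return 'value' in a form the CLI parses back to the same string.

    Backslashes are escaped first so the escapes added for quotes are not
    themselves doubled. Raises ValueError for characters that cannot be
    represented in a stored value.
    """
    bad = DISALLOWED.intersection(value)
    if bad:
        raise ValueError(f"characters not permitted in CLI values: {sorted(bad)}")
    if INTERACTIVE_ONLY.intersection(value):
        raise ValueError("'?' and Tab can only be entered interactively with Ctrl + V")
    escaped = (value.replace("\\", "\\\\")
                    .replace('"', '\\"')
                    .replace("'", "\\'"))
    if " " in value:
        return f'"{escaped}"'
    return escaped


def set_command(field, value):
    """Build a complete 'set <field> <value>' line with the value quoted."""
    return f"set {field} {quote_cli_value(value)}"


def parse_cli_value(token):
    """Inverse of quote_cli_value: strip enclosing quotes and undo escapes.

    Also accepts the backslash-space form from the table (Security\\ Administrator).
    Used here only to verify that quoting round-trips.
    """
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        token = token[1:-1]
    out = []
    i = 0
    while i < len(token):
        if token[i] == "\\" and i + 1 < len(token):
            out.append(token[i + 1])   # keep the escaped character literally
            i += 2
        else:
            out.append(token[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    for sample in ["Security Administrator", "it's", 'say "hi"', "C:\\temp"]:
        quoted = quote_cli_value(sample)
        print(f"{sample!r} -> {quoted} -> {parse_cli_value(quoted)!r}")
```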

Language support & regular expressions

The CLI currently supports the following languages:
• English
• Japanese
• Simplified Chinese
• Traditional Chinese
Characters such as ñ, é, symbols, and ideographs are sometimes acceptable input. Support varies by the nature of the
item being configured. CLI commands, objects, field names, and options must use their exact ASCII characters, but
some items with arbitrary names or values may be input using your language of choice.
For example, the host name must not contain special characters, and so the web UI and CLI will not accept most
symbols and other non-ASCII encoded characters as input when configuring the host name. This means that languages
other than English often are not supported. However, some configuration items, such as names and comments, may be
able to use the language of your choice.
To use other languages in those cases, you must use the correct encoding.
FortiWeb stores inputs using Unicode UTF-8 encoding, but it is not normalized from other encodings into UTF-8 before
stored. If your input method encodes some characters differently than in UTF-8, your configured items may not display or
operate as expected.
Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular
expression using another encoding, or if an HTTP client sends a request in an encoding other than UTF-8, matches may
not be what you expect.

For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as yen symbols ( ¥ ) and vice versa. A
regular expression intended to match HTTP requests containing money values with a yen symbol therefore may not
work if the symbol is entered using the wrong encoding.
For best results, you should use:
• UTF-8 encoding.
• Only the characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters
  that are also encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS and other
  encodings.
• Regular expressions that match HTTP requests.
• The same encoding as your HTTP clients.
HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary by the client’s operating system
or input language. If you cannot predict the client’s encoding, you may only be able to match any parts of the request that
are in English, because regardless of the encoding, the values for English characters tend to be encoded identically. For
example, English words may be legible regardless of interpreting a web page as either ISO 8859-1 or as GB2312,
whereas simplified Chinese characters might only be legible if the page is interpreted as GB2312.
To configure your FortiWeb appliance using other encodings, you may need to switch language settings on your
management computer, including for your web browser or Telnet or SSH client. For instructions on how to configure your
management computer’s operating system language, locale, or input method, see its documentation.
If you choose to configure parts of the FortiWeb appliance using non-ASCII characters, verify that all systems interacting
with the FortiWeb appliance also support the same encodings. You should also use the same encoding throughout the
configuration if possible in order to avoid needing to switch the language settings of your web browser or Telnet or SSH
client while you work.
Similarly to input, your web browser or CLI client should usually interpret display output as encoded using UTF-8. If it
does not, your configured items may not display correctly in the web UI or CLI. Exceptions include items such as regular
expressions that you may have configured using other encodings in order to match the encoding of HTTP requests that
the FortiWeb appliance receives.

To enter non-ASCII characters in the CLI:

- CLI access via the web UI: configure your web browser to interpret the page as UTF-8 encoded. The console will then display non-ASCII characters in commands in their character code equivalent.
- CLI access via a Telnet or SSH client: configure the client to send and receive characters using UTF-8 encoding. Depending on the client, you may have to enter non-ASCII characters in commands in their character code equivalent.
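The encoding mismatch described above, as an added example that is not part of the FortiWeb documentation: the same request body is encoded as a client might send it in UTF-8 and in GB2312, and a pattern typed in UTF-8 is tested against each body under different assumed encodings. The request bodies, patterns and the list of encodings are constructed for this illustration; FortiWeb's own matching engine is not involved.

```python
# Added example, not from the FortiWeb documentation: why a regular expression
# only matches reliably when pattern and request share one encoding, and why
# US-ASCII text survives a mismatch. All sample data below is constructed.
import re

# Constructed request bodies: identical text, two client encodings.
# 你好 is the simplified Chinese greeting; "lang=en" is pure US-ASCII.
TEXT = "name=你好&lang=en"
BODY_UTF8 = TEXT.encode("utf-8")
BODY_GB2312 = TEXT.encode("gb2312")

# Patterns written by an administrator who typed the greeting in UTF-8.
PATTERN_CJK = re.compile(r"name=你好")
PATTERN_ASCII = re.compile(r"lang=en")


def decode_as(body: bytes, encoding: str) -> str:
    """Interpret raw request bytes under ENCODING, replacing undecodable
    sequences instead of rejecting the request (as a lenient parser would)."""
    return body.decode(encoding, errors="replace")


def matches(pattern: "re.Pattern", body: bytes, assumed_encoding: str) -> bool:
    """True if PATTERN matches BODY once BODY is read as ASSUMED_ENCODING."""
    return pattern.search(decode_as(body, assumed_encoding)) is not None


def same_bytes_everywhere(text: str, encodings=("utf-8", "iso-8859-1",
                                                 "cp1252", "shift_jis",
                                                 "gb2312")) -> bool:
    """True if TEXT encodes to identical bytes under every listed encoding,
    i.e. it can be used in a pattern no matter which of them the client
    uses. This is the 'same numeric values' rule from the text above."""
    try:
        encoded = {text.encode(enc) for enc in encodings}
    except UnicodeEncodeError:
        return False  # not even representable in all of them
    return len(encoded) == 1


if __name__ == "__main__":
    # UTF-8 pattern against a UTF-8 body: matches.
    print(matches(PATTERN_CJK, BODY_UTF8, "utf-8"))      # True
    # Same pattern against a GB2312 body that is read as UTF-8: the bytes
    # C4 E3 BA C3 are not valid UTF-8, so the greeting is lost.
    print(matches(PATTERN_CJK, BODY_GB2312, "utf-8"))    # False
    # Read with the client's real encoding, it matches again.
    print(matches(PATTERN_CJK, BODY_GB2312, "gb2312"))   # True
    # The ASCII part of the request matches under either reading.
    print(matches(PATTERN_ASCII, BODY_GB2312, "utf-8"))  # True
    # Misread as ISO 8859-1, the greeting becomes four Latin letters.
    print(decode_as(BODY_GB2312, "iso-8859-1"))          # name=ÄãºÃ&lang=en
    print(same_bytes_everywhere("lang=en"))              # True
    print(same_bytes_everywhere("¥"))                    # False
```

The practical consequence is the one the text states: if the client encoding cannot be predicted, only the parts of a pattern that pass same_bytes_everywhere() can be relied on.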

Screen paging

When output spans multiple pages, you can configure the CLI to pause after each page. When the display pauses, the
last line displays --More--. You can then either:
- Press the spacebar to display the next page.
- Enter Q to truncate the output and return to the command prompt.


This may be useful when displaying lengthy output, such as the list of possible matching commands for command
completion, or a long list of settings. Rather than scrolling through or possibly exceeding the buffer of your terminal
emulator, you can simply display one page at a time.
To configure the CLI display to pause after each full screen:
config system console
set output more
end

For details, see system console on page 252.

Baud rate

You can change the default baud rate of the local console connection. For details, see system console on page 252.

Editing the configuration file in a text editor

Editing the configuration file with a plain text editor can be time-saving if:
- You have many changes to make.
- You are not sure where the setting is in the CLI.
- You own several FortiWeb appliances.
This is true especially if your plain text editor provides advanced features such as regular expressions for find-and-replace, or batch changes across multiple files. Several free text editors are available with these features, such as
Text Wrangler (HTTP://www.barebones.com/products/textwrangler) and Notepad++ (HTTP://notepad-plus-plus.org).

Do not use a rich text editor such as Microsoft Word. Rich text editors insert special
characters into the file in order to apply formatting, which may corrupt the
configuration file.

To edit the configuration on your computer

1. Use backup cli-config on page 752 or backup full-config on page 753 to download the configuration file to a TFTP server, such as your management computer.
2. Edit the configuration file using a plain text editor that supports Unix-style line endings.

Do not edit the header lines. The first lines of the configuration file (preceded by a #
character) contain information about the firmware version and FortiWeb model. If
you change the model number, the FortiWeb appliance will reject the configuration
file when you attempt to restore it.

3. Use restore config on page 777 to upload the modified configuration file back to the FortiWeb appliance.
The FortiWeb appliance downloads the configuration file and checks that the model information is correct. If it is, the
FortiWeb appliance loads the configuration file and checks each command for errors. If a command is invalid, the
FortiWeb appliance ignores the command. If the configuration file is valid, the FortiWeb appliance restarts and loads the
new configuration.
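A pre-restore check for a configuration file edited offline, as an added example that is not part of the FortiWeb documentation: it compares the '#'-prefixed header lines of the edited file with those of the original backup and rejects Windows line endings, the two mistakes the procedure above warns about, and shows a regex batch edit that leaves the header untouched. The header line format, model name and commands in ORIGINAL are constructed for illustration; a real backup's header lines may look different.

```python
# Added example, not from the FortiWeb documentation: sanity-check an offline
# edit of a backed-up configuration before uploading it with restore config.
# The header format and commands below are constructed, not a real backup.
import re
from typing import List

# Constructed backup as it might be downloaded with backup cli-config.
ORIGINAL = (
    "#config-version=EXAMPLE-7.2.1\n"   # constructed header line
    "#model=EXAMPLE-MODEL\n"            # constructed header line
    "config system global\n"
    "    set hostname \"fwb-old\"\n"
    "end\n"
)


def header_lines(text: str) -> List[str]:
    """Return the leading lines that start with '#', i.e. the header the
    appliance uses to check firmware version and model."""
    out = []
    for line in text.splitlines():
        if not line.startswith("#"):
            break
        out.append(line)
    return out


def check_edit(original: str, edited: str) -> List[str]:
    """Return the problems that would make a restore fail or misbehave.
    An empty list means the edited file is safe to upload."""
    problems = []
    if header_lines(original) != header_lines(edited):
        problems.append("header lines (version/model) were changed")
    if "\r\n" in edited:
        problems.append("file contains Windows (CRLF) line endings")
    if not header_lines(edited):
        problems.append("file has no '#' header lines at all")
    return problems


def bulk_replace(text: str, pattern: str, replacement: str) -> str:
    """Apply a regex find-and-replace to every line except the header: the
    kind of batch change that makes offline editing worthwhile."""
    lines = text.splitlines(keepends=True)
    n = len(header_lines(text))
    body = "".join(re.sub(pattern, replacement, ln) for ln in lines[n:])
    return "".join(lines[:n]) + body


if __name__ == "__main__":
    good = bulk_replace(ORIGINAL, r'set hostname "[^"]*"', 'set hostname "fwb-new"')
    print(check_edit(ORIGINAL, good))                        # []
    bad_model = ORIGINAL.replace("#model=EXAMPLE-MODEL", "#model=OTHER-MODEL")
    print(check_edit(ORIGINAL, bad_model))                   # header problem
    print(check_edit(ORIGINAL, good.replace("\n", "\r\n")))  # CRLF problem
```

Run check_edit() against the file you are about to upload; only an empty result should go to restore config.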

Pipeline 'grep' command

FortiWeb supports 'grep' in get and show to search for desired information and present the results in a format you
want.
The 'grep' command format is as follows:
get <xxx> [ [path] <object>] | grep [options] <search string>
show [ [path] <object>] | grep [options] <search string>

For example:


The following options are supported:

  -n  Add a 'line_no:' prefix to each matching line.
  -o  Show only the matching part of the line.
  -v  Select non-matching lines.
  -i  Ignore case.
  -w  Match whole words only.
  -x  Match whole lines only.
  -F  PATTERN is a literal string (not a regular expression).
  -E  PATTERN is an extended regular expression.

Administrative domains (ADOMs)

Administrative domains (ADOMs) enable the admin administrator to constrain other FortiWeb administrators’ access
privileges to a subset of policies and protected host names. This can be useful for large enterprises and multi-tenant
deployments such as web hosting.
ADOMs are not enabled by default. Enabling and configuring administrative domains can only be performed by the
admin administrator.
Enabling ADOMs alters the structure of and the available functions in the GUI and CLI according to whether you're
logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator
account’s assigned access profile.

Differences between administrator accounts when ADOMs are enabled

                                     admin administrator account   Other administrators
Access to config global              Yes                           No
Can create administrator accounts    Yes                           No
Can create & enter all ADOMs         Yes                           No

If ADOMs are enabled and you log in as admin, a superset of the typical CLI commands appear, allowing unrestricted
access and ADOM configuration.
config global contains settings used by the FortiWeb itself and settings shared by ADOMs, such as RAID and
administrator accounts. It does not include ADOM-specific settings or data, such as logs and reports. When configuring
other administrator accounts, an additional option appears allowing you to restrict other administrators to an ADOM.
If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A
subset of the typical menus or CLI commands appear, allowing access only to logs, reports, policies, servers, and
LDAP queries specific to your ADOM. You cannot access global configuration settings or enter other ADOMs.
By default, administrator accounts other than the admin account are assigned to the root ADOM, which includes all
policies and servers. By creating ADOMs that contain a subset of policies and servers, and assigning them to
administrator accounts, you can restrict other administrator accounts to a subset of the FortiWeb’s total protected
servers.
The admin administrator account cannot be restricted to an ADOM. Other administrators are restricted to their ADOM,
and cannot configure ADOMs or global settings.


To enable ADOMs

1. Log in with the admin account. Other administrators do not have permissions to configure ADOMs.
2. Back up your configuration. Enabling ADOMs changes the structure of your configuration, and moves non-global settings to the root ADOM. For details about how to back up the configuration, see backup full-config on page 753.
3. Enter the following commands:
config system global
set adom-admin enable
end
FortiWeb terminates your administrative session.
4. Log in again.
When ADOMs are enabled, and if you log in as admin, the top level of the shell changes: the two top level items are
config global and config vdom.
- config global contains settings that only admin or other accounts with the prof_admin access profile can change.
- config vdom contains each ADOM and its respective settings.
This menu and CLI structure change is not visible to non-global accounts; ADOM administrators' navigation menus
continue to appear similar to when ADOMs are disabled, except that global settings such as network interfaces, HA, and
other global settings do not appear.
5. Continue by defining ADOMs. For details, see Defining ADOMs on page 57.

To disable ADOMs

1. Delete all ADOM administrator accounts.
2. Back up your configuration. Disabling ADOMs changes the structure of your configuration, and deletes most ADOM-related settings. It keeps settings from the root ADOM only. For details about how to back up the configuration, see backup full-config on page 753.
3. Enter the following commands:
config system global
set adom-admin disable
end
FortiWeb terminates your administrative session.
4. Continue by reconfiguring the appliance. For details, see the FortiWeb Administration Guide:
HTTP://docs.fortinet.com/fortiweb/admin-guides


See also

- Permissions on page 46
- Defining ADOMs on page 57
- Assigning administrators to an ADOM on page 58
- system admin on page 207
- system accprofile on page 204

Defining ADOMs

Some settings can only be configured by the admin account: they are global. Global settings apply to the appliance
overall regardless of ADOM, such as:
- Operation mode
- Network interfaces
- System time
- Backups
- Administrator accounts
- Access profiles
- FortiGuard connectivity settings
- HA and configuration sync
- SNMP
- RAID
- X.509 certificates
- TCP SYN flood anti-DoS setting
- Vulnerability scans
- ping on page 768 and other global operations that exist only in the CLI
Only the admin account can configure global settings.

In the current release, some settings, such as user accounts for HTTP
authentication, anti-defacement, and logging destinations are read-only for ADOM
administrators. Future releases will allow ADOM administrators to configure these
settings separately for their ADOM.

Other settings can be configured separately for each ADOM. They essentially define each ADOM. For example,
the policies of adom-A are separate from adom-B.
Initially, only the root ADOM exists, and it contains settings such as policies that were global before ADOMs were
enabled. Typically, you will create additional ADOMs, and few if any administrators will be assigned to the root ADOM.
After ADOMs are created, the admin account usually assigns other administrator accounts to configure their ADOM-
specific settings. However, as the root account, the admin administrator does have permission to configure all settings,
including those within ADOMs.

To create an ADOM

1. Log in with the admin account.
2. Enter the following commands:
config vdom
edit <adom_name>

where <adom_name> is the name of your new ADOM. Alternatively, to configure the default root ADOM, type root.

The maximum number of ADOMs you can add varies by your FortiWeb model. The
number of ADOMs is limited by available physical memory (RAM), and therefore
also limits the maximum number of policies and sessions per ADOM. For details, see
the FortiWeb Administration Guide:
HTTP://docs.fortinet.com/fortiweb/admin-guides

The new ADOM exists, but its settings are not yet configured.
3. Either:
- Assign another administrator account to configure the ADOM (continue with Assigning administrators to an ADOM on page 58), or
- Configure the ADOM yourself by entering commands such as:
config log...
config server-policy...
config system...
config waf...

See also

- Assigning administrators to an ADOM on page 58
- Administrative domains (ADOMs) on page 55
- Permissions on page 46
- system admin on page 207
- system accprofile on page 204

Assigning administrators to an ADOM

The admin administrator can create other administrators and assign their account to an ADOM, constraining them to
that ADOM’s configurations and data.

To assign an administrator to an ADOM

1. If you have not yet created any administrator access profiles, create at least one. For details, see system accprofile on page 204.
2. In the administrator account's accprofile "<access-profile_name>" on page 209 setting, select the new access profile. (Administrators assigned to the prof_admin access profile will have global access. They cannot be restricted to an ADOM.)
3. In the administrator account's domains "<adom_name>" on page 209 setting, select the account's assigned ADOM. Currently, in this version of FortiWeb, administrators cannot be assigned to more than one ADOM.


See also

- Permissions on page 46
- system admin on page 207
- system accprofile on page 204
- Defining ADOMs on page 57


config

The config commands configure your FortiWeb appliance’s feature settings.

Although not usually explicitly shown in each config command’s “Syntax” section, for
all config commands, there are related get on page 788 and show on page 794
commands which display that part of the configuration, either in the form of a list of
settings and values, or commands that are required to achieve that configuration
from the firmware’s default state, respectively. get and show commands use the
same syntax as their related config command, unless otherwise mentioned.

log alertMail

Use this command to enable or disable alert emails, and to choose which email policy to use with them. Alert emails
notify administrators or other personnel when an alert condition occurs, such as a system failure or network attack.
The email address information and the alert message intervals are configured separately for each email policy. For
details about the severity levels of log messages associated with an email policy, see log email-policy on page 67.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.

Syntax
config log alertMail
set status {enable | disable}
set email-policy "<policy_name>"
end

Variable / Description / Default

status {enable | disable}
  Enable to generate an alert email when the FortiWeb appliance records a log message, if that log message meets or exceeds the severity level configured in log email-policy on page 67.
  Default: disable

email-policy "<policy_name>"
  Enter the name of a previously configured email policy. The maximum length is 63 characters. To display a list of the existing email policies, type:
  set email-policy ?
  Default: No default.


Example

This example enables alert email when either a system event or attack log message is logged. The alert email is sent
using the recipients configured in emailpolicy1.
config log alertMail
set status enable
set email-policy "emailpolicy1"
end

Related topics

- log email-policy on page 67

log attack-log

Use this command to configure recording of attack log messages on the local FortiWeb disk.

You must enable disk log storage and select log severity levels using log disk on
page 66 before any attack logs can be stored on disk.

Also use this command to define specific packet payloads to retain when storing attack logs.
Packet payloads can be retained for specific attack types or validation failures detected by the FortiWeb appliance.
Packet payloads supplement the log message by providing the actual data that triggered the attack log, which may help
you to fine-tune your regular expressions to prevent false positives. You can also examine changes to attack behavior
for subsequent forensic analysis. Alternatively, for more extensive packet logging, you can run a packet trace. For
details, see network sniffer on page 721.
If the offending HTTP request exceeds 4 kilobytes (KB), the FortiWeb appliance retains only the 4 KB of the payload
that triggered the log message.
You can view attack log packet payloads from the Packet Log column using the web UI. For details, see the FortiWeb
Administration Guide:
HTTP://docs.fortinet.com/fortiweb/admin-guides
Packet payloads can contain sensitive information. You can prevent sensitive data from display in the packet payload by
applying sensitivity rules that detect and obscure sensitive information. For details, see log sensitive on page 84.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.

Syntax
config log attack-log
set status {enable | disable}
set HTTP-parse-error-output {enable | disable}
set packet-log {account-lockout-detection | anti-virus-detection | cookie-security | credential-db-detection | csrf-detection | custom-access | custom-protection-rule | fsa-detection | hidden-fields-failed | HTTP-protocol-constraints | illegal-file-type | illegal-filesize | cors-protection | json-protection | ip-intelligence | padding-oracle | parameter-rule-failed | signature-detection | trojan-detection | user-tracking-detection | xml-protection | machine-learning | openapi-validation | websocket-security | mobile-api-protection | malicious-bots | known-good-bots | syntax-based-detection}
set no-ssl-error {enable | disable}
set HTTP2-parse-error-output {enable | disable}
end

Variable / Description / Default

status {enable | disable}
  Enable to record attack log messages on the disk. To record attack logs, disk log storage must be enabled, and the severity levels selected using the log disk on page 66 command.
  Default: enable

HTTP-parse-error-output {enable | disable}
  Enable while debugging only, to log errors of the HTTP protocol parser.
  Default: disable

packet-log {account-lockout-detection | anti-virus-detection | cookie-security | credential-db-detection | csrf-detection | custom-access | custom-protection-rule | fsa-detection | hidden-fields-failed | HTTP-protocol-constraints | illegal-file-type | illegal-filesize | cors-protection | json-protection | ip-intelligence | padding-oracle | parameter-rule-failed | signature-detection | trojan-detection | user-tracking-detection | xml-protection | machine-learning | openapi-validation | websocket-security | mobile-api-protection | malicious-bots | known-good-bots | syntax-based-detection}
  Select one or more detected attack types or validation failures. FortiWeb keeps packet payloads from its HTTP parser buffer with their associated attack log message. Separate each attack type with a space. To add or remove a packet payload type, re-type the entire space-delimited list with the new option included or omitted.
  Some options have historical names. Correlations with current feature names are:
  - custom-protection-rule: Custom signature detection (not predefined)
  To empty this list and keep no packet payloads, effectively disabling the feature, enter unset packet-log.
  Default: No default.

no-ssl-error {enable | disable}
  Enable to stop FortiWeb from logging SSL errors. This setting is useful when you use high-level security settings, which generate a high volume of these types of errors.
  Default: disable

HTTP2-parse-error-output {enable | disable}
  Enable while debugging only, to log errors of the HTTP/2 protocol parser.
  Default: enable

Example

This example enables log storage on the hard disk and sets information as the minimum severity level that a log
message must meet in order for the log to be stored. It also enables retention of packet payloads that triggered custom
protection rules along with their correlating attack logs. Conversely, it disables any other packet payload retention that
may have been enabled before, because it completely replaces the list each time it is configured.
config log disk
set status enable
set severity information
end
config log attack-log
set status enable
set packet-log custom-protection-rule
end

Related topics

- log sensitive on page 84
- log custom-sensitive-rule on page 63
- log event-log on page 70
- log traffic-log on page 92
- log on page 715

log custom-sensitive-rule

Use this command to configure custom rules to obscure sensitive information that is not obscured in log message packet
payloads by the predefined sensitivity rules.
Use this command in conjunction with log sensitive on page 84.
If enabled to do so, a FortiWeb appliance will obscure predefined data types, including user names and passwords in log
message packet payloads. If other sensitive data in the packet payload is not obscured by the predefined data types, you
can create your own data type sensitivity rules, such as ages or other identifying numbers.

Sensitive data definitions are not retroactive. They will hide strings in subsequent log
messages, but will not affect existing log messages.

This command is relevant only if you have enabled the FortiWeb appliance to keep packet payloads along with their
associated log messages, and have selected to obscure logs according to custom data types. For details, see log attack-
log on page 61 and log sensitive on page 84.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.

Syntax
config log custom-sensitive-rule
edit "<custom-sensitive-rule_name>"
set expression "<sensitive-type_pattern>"
set field-name "<parameter-name_pattern>"
set field-value "<parameter-value_pattern>"
set type {field-mask-rule | general-mask-rule}
next
end

Variable / Description / Default

"<custom-sensitive-rule_name>"
  Enter the name of a new or existing rule. The maximum length is 63 characters. To display the list of existing rules, enter:
  edit ?
  Default: No default.

expression "<sensitive-type_pattern>"
  Enter a regular expression that matches all and only the strings or numbers that you want to obscure in the packet payloads.
  For example, to hide a parameter that contains the age of users 13 or younger, you could enter:
  age=(1[0-3]|[1-9])(?![0-9])
  (A character class such as [1-13] does not express a numeric range; it matches only the single characters 1 and 3.)
  Expressions must not start with an asterisk ( * ). The maximum length is 256 characters.
  Default: No default.

type {field-mask-rule | general-mask-rule}
  Select either general-mask-rule (a regular expression that will match any substring in the packet payload) or field-mask-rule (a regular expression that will match only the value of a specific form input).
  If you select general-mask-rule, configure expression "<sensitive-type_pattern>" on page 64.
  If you select field-mask-rule, configure field-name "<parameter-name_pattern>" on page 64 and field-value "<parameter-value_pattern>" on page 64.
  Default: general-mask-rule

field-name "<parameter-name_pattern>"
  Enter a regular expression that matches all and only the input names whose values you want to obscure. The input name itself will not be obscured. If you wish to do this, use general-mask-rule instead. The maximum length is 256 characters.
  Default: No default.

field-value "<parameter-value_pattern>"
  Enter a regular expression that matches all and only the input values that you want to obscure. The maximum length is 256 characters.
  For example, to hide a parameter that contains the age of users 13 or younger, for field-name "<parameter-name_pattern>" on page 64, enter age, and for field-value "<parameter-value_pattern>" on page 64, enter (1[0-3]|[1-9])(?![0-9]).
  Valid expressions must not start with an asterisk ( * ).
  Caution: Field masks that use .* are greedy: a match for the parameter's value will obscure it, but will also obscure the rest of the parameters in the line. To avoid this, enter an expression whose match terminates with, but does not consume, the parameter separator.
  For example, if parameters are separated with an ampersand ( & ), and you want to obscure the value of the field name username but not any of the parameters that follow it, you could enter the field value:
  .*?(?=\&)
  This would result in:
  username****&age=13&origurl=%2Flogin
  Default: No default.

Example

This example enables the FortiWeb appliance to keep packet payloads for many attack types with their associated log messages. It also enables and defines a custom sensitive data type (ages 13 or younger) that will be obscured in logs.
config log attack-log
set status enable
set packet-log anti-virus-detection cookie-security custom-access custom-protection-rule hidden-fields-failed HTTP-protocol-constraints illegal-file-type xml-protection ip-intelligence padding-oracle parameter-rule-failed signature-detection
end
config log sensitive
set type custom-rule
end
config log custom-sensitive-rule
edit rule1
set type general-mask-rule
set expression "age=(1[0-3]|[1-9])(?![0-9])"
next
end
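A model of the two rule types applied to a constructed packet payload, as an added example that is not part of the FortiWeb documentation: it reproduces the greedy-match caveat and the character-class pitfall from the field descriptions above, and shows [^&]* as an alternative that also covers the last parameter in the line (which .*?(?=&) cannot match because no separator follows it). How FortiWeb itself renders masked output is not specified here; this illustration replaces the matched text with '****' and keeps the '=' readable, which is an assumption.

```python
# Added example, not from the FortiWeb documentation: a model of
# general-mask-rule and field-mask-rule behaviour on a constructed payload.
# The '****' replacement and keeping '=' are illustration choices, not a
# description of the appliance's real output.
import re

MASK = "****"
# Constructed packet payload as it might be retained with an attack log.
PAYLOAD = "username=alice&password=hunter2&age=12&origurl=%2Flogin"

# general-mask-rule expression: ages 1..13, not a prefix of a larger number.
AGE_RULE = r"age=(1[0-3]|[1-9])(?![0-9])"


def pattern_matches(pattern: str, text: str) -> bool:
    """True if PATTERN matches somewhere in TEXT."""
    return re.search(pattern, text) is not None


def general_mask(payload: str, expression: str) -> str:
    """general-mask-rule: obscure every substring matching EXPRESSION,
    anywhere in the payload (the parameter name is obscured too)."""
    return re.sub(expression, MASK, payload)


def field_mask(payload: str, field_name: str, field_value: str) -> str:
    """field-mask-rule: for each 'name=value' whose name matches FIELD_NAME,
    obscure the part of the value matched by FIELD_VALUE, starting right
    after '='. The name and '=' are left readable (illustration choice)."""
    name_re = re.compile(field_name)
    value_re = re.compile(field_value)
    out, pos = [], 0
    for m in re.finditer(r"([^&=]+)=", payload):
        # Skip names already swallowed by an earlier (greedy) mask, and
        # names that the field-name pattern does not match.
        if m.start() < pos or not name_re.fullmatch(m.group(1)):
            continue
        vm = value_re.match(payload, m.end())
        if vm is None:
            continue
        out.append(payload[pos:vm.start()])
        out.append(MASK)
        pos = vm.end()
    out.append(payload[pos:])
    return "".join(out)


if __name__ == "__main__":
    # The pitfall: [1-13] is the character class {1, 3}, not the range 1..13.
    print(pattern_matches(r"age=[1-13]", "age=2"))   # False (age 2 missed)
    print(pattern_matches(r"age=[1-13]", "age=30"))  # True  (false hit)
    print(general_mask(PAYLOAD, AGE_RULE))
    # username=alice&password=hunter2&****&origurl=%2Flogin
    print(general_mask("age=14&x=1", AGE_RULE))      # age=14&x=1 (unchanged)
    # Greedy '.*' swallows every parameter after the password:
    print(field_mask(PAYLOAD, "password", r".*"))
    # username=alice&password=****
    # Stop before the separator without consuming it (the page's form):
    print(field_mask(PAYLOAD, "password", r".*?(?=&)"))
    # username=alice&password=****&age=12&origurl=%2Flogin
    # '[^&]*' also handles the last parameter, which has no trailing '&':
    print(field_mask(PAYLOAD, "origurl", r"[^&]*"))
    # username=alice&password=hunter2&age=12&origurl=****
    print(field_mask(PAYLOAD, "origurl", r".*?(?=&)"))  # unchanged
```

Test any candidate field-value expression this way against a payload with the sensitive field first, in the middle, and last before committing it to the rule, since a value pattern that works in the middle of the line may silently leave the last parameter exposed.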

Related topics

- log sensitive on page 84
- log attack-log on page 61
- log traffic-log on page 92


log disk

Use this command to enable and configure recording of log messages to the local hard disk.

Logging must be enabled for each individual log type before log messages are
recorded to disk. For details, see log attack-log on page 61, log event-log on page
70, and log traffic-log on page 92.

Each log file can hold at most 51,200 log messages, and each log message is limited to 4 KB; thus, each log file is limited to 200 MB.
You can use SNMP traps to notify you when disk space usage exceeds 80%. For details, see system snmp community
on page 339.
You can generate reports based on log messages that you save to the local hard disk. For details, see log reports on
page 75.

Syntax
config log disk
set diskfull overwrite
set severity {alert | critical | debug | emergency | error | information |
notification | warning}
set status {enable | disable}
set log-used-disk <log-used-disk_int>
end

Variable / Description / Default

status {enable | disable}
  Enable to store log messages on the local hard disk. Log messages are stored only if logging is enabled for the individual log types using log attack-log on page 61, log event-log on page 70, and log traffic-log on page 92. Also configure diskfull overwrite on page 66 and severity {alert | critical | debug | emergency | error | information | notification | warning} on page 66.
  Default: enable

diskfull overwrite
  Select overwrite to delete the oldest log file in order to free disk space, and then store the new log message.
  This field is available only if status {enable | disable} on page 66 is enable.
  Default: overwrite

severity {alert | critical | debug | emergency | error | information | notification | warning}
  Select the severity level that a log message must meet or exceed in order to cause the FortiWeb appliance to record it.
  Default: information

log-used-disk <log-used-disk_int>
  This field applies only to the Docker platform. Enter the log disk size in gigabytes. The valid range is 10–500 G.
  Default: 10 G


Example

This example enables recording of log messages to the local hard disk. Only the log messages with a severity of
notification or higher are recorded. If all free space on the hard disk is consumed and a new log message is generated,
the diskfull option determines that the FortiWeb will overwrite the oldest log file. The log messages are saved to a
separate log file for each message type.
config log disk
set status enable
set severity notification
set diskfull overwrite
end

Related topics

- log attack-log on page 61
- log event-log on page 70
- log traffic-log on page 92
- system snmp community on page 339
- log reports on page 75
- formatlogdisk on page 763

log email-policy

Use this command to create an email policy. An email policy identifies email recipients, email address, email connection
requirements and authentication information, if required.
You can configure multiple email policies and apply those policies as required in different situations. The FortiWeb
appliance can be configured to send email for different situations, such as to alert administrators when certain system
events or rule violations occur, or when log reports are available for distribution.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.

Syntax
config log email-policy
edit "<email-policy_name>"
set mailfrom "<address_str>"
set mailto1 "<recipient_email>"
set mailto2 "<recipient_email>"
set mailto3 "<recipient_email>"
set smtp-server {"<smtp_ipv4>" | "<smtpfqdn>"}
set smtp-port <smtp-port_int>
set smtp-auth {enable | disable}
set smtp-username "<auth_str>"
set smtp-password "<password_str>"
set severity {alert | critical | debug | emergency | error | information | notification | warning}
set interval <interval_int>
set connection-security {NONE | STARTTLS | SSL/TLS}
set send-email-based-on-interval-time {enable | disable}
set company-logo "<company-logo_str>"
set company-name "<company-name_str>"
next
end

Variable / Description / Default

"<email-policy_name>"
  Enter the name of an email policy. The maximum length is 63 characters.
  Default: No default.

mailfrom "<address_str>"
  Enter the sender email address, such as [email protected], that the FortiWeb appliance will use when sending email. The maximum length is 63 characters.
  Default: No default.

mailto1 "<recipient_email>"
  Enter the email address of the first recipient, such as [email protected], to which the FortiWeb appliance will send email. You must enter one email address for alert email to function. The maximum length is 63 characters.
  Default: No default.

mailto2 "<recipient_email>"
  Enter the email address of the second recipient, if any, to which the FortiWeb appliance will send alert email. The maximum length is 63 characters.
  Default: No default.

mailto3 "<recipient_email>"
  Enter the email address of the third recipient, if any, to which the FortiWeb appliance will send alert email. The maximum length is 63 characters.
  Default: No default.

smtp-server {"<smtp_ipv4>" | "<smtpfqdn>"}
  Enter the IP address or fully qualified domain name (FQDN) of the SMTP server, such as mail.example.com, that the FortiWeb appliance can use to send email. The maximum length is 63 characters.
  Default: No default.

smtp-port <smtp-port_int>
  Enter the port on the SMTP server that listens for alerts and generated reports from FortiWeb. The valid range is 1–65,535.
  Default: 25

smtp-auth {enable | disable}
  Enable if the SMTP server requires authentication. Also enable if authentication is not required but is available and you want the FortiWeb appliance to authenticate.
  Default: disable

smtp-username "<auth_str>"
  If you enable smtp-auth {enable | disable} on page 68, enter the user name that the FortiWeb appliance will use to authenticate itself with the SMTP relay. The maximum length is 63 characters.
  This field is available only if you enable smtp-auth {enable | disable} on page 68.
  Default: No default.

smtp-password "<password_str>"
  If you enable smtp-auth {enable | disable} on page 68, enter the password that corresponds with the user name.
  This field is available only if you enable smtp-auth {enable | disable} on page 68.
  Default: No default.

severity {alert | critical | debug | emergency | error | information | notification | warning}
  Select the severity threshold that log messages must meet or exceed in order to cause an email alert.
  Default: emergency

interval <interval_int>
  Enter the number of minutes FortiWeb waits to send an additional alert if an alert condition of the specified severity level continues to occur after the initial alert. The valid range is 1–2,147,483,647.
  Default: 1

connection-security {NONE | STARTTLS | SSL/TLS}
  Select one of the following options:
  - NONE: FortiWeb applies no security protocol to email. With this setting, any SMTP authentication credentials and the alert contents are sent in clear text.
  - STARTTLS: Encrypts the connection to the SMTP server using STARTTLS.
  - SSL/TLS: Encrypts the connection to the SMTP server using SSL/TLS.
  Default: NONE

send-email-based-on-interval-time {enable | disable}
  Enable/disable sending emails by interval time.
  Default: No default.

company-logo "<company-logo_str>"
  Set the company logo in the email policy by entering a Base64 string (base64 encoding) of the image. Only JPG format is supported. Size limit is 36 KB. You are strongly recommended to upload a company logo through the FortiWeb GUI.
  Default: No default.

company-name "<company-name_str>"
  Set the company name in the email policy. The maximum length is 63 characters.
  Default: No default.

Example

This example creates an email policy for use in multiple situations. When the email policy is attached to rule violations or log reports, FortiWeb sends an email from [email protected] to [email protected] and [email protected], using the SMTP server mail.example.com. The SMTP server requires authentication, so the FortiWeb appliance authenticates as fortiweb when connecting to it.
FortiWeb sends alert email for log messages that are at least as severe as a notification. As long as events continue to trigger notification-level log messages, FortiWeb sends an alert email every 10 minutes. (Log messages of other severity levels trigger alert email at their default intervals.) All the related log messages are attached to the emails in ZIP format.
When the configuration is complete, log in to the web UI to send a sample alert email to test the configuration and the email system.
config log email-policy


  edit "Email_Policy1"
    set mailfrom "[email protected]"
    set mailto1 "[email protected]"
    set mailto2 "[email protected]"
    set smtp-server "mail.example.com"
    set smtp-auth enable
    set smtp-username "fortiweb"
    set smtp-password "fortiWebPassworD2"
    set severity notification
    set interval 10
    set attach-compression enable
  next
end
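Reviewing a policy like this one by hand does not scale across many appliances, so here is an added example, not Fortinet's code, that parses the config/edit/set/next/end structure used throughout this reference into nested dictionaries and flags email-policy settings worth a second look, such as smtp-auth enabled while connection-security is NONE. The sample configuration text and addresses are constructed for the example; the parser also accepts nested tables such as the fortianalyzer-server-list described later in this chapter.

```python
"""Parse FortiWeb-style CLI configuration text and audit email policies.

Added example, not Fortinet's code. It parses the config / edit / set /
next / end block structure used by every command in this reference and
reviews `config log email-policy` entries for settings a defender would
want to catch before alert email goes into production.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample, shaped like the page's own example output.
SAMPLE_CONFIG = """\
config log email-policy
    edit "Email_Policy1"
        set mailfrom "fortiweb@example.com"
        set mailto1 "admin@example.com"
        set smtp-server "mail.example.com"
        set smtp-auth enable
        set smtp-username "fortiweb"
        set connection-security NONE
        set interval 10
    next
    edit "Email_Policy2"
        set mailfrom "fortiweb@example.com"
        set smtp-server "mail.example.com"
        set smtp-port 587
        set smtp-auth enable
        set smtp-username "fortiweb"
        set connection-security STARTTLS
    next
end
"""


def parse_config(text: str) -> Dict[str, dict]:
    """Return nested dicts: config path -> entry -> setting -> value tokens.

    Values stay as token lists because settings such as output_file take
    several. An `end` inside an `edit` closes both, as in the page's syntax.
    """
    root: Dict[str, dict] = {}
    stack: List[Tuple[str, dict]] = [("config", root)]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, *args = shlex.split(line)
        if keyword == "config":
            node = stack[-1][1].setdefault(" ".join(args), {})
            stack.append(("config", node))
        elif keyword == "edit":
            node = stack[-1][1].setdefault(args[0], {})
            stack.append(("edit", node))
        elif keyword == "set":
            stack[-1][1][args[0]] = args[1:]
        elif keyword == "next":
            if stack[-1][0] != "edit":
                raise ValueError("'next' outside an edit block")
            stack.pop()
        elif keyword == "end":
            while True:  # pop the enclosing config block and any open edit
                if len(stack) == 1:
                    raise ValueError("'end' with no open config block")
                if stack.pop()[0] == "config":
                    break
        else:
            raise ValueError(f"unexpected keyword {keyword!r}: {line}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit and next/end")
    return root


def audit_email_policies(cfg: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return {policy_name: [finding, ...]}; an empty list means no findings."""
    findings: Dict[str, List[str]] = {}
    for name, settings in cfg.get("log email-policy", {}).items():
        def first(key: str, default: str = "") -> str:
            values = settings.get(key)
            return values[0] if values else default

        issues: List[str] = []
        if not first("mailto1"):
            issues.append("mailto1 missing: one recipient is required for alert email")
        security = first("connection-security", "NONE")  # page default is NONE
        if first("smtp-auth") == "enable":
            if security == "NONE":
                issues.append("smtp-auth enabled with connection-security NONE: "
                              "SMTP credentials would cross the network in clear text")
            if not first("smtp-username"):
                issues.append("smtp-auth enabled but smtp-username is not set")
        if security == "SSL/TLS" and first("smtp-port", "25") == "25":
            issues.append("SSL/TLS selected on smtp-port 25; implicit TLS normally uses 465")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for policy, issues in audit_email_policies(parse_config(SAMPLE_CONFIG)).items():
        print(policy, issues or ["no findings"])
```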

Related topics

• log alertMail on page 60
• log trigger-policy on page 93
• system dns on page 256
• router static on page 98

log event-log

Use this command to configure recording of event log messages, and then use other commands to store those
messages on the local FortiWeb disk, in local FortiWeb memory, or both. Use other commands to configure a traffic log
and attack log.

You must enable disk and/or memory log storage and select log severity levels
before FortiWeb will store any event logs.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.

Syntax
config log event-log
  set status {enable | disable}
  set cpu-high <percentage_int>
  set mem-high <percentage_int>
  set logdisk-high <percentage_int>
  set trigger-policy "<trigger-policy_name>"
end


status {enable | disable}
  Enable to record event log messages.
  To select the destination and the severity threshold of the stored log messages, see log disk on page 66.
  Default: enable

cpu-high <percentage_int>
  Enter a threshold level as a percentage beyond which CPU usage triggers an event log entry.
  The valid range is 60–99.
  Default: 60

mem-high <percentage_int>
  Enter a threshold level as a percentage beyond which memory usage triggers an event log entry.
  The valid range is 60–99.
  Default: 60

logdisk-high <percentage_int>
  Enter a threshold level as a percentage beyond which log disk usage triggers an event log entry.
  The valid range is 60–99.
  Default: 60

trigger-policy "<trigger-policy_name>"
  Enter the name of the trigger to apply when the CPU, memory, log disk usage, or number of sessions meets or exceeds the threshold (see log trigger-policy on page 93). The maximum length is 63 characters.
  To display the list of existing trigger policies, enter:
  set trigger-policy ?
  Default: No default.

Example

This example enables recording of event logs, enables disk log storage and memory log storage, and sets alert as the
minimum severity level that a log message must achieve for storage.
config log disk
  set status enable
  set severity alert
end
config log event-log
  set status enable
end

Related topics

• log disk on page 66
• log attack-log on page 61
• log traffic-log on page 92
• log on page 715

log forti-analyzer

Use this command to configure the FortiWeb appliance to send its log messages to a remote FortiAnalyzer appliance.


You must first define one or more FortiAnalyzer policies using log fortianalyzer-policy on page 73.
Logs sent to FortiAnalyzer are controlled by FortiAnalyzer policies and trigger actions that you configure on the FortiWeb
appliance, and are associated with various types of violations.
Logs stored remotely cannot be viewed from the web UI, and cannot be used by FortiWeb to build reports. If you require
these features, record logs locally as well as remotely.

Usually, you should set trigger actions for specific types of violations. Failure to do so
will result in the FortiWeb appliance logging every occurrence, which could result in
high log volume and reduced system performance. Excessive logging for an
extended period of time may cause premature hard disk failure.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.

Syntax
config log forti-analyzer
  set fortianalyzer-policy "<policy_name>"
  set status {enable | disable}
  set severity {alert | critical | debug | emergency | error | information | notification | warning}
  set traffic_packet {enable | disable}
end

fortianalyzer-policy "<policy_name>"
  Enter the name of an existing FortiAnalyzer policy to use when storing log information remotely. The maximum length is 63 characters.
  To view a list of the existing FortiAnalyzer policies, enter:
  set fortianalyzer-policy ?
  Default: No default.

status {enable | disable}
  Enable to record event log messages to FortiAnalyzer when they meet or exceed the severity level configured in severity.
  Default: disable

severity {alert | critical | debug | emergency | error | information | notification | warning}
  Select the severity level that a log message must meet or exceed in order to cause the FortiWeb appliance to save it to FortiAnalyzer.
  Default: information

traffic_packet {enable | disable}
  Enable to append the traffic packet log to the traffic logs sent to FortiAnalyzer. The packet information may be helpful for troubleshooting.
  To use this feature, you must already have enabled packet-log in config log traffic-log.
  Note that enabling this might consume system resources, thus decreasing the performance of sending logs to FortiAnalyzer.
  Default: disable


Example

This example enables FortiAnalyzer logging and recording of the log messages. Only the log messages with a severity
of error or higher are recorded.
config log forti-analyzer
  set status enable
  set severity error
end

Related topics

• log fortianalyzer-policy on page 73

log fortianalyzer-policy

Use this command to create policies for use by protection rules to store log messages remotely on a FortiAnalyzer
appliance. For example, once you create a FortiAnalyzer policy, you can include it in a trigger policy, which in turn can be
applied to a trigger action in a protection rule.
You need to create a FortiAnalyzer policy if you also plan to send log messages to a FortiAnalyzer appliance.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.

Syntax
config log fortianalyzer-policy
  edit "<policy_name>"
    config fortianalyzer-server-list
      edit <entry_index>
        set ip-address "<forti-analyzer_ipv4>"
      next
    end
  next
end

"<policy_name>"
  Enter the name of the new or existing FortiAnalyzer policy. The maximum length is 63 characters.
  To display a list of the existing policies, enter:
  edit ?
  Default: No default.

<entry_index>
  Enter the index number of the individual entry in the table.
  Default: No default.

ip-address "<forti-analyzer_ipv4>"
  Enter the IP address of the remote FortiAnalyzer appliance.
  Default: No default.

Example

This example creates a policy entry and assigns an IP address, then enables FortiAnalyzer logging for log messages
with a severity of error or higher.
config log fortianalyzer-policy
  edit "fa-policy1"
    config fortianalyzer-server-list
      edit 1
        set ip-address "192.0.2.133"
      next
    end
  next
end
config log forti-analyzer
  set fortianalyzer-policy "fa-policy1"
  set status enable
  set severity error
end

Related topics

• log forti-analyzer on page 71

log ftp-policy

Use this command to configure a connection to an FTP or TFTP server. The config log reports configuration uses
this policy to specify a server that FortiWeb sends reports to.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.

Syntax
config log ftp-policy
  edit "<policy_name>"
    set type {ftp | tftp}
    set server "<ftp-server_ipv4>"
    set ftp_auth {enable | disable}
    set ftp_user "<ftp-user_str>"
    set ftp_passwd "<ftp_pswd>"
    set ftp-dir "<ftp-dir_str>"
  next
end


"<policy_name>"
  Enter the name of a new or existing FTP/TFTP policy. The maximum length is 63 characters.
  To display the list of existing policies, enter:
  edit ?
  Default: No default.

type {ftp | tftp}
  Specify whether the server is FTP or TFTP.
  Default: ftp

server "<ftp-server_ipv4>"
  Enter the IP address of the FTP or TFTP server.
  Default: No default.

ftp_auth {enable | disable}
  Specify whether the server requires a user name and password for authentication, rather than allowing anonymous connections.
  Available only if type {ftp | tftp} on page 75 is ftp.
  Default: disable

ftp_user "<ftp-user_str>"
  Enter the user name that FortiWeb uses to authenticate with the server.
  Available only if ftp_auth {enable | disable} on page 75 is enable.
  Default: No default.

ftp_passwd "<ftp_pswd>"
  Enter the password for the specified username.
  Available only if ftp_auth {enable | disable} on page 75 is enable.
  Default: No default.

ftp-dir "<ftp-dir_str>"
  Enter the location on the server where FortiWeb stores reports.
  Default: No default.

Related topics

• log reports on page 75

log reports

Use this command to configure report profiles.


When generating a report, FortiWeb appliances collate information collected from their log files and present the
information in tabular and graphical format.
In addition to log files, your FortiWeb appliance requires a report profile to generate a report. A report profile is a group of
settings that contains the report name, file format, subject matter, and other aspects that the FortiWeb appliance
considers when generating the report.
FortiWeb appliances can generate reports automatically, according to the schedule that you configure in the report
profile, or manually in the web UI when you click the Run now icon in the report profile list. You may want to create one
report profile for each type of report that you will generate on demand or periodically, by schedule.


Generating reports can be resource intensive. To avoid email processing performance impacts, you may want to generate reports during times with low traffic volume, such as at night.

The number of results in a section’s table or graph varies by the report type.
Ranked reports (top x, or top y of top x) can include a different number of results per cross-section, then combine
remaining results under “Others.” For example, in “Top Attack Severity by Hour of Day,” the report includes the top x
hours, and their top y attacks, then groups the remaining results.
• scope_top1 <topX_int> on page 83 is x.
• scope_top2 <topY_int> on page 83 is y.
Before you generate a report, collect log data that will be the basis of the report. For information on enabling logging to
the local hard disk, see log attack-log on page 61 and log disk on page 66.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.

Creating a report profile is considerably easier in the web UI. Go to Log&Report > Report Config.

Syntax
config log reports
  edit "<report_name>"
    set custom_company "<org_str>"
    set custom_footer_options {custom | report-title}
    set custom_footer "<footer_str>"
    set custom_header "<header_str>"
    set custom_header_logo "<filename_hex_str>"
    set custom_title_logo "<filename_hex_str>"
    set email_attachment_compress {enable | disable}
    set email_attachment_name "<filename_str>"
    set email_body "<message_str>"
    set email_subject "<subject_str>"
    set filter_string "<log-filter_str>"
    set include_nodata {yes | no}
    set on_demand {enable | disable}
    set output_email {html mht pdf rtf txt}
    set output_email_policy "<policy_name>"
    set output_file {html mht pdf rtf txt}
    set output_ftp {html pdf rtf txt mht}
    set output_ftp_policy "<ftp-policy_name>"
    set period_end "<time_str>" "<date_str>"
    set period_last_n <n_int>
    set period_start "<time_str>" "<date_str>"
    set period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday}
    set report_desc "<comment_str>"
    set report_title "<title_str>"
    set report_attack_activity {attacks-type attacks-url attacks-date-type attacks-month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-severity attacks-hour-severity attacks-sessionid attacks-srccountry attacks-signature-id attacks-type-signature-id attacks-fortisandbox attacks-HTTPhost attacks-username attacks-HTTPrefer attacks-HTTPversion attack-summary attack-details}
    set report_event_activity {ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat ev-day-login ev-week-login ev-user-logint}
    set report_traffic_activity {net-pol net-srv net-src net-dst net-src-dst net-dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src net-month-src net-srccountry net-HTTPhost net-username net-HTTPrefer net-HTTPversion}
    set report_pci_activity {pci-attacks-date-type pci-attacks-month-type pci-attacks-day-type pci-attacks-hour-type}
    set schedule_type {daily | dates | days | none}
    set schedule_days {sun | mon | tue | wed | thu | fri | sat}
    set schedule_dates "<dates_str>"
    set schedule_time "<time_str>"
    set scope_include_summary {yes | no}
    set scope_include_table_of_content {yes | no}
    set scope_top1 <topX_int>
    set scope_top2 <topY_int>
  next
end

"<report_name>"
  Enter the name of a new or existing report profile. The maximum length is 63 characters.
  The profile name will be included in the report header.
  To display the list of existing report names, enter:
  edit ?
  Default: No default.

custom_company "<org_str>"
  Enter the name of your department, company, or other organization, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 191 characters.
  For details about enabling the summary, see scope_include_summary {yes | no} on page 82.
  Default: No default.

custom_footer_options {custom | report-title}
  Select either:
  • report-title—Use "<report_name>" on page 77 as the footer text.
  • custom—Provide different footer text.
  Default: report-title


custom_footer "<footer_str>"
  Enter the text, if any, that you want to include at the bottom of each report page. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 127 characters.
  This setting is available only if custom_footer_options {custom | report-title} on page 77 is custom.
  Default: No default.

custom_header "<header_str>"
  Enter the text, if any, that you want to include at the top of each report page. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 127 characters.
  Default: No default.

custom_header_logo "<filename_hex_str>"
  Enter the file name of a custom logo that you have previously uploaded to the FortiWeb appliance. The logo image will be included in the report header. The maximum length is 256 characters.
  Default: No default.

custom_title_logo "<filename_hex_str>"
  Enter the file name of a custom logo that you have previously uploaded to the FortiWeb appliance. The logo image will be included in the report title. The maximum length is 256 characters.
  Default: No default.

email_attachment_compress {enable | disable}
  Enable to enclose the generated report formats in a compressed archive attached to the email.
  This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt} on page 79.
  Default: disable

email_attachment_name "<filename_str>"
  Enter the file name that will be used for the reports attached to the email. The maximum length is 63 characters.
  This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt} on page 79.
  Default: No default.

email_body "<message_str>"
  Enter the message body of the email. The maximum length is 383 characters.
  This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt} on page 79.
  Default: No default.

email_subject "<subject_str>"
  Enter the subject line of the email. The maximum length is 191 characters.
  This field is required if you have enabled email output by enabling one or more of the file formats for email output in output_email {html mht pdf rtf txt} on page 79.
  Default: No default.

filter_string "<log-filter_str>"
  Enter a log message filter string that includes or excludes log messages based upon matching log field values. The maximum length is 1,023 characters.
  For example syntax, see Example on page 83.
  Default: No default.


include_nodata {yes | no}
  Select whether to include (yes) or hide (no) reports which are empty because there is no matching log data.
  Default: no

on_demand {enable | disable}
  Enable to run the report one time only. After the FortiWeb appliance completes the report, it removes the report profile from its hard disk.
  Enter disable to schedule a time to run the report, and to keep the report profile for subsequent use.
  Default: disable

output_email {html mht pdf rtf txt}
  Select one or more file types for the report when mailing generated reports.
  Default: No default.

output_email_policy "<policy_name>"
  If you set a value for output_email, enter the name of the email policy that contains settings for sending the report by email. The maximum length is 63 characters.
  For details about email policies, see log email-policy on page 67.
  Default: No default.

output_file {html mht pdf rtf txt}
  Select one or more file types for the report when saving to the FortiWeb hard disk.
  Default: html

output_ftp {html pdf rtf txt mht}
  Select one or more file types for the report when FortiWeb sends reports to an FTP or TFTP server.
  Default: No default.

output_ftp_policy "<ftp-policy_name>"
  Enter the policy that defines a connection to the appropriate server. For details, see log ftp-policy on page 74.
  Default: No default.

period_end "<time_str>" "<date_str>"
  Enter the time and date that define the end of the span of time whose log messages you want to use when generating the report.
  The time format is hh:mm and the date format is yyyy/mm/dd, where:
  • hh is the hour according to a 24-hour clock
  • mm is the minute
  • yyyy is the year
  • mm is the month
  • dd is the day
  This setting appears only when you select a period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday} on page 80 of other.
  Default: No default.

period_last_n <n_int>
  Enter the number that defines n if the period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday} on page 80 contains that variable. The valid range is from 1 to 2,147,483,647.
  This setting appears only when you select a period_type of last-n-days, last-n-hours, or last-n-weeks.
  Default: No default.

period_start "<time_str>" "<date_str>"
  Enter the time and date that define the beginning of the span of time whose log messages you want to use when generating the report.
  The time format is hh:mm and the date format is yyyy/mm/dd, where:
  • hh is the hour according to a 24-hour clock
  • mm is the minute
  • yyyy is the year
  • mm is the month
  • dd is the day
  This setting appears only when you select a period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday} on page 80 of other.
  Default: No default.

period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday}
  Select the span of time whose log messages you want to use when generating the report.
  If you select last-n-days, last-n-hours, or last-n-weeks, you must also define n by entering period_last_n <n_int> on page 79.
  If you select other, you must also define the start and end of the report’s time range by entering period_start "<time_str>" "<date_str>" on page 80 and period_end "<time_str>" "<date_str>" on page 79.
  The span of time will be included in the summary, if enabled. For information on enabling the summary, see scope_include_summary {yes | no} on page 82.
  Default: last-7-days

report_desc "<comment_str>"
  Enter a description of the report, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, surround it with double quotes ( " ). The maximum length is 63 characters.
  For information on enabling the summary, see scope_include_summary {yes | no} on page 82.
  Default: No default.

report_title "<title_str>"
  Enter a title, if any, that you want to include in the report summary. If the text is more than one word or contains special characters, enclose it in double quotes ( " ). The maximum length is 127 characters.
  For information on enabling the summary, see scope_include_summary {yes | no} on page 82.
  Default: No default.


report_attack_activity {attacks-type attacks-url attacks-date-type attacks-month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-severity attacks-hour-severity attacks-sessionid attacks-srccountry attacks-signature-id attacks-type-signature-id attacks-fortisandbox attacks-HTTPhost attacks-username attacks-HTTPrefer attacks-HTTPversion attack-summary attack-details}
  Enter zero or more options to indicate which charts based upon attack logs to include in the report.
  For example, to include “Attacks By Policy,” enter a list of charts that includes attacks-policy. To include “Top Attacked HTTP Methods by Type,” enter a list of charts that includes attacks-method-type.
  Default: No default.

report_event_activity {ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat ev-day-login ev-week-login ev-user-logint}
  Enter zero or more options to indicate which charts based upon event logs to include in the report.
  For example, to include “Top Event Categories by Status”, enter a list of charts that includes ev-stat.
  Default: No default.


report_traffic_activity {net-pol net-srv net-src net-dst net-src-dst net-dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src net-month-src net-srccountry net-HTTPhost net-username net-HTTPrefer net-HTTPversion}
  Enter zero or more options to indicate which charts based upon traffic logs to include in the report.
  For example, to include “Top Sources By Day of Week”, enter a list of charts that includes net-day-src.
  Default: No default.

report_pci_activity {pci-attacks-date-type pci-attacks-month-type pci-attacks-day-type pci-attacks-hour-type}
  Enter zero or more options to indicate which charts based upon PCI attack logs to include in the report.
  Default: No default.

schedule_type {daily | dates | days | none}
  Select when the FortiWeb appliance will automatically run the report. If you reboot the FortiWeb appliance while the report is being generated, report generation resumes after the boot process is complete.
  If schedule_type is daily, dates or days, specify the schedule_time, schedule_days, or schedule_dates when the report will be generated.
  If schedule_type is none, the report will be generated only when you manually initiate it.
  Default: none

schedule_days {sun | mon | tue | wed | thu | fri | sat}
  If schedule_type {daily | dates | days | none} on page 82 is days, select the day of the week when the report should be generated.
  Default: No default.

schedule_dates "<dates_str>"
  If schedule_type {daily | dates | days | none} on page 82 is dates, select the specific date of the month, from 1 to 31, when the report should be generated. Separate multiple dates with spaces.
  Default: No default.

schedule_time "<time_str>"
  If schedule_type {daily | dates | days | none} on page 82 is not none, select the time of day when the report should be run.
  The time format is hh:mm, where:
  • hh is the hour according to a 24-hour clock
  • mm is the minute
  Default: 00:00

scope_include_summary {yes | no}
  Enter yes to include a summary section at the beginning of the report. The summary includes:
  • "<report_name>" on page 77
  • custom_company "<org_str>" on page 77
  • report_desc "<comment_str>" on page 80
  • the date and time when the report was generated using this profile
  • the span of time whose log messages were used to generate the report, according to period_type {last-14-days | last-2-weeks | last-30-days | last-7-days | lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter | last-week | other | this-month | this-quarter | this-week | thiyear | today | yesterday} on page 80
  Default: yes

scope_include_table_of_content {yes | no}
  Enter yes to include a table of contents at the beginning of the report. The table of contents includes links to each chart in the report.
  Default: yes

scope_top1 <topX_int>
  Enter x number of items (up to 30) to include in the first cross-section of ranked reports.
  For some report types, you can set the top ranked items for the report. These reports have “Top” in their name, and will always show only the top x entries. Reports that do not include “Top” in their name show all information. Changing the values for the top field will not affect these reports.
  Default: 6

scope_top2 <topY_int>
  Enter y number of items (up to 30) to include in the second cross-section of ranked reports.
  For some report types, you can set the number of ranked items to include in the report. These reports have “Top” in their name, and will always show only the top x entries. Some report types have two levels of ranking: the top y sub-entries for each top x entry.
  Reports that do not include “Top” in their name show all information. Changing the values for the top field will not affect these reports.
  Default: 3

Example

This example configures a report to be generated every Saturday at 1 PM. The report, whose title is Report 1, includes
all available charts, and covers the last 14 days’ worth of event, traffic, and attack logs. However, it only uses logs where
the source IP address was 192.0.2.20. Each time it is generated, it will be saved to the hard disk in both HTML and PDF
file formats and will be sent by email in PDF format to recipients defined within the “Log report analysis” email policy.
config log reports
  edit "Report_1"
    set report_attack_activity attacks-type attacks-url attacks-date-type attacks-month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-severity attacks-hour-severity attacks-sessionid attacks-signature-id attacks-srccountry attacks-type-signature-id
    set report_event_activity ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat
    set report_traffic_activity net-pol net-srv net-src net-dst net-src-dst net-dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src net-month-src
    set custom_company "Example, Inc."
    set custom_footer_options custom
    set custom_header "A fictitious corporation."
    set custom_title_logo "titlelogo.jpg"
    set filter_string "(and src==\'192.0.2.20\')"
    set include_nodata yes
    set output_file html pdf
    set output_email pdf
    set output_email_policy "log_report_analysis"
    set period_type last-n-days
    set report_desc "A sample report."
    set report_title "Report 1"
    set schedule_type days
    set custom_footer "Weekly report for Example, Inc."
    set period_last_n 14
    set schedule_days sat
    set schedule_time 13:00
  next
end

Related topics

• log attack-log on page 61
• log disk on page 66
• log email-policy on page 67
• log ftp-policy on page 74

log sensitive

Use this command to configure whether the FortiWeb appliance will obscure sensitive information, such as user names
and passwords, in log messages for which packet payloads are enabled. Each packet payload has predefined sensitivity
rules based on the payload data type. If needed, you can also create custom sensitivity rules to obscure other payload
data types using log custom-sensitive-rule on page 63.
This command is relevant only if you have enabled the FortiWeb appliance to keep packet payloads along with their
associated log messages. For details, see log attack-log on page 61 and log traffic-log on page 92.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.

Syntax
config log sensitive
set type {custom-rule | pre-defined-rule}
end


type {custom-rule | pre-defined-rule}
    Select whether the FortiWeb appliance obscures packet payloads according to predefined data types, custom data types, or both.
    For details, see log custom-sensitive-rule on page 63.
    Default: No default.

Example

This example configures the FortiWeb appliance to use a custom sensitive rule to obscure packet payload information about users who are age 13 and under. The expression matches an age parameter whose value is a single digit or 10 through 13 at the end of the matched text.
config log sensitive
set type custom-rule
end
config log custom-sensitive-rule
edit "custom-sensitive-rule1"
set type general-mask-rule
set expression "age\\=(1[0-3]|[0-9])$"
next
end
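Because a wrong expression in a custom sensitive rule either leaks the value or masks nothing, it is worth exercising the expression against a sample payload before deploying it. The following Python script is an added example, not FortiWeb code: it reproduces the masking behaviour for two rules (mask any password value, the predefined-rule style; mask an age value of 13 or under, the custom-rule style) over a constructed form payload. The field names, payload and mask string are assumptions for the illustration.

```python
import re

# Constructed sample payload for the illustration (not from the page).
SAMPLE_PAYLOAD = "user=alice&age=12&passwd=hunter2&age=14&note=age=9"

# Value patterns, applied with fullmatch() to the value of one field.
# Age 13 or under: a single digit, or 10 through 13. A character class such
# as [1-13] would only match the characters 1 and 3, so it is not used.
AGE_13_AND_UNDER = re.compile(r"1[0-3]|[0-9]")
# Any password value regardless of content (what a predefined rule would do).
ANY_VALUE = re.compile(r".*")

# Rule table: (form field, value pattern). Assumed names for the example.
RULES = [
    ("passwd", ANY_VALUE),
    ("age", AGE_13_AND_UNDER),
]


def mask_field(payload: str, field: str, value_pattern: re.Pattern, mask: str = "***") -> str:
    """Replace the value of every `field=value` pair whose value matches value_pattern.

    The field name must start the payload or follow '&', so 'note=age=9' is
    not treated as an 'age' field.
    """
    field_re = re.compile(r"(?<![^&])" + re.escape(field) + r"=([^&]*)")

    def replace(match: re.Match) -> str:
        value = match.group(1)
        if value_pattern.fullmatch(value):
            return f"{field}={mask}"
        return match.group(0)

    return field_re.sub(replace, payload)


def apply_rules(payload: str, rules=RULES) -> str:
    """Apply every rule in order and return the obscured payload."""
    for field, pattern in rules:
        payload = mask_field(payload, field, pattern)
    return payload


if __name__ == "__main__":
    print(apply_rules(SAMPLE_PAYLOAD))
    # user=alice&age=***&passwd=***&age=14&note=age=9
```

The password rule masks unconditionally; the age rule masks only when the whole value matches, so age=14 and the age string embedded in another field's value are left intact.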

Related topics

l log custom-sensitive-rule on page 63


l log attack-log on page 61
l log traffic-log on page 92

log siem-message-policy

Use this command to configure the FortiWeb appliance to send its log messages to one or more remote ArcSight SIEM
(security information and event management) servers.
You must first define one or more SIEM policies using log siem-policy on page 86.
Logs sent to the ArcSight server are controlled by SIEM policies and trigger actions that you configure on the FortiWeb
appliance, and are associated with various types of violations.
Logs stored remotely cannot be viewed from the web UI, and cannot be used by FortiWeb to build reports. If you require
these features, record logs locally as well as remotely.

Usually, you should set trigger actions for specific types of violations. Failure to do so
will result in the FortiWeb appliance logging every occurrence, which could result in
high log volume and reduced system performance. Excessive logging for an
extended period of time may cause premature hard disk failure.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.


Syntax
config log siem-message-policy
set siem-policy "<policy_name>"
set severity {alert | critical | debug | emergency | error | information |
notification | warning}
set status {enable | disable}
end

siem-policy "<policy_name>"
    Enter the name of an existing SIEM policy to use when storing log information remotely. The maximum length is 63 characters.
    To view a list of the existing SIEM policies, enter:
    set siem-policy ?
    Default: No default.

severity {alert | critical | debug | emergency | error | information | notification | warning}
    Select the severity level that a log message must meet or exceed in order to cause the FortiWeb appliance to save it to the ArcSight server.
    Default: information

status {enable | disable}
    Enable to record event log messages to the ArcSight server if they meet or exceed the severity level specified by severity.
    Default: disable

Example

This example enables ArcSight SIEM logging and recording of the log messages. Only the log messages with a severity
of error or higher are recorded.
config log siem-message-policy
set status enable
set severity error
set siem-policy SIEM_Policy1
end

Related topics

l log siem-policy on page 86

log siem-policy

Use this command to configure a connection to one or more ArcSight SIEM (security information and event
management) servers, IBM QRadar servers, or Azure Security Center (if your FortiWeb-VM is deployed on Microsoft
Azure). The policy is used by the log siem-message-policy configuration and by trigger policies to define the specific
ArcSight server, QRadar server, or Azure Event Hub to which log messages are sent. For details, see log siem-message-policy
on page 85 and log trigger-policy on page 93.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.

Syntax
config log siem-policy
edit "<policy_name>"
config siem-server-list
edit <entry_index>
set type {arcsight-cef | qradar-leef | azure-cef}
set port <port_int>
set server "<siem_ipv4>"
end
next
end

"<policy_name>"
    Enter the name of a new or existing SIEM policy. The maximum length is 63 characters.
    To display the list of existing policies, enter:
    edit ?
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table.
    Default: No default.

type {arcsight-cef | qradar-leef | azure-cef}
    Select the type of SIEM (Security Information and Event Management) server that receives the log messages. According to the selected type, FortiWeb carries out one of the following actions:
    l arcsight-cef: Store log messages remotely on an ArcSight server, in CEF (Common Event Format).
    l qradar-leef: Store log messages remotely on a QRadar server, in LEEF (Log Event Extended Format).
    l azure-cef: Send log messages in CEF to an Azure Event Hub (only available for FortiWeb-VM installed on Azure).
    There is a 256 byte limit for URLs.
    If this option is enabled, but no trigger action is selected for a specific type of violation, FortiWeb records every occurrence of that violation to the resource specified by the SIEM policy.
    The azure-cef policy type requires you to complete the Azure event hub settings using the system eventhub on page 259 CLI command.
    Note: Before you enable this option, verify that log frequency is not too great. If logs are very frequent, enabling this option can decrease performance and cause the FortiWeb appliance to send many log messages to the resource.
    Note: You cannot view logs stored remotely from the FortiWeb web UI.
    Default: arcsight-cef

port <port_int>
    Enter the port on which the ArcSight or QRadar server listens for log output.
    Default: 514

server "<siem_ipv4>"
    Enter the IP address of the ArcSight or QRadar server.
    Default: No default.

Example

This example creates SIEM_Policy1. FortiWeb contacts the ArcSight server using its IP address, 192.0.2.10.
Communications occur over the standard syslog port, UDP port 514. The FortiWeb appliance sends log
messages to the server in CEF format.
config log siem-policy
edit "SIEM_Policy1"
config siem-server-list
edit 1
set type arcsight-cef
set port 514
set server "192.0.2.10"
end
next
end

Related topics

l log siem-message-policy on page 85
l log trigger-policy on page 93
l system dns on page 256
l router static on page 98

log syslogd

Use this command to configure the FortiWeb appliance to send log messages to a Syslog server defined by log syslog-policy on page 90.

For improved performance, unless necessary, avoid logging highly frequent log
types. While logs sent to your Syslog server do not persist in FortiWeb’s local RAM,
FortiWeb still must use bandwidth and processing resources while sending the log
message.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.

Syntax
config log syslogd
set status {enable | disable}
set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp |
kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 |
local7 | mail | ntp | user}
set severity {alert | critical | debug | emergency | error | information |
notification | warning}
set policy "<syslogd-policy_name>"
config custom-field
edit 1
set name <name1>
set value <value1>
next
edit 2
set name <name2>
set value <value2>
next
end

status {enable | disable}
    Enable to send log messages to the Syslog server defined by log syslog-policy on page 90. Also configure facility, severity, and policy.
    Default: disable

facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | mail | ntp | user}
    Enter the facility identifier that the FortiWeb appliance uses to identify itself when sending log messages to the first Syslog server.
    To easily identify log messages from the FortiWeb appliance when they are stored on the Syslog server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.
    Default: local7

severity {alert | critical | debug | emergency | error | information | notification | warning}
    Select the severity level that a log message must meet or exceed in order to cause the FortiWeb appliance to send it to the first Syslog server.
    Default: information

policy "<syslogd-policy_name>"
    If logging to a Syslog server is enabled, enter the name of the Syslog policy that describes the Syslog server to which log messages are sent. The maximum length is 63 characters.
    For details about Syslog policies, see log syslog-policy on page 90.
    Default: No default.

name <name>
    Set this option to add customized identifiers to syslog records, for example the hostname, so that you can easily track the logs of a specific host. Enter a name for the identifier.
    Default: No default.

value <value>
    Enter the value of the identifier. It can be a fixed value or a variable.
    In an HA deployment, the configuration is synchronized among the HA group members, but each member should record its own hostname in syslog. In this case, use the variable $hostname (set value $hostname) to refer to the hostname defined in config system global. Only the hostname variable is supported.
    Default: No default.

Example

This example enables storage of log messages with the notification severity level and higher on the Syslog server.
The network connections to the Syslog server are defined in Syslog_Policy1. The FortiWeb appliance uses the
facility identifier local7 when sending log messages to the Syslog server to differentiate its own log messages from
those of other network devices using the same Syslog server.
config log syslogd
set status enable
set severity notification
set facility local7
set policy "Syslog_Policy1"
end
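The facility and severity chosen in log syslogd reach the collector encoded in the syslog PRI field (facility code times 8, plus severity code), which is what a collector filters on when it wants only FortiWeb's messages at or above a threshold. The following Python script is an added example, not FortiWeb code; it assumes the standard RFC 5424 numeric codes for the facility and severity keywords the page lists, and the log lines it filters are constructed. It computes the PRI of a local7/notification message, decodes a PRI back into its two codes, and selects lines the way the page's "meet or exceed" threshold works (lower codes are more severe).

```python
import re
from typing import List, Tuple

# Standard syslog codes (RFC 5424). Assumption: FortiWeb's keywords map to these numbers.
FACILITIES = {
    "kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "cron": 9,
    "authpriv": 10, "ftp": 11, "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample of lines as a collector might receive them (not real FortiWeb output).
SAMPLE_LINES = [
    "<189>fortiweb: type=event subtype=system severity=notification msg=admin login",
    "<190>fortiweb: type=traffic severity=information msg=GET /index.html",
    "<187>fortiweb: type=attack severity=error msg=SQL injection blocked",
    "<13>otherhost: sshd[123]: Accepted publickey for ops",
]


def pri(facility: str, severity: str) -> int:
    """PRI value carried in front of a message for this facility and severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value: int) -> Tuple[int, int]:
    """Split a PRI value back into (facility code, severity code)."""
    return value // 8, value % 8


def meets_threshold(severity_code: int, threshold: str) -> bool:
    """'Meets or exceeds' in the page's sense: a numerically lower code is more severe."""
    return severity_code <= SEVERITIES[threshold]


def select_lines(lines: List[str], facility: str, threshold: str) -> List[str]:
    """Keep lines from the given facility at the threshold severity or more severe."""
    wanted = FACILITIES[facility]
    kept = []
    for line in lines:
        match = PRI_RE.match(line)
        if not match:
            continue  # no PRI header: not a syslog line we can classify
        fac, sev = decode_pri(int(match.group(1)))
        if fac == wanted and meets_threshold(sev, threshold):
            kept.append(line)
    return kept


if __name__ == "__main__":
    print(pri("local7", "notification"))                         # 189
    for line in select_lines(SAMPLE_LINES, "local7", "notification"):
        print(line)
```

With facility local7 and severity notification, as in the example above, the information-level traffic line and the other host's user-facility line are dropped, and the notification and error lines are kept.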

log syslog-policy

Use this command to configure a connection to one or more Syslog servers. Each policy can specify connections for up
to three Syslog servers. The log syslogd configuration uses the policy to define the specific Syslog server or servers
on which log messages are stored. For details, see log syslogd on page 88.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.


Syntax
config log syslog-policy
edit "<policy_name>"
config syslog-server-list
edit <entry_index>
set port <port_int>
set proto {tcp | tls | udp}
set packet {enable | disable}
set format {cef | csv | default | json}
set server "<syslog_ipv4>"
set cus-fields <cus-fields_name>
end
next
end

"<policy_name>"
    Enter the name of a new or existing Syslog policy. The maximum length is 63 characters.
    To display the list of existing policies, enter:
    edit ?
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table. You can create up to 3 connections.
    Default: No default.

port <port_int>
    Enter the port number on which the Syslog server listens. The valid range is 1–65,535.
    Default: 514

proto {tcp | tls | udp}
    Select the protocol used to transfer the logs between FortiWeb and the Syslog server. UDP delivery is unacknowledged and unencrypted, so lost or altered messages go unnoticed; prefer tls when the Syslog server is reached across a network you do not fully control.
    Default: udp

format {cef | csv | default | json}
    Select the format of the system log. Note that CEF here is for a Syslog server, not for a SIEM. If your receiver is a SIEM server such as Azure Sentinel, see Configuring SIEM policies in the FortiWeb Administration Guide.
    Default: default

server "<syslog_ipv4>"
    Enter the IP address of the Syslog server.
    Default: No default.

packet {enable | disable}
    Enable to include packet payloads in JSON format logs. Packet payloads supplement the log message by providing the actual request headers and body. This option is available only when format is json and proto is tcp or tls.
    Note that using JSON format or enabling packet payloads may negatively impact system performance.
    Default: disable

cus-fields <cus-fields_name>
    Select one of the identifiers you defined in config log syslogd under config custom-field. It is attached to the syslog records.
    Default: No default.

Example

This example creates Syslog_Policy1. The Syslog server is contacted by its IP address, 192.168.1.10.
Communications occur over the standard port number for Syslog, UDP port 514. The FortiWeb appliance sends log
messages to the Syslog server in CSV format.
config log syslog-policy
edit "Syslog_Policy1"
config syslog-server-list
edit 1
set server "192.168.1.10"
set port 514
set proto udp
set format csv
end
next
end

Related topics

l log syslogd on page 88


l system dns on page 256
l router static on page 98

log traffic-log

Use this command to have the FortiWeb appliance record traffic log messages on its local disk. This command also lets
you save packet payloads with the traffic logs.

You must enable disk log storage and select log severity levels using log disk on
page 66 before any traffic logs are stored on disk.

Packet payloads supplement the log message by providing the actual data associated with the traffic log, which may
help you to analyze traffic patterns.
You can view packet payloads in the Packet Log column when viewing a traffic logs using the web UI. For details, see
the FortiWeb Administration Guide:
HTTP://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.


Syntax
config log traffic-log
set packet-log {enable | disable}
set status {enable | disable}
end

status {enable | disable}
    Enable to record traffic log messages if disk log storage is enabled, and the logs meet or exceed the severity levels selected using log disk on page 66.
    Default: disable

packet-log {enable | disable}
    Enable to keep packet payloads stored with their associated traffic log message.
    For details about obscuring sensitive information in packet payloads, see log sensitive on page 84.
    Default: disable

message-event {enable | disable}
    Default: disable

Example

This example enables disk log storage, sets information as the minimum severity level that a log message must
achieve for storage, enables recording of traffic logs and retention of all packet payloads along with the traffic logs.
config log disk
set status enable
set severity information
end
config log traffic-log
set status enable
set packet-log enable
end

Related topics

l log attack-log on page 61


l log event-log on page 70
l log disk on page 66
l log sensitive on page 84
l log on page 715

log trigger-policy

Use this command to configure a trigger policy for use in the notification process.


You apply trigger policies to individual conditions that have an associated action and severity, such as attacks and rule
violations. A trigger policy has the following components:
l An email policy (contains the details associated with the recipient email account)
l A Syslog policy (contains details required to communicate with the Syslog server)
l A FortiAnalyzer policy (contains the IP address of the remote FortiAnalyzer appliance)
l A SIEM policy (contains details required to communicate with the SIEM server)
The trigger policy determines whether an email is sent to administrators when a certain condition occurs and whether the
log messages associated with the condition are sent to a Syslog server, a FortiAnalyzer, or a SIEM server.
You define the email, Syslog, FortiAnalyzer, and SIEM policies before you apply the trigger policy to an individual condition. For
details, see log email-policy on page 67, log syslog-policy on page 90, log fortianalyzer-policy on page 73, and log siem-policy on page 86.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see Permissions on page 46.

Syntax
config log trigger-policy
edit "<trigger-policy_name>"
set email-policy "<email-policy_name>"
set syslog-policy "<syslog-policy_name>"
set analyzer-policy "<fortianalyzer-policy_name>"
set siem-policy "<siem-policy_name>"
next
end

"<trigger-policy_name>"
    Enter the name of a new or existing trigger policy. The maximum length is 63 characters.
    Default: No default.

email-policy "<email-policy_name>"
    Enter the name of the email policy to be used with the trigger policy. The maximum length is 63 characters.
    If the conditions associated with the trigger policy occur, the email policy determines the recipients of the notification email messages associated with the condition.
    For details, see log email-policy on page 67.
    Default: No default.

syslog-policy "<syslog-policy_name>"
    Enter the name of the Syslog policy to be used with the trigger policy. The maximum length is 63 characters.
    If the conditions associated with the trigger policy occur, the Syslog policy determines which Syslog server the messages are sent to.
    For details, see log syslog-policy on page 90.
    Default: No default.

analyzer-policy "<fortianalyzer-policy_name>"
    Enter the name of an existing FortiAnalyzer policy to be used with the trigger policy. The maximum length is 63 characters.
    For details, see log fortianalyzer-policy on page 73.
    Default: No default.

siem-policy "<siem-policy_name>"
    Enter the name of an existing SIEM policy to be used with the trigger policy. The maximum length is 63 characters.
    For details, see log siem-policy on page 86.
    Default: No default.


Example

This example creates Trigger_policy1, which uses emailpolicy1 to send email notifications about the condition
to specific recipients, and Syslog_Policy1 to submit the log messages to a specific Syslog server.
config log trigger-policy
edit "Trigger_policy1"
set syslog-policy "Syslog_Policy1"
set email-policy "emailpolicy1"
next
end

Related topics

l log email-policy on page 67


l log syslog-policy on page 90
l log fortianalyzer-policy on page 73
l log siem-policy on page 86
l waf HTTP-protocol-parameter-restriction on page 488
l waf signature on page 555

router policy

Use this command to configure policy routes that redirect traffic away from a static route.
For example, you can divert traffic for intrusion prevention system (IPS) scanning. It is also useful if your FortiWeb protects web
servers for different customers (for example, the clients of a Managed Security Service Provider).
Policy routes can direct traffic to a specific network interface and gateway based on the packet’s source and destination
IP address.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
netgrp area. For details, see Permissions on page 46.

Syntax
config router policy
edit <policy_index>
set iif "<incoming_interface_name>"
set src "<source_ip>"
set dst "<destination_ip>"
set fwmark <fwmark_int>
set action {forward-traffic | stop-policy-routing}
set oif "<outgoing_interface_name>"
set gateway "<router_ip>"
set priority <priority_int>
next
end


<policy_index>
    Enter the index number of the policy route. The valid range is 0–65,535.
    Default: No default.

iif "<incoming_interface_name>"
    Enter the name of the interface, such as port1, on which FortiWeb receives the packets that this routing policy applies to.
    Default: No default.

src "<source_ip>"
    Enter the source IP address and netmask to match, separated with a space.
    FortiWeb routes matching traffic through the specified interface and gateway.
    Default: 0.0.0.0 0.0.0.0

dst "<destination_ip>"
    Enter the destination IP address and netmask to match, separated with a space.
    FortiWeb routes matching traffic through the specified interface and gateway.
    Default: 0.0.0.0 0.0.0.0

fwmark <fwmark_int>
    Enter the Fwmark value specified in the firewall Fwmark policy. If you do not need to match traffic against the Fwmark value, enter 0.
    The valid range is 0–255.

action {forward-traffic | stop-policy-routing}
    forward-traffic: FortiWeb matches traffic against the specified conditions and forwards matching traffic according to this policy route.
    stop-policy-routing: FortiWeb matches traffic against the specified conditions and forwards matching traffic according to the matching static route instead.

oif "<outgoing_interface_name>"
    Enter the name of the interface, such as port2, through which FortiWeb routes packets that match the specified IP address information.
    Default: No default.

gateway "<router_ip>"
    Enter the IP address of a next-hop router.
    A gateway address is not required for routing policies used as static routes in a one-arm topology. Leave this blank for a one-arm network topology.
    Default: 0.0.0.0

priority <priority_int>
    Enter a value between 1 and 200 that specifies the priority of the route.
    When packets match more than one policy route, FortiWeb directs traffic to the route with the lowest value.
    Default: 200

Related topics

l router static on page 98


l router setting on page 97


router setting

Use this command to change how FortiWeb handles non-HTTP/HTTPS traffic (for example, SSH and FTP) when it is
operating in Reverse Proxy mode.
When this setting is disabled (the default) and FortiWeb is operating in Reverse Proxy mode, the appliance drops any
non-HTTP/HTTPS traffic.
When this setting is enabled and FortiWeb is operating in Reverse Proxy mode, the appliance handles non-
HTTP/HTTPS protocols in the following ways:
l Any non-HTTP/HTTPS traffic destined for a virtual server on the appliance is dropped.
l For any non-HTTP/HTTPS traffic destined for another destination (for example, a back-end server), FortiWeb acts
as a router and forwards it based on its destination address.
This command has no effect when FortiWeb is operating in transparent modes, which allow and forward non-
HTTP/HTTPS packets by default.

Use this setting only if necessary. For security and performance reasons, if you
have a FortiGate with an Internet/public address virtual IP (VIP) that forwards traffic
to your FortiWeb, and your FortiWeb is on the same subnet as your web servers, do
not use this setting. Instead, configure the VIP to forward:
l only HTTP/HTTPS to FortiWeb, which forwards it to your servers

l specific traffic such as SSH or SFTP directly to your servers

This avoids latency related to an extra hop. It also avoids accidentally forwarding
unscanned protocols.
Routing is best effort. Not all protocols may be supported, such as Citrix Receiver
(formerly ICA).

FortiWeb appliances are designed to provide in-depth protection specifically for the HTTP and HTTPS protocols.
Because of this, when in Reverse Proxy mode, by default, FortiWeb does not forward non-HTTP/HTTPS protocols
to your protected web servers. That is, IP-based forwarding is disabled. Traffic is only forwarded if picked up and
scanned by the HTTP Reverse Proxy. This provides a secure default configuration by blocking traffic to services that
might have been unintentionally left open and should not be accessible to the general public.
In some cases, however, a web server provides more services, not just HTTP or HTTPS. A typical exception is a server
that also allows SFTP and SSH access. In these cases, enable routing to allow FortiWeb to route the non-HTTP/HTTPS
traffic to the server using the server’s IP address. For HTTP/HTTPS services, direct traffic to the IP address of the
FortiWeb virtual server, which forwards requests to the back-end server after inspection.
This command has no equivalent in the web UI.
Use the following commands to retrieve information about current static route values:
config router setting
get route static
end

Use the following commands to view the current value of ip-forward:


config router setting
get route setting
end


To use this command, your administrator account’s access control profile must have either w or rw permission to the
netgrp area. For details, see Permissions on page 46.

Syntax
config router setting
set ip-forward {enable | disable}
set ip6-forward {enable | disable}
end

ip-forward {enable | disable}
    Enable to forward non-HTTP/HTTPS traffic if its IPv4 destination address matches a static route.
    Default: disable

ip6-forward {enable | disable}
    Enable to forward non-HTTP/HTTPS traffic if its IPv6 destination address matches a static route.
    Default: disable

Example

This example enables forwarding of non-HTTP/HTTPS traffic, based upon whether the IP address matches a route for
the web servers’ subnet, and regardless of HTTP proxy pickup.
config router setting
set ip-forward enable
end

Related topics

l router static on page 98


l router policy on page 95
l router all on page 1

router static

Use this command to configure static routes, including the default gateway.
Static routes direct traffic exiting the FortiWeb appliance—you can specify through which network interface a packet will
leave, and the IP address of a next-hop router that is reachable from that network interface. The router is aware of which
IP addresses are reachable through various network pathways, and can forward those packets along pathways capable
of reaching the packets’ ultimate destinations.
A default route is a special type of static route. A default route matches all packets, and defines a gateway router that can
receive and route packets if no more specific static route is defined for the packet’s destination IP address.


During installation and setup, you should have configured at least one static route, a default route, that points to your
gateway. You may configure additional static routes if you have multiple gateway routers, each of which should receive
packets destined for a different subset of IP addresses.
For example, if a web server is directly attached to one of the network interfaces, but all other destinations, such as
connecting clients, are located on distant networks such as the Internet, you might need to add only one route: a default
route for the gateway router through which the FortiWeb appliance connects to the Internet.
The FortiWeb appliance examines the packet’s destination IP address and compares it to those of the static routes. If
more than one route matches the packet, the FortiWeb appliance applies the route with the smallest index number. For
this reason, you should give more specific routes a smaller index number than the default route.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
netgrp area. For details, see Permissions on page 46.

Syntax
config router static
edit <route_index>
set device "<interface_name>"
set dst "<destination_ip>"
set gateway "<router_ip>"
next
end

<route_index>
    Enter the index number of the static route. If multiple routes match a packet, the one with the smallest index number is applied.
    The valid range is 0–65,535.
    Default: No default.

device "<interface_name>"
    Enter the name of the network interface device, such as port1, through which traffic subject to this route is sent out. The maximum length is 63 characters.
    Default: No default.

dst "<destination_ip>"
    Enter the destination IP address and netmask of traffic that is subject to this route, separated with a space.
    To match all traffic regardless of IP address and netmask (that is, to configure a route to the default gateway), enter 0.0.0.0 0.0.0.0 for IPv4 or ::/0 for IPv6.
    Default: 0.0.0.0 0.0.0.0

gateway "<router_ip>"
    Enter the IP address of a next-hop router.
    Caution: The gateway IP address must be in the same subnet as the interface's IP address. If you change the interface's IP address later, the new IP address must also be in the same subnet as the interface's default gateway address. Otherwise, all static routes and the default gateway will be lost.
    Default: 0.0.0.0


Example

This example configures a default route that forwards all packets to the gateway router 192.0.2.1, through the network
interface named port1. Because FortiWeb applies the matching route with the smallest index number, a default route at index 0 takes precedence over every other route; if you also need more specific static routes, give the default route a higher index number than the specific routes.
config router static
edit 0
set dst "0.0.0.0 0.0.0.0"
set gateway "192.0.2.1"
set device port1
next
end
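The lookup order described under router policy and router static (policy routes first, lowest priority value wins; stop-policy-routing hands the packet back to the static table; among matching static routes the smallest index number wins) can be modelled to check a route table before applying it. The following Python script is an added example, not FortiWeb code; it assumes that a policy-route fwmark of 0 means the mark is not checked, as the page states, and the routes and packets it uses are constructed. It shows the pitfall described above: with the default route at index 0, a more specific static route at a higher index is never used.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class StaticRoute:
    index: int
    dst: str        # "address netmask", as written in the CLI
    gateway: str
    device: str


@dataclass
class PolicyRoute:
    index: int
    iif: str
    oif: str
    gateway: str = "0.0.0.0"
    src: str = "0.0.0.0 0.0.0.0"
    dst: str = "0.0.0.0 0.0.0.0"
    fwmark: int = 0               # 0: do not match on the firewall mark (per the page)
    action: str = "forward-traffic"
    priority: int = 200


@dataclass
class Packet:
    iif: str
    src: str
    dst: str
    fwmark: int = 0


def cli_network(spec: str) -> ipaddress.IPv4Network:
    """Turn the CLI's 'address netmask' pair into a network object."""
    address, netmask = spec.split()
    return ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)


def match_static(routes: List[StaticRoute], packet: Packet) -> Optional[StaticRoute]:
    """Among static routes whose destination covers the packet, the smallest index wins."""
    dst = ipaddress.IPv4Address(packet.dst)
    matches = [r for r in routes if dst in cli_network(r.dst)]
    return min(matches, key=lambda r: r.index) if matches else None


def match_policy(policies: List[PolicyRoute], packet: Packet) -> Optional[PolicyRoute]:
    """Among policy routes matching iif, src, dst and fwmark, the lowest priority value wins."""
    src, dst = ipaddress.IPv4Address(packet.src), ipaddress.IPv4Address(packet.dst)
    matches = [
        p for p in policies
        if p.iif == packet.iif
        and src in cli_network(p.src)
        and dst in cli_network(p.dst)
        and (p.fwmark == 0 or p.fwmark == packet.fwmark)
    ]
    return min(matches, key=lambda p: p.priority) if matches else None


def route(packet: Packet, policies: List[PolicyRoute],
          statics: List[StaticRoute]) -> Optional[Tuple[str, str, str]]:
    """Return (outgoing interface, gateway, table that decided), or None if unroutable."""
    policy = match_policy(policies, packet)
    if policy is not None and policy.action == "forward-traffic":
        return policy.oif, policy.gateway, "policy"
    static = match_static(statics, packet)
    return None if static is None else (static.device, static.gateway, "static")


# Constructed tables for the illustration (assumed interfaces, addresses and indexes).
POLICIES = [
    # One customer's subnet arriving on port3 leaves via port4 to that customer's router.
    PolicyRoute(index=1, iif="port3", oif="port4", gateway="203.0.113.1",
                src="198.51.100.0 255.255.255.0", priority=10),
    # The upper half of that subnet is excluded and handed back to the static table.
    PolicyRoute(index=2, iif="port3", oif="port4",
                src="198.51.100.128 255.255.255.128",
                action="stop-policy-routing", priority=5),
]
# Default route at index 0: it matches everything and always has the smallest index.
STATICS_DEFAULT_FIRST = [
    StaticRoute(index=0, dst="0.0.0.0 0.0.0.0", gateway="192.0.2.1", device="port1"),
    StaticRoute(index=1, dst="10.0.0.0 255.255.255.0", gateway="10.0.0.254", device="port2"),
]
# The same routes with the default route placed behind the specific one.
STATICS_SPECIFIC_FIRST = [
    StaticRoute(index=1, dst="10.0.0.0 255.255.255.0", gateway="10.0.0.254", device="port2"),
    StaticRoute(index=10, dst="0.0.0.0 0.0.0.0", gateway="192.0.2.1", device="port1"),
]

PACKET_A = Packet(iif="port3", src="198.51.100.10", dst="10.0.0.5")
PACKET_B = Packet(iif="port3", src="198.51.100.200", dst="10.0.0.5")

if __name__ == "__main__":
    print(route(PACKET_A, POLICIES, STATICS_DEFAULT_FIRST))   # policy route 1, port4
    print(route(PACKET_B, POLICIES, STATICS_DEFAULT_FIRST))   # default route, not port2
    print(route(PACKET_B, POLICIES, STATICS_SPECIFIC_FIRST))  # port2 via 10.0.0.254
```

PACKET_B matches both policy routes; the lower priority value (5) wins and its stop-policy-routing action sends the packet to the static table, where the index-0 default route shadows the 10.0.0.0/24 route until the default route is given a higher index.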

Related topics

l router setting on page 97


l router policy on page 95
l system interface on page 312
l log syslog-policy on page 90
l server-policy policy on page 140
l system admin on page 207
l system dns on page 256
l system snmp community on page 339
l wad website on page 379
l traceroute on page 785
l network arp on page 716
l network ip on page 717
l network route on page 718
l router all on page 1

server-policy acceleration

Acceleration provides a technology solution to speed up web application response and optimize web pages and
resources in real time.
An Acceleration policy specifies the option(s) for optimizing the delivery of web applications. To take full advantage of the
benefits that Acceleration offers, you must first create your own Acceleration policy, and then select the policy in Policy
> Server Policy.
You can also specify certain URLs to be skipped for web application delivery optimization, and add the exception items
to the acceleration policy.
FortiWeb offers options for optimizing the delivery of the following web content:
l HTML
l JavaScript
l CSS


If Acceleration is not enabled, go to system feature-visibility to enable it first.

Syntax
config server-policy acceleration exception
edit "<exception_name>"
config list
edit "<exception-item_id>"
set host-status {enable | disable}
set host <host_int>
set url-type {plain | regular}
set url-pattern <url-pattern_str>
next
end
next
end

config server-policy acceleration policy


edit "<policy_name>"
set exception <exception_str>
set html-minify {enable | disable}
set html-combine-heads {enable | disable}
set html-css2head {enable | disable}
set js-minify {enable | disable}
set css-minify {enable | disable}
next
end

Variable Description Default

"<exception_name>" Enter a name for the exception rule. No default.

"<exception-item_id>" Enter an ID for the acceleration exception item. No default

host-status {enable | Enable to require that the Host: field of the HTTP disable
disable} request match a protected host names entry in order
to match the Acceleration exceptions rule. Also
configure host <host_int>.

host <host_int> Select which protected host names entry (either a No default.
web host name or IP address) that the Host: field of
the HTTP request must be in to match the
Acceleration exceptions rule.

url-type {plain | regular} Select whether url-pattern <url-pattern_str> will plain


contain a literal URL (plain), or a regular expression
designed to match multiple URLs (regular).

url-pattern <url-pattern_str>
    Depending on your selection in url-type {plain | regular}, enter either:
    - The literal URL, such as /index.php, that the HTTP request must contain in order to match the acceleration rule. The URL must begin with a slash ( / ).
    - A regular expression, such as ^/*.php, matching all and only the URLs to which the acceleration rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.
    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide: https://docs.fortinet.com/fortiweb/admin-guides
    No default.

"<policy_name>"
    Enter a name for the acceleration policy.
    No default.

exception <exception_str>
    Select the acceleration exception rule that you created.
    No default.

html-minify {enable | disable}
    Enable to minify the HTML and delete the extra white space and comments to reduce bandwidth utilization.
    Default: disable

html-combine-heads {enable | disable}
    Enable to combine multiple heads in an HTML page into one.
    Default: disable

html-css2head {enable | disable}
    Enable to move CSS elements above script tags.
    Note: This ensures that the CSS styles are parsed in the head of the HTML page before any body elements are introduced. In so doing, it can effectively reduce the number of times web browsers have to re-flow HTML documents.
    Default: disable

js-minify {enable | disable}
    Enable to minify JavaScript in the script and delete the extra white space and comments to reduce bandwidth utilization.
    Default: disable

css-minify {enable | disable}
    Enable to minify the CSS and delete the extra white space and comments to reduce bandwidth utilization.
    Default: disable

Related topics

- server-policy policy on page 140


server-policy allow-hosts

Use this command to configure protected host groups.


A protected host group contains one or more IP addresses and/or fully qualified domain names (FQDNs). Each entry in
the protected host group defines a virtual or real web host, according to the Host: field in the HTTP header of requests
from clients, that you want the FortiWeb appliance to protect.
For example, if your web servers receive requests with HTTP headers such as:
GET /index.php HTTP/1.1
Host: www.example.com

you might define a protected host group with an entry of www.example.com and select it in the policy. This would reject
requests that are not for that host.

A protected hosts group is usually not the same as a physical server.

Unlike a physical server, which is a single IP at the network layer, a protected host group should contain all network IPs,
virtual IPs, and domain names that clients use to access the web server at the application (HTTP) layer.
For example, clients often access a web server via a public network such as the Internet. Therefore the protected host
group contains domain names, public IP addresses, and public virtual IPs on a network edge router or firewall that are
routable from that public network. But the physical server is only the IP address that the FortiWeb appliance uses to
forward traffic to the server and, therefore, is often a private network address (unless the FortiWeb appliance operates
in Offline Protection or either of the transparent modes).
Protected host groups can be used by:
- Policies
- Input rules
- Server protection exceptions
- URL access rules
- Allowed method exceptions
- HTTP authentication rules
- Hidden fields rules
- Many others
Rules can use protected host definitions to apply rules only to requests for a protected host. If you do not specify a
protected host group in the rule, the rule will be applied based upon other criteria such as the URL, but regardless of the
Host: field.
Policies can use protected host definitions to block connections that are not destined for a protected host. If you do not
select a protected host group in a policy, connections will be accepted or blocked regardless of the Host: field.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
traroutegrp area. For details, see Permissions on page 46.


Syntax
config server-policy allow-hosts
edit "<protected-hosts_name>"
set default-action {allow | deny | deny_no_log}
config host-list
edit <protected-host_index>
set action {allow | deny | deny_no_log}
set host {"<host_ipv4>" | "<host_fqdn>" | "<host_ipv6>"}
set ignore-port {enable|disable}
set include-subdomains {enable|disable}
next
end
next
end

"<protected-hosts_name>"
    Enter the name of a new or existing group of protected hosts. The maximum length is 63 characters.
    To display the list of existing groups, enter:
    edit ?
    No default.

default-action {allow | deny | deny_no_log}
    Select whether to accept or deny HTTP requests whose Host: field does not match any of the host definitions that you will add to this protected hosts group.
    Default: allow

<protected-host_index>
    Enter the index number of a protected host within its group. Each host-list can contain up to 64 IP addresses and/or fully qualified domain names (FQDNs).
    The valid range is 1–9,223,372,036,854,775,807.
    No default.

action {allow | deny | deny_no_log}
    Select whether to accept or deny HTTP requests whose Host: field matches the host definition in host {"<host_ipv4>" | "<host_fqdn>" | "<host_ipv6>"} on page 104.
    Default: allow

host {"<host_ipv4>" | "<host_fqdn>" | "<host_ipv6>"}
    Enter the IP address or FQDN of a virtual or real web host, as it appears in the Host: field of HTTP headers, such as www.example.com. The maximum length is 256 characters.
    If clients connect to your web servers through the IP address of a virtual server on the FortiWeb appliance, this should be the IP address of that virtual server or any domain name to which it resolves, not the actual IP address of the web server.
    For example, if a virtual server 192.0.2.1/24 forwards traffic to the physical server 192.0.2.155, for protected hosts, you would enter:
    - 192.0.2.1, the address of the virtual server
    - www.example.com, the domain name that resolves to the virtual server
    No default.

ignore-port {enable|disable}
    Enable ignore-port so that host names with a port number (for example myhost.com:443) will be protected.
    No default.

include-subdomains {enable|disable}
    Enable include-subdomains so that the subdomains of the host (for example abc.myhost.com) will be protected.
    No default.

Example

This example configures a protected hosts group named example_com_hosts that contains a website’s domain
names and its IP address in order to match HTTP requests regardless of which form they use to identify the host.
config server-policy allow-hosts
edit "example_com_hosts"
set default-action deny
config host-list
edit 1
set host "example.com"
next
edit 2
set host "www.example.com"
next
edit 3
set host "10.0.0.1"
next
end
next
end
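
The matching rules described above (default-action, the per-entry action, ignore-port, and include-subdomains) can be modelled in a few lines. The following Python is an added illustration, not FortiWeb code. It assumes that entries are checked in order with the first match deciding, and that an IP literal in the Host: field is compared after normalization. The sample group mirrors the example_com_hosts example and adds constructed entries that exercise the port and subdomain options.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example: a model of protected-host matching, not FortiWeb's own code.
# Assumption: entries are evaluated in order and the first matching entry decides.


@dataclass
class HostEntry:
    host: str                         # IP or FQDN as it appears in the Host: header
    action: str = "allow"             # allow | deny | deny_no_log
    ignore_port: bool = False         # ignore-port
    include_subdomains: bool = False  # include-subdomains


@dataclass
class ProtectedHostGroup:
    default_action: str = "allow"     # default-action for Host: values that match no entry
    host_list: List[HostEntry] = field(default_factory=list)


def split_host_port(host_header: str) -> Tuple[str, Optional[str]]:
    """Split a Host: header value into (host, port); port is None when absent."""
    if host_header.startswith("["):                    # bracketed IPv6 literal
        end = host_header.find("]")
        rest = host_header[end + 1:]
        return host_header[1:end], (rest[1:] if rest.startswith(":") else None)
    if host_header.count(":") == 1:                    # name:port or IPv4:port
        host, port = host_header.split(":")
        return host, port
    return host_header, None                           # bare name, IPv4, or unbracketed IPv6


def canonical(host: str) -> str:
    """Normalize an IP literal (2001:DB8::1 -> 2001:db8::1) or lower-case a name."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host.lower().rstrip(".")


def entry_matches(entry: HostEntry, host_header: str) -> bool:
    host, port = split_host_port(host_header)
    if port is not None and not entry.ignore_port:
        return False        # myhost.com:443 only matches myhost.com when ignore-port is enabled
    subject, target = canonical(host), canonical(entry.host)
    if subject == target:
        return True
    return entry.include_subdomains and subject.endswith("." + target)


def decide(group: ProtectedHostGroup, host_header: str) -> str:
    """Return the action the model takes for this Host: value."""
    for entry in group.host_list:
        if entry_matches(entry, host_header):
            return entry.action
    return group.default_action


# Constructed sample group: the page's example_com_hosts group plus three extra entries.
EXAMPLE_COM_HOSTS = ProtectedHostGroup(
    default_action="deny",
    host_list=[
        HostEntry("example.com"),
        HostEntry("www.example.com"),
        HostEntry("10.0.0.1"),
        HostEntry("api.example.com", ignore_port=True),          # api.example.com:443 accepted
        HostEntry("corp.example.net", include_subdomains=True),  # dev.corp.example.net accepted
        HostEntry("old.example.com", action="deny_no_log"),      # explicit deny without a log entry
    ],
)


if __name__ == "__main__":
    for value in ["www.example.com", "www.example.com:8080", "api.example.com:443",
                  "dev.corp.example.net", "old.example.com", "unlisted.example.org"]:
        print(f"Host: {value:<24} -> {decide(EXAMPLE_COM_HOSTS, value)}")
```

Note that www.example.com:8080 is denied even though www.example.com is listed, because that entry does not have ignore-port enabled; the api.example.com entry does, so api.example.com:443 is accepted.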

Related topics

- server-policy policy on page 140
- waf allow-method-exceptions on page 384
- server-policy custom-application application-policy on page 1
- waf input-rule on page 496
- waf signature on page 555
- waf hidden-fields-rule on page 469

server-policy health

Use this command to configure server health checks.


Tests for server responsiveness (called “server health checks” in the web UI) poll web servers that are members of a
server pool to determine their availability before forwarding traffic. Server health checks can use TCP, HTTP/HTTPS,
ICMP ECHO_REQUEST (ping), TCP SSL, or TCP half-open.
The FortiWeb appliance polls the server at the frequency set in the interval <seconds_int> on page 108 option. If the
appliance does not receive a reply within the timeout period, and you have configured the health check to retry, it
attempts a health check again; otherwise, the server is deemed unresponsive. The FortiWeb appliance reacts to
unresponsive servers by disabling traffic to that server until it becomes responsive.

If a back-end server will be unavailable for a long period, such as when a server is
undergoing hardware repair, it is experiencing extended downtime, or when you
have removed a server from the server pool, you can improve the performance of
your FortiWeb appliance by disabling the back-end server, rather than allowing the
server health check to continue to check for responsiveness. For details, see server-
policy server-pool on page 168.

To apply server health checks, select them in a server pool configuration. For details, see server-policy server-pool on
page 168.
To use this command, your administrator account’s access control profile requires either w or rw permission to the
traroutegrp area. For details, see Permissions on page 46.

Syntax
config server-policy health
edit "<health-check_name>"
set trigger-policy "<trigger-policy_name>"
set relationship {and | or}
set group-id <int>
set role {master | slave | standalone}
config health-list
edit <entry_index>
set type {icmp | tcp | http | tcp-ssl | tcp-half-open}
set timeout <seconds_int>
set retry-times <retries_int>
set interval <seconds_int>
set url-path "<request_str>"
set method {get | head | post}
set host "<host_str>"
set match-type {response-code | match-content | all}
set response-code <response-code_int>
set match-content "<match-content_str>"
next
end
next
end

"<health-check_name>"
    Enter the name of the server health check. The maximum length is 63 characters.
    To display the list of existing server health checks, enter:
    edit ?
    No default.

trigger-policy "<trigger-policy_name>"
    Enter the name of the trigger to apply when the health check detects a failed server (see log trigger-policy on page 93). The maximum length is 63 characters.
    To display the list of existing trigger policies, enter:
    set trigger-policy ?
    No default.

relationship {and | or}
    - and—FortiWeb considers the server to be responsive when it passes all the tests in the list.
    - or—FortiWeb considers the server to be responsive when it passes at least one of the tests in the list.
    Default: and

group-id <int>
    group-id is used together with role {master | slave}.
    FortiWeb performs the health check on the server pool that references a "master" health check, then synchronizes the result to all the server pools that reference a "slave" health check with the same group-id.
    This can avoid unnecessary health checks in certain cases, such as when different server pools share the same IP address.
    This option is not available if the role is standalone.
    No default.

role {master | slave | standalone}
    If you want the health check result to be shared across multiple server pools, specify whether this health check is a master or a slave. This is used together with the group-id <int> option above.
    If the health check result is not to be shared, choose standalone.
    Default: standalone

<entry_index>
    Enter the index number of the individual rule in the table. The valid range is 1–16.
    No default.

type {icmp | tcp | http | tcp-ssl | tcp-half-open}
    Select either:
    - icmp—Send ICMP type 8 (ECHO_REQUEST) and listen for either ICMP type 0 (ECHO_RESPONSE) indicating responsiveness, or timeout indicating that the host is not responsive.
    - tcp—Send TCP SYN and listen for either TCP SYN ACK indicating responsiveness, or timeout indicating that the host is not responsive.
    - http—Send an HTTP request and listen for the code specified by response-code, the page content specified by match-content, or both the code and the content, or timeout indicating that the host is not responsive.
      Applies to server pool members only if the SSL setting for the member is disabled.
    - tcp-ssl—Send a TCP SSL request. FortiWeb considers the host to be responsive if the SSL handshake is successful, and closes the connection once the handshake is complete. This type of health check requires fewer resources than HTTP or HTTPS.
      Applies to server pool members only if the SSL setting for the member is enabled.
    - tcp-half-open—Send TCP SYN and listen for either TCP SYN ACK indicating responsiveness, or timeout indicating that the host is not responsive. If the response is SYN ACK, send TCP RST to terminate the connection. This type of health check requires fewer resources from the pool member than tcp.
    Default: ping

timeout <seconds_int>
    Enter the number of seconds which must pass after the server health check to indicate a failed health check. The valid range is 1–10.
    Default: 3

retry-times <retries_int>
    Enter the number of times, if any, a failed health check will be retried before the server is determined to be unresponsive. The valid range is 1–10.
    Default: 3

interval <seconds_int>
    Enter the number of seconds between each server health check. The valid range is 1–10.
    Default: 10

url-path "<request_str>"
    Enter the URL, such as /index.html, that FortiWeb uses in the HTTP/HTTPS request to verify the responsiveness of the server.
    If the web server successfully returns this URL, and its content matches the expression specified by match-content, FortiWeb considers it to be responsive.
    Available when type {icmp | tcp | http | tcp-ssl | tcp-half-open} on page 107 is http (HTTP or HTTPS).
    No default.

method {get | head | post}
    Specify whether the health check uses the HEAD, GET, or POST method.
    Available when type {icmp | tcp | http | tcp-ssl | tcp-half-open} on page 107 is http (HTTP or HTTPS).
    Default: get

host "<host_str>"
    Optionally, enter the HTTP host header name of a specific host.
    This is useful if the pool member hosts multiple websites (virtual hosting environment).
    Available when type {icmp | tcp | http | tcp-ssl | tcp-half-open} on page 107 is http (HTTP or HTTPS).
    No default.

match-type {response-code | match-content | all}
    - response-code—If the web server successfully returns the URL specified by url-path and the code specified by response-code, FortiWeb considers the server to be responsive.
    - match-content—If the web server successfully returns the URL specified by url-path and its content matches the match-content value, FortiWeb considers the server to be responsive.
    - all—If the web server successfully returns the URL specified by url-path, its content matches the match-content value, and the code matches the one specified by response-code, FortiWeb considers the server to be responsive.
    Available when type {icmp | tcp | http | tcp-ssl | tcp-half-open} on page 107 is http (HTTP or HTTPS).
    Default: match-content

response-code <response-code_int>
    Enter the response code that you require the server to return to confirm that it is available, if match-type is response-code or all.
    Available when type {icmp | tcp | http | tcp-ssl | tcp-half-open} on page 107 is http (HTTP or HTTPS).
    Default: 200

match-content "<match-content_str>"
    Enter a regular expression that matches the content that must be present in the HTTP reply to indicate proper server connectivity, if match-type is match-content or all.
    Available when type {icmp | tcp | http | tcp-ssl | tcp-half-open} on page 107 is http (HTTP or HTTPS).
    No default.

Example

This example configures a server health check that periodically requests the main page of the website, /index. If a
physical server does not successfully return that page (which contains the word “About”) every 10 seconds (the default),
and fails the check at least three times in a row, FortiWeb considers it unresponsive and forwards subsequent HTTP
requests to other physical servers in the server farm.
config server-policy health
edit "status_check1"
set trigger-policy "notification-servers1"
config health-list
edit 1
set type http
set retry-times 3
set url-path "/index"
set method get
set match-type match-content
set match-content "About"
next
end
next
end


Related topics

- server-policy server-pool on page 168
- server-policy policy on page 140
- log trigger-policy on page 93

server-policy http-content-routing-policy

Use this command to configure HTTP header-based routing.


Instead of dynamically routing requests to a server pool simply based upon load or connection distribution at the TCP/IP
layers, as basic load balancing does, you can forward them based on headers in the HTTP layer.
HTTP header-based routes define how FortiWeb routes requests to server pools. They are based on one or more of the
following HTTP header elements:
- Host
- URL
- Parameter
- Referer
- Cookie
- Header
- Source IP
- X.509 certificate
- Geo IP
This type of routing can be useful if, for example, a specific web server or group of servers on the back end support
specific web applications, functions, or host names. That is, your web servers or server pools are not identical, but
specialized. For example:
- 192.0.2.1—Hosts the website and blog
- 192.0.2.2 and 192.0.2.3—Host movie clips and multimedia
- 192.0.2.4 and 192.0.2.5—Host the shopping cart
If you have configured request rewriting, configure HTTP content-based routing using the original request URL and/or
Host: name, as it appears before FortiWeb has rewritten it. For details about rewriting, see waf url-rewrite url-rewrite-policy on page 616.
To apply your HTTP-based routes, select them when you configure the server policy. For details, see server-policy
policy on page 140.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
traroutegrp area. For details, see Permissions on page 46.

Syntax
config server-policy http-content-routing-policy
edit "<routing-policy_name>"
set server-pool "<server-pool_name>"
set http-content-routing-id <http-content-routing-id_str>
config content-routing-match-list
edit <entry_index>
set match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip | ztna-ems-tags}
set match-condition {match-begin | match-end | match-sub | match-domain | match-dir | match-reg | ip-range | ip-range6 | equal | ip-list}
set x509-subject-name {E | CN | OU | O | L | ST | C}
set match-expression "<match-expression_str>"
set name "<name_str>"
set name-match-condition {match-begin | match-end | match-sub | match-reg | equal}
set value "<value_str>"
set value-match-condition {match-begin | match-end | match-sub | match-reg | equal}
set start-ip "<start_ip>"
set end-ip "<end_ip>"
set reverse {enable | disable}
set concatenate {and | or}
set country-list <country-list_str>
set ip-list <ip-list_str>
set ztna-ems-tag <tag_name>
set ztna-ems-tag-combine {and | or}
next
end
next
end

"<routing-policy_name>"
    Enter the name of the HTTP content routing policy. The maximum length is 63 characters.
    To display the list of existing policies, enter:
    edit ?
    No default.

server-pool "<server-pool_name>"
    Enter the name of the server pool to which FortiWeb forwards traffic when the traffic matches rules in this policy. For details, see server-policy server-pool on page 168.
    No default.

<entry_index>
    Enter the index number of the individual rule in the table. The valid range is 1–9,999,999,999,999,999,999.
    No default.

http-content-routing-id <http-content-routing-id_str>
    Enter an HTTP content routing policy sequence number.
    No default.

match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip | ztna-ems-tags}
    Enter the type of object that FortiWeb examines for matching values:
    - http-host—Host: field
    - http-request—A URL
    - url-parameter—A URL parameter and value
    - http-referer—Referer: field
    - http-cookie—A cookie name and value
    - http-header—A header name and value
    - source-ip—An IPv4 address or address range, or an IPv6 address or address range
    - x509-certificate-Subject—A specified Relative Distinguished Name (RDN) in the X509 certificate Subject field. Also specify x509-subject-name.
    - x509-certificate-Extension—Additional fields that the extensions field adds to the X509 certificate
    - https-sni—Select this option so that FortiWeb forwards requests based on the SNI in the SSL handshake.
    - geo-ip—Select this option so that FortiWeb matches against the IP addresses from specified countries.
    - ztna-ems-tags—Select this option so that FortiWeb matches against the ZTNA tags.
    No default.

match-condition {match-begin | match-end | match-sub | match-domain | match-dir | match-reg | ip-range | ip-range6 | equal | ip-list}
    Enter the type of value to match. Values can be a literal value that appears in the object or a regular expression. The value of match-object (on page 111) determines which content types you can specify.
    If match-object is http-host, http-request, http-referer, or x509-certificate-Extension:
    - match-begin—The object to match begins with the specified string.
    - match-end—The object to match ends with the specified string.
    - match-sub—The object to match contains the specified string.
    - match-domain—The host to match contains the specified string between the periods in a domain name.
    - ip-list—The IPs to match.
    If match-object is http-host only:
    - match-domain—The object to match contains the specified string between the periods in a domain name.
      For example, if match-expression is abc, the condition matches the following hostnames:
      dname1.abc.com
      dname1.dname2.abc.com
      However, the same match-expression value does not match the following hostnames:
      abc.com
      dname.abc
    If match-object is http-request:
    - match-dir—The object to match contains the specified string between delimiting characters (slashes) in a URL.
      For example, if match-expression is abc, the condition matches the following URLs:
      test.com/abc/
      test.com/dir1/abc/
      However, the same match-expression value does not match the following URLs:
      test.com/abc
      test.abc.com
    If match-object is source-ip:
    - ip-range—The source IP to match is an IPv4 address or within a range of IPv4 addresses.
    - ip-range6—The source IP to match is an IPv6 address or within a range of IPv6 addresses.
    If match-object is http-host, http-request, http-referer, source-ip, or x509-certificate-Extension:
    - match-reg—The object to match has a value that matches the specified regular expression.
    No default.

ztna-ems-tag <tag_name>
    If match-object is ztna-ems-tags, enter the tag names.
    No default.

ztna-ems-tag-combine {and | or}
    Available only if match-object is ztna-ems-tags.
    and means the request only matches if it has all the tags specified; or means the request matches if it has any of the tags specified.
    Note: For ZTNA tags, when reverse is enabled, all requests are matched except the ones that meet the or or and condition.
    For example, if Tag_A and Tag_B are specified and reverse is enabled, the matching logic is:
    - When ztna-ems-tag-combine is or, all requests are matched except the ones having any of the Tag_A and Tag_B tags.
    - When ztna-ems-tag-combine is and, all requests are matched except the ones having both the Tag_A and Tag_B tags.
    Default: and

x509-subject-name {E | CN | OU | O | L | ST | C}
    Enter the attribute type to match.
    Available when match-object (on page 111) is x509-certificate-Subject.
    No default.

match-expression "<match-expression_str>"
    Enter a value to match in the object element specified by match-object (on page 111) and match-condition.
    Examples:
    - A literal URL, such as /index.php, that a matching HTTP request contains.
    - An expression, such as ^/*.php, that matches a URL.
    Tip: When you enter a regular expression using the web UI, you can validate its syntax.
    No default.

value-match-condition {match-begin | match-end | match-sub | match-reg | equal}
    Enter the type of value to match. The value refers to the x509-subject-name and can be a literal value that appears in the object or a regular expression.
    - match-begin—The name to match begins with the specified string.
    - match-end—The name to match ends with the specified string.
    - match-sub—The name to match contains the specified string.
    - equal—The name to match is the specified string.
    - match-reg—The name to match matches the specified regular expression.
    No default.

name "<name_str>"
    Enter the name of the object to match. The value can be a literal value or a regular expression.
    For example, the name of a cookie embedded by traffic controller software on one of the servers.
    Available only if match-object (on page 111) is url-parameter, http-cookie, or http-header.
    No default.

name-match-condition {match-begin | match-end | match-sub | match-reg | equal}
    Enter the type of value to match. The value is specified by name and can be a literal value that appears in the object or a regular expression.
    - match-begin—The name to match begins with the specified string.
    - match-end—The name to match ends with the specified string.
    - match-sub—The name to match contains the specified string.
    - equal—The name to match is the specified string.
    - match-reg—The name to match matches the specified regular expression.
    No default.

value "<value_str>"
    Enter the object value to match. The value can be a literal value or a regular expression.
    Available if match-object (on page 111) is url-parameter, http-cookie, or http-header.
    No default.

value-match-condition {match-begin | match-end | match-sub | match-reg | equal}
    Enter the type of value to match. The value is specified by value and can be a literal value or a regular expression.
    - match-begin—The value to match begins with the specified string.
    - match-end—The value to match ends with the specified string.
    - match-sub—The value to match contains the specified string.
    - equal—The value to match is the specified string.
    - match-reg—The value to match matches the specified regular expression.
    No default.

start-ip "<start_ip>"
    Enter the first IP address in a range of IP addresses.
    Available if match-condition (on page 112) is ip-range or ip-range6.
    No default.

end-ip "<end_ip>"
    Enter the last IP address in a range of IP addresses.
    Available if match-object (on page 111) is source-ip.
    No default.

reverse {enable | disable}
    When enabled, FortiWeb routes to the server pool the requests that do not match the specified values for the match object.
    Default: disable

country-list <country-list_str>
    Select the countries where the IP addresses originate.
    No default.

concatenate {and | or}
    Select either:
    - and—A matching request matches this entry in addition to other entries in the HTTP content routing list.
    - or—A matching request matches this entry or other entries in the list.
    Default: and

ip-list <ip-list_str>
    Enter multiple IPs or IP ranges.
    No default.

Example

This HTTP content routing policy routes requests for www.example.com/school to the server pool school-site.
The content routing has three rules: one matches the host (www.example.com), a second matches the sessid cookie,
and a third matches the /school URL. In combination, the first and third rules match the request for
www.example.com/school.
config server-policy http-content-routing-policy
edit "content_routing_policy1"
set server-pool school-site
config content-routing-match-list
edit 1
set match-object http-host
set match-condition match-reg
set match-expression "www.example.com"
next
edit 2
set match-object http-cookie
set name sessid
set value "hash[a-fA-F0-7]*"
set name-match-condition match-reg
set value-match-condition match-reg
next
edit 3
set match-object http-request
set match-condition match-begin
set match-expression "/school"
next
end
next
end
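
The match conditions in the table above, including the match-domain and match-dir hostname and URL examples, and the reverse and concatenate options, are modelled in the following added Python. It is an illustration, not FortiWeb code, and it goes slightly beyond the example just shown by covering http-host, http-request, http-cookie and source-ip objects in one evaluator. It assumes that entries are combined left to right using each entry's own concatenate setting, that the first policy whose match list matches selects the pool, and that a request matching no policy goes to a caller-supplied default pool. Requests are plain dictionaries constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Added example: a model of HTTP content routing matching, not FortiWeb's own code.


@dataclass
class MatchRule:
    match_object: str                      # http-host | http-request | http-cookie | source-ip
    match_condition: str = "match-sub"     # used for http-host / http-request
    match_expression: str = ""
    name: str = ""                         # cookie name (http-cookie)
    name_match_condition: str = "equal"
    value: str = ""                        # cookie value (http-cookie)
    value_match_condition: str = "equal"
    start_ip: str = ""                     # source-ip range (ip-range / ip-range6)
    end_ip: str = ""
    reverse: bool = False                  # match requests that do NOT match this entry
    concatenate: str = "and"               # how this entry combines with the previous ones


@dataclass
class RoutingPolicy:
    name: str
    server_pool: str
    rules: List[MatchRule] = field(default_factory=list)


def string_matches(condition: str, expression: str, subject: str) -> bool:
    """The string conditions from the table. match-domain and match-dir require the
    expression to sit between two periods / two slashes, as in the page's examples."""
    if condition == "match-begin":
        return subject.startswith(expression)
    if condition == "match-end":
        return subject.endswith(expression)
    if condition == "match-sub":
        return expression in subject
    if condition == "equal":
        return subject == expression
    if condition == "match-reg":
        return re.search(expression, subject) is not None
    if condition == "match-domain":
        return f".{expression}." in subject
    if condition == "match-dir":
        return f"/{expression}/" in subject
    raise ValueError(f"unsupported match-condition {condition!r}")


def ip_in_range(start: str, end: str, addr: str) -> bool:
    a, s, e = (ipaddress.ip_address(x) for x in (addr, start, end))
    return a.version == s.version == e.version and s <= a <= e


def rule_matches(rule: MatchRule, request: Dict) -> bool:
    if rule.match_object == "http-host":
        hit = string_matches(rule.match_condition, rule.match_expression, request["host"])
    elif rule.match_object == "http-request":
        hit = string_matches(rule.match_condition, rule.match_expression, request["path"])
    elif rule.match_object == "http-cookie":
        hit = any(string_matches(rule.name_match_condition, rule.name, n)
                  and string_matches(rule.value_match_condition, rule.value, v)
                  for n, v in request.get("cookies", {}).items())
    elif rule.match_object == "source-ip":
        hit = ip_in_range(rule.start_ip, rule.end_ip, request["source_ip"])
    else:
        raise ValueError(f"unsupported match-object {rule.match_object!r}")
    return (not hit) if rule.reverse else hit


def match_list_matches(rules: List[MatchRule], request: Dict) -> bool:
    """Assumption: entries combine left to right with each entry's own concatenate."""
    result = None
    for rule in rules:
        hit = rule_matches(rule, request)
        if result is None:
            result = hit
        elif rule.concatenate == "and":
            result = result and hit
        else:
            result = result or hit
    return bool(result)


def select_pool(policies: List[RoutingPolicy], request: Dict, default_pool: str) -> str:
    for policy in policies:                 # first matching policy wins (assumption)
        if match_list_matches(policy.rules, request):
            return policy.server_pool
    return default_pool


# Constructed policies in the spirit of the page's specialized-server example.
POLICIES = [
    RoutingPolicy("school", "school-site", [
        MatchRule("http-host", "match-reg", r"^www\.example\.com$"),
        MatchRule("http-request", "match-begin", "/school"),
        MatchRule("http-request", "match-dir", "admin", reverse=True),  # keep /admin/ paths out
    ]),
    RoutingPolicy("media", "media-pool", [MatchRule("http-request", "match-end", ".mp4")]),
    RoutingPolicy("staff", "staging-pool", [
        MatchRule("source-ip", start_ip="10.0.0.0", end_ip="10.0.0.255"),
    ]),
]

if __name__ == "__main__":
    req = {"host": "www.example.com", "path": "/school/index.php", "source_ip": "198.51.100.7"}
    print(select_pool(POLICIES, req, "default-pool"))   # school-site
```

The reverse flag on the match-dir entry is the interesting part: the school policy claims everything under /school except paths that contain an /admin/ directory, which then fall through to whatever pool the server policy uses by default.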

Related topics

- server-policy server-pool on page 168
- server-policy policy on page 140
- waf url-rewrite url-rewrite-policy on page 616


server-policy ip-group

Use this command to group IP addresses or IP ranges, so that you can later reference them in IP Protection > IP List
(config waf ip-list).
To use this command, your administrator account’s access control profile must have both r and w permissions to items
in the traroutegrp category.

Syntax
config server-policy ip-group
edit <index>
config members
edit <index>
set ip <IP_addresses_or_ranges>
next
end
next
end

<IP_addresses_or_ranges>
    Enter one of the following values:
    - A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 172.16.1.20). Multiple addresses or ranges should be separated with a comma ",".
    - A range of addresses (e.g. 1.2.3.4,2001::1,1.2.3.4-1.2.3.40,2001::1-2001::100).
    No default.

server-policy pattern custom-data-type

Use this command to configure custom data types to augment the predefined data types. You can add custom data
types to input rules to define the data type of an input, and to auto-learning profiles to detect valid input parameters.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
traroutegrp area. For details, see Permissions on page 46.

Syntax
config server-policy pattern custom-data-type
edit "<custom-data-type_name>"
set expression "<regex_pattern>"
next
end


"<custom-data-type_name>"
    Enter the name of the custom data type. The maximum length is 63 characters.
    To display the list of existing types, enter:
    edit ?
    No default.

expression "<regex_pattern>"
    Enter a regular expression that defines the data type. It should match all data of that type, but nothing else. The maximum length is 2,071 characters.
    No default.

Example

This example configures two custom data types.
config server-policy pattern custom-data-type
edit "Level 3 Password-custom"
set expression "^aaa"
next
edit "Custom Data Type 1"
set expression "^555"
next
end
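The table above requires that the expression "match all data of that type, but nothing else", and the example patterns are anchored only at the start. The following is an added example, not FortiWeb code: `pattern_report()` and `is_exact()` (names chosen here) run a candidate regex over constructed positive and negative samples so a loose pattern is caught before `set expression` is used. The page does not say whether FortiWeb applies the expression as a search or as a full match, so both modes are reported and the difference is visible.

```python
"""Pre-deployment check for a custom data type expression.

Added example, not FortiWeb code. pattern_report() and is_exact() are
illustrative helpers; the ticket-ID data type and its samples are constructed.
"""
import re
from typing import Dict, Iterable, List


def pattern_report(pattern: str, should_match: Iterable[str],
                   should_not_match: Iterable[str]) -> Dict[str, List[str]]:
    """Return the samples the pattern gets wrong under search and full-match modes.

    'search' applies the pattern anywhere in the value (what an expression
    anchored only at one end effectively does); 'fullmatch' requires the whole
    value to be covered, which is what "matches the type and nothing else" needs.
    """
    rx = re.compile(pattern)
    report: Dict[str, List[str]] = {
        "search_false_negatives": [], "search_false_positives": [],
        "fullmatch_false_negatives": [], "fullmatch_false_positives": [],
    }
    for value in should_match:
        if rx.search(value) is None:
            report["search_false_negatives"].append(value)
        if rx.fullmatch(value) is None:
            report["fullmatch_false_negatives"].append(value)
    for value in should_not_match:
        if rx.search(value) is not None:
            report["search_false_positives"].append(value)
        if rx.fullmatch(value) is not None:
            report["fullmatch_false_positives"].append(value)
    return report


def is_exact(pattern: str, should_match: Iterable[str],
             should_not_match: Iterable[str]) -> bool:
    """True when the pattern fully matches every positive and no negative sample."""
    r = pattern_report(pattern, list(should_match), list(should_not_match))
    return not r["fullmatch_false_negatives"] and not r["fullmatch_false_positives"]


# Constructed samples for a hypothetical "six-digit ticket ID starting with 555" type.
TICKET_OK = ["555123", "555000"]
TICKET_BAD = ["555123' OR 1=1", "5551234", "555abc", "0555123"]

if __name__ == "__main__":
    # "^555" is the second pattern from the example above: it accepts any value
    # that merely starts with 555 in search mode, and nothing at all in full-match mode.
    print(pattern_report("^555", TICKET_OK, TICKET_BAD))
    print(is_exact("^555", TICKET_OK, TICKET_BAD))
    print(is_exact("^555[0-9]{3}$", TICKET_OK, TICKET_BAD))
```

Running the harness on both ends of the pattern (start and end anchors, plus a bounded repetition) is the quickest way to confirm that an input rule built on the data type will not accept trailing payloads appended to an otherwise valid value.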

server-policy pattern custom-global-allow-list-group

Use this command to configure objects that will be exempt from scans.
When enabled, allowlisted items are not flagged as potential problems, nor incorporated into auto-learning data. This
feature reduces false positives and improves performance.
To include allow list items during policy enforcement, you must first disable them in the global allow list.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
traroutegrp area. For details, see Permissions on page 46.

Syntax
config server-policy pattern custom-global-allow-list-group
    edit <entry_index>
        set status {enable | disable}
        set type {Cookie | Parameter | URL | Header_Field}
        set domain "<cookie_str>"
        set name "<name_str>"
        set path "<url_str>"
        set request-type {plain | regular}
        set domain-type {plain | regular}
        set name-type {plain | regular}
        set request-file-status {enable | disable}
        set domain-status {enable | disable}
        set request-file "<url_str>"
        set header-type {plain | regular}
        set value-status {enable | disable}
        set value-type {plain | regular}
        set value <header_value_string>
    next
end

Variable / Description / Default

<entry_index>
    Enter the index number of the individual rule in the table. The valid range is
    1–9,223,372,036,854,775,807.
    Default: No default.

status {enable | disable}
    Enable to exempt this object from all scans.
    Default: enable

type {Cookie | Parameter | URL | Header_Field}
    Indicate the type of the object. Depending on your selection, the remaining settings
    vary.
    Default: URL

path "<url_str>"
    Enter the path as it appears in the cookie, such as / or /blog/folder.
    This setting is available if type {Cookie | Parameter | URL | Header_Field} on page
    119 is set to Cookie.
    Default: No default.

request-type {plain | regular}
    Indicate whether the request-file "<url_str>" on page 120 field contains a literal
    URL (plain), or a regular expression designed to match multiple URLs (regular).
    This setting is available if type {Cookie | Parameter | URL | Header_Field} on page
    119 is set to URL.
    Default: plain

domain-type {plain | regular}
    Indicate whether the domain "<cookie_str>" field will contain a literal domain/IP
    address (Simple String, plain), or a regular expression designed to match multiple
    domains/IP addresses (Regular Expression, regular).
    Default: plain

domain "<cookie_str>"
    Enter the partial or complete domain name or IP address as it appears in the cookie,
    such as:
    www.example.com
    .google.com
    192.0.2.50
    If clients sometimes access the host via IP address instead of DNS, create allow list
    objects for both.
    This setting is available if type {Cookie | Parameter | URL | Header_Field} on page
    119 is set to Cookie.
    Caution: Do not allowlist untrusted subdomains that use vulnerable cookies. It could
    compromise the security of that domain and its network.
    Default: No default.

name-type {plain | regular}
    Indicate whether the name "<name_str>" field will contain a literal parameter name
    (Simple String, plain), or a regular expression designed to match all parameter
    names (Regular Expression, regular).
    Default: plain

name "<name_str>"
    Depending on your selection in type {Cookie | Parameter | URL | Header_Field} on
    page 119, either:
    - Enter the name of the cookie as it appears in the HTTP request, such as NID.
    - Enter the name of the parameter as it appears in the HTTP URL or body, such as
      rememberme.
    This setting is available if type {Cookie | Parameter | URL | Header_Field} on page
    119 is set to Cookie, Parameter, or Header_Field.
    Default: No default.

request-file-status {enable | disable}
    Enable to apply this rule only to HTTP requests for specific URLs.
    Configure request-file "<url_str>" if it is enabled.
    Default: disable

domain-status {enable | disable}
    Enable to apply this rule only to HTTP requests for specific domains.
    If enabled, also configure domain "<cookie_str>".
    Default: disable

request-file "<url_str>"
    Depending on your selection in the request-type {plain | regular} on page 119 field,
    enter either:
    - The literal URL, such as /robots.txt, that the HTTP request must contain in order
      to match the rule. The URL must begin with a slash ( / ).
    - A regular expression, such as ^/*.html, matching all and only the URLs to which
      the rule should apply. The pattern does not require a slash ( / ); however, it
      must match URLs that begin with a slash, such as /index.html.
    Do not include the domain name, such as www.example.com.
    This setting is available if type {Cookie | Parameter | URL | Header_Field} on page
    119 is set to URL.
    Default: No default.

header-type {plain | regular}
    Indicate whether the type field will contain a literal name (plain), or a regular
    expression designed to match multiple names (regular).
    Default: plain

value-status {enable | disable}
    Enable to also check the value of the HTTP header. Only the HTTP headers which match
    both the name and the value will be allowlisted.
    Default: disable

value-type {plain | regular}
    Indicate whether the header name will contain a literal name (plain), or a regular
    expression designed to match multiple names (regular).
    Default: plain

value <header_value_string>
    The value of the HTTP header. Depending on your selection in the value-type field,
    enter either a literal value or a regular expression.
    Default: No default.

Example

This example exempts requests for robots.txt from most scans.


config server-policy pattern custom-global-allow-list-group
    edit 1
        set request-file "/robots.txt"
    next
end
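The entries configured by this command are evaluated per request, with the plain/regular flags deciding whether each field is compared literally or as a regular expression. The following is an added example, not FortiWeb code: `AllowEntry`, `text_matches()`, `url_exempt_entry()` and `cookie_exempt_entry()` are names chosen here, the evaluation order and the use of `re.search` for regular values are illustrative assumptions, and the entries (including the robots.txt one from the example above) are constructed.

```python
"""Model of global allow list matching for URL and Cookie entries.

Added example, not FortiWeb code. Field names follow the variables documented
above; the matching semantics are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AllowEntry:
    index: int
    type: str = "URL"              # Cookie | Parameter | URL | Header_Field
    status: str = "enable"
    request_type: str = "plain"    # URL entries: plain | regular
    request_file: str = ""
    domain_type: str = "plain"     # Cookie entries
    domain: str = ""
    name_type: str = "plain"
    name: str = ""
    path: str = ""


def text_matches(kind: str, configured: str, actual: str) -> bool:
    """'plain' compares literally; 'regular' applies the value as a regex."""
    if kind == "regular":
        return re.search(configured, actual) is not None
    return configured == actual


def url_exempt_entry(entries: List[AllowEntry], request_path: str) -> Optional[int]:
    """Index of the first enabled URL entry matching the request path, or None."""
    for e in entries:
        if e.status != "enable" or e.type != "URL":
            continue  # disabled entries and other object types never exempt a URL
        if text_matches(e.request_type, e.request_file, request_path):
            return e.index
    return None


def cookie_exempt_entry(entries: List[AllowEntry], cookie_name: str,
                        cookie_domain: str, cookie_path: str) -> Optional[int]:
    """Index of the first enabled Cookie entry whose name, domain and path all match."""
    for e in entries:
        if e.status != "enable" or e.type != "Cookie":
            continue
        if (text_matches(e.name_type, e.name, cookie_name)
                and text_matches(e.domain_type, e.domain, cookie_domain)
                and e.path == cookie_path):
            return e.index
    return None


# Constructed entries; entry 1 is the robots.txt exemption from the example above.
ENTRIES = [
    AllowEntry(1, type="URL", request_file="/robots.txt"),
    AllowEntry(2, type="URL", request_type="regular", request_file=r"^/static/.*\.html$"),
    AllowEntry(3, type="URL", status="disable", request_file="/healthz"),
    AllowEntry(4, type="Cookie", name="NID", domain=".google.com", path="/"),
    # Anchored regex: an unanchored "example\.com" would also exempt cookies set for
    # example.com.other.test, which is the subdomain caution in the table above.
    AllowEntry(5, type="Cookie", name="session", domain_type="regular",
               domain=r"\.example\.com$", path="/"),
]

if __name__ == "__main__":
    print(url_exempt_entry(ENTRIES, "/robots.txt"))
    print(url_exempt_entry(ENTRIES, "/static/index.html"))
    print(cookie_exempt_entry(ENTRIES, "session", "api.example.com", "/"))
    print(cookie_exempt_entry(ENTRIES, "session", "example.com.other.test", "/"))
```

Entry 5 shows why a regular-type domain should be anchored: the allow list removes an object from every scan, so a pattern that also matches unrelated hosts widens the exemption well beyond the intended domain.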

Related topics

- waf web-protection-profile inline-protection on page 636

server-policy pattern threat-score-profile

The settings in config server-policy pattern threat-weight apply to all the web protection profiles in an
ADOM. However, if you want to differentiate the Threat Score settings in different web protection profiles, you can use
server-policy pattern threat-score-profile to create multiple Threat Score profiles and apply them to
different web protection profiles.
For details about Threat Weight, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the
admingrp area. For details, see Permissions on page 46.

Syntax
config server-policy pattern threat-score-profile
    edit <name>
        set low-level-score-end <level_int>
        set medium-level-score-end <level_int>
        set statistics-period {one-day | three-days | one-week}
        set malicious-action {none | alert | alert_deny | block-period | client-id-block-period}
        set malicious-block-period <minutes_int>
        set suspicious-action {none | alert | alert_deny | block-period | client-id-block-period}
        set suspicious-block-period <minutes_int>
        set signature-only-threat-score {enable | disable}
        set signature-score-threshold <int>
        set signature-action {alert | alert_deny | block-period | client-id-block-period}
        set signature-block-period <int>
        set always-record-signature-alog {enable | disable}
    next
end

Variable / Description / Default

low-level-score-end <level_int>
    Set the low level threat score for different risk levels of a client based on the
    threat weight sum of all the security violations launched by the client at the time
    of the last access.
    Default: 100

medium-level-score-end <level_int>
    Set the high threat score for different risk levels of a client based on the threat
    weight sum of all the security violations launched by the client at the time of the
    last access.
    Default: 200

statistics-period {one-day | three-days | one-week}
    Select the amount of time in days that FortiWeb will store the threat score data for
    an active client.
    For example, when the statistics period is 3 days and the total threat score in this
    period is 150, then 150 will be taken as the score to compare with those set for
    trusted/suspicious/malicious clients.
    Default: three-days

malicious-action {none | alert | alert_deny | block-period | client-id-block-period}
    - block-period: Block a malicious client based on source IP.
    - client-id-block-period: Block a malicious client based on the FortiWeb generated
      client ID. This is useful when the source IP of a certain client keeps changing.
    - alert: Accept the connection and generate an alert email and/or log message.
    - alert_deny: Block the request (or reset the connection) and generate an alert
      and/or log message.
    Default: none

malicious-block-period <minutes_int>
    When selecting block-period or client-id-block-period, you need to enter the number
    of minutes that you want to block subsequent requests from the IP or client.
    Valid range is 1-1440 minutes.
    Default: 10

suspicious-action {none | alert | alert_deny | block-period | client-id-block-period}
    - block-period: Block a suspicious client based on source IP.
    - client-id-block-period: Block a suspicious client based on the FortiWeb generated
      client ID. This is useful when the source IP of a certain client keeps changing.
    - alert: Accept the connection and generate an alert email and/or log message.
    - alert_deny: Block the request (or reset the connection) and generate an alert
      and/or log message.
    Default: none

suspicious-block-period <minutes_int>
    When selecting block-period or client-id-block-period, you need to enter the number
    of minutes that you want to block subsequent requests from the IP or client.
    Valid range is 1-1440 minutes.
    Default: 10

signature-only-threat-score {enable | disable}
    Enable signature-only-threat-score to limit Threat Score threshold calculation to
    signature violations only.
    When enabled, a single signature violation from the client will not trigger the
    system to take actions according to the settings on the Signature page. The system
    will calculate threat scores and take action only when the signature-only-threat-score
    threshold is reached. An exception is the Erase action, which means the system will
    take immediate action if the client violates a signature for which the action is
    Erase.
    Default: disable

signature-score-threshold <int>
    Enter a threshold value for the signature violations.
    Available only when signature-only-threat-score is enabled.
    Default: 200

signature-action {alert | alert_deny | block-period | client-id-block-period}
    - block-period: Block a client based on source IP.
    - client-id-block-period: Block a client based on the FortiWeb generated client ID.
      This is useful when the source IP of a certain client keeps changing.
    - alert: Accept the connection and generate an alert email and/or log message.
    - alert_deny: Block the request (or reset the connection) and generate an alert
      and/or log message.
    Available only when signature-only-threat-score is enabled.
    Default: alert_deny

signature-block-period <int>
    When selecting block-period or client-id-block-period, you need to enter the number
    of minutes that you want to block subsequent requests from the IP or client.
    Available only when signature-only-threat-score is enabled.
    Default: 10

always-record-signature-alog {enable | disable}
    When disabled, the Signature module itself will no longer record logs. A signature
    log will be generated only when the signature-only-threat-score exceeds the threshold.
    When enabled, every time a signature rule is triggered, the signature attack log will
    be generated.
    Available only when signature-only-threat-score is enabled.
    Default: disable
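The table above describes a score that is the sum of the threat weights of a client's violations inside the statistics period, compared against low-level-score-end and medium-level-score-end, with signature-only-threat-score restricting the sum to signature violations and its own threshold. The following is an added example, not FortiWeb code, that carries that reasoning through on constructed events: the thresholds, period names and action names are the ones documented above, while the numeric weight behind each threat level (the page states only low = 10 under threat-weight), the `Violation`/`ScoreProfile` types, the inclusive treatment of the score-end values and the decision order in `decide()` are assumptions made here.

```python
"""Threat score computation and action selection, as an added model.

Not FortiWeb code. Thresholds and action names come from the
threat-score-profile table above; LEVEL_WEIGHT (except low = 10), the sample
events and the exact decision rules are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumed numeric weights per threat level; only "low" (10) is stated on the page.
LEVEL_WEIGHT = {"informational": 1, "low": 10, "moderate": 20,
                "substantial": 30, "severe": 50, "critical": 100}
PERIOD_DAYS = {"one-day": 1, "three-days": 3, "one-week": 7}


@dataclass
class Violation:
    client: str        # source IP or FortiWeb generated client ID
    when: datetime
    category: str      # "signature", "ip-reputation", ... (constructed labels)
    level: str         # key of LEVEL_WEIGHT


@dataclass
class ScoreProfile:
    low_level_score_end: int = 100          # defaults from the table above
    medium_level_score_end: int = 200
    statistics_period: str = "three-days"
    malicious_action: str = "none"
    suspicious_action: str = "none"
    signature_only_threat_score: bool = False
    signature_score_threshold: int = 200
    signature_action: str = "alert_deny"


def threat_score(events: List[Violation], client: str, now: datetime,
                 profile: ScoreProfile) -> int:
    """Sum the weights of the client's violations inside the statistics period."""
    window = timedelta(days=PERIOD_DAYS[profile.statistics_period])
    total = 0
    for ev in events:
        if ev.client != client or ev.when > now or now - ev.when > window:
            continue  # other client, future timestamp, or aged out of the period
        if profile.signature_only_threat_score and ev.category != "signature":
            continue  # signature-only mode counts signature violations only
        total += LEVEL_WEIGHT[ev.level]
    return total


def classify(score: int, profile: ScoreProfile) -> str:
    """Map a score to trusted/suspicious/malicious (score-end treated as inclusive)."""
    if score <= profile.low_level_score_end:
        return "trusted"
    if score <= profile.medium_level_score_end:
        return "suspicious"
    return "malicious"


def decide(events: List[Violation], client: str, now: datetime,
           profile: ScoreProfile) -> Tuple[int, str, str]:
    """Return (score, risk level, action) for one client under one profile."""
    score = threat_score(events, client, now, profile)
    level = classify(score, profile)
    if profile.signature_only_threat_score:
        # Action is driven by the signature threshold, not by the risk level.
        hit = score >= profile.signature_score_threshold
        action = profile.signature_action if hit else "none"
    elif level == "malicious":
        action = profile.malicious_action
    elif level == "suspicious":
        action = profile.suspicious_action
    else:
        action = "none"
    return score, level, action


# Constructed sample events (RFC 5737 documentation addresses, fixed clock).
NOW = datetime(2024, 1, 10, 12, 0, 0)
SAMPLE_EVENTS = [
    Violation("198.51.100.7", NOW - timedelta(hours=1), "signature", "severe"),
    Violation("198.51.100.7", NOW - timedelta(hours=2), "ip-reputation", "critical"),
    Violation("198.51.100.7", NOW - timedelta(days=2), "signature", "substantial"),
    Violation("198.51.100.7", NOW - timedelta(days=5), "csrf-protection", "moderate"),
    Violation("198.51.100.8", NOW - timedelta(hours=3), "signature", "critical"),
]

if __name__ == "__main__":
    normal = ScoreProfile(suspicious_action="block-period",
                          malicious_action="client-id-block-period")
    print(decide(SAMPLE_EVENTS, "198.51.100.7", NOW, normal))
    print(decide(SAMPLE_EVENTS, "198.51.100.7", NOW,
                 ScoreProfile(signature_only_threat_score=True)))
```

With the three-day default the first client accumulates 50 + 100 + 30 = 180 (the five-day-old event is outside the period), which lands in the suspicious band and triggers suspicious-action; under a one-day period the same client scores 150, and in signature-only mode only the two signature events (80) count, below the 200 threshold.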


Related Topics

- waf web-protection-profile inline-protection on page 636

server-policy pattern threat-weight

Use this command to configure the global threat weight of security violations. When a security violation is detected, the
threat weight of the security violation is used to calculate the threat score of a client that launched the event.
For details about Threat Weight, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the
admingrp area. For details, see Permissions on page 46.

Syntax
config server-policy pattern threat-weight
    set allow-method-level {low | critical | informational | moderate | substantial | severe}
    set allow-method-op {enable | disable}
    set biometrics-based-detection-level {low | critical | informational | moderate | substantial | severe}
    set biometrics-based-detection-op {enable | disable}
    set bot-deception-level {low | critical | informational | moderate | substantial | severe}
    set bot-deception-op {enable | disable}
    set client-management-expire <time_int>
    set concurrent-users-per-account-exceeds-limit-level {low | critical | informational | moderate | substantial | severe}
    set concurrent-users-per-account-exceeds-limit-op {enable | disable}
    set cookie-signature-check-failed-level {low | critical | informational | moderate | substantial | severe}
    set cookie-signature-check-failed-op {enable | disable}
    set cors-protection-level {low | critical | informational | moderate | substantial | severe}
    set cors-protection-op {enable | disable}
    set credential-stuffing-defense-level {low | critical | informational | moderate | substantial | severe}
    set credential-stuffing-defense-op {enable | disable}
    set csrf-protection-level {low | critical | informational | moderate | substantial | severe}
    set csrf-protection-op {enable | disable}
    set custom-policy-op {enable | disable}
    set fail-to-validate-json-schema-level {low | critical | informational | moderate | substantial | severe}
    set fail-to-validate-json-schema-op {enable | disable}
    set fail-to-validate-xml-schema-level {low | critical | informational | moderate | substantial | severe}
    set fail-to-validate-xml-schema-op {enable | disable}
    set forbid-xml-entities-level {low | critical | informational | moderate | substantial | severe}
    set forbid-xml-entities-op {enable | disable}
    set format-not-allowed-in-websocket-level {low | critical | informational | moderate | substantial | severe}
    set format-not-allowed-in-websocket-op {enable | disable}
    set geo-ip-level {low | critical | informational | moderate | substantial | severe}
    set geo-ip-op {enable | disable}
    set hidden-field-protection-level {low | critical | informational | moderate | substantial | severe}
    set hidden-field-protection-op {enable | disable}
    set http-access-limit-level {low | critical | informational | moderate | substantial | severe}
    set http-access-limit-op {enable | disable}
    set http-flood-prevention-level {low | critical | informational | moderate | substantial | severe}
    set http-flood-prevention-op {enable | disable}
    set http-protocol-constraints-op {enable | disable}
    set illegal-file-size-level {low | critical | informational | moderate | substantial | severe}
    set illegal-file-size-op {enable | disable}
    set illegal-file-type-level {low | critical | informational | moderate | substantial | severe}
    set illegal-file-type-op {enable | disable}
    set ip-list-level {low | critical | informational | moderate | substantial | severe}
    set ip-list-op {enable | disable}
    set ip-replay-violation-level {low | critical | informational | moderate | substantial | severe}
    set ip-replay-violation-op {enable | disable}
    set ip-reputation-level {low | critical | informational | moderate | substantial | severe}
    set ip-reputation-op {enable | disable}
    set json-element-length-exceeded-level {low | critical | informational | moderate | substantial | severe}
    set json-element-length-exceeded-op {enable | disable}
    set known-bots-level {low | critical | informational | moderate | substantial | severe}
    set known-bots-op {enable | disable}
    set low-level <level_int>
    set low-level-score-end <level_int>
    set malicious-action {alert | alert_deny | block-period | client-id-block-period}
    set malicious-block-period <minutes_int>
    set malicious-file-detected-by-fortisandbox-level {low | critical | informational | moderate | substantial | severe}
    set malicious-file-detected-by-fortisandbox-op {enable | disable}
    set malicious-ips-level {low | critical | informational | moderate | substantial | severe}
    set malicious-ips-op {enable | disable}
    set man-in-browser-protection-level {low | critical | informational | moderate | substantial | severe}
    set man-in-browser-protection-op {enable | disable}
    set medium-level-score-end <level_int>
    set mobile-api-protection-level {low | critical | informational | moderate | substantial | severe}
    set mobile-api-protection-op {enable | disable}
    set openapi-validation-level {low | critical | informational | moderate | substantial | severe}
    set openapi-validation-op {enable | disable}
    set origin-not-allowed-level {low | critical | informational | moderate | substantial | severe}
    set origin-not-allowed-op {enable | disable}
    set padding-oracle-protection-level {low | critical | informational | moderate | substantial | severe}
    set padding-oracle-protection-op {enable | disable}
    set parameter-validation-level {low | critical | informational | moderate | substantial | severe}
    set parameter-validation-op {enable | disable}
    set session-fixation-protection-level {low | critical | informational | moderate | substantial | severe}
    set session-fixation-protection-op {enable | disable}
    set session-idle-timeout-level {low | critical | informational | moderate | substantial | severe}
    set session-idle-timeout-op {enable | disable}
    set signature-op {enable | disable}
    set size-exceeds-limit-level {low | critical | informational | moderate | substantial | severe}
    set size-exceeds-limit-op {enable | disable}
    set sql-xss-sbd-op {enable | disable}
    set statistics-period {one-day | three-days | one-week}
    set suspicious-action {alert | alert_deny | block-period | client-id-block-period}
    set suspicious-block-period <minutes_int>
    set tcp-flood-prevention-level {low | critical | informational | moderate | substantial | severe}
    set tcp-flood-prevention-op {enable | disable}
    set threshold-based-detection-level {low | critical | informational | moderate | substantial | severe}
    set threshold-based-detection-op {enable | disable}
    set threat-score-profile {enable | disable}
    set trojan-detected-level {low | critical | informational | moderate | substantial | severe}
    set trojan-detected-op {enable | disable}
    set url-access-level {low | critical | informational | moderate | substantial | severe}
    set url-access-op {enable | disable}
    set virus-detected-level {low | critical | informational | moderate | substantial | severe}
    set virus-detected-op {enable | disable}
    set websocket-extensions-not-allowed-level {low | critical | informational | moderate | substantial | severe}
    set websocket-extensions-not-allowed-op {enable | disable}
    set websocket-traffic-not-allowed-level {low | critical | informational | moderate | substantial | severe}
    set websocket-traffic-not-allowed-op {enable | disable}
    set wsdl-validation-failed-level {low | critical | informational | moderate | substantial | severe}
    set wsdl-validation-failed-op {enable | disable}
    set wsi-check-failed-level {low | critical | informational | moderate | substantial | severe}
    set wsi-check-failed-op {enable | disable}
    set xml-element-length-exceeded-level {low | critical | informational | moderate | substantial | severe}
    set xml-element-length-exceeded-op {enable | disable}
end


Variable Description Default

allow-method-level {low Set the threat weight for HTTP request method moderate
| critical | informational | violations.
moderate | substantial |
severe}

allow-method-op {enable Enable to configure the threat weight for HTTP request enable
| disable} method violations.

biometrics-based- Set the threat weight for biometrics based detection substantial
detection -level {low rule violations.
| critical | informational |
moderate | substantial |
severe}

biometrics-based- Enable to configure the threat weight for biometrics disable


detection-op {enable based detection rule violations.
| disable}

bot-deception-level {low Set the threat weight for bot deception policy violations. substantial
| critical | informational |
moderate | substantial |
severe}

bot-deception-op {enable Enable to configure the threat weight for bot deception disable
| disable} policy violations.

client-management-expire Set the amount of time that FortiWeb will store the 15 days
<time_int> tracked client information.
Once the information has been stored for longer than
the set amount of time, FortiWeb will remove that
information.

concurrent-users-per- Set the threat weight for violations that the number of moderate
account-exceeds-limit- concurrent users per account exceeds the limit.
level {low | critical |
informational | moderate |
substantial | severe}

concurrent-users-per- Enable to configure the threat weight for violations that enable
account-exceeds-limit-op the number of concurrent users per account exceeds
{enable | disable} the limit.

cookie-signature-check- When the security mode is None or Signed, enable to substantial


failed-level {low | critical | configure the threat weight for cookie tampering
informational | moderate | protection rule violations.
substantial | severe}

cookie-signature-check- Enable to configure the threat weight for cookie enable


failed-op {enable | disable} tampering protection rule violations.

FortiWeb CLI Reference Fortinet Technologies Inc.


config 128

Variable Description Default

cors-protection-level {low Set the threat weight for CORS protection rule moderate
| critical | informational | violations.
moderate | substantial |
severe}

cors-protection-op {enable Enable to configure the threat weight for CORS enable
| disable} protection rule violations.

credential-stuffing- Set the threat weight for Credential Stuffing attacks. severe
defense-level {low | critical
| informational | moderate |
substantial | severe}

credential-stuffing- Enable to configure the threat weight for Credential enable


defense-op {enable Stuffing attacks.
| disable}

csrf-protection-level {low Set the threat weight for CSRF protection rule substantial
| critical | informational | violations.
moderate | substantial |
severe}

csrf-protection-op {enable Enable to configure the threat weight for CSRF enable
| disable} protection rule violations.

custom-policy-op {enable Enable to configure the threat weight for custom policy enable
| disable} violations.

fail-to-validate-json- Set the threat weight for JSON protection rule substantial
schema-level {low | critical violations.
| informational | moderate |
substantial | severe}

fail-to-validate-json- Enable to configure the threat weight for violation of enable


schema-op {enable failing to validate JSON schema file.
| disable}

fail-to-validate-xml- Set the threat weight for violation of failing to validate moderate
schema-level {low | critical JSON schema file.
| informational | moderate |
substantial | severe}

fail-to-validate-xml- Enable to configure the threat weight for violation of enable


schema-op {enable failing to validate XML schema file.
| disable}

forbid-xml-entities-level Set the threat weight for violation of failing to validate substantial
{low | critical | informational XML schema file.
| moderate | substantial |
severe}

FortiWeb CLI Reference Fortinet Technologies Inc.


config 129

Variable Description Default

forbid-xml-entities-op Enable to configure the threat weight for forbidden XML enable
{enable | disable} entities violations.

format-not-allowed-in- When the WebSocket connection is established, data is moderate


websocket-level {low transmitted in the form of frame.
| critical | informational | Set the threat weight for violation that frame formats are
moderate | substantial | not allowed.
severe}

format-not-allowed-in- Enable to configure the threat weight for violation that enable
websocket-op {enable frame formats are not allowed.
| disable}

geo-ip-level {low | critical | Set the threat weight for requests from blocked critical
informational | moderate | countries or regions based on the associated source IP
substantial | severe} address.

geo-ip-op {enable Enable to configure the threat weight for Geo IP block enable
| disable} policy violations.

hidden-field-protection- Set the threat weight for attempts to tamper with hidden substantial
level {low | critical | field rules.
informational | moderate |
substantial | severe}

hidden-field-protection-op Enable to configure the threat weight for hidden field enable
{enable | disable} protection rule violations.

HTTP-access-limit-level Set the threat weight for violation that the number of substantial
{low | critical | informational HTTP requests per second, per source IP address
| moderate | substantial | exceeds the limit.
severe}

HTTP-access-limit-op Enable to configure the threat weight for violation that enable
{enable | disable} the number of HTTP requests per second, per source
IP address exceeds the limit.

HTTP-flood-prevention- Set the threat weight for violation that the number substantial
level {low | critical | ofHTTP requests per second, per session, per URL
informational | moderate | exceeds the limit.
substantial | severe}

HTTP-flood-prevention-op Enable to configure the threat weight for violation that enable
{enable | disable} the number of HTTP requests per second, per session,
per URL exceeds the limit.

HTTP-protocol- Enable to configure the threat weight for HTTP protocol enable
constraints-op {enable constraints. Once enabled, the threat weight for each
| disable} HTTP protocol constraint may be set using waf HTTP-
protocol-parameter-restriction on page 488.

FortiWeb CLI Reference Fortinet Technologies Inc.


config 130

Variable Description Default

illegal-file-size-level {low Set the threat weight for the file size detection and moderate
| critical | informational | restriction violation.
moderate | substantial |
severe}

illegal-file-size-op {enable Enable to configure the threat weight for the file size enable
| disable} detection and restriction violation.

illegal-file-type-level {low Set the threat weight for the file type detection and substantial
| critical | informational | restriction violation.
moderate | substantial |
severe}

illegal-file-type-op {enable Enable to configure the threat weight for the file type enable
| disable} detection and restriction violation.

ip-list-level {low | critical | Set the threat weight for requests from blocklisted IP critical
informational | moderate | addresses.
substantial | severe}

ip-list-op {enable | disable} Enable to configure the threat weight for requests from enable
blocklisted IP addresses.

ip-replay-violation-level When the security mode is Encrypted, select whether substantial


{low | critical | informational FortiWeb uses the IP address of a request to determine
| moderate | substantial | the owner of the cookie.
severe} Set the threat weight for IP replay violations.

ip-replay-violation-op Enable to configure the threat weight for IP replay enable


{enable | disable} violations.

ip-reputation-level {low Set the threat weight for requests from IP addresses critical
| critical | informational | with a poor reputation.
moderate | substantial |
severe}

ip-reputation-op {enable Enable to configure the threat weight for requests from enable
| disable} IP addresses with a poor reputation.

json-element-length- Set the threat weight for the violation that the JSON moderate
exceeded-level {low element length exceeds.
| critical | informational |
moderate | substantial |
severe}

json-element-length- Enable to configure the threat weight for the violation enable
exceeded-op {enable that the JSON element length exceeds.
| disable}

FortiWeb CLI Reference Fortinet Technologies Inc.


config 131

Variable Description Default

known-bots-level {low Set the threat weight for the known bots attacks. substantial
| critical | informational |
moderate | substantial |
severe}

known-bots-op {enable Enable to configure the threat weight for the known bots disable
| disable} attacks.

low-level <level_int> Set the risk level value for Low level. 10

low-level-score-end Set the low level threat score for different risk levels of a 100
<level_int> client based on the threat weight sum of all the security
violations launched by the client at the time of the last
access.

malicious-action {alert | l block-period: Block a malicious client based on none


alert_deny | block-period | source IP.
client-id-block-period} l client-id-block-period: Block a malicious client
based on the FortiWeb generated client ID. This is
useful when the source IP of a certain client keeps
changing.
l alert: Accept the connection and generate an alert
email and/or log message.
l alert_deny : Block the request (or reset the
connection) and generate an alert and/or log
message.

malicious-block-period When selecting block-period or client-id-block- 10


period, you need to enter the number of minutes that
you want to block subsequent requests from the IP or
client.
Valid range is 1-1440 minutes.

malicious-file-detected-by- Set the threat weight for the violation of malicious file severe
fortisandbox-level {low detection by FortiSandbox.
| critical | informational |
moderate | substantial |
severe}

malicious-file-detected-by- Enable to configure the threat weight for the violation of enable
fortisandbox-op {enable malicious file detection by FortiSandbox.
| disable}

malicious-ips-level {low Set the threat weight for the violation that the number of substantial
| critical | informational | TCP connections per HTTP session exceeds the limit.
moderate | substantial |
severe}

malicious-ips-op {enable | disable}
    Enable to configure the threat weight for the violation that the number of TCP connections per HTTP session exceeds the limit.
    Default: enable

man-in-browser-protection-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for MiTB attacks.
    Default: substantial

man-in-browser-protection-op {enable | disable}
    Enable to configure the threat weight for MiTB attacks.
    Default: enable

medium-level-score-end <level_int>
    Set the high threat score for different risk levels of a client based on the threat weight sum of all the security violations launched by the client at the time of the last access.
    Default: 200

mobile-api-protection-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for mobile API protection rule violations.
    Default: substantial

mobile-api-protection-op {enable | disable}
    Enable to configure the threat weight for mobile API protection rule violations.
    Default: enable

openapi-validation-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for OpenAPI validation rule violations.
    Default: moderate

openapi-validation-op {enable | disable}
    Enable to configure the threat weight for OpenAPI validation rule violations.
    Default: enable

origin-not-allowed-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for the violation of origin not allowed.
    Default: low

origin-not-allowed-op {enable | disable}
    Enable to configure the threat weight for the violation of origin not allowed.
    Default: enable

padding-oracle-protection-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for padding oracle attacks.
    Default: severe

padding-oracle-protection-op {enable | disable}
    Enable to configure the threat weight for padding oracle attacks.
    Default: enable

parameter-validation-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for parameter validation violation.
    Default: moderate

parameter-validation-op {enable | disable}
    Enable to configure the threat weight for parameter validation violation.
    Default: enable

session-fixation-protection-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for session fixation protection rule violation.
    Default: moderate

session-fixation-protection-op {enable | disable}
    Enable to configure the threat weight for session fixation protection rule violation.
    Default: enable

session-idle-timeout-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for the violation of session idle timeout.
    Default: moderate

session-idle-timeout-op {enable | disable}
    Enable to configure the threat weight for the violation of session idle timeout.
    Default: enable

signature-op {enable | disable}
    Enable to set the threat weight for each signature rule.
    Default: enable

size-exceeds-limit-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for the violation when the maximum acceptable frame header and body size in bytes exceeds the limit.
    Default: moderate

size-exceeds-limit-op {enable | disable}
    Enable to configure the threat weight for the violation when the maximum acceptable frame header and body size in bytes exceeds the limit.
    Default: enable

sql-xss-sbd-op {enable | disable}
    Enable to configure the threat weight for the SQL/XSS syntax based detection rule violation.
    Default: enable

statistics-period {one-day | three-days | one-week}
    Select the amount of time in days that FortiWeb stores the threat score data for an active client.
    For example, when the statistics period is 3 days and the total threat score in this period is 150, then 150 is taken as the score to compare with the thresholds set for trusted/suspicious/malicious clients.
    Default: three-days

suspicious-action {alert | alert_deny | block-period | client-id-block-period}
    - block-period: Block a suspicious client based on source IP.
    - client-id-block-period: Block a suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing.
    - alert: Accept the connection and generate an alert email and/or log message.
    - alert_deny: Block the request (or reset the connection) and generate an alert and/or log message.
    Default: none

suspicious-block-period
    When selecting block-period or client-id-block-period, enter the number of minutes that you want to block subsequent requests from the IP or client.
    Valid range is 1-1440 minutes.
    Default: 10

tcp-flood-prevention-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for the violation when the number of fully-formed TCP connections per source IP address exceeds the limit.
    Default: substantial

tcp-flood-prevention-op {enable | disable}
    Enable to configure the threat weight for the violation when the number of fully-formed TCP connections per source IP address exceeds the limit.
    Default: enable

threshold-based-detection-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for the threshold based detection rule violation.
    Default: substantial

threshold-based-detection-op {enable | disable}
    Enable to configure the threat weight for the threshold based detection rule violation.
    Default: disable

threat-score-profile {enable | disable}
    If you want to differentiate the Threat Score settings in different web protection profiles, enable threat-score-profile. After enabling it, use config server-policy pattern threat-score-profile to create multiple Threat Score profiles and apply them to different web protection profiles.
    Default: disable

trojan-detected-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for the Trojan detection rule violation.
    Default: enable

trojan-detected-op {enable | disable}
    Enable to configure the threat weight for the Trojan detection rule violation.
    Default: severe

url-access-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for the URL access rule violation.
    Default: substantial

url-access-op {enable | disable}
    Enable to configure the threat weight for the URL access rule violation.
    Default: enable

virus-detected-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for the virus detection rule violation.
    Default: critical

virus-detected-op {enable | disable}
    Enable to configure the threat weight for the virus detection rule violation.
    Default: enable

websocket-extensions-not-allowed-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for the violation of extension header in WebSocket handshake packet.
    Default: substantial

websocket-extensions-not-allowed-op {enable | disable}
    Enable to configure the threat weight for the violation of extension header in WebSocket handshake packet.
    Default: enable

websocket-traffic-not-allowed-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for the WebSocket traffic blocking violation.
    Default: substantial

websocket-traffic-not-allowed-op {enable | disable}
    Enable to configure the threat weight for the WebSocket traffic blocking violation.
    Default: enable

wsdl-validation-failed-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for the WSDL file validation rule violation.
    Default: substantial

wsdl-validation-failed-op {enable | disable}
    Enable to set the threat weight for the WSDL file validation rule violation.
    Default: enable

wsi-check-failed-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for the WS-security rule violation.
    Default: moderate

wsi-check-failed-op {enable | disable}
    Enable to set the threat weight for the WS-security rule violation.
    Default: enable

xml-element-length-exceeded-level {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for the violation that the XML element length exceeds.
    Default: moderate

xml-element-length-exceeded-op {enable | disable}
    Enable to configure the threat weight for the violation that the XML element length exceeds.
    Default: enable
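The following Python script is an added illustration, not FortiWeb code, of the bookkeeping the threat-score settings above describe: each violation contributes the weight of its configured level only when the matching -op setting is enable, the contributions are summed per client over the statistics-period window, the sum is compared with medium-level-score-end (default 200 above), and the suspicious-action decides whether the block entry keys on the source IP (block-period) or on the client ID (client-id-block-period), which matters for a client whose address keeps changing. The numeric weights for the six level names, the lower threshold LOW_LEVEL_SCORE_END, and the event records are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed numeric weights for the six named levels; the reference names the
# levels only, so these values are illustrative.
LEVEL_WEIGHT = {"informational": 1, "low": 5, "moderate": 10,
                "substantial": 20, "severe": 40, "critical": 80}

# (<violation>-level, <violation>-op) pairs using the defaults in the table.
THREAT_SETTINGS = {
    "padding-oracle-protection": ("severe", "enable"),
    "parameter-validation": ("moderate", "enable"),
    "origin-not-allowed": ("low", "enable"),
    "threshold-based-detection": ("substantial", "disable"),  # -op defaults to disable
}

STATISTICS_PERIOD_DAYS = {"one-day": 1, "three-days": 3, "one-week": 7}
MEDIUM_LEVEL_SCORE_END = 200  # default from the table above
LOW_LEVEL_SCORE_END = 50      # assumed lower threshold; not given in this section

NOW = datetime(2024, 1, 10, 12, 0)

# Constructed violation records: (timestamp, client_id, source_ip, violation).
EVENTS = [
    (NOW - timedelta(hours=1), "c1", "198.51.100.10", "padding-oracle-protection"),
    (NOW - timedelta(hours=2), "c1", "198.51.100.10", "padding-oracle-protection"),
    (NOW - timedelta(days=1), "c1", "198.51.100.10", "padding-oracle-protection"),
    (NOW - timedelta(days=2), "c1", "198.51.100.10", "parameter-validation"),
    (NOW - timedelta(days=2, hours=6), "c1", "198.51.100.10", "parameter-validation"),
    (NOW - timedelta(days=1), "c1", "198.51.100.10", "threshold-based-detection"),
    (NOW - timedelta(days=5), "c1", "198.51.100.10", "padding-oracle-protection"),
    (NOW - timedelta(hours=3), "c3", "192.0.2.5", "origin-not-allowed"),
    (NOW - timedelta(hours=4), "c3", "192.0.2.5", "origin-not-allowed"),
]
# c2 keeps the same FortiWeb client ID while its source IP changes.
for hour, ip in enumerate(["203.0.113.7", "203.0.113.8", "203.0.113.9"] * 2):
    EVENTS.append((NOW - timedelta(hours=hour), "c2", ip, "padding-oracle-protection"))


def violation_weight(violation):
    """Weight of one violation: the level's weight if its -op is enable, else 0."""
    level, op = THREAT_SETTINGS[violation]
    return LEVEL_WEIGHT[level] if op == "enable" else 0


def client_scores(events, now=NOW, statistics_period="three-days"):
    """Sum the weights per client ID for events inside the statistics period."""
    window_start = now - timedelta(days=STATISTICS_PERIOD_DAYS[statistics_period])
    scores = defaultdict(int)
    for ts, client_id, _ip, violation in events:
        if window_start <= ts <= now:
            scores[client_id] += violation_weight(violation)
    return dict(scores)


def classify(score):
    """Compare a client's score with the level boundaries."""
    if score > MEDIUM_LEVEL_SCORE_END:
        return "malicious"
    if score > LOW_LEVEL_SCORE_END:
        return "suspicious"
    return "trusted"


def block_entries(events, suspicious_action, now=NOW, statistics_period="three-days"):
    """Keys that block-period (source IP) or client-id-block-period (client ID)
    would add to the block list for clients scored suspicious or worse;
    alert and alert_deny add no block entry."""
    if suspicious_action not in ("block-period", "client-id-block-period"):
        return set()
    scores = client_scores(events, now, statistics_period)
    flagged = {cid for cid, s in scores.items() if classify(s) != "trusted"}
    keys = set()
    for _ts, cid, ip, _violation in events:
        if cid in flagged:
            keys.add(ip if suspicious_action == "block-period" else cid)
    return keys


if __name__ == "__main__":
    for cid, score in sorted(client_scores(EVENTS).items()):
        print(cid, score, classify(score))
    print("block-period keys:", sorted(block_entries(EVENTS, "block-period")))
    print("client-id keys:", sorted(block_entries(EVENTS, "client-id-block-period")))
```

With the three-day window, c1 scores 140 (the five-day-old event is outside the period and the threshold-based-detection event counts 0 because its -op is disable), c2 scores 240 from six severe violations spread across three source addresses, and c3 stays trusted. Blocking by source IP would need four block entries, while client-id-block-period needs one per client.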

Related Topics

- waf web-protection-profile inline-protection on page 636

server-policy persistence-policy

Use this command to configure a persistence method and timeout that you can apply to server pools. The persistence
policy applies to all members of the server pool.
After FortiWeb has forwarded the first packet from a client to a pool member, some protocols require that subsequent
packets also be forwarded to the same back-end server until a period of time passes or the client indicates that it has
finished transmission.
To apply a persistence policy, select it when you configure a server pool. For details, see server-policy server-pool on
page 168.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
traroutegrp area. For details, see Permissions on page 46.

Syntax
config server-policy persistence-policy
    edit "<persistence-policy_name>"
        set type {source-ip | persistent-cookie | asp-sessionid | php-sessionid | jsp-sessionid | insert-cookie | http-header | url-parameter | rewrite-cookie | embedded-cookie | ssl-session-id}
        set cookie-name "<cookie-name_str>"
        set timeout "<timeout_int>"
        set ipv4-netmask "<v4mask>"
        set ipv6-mask-length "<v6mask>"
        set http-header "<http-header_str>"
        set url-parameter "<url-parameter_str>"
        set cookie-path "<cookie-path_str>"
        set cookie-domain "<cookie-domain_str>"
        set secure-cookie {enable | disable}
    next
end

"<persistence-policy_name>"
    Enter the name of the persistence policy. The maximum length is 63 characters.
    To display the list of existing persistence policies, enter:
    edit ?
    Default: No default.

type {source-ip | persistent-cookie | asp-sessionid | php-sessionid | jsp-sessionid | insert-cookie | http-header | url-parameter | rewrite-cookie | embedded-cookie | ssl-session-id}
    - source-ip: Forwards subsequent requests with the same client IP address and subnet as the initial request to the same pool member. To define how FortiWeb derives the appropriate subnet from the IP address, configure ipv4-netmask "<v4mask>" on page 138 and ipv6-mask-length "<v6mask>" on page 139.
    - persistent-cookie: If an initial request contains a cookie whose name matches the cookie-name "<cookie-name_str>" on page 138 value, FortiWeb forwards subsequent requests that contain the same cookie value to the same pool member as the initial request.
    - asp-sessionid: If a cookie in the initial request contains an ASP .NET session ID value, FortiWeb forwards subsequent requests with the same session ID value to the same pool member as the initial request. FortiWeb preserves the original cookie name.
    - php-sessionid: If a cookie in the initial request contains a PHP session ID value, FortiWeb forwards subsequent requests with the same session ID value to the same pool member as the initial request. FortiWeb preserves the original cookie name.
    - jsp-sessionid: FortiWeb forwards subsequent requests with the same JSP session ID as the initial request to the same pool member. FortiWeb preserves the original cookie name.
    - insert-cookie: FortiWeb inserts a cookie with the name specified by cookie-name "<cookie-name_str>" on page 138 to the initial request and forwards all subsequent requests with this cookie to the same pool member. FortiWeb uses this cookie for persistence only and does not forward it to the pool member. Also specify cookie-path "<cookie-path_str>" on page 139 and cookie-domain "<cookie-domain_str>" on page 139.
    - http-header: Forwards subsequent requests with the same value for an HTTP header as the initial request to the same pool member. Also configure http-header.
    - url-parameter: Forwards subsequent requests with the same value for a URL parameter as the initial request to the same pool member. Also configure url-parameter.
    - rewrite-cookie: If the HTTP response has a Set-Cookie: value that matches the value specified by cookie-name "<cookie-name_str>" on page 138, FortiWeb replaces the value with a randomly generated cookie value. FortiWeb forwards all subsequent requests with this generated cookie value to the same pool member.
    - embedded-cookie: If the HTTP response contains a cookie with the name specified by cookie-name "<cookie-name_str>" on page 138, FortiWeb preserves the original cookie value and adds a randomly generated cookie value and a ~ (tilde) as a prefix. FortiWeb forwards all subsequent requests with this cookie and prefix to the same pool member.
    - ssl-session-id: If a cookie in the initial request contains an SSL session ID value, FortiWeb forwards subsequent requests with the same session ID value to the same pool member as the initial request. FortiWeb preserves the original cookie name.
    For persistence types that use cookies, you can use the sessioncookie-enforce setting to maintain persistence for transactions within a session. For details, see server-policy policy on page 140.
    Default: source-ip

cookie-name "<cookie-name_str>"
    Enter a value to match or the name of the cookie that FortiWeb inserts.
    Available only when the persistence type uses a cookie.
    Default: No default.

timeout "<timeout_int>"
    Enter the maximum amount of time between requests that FortiWeb maintains persistence, in seconds.
    FortiWeb stops forwarding requests according to the established persistence after this amount of time has elapsed since it last received a request from the client with the associated property (for example, an IP address or cookie). Instead, it again selects a pool member using the load balancing method specified in the server pool configuration.
    Default: 300

ipv4-netmask "<v4mask>"
    Enter the IPv4 subnet used for session persistence.
    For example, if IPv4 Netmask is 256.256.256.256, FortiWeb can forward requests from IP addresses 192.0.2.1 and 192.0.2.2 to different server pool members.
    If IPv4 Netmask is 256.256.256.0, FortiWeb forwards requests from IP addresses 192.0.2.1 and 192.0.2.2 to the same pool member.
    Default: 256.256.256.256

ipv6-mask-length "<v6mask>"
    Enter the IPv6 network prefix used for session persistence.
    Default: 128

http-header "<http-header_str>"
    Enter the name of the HTTP header that the persistence feature uses to route requests.
    Default: No default.

url-parameter "<url-parameter_str>"
    Enter the name of the URL parameter that the persistence feature uses to route requests.
    Default: No default.

cookie-path "<cookie-path_str>"
    Enter a path attribute for the cookie that FortiWeb inserts, if type on page 137 is insert-cookie.
    Default: No default.

cookie-domain "<cookie-domain_str>"
    Enter a domain attribute for the cookie that FortiWeb inserts, if type on page 137 is insert-cookie.
    Default: No default.

secure-cookie {enable | disable}
    Configure the secure cookie to force browsers to return the cookie only for HTTPS traffic.
    Default: disable

Example

This example creates the persistence policy ip-persistence. When this policy is applied to a server pool, FortiWeb
forwards initial requests from an IP address using the load-balancing algorithm configured for the pool. It forwards any
subsequent requests with the same client IP address as the initial request to the same pool member. After FortiWeb has
not received a request from the IP address for 400 seconds, it forwards any subsequent initial requests from the IP
address using the load-balancing algorithm.
config server-policy persistence-policy
    edit "ip-persistence"
        set type source-ip
        set timeout 400
    next
end
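The Python simulation below is an added example, not FortiWeb code, of the persistence behaviour this command configures: source-ip persistence that buckets clients by ipv4-netmask or ipv6-mask-length and re-selects a pool member once the timeout has elapsed since the last request, and insert-cookie persistence in which the inserted cookie carries the cookie-path, cookie-domain and Secure attributes and is stripped before the request is forwarded to the pool member. Round-robin stands in for the pool's load-balancing method, and the member names, cookie name, token format and the dotted-quad masks such as 255.255.255.0 are assumptions made for the example.

```python
import ipaddress
import secrets
from itertools import cycle


class PersistencePolicy:
    """Simulates one persistence policy applied to a server pool (assumed model)."""

    def __init__(self, members, persistence_type="source-ip", timeout=300,
                 ipv4_netmask="255.255.255.255", ipv6_mask_length=128,
                 cookie_name="FWPERSIST", cookie_path="/", cookie_domain=None,
                 secure_cookie=False):
        self.persistence_type = persistence_type
        self.timeout = timeout                     # seconds, as in the reference
        self.ipv4_netmask = ipv4_netmask
        self.ipv6_mask_length = ipv6_mask_length
        self.cookie_name = cookie_name
        self.cookie_path = cookie_path
        self.cookie_domain = cookie_domain
        self.secure_cookie = secure_cookie
        self._lb = cycle(members)                  # stand-in for the pool's load balancing
        self._table = {}                           # persistence key -> (member, last_seen)

    def _subnet_key(self, client_ip):
        """source-ip: the client's subnet under ipv4-netmask / ipv6-mask-length."""
        addr = ipaddress.ip_address(client_ip)
        mask = self.ipv4_netmask if addr.version == 4 else self.ipv6_mask_length
        return str(ipaddress.ip_network(f"{client_ip}/{mask}", strict=False))

    def _lookup(self, key, now):
        """Reuse the pinned member unless the timeout has elapsed since the last request."""
        entry = self._table.get(key)
        if entry is not None and now - entry[1] <= self.timeout:
            member = entry[0]
        else:
            member = next(self._lb)                # expired or unknown: choose via load balancing
        self._table[key] = (member, now)
        return member

    def _set_cookie(self, token):
        parts = [f"{self.cookie_name}={token}", f"Path={self.cookie_path}"]
        if self.cookie_domain:
            parts.append(f"Domain={self.cookie_domain}")
        if self.secure_cookie:
            parts.append("Secure")                 # secure-cookie enable
        return "; ".join(parts)

    def route(self, client_ip, now, cookies=None):
        """Return (member, Set-Cookie header or None, cookies forwarded upstream)."""
        cookies = dict(cookies or {})
        if self.persistence_type == "source-ip":
            return self._lookup(self._subnet_key(client_ip), now), None, cookies
        if self.persistence_type == "insert-cookie":
            # The persistence cookie is consumed here and never reaches the pool member.
            token = cookies.pop(self.cookie_name, None)
            if token is not None and token in self._table:
                return self._lookup(token, now), None, cookies
            token = secrets.token_hex(16)
            member = self._lookup(token, now)
            return member, self._set_cookie(token), cookies
        raise NotImplementedError(self.persistence_type)


if __name__ == "__main__":
    pool = PersistencePolicy(["srv-a", "srv-b", "srv-c"], timeout=400)
    for ip, t in [("192.0.2.1", 0), ("192.0.2.2", 1), ("192.0.2.1", 399), ("192.0.2.1", 800)]:
        print(ip, t, pool.route(ip, t)[0])
```

In the run above the third request at t=399 still reaches the member chosen at t=0, while the request at t=800 arrives 401 seconds after the last one and is assigned afresh, matching the 400-second example policy.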


Related topics

- server-policy server-pool on page 168

server-policy policy

Use this command to configure HTTP, FTP, and AD FS server policies.

FortiWeb applies only one server policy to each connection.

HTTP policy behavior varies by the operation mode. FTP and AD FS server policies are available only in Reverse Proxy mode. For details, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides

When you switch the operation mode, FortiWeb deletes server policies from the configuration file if they are not applicable in the current operation mode.

To determine which type of server policy to create, configure protocol {HTTP | FTP | ADFSPIP} on page 153.
Before you configure an HTTP server policy, you can configure several policies and profiles:
- Configure a virtual server and server pool. For details, see server-policy vserver on page 199 and server-policy server-pool on page 168.
- To route traffic based on headers in the HTTP layer, configure one or more HTTP content routing policies. For details, see server-policy http-content-routing-policy on page 110.
- To restrict traffic based upon which hosts you want to protect, configure a group of protected host names. For details, see server-policy allow-hosts on page 103.
- If you plan to authenticate users, you need to configure users, user groups, and authentication rules and policy, and include the policy in an inline web protection profile. For details, see user ldap-user on page 361, user local-user on page 365, user ntlm-user on page 366, user user-group on page 376, waf http-authen http-authen-rule on page 476, and waf http-authen http-authen-policy on page 473.
- To apply a web protection profile to a server policy, you must first configure them. For details, see waf web-protection-profile inline-protection on page 636 (Reverse Proxy mode or either of the transparent modes), or waf web-protection-profile offline-protection on page 645 (Offline Protection mode).
- If you want to use the FortiWeb appliance to apply SSL to connections instead of using physical servers, you must also import a server certificate or create a Server Name Indication (SNI) configuration. For details, see system certificate local on page 237, system certificate sni on page 243, and system certificate urlcert on page 247.
- If you want the FortiWeb appliance to verify the certificate provided by an HTTP client to authenticate themselves, you must also define a certificate verification rule. If you want to specify whether a client is required to present a personal certificate or not based on the request URL, create a URL-based client certificate group. For details, see system certificate verify on page 248.
You can also use SNMP traps to notify you of policy status changes, or when a policy enforces your network usage policy. For details, see system snmp community on page 339.
Before you configure an FTP server policy, you need to:
- Configure an FTP command restriction rule. For details, see waf ftp-command-restriction-rule on page 459.
- Configure an FTP file check rule. For details, see waf ftp-file-security on page 461.
- Enable IP reputation intelligence. For details, see waf ip-intelligence on page 501.
- Create a geo IP rule. For details, see waf geo-block-list on page 465.
- Create an IP list. For details, see waf ip-list on page 505.
- Configure an FTP security inline profile. For details, see waf ftp-protection-profile.
Before you configure an AD FS server policy, you need to:
- Configure a virtual server and server pool. For details, see server-policy vserver on page 199 and server-policy server-pool on page 168.
- Import a certificate file and a CA file. For details, see system certificate local on page 237 and system certificate ca on page 228.
To use this command, your administrator account's access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions on page 46.

Syntax
config server-policy policy
    edit "<policy_name>"
        set allow-hosts "<hosts_name>"
        set block-port <port_int>
        set case-sensitive {enable | disable}
        set certificate "<certificate_name>"
        set chunk-encoding {enable | disable}
        set client-certificate-forwarding {enable | disable}
        set client-certificate-forwarding-sub-header "<header_str>"
        set client-real-ip {enable | disable}
        set client-real-ip-random-port {enable | disable}
        set real-ip-addr <real-ip-addr_str>
        set client-timeout <seconds_int>
        set comment "<comment_str>"
        set data-capture-port <port_int>
        set deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers}
        set ftp-protection-profile <profile_name>
        set half-open-threshold <packets_int>
        set hpkp-header "<hpkp_name>"
        set hsts-header {enable | disable}
        set hsts-max-age <timeout_int>
        set http2 {enable | disable}
        set http-header-timeout <seconds_int>
        set http-pipeline {enable | disable}
        set http-to-https {enable | disable}
        set redirect-naked-domain {enable | disable}
        set https-service "<service_name>"
        set implicit_ssl {enable | disable}
        set intermediate-certificate-group "<CA-group_name>"
        set internal-cookie-httponly {enable | disable}
        set internal-cookie-secure {enable | disable}
        set internal-cookie-samesite {enable | disable}
        set internal-cookie-samesite-value {strict | lax | none}
        set monitor-mode {enable | disable}
        set noparse {enable | disable}
        set prefer-current-session {enable | disable}
        set protocol {HTTP | FTP | ADFSPIP}
        set server-pool "<server-pool_name>"
        set service "<service_name>"
        set proxy-protocol {enable | disable}
        set use-proxy-protocol-addr {enable | disable}
        set replacemsg <replacemsg_name>
        set sessioncookie-enforce {enable | disable}
        set sni {enable | disable}
        set sni-certificate "<sni_name>"
        set sni-strict {enable | disable}
        set certificate-type {enable | disable}
        set lets-certificate <name>
        set ssl {enable | disable}
        set ssl-cipher {medium | high | custom}
        set ssl-client-verify "<verifier_name>"
        set ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}
        set tls13-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}
        set rfc7919-comply {enable | disable}
        set supported-groups {X25519 | prime256v1 | secp384r1 | secp521r1 | brainpoolP256r1 | brainpoolP384r1 | brainpoolP512r1 | ffdhe2048 | ffdhe3072 | ffdhe4096 | ffdhe6144 | ffdhe8192}
        set ssl-noreg {enable | disable}
        set ssl-quiet-shutdown {enable | disable}
        set ssl-session-timeout <ssl-session-timeout_int>
        set status {enable | disable}
        set syncookie {enable | disable}
        set tcp-recv-timeout <seconds_int>
        set tls-v10 {enable | disable}
        set tls-v11 {enable | disable}
        set tls-v12 {enable | disable}
        set tls-v13 {enable | disable}
        set urlcert {enable | disable}
        set urlcert-group "<urlcert-group_name>"
        set urlcert-hlen <len_int>
        set vserver "<vserver_name>"
        set v-zone "<bridge_name>"
        set traffic-mirror {enable | disable}
        set traffic-mirror-type {client-side | server-side | both-side}
        set traffic-mirror-profile <traffic-mirror-profile_str>
        set adfs-certificate-ssl-client-verify <adfs-certificate-ssl-client-verify_str>
        set adfs-certificate-service <adfs-certificate-service_str>
        set multi-certificate {enable | disable}
        set certificate-group <certificate-group_str>
        set acceleration-policy <acceleration-policy_str>
        set web-cache {enable | disable}
        set retry-on {enable | disable}
        set retry-on-cache-size <retry-on-cache-size_int>
        set retry-on-connect-failure {enable | disable}
        set retry-times-on-connect-failure <retry-times-on-connect-failure_int>
        set retry-on-http-layer {enable | disable}
        set retry-times-on-http-layer <retry-times-on-http-layer_int>
        set retry-on-http-response-codes {404 | 408 | 500 | 501 | 502 | 503 | 504}
        set replacemsg-on-connect-failure {disable | enable}
        set tcp-conn-timeout <integer>
        set ztna-profile <string>
        set reply-100-continue {enable | disable}
        set forward-expect-100-continue {enable | disable}
        config http-content-routing-list
            edit <entry_index>
                set content-routing-policy-name "<content-routing_name>"
                set is-default {yes | no}
                set profile-inherit {enable | disable}
            next
        end
    next
end

"<policy_name>"
    Enter the name of the policy. The maximum length is 63 characters.
    To display the list of existing policies, enter:
    edit ?
    Default: No default.

allow-hosts "<hosts_name>"
    Enter the name of a protected hosts group to allow or reject connections based upon whether the Host: field in the HTTP header is empty or does or does not match the protected hosts group. The maximum length is 63 characters.
    To display the list of existing groups, enter:
    edit ?
    If you do not select a protected hosts group, FortiWeb accepts or blocks requests based upon other criteria in the policy or protection profile, but regardless of the Host: field in the HTTP header.
    Note: Unlike HTTP 1.1, HTTP 1.0 does not require the Host: field. The FortiWeb appliance does not block HTTP 1.0 requests because they do not have this field, regardless of whether or not you have selected a protected hosts group.
    Default: No default.

block-port <port_int>
    Enter the number of the physical network interface port that FortiWeb uses to send TCP RST (reset) packets when a request violates the policy. The valid range varies by the number of physical ports on the NIC.
    For example, to send TCP RST from port1, enter:
    set block-port port1
    Available only when the operating mode is Offline Protection.
    Default: No default.

case-sensitive {enable | disable}
    Enable to differentiate uniform resource locators (URLs) according to upper case and lower case letters for features that act upon the URLs in the headers of HTTP requests, such as block list rules and allow list rules.
    For example, when enabled, an HTTP request involving http://www.Example.com/ would not match protection profile features that specify http://www.example.com (the difference is the upper case E in Example).
    Default: No default.

certificate "<certificate_name>"
    Enter the name of the certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections. The maximum length is 63 characters.
    To display the list of existing certificates, enter:
    edit ?
    If sni {enable | disable} on page 154 is enable, FortiWeb uses a Server Name Indication (SNI) configuration instead of or in addition to this server certificate. For details, see sni {enable | disable} on page 154.
    This option is used only if https-service "<service_name>" on page 150 is configured.
    Default: No default.

chunk-encoding {enable | disable}
    Enable to encode the response packets. This option applies only to the packets sent from FortiWeb to the clients.
    After FortiWeb receives a packet from the back-end server, it first decodes the packet (if it is encoded), scans it against the security rules, and then sends the encoded packet (if chunk-encoding is set to enable) to the clients. However, if no web protection profile is selected in the server policy, the chunk-encoding option does not take effect. In this case, FortiWeb forwards whatever it receives from the back-end server to the clients without performing the encoding operation.
    Note that previous releases used chunk-decode-enabled. If you configured chunk-decode-enabled enable previously, then in this release it is automatically switched to chunk-encoding disable, and vice versa.
    Default: disable
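The Python script below is an added example, not FortiWeb code, that applies the allow-hosts and case-sensitive behaviour described above to constructed request heads: a request whose Host: field does not match the protected hosts group is rejected, an HTTP/1.0 request without a Host: field is not rejected, no Host: check at all is made when no group is selected, and a URL rule such as /admin/ matches /Admin/ only while case-sensitive is disabled. The host names, request bytes, the URL rule list, the case-insensitive comparison of host names with a trailing :port stripped, and prefix matching for URL rules are all assumptions made for the example.

```python
def parse_request_head(raw: bytes):
    """Split an HTTP/1.x request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def host_check(version, headers, protected_hosts):
    """allow-hosts: True if the request may proceed.
    No group selected: the Host: field is ignored. Missing Host: is tolerated
    for HTTP/1.0 only, since HTTP/1.0 does not require the field."""
    if not protected_hosts:
        return True
    host = headers.get("host")
    if host is None:
        return version == "HTTP/1.0"
    hostname, sep, port = host.rpartition(":")   # strip a trailing :port (assumed)
    if not sep or not port.isdigit():
        hostname = host
    return hostname.lower() in {h.lower() for h in protected_hosts}


def url_check(target, blocked_urls, case_sensitive):
    """URL block list rule: True if no rule matches the request path."""
    path = target.split("?", 1)[0]
    for rule in blocked_urls:
        if case_sensitive:
            hit = path.startswith(rule)
        else:
            hit = path.lower().startswith(rule.lower())
        if hit:
            return False
    return True


def evaluate(raw, protected_hosts, blocked_urls, case_sensitive=False):
    """Return 'allow', 'block:host' or 'block:url' for one request head."""
    _method, target, version, headers = parse_request_head(raw)
    if not host_check(version, headers, protected_hosts):
        return "block:host"
    if not url_check(target, blocked_urls, case_sensitive):
        return "block:url"
    return "allow"


# Constructed request heads and policy settings for the example.
REQ_OK = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_BAD_HOST = b"GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n"
REQ_NO_HOST_10 = b"GET / HTTP/1.0\r\n\r\n"
REQ_NO_HOST_11 = b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n"
REQ_ADMIN = b"GET /Admin/login?x=1 HTTP/1.1\r\nHost: WWW.EXAMPLE.COM:443\r\n\r\n"
HOSTS = ["www.example.com"]
RULES = ["/admin/"]

if __name__ == "__main__":
    for name, req in [("ok", REQ_OK), ("bad host", REQ_BAD_HOST),
                      ("no host 1.0", REQ_NO_HOST_10), ("no host 1.1", REQ_NO_HOST_11),
                      ("admin", REQ_ADMIN)]:
        print(name, evaluate(req, HOSTS, RULES), evaluate(req, HOSTS, RULES, case_sensitive=True))
```

The last request shows the trade-off the case-sensitive option implies: with it disabled, /Admin/login is caught by the /admin/ rule; with it enabled, the rule must be written to match the exact case the back-end serves, or the request passes.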

client-certificate-forwarding {enable | disable}
    Enable to include the X.509 personal certificate presented by the client during the SSL/TLS handshake, if any, in an X-Client-Cert: HTTP header when forwarding the traffic to the protected web server.
    FortiWeb still validates the client certificate itself, but this can be useful if the web server requires the client certificate for the purpose of server-side identity-based functionality.
    Default: disable

client-certificate-forwarding-cert-header "<header_str>"
    Enter a custom certificate header that will include the Base64 certificate of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server.
    Default: x-client-cert

client-certificate-forwarding-sub-header "<header_str>"
    Enter a custom subject header that will include the subject of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server.
    Default: x-client-dn

client-real-ip {enable | disable}
    Enter enable to configure FortiWeb to use the source IP address of the client that originated the request when it connects to a back-end server on behalf of that client.
    By default, when the operation mode is Reverse Proxy, the source IP for connections between FortiWeb and back-end servers is the address of a FortiWeb network interface.
    Note: To ensure FortiWeb receives the server's response, configure FortiWeb as the server's gateway.
    Available only if the operating mode is Reverse Proxy.
    Default: disable

client-real-ip-random-port {enable | disable}
    Enable to use a random port for the client real IP.
    It is recommended to enable the random port if all of the following are set; otherwise traffic may be disrupted:
    - deployment-mode is http-content-routing, and
    - prefer-current-session is disabled, and
    - client-real-ip is enabled, and
    - real-ip-addr is not specified.
    Default: disable

real-ip-addr <real-ip-addr_str>
    Specify an IP address or address range to directly connect to the back-end server.
    Default: No default.

client-timeout <seconds_int>
    Enter the amount of time (in seconds) that FortiWeb keeps open a connection with an idle client that is not sending data. The valid range is 1–1200. A value of 0 means that there is no timeout.
    Default: 0

comment "<comment_str>"
    Enter a description or other comment. If the comment is more than one word or contains special characters, surround the comment with double quotes ( " ). The maximum length is 999 characters.
    Default: No default.

data-capture-port <port_int>
    Enter the network interface of incoming traffic that the policy attempts to apply a profile to. The IP address is ignored.
    Available only if the operating mode is offline inspection.

deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers}
    Specify the distribution method that FortiWeb uses when it forwards connections accepted by this policy.
    - server-pool: Forwards connections to a server pool. Depending on the pool configuration, FortiWeb either forwards connections to a single physical server or domain server or distributes the connection among the pool members. Also configure server-pool "<server-pool_name>" on page 153. This option is available only if the operating mode is Reverse Proxy mode.
    - http-content-routing: Use HTTP content routing to route HTTP requests to a specific server pool. This option is available only if the FortiWeb appliance is operating in Reverse Proxy mode.
    - offline-protection: Allows connections to pass through the FortiWeb appliance and applies an Offline Protection profile. Also configure server-pool "<server-pool_name>" on page 153. This is the only option available if the operating mode is Offline Protection.
    - transparent-servers: Allows connections to pass through the FortiWeb appliance and applies a protection profile. Also configure server-pool "<server-pool_name>" on page 153. This is the only option available when the operating mode is either True Transparent Proxy or Transparent Inspection.
    - wccp-servers: FortiWeb is a Web Cache Communication Protocol (WCCP) client that receives traffic from a FortiGate configured as a WCCP server. Also configure server-pool "<server-pool_name>" on page 153. This is the only option available when the operation mode is WCCP.
    Default: No default.
ftp-protection-profile <profile_name> Enter the FTP security profile to apply to No default.


connections that this policy monitors. If you
haven't created a profile yet, see waf ftp-
protection-profile or instructions about
creating one.

half-open-threshold <packets_int> Enter the maximum number of TCP SYN 8192


packets, including retransmission, that
FortiWeb allows to be sent per second to a
destination address. If this threshold is
exceeded, the FortiWeb appliance treats
the traffic as a DoS attack and ignores
additional traffic from that source address.
The valid range is 10–10,000.
Available only when the operating mode is
Reverse Proxy or True Transparent Proxy
and syncookie {enable | disable} on page
160 is enabled.

FortiWeb CLI Reference Fortinet Technologies Inc.


config 148

Variable Description Default

hpkp-header "<hpkp_name>"
    Select an HPKP profile, if any, to use to verify certificates when clients attempt to access a server.
    HPKP prevents attackers from carrying out Man in the Middle (MITM) attacks with forged certificates.
    Available only when the operating mode is Reverse Proxy.
    Default: No default.

hsts-header {enable | disable}
    Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply, such as:
    Strict-Transport-Security: max-age=31536000; includeSubDomains;Preload
    This header forces the client to use HTTPS for subsequent visits to this domain. If the certificate does not validate, it also causes a fatal connection error: the client's web browser does not display any dialog that allows the user to override the certificate mismatch error and continue.
    Available only if https-service "<service_name>" on page 150 is configured.
    Default: disable

hsts-max-age <timeout_int>
    Enter the time to live in seconds for the HSTS header.
    Available only if hsts-header {enable | disable} on page 148 is enabled.
    The valid range is 3,600–31,536,000.
    Default: 7776000
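To confirm that the injected header actually reaches clients with a sane lifetime, the following added example (written for this reference, not FortiWeb or Fortinet code) parses a Strict-Transport-Security header out of a captured response head and checks max-age against the hsts-max-age range given above. The sample responses are constructed; the RFC 6797 rule that directive names are case-insensitive is why the "Preload" spelling from the sample header above still counts.

```python
"""Check a Strict-Transport-Security header the way a reviewer would.

Added example, not FortiWeb code. Parses the header value FortiWeb injects
(e.g. "max-age=31536000; includeSubDomains;Preload") and reports whether
max-age lies in the hsts-max-age range documented above (3,600-31,536,000)
and whether the subdomain and preload directives are present.
"""
from typing import Dict, List, Optional

HSTS_MIN = 3_600        # lower bound of hsts-max-age
HSTS_MAX = 31_536_000   # upper bound of hsts-max-age (one year)


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS value into {directive_lowercase: value_or_None}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip() or None
    return directives


def check_hsts(value: str) -> List[str]:
    """Return a list of findings; an empty list means the header is sound."""
    findings: List[str] = []
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not an integer")
    else:
        age = int(max_age)
        if age < HSTS_MIN:
            findings.append(f"max-age {age} below minimum {HSTS_MIN}")
        elif age > HSTS_MAX:
            findings.append(f"max-age {age} above maximum {HSTS_MAX}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains stay unprotected")
    if "preload" not in d:
        findings.append("preload absent: not eligible for browser preload lists")
    return findings


def check_response_headers(raw_headers: str) -> List[str]:
    """Locate the HSTS header in a raw HTTP response head and check it."""
    for line in raw_headers.splitlines():
        name, _, val = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            return check_hsts(val)
    return ["Strict-Transport-Security header missing"]


# Constructed samples; the first matches the header the reference shows FortiWeb injecting.
SAMPLE_GOOD = ("HTTP/1.1 200 OK\r\n"
               "Strict-Transport-Security: max-age=31536000; includeSubDomains;Preload\r\n")
SAMPLE_SHORT = ("HTTP/1.1 200 OK\r\n"
                "Strict-Transport-Security: max-age=600\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_SHORT):
        print(check_response_headers(sample) or ["OK"])
```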

http2 {enable | disable}
    FortiWeb's HTTP/2 security inspection is supported only in Reverse Proxy mode and True Transparent Proxy mode. This option enables FortiWeb operating in Reverse Proxy mode (see opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp} on page 338) to negotiate HTTP/2 with clients via SSL ALPN (Application-Layer Protocol Negotiation) during the SSL handshake if the client's browser supports the HTTP/2 protocol. With HTTP/2 enabled, FortiWeb can recognize HTTP/2 traffic and apply the security services to it. To enable HTTP/2 communication between FortiWeb and back-end web servers for HTTP/2 inspection in Reverse Proxy mode, see http2 {enable | disable} on page 179.
    Available only when opmode is set to reverse-proxy, deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} on page 146 is set to server-pool, and https-service "<service_name>" on page 150 is set correctly. FortiWeb supports HTTP/2 only for HTTPS connections, and HTTP Content Routing is not supported for HTTP/2.
    When opmode is set to transparent and deployment-mode is set to transparent-servers, this option is not available. In True Transparent Proxy mode, only http2 {enable | disable} on page 179 is required to enable HTTP/2 security inspection; this option is not required. For more details about HTTP/2 support, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides
    Default: disable

http-header-timeout <seconds_int>
    Enter the amount of time (in seconds) that FortiWeb waits for the whole HTTP request header after a client sets up a TCP connection. The valid range is 0–1200. A value of 0 means that there is no timeout.
    Default: 0

http-pipeline {enable | disable}
    Specify whether FortiWeb accelerates transactions by bundling them inside the same TCP connection, instead of waiting for a response before sending/receiving the next request. This can increase performance when pages containing many images, scripts, and other auxiliary files are all hosted on the same domain, and therefore logically could use the same connection.
    When FortiWeb is operating in Reverse Proxy or True Transparent Proxy mode, it can automatically use HTTP pipelining for requests with the following characteristics:
    - HTTP version is 1.1
    - The Connection general-header field does not include the "close" option (for example, Connection: close)
    - The HTTP method is GET or HEAD
    Default: enable

http-to-https {enable | disable}
    Specify enable to automatically redirect all HTTP requests to the HTTPS service with the same URL and parameters.
    Also configure https-service and ensure the service uses port 443 (the default).
    Available only when the operating mode is Reverse Proxy.
    Default: disable

redirect-naked-domain {enable | disable}
    Enable to redirect naked domain requests to "www" domain requests.
    This option is available only in Reverse Proxy mode.
    Default: disable

https-service "<service_name>"
    Enter the custom or predefined service that defines the port number on which the virtual server receives HTTPS traffic. The maximum length is 63 characters.
    To display the list of existing services, enter:
    edit ?
    Available only when the operating mode is Reverse Proxy. For other operating modes, use the server pool configuration to enable SSL inspection instead.
    Default: No default.

proxy-protocol {enable | disable}
    Enable this option when proxy servers or load balancers are installed in front of FortiWeb, for example, when a load balancer with Proxy Protocol enabled is deployed before FortiWeb-VM on AWS. When Proxy Protocol is enabled, FortiWeb can receive the client connection information carried in the Proxy Protocol header passed through proxy servers and load balancers.
    Default: disable

use-proxy-protocol-addr {enable | disable}
    Enable to use the source address from the Proxy Protocol header in the server policy. If disabled, the source address of the connection is used.
    Default: enable

replacemsg <replacemsg_name>
    Select the replacement message to apply to the policy.
    Default: No default.

intermediate-certificate-group "<CA-group_name>"
    Enter the name of an intermediate certificate authority (CA) group, if any, that FortiWeb uses to validate the CA signing chain in a client's certificate. The maximum length is 63 characters.
    To display the list of existing groups, enter:
    edit ?
    Available only if https-service "<service_name>" on page 150 is configured.
    Default: No default.

internal-cookie-httponly {enable | disable}
    Enable to assign an HttpOnly flag to internal cookies. This feature is independent of the Cookie Security policy, if any, that you have in use.
    Default: enable

internal-cookie-secure {enable | disable}
    Enable to assign a Secure flag to internal cookies. This flag can only be assigned if the connection is over SSL. This feature is independent of the Cookie Security policy, if any, that you have in use.
    Default: disable

internal-cookie-samesite {enable | disable}
    Enable to assign a SameSite flag to internal cookies. This feature is independent of the Cookie Security policy, if any, that you have in use.
    If enabled, it applies to User Tracking, Anomaly Detection, Site Publish, and Client Management.
    Default: disable

internal-cookie-samesite-value {strict | lax | none}
    - strict: requests from third parties never carry such cookies.
    - lax: requests from third parties do not carry such cookies, except for GET requests that navigate to the destination URL.
    - none: set the value to none if the cookie must be sent cross-origin.
    Default: lax
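The three internal-cookie settings above decide which attributes FortiWeb's own cookies carry. The following added example (written for this reference, not FortiWeb or Fortinet code) audits the Set-Cookie lines of a captured response against a policy object that mirrors those settings, so a reviewer can confirm the attributes are really present. The CookiePolicy class, the sample response and the cookie names are constructed for the example; the rule that browsers reject SameSite=None without Secure is general browser behaviour, not something the reference states.

```python
"""Audit Set-Cookie headers for the HttpOnly, Secure and SameSite attributes.

Added example, not FortiWeb code. CookiePolicy mirrors the
internal-cookie-httponly, internal-cookie-secure, internal-cookie-samesite
and internal-cookie-samesite-value settings so a captured response can be
compared with the configured policy.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CookiePolicy:
    httponly: bool = True           # internal-cookie-httponly default: enable
    secure: bool = False            # internal-cookie-secure default: disable
    samesite: bool = False          # internal-cookie-samesite default: disable
    samesite_value: str = "lax"     # internal-cookie-samesite-value default: lax


def parse_set_cookie(header_value: str) -> Dict[str, str]:
    """Return {"name": ..., "value": ..., <attribute lower-cased>: <attribute value>}."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    out: Dict[str, str] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        k, _, v = attr.partition("=")
        out[k.strip().lower()] = v.strip()
    return out


def audit_cookie(header_value: str, policy: CookiePolicy, over_tls: bool) -> List[str]:
    """Compare one Set-Cookie header with the policy; return a list of findings."""
    c = parse_set_cookie(header_value)
    findings: List[str] = []
    if policy.httponly and "httponly" not in c:
        findings.append(f"{c['name']}: HttpOnly missing (readable from script)")
    # Per the reference the Secure flag is only assigned over SSL, so only check there.
    if policy.secure and over_tls and "secure" not in c:
        findings.append(f"{c['name']}: Secure missing on an HTTPS response")
    if policy.samesite:
        got = c.get("samesite", "").lower()
        if got != policy.samesite_value:
            findings.append(f"{c['name']}: SameSite={got or 'absent'}, expected {policy.samesite_value}")
    # General browser rule (not from the reference): SameSite=None requires Secure.
    if c.get("samesite", "").lower() == "none" and "secure" not in c:
        findings.append(f"{c['name']}: SameSite=None without Secure is rejected by browsers")
    return findings


def audit_response(raw_headers: str, policy: CookiePolicy, over_tls: bool = True) -> List[str]:
    """Run audit_cookie over every Set-Cookie line of a raw response head."""
    findings: List[str] = []
    for line in raw_headers.splitlines():
        name, _, val = line.partition(":")
        if name.strip().lower() == "set-cookie":
            findings.extend(audit_cookie(val, policy, over_tls))
    return findings


# Constructed sample response with three cookies of varying hygiene.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Set-Cookie: track=1; Path=/\r\n"
    "Set-Cookie: xsite=2; SameSite=None\r\n"
)

# A policy with all three flags enabled, i.e. the hardened end of the settings above.
STRICT_POLICY = CookiePolicy(httponly=True, secure=True, samesite=True, samesite_value="lax")

if __name__ == "__main__":
    for finding in audit_response(SAMPLE, STRICT_POLICY):
        print(finding)
```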

monitor-mode {enable | disable}
    Enable to override the deny and redirect actions defined in the server protection rules for the selected policy. This setting enables FortiWeb to log attacks without performing the deny or redirect action.
    Disable to allow FortiWeb to perform attack deny/redirect actions as defined by the server protection rules.
    Default: disable

noparse {enable | disable}
    Enable this option to apply the server policy as a pure proxy, without parsing the content. In this case, the policy allows all traffic to pass through the FortiWeb appliance without applying any protection rules. See also "debug application http" on page 1 and debug flow trace on page 694.
    This option applies to the server policy only when the FortiWeb appliance operates in Reverse Proxy or True Transparent Proxy mode.
    Caution: Use this only during debugging and for as brief a period as possible. This feature disables many protection features. See also http-parse-error-output {enable | disable} on page 62.
    Default: disable

prefer-current-session {enable | disable}
    Enable to forward subsequent requests from an identified client connection to the same server pool as the initial connection from the client.
    This option allows FortiWeb to improve its performance by skipping the process of matching HTTP header content to content routing policies for connections it has already evaluated and routed.
    Available only when deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} on page 146 is http-content-routing.
    Default: disable

protocol {HTTP | FTP | ADFSPIP}
    Select one of the following:
    - HTTP: Specifies that the server policy governs HTTP traffic. Specific options for configuring an HTTP server policy become available.
    - FTP: Specifies that the server policy governs FTP traffic. Specific options for configuring an FTP server policy become available.
    - ADFSPIP: Specifies that the server policy governs AD FS traffic. Specific options for configuring an AD FS server policy become available.
    Default: HTTP

server-pool "<server-pool_name>"
    Enter the name of the server pool whose members receive the connections.
    To display the list of existing server pools, enter:
    edit ?
    This field is applicable only if deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} on page 146 is server-pool, offline-protection or transparent-servers.
    Caution: Multiple virtual servers/policies can forward traffic to the same server pool. If you do this, consider the total maximum load of connections that all virtual servers forward to your server pool. This configuration can multiply the traffic forwarded to your server pool, which can overload it and cause dropped connections.
    Default: No default.

service "<service_name>"
    Enter the custom or predefined service that defines the port number on which the virtual server receives HTTP traffic. The maximum length is 63 characters.
    To display the list of existing services, enter:
    edit ?
    Available only when the operating mode is Reverse Proxy.
    Default: No default.

sessioncookie-enforce {enable | disable}
    - enable: When FortiWeb maintains session persistence using cookies, it inserts a cookie in subsequent transactions in a session if the transaction does not contain a control cookie. This option is useful if your environment uses TCP multiplexing, which combines HTTP requests from multiple clients in a single session for load balancing or other purposes.
    - disable: When FortiWeb maintains session persistence using cookies, it tracks or inserts the cookie for the first transaction of a session only. It does not track or insert a cookie in subsequent transactions in the session, even if the transaction does not contain a control cookie.
    For details about configuring session persistence, see server-policy persistence-policy on page 136.
    Default: disable

sni {enable | disable}
    Enable to use a Server Name Indication (SNI) configuration instead of, or in addition to, the server certificate specified by certificate <certificate_name>.
    The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. For details, see system certificate sni on page 243.
    If you specify both an SNI configuration and a certificate, FortiWeb uses the certificate specified by certificate "<certificate_name>" on page 144 when the requested domain does not match a value in the SNI configuration.
    If you enable sni-strict {enable | disable} on page 155, FortiWeb always ignores the value of certificate "<certificate_name>" on page 144.
    Available only if https-service "<service_name>" on page 150 is configured.
    Default: disable

sni-certificate "<sni_name>"
    Enter the name of the Server Name Indication (SNI) configuration that specifies which certificate FortiWeb uses when encrypting or decrypting SSL-secured connections for a specified domain.
    The SNI configuration enables FortiWeb to present different certificates on behalf of the members of a pool according to the requested domain.
    If only one certificate is required to encrypt and decrypt the traffic that this policy applies to, specify certificate "<certificate_name>" on page 144 instead.
    Available only if https-service "<service_name>" on page 150 is configured.
    Default: No default.

sni-strict {enable | disable}
    Select to configure FortiWeb to ignore the value of certificate "<certificate_name>" on page 144 when it determines which certificate to present on behalf of server pool members, even if the domain in a client request does not match a value in the specified SNI configuration.
    Default: disable

certificate-type {enable | disable}
    Enable to allow FortiWeb to automatically retrieve certificates from the Let's Encrypt CA.
    Default: disable

lets-certificate <name>
    Select the Let's Encrypt certificate you have created. See system certificate letsencrypt.
    Default: No default.

ssl {enable | disable}
    Enable so that connections between clients and FortiWeb use SSL/TLS. Enabling ssl allows you to configure additional SSL options and settings, including specifying supported SSL protocols and uploading certificates.
    Default: disable

ssl-cipher {medium | high | custom}
    Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or custom configuration.
    If custom, also specify ssl-custom-cipher.
    custom cannot be selected if http2 is set to enable.
    For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides
    Available only if https-service "<service_name>" on page 150 is configured.
    Default: medium

ssl-client-verify "<verifier_name>"
    Enter the name of a certificate verifier, if any, to use when an HTTP client presents their personal certificate. If you do not select one, the client is not required to present a personal certificate.
    If the client presents an invalid certificate, the FortiWeb appliance does not allow the connection.
    To be valid, a client certificate must:
    - Not be expired
    - Not be revoked by the certificate revocation list (CRL) (see system certificate verify on page 248)
    - Be signed by a certificate authority (CA) whose certificate you have imported into the FortiWeb appliance; if the certificate has been signed by a chain of intermediate CAs, those certificates must be included in an intermediate CA group (see intermediate-certificate-group "<CA-group_name>" on page 151)
    - Contain a CA field whose value matches the CA certificate
    - Contain an Issuer field whose value matches the Subject field in the CA certificate
    Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website.
    You can require that clients present a certificate alternatively or in addition to HTTP authentication. For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides
    The maximum length is 63 characters.
    To display the list of existing verifiers, type:
    edit ?
    This option is used only if https-service "<service_name>" on page 150 is configured.
    The client must support TLS 1.0, TLS 1.1, or TLS 1.2.
    Default: No default.

ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}
    Specify one or more cipher suites that FortiWeb allows. Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list.
    Valid values are:
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-GCM-SHA384
    DHE-DSS-AES256-GCM-SHA384
    DHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-CHACHA20-POLY1305
    ECDHE-RSA-CHACHA20-POLY1305
    DHE-RSA-CHACHA20-POLY1305
    ECDHE-ECDSA-AES256-CCM8
    ECDHE-ECDSA-AES256-CCM
    DHE-RSA-AES256-CCM8
    DHE-RSA-AES256-CCM
    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    DHE-DSS-AES128-GCM-SHA256
    DHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES128-CCM8
    ECDHE-ECDSA-AES128-CCM
    DHE-RSA-AES128-CCM8
    DHE-RSA-AES128-CCM
    ECDHE-ECDSA-AES256-SHA384
    ECDHE-RSA-AES256-SHA384
    DHE-RSA-AES256-SHA256
    DHE-DSS-AES256-SHA256
    ECDHE-ECDSA-CAMELLIA256-SHA384
    ECDHE-RSA-CAMELLIA256-SHA384
    DHE-RSA-CAMELLIA256-SHA256
    DHE-DSS-CAMELLIA256-SHA256
    ECDHE-ECDSA-AES128-SHA256
    ECDHE-RSA-AES128-SHA256
    DHE-RSA-AES128-SHA256
    DHE-DSS-AES128-SHA256
    ECDHE-ECDSA-CAMELLIA128-SHA256
    ECDHE-RSA-CAMELLIA128-SHA256
    DHE-RSA-CAMELLIA128-SHA256
    DHE-DSS-CAMELLIA128-SHA256
    ECDHE-ECDSA-AES256-SHA
    ECDHE-RSA-AES256-SHA
    DHE-RSA-AES256-SHA
    DHE-DSS-AES256-SHA
    DHE-RSA-CAMELLIA256-SHA
    DHE-DSS-CAMELLIA256-SHA
    ECDHE-ECDSA-AES128-SHA
    ECDHE-RSA-AES128-SHA
    DHE-RSA-AES128-SHA
    DHE-DSS-AES128-SHA
    DHE-RSA-CAMELLIA128-SHA
    DHE-DSS-CAMELLIA128-SHA
    AES256-GCM-SHA384
    AES256-CCM8
    AES256-CCM
    AES128-GCM-SHA256
    AES128-CCM8
    AES128-CCM
    AES256-SHA256
    CAMELLIA256-SHA256
    AES128-SHA256
    CAMELLIA128-SHA256
    AES256-SHA
    CAMELLIA256-SHA
    AES128-SHA
    CAMELLIA128-SHA
    DHE-RSA-SEED-SHA
    ECDHE_RSA_DES_CBC3_SHA
    DES_CBC3_SHA
    Default: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256

tls13-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}
    Specify one or more TLS 1.3 cipher suites that FortiWeb allows. Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list.
    Valid values are:
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256
    TLS_AES_128_GCM_SHA256
    TLS_AES_128_CCM_SHA256
    TLS_AES_128_CCM_8_SHA256
    Default: TLS_AES_256_GCM_SHA384

rfc7919-comply {enable | disable}
    Enable to apply cipher suites that comply with RFC 7919.
    Default: disable

supported-groups {X25519 | prime256v1 | secp384r1 | secp521r1 | brainpoolP256r1 | brainpoolP384r1 | brainpoolP512r1 | ffdhe2048 | ffdhe3072 | ffdhe4096 | ffdhe6144 | ffdhe8192}
    Select the RFC 7919 groups to be supported. The supported groups are the elliptic curve parameters, while the SSL/TLS negotiation could choose different elliptic curve algorithms, so make sure to choose the corresponding ciphers in ssl-custom-cipher.
    - At least one FFDHE group should be selected.
    - At least one DHE cipher should be added.
    Due to a design limitation, you need to select custom in ssl-cipher {medium | high | custom} and make sure to include at least one DHE cipher in the selected list. Using high or medium together with RFC 7919 leads to an unexpected error. This will be fixed in a future release.
    The system returns an error if either of the above two conditions is not met.
    Note that RFC 7919 does not apply to TLS 1.3, so if you have enabled only tls-v13, RFC 7919 will not take effect even if it is enabled. To apply both TLS 1.3 and RFC 7919, it is recommended to enable a non-TLS 1.3 protocol, then select at least one DHE cipher.
    Default: No default

ssl-noreg {enable | disable}
    Specify whether FortiWeb ignores requests from clients to renegotiate TLS or SSL. Protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server.
    Available only if https-service "<service_name>" on page 150 is configured.
    Default: enable

ssl-session-timeout <ssl-session-timeout_int>
    When FortiWeb is configured as an SSL server, you can set SSL session timeout intervals via the CLI. This is available only in Reverse Proxy and True Transparent Proxy modes.
    Default: No default.

status {enable | disable}
    Enable to allow the policy to be used when evaluating traffic for a matching policy.
    Note: You can use SNMP traps to notify you of changes to the policy's status. For details, see system snmp community on page 339.
    Default: No default.

syncookie {enable | disable}
    Enable to detect TCP SYN flood attacks. For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides
    Available only when the operating mode is Reverse Proxy or True Transparent Proxy.
    Default: disable

tcp-recv-timeout <seconds_int>
    Enter the amount of time (in seconds) that FortiWeb waits for a client to send a request after the client sets up a TCP connection. The valid range is 0–300. A value of 0 means that there is no timeout.
    Default: 0

tls-v10 {enable | disable}
    Specifies whether clients can connect securely to FortiWeb using the TLS 1.0 cryptographic protocol.
    This must be set to disable if http2 {enable | disable} on page 149 is set to enable.
    Available only if https-service "<service_name>" on page 150 is configured.
    Default: enable

tls-v11 {enable | disable}
    Specifies whether clients can connect securely to FortiWeb using the TLS 1.1 cryptographic protocol.
    This must be set to disable if http2 {enable | disable} on page 149 is set to enable.
    Available only if https-service "<service_name>" on page 150 is configured.
    Default: enable

tls-v12 {enable | disable}
    Specifies whether clients can connect securely to FortiWeb using the TLS 1.2 cryptographic protocol.
    Available only if https-service "<service_name>" on page 150 is configured.
    Default: enable

tls-v13 {enable | disable}
    Specifies whether clients can connect securely to FortiWeb using the TLS 1.3 cryptographic protocol.
    Available only if https-service "<service_name>" on page 150 is configured.
    Default: enable

urlcert {enable | disable}
    Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate.
    Available only if https-service "<service_name>" on page 150 is configured.
    Default: disable

urlcert-group "<urlcert-group_name>"
    Enter the URL-based client certificate group that determines whether a client is required to present a personal certificate.
    If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate.
    For details about creating a group, see system certificate urlcert on page 247.
    Default: No default.

urlcert-hlen <len_int>
    Specify the maximum allowed length, in kilobytes, for an HTTP request with a URL that matches an entry in the URL-based client certificate group.
    FortiWeb blocks any matching requests that exceed the specified size.
    This setting prevents a request from exceeding the maximum buffer size.
    The valid range is 16–10240.
    Default: No default.

vserver "<vserver_name>"
    Enter the name of a virtual server that provides the IP address and network interface of incoming traffic that FortiWeb routes and to which the policy applies a protection profile. The maximum length is 63 characters.
    To display the list of existing virtual servers, enter:
    edit ?
    Available only if the operating mode is Reverse Proxy.
    Default: No default.

v-zone "<bridge_name>"
    Enter the name of the bridge that specifies the network interface of the incoming traffic to which the policy applies a protection profile. The maximum length is 15 characters.
    To display the list of existing bridges, enter:
    edit ?
    Available only if the operating mode is True Transparent Proxy or Transparent Inspection.
    Default: No default.

Note: If the connection fails when you have selected a certificate verifier, verify that the certificate meets the web browser's requirements. Web browsers may have their own certificate validation requirements in addition to FortiWeb requirements. For example, personal certificates for client authentication may be required to either:
- Not be restricted in usage/purpose by the CA, or
- Contain a Key Usage field that contains Digital Signature, or have an ExtendedKeyUsage or EnhancedKeyUsage field whose value contains Client Authentication
If the certificate does not satisfy browser requirements, although it may be installed in the browser, when the FortiWeb appliance requests the client's certificate, the browser may not display a certificate selection dialog to the user, or the dialog may not contain that certificate. In that case, verification fails. For browser requirements, see your web browser's documentation.

<entry_index>
    Enter the index number of the individual entry in the table.
    Default: No default.

content-routing-policy-name "<content-routing_name>"
    Enter the name of an HTTP content routing policy that this server policy uses.
    To display the list of existing HTTP content routing policies, enter:
    edit ?
    Default: No default.

is-default {yes | no}
    Enter yes to specify that FortiWeb applies the protection profile to any traffic that does not match conditions specified in the HTTP content routing policies.
    Default: No default.

profile-inherit {enable | disable}
    Enter enable to specify that FortiWeb applies the web protection profile for the server policy to connections that match the routing policy.
    Default: disable

implicit_ssl {enable | disable}
    Enable so that FortiWeb communicates with the pool member using implicit SSL.
    Default: No default.

ssl-quiet-shutdown {enable | disable}
    For HTTPS connections, when disabled, FortiWeb sends an SSL alert message to the client or server pool first, and then a FIN. When enabled, FortiWeb sends the FIN directly instead of sending the SSL alert message.
    Default: disable

traffic-mirror {enable | disable}
    Enable to send traffic to third-party IPS/IDS devices through network interfaces for traffic monitoring.
    Available only when protocol {HTTP | FTP | ADFSPIP} on page 153 is HTTP.
    Default: disable

traffic-mirror-profile <traffic-mirror-profile_str>
    Select the mirror policy you have created.
    Default: No default.

traffic-mirror-type {client-side | server-side | both-side}
    Select the traffic mirror type.
    For True Transparent Proxy mode, only the Client Side type is available, which only allows traffic from the client side to be sent to IPS/IDS devices.
    For Reverse Proxy mode, you can select Client Side, Server Side, or Client and Server.
    Default: No default.

multi-certificate {enable | disable}
    Enable to allow FortiWeb to use multiple local certificates.
    Default: disable

adfs-certificate-service <adfs-certificate-service_str>
    Configure this option if the AD FS server requires a client certificate for authentication. Select the predefined service TLSCLIENTPORT if FortiWeb uses service port 49443 to listen for certificate authentication requests.
    Default: No default.

adfs-certificate-ssl-client-verify <adfs-certificate-ssl-client-verify_str>
    Select the certificate validation rule you have created.
    Default: No default.

certificate-group <certificate-group_str>
    Select the multi-certificate file you have created.
    Default: No default.

acceleration-policy <acceleration-policy_str>
    Select the acceleration policy you have created.
    Default: No default.

web-cache {enable | disable}
    Enable to create a web cache policy that allows FortiWeb to cache responses from your servers.
    Default: disable

real-ip-addr <real-ip-addr_str>
    Specify an IP address or address range to directly connect to the back-end server.
    Default: No default.

retry-on {enable | disable}
    Enable to configure whether to retry a failed TCP connection or HTTP request in Reverse Proxy mode.
    A TCP connection failure retry can help when a pserver becomes unreachable unexpectedly: FortiWeb reconnects to the single server, or switches to another server when more than one pserver is available in the server pool.
    An HTTP layer retry can help when a pserver can be connected to but returns certain failure response codes, such as 404, 408, 500, 501, 502, 503, and 504. FortiWeb reconnects to the single server, or switches to another server when more than one pserver is available in the server pool.
    Default: disable

retry-on-cache-size <retry-on-cache-size_int>
    Enter a cache size limit for the HTTP request packet.
    HTTP failure retry takes effect only when the request packet size is smaller than this defined size.
    TCP connection failure retry takes effect only when the HTTP request packet size in the TCP connection is smaller than this defined size.
    Default: 512

retry-on-connect-failure {enable | disable}
    Enable to configure the retry times in case of any TCP connection failure.
    Default: disable

retry-times-on-connect-failure <retry-times-on-connect-failure_int>
    Enter the number of times FortiWeb reconnects to the single server or switches to another pserver. The valid range is 1–5.
    Default: 3

retry-on-http-layer {enable | disable}
    Enable to configure the retry times and failure response codes in case of any HTTP connection failure.
    Only the GET and HEAD methods are supported at present.
    Default: enable

retry-times-on-http-layer <retry-times-on-http-layer_int>
    Enter the number of times FortiWeb reconnects to the single server or switches to another pserver. The valid range is 1–5.
    Default: 3

retry-on-http-response-codes {404 | 408 | 500 | 501 | 502 | 503 | 504}
    Select the failure return codes that, when a pserver can be connected to, trigger HTTP failure retry.
    Default: All values
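The retry settings above interact: retry-on gates everything, retry-on-cache-size limits both kinds of retry by request size, and the HTTP-layer retry additionally depends on the method and on the selected response codes. The following added example (written for this reference, not FortiWeb or Fortinet code) encodes those documented conditions in one decision function so the outcome for a concrete request can be checked before a policy is changed; the RetryPolicy class, the retries_allowed function and the sample inputs are this example's own constructions.

```python
"""Decide whether a failed upstream exchange qualifies for a retry.

Added example, not FortiWeb code. RetryPolicy mirrors the retry-on,
retry-on-cache-size, retry-on-connect-failure, retry-times-on-connect-failure,
retry-on-http-layer, retry-times-on-http-layer and
retry-on-http-response-codes settings documented above.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# retry-on-http-response-codes: the complete selectable set (default "All values").
DEFAULT_CODES: FrozenSet[int] = frozenset({404, 408, 500, 501, 502, 503, 504})


@dataclass(frozen=True)
class RetryPolicy:
    retry_on: bool = False                  # retry-on default: disable
    cache_size: int = 512                   # retry-on-cache-size default (request size limit)
    on_connect_failure: bool = False        # retry-on-connect-failure default: disable
    times_on_connect_failure: int = 3       # retry-times-on-connect-failure, range 1-5
    on_http_layer: bool = True              # retry-on-http-layer default: enable
    times_on_http_layer: int = 3            # retry-times-on-http-layer, range 1-5
    response_codes: FrozenSet[int] = DEFAULT_CODES


def validate_policy(p: RetryPolicy) -> None:
    """Enforce the documented ranges before the policy is used."""
    for name, times in (("retry-times-on-connect-failure", p.times_on_connect_failure),
                        ("retry-times-on-http-layer", p.times_on_http_layer)):
        if not 1 <= times <= 5:
            raise ValueError(f"{name} must be 1-5, got {times}")
    if not p.response_codes <= DEFAULT_CODES:
        raise ValueError("retry-on-http-response-codes accepts only 404 408 500 501 502 503 504")


def retries_allowed(p: RetryPolicy, method: str, request_size: int,
                    connect_failed: bool, status: Optional[int]) -> int:
    """Return how many retries the policy permits for this exchange (0 = none).

    request_size is the HTTP request size in bytes; status is the upstream
    response code, or None when no response was received.
    """
    validate_policy(p)
    # retry-on gates everything; both retry kinds need the request below retry-on-cache-size.
    if not p.retry_on or request_size >= p.cache_size:
        return 0
    if connect_failed:
        return p.times_on_connect_failure if p.on_connect_failure else 0
    # HTTP-layer retry: GET/HEAD only, and only for the selected failure codes.
    if status is None or method not in ("GET", "HEAD"):
        return 0
    if p.on_http_layer and status in p.response_codes:
        return p.times_on_http_layer
    return 0


if __name__ == "__main__":
    policy = RetryPolicy(retry_on=True, on_connect_failure=True)
    # Constructed exchanges: a connect failure, a 503 on GET, a 503 on POST, an oversized request.
    for args in (("GET", 300, True, None), ("GET", 300, False, 503),
                 ("POST", 300, False, 503), ("GET", 900, False, 503)):
        print(args, "->", retries_allowed(policy, *args))
```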

replacemsg-on-connect-failure {disable | enable}
    If this option is enabled, when the health check is disabled and the back-end server is not responsive, FortiWeb sends the 503 error code to the client.
    When enabled, you should also configure tcp-conn-timeout to specify the timeout value.
    Default: disable

tcp-conn-timeout <integer>
    When the health check is disabled and the back-end server is not responsive, FortiWeb waits for the specified time before it sends the 503 error code. It is recommended to set a value smaller than 20 (seconds). This avoids too many retries accumulating during the waiting time, which may cause the connection to be closed before FortiWeb has the chance to send the error code.
    This option is at the server policy level. You can also set tcp-usertimeout under system network-option, which affects all server policies on the FortiWeb appliance. If the timeout is configured both at the policy and the appliance level, FortiWeb takes whichever value is smaller.
    Sometimes, when there is a third device, such as a gateway, deployed between FortiWeb and the back-end server, FortiWeb gets the status code directly from the third device instead of waiting for the timeout period.
    The valid range for this option is 0–600 (seconds). 0 means FortiWeb sends the 503 error code as soon as it detects that the back-end server is not responsive.
    Default: 120

tlog {enable | disable}
    Enable to log traffic events such as HTTP requests and responses, and the expiration of HTTP sessions.
    To avoid unnecessary resource consumption, the system does not generate traffic logs for all server policies unless specified. After enabling this option, you also need to enable the traffic log setting in Log&Report.
    - If traffic log is disabled in Log&Report, the system will not generate a traffic log even if you have enabled it in the server policy.
    - If traffic log is enabled in Log&Report, enabled in server policy A, and disabled in server policy B, then the system generates traffic logs only for server policy A.
    Tip: Because the resources used by this feature increase as your traffic increases, if you do not need traffic data, disable this feature to improve performance and extend hardware life.
    Default: disable

ldap-health {enable | disable}
    Enable the LDAP server's health check.
    Default: disable

ztna-profile <string>
    Specify the ZTNA (Zero Trust Network Access) profile. For more information, see Configuring a ZTNA Profile.
    Default: No default.

reply-100-continue {enable | disable}
    - When disabled, clients must wait for FortiWeb to forward the 100-continue response sent by the server.
    - When enabled, FortiWeb does not wait for the server's 100-continue response. Instead, it directly replies with a 100-continue header to clients to reduce delay.
    Note: FortiWeb only supports HTTP/1.1, so the 100-continue response sent by FortiWeb is HTTP/1.1 100-continue.
    Default: enable

forward-expect-100-continue {enable | disable}
    - When disabled, FortiWeb removes the Expect: 100-continue header from request packets before forwarding them to servers.
    - When enabled, the Expect: 100-continue header is forwarded to the server.
    It is recommended to set reply-100-continue to enable and forward-expect-100-continue to disable, so that FortiWeb can directly reply with a 100-continue header to reduce delay, then remove the Expect: 100-continue header from request packets to avoid forwarding an unnecessary header.
    Default: disable

tag <tag_name>
    Enter the tags you want to attach to this server policy. This helps in labeling server policies for future use such as sorting, filtering, and acknowledging policies.
    Tags are created with config system object-tagging.
    Default: No default.

Example

This example configures a web protection server policy. FortiWeb forwards HTTPS connections received by the virtual
server named virtual_ip1 to a server pool named apache1, which contains a single physical server. FortiWeb uses
the certificate named certificate1 during SSL negotiations with the client, then forwards traffic to the server pool.
config server-policy policy
  edit "https-policy"
    set deployment-mode server-pool
    set vserver "virtual_ip1"
    set server-pool "apache1"
    set web-protection-profile "inline-protection1"
    set https-service HTTPS
    set certificate "certificate1"
    set case-sensitive disable
    set status enable
  next
end

Related topics

- server-policy allow-hosts on page 103
- system certificate local on page 237
- system certificate ocsp-stapling on page 241
- server-policy http-content-routing-policy on page 110
- server-policy server-pool on page 168
- server-policy service custom on page 193
- server-policy vserver on page 199
- system snmp community on page 339
- system settings on page 336
- system v-zone on page 352
- waf web-protection-profile inline-protection on page 636
- waf web-protection-profile offline-protection on page 645
- "debug application dssl" on page 1
- "debug application http" on page 1
- "debug application ssl" on page 1
- "debug application ustack" on page 1
- debug flow filter on page 691
- policy on page 728

server-policy server-pool

Use this command to configure an HTTP, FTP, or AD FS server pool.

Server pools define a group of one or more physical or domain servers (web servers) that FortiWeb distributes connections among, or that the connections pass through to, depending on the operation mode. Reverse Proxy mode actively distributes connections; Offline Protection and either of the transparent modes do not actively distribute connections.
To apply the server pool configuration, do one of the following:
- Select it in a server policy directly.
- Select it in an HTTP content routing policy that you can, in turn, select in a server policy.
For details, see server-policy policy on page 140 and server-policy http-content-routing-policy on page 110.
To determine which type of server pool to create, configure protocol {HTTP | FTP | ADFSPIP} on page 173. If you're planning to configure an FTP server pool, you'll need to confirm that it is enabled in system feature-visibility on page 263.
To use this command, your administrator account's access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions on page 46.

Syntax
config server-policy server-pool
  edit "<server-pool_name>"
    set comment "<comment_str>"
    set health "<health-check_name>"
    set http-reuse {aggressive | always | never | safe}
    set lb-algo {least-connections | round-robin | weighted-round-robin | uri-hash | full-uri-hash | host-hash | host-domain-hash | src-ip-hash | least-response-time | probabilistic-weighted-least-response-time}
    set persistence "<persistence-policy_name>"
    set protocol {HTTP | FTP | ADFSPIP}
    set reuse-conn-idle-time <int>
    set reuse-conn-max-count <int>
    set reuse-conn-max-request <int>
    set reuse-conn-total-time <int>
    set server-balance {enable | disable}
    set server-pool-id
    set type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp}
    set proxy-protocol {enable | disable}
    set proxy-protocol-version {v1 | v2}
    set adfs-server-name <adfs-server-name_str>
    config pserver-list
      edit <entry_index>
        set analyzer-policy "<fortianalyzer-policy_name>"
        set backup-server {enable | disable}
        set certificate "<certificate_name>"
        set certificate-verify "<verifier_name>"
        set client-certificate "<client-certificate_name>"
        set client-certificate-forwarding {enable | disable}
        set client-certificate-forwarding-cert-header "<header_str>"
        set client-certificate-forwarding-sub-header "<header_str>"
        set client-certificate-proxy {enable | disable}
        set client-certificate-proxy-sign-ca <sign_ca>
        set conn-limit <conn-limit_int>
        set domain "<server_fqdn>"
        set health-check-inherit {enable | disable}
        set hlck-domain <hlck-domain_str>
        set hpkp-header "<hpkp_name>"
        set hsts-header {enable | disable}
        set hsts-max-age <timeout_int>
        set http2 {enable | disable}
        set implicit_ssl {enable | disable}
        set intermediate-certificate-group "<CA-group_name>"
        set ip {"address_ipv4" | "address_ipv6"}
        set port <port_int>
        set server-certificate-verify {enable | disable}
        set server-certificate-verify-action {alert | alert_deny | redirect}
        set server-certificate-verify-policy "<policy_name>"
        set recover <recover_int>
        set server-side-sni {enable | disable}
        set server-type {physical | domain | sdn-connector}
        set sdn-addr-type {private | public | all}
        set sdn {aws | azure}
        set filter <string>
        set session-id-reuse {enable | disable}
        set session-ticket-reuse {enable | disable}
        set sni {enable | disable}
        set sni-certificate "<sni_name>"
        set sni-strict {enable | disable}
        set certificate-type {enable | disable}
        set lets-certificate <name>
        set ssl {enable | disable}
        set ssl-cipher {medium | high | custom}
        set ssl-custom-cipher {<cipher_1> <cipher_2> <cipher_3> ...}
        set tls13-custom-cipher
        set rfc7919-comply {enable | disable}
        set supported-groups {X25519 | prime256v1 | secp384r1 | secp521r1 | brainpoolP256r1 | brainpoolP384r1 | brainpoolP512r1 | ffdhe2048 | ffdhe3072 | ffdhe4096 | ffdhe6144 | ffdhe8192}
        set ssl-noreg {enable | disable}
        set ssl-quiet-shutdown {enable | disable}
        set ssl-session-timeout <ssl-session-timeout_int>
        set status {disable | enable | maintain}
        set tls-v10 {enable | disable}
        set tls-v11 {enable | disable}
        set tls-v12 {enable | disable}
        set tls-v13 {enable | disable}
        set url-cert {enable | disable}
        set urlcert-group "<urlcert-group_name>"
        set urlcert-hlen <len_int>
        set warm-rate <warm-rate_int>
        set warm-up <warm-up_int>
        set weight <weight_int>
        set adfs-username <adfs-username_str>
        set adfs-password <adfs-password_str>
        set multi-certificate {enable | disable}
        set certificate-group <certificate-group_str>
      next
    end
  next
end
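
A worked configuration, added here as an editorial example and not taken from the original reference, that ties the server-pool syntax above to the server policy options described earlier (reply-100-continue, forward-expect-100-continue and tlog): a reverse-proxy pool with one TLS origin whose certificate is verified, legacy TLS disabled on the server side, and a backup member, referenced by a policy that uses the recommended 100-continue pairing. It assumes pre-existing objects named hlck-https (server health check), origin-ca-verify (server certificate verification policy), virtual_ip1, inline-protection1 and certificate1; the 10.0.10.x addresses and all object names are constructed, and lines beginning with # are annotations, not CLI input.

```text
# Constructed example: names, addresses and comments are illustrative, not from the reference.
config server-policy server-pool
  edit "apache-tls-pool"
    set comment "Reverse proxy pool: one TLS origin plus a backup member"
    set type reverse-proxy
    set protocol HTTP
    set server-balance enable
    set lb-algo least-connections
    # hlck-https is an assumed pre-existing server health check; members inherit it below.
    set health "hlck-https"
    # Multiplex client requests onto cached origin connections, but never for a client's first request.
    set http-reuse safe
    set reuse-conn-idle-time 10
    set reuse-conn-max-request 100
    config pserver-list
      edit 1
        set server-type physical
        set ip "10.0.10.11"
        set port 443
        set ssl enable
        # Verify the origin's certificate against the assumed policy and deny on failure,
        # so a misrouted or impersonated back end is refused rather than only logged.
        set server-certificate-verify enable
        set server-certificate-verify-action alert_deny
        set server-certificate-verify-policy "origin-ca-verify"
        # Legacy TLS off on the server side; only TLS 1.2 and 1.3 with the high cipher set.
        set tls-v10 disable
        set tls-v11 disable
        set tls-v12 enable
        set tls-v13 enable
        set ssl-cipher high
        set health-check-inherit enable
        set conn-limit 1000
        # After a health-check recovery, wait 60 s before forwarding, then ramp traffic
        # up gradually during the warm-up period at the warm-rate limit.
        set recover 60
        set warm-up 30
        set warm-rate 10
        set status enable
      next
      edit 2
        # Backup member: receives connections only while every other member fails its health check.
        set server-type physical
        set ip "10.0.10.12"
        set port 443
        set ssl enable
        set server-certificate-verify enable
        set server-certificate-verify-action alert_deny
        set server-certificate-verify-policy "origin-ca-verify"
        set tls-v10 disable
        set tls-v11 disable
        set tls-v12 enable
        set tls-v13 enable
        set ssl-cipher high
        set backup-server enable
        set health-check-inherit enable
        set status enable
      next
    end
  next
end

config server-policy policy
  edit "https-policy-tls-pool"
    set deployment-mode server-pool
    set vserver "virtual_ip1"
    set server-pool "apache-tls-pool"
    set web-protection-profile "inline-protection1"
    set https-service HTTPS
    set certificate "certificate1"
    # Recommended pairing from the reference: answer Expect: 100-continue locally,
    # then strip the header before forwarding so the origin never sees it.
    set reply-100-continue enable
    set forward-expect-100-continue disable
    # Traffic logging costs resources in proportion to traffic; leave it off unless needed.
    set tlog disable
    set case-sensitive disable
    set status enable
  next
end
```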

"<server-pool_name>"
    Enter the name of the server pool. The maximum length is 63 characters.
    To display the list of existing server pools, enter:
    edit ?
    Default: No default.

comment "<comment_str>"
    Enter a description or other comment. If the comment is more than one word or contains special characters, surround the comment with double quotes ( " ). The maximum length is 199 characters.
    Default: No default.

health "<health-check_name>"
    Enter the name of a server health check that FortiWeb uses to determine the responsiveness of server pool members. The maximum length is 63 characters.
    When you specify a health check for the pool, by default all pool members use that health check. To select a different health check for a pool member, in the pool member configuration, specify disable for health-check-inherit and the health check to use for health.
    To display the list of existing health checks, enter:
    edit ?
    Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is reverse-proxy and server-balance {enable | disable} on page 174 is enable.
    Note: If a pool member is unresponsive, wait until the server becomes responsive again before disabling its server health check. Server health checks record the up or down status of the server. If you deactivate the server health check while the server is unresponsive, the server health check cannot update the recorded status, and FortiWeb continues to regard the physical server as if it were unresponsive. You can determine the physical server's connectivity status using the Service Status widget or an SNMP trap. For details, see system snmp community on page 339.
    Default: No default.

http-reuse {aggressive | always | never | safe}
    Configure multiplexing so that FortiWeb uses a single connection to a server for requests from multiple clients. Enter one of these options:
    - aggressive: The first request from a client can use a cached server connection only when the cached server connection has already been used by more than one client.
    - always: Client requests use any available cached server connection.
    - never: Disable multiplexing.
    - safe: A client establishes a new connection for its first request, but uses an available cached server connection for subsequent requests.
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: never

lb-algo {least-connections | round-robin | weighted-round-robin | uri-hash | full-uri-hash | host-hash | host-domain-hash | src-ip-hash | least-response-time | probabilistic-weighted-least-response-time}
    Select the load-balancing algorithm that FortiWeb uses when it distributes new connections among server pool members.
    - least-connections: Distributes new connections to the member with the fewest existing, fully-formed connections.
    - round-robin: Distributes new connections to the next member of the server pool, regardless of weight, response time, traffic load, or number of existing connections. Unresponsive servers are avoided.
    - weighted-round-robin: Distributes new connections using the round robin method, except that members with a higher weight value receive a larger percentage of connections.
    - uri-hash: Distributes new TCP connections using a hash algorithm based on the URI found in the HTTP header, excluding the hostname.
    - full-uri-hash: Distributes new TCP connections using a hash algorithm based on the full URI string found in the HTTP header. The full URI string includes the hostname and path.
    - host-hash: Distributes new TCP connections using a hash algorithm based on the hostname in the HTTP Request header Host field.
    - host-domain-hash: Distributes new TCP connections using a hash algorithm based on the domain name in the HTTP Request header Host field.
    - src-ip-hash: Distributes new TCP connections using a hash algorithm based on the source IP address of the request.
    - least-response-time: Distributes incoming traffic to the server with the shortest average response time and the lowest number of connections, so that the client connects to the most efficient back-end server.
    - probabilistic-weighted-least-response-time: With least-response-time, in extreme cases one server may consistently have a relatively low response time compared to the others, which causes most of the traffic to be distributed to that single server. As a solution, probabilistic-weighted-least-response-time distributes traffic based on least response time as well as probabilities. The server with the least response time is the most likely to receive traffic, while the remaining servers still have a chance to process some of the traffic.
    Note: When protocol {HTTP | FTP | ADFSPIP} on page 173 is set to FTP, only round-robin, weighted-round-robin, least-connections, and src-ip-hash are available.
    For hash-based methods, if you specify a value for persistence, after an initial client request FortiWeb routes any subsequent requests according to the persistence method. Otherwise, it routes subsequent requests according to the hash-based algorithm.
    Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is reverse-proxy and server-balance {enable | disable} on page 174 is enable.
    Default: round-robin

persistence "<persistence-policy_name>"
    Enter the name of the persistence policy that specifies a session persistence method and timeout to apply to the pool.
    For details, see server-policy persistence-policy on page 136.
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: No default.

adfs-server-name <adfs-server-name_str>
    Enter a name for the AD FS server. It should be the federation service name. This option is mandatory if the AD FS server needs to verify the server name in the SSL handshake.
    This is only available if the server pool type is ADFSPIP.
    Default: No default.

protocol {HTTP | FTP | ADFSPIP}
    Select one of the following:
    - HTTP: Specifies that the server pool governs HTTP traffic. Specific options for configuring an HTTP server pool become available.
    - FTP: Specifies that the server pool governs FTP traffic. Specific options for configuring an FTP server pool become available.
    - ADFSPIP: Specifies that the server pool governs ADFSPIP traffic. Specific options for configuring an ADFSPIP server pool become available.
    Default: HTTP

proxy-protocol {enable | disable}
    If the back-end server enables the proxy protocol, you need to enable the Proxy Protocol option on FortiWeb so that the TCP, SSL and HTTP traffic can successfully go through. The real IP address of the client is included in the proxy protocol header.
    Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is Reverse Proxy, True Transparent Proxy, Offline Protection, or Transparent Inspection.
    Default: disable

proxy-protocol-version {v1 | v2}
    Select the proxy protocol version for the back-end server.
    Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} is Reverse Proxy or True Transparent Proxy.
    Default: v1

reuse-conn-idle-time <int>
    Enter an idle time limit for a cached server connection. If a cached server connection remains idle for the set duration, it is closed. The valid range is 1–1000.
    Default: 10

reuse-conn-max-count <int>
    Enter the maximum number of allowed cached server connections. Once FortiWeb reaches the set number, no more cached server connections are established. The valid range is 1–1000 for each pserver.
    Note: The minimum number of cached connections depends on the number of CPU cores of the FortiWeb platform. For example, a FortiWeb 4000E has 40 CPU cores, so there are always at least 40 reusable connections for each pserver. In addition, the valid range applies to each pserver; if there are two pservers and you enter a value of 1000, there will be up to 2000 reusable connections.
    Default: 100

reuse-conn-max-request <int>
    Enter the maximum number of HTTP responses that a cached server connection may handle. If a cached server connection reaches the set number, it is closed. The valid range is 1–1000.
    Default: 100

reuse-conn-total-time <int>
    Enter the maximum time for which a cached server connection may be reused. If a cached server connection exists for longer than the set limit, it is closed. The valid range is 1–1000.
    Default: 100

server-balance {enable | disable}
    Specifies whether the pool contains a single server or multiple members.
    If enabled, FortiWeb uses the specified load-balancing algorithm to distribute TCP connections among the members. If a member is unresponsive to the specified server health check, FortiWeb forwards subsequent connections to another member of the pool.
    Available only when type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is reverse-proxy.
    Default: disable

server-pool-id
    A 64-bit random integer assigned to each server pool. The server-pool-id is a unique identification number for each server pool.
    When administrative domains (ADOMs) are enabled, ADOMs can create server pools with names that are identical to those created by other ADOMs, so the server-pool-id can easily differentiate between pools created by different ADOMs that share the same name.
    Default: No default.

type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp}
    Select the current operation mode of the appliance to display the corresponding pool options.
    For details, see opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp} on page 338.
    Note: This option is applicable only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: reverse-proxy

<entry_index>
    Enter the index number of the member entry within the server pool. The valid range is 1–9,223,372,036,854,775,807.
    For round robin-style load balancing, the index number indicates the order in which FortiWeb distributes connections.
    Default: No default.

backup-server {enable | disable}
    Enter enable to configure this pool member as a backup server.
    FortiWeb only routes connections for the pool to a backup server when all the other members of the server pool fail their server health check.
    The backup server mechanism does not work if you do not specify server health checks for the pool members.
    If you select this option for more than one pool member, FortiWeb uses the load balancing algorithm to determine which member to use.
    Default: disable

certificate "<certificate_name>"
    Enter the name of the certificate that FortiWeb uses to decrypt SSL-secured connections.
    Available only if ssl {enable | disable} on page 184 is enable. The maximum length is 63 characters.
    To display the list of existing certificates, enter:
    edit ?
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: No default.

certificate-verify "<verifier_name>"
    Enter the name of a certificate verifier, if any, to use when an HTTP client presents their personal certificate. If you do not specify one, the client is not required to present a personal certificate.
    However, if ssl {enable | disable} on page 184 is enable and the domain in the client request matches an entry in the specified SNI policy, FortiWeb uses the SNI configuration to determine which certificate verifier to use.
    Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website. For details about how the client's certificate is verified, see ssl-client-verify "<verifier_name>" on page 156.
    You can require that clients present a certificate alternatively or in addition to HTTP authentication. For details, see waf http-authen http-authen-rule on page 476.
    Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is transparent-servers-for-tp and ssl {enable | disable} on page 184 is enable.
    For Reverse Proxy mode, configure this setting in the server policy instead. See ssl-client-verify "<verifier_name>" on page 156.
    The maximum length is 63 characters.
    To display the list of existing verifiers, enter:
    edit ?
    Note: The client must support TLS 1.0, TLS 1.1, or TLS 1.2.
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: No default.

client-certificate "<client-certificate_name>"
    Enter the client certificate that FortiWeb uses to connect to this server pool member.
    Used when connections to this pool member require a valid client certificate.
    Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is reverse-proxy or transparent-servers-for-tp and ssl {enable | disable} on page 184 is enable.
    To upload a client certificate for FortiWeb, see the FortiWeb Administration Guide:
    http://docs.fortinet.com/fortiweb/admin-guides
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: disable

client-certificate-forwarding {enable | disable}
    Enable to configure FortiWeb to include any X.509 personal certificates presented by clients during the SSL/TLS handshake with the traffic it forwards to the pool member.
    Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is transparent-servers-for-tp and ssl {enable | disable} on page 184 is enable.
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: disable

client-certificate-forwarding-cert-header "<header_str>"
    Enter a custom certificate header that will carry the Base64 encoding of the X.509 personal certificate presented by the client during the SSL/TLS handshake when FortiWeb forwards the traffic to the protected web server.
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: x-client-cert

client-certificate-forwarding-sub-header "<header_str>"
    Enter a custom subject header that will carry the subject of the X.509 personal certificate presented by the client during the SSL/TLS handshake when FortiWeb forwards the traffic to the protected web server.
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: x-client-dn

client-certificate-proxy {enable | disable}
    Enable to configure seamless PKI integration. When this option is configured, FortiWeb attempts to verify client certificates when users make requests and re-signs new certificates that it sends to the server.
    Also configure client-certificate-proxy-sign-ca <sign_ca> on page 177.
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: disable

client-certificate-proxy-sign-ca <sign_ca>
    Select the Sign CA that FortiWeb uses to verify and re-sign new client certificates.
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: No default.

conn-limit <conn-limit_int>
    Specifies the maximum number of TCP connections that FortiWeb forwards to this pool member.
    For no limit, specify 0 (the default value).
    The valid range is 0–1,048,576.
    Default: 0

domain "<server_fqdn>"
    Enter the fully-qualified domain name of the web server to include in the pool, such as www.example.com.
    Warning: Server policies do not apply features that do not yet support IPv6 to domain servers whose DNS names resolve to IPv6 addresses.
    Tip: For domain servers, FortiWeb queries a DNS server to resolve each web server's domain name to an IP address. For improved performance, do one of the following:
    - use physical servers instead
    - ensure highly reliable, low-latency service to a DNS server on your local network
    Available only if server-type {physical | domain | sdn-connector} on page 181 is domain.
    Default: No default.

health-check-inherit {enable | disable}
    Select either:
    - enable: Use the health check specified by health in the server pool configuration.
    - disable: Use the health check specified by health in this pool member configuration.
    Default: enable

hlck-domain <hlck-domain_str>
    Enter the domain name of the server pool.
    Default: No default.

hpkp-header "<hpkp_name>"
    Enter an HPKP profile, if any, to use to verify certificates when clients attempt to access a server.
    HPKP prevents attackers from carrying out Man in the Middle (MITM) attacks with forged certificates.
    Available only when the operating mode is True Transparent Proxy.
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: disable

hsts-header {enable | disable}
    Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply, such as:
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    This header forces the client to use HTTPS for subsequent visits to this domain. If the certificate does not validate, it also causes a fatal connection error: the client's web browser does not display a dialog that allows the user to override the certificate mismatch error and continue.
    Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is transparent-servers-for-tp and ssl {enable | disable} on page 184 is enable.
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: disable

hsts-max-age <timeout_int>
    Enter the time to live in seconds for the HSTS header. This setting applies only if hsts-header {enable | disable} on page 178 is enable.
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: 7776000

http2 {enable | disable}
    Enable to allow HTTP/2 communication between FortiWeb and this back-end web server for HTTP/2 security inspection in Reverse Proxy mode, or to enable HTTP/2 security inspection in True Transparent Proxy mode.
    When HTTP/2 security inspection is enabled in Reverse Proxy mode (see server-policy policy on page 140):
    1. enable: Traffic between FortiWeb and this web server is transferred in HTTP/2, if this web server supports HTTP/2.
       Note: Make sure that this back-end web server really supports HTTP/2 before you enable this, or connections will fail.
    2. disable: FortiWeb converts HTTP/2 to HTTP/1.x for this web server, or converts HTTP/1.x to HTTP/2 for the clients, if this web server does not support HTTP/2.
    When FortiWeb operates in True Transparent Proxy mode (see opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp} on page 338):
    1. enable: Enable HTTP/2 security inspection. Only this option needs to be enabled, with SSL configured correctly, to enable HTTP/2 security inspection; no HTTP/2 configuration is required in server-policy policy on page 140. When HTTP/2 inspection is enabled in True Transparent Proxy mode, FortiWeb performs no protocol conversion between HTTP/1.x and HTTP/2, which means HTTP/2 connections will not be established between clients and back-end web servers if the web servers do not support HTTP/2.
    2. disable: Disable HTTP/2 security inspection.
    Note:
    1. This option is available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is set to reverse-proxy or transparent-servers-for-tp; and when type is transparent-servers-for-tp, this option is available only if ssl {enable | disable} on page 184 is enable.
    2. Confirm your FortiWeb operation mode and the HTTP versions your back-end web servers are running before configuring this option, so that HTTP/2 inspection works correctly with your web servers.
    3. For details about HTTP/2 support, see the FortiWeb Administration Guide:
       http://docs.fortinet.com/fortiweb/admin-guides
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: disable

implicit_ssl {enable | disable}
    Enable so that FortiWeb communicates with the pool member using implicit SSL.
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is set to FTP.
    Default: disable

intermediate-certificate-group "<CA-group_name>"
    Enter the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to clients to complete the signing chain for them and validate the server certificate's CA signature.
    If clients receive certificate warnings that the server certificate configured in certificate "<certificate_name>" on page 175 has been signed by an intermediary CA, rather than directly by a root CA or other CA currently trusted by the client, configure this option.
    Alternatively, include the entire signing chain in the server certificate itself before uploading it to the FortiWeb appliance, thereby completing the chain of trust with a CA already known to the client. For details, see the FortiWeb Administration Guide:
    http://docs.fortinet.com/fortiweb/admin-guides
    Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is transparent-servers-for-tp and ssl {enable | disable} on page 184 is enable. For Reverse Proxy mode, configure this setting in the server policy instead. For details, see intermediate-certificate-group "<CA-group_name>" on page 151.
    Note: This option is available only when protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
    Default: No default.

FortiWeb CLI Reference Fortinet Technologies Inc.


config 181

Variable Description Default

ip {"address_ipv4" | Enter the IP address of the web server to include in the No default.
"address_ipv6"} pool.
Warning: Server policies do not apply to features that do
not yet support IPv6 to servers specified using IPv6
addresses.
Available only if server-type {physical | domain | sdn-
connector} on page 181 is physical.

port <port_int> Enter the TCP port number where the pool member 80 (HTTP)/21
listens for connections. The valid range is 1–65,535. (FTP)

recover <recover_int>
  Specify the number of seconds that FortiWeb waits before it forwards traffic to this pool member after a health check indicates that this server is available again. The default is 0 (disabled). The valid range is 0–86,400.
  After the recovery period elapses, FortiWeb assigns connections at the rate specified by warm-rate <warm-rate_int> on page 190.
  Examples of when the server experiences a recovery and warm-up period:
  • A server is coming back online after the health check monitor detected it was down.
  • A network service is brought up before other daemons have finished initializing, and therefore the server is using more CPU and memory resources than when startup is complete.
  To avoid connection problems, specify the separate warm-up rate, recovery rate, or both.
  Tip: During scheduled maintenance, you can also manually apply these limits by setting status {disable | enable | maintain} on page 188 to maintain.
  Default: 0

server-side-sni {enable | disable}
  Specify whether FortiWeb supports Server Name Indication (SNI) for the back-end servers that it applies this policy to.
  Enable this feature when the operating mode is transparent proxy, end-to-end encryption is required, and the back-end web server itself requires SNI support. When the operating mode is Reverse Proxy, you enable server-side SNI support using the server policy.
  Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
  Default: disable

server-type {physical | domain | sdn-connector}
  Specify whether the pool member is identified by IP address, by domain name, or by addresses pulled automatically by an SDN connector.
  If your application servers are deployed on AWS or Azure, you can select sdn-connector to authorize FortiWeb to access the VM instances in your public cloud account, in order to automatically obtain the IP addresses.
  Default: physical

sdn-addr-type {private | public | all}
  Select whether you want FortiWeb to get the public or the private addresses of your application's VM instances, or select all to get both the public and the private addresses.
  Note: Private addresses can be obtained only when FortiWeb-VM is deployed in the same subnet as your application's VM instances.
  Available only if the server-type is sdn-connector.
  Default: private

sdn {aws | azure}
  Select the SDN connector you have created. See system sdn-connector.
  Available only if the server-type is sdn-connector.
  Default: No default.

filter <string>
  Once you select the SDN connector that you have created, the available filter options for the VMs in your public cloud account are listed here. You can select multiple filter options among instance IDs, image IDs, tags, etc. FortiWeb finds the VM instance, for example, whose instance ID is i-12345678 in your AWS account, then obtains the IP address of this instance and records it as the origin server's IP.
  AWS
  • instance-id (e.g. instance-id=i-12345678)
  • image-id (e.g. image-id=ami-123456)
  • key-name (e.g. key-name=aws-key-name)
  • subnet-id (e.g. subnet-id=sub-123456)
  • tag:TagName (The tag attached to the instance. TagName is a variable; it can be any value you have named for the tag, e.g. tag:Type=appserver. Up to 8 tags are supported.)
  Azure
  • vm-name (e.g. vm-name=myVM01)
  • tag:TagName (The tag attached to the virtual machine. TagName is a variable; it can be any value you have named for the tag, e.g. tag:Type=appserver. Up to 8 tags are supported.)
  Available only if the server-type is sdn-connector.
  Default: No default.

session-id-reuse {enable | disable}
  Enable so that FortiWeb reuses the session ID when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ID for the specified pserver. If both a session ticket and ID exist for a pserver, FortiWeb will reuse the ticket.
  Note: This option is available only when ssl {enable | disable} on page 184 is enabled.
  Default: disable

session-ticket-reuse {enable | disable}
  Enable so that FortiWeb reuses the session ticket when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ticket for the specified pserver.
  Note: This option is available only when ssl {enable | disable} on page 184 is enabled.
  Default: disable

sni {enable | disable}
  Enable to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by certificate "<certificate_name>" on page 175.
  The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. For details, see system certificate sni on page 243.
  If you specify both a SNI configuration and a certificate, FortiWeb uses the certificate specified by certificate "<certificate_name>" on page 175 when the requested domain does not match a value in the SNI configuration. If you enable sni-strict {enable | disable} on page 184, FortiWeb always ignores the value of certificate "<certificate_name>" on page 175.
  Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is transparent-servers-for-tp and ssl {enable | disable} on page 184 is enable.
  Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
  Default: disable

sni-certificate "<sni_name>"
  Enter the name of the Server Name Indication (SNI) configuration that specifies which certificate FortiWeb uses when encrypting or decrypting SSL-secured connections for a specified domain.
  The SNI configuration enables FortiWeb to present different certificates on behalf of the members of a pool according to the requested domain.
  If only one certificate is required to encrypt and decrypt the traffic that this policy applies to, specify certificate "<certificate_name>" on page 175 instead.
  Available only if sni {enable | disable} on page 183 is enabled.
  Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
  Default: No default.

sni-strict {enable | disable}
  Select to configure FortiWeb to ignore the value of certificate "<certificate_name>" on page 175 when it determines which certificate to present on behalf of server pool members, even if the domain in a client request does not match a value in the specified SNI configuration.
  Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
  Default: disable

certificate-type {enable | disable}
  Enable to allow FortiWeb to automatically retrieve CA certificates from Let's Encrypt.
  Default: disable

lets-certificate <name>
  Select the Let's Encrypt certificate you have created. See system certificate letsencrypt.
  Default: No default.

ssl {enable | disable}
  For Reverse Proxy, Offline Protection, and Transparent Inspection modes, specifies whether connections between FortiWeb and the pool member use SSL/TLS.
  For True Transparent Proxy and WCCP modes, specifies whether FortiWeb performs SSL/TLS processing for the pool members and whether connections between FortiWeb and the pool member use SSL/TLS.
  For Offline Protection and transparent modes, also configure certificate "<certificate_name>" on page 175. FortiWeb uses the certificate to decrypt and scan connections before passing the encrypted traffic through to the pool members (SSL inspection).
  For True Transparent Proxy, also configure certificate "<certificate_name>" on page 175 and additional SSL settings as required. FortiWeb handles SSL negotiations and encryption and decryption instead of the pool member (SSL offloading).
  For Reverse Proxy mode, you can configure SSL offloading for all members of a pool using a server policy. For details, see server-policy policy on page 140.
  Note: When this option is enabled, the pool member must be configured to apply SSL.
  Note: Ephemeral (temporary key) Diffie-Hellman exchanges are not supported if the FortiWeb appliance is operating in Transparent Inspection or Offline Protection mode.
  Default: No default.

ssl-cipher {medium | high | custom}
  For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member use a medium-security, high-security, or custom set of cipher suites.
  For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member use a medium-security, high-security, or custom set of cipher suites.
  If custom, also specify ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...} on page 185.
  Do not set to custom if http2 {enable | disable} on page 179 is set to enable.
  For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides
  Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} on page 184 is enable.
  Default: medium

ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}
  Specify one or more cipher suites that FortiWeb allows. Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list.
  Valid values are:
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-RSA-AES256-GCM-SHA384
  DHE-DSS-AES256-GCM-SHA384
  DHE-RSA-AES256-GCM-SHA384
  ECDHE-ECDSA-CHACHA20-POLY1305
  ECDHE-RSA-CHACHA20-POLY1305
  DHE-RSA-CHACHA20-POLY1305
  ECDHE-ECDSA-AES256-CCM8
  ECDHE-ECDSA-AES256-CCM
  DHE-RSA-AES256-CCM8
  DHE-RSA-AES256-CCM
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-GCM-SHA256
  DHE-DSS-AES128-GCM-SHA256
  DHE-RSA-AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-CCM8
  ECDHE-ECDSA-AES128-CCM
  DHE-RSA-AES128-CCM8
  DHE-RSA-AES128-CCM
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-RSA-AES256-SHA384
  DHE-RSA-AES256-SHA256
  DHE-DSS-AES256-SHA256
  ECDHE-ECDSA-CAMELLIA256-SHA384
  ECDHE-RSA-CAMELLIA256-SHA384
  DHE-RSA-CAMELLIA256-SHA256
  DHE-DSS-CAMELLIA256-SHA256
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-RSA-AES128-SHA256
  DHE-RSA-AES128-SHA256
  DHE-DSS-AES128-SHA256
  ECDHE-ECDSA-CAMELLIA128-SHA256
  ECDHE-RSA-CAMELLIA128-SHA256
  DHE-RSA-CAMELLIA128-SHA256
  DHE-DSS-CAMELLIA128-SHA256
  ECDHE-ECDSA-AES256-SHA
  ECDHE-RSA-AES256-SHA
  DHE-RSA-AES256-SHA
  DHE-DSS-AES256-SHA
  DHE-RSA-CAMELLIA256-SHA
  DHE-DSS-CAMELLIA256-SHA
  ECDHE-ECDSA-AES128-SHA
  ECDHE-RSA-AES128-SHA
  DHE-RSA-AES128-SHA
  DHE-DSS-AES128-SHA
  DHE-RSA-CAMELLIA128-SHA
  DHE-DSS-CAMELLIA128-SHA
  AES256-GCM-SHA384
  AES256-CCM8
  AES256-CCM
  AES128-GCM-SHA256
  AES128-CCM8
  AES128-CCM
  AES256-SHA256
  CAMELLIA256-SHA256
  AES128-SHA256
  CAMELLIA128-SHA256
  AES256-SHA
  CAMELLIA256-SHA
  AES128-SHA
  CAMELLIA128-SHA
  DHE-RSA-SEED-SHA
  ECDHE_RSA_DES_CBC3_SHA
  DES_CBC3_SHA
  Default: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256

tls13-custom-cipher
  Specify one or more TLS 1.3 cipher suites that FortiWeb allows. Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list.
  Valid values are:
  TLS_AES_256_GCM_SHA384
  TLS_CHACHA20_POLY1305_SHA256
  TLS_AES_128_GCM_SHA256
  TLS_AES_128_CCM_SHA256
  TLS_AES_128_CCM_8_SHA256
  Default: TLS_AES_256_GCM_SHA384

rfc7919-comply {enable | disable}
  Enable to apply cipher suites that comply with RFC 7919.
  Default: disable

supported-groups {X25519 | prime256v1 | secp384r1 | secp521r1 | brainpoolP256r1 | brainpoolP384r1 | brainpoolP512r1 | ffdhe2048 | ffdhe3072 | ffdhe4096 | ffdhe6144 | ffdhe8192}
  Select the RFC 7919 supported groups. A supported group specifies elliptic curve parameters, while the SSL/TLS negotiation could choose a different elliptic curve algorithm, so make sure to choose the corresponding ciphers in ssl-custom-cipher.
  • At least one FFDHE group should be selected.
  • At least one DHE cipher should be added.
  Due to a design limitation, you need to select custom in ssl-cipher {medium | high | custom} and make sure to include at least one DHE cipher in the selected list. Using high or medium together with RFC 7919 will lead to an unexpected error. We will fix it in a future release.
  The system returns an error if either of the above two conditions is not met.
  Please note that RFC 7919 does not apply to TLS 1.3, so if you have only enabled tls-v13, RFC 7919 will not take effect even if it is enabled. To apply both TLS 1.3 and RFC 7919, it is recommended to enable a non-TLS 1.3 protocol, then select at least one DHE cipher.
  Default: No default

ssl-noreg {enable | disable}
  Select to configure FortiWeb to ignore requests from clients to renegotiate TLS or SSL.
  Protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server.
  Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is transparent-servers-for-tp and ssl {enable | disable} on page 184 is enable.
  Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
  Default: enable

status {disable | enable | maintain}
  To specify the status of the pool member, enter one of the following values:
  • enable: this pool member can receive new sessions from FortiWeb.
  • disable: this pool member does not receive new sessions from FortiWeb, and FortiWeb closes any current sessions as soon as possible.
  • maintain: this pool member does not receive new sessions from FortiWeb, but FortiWeb maintains any current connections.
  Default: enable

tls-v10 {enable | disable}
  For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.0 cryptographic protocol.
  For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.0 cryptographic protocol.
  This must be set to disable if http2 {enable | disable} on page 179 is set to enable.
  Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} on page 184 is enable.
  Default: enable

tls-v11 {enable | disable}
  For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.1 cryptographic protocol.
  For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.1 cryptographic protocol.
  This must be set to disable if http2 {enable | disable} on page 179 is set to enable.
  Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} on page 184 is enable.
  Default: enable

tls-v12 {enable | disable}
  For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.2 cryptographic protocol.
  For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.2 cryptographic protocol.
  Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} on page 184 is enable.
  Default: enable

tls-v13 {enable | disable}
  For Reverse Proxy mode, specifies whether secure connections between FortiWeb and the server pool member can use the TLS 1.3 cryptographic protocol.
  For True Transparent Proxy and WCCP modes, specifies whether secure connections between clients and FortiWeb and between FortiWeb and the server pool member can use the TLS 1.3 cryptographic protocol.
  Available only if type {offline-protection | reverse-proxy | transparent-servers-for-ti | transparent-servers-for-tp | transparent-servers-for-wccp} on page 175 is reverse-proxy, transparent-servers-for-tp, or transparent-servers-for-wccp, and ssl {enable | disable} on page 184 is enable.
  Default: disable

url-cert {enable | disable}
  Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate.
  Available only if https-service "<service_name>" on page 150 is configured.
  Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
  Default: disable

urlcert-group "<urlcert-group_name>"
  Enter the URL-based client certificate group that determines whether a client is required to present a personal certificate.
  If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate.
  For details about creating a group, see system certificate urlcert on page 247.
  Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
  Default: No default.

urlcert-hlen <len_int>
  Enter the maximum allowed length, in kilobytes, for an HTTP request with a URL that matches an entry in the URL-based client certificate group.
  FortiWeb blocks any matching requests that exceed the specified size.
  This setting prevents a request from exceeding the maximum buffer size.
  The valid range is 16–128.
  Note: This option is available only when the protocol {HTTP | FTP | ADFSPIP} on page 173 is HTTP.
  Default: No default.

warm-rate <warm-rate_int>
  Specify the maximum connection rate (per second) while the pool member is starting up.
  The default is 10 connections per second. The valid range is 1–86,400.
  The warm-up calibration is useful with servers that bring up the network service before other daemons are initialized. As these types of servers come online, CPU and memory are more utilized than they are during normal operation. For these servers, you define separate rates based on warm-up and recovery behavior.
  For example, if warm-up <warm-up_int> on page 191 is 5 and warm-rate is 2, the maximum number of new connections increases at the following rate:
  • 1st second: total of 2 new connections allowed (0+2).
  • 2nd second: 2 new connections added for a total of 4 new connections allowed (2+2).
  • 3rd second: 2 new connections added for a total of 6 new connections allowed (4+2).
  • 4th second: 2 new connections added for a total of 8 new connections allowed (6+2).
  • 5th second: 2 new connections added for a total of 10 new connections allowed (8+2).
  Default: 10

warm-up <warm-up_int>
  Specify for how long (in seconds) FortiWeb forwards traffic at a reduced rate after a health check indicates that this pool member is available again but it cannot yet handle a full connection load, for example, when the pool member begins to respond but startup is not fully complete.
  The default is 0 (disabled). The valid range is 0–86,400.
  Default: 0

weight <weight_int>
  If the server pool uses the weighted round robin load-balancing algorithm, type the numerical weight of the pool member. Members with a greater weight receive a greater proportion of connections.
  The valid range is 1–9,999.
  Default: 0

ssl-session-timeout <ssl-session-timeout_int>
  When FortiWeb is configured as an SSL server, you can set the SSL session timeout interval via the CLI. This is available only in Reverse Proxy and True Transparent Proxy modes.
  Default: No default.

ssl-quiet-shutdown {enable | disable}
  For HTTPS connections, when disabled, FortiWeb sends an SSL alert message to the client or server pool first, and then a FIN. When enabled, FortiWeb sends the FIN directly instead of sending an SSL alert message.
  Default: disable

server-certificate-verify {enable | disable}
  Enable so that the FortiWeb appliance verifies the certificates presented by the HTTP server.
  Default: disable

server-certificate-verify-policy "<policy_name>"
  Enter the certificate verify policy name.
  Default: No default.

server-certificate-verify-action {alert | alert_deny | redirect}
  Select which action the FortiWeb appliance takes when it detects a certificate violation.
  Default: No default.

adfs-username <adfs-username_str>
  Type the username that FortiWeb uses to connect to the AD FS server. Include the domain to which FortiWeb and the AD FS server belong, for example, domain1\administrator.
  Default: No default.

adfs-password <adfs-password_str>
  Type the password that FortiWeb uses to connect to the AD FS server.
  Default: No default.

multi-certificate {enable | disable}
  Enable this option to allow FortiWeb to use multiple local certificates. Available when ssl {enable | disable} on page 184 is enabled and FortiWeb is operating in True Transparent Proxy (TTP) or WCCP mode and performs SSL inspection.
  Default: disable

certificate-group <certificate-group_str>
  Select the multi-certificate file you have created.
  Default: No default.
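The sni, sni-certificate, sni-strict and certificate settings above combine into a single selection rule for the certificate a pool member presents. The following Python function is an added example (not FortiWeb code) that models that rule so the interaction of the three settings can be checked; the SNI configuration is represented as a plain dict of domain to certificate name, which is this example's assumption rather than the appliance's system certificate sni object.

```python
"""Which certificate a pool member presents, given the sni, sni-strict
and certificate settings of the server pool.

Added example, not FortiWeb code.  The SNI configuration is modelled as
a dict {domain: certificate_name} (an assumption of this example; on the
appliance it is a system certificate sni object).
"""
from typing import Dict, Optional

# Constructed sample SNI configuration (lower-case keys).
SNI_CONFIG: Dict[str, str] = {
    "shop.example.com": "shop-cert",
    "api.example.com": "api-cert",
}


def select_server_certificate(requested_domain: Optional[str],
                              sni_config: Dict[str, str],
                              certificate: Optional[str],
                              sni: bool = False,
                              sni_strict: bool = False) -> Optional[str]:
    """Return the certificate name to present, or None if there is none.

    Rules as stated in the reference:
    - sni disabled: the pool-level `certificate` is used;
    - sni enabled and the requested domain matches an SNI entry: that
      entry's certificate is used;
    - sni enabled, no match, sni-strict disabled: fall back to `certificate`;
    - sni-strict enabled: `certificate` is always ignored, so a request
      whose domain matches nothing gets no certificate at all.
    """
    if not sni:
        return certificate
    if requested_domain:
        # DNS names are case-insensitive; lower-casing before the lookup
        # is this example's choice, not documented FortiWeb behaviour.
        match = sni_config.get(requested_domain.lower())
        if match is not None:
            return match
    return None if sni_strict else certificate
```

The last branch is the one to watch when enabling sni-strict: a client that sends no SNI extension, or an unknown name, ends up with no certificate, so every domain the pool serves must be present in the SNI configuration.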

Example

This example configures a server pool named server-pool1. It consists of two physical servers: 192.0.2.10 and
192.0.2.11.
When both servers are available, FortiWeb forwards connections to the server with the smallest number of connections.
config server-policy server-pool
edit "server-pool1"
set type reverse-proxy
set server-balance enable
set lb-algo least-connections
config pserver-list
edit 1
set status enable
set server-type physical
set ip "192.0.2.10"
set ssl disable
set port 8081
next
edit 2
set status enable
set server-type physical
set ip "192.0.2.11"
set ssl disable
set port 8082
next
end
next
end
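The SSL-related settings in the table above (ssl-cipher, ssl-custom-cipher, tls13-custom-cipher, rfc7919-comply, supported-groups, tls-v10 through tls-v13 and http2) constrain one another, and the reference states that some combinations are rejected with an error while others are accepted but have no effect. The following Python checker is an added example, not FortiWeb code: it encodes exactly those stated constraints so a planned pserver configuration can be reviewed before it is typed in. The settings are passed as a dict keyed by CLI attribute name, and the reading of "DHE cipher" as the finite-field DHE-RSA/DHE-DSS suites is this example's; both are assumptions.

```python
"""Consistency checks for the SSL settings of a server pool member.

Added example, not FortiWeb code.  It encodes the constraints the CLI
reference states for ssl-cipher, ssl-custom-cipher, tls13-custom-cipher,
rfc7919-comply, supported-groups, tls-v10/tls-v11 and http2.  Settings
are passed as a dict keyed by CLI attribute name (an assumption of this
example); the appliance itself rejects some of these combinations with
an error and silently ignores others.
"""
from typing import Dict, List

# Valid ssl-custom-cipher values listed in the reference.
VALID_CIPHERS = frozenset("""
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM
DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256 DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-CCM8 ECDHE-ECDSA-AES128-CCM
DHE-RSA-AES128-CCM8 DHE-RSA-AES128-CCM ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256
ECDHE-ECDSA-CAMELLIA256-SHA384 ECDHE-RSA-CAMELLIA256-SHA384
DHE-RSA-CAMELLIA256-SHA256 DHE-DSS-CAMELLIA256-SHA256
ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256
ECDHE-RSA-CAMELLIA128-SHA256 DHE-RSA-CAMELLIA128-SHA256
DHE-DSS-CAMELLIA128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA AES256-GCM-SHA384 AES256-CCM8 AES256-CCM
AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES256-SHA256 CAMELLIA256-SHA256
AES128-SHA256 CAMELLIA128-SHA256 AES256-SHA CAMELLIA256-SHA AES128-SHA
CAMELLIA128-SHA DHE-RSA-SEED-SHA ECDHE_RSA_DES_CBC3_SHA DES_CBC3_SHA
""".split())

# The ssl-custom-cipher default from the reference's Default column.
DEFAULT_CUSTOM_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
    "AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES256-SHA256", "AES128-SHA256",
)

VALID_TLS13_CIPHERS = frozenset([
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
])
FFDHE_GROUPS = frozenset(
    ["ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144", "ffdhe8192"])

# Defaults from the reference's Default column.  http2 is documented on
# another page, so it gets no default here and counts as disabled.
DEFAULTS = {"ssl-cipher": "medium", "tls-v10": "enable", "tls-v11": "enable",
            "tls-v12": "enable", "tls-v13": "disable",
            "rfc7919-comply": "disable"}


def is_dhe(cipher: str) -> bool:
    """Finite-field DHE suites (DHE-RSA-*, DHE-DSS-*).  ECDHE suites do
    not use the RFC 7919 groups, so they do not count; that reading of
    "DHE cipher" is this example's assumption."""
    return cipher.startswith("DHE-")


def check_pserver_ssl(settings: Dict) -> List[str]:
    """Return the list of constraint violations (empty when consistent)."""
    s = {**DEFAULTS, **settings}
    ciphers = s.get("ssl-custom-cipher", [])
    problems = [f"unknown ssl-custom-cipher {c}"
                for c in ciphers if c not in VALID_CIPHERS]
    problems += [f"unknown tls13-custom-cipher {c}"
                 for c in s.get("tls13-custom-cipher", [])
                 if c not in VALID_TLS13_CIPHERS]

    custom = s["ssl-cipher"] == "custom"
    if custom and not ciphers:
        problems.append("ssl-cipher custom requires ssl-custom-cipher")

    if s.get("http2") == "enable":
        if custom:
            problems.append("do not set ssl-cipher custom while http2 is enabled")
        problems += [f"{v} must be disabled while http2 is enabled"
                     for v in ("tls-v10", "tls-v11") if s[v] == "enable"]

    if s["rfc7919-comply"] == "enable":
        if not custom:
            problems.append("rfc7919-comply requires ssl-cipher custom")
        if not FFDHE_GROUPS & set(s.get("supported-groups", [])):
            problems.append("rfc7919-comply requires at least one ffdhe group")
        if not any(is_dhe(c) for c in ciphers):
            problems.append("rfc7919-comply requires at least one DHE cipher")
        pre13 = [v for v in ("tls-v10", "tls-v11", "tls-v12") if s[v] == "enable"]
        if s["tls-v13"] == "enable" and not pre13:
            problems.append("rfc7919-comply has no effect with only tls-v13 enabled")
    return problems
```

The checker deliberately reports the "no effect" case for rfc7919-comply with only tls-v13 enabled alongside the hard errors, because the appliance accepts that configuration silently and the operator would otherwise not notice that the FFDHE groups are never negotiated.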

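The recover, warm-up and warm-rate settings described in the table above form one ramp: nothing is forwarded during the recover period, then the permitted number of new connections grows by warm-rate every second for warm-up seconds. The following Python model is an added example, not FortiWeb code; it reproduces the arithmetic the reference gives for warm-up 5 and warm-rate 2 and generalises it to include the recover period and the valid ranges, so that the three values can be sanity-checked together before they are set on a pool member.

```python
"""Model of the recover / warm-up / warm-rate ramp of a pool member.

Added example, not FortiWeb code: it reproduces the arithmetic the
reference gives for warm-up 5 and warm-rate 2 and extends it to the
recover period, so the three settings can be checked together.
"""
from typing import List, Optional

SECONDS_MAX = 86_400  # upper bound of the valid range of all three settings


def new_connection_budget(second: int, recover: int = 0, warm_up: int = 0,
                          warm_rate: int = 10) -> Optional[int]:
    """Total new connections the member may receive by `second` seconds
    after a health check marks it available again.

    0 during the recover period (nothing is forwarded), warm_rate more
    for every second of the warm-up period, and None (no limit imposed
    by these settings) once the warm-up period is over.
    """
    if not (0 <= recover <= SECONDS_MAX and 0 <= warm_up <= SECONDS_MAX):
        raise ValueError("recover and warm-up must be within 0-86400")
    if not (1 <= warm_rate <= SECONDS_MAX):
        raise ValueError("warm-rate must be within 1-86400")
    if second < 1:
        raise ValueError("seconds are counted from 1")
    if second <= recover:
        return 0
    ramp_second = second - recover          # 1st, 2nd, ... second of warm-up
    if ramp_second <= warm_up:
        return warm_rate * ramp_second
    return None


def ramp_schedule(recover: int, warm_up: int,
                  warm_rate: int) -> List[Optional[int]]:
    """Per-second budgets covering the whole recover + warm-up window."""
    return [new_connection_budget(s, recover, warm_up, warm_rate)
            for s in range(1, recover + warm_up + 1)]
```

With recover 0, warm-up 5 and warm-rate 2 the schedule is the 2, 4, 6, 8, 10 sequence the reference lists; a non-zero recover simply prepends that many zero seconds, and warm-up 0 (the default) disables the ramp entirely.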
Related topics

• server-policy policy on page 140
• server-policy http-content-routing-policy on page 110
• system certificate local on page 237
• server-policy health on page 105
• server-policy persistence-policy on page 136
• waf ftp-protection-profile on page 463
• system feature-visibility on page 263

server-policy service custom

Use this command to configure a custom service.

You can add custom services to a policy to define the protocol and listening port of a virtual server. For details, see server-policy policy on page 140.
To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions on page 46.

Syntax
config server-policy service custom
edit "<service_name>"
set port <port_int>
set protocol TCP
next
end

Variable Description Default

"<service_name>"
  Enter the name of the new or existing custom network service. The maximum length is 63 characters.
  To display the list of existing services, enter:
  edit ?
  Default: No default.

port <port_int>
  Enter the port number on which a virtual server will receive TCP/IP connections for HTTP or HTTPS requests. The valid range is 1–65,535.
  Default: No default.

Example

This example configures a service definition named SOAP1.


config server-policy service custom
edit "SOAP1"
set port 8081
set protocol TCP
next
end

Related topics

• server-policy vserver on page 199
• server-policy policy on page 140
• server-policy custom-application application-policy on page 1

server-policy service predefined

Use this command to view a predefined service.

This command only displays predefined services. It cannot be used to modify them.
If you attempt to edit the port number and protocol, the appliance will discard your
settings.

Predefined Internet services can be selected in a policy in order to define the protocol and listening port of a virtual
server. For details, see server-policy policy on page 140.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
traroutegrp area. For details, see Permissions on page 46.

Syntax
config server-policy service predefined
edit "<service_name>"
show
next
end

Variable Description Default

"<service_name>"
  Enter the name of a predefined network service, such as HTTP or HTTPS. The maximum length is 63 characters.
  To display the list of existing services, enter:
  edit ?
  Default: No default.

Example

This example shows the default settings for all of the predefined services.
config server-policy service predefined
show

Output:
config server-policy service predefined
  edit HTTP
    set port 80
    set protocol TCP
  next
  edit HTTPS
    set port 443
    set protocol TCP
  next
end

Related topics

• server-policy vserver on page 199
• server-policy policy on page 140
• server-policy service custom on page 193

server-policy setting

Use this command to configure the server policy settings.

Syntax
config server-policy setting
set core-file-count <core-file-count_int>
set enable-core-file {enable | disable | enable-best-effort}
set enable-session-statistics {enable | disable}
set enable-single-worker {enable | disable}
set hsm {enable | disable}
set no-session-limit {enable | disable}
set no-ssl-encrypt-then-mac {enable | disable}
set offline-session-timeout {seconds_int}
set use-first-ack-mac {enable | disable}
set dpdk {enable | disable}
set high-compatibility-mode {enable | disable}
set graceful-shutdown {enable | disable}
set server-pool-connection-limit-log {enable | disable}
set tls13-early-data-mode {enable | disable}
set record-content-routing-error-log {enable | disable}
set server-invalid-no-reponse {enable | disable}
    set using-dns-proxy {enable | disable}
set df-flag {enable | disable}
set tls12-compatible-sigalg {enable | disable}
set corefile-ha-failover {enable | disable}
set reverse-dns-cache-timeout <int>
end

Variable Description Default

core-file-count <core-file-count_int>
  The maximum number of core dump files. The valid values are 3 and 5.
  Default: No default

enable-core-file {enable | disable | enable-best-effort}
  disable: Disable coredump for proxyd.
  enable: Enable the coredump action for proxyd. It stops if the coredump cannot finish within the hung task timeout seconds.
  enable-best-effort: Enable the coredump action for proxyd. It continues until the entire core file is generated. This option is useful to analyze a tough issue, though it may cause your service to stop responding for a long time.
  Default: disable

enable-session-statistics {enable | disable}
  Enable/disable session statistics for FortiView.
  Default: No default

enable-single-worker {enable | disable}
  Enable/disable single worker mode. If enabled, there is only one worker thread to handle the traffic. It is usually used for diagnostics only.
  Default: No default

hsm {enable | disable}
  Specifies whether the settings you use to integrate FortiWeb with an HSM (hardware security module) are displayed in the web UI.
  Default: No default

no-session-limit {enable | disable}
  Enable to remove the limit on the maximum concurrent sessions of FortiWeb-VM.
  If this option is disabled, the maximum concurrent sessions for all the policies on a VM is 20,000 (2 vCPUs), 50,000 (4 vCPUs), or 100,000 (8 vCPUs); for each policy, the number is 8,000 (2 vCPUs), 15,000 (4 vCPUs), or 50,000 (8 vCPUs).
  Default: No default

no-ssl-encrypt-then-mac {enable | disable}
  Disable to include the encrypt-then-mac extension in the packets sent by the client.
  Default: disable

use-first-ack-mac {enable | disable}
  Once enabled, machine learning only observes the source MAC of the two ACK packets for a URL at the three-way handshake.
  If disabled, machine learning observes all ACK packets, which keeps refreshing the MAC, with the performance affected.
  Default: enable

dpdk {enable | disable}
  Enable/disable DPDK for packet processing.
  Default: No default

high-compatibility-mode {enable | disable}
  Enable to accelerate SSL transport.
  The setting works on certain hardware platforms which have an SSL acceleration card. When enabled, the SSL acceleration card performs SSL traffic acceleration for SSL encryption and decryption.
  Default: disable

offline-session-timeout {seconds_int}
  This setting only works in Offline Protection mode.
  It is a session optimization option. FortiWeb's resources are unnecessarily consumed if a connection is kept open indefinitely. With this option, you can configure the session timeout value to avoid sessions staying open for too long.
  The valid range is 30–1200 seconds.
  Default: No default

graceful-shutdown {enable | disable}
  If disabled, the peer TCP connections are reset during system shutdown.
  Default: enable

server-pool-connection-limit-log {enable | disable}
  Enable to send a warning level event log when the connection number of a real server reaches the limit.
  Default: disable

tls13-early-data-mode {enable | disable}
  Enable 0-RTT in TLS 1.3.
  Default: disable

record-content-routing-error-log {enable | disable}
  If enabled, the reason for the content routing failure is recorded in the event log.
  Default: disable

server-invalid-no-reponse {enable | disable}
  Enable this option so that FortiWeb closes the client connection when all the servers in the server pool are unresponsive.
  Default: disable

using-dns-proxy {enable | disable}
  This option is enabled by default. If it is disabled, the system uses getaddrinfo to resolve the domain name.
  Default: enable

df-flag {enable | disable}
  Enable to allow FortiWeb to send packets without the DF flag, so that they can pass through a device with a low MTU.
  Default: disable

tls12-compatible-sigalg {enable | disable}
  When tls12-compatible-sigalg is enabled, signature algorithm negotiation in the TLS handshake for FortiWeb behaves exactly the same as OpenSSL 1.1.0.
  Please note that executing this command causes proxyd to restart, so all current sessions are dropped.
  This command is specific to a very rare case. Do not use it unless suggested by the Fortinet support team.
  Default: disable

corefile-ha-failover {enable | disable}
  Enable to trigger HA fail-over upon a proxyd coredump, so that the secondary node can immediately take over the traffic while the coredump file is being generated on the primary node.
  Note the following when using this command:
  • You should set enable-core-file to enable or enable-best-effort for corefile-ha-failover to work.
  • The enable-core-file and corefile-ha-failover attributes are NOT synchronized to other devices in the same HA group, so you need to configure these settings on each device if needed.
  • Currently only the proxyd daemon coredump can trigger corefile-ha-failover. Other daemons can't trigger it.
  • This function works in active-passive and active-active standard HA modes. It is not suggested to enable it in HA Manager mode on public clouds, because usually the load balancer in front of the FortiWeb devices performs health checks and guarantees that traffic is dispatched to the healthy nodes.
  • It is recommended to enable this option only on one FortiWeb, usually the primary device. Otherwise a proxyd coredump occurring on both devices may lead to HA fail-over back and forth between the two devices.
  Default: disable

reverse-dns-cache-timeout <int>
  The system caches the reverse DNS lookup results. You can set the reverse-dns-cache-timeout value so that the cached items are removed after the expiration time.
  The valid range is 1–1440.
  Default: 60 (minutes)

Related topics

• server-policy vserver on page 199
• server-policy policy on page 140

server-policy traffic-mirror

Use this command to configure FortiWeb to send traffic to third-party IPS/IDS devices through network interfaces for traffic monitoring in Reverse Proxy and True Transparent Proxy modes.
See system feature-visibility on page 263 for how to enable traffic mirroring first.

Syntax
config server-policy traffic-mirror
edit "<traffic-mirror_name>"
config mirror-rule
edit <mirror-rule_str>
set mode {direct | switch | server}
set interface <interface_int>
set destination-mac <destination-mac_str>
set server-ip <server-ip_str>
set server-port <server-port_int>
next
end
next
end

Variable Description Default

"<traffic-mirror_name>"
    Enter a name for the traffic mirror policy.
    Default: No default.

mirror-rule <mirror-rule_str>
    Select the sequence number of the mirror rule created.
    Default: No default.

mode {direct | switch | server}
    Select one of the three modes:
    • Direct—the mirrored packets are sent directly to the IPS/IDS devices.
    • Switch—the mirrored packets are sent to the IPS/IDS devices through the switch.
    • Server—the mirrored packets are sent to the designated IP of the IPS/IDS devices.
    Default: direct

interface <interface_int>
    When the mode is Direct, select the FortiWeb port that connects to the IPS/IDS device.
    When the mode is Switch, select the FortiWeb port that connects to the switch.
    Default: No default.

destination-mac <destination-mac_str>
    Type the MAC address of the IPS/IDS interface that the traffic from FortiWeb goes to. Available only when mode {direct | switch | server} on page 199 is Switch.
    Default: No default.

server-ip <server-ip_str>
    Enter the designated IP of the IPS/IDS devices. Available only when mode {direct | switch | server} on page 199 is Server.
    Default: No default.

server-port <server-port_int>
    Enter the HTTP port that the IPS/IDS devices listen on. Available only when mode {direct | switch | server} on page 199 is Server.
    Default: No default.

Example

This example configures a traffic mirror policy.

config server-policy traffic-mirror
edit policy1
config mirror-rule
edit 2
set mode direct
set interface port1
next
end
next
end

Related topics

• system feature-visibility on page 263

server-policy vserver

Use this command to configure virtual servers.

Before you can create a policy, you must first configure a virtual server, which defines the network interface or bridge and IP address on which traffic destined for an individual physical server or server farm will arrive.
When the FortiWeb appliance receives traffic destined for a virtual server, it can then forward the traffic to a physical server or a server farm. The FortiWeb appliance identifies traffic as being destined for a specific virtual server if:
• The traffic arrives on the network interface or bridge associated with the virtual server
• For Reverse Proxy mode, the destination address is the IP address of a virtual server (the destination IP address is ignored in other operation modes, except that it must not be identical with the physical server’s IP address)

Virtual servers can be on the same subnet as physical servers. This configuration creates a one-arm HTTP proxy. For example, the virtual server 192.0.2.1/24 could forward to the physical server 192.0.2.2.
However, this is not recommended. Unless your network’s routing configuration prevents it, it could allow attackers that are aware of the physical server’s IP address to bypass FortiWeb by accessing the physical server directly.

To apply virtual servers, select them within a server policy. For details, see server-policy policy on page 140.
To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions on page 46.

Syntax
config server-policy vserver
edit "<virtual-server_name>"
config vip-list
edit "<vip-list_id>"
set interface "<interface_name>"
set status {enable | disable}
set vip "<vip_str>"
set use-interface-ip {enable | disable}
next
end
next
end

Variable Description Default

"<virtual-server_name>"
    Enter the name of the new or existing virtual server. The maximum length is 63 characters.
    To display the list of existing servers, enter:
    edit ?
    Default: disable

"<vip-list_id>"
    Enter the sequence number of the virtual IP in the table.
    Default: No default.

status {enable | disable}
    Enable to accept traffic destined for this virtual server.
    Default: No default.

interface "<interface_name>"
    Enter the name of the network interface or bridge, such as port1 or bridge1, to which the virtual server is bound, and on which traffic destined for the virtual server will arrive. The maximum length is 63 characters.
    To display the list of existing interfaces, enter:
    edit ?
    Default: No default.

vip "<vip_str>"
    Enter the IPv4 or IPv6 address and subnet of the virtual server.
    Default: 0.0.0.0 (IPv4), ::/0 (IPv6)

use-interface-ip {enable | disable}
    For FortiWeb-VM on Microsoft Azure, specify whether the virtual server uses the IP address of the specified interface, instead of an IP specified by vip or vip6.
    Default: disable

Example

This example configures a virtual server named inline_vip1 on the network interface named port1.
The port number on which the virtual server will receive traffic is defined separately, in the policies that use this virtual server definition.
config server-policy vserver
edit "inline_vip1"
config vip-list
edit 2
set interface port1
set status enable
set vip "192.0.2.1 255.255.255.0"
next
end
next
end

Related topics

• system interface on page 312
• server-policy policy on page 140
• server-policy service custom on page 193
• ping on page 768
• network ip on page 717

server-policy ztna-profile

Use this command to configure a ZTNA profile.

For more information on ZTNA, please refer to "Chapter: Zero Trust Network Access (ZTNA)" in the FortiWeb Administration Guide.
To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions on page 46.

Syntax
config server-policy ztna-profile
edit <ztna-profile_name>
set action {pass | alert_deny | deny_no_log}
config rule list
edit <rule-list_index>
set rule-name <ztna-rule_name>
next
end
next
end

Variable Description Default

"<ztna-profile_name>"
    Enter the name of the ZTNA profile. The maximum length is 63 characters.
    To display the list of existing profiles, enter:
    edit ?
    Default: No default.

action {pass | alert_deny | deny_no_log}
    Select the action to be taken when the request matches the policy.
    • pass—Accept the request.
    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    • deny_no_log—Deny the request. Do not generate a log message.
    Default: pass

<rule-list_index>
    Enter the rule list index number.
    Default: No default.

rule-name <ztna-rule_name>
    Enter the ZTNA rule name.
    See server-policy ztna-rule on page 203 for how to create ZTNA rules.
    Default: No default.

Related topics

• system endpoint-control on page 730
• server-policy ztna-profile on page 201
• server-policy ztna-rule on page 203


server-policy ztna-rule

Use this command to configure a ZTNA rule.

For more information on ZTNA, please refer to "Chapter: Zero Trust Network Access (ZTNA)" in the FortiWeb Administration Guide.
To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions on page 46.

Syntax
config server-policy ztna-rule
edit <ztna-rule_name>
set action {pass | alert_deny | deny_no_log}
config ems-tag-condition
edit <ems-tag-condition_index>
set ems-tag <tag_name>
set combine {and | or}
next
end
config source-address-condition
edit <source-address-condition_index>
set source-address <IP_address>
next
end
config geo-condition
edit <geo-condition_index>
set country-list <country>
next
end
next
end

Variable Description Default

"<ztna-rule_name>"
    Enter the name of the ZTNA rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

action {pass | alert_deny | deny_no_log}
    Select the action to be taken when the request matches the rule.
    • pass—Accept the request.
    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    • deny_no_log—Deny the request. Do not generate a log message.
    Default: pass

<ems-tag-condition_index>
    Enter the EMS tag condition index number.
    Default: No default.

ems-tag <tag_name>
    Enter the EMS tag to match.
    The EMS tags are automatically synchronized from FortiClient EMS.
    Default: No default.

combine {and | or}
    and means the request matches only if it has all the tags specified;
    or means the request matches if it has any of the tags specified.
    Default: and

<source-address-condition_index>
    Enter the source IP address condition index number.
    Default: No default.

source-address <IP_address>
    Enter one of the following values in Source IPv4/IPv6/IP Range:
    • A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 192.0.2.109).
    • A range of addresses (e.g., 192.0.2.1-192.0.2.256 or 10:200::10:1-10:200:10:100).
    Default: No default.

<geo-condition_index>
    Enter the GEO country condition index number.
    Default: No default.

country-list <country>
    Enter the countries to match.
    Default: No default.

If multiple conditions are added in one ZTNA rule, the matching logic is:
• For conditions of different types (Source IP, GEO and ZTNA Tags), their relationship is ALL (every configured type must match).
• For conditions of the same type, their relationship is OR.
If a request matches the conditions specified in the rule, FortiWeb takes the corresponding action specified in the rule.
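The matching logic above (different condition types ANDed, same-type conditions ORed, EMS tags combined by `combine`), as an added example that is not Fortinet's code and not a FortiWeb CLI command; `ZtnaRule`, `rule_action`, the sample tags, countries and addresses are constructed for this illustration, and a rule with no conditions is treated as matching nothing, which is an assumption the reference does not state.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ZtnaRule:
    """One server-policy ztna-rule entry. Field names are constructed for this example."""
    name: str
    action: str = "pass"                                   # pass | alert_deny | deny_no_log
    ems_tags: list = field(default_factory=list)           # config ems-tag-condition entries
    combine: str = "and"                                   # set combine {and | or}
    source_addresses: list = field(default_factory=list)   # single IPs or "start-end" ranges
    countries: list = field(default_factory=list)          # config geo-condition entries


def source_condition_matches(client_ip: str, condition: str) -> bool:
    """A source-address condition is a single address or a 'start-end' range."""
    addr = ipaddress.ip_address(client_ip)
    if "-" in condition:
        lo_s, hi_s = condition.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        # Versions are compared first: ipaddress raises on v4/v6 ordering comparisons.
        return addr.version == lo.version == hi.version and lo <= addr <= hi
    return addr == ipaddress.ip_address(condition.strip())


def ems_tags_match(client_tags, rule: ZtnaRule) -> bool:
    """'and': the endpoint must carry every tag; 'or': any one tag suffices."""
    wanted, present = set(rule.ems_tags), set(client_tags)
    if rule.combine == "and":
        return wanted <= present
    return bool(wanted & present)


def rule_matches(rule: ZtnaRule, client_ip: str, country: str, client_tags) -> bool:
    """Conditions of different types are ANDed; conditions of the same type
    (source IP, GEO) are ORed; EMS tags follow the rule's combine setting.
    A rule with no conditions is treated as matching nothing (assumption)."""
    per_type = []
    if rule.source_addresses:
        per_type.append(any(source_condition_matches(client_ip, c) for c in rule.source_addresses))
    if rule.countries:
        per_type.append(country in rule.countries)
    if rule.ems_tags:
        per_type.append(ems_tags_match(client_tags, rule))
    return bool(per_type) and all(per_type)


def rule_action(rule: ZtnaRule, client_ip: str, country: str, client_tags):
    """Return the rule's action when the request matches it, otherwise None."""
    return rule.action if rule_matches(rule, client_ip, country, client_tags) else None


# Constructed sample rule: clients on a trusted host or inside an IPv6 range,
# geolocated in the US or Canada, whose endpoint carries both EMS tags.
ADMIN_RULE = ZtnaRule(
    name="admin_access",
    action="pass",
    ems_tags=["Compliant", "Managed"],
    combine="and",
    source_addresses=["192.0.2.109", "10:200::10:1-10:200::10:100"],
    countries=["US", "CA"],
)

if __name__ == "__main__":
    print(rule_action(ADMIN_RULE, "192.0.2.109", "US", ["Compliant", "Managed"]))  # pass
    print(rule_action(ADMIN_RULE, "192.0.2.109", "DE", ["Compliant", "Managed"]))  # None
    print(rule_action(ADMIN_RULE, "10:200::10:50", "CA", ["Compliant"]))          # None
```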

Related topics

• system endpoint-control on page 730
• server-policy ztna-rule on page 203
• server-policy ztna-profile on page 201

system accprofile

Use this command to configure access control profiles for administrators.

If you have configured RADIUS queries for authenticating administrators, you can override the locally-selected access profile by using a RADIUS VSA. For details, see system admin on page 207.

Access profiles determine administrator accounts’ permissions.

When an administrator has only read access to a feature, the administrator can access the web UI page for that feature, and can use the get and show CLI commands for that feature, but cannot make changes to the configuration. There are no Create or Apply buttons, or config CLI commands. Lists display only the View icon instead of icons for Edit, Delete or other modification commands. Write access is required for modification of any kind.
In larger companies where multiple administrators divide the share of work, access profiles often reflect the specific job that each administrator does (“role”), such as user account creation or log auditing. Access profiles can limit each administrator account to their assigned role. This is sometimes called role-based access control (RBAC).
The prof_admin access profile, a special access profile assigned to the admin administrator account and required by it, does not appear in the list of access profiles. It exists by default and cannot be changed or deleted, and consists of essentially UNIX root-like permissions.
If you create more administrator accounts, whether to harden security or simply to prevent accidental modification, create other access profiles with the minimal degrees and areas of access that each role requires. Then assign each administrator account the appropriate role-based access profile.
For example, for a person whose only role is to audit the log messages, you might make an access profile named auditor that only has Read permissions to the Log & Report area.
For information on how each access control area correlates to which CLI commands administrators can access, see Permissions on page 46.
To use this command, your administrator account’s access control profile must have both r and w permissions to items in the admingrp category.

Syntax
config system accprofile
edit "<access-profile_name>"
set admingrp {none | r | rw | w}
set authusergrp {none | r | rw | w}
set loggrp {none | r | rw | w}
set mlgrp {none | r | rw | w}
set mntgrp {none | r | rw | w}
set netgrp {none | r | rw | w}
set sysgrp {none | r | rw | w}
set traroutegrp {none | r | rw | w}
set syncookie {enable | disable}
set wadgrp {none | r | rw | w}
set webgrp {none | r | rw | w}
set wvsgrp {none | r | rw | w}
next
end

Variable Description Default

"<access-profile_name>"
    Enter the name of the access profile. The maximum length is 63 characters.
    To display the list of existing profiles, enter:
    edit ?
    Default: No default.

admingrp {none | r | rw | w}
    Enter the degree of access that administrator accounts using this access profile will have to the system administrator configuration.
    Available only when administrative domains (ADOMs) are disabled. For details, see .
    Default: none

authusergrp {none | r | rw | w}
    Enter the degree of access that administrator accounts using this access profile will have to the HTTP authentication user configuration.
    Default: none

loggrp {none | r | rw | w}
    Enter the degree of access that administrator accounts using this access profile will have to the logging and alert email configuration.
    Default: none

mlgrp {none | r | rw | w}
    Enter the degree of access that administrator accounts using this access profile will have to the machine learning configuration.
    Default: none

mntgrp {none | r | rw | w}
    Enter the degree of access that administrator accounts using this access profile will have to maintenance commands.
    Unlike the other rows, whose scope is an area of the configuration, the maintenance access control area does not affect the configuration. Instead, it indicates whether the administrator can perform special system operations such as changing the firmware.
    Default: none

netgrp {none | r | rw | w}
    Enter the degree of access that administrator accounts using this access profile will have to the network interface and routing configuration.
    Default: none

sysgrp {none | r | rw | w}
    Enter the degree of access that administrator accounts using this access profile will have to the basic system configuration (except for areas included in other access control areas such as admingrp).
    Default: none

traroutegrp {none | r | rw | w}
    Enter the degree of access that administrator accounts using this access profile will have to the server policy (formerly called traffic routing) configuration.
    Default: none

wadgrp {none | r | rw | w}
    Enter the degree of access that administrator accounts using this access profile will have to the web anti-defacement configuration.
    Default: none

webgrp {none | r | rw | w}
    Enter the degree of access that administrator accounts using this access profile will have to the web protection profile configuration.
    Default: none

wvsgrp {none | r | rw | w}
    Enter the degree of access that administrator accounts using this access profile will have to the web vulnerability scanner.
    Default: none

Example

This example configures an administrator access profile named full_access, which permits both read and write access to all special operations and parts of the configuration.

Even though this access profile configures full access, administrator accounts using this access profile will not be fully equivalent to the admin administrator. The admin administrator has some special privileges that are inherent in that account and cannot be granted through an access profile, such as the ability to reset other administrators’ passwords without knowing their current password. Other accounts should therefore not be considered a substitute, even if they are granted full access.

config system accprofile
edit "full_access"
set admingrp rw
set authusergrp rw
set loggrp rw
set mlgrp rw
set mntgrp rw
set netgrp rw
set sysgrp rw
set traroutegrp rw
set wadgrp rw
set webgrp rw
set wvsgrp rw
next
end

Related topics

• system admin on page 207
• server-policy custom-application application-policy on page 1
• Permissions on page 46

system admin

Use this command to configure FortiWeb administrator accounts. In its factory default configuration, a FortiWeb appliance has one administrator account, named admin. That administrator has permissions that grant full access to the FortiWeb configuration and firmware. After connecting to the web UI or the CLI using the admin administrator account, you can configure additional administrator accounts with various levels of access to different parts of the FortiWeb configuration.

Administrators can access the web UI and the CLI through the network, depending on the administrator account’s trusted hosts, ADOMs, and the administrative access protocols enabled for each of the FortiWeb appliance’s network interfaces. For details, see system interface on page 312, , and Connecting to the CLI on page 33.

To prevent multiple administrators from logging in simultaneously, which could allow them to inadvertently overwrite each other’s changes, enable . For details, see .

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions on page 46.

Syntax
config system admin
edit "<administrator_name>"
set accprofile "<access-profile_name>"
set accprofile-override {enable | disable}
set domains "<adom_name>"
set password "<password_str>"
set email-address "<contact_email>"
set first-name "<name_str>"
set last-name "<surname_str>"
set mobile-number "<cell-phone_str>"
set phone-number "<phone_str>"
set trusthosts "<management-computer_ipv4mask>"
set ip6trusthosts "<management-computer_ipv6mask>"
set type {local-user | remote-user}
set admin-usergroup "<remote-auth-group_name>"
set wildcard {enable | disable}
set sshkey "<sshkey_str>"
set force-password-change {enable | disable}
next
end

Variable Description Default

"<administrator_name>"
    Enter the name of the administrator account, such as admin1 or [email protected], that can be referenced in other parts of the configuration.
    Do not use spaces or special characters except the ‘at’ symbol ( @ ). The maximum length is 63 characters.
    To display the list of existing accounts, enter:
    edit ?
    Note: This is the user name that the administrator must provide when logging in to the CLI or web UI. If using an external authentication server such as RADIUS or Active Directory, this name will be passed to the server via the remote authentication query.
    Default: No default.

accprofile "<access-profile_name>"
    Enter the name of an access profile that gives the permissions for this administrator account. See also system accprofile on page 204. The maximum length is 63 characters.
    You can select prof_admin, a special access profile used by the admin administrator account. However, selecting this access profile will not confer all of the same permissions as the admin administrator. For example, the new administrator would not be able to reset lost administrator passwords.
    To display the list of existing profiles, enter:
    edit ?
    Tip: Alternatively, if your administrator accounts authenticate via a RADIUS query, you can assign their access profile through the RADIUS server using RFC 2548 (HTTP://www.ietf.org/rfc/rfc2548.txt) Microsoft Vendor-specific RADIUS Attributes.
    On the RADIUS server, create an attribute named:
    ATTRIBUTE FortiWeb-Access-Profile 6
    then set its value to the name of the access profile that you want to assign to this account. Finally, in the CLI, use accprofile-override {enable | disable} on page 209 to enable the override.
    If no profile is assigned on the RADIUS server, or if it does not match the name of an existing access profile on FortiWeb, FortiWeb falls back to the one locally assigned by this setting.
    Default: No default.

accprofile-override {enable | disable}
    Enable to use the access profile indicated by the RADIUS query response, and ignore accprofile "<access-profile_name>" on page 209.
    This setting applies only if admin-usergroup "<remote-auth-group_name>" on page 211 is configured to use a RADIUS query to authenticate this account.
    This setting applies only if ADOMs are enabled. See .
    Default: disable

domains "<adom_name>"
    Enter the name of the administrative domain (ADOM) to assign this administrative account to and restrict it to.
    You can set multiple ADOMs, each separated with a comma ",".
    This setting applies only if ADOMs are enabled.
    Default: No default.

password "<password_str>"
    Enter a password for the administrator account. The maximum length is 32 characters. The minimum length is 1 character.
    For improved security, the password should be at least 8 characters long, be sufficiently complex, and be changed regularly.
    This setting applies only when type is local-user. For accounts defined on a remote authentication server, the FortiWeb appliance will instead query the server to verify whether the password given during a login attempt matches the account’s definition.
    Default: No default.

email-address "<contact_email>"
    Enter an email address that can be used to contact this administrator. The maximum length is 63 characters.
    Default: No default.

first-name "<name_str>"
    Enter the first name of the administrator. The maximum length is 63 characters.
    Default: No default.

last-name "<surname_str>"
    Enter the surname of the administrator. The maximum length is 63 characters.
    Default: No default.

mobile-number "<cell-phone_str>"
    Enter a cell phone number that can be used to contact this administrator. The maximum length is 63 characters.
    Default: No default.

phone-number "<phone_str>"
    Enter a phone number that can be used to contact this administrator. The maximum length is 63 characters.
    Default: No default.

trusthosts "<management-computer_ipv4mask>"
    Enter the IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance.
    You can specify up to 10 trusted hosts, separated with spaces.
    To allow login attempts from any IP address, enter 0.0.0.0/0.0.0.0. If you allow administrators to log in from any IP address, consider choosing a longer and more complex password, and limiting administrative access to secure protocols to minimize the security risk. For details about administrative access protocols, see system interface on page 312.
    Note: For improved security, restrict all three trusted host addresses to the IP addresses of computers from which only this administrator will log in.
    Default: 0.0.0.0 0.0.0.0

ip6trusthosts "<management-computer_ipv6mask>"
    Enter the IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance.
    You can specify up to 10 trusted hosts, separated with spaces.
    To allow login attempts from any IP address, enter ::/0.
    Caution: If you allow logins from any IP address, consider choosing a longer and more complex password, and limiting administrative access to secure protocols to minimize the security risk. Unlike IPv4, IPv6 does not isolate public from private networks via NAT, and therefore can increase the availability of your FortiWeb’s web UI/CLI to IPv6 attackers unless you have carefully configured your firewall/FortiGate and routers. For details about administrative access protocols, see system interface on page 312.
    Note: For improved security, restrict all three trusted host addresses to the IP addresses of computers from which only this administrator will log in.
    Default: ::/0

type {local-user | remote-user}
    Select either:
    • local-user—Authenticate this account locally, with the FortiWeb appliance itself.
    • remote-user—Authenticate this account via a remote server such as an LDAP or RADIUS server. Also configure admin-usergroup "<remote-auth-group_name>" on page 211.
      If there is only one account configured on FortiWeb (i.e. the admin user), before setting it as a remote user, make sure the remote authentication server is safe and stable. If the remote authentication server is damaged and the account credentials are lost, FortiWeb can't recover it, which means the only account that can log in to FortiWeb is lost. The configuration will be lost and you will need to re-install the FortiWeb image.
    Default: No default.

admin-usergroup "<remote-auth-group_name>"
    Enter the name of the remote authentication group whose settings the FortiWeb appliance will use to connect to a remote authentication server when authenticating login attempts for this account. The maximum length is 63 characters.
    To display the list of existing groups, enter:
    edit ?
    For details about configuring remote authentication groups, see user admin-usergrp on page 358.
    Default: No default.

wildcard {enable | disable}
    Used when administrator accounts authenticate via a RADIUS query.
    This setting applies only if the value of type {local-user | remote-user} on page 211 is remote-user.
    Default: No default.

sshkey "<sshkey_str>"
    The public key used for connecting to the CLI using a public-private key pair.
    For more information on connecting to the CLI using a public-private key pair, see “Connecting to the CLI” in the FortiWeb Administration Guide:
    HTTP://docs.fortinet.com/fortiweb/admin-guides
    Default: No default.

force-password-change {enable | disable}
    Enable/disable a forced password change at the next login.
    This field can be configured only when Password Policy is enabled in System > Admin > Settings.
    Default: disable

Example

This example configures an administrator account with an access profile that grants only permission to read logs. This account can log in only from an IP address on the management LAN (192.0.2.1/24), or from one of two specific IP addresses (192.0.2.15 and 192.0.2.50).
config system admin
edit "log-auditor"
set accprofile "log_read_access"
set password "P@ssw0rd"
set email-address "[email protected]"
set trusthost1 "192.0.2.1 255.255.255.0"
set trusthost2 "192.0.2.15 255.255.255.255"
set trusthost3 "192.0.2.50 255.255.255.255"
set force-password-change enable
next
end

To display all dashboard status and widget settings, enter:

config system admin
show
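The trusted-host allow-list, the accprofile-override fallback to the local profile, and the read/write semantics of access profile levels described in this command and in system accprofile, modelled as an added example that is not Fortinet's code and not a FortiWeb CLI command; the function names, the `auth_via_radius` flag (standing in for an admin-usergroup that uses a RADIUS query) and the sample profiles and trusted hosts are constructed for this illustration.

```python
import ipaddress

# Constructed trusted-host lists in the form the reference uses ("address netmask"
# for IPv4; ::/0 or prefix form for IPv6). ip6trusthosts is left at its default ::/0.
TRUSTHOSTS = ["192.0.2.1 255.255.255.0", "192.0.2.15 255.255.255.255", "192.0.2.50 255.255.255.255"]
IP6TRUSTHOSTS = ["::/0"]

# Constructed access profiles (see system accprofile): an auditor gets read-only
# access to the logging area and nothing else; full_access gets rw everywhere.
AREAS = ("admingrp", "authusergrp", "loggrp", "mlgrp", "mntgrp", "netgrp",
         "sysgrp", "traroutegrp", "wadgrp", "webgrp", "wvsgrp")
PROFILES = {
    "log_read_access": {"loggrp": "r"},
    "full_access": {area: "rw" for area in AREAS},
}


def parse_trusthost(entry: str):
    """'192.0.2.1 255.255.255.0', '0.0.0.0/0.0.0.0' or '::/0' -> ip_network."""
    entry = entry.strip()
    if " " in entry:
        addr, mask = entry.split()
        entry = f"{addr}/{mask}"
    return ipaddress.ip_network(entry, strict=False)  # host bits are tolerated


def login_source_allowed(src_ip: str, trusthosts, ip6trusthosts) -> bool:
    """The administrator may log in only from a source inside one of its trusted
    hosts; the IPv4 or IPv6 list is consulted according to the source's family."""
    src = ipaddress.ip_address(src_ip)
    entries = trusthosts if src.version == 4 else ip6trusthosts
    return any(src in parse_trusthost(e) for e in entries)


def unrestricted_entries(trusthosts, ip6trusthosts):
    """Entries that admit logins from any address (0.0.0.0/0.0.0.0 or ::/0), the
    case the reference cautions about, especially for IPv6 where no NAT shields
    the management interface. Useful as a configuration audit check."""
    return [e for e in trusthosts + ip6trusthosts if parse_trusthost(e).prefixlen == 0]


def effective_accprofile(admin: dict, radius_reply: dict, existing_profiles) -> str:
    """accprofile-override: for a remote-user authenticated through a RADIUS query,
    the FortiWeb-Access-Profile VSA in the reply selects the profile; if the VSA
    is absent or names no existing profile, the locally assigned accprofile is used."""
    local = admin["accprofile"]
    radius_auth = admin.get("type") == "remote-user" and admin.get("auth_via_radius", False)
    if not (admin.get("accprofile-override") and radius_auth):
        return local
    vsa = radius_reply.get("FortiWeb-Access-Profile")
    return vsa if vsa in existing_profiles else local


def command_permitted(profile: dict, area: str, verb: str) -> bool:
    """r or rw permits get/show in an area; config (any modification) needs w or rw."""
    level = profile.get(area, "none")
    if verb in ("get", "show"):
        return level in ("r", "rw")
    if verb == "config":
        return level in ("w", "rw")
    raise ValueError(f"unknown verb {verb!r}")


if __name__ == "__main__":
    auditor = {"accprofile": "log_read_access", "accprofile-override": True,
               "type": "remote-user", "auth_via_radius": True}
    print(login_source_allowed("192.0.2.77", TRUSTHOSTS, IP6TRUSTHOSTS))     # True
    print(unrestricted_entries(TRUSTHOSTS, IP6TRUSTHOSTS))                   # ['::/0']
    print(effective_accprofile(auditor, {}, PROFILES))                       # log_read_access
    print(command_permitted(PROFILES["log_read_access"], "loggrp", "config"))  # False
```

Note that with ip6trusthosts at its default of ::/0, an account restricted to three IPv4 hosts still accepts IPv6 logins from anywhere, which is exactly what `unrestricted_entries` reports.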

Related topics

• system accprofile on page 204
• system global on page 280
• user admin-usergrp on page 358

system admin-certificate ca

When FortiWeb's certificate-based Web UI login is applied, besides the administrators' certificate information, the corresponding certificate authority (CA) certificates are required to be stored on the FortiWeb appliance. Certificate authorities validate and sign other certificates in order to indicate to third parties that those other certificates are authentic and can be trusted. FortiWeb authorizes the administrator's login by verifying the administrator's certificate against the corresponding CA.
Use this command to show the names of the CA certificates that are related to the administrators' certificates. You use the web UI to upload these certificates.
CA certificates are not used directly here (no set operations are defined), but they are required when you create a PKI user (an administrator that FortiWeb authorizes based on their certificate) on the FortiWeb. For details, see user pki-user on page 370.
For information about certificate-based Web UI login, see the FortiWeb Administration Guide:
HTTP://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions on page 46.

Syntax
show system admin-certificate ca

Example
config system admin-certificate ca
edit "CA_Cert_1"
next
edit "CA_Cert_2"
next
end

system admin-certificate intermediate-ca

If the certificate you are applying for HTTPS access to FortiWeb's GUI management is signed by several intermediate CAs, you need to import all the intermediate CA certificates of the certificate chain. FortiWeb will then send the intermediate CA certificates together with the server certificate when administrators access FortiWeb's GUI via HTTPS.
Intermediate CAs must belong to a group in order to be selected in a certificate verification rule. For how to add the intermediate certificates to a group, see system admin-certificate intermediate-ca-group.
To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see system accprofile on page 204.

Syntax
config system admin-certificate intermediate-ca
edit "<certificate_name>"
set certificate "<certificate_str>"
next
end

Variable Description Default

"<certificate_name>"
    Enter the name of a certificate file. The maximum length is 63 characters.
    Default: No default.

certificate "<certificate_str>"
    Set the certificate. Only certificates in PEM format may be set.
    Default: No default.

Example

This example adds a certificate to Inter_Cert_1.

config system admin-certificate intermediate-ca
edit "Inter_Cert_1"
set certificate "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----"
next
end

Related topics

• system admin-certificate intermediate-ca-group

system admin-certificate intermediate-ca-group

Use this command to group intermediate CA certificates for HTTPS access to FortiWeb's GUI management.
Intermediate CAs must belong to a group in order to be selected in a certificate verification rule.

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions on page 46.

Syntax
config system admin-certificate intermediate-ca-group
edit "<admin_intermediate-ca-group_name>"
config members
edit <admin_intermediate-ca_index>
set name "<admin_intermediate_ca_name>"
next
end
next
end

Variable Description Default

"<admin_intermediate-ca-group_name>"
    Enter the name of an admin intermediate certificate authority (CA) group. The maximum length is 63 characters.
    Default: No default.

<admin_intermediate-ca_index>
    Enter the index number of an admin intermediate CA within its group. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

name "<admin_intermediate_ca_name>"
    Enter the name of a previously uploaded admin intermediate CA certificate. The maximum length is 63 characters. See system admin-certificate intermediate-ca.
    Default: No default.

Related topics

• system admin-certificate intermediate-ca

system admin-certificate local

The FortiWeb appliance presents its own HTTPS server certificate for secure connections (HTTPS) to its Web UI. By default, a Fortinet factory certificate, named defaultcert in FortiWeb, is used. You can also import other certificates into FortiWeb and replace defaultcert with any of them for secure Web UI connections.
Use this command to edit the comment associated with these FortiWeb administration certificates, which are stored locally on the FortiWeb appliance.
To replace the certificate that FortiWeb uses for secure access to its Web UI, see .
For information on how to upload a certificate file to change FortiWeb's default certificate, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the
admingrp area. For details, see Permissions on page 46.


Syntax
config system admin-certificate local
edit "<certificate_name>"
set comment "<comment_str>"
set certificate "<certificate_str>"
set passwd "<passwd_str>"
set private-key "<private-key_str>"
set flag 0
set status ok
set type certificate
next
end

"<certificate_name>"
  Enter the name of a certificate file. The maximum length is 63 characters.
  Default: No default.

comment "<comment_str>"
  Enter a description or other comment. If the comment contains more than one word or contains an apostrophe, surround the comment in double quotes ( " ). The maximum length is 127 characters.
  Default: No default.

certificate "<certificate_str>"
  Enter the sequence number of the certificate file.
  Default: No default.

passwd "<passwd_str>"
  When exporting the private key file from certificate factories, you can choose to enter a password to encrypt the file. When you import the file into FortiWeb, you must then enter this password. This is optional.
  Default: No default.

private-key "<private-key_str>"
  Enter the sequence number of the key file.
  Default: No default.

flag 0
  Indicates whether a password was saved. This is used by FortiWeb for backwards compatibility.
  Default: 0

status ok
  Indicates the status of an imported certificate:
  • na—Indicates that the certificate was successfully imported, and is currently selected for use by the FortiWeb appliance.
  • ok—Indicates that the certificate was successfully imported but is not selected as the certificate currently in use. To use the certificate, see .
  • pending—Indicates that the certificate request was generated, but must be downloaded, signed, and imported before it can be used as a local certificate.
  Default: ok

type certificate
  Indicates whether the file is a certificate or a certificate signing request (CSR).
  Default: certificate


Example

This example adds a comment to the certificate named certificate1.


config system admin-certificate local
edit "certificate1"
set comment "This is a certificate that FortiWeb uses for secure Web UI connections."
next
end

system advanced

Use this command to configure several system-wide options that determine how FortiWeb scans traffic.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system advanced
set circulate-url-decode {enable | disable}
set decoding-enhancement {enable | disable}
set max-cache-size <cache_int>
set max-dlp-cache-size <percentage_int>
set max-dos-alert-interval <seconds_int>
set share-ip {enable | disable}
set anypktstream {enable | disable}
set max-bot-alert-interval <interval_int>
set ignore-undefined-query-param {enable | disable}
set key-attr {enable | disable}
set key-max-length <int>
set key-printable {enable | disable}
end

circulate-url-decode {enable | disable}
  Enable to detect URL-embedded attacks that are obfuscated using recursive URL encoding (that is, multiple levels’ worth of URL encoding).
  Encoded URLs can be legitimately used for non-English URLs, but can also be used to avoid detection of attacks that use special characters. Encoded URLs can be decoded to scan for these types of attacks. Several encoding types are supported. For example, you could detect the character A that is encoded as either %41, %x41, %u0041, or \t41.
  Disable to decode only one level’s worth of the URL, if encoded.
  Default: enable

decoding-enhancement {enable | disable}
  Enable to decode cookies and parameters using base64 or CSS for specified URLs. To configure decoding enhancement, see system decoding enhancement on page 254.
  Default: disable

max-cache-size <cache_int>
  Type the maximum size (in KB) of the body of the HTTP response from the web server that FortiWeb will cache per URL for body compression, decompression, rewriting, and XML detection. Valid values range from 32 to 10240. The default value is 64.
  Increasing the body cache may decrease performance.
  Default: 512

max-dlp-cache-size <percentage_int>
  Type the maximum percentage of max-cache-size <cache_int>—the body of the HTTP response from the web server—that FortiWeb buffers and scans. Responses are cached to improve performance on compression, decompression, and rewriting on often-requested URLs.
  Default: 12

max-dos-alert-interval <seconds_int>
  Type the maximum amount of time (in seconds) over which FortiWeb merges events into a single log message during a DoS attack or padding oracle attack.
  Default: 180

share-ip {enable | disable}
  Enable to analyze the ID field of IP headers in order to detect when multiple clients share the same source IP address. To configure the difference between packets’ ID fields that FortiWeb will treat as a shared IP, see system ip-detection on page 319.
  Enabling this option is required for features that have a separate threshold for shared IP addresses. If you disable the option, those features behave as if there is only a single threshold, regardless of whether the source IP is shared by many clients.
  Default: disable

anypktstream {enable | disable}
  Enable to configure FortiWeb to scan partial TCP connections.
  In some cases, FortiWeb is deployed after a client has already created a connection with a back-end server. If this option is disabled, FortiWeb ignores any traffic that is part of a pre-existing session.
  Default: disable

max-bot-alert-interval <interval_int>
  Type the maximum interval at which FortiWeb sends an attack log during a bot attack. The valid range is 0–300 seconds.
  Default: 60

ignore-undefined-query-param {enable | disable}
  Enable to bypass undefined query parameters in policies.
  Default: disable

key-attr {enable | disable}
  To avoid having obviously invalid content processed by FortiWeb's security checks, enable this option to bypass invalid content that has an extremely long parameter name or non-printable characters.
  Note that the invalid content check does not apply to the following content types, or when the Content-Type is not defined in the request:
  • multipart
  • soap+xml
  • text/xml, application/xml, application/vnd.syncml+xml, application/vnd.ms-sync.wbxml
  • multipart/form-data (boundary is required)
  • text/html
  • application/x-www-form-urlencoded
  • text/plain
  • text/css
  • application/x-javascript
  • multipart/x-mixed-replace
  • application/javascript
  • text/javascript
  • application/rss+xml
  • message/http
  • application/json, text/json
  • all other application/...xml
  Default: disable

key-max-length <int>
  If the parameter name exceeds the maximum length you have specified, FortiWeb skips the security check and passes the request directly to the back-end server. The valid range is 1–1,024.
  Default: 1024

key-printable {enable | disable}
  If this option is enabled, all characters in the parameter name must be printable; otherwise FortiWeb skips the security check and passes the request directly to the back-end server.
  If this option is disabled, the parameter name is submitted to the security check regardless of whether its characters are printable.
  Default: disable
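How recursive decoding changes what a signature sees, as an added Python example that is not FortiWeb's own code: it decodes the %XX, %xXX and %uXXXX forms one level at a time (the fourth form listed above is not implemented) and compares the enable and disable behaviours of circulate-url-decode on a constructed double-encoded URL, with a depth cap that the reference does not specify.

```python
"""Recursive URL decoding before signature matching.

Added example, not FortiWeb's own code. A signature that looks for "<script"
in a URL sees nothing when the URL has been encoded twice, unless the inspector
keeps decoding until no encoded sequences remain, which is what
circulate-url-decode enables. Handled forms: %XX, %xXX and %uXXXX; the fourth
form listed in the reference is not implemented. All inputs are constructed.
"""
import re
from typing import Dict, List, Tuple

# One encoded character in any of the three supported forms.
_ENCODED = re.compile(r"%u([0-9A-Fa-f]{4})|%x([0-9A-Fa-f]{2})|%([0-9A-Fa-f]{2})")

# Deliberately tiny signature set; enough to show the effect of decoding.
_SIGNATURES: Tuple[str, ...] = ("<script", "../", "' or ")


def decode_once(value: str) -> str:
    """Decode a single level of URL encoding (simplified: one code point per sequence)."""
    def _repl(match: "re.Match[str]") -> str:
        hex_digits = match.group(1) or match.group(2) or match.group(3)
        return chr(int(hex_digits, 16))
    return _ENCODED.sub(_repl, value)


def decode_recursive(value: str, max_levels: int = 8) -> Tuple[str, int]:
    """Decode repeatedly until nothing changes or max_levels is reached.

    Returns (decoded_value, levels_actually_removed). The cap (an assumption
    of this example) keeps a pathological input from occupying the decoder.
    """
    levels = 0
    while levels < max_levels:
        decoded = decode_once(value)
        if decoded == value:
            break
        value, levels = decoded, levels + 1
    return value, levels


def inspect_url(url: str, circulate_url_decode: bool) -> Dict[str, object]:
    """Model the two settings: recursive decoding (enable) or one level only (disable)."""
    if circulate_url_decode:
        decoded, levels = decode_recursive(url)
    else:
        decoded = decode_once(url)
        levels = 0 if decoded == url else 1
    lowered = decoded.lower()
    hits: List[str] = [sig for sig in _SIGNATURES if sig in lowered]
    return {"decoded": decoded, "levels": levels, "matched": hits}


if __name__ == "__main__":
    # Constructed sample: "<script>" encoded twice ("%3C" -> "%25%33%43", "%3E" -> "%253E").
    double_encoded = "/search?q=%25%33%43script%253E"
    for setting in (False, True):
        result = inspect_url(double_encoded, circulate_url_decode=setting)
        label = "enable" if setting else "disable"
        print(f"circulate-url-decode {label}: {result}")
```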

Related topics

• server-policy policy on page 140
• system certificate local on page 237
• system ip-detection on page 319
• waf application-layer-dos-prevention on page 400
• waf http-protocol-parameter-restriction on page 488

system antivirus

Use this command to configure system-wide FortiGuard Antivirus scan settings.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system antivirus
set default-db {basic | extended}
set scan-bzip2 {enable | disable}
set uncomp-size-limit <limit_int>
set uncomp-nest-limit <limit_int>
set use-fsa {enable | disable}
end

default-db {basic | extended}
  Select which of the antivirus signature databases to use when scanning HTTP POST requests for viruses, either:
  • basic—Select to use only the signatures of viruses and greyware that have been detected by FortiGuard’s networks to be recently spreading in the wild.
  • extended—Select to use all signatures, regardless of whether the viruses or greyware are currently spreading.
  Default: basic

scan-bzip2 {enable | disable}
  Enable to scan archives that are compressed using the BZIP2 algorithm.
  Tip: Scanning BZIP2 archives can be very CPU-intensive. To improve performance, block the BZIP2 file type, then disable this option.
  Default: enable

uncomp-size-limit <limit_int>
  Type the maximum size in kilobytes (KB) of the memory buffer that FortiWeb will use to temporarily undo the compression that a client or web server has applied to traffic, in order to inspect and/or modify it. For details, see "waf file-uncompress-rule" on page 1.
  Caution: Unless you configure otherwise, compressed requests that are too large for this buffer will pass through FortiWeb without scanning or rewriting. This could allow malware to reach your web servers, and cause HTTP body rewriting to fail. If you prefer to block requests greater than this buffer size, configure waf http-protocol-parameter-restriction on page 488. To be sure that it will not disrupt normal traffic, first configure action to be alert. If no problems occur, switch it to alert_deny.
  The maximum acceptable values are:
  102400 KB: FortiWeb 100D, 100E, 400C, 400D, 400E, 600D, 600E, 1000C, 3000CFsx, 4000C
  204800 KB: FortiWeb 1000D, 2000D, 3000D, 3000DFsx, 4000D, 1000E, 2000E, 3010E, 1000F, 2000F
  358400 KB: FortiWeb 3000E, 4000E, 3000F, 4000F
  Default: 5000

uncomp-nest-limit <limit_int>
  Type the maximum number of allowed levels of compression (“nesting”) that FortiWeb will attempt to decompress.
  Default: 12

use-fsa {enable | disable}
  Enable to use the Signature Database from FortiSandbox to supplement the AV Signature Database. If enabled, FortiWeb will download the malware package from FortiSandbox's Signature Database every minute.
  Default: disable
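An added Python example (not FortiWeb's own code) of the two decompression limits working together: a bounded expander that stops at uncomp-size-limit or uncomp-nest-limit on gzip and bzip2 payloads constructed in-process. The size cap is enforced while expanding rather than after, so a small compressed body cannot exhaust memory before the check, and each cap is reported as its own status because that is the point where a WAF must decide between passing the body unscanned and blocking it.

```python
"""Bounded decompression of HTTP bodies, after uncomp-size-limit and uncomp-nest-limit.

Added example, not FortiWeb's own code. Each gzip or bzip2 layer is expanded
into a buffer that may not grow beyond size_limit_kb, and no more than
nest_limit layers are removed. Hitting either cap is reported as a distinct
status. Sample payloads are constructed by build_samples().
"""
import bz2
import gzip
import zlib
from dataclasses import dataclass
from typing import Dict, Optional

CHUNK = 64 * 1024  # expand in bounded steps so the cap applies mid-stream


@dataclass
class Expanded:
    data: bytes      # innermost data reached (or the layer left compressed)
    levels: int      # number of layers actually removed
    status: str      # "ok", "size-limit" or "nest-limit"


def detect(data: bytes) -> Optional[str]:
    """Identify the outer compression layer by its magic bytes."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    return None


def _inflate_gzip(data: bytes, limit: int) -> Optional[bytes]:
    """Expand one gzip layer; return None as soon as output would exceed limit."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out, pending = bytearray(), data
    while not d.eof:
        chunk = d.decompress(pending, CHUNK)  # at most CHUNK bytes per step
        out += chunk
        if len(out) > limit:
            return None
        pending = d.unconsumed_tail
        if not chunk and not pending:          # truncated stream: nothing left to do
            break
    return bytes(out)


def _inflate_bzip2(data: bytes, limit: int) -> Optional[bytes]:
    """Expand one bzip2 layer with the same early-exit rule."""
    d = bz2.BZ2Decompressor()
    out, pending = bytearray(), data
    while not d.eof:
        out += d.decompress(pending, CHUNK)
        if len(out) > limit:
            return None
        pending = b""                          # all input was handed over at once
        if d.needs_input:                      # nothing buffered and no more input: truncated
            break
    return bytes(out)


def expand(body: bytes, size_limit_kb: int, nest_limit: int) -> Expanded:
    """Strip compression layers until plain data, a cap, or an unknown format."""
    limit = size_limit_kb * 1024
    data, levels = body, 0
    while True:
        algo = detect(data)
        if algo is None:
            return Expanded(data, levels, "ok")
        if levels >= nest_limit:
            return Expanded(data, levels, "nest-limit")
        inner = _inflate_gzip(data, limit) if algo == "gzip" else _inflate_bzip2(data, limit)
        if inner is None:
            return Expanded(data, levels, "size-limit")
        data, levels = inner, levels + 1


def build_samples() -> Dict[str, bytes]:
    """Constructed payloads: plain, single-layer, triple-nested, and a 1 MB body compressed small."""
    plain = b"id=42&comment=hello"
    return {
        "plain": plain,
        "gzip": gzip.compress(plain),
        "bzip2": bz2.compress(plain),
        "nested": gzip.compress(bz2.compress(gzip.compress(plain))),
        "bomb": gzip.compress(b"\x00" * (1024 * 1024)),
    }


if __name__ == "__main__":
    for name, body in build_samples().items():
        r = expand(body, size_limit_kb=100, nest_limit=2)
        print(f"{name:7s} status={r.status:10s} levels={r.levels} bytes={len(r.data)}")
```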

system autoupdate override

Use this command to override the default FortiGuard Distribution Server (FDS) and update FortiGuard services from the specified address.
If you cannot connect to the FortiGuard Distribution Network (FDN) or if your organization provides updates using their
own FortiGuard server, you can specify the IP address of the FDS server so that the FortiWeb appliance connects to this
server instead of the default server on Fortinet’s public FDN.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
config system autoupdate override
set status {enable | disable}
set address {"<fds_fqdn>" | "<fds_ipv4>"}
set fail-over {enable | disable}
end


status {enable | disable}
  Enable to override the default list of FDN servers, and connect to a specific server.
  Default: disable

address {"<fds_fqdn>" | "<fds_ipv4>"}
  Enter either the IP address or fully qualified domain name (FQDN) of the FDS override.
  If you connect to a FortiWeb device that is acting as an FDS proxy, enter port number 8989 after the IP address.
  Default: No default.

fail-over {enable | disable}
  Enable to fail over to one of the public FDN servers if FortiWeb cannot reach the server specified in your FDS override.
  Default: enable

Related topics

• system autoupdate schedule on page 222

system autoupdate schedule

Use this command to configure how the FortiWeb appliance will access the Fortinet Distribution Network (FDN) to retrieve updates. The FDN is a world-wide network that delivers FortiGuard service updates of predefined robots, data types, suspicious URLs, IP address reputations, and attack signatures used to detect attacks such as:
• Cross-site scripting (XSS)
• SQL injection
• Common exploits

Alternatively, you can manually upload update packages. For details, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides

FortiWeb appliances connect to the FDN by connecting to the Fortinet Distribution Server (FDS) nearest to the FortiWeb appliance based on its configured time zone.
In addition to manual update requests, FortiWeb appliances support automatic scheduled updates, by which the FortiWeb appliance periodically polls the FDN to determine if there are any available updates.
If you want to connect to a specific FDS, you must enter system autoupdate override on page 221. If your FortiWeb appliance must connect through a web proxy, you must also enter system autoupdate tunneling on page 224.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.


Syntax
config system autoupdate schedule
set status {enable | disable}
set frequency {daily | every | weekly}
set time "<time_str>"
set day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
end

status {enable | disable}
  Enable to periodically request signature updates from the FDN.
  Default: enable

frequency {daily | every | weekly}
  Select the frequency with which the FortiWeb appliance will request signature updates.
  Default: every

time "<time_str>"
  Enter the time at which the FortiWeb appliance will request signature updates.
  The time format is hh:mm, where:
  • hh is the hour according to a 24-hour clock
  • mm is the minute
  Default: 00:00

day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
  Select which day of the week the FortiWeb appliance will request signature updates. This option applies only if frequency is weekly.
  Default: Monday

Example

This example configures weekly signature update requests on Sunday at 2:00 PM.
config system autoupdate schedule
set status enable
set frequency weekly
set day Sunday
set time 14:00
end

Related topics

• system autoupdate override on page 221
• system autoupdate tunneling on page 224


system autoupdate tunneling

Use this command to configure the FortiWeb appliance to use a proxy server to connect to the Fortinet Distribution
Network (FDN).
The FortiWeb appliance will connect to the proxy using the HTTP CONNECT method, as described in RFC 2616 (http://tools.ietf.org/rfc/rfc2616.txt).
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system autoupdate tunneling
set status {enable | disable}
set address {"<proxy_fqdn>" | "<proxy_ipv4>"}
set port <port_int>
set username "<proxy-user_str>"
set password "<proxy-password_str>"
end

status {enable | disable}
  Enable to connect to the FDN through a web proxy.
  Default: disable

address {"<proxy_fqdn>" | "<proxy_ipv4>"}
  Enter either the IP address or fully qualified domain name (FQDN) of the web proxy. The maximum length is 63 characters.
  Default: No default.

port <port_int>
  Enter the port number on which the web proxy listens for connections. The valid range is 0–65,535.
  Default: 0

username "<proxy-user_str>"
  If the proxy requires authentication, enter the FortiWeb appliance’s login name on the web proxy. The maximum length is 49 characters.
  Default: No default.

password "<proxy-password_str>"
  If the proxy requires authentication, enter the password for the FortiWeb appliance’s login name on the web proxy. The maximum length is 49 characters.
  Default: No default.

Example

This example configures the FortiWeb appliance to connect through a web proxy that requires authentication.
config system autoupdate tunneling
set status enable
set address "192.168.1.10"
set port 1443
set username "fortiweb"
set password "myPassword1"
end


Related topics

• system autoupdate schedule on page 222

system backup

Use this command to configure automatic backups of the system configuration to an FTP or SFTP server. You can either
run the backup immediately or schedule it to run periodically.
The backup can include all uploaded files such as error pages, WSDL files, certificates, and private keys. Fortinet recommends that, if you have many such files, you include them in the backup. This saves you valuable time if you need to restore the configuration in an emergency.

Fortinet strongly recommends that you password-encrypt this backup, and store it in
a secure location. This backup method includes sensitive data such as your HTTPS
certificates’ private keys. Unauthorized access to private keys compromises the
security of all HTTPS requests using those certificates.

To restore a backup, see backup full-config on page 753.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
config system backup
edit "<backup_name>"
set config-type {full-config | cli-config | waf-config}
set ml-flag {disable | enable}
set encryption {enable | disable}
set encryption-passwd "<password_str>"
set ftp-auth {enable | disable}
set ftp-user "<user_str>"
set ftp-passwd "<password_str>"
set ftp-dir "<directory-path_str>"
set ftp-server {"<server_ipv4>" | "<server_fqdn>"}
set protocol-type {ftp | sftp}
set schedule_type {now | days}
set schedule_days {sun mon tue wed thu fri sat}
set schedule_time "<time_str>"
next
end

"<backup_name>"
  Enter the name of the backup configuration. The maximum length is 59 characters.
  To display the list of existing backups, enter:
  edit ?
  Default: No default.

config-type {full-config | cli-config | waf-config}
  Select either:
  • full-config — Include both the configuration file and other uploaded files, such as certificate and error page files, in the backup.
  • cli-config — Include only the configuration file in the backup.
  • waf-config — Include only the web protection profiles in the backup.
  Default: cli-config

ml-flag {disable | enable}
  Enable to include machine learning data in the backup. This option takes effect only when the config-type is set to full-config.
  Default: disable

encryption {enable | disable}
  Enable to encrypt the backup file with a .zip extension.
  Caution: Unlike when downloading a backup from the web UI to your computer, this does include all certificates and private keys. Fortinet strongly recommends that you password-encrypt this backup, and store it in a secure location.
  Default: disable

encryption-passwd "<password_str>"
  Enter the password that will be used to encrypt the backup file.
  This field appears only if you enable encryption {enable | disable} on page 226.
  Default: No default.

ftp-auth {enable | disable}
  Enable if the server requires that you provide a user name and password for authentication, rather than allowing anonymous connections. When enabled, you must also configure ftp-user "<user_str>" on page 226 and ftp-passwd "<password_str>" on page 226.
  Disable for FTP servers that allow anonymous uploads.
  Default: disable

ftp-user "<user_str>"
  Enter the user name that the FortiWeb appliance will use to authenticate with the server. The maximum length is 127 characters.
  This variable is not available unless ftp-auth {enable | disable} on page 226 is enable.
  Default: No default.

ftp-passwd "<password_str>"
  Enter the password corresponding to the account specified in ftp-user "<user_str>". The maximum length is 127 characters.
  This variable is not available unless ftp-auth {enable | disable} on page 226 is enable.
  Default: No default.

ftp-dir "<directory-path_str>"
  Enter the directory path on the server where you want to store the backup file. The maximum length is 127 characters.
  Default: No default.

ftp-server {"<server_ipv4>" | "<server_fqdn>"}
  Enter either the IP address or fully qualified domain name (FQDN) of the server. The maximum length is 127 characters.
  Default: No default.

protocol-type {ftp | sftp}
  Select whether to connect to the server using FTP or SFTP.
  Default: ftp

schedule_type {now | days}
  Select one of the schedule types:
  • now—Use this to initiate the FTP backup immediately upon ending the command sequence.
  • days—Enter this to allow you to set days and a time to run the backup automatically. You must also configure schedule_days {sun mon tue wed thu fri sat} on page 227 and schedule_time "<time_str>" on page 227.
  Default: now

schedule_days {sun mon tue wed thu fri sat}
  Enter one or more days of the week when you want to run a periodic backup. Separate each day with a blank space. For example, to back up the configuration on Monday and Friday, enter:
  set schedule_days mon,fri
  This command is available only if schedule_type {now | days} on page 227 is days.
  Default: No default.

schedule_time "<time_str>"
  Enter the time of day to run the backup.
  The time format is hh:mm, where:
  • hh is the hour according to a 24-hour clock
  • mm is the minute
  This command is available only if schedule_type {now | days} on page 227 is days.
  Default: 00:00

Related topics

• restore config on page 777
• backup cli-config on page 752

system central-management

Use this command to enable the cross-domain access feature for central management in the web UI and CLI.

Syntax
config system central-management
set cm-access {enable | disable}
set allow-origin "<url_str>"
end


cm-access {enable | disable}
  Enable/disable the cross-domain access feature for central management.
  Default: disable

allow-origin "<url_str>"
  Enter the URL to access FortiWeb Manager.
  Default: disable

Example

This example shows how to enable the central management feature.

config system central-management
set cm-access enable
set allow-origin https://10.200.111.100
end

system certificate ca

Use this command to show the names of certificates for a certificate authority (CA). You use the web UI to upload these certificates.
Certificate authorities validate and sign other certificates in order to indicate to third parties that those other certificates are authentic and can be trusted.
CA certificates are not used directly, but must first be grouped in order to be selected in a certificate verification rule. For details, see system certificate ca-group on page 230.
For information on how to upload a certificate file, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the
admingrp area. For details, see Permissions on page 46.

Syntax
show system certificate ca
config system certificate ca
edit "<certificate_name>"
set certificate "<certificate_str>"
next
end

"<certificate_name>"
  Enter the name of a certificate file. The maximum length is 63 characters.
  Default: No default.

certificate "<certificate_str>"
  Set the certificate. Only certificates in PEM format may be set.
  Default: No default.

Example

This example creates two CA certificate items, CA_Cert_1 and CA_Cert_2.


config system certificate ca
edit "CA_Cert_1"
next
edit "CA_Cert_2"
next
end

This example adds a certificate to CA_Cert_1.

config system certificate ca
edit "CA_Cert_1"
set certificate "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----"
next
end

Related topics

• system certificate ca-group on page 230
• system certificate verify on page 248


system certificate ca-group

Use this command to group certificate authorities (CA).


CAs must belong to a group in order to be selected in a certificate verification rule.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
admingrp area. For details, see Permissions on page 46.

Syntax
config system certificate ca-group
edit "<ca-group_name>"
config members
edit <ca_index>
set type {CA | TSL}
set publish-dn {enable | disable}
set tsl "<tsl_name>"
set name "<ca_name>"
set trust-anchor {enable | disable}
next
end
next
end

"<ca-group_name>"
  Enter the name of a certificate authority (CA) group. The maximum length is 63 characters.
  Default: No default.

<ca_index>
  Enter the index number of a CA within its group. The valid range is 1–999,999,999,999,999,999.
  Default: No default.

name "<ca_name>"
  Enter the name of a previously uploaded CA certificate.
  Default: No default.

type {CA | TSL}
  Select whether to upload a CA certificate or a TSL.
  Default: CA

tsl "<tsl_name>"
  Enter the name of a TSL.
  Default: No default.

publish-dn {enable | disable}
  Enable to list only certificates related to the specified CA group. This is beneficial when a client installs many certificates in its browser or when apps don't list client certificates. If you enable this option, also enable the option in a certificate verification rule. For details, see system certificate verify on page 248.
  Default: enable

trust-anchor {enable | disable}
  If partial-chain is enabled in config system certificate verify, you need to enable trust-anchor for the system to perform partial chain verification.
  Default: disable


Example

This example groups two CA certificates into a CA group named caVendors1.


config system certificate ca-group
edit "caVendors1"
config members
edit 1
set name "CA_Cert_1"
next
edit 2
set name "CA_Cert_2"
next
end
next
end

Related topics

• certificate ca on page 1
• system certificate local on page 237
• system certificate verify on page 248

system certificate crl

Use this command to edit the URL associated with a previously uploaded certificate revocation list (CRL).
To ensure that your FortiWeb appliance validates only certificates that have not been revoked, you should periodically
upload a current certificate revocation list, which may be provided by certificate authorities (CA).
For information on how to upload a CRL, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the
admingrp area. For details, see Permissions on page 46.

Syntax
config system certificate crl
edit "<crl_name>"
set certificate "<certificate_str>"
set type {http | local | scep}
set url "<crl_str>"
next
end


"<crl_name>"
  Enter the name of a CRL. The maximum length is 63 characters.
  Default: No default.

certificate "<certificate_str>"
  Set the certificate. Only certificates in PEM format may be set.
  Default: No default.

type {http | local | scep}
  Specify how you set the certificate:
  • http—Query for the certificate from an HTTP server.
  • local—Set the certificate through certificate "<certificate_str>".
  • scep—Query for the certificate from a SCEP server.
  Default: local

url "<crl_str>"
  If type {http | local | scep} on page 232 is set to http or scep, enter the URL of the certificate. The maximum length is 127 characters.
  Default: No default.

Related topics

• certificate ca on page 1
• system certificate local on page 237
• system certificate crl-group on page 232
• system certificate verify on page 248

system certificate crl-group

Use this command to create a group of CRLs that you have already uploaded to FortiWeb.
To ensure that FortiWeb validates only certificates that have not been revoked, you should periodically upload current
certificate revocation lists (CRL) that may be provided by certificate authorities (CA). Once you've uploaded the CRL(s)
you want to use, create CRL groups to include in your FortiWeb configuration.
For more information about CRLs and CRL groups, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the
admingrp area. For details, see Permissions on page 46.

Syntax
config system certificate crl-group
edit <crl_group_name>
config members
edit <entry_index>
set <crl_name>
next
end
next
end

<crl_group_name>
  Type the name of the CRL group. You will use this name to select the CRL group in other parts of the configuration. The maximum length is 63 characters.
  Default: No default.

<entry_index>
  Type the index number of the individual entry in the table.
  Default: No default.

<crl_name>
  Type the name of a CRL that you want to include in the group. The maximum length is 63 characters. For details, see system certificate crl on page 231.
  Default: No default.

Related topics

• system certificate crl on page 231
• system certificate verify on page 248

system certificate intermediate-certificate

Use this command to configure the names of uploaded intermediate CA certificates.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
admingrp area. For details, see Permissions on page 46.

Syntax
config system certificate intermediate-certificate
edit "<certificate_name>"
set certificate "<certificate_str>"
next
end

"<certificate_name>"
  Enter the name of a certificate file. The maximum length is 63 characters.
  Default: No default.

certificate "<certificate_str>"
  Set the certificate. Only certificates in PEM format may be set.
  Default: No default.


Example

This example creates three intermediate certificate items, Inter_Cert_1, Inter_Cert_2 and Inter_Cert_3.
config system certificate intermediate-certificate
edit "Inter_Cert_1"
next
edit "Inter_Cert_2"
next
edit "Inter_Cert_3"
next
end

This example adds a certificate to Inter_Cert_1.

config system certificate intermediate-certificate
edit "Inter_Cert_1"
set certificate "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----"
next
end

Related topics

• certificate inter-ca on page 1
• system certificate intermediate-certificate-group on page 234
• server-policy policy on page 140

system certificate intermediate-certificate-group

Use this command to group intermediate CA certificates.


Intermediate CAs must belong to a group in order to be selected in a certificate verification rule.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
admingrp area. For details, see Permissions on page 46.

Syntax
config system certificate intermediate-certificate-group
edit "<intermediate-ca-group_name>"
config members
edit <intermediate-ca_index>
set name "<ca_name>"
next
end
next
end

"<intermediate-ca-group_name>"
  Enter the name of an intermediate certificate authority (CA) group. The maximum length is 63 characters.
  Default: No default.

<intermediate-ca_index>
  Enter the index number of an intermediate CA within its group. The valid range is 1–9,999,999,999,999,999,999.
  Default: No default.

name "<ca_name>"
  Enter the name of a previously uploaded intermediate CA certificate. The maximum length is 63 characters.
  Default: No default.

Related topics

- certificate inter-ca on page 1
- system certificate intermediate-certificate on page 233
- server-policy policy on page 140

system certificate letsencrypt

Instead of uploading a certificate from your local directory, you can configure FortiWeb to obtain a CA-signed certificate from Let's Encrypt on your behalf.
Configuring Let's Encrypt certificates through the web UI is recommended, because it offers more functions. Refer to "Let's Encrypt certificates" in the FortiWeb Administration Guide.
To use this command, your administrator account's access control profile must have either w or rw permission to the admingrp area. For details, see Permissions on page 46.

Syntax
config system certificate letsencrypt
edit "<certificate_name>"
set domain "<application_domain_name>"
set renewal-period <int>
set validation-method {HTTP-01 | TLS-ALPN-01 | DNS-01}
set key-type {RSA-2048 | RSA-3072 | RSA-4096}
config subject-alternative-names
edit <index>
set san-dns <domain_name>
next
end
next
end

"<certificate_name>"
    Enter the name of a certificate file. The maximum length is 63 characters.
    Default: No default.

domain "<application_domain_name>"
    Enter the domain name of your application. FortiWeb retrieves a certificate for this domain from Let's Encrypt.
    Up to 11 domains are supported for one Let's Encrypt certificate: one root domain, and up to 10 additional domains that belong to that root domain. Enter the root domain here and add the remaining domains as san-dns <domain_name> entries.
    Default: No default.

renewal-period <int>
    Set the renewal period in days, that is, how soon FortiWeb obtains a new TLS certificate from Let's Encrypt. The valid range is 1–60 days.
    Default: 30 (days)

validation-method {HTTP-01 | TLS-ALPN-01 | DNS-01}
    Select how Let's Encrypt validates that you control the domain:
    - HTTP-01: Let's Encrypt sends an HTTP request to FortiWeb for validation.
      In Reverse Proxy mode, the server policy that uses the Let's Encrypt certificate must include an HTTP service on port 80.
      In True Transparent Proxy (TTP) mode, the back-end server that uses the Let's Encrypt certificate must have port 80 enabled.
      Do not enable Redirect HTTP to HTTPS while validation is in progress.
    - TLS-ALPN-01: Let's Encrypt sends HTTPS requests to FortiWeb for validation. The server policy that uses the Let's Encrypt certificate must include an HTTPS service.
    - DNS-01: Let's Encrypt validates through your DNS provider. FortiWeb generates a TXT record, which you must add to the DNS records of the domain. Refer to "Fulfilling the DNS-01 challenge" in the FortiWeb Administration Guide.
    Default: HTTP-01

key-type {RSA-2048 | RSA-3072 | RSA-4096}
    Select the key type. Let's Encrypt accepts RSA keys of 2048, 3072, or 4096 bits. Larger keys consume more computing resources but provide a larger security margin.
    Default: RSA-2048

san-dns <domain_name>
    Enter an additional domain name for the certificate. Up to 10 entries can be added, and all of them must belong to the root domain set in domain "<application_domain_name>".
    Default: No default.
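The three validation methods publish the same derived value in different places, which is why each has a different network prerequisite. The following script, added here as an illustration and not part of FortiWeb or its CLI, derives that value with openssl the way an ACME client does (RFC 8555 and RFC 8737): the key authorization that HTTP-01 serves on port 80, the TXT record value that DNS-01 publishes, and the acmeIdentifier digest that TLS-ALPN-01 puts into a temporary certificate. FortiWeb performs these steps internally; seeing them makes clear what the TXT record FortiWeb generates for DNS-01 contains, and why HTTP-01 cannot succeed while port 80 is closed or redirected. The ACME account key is the public RSA JWK from the RFC 7638 example (only the modulus n and exponent e are needed for the thumbprint); the token and domain name are constructed for this example.

```shell
#!/bin/sh
# Added example, not FortiWeb code: derive what each Let's Encrypt (ACME) validation
# method publishes, from the ACME account key and the challenge token.
# Needs only POSIX sh and the openssl command-line tool.

b64url() {
  # base64url without padding (RFC 4648 section 5), as ACME requires
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# jwk_thumbprint <n> <e>
jwk_thumbprint() {
  # RFC 7638: SHA-256 over the canonical JSON of the required JWK members only
  # (for RSA: e, kty, n), in lexicographic order, with no whitespace.
  # Optional members such as "alg" or "kid" must not be included.
  printf '{"e":"%s","kty":"RSA","n":"%s"}' "$2" "$1" | openssl dgst -sha256 -binary | b64url
}

# acme_key_authorization <token> <n> <e>
acme_key_authorization() {
  # RFC 8555 section 8.1: keyAuthorization = token "." base64url(Thumbprint(accountKey))
  printf '%s.%s' "$1" "$(jwk_thumbprint "$2" "$3")"
}

acme_dns01_txt() {
  # RFC 8555 section 8.4: the TXT value is base64url(SHA-256(keyAuthorization))
  printf '%s' "$1" | openssl dgst -sha256 -binary | b64url
}

acme_tlsalpn01_digest_hex() {
  # RFC 8737 section 3: the acmeIdentifier extension carries SHA-256(keyAuthorization)
  printf '%s' "$1" | openssl dgst -sha256 -binary | od -An -tx1 | tr -d ' \n'
}

# Constructed inputs: the public RSA JWK from the RFC 7638 example, an example token,
# and an example domain.
ACME_DOMAIN="www.example.com"
ACME_TOKEN="evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
ACME_N="0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"
ACME_E="AQAB"

KEYAUTH="$(acme_key_authorization "$ACME_TOKEN" "$ACME_N" "$ACME_E")"

# HTTP-01: the CA fetches this URL over plain HTTP on port 80 and expects the key authorization back.
printf 'HTTP-01     GET http://%s/.well-known/acme-challenge/%s\n            body: %s\n' \
  "$ACME_DOMAIN" "$ACME_TOKEN" "$KEYAUTH"
# DNS-01: publish the digest of the key authorization as a TXT record (this is the value FortiWeb shows you).
printf 'DNS-01      _acme-challenge.%s. IN TXT "%s"\n' "$ACME_DOMAIN" "$(acme_dns01_txt "$KEYAUTH")"
# TLS-ALPN-01: serve a self-signed certificate for the domain on port 443 with ALPN "acme-tls/1"
# and an acmeIdentifier extension (OID 1.3.6.1.5.5.7.1.31) holding this digest.
printf 'TLS-ALPN-01 acmeIdentifier = %s\n' "$(acme_tlsalpn01_digest_hex "$KEYAUTH")"
```

The key authorization is only as secret as the ACME account key behind it; whoever can publish it at the challenge location proves control of the domain to the CA, which is why the HTTP-01 path must be answered by the policy or back-end server that actually owns the domain and not by an unrelated host on port 80.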

Related topics

- system certificate ca on page 228
- system certificate ca-group on page 230
- system certificate verify on page 248

system certificate local

Use this command to configure a server certificate and its private key that are stored locally on the FortiWeb appliance, or to edit the comment associated with such a certificate.
You can also configure settings for a certificate that works with an HSM (hardware security module). For details about HSM integration, see system hsm info on page 309 and the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
FortiWeb appliances present these certificates when clients request secure connections, including when:
- Administrators connect to the web UI (HTTPS connections only)
- Web clients use SSL or TLS to connect to a virtual server, if you have enabled SSL off-loading in the policy (HTTPS connections and Reverse Proxy mode)
- Web clients use SSL or TLS to connect to a physical server (HTTPS connections and True Transparent Proxy mode)
FortiWeb appliances also require certificates in order to decrypt and scan HTTPS connections travelling through them when operating in Offline Protection or Transparent Inspection mode.
Which certificate is used, and how, depends on the purpose.
- For connections to the web UI, the FortiWeb appliance presents its default certificate. The default certificate does not appear in the list of local certificates; it is used only for connections to the web UI and cannot be removed.
- For SSL off-loading or SSL decryption, upload certificates that do not belong to the FortiWeb appliance itself but to the protected hosts. Then select which one the FortiWeb appliance uses when configuring the SSL option in a policy or server pool.
For information on how to upload a certificate file, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account's access control profile must have either w or rw permission to the admingrp area. For details, see Permissions on page 46.

Syntax
config system certificate local
edit "<certificate_name>"
set comment "<comment_str>"
set status {na | ok | pending}
set type {certificate | csr}
set flag {0 | 1}
set is-hsm {no | yes}
set partition-number "<partition_name>"
set certificate "<certificate_str>"
set private-key "<private_key_str>"
set passwd "<password>"
next
end

"<certificate_name>"
    Enter the name of a certificate file. The maximum length is 63 characters.
    Default: No default.

comment "<comment_str>"
    Enter a description or other comment. If the comment contains more than one word or contains an apostrophe, surround the comment in double quotes ( " ). The maximum length is 127 characters.
    Default: No default.

status {na | ok | pending}
    Indicates the status of an imported certificate:
    - na: The certificate was successfully imported and is currently selected for use by the FortiWeb appliance.
    - ok: The certificate was successfully imported but is not selected as the certificate currently in use. To use the certificate, select it in a policy or server pool.
    - pending: The certificate request was generated, but must be downloaded, signed, and imported before it can be used as a local certificate.
    Default: No default.

type {certificate | csr}
    Indicates whether the file is a certificate or a certificate signing request (CSR).
    Default: No default.

flag {0 | 1}
    Indicates whether a password was saved. FortiWeb uses this for backwards compatibility.
    Default: No default.

is-hsm {no | yes}
    Specify whether you configured the CSR for this certificate to work with an integrated HSM.
    Default: no

partition-number "<partition_name>"
    Enter the name of the HSM partition you selected when you created the CSR for this certificate.
    Default: No default.

certificate "<certificate_str>"
    Set the certificate. Only certificates in PEM format may be set.
    Default: No default.

private-key "<private_key_str>"
    Set the private key for the certificate. Only private keys in PEM format may be set.
    Default: No default.

passwd "<password>"
    Enter the password for the certificate, that is, the passphrase that protects an encrypted private key.
    Default: No default.

Example

This example adds a comment to the certificate named certificate1.
config system certificate local
edit "certificate1"
set comment "This is a certificate for the host www.example.com."
next
end

This example adds a certificate named certificate2 together with its private key. The private key in this example is passphrase-protected (note the Proc-Type and DEK-Info headers), so its passphrase must also be supplied with set passwd.
config system certificate local
edit "certificate2"
set private-key "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,82EAF556E3621A07
ZYqcytKrfYGksrp/6rFf4Ma3rIiW/63EiyxHFLSl8NVOLfM+AWHYm5flnKJI4Ava
iZnv64QlmLxTSDgU+/rS9XBaDlg6DKoIDtDTlVvg99vU3I9TrU+LRMPaLCidVw/h
GMlKtvF8UGFACAM1HwTJ/zBejgaAN0ZKcmxDNX0RwgHQwTP1/dwXRae+uk9dK8Ya
kw9jcu5SM7aQuUKEFdvdkhI9fo8uMH8lKwSViaDx50/BZfEQx5+cRHooS/AZfnnr
BjBlaAZA+zjuvp5mbDh76CO8+i+++09e4g5Kj83ZoRfVXkOUonfRug5FvAT7YFEi
lgnG+ChW5BrDtOq25Y4jQcPyqM9dL8lkpMhfK+rayGWVyOfQAX0AtNNM0itbjb7U
m78N71RVjjz4We2QCkIBv5AibsPgJwq54M6VDZ3CIJ+f2QVvvypnN2UjV1epih6N
yS0RxVqwC2HObwdbffviMjH1a5AOSIFnEYHOAwAxIf3nlZWAf1HhW8Oc6IofqTuO
R5SeWnoYxFVFakhGcyMRw3sd/ekTp8tRoK8QbINn3L38AEMtp8HKSHWm+MWdIQeK
WNYW4AZsrKfmXIQpGzuaan50fh6y6eVevxB9zx/uVN2XxD/TmDs5KnLjw7A4ks7V
Ds0c8bSLOT8BE+qfb7I/mUjVbsbGxgX40ducmm/C7HR/bgbSV2u6PK92ieQ22q6q
7RATzFtvHuJ3OmJtrMKhlHGMHVSA01GhheL3m2JhHMKMoJfwhYLab1+UCV4n5GOi
MogQY9UQ022WRCtpTPes5Sl5IMVY/Oj1nP/QcUMK8a7iPtAZWPYN7HEPXDfU/Urm
52HbC0fSQ/eGG5gQ7kDy9N/aLZf9wDMgj5zjX2lmnMT/h1sD29+bUCoo4ODT2Kk1
i6HyZX+J6KNDYM5aNOdhyZabVZBZOU1GvtLMzzrd5pEugFs7Rzt0+NJ54d7jGgav
0QwKCKIDevSdZG0ZeXLTvQONF9Pzo6i/E3uwIKuHFAnTAtq6UrKveRLtWWXuSBim
AAifL8s23T0BJAa75C6b3+F5IUTC/K9e5vrUbBDWDsjSjsWgbkoPBDlEpWLI+Ogu
Th6nZeQx0U+gt1bC+bJTIKdVDbxgjVGXIEvmnzc7KU0cBHmmIQggqfQwdVTeSVUx
z9JefVD9accpoem6ghdS/0xaQztbdvb5NAM9LX2o/HFECThcLWGke/jxgAKvFQX4
MZBFy1UukQeCgHfwJCIMw1D/tupKwAqzsvm351E0C8eTuC1OWFvtkzQNoFkyD2vS
gWSFKz85nswSMkobWFNJxMmDuS1QlAHUFuzpcVOJgrE6DMpdYE3DeKmsVMsLsNM/
l7H3SlnvEptVf3fm5PpCxtOM60nqsQuveHEgkmk5gt8CLtE8bV81yv7JDvkXUFV2
5HlFRZ/RZAQgAeKiAS6REwHuE/dEhZKh7Jq2o02G0NXeAXR/WqeN0SWSw0dEVf39
TMARg27X27zx0Wg2g8pBC1nxA1zyzMfYI2OTwvFZFNPVenGCVUw1dFt8eolAOscO
LakQuCWrFrW7kiRQlxVK/o67fKTkBVt7zM5WjBEO3beGWe2TkRUWUg==
-----END RSA PRIVATE KEY-----"
set certificate "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"
next
end

Related topics

- server-policy policy on page 140
- server-policy server-pool on page 168

system certificate multi-local

Use this command to combine RSA, DSA, and ECDSA certificates into a multi-certificate, which you can then reference in a server policy in Reverse Proxy mode, or in a server pool member (pserver) in True Transparent Proxy or WCCP mode.

Syntax
config system certificate multi-local
edit "<certificate-multi-local_name>"
set comment "<comment_str>"
set rsa-cert <rsa-cert_str>
set dsa-cert <dsa-cert_str>
set ecc-cert <ecc-cert_str>
next
end

"<certificate-multi-local_name>"
    Enter the name of a multi-certificate file.
    Default: No default.

comment "<comment_str>"
    Enter a description or other comment.
    Default: No default.

rsa-cert <rsa-cert_str>
    Select the RSA certificate created in system certificate local on page 237.
    Default: No default.

dsa-cert <dsa-cert_str>
    Select the DSA certificate created in system certificate local on page 237.
    Default: No default.

ecc-cert <ecc-cert_str>
    Select the ECDSA certificate created in system certificate local on page 237.
    Default: No default.

Related topics

- system certificate local on page 237
- server-policy policy on page 140
- server-policy server-pool on page 168

system certificate ocsp-stapling

Use this command to configure an OCSP server.
Once an OCSP server is configured, OCSP stapling is enabled. When OCSP stapling is enabled, FortiWeb periodically fetches the revocation status of the specified certificate from the OCSP server and, if the response contains the revocation status, caches the response for a period.
For more information on OCSP stapling, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the
admingrp area. For details, see Permissions on page 46.

Syntax
config system certificate ocsp-stapling
edit "<ocsp_name>"
set certificate "<certificate_name>"
set local-cert "<certificate_name>"
set comment "<comment_str>"
set ocsp_url "<url>"
next
end

"<ocsp_name>"
    Enter the name of an OCSP stapling configuration. The maximum length is 63 characters.
    Default: No default.

certificate "<certificate_name>"
    Enter the name of a CA certificate that has been imported into FortiWeb. This is the CA that issued the server certificate and whose OCSP responder is queried.
    Default: No default.

local-cert "<certificate_name>"
    Enter the name of the local (server) certificate whose revocation status is to be queried.
    Default: No default.

comment "<comment_str>"
    Optionally, enter a comment for the OCSP stapling configuration.
    Default: No default.

ocsp_url "<url>"
    Enter the URL of the OCSP responder that corresponds to the specified CA certificate.
    Default: No default.

Related topics

- system certificate local on page 237
- system certificate ca on page 228
- server-policy policy on page 140
- server-policy server-pool on page 168

system certificate server-certificate-verify

Use this command to configure how the FortiWeb appliance verifies the certificates presented by back-end HTTP servers.

Syntax
config system certificate server-certificate-verify
edit "<certificate_verificator_name>"
set ca "<ca-group_name>"
set crl "<crl-group_name>"
next
end

"<certificate_verificator_name>"
    Enter the name of a certificate verifier. The maximum length is 63 characters.
    Default: No default.

ca "<ca-group_name>"
    Enter the name of an existing CA group to use to authenticate the certificates presented by back-end servers.
    Default: No default.

crl "<crl-group_name>"
    Enter the name of an existing CRL group, if any, to use to verify the revocation status of server certificates.
    Default: No default.

Related topics

- system certificate ca-group on page 230
- system certificate crl on page 231

system certificate sni

In some cases, the members of a server pool or a single pool member host multiple secure websites that use different
certificates. Use this command to create a Server Name Indication (SNI) configuration that identifies the certificate to use
by domain.
You can select an SNI configuration in a server policy only when the operating mode is Reverse Proxy and an HTTPS configuration is applied to the policy.
Not all web browsers support SNI. Go to the following location for a list of web browsers that support SNI:
http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_indication.5B10.5D
To use this command, your administrator account’s access control profile must have either w or rw permission to the
admingrp area. For details, see Permissions on page 46.

Syntax
config system certificate sni
edit "<sni_name>"
config members
edit <entry_index>
set domain-type {plain | regular}
set domain "<server_fqdn>"
set multi-local-cert {enable | disable}
set multi-local-cert-group <multi-local-cert-group_name>
set certificate-type {enable | disable}
set lets-certificate <name>
set local-cert "<local-cert_name>"
set inter-group "<intermediate-cagroup_name>"
set verify "<certificate_verificator_name>"
next
end
next
end

"<sni_name>"
    Enter the name of a Server Name Indication (SNI) configuration.
    Default: No default.

<entry_index>
    Enter the index number of an SNI configuration entry. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

domain-type {plain | regular}
    Specify plain to match a domain to certificates using the literal domain specified in domain. Specify regular to match multiple domains to certificates using the regular expression specified in domain.

domain "<server_fqdn>"
    Enter the domain of the secure website (HTTPS) that uses the certificate specified by local-cert "<local-cert_name>". Enter a literal domain if domain-type is set to plain, or a regular expression if domain-type is set to regular.
    Default: No default.

multi-local-cert {enable | disable}
    Enable to allow FortiWeb to use a multi-certificate (multiple local certificates of different key types) for this domain.
    Default: disable

multi-local-cert-group <multi-local-cert-group_name>
    Select the multi-certificate you have created. See system certificate multi-local.
    Default: No default.

certificate-type {enable | disable}
    Enable to allow FortiWeb to use a certificate automatically retrieved from Let's Encrypt for this domain.
    Default: disable

lets-certificate <name>
    Select the Let's Encrypt certificate you have created. See system certificate letsencrypt.
    Default: No default.

local-cert "<local-cert_name>"
    Enter the name of the server certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by domain "<server_fqdn>".
    Default: No default.

inter-group "<intermediate-cagroup_name>"
    Enter the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to clients so that they can validate the CA signature of the certificate specified by local-cert "<local-cert_name>".
    Configure this option if clients receive certificate warnings because the server certificate configured in local-cert is signed by an intermediate CA rather than by a root CA or another CA the client trusts directly.
    Alternatively, include the entire signing chain in the server certificate itself before uploading it to the FortiWeb appliance, thereby completing the chain of trust with a CA already known to the client. See the FortiWeb Administration Guide:
    http://docs.fortinet.com/fortiweb/admin-guides
    Default: No default.

verify "<certificate_verificator_name>"
    Enter the name of a certificate verifier, if any, that FortiWeb uses when an HTTP client presents its personal certificate. If you do not select one, the client is not required to present a personal certificate.
    Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website (PKI authentication).
    You can require that clients present a certificate alternatively or in addition to HTTP authentication. For details, see waf http-authen http-authen-rule on page 476.
    To display the list of existing verifiers, enter:
    edit ?
    Note: The client must support TLS 1.0.
    Default: No default.

Related topics

- system certificate local on page 237
- system certificate intermediate-certificate-group on page 234
- system certificate verify on page 248

system certificate xml-client-certificate

Use this command to show the names of the uploaded XML client certificates that are stored locally on the FortiWeb appliance.
The XML client certificate is used for request verification or response encryption.

Syntax
config system certificate xml-client-certificate
edit "<xml-client-certificate_name>"
set certificate <certificate_str>
set secret-key <secret-key_str>
next
end

"<xml-client-certificate_name>"
    Enter the name of an XML client certificate.
    Default: No default.

certificate <certificate_str>
    Set the certificate. Only certificates in PEM format may be set.
    Default: No default.

secret-key <secret-key_str>
    Enter the secret key string. This is optional and is used only for HMAC-SHA-1 signing.
    Default: No default.

Related topics

- waf ws security on page 657
- system certificate xml-client-certificate-group on page 249

system certificate tsl-ca

Use this command to show the names of Trust Service Lists (TSL) for a certificate authority (CA). You use the web UI to upload the TSL.
For information on how to upload a TSL, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account's access control profile must have either w or rw permission to the admingrp area. For details, see Permissions on page 46.

Syntax
config system certificate tsl-ca
edit "<tsl-ca_name>"
set type {file | url}
set distribute-url "<url_str>"
next
end

"<tsl-ca_name>"
    Enter the name of a TSL.
    Default: No default.

type {file | url}
    Select how the TSL is obtained: file (uploaded through the web UI) or url (retrieved from the distribution URL).
    Default: No default.

distribute-url "<url_str>"
    Enter the distribution URL of the TSL. Used when type is url.
    Default: No default.

Related topics

- system certificate ca
- system certificate ca-group

system certificate urlcert

Use this command to configure the URL-based client certificate feature for a server policy or server pool. This feature allows you to require a client certificate for some requests and not for others. Whether a client is required to present a personal certificate is based on the requested URL and the rules you specify in the URL-based client certificate group.
A URL-based client certificate group specifies the URLs to match and whether a matching request must present a certificate or is exempt from presenting one.
When the URL-based client certificate feature is enabled, clients are not required to present a certificate if the request URL is specified as exempt in a URL-based client certificate group rule, or if the URL of the request does not match any rule.
To use this command, your administrator account's access control profile must have either w or rw permission to the admingrp area. For details, see Permissions on page 46.

Syntax
config system certificate urlcert
edit "<url-cert-group_name>"
config list
edit <entry_index>
set url "<url_str>"
set require {enable | disable}
next
end
next
end

"<url-cert-group_name>"
    Enter the name for the URL-based client certificate group.
    Default: No default.

<entry_index>
    Enter the index number of a URL-based client certificate group entry.
    Default: No default.

url "<url_str>"
    Enter a URL to match. When the URL of a client request matches this value and require is enable, FortiWeb requires the client to present a personal certificate.
    Default: No default.

require {enable | disable}
    Specify whether client requests with the URL specified by url are required to present a personal certificate. When you select disable, FortiWeb does not require client requests with the specified URL to present a personal certificate.
    Default: No default.

Related topics

- server-policy policy on page 140
- server-policy server-pool on page 168

system certificate verify

Use this command to configure how the FortiWeb appliance will verify certificates presented by HTTP clients.
To apply a certificate verification rule, select it in a policy. For details, see server-policy policy on page 140.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
admingrp area. For details, see Permissions on page 46.

Syntax
config system certificate verify
edit "<certificate_verificator_name>"
set ca "<ca-group_name>"
set crl "<crl-group_name>"
set publish-dn {enable | disable}
set strictly-need-cert {enable | disable}
set partial-chain {enable | disable}
next
end

"<certificate_verificator_name>"
    Enter the name of a certificate verifier. The maximum length is 63 characters.
    Default: No default.

ca "<ca-group_name>"
    Enter the name of an existing CA group to use to authenticate client certificates.
    Default: No default.

crl "<crl-group_name>"
    Enter the name of an existing CRL group, if any, to use to verify the revocation status of client certificates.
    Default: No default.

publish-dn {enable | disable}
    Enable to publish the distinguished names (DNs) of the CAs in the specified CA group in the certificate request sent to the client, so that the client lists only certificates related to those CAs. This is beneficial when a client has many certificates installed in its browser, or when apps do not list client certificates. If you enable this option, also enable the corresponding option in the CA group. For details, see system certificate ca-group on page 230.
    Default: disable

strictly-need-cert {enable | disable}
    Enable to strictly require that the client certificate be presented and verified.
    Default: enable

partial-chain {enable | disable}
    Enable partial certificate chain validation: a client certificate can be validated by the intermediate CA alone, without the chain continuing to a root CA in the CA group. When this option is enabled, you must also enable partial-chain in config system certificate ca-group.
    Default: disable

Related topics

- system certificate ca-group on page 230
- system certificate crl on page 231
- server-policy policy on page 140
- server-policy server-pool on page 168

system certificate xml-client-certificate-group

Use this command to group XML client certificates.

Syntax
config system certificate xml-client-certificate-group
edit "<xml-client-certificate-group_name>"
config members
edit <entry_index>
set client-name <name_str>
next
end
next
end

"<xml-client-certificate-group_name>"
    Enter the name of the XML client certificate group. You will use this name to select the client certificate group in other parts of the configuration.
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table.
    Default: No default.

client-name <name_str>
    Enter the name of an XML client certificate that you want to include in the group.
    Default: No default.

Related topics

- system certificate xml-client-certificate on page 245
- waf ws security

system conf-sync

Use this command to configure non-HA configuration synchronization settings.

Note: This command configures, but does not execute, the synchronization. To execute it, use the web UI.
This command works only when administrative domains (ADOMs) are disabled.

This type of synchronization is used between FortiWeb appliances that are not part of a native FortiWeb high availability (HA) pair, such as when you need to clone the configuration once, or when HA is provided by an external device.
To use this command, your administrator account's access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions on page 46.

Syntax
config system conf-sync
set ip "<remote-fortiweb_ipv4>"
set password "<password_str>"
set sync-type {full-sync | partial-sync}
set server-port <port_int>
set auto-sync {enable | disable}
set frequency {daily | every | weekly}
set day {Friday | Monday | Saturday | Sunday | Thursday | Tuesday | Wednesday}
set time "<hh:mm>"
end

ip "<remote-fortiweb_ipv4>"
    Enter the IP address of the remote FortiWeb appliance that you want to synchronize with the local FortiWeb appliance.
    Default: 0.0.0.0

password "<password_str>"
    Enter the administrator password for the remote FortiWeb appliance. The maximum length is 63 characters.
    Default: No default.

sync-type {full-sync | partial-sync}
    Select one of the synchronization types.
    For all operation modes except WCCP, full-sync updates the entire configuration of the peer FortiWeb appliance except for the following items:
    - Network interface used for synchronization (prevents a sync from accidentally breaking connectivity for future syncs)
    - Administrator accounts
    - Access profiles
    - HA settings
    For the WCCP operation mode, full-sync updates the entire configuration except for the following items:
    - config system interface
    - config route static
    - config route policy
    - config system wccp
    - Administrator accounts
    - Access profiles
    - HA settings
    For all operation modes, partial-sync updates the configuration of the peer FortiWeb appliance, except for the following items:
    - router ...
    - server-policy health
    - server-policy http-content-routing-policy
    - server-policy persistence-policy
    - server-policy policy
    - server-policy server-pool
    - server-policy service custom
    - server-policy service predefined
    - server-policy vserver
    - system ...
    Default: partial-sync

server-port <port_int>
    Enter the port number on the remote (peer) FortiWeb appliance that is used to connect to the local appliance for configuration synchronization. The valid range is 1 to 65,535.
    Caution: The port number used with this command must be different from the port number used with the command, or the submitting operation will fail.
    Default: 955

auto-sync {enable | disable}
    Enable to automatically synchronize the configurations hourly, daily, or weekly. Also configure frequency, day, and time accordingly.
    Default: disable

frequency {daily | every | weekly}
    Enter how often you want the configurations to synchronize:
    - daily: Synchronizes the configuration every day at a specified time. Also configure time. For example, setting time to 10:30 synchronizes the configurations every day at 10:30.
    - every: Synchronizes the configuration after an interval you set using time. For example, setting time to 05:00 synchronizes the configurations every five hours.
    - weekly: Synchronizes the configuration on a specific day and time. Also configure day and time. For example, setting day to Sunday and time to 5:15 synchronizes the configurations every Sunday at 5:15.
    Default: No default.

day {Friday | Monday | Saturday | Sunday | Thursday | Tuesday | Wednesday}
    If auto-sync is enabled and frequency is weekly, enter the day of the week on which you want the configurations to synchronize.
    Default: No default.

time "<hh:mm>"
    Enter the time of day or the interval at which the configurations are synchronized:
    - daily: Sets the time of day at which the configurations are synchronized.
    - every: Sets the interval at which the configurations are synchronized.
    - weekly: Sets the time of day at which the configurations are synchronized.
    Default: No default.

Related topics

- system settings on page 336

system console

Use this command to configure the management console settings. Usually this is set during the early stages of
installation and needs no adjustment.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system console
set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
set mode {batch | line}
set output {more | standard}
set shell {cli | sh}
end

baudrate {9600 | 19200 | 38400 | 57600 | 115200}
    Select the baud rate of the console connection. The rate should conform to the specifications of your specific FortiWeb appliance.
    Default: 9600

mode {batch | line}
    Select the console input mode: either batch or line.
    Default: line

output {more | standard}
    Select either:
    - more: When displaying multiple pages' worth of output, pause after displaying each page's worth of text. When the display pauses, the last line displays --More--. You can then either press the spacebar to display the next page, or type Q to truncate the output and return to the command prompt.
    - standard: Do not pause between pages' worth of output, and do not offer to truncate output.
    Default: standard

shell {cli | sh}
    Select either:
    - cli: Command-line shell.
    - sh: BusyBox shell.
    Default: cli

Example

This example configures the local console connection to operate at 9,600 baud, and to show long output in a paged
format.
config system console
set baudrate 9600
set output more
end

Related topics

- system admin on page 207

system csf

You can configure Fabric Connector to use Single Sign-On (SSO) to log in to FortiWeb with FortiGate's administrator
accounts.
Use this command to configure the Fabric Connector on FortiWeb. Single sign-on with FortiGate requires configurations
on FortiGate as well. For how to configure SSO with FortiGate, see Fabric Connector: Single Sign On with FortiGate.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system csf
set status {enable | disable}
set configuration-sync {enable | disable}
set upstream-ip <fortigate ip>
set upstream-port <port for fabric>
set management-ip <fortiweb mgmt ip>
set management-port <port for fortiweb mgmt>
end

status {enable | disable}
    Enable or disable the Fabric Connector.
    Default: disable

configuration-sync {enable | disable}
    Enable means that when the Fabric connection with FortiGate is established, Single Sign-On mode is enabled automatically and FortiGate synchronizes its SAML Single Sign-On settings to the FortiWeb device.
    Disable means that when the Fabric connection with FortiGate is established, you need to manually enable Single Sign-On mode and manually configure the SAML Single Sign-On settings.
    It's recommended to set it to enable.
    Default: enable

upstream-ip <fortigate ip>
    The FortiGate IP. If you have multiple FortiGate appliances deployed as a Fabric network, enter the IP address of the Fabric root.
    This is the IP of the interface selected in the Allow other Security Fabric devices to join field on the FortiGate.
    Default: 0.0.0.0

upstream-port <port for fabric>
    Use the default 8013.
    Default: 8013

management-ip <fortiweb mgmt ip>
    Enter the FortiWeb GUI management IP.
    No default.

management-port <port for fortiweb mgmt>
    Enter the FortiWeb GUI management HTTPS port. This must be the same as the HTTPS port setting in System > Admin > Settings in FortiWeb.
    No default.

Related topics

• system saml

system decoding enhancement

Use this command to configure decoding enhancement. You can decode cookies and parameters using base64 or CSS
for specified URLs.
To configure decoding enhancement, you must first enable the feature. For details, see system advanced on page 217.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.


Syntax
config system decoding-enhancement
edit <entry_index>
set url-type {plain | regular}
set url-pattern "<url_string>"
set b64arg {enable | disable}
config field-list
edit <entry_index>
set base64-decoding {enable | disable}
set css-decoding {enable | disable}
set field-name "<parameter_cookie_str>"
set field-name-type {plain | regular}
set field-type {parameter | cookie}
next
end
next
end

<entry_index>
    Enter the index number of the decoding rule that you want to create or modify.
    No default.

url-type {plain | regular}
    Enter to select between:
    • plain—A simple string; a string of text that contains a literal URL.
    • regular—A regular expression; a string of text that defines a search pattern for a URL that may come in many variations.
    No default.

url-pattern "<url_string>"
    Enter the URL path for which you want the decoding rule to apply.
    No default.

b64arg {enable | disable}
    When it’s enabled, all the parameters in the URL will be decoded before being parsed.
    If you only want to decode certain parameters instead of all, you can disable this option and then enable base64-decoding to apply the decoding for specified parameters.
    Default: enable

<entry_index>
    Enter the index number of the field that you want to create or modify.
    No default.

base64-decoding {enable | disable}
    Configure to enable Base64 decoding for the field.
    Default: disable

css-decoding {enable | disable}
    Configure to enable CSS decoding for the field.
    Default: disable

field-name "<parameter_cookie_str>"
    Enter the parameter or cookie string for the field.
    No default.

field-name-type {plain | regular}
    Enter to select between:
    • plain—A simple string; a string of text that contains a literal URL.
    • regular—A regular expression; a string of text that defines a search pattern for a URL that may come in many variations.
    No default.

field-type {parameter | cookie}
    Enter to select between:
    • parameter—Enter to set a parameter field for the field.
    • cookie—Enter to set a cookie field for the field.
    No default.

Example

This example enables decoding enhancement and creates a decoding rule with a parameter field type.
config system advanced
set decoding-enhancement enable
end
config system decoding-enhancement
edit 1
set url-type plain
set url-pattern "/decoding"
config field-list
edit 1
set base64-decoding enable
set css-decoding enable
set field-type parameter
set field-name-type plain
set field-name key
next
end
next
end
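
The following Python model is an added example, not FortiWeb code or part of this reference. It shows what a decoding rule exposes to the parser when b64arg is enabled versus when it is disabled and a field-list selects individual parameters or cookies. Assumptions: plain means an exact match and regular an unanchored regular expression, b64arg covers URL parameters only, and a value that is not valid Base64 is passed through unchanged.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit


@dataclass
class FieldRule:
    """One config field-list entry."""
    field_name: str
    field_name_type: str = "plain"     # plain (exact match) or regular (regex), assumed
    field_type: str = "parameter"      # parameter or cookie
    base64_decoding: bool = False
    css_decoding: bool = False         # accepted but not modelled here

    def applies_to(self, name: str, kind: str) -> bool:
        if kind != self.field_type:
            return False
        if self.field_name_type == "plain":
            return name == self.field_name
        return re.search(self.field_name, name) is not None


@dataclass
class DecodingRule:
    """One config system decoding-enhancement entry."""
    url_pattern: str
    url_type: str = "plain"            # plain (exact path) or regular (regex), assumed
    b64arg: bool = True                # decode every URL parameter
    field_list: List[FieldRule] = field(default_factory=list)

    def matches_url(self, path: str) -> bool:
        if self.url_type == "plain":
            return path == self.url_pattern
        return re.search(self.url_pattern, path) is not None

    def field_wants_b64(self, name: str, kind: str) -> bool:
        return any(f.base64_decoding and f.applies_to(name, kind) for f in self.field_list)


def try_base64(value: str) -> str:
    """Decode value as Base64. Values that are not valid Base64, or that do not
    decode to UTF-8 text, are returned unchanged so a decode failure never drops data."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return value


def decode_request(rule: DecodingRule, url: str,
                   cookies: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (parameters, cookies) as the parser would see them after the rule.
    b64arg applies to URL parameters only; cookies are decoded only through a
    field-list entry with field-type cookie (assumed from the CLI descriptions)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    out_cookies = dict(cookies)
    if not rule.matches_url(parts.path):
        return params, out_cookies              # rule does not apply to this URL
    for name, value in list(params.items()):
        if rule.b64arg or rule.field_wants_b64(name, "parameter"):
            params[name] = try_base64(value)
    for name, value in cookies.items():
        if rule.field_wants_b64(name, "cookie"):
            out_cookies[name] = try_base64(value)
    return params, out_cookies


# Constructed sample request: "key" carries Base64("<script>"), "note" carries
# Base64("hello"), and the session cookie carries Base64("hello").
SAMPLE_URL = "/decoding?key=PHNjcmlwdD4=&note=aGVsbG8=&plain=hello"
SAMPLE_COOKIES = {"session_id": "aGVsbG8="}

# Rule as in the example above: b64arg enabled, so every URL parameter is decoded.
DECODE_ALL = DecodingRule("/decoding", "plain", b64arg=True)

# Selective rule: b64arg disabled; only parameter "key" and cookies named session* decode.
DECODE_SELECTED = DecodingRule("/decoding", "plain", b64arg=False, field_list=[
    FieldRule("key", "plain", "parameter", base64_decoding=True),
    FieldRule("^session", "regular", "cookie", base64_decoding=True),
])
```

With DECODE_ALL the "note" parameter also becomes "hello", which is why the page recommends disabling b64arg when only specific parameters are Base64-encoded.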

Related Topic(s)

• system advanced on page 217

system dns

Use this command to configure the FortiWeb appliance with its local domain name, and the IP addresses of the domain
name system (DNS) servers that the FortiWeb appliance will query to resolve domain names such as
www.example.com into IP addresses.
FortiWeb appliances require connectivity to DNS servers for DNS lookups. Use either the DNS servers supplied by your
Internet service provider (ISP) or the IP addresses of your own DNS servers. You must provide unicast, non-local
addresses for your DNS servers. Local host and broadcast addresses will not be accepted.


For improved performance, use DNS servers on your local network.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system dns
set primary "<dns_ipv4>"
set secondary "<dns_ipv4>"
set domain "<local-domain_str>"
end

primary "<dns_ipv4>"
    Enter the IP address of the primary DNS server.
    Default: 8.8.8.8

secondary "<dns_ipv4>"
    Enter the IP address of the secondary DNS server.
    Default: 0.0.0.0

domain "<local-domain_str>"
    Enter the name of the local domain to which the FortiWeb appliance belongs, if any. The maximum length is 127 characters.
    This field is optional. It will not appear in the Host: field of HTTP headers for client connections to protected web servers.
    Note: You can also configure the host name. For details, see .
    No default.

Example

This example configures the FortiWeb appliance with the name of the local domain to which it belongs, example.com. It
also configures its host name, fortiweb. Together, this configures the FortiWeb appliance with its own fully qualified
domain name (FQDN), fortiweb.example.com.
config system global
set hostname "fortiweb"
end
config system dns
set domain "example.com"
end

Related topics

• log syslog-policy on page 90
• router static on page 98
• system interface on page 312
• server-policy policy on page 140

system endpoint-control

Use this command to set a FortiClient EMS connector.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system endpoint-control fctems
edit <ems_connector_name>
set server <IP_address>
set https-port <port>
set server-verification {enable | disable}
set ca-cert <cert_name>
set source-ip <IP_address>
set call-timeout <int>
set preserve-ssl-session {enable | disable}
set fingerprint <fingerprint>
set EMS_SN <EMS_EN>
next
end

<ems_connector_name>
    Enter the name of the EMS connector.
    No default.

server <IP_address>
    Enter the EMS server IP address.
    No default.

https-port <port>
    Enter the HTTPS access port number.
    Default: 443

server-verification {enable | disable}
    Enable this option to verify the FortiClient EMS certificate that is used for the HTTPS connection between FortiWeb and FortiClient EMS.
    Default: disable

ca-cert <cert_name>
    Select the certificate for verifying the FortiClient EMS server certificate that is used for the connection between FortiWeb and FortiClient EMS.
    No default.

source-ip <IP_address>
    Enter the allowed source IP addresses of the API calls.
    Default: 0.0.0.0

call-timeout <int>
    Enter the timeout value for the API calls from FortiWeb to the EMS server.
    Default: 15

preserve-ssl-session {enable | disable}
    Enable/disable preservation of the EMS SSL session connection.
    Default: disable

fingerprint <fingerprint>
    Enter the EMS server fingerprint.
    Default: automatically populated once EMS is verified.

EMS_SN <EMS_EN>
    Enter the EMS server serial number.
    Default: automatically populated once EMS is verified.

It's highly recommended not to change the default value of the variables except <ems_connector_name>, server <IP_address>, and https-port <port>.

Related topics

• system endpoint-control on page 730
• system endpoint-control on page 258
• server-policy ztna-profile on page 201
• server-policy ztna-rule on page 203

system eventhub

When FortiWeb-VM is deployed on Azure, use this command to manually configure the FortiWeb appliance to send log
messages to Azure Event Hubs.
Alternatively, you can create the configuration automatically using a PowerShell script. For details, see the FortiWeb-
VM Azure Install Guide:
HTTPs://docs.fortinet.com/fortiweb/hardware
When the event hub configuration is complete, FortiWeb sends health logs to Azure Event Hub.
If you also create a corresponding Azure CEF SIEM policy (see log siem-policy on page 86), FortiWeb also sends
security logs to Azure Event Hub.
This command is available for FortiWeb-VM running on Microsoft Azure only.
You can use the Azure classic portal to obtain the values that the config system eventhub settings require. For
detailed instructions, see the FortiWeb-VM Azure Install Guide:
HTTPs://docs.fortinet.com/fortiweb/hardware
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.


Syntax
config system eventhub
set status {enable | disable}
set appliance_id "<subscription_str>"
set policy_saskey "<primary-key_str>"
set policy_name "<policy-name_str>"
set eventhub_name "<ehub-name_str>"
set servicebus_namespace "<servicebus-namespace_str>"
end

status {enable | disable}
    Enter enable to activate the Azure event hub configuration.
    Default: disable

appliance_id "<subscription_str>"
    Enter the subscription (ID) that has access to the Azure Event Hub.
    No default.

policy_saskey "<primary-key_str>"
    Enter the primary shared access key that the specified policy (by policy_name "<policy-name_str>") uses for Shared Access Signature authentication on the Azure Event Hub.
    No default.

policy_name "<policy-name_str>"
    Enter the name of the Shared Access policy created for the Azure Event Hub.
    No default.

eventhub_name "<ehub-name_str>"
    Enter the name of the Azure Event Hub that is associated with the specified service bus (by servicebus_namespace "<servicebus-namespace_str>").
    No default.

servicebus_namespace "<servicebus-namespace_str>"
    Enter the Service Bus Namespace in which the Event Hub is created.
    No default.

Related topics

• log siem-policy on page 86
• log siem-message-policy on page 85

system fail-open

If your appliance’s hardware model, network cabling, and configuration supports it, you can configure fail-to-wire/bypass
behavior. This allows traffic to pass through unfiltered between 2 ports (a link pair) while the FortiWeb appliance is shut
down, rebooting, or has unexpectedly lost power such as due to being accidentally unplugged or PSU failure.
Fail-open is supported only:
• when the operation mode is True Transparent Proxy, Transparent Inspection, or WCCP
• in standalone mode (not HA)
• for a bridge (V-zone) between ports wired to a CP7 processor or other hardware which provides support for fail-to-wire:
  • FortiWeb 600D: port1 + port2
  • FortiWeb 1000C: port3 + port4
  • FortiWeb 1000D: port3 + port4 or port5 + port6
  • FortiWeb 1000E: port3 + port4 + port5 + port6
  • FortiWeb 2000E: port1 + port2 or port3 + port4
  • FortiWeb 3000C/D: port5 + port6
  • FortiWeb 3000E/4000E: port9 + port10, port11 + port12, port13 + port14, or port15 + port16
  • FortiWeb 3010E: port3 + port4, port9 + port10, port11 + port12, port13 + port14, or port15 + port16
  • FortiWeb 4000C/D: port5 + port6 or port7 + port8
  • FortiWeb 3000CFsx/DFsx: port5 + port6 or port7 + port8

FortiWeb-400B/400C, FortiWeb HA clusters, and ports not wired to a CP7/fail-open chip do not support fail-to-wire.

In the case of HA, don’t use fail-open—instead, use a standby HA appliance to provide full fault tolerance. Bypass results in degraded security while FortiWeb is shut down, and therefore HA is usually a better solution: it ensures that degraded security does not occur if one of the appliances is shut down. If it is possible that both of your HA FortiWeb appliances could simultaneously lose power, you can add an external bypass device such as FortiBridge.

Fail-to-wire may be useful if you are required by contract to provide uninterrupted connectivity, or if you consider a connectivity interruption to be a greater risk than being open to attack during the power interruption.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system fail-open
set port3-port4 {poweroff-bypass | poweroff-cutoff}
end

port3-port4 {poweroff-bypass | poweroff-cutoff}
    Select either:
    • poweroff-bypass—Behave like a wire when powered off, allowing connections to pass directly through from one port to the other, bypassing policy and profile filtering.
    • poweroff-keep—Interrupt connectivity when powered off.
    Note: The name of this setting varies by which ports are wired together for bypass in your specific hardware model.
    Default: poweroff-bypass

Related topics

• system ha on page 287

system fds proxy

Use this command to configure the FortiWeb proxy to override the default list of FDN servers and update FortiGuard
service packages from a new address.
Before using this command, you must configure FortiWeb to act as a proxy server. To do so, set fds-proxy to enable.
See system global for how to enable fds-proxy.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system fds proxy override
set override_switch {enable | disable}
set address "<fds_IPv4>"
end

config system fds proxy schedule
set status {enable | disable}
set frequency {every | daily | weekly}
set time
set day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
end

override_switch {enable | disable}
    Enable to override the default list of FDN servers and connect to a specific server.
    Default: disable

address "<fds_IPv4>"
    Enter either an IP address or fully qualified domain name (FQDN) of the FDS override, so that the FortiWeb proxy will obtain FortiGuard service packages from this address.
    No default.

status {enable | disable}
    Enable to schedule updating the database at a certain frequency.
    Default: disable

frequency {every | daily | weekly}
    Set the database update frequency.
    No default.

time
    Set the hour and minute ranges; hh: 0–23, mm: 0–59 or 60=random.
    No default.

day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
    Set the specific day of the week on which to update the database.
    No default.

Example

This example enables FortiWeb to act as an FDS proxy and update FortiGuard service packages from 192.0.2.1.
config system global
set fds-proxy enable
end

config system fds proxy override
set override_switch enable
set address "192.0.2.1"
end

system feature-visibility

Use this command to enable or disable the ability to view configuration options for these features in the web UI and CLI:
1. System features
   • Traffic Mirror
   • Replacement Message for AJAX requests
   • Firewall
   • Debug
   • WCCP
   • reCAPTCHA
2. Security Features
   • FTP Security
   • Mobile Application Identification
   • Signature Update Management
   • FortiGate Integration
   • Web Anti-Defacement
   • Padding Oracle Protection
   • Web Vulnerability Scan
3. Additional Features
   • ADFS Policy
   • Acceleration
   • Web Cache
   • API Gateway
   • ICAP Server
When these features are disabled, options for configuring these features are hidden in the web UI and CLI. If you're
planning to configure and implement these features in your FortiWeb configuration, you'll need to enable feature visibility
for them first.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system feature-visibility
set acceleration-policy {enable | disable}
set adfs-policy {enable | disable}
set api-gateway {enable | disable}
set debug-log {enable | disable}
set firewall {enable | disable}
set recaptcha {enable | disable}
set fortigate-integration {enable | disable}
set ftp-security {enable | disable}
set mobile-app-identification {enable | disable}
set padding-oracle {enable | disable}
set support-ajax-requests {enable | disable}
set support-icap-server {enable | disable}
set traffic-mirror {enable | disable}
set wad {enable | disable}
set wccp-mode {enable | disable}
set web-cache {enable | disable}
set wvs {enable | disable}
set ztna {enable | disable}
end

acceleration-policy {enable | disable}
    Enable to display acceleration policy configuration options.
    Default: disable

adfs-policy {enable | disable}
    Enable to display ADFS policy and ADFS server pool options.
    Default: disable

api-gateway {enable | disable}
    Enable to display API users, API gateway rule and policy configuration options.
    Default: disable

debug-log {enable | disable}
    Enable to display debug log configurations.
    Default: disable

firewall {enable | disable}
    Enable to display firewall policy and NAT policy configuration options.
    Default: disable

recaptcha {enable | disable}
    Enable to display recaptcha-user configurations.
    Default: disable

fortigate-integration {enable | disable}
    Enable to display FortiGate integration configuration options.
    Default: disable

ftp-security {enable | disable}
    Enable to display FTP security rule, profile, and policy configuration options.
    Default: disable

mobile-app-identification {enable | disable}
    Enable to display the JWT token secret and token header used to verify a request from a mobile application.
    Default: disable

padding-oracle {enable | disable}
    Enable to display padding oracle rule configuration options.
    Default: disable

support-ajax-requests {enable | disable}
    Enable to display support AJAX requests options.
    Default: disable

support-icap-server {enable | disable}
    Enable to display ICAP server configuration options.
    Default: disable

traffic-mirror {enable | disable}
    Enable to display traffic mirror rule, profile, and policy configuration options.
    Default: disable

wad {enable | disable}
    Enable to display web anti-defacement configuration options.
    Default: disable

wccp-mode {enable | disable}
    Enable to display WCCP client configuration options.
    Default: disable

web-cache {enable | disable}
    Enable to display web cache policy and profile configuration options.
    Default: disable

wvs {enable | disable}
    Enable to display web vulnerability scan policy and profile configuration options.
    Default: disable

ztna {enable | disable}
    Enable to display Zero Trust Network Access (ZTNA) policy and profile configuration options.
    Default: disable

Related Topics

• waf web-protection-profile inline-protection on page 636
• waf ftp-protection-profile on page 463
• waf ftp-command-restriction-rule on page 459
• waf ftp-file-security on page 461
• server-policy policy on page 140
• server-policy server-pool on page 168
• system replacemsg on page 1


system fips-cc

Use this command to enable and configure Federal Information Processing Standards (FIPS) and Common Criteria
(CC) compliant mode.

Syntax
config system fips-cc
set status {enable | disable | fips-ciphers}
set entropy-token {dynamic | enable | disable}
set reseed-interval <reseed-interval_int>
set ssl-client-restrict {enable | disable}
end

status {enable | disable | fips-ciphers}
    Select enable or disable to turn the FIPS operation mode on or off. fips-ciphers is a special kind of FIPS mode.
    fips-ciphers mode
    The fips-ciphers mode is only supported by FortiWeb-VMs on AWS and Azure. In fips-ciphers mode, FortiWeb has the following limitations:
    1. For the business traffic going through FortiWeb, both HTTP and HTTPS protocols are allowed, but TLS 1.0 and TLS 1.1 are not supported for HTTPS traffic. Only the following SSL ciphers are allowed:
       For TLS 1.3:
       • TLS_AES_256_GCM_SHA384
       • TLS_AES_128_GCM_SHA256
       For TLS 1.2:
       • ECDHE-ECDSA-AES256-GCM-SHA384
       • ECDHE-RSA-AES256-GCM-SHA384
       • DHE-RSA-AES256-GCM-SHA384
       • ECDHE-ECDSA-AES128-GCM-SHA256
       • ECDHE-RSA-AES128-GCM-SHA256
       • DHE-RSA-AES128-GCM-SHA256
    2. For the traffic to FortiWeb's CLI and GUI, HTTP and Telnet are not allowed. Only HTTPS and SSH are allowed. The supported SSL ciphers for HTTPS traffic are the same as listed above.
       The supported ciphers for SSH traffic include:
       • diffie-hellman-group-exchange-sha256
       • ssh-rsa
       • hmac-sha2-256
       • hmac-sha2-512
       • [email protected]
       • [email protected]
    3. Shell mode is disabled in fips-ciphers mode.
    To ensure a truly fips-ciphers configuration, it's recommended to start with a clean install or do a factory reset first.
    Once fips-ciphers mode is enabled, it can only be disabled by a factory reset.
    Default: disable

entropy-token {dynamic | enable | disable}
    Use the entropy token to seed the RNG in FIPS-CC mode.
    • When the status is enabled, the entropy token is used to seed or reseed the RNG, and it must be inserted into FortiWeb.
    • When the status is disabled, the entropy token is not used to seed or reseed the RNG; the old method is used instead.
    • When the status is dynamic, the entropy token is used to seed or reseed the RNG when it is present; if the token is not present, the old method is used to seed or reseed the RNG.
    Default: disable

reseed-interval <reseed-interval_int>
    Set the interval to reseed the RNG. The valid range is 0–1440 minutes.
    Default: 1440

ssl-client-restrict {enable | disable}
    Enable/disable cipher restriction.
    Default: disable

system firewall address

Use this command to configure IP addresses and address ranges that FortiWeb's built-in stateful firewall uses. You use
the address configuration in a firewall policy. For details, see system firewall firewall-policy on page 269.

Syntax
config system firewall address
edit "<firewall-address_name>"
set type {ip-netmask | ip-range}
set ip-netmask "<firewall-address_ipv4mask>"
set ip-address-value "<firewall-address_ipv4>"
end


"<firewall-address_name>"
    Enter a name that identifies this firewall address configuration.
    No default.

type {ip-netmask | ip-range}
    Select how this configuration specifies a firewall address or addresses:
    • ip-netmask—A single IP address and netmask.
    • ip-range—A single IP address or a range of IP addresses.
    Default: ip-range

ip-netmask "<firewall-address_ipv4mask>"
    Enter an IPv4 address and subnet mask, separated by a forward slash ( / ). For example, 192.0.2.2/24.
    Available when type {ip-netmask | ip-range} on page 268 is ip-netmask.
    No default.

ip-address-value "<firewall-address_ipv4>"
    Enter a single IP address or a range of addresses. For example, 192.0.2.1, or 192.0.2.1-192.0.2.256.
    Available when type {ip-netmask | ip-range} on page 268 is ip-range.
    No default.

Related topics

• system firewall firewall-policy on page 269
• system firewall service on page 268

system firewall service

Use this command to configure the protocols and ports that FortiWeb's built-in stateful firewall uses. You use the service
configuration in a firewall policy. For details, see system firewall firewall-policy on page 269.

Syntax
config system firewall service
edit "<firewall-service_name>"
set protocol {TCP | UDP | ICMP}
set source-port-min <source-port-min_int>
set source-port-max <source-port-max_int>
set destination-port-min <source-port-min_int>
set destination-port-max <source-port-max_int>
end


"<firewall-service_name>"
    Enter a name that identifies this firewall service configuration.
    No default.

protocol {TCP | UDP | ICMP}
    Select the protocol for this firewall service configuration.
    Default: TCP

source-port-min <source-port-min_int>
    Enter the start port in the range of source ports for this firewall service.
    Default: 0

source-port-max <source-port-max_int>
    Enter the end port in the range of source ports for this firewall service.
    Default: 65535

destination-port-min <source-port-min_int>
    Enter the start port in the range of destination ports for this firewall service.
    Default: 0

destination-port-max <source-port-max_int>
    Enter the end port in the range of destination ports for this firewall service.
    Default: 65535

Related topics

• system firewall address on page 267
• system firewall firewall-policy on page 269

system firewall firewall-policy

Use this command to configure the policies that FortiWeb's built-in stateful firewall uses to determine which traffic to
allow and deny.
The firewall policy uses address and service configurations that you create separately. For details, see system firewall
address on page 267 and system firewall service on page 268.

Syntax
config system firewall firewall-policy
set default-action {deny | accept}
config firewall-policy-match-list
edit <entry_index>
set in-interface "<incoming_interface_name>"
set out-interface "<outgoing_interface_name>"
set src-address "<firewall-address_name>"
set dest-address "<firewall-address_name>"
set service "<firewall-service_name>"
set action {deny | accept}
set vzone-enable {enable | disable}
set vzone "<vzone_name>"
next
end
end


default-action {deny | accept}
    Select either:
    • deny—Firewall blocks traffic that does not match a policy rule. However, administrative access is still allowed on network interfaces for which it has been configured.
    • accept—Firewall allows traffic that does not match a policy rule.
    Default: accept

<entry_index>
    Enter the index number of the policy rule in the table.
    No default.

in-interface "<incoming_interface_name>"
    Enter the name of the interface (for example, port1) on which FortiWeb receives packets it applies this firewall policy rule to.
    No default.

out-interface "<outgoing_interface_name>"
    Enter the name of the interface (for example, port2) through which FortiWeb routes packets it applies this firewall policy rule to.
    No default.

src-address "<firewall-address_name>"
    Enter the name of the firewall address configuration that specifies the source IP address or addresses to which this policy applies.
    For details about creating firewall address configurations, see system firewall address on page 267.
    No default.

dest-address "<firewall-address_name>"
    Enter the name of the firewall address configuration that specifies the source IP address or addresses to which this policy rule applies.
    For details about creating firewall address configurations, see system firewall address on page 267.
    No default.

service "<firewall-service_name>"
    Enter the name of the firewall service configuration that specifies the protocols and ports to which this policy rule applies.
    For details about creating firewall address configurations, see system firewall address on page 267.
    No default.

action {deny | accept}
    Enter either:
    • deny—Firewall blocks traffic that matches this policy rule. However, administrative access is still allowed on network interfaces for which it has been configured.
    • accept—Firewall allows traffic that matches this policy rule.
    Default: deny

vzone-enable {enable | disable}
    Select to enable a V-zone (bridge). If this option is enabled, select a V-zone to use. V-zones allow network connections to travel through FortiWeb's physical network ports without explicitly connecting to one of its IP addresses.
    This option is available only when the operation mode is True Transparent Proxy or Transparent Inspection mode.
    Default: disable

vzone "<vzone_name>"
    Select a configured V-zone. For details about creating a V-zone, see system v-zone on page 352.
    No default.

Example

This example configures a firewall policy that denies all HTTP traffic except traffic coming from specified sources.
config system firewall address
edit "allowed_source"
set type ip-range
set ip-address-value "172.22.203.100-172.22.203.115"
end
config system firewall address
edit "site1"
set type ip-netmask
set ip-netmask "206.11.0.2/24"
end
config system firewall service
edit "HTTP"
set protocol TCP
set destination-port-min 80
set destination-port-max 80
end
config system firewall firewall-policy
set default-action deny
config firewall-policy-match-list
edit 1
set in-interface port1
set out-interface port2
set src-address site1
set dest-address site1
set service HTTP
set action accept
next
end
end

Related topics

• system firewall address on page 267
• system firewall service on page 268


system firewall fwmark-policy

Use this command to mark the traffic coming in FortiWeb. Using it together with policy route, you can direct the marked
traffic to go out of FortiWeb through a specified interface or/and to a specified next-hop gateway.

Syntax
config system firewall fwmark-policy
edit "<fwmark-policy-name>"
set from <firewall_source-address_name>
set to <firewall_destination-address_name>
set in-interface <incoming_interface_name>
set service <firewall-service_name>
set mark <mark_int>
next
end

"<fwmark-policy-name>"
    The name of the fwmark policy.
    No default.

from <firewall_source-address_name>
    Enter the name of the firewall address configuration that specifies the source IP address or addresses to which this policy applies.
    For details about creating firewall address configurations, see system firewall address on page 267.
    No default.

to <firewall_destination-address_name>
    Enter the name of the firewall address configuration that specifies the source IP address or addresses to which this policy rule applies.
    For details about creating firewall address configurations, see system firewall address on page 267.
    No default.

in-interface <incoming_interface_name>
    Enter the name of the interface (for example, port1) on which FortiWeb receives packets it applies this firewall policy rule to.
    No default.

service <firewall-service_name>
    Enter the name of the firewall service configuration that specifies the protocols and ports to which this policy rule applies.
    For details about creating firewall address configurations, see system firewall address on page 267.
    No default.

mark <mark_int>
    Enter a value to mark the traffic that matches the conditions above. The valid range is 1-255.
    No default.


Example
config system firewall fwmark-policy
edit "1"
set from 1
set to 2
set in-interface port2
set service ALL_TCP
set mark 234
next
end

system firewall dnat policy

Use this command to configure a firewall DNAT policy. Firewall DNAT policies translate the destination IP address.
Firewall DNAT policies are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating
modes.

FortiWeb applies a firewall DNAT policy only if IP forwarding is enabled. For details
about IP forwarding, see router setting on page 97.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system firewall dnat-policy
edit "<policy_name>" on page 273
set external-start <external_ipv4> on page 274
set mapped-start <mapped_ipv4> on page 274
set mapped-end <mapped_ipv4> on page 274
set ingress-interface <ingress_port> on page 274
set protocol {tcp | udp | icmp} on page 274
set port-forwarding {enable | disable} on page 274
set external-port-start <external_port> on page 274
set external-port-end <external_port> on page 274
set mapped-port-start <mapped_port> on page 274
set mapped-port-end <mapped_port> on page 274
next
end

"<policy_name>"
  Enter a name that identifies the firewall DNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.
  Default: No default.

external-start <external_ipv4>
  Enter the first IP address of the IP range that matches the destination IP address in the packet header that you want to translate.
  The external addresses must be mapped one-to-one to the translated addresses. For example, if the external IP range contains 10 addresses, the mapped IP range must also contain 10 addresses.
  After you configure mapped-start and mapped-end, the system calculates how many addresses the mapped range contains and automatically determines the last IP address of the external IP range.
  The IP address must be IPv4.
  Default: 0.0.0.0

mapped-start <mapped_ipv4>
  Enter the first IP address of the IP range that you want to translate the external IP to.
  Default: 0.0.0.0

mapped-end <mapped_ipv4>
  Enter the last IP address of the IP range that you want to translate the external IP to.
  Default: 0.0.0.0

ingress-interface <ingress_port>
  Enter the interface to match the network interface through which the packet enters FortiWeb.
  Default: No default.

protocol {tcp | udp | icmp}
  Select the protocol type of the packets that you want to translate.
  Default: No default.

port-forwarding {enable | disable}
  Enable to translate the destination port as well as the destination IP address.
  Default: No default.

external-port-start <external_port>
  Enter the first port in the port range to match the destination port.
  This option is available only when port-forwarding is enabled.
  Default: 0

external-port-end <external_port>
  Enter the last port in the port range to match the destination port.
  This option is available only when port-forwarding is enabled.
  Default: 0

mapped-port-start <mapped_port>
  Enter the first port in the port range to translate the external port range to.
  This option is available only when port-forwarding is enabled.
  Default: 0

mapped-port-end <mapped_port>
  Enter the last port in the port range to translate the external port range to.
  This option is available only when port-forwarding is enabled.
  Default: 0

Related Topic

• router setting on page 97
• system firewall snat-policy on page 275
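The following configuration is added here as an illustration and is not taken from the FortiWeb documentation. It shows a DNAT policy that translates ten public addresses one-to-one to ten internal web servers and also forwards the destination port. All addresses, the interface name and the policy name are constructed placeholders.

```text
config system firewall dnat-policy
    edit "dnat-web-tier"
        set external-start 203.0.113.10
        set mapped-start 192.0.2.10
        set mapped-end 192.0.2.19
        set ingress-interface port1
        set protocol tcp
        set port-forwarding enable
        set external-port-start 443
        set external-port-end 443
        set mapped-port-start 8443
        set mapped-port-end 8443
    next
end
```

Because the mapped range 192.0.2.10 to 192.0.2.19 contains ten addresses, FortiWeb derives the last external address, 203.0.113.19, from external-start as the table above describes. The example keeps the external and mapped port ranges the same width so that each external port corresponds to exactly one mapped port. The policy takes effect only when IP forwarding is enabled (see router setting on page 97).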

system firewall snat-policy

Use this command to configure a firewall SNAT policy. Firewall SNAT policies translate a matching source IP address to
a single IP address or an IP address in an address pool.
Firewall SNAT policies are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating
modes.

FortiWeb applies a firewall SNAT policy only if IP forwarding is enabled. For details
about IP forwarding, see router setting on page 97.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system firewall snat-policy
edit "<policy_name>" on page 275
set source-start <source_ipv4> on page 275
set source-end <source_ipv4> on page 276
set out-interface "<egress_port>" on page 276
set destination-start <destination_ipv4> on page 276
set destination-end <destination_ipv4> on page 276
set trans-to-type {ip | pool | no-nat} on page 276
set trans-to-ip "<translation_ipv4>" on page 276
set trans-to-ip-start "<first_ipv4>" on page 276
set trans-to-ip-end "<last_ipv4>" on page 276
next
end

"<policy_name>"
  Enter a name that identifies the firewall SNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.
  Default: No default.

source-start <source_ipv4>
  Enter the first IP in the IP range to match the source IP address in the packet header that you want to translate. The IP address must be an IPv4 address.
  Default: 0.0.0.0/0

source-end <source_ipv4>
  Enter the last IP in the IP range to match the source IP address in the packet header that you want to translate. The IP address must be an IPv4 address.

out-interface "<egress_port>"
  Select the interface that FortiWeb uses to forward traffic that matches source-start <source_ipv4> on page 275.
  Default: No default.

destination-start <destination_ipv4>
  Enter the first IP in the IP range to match the destination IP address in the packet header. The IP address must be an IPv4 address.
  Default: 0.0.0.0/0

destination-end <destination_ipv4>
  Enter the last IP in the IP range to match the destination IP address in the packet header. The IP address must be an IPv4 address.

trans-to-type {ip | pool | no-nat}
  Select one of the following:
  • ip: Translate the source IP to an IP address that you specify.
  • pool: Translate the source IP to the next available IP address in an IP address pool that you specify.
  • no-nat: Do not perform SNAT for the matched traffic.
  Default: ip

trans-to-ip "<translation_ipv4>"
  Enter the IP address that you want to translate the source IP to. An example IP address is 192.0.2.2. The IP address must be an IPv4 address.
  This option is available only when trans-to-type {ip | pool | no-nat} on page 276 is set to ip.
  Default: 0.0.0.0

trans-to-ip-start "<first_ipv4>"
  Enter the first IP address in the SNAT pool. An example IP address is 192.0.2.3. The IP address must be an IPv4 address.
  This option is available only when trans-to-type {ip | pool | no-nat} on page 276 is set to pool.
  Default: 0.0.0.0

trans-to-ip-end "<last_ipv4>"
  Enter the last IP address in the SNAT pool. An example IP address is 192.0.2.4. The IP address must be an IPv4 address.
  This option is available only when trans-to-type {ip | pool | no-nat} on page 276 is set to pool.
  Default: 0.0.0.0

Related Topic

• router setting on page 97
• system firewall dnat policy on page 273
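As an added example that is not part of the FortiWeb documentation, the configuration below defines two SNAT policies using the two translation types described above: a single host translated to one fixed address with trans-to-type ip, and a server range translated to a small pool with trans-to-type pool. Addresses, the interface name and the policy names are constructed placeholders.

```text
config system firewall snat-policy
    edit "snat-mgmt-host"
        set source-start 192.0.2.5
        set source-end 192.0.2.5
        set out-interface "port2"
        set trans-to-type ip
        set trans-to-ip "203.0.113.40"
    next
    edit "snat-app-servers"
        set source-start 192.0.2.10
        set source-end 192.0.2.19
        set out-interface "port2"
        set trans-to-type pool
        set trans-to-ip-start "203.0.113.50"
        set trans-to-ip-end "203.0.113.53"
    next
end
```

destination-start and destination-end are left at their defaults so both policies match any destination. trans-to-ip is only read when trans-to-type is ip, and the trans-to-ip-start/trans-to-ip-end pair only when it is pool, so each policy sets just the options its translation type uses. As with DNAT, these policies are applied only when IP forwarding is enabled (see router setting on page 97).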


system fortigate-integration

FortiGate appliances can maintain a list of source IPs that they prevent from interacting with the network and protected
systems. You can configure FortiWeb to retrieve this list of IP addresses at intervals you specify. Then, you configure an
inline protection profile to detect the IP addresses in the list and take an appropriate action.
This feature is available only if the operating mode is Reverse Proxy or True Transparent Proxy.
This command configures the FortiGate appliance that provides the banned source IPs. To configure FortiWeb to detect the
quarantined IP addresses and take the appropriate action, configure the FortiGate Quarantined IPs settings in an inline
protection profile. For details, see waf web-protection-profile inline-protection on page 636.
To use this command, your administrator account's access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system fortigate-integration
set server "<domain_name_or_ipv4>"
set port <port_int>
set protocol {HTTP | HTTPS}
set server-verification {enable | disable} on page 277
set ca-cert <cert_name>
set username "<username_str>"
set password "<password_str>"
set schedule-frequency <schedule-frequency_int>
set flag {enable | disable}
end

server "<domain_name_or_ipv4>"
  Enter the FortiGate IP address or domain name that is used for administrative access.
  Default: No default.

port <port_int>
  Specify the port that the FortiGate uses for administrative access via HTTPS. In most cases, this is port 443.
  Default: 80

protocol {HTTP | HTTPS}
  Specify whether the FortiGate and FortiWeb communicate securely using HTTPS.
  Default: HTTP

server-verification {enable | disable}
  Enable this option to verify the TLS certificate used for the HTTPS connection between FortiWeb and the FortiGate.
  Available only if HTTPS is selected for protocol.
  Default: disable

ca-cert <cert_name>
  Select the CA certificate for the HTTPS connection between FortiWeb and the FortiGate. It must be uploaded in System > Admin > Certificates > Admin Cert CA.
  Default: No default.

username "<username_str>"
  Enter the name of the administrator account that FortiWeb uses to connect to the FortiGate.
  Default: No default.

password "<password_str>"
  Enter the password for the FortiGate administrator account that FortiWeb uses.
  Default: No default.

schedule-frequency <schedule-frequency_int>
  Enter how often, in hours, FortiWeb checks the FortiGate for an updated list of banned source IP addresses. The valid range is 1 to 5.
  Default: 1

flag {enable | disable}
  Enables or disables the transmission of quarantined source IP address information from the specified FortiGate.
  Default: disable

Related topics

• waf file-upload-restriction-policy on page 451
• log reports on page 75
• system fortisandbox-statistics on page 789
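Added example (not part of the FortiWeb documentation): this configuration retrieves the FortiGate's quarantined source IP list every hour over HTTPS with certificate verification enabled, so that FortiWeb does not act on a banned-IP list received from an endpoint whose identity it has not checked. The hostname, certificate name, account name and password are constructed placeholders.

```text
config system fortigate-integration
    set server "fgt-edge.example.com"
    set port 443
    set protocol HTTPS
    set server-verification enable
    set ca-cert "fgt-admin-ca"
    set username "fortiweb-quarantine-reader"
    set password "<placeholder-password>"
    set schedule-frequency 1
    set flag enable
end
```

ca-cert names a CA certificate that has been uploaded under System > Admin > Certificates > Admin Cert CA, as the table above states; server-verification has no effect unless protocol is HTTPS. Use a dedicated FortiGate administrator account for this integration with no more rights than fetching the list requires, and remember that the list only produces an action once the FortiGate Quarantined IPs settings are enabled in an inline protection profile.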

system fortisandbox

Use this command to configure FortiWeb to submit all files that match your upload restriction rules to FortiSandbox.
FortiSandbox evaluates whether the file poses a threat and returns the result to FortiWeb. If FortiSandbox determines
that the file is malicious, FortiWeb performs the following tasks:
• Generates an attack log message that contains the result.
• For 10 minutes after it receives the FortiSandbox results, takes the action specified by the file security policy. During
this time, it does not re-submit the file to FortiSandbox.
To use this command, your administrator account's access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system fortisandbox
set type {fsa | cloud}
set server "<server_ipv4>"
set cache-timeout <timeout_int>
set email "<email_str>"
set interval <interval_int>
set elog {enable | disable}
end


type {fsa | cloud}
  Specify whether FortiWeb submits files that match the upload restriction rules to a FortiSandbox physical appliance (or FortiSandbox-VM) or to FortiWeb Cloud Sandbox.
  The FortiWeb Cloud Sandbox option requires you to register your FortiWeb and a FortiWeb FortiGuard Sandbox Cloud Service subscription.
  Default: fsa

server "<server_ipv4>"
  Enter the IP address of the FortiSandbox to send files to.
  Available only when type is fsa.
  Default: No default.

cache-timeout <timeout_int>
  Enter how long, in hours, FortiWeb waits before it clears the hash table entry for an uploaded file that was evaluated by FortiSandbox.
  The valid range is 1–168.
  FortiWeb stores file evaluation results from FortiSandbox in a hash table. Whenever a client uploads a file, FortiWeb looks for a table entry that matches it. If there is a matching entry, FortiWeb takes action based on the stored result. If there is no matching entry, FortiWeb sends the file to FortiSandbox for evaluation.
  Default: 72

email "<email_str>"
  Enter the email address that FortiSandbox sends weekly reports and notifications to.
  Default: No default.

interval <interval_int>
  Enter how often, in minutes, FortiWeb retrieves statistics from FortiSandbox.
  Default: 5

elog {enable | disable}
  Enable so that FortiWeb reports event logs when it successfully submits files to FortiSandbox.
  Default: disable

Example

This example creates a connection to a FortiSandbox at 192.0.2.2 that retrieves statistics at the default interval (5
minutes) and sends a weekly report to [email protected].
config system fortisandbox
set server "192.0.2.2"
set ssl enable
set email "[email protected]"
end

Related topics

• waf file-upload-restriction-policy on page 451
• log reports on page 75
• system fortisandbox-statistics on page 789


system global

Use this command to configure system-wide settings such as language, display refresh rate and listening ports of the
web UI, the time zone and host name of the FortiWeb appliance, and NTP time synchronization.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system global
set admin-port <port_int>
set admin-sport <port_int>
set admin-tls-v10 {enable | disable}
set admin-tls-v11 {enable | disable}
set admin-tls-v12 {enable | disable}
set admin-tls-v13 {enable | disable}
set admin-lockout-threshold <admin-lockout-threshold_int>
set admin-lockout-duration <minutes_int>
set admintimeout <minutes_int>
set adom-admin {enable | disable}
set auth-timeout <milliseconds_int>
set cli-signature {enable | disable}
set confsync-port <port_int>
set dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}
set dst {enable | disable}
set fds-proxy {enable | disable}
set force-us-only {enable | disable}
set hostname "<host_name>"
set admin-https-pki-required {enable | disable}
set https-certificate "<certificate_name>"
set https-intermediate-certificate "<certificate_group_name>"
set ie6workaround {enable | disable}
set language {english | japanese | simch | trach}
set multi-factor-authentication {optional | mandatory}
set ntpserver {"<ntp_fqdn>" | "<ntp_ipv4>"}
set ntpsync {enable | disable}
set pre-login-banner {enable | disable}
set record-cli-fail-cmd {enable | disable}
set refresh <seconds_int>
set syncinterval <minutes_int>
set timezone "<time-zone-code_str>"
set tftp {enable | disable}
set ssh-fips {enable | disable}
set cert-expire-check-time <cert-expire-check-time_int>
set ipv6-dad-ha {enable | disable} on page 286
set fortiguard-anycast {enable | disable} on page 286
set updated-debug-log {enable | disable}
set power-status {enable | disable}
set shell-access {enable | disable}
set shell-username <user_name>
set shell-password <password>
set shell-timeout <int>
set shell-history-size
set shell-trusthostv4
set shell-trusthostv6
end

admin-port <port_int>
  Enter the port number on which the FortiWeb appliance listens for HTTP access to the web UI. The valid range is 1–65,535.
  Default: 80

admin-sport <port_int>
  Enter the port number on which the FortiWeb appliance listens for HTTPS (SSL-secured) access to the web UI. The valid range is 1–65,535.
  Default: 443

admin-tls-v10 {enable | disable}
  Enable to allow TLS 1.0 clients to connect securely to the FortiWeb appliance.
  Default: disable

admin-tls-v11 {enable | disable}
  Enable to allow TLS 1.1 clients to connect securely to the FortiWeb appliance.
  Default: disable

admin-tls-v12 {enable | disable}
  Enable to allow TLS 1.2 clients to connect securely to the FortiWeb appliance.
  Default: enable

admin-tls-v13 {enable | disable}
  Enable to allow TLS 1.3 clients to connect securely to the FortiWeb appliance.
  Default: disable

admin-lockout-threshold <admin-lockout-threshold_int>
  Enter the number of invalid logon attempts before the account is locked out. The valid range is 1–10.
  Default: 3

admin-lockout-duration <minutes_int>
  Set the length of time the account remains locked. The valid range is 1–2147483647 seconds.
  Default: 60

admintimeout <minutes_int>
  Enter the amount of time (in minutes) after which an idle administrative session with the web UI or CLI is automatically logged out. The valid range is 1–48.
  To improve security, do not increase the idle timeout.
  Default: 5

adom-admin {enable | disable}
  Enable to be able to restrict administrator accounts to specific administrative domains. See also domains "<adom_name>" on page 209.
  Note: After you type end, if this setting is enabled, the CLI terminates your session and restructures the configuration to use ADOMs. Global settings remain in the global configuration scope, but objects that are configurable separately per ADOM, such as services, are moved to the root ADOM. To continue by configuring additional ADOMs, log in again, then go to Defining ADOMs on page 57.
  Default: disable

auth-timeout <milliseconds_int>
  Enter the number of milliseconds that FortiWeb waits for the remote authentication server to respond to its query. The valid range is 1–60,000.
  If administrator logins often time out, and FortiWeb is configured to query an external RADIUS or LDAP server, increasing this value may help.
  This setting only affects remote authentication queries for administrator accounts. To configure the query connection timeout for end-user accounts, use auth-timeout <timeout_int> on page 474 instead.
  Default: 2000

cli-signature {enable | disable}
  Enable to be able to enter custom attack signatures via the CLI.
  Typically, attack signatures should be entered using the web UI, where you can verify syntax and test matching of your regular expression. If you are sure that your expression is correct, you can enable this option to enter your custom signature via the CLI.
  Default: disable

confsync-port <port_int>
  Enter the port number the local FortiWeb uses to listen for a remote (peer) FortiWeb.
  Used when you have configured FortiWeb to synchronize its configuration. The valid range is 1–65,535.
  Caution: The port number must be different from the port number set using config server-policy custom-application application-policy (page 1).
  Default: 8333

dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}
  Specifies the key length that FortiWeb presents in Diffie-Hellman exchanges. Most web browsers require a key length of at least 2048.
  Default: 2048

dst {enable | disable}
  Enable to automatically adjust the FortiWeb appliance's clock for daylight saving time (DST).
  Default: disable

fds-proxy {enable | disable}
  Enable to configure FortiWeb to act as a proxy for the FDN. The FortiWeb proxy obtains FortiGuard service packages from the default list of FDN servers and distributes the packages to other FortiWeb devices. On the FortiWeb proxy, port 8989 is used as the listening port for package update requests from other FortiWeb devices, and the concurrent connection limit is 128. When the FortiWeb proxy receives download requests from several devices at the same time, the requests are queued and processed one by one.
  With this option enabled, you can configure system autoupdate override on other FortiWeb devices so that they connect to this FortiWeb proxy to update FortiGuard service packages.
  If you want to override the default FDN servers and specify a new address from which the FortiWeb proxy obtains FortiGuard service packages, see system fds proxy.
  Default: disable

force-us-only {enable | disable}
  Enable so that FortiWeb receives FortiGuard service updates only from FortiGuard servers located in the United States.
  Default: disable

hostname "<host_name>"
  Enter the host name of this FortiWeb appliance. Host names may include US-ASCII letters, numbers, hyphens, and underscores. The maximum length is 63 characters. Spaces and special characters are not allowed.
  The host name of the FortiWeb appliance is used in several places.
  • It appears in the System Information widget on the Status tab of the web UI, and in the config router all (page 1) CLI command.
  • It is used in the command prompt of the CLI.
  • It is used as the SNMP system name. For details about SNMP, see system snmp sysinfo on page 343.
  The System Information widget and the config router all (page 1) CLI command display the full host name. However, if the host name is longer than 16 characters, the CLI and other places display the host name in a truncated form ending with a tilde ( ~ ) to indicate that additional characters exist but are not displayed. For example, if the host name is FortiWeb1234567890, the CLI prompt would be FortiWeb123456789~#.
  Note: You can also configure the local domain name. For details, see system dns on page 256.
  Default: FortiWeb

admin-https-pki-required {enable | disable}
  Enable to use certificate-based web UI login.
  Before enabling this, make sure the related configurations are set correctly. For details, see system admin-certificate ca on page 212, user pki-user on page 370, and user admin-usergrp on page 358.
  Default: disable

https-certificate "<certificate_name>"
  Specifies the certificate that FortiWeb uses for access to its web UI through HTTPS. This must be one of the certificates stored locally on the FortiWeb for administration. For details, see system admin-certificate local on page 215.
  Default: defaultcert

https-intermediate-certificate "<certificate_group_name>"
  Specifies the intermediate CA group, if any. See system admin-certificate intermediate-ca-group.
  Default: No default

ie6workaround {enable | disable}
  Enable to use the workaround for a navigation bar freeze issue caused by using the web UI with Microsoft Internet Explorer 6.
  Default: disable

language {english | japanese | simch | trach}
  Select which language to use when displaying the web UI. The display's web pages use UTF-8 encoding regardless of which language you choose. UTF-8 supports multiple languages and allows all of them to be displayed correctly, even when multiple languages are used on the same web page.
  For example, your organization could have websites in both English and simplified Chinese. Your FortiWeb administrators prefer to work in the English version of the web UI. They could use the web UI in English while writing rules to match content in both English and simplified Chinese without changing this setting. Both the rules and the web UI display correctly, as long as all rules were input using UTF-8.
  Usually, your text input method or your management computer's operating system should match the display, and also use UTF-8. If they do not, you may not be able to correctly display both your input and the web UI at the same time.
  For example, your web browser's or operating system's default encoding for simplified Chinese input may be GB2312. However, you usually should switch it to UTF-8 when using the web UI, unless you are writing regular expressions that must match HTTP clients' requests, and those requests use GB2312 encoding.
  For more information on language support in the web UI and CLI, see Language support & regular expressions on page 50.
  Note: This setting does not affect the display of the CLI.
  Default: english

multi-factor-authentication {optional | mandatory}
  Configure two-factor authentication (2FA) for admin account security.
  • optional: Only when an admin user enters the correct username and password does the Token Code window pop up to require the token code for account security.
  • mandatory: Only when an admin user enters the correct username and password as well as the token code can the authentication succeed for login.
  Default: optional

ntpserver {"<ntp_fqdn>" | "<ntp_ipv4>"}
  Enter the IP address or fully qualified domain name (FQDN) of a Network Time Protocol (NTP) server or pool, such as pool.ntp.org, to query in order to synchronize the FortiWeb appliance's clock. The maximum length is 63 characters.
  For details about NTP and to find the IP address of an NTP server that you can use, go to:
  http://www.ntp.org/
  Default: pool.ntp.org

ntpsync {enable | disable}
  Enable to automatically update the system date and time by connecting to an NTP server. Also configure ntpserver {"<ntp_fqdn>" | "<ntp_ipv4>"}, syncinterval <minutes_int> and timezone "<time-zone-code_str>".
  Default: enable

pre-login-banner {enable | disable}
  Enable to add a login disclaimer message for administrators logging in to FortiWeb.
  This disclaimer is a statement that a user accepts or declines. It is useful for environments such as corporations that are governed by strict usage policies for forensics and legal reasons.
  Default: disable

record-cli-fail-cmd {enable | disable}
  Enable so that FortiWeb generates an event log if a CLI command fails or is executed incorrectly.
  Default: disable

refresh <seconds_int>
  Enter the automatic refresh interval (in seconds) for the web UI's System Status Monitor widget.
  The valid range is 0–9,223,372,036,854,775,807. To disable automatic refreshes, type 0.
  Default: 80

syncinterval <minutes_int>
  Enter how often (in minutes) the FortiWeb appliance should synchronize its time with the Network Time Protocol (NTP) server.
  The valid range is 1–1440. To disable time synchronization, type 0.
  Default: 60

tftp {enable | disable}
  Specify whether FortiWeb can perform backups, restoration, firmware updates and other tasks using TFTP.
  Default: enable

timezone "<time-zone-code_str>"
  Enter the two-digit code for the time zone in which the FortiWeb appliance is located.
  The valid range is from 00 to 75. To display a list of time zone codes, their associated GMT time zone offsets, and the major cities they contain, type set timezone ?.
  Default: 04

ssh-fips {enable | disable}
  A setting used with Federal Information Processing Standards (FIPS) and Common Criteria (CC) compliant mode.
  When the FIPS-CC certification process is complete, a separate document will provide detailed information about this command.
  Default: disable

cert-expire-check-time <cert-expire-check-time_int>
  Set the notification time, in days, before the certificate expires. The valid range is 0-365. When the value is 0, certificate expiration is not checked. When the value is 100, a notification is sent 100 days before the certificate expires.
  Default: 0

ipv6-dad-ha {enable | disable}
  Enable to perform IPv6 DAD detection on the primary appliance in Active-Passive and standard Active-Active HA groups.
  Default: disable

updated-debug-log {enable | disable}
  Disable it if too many FDS disconnection logs are generated.
  Default: enable

fortiguard-anycast {enable | disable}
  If enabled, FortiWeb is upgraded from the Anycast server. The default domain is globalupdate.fortinet.net and the corresponding USG domain name is usupdate.fortinet.net.
  If disabled, FortiWeb is upgraded from the original server; the default domain is update.fortiguard.net and the corresponding USG domain name is usupdate.fortiguard.net.
  Default: disable

power-status {enable | disable}
  Enable to show the power status.
  Default: disable

shell-access {enable | disable}
  Enable shell access through SSH.
  Default: disable

shell-username <user_name>
  Enter the user name for shell access.
  Default: N/A

shell-password <password>
  Enter the password for shell access.
  Default: N/A

shell-timeout <int>
  Enter the time period after which the shell access expires.
  The valid range is 1-1200 minutes.
  Default: 10

shell-history-size
  Specify the size of the command history file, which is stored in "$HOME/.ash_history".
  Use the diag cli command to view the history of the commands executed in the shell.
  The valid range is 1-4096 lines.
  Default: 1024

shell-trusthostv4
  Specify the IPv4 addresses or range of the trusted hosts that are allowed to access FortiWeb through the shell.
  Default: 0.0.0.0/0

shell-trusthostv6
  Specify the IPv6 addresses or range of the trusted hosts that are allowed to access FortiWeb through the shell.
  Default: ::/0


Example

This example configures time synchronization with a public NTP server pool. The FortiWeb appliance is located in the
Pacific Time zone (code 04) and will synchronize its time with the NTP server pool every 60 minutes.
config system global
set timezone 04
set ntpsync enable
set ntpserver "pool.ntp.org"
set syncinterval 60
end

For an example that includes a hostname, see system dns on page 256.
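Added here as an illustration (not from the FortiWeb documentation), the following hardens administrative access using only options described in the table above: it disables TLS 1.0 and 1.1 for the web UI, raises the Diffie-Hellman key length, keeps the lockout threshold and idle timeout at their tight defaults, makes two-factor authentication mandatory, enables the login banner and failed-command logging, and turns off shell access and TFTP.

```text
config system global
    set admin-sport 443
    set admin-tls-v10 disable
    set admin-tls-v11 disable
    set admin-tls-v12 enable
    set admin-tls-v13 enable
    set dh-params 3072
    set admin-lockout-threshold 3
    set admintimeout 5
    set multi-factor-authentication mandatory
    set pre-login-banner enable
    set record-cli-fail-cmd enable
    set shell-access disable
    set tftp disable
end
```

Setting multi-factor-authentication to mandatory presumes that the administrator accounts already have tokens; apply it from a session you keep open until a second login has been confirmed to work. Disabling tftp is appropriate only if you do not rely on TFTP for backups or firmware updates.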

Related topics

• system admin on page 207
• system autoupdate schedule on page 222
• system interface on page 312
• system dns on page 256
• system advanced on page 217
• router static on page 98
• date on page 759
• time on page 785
• system status on page 791

system ha

Use this command to configure the FortiWeb appliance to act as a member of a high availability (HA) cluster in order to
improve availability.
By default, FortiWeb appliances are each a single, standalone appliance and operate independently.
If you have purchased more than one, however, you can configure multiple FortiWeb appliances in active-passive,
standard active-active, or high volume active-active HA mode. This improves availability so that you can achieve
99.999% service level agreement (SLA) uptimes regardless of, for example, hardware failure or maintenance periods.


If you have multiple FortiWeb appliances but do not need failover, you can still
synchronize the configuration. This can be useful for cloned network environments
and externally load-balanced active-active HA. For details, see "server-policy
custom-application application-policy" on page 1.

Unless otherwise stated, the settings in config system ha are automatically synchronized from the primary to the
secondary appliances.
For more information on HA, including troubleshooting, failover behavior, synchronized data, and network topology, see
the FortiWeb high availability (HA) section of the Key Concepts chapter in the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account's access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system ha
set mode {active-passive | active-active-standard | active-active-high-volume | standalone}
set group-id <group_int>
set group-name "<pair-name_str>"
set sdn-connector <string>
set lb-ocid <string>
set priority <level_int>
set override {enable | disable}
set network-type {flat | udp-tunnel}
set tunnel-local "<tunnel-local_str>"
set tunnel-peer "<tunnel-peer_str>"
set hbdev "<interface_name>"
set hbdev-backup "<interface_name>"
set lacp-ha-secondary {enable | disable}
set link-failed-signal {enable | disable}
set hb-interval <milliseconds_int>
set hb-lost-threshold <seconds_int>
set arps <arp_int>
set arp-interval <seconds_int>
set monitor {"<interface_name>" ...}
set boot-time <limit_int>
set ha-mgmt-status {enable | disable}
set ha-mgmt-interface "<interface_name>"
set schedule {ip | leastconnection | round-robin}
set session-sync-broadcast {enable | disable}
set session-sync-dev {"<interface_name>" ...}
set session-warm-up <seconds_int>
set weight-1 <weight_int>
set weight-2 <weight_int>
set weight-3 <weight_int>
set weight-4 <weight_int>
set weight-5 <weight_int>
set weight-6 <weight_int>
set weight-7 <weight_int>
set weight-8 <weight_int>
set session-pickup {enable | disable}
set persistence-sync {enable | disable}
set eip-addr <class_ip>
set eip-aid <eip-aid_str>
set ha-eth-type <ha-eth-type_str>
set hc-eth-type <hc-eth-type_str>
set hbcast-eth-type <hbcast-eth-type_str>
set l2ep-eth-type <l2ep-eth-type_str>
set 17-persistence-sync {enable | disable}
set server-policy-hlck {enable | disable}
set encryption {enable | disable}
set key <passwd>
end

mode {active-passive | active-active-standard | active-active-high-volume | standalone}
    Select one of the following:
    - active-passive: Form an HA group with another FortiWeb appliance. The appliances operate together, with the standby assuming the role of the active appliance if it fails.
    - active-active-standard: The primary appliance in a standard active-active HA group acts as the central controller: it receives traffic from clients and sends the processed traffic to the back-end web servers, and vice versa. The primary appliance distributes the traffic to all the HA members (including itself) according to the specified load-balancing algorithm, so that each FortiWeb appliance performs the security services that protect the traffic.
    - active-active-high-volume: Unlike the standard active-active mode, where the primary acts as a traffic distributor, the members in high-volume active-active mode do not rely on the primary to distribute traffic. They receive traffic directly from the clients and process it independently, which significantly increases the traffic throughput of the HA group.
    - standalone: Operate each appliance independently.
    Note: To avoid connectivity issues, do not use config system ha to remove an appliance from an HA cluster. Instead, use ha disconnect on page 763, which removes the appliance from the cluster and changes the HA mode to standalone.
    Default: standalone

group-id <group_int>
    Enter a number that identifies the HA pair. Both members of the HA pair must have the same group ID. If you have more than one HA pair on the same network, each HA pair must have a different group ID.
    Changing the group ID changes the cluster's virtual MAC address.
    The valid range is 0 to 63.
    Default: 0

group-name "<pair-name_str>"
    Enter a name to identify the HA pair if you have more than one. This setting is optional, and does not affect HA function. The maximum length is 63 characters.
    Default: none.

sdn-connector <string>
    Select the OCI SDN connector you have created. See system sdn-connector.
    Available only when FortiWeb-VM is deployed in active-passive mode on OCI.
    Default: none.

lb-ocid <string>
    Enter the OCID of the OCI load balancer. To get the load balancer OCID:
    1. Log in to OCI.
    2. Go to Core Infrastructure > Networking > Load Balancers.
    3. Click the load balancer used for the HA cluster.
    4. Copy the OCID of this load balancer.
    Available only when FortiWeb-VM is deployed in active-passive mode on OCI.
    Default: none.

priority <level_int>
    Enter the priority of the appliance when electing the primary appliance in the HA pair. On standby devices, this setting can be reconfigured using the CLI command ha manage on page 764.
    This setting is optional. The smaller the number, the higher the priority. The valid range is 0 to 9.
    Note:
    - By default, unless you enable override {enable | disable} on page 291, uptime is more important than this setting.
    - This setting can't be synchronized from primary to secondary appliances. You should configure it on each HA member. It is suggested to leave it at the default value.
    Default: 5

override {enable | disable}
    Enable to make priority <level_int> on page 290 a more important factor than uptime when selecting the primary appliance.
    Default: disable

network-type {flat | udp-tunnel}
    Select the common HA mode (flat) or udp-tunnel mode on the OpenStack platform.
    Default: flat

tunnel-local "<tunnel-local_str>"
    Set the local IP address on the OpenStack platform. This field can be configured only when network-type is udp-tunnel.
    Note: This setting can't be synchronized from primary to secondary appliances. You should configure it on each HA member. It is suggested to leave it at the default value.
    Default: none.

tunnel-peer "<tunnel-peer_str>"
    Set the peer IP address on the OpenStack platform. This field can be configured only when network-type is udp-tunnel.
    Note: This setting can't be synchronized from primary to secondary appliances. You should configure it on each HA member. It is suggested to leave it at the default value.
    Default: none.

hbdev "<interface_name>"
    Select which port on this appliance the main and standby appliances will use to send heartbeat signals and synchronization data to each other (the HA heartbeat link). The maximum length is 15 characters.
    Connect this port to the same port number on the other member of the HA cluster (for example, if you select port3 for the primary heartbeat link, connect port3 on this appliance to port3 on the other appliance).
    At least one heartbeat interface must be selected on each appliance in the HA cluster. Ports that currently have an IP address assigned for other purposes (that is, virtual servers or bridges) cannot be re-used as a heartbeat link.
    Because this link carries configuration synchronization data as well as heartbeats, keep it on a dedicated, isolated segment (ideally a direct cable) and consider enabling encryption {enable | disable} on page 300.
    Tip: If enough ports are available, you can select both a primary heartbeat interface and a secondary heartbeat interface (hbdev-backup "<interface_name>" on page 292) on each appliance in the HA pair to provide heartbeat link redundancy. You cannot use the same port as both the primary and secondary heartbeat interface on the same appliance, as this is incompatible with the purpose of link redundancy.
    Note: If a switch is used to connect the heartbeat interfaces, the heartbeat interfaces must be reachable by Layer 2 multicast.
    Default: none.

hbdev-backup "<interface_name>"
    Select a secondary, standby port on this appliance that the main and standby appliances will use to send heartbeat signals and synchronization data to each other (the HA heartbeat link). It must not be the same network interface as hbdev "<interface_name>" on page 291. The maximum length is 15 characters.
    Connect this port to the same port number on the other member of the HA cluster (for example, if you select port4 for the secondary heartbeat link, connect port4 on this appliance to port4 on the other appliance).
    Ports that currently have an IP address assigned for other purposes (that is, virtual servers or bridges) cannot be re-used as a heartbeat link.
    Default: none.

lacp-ha-secondary {enable | disable}
    Enable to provide support for two LACP interfaces, also known as "bridges," "V-zones," or "aggregated links." For more information about configuring bridges, see the FortiWeb Administration Guide:
    HTTP://docs.fortinet.com/fortiweb/admin-guides
    Default: disable

link-failed-signal {enable | disable}
    Enable to ensure that all equipment in the network detects the new primary unit in a cluster after a failover occurs.
    When a failover occurs in an HA active-passive cluster, the new primary unit broadcasts gratuitous ARP packets so that switches refresh their MAC forwarding tables and detect the new primary unit. However, sometimes switches do not immediately detect a failover and refresh their MAC forwarding tables.
    This setting shuts down each interface of the former primary unit (except the heartbeat interfaces and reserved management interfaces) for about a second, so that any remaining equipment that did not automatically detect the failover refreshes its MAC forwarding tables and recognizes the new primary unit.
    Default: disable

arps <arp_int>
    Enter the number of times that the FortiWeb appliance will broadcast address resolution protocol (ARP) packets (IPv4 environment) or Neighbor Solicitation (NS) packets (IPv6 environment) when it takes on the main role. Even though a new NIC has not actually been connected to the network, FortiWeb does this to notify the network that a different physical port has become associated with the IP address and virtual MAC of the HA pair.
    This is sometimes called "using gratuitous ARP packets to train the network," and can occur when the main appliance is starting up or during a failover. Also configure arp-interval <seconds_int> on page 293.
    Normally, you do not need to change this setting. Exceptions include:
    - Increase the number of times the main appliance sends gratuitous ARP packets if your HA pair takes a long time to fail over or to train the network. Sending more gratuitous ARP packets may help the failover to happen faster.
    - Decrease the number of times the main appliance sends gratuitous ARP packets if your HA pair has a large number of VLAN interfaces and virtual domains. Because gratuitous ARP packets are broadcast, sending them may generate a large amount of network traffic. As long as the HA pair still fails over successfully, you can reduce the number of times gratuitous ARP packets are sent to reduce the amount of traffic produced by a failover.
    The valid range is 1–16.
    Default: 10

arp-interval <seconds_int>
    Enter the number of seconds to wait between each broadcast of ARP/NS packets.
    Normally, you do not need to change this setting. Exceptions include:
    - Decrease the interval if your HA pair takes a long time to fail over or to train the network. Sending ARP packets more frequently may help the failover to happen faster.
    - Increase the interval if your HA pair has a large number of VLAN interfaces and virtual domains. Because gratuitous ARP packets are broadcast, sending them may generate a large amount of network traffic. As long as the HA pair still fails over successfully, you can increase the interval between gratuitous ARP packets to reduce the rate of traffic produced by a failover.
    The valid range is 1–20.
    Default: 3

hb-interval <milliseconds_int>
    Enter the number of 100-millisecond intervals between each heartbeat packet that one FortiWeb appliance sends to the other FortiWeb appliance in the HA pair. This is also the amount of time that a FortiWeb appliance waits before expecting to receive a heartbeat packet from the other appliance.
    This part of the configuration is synchronized between the active appliance and the standby appliance.
    The valid range is 1–20 (that is, between 100 and 2,000 milliseconds).
    Note: Although this setting is synchronized between the main and standby appliances, you should initially configure both appliances with the same hb-interval <milliseconds_int> on page 294 to prevent an inadvertent failover before the initial synchronization.
    Default: 1

hb-lost-threshold <seconds_int>
    Enter the number of times one HA appliance retries the heartbeat and waits to receive HA heartbeat packets from the other HA appliance before assuming that the other appliance has failed. The time it takes to detect a failed peer is therefore on the order of hb-interval multiplied by hb-lost-threshold.
    This part of the configuration is synchronized between the main appliance and the standby appliance.
    Normally, you do not need to change this setting. Exceptions include:
    - Increase the failure detection threshold if a failure is detected when none has actually occurred. For example, during peak traffic times, if the main appliance is very busy, it might not respond to heartbeat packets in time, and the standby appliance may assume that the main appliance has failed.
    - Reduce the failure detection threshold or the detection interval if administrators and HTTP clients have to wait too long before being able to connect through the main appliance, resulting in noticeable downtime.
    The valid range is 1–60.
    Note: Although this setting is synchronized between the main and standby appliances, you should initially configure both appliances with the same hb-lost-threshold <seconds_int> on page 294 to prevent an inadvertent failover before the initial synchronization.
    Note: You can use SNMP traps to notify you when a failover is occurring. For details, see system snmp community on page 339.
    Default: 3

monitor {"<interface_name>" ...}
    Enter the names of one or more network interfaces that each directly correlate with a physical link. These ports will be monitored for link failure. Separate the names with a space. To remove from or add to the list of monitored network interfaces, retype the entire list.
    Port monitoring (also called interface monitoring) monitors physical network ports to verify that they are functioning properly and linked to their networks. If the physical port fails or the cable becomes disconnected, a failover occurs. You can monitor physical interfaces, but not VLAN subinterfaces or 4-port switches.
    Note: To prevent an unintentional failover, do not configure port monitoring until you have configured HA on both appliances in the HA pair and plugged in the cables that link the physical network ports to be monitored.
    Default: none.

boot-time <limit_int>
    Enter the maximum number of seconds that an appliance will wait for a heartbeat or synchronization connection after it comes back online. If this limit is exceeded, the appliance assumes that the other unit is unresponsive and takes the role of the main appliance.
    Due to the default heartbeat and synchronization intervals, as long as the HA pair is cabled directly together, the default value is usually sufficient. If the HA heartbeat link passes through other devices, such as routers and switches, a larger value may be needed. You may notice this especially when updating the firmware.
    The valid range is 1–100 seconds.
    Default: 30

ha-mgmt-status {enable | disable}
    Specifies whether the network interface you select provides administrative access to this appliance when it is a member of the HA cluster.
    When this option is enabled, you can access the configuration of this cluster member using the IP address of the specified network interface. The interface configuration, including administrative access and other settings, is not synchronized with other cluster members.
    You can configure up to eight reserved management ports in each HA cluster. You cannot configure routing for the port you select.
    Default: disable

ha-mgmt-interface "<interface_name>"
    Specifies the network interface that provides administrative access to this appliance when it is a member of the HA cluster.
    Default: none.

schedule {ip | leastconnection | round-robin}
    Specifies the load-balancing algorithm used by the primary appliance (in an active-active HA cluster) to distribute received traffic over the available cluster members.
    - ip: Consistently distribute the traffic coming from a source to the same cluster member.
    - leastconnection: Dynamically distribute traffic to the cluster member that currently has the fewest connections in progress.
    - round-robin: Distribute traffic among the available members in circular order.
    Note that FortiWeb's Session Management is not supported by an active-active HA deployment that uses the By connections (leastconnection) or Round-robin algorithm for load balancing.
    Available only when mode {active-passive | active-active-standard | active-active-high-volume | standalone} on page 289 is active-active-standard or active-active-high-volume.
    Default: ip

session-sync-broadcast {enable | disable}
    Specifies whether the primary appliance in an active-active HA cluster synchronizes sessions to the other members by broadcast. By default, session information is synchronized by unicast. Broadcast is recommended if an active-active HA cluster contains many appliances.
    Available only when mode {active-passive | active-active-standard | active-active-high-volume | standalone} on page 289 is active-active-standard or active-active-high-volume.
    Default: disable

session-sync-dev {"<interface_name>" ...}
    By default, the primary appliance uses the heartbeat interface (hbdev "<interface_name>" on page 291) to synchronize its session table to the other appliances in an active-active HA cluster. However, you can use extra interfaces (up to four) for session synchronization when the HA cluster carries heavy traffic.
    Specifies the network interface(s) of this FortiWeb appliance used for session synchronization. For example, set session-sync-dev port3 port4 port5 uses port3, port4 and port5 to synchronize session information.
    Note:
    - Only the primary appliance in the active-active HA cluster is allowed to set session-sync-dev. The configuration is synchronized by the primary to all the secondary appliances in the cluster, so all the appliances send and receive session information with the same interface configuration.
    - The heartbeat interface no longer participates in session synchronization once other interfaces are specified here.
    - The heartbeat interface cannot be specified in session-sync-dev.
    - Available only when mode {active-passive | active-active-standard | active-active-high-volume | standalone} on page 289 is active-active-standard or active-active-high-volume.
    Default: none.

session-warm-up <seconds_int>
    Specifies the active-active HA warm-up time: how long the primary appliance holds traffic distribution while waiting for the active-active HA negotiation (determining the primary and secondary, and the necessary synchronizations) to complete, each time the active-active HA starts.
    Available only when mode {active-passive | active-active-standard | active-active-high-volume | standalone} on page 289 is active-active-standard or active-active-high-volume.
    Default: 10

weight-1 <weight_int>
    When the schedule algorithm (system ha on page 287) is ip, sets the weight for the first unit in an active-active HA cluster. The primary unit performs weighted round-robin according to the specified weight to distribute the first packet coming from a source IP to the cluster members. The weight of each unit can be set in the range 0–255.
    Default: 1

weight-2 <weight_int>, weight-3 <weight_int>, weight-4 <weight_int>, weight-5 <weight_int>, weight-6 <weight_int>, weight-7 <weight_int>, weight-8 <weight_int>
    When the schedule algorithm (system ha on page 287) is ip, set the weight for the second through eighth unit in an active-active HA cluster, respectively. As for weight-1, the primary unit performs weighted round-robin according to the specified weight to distribute the first packet coming from a source IP to the cluster members. The weight of each unit can be set in the range 0–255.
    Default: 1 (each)

session-pickup {enable | disable}
    Enable so that the primary unit in the HA cluster synchronizes the session table with all cluster units. If a cluster unit fails, the HA session table information is available to the remaining cluster units, which can use it to resume connections without interruption.
    Enable for session failover protection. If this is not required, disabling it may reduce CPU usage and HA heartbeat network bandwidth usage.
    Note: Only sessions that have been established for longer than 30 seconds are synchronized.
    Default: disable

persistence-sync {enable | disable}
    Enable or disable persistence synchronization.
    Default: disable

eip-addr <class_ip>
    Enter the elastic IP address for HA on AWS.
    Default: none.

eip-aid <eip-aid_str>
    Enter the ID of the elastic IP for HA on AWS.
    Default: none.

ha-eth-type <ha-eth-type_str>
    Ethertype of HA heartbeat packets (4-digit hex). The range is 0x8890–0x889F.
    Note: This setting can't be synchronized from primary to secondary appliances. Configure it identically on each HA member. It is suggested to leave it at the default value.
    Default: 8890

hc-eth-type <hc-eth-type_str>
    Ethertype of tuple-session HA heartbeat packets (4-digit hex). The range is 0x8890–0x889F.
    Note: This setting can't be synchronized from primary to secondary appliances. Configure it identically on each HA member. It is suggested to leave it at the default value.
    Default: 8891

hbcast-eth-type <hbcast-eth-type_str>
    Ethertype of broadcast HA heartbeat packets (4-digit hex). The range is 0x8890–0x889F.
    Default: 8893

l2ep-eth-type <l2ep-eth-type_str>
    Ethertype of Telnet-session HA heartbeat packets (4-digit hex). The range is 0x8890–0x889F.
    Note: This setting can't be synchronized from primary to secondary appliances. Configure it identically on each HA member. It is suggested to leave it at the default value.
    Default: 8894

l7-persistence-sync {enable | disable}
    When FortiWeb is operating in HA active-passive (AP) mode, you can enable Layer 7 persistence synchronization. This synchronizes persistence state so that when a failover causes the secondary appliance to take over as the new primary, web applications that require sticky sessions continue to work.
    Default: disable

server-policy-hlck {enable | disable}
    Enable to check server policy health. Server policy health check is only available if the operation mode is Reverse Proxy and the HA mode is Active-Active. The checks themselves are configured with system ha-aa-server-policy-hlck on page 301.
    Default: disable

encryption {enable | disable}
    Enable to encrypt the heartbeat traffic between primary and secondary appliances.
    If you want to set up an HA group, make sure the encryption status is the same across all members; otherwise the HA group cannot be built.
    Default: disable

key <passwd>
    Enter the password used to encrypt the heartbeat traffic between primary and secondary appliances when they are in Federal Information Processing Standards (FIPS) mode, or in non-FIPS mode with encryption enabled.
    Note: This setting can't be synchronized from primary to secondary appliances. You must configure it on each HA member, and the password on all the members must be the same. Because the default key is published in this reference, it provides no confidentiality; set your own key on every member when you enable encryption.
    Default: fffffffe12345678

Example

This example configures a FortiWeb appliance as one member of an active-passive HA pair whose group ID is 1. The
primary heartbeat link is port3, and the secondary heartbeat link is port4. Priority is more important than
uptime when electing the main appliance. The appliance will wait 30 seconds after boot for a heartbeat or
synchronization before assuming that it should be the main appliance. Aside from the heartbeat link, failover can also be
triggered by port monitoring of port1 and port2.
config system ha
set mode active-passive
set group-id 1
set priority 6
set override enable
set hbdev port3
set hbdev-backup port4
set arps 3
set arp-interval 2
set hb-interval 1
set hb-lost-threshold 3
set monitor port1 port2
set boot-time 30
end
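The variable descriptions above impose a number of constraints that the CLI does not check for you across members: the ranges of the integer settings, hbdev-backup differing from hbdev, session-sync-dev not reusing the heartbeat interface, the active-active-only settings, and the settings that are not synchronized (group-id, encryption, key, and initially hb-interval and hb-lost-threshold) yet must agree on every member. The following Python script is an added example, not Fortinet code and not part of this reference: it parses the text of a config system ha block from each member with a small hand-written parser and reports those conditions. The parser, the check names and the two sample configurations are constructed for illustration.

```python
"""Consistency checks for `config system ha` blocks (added example, not Fortinet code).

A small hand-written parser reads the CLI text of each member; the checks flag
conditions the variable descriptions call out: values outside their stated ranges,
a backup heartbeat port equal to the primary one, session-sync-dev reusing the
heartbeat port, active-active-only settings in another mode, and settings that
are not synchronized but must still agree on every member. Samples are constructed.
"""
import shlex

# Integer ranges stated in the variable table.
INT_RANGES = {
    "group-id": (0, 63), "priority": (0, 9), "arps": (1, 16), "arp-interval": (1, 20),
    "hb-interval": (1, 20), "hb-lost-threshold": (1, 60), "boot-time": (1, 100),
}
INT_RANGES.update({f"weight-{i}": (0, 255) for i in range(1, 9)})
AA_MODES = {"active-active-standard", "active-active-high-volume"}
# Settings the table marks "available only when mode is active-active-...".
AA_ONLY = {"schedule", "session-sync-broadcast", "session-sync-dev", "session-warm-up"}
# Not synchronized by HA, yet required (or advised) to be identical on every member.
MUST_MATCH = ("group-id", "encryption", "key", "hb-interval", "hb-lost-threshold")


def parse_system_ha(text):
    """Return {setting: [values]} from the `set` lines of `config system ha ... end`."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system ha":
            inside = True
        elif line == "end":
            inside = False
        elif inside and line.startswith("set "):
            _, name, *values = shlex.split(line)   # shlex keeps quoted values intact
            settings[name] = values
    return settings


def _first(settings, name):
    """First value of a setting, or None when it is not set."""
    values = settings.get(name)
    return values[0] if values else None


def check_member(settings):
    """Problems in one member's block, in a fixed order so results are comparable."""
    problems = []
    mode = _first(settings, "mode") or "standalone"   # CLI default
    hbdev = _first(settings, "hbdev")
    for name, (lo, hi) in INT_RANGES.items():
        value = _first(settings, name)
        if value is not None and not (value.isdigit() and lo <= int(value) <= hi):
            problems.append(f"{name}={value} is outside {lo}-{hi}")
    if mode != "standalone" and hbdev is None:
        problems.append("hbdev is required: at least one heartbeat interface per member")
    if hbdev is not None and hbdev == _first(settings, "hbdev-backup"):
        problems.append("hbdev-backup must not be the same interface as hbdev")
    sync_devs = settings.get("session-sync-dev", [])
    if hbdev in sync_devs:
        problems.append("session-sync-dev must not include the heartbeat interface")
    if len(sync_devs) > 4:
        problems.append("session-sync-dev accepts at most four interfaces")
    if mode not in AA_MODES:
        for name in sorted(AA_ONLY & set(settings)):
            problems.append(f"{name} is only available in active-active modes")
    return problems


def check_cluster(members):
    """Cross-member problems: non-synchronized settings that disagree."""
    problems = []
    for name in MUST_MATCH:
        values = {_first(m, name) or "<unset>" for m in members}
        if len(values) > 1:
            problems.append(f"{name} differs across members: {sorted(values)}")
    return problems


def lint(*member_texts):
    """Parse every member; return (per-member problem lists, cluster-wide problems)."""
    members = [parse_system_ha(text) for text in member_texts]
    return [check_member(m) for m in members], check_cluster(members)


# Constructed samples: a valid primary and a secondary with several mistakes.
PRIMARY = """\
config system ha
  set mode active-active-standard
  set group-id 7
  set priority 5
  set hbdev port3
  set hbdev-backup port4
  set monitor port1 port2
  set schedule ip
  set session-sync-dev port5 port6
  set weight-1 2
  set encryption enable
  set key "replace-the-published-default"
end
"""
SECONDARY = """\
config system ha
  set mode active-active-standard
  set group-id 7
  set priority 6
  set hbdev port3
  set hbdev-backup port3
  set session-sync-dev port3 port5
  set arps 20
  set encryption disable
end
"""

if __name__ == "__main__":
    per_member, cluster = lint(PRIMARY, SECONDARY)
    for i, problems in enumerate(per_member, 1):
        print(f"member {i}:", problems or "ok")
    print("cluster:", cluster or "ok")
```

Run against the output of show system ha from each member. The cluster-wide comparison only covers settings the table says are not synchronized; everything else is pushed from the primary after the group forms, so a mismatch there is expected before the first synchronization.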

Related topics

- system interface on page 312
- "debug application hasync" on page 1
- "debug application hatalk" on page 1
- system ha status on page 740
- ha disconnect on page 763
- ha manage on page 764
- ha synchronize on page 766
- system status on page 791

system ha-aa-server-policy-hlck

To check whether the server policies are running properly on the HA cluster, you can configure a server policy health
check. The configuration is synchronized to all members in the cluster. The system sends an HTTP or HTTPS
request and waits for a response that matches the values required by the health check rule. A timeout indicates that the
connection between the HA cluster member and the back-end server is not available. The system then generates event
logs, and the primary node will not distribute traffic to this HA member until the connection is recovered.
Server policy health check is only available if the operation mode is Reverse Proxy, and the HA mode is Active-Active-
Standard.
You must first enable the HA Health Check option on the HA tab in System > High Availability > Settings, or
enable it through the command config system ha (server-policy-hlck), then configure a health check on the HA Health Check tab.
FortiWeb only supports checking the health of server policies in the root administrative domain.
To use this command, your administrator account's access control profile must have rw or w permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
config system ha-aa-server-policy-hlck
edit "<health-check_id>"
set HTTPS {enable | disable}
set client-cert <client-certificate-name>
set relationship {and | or}
config health-list
edit <entry_index>
set time-out <seconds_int>
set retry-times <retries_int>
set interval <seconds_int>
set url-path "<request_str>"
set method {get | head | post}
set match-type {response-code | match-content | all}
set response-code {response-code_int}
set match-content "<match-content_str>"
next
end
next
end

"<health-check_id>"
    Enter the ID of the server policy health check. The maximum length is 63 characters. To display the list of existing server policy health checks, enter:
    edit ?
    Default: none.

HTTPS {enable | disable}
    Enable to use HTTPS for the health check connections to the back-end server. HTTP is used if this option is disabled. When HTTPS is enabled, you can also configure a client certificate for the connection (client-cert).

client-cert <client-certificate-name>
    If HTTPS is enabled, you can specify a client certificate for the connection. This is optional. The client certificate is imported in the GUI under System > Certificates > Local, or with the CLI command config system certificate local.

relationship {and | or}
    - and: FortiWeb considers the server to be responsive when it passes all the tests in the list.
    - or: FortiWeb considers the server to be responsive when it passes at least one of the tests in the list.
    Default: and

<entry_index>
    Enter the index number of the individual rule in the table. The valid range is 1–16.
    Default: none.

time-out <seconds_int>
    Enter the number of seconds that must pass without a reply before the health check is counted as failed. The valid range is 1–10.
    Default: 3

retry-times <retries_int>
    Enter the number of times, if any, a failed health check is retried before the server is determined to be unresponsive. The valid range is 1–10.
    Default: 3

interval <seconds_int>
    Enter the number of seconds between each server health check. The valid range is 1–10.
    Default: 10

url-path "<request_str>"
    Enter the URL, such as /index.html, that FortiWeb requests over HTTP/HTTPS to verify the responsiveness of the server. If the web server successfully returns this URL, and its content matches the expression specified by match-content, FortiWeb considers it to be responsive.
    Default: none.

method {get | head | post}
    Specify whether the health check uses the GET, HEAD or POST method.
    Default: get

match-type {response-code | match-content | all}
    - response-code: If the web server successfully returns the URL specified by url-path with the code specified by response-code, FortiWeb considers the server to be responsive.
    - match-content: If the web server successfully returns the URL specified by url-path and its content matches the match-content value, FortiWeb considers the server to be responsive.
    - all: If the web server successfully returns the URL specified by url-path, its content matches the match-content value, and the code matches response-code, FortiWeb considers the server to be responsive.

response-code {response-code_int}
    Enter the response code that the server must return to confirm that it is available, if match-type is response-code or all.
    Default: 200

match-content "<match-content_str>"
    Enter a regular expression that matches content that must be present in the HTTP reply to indicate proper server connectivity, if match-type is match-content or all.
    Default: none.

Example

This example configures a server policy health check that periodically requests the main page of the website, /index. If
FortiWeb does not receive responses containing the required page (which contains the word "About") every 10 seconds (the
default), and the check fails three times in a row, FortiWeb considers the connection between itself and the
server broken. The primary node then stops distributing traffic to this HA member until the connection is
recovered. The check is only performed once server-policy-hlck is enabled in config system ha (see page 300).
config system ha-aa-server-policy-hlck
edit "status_check1"
set HTTPS disable
set relationship and
config health-list
edit 1
set time-out 3
set retry-times 3
set interval 10
set url-path "/index"
set method get
set match-type match-content
set match-content "About"
next
end
next
end
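The description above defines how a health check reaches its verdict (match-type applied to each reply, retry-times consecutive failures before a rule fails, and relationship combining the rules), but never shows the decision sequence. The following Python script is an added example, not Fortinet code and not part of this reference, that models that logic and runs it against constructed canned replies standing in for the back-end server; the class and function names, the canned replies, and the exact retry accounting (a rule fails on the retry-times-th consecutive miss, matching the example's "three times in a row") are assumptions.

```python
"""Evaluation of a server-policy health check (added example, not Fortinet code).

Each health-list entry becomes a Rule; rule_matches() applies match-type to one
reply, probe() counts consecutive failures against retry-times, and
server_responsive() combines the rules with relationship and/or. The back-end
server is replaced by constructed canned replies so the example runs offline.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    """One health-list entry. Field names follow the CLI settings."""
    url_path: str
    method: str = "get"                # get | head | post
    match_type: str = "response-code"  # response-code | match-content | all
    response_code: int = 200
    match_content: str = ""            # regular expression searched in the body
    retry_times: int = 3               # consecutive failures before "unresponsive"
    failures: int = 0                  # running count of consecutive failures


@dataclass
class HealthCheck:
    rules: list
    relationship: str = "and"          # and | or


def rule_matches(rule, response):
    """Apply match-type to one reply; response is (code, body) or None on time-out."""
    if response is None:
        return False
    code, body = response
    code_ok = code == rule.response_code
    if rule.match_type == "response-code":
        return code_ok
    # A real HEAD reply carries no body, so match-content only makes sense with GET/POST.
    content_ok = re.search(rule.match_content, body) is not None
    if rule.match_type == "match-content":
        return content_ok
    return code_ok and content_ok      # all


def probe(rule, responder):
    """One interval for one rule. True while the rule still counts as passing.

    Assumption: the rule is failed once retry-times consecutive probes miss.
    """
    if rule_matches(rule, responder(rule.method, rule.url_path)):
        rule.failures = 0
        return True
    rule.failures += 1
    return rule.failures < rule.retry_times


def server_responsive(check, responder):
    """Run every rule once (so all counters update) and combine with relationship."""
    results = [probe(rule, responder) for rule in check.rules]
    return all(results) if check.relationship == "and" else any(results)


def simulate(check, responders):
    """Verdict after each interval, given one responder callable per interval."""
    return [server_responsive(check, r) for r in responders]


# Constructed canned replies standing in for the back-end web server.
CANNED = {
    "/index": (200, "<html><body><a href='/about'>About us</a></body></html>"),
    "/health": (503, "maintenance"),
}


def up(method, path):
    return CANNED.get(path)            # unknown path: None, treated as a time-out


def down(method, path):
    return None                        # no reply at all


def failover_timeline():
    """Healthy, then silent for three intervals, then back. With retry-times 3 the
    third silent interval is the one that marks the server unresponsive."""
    check = HealthCheck([Rule("/index", match_type="match-content", match_content="About")])
    return simulate(check, [up, up, down, down, down, up])


def relationship_verdict(relationship):
    """Two rules: one passes, one fails immediately (retry-times 1)."""
    rules = [
        Rule("/index", match_type="all", match_content="About"),
        Rule("/health", match_type="response-code", response_code=200, retry_times=1),
    ]
    return server_responsive(HealthCheck(rules, relationship), up)


if __name__ == "__main__":
    print("timeline:", failover_timeline())
    print("and:", relationship_verdict("and"), "or:", relationship_verdict("or"))
```

The timeline is the practical point: with interval 10 and retry-times 3, a member keeps receiving traffic for roughly two intervals after its back-end stops answering, and a single good reply resets the counter. Note also that with relationship or, a rule that matches only the response code can mask a content failure in another rule.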


system ha-mgmt-router-static

For a FortiWeb applicance in an HA group, the configurations set by config router policy and config router
static are synchronized by all the group members, but the configurations set by HA Mgmt Static Route or HA
Mgmt Policy route are applied only to this specific member.
Use this command to add or delete a static route that is used only by this HA member. It is useful when you want to
connect this cluster member to back-end servers that are not in the server pool of the HA group.
To use this command, your administrator account’s access control profile must have rw or w permission to the sysgrp
area. For details, see Permissions on page 46.

Only one default route (a static route whose destination is 0.0.0.0/0) is allowed on a FortiWeb appliance. For example, if you have configured a default route in Network > Route, you cannot configure another default route in the HA route settings.

Syntax
config system ha-mgmt-router-static
edit <route_index>
set device "<interface_name>"
set dst "<destination_ip>"
set gateway "<router_ip>"
next
end

<route_index>
    Enter the index number of the static route. If multiple routes match a packet, the one with the smallest index number is applied.
    The valid range is 0–65,535.
    Default: No default.

device "<interface_name>"
    Enter the name of the network interface, such as port1, through which traffic subject to this route will be outbound. The maximum length is 63 characters.
    Default: No default.

dst "<destination_ip>"
    Enter the destination IP address and netmask of traffic that will be subject to this route, separated with a space.
    To indicate all traffic regardless of IP address and netmask (that is, to configure a route to the default gateway), enter 0.0.0.0 0.0.0.0 or ::/0.
    Default: 0.0.0.0 0.0.0.0

gateway "<router_ip>"
    Enter the IP address of a next-hop router.
    Caution: The gateway IP address must be in the same subnet as the interface’s IP address. If you change the interface’s IP address later, the new IP address must also be in the same subnet as the interface’s default gateway address. Otherwise, all static routes and the default gateway will be lost.
    Default: 0.0.0.0

system ha-mgmt-router-policy

For a FortiWeb appliance in an HA group, the configurations set by config router policy and config router static are synchronized to all the group members, but the configurations set by HA Mgmt Static Route or HA Mgmt Policy Route are applied only to this specific member.
Use this command to add or delete a policy route that is used only by this HA member. It is useful when you want to connect this cluster member to back-end servers that are not in the server pool of the HA group.
To use this command, your administrator account’s access control profile must have rw or w permission to the sysgrp area. For details, see Permissions on page 46.

Syntax
config system ha-mgmt-router-policy
edit <policy_index>
set iif "<incoming_interface_name>"
set src "<source_ip>"
set dst "<destination_ip>"
set oif "<outgoing_interface_name>"
set gateway "<router_ip>"
set priority <priority_int>
next
end

<policy_index>
    Enter the index number of the policy route.
    The valid range is 0–65,535.
    Default: No default.

iif "<incoming_interface_name>"
    Enter the name of the interface, such as port1, on which FortiWeb receives packets it applies this routing policy to.
    Default: No default.

src "<source_ip>"
    Enter the source IP address and netmask to match, separated with a space. FortiWeb routes matching traffic through the specified interface and gateway.
    Default: 0.0.0.0 0.0.0.0

dst "<destination_ip>"
    Enter the destination IP address and netmask to match, separated with a space. FortiWeb routes matching traffic through the specified interface and gateway.
    Default: 0.0.0.0 0.0.0.0

oif "<outgoing_interface_name>"
    Enter the name of the interface, such as port2, through which FortiWeb routes packets that match the specified IP address information.
    Default: No default.

gateway "<router_ip>"
    Enter the IP address of a next-hop router.
    A gateway address is not required for the particular routing policies used as static routes in a one-arm topology. Leave this blank for a one-arm network topology.
    Default: 0.0.0.0

priority <priority_int>
    Enter a value between 1 and 200 that specifies the priority of the route. When packets match more than one policy route, FortiWeb directs traffic to the route with the lowest value.
    Default: 200

system ha-node

For high volume active-active mode, use this command to allocate appliances to the HA group.

Syntax
config system ha-node
edit <HA_node_number>
set sn <HA_node_device_SN>
next
end

<HA_node_number>
    The index number of the node to be selected as an HA group member.
    Default: N/A

sn <HA_node_device_SN>
    The serial number of the node.
    Default: N/A

Example
config system ha-node
edit 1
set sn FV100XXXXXXXXXXX
next
end


system icapserver

Use this command to configure FortiWeb to submit all files that match your upload restriction rules to an ICAP server. The ICAP server evaluates whether the file poses a threat and returns the result to FortiWeb. If ICAP determines that the file is malicious, FortiWeb performs the following tasks:
• Generates an attack log message that contains the result.
• Takes the action specified by the file security policy. During this time, it does not re-submit the file to the ICAP server.
To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions on page 46.

Syntax
config system icapserver
set server "<server_ipv4>"
set cache-timeout <timeout_int>
set port <port_int>
set elog {enable | disable}
set service-name <name_str>
set ssl {enable | disable}
end

server "<server_ipv4>"
    Enter the IP address or domain name of the ICAP server to send files to.
    Default: No default.

port <port_int>
    Enter the port on which the ICAP server is listening. When ssl {enable | disable} is enable, the default port is 11344; when it is disable, the default port is 1344.
    Default: 1344 or 11344

cache-timeout <timeout_int>
    After it receives the ICAP results, FortiWeb takes the action specified by the file security policy. During this time, it does not re-submit the file to the ICAP server. The valid range is 1–168 hours.
    Default: 72

elog {enable | disable}
    Enable so that FortiWeb reports event logs when it successfully submits files to FortiSandbox.
    Default: disable

service-name <name_str>
    The name of the ICAP service, which appears in the URL configured in the ICAP client. For example, icap://<ip_address>/<name>.
    Default: No default.

ssl {enable | disable}
    Enable to encrypt the transmission. The port varies depending on whether this option is enabled or not.
    Default: disable


Example

This example creates a connection to an ICAP server at 192.0.2.2, encrypts the transmission, and keeps each ICAP result for 5 hours before a file is re-submitted.
config system icapserver
set server "192.0.2.2"
set ssl enable
set cache-timeout 5
end

Related topics

• waf file-upload-restriction-policy on page 451
• log reports on page 75

system ha-traffic-distribution

The domain name of your application is paired with one or more IP addresses. These IP addresses are called Virtual IPs in FortiWeb. When your users visit your application, the destination of these requests is one of these virtual IP addresses. If you have deployed a FortiWeb HA cluster in your network, these requests arrive first at the FortiWeb cluster for threat detection and are then forwarded to the back-end servers. The traffic distribution controls which FortiWeb appliances in the cluster process the traffic destined to certain virtual IPs.

Syntax
config system ha-traffic-distribution
edit <traffic-distribution_name>
set node-order <the_index_of_node_with_highest_priority>
set node-order <the_index_of_node_with_secondary_priority>
set node-order <the_index_of_node_with_third_priority>
...
set vip-list <vip_names>
next
end

<traffic-distribution_name>
    The name of the traffic distribution.
    Default: N/A

node-order <the_index_of_node_with_highest_priority>
node-order <the_index_of_node_with_secondary_priority>
node-order <the_index_of_node_with_third_priority>
...
    The priority order of the nodes that process the traffic to the VIP. The node with the highest priority processes the traffic to the specified VIPs. If this node is down, the secondary node takes over the traffic, and so on.
    Default: N/A

vip-list <vip_names>
    The name of the VIP. You can assign the same VIP to different traffic distributions.
    Default: N/A

Example
config system ha-traffic-distribution
edit traffic1
set node-order 2
set node-order 3
set node-order 1
set vip-list vip1
next
end

system hsm info

Use this command to edit the configuration so that FortiWeb will work with SafeNet Network HSM 7 (hardware security
module). The HSM integration allows FortiWeb to retrieve a per-connection SSL session key instead of loading the local
private key and certificate.

Because the HSM configuration requires you to upload a server certificate, you can
create it using the web UI only. After you create the configuration in the web UI, this
command allows you to edit it.
For detailed information on integrating HSM with FortiWeb, see the FortiWeb
Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides

Before you can show or edit HSM configuration in the CLI and access HSM settings in the web UI, use the following
command to enable the HSM settings:
config server-policy setting
set high-compatibility-mode enable
set hsm enable
end

To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.


Syntax
config system hsm info
set ip "<hsm_ipv4>"
set port <port_int>
set timeout <timeout_int>
set filename "<filename_str>"
set register-status {enable | disable}
end

ip "<hsm_ipv4>"
    Enter the IP address of the HSM.
    Default: No default.

port <port_int>
    Enter the port where FortiWeb establishes an NTLS connection with the HSM.
    Default: 1792

timeout <timeout_int>
    Enter a timeout value for the connection between the HSM and FortiWeb.
    Default: No default.

filename "<filename_str>"
    Shows the name of the server certificate file from the HSM. You cannot edit this option using the CLI.
    Default: No default.

register-status {enable | disable}
    Enable to register FortiWeb as a client of the HSM.
    Default: disable

Related topics

• system hsm partition on page 310
• system certificate local on page 237

system hsm partition

Use this command to edit information about the partition that the FortiWeb HSM client is assigned to. The partition
settings are part of the configuration that allows FortiWeb to work with SafeNet Luna SA HSM (hardware security
module).
Before you can show or edit HSM configuration in the CLI and access HSM settings in the web UI, use the following
command to enable the HSM settings:
config server-policy setting
set hsm enable
end
For additional HSM integration settings, see system hsm info on page 309.


For detailed information on integrating HSM with FortiWeb, see the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system hsm partition
edit "<partition_name>"
set password <password_int>
next
end

"<partition_name>"
    Enter the name of a partition that the FortiWeb HSM client is assigned to.
    Default: No default.

password <password_int>
    Enter the partition password.
    Default: No default.

Related topics

• system hsm info on page 309
• system certificate local on page 237

system interface

Use this command to configure:


• The network interfaces associated with the physical network ports of the FortiWeb appliance
• VLAN subinterfaces or 802.3ad link aggregates associated with physical network interfaces
Both the network interfaces and VLAN subinterfaces can include administrative access.
You can restrict which IP addresses are permitted to log in as a FortiWeb administrator through the network interfaces and VLAN subinterfaces. For details, see system admin on page 207.

When the FortiWeb appliance is operating in either of the transparent modes, VLANs
do not support Cisco discovery protocol (CDP).

The Link Aggregation Control Protocol (LACP) Interface and Redundant Interface
are currently supported only when FortiWeb is deployed in Reverse Proxy or True
Transparent Proxy mode. It can be applied to VLAN subinterfaces. It cannot be
applied to ports that are used for the HA heartbeat, but it can be applied to monitor
ports in an HA cluster. It is not supported in FortiWeb-VM.

You can use SNMP traps to notify you when a network interface’s configuration changes, or when a link is brought down
or brought up. For details, see system snmp community on page 339.
To use this command, your administrator account’s access control profile must have rw permission to the netgrp area. For details, see Permissions on page 46.

Syntax
config system interface
edit "<interface_name>"
set status {up | down}
set type {aggregate | physical | vlan | redundant}
set algorithm {layer2 | layer2_3 | layer3_4}
set allowaccess {http https ping snmp ssh FortiWeb-manager}
set ip6-allowaccess {http https ping snmp ssh FortiWeb-manager}
set wccp {enable | disable}
set description "<comment_str>"
set interface "<interface_name>"
set intf {"<port_name>" ...}
set ip "<interface_ipv4mask>"
set ip6 "<interface_ipv6mask>"
set mode {static | dhcp}
set ip6-mode {static | dhcp}
set vlanid <vlan-id_int>
set vlanproto {8021q | 8021ad}
set lacp-speed {fast | slow}
set mtu <mtu_int>
config secondaryip
edit <entry_index>
set ip {"<interface_ipv4mask>" | "<interface_ipv6mask>"}
next
end
next
end

"<interface_name>"
    Enter the name of a network interface. The maximum length is 15 characters.
    Default: No default.

status {up | down}
    Enable (select up) to bring up the network interface so that it is permitted to receive and/or transmit traffic.
    Note: The administrative status set by this command is not the same as the detected physical link status. For example, even though you have used config system interface to configure port1 with set status up, if the cable is physically unplugged, diagnose hardware nic list port1 may correctly indicate that the link is down (Link detected: no).
    Default: up

algorithm {layer2 | layer2_3 | layer3_4}
    Select the connectivity layers that will be considered when distributing frames among the aggregated physical ports.
    • layer2—Consider only the MAC address. This results in the most even distribution of frames, but may be disruptive to TCP if packets frequently arrive out of order.
    • layer2_3—Consider both the MAC address and IP session. Queue frames involving the same session to the same port. This results in slightly less even distribution, and still does not guarantee perfectly ordered TCP sessions, but does result in less jitter within the session.
    • layer3_4—Consider both the IP session and TCP connection. Queue frames involving the same session and connection to the same port. Distribution is not even, but this does prevent TCP retransmissions associated with link aggregation.
    Default: layer2

allowaccess {http https ping snmp ssh FortiWeb-manager}
    Enter the IPv4 protocols that will be permitted for administrative connections to the network interface or VLAN subinterface. Separate each protocol with a space. To remove from or add to the list of permitted administrative access protocols, retype the entire list.
    • ping—Allow ICMP ping responses from this network interface.
    • http—Allow HTTP access to the web UI. HTTP access to FortiWeb's GUI is automatically redirected to HTTPS, so you can't enable HTTP alone; it must be enabled along with HTTPS.
    • https—Allow secure HTTP (HTTPS) access to the web UI.
    • snmp—Allow SNMP access. For details, see system snmp community on page 339.
      Note: This setting only configures which network interface will receive SNMP queries. To configure which network interface will send traffic, see system snmp community on page 339.
    • ssh—Allow SSH access to the CLI.
    • FortiWeb-manager—Allow FortiWeb Manager to use this interface to administer this appliance.
    Caution: Enable administrative access only on network interfaces or VLAN subinterfaces that are connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance. Consider allowing ping only when troubleshooting.
    Default: ping https ssh

ip6-allowaccess {http https ping snmp ssh FortiWeb-manager}
    Enter the IPv6 protocols that will be permitted for administrative connections to the network interface or VLAN subinterface. Separate each protocol with a space. To remove from or add to the list of permitted administrative access protocols, retype the entire list.
    • ping—Allow ICMP ping responses from this network interface.
    • http—Allow HTTP access to the web UI. HTTP access to FortiWeb's GUI is automatically redirected to HTTPS, so you can't enable HTTP alone; it must be enabled along with HTTPS.
    • https—Allow secure HTTP (HTTPS) access to the web UI.
    • snmp—Allow SNMP access. For details, see system snmp community on page 339.
      Note: This setting only configures which network interface will receive SNMP queries. To configure which network interface will send traffic, see system snmp community on page 339.
    • ssh—Allow SSH access to the CLI.
    • FortiWeb-manager—Allow FortiWeb Manager to use this interface to administer this appliance.
    Caution: Enable administrative access only on network interfaces or VLAN subinterfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance. Consider allowing ping only when troubleshooting.
    Default: ping

wccp {enable | disable}
    Specify whether FortiWeb uses the interface to communicate with a FortiGate unit configured as a WCCP server. Available only when the operation mode is WCCP.
    Default: disable

description "<comment_str>"
    Enter a description or other comment. If the comment is more than one word or contains an apostrophe, surround the comment with double quotes ( " ). The maximum length is 63 characters.
    Default: No default.

interface "<interface_name>"
    Enter the name of the network interface with which the VLAN subinterface will be associated. The maximum length is 15 characters. This field is available only if type {aggregate | physical | vlan | redundant} is vlan.
    Default: No default.

intf {"<port_name>" ...}
    Enter the names of 2 physical network interfaces or more that will be combined into the aggregate link. Only physical network interfaces may be aggregated. The maximum length is 15 characters each. This field is available only if type {aggregate | physical | vlan | redundant} is vlan.
    Default: No default.

ip "<interface_ipv4mask>"
    Enter the IPv4 address and netmask of the network interface, if any. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet. The default setting for port1 is 192.168.1.99 with a netmask of 255.255.255.0. Other ports have no default.
    Default: Varies by the interface.

ip6 "<interface_ipv6mask>"
    Enter the IPv6 address and netmask of the network interface, if any. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet.
    Default: ::/0


lacp-speed {fast | slow}
    Select the rate of transmission for the LACP frames (LACPDUs) between FortiWeb and the peer device at the other end of the trunking cables, either:
    • slow—Every 30 seconds.
    • fast—Every 1 second.
    Note: This must match the setting on the other device. If the rates do not match, FortiWeb or the other device could mistakenly believe that the other’s ports have failed, effectively disabling ports in the trunk.
    Default: slow

type {aggregate | physical | vlan | redundant}
    Indicates whether the interface is directly associated with a single physical network port, a group of redundant interfaces, or is instead a VLAN subinterface or link aggregate. The default varies by whether you are editing a network interface associated with a physical port (physical) or creating a new subinterface/aggregate (vlan or aggregate).
    Default: Varies by the interface.

mode {static | dhcp}
    Specify whether the interface obtains its IPv4 address and netmask using DHCP.
    Default: static

ip6-mode {static | dhcp}
    Specify whether the interface obtains its IPv6 address and netmask using DHCP.
    Default: static

vlanid <vlan-id_int>
    Enter the VLAN ID of packets that belong to this VLAN subinterface.
    • If one physical network port (that is, a VLAN trunk) will handle multiple VLANs, create multiple VLAN subinterfaces on that port, one for each VLAN ID that will be received.
    • If multiple, different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs.
    The VLAN ID is part of the tag that is inserted into each Ethernet frame in order to identify traffic for a specific VLAN. VLAN header addition is handled automatically, and does not require that you adjust the maximum transmission unit (MTU). Depending on whether the device receiving a packet operates at Layer 2 or Layer 3 of the network, this tag may be added, removed or rewritten before forwarding to other nodes on the network. For example, a Layer 2 switch or FortiWeb appliance operating in either of the transparent modes would typically add or remove a tag when forwarding traffic among members of the VLAN, but would not route tagged traffic to a different VLAN ID. In contrast, a FortiWeb appliance operating in Reverse Proxy mode, inspecting the traffic to make routing decisions based upon higher-level layers/protocols, might route traffic between different VLAN IDs (also known as inter-VLAN routing) if indicated by its policy, such as if it has been configured to do WSDL-based routing.
    For the maximum number of interfaces, including VLAN subinterfaces, see the FortiWeb Administration Guide: https://docs.fortinet.com/fortiweb/admin-guides
    This field is available only when type {aggregate | physical | vlan | redundant} is vlan. The valid range is between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1q-compliant router or switch connected to the VLAN subinterface.
    Default: 0

vlanproto {8021q | 8021ad}
    Select either the VLAN type 802.1Q or 802.1ad.
    Default: 802.1Q

<entry_index>
    Enter the index number of the individual entry in the table.
    Default: No default.

ip {"<interface_ipv4mask>" | "<interface_ipv6mask>"}
    Type an additional IPv4 or IPv6 address and netmask for the network interface. Available only when ip-src-balance or ip6-src-balance is enabled. For details, see system network-option on page 321.
    Default: No default.

mtu <mtu_int>
    Enter the maximum transmission unit (MTU) that the interface supports. Valid values are 512–9216 (for IPv4) or 1280–9216 (for IPv6). You cannot specify an MTU for a VLAN interface that is larger than the MTU of the corresponding physical interface.
    Default: 1500

Example

This example configures the network interface named port1, associated with the first physical network port, with the IP address and subnet mask 192.0.2.1/24. It also enables ICMP ECHO (ping) and HTTPS administrative access to that network interface, and enables it.
config system interface
edit "port1"
set ip "192.0.2.1 255.255.255.0"
set allowaccess ping https
set status up
next
end

Example

This example configures the network subinterface named vlan_100, associated with the physical network interface port1, with the IP address and subnet mask 192.0.2.1/24. It does not allow administrative access.
config system interface
edit "vlan_100"
set type vlan
set ip "192.0.2.1 255.255.255.0"
set status up
set vlanid 100
set interface "port1"
next
end

Related topics

• system v-zone on page 352
• router static on page 98
• server-policy vserver on page 199
• system snmp community on page 339
• system admin on page 207
• system ha on page 287
• system network-option on page 321
• ping on page 768
• hardware nic on page 711
• network ip on page 717
• network sniffer on page 721
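As an added example, not code from the FortiWeb reference or from Fortinet, the following Python script parses a constructed dump in the config/edit/set/next/end syntax shown above and applies two of the rules this reference states: the administrative-access caution for system interface (HTTP cannot stand alone, snmp and ping should be confined), and the gateway-must-be-in-subnet and single-default-route rules for system ha-mgmt-router-static. The parser, the function names and all addresses are assumptions made for this example; nested sub-tables such as config secondaryip are deliberately not handled.

```python
import ipaddress

# Constructed dump in the config/edit/set/next/end syntax documented above;
# the addresses and names are made up for this example.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip "192.0.2.1 255.255.255.0"
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip "198.51.100.1 255.255.255.0"
        set allowaccess http ping snmp
    next
end
config system ha-mgmt-router-static
    edit 1
        set device "port1"
        set dst "0.0.0.0 0.0.0.0"
        set gateway "192.0.2.254"
    next
    edit 2
        set device "port2"
        set dst "10.10.0.0 255.255.0.0"
        set gateway "10.10.0.1"
    next
    edit 3
        set device "port1"
        set dst "0.0.0.0 0.0.0.0"
        set gateway "192.0.2.253"
    next
end
"""


def parse_config(text):
    """Parse flat config/edit/set/next/end blocks into {table: {entry: {key: value}}}.
    Nested sub-tables such as config secondaryip are not handled (example assumption)."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[len("config "):]
            tables[table] = {}
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            tables[table][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables


def audit_admin_access(tables):
    """Flag allowaccess settings the reference cautions about, as (interface, finding)."""
    findings = []
    for name, attrs in tables.get("system interface", {}).items():
        protos = set(attrs.get("allowaccess", "").split())
        if "http" in protos and "https" not in protos:
            findings.append((name, "http without https (HTTP cannot be enabled alone)"))
        if "snmp" in protos:
            findings.append((name, "snmp admin access enabled; confine to trusted networks"))
        if "ping" in protos:
            findings.append((name, "ping enabled; keep only while troubleshooting"))
    return findings


def audit_static_routes(tables):
    """Check HA static routes against two rules from the reference: the gateway
    must lie in the egress interface's IPv4 subnet, and at most one default
    route may exist. Returns (route_index, finding); "*" is table-wide."""
    findings, defaults = [], 0
    ifaces = tables.get("system interface", {})
    for idx, route in tables.get("system ha-mgmt-router-static", {}).items():
        if route.get("dst") in ("0.0.0.0 0.0.0.0", "::/0"):
            defaults += 1
        ip_mask = ifaces.get(route.get("device", ""), {}).get("ip", "")
        if not ip_mask:
            findings.append((idx, f"device {route.get('device')!r} has no IPv4 address"))
            continue
        addr, _, mask = ip_mask.partition(" ")
        subnet = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        gateway = ipaddress.ip_address(route.get("gateway", "0.0.0.0"))
        if gateway not in subnet:
            findings.append((idx, f"gateway {gateway} is outside {subnet} on {route['device']}"))
    if defaults > 1:
        findings.append(("*", f"{defaults} default routes; only one is allowed"))
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for target, finding in audit_admin_access(cfg) + audit_static_routes(cfg):
        print(f"{target}: {finding}")
```

Run against a real dump, the same checks apply to the output of show system interface and show system ha-mgmt-router-static, provided the dump contains no nested sub-tables.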

system ip-detection

Use this command to configure how FortiWeb analyzes the identification (ID) field in IP packet headers in order to distinguish source IP addresses that are actually Internet connections shared by multiple clients from those that belong to single clients.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system ip-detection
set share-ip-detection-level {low | medium | high}
end


share-ip-detection-level {low | medium | high}
    Select how different packets’ ID fields can be before FortiWeb detects that an IP is shared by multiple clients.
    Default: low

Related topics

l system advanced on page 217

system manager-mode

The autoscaling options on FortiWeb are automatically configured after initial deployment. You can use this command to
change the default configurations.

Syntax
config system manager
set mode {server | client | standalone}
set server-type {physical}
set server-ip <server_ip_address>
set server-port <integer>
set config-sync-port <integer>
set connection-interval <integer>
set connection-lost-threshold <integer>
set callback-url <string>
set callback-interval <integer>
set server-public-ip <server_public_ip_address>
end

mode {server | client | standalone}
    After the VMs in the auto-scaling cluster are deployed, the function APP elects a server VM. You can use this command to change the role of the VM.
    Default: No default.

server-type {physical}
    Currently only the physical server type is supported. More types will be supported in future releases.
    Default: physical

server-ip <server_ip_address>
    Enter the IP address of the server's port1.
    Default: port1's IP address.

server-port <integer>
    Enter a TCP port number. The clients use server-ip:server-port to communicate with the server, for example, to register with the server to join, leave, etc.
    Default: 996

config-sync-port <integer>
    Enter the port that is used for configuration synchronization. The configurations of the server will be synchronized to all the clients in the cluster.
    Default: 997

connection-interval <integer>
    Enter the number of seconds between each server-client connection. The valid range is from 1–10.
    Default: 10

connection-lost-threshold <integer>
    Enter the number of seconds which must pass before the server confirms that the client's connection is lost. The valid range is 1–10.
    Default: 3

callback-url <string>
    The URL of the function APP. The VMs in the auto-scaling cluster use this URL to communicate with the function APP. This URL is broadcast to all the VMs in the cluster when they are deployed, so that they can communicate with the function APP. The function APP will then elect a server VM among all the available VMs.
    Default: function APP's IP address

callback-interval <integer>
    Specify the interval at which FortiWeb-VM sends heartbeat requests to the callback URL. The valid range is 10–600 seconds.
    Default: 30

server-public-ip <server_public_ip_address>
    The public IP address of the server. You can use this address to access the server's GUI and CLI.
    Default: server VM's IP address

system network-option

Use this command to configure system-wide TCP connection options.
To use this command, your administrator account’s access control profile must have either w or rw permission to the netgrp area. For details, see Permissions on page 46.

Syntax
config system network-option
set tcp-timestamp {enable | disable}
set tcp-tw-recycle {enable | disable}
set ip-src-balance {enable | disable}
set ip6-src-balance {enable | disable}
set tcp-buffer {default | high | max | ultra}
set arp_ignore {enable | disable}
set loopback-mtu <loopback-mtu_int>
set tcp-usertimeout <tcp-usertimeout_int>
set tcp-keepcnt <tcp-keepcnt_int>
set tcp-keepidle <tcp-keepidle_int>
set tcp-keepintvl <tcp-keepintvl_int>
set loopback-tso-gso {enable | disable}
set route-priority {system | dhcp}
set dns-priority {system | dhcp}
set dns-cache-timeout <dns-cache-timeout_int>
set tcp-mtu-probing {enable | disable}
set ipfrag-timeout <ipfrag-timeout_int>
set ip6frag-high-thresh <ip6frag-high-thresh_int>
set ip6frag-low-thresh <ip6frag-low-thresh_int>
set ip6frag-timeout <ip6frag-timeout_int>
end

tcp-timestamp {enable | disable}
    Default: enable
    Enable to:
    • Verify whether clients' TCP timestamps are sequential
    • Include TCP timestamps in packets from FortiWeb
    Disabling this option can be useful when multiple clients are in front of a source
    NAT gateway such as a FortiGate. If it applies source NAT but forwards packets to
    FortiWeb without modifying the TCP timestamp, packets received from that source IP
    will appear to FortiWeb to have an unstable timestamp. FortiWeb will therefore drop
    out-of-sequence packets. Disabling therefore prevents packets dropped due to this
    cause, and can improve performance in that case.
    Caution: Disabling this option affects FortiWeb's dynamic calculation of TCP
    retransmission timeout (RTO) and therefore round trip time (RTT). If you disable the
    timestamp when it is not necessary, this can result in decreased application
    performance.

tcp-tw-recycle {enable | disable}
    Default: disable
    Enable to quickly recycle sockets that are ready to close (i.e. in the TIME_WAIT
    state per the TCP RFC).
    This option can be useful in networks with both sustained high load and bursts of
    new connection requests. If all sockets are busy, new connection requests may be
    refused. Enabling this option frees sockets more quickly.
    Caution: Enabling this option can cause issues with external load balancers and HA
    failover if they are not expecting the connection to close quickly. This can result
    in decreased application performance. Generally, it is safer to wait for sockets to
    safely close before they are reused.

ip-src-balance {enable | disable}
    Default: disable
    Enable to allow FortiWeb to connect to the back-end servers using more than one
    IPv4 address. FortiWeb uses a round-robin load-balancing algorithm to distribute
    the connections among the available IP addresses.
    To specify the additional IP addresses, see system interface on page 312.
    This option is useful for performance testing when the number of concurrent
    connections between FortiWeb and a back-end server exceeds the number of ports
    that a single IP can provide.

ip6-src-balance {enable | disable}
    Default: disable
    Enable to allow FortiWeb to connect to the back-end servers using more than one
    IPv6 address. FortiWeb uses a round-robin load-balancing algorithm to distribute
    the connections among the available IP addresses.
    To specify the additional IP addresses, see system interface on page 312.

tcp-buffer {default | high | max | ultra}
    Default: max
    Select the TCP buffer size:
    • default: 64 KB
    • high: 614 KB
    • max: 1228 KB
    • ultra: 3992 KB
    This option is useful when the amount of traffic between a server pool member and
    FortiWeb is significantly larger than the traffic between FortiWeb and the client.

arp_ignore {enable | disable}
    Default: disable
    Specify how FortiWeb responds to ARP requests.
    • disable—Reply for any local target IP address, configured on any interface.
    • enable—Reply only if the target IP address is a local address configured on the
      incoming interface.

loopback-mtu <loopback-mtu_int>
    Default: 65536
    If the operation mode is True Transparent Proxy, specify a global MTU for v-zones.
    Caution: If this value is smaller than a v-zone's MTU, this value replaces the
    larger value in the v-zone configuration.
    Available only when the operation mode is True Transparent Proxy.

tcp-usertimeout <tcp-usertimeout_int>
    Default: 120
    Enter how long FortiWeb waits before it closes the connection with a client that is
    not sending any data or responding with ACK to keepalive packets, in seconds.

tcp-keepcnt <tcp-keepcnt_int>
    Default: 3
    Enter only if no value is specified for tcp-usertimeout <tcp-usertimeout_int> on
    page 323. Fortinet recommends that you always specify a tcp-usertimeout value.

tcp-keepidle <tcp-keepidle_int>
    Default: 60
    Enter how long FortiWeb waits before it sends a keepalive packet to a client or
    server that keeps a connection with FortiWeb open without sending data, in seconds.

tcp-keepintvl <tcp-keepintvl_int>
    Default: 20
    Enter how often FortiWeb sends a keepalive packet to a client that keeps a
    connection open without sending data, in seconds.

loopback-tso-gso {enable | disable}
    Default: disable
    Used for debugging.

route-priority {system | dhcp}
    Default: No default
    Configure which route takes priority when one route is obtained by the system and
    another by DHCP.

dns-priority {system | dhcp}
    Default: No default
    Configure which DNS server takes priority when one is obtained by the system and
    another by DHCP.

dns-cache-timeout <dns-cache-timeout_int>
    Default: 0
    Configure how long it takes for the DNS proxy cache to expire. The valid range is
    0–60 (minutes). Only integers are supported.
    For example, if the value is set to 3, the DNS proxy queries the DNS records from
    the DNS server and renews the records in the cache every 3 minutes. Please note that
    if the DNS records in the DNS server are changed during the 3-minute interval, and
    a client requests a connection to the domain at this point, the connection will
    fail because the DNS record stored in the DNS proxy cache is not valid anymore.
    To avoid this problem, you can set the dns-cache-timeout to a smaller value, so
    that the DNS proxy renews its cache more frequently. You can also set it to 0 (the
    default value), which means the DNS proxy doesn't cache the DNS records. It
    initiates a query to the DNS server whenever there is a request to look up the DNS
    records.

tcp-mtu-probing {enable | disable}
    Default: disable
    Enable to negotiate with the upstream and downstream switches to get the maximum
    MTU value. Adjust the MTU accordingly for actual need.

ipfrag-high-thresh <ipfrag-high-thresh_int>
    Default: 4194304
    Enter the maximum threshold of memory for queued IP fragments that FortiWeb
    receives. The valid range is 0–4194304 bytes.

ipfrag-low-thresh <ipfrag-low-thresh_int>
    Default: 3145728
    Enter the minimum threshold of memory for queued IP fragments that FortiWeb
    receives. The valid range is 0–3145728 bytes.

ipfrag-timeout <ipfrag-timeout_int>
    Default: 30
    Enter the number of seconds FortiWeb waits for the next IP fragment to be received.
    The valid range is 0–30 seconds.

ip6frag-high-thresh <ip6frag-high-thresh_int>
    Default: 4194304
    Enter the maximum threshold of memory for queued IPv6 fragments that FortiWeb
    receives. The valid range is 0–4194304 bytes.

ip6frag-low-thresh <ip6frag-low-thresh_int>
    Default: 3145728
    Enter the minimum threshold of memory for queued IPv6 fragments that FortiWeb
    receives. The valid range is 0–3145728 bytes.

ip6frag-timeout <ip6frag-timeout_int>
    Default: 30
    Enter the number of seconds FortiWeb waits for the next IPv6 fragment to be
    received. The valid range is 0–30 seconds.

tcp-usertimeout <integer>
    Default: 120
    When the health check is disabled and the back-end server is not responsive,
    FortiWeb will wait for the specified time before it sends the 503 error code. It is
    recommended to set a value smaller than 20 (seconds). This avoids accumulating too
    many retries during the waiting time, which may cause the connection to be closed
    before FortiWeb has the chance to send the error code.
    This option is at the appliance level. It affects all the policies on the
    appliance. You can also set tcp-conn-timeout under config server-policy policy,
    which only affects a specific policy. If the timeout is configured both at the
    policy and the appliance level, FortiWeb will take whichever value is smaller.
    Sometimes when there is a third device, such as a gateway, deployed between
    FortiWeb and the back-end server, FortiWeb will directly get the status code from
    the third device instead of waiting for the whole timeout period.
    The valid range for this option is 0–600 (seconds).
    0 means FortiWeb will send the 503 error code as soon as it detects that the
    back-end server is not responsive.

Example

This example assigns additional IP addresses to port1. FortiWeb uses a round-robin load-balancing algorithm to
distribute connections to back-end servers among the available IP addresses.
config system network-option
  set ip-src-balance enable
end

config system interface
  edit port1
    set type physical
    set ip 192.0.2.71/24
    set allowaccess https ping ssh snmp http telnet
    config secondaryip
      edit 1
        set ip 192.0.2.72/24
      next
      edit 2
        set ip 192.0.2.73/24
      next
    end
  next
end

Related topics

• system interface on page 312
• ping on page 768
• network ip on page 717
• network sniffer on page 721

system object-tagging

Use this command to create tags that can be attached to server policies. Tags help label server policies for later
use, such as sorting, filtering and acknowledging policies.
To use this command, your administrator account’s access control profile must have both r and w permissions to items
in the admingrp category.

Syntax
config system object-tagging
edit <string>
set color <color-id>
next
end

<string>
    Default: no default
    The name of the tag.

<color-id>
    Default: 1
    Assign a color to this tag. The valid range is 0–32.

system password-policy

Use this command to configure a password policy for administrator accounts that sets rules for password characteristics.


Syntax
config system password-policy
  set status {enable | disable}
  set min-length-option {enable | disable}
  set mini-length <mini-length_int>
  set single-admin-mode {enable | disable}
  set character-requirements {enable | disable}
  set min-upper-case-letter <min-upper-case-letter_int>
  set min-lower-case-letter <min-lower-case-letter_int>
  set mini-number <mini_number_int>
  set min-non-alphanumeric <min-non-alphanumeric_int>
  set forbid-password-reuse {enable | disable}
  set history-password-number <history-password-number_int>
  set expire-status {enable | disable}
  set expire-day <expire-day_int>
end

status {enable | disable}
    Default: disable
    Enable to enforce password rules for administrator accounts. When you configure
    rules for the password policy, administrator accounts that don't adhere to the
    password policy will be prompted to update their password upon logging in.
    For some cloud platforms such as AWS, Azure, and GCP, it is enabled by default.

min-length-option {enable | disable}
    Default: disable
    Enable/disable setting a minimum length for the password.

mini-length <mini-length_int>
    Default: 8
    Enter the minimum password length. The valid range is 8–128.

single-admin-mode {enable | disable}
    Default: disable
    Enable/disable single admin user login.

character-requirements {enable | disable}
    Default: 0
    Enable/disable character requirements: upper/lower case letters, numbers (0–9),
    and special characters.

min-upper-case-letter <min-upper-case-letter_int>
    Default: 0
    Enter the minimum number of upper case characters. The valid range is 0–128.

min-lower-case-letter <min-lower-case-letter_int>
    Default: 0
    Enter the minimum number of lower case characters. The valid range is 0–128.

mini-number <mini_number_int>
    Default: 0
    Enter the minimum number of number characters. The valid range is 0–128. Only
    numbers 0–9 are supported.

min-non-alphanumeric <min-non-alphanumeric_int>
    Default: 0
    Enter the minimum number of special characters. The valid range is 0–128.

forbid-password-reuse {enable | disable}
    Default: disable
    Enable to forbid password re-use.

history-password-number <history-password-number_int>
    Default: 3
    Enter the number of previous passwords that cannot be re-used. The valid range is
    1–10.

expire-status {enable | disable}
    Default: disable
    Enable password expiration.

expire-day <expire-day_int>
    Default: 90
    Enter the valid period for the password. The valid range is 1–999 days.

Example

This example enables and configures the password policy.

config system password-policy
  set status enable
  set min-length 8
  set single-admin-mode enable
  set character-requirements enable
  set min-upper-case-letter 2
  set min-lower-case-letter 2
  set min-number 2
  set min-non-alphanumeric 3
  set forbid-password-reuse enable
  set history-password-number 2
  set expire-status enable
  set expire-day 100
end
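The rules that these settings express, as an added example in Python that is not FortiWeb's own code. The field names mirror the CLI keys and the values mirror the example above; how the rules combine, and the SHA-256 digests used for the reuse history, are this example's assumptions.

```python
"""Added example (not FortiWeb code): model the rules that the
'config system password-policy' settings express and check candidate
passwords against them before an administrator password is set or rotated.

Field names mirror the CLI keys; how the rules combine is this example's
assumption, not FortiWeb's implementation."""
import hashlib
import string
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    # Values mirror the Example above.
    status: bool = True                   # status
    min_length_option: bool = True        # min-length-option
    mini_length: int = 8                  # mini-length, valid range 8-128
    character_requirements: bool = True   # character-requirements
    min_upper_case_letter: int = 2        # min-upper-case-letter
    min_lower_case_letter: int = 2        # min-lower-case-letter
    mini_number: int = 2                  # mini-number, digits 0-9 only
    min_non_alphanumeric: int = 3         # min-non-alphanumeric
    forbid_password_reuse: bool = True    # forbid-password-reuse
    history_password_number: int = 2      # history-password-number, 1-10
    # Digests of previously used passwords, newest last. A production store
    # would use a salted, slow hash; SHA-256 here only avoids keeping plaintext.
    history: list = field(default_factory=list)


def _digest(pw: str) -> str:
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw: str, policy: PasswordPolicy) -> list:
    """Return the rule violations for pw; an empty list means it is acceptable."""
    if not policy.status:
        return []  # policy disabled: no rules are enforced
    problems = []
    if policy.min_length_option and len(pw) < policy.mini_length:
        problems.append(f"length {len(pw)} < mini-length {policy.mini_length}")
    if policy.character_requirements:
        upper = sum(1 for c in pw if c in string.ascii_uppercase)
        lower = sum(1 for c in pw if c in string.ascii_lowercase)
        digits = sum(1 for c in pw if c in string.digits)
        special = len(pw) - upper - lower - digits  # everything else counts as special
        for name, have, need in (
            ("min-upper-case-letter", upper, policy.min_upper_case_letter),
            ("min-lower-case-letter", lower, policy.min_lower_case_letter),
            ("mini-number", digits, policy.mini_number),
            ("min-non-alphanumeric", special, policy.min_non_alphanumeric),
        ):
            if have < need:
                problems.append(f"{name}: have {have}, need {need}")
    if policy.forbid_password_reuse:
        # Only the most recent history-password-number entries are off limits.
        recent = policy.history[-policy.history_password_number:]
        if _digest(pw) in recent:
            problems.append(
                f"reused one of the last {policy.history_password_number} passwords")
    return problems


def record_password(pw: str, policy: PasswordPolicy) -> None:
    """Add pw to the reuse history once it has been accepted."""
    policy.history.append(_digest(pw))


if __name__ == "__main__":
    pol = PasswordPolicy()
    for candidate in ("Fortiweb1!", "FW-admin#2024!ok", "fortiweb"):
        print(candidate, "->", check_password(candidate, pol) or "OK")
```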

system raid

Use this command to configure the RAID level.


Currently, only RAID level 1 is supported, and only on the following models shipped with FortiWeb 4.0 MR1 or later:
• FortiWeb-1000B
• FortiWeb-1000C
• FortiWeb-1000D
• FortiWeb-1000E
• FortiWeb-2000E
• FortiWeb-3000C
• FortiWeb-3000D
• FortiWeb-3000E
• FortiWeb-4000C
• FortiWeb-4000D
• FortiWeb-4000E
On older appliances that have been upgraded to FortiWeb 4.0 MR1 or later, RAID cannot be activated.

Back up the data regularly. RAID is not a substitute for regular backups. RAID 1
(mirroring) is designed to improve hardware fault tolerance, but cannot negate all
risks.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system raid
set level {raid1}
end

level {raid1}
    Default: raid1
    Enter the RAID level. Currently, only RAID level 1 is supported.

Example

This example sets RAID level 1.


config system raid
set level raid1
end

Related topics

• create-raid level on page 757
• create-raid rebuild on page 758
• hardware raid list on page 713

system recaptcha-api

Use this command to specify the URL that FortiWeb will use to send API calls to Google reCAPTCHA service, and the
timeout of the API request.


To use this command, your administrator account’s access control profile must have both r and w permissions to items
in the admingrp category.

Syntax
config system recaptcha-api
set url <string>
set timeout <int>
end

url <string>
    Default: https://www.google.com/recaptcha/api/siteverify
    Specify the URL of the Google reCAPTCHA service. FortiWeb sends API calls to this
    URL to verify the client's response to the reCAPTCHA challenge.

timeout <int>
    Default: 10 (seconds)
    If no result is returned from the Google reCAPTCHA service by the end of the
    timeout period, the bot confirmation will be treated as failed.

system replacemsg-image

Use this command to add images that the FortiWeb HTML web pages can use. These pages are the ones that FortiWeb
uses for blocking, authentication, and unavailable servers.
You cannot edit the images that FortiWeb provides by default.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system replacemsg-image
  edit "<image_name>"
    set image-type {gif | jpg | png | tiff}
    set image-base64 <image_code>
  next
end

"<image_name>"
    Default: No default
    Enter the name of the image to add.

image-type {gif | jpg | png | tiff}
    Default: No default
    Specify the image file format of the image to add.

image-base64 <image_code>
    Default: No default
    Enter the image data as a Base64-encoded string.
    Ensure the value has the following properties:
    • Its length is divisible by 4 (a rule of Base64 encoding)
    • It begins with characters that identify its format (for example, R0lGO for GIF,
      iVBORw0K for PNG)
    • The format matches the value of image-type
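A pre-flight check for the three properties listed above, as an added example in Python that is not FortiWeb's own code. The GIF and PNG prefixes come from the table; the jpg and tiff prefixes, the decoded file signatures and the sample header bytes are this example's additions, and the samples are constructed headers rather than real images.

```python
"""Added example (not FortiWeb code): pre-flight checks for the value given
to 'set image-base64 <image_code>' before it is pushed to the appliance.

The GIF and PNG prefixes are the ones the table names. The jpg and tiff
prefixes, the decoded file signatures and the sample headers are this
example's own additions; the samples are constructed, not real images."""
import base64
import binascii

# Leading Base64 characters that identify each format (what the table calls
# "characters that identify its format"). The jpg and tiff values are derived
# from those formats' magic bytes and are this example's addition.
BASE64_PREFIXES = {
    "gif": ("R0lGO",),
    "png": ("iVBORw0K",),
    "jpg": ("/9j/",),
    "tiff": ("SUkq", "TU0A"),  # little-endian "II*\0" and big-endian "MM\0*"
}

# File signatures of the decoded bytes, used as a second, stronger check.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "tiff": (b"II*\x00", b"MM\x00*"),
}

# Constructed sample values: a valid file header followed by filler bytes.
PNG_SAMPLE = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHD").decode()
GIF_SAMPLE = base64.b64encode(b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 8).decode()
TIFF_SAMPLE = base64.b64encode(b"II*\x00" + b"\x08\x00\x00\x00").decode()


def validate_image_base64(value: str, image_type: str) -> list:
    """Return the problems found with value for the declared image-type.

    An empty list means the value satisfies every property the table lists
    and its decoded bytes also carry the matching file signature."""
    if image_type not in BASE64_PREFIXES:
        return [f"unsupported image-type {image_type!r}"]
    problems = []
    # Property 1: Base64 text always comes in groups of four characters.
    if len(value) % 4 != 0:
        problems.append(f"length {len(value)} is not divisible by 4")
    # Properties 2 and 3: the leading characters must identify the declared format.
    if not value.startswith(BASE64_PREFIXES[image_type]):
        problems.append(f"does not start with a {image_type} prefix "
                        f"{BASE64_PREFIXES[image_type]}")
    # Strict decode: rejects characters outside the Base64 alphabet and bad padding.
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        problems.append(f"not valid Base64: {exc}")
        return problems
    # The prefix check alone can be fooled; confirm the real file signature.
    if not raw.startswith(MAGIC[image_type]):
        problems.append(f"decoded data does not carry a {image_type} signature")
    return problems


def detect_image_type(value: str):
    """Return the image-type whose file signature the decoded value starts
    with, or None if it cannot be decoded or matches no supported format."""
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return None
    for name, signatures in MAGIC.items():
        if raw.startswith(signatures):
            return name
    return None


if __name__ == "__main__":
    for sample, declared in ((PNG_SAMPLE, "png"), (PNG_SAMPLE, "gif"), (TIFF_SAMPLE, "tiff")):
        print(declared, detect_image_type(sample),
              validate_image_base64(sample, declared) or "OK")
```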

system saml

You can configure Fabric Connector to use Single Sign-On (SSO) to log in to FortiWeb with FortiGate's administrator
accounts.
Use this command to configure the single sign on options on FortiWeb. Before using this command, you need to first use
config system csf to configure the Fabric Connector. For a complete guide, see Fabric Connector: Single Sign On
with FortiGate.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system saml
set status {enable | disable}
set default-login-page
set default-profile
set idp-entity-id
set idp-single-sign-on-url
set idp-single-logout-url
set server-address
end

status {enable | disable}
    Default: disable
    Enable or disable single sign-on mode. When this is enabled, the Single Sign-On
    option will be available on the login page of FortiWeb.

default-login-page
    Default: normal
    • normal: When accessing the FortiWeb GUI, the login page has both Single Sign-On
      and non-Single Sign-On login options.
    • sso: When accessing the FortiWeb GUI, it redirects to the SAML Single Sign-On
      login page. Non-Single Sign-On login is not available. Users can only log in with
      FortiGate administrator accounts.

default-profile
    Default: No default
    Logging in to FortiWeb via FortiGate Fabric Single Sign-On does not share the same
    admin profile between FortiWeb and FortiGate. It requires specifying profiles for
    those FortiGate administrator accounts on FortiWeb.
    Choose the profiles you have created in config system accprofile. The selected
    profiles will be assigned to the FortiGate administrator accounts that are used to
    log in to FortiWeb via SAML Single Sign-On.
    The following two default profiles are available, as well as any customized
    profiles:
    • admin_no_access: users will be assigned no access privileges.
    • prof_admin: this is FortiWeb's default profile for the root admin.

idp-entity-id
    Default: No default
    Automatically synchronized from FortiGate if you have configured set
    configuration-sync enable in config system csf.

idp-single-sign-on-url
    Default: No default
    Automatically synchronized from FortiGate if you have configured set
    configuration-sync enable in config system csf.

idp-single-logout-url
    Default: No default
    Automatically synchronized from FortiGate if you have configured set
    configuration-sync enable in config system csf.

server-address
    Default: No default
    Automatically synchronized from FortiGate if you have configured set
    configuration-sync enable in config system csf.

Related topics

• system csf

system sdn-connector

Use this command to create external connectors for Amazon Web Services (AWS), Microsoft Azure, and OCI.
The AWS and Azure connectors authorize FortiWeb to automatically retrieve the IP addresses of the back-end servers
deployed on AWS or Azure.
OCI Connector is available only when FortiWeb-VM is deployed on OCI. It is used to obtain FortiWeb HA member
information in Active-Passive mode.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system sdn-connector
  edit <name>
    set status {enable | disable}
    set type {azure | aws | oci}
    set update-interval <int>
    set access-key <string>
    set secret-key <string>
    set region <string>
    set tenant-id <string>
    set subscription-id <string>
    set client-id <string>
    set client-secret <string>
    set resource-group <string>
    set azure-region <string>
    set server-region-type {commercial | government}
    set server-region <region-id>
    set user-ocid <string>
    set tenant-ocid <string>
    set compartment-ocid <string>
    set private-key <userdef>
  next
end

<name>
    Default: No default
    Enter a name for the external connector object.

status {enable | disable}
    Default: enable
    Enable or disable the external connector object.

type {azure | aws | oci}
    Default: No default
    Select the type of the connector.

update-interval <int>
    Default: 60
    Specify the interval at which the connector retrieves AWS objects and dynamically
    populates the information in the server pool configuration.

AWS connector settings

access-key <string>
    Default: No default
    Specify the access key ID.
    An access key on AWS grants programmatic access to your resources. If you have
    security considerations, it's recommended to create an IAM role specially for
    FortiWeb and grant read-only access.
    See this article for how to get an access key ID and secret access key on AWS:
    https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html

secret-key <string>
    Default: No default
    Specify the secret access key.

region <string>
    Default: No default
    Specify the region where your instances are deployed, for example, us-west-2.

Azure connector settings

You must create an Azure AD application to generate the Azure client ID and corresponding Azure client secret.
This application must be a service principal. Otherwise, the Fabric connector cannot read the inventory. You can
find the complete instructions at Use portal to create an Azure Active Directory application and service
principal that can access resources.
Keep the following in mind when you get to the part about making a new application registration:
• The Application type has two options. Choose Web app/API.
• The Sign-on URL has the asterisk commonly associated with a required field, but this is not applicable in
  this case. Put in any valid URL in the field to complete the form and enable the Create button.

tenant-id <string>
    Default: No default
    See the instructions above for how to find the Tenant ID.

subscription-id <string>
    Default: No default
    The ID of the subscription where your application server is deployed.

client-id <string>
    Default: No default
    See the instructions above for how to find the Client ID.

client-secret <string>
    Default: No default
    See the instructions above for how to find the Client Secret.

resource-group <string>
    Default: No default
    The name of the resource group where your application server is deployed. Make
    sure that the service principal (app registration) is granted the network
    contributor and VM contributor roles for the target resource group.

azure-region <string>
    Default: No default
    The region where your application server is deployed.

OCI Connector settings

You need to generate the RSA key that will be used for authentication when FortiWeb-VM connects to the load
balancer.
1. Log in to a Linux system which has OpenSSL installed.
2. Open a shell terminal and enter the following commands:
   openssl genrsa -out ./oci_api.key 2048
   openssl rsa -pubout -in ./oci_api.key -out ./oci_api_pub.key
   The file oci_api.key is the RSA private key file and the file oci_api_pub.key is its paired public key
   file.
3. Log in to OCI. Go to Governance and Administration > Identity > User.
4. Select the user you want to use.
5. Click Add Public Key, copy the text in the oci_api_pub.key file, and then paste it into the PUBLIC KEY field
   on the Add Public Key window.
6. Click Add.
For a complete guide on the OCI connector settings, see Configuring OCI Connector.

server-region-type {commercial | government}
    Default: commercial
    If your OCI server region is either "US Federal Cloud with DISA Impact Level 5
    Authorization Regions" or "US Government Cloud with FedRAMP Authorization Regions",
    select Government. Otherwise, select Commercial.

server-region <region-id>
    Default: No default
    Enter the Region Identifier of your load balancer.
    • For Commercial regions, find the Region Identifier on this page:
      https://docs.cloud.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm
    • For Government regions, find the Region Identifier on the following pages:
      • https://docs.cloud.oracle.com/en-us/iaas/Content/General/Concepts/govfeddod.htm
      • https://docs.cloud.oracle.com/en-us/iaas/Content/General/Concepts/govfedramp.htm

user-ocid <string>
    Default: No default
    To get the User OCID:
    1. Log in to OCI.
    2. Go to Governance and Administration > Identity > User.
    3. Click the user you want to use.
    4. Copy the OCID of this user.

tenant-ocid <string>
    Default: No default
    To get the tenant OCID:
    1. Log in to OCI.
    2. Go to Governance and Administration > Administration > Tenancy Details.
    3. Click the Tenancy you want to use.
    4. Copy the OCID of this Tenancy.

compartment-ocid <string>
    Default: No default
    To get the compartment OCID:
    1. Log in to OCI.
    2. Go to Governance and Administration > Identity > Compartments.
    3. Click the compartment that your load balancer is located in.
    4. Copy the OCID of this compartment.
    Note: If you don't have a compartment, you can leave this option empty.

private-key <userdef>
    Default: No default
    Upload the private key file (oci_api.key) that you generated in the OCI Connector
    settings above.


To apply the external connector, you need to select it in the server pool configurations so that FortiWeb can use the
connector to automatically retrieve the IP addresses of the back-end servers deployed on AWS or Azure.
Here is an example:
config server-policy server-pool
  edit pool
    config pserver-list
      edit 1
        set server-type sdn-connector
        set sdn-addr-type public
        set sdn aws
        set filter InstanceId=i-04d15747127e4f8fe
      next
    end
  next
end

Related topics

• server-policy server-pool

system settings

Use this command to configure the operation mode and gateway of the FortiWeb appliance.
You will usually set the operation mode once, during installation. Exceptions include if you install the FortiWeb appliance
in Offline Protection mode for evaluation purposes, before deciding to switch to another mode for more feature support in
a permanent deployment.

Back up your configuration before changing the operation mode. Changing modes
deletes any policies not applicable to the new mode, TCP SYN flood protection
settings, all static routes, all V-zone (bridge) IPs, and all VLANs. You must re-cable
your network topology to suit the operation mode, unless you are switching between
the two transparent modes, which have similar network topology requirements.

The physical topology must match the operation mode. You may need to re-cable your deployment after changing this
setting. For details, see the FortiWeb Installation Guide.
There are four operation modes:
• Reverse proxy—Requests are destined for a virtual server's network interface and IP address on the FortiWeb
  appliance. The FortiWeb appliance applies the first applicable policy, then forwards permitted traffic to a real web
  server. The FortiWeb appliance logs, blocks, or modifies violations according to the matching policy and its
  protection profile. Most features are supported.
• Offline Protection—Requests are destined for a real web server instead of the FortiWeb appliance; traffic is
  duplicated to the FortiWeb through a span port. The FortiWeb appliance monitors traffic received on the virtual
  server's network interface (regardless of the IP address) and applies the first applicable policy. Because it is not
  inline with the destination, it does not forward permitted traffic. The FortiWeb appliance logs or blocks violations
  according to the matching policy and its protection profile. If FortiWeb detects a malicious request, it sends a TCP
  RST (reset) packet to the web server and client to attempt to terminate the connection. It does not otherwise modify
  traffic. (It cannot, for example, apply SSL, load-balance connections, or support user authentication.)
  Unlike in Reverse Proxy mode or True Transparent Proxy mode, actions other than Alert cannot be guaranteed to
  be successful in Offline Protection mode. The FortiWeb appliance will attempt to block traffic that violates the policy
  by mimicking the client or server and requesting to reset the connection. However, the client or server may receive
  the reset request after it receives the other traffic due to possible differences in routing paths.
  Most organizations do not permanently deploy their FortiWeb appliances in Offline Protection mode. Instead, they
  will use Offline Protection as a way to learn about their web servers' protection requirements and to form some of
  the appropriate configuration during a transition period, after which they will switch to one of the operation modes
  that places the appliance inline between all clients and all web servers.
  Switching out of Offline Protection mode when you are done with the transition can prevent bypass problems that
  can arise as a result of misconfigured routing. It also offers you the ability to use some protection features that
  cannot be supported in a span port topology used with offline detection.
• True transparent proxy—Requests are destined for a real web server instead of the FortiWeb appliance. The
  FortiWeb appliance transparently proxies the traffic arriving on a network port that belongs to a Layer 2 bridge,
  applies the first applicable policy, and lets permitted traffic pass through. The FortiWeb appliance logs, blocks, or
  modifies violations according to the matching policy and its protection profile. No changes to the IP address
  scheme of the network are required. This mode supports user authentication via HTTP but not HTTPS.
• Transparent Inspection—Requests are destined for a real web server instead of the FortiWeb appliance. The
  FortiWeb appliance asynchronously inspects traffic arriving on a network port that belongs to a Layer 2 bridge,
  applies the first applicable policy, and lets permitted traffic pass through. The FortiWeb appliance logs or blocks
  traffic according to the matching policy and its protection profile, but does not otherwise modify it. (It cannot, for
  example, apply SSL, load-balance connections, or support user authentication.)

Unlike in Reverse Proxy mode or True Transparent Proxy mode, actions other than
Alert cannot be guaranteed to be successful in Transparent Inspection mode. The
FortiWeb appliance will attempt to block traffic that violates the policy. However, due
to the nature of asynchronous inspection, the client or server may have already
received the traffic that violated the policy.

The default operation mode is Reverse Proxy.


Feature support varies by operation mode. For details, see the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
You can use SNMP traps to notify you if the operation mode changes. For details, see system snmp community on page
339.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system settings
  set opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}
  set gateway "<router_ipv4>"
  set stop-guimonitor {enable | disable}
  set enable-cache-flush {enable | disable}
  set enable-debug-log {enable | disable}
  set enable-machine-learning-debug {enable | disable}
  set enable-file-upload {enable | disable}
end

opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}
    Default: reverse-proxy
    Select the operation mode of the FortiWeb appliance.
    If you have not yet adjusted the physical topology to suit the new operation mode,
    see the FortiWeb Administration Guide:
    https://docs.fortinet.com/fortiweb/admin-guides
    You may also need to reconfigure IP addresses, VLANs, static routes, bridges,
    policies, TCP SYN flood prevention, and virtual servers, and on your web servers,
    enable or disable SSL.
    Note: If you select offline-protection, you can configure the port from which TCP
    RST (reset) commands are sent to block traffic that violates a policy. For details,
    see block-port <port_int> on page 143.

gateway "<router_ipv4>"
    Default: none
    Type the IPv4 address of the default gateway.
    This setting is visible only if opmode {offline-protection | reverse-proxy |
    transparent | transparent-inspection | wccp} on page 338 is either True Transparent
    Proxy, Transparent Inspection, or WCCP.
    FortiWeb will use the gateway setting to create a corresponding static route under
    router static with the first available index number. Packets will egress through
    port1 or mgmt1, the hard-coded management network interface for the transparent
    operation modes.

stop-guimonitor {enable | disable}
    Default: enable
    Enable to configure FortiWeb to stop checking whether the process that generates
    the web UI (httpsd) is defunct.
    In some cases, a process that has completed execution can still have an entry in
    the process table, which can create a resource leak.
    When this setting is disabled, FortiWeb checks the process and stops and reloads
    the web UI if it determines that the process is defunct.

enable-cache-flush {enable | disable}
    Default: enable
    Enable to configure FortiWeb to clear its cache memory every 45 minutes and
    generate an event log message for the action.

enable-debug-log {enable | disable}
    Default: enable
    Enable so that FortiWeb will record crash, daemon, kernel, netstat, and core dump
    logs.

enable-machine-learning-debug {enable | disable}
    Default: enable
    Enable so that FortiWeb will record machine learning debug logs.

FortiWeb CLI Reference Fortinet Technologies Inc.


config 339

Variable Description Default

enable-file-upload {enable | Enable to upload the debugging file. disable


disable}

Related topics

- server-policy policy on page 140
- server-policy vserver on page 199

system snmp community

Use this command to configure the FortiWeb appliance’s SNMP agent to belong to an SNMP version 1 or 2c community,
and to select which events cause the FortiWeb appliance to generate SNMP traps.
To configure the SNMP agent as a member of an SNMP version 3 community, see system snmp user on page 345.
The FortiWeb appliance’s simple network management protocol (SNMP) agent allows queries for system information and
can send traps (alarms or event messages) to the computer that you designate as its SNMP manager. In this way you
can use an SNMP manager to monitor the FortiWeb appliance. You can add the IP addresses of up to eight SNMP
managers to each community, which designate the destination of traps and which IP addresses are permitted to query
the FortiWeb appliance.
An SNMP community is a grouping of equipment for network administration purposes. You must configure your
FortiWeb appliance to belong to at least one SNMP community so that community’s SNMP managers can query the
FortiWeb appliance’s system information and receive SNMP traps from the FortiWeb appliance.
You can add up to three SNMP communities. Each community can have a different configuration for queries and traps,
and the set of events which trigger a trap. Use SNMP traps to notify the SNMP manager of a wide variety of types of
events. Event types range from basic system events, such as high usage of resources, to when an attack type is
detected or a specific rule is enforced by a policy.
Before you can use SNMP, you must activate the FortiWeb appliance’s SNMP agent and add it as a member of at least
one community. For details, see system snmp sysinfo on page 343. You must also enable SNMP access on the network
interface through which the SNMP manager will connect. For details, see system interface on page 312.
On the SNMP manager, you must also verify that the SNMP manager is a member of the community to which the
FortiWeb appliance belongs, and compile the necessary Fortinet proprietary management information blocks (MIBs)
and Fortinet-supported standard MIBs. For information on MIBs, see the FortiWeb Administration Guide:
HTTPs://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system snmp community
  edit <community_index>
    set status {enable | disable}
    set name "<community_str>"
    set events {cpu-high | intf-ip | log-full | mem-low | netlink-down-status |
      netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-cluster-status-change |
      sys-ha-member-join | sys-ha-member-leave | sys-mode-change | waf-amethod-attack |
      waf-hidden-fields | waf-pvalid-attack | waf-signature-detection | waf-url-access-attack |
      power-supply-failure}
    set query-v1-port <port_int>
    set query-v1-status {enable | disable}
    set query-v2c-port <port_int>
    set query-v2c-status {enable | disable}
    set trap-v1-lport <port_int>
    set trap-v1-rport <port_int>
    set trap-v1-status {enable | disable}
    set trap-v2c-lport <port_int>
    set trap-v2c-rport <port_int>
    set trap-v2c-status {enable | disable}
    config hosts
      edit <snmp-manager_index>
        set ip {"<manager_ipv4>" | "<manager_ipv6>"}
      next
    end
  next
end

Variable / Description / Default

<community_index>
    Enter the index number of a community to which the FortiWeb appliance belongs. The valid range is
    1–9,999,999,999,999,999,999.
    Default: No default.

status {enable | disable}
    Enable to activate the community.
    This setting takes effect only if the SNMP agent is enabled. For details, see system snmp sysinfo on page 343.
    Default: disable

name "<community_str>"
    Enter the name of the SNMP community to which the FortiWeb appliance and at least one SNMP manager belongs.
    The maximum length is 63 characters.
    The FortiWeb appliance will not respond to SNMP managers whose query packets do not contain a matching community
    name. Similarly, trap packets from the FortiWeb appliance will include the community name, and an SNMP manager
    may not accept the trap if its community name does not match.
    Default: No default.

events {cpu-high | intf-ip | log-full | mem-low | netlink-down-status | netlink-up-status | policy-start |
policy-stop | pserver-failed | sys-ha-cluster-status-change | sys-ha-member-join | sys-ha-member-leave |
sys-mode-change | waf-amethod-attack | waf-hidden-fields | waf-pvalid-attack | waf-signature-detection |
waf-url-access-attack | power-supply-failure}
    Enter one or more of the following SNMP event names in order to cause the FortiWeb appliance to send traps when
    those events occur. Traps will be sent to the SNMP managers in this community. Also enable traps.
    - cpu-high—CPU usage has exceeded 80%.
    - intf-ip—A network interface’s IP address has changed. For details, see system interface on page 312.
    - log-full—Local log disk space usage has exceeded 80%. If the space is consumed and a new log message is
      triggered, the FortiWeb appliance will either drop it or overwrite the oldest log message, depending on your
      configuration. For details, see log disk on page 66.
    - mem-low—Memory (RAM) usage has exceeded 80%.
    - netlink-down-status—A network interface has been brought down (disabled). This could be due to either an
      administrator changing the network interface’s settings, or due to HA executing a failover.
    - netlink-up-status—A network interface has been brought up (enabled). This could be due to either an
      administrator changing the network interface’s settings, or due to HA executing a failover.
    - policy-start—A policy was enabled. For details, see server-policy policy on page 140.
    - policy-stop—A policy was disabled. For details, see server-policy policy on page 140.
    - pserver-failed—A server health check has determined that a physical server that is a member of a server
      farm is now unavailable. For details, see server-policy policy on page 140.
    - sys-ha-cluster-status-change—HA cluster status was changed.
    - sys-ha-member-join—HA member has joined.
    - sys-ha-member-leave—HA member has left.
    - sys-mode-change—The operation mode was changed. See system settings on page 336.
    - waf-amethod-attack—FortiWeb enforced an allowed methods restriction. For details, see waf
      web-protection-profile inline-protection on page 636, waf web-protection-profile offline-protection on
      page 645, and waf allow-method-exceptions on page 384.
    - waf-hidden-fields—FortiWeb detected a hidden fields attack.
    - waf-pvalid-attack—FortiWeb enforced an input/parameter validation rule. For details, see waf
      parameter-validation-rule on page 553.
    - waf-signature-detection—FortiWeb enforced a signature rule. For details, see waf signature on page 555.
    - waf-url-access-attack—FortiWeb enforced a URL access rule. See waf url-access url-access-rule on page 610.
    - power-supply-failure—FortiWeb detected a power supply failure. It is only available for 2000E, 3000E, 3010E,
      and 4000E.
    Default: No default.

query-v1-port <port_int>
    Enter the port number on which the FortiWeb appliance will listen for SNMP v1 queries from the SNMP managers of
    the community. The valid range is 1–65,535.
    Default: 161

query-v1-status {enable | disable}
    Enable to respond to queries using the SNMP v1 version of the SNMP protocol.
    Default: enable

query-v2c-port <port_int>
    Enter the port number on which the FortiWeb appliance will listen for SNMP v2c queries from the SNMP managers
    of the community. The valid range is 1–65,535.
    Default: 161

query-v2c-status {enable | disable}
    Enable to respond to queries using the SNMP v2c version of the SNMP protocol.
    Default: enable

trap-v1-lport <port_int>
    Enter the port number that will be the source (also called local) port number for SNMP v1 trap packets. The
    valid range is 1–65,535.
    Default: 162

trap-v1-rport <port_int>
    Enter the port number that will be the destination (also called remote) port number for SNMP v1 trap packets.
    The valid range is 1–65,535.
    Default: 162

trap-v1-status {enable | disable}
    Enable to send traps using the SNMP v1 version of the SNMP protocol.
    Default: enable

trap-v2c-lport <port_int>
    Enter the port number that will be the source (also called local) port number for SNMP v2c trap packets. The
    valid range is 1–65,535.
    Default: 162

trap-v2c-rport <port_int>
    Enter the port number that will be the destination (also called remote) port number for SNMP v2c trap packets.
    The valid range is 1–65,535.
    Default: 162

trap-v2c-status {enable | disable}
    Enable to send traps using the SNMP v2c version of the SNMP protocol.
    Default: enable

<snmp-manager_index>
    Enter the index number of an SNMP manager for the community. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

ip {"<manager_ipv4>" | "<manager_ipv6>"}
    Enter the IP address of the SNMP manager that, if traps and/or queries are enabled in this community:
    - Will receive traps from the FortiWeb appliance
    - Will be permitted to query the FortiWeb appliance
    SNMP managers have read-only access.
    To allow any IP address using this SNMP community name to query the FortiWeb appliance, enter 0.0.0.0.
    Note: Entering 0.0.0.0 effectively disables traps if there are no other host IP entries, because there is no
    specific destination for trap packets. If you do not want to disable traps, you must add at least one other
    entry that specifies the IP address of an SNMP manager.
    Default: No default.

Example

For an example, see system snmp sysinfo on page 343.

Related topics

- system snmp sysinfo on page 343
- system interface on page 312
- server-policy policy on page 140

system snmp sysinfo

Use this command to enable and configure basic information for the FortiWeb appliance’s SNMP agent.
Before you can use SNMP, you must activate the FortiWeb appliance’s SNMP agent and add it as a member of at least
one community. For details, see system snmp community on page 339. You must also enable SNMP access on the
network interface through which the SNMP manager will connect. For details, see system interface on page 312.
On the SNMP manager, you must also verify that the SNMP manager is a member of the community to which the
FortiWeb appliance belongs, and compile the necessary Fortinet proprietary management information blocks (MIBs)
and Fortinet-supported standard MIBs. For information on MIBs, see the FortiWeb Administration Guide:
HTTPs://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system snmp sysinfo
  set contact-info "<contact_str>"
  set description "<description_str>"
  set location "<location_str>"
  set status {enable | disable}
  set engine-id "<engine-id_str>"
end

Variable / Description / Default

contact-info "<contact_str>"
    Type the contact information for the administrator or other person responsible for this FortiWeb appliance,
    such as a phone number or name. The contact information can contain only letters (a-z, A-Z), numbers,
    hyphens ( - ) and underscores ( _ ). The maximum length is 63 characters.
    Default: No default.

description "<description_str>"
    Type a description of the FortiWeb appliance. The string can contain only letters (a-z, A-Z), numbers,
    hyphens ( - ) and underscores ( _ ). The maximum length is 63 characters.
    Default: No default.

location "<location_str>"
    Type the physical location of the FortiWeb appliance. The string can contain only letters (a-z, A-Z), numbers,
    hyphens ( - ) and underscores ( _ ). The maximum length is 63 characters.
    Default: No default.

status {enable | disable}
    Enable to activate the SNMP agent, enabling the FortiWeb appliance to send traps and/or receive queries for the
    communities in which you have enabled queries and/or traps.
    This setting enables queries only if SNMP administrative access is enabled on one or more network interfaces.
    For details, see system interface on page 312.
    Default: disable

engine-id "<engine-id_str>"
    Enter the SNMP engineID string. The maximum is 24 characters.
    Default: No default.

Example

This example enables the SNMP agent and configures it to belong to a community named public whose SNMP manager is
192.0.2.20. The SNMP manager is not directly attached, but can be reached through the network interface named
port3.
This example also configures the SNMP agent to send traps using SNMP v2c for high CPU or memory usage, and when
the primary appliance fails; it also enables responses to SNMP v2c queries through the network interface named port3
(along with the previously enabled administrative access protocols, ICMP ping, HTTPS, and SSH).
config system snmp sysinfo
  set contact-info "admin_example_com"
  set description "FortiWeb-1000E"
  set location "Rack_2"
  set status enable
  set engine-id 246
end

config system snmp community
  edit 1
    set status enable
    set name public
    set events cpu-high
    set query-v1-status disable
    set query-v2c-port 161
    set query-v2c-status enable
    set trap-v1-status disable
    set trap-v2c-lport 162
    set trap-v2c-rport 162
    set trap-v2c-status enable
    config hosts
      edit 1
        set interface port3
        set ip 192.0.2.20
      next
    end
  next
end

config system interface
  edit port3
    set allowaccess ping HTTPs ssh snmp
  next
end

Related topics

- system snmp community on page 339
- system interface on page 312
- router static on page 98

system snmp user

Use this command to configure the FortiWeb appliance’s SNMP agent to belong to an SNMP version 3 community, and
to select which events cause the FortiWeb appliance to generate SNMP traps.
To configure the SNMP agent as a member of an SNMP version 1 or 2c community, and for more information on the SNMP
agent, see system snmp community on page 339.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config system snmp user
  edit "<user_str>"
    set status {enable | disable}
    set security-level {noauthnopriv | authnopriv | authpriv}
    set auth-proto {sha1 | md5}
    set auth-pwd "<auth-password_str>"
    set priv-proto {aes | des}
    set priv-pwd "<priv-password_str>"
    set query-status {enable | disable}
    set query-port <port_int>
    set trap-status {enable | disable}
    set trapport-local <port_int>
    set trapport-remote <port_int>
    set events {cpu-high | intf-ip | log-full | mem-low | netlink-down-status |
      netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-cluster-status-change |
      sys-ha-member-join | sys-ha-member-leave | sys-mode-change | waf-amethod-attack |
      waf-hidden-fields | waf-pvalid-attack | waf-signature-detection | waf-url-access-attack |
      power-supply-failure}
    config hosts
      edit "<snmp-manager_index>"
        set ip {"<manager_ipv4>" | "<manager_ipv6>"}
      next
    end
  next
end

Variable / Description / Default

"<user_str>"
    Enter the name of the SNMP user to which the FortiWeb appliance and at least one SNMP manager belongs. The
    maximum length is 63 characters.
    The FortiWeb appliance does not respond to SNMP managers whose query packets do not contain a matching
    community name. Similarly, trap packets from the FortiWeb appliance include the community name, and an SNMP
    manager may not accept the trap if its community name does not match.
    Default: No default.

status {enable | disable}
    Enable to activate the community.
    This setting takes effect only if the SNMP agent is enabled. For details, see system snmp sysinfo on page 343.
    Default: disable

security-level {noauthnopriv | authnopriv | authpriv}
    Enter the security level.
    - noauthnopriv—No additional authentication or encryption compared to SNMP v1 and v2.
    - authnopriv—The SNMP manager needs to provide the password specified in this community configuration. Also
      specify auth-proto and auth-pwd.
    - authpriv—Adds both authentication and encryption. Also specify auth-proto, auth-pwd, priv-proto, and
      priv-pwd. Ensure that the SNMP manager and FortiWeb use the same protocols and passwords.
    Default: No default.

auth-proto {sha1 | md5}
    If the security-level option includes authentication, specify the authentication protocol.
    Default: sha1

auth-pwd "<auth-password_str>"
    If the security-level option includes authentication, specify the authentication password.
    Default: No default.

priv-proto {aes | des}
    If the security-level option is authpriv, specify the encryption protocol.
    Default: aes

priv-pwd "<priv-password_str>"
    If the security-level option is authpriv, specify the encryption password.
    Default: No default.

query-status {enable | disable}
    Enable to respond to queries using the SNMP v3 version of the SNMP protocol.
    Default: enable

query-port <port_int>
    Enter the port number on which the FortiWeb appliance listens for SNMP v3 queries from the SNMP managers of the
    community. The valid range is 1–65,535.
    Default: 161

trap-status {enable | disable}
    Enable to send traps using the SNMP v3 version of the SNMP protocol.
    Default: enable

trapport-local <port_int>
    Enter the port number that is the source (also called local) port number for SNMP v3 trap packets. The valid
    range is 1–65,535.
    Default: 162

trapport-remote <port_int>
    Enter the port number that is the destination (also called remote) port number for SNMP v3 trap packets. The
    valid range is 1–65,535.
    Default: 162

events {cpu-high | intf-ip | log-full | mem-low | netlink-down-status | netlink-up-status | policy-start |
policy-stop | pserver-failed | sys-ha-cluster-status-change | sys-ha-member-join | sys-ha-member-leave |
sys-mode-change | waf-amethod-attack | waf-hidden-fields | waf-pvalid-attack | waf-signature-detection |
waf-url-access-attack | power-supply-failure}
    Enter the name of one or more of the SNMP events. When FortiWeb detects the specified events, it sends traps
    to the SNMP managers in this community. Also enable trap-status.
    - cpu-high—CPU usage has exceeded 80%.
    - intf-ip—A network interface’s IP address has changed. See system interface on page 312.
    - log-full—Local log disk space usage has exceeded 80%. If the space is consumed and a new log message is
      triggered, the FortiWeb appliance will either drop it or overwrite the oldest log message, depending on your
      configuration. For details, see log disk on page 66.
    - mem-low—Memory (RAM) usage has exceeded 80%.
    - netlink-down-status—A network interface has been brought down (disabled). This could be due to either an
      administrator changing the network interface’s settings, or due to HA executing a failover.
    - netlink-up-status—A network interface has been brought up (enabled). This could be due to either an
      administrator changing the network interface’s settings, or due to HA executing a failover.
    - policy-start—A policy was enabled. For details, see server-policy policy on page 140.
    - policy-stop—A policy was disabled. For details, see server-policy policy on page 140.
    - pserver-failed—A server health check has determined that a physical server that is a member of a server
      farm is now unavailable. For details, see server-policy policy on page 140.
    - sys-ha-cluster-status-change—HA cluster status was changed.
    - sys-ha-member-join—HA member has joined.
    - sys-ha-member-leave—HA member has left.
    - sys-mode-change—The operation mode was changed. For details, see system settings on page 336.
    - waf-amethod-attack—FortiWeb enforced an allowed methods restriction. For details, see waf
      web-protection-profile inline-protection on page 636, waf web-protection-profile offline-protection on
      page 645, and waf allow-method-exceptions on page 384.
    - waf-hidden-fields—FortiWeb detected a hidden fields attack.
    - waf-pvalid-attack—FortiWeb enforced an input/parameter validation rule. For details, see waf
      parameter-validation-rule on page 553.
    - waf-signature-detection—FortiWeb enforced a signature rule. For details, see waf signature on page 555.
    - waf-url-access-attack—FortiWeb enforced a URL access rule. For details, see waf url-access url-access-rule
      on page 610.
    - power-supply-failure—FortiWeb detected a power supply failure. It is only available for 2000E, 3000E, 3010E,
      and 4000E.
    Default: No default.

"<snmp-manager_index>"
    Enter the index number of an SNMP manager for the community. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

ip {"<manager_ipv4>" | "<manager_ipv6>"}
    Enter the IP address of the SNMP manager that can do the following when you enable traps, queries, or both in
    this community:
    - Receive traps from the FortiWeb appliance
    - Query the FortiWeb appliance
    SNMP managers have read-only access.
    To allow any IP address using this SNMP community name to query the FortiWeb appliance, enter 0.0.0.0 or ::.
    Note: Entering 0.0.0.0 or :: effectively disables traps if there are no other host IP entries, because there
    is no specific destination for trap packets. If you do not want to disable traps, add at least one other entry
    that specifies the IP address of an SNMP manager.
    Default: No default.

Example

For an example, see system snmp sysinfo on page 343.
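The security-level, auth-proto, auth-pwd, priv-proto, priv-pwd and engine-id settings above map onto the RFC 3414 key derivation that both FortiWeb and the SNMP manager must perform: the keys that authenticate and encrypt every v3 query and trap come from the password and the agent's engineID together. The following Python is an added illustration, not FortiWeb code; the RFC 3414 test vector is real, while the sample passwords, the engine_id_from_fortiweb_string helper and its assumption that the CLI engine-id string is used as raw ASCII octets are constructed for this example.

```python
"""SNMPv3 key localization (RFC 3414, section A.2) for the values set under
``config system snmp user`` (security-level, auth-proto, auth-pwd, priv-proto,
priv-pwd) and the engine-id set under ``config system snmp sysinfo``.

Added illustration, not FortiWeb code.  It shows why the manager must know
FortiWeb's engineID: with the same password but a different engineID the
localized key differs and every authenticated query or trap fails.
"""
import hashlib

# the two auth-proto values the CLI offers, mapped to hashlib names
_DIGEST = {"md5": "md5", "sha1": "sha1"}
_ONE_MIB = 1024 * 1024


def password_to_ku(password: str, auth_proto: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to exactly 1 MiB."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(_ONE_MIB, len(pw))
    h = hashlib.new(_DIGEST[auth_proto])
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize(ku: bytes, engine_id: bytes, auth_proto: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the key agent and manager actually share."""
    return hashlib.new(_DIGEST[auth_proto], ku + engine_id + ku).digest()


def snmp_user_keys(security_level, auth_proto, auth_pwd, priv_proto, priv_pwd, engine_id):
    """Return the localized keys a manager needs for one FortiWeb SNMP user.

    Mirrors the security-level table: noauthnopriv derives nothing,
    authnopriv needs auth-proto and auth-pwd, authpriv additionally needs
    priv-proto and priv-pwd.  DES and AES (AES-128) both take a 16-byte key
    cut from a localized key derived with the *auth* hash (RFC 3414 section
    8.2.1, RFC 3826 section 3.1.2.1).
    """
    keys = {}
    if security_level == "noauthnopriv":
        return keys
    if security_level not in ("authnopriv", "authpriv"):
        raise ValueError(f"unknown security-level {security_level!r}")
    keys["auth"] = localize(password_to_ku(auth_pwd, auth_proto), engine_id, auth_proto)
    if security_level == "authpriv":
        if priv_proto not in ("aes", "des"):
            raise ValueError(f"unknown priv-proto {priv_proto!r}")
        full = localize(password_to_ku(priv_pwd, auth_proto), engine_id, auth_proto)
        keys["priv"] = full[:16]
    return keys


def engine_id_from_fortiweb_string(engine_id_str: str) -> bytes:
    """Hypothetical mapping of the CLI engine-id string to engineID octets.

    The page only says the string is at most 24 characters; how the
    appliance encodes it on the wire is not stated, so this helper assumes
    plain ASCII bytes.  Read the real snmpEngineID from the agent before
    trusting keys derived this way.
    """
    if len(engine_id_str) > 24:
        raise ValueError("engine-id longer than the 24-character maximum")
    return engine_id_str.encode("ascii")


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password "maplesyrup", engineID 00..00 02
    rfc_engine_id = bytes(11) + b"\x02"
    print(localize(password_to_ku("maplesyrup", "md5"), rfc_engine_id, "md5").hex())
    # constructed FortiWeb-style values: an authpriv user with sha1/aes
    derived = snmp_user_keys("authpriv", "sha1", "auth-secret-example", "aes",
                             "priv-secret-example", engine_id_from_fortiweb_string("246"))
    print({name: key.hex() for name, key in derived.items()})
```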

Related topics

- system snmp sysinfo on page 343
- system interface on page 312
- server-policy policy on page 140

system sso-admin

With Single Sign-On Mode enabled, users will be redirected to FortiGate's Single Sign-On Provider page when they click
Single Sign-On on FortiWeb's login page. They will be required to log in with FortiGate's administrator account.
Use this command to create a SSO admin account and grant permissions for this account.
For how to configure SSO with FortiGate, see Fabric Connector: Single Sign On with FortiGate.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
admingrp area. For details, see Permissions on page 46.

Syntax
config system sso-admin
  edit <name>
    set access-profile <profile_name>
    set domains <adom_name>
  next
end

Variable / Description / Default

<name>
    Enter a name of the administrator account, such as admin1 or admin@example.com, that can be referenced in
    other parts of the configuration.
    Do not use spaces or special characters except the ‘at’ symbol ( @ ). The maximum length is 63 characters.
    To display the list of existing accounts, enter:
    edit ?
    Note: This is the user name that the administrator must provide when logging in to the CLI or web UI.
    Default: No default

access-profile <profile_name>
    Enter the name of an access profile that gives the permissions for this administrator account. See also
    system accprofile on page 204. The maximum length is 63 characters.
    You can select prof_admin, a special access profile used by the admin administrator account. However,
    selecting this access profile will not confer all of the same permissions of the admin administrator. For
    example, the new administrator would not be able to reset lost administrator passwords.
    To display the list of existing profiles, enter:
    edit ?
    Default: No default

domains <adom_name>
    Enter the name of an administrative domain (ADOM) to assign this administrative account to and restrict it to.
    Default: root

Related topics

- system admin

system tcpdump

Use this command to configure packet capture.
To use this command, your administrator account’s access control profile must have rw permission to the netgrp area.
For details, see Permissions on page 46.

Syntax
config system tcpdump
  edit file id
    set "<filter_str>"
    set {any | "<interface_str>"}
    set "<max-packet-count_int>"
  end

FortiWeb CLI Reference Fortinet Technologies Inc.


config 351

Variable / Description / Default

file id
    Enter the packet capture file ID.
    Default: No default

"<filter_str>"
    Specify which protocols and port numbers you do or do not want to capture, such as
    'tcp and port 80 and host IP1 and ( IP2 or IP3 )', or leave this field blank for no filter.
    Use the same filter expression syntax as tcpdump; for details, see the tcpdump man page
    (HTTP://www.tcpdump.org/manpages/tcpdump.1.html).
    Default: No default.

{any | "<interface_str>"}
    Select the network interface on which you want to capture packets, such as port1, or any for all interfaces.
    Default: any

"<max-packet-count_int>"
    Specify the maximum number of packets you want to capture. Capture stops automatically when the total number
    of captured packets reaches this count.
    Default: 4000

Related topics

- debug on page 682

system vip

Virtual IP addresses are the IP addresses that are paired with the domain name of your application. When users visit
your application, their requests are sent to these IP addresses.
You can later attach one or more virtual IP addresses to a virtual server, and then reference the virtual server in a
server policy. The web protection profile in the server policy is applied to all the virtual IPs attached to that
virtual server.
Only global administrators can create, edit, and delete VIPs.

Syntax
config system vip
  edit <vip_name>
    set vip <ip&netmask>
    set vip6 <ip&netmask>
    set interface <interface_name>
    set index <the_index_number>
    set domains <adom_name>
  next
end

FortiWeb CLI Reference Fortinet Technologies Inc.


config 352

Variable / Description / Default

<vip_name>
    Enter a unique name that can be referenced by other parts of the configuration. The maximum length is 63
    characters.
    Default: No default

vip <ip&netmask>
    Enter the IPv4 address and subnet of the virtual IP.
    If the FortiWeb appliance is operating in Offline Protection mode or either of the transparent modes, you can
    specify any IP address except the address of the web server, because FortiWeb ignores this IP address when it
    determines whether or not to apply a server policy to the connection.
    The virtual IP address cannot be the same as the IP address of any of the interfaces.
    Default: 0.0.0.0/0

vip6 <ip&netmask>
    Enter the IPv6 address and subnet of the virtual IP.
    If the FortiWeb appliance is operating in Offline Protection mode or either of the transparent modes, you can
    specify any IP address except the address of the web server, because FortiWeb ignores this IP address when it
    determines whether or not to apply a server policy to the connection.
    The virtual IP address cannot be the same as the IP address of any of the interfaces.
    Default: ::/0

interface <interface_name>
    Enter the name of the network interface or bridge the virtual IP is bound to and where traffic destined for the
    virtual IP arrives.
    Default: port1

index <the_index_number>
    Enter the index number for this VIP.
    Default: No default

domains <adom_name>
    Enter the ADOM you want to create this virtual IP in.
    Default: No default

system v-zone

Use this command to configure bridged network interfaces, also called v-zones.
Bridges allow network connections to travel through the FortiWeb appliance’s physical network ports without explicitly
connecting to one of its IP addresses.

For FortiWeb-VM, you must create vSwitches before you can configure a bridge.
For details, see the FortiWeb-VM Install Guide:
HTTPs://docs.fortinet.com/fortiweb/hardware

To use this command, your administrator account’s access control profile must have either w or rw permission to the
netgrp area. For details, see Permissions on page 46.

FortiWeb CLI Reference Fortinet Technologies Inc.


config 353

Syntax
config system v-zone
  edit "<bridge_name>"
    set interfaces {"<interface_name>" "<interface_name>" ...}
    set monitor {enable | disable}
    set mtu <mtu_int>
    set use-interface-macs {"<interface_name>" "<interface_name>" ...}
    set multicast-snooping {enable | disable}
  next
end

Variable / Description / Default

"<bridge_name>"
    Type the name of the bridge. The maximum length is 15 characters.
    To display the list of existing bridges, type:
    edit ?
    Default: No default.

interfaces {"<interface_name>" "<interface_name>" ...}
    Type the names of two or more network interfaces that currently have no IP address of their own, nor are
    members of another bridge, and therefore could be members of this bridge. Separate each name with a space.
    The maximum length is 63 characters.
    Default: No default.

mtu <mtu_int>
    Enter the maximum transmission unit (MTU) that the bridge supports.
    When you specify the MTU for a bridge, FortiWeb automatically sets the MTU for the v-zone members to the same
    value.
    Valid values are 512–9216 (for IPv4) or 1280–9216 (for IPv6).
    Default: 1500

multicast-snooping {enable | disable}
    Enable/disable multicast snooping.
    Default: No default

monitor {enable | disable}
    Specifies whether FortiWeb automatically brings down all members of this v-zone if one member goes down.
    Default: disable

use-interface-macs {"<interface_name>" "<interface_name>" ...}
    Enter the names of network interfaces that are members of the bridge and send and transmit traffic using the
    MAC address of their corresponding FortiWeb network interface.
    When the operation mode is True Transparent Proxy, by default, traffic to the back-end servers preserves the
    MAC address of the source. If you are using FortiWeb with front-end load balancers that are in a high
    availability cluster that uses multiple bridges, this mechanism can cause switching problems on failover. When
    the v-zone uses the MAC address of the FortiWeb network interface instead, a failover does not interrupt the
    flow of traffic.
    Available only when the operation mode is True Transparent Proxy.
    Default: No default.

Example

This example configures a true bridge between port3 and port4. The bridge has no virtual network interface, and so it
cannot respond to pings.
config system v-zone
  edit bridge1
    set interfaces port3 port4
  next
end

Related topics

- system interface on page 312
- system settings on page 336

system wccp

Use this command to configure FortiWeb as a Web Cache Communication Protocol (WCCP) client. This configuration allows a FortiGate configured as a WCCP server to redirect HTTP and HTTPS traffic to FortiWeb for inspection.
If your WCCP configuration includes multiple WCCP clients, the WCCP server can balance the traffic load among the clients. In addition, it detects when a client fails and redirects sessions to clients that are still available.
WCCP was originally designed to provide web caching with load balancing and fault tolerance and is described by the Web Cache Communication Protocol Internet draft.
This feature requires the operation mode to be WCCP. For details, see system settings on page 336.
For information on connecting and configuring your network devices for WCCP mode, see the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
For detailed information on configuring FortiGate and other Fortinet devices to act as a WCCP service group, see the FortiGate WCCP topic in the FortiGate administration guides:
https://docs.fortinet.com/fortigate/admin-guides

Syntax
config system wccp
    edit service-id <service-id_int>
        set cache-id "<cache-id_ipv4>"
        set router-list "<router-list_ipv4>"
        set group-address "<group-address_ipv4>"
        set authentication {enable | disable}
        set password "<passwd_str>"
        set cache-engine-method {GRE | L2}
        set ports <ports_int>
        set primary-hash {src-ip | dst-ip | src-port | dst-port}
        set priority <priority_int>
        set protocol <protocol_int>
        set assignment-weight <assignment-weight_int>
        set assignment-bucket-format {cisco-implementation | wccp-v2}
        set return-to-sender {enable | disable}
    next
end

service-id <service-id_int>
    Enter the service ID of the WCCP service group that this WCCP client belongs to.
    For HTTP traffic, the service ID is 0.
    For other types of traffic (for example, HTTPS), the valid range is 51–256. Do not use 1–50, which are reserved by the WCCP standard.
    Default: 51

cache-id "<cache-id_ipv4>"
    Enter the IP address of the FortiWeb interface that communicates with the WCCP server.
    Ensure that the WCCP protocol is enabled for the specified network interface. For details, see system settings on page 336.
    Default: No default.

router-list "<router-list_ipv4>"
    Enter the IP addresses of the WCCP servers in the WCCP service group.
    You can specify up to 8 servers. To configure more than 8 WCCP servers, use group-address instead.
    Default: No default.

group-address "<group-address_ipv4>"
    Enter the IP addresses of the clients for multicast WCCP configurations.
    The multicast address allows you to configure a WCCP service group with more than 8 WCCP clients.
    The valid range of multicast addresses is 224.0.0.0–239.255.255.255.
    Default: No default.

authentication {enable | disable}
    Specify whether communication between the WCCP server and client is authenticated using the MD5 cryptographic hash function.
    Default: disable

password "<passwd_str>"
    Enter the password used by the WCCP server and clients. All servers and clients in the group use the same password.
    The maximum password length is 8 characters.
    Available only when authentication {enable | disable} on page 355 is enabled.
    Default: No default.

cache-engine-method {GRE | L2}
    Enter how the FortiGate unit transmits traffic to FortiWeb:
    - GRE—The WCCP server encapsulates redirected packets within a generic routing encapsulation (GRE) header. The packets also have a WCCP redirect header.
    - L2—The WCCP server overwrites the original MAC header of the IP packets and replaces it with the MAC header for the WCCP client.
    Default: GRE

ports <ports_int>
    Enter the port numbers of the sessions that this client inspects. The valid range is 0–65535.
    Enter 0 to specify all ports.
    Default: 80

primary-hash {src-ip | dst-ip | src-port | dst-port}
    Enter the hashing scheme that the WCCP server uses in combination with assignment-weight to direct traffic, when the WCCP service group has more than one WCCP client.
    Specify one or more of the following values:
    - src-ip—Source IP address
    - dst-ip—Destination IP address
    - src-port—Source port
    - dst-port—Destination port
    Default: src-ip dst-ip

priority <priority_int>
    Enter a value that specifies the priority that this service group has.
    If more than one service group is available to scan the traffic specified by ports and protocol, the WCCP server transmits all the traffic to the service group with the highest priority value.
    Default: 0

protocol <protocol_int>
    Enter the protocol of the network traffic the WCCP service group transmits. For TCP sessions, enter 6.
    Valid values are 0–256.
    Default: 6

assignment-weight <assignment-weight_int>
    Enter a value that the WCCP server uses in combination with primary-hash to direct traffic, when the WCCP service group has more than one WCCP client. The valid range is 0–256.
    Default: 0

assignment-bucket-format {cisco-implementation | wccp-v2}
    Enter the hash table bucket format for the WCCP cache engine.
    - cisco-implementation—Source IP address
    - wccp-v2—Web Cache Communication Protocol version 2
    Default: cisco-implementation

return-to-sender {enable | disable}
    Specify whether FortiWeb routes traffic back to the client instead of the WCCP server.
    Default: disable

Example

This example configures FortiWeb as a WCCP client that belongs to the WCCP service group 52 and specifies the interface used for WCCP client functionality (192.0.2.100) and the WCCP server (192.0.2.1).
config system wccp
    edit service-id 52
        set cache-id "192.0.2.100"
        set router-list "192.0.2.1"
        set ports 80 443
        set primary-hash src-ip dst-ip
    next
end

Related topics

- system settings on page 336
- system interface on page 312

system certificate xml-server-certificate

Use this command to show the names of the uploaded XML server certificates that are stored locally on the FortiWeb appliance.
The XML server certificate is used for request decryption or response signature.

Syntax
config system certificate xml-server-certificate
    edit "<xml-server-certificate_name>"
        set certificate <certificate_str>
        set private-key <private-key_str>
        set passwd <passwd_str>
    next
end

"<xml-server-certificate_name>"
    Enter the name of an XML server certificate.
    Default: No default.

certificate <certificate_str>
    Set the certificate. Only certificates in PEM format may be set.
    Default: No default.

private-key <private-key_str>
    Set the key file to upload.
    Default: No default.

passwd <passwd_str>
    Type the password that is used to encrypt the file, enabling the FortiWeb appliance to decrypt and install the certificate.
    Default: No default.

Related topics

- waf ws security on page 657

user admin-usergrp

Use this command to configure LDAP/RADIUS/PKI/TACACS+ remote authentication groups that can be used when configuring a FortiWeb administrator account.
Before you can add a remote authentication group, you must first define at least one query for LDAP, RADIUS, or TACACS+ accounts (see user ldap-user on page 361 or "server-policy custom-application application-policy" on page 1), a PKI user (see user pki-user on page 370), or a TACACS+ user (see user tacacs+ user on page 375).
For information about certificate-based Web UI login, see the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions on page 46.

Syntax
config user admin-usergrp
    edit "<group_name>"
        config members
            edit <entry_index>
                set type {ldap | radius | pki | tacacs+}
                set ldap-name "<query_name>"
                set radius-name "<query_name>"
                set pki-name "<pki_name>"
                set tacacs+-name "<tacacs+_name>"
            next
        end
    next
end

"<group_name>"
    Enter the name of the remote authentication group. The maximum length is 63 characters.
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

type {ldap | radius | pki | tacacs+}
    Select the protocol used for the query: LDAP, RADIUS, PKI or TACACS+.
    Default: ldap

ldap-name "<query_name>"
    Enter the name of an existing LDAP account query. The maximum length is 63 characters.
    To display the list of existing queries, enter:
    edit ?
    Default: No default.

radius-name "<query_name>"
    Enter the name of an existing RADIUS account query. The maximum length is 63 characters.
    To display the list of existing queries, enter:
    edit ?
    Default: No default.

pki-name "<pki_name>"
    Enter the name of an existing PKI user. The maximum length is 63 characters.
    To display the list of existing queries, enter:
    edit ?
    Default: No default.

tacacs+-name "<tacacs+_name>"
    Enter the name of an existing TACACS+ user. The maximum length is 63 characters.
    To display the list of existing queries, enter:
    edit ?
    Default: No default.

Example

This example creates a remote authentication group using an existing LDAP user query named LDAP Users 1. Because remote authentication groups use LDAP queries by default, the LDAP query type is not explicitly configured.
config user admin-usergrp
    edit "Admin LDAP"
        config members
            edit 0
                set ldap-name "LDAP Users 1"
            next
        end
    next
end

Related topics

- system admin on page 207
- user ldap-user on page 361
- user pki-user on page 370
- user radius-user on page 371
- "server-policy custom-application application-policy" on page 1
- user tacacs+ user on page 375

user kerberos-user

Use this command to specify a Kerberos Key Distribution Center (KDC) that FortiWeb can use to obtain a Kerberos service ticket for web applications on behalf of clients.
Because FortiWeb determines the KDC to use based on the realm of the web application, you do not have to specify the KDC in the site publish rule.
For details, see waf site-publish-helper rule on page 569 and the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions on page 46.

Syntax
config user kerberos-user
    edit "<kdc_name>"
        set realm "<realm_str>"
        set shortname <shortname_str>
        set status {enable | disable}
        config server-members
            edit "<entry_index>"
                set server <server_str>
                set port <port_int>
            next
        end
    next
end

"<kdc_name>"
    Enter the name of the Key Distribution Center (KDC).
    Default: No default.

realm "<realm_str>"
    Enter the domain of the domain controller (DC) that the Key Distribution Center (KDC) belongs to.
    Default: No default.

shortname <shortname_str>
    Enter the shortname for the realm you specified (optional). A shortname is an alias of the delegated realm; it can be any set of characters except for the symbols "@", "/" and "\". For example, the shortname can be the domain name of the realm without full qualification. Once a shortname is configured, the UPN can take the form username@shortname.
    Default: No default.

status {enable | disable}
    Specify whether the KDC configuration is enabled.
    Default: enable

server <server_str>
    Enter the IP address of the KDC.
    Default: No default.

port <port_int>
    Enter the port the KDC uses to listen for requests.
    Default: No default.

"<entry_index>"
    Enter the index number of the server in the table.
    Default: No default.

Related topics

- waf site-publish-helper rule on page 569
- "waf site-publish-helper keytab_file" on page 1

user ldap-user

Use this command to configure queries that can be used for remote authentication of either FortiWeb administrators or end users via an LDAP server.
To apply LDAP queries to end users, select a query in a user group that is then selected within an authentication rule, which is in turn selected within an authentication policy, which is ultimately selected within an inline protection profile used for web protection. For details, see user user-group on page 376.
To apply LDAP queries to administrators, select a query in an admin group and reference that group in a system administrator configuration. For details, see user admin-usergrp on page 358.
To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions on page 46.

Syntax
config user ldap-user
    edit "<ldap-query_name>"
        set bind-type {anonymous | simple | regular}
        set common-name-id "<cn-attribute_str>"
        set distinguished-name "<search-dn_str>"
        set filter "<query-filter_str>"
        set group_authentication {enable | disable}
        set group_dn "<group-dn_str>"
        set group-type {edirectory | open-ldap | windows-ad}
        set password "<bind-password_str>"
        set port <port_int>
        set protocol {ldaps | starttls}
        set server "<ldap_ipv4_domain>"
        set ssl-connection {enable | disable}
        set ca-cert <ca_name>
        set username "<bind-dn_str>"
    next
end

"<ldap-query_name>"
    Enter the name of the LDAP user query. The maximum length is 63 characters.
    To display the list of existing queries, enter:
    edit ?
    Default: No default.

bind-type {anonymous | simple | regular}
    Select one of the following LDAP query binding styles:
    - simple—Bind using the client-supplied password and a bind DN assembled from the common-name-id "<cn-attribute_str>" on page 362, distinguished-name "<search-dn_str>" on page 362, and the client-supplied user name.
    - regular—Bind using a bind DN and password that you configure in username "<bind-dn_str>" on page 364 and password "<bind-password_str>" on page 363.
    - anonymous—Do not provide a bind DN or password. Instead, perform the query without authenticating. Select this option only if the LDAP directory supports anonymous queries.
    Default: simple

common-name-id "<cn-attribute_str>"
    Enter the identifier, often cn, for the common name (CN) attribute whose value is the user name. The maximum length is 63 characters.
    Identifiers may vary by your LDAP directory’s schema.
    Default: No default.

distinguished-name "<search-dn_str>"
    Enter the distinguished name (DN), such as ou=People,dc=example,dc=com, that, when prefixed with the common name, forms the full path in the directory to user account objects. The maximum length is 256 characters.
    Default: No default.

filter "<query-filter_str>"
    Enter an LDAP query filter string, if any, that will be used to filter out results from the query’s results based upon any attribute in the record set. The maximum length is 256 characters.
    This option is valid only when bind-type {anonymous | simple | regular} on page 362 is regular.
    Default: No default.

group_authentication {enable | disable}
    Enable to only include users that are members of an LDAP group. Also configure group-type {edirectory | open-ldap | windows-ad} on page 363 and group_dn "<group-dn_str>" on page 363.
    This option is valid only when bind-type {anonymous | simple | regular} on page 362 is regular.
    Default: enable

group_dn "<group-dn_str>"
    Enter the distinguished name of the LDAP user group, such as ou=Groups,dc=example,dc=com. The maximum length is 256 characters.
    This option is valid only when group_authentication {enable | disable} on page 362 is enabled.
    Default: No default.

group-type {edirectory | open-ldap | windows-ad}
    Select the schema that matches your server’s LDAP directory.
    Group membership attributes may have different names depending on the LDAP directory schema. The FortiWeb appliance will use the group membership attribute that matches your directory’s schema when querying the group DN.
    This option is valid only when group_authentication {enable | disable} on page 362 is enabled.
    Default: open-ldap

password "<bind-password_str>"
    Enter the password of the username "<bind-dn_str>" on page 364. The maximum length is 63 characters.
    This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if bind-type {anonymous | simple | regular} on page 362 is anonymous or simple.
    Default: No default.

port <port_int>
    Enter the port number where the LDAP server listens. The valid range is 1–65535.
    The default port number varies by your selection in ssl-connection {enable | disable} on page 363; port 389 is typically used for non-secure connections or for STARTTLS-secured connections, and port 636 is typically used for SSL-secured (LDAPS) connections.
    Default: 389

protocol {ldaps | starttls}
    Select whether to secure the LDAP query using LDAPS or STARTTLS. You may need to reconfigure port <port_int> to correspond to the change in protocol.
    This field is applicable only if ssl-connection {enable | disable} on page 363 is enable.
    Default: ldaps

server "<ldap_ipv4_domain>"
    Type the server IP or domain address of the LDAP server.
    Default: 0.0.0.0

ssl-connection {enable | disable}
    Enable to connect to the LDAP servers using an encrypted connection, then select the style of the encryption in protocol {ldaps | starttls} on page 363.
    Default: enable

ca-cert <ca_name>
    Enter the name of the CA certificate; FortiWeb will then only accept a certificate from the LDAP server that is signed by this CA.
    Only available when ssl-connection is enabled.
    Default: No default.

username "<bind-dn_str>"
    Enter the bind DN, such as cn=FortiWebA,dc=example,dc=com, of an LDAP user account with permissions to query the distinguished-name "<search-dn_str>" on page 362. The maximum length is 256 characters.
    This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if bind-type {anonymous | simple | regular} on page 362 is anonymous or simple.
    Default: No default.

Example

This example configures an LDAP user query to the server at 192.0.2.100 on port 389. SSL and TLS are disabled. To bind the query, the FortiWeb appliance will use the bind DN cn=Manager,dc=example,dc=com, whose password is mySecretPassword. Once connected and bound, the query will search for user objects in ou=People,dc=example,dc=com, comparing the user name supplied by the HTTP client to the value of each object’s cn attribute. Group authentication is disabled.
config user ldap-user
    edit "ldap-user1"
        set server "192.0.2.100"
        set ssl-connection disable
        set port 389
        set common-name-id "cn"
        set distinguished-name "ou=People,dc=example,dc=com"
        set bind-type regular
        set username "cn=Manager,dc=example,dc=com"
        set password "mySecretPassword"
        set group-authentication disable
    next
end
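As an added example (not FortiWeb's own code), the following Python script parses ldap-user entries written in the CLI syntax above and checks the dependencies the option table states: a regular bind needs username and password, group_authentication needs a regular bind and a group_dn, ca-cert only matters while ssl-connection is enabled, and the port should match the chosen protocol. The sample configuration (the second query, the host ldap.example.com and the CA name "Example-Root-CA") is constructed, and option names follow the Syntax block above.

```python
"""Added example (not FortiWeb's own code): parse 'config user ldap-user'
entries in FortiWeb CLI syntax and check the option dependencies stated in
the reference, so an exported config can be reviewed before it is applied."""
from __future__ import annotations

import shlex

# Constructed sample: the page's cleartext query plus a second query that uses
# TLS with a named CA but pairs LDAPS with port 389 and turns on group
# authentication under a simple bind.
SAMPLE_CONFIG = """\
config user ldap-user
    edit "ldap-user1"
        set server "192.0.2.100"
        set ssl-connection disable
        set port 389
        set bind-type regular
        set username "cn=Manager,dc=example,dc=com"
        set password "mySecretPassword"
        set group_authentication disable
    next
    edit "ldap-user2"
        set server "ldap.example.com"
        set ssl-connection enable
        set protocol ldaps
        set port 389
        set ca-cert "Example-Root-CA"
        set bind-type simple
        set group_authentication enable
        set group_dn "ou=Groups,dc=example,dc=com"
    next
end
"""

# Defaults as the option table lists them, for the options the checks use.
DEFAULTS = {"bind-type": "simple", "group_authentication": "enable",
            "port": "389", "protocol": "ldaps", "ssl-connection": "enable"}


def parse_table(text: str, table: str) -> dict[str, dict[str, str]]:
    """Return {entry_name: {option: value}} for one flat config/edit/set/next/end table."""
    entries: dict[str, dict[str, str]] = {}
    current: str | None = None
    in_table = False
    for raw in text.splitlines():
        words = shlex.split(raw)  # strips the quotes around values
        if not words:
            continue
        if words[0] == "config":
            in_table = " ".join(words[1:]) == table
        elif not in_table:
            continue
        elif words[0] == "edit" and len(words) > 1:
            current = words[1]
            entries[current] = {}
        elif words[0] == "set" and current is not None and len(words) > 1:
            entries[current][words[1]] = " ".join(words[2:])
        elif words[0] == "next":
            current = None
        elif words[0] == "end":
            in_table = False
    return entries


def lint_ldap_query(name: str, opts: dict[str, str]) -> list[str]:
    """Findings for one query, derived from the rules in the option table."""
    cfg = {**DEFAULTS, **opts}
    findings: list[str] = []
    bind = cfg["bind-type"]
    if bind == "regular":
        for key in ("username", "password"):
            if key not in opts:
                findings.append(f"{name}: bind-type regular needs {key}")
    else:
        for key in ("username", "password", "filter"):
            if key in opts:
                findings.append(f"{name}: {key} is ignored unless bind-type is regular")
    if cfg["group_authentication"] == "enable":
        if bind != "regular":
            findings.append(f"{name}: group_authentication needs bind-type regular")
        if "group_dn" not in opts:
            findings.append(f"{name}: group_authentication enabled without group_dn")
    if cfg["ssl-connection"] == "disable":
        findings.append(f"{name}: ssl-connection disable sends the bind credentials in cleartext")
        if "ca-cert" in opts:
            findings.append(f"{name}: ca-cert is ignored while ssl-connection is disabled")
    else:
        typical = 636 if cfg["protocol"] == "ldaps" else 389
        if int(cfg["port"]) != typical:
            findings.append(f"{name}: port {cfg['port']} is unusual for {cfg['protocol']} (typically {typical})")
        if "ca-cert" not in opts:
            findings.append(f"{name}: no ca-cert, so the server certificate is not restricted to a chosen CA")
    return findings


def lint_config(text: str) -> dict[str, list[str]]:
    """Lint every ldap-user query in a FortiWeb CLI export; {query: findings}."""
    return {name: lint_ldap_query(name, opts)
            for name, opts in parse_table(text, "user ldap-user").items()}
```

Run lint_config on the text of a config export; the first sample query reports only the cleartext bind, the second reports the simple bind with group authentication and the LDAPS/389 mismatch.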

Related topics

- user user-group on page 376
- system admin on page 207
- user admin-usergrp on page 358


user local-user

Use this command to configure locally defined user accounts.
Local user accounts are used by the HTTP authentication feature to authorize HTTP requests. For details, see the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
To incorporate local user accounts, add them to a user group that is selected within an authentication rule, which is in turn selected within an authentication policy. For details, see user user-group on page 376.
To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions on page 46.

Syntax
config user local-user
    edit "<local-user_name>"
        set username "<user_str>"
        set password "<password_str>"
    next
end

"<local-user_name>"
    Enter a name that can be referenced in other parts of the configuration.
    To display the list of existing accounts, enter:
    edit ?
    The maximum length is 63 characters.
    Note: This is not the user name that the person must provide when logging in to the CLI or web UI.
    Default: No default.

username "<user_str>"
    Enter the user name that the client must provide when logging in, such as user1 or [email protected]. The maximum length is 63 characters.
    Default: No default.

password "<password_str>"
    Enter the password for the local user account. The maximum length is 63 characters.
    Default: No default.

Example

This example configures a local user account that can be used for HTTP authentication.
config user local-user
    edit "local-user1"
        set username "user1"
        set password "myPassword"
    next
end

Related topics

- user user-group on page 376

user ntlm-user

Use this command to configure user accounts that will authenticate with the FortiWeb appliance via an NT LAN Manager (NTLM) server.
NTLM queries can be made to a Microsoft Windows or Active Directory server that has been configured for NTLM authentication. Both NTLM v1 and NTLM v2 versions of the protocol are supported.
NTLM user queries are used by the HTTP authentication feature to authorize HTTP requests. For details, see the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
To incorporate NTLM user account queries, add them to a user group that is selected within an authentication rule, which is in turn selected within an authentication policy. For details, see user user-group on page 376.
To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions on page 46.

Syntax
config user ntlm-user
    edit "<ntlm-query_name>"
        set port <port_int>
        set server "<ntlm_ipv4>"
    next
end

"<ntlm-query_name>"
    Enter the name of the NTLM user query. The maximum length is 63 characters.
    To display the list of existing queries, enter:
    edit ?
    Default: No default.

port <port_int>
    Enter the port number where the NTLM server listens. The valid range is 1–65535.
    Default: 445

server "<ntlm_ipv4>"
    Enter the IP address of the NTLM server.
    Default: No default.

Example

This example configures an NTLM query connection to a server at 192.0.2.101 on port 445.
config user ntlm-user
    edit "ntlm-user1"
        set server "192.0.2.101"
        set port 445
    next
end

Related topics

- user user-group on page 376

user oauth-user request

FortiWeb supports front-end authentication with third party authentication servers such as Google and Facebook.
Use this command to create OAuth requests.
To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions on page 46.

Syntax
config user oauth-user request
    edit <oauth_request_name>
        set type {authz | token | refresh | validate | userinfo}
        set endpoint <string>
        set method {get | post}
        set ctype {urlencoded | json}
        set user-key <string>
        set tls-check {enable | disable}
        set tls-ca <ca_name>
        config custom-headers
            edit <index>
                set <custom-headers_name>
                set <custom-headers_value>
            next
        end
        config custom-parameters
            edit <index>
                set <custom-parameters_name>
                set <custom-parameters_value>
            next
        end
    next
end

<oauth_request_name>
    Enter a name for the request.
    Default: No default

type {authz | token | refresh | validate | userinfo}
    Select the OAuth request type.
    Default: authz

endpoint <string>
    Enter the OAuth request URL.
    Default: No default

method {get | post}
    Select the request method.
    Default: post

ctype {urlencoded | json}
    Select the request content type.
    Default: urlencoded

user-key <string>
    Enter the keyword in the response that carries the user name.
    Default: No default

tls-check {enable | disable}
    Enable to perform strict TLS verification, even with a custom CA certificate, of the TLS traffic between FortiWeb and the third party OAuth authorization servers.
    Default: disable

tls-ca <ca_name>
    Select the certificate used to check the TLS traffic. It is uploaded in System > Admin > Certificates.
    Default: No default

<custom-headers_name>
    Enter the name of the header to insert in the request.
    Default: No default

<custom-headers_value>
    Enter the value of the header.
    Default: No default

<custom-parameters_name>
    Enter the name of the parameter to insert into the request.
    Default: No default

<custom-parameters_value>
    Enter the value of the parameter.
    Default: No default

Related topics

- user oauth-user server

user oauth-user server

FortiWeb supports front-end authentication with third party authentication servers such as Google and Facebook.
Use this command to add the third party authentication server information.
To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions on page 46.

Syntax
config user oauth-user server
    edit <oauth_server_name>
        set mode {client | resource-server | both}
        set scope <string>
        set client-id <string>
        set client-secret <passwd>
        set redirect-endpoint <string>
        set authz-req <datasource>
        set token-req <datasource>
        set refresh-req <datasource>
        set validate-req <datasource>
        set validate-frequency {session | transaction | interval}
        set validate-interval <integer>
        set userinfo-req <datasource>
    next
end

<oauth_server_name>
    Enter a name for the server configuration.
    Default: No default

mode {client | resource-server | both}
    Select whether FortiWeb works as an authorization client, a resource server, or both.
    Default: No default

scope <string>
    Enter the scope field for OAuth.
    Default: No default

client-id <string>
    A client credential, assigned by the authorization server.
    Default: No default

client-secret <passwd>
    A client credential, assigned by the authorization server.
    Default: No default

redirect-endpoint <string>
    Redirection URL back to FortiWeb.
    Default: No default

authz-req <datasource>
    The authorization request created in the OAuth Request tab.
    Default: No default

token-req <datasource>
    The token request created in the OAuth Request tab.
    Default: No default

refresh-req <datasource>
    The refresh request created in the OAuth Request tab.
    Default: No default

validate-req <datasource>
    The validate request created in the OAuth Request tab.
    Default: No default

validate-frequency {session | transaction | interval}
    Whether to validate the request per session, per transaction, or at a fixed interval.
    Default: No default

validate-interval <integer>
    If validate-frequency is interval, enter the interval time.

userinfo-req <datasource>
    The user info request created in the OAuth Request tab.
    Default: No default

Related topics

- user oauth-user request


user pki-user

In FortiWeb's certificate-based Web UI login, a PKI user is an administrator whose Web UI access FortiWeb authorizes based on their PKI certificate. With this command, you can create a PKI user so that FortiWeb can verify and authorize Web UI access from that user.
Before creating a PKI user, you must import the CA certificate associated with the user to FortiWeb (through the FortiWeb Web UI). For details, see system admin-certificate ca on page 212.
After the PKI user is created, include it in an admin group through user admin-usergrp on page 358.
For information about certificate-based Web UI login, see the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions on page 46.

Syntax
config user pki-user
    edit "<pki-user_name>"
        set cacert "<cacert_str>"
        set subject "<subject_str>"
    next
end

"<pki-user_name>"
    Enter the name of a PKI user. The maximum length is 63 characters.
    Default: No default.

cacert "<cacert_str>"
    Specifies the CA certificate associated with the PKI user's certificate. It must be one of the CA certificates stored on the FortiWeb for administration. For details, see system admin-certificate ca on page 212.
    Default: No default.

subject "<subject_str>"
    Specifies the subject of the PKI user's certificate, such as C = US, ST = Washington, O = yourorganization, CN = yourname.
    Default: No default.

Example

This example adds a PKI user associated with the CA certificate CA_Cert_1.
config user pki-user
    edit "pki_user1"
        set cacert "CA_Cert_1"
        set subject "C = US, ST = Washington, O = organization, CN = Bradley Avery"
    next
end


user radius-user

Use this command to configure RADIUS queries used to authenticate end-users and/or administrators.

If you use a RADIUS query for administrators, separate it from the queries for regular
users. Do not combine administrator and user queries into a single entry.
Failure to separate queries will allow end-users to have administrative access the
FortiWeb web UI and CLI.

Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication, authorization, and
accounting functions. The FortiWeb authentication feature uses RADIUS user queries to authenticate and authorize
HTTP requests. (The HTTP protocol does not support active logouts, and can only passively log out users when their
connection times out. Therefore FortiWeb does not fully support RADIUS accounting.) RADIUS authentication with
realms (e.g., the person logs in with an account such as [email protected]) are supported.
To authenticate a user, the FortiWeb appliance sends the user’s credentials to RADIUS for authentication. If RADIUS
authentication succeeds, the user is successfully authenticated with the FortiWeb appliance. If RADIUS authentication
fails, the appliance refuses the connection. To override the default authentication scheme, select a specific
authentication protocol or change the default RADIUS port.
To incorporate RADIUS users, they must be in a user group selected within an authentication rule, which is in turn
selected within an authentication policy. For details, see "server-policy custom-application application-policy" on page 1.

For access profiles, FortiWeb appliances support RFC 2548


(HTTP://www.ietf.org/rfc/rfc2548.txt) Microsoft Vendor-specific RADIUS Attributes. If
you do not want to use them, you can configure them locally instead. For details, see
system accprofile on page 204.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
authusergrp area. For details, see Permissions on page 46.

Syntax
config user radius-user
edit "<radius-query_name>"
set secret "<password_str>"
set server {radius_ipv4 | radius_ipv6 | domain name}
set server-port <port_int>
set auth-type {default | chap | ms_chap | ms_chap_v2 | pap}
set nas-ip "<nas_ipv4>"
set secondary-secret "<password_str>"
set secondary-server {radius2_ipv4 | domain name}
set secondary-server-port <port_int>
set fac-push {enable | disable}
next
end

FortiWeb CLI Reference Fortinet Technologies Inc.


config 372

"<radius-query_name>"
    Enter a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 63 characters.
    To display the list of existing queries, enter:
    edit ?
    Note: This is the name of the query only, not the administrator or end-user’s account name/login, which is defined by either "<administrator_name>" on page 208 or username "<user_str>" on page 365.
    Default: No default.

secret "<password_str>"
    Enter the RADIUS server secret key for the primary RADIUS server. The primary server secret key should be a maximum of 16 characters in length, but is allowed to be up to 63 characters.
    Default: No default.

server {radius_ipv4 | radius_ipv6 | domain name}
    Enter the IP address or domain name of the RADIUS server to query for users.
    Default: No default.

server-port <port_int>
    Enter the port number where the RADIUS server listens. The valid range is 1–65535.
    Default: 1812

auth-type {default | chap | ms_chap | ms_chap_v2 | pap}
    Enter the authentication method. The default option uses PAP, MS-CHAP-V2, and CHAP, in that order.
    Default: default

nas-ip "<nas_ipv4>"
    Enter the NAS IP address and called station ID. For details, see RFC 2548 (http://www.ietf.org/rfc/rfc2548.txt). If you do not enter an IP address, the IP address of the network interface that the FortiWeb appliance uses to communicate with the RADIUS server is applied.
    Default: 0.0.0.0

secondary-secret "<password_str>"
    Enter the RADIUS server secret key for the secondary RADIUS server. The secondary server secret key should be a maximum of 16 characters in length, but is allowed to be up to 63 characters.
    Default: No default.

secondary-server {radius2_ipv4 | domain name}
    Enter the IP address or domain name of the secondary RADIUS server.
    Default: No default.

secondary-server-port <port_int>
    Enter the port number where the secondary RADIUS server listens. The valid range is 1–65535.
    Default: 1812

fac-push {enable | disable}
    If you are using a FAC RADIUS server to authenticate clients, you can enable this option to send a FortiToken mobile notification automatically to clients for extra token authentication.
    Default: disable


Related topics

- user admin-usergrp on page 358
- user user-group on page 376

user recaptcha-user

Use this command to create a reCAPTCHA server that FortiWeb uses to perform bot confirmation with the Google
reCAPTCHA service. This requires you to set the site key and secret key in the reCAPTCHA server configuration in
FortiWeb so that it can communicate with the reCAPTCHA service on behalf of your application server.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
authusergrp area. For details, see Permissions on page 46.
To use this command, you should enable recaptcha in system feature-visibility. See system feature-visibility.

Syntax
config user recaptcha-user
edit "<recaptcha_server_name>"
set type {tickbox | invisible}
set site-key <str>
set secret-key <str>
next
end

type {tickbox | invisible}
    Select the type of the reCAPTCHA service you have registered in Google.
    Default: tickbox

site-key <str>
    Enter the site key.
    Default: No default.

secret-key <str>
    Enter the secret key.
    Default: No default.

user saml-user

Use this command to configure queries that can be used for remote authentication of either FortiWeb administrators or
end users via a Security Assertion Markup Language (SAML) server.
To use a SAML server for client authentication, select it in a site publish rule. For details, see waf site-publish-helper rule
on page 569.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
authusergrp area. For details, see Permissions on page 46.

Syntax
config user saml-user
edit "<saml_server_name>"
set entityID "<server_URL>"
set service-path "<server_URL_path>"
set slo-bind {post | redirect}
set slo-path "<slo_URL_path>"
set sso-bind <post>
set sso-path "<sso_URL_path>"
next
end

"<saml_server_name>"
    Enter a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    Default: No default.

entityID "<server_URL>"
    Enter the URL for the SAML server. The communications protocol must be HTTPS.
    Default: No default.

service-path "<server_URL_path>"
    Enter a path for the SAML server at the URL you specified in entityID "<server_URL>" on page 374.
    Default: No default.

slo-bind {post | redirect}
    Select the binding that the server will use when the service provider initiates a single logout request:
    - POST—SAML protocol messages are transported via the user's browser in an XHTML document using base64-encoding.
    - REDIRECT—SAML protocol messages will be carried in the URL of an HTTP GET request. Because the length of URLs is limited, this option is best for shorter messages. If the SAML message contains information that the IDP is not yet aware of, you can sign the message for security purposes.
    Default: POST

slo-path "<slo_URL_path>"
    Enter a partial URL that the IDP will use to confirm with the service provider that a user has been logged out.
    Default: No default.

sso-bind <post>
    Select the binding that the server will use to transport the SAML authentication request to the IDP.
    Default: POST

sso-path "<sso_URL_path>"
    Enter a partial URL that the IDP will use to confirm with the service provider that a user has been authenticated.
    Default: No default.


Example

This example configures a SAML server at https://sp.example.com/samlsp. We specify the Service Path,
Assertion Consumer Service (ACS), and Single Logout Service (SLS). We use a POST binding for ACS and a
REDIRECT binding for SLS.
config user saml-user
edit "saml_example"
set entityID "https://sp.example.com/samlsp"
set service-path "/saml.sso"
set slo-bind redirect
set slo-path "/SLO/REDIRECT"
set sso-bind post
set sso-path "/SAML2/POST"
next
end

Related topic

- waf site-publish-helper rule on page 569

user tacacs+ user

Use this command to configure TACACS+ queries that can be used for authentication of administrators’ access to the
web UI or CLI.
To authenticate an administrator, the FortiWeb appliance sends the administrator’s credentials to the TACACS+ server for
authentication. If the TACACS+ server replies to the query with a signal of successful authentication, the client is
successfully authenticated with the FortiWeb appliance. If TACACS+ authentication fails or the query returns a negative
result, the appliance refuses the connection.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
authusergrp area. For details, see Permissions on page 46.
Syntax
config user tacacs+-user
edit "<tacacs+-user_name>"
set server {radius_ipv4 | domain name}
set secret "<password_str>"
set auth-type {auto | ms_chap | chap | pap | ascii}
next
end

"<tacacs+-user_name>"
    Enter a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    Default: No default.

server {radius_ipv4 | domain name}
    Enter the IP address or domain name of the TACACS+ server.
    Default: No default.

secret "<password_str>"
    Enter the TACACS+ server secret key for the TACACS+ server.
    Default: No default.

auth-type {auto | ms_chap | chap | pap | ascii}
    Select Auto to automatically assign an authentication type or select Specify to specify a type among MSCHAP, CHAP, PAP, and ASCII.
    Default: Auto

Related topics

- user tacacs+ user on page 375
- user user-group on page 376

user user-group

Use this command to configure user groups.


User groups are used by the HTTP authentication feature to authorize HTTP requests. A group can include a mixture of
local user accounts, LDAP, RADIUS, and NTLM user queries.
Before you can configure a user group, you must first configure any local user accounts or user queries that you want to
include. For details, see user local-user on page 365, user ldap-user on page 361, "server-policy custom-application
application-policy" on page 1, or user ntlm-user on page 366.
To apply user groups, select them within an authentication rule, which is in turn selected within an authentication
policy, which is ultimately selected within an inline protection profile used for web protection. For details, see waf HTTP-
authen HTTP-authen-rule on page 476.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
authusergrp area. For details, see Permissions on page 46.

Syntax
config user user-group
edit "<user-group_name>"
set auth-type {basic | digest | NTLM}
config members
edit <entry_index>
set type {ldap | local | ntlm | radius}
set ldap-name "<query_name>"
set local-name "<query_name>"
set ntlm-name "<query_name>"
set radius-name "<query_name>"
next
end
next
end

"<user-group_name>"
    Enter the name of the user group. The maximum length is 63 characters.
    To display the list of existing groups, enter:
    edit ?
    Default: No default.

auth-type {basic | digest | NTLM}
    Select one of the following authentication types:
    - basic—This is the original and most compatible authentication scheme for HTTP. However, it is also the least secure as it sends the user name and password unencrypted to the server.
    - digest—Authentication encrypts the password and thus is more secure than the basic authentication.
    - NTLM—Authentication uses a proprietary protocol of Microsoft and is considered to be more secure than basic authentication.
    Default: basic

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

ldap-name "<query_name>"
    Select the name of a LDAP user query. Available if the value of type {ldap | local | ntlm | radius} on page 377 is ldap. The maximum length is 63 characters.
    Default: No default.

local-name "<query_name>"
    Select the name of a local user account. Available if the value of type {ldap | local | ntlm | radius} on page 377 is local. The maximum length is 63 characters.
    Default: No default.

ntlm-name "<query_name>"
    Select the name of a NTLM user query. Available if the value of type {ldap | local | ntlm | radius} on page 377 is ntlm. The maximum length is 63 characters.
    Default: No default.

radius-name "<query_name>"
    Select the name of a RADIUS user query. Available if the value of type {ldap | local | ntlm | radius} on page 377 is radius. The maximum length is 63 characters.
    Default: No default.

type {ldap | local | ntlm | radius}
    Select which type of user or user query that you want to add to the group.
    Note: You can mix all user types in the group. However, if the authentication rule’s auth-type {basic | digest | NTLM} on page 377 does not support a given user type, all user accounts of that type will be ignored, effectively disabling them.
    Default: local


Example

For an example, see waf HTTP-authen HTTP-authen-policy on page 473.

Related topics

- user ldap-user on page 361
- user local-user on page 365
- user ntlm-user on page 366
- waf HTTP-authen HTTP-authen-rule on page 476

wad file-filter

Use this command to specify the names of directories and files that you want to exclude from anti-defacement
monitoring. Alternatively, you can specify the folders and files you want FortiWeb to monitor and it will exclude any
others.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wadgrp area. For details, see Permissions on page 46.

Syntax
config wad file-filter
edit "<wad-file-filter_name>"
set filter-type {block-file-list | allow-file-list}
edit <entry_index>
set file-type {directory | regular-file}
set file-name "<file_str>"
next
end

"<wad-file-filter_name>"
    Enter the name of the file filter you can reference in other parts of the configuration.
    Default: No default.

filter-type {block-file-list | allow-file-list}
    Specify the type of filter:
    - block-file-list—A list of files or folders that the anti-defacement feature does not monitor.
    - allow-file-list—A list of files or folders that the anti-defacement feature monitors. The feature ignores all other files and folders.
    FortiWeb still applies criteria in the anti-defacement configuration to these items. For example, if the file size exceeds the maximum, FortiWeb does not monitor it.
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table.
    Default: No default.

file-type {directory | regular-file}
    Specify the type of item to add to the list:
    - directory—A folder or directory path.
    - regular-file—A file.
    Default: No default.

file-name "<file_str>"
    Enter the name of the folder or file to add to the list. Ensure that the name exactly matches the folder or file that you want to specify. If file-type {directory | regular-file} on page 379 is directory, include the / (forward slash).
    For example, if file-type is directory and you want to add a folder abc that is under the root folder of a website, enter /abc.
    You can restrict the filter condition to a specific file by including file path information in file-name. For example, a website contains many files with the name 123.txt. To specify the instance located in the abc folder only, enter /abc/123.txt.
    Default: No default.

Example

This example creates a filter video-folder that excludes the folder /abc from anti-defacement monitoring when it is
applied to an anti-defacement monitoring configuration.
config wad file-filter
edit "video-folder"
set filter-type block-file-list
edit 1
set file-type directory
set file-name "/abc"
next
end

Related topics

- wad website on page 379

wad website

Use this command to enable and configure website defacement attack detection and automatic repair.
The FortiWeb appliance monitors the website’s files for any changes and folder modifications at specified time intervals.
If it detects a change that could indicate a defacement attack, the FortiWeb appliance notifies you, and can quickly react
by automatically restoring the website contents to the previous backup revision.


Optionally, you can specify a filter that either defines which files and folders FortiWeb does not scan when it looks for
changes (blocklist) or the specific files and folders you want it to monitor (allowlist). For details, see wad file-filter on page
378.
FortiWeb automatically backs up website files and creates a revision in the following cases:
- When the FortiWeb appliance initiates monitoring for the first time, the FortiWeb appliance downloads a backup copy of the website’s files and stores it as the first revision.
- If the FortiWeb appliance could not successfully connect during a monitor interval, it creates a new revision the next time it re-establishes the connection.

When you intentionally modify the website, you must disable the monitor option;
otherwise, the FortiWeb appliance sees your changes as a defacement attempt and
undoes them.

Backup copies omit files exceeding the file size limit and/or matching the file extensions that you have configured the
FortiWeb appliance to omit. For details, see backup-max-fsize <limit_int> on page 381 and backup-skip-ftype
"<extensions_str>" on page 381.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wadgrp area. For details, see Permissions on page 46.

Syntax
config wad website
edit <entry_index>
set alert-email "<email-policy_name>"
set auto {disable | restore | acknowledge}
set backup-max-fsize <limit_int>
set backup-skip-ftype "<extensions_str>"
set connect-type {ftp | smb | ssh}
set description "<comment_str>"
set hostname-ip {"<host_ipv4>" | "<host_fqdn>"}
set interval-other <seconds_int>
set interval-root <seconds_int>
set monitor {enable | disable}
set monitor-depth <folders_int>
set name "<name_str>"
set password "<password_str>"
set port <port_int>
set share-name "<share_str>"
set user "<user_str>"
set web-folder "<path_str>"
set file-filter "<wad-file-filter_name>"
next
end

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–16.
    Default: No default.


alert-email "<email-policy_name>"
    Enter the name of the email policy that specifies the email address that FortiWeb sends an email to when it detects that the website changed. (See log email-policy on page 67.) The maximum length is 63 characters.
    Default: No default.

auto {disable | restore | acknowledge}
    Enter the action that FortiWeb takes when it detects that the website has changed.
    - disable—FortiWeb takes no action. You can use the web UI to manually restore all or some of the changed files.
    - restore—Restore the website to the previous revision number.
    - acknowledge—Accept changes to the website.
    Note: When you intentionally modify the website, type acknowledge. Otherwise, the FortiWeb appliance detects your changes as a defacement attempt and undoes them.
    Default: disable

backup-max-fsize <limit_int>
    Enter a file size limit in kilobytes (KB) to indicate which files will be included in the website backup. Files exceeding this size will not be backed up. The valid range is 1–1,048,576 kilobytes.
    Note: Backing up large files can impact performance.
    Default: 10240

backup-skip-ftype "<extensions_str>"
    Enter zero or more file extensions, such as iso,avi, to exclude from the website backup. Separate each file extension with a comma. The maximum length is 512 characters.
    Note: Backing up large files, such as video and audio, can impact performance.
    Default: No default.

connect-type {ftp | smb | ssh}
    Select which protocol to use when connecting to the website in order to monitor its contents and download website backups. For Microsoft Windows-style shares, enter smb.
    Default: ftp

description "<comment_str>"
    Enter a description or other comment. If the comment is more than one word or contains special characters, surround the comment with double quotes ( " ). The maximum length is 256 characters.
    Default: No default.

hostname-ip {"<host_ipv4>" | "<host_fqdn>"}
    Enter the IP address or fully qualified domain name (FQDN) of the physical server on which the website is hosted.
    This will be used when connecting by SSH or FTP to the website to monitor its contents and download backup revisions, and therefore could be different from the real or virtual web host name that may appear in the Host: field of HTTP headers.
    Default: No default.


interval-other <seconds_int>
    Enter the amount of time (in seconds) between each monitoring connection from the FortiWeb appliance to the web server. During this connection, the FortiWeb appliance examines the website’s subfolders to see if any files have been changed by comparing the files with the latest backup. The valid range is 1–86,400.
    If any file change is detected, the FortiWeb appliance will download a new backup revision. If you've enabled auto {disable | restore | acknowledge} on page 381, the FortiWeb appliance will revert the files to their previous version.
    Default: 600

interval-root <seconds_int>
    Enter the number of seconds between each monitoring connection from the FortiWeb appliance to the web server. During this connection, the FortiWeb appliance examines web-folder "<path_str>" on page 383 (but not its subfolders) to see if any files have been changed by comparing the files with the latest backup. The valid range is 1–86,400.
    If any file change is detected, the FortiWeb appliance will download a new backup revision. If you've enabled auto {disable | restore | acknowledge} on page 381, the FortiWeb appliance will revert the files to their previous version.
    Default: 60

monitor {enable | disable}
    Enable to monitor the website’s files for changes, and to download backup revisions that can be used to revert the website to its previous revision if the FortiWeb appliance detects a change attempt.
    Default: enable

monitor-depth <folders_int>
    Enter how many folder levels deep to monitor for changes to the website’s files. Files in subfolders deeper than this level will not be backed up. The valid range is 1–10.
    Default: 5

name "<name_str>"
    Enter a name for the website. The maximum length is 63 characters.
    This name will not be used when monitoring the website, nor will it be referenced in any other part of the configuration, and therefore can be any identifier that is useful to you. It does not need to be the website’s FQDN or virtual host name.
    Default: No default.

password "<password_str>"
    Enter the password for the user name you entered in user "<user_str>" on page 383. The maximum length is 63 characters.
    Default: No default.

port <port_int>
    Enter the port number on which the website’s physical server listens. The standard port number for FTP is 21; the standard port number for SSH is 22.
    This is applicable only if connect-type {ftp | smb | ssh} on page 381 is ftp or ssh.
    Default: 21

share-name "<share_str>"
    Enter the name of the shared folder on the web server. The maximum length is 63 characters.
    This variable appears only if connect-type {ftp | smb | ssh} on page 381 is smb.
    Default: No default.

user "<user_str>"
    Enter the user name that the FortiWeb appliance will use to log in to the website’s physical server. The maximum length is 63 characters.
    Default: No default.

web-folder "<path_str>"
    Enter the path to the website’s folder, such as public_html, on the physical server. The path is relative to the initial location when logging in with the user name that you specify in user "<user_str>". The maximum length is 1,023 characters.
    Available only if the value of connect-type {ftp | smb | ssh} on page 381 is ftp or ssh.
    Default: No default.

file-filter "<wad-file-filter_name>"
    Enter the filter that specifies either the files and folders that FortiWeb excludes from anti-defacement monitoring or the specific files and folders to monitor.
    Default: No default.

Example
config wad website
edit 1
set alert-email "email_policy_1"
set connect-type ssh
set hostname-ip "192.0.2.10"
set monitor enable
set name "www.example.com"
set password "P@ssword1"
set port 22
set user "fortiweb"
set web-folder "public_html"
set file-filter "video-folder"
next
end
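To show how the wad website and wad file-filter settings above combine, here is an added example (not FortiWeb code) that models one monitoring cycle over an in-memory site: how monitor-depth, backup-max-fsize, backup-skip-ftype and a block-file-list or allow-file-list filter decide what goes into a revision, how an interval-root connection differs in scope from an interval-other one, and what auto restore and acknowledge do when a change is found. The matching rules for file-name entries, the depth counting and the sample site are assumptions; FortiWeb's own algorithm is not documented on this page.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class FileFilter:
    """A wad file-filter: filter-type plus (file-type, file-name) entries."""
    filter_type: str                       # "block-file-list" | "allow-file-list"
    entries: List[Tuple[str, str]] = field(default_factory=list)

    def matches(self, path: str) -> bool:
        parts = path.split("/")[1:]        # "/abc/123.txt" -> ["abc", "123.txt"]
        for ftype, name in self.entries:
            if ftype == "directory":
                # Assumption: "/abc" is anchored at the web root, "abc" matches that
                # folder name at any level.
                folder = name.rstrip("/")
                if folder.startswith("/") and path.startswith(folder + "/"):
                    return True
                if not folder.startswith("/") and folder in parts[:-1]:
                    return True
            # regular-file: "/abc/123.txt" is a full path, "123.txt" a bare file name
            elif (path == name) if name.startswith("/") else (parts[-1] == name):
                return True
        return False

@dataclass
class Website:                             # the wad website settings that matter here
    monitor_depth: int = 5                 # folder levels below web-folder
    backup_max_fsize: int = 10240          # KB
    backup_skip_ftype: str = ""            # e.g. "iso,avi"
    auto: str = "disable"                  # disable | restore | acknowledge
    file_filter: Optional[FileFilter] = None

    def in_scope(self, path: str, data: bytes) -> bool:
        depth = path.count("/") - 1        # "/x.txt" -> 0, "/abc/x.txt" -> 1
        if depth > self.monitor_depth or len(data) > self.backup_max_fsize * 1024:
            return False
        skip = {e.strip().lower() for e in self.backup_skip_ftype.split(",") if e.strip()}
        base = path.rsplit("/", 1)[-1]
        if "." in base and base.rsplit(".", 1)[-1].lower() in skip:
            return False
        if self.file_filter is None:
            return True
        hit = self.file_filter.matches(path)
        # block-file-list monitors everything except matches; allow-file-list only matches
        return (not hit) if self.file_filter.filter_type == "block-file-list" else hit

    def snapshot(self, site: Dict[str, bytes], scope: str = "all") -> Dict[str, bytes]:
        """A backup revision of the monitored files. scope="root" mirrors an
        interval-root connection (web-folder only, subfolders skipped)."""
        return {p: b for p, b in site.items()
                if self.in_scope(p, b) and (scope == "all" or p.count("/") == 1)}

def diff(revision: Dict[str, bytes], current: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every path as added, removed or modified (compared by SHA-256)."""
    digest = lambda b: hashlib.sha256(b).hexdigest()
    changes = {}
    for p in sorted(set(revision) | set(current)):
        if p not in revision:
            changes[p] = "added"
        elif p not in current:
            changes[p] = "removed"
        elif digest(revision[p]) != digest(current[p]):
            changes[p] = "modified"
    return changes

def monitor_cycle(ws: Website, revision: Dict[str, bytes], site: Dict[str, bytes],
                  scope: str = "all"):
    """One monitoring connection: returns (changes, revision_after, site_after). auto=restore
    reverts the site to the stored revision; acknowledge/disable record a new revision."""
    current = ws.snapshot(site, scope)
    baseline = {p: b for p, b in revision.items() if scope == "all" or p.count("/") == 1}
    changes = diff(baseline, current)
    if not changes:
        return changes, revision, site
    if ws.auto == "restore":
        restored = dict(site)
        for p, kind in changes.items():
            if kind == "added":
                restored.pop(p)
            else:
                restored[p] = revision[p]
        return changes, revision, restored
    new_revision = dict(revision)
    for p, kind in changes.items():
        if kind == "removed":
            new_revision.pop(p)
        else:
            new_revision[p] = current[p]
    return changes, new_revision, site

SITE = {                                   # constructed sample site
    "/index.html": b"<h1>Welcome</h1>",
    "/abc/clip.avi": b"\x00" * 64,
    "/abc/123.txt": b"notes",
    "/cgi/app.pl": b"#!/usr/bin/perl\n",
}
VIDEO_FOLDER = FileFilter("block-file-list", [("directory", "/abc")])  # the page's filter example
```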

Related topics

- wad file-filter on page 378
- system interface on page 312
- router static on page 98


waf allow-method-exceptions

Use this command to configure the FortiWeb appliance with combinations of URLs and host names, which are
exceptions to HTTP request methods that are generally allowed or denied according to the inline or Offline Protection
profile.
While most URL and host name combinations controlled by a profile may require similar HTTP request methods, you
may have some that require different methods. Instead of forming separate policies and profiles for those requests, you
can configure allowed method exceptions. The exceptions define specific HTTP request methods that are allowed by
specific URLs and hosts.
To apply allowed method exceptions, select them within an inline or Offline Protection profile. For details, see waf web-
protection-profile inline-protection on page 636 or waf web-protection-profile offline-protection on page 645.
Before you configure an allowed method exception, if you want to apply it only to HTTP requests for a specific real or
virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts on
page 103.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf allow-method-exceptions
edit "<method-exception_name>"
config allow-method-exception-list
edit <entry_index>
set allow-request {get post head options trace connect delete put patch webdav rpc others}
set host "<protected-hosts_name>"
set host-status {enable | disable}
set request-file "<url_str>"
set request-type {plain | regular}
next
end
next
end

"<method-exception_name>"
    Enter the name of the allowed methods exception. The maximum length is 63 characters.
    To display a list of the existing exceptions, enter:
    edit ?
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

allow-request {get post head options trace connect delete put patch webdav rpc others}
    Select one or more of the allowed HTTP request methods that are an exception for that combination of URL and host. Methods that you do not select will be denied.
    The OTHERS option includes methods not specifically named in the other options. It often may be required by WebDAV applications such as Microsoft Exchange Server and Subversion, which may require HTTP methods not commonly used by web browsers, such as PROPFIND and BCOPY. For details, see RFC 4918 (http://tools.ietf.org/html/rfc4918).
    Note: If a WAF Auto Learning Profile will be selected in the policy with an Offline Protection profile that uses this allowed method exception, you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb appliance to learn about. If a method is disabled, the FortiWeb appliance will reset the connection, and therefore cannot learn about the session.
    Default: No default.

host "<protected-hosts_name>"
    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the exception. The maximum length is 256 characters.
    This setting is used only if host-status {enable | disable} on page 385 is enable.
    Default: No default.

host-status {enable | disable}
    Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the allowed method exception. Also configure host "<protected-hosts_name>" on page 385.
    Default: disable

request-file "<url_str>"
    Depending on your selection in request-type {plain | regular} on page 386, either:
    - Enter the literal URL, such as /index.php, that is an exception to the generally allowed HTTP request methods. The URL must begin with a slash ( / ).
    - Enter a regular expression, such as ^/*.php, matching all and only the URLs which are exceptions to the generally allowed HTTP request methods. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm. For example, if multiple URLs on a host have identical HTTP request method requirements, you would type a regular expression matching all of and only those URLs.
    Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-hosts_name>" on page 385. The maximum length is 256 characters.
    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide: https://docs.fortinet.com/fortiweb/admin-guides
    Default: No default.

request-type {plain | regular}
    Indicate whether request-file "<url_str>" on page 385 is a literal URL (plain) or a regular expression (regular).
    Default: plain

Example

This example adds an exception to the list of allowed methods (post) that can be used in HTTP requests. In addition to
the allowed methods already specified in protection profiles that use this exception, web hosts included in the protected
hosts group named example_com_hosts (such as example.com, www.example.com, and 192.0.2.10) are
allowed to receive POST requests to the Perl file that handles the guestbook.
config waf allow-method-exceptions
edit "auto-learn-profile2"
config allow-method-exception-list
edit 1
set allow-request post
set host "example_com_hosts"
set host-status enable
set request-file "/perl/guestbook.pl"
set request-type plain
next
end
next
end

Related topics

- server-policy allow-hosts on page 103
- waf web-protection-profile inline-protection on page 636
- waf web-protection-profile offline-protection on page 645

waf allow-method-policy

Use this command to allow only specific HTTP request methods.


To define specific exceptions to this policy, use waf allow-method-exceptions on page 384.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.


Syntax
config waf allow-method-policy
edit "<allowed-methods_name>"
set allow-method {get post head options trace connect delete put patch webdav rpc}
set override-header {enable | disable}
set override-parameter {enable | disable}
set severity {High | Medium | Low | Info}
set triggered-action "<trigger-policy_name>"
set allow-method-exception "<method-exception_name>"
next
end

"<allowed-methods_name>"
    Enter the name of a new or existing allowed methods policy. This field cannot be modified if you are editing an existing allowed methods policy. To modify the name, delete the entry, then recreate it using the new name. The maximum length is 63 characters.
    To display a list of the existing policies, enter:
    edit ?
    Default: No default.

override-header {enable | disable}
    When Override Header or Override Parameter settings are enabled, FortiWeb should check methods from these headers or parameters as well as the HTTP method used in the actual request. If any of the methods are not in the allowed method list, FortiWeb should deny the request.
    Default: disable

override-parameter {enable | disable}
    When Override Header or Override Parameter settings are enabled, FortiWeb should check methods from these headers or parameters as well as the HTTP method used in the actual request. If any of the methods are not in the allowed method list, FortiWeb should deny the request.
    Default: disable

allow-method {get post head options trace connect delete put patch webdav rpc}
    Select one or more HTTP request methods that you want to allow for this specific policy.
    Methods that you do not select will be denied, unless specifically allowed for a host and/or URL in an allowed method exception (see waf allow-method-exceptions on page 384).
    The others option includes methods not specifically named in the other options. It often may be required by WebDAV applications such as Microsoft Exchange Server 2003 and Subversion, which may require HTTP methods not commonly used by web browsers, such as PROPFIND and BCOPY. For details, see RFC 2518 (http://tools.ietf.org/html/rfc4918).
    Note: If a WAF Auto Learning Profile is used in the server policy where the HTTP request method is applied (via the Web Protection Profile), you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb appliance to learn about. If a method is disabled, the FortiWeb appliance will reset the connection, and therefore cannot learn about the session.
    Default: No default.

severity {High | Medium | Low | Info}
    Select the severity level to use in logs and reports generated when a violation of the policy occurs.
    Default: High

triggered-action "<trigger-policy_name>"
    Enter the name of the trigger policy you want FortiWeb to apply when a violation of the HTTP request method policy occurs. Trigger policies determine who will be notified by email when the policy violation occurs, and whether the log message associated with the violation is recorded. The maximum length is 63 characters.
    To display a list of the existing policies, enter:
    set triggered-action ?
    Default: No default.

allow-method-exception "<method-exception_name>"
    Enter the name of an existing HTTP request method exception, if any, to apply to it. The maximum length is 63 characters.
    To display a list of the existing exceptions, enter:
    set allow-method-exception ?
    Default: No default.

Example

This example allows the HTTP GET and POST methods and rejects others, except according to the exceptions defined in
MethodExceptions1.

config waf allow-method-policy
    edit "allowpolicy1"
        set allow-method get post
        set triggered-action "TriggerActionPolicy1"
        set allow-method-exception "MethodExceptions1"
    next
end

Related topics

- waf allow-method-exceptions on page 384

waf api-learning-policy

The machine learning based API Protection learns the REST API data structure from user traffic samples and then builds
a mathematical model to screen out malicious API requests.
It analyzes the method, URL, and endpoint data of the API request samples to generate an API data structure file for
your application. This model describes the API data schema of the endpoint data. If an incoming API request violates
the learned data structure, it is detected as an attack.
Use this command to edit machine learning based API Protection policies.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf api-learning-policy
    edit <api-protection-policy_ID>
        set policy-id <index>
        set status {enable | disable}
        set ip-list-type {Trust | Black}
        set start-training-cnt <integer>
        set url-replacer-policy <string>
        set action-mlapi {alert | alert_deny | block-period}
        set block-period-mlapi <integer>
        set severity-mlapi {High | Medium | Low | Info}
        set trigger-mlapi <datasource>
        set schema-property {maximum | minimum | maxLength | minLength | maxItems | minItems}
        set data-format {date-time | date | time | email | hostname | ipv4 | ipv6}
        set de-duplication-all {enable | disable}
        set de-duplication-count <integer>
        set schema-required-ratio <integer>
        set schema-ignored-ratio <integer>
    next
end

<api-protection-policy_ID>
    Specify the API protection policy ID.
    Default: No default.

policy-id <index>
    Specify the server policy ID to associate this API protection policy with.

status {enable | disable}
    Enable or disable API protection.
    Default: enable

ip-list-type {Trust | Black}
    Allow or deny sample collection from the source IP list.
    Default: trust

start-training-cnt <integer>
    The system starts building the API Protection machine learning model once the sample count reaches start-training-cnt.
    Default: No default.

url-replacer-policy <string>
    Specify the URL replacer policy you want to use. If your applications have dynamic URLs or unusual parameter styles, you must use a URL Replacer Policy to recognize them.
    See waf machine-learning url-replacer-rule/policy on page 534 for more information.
    Default: No default.

action-mlapi {alert | alert_deny | block-period}
    Choose the action FortiWeb takes when an API attack is detected.
    alert: Accepts the connection and generates an alert email and/or log message.
    alert_deny: Blocks the request (or resets the connection) and generates an alert and/or log message.
    block-period: Blocks the request for a certain period of time.
    Default: alert_deny

block-period-mlapi <integer>
    Enter the number of seconds that you want to block the requests. The valid range is 1–3,600 seconds.
    This option only takes effect when action-mlapi is set to block-period.
    Default: 600

severity-mlapi {High | Medium | Low | Info}
    Select the severity level for this anomaly type. The severity level is displayed in the alert email and/or log message.
    Default: High

trigger-mlapi <datasource>
    Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. If an API attack is detected, the system sends email and/or log messages according to the trigger policy.
    Default: No default.

schema-property {maximum | minimum | maxLength | minLength | maxItems | minItems}
    Specify the schema properties that the API Protection machine learning model learns. In the learned model, these properties and the data formats below can be included under the string type.
    Default: No default.

data-format {date-time | date | time | email | hostname | ipv4 | ipv6}
    Specify the data formats that the API Protection machine learning model learns.
    Default: No default.

schema-required-ratio <integer>
    The schema-required-ratio is the threshold for the required type. If the percentage of samples that include a certain field is over the schema-required-ratio, the field is treated as required and learned in the final model.
    Default: No default.

schema-ignored-ratio <integer>
    If the percentage of samples that include a certain field is lower than the schema-required-ratio, the field is discarded from the final model.
    Default: No default.


waf api-learning-rule

Use this command to specify the domains to be protected by the ML based API protection model, and the API paths to
be learned by the model.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf api-learning-rule
    edit <api-protection-policy_ID>
        set domain-name <string>
        config api-path-list
            edit <id>
                set api-path-type {plain | regular}
                set api-path <string>
            next
        end
    next
end

<api-protection-policy_ID>
    Specify the API protection policy ID.
    Default: No default.

domain-name <string>
    Enter the name of the domain to be protected.
    Default: No default.

api-path-list <index>
    Enter the API path list ID.
    By default, the system learns API requests to all the URL paths of the domain. If you want to restrict the learning to certain API paths, specify the API paths that you want the system to learn.
    Default: No default.

api-path-type {plain | regular}
    Specify whether the API pattern must contain a plain literal URL (plain), or a regular expression designed to match multiple URLs (regular).

api-path <string>
    - If the api-path-type is plain, enter the literal URL, such as /folder1/index.htm, that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    - If the api-path-type is regular, enter a regular expression, such as ^/*\.jsp\?uid\=(.*), matching all and only the URLs to which the rule should apply. The pattern does not require a slash ( / ); however, it must at least match URLs that begin with a slash, such as /profile.cfm.
    Default: No default.
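Example

The waf api-learning-policy and waf api-learning-rule commands are configured together: the policy sets the learning and enforcement parameters, and the rule with the same ID names the domain and the API paths that the model learns. The following is an added example (it is not from this reference or from Fortinet) that builds an ML-based API protection policy for one domain and restricts learning to two API paths. The policy ID (1), the server policy ID, the trigger policy name "api-trigger", the domain api.example.com, the paths and the threshold values are all constructed for illustration. It assumes that the rule's edit ID is the API protection policy ID (this reference calls both "the API protection policy ID"), that several values may be given to schema-property and data-format on one line as the allow-method example earlier in this chapter does, and it writes keywords exactly as this reference prints them.

```text
config waf api-learning-policy
    edit 1
        set policy-id 1
        set status enable
        set ip-list-type Trust
        set start-training-cnt 500
        set action-mlapi alert_deny
        set block-period-mlapi 600
        set severity-mlapi High
        set trigger-mlapi "api-trigger"
        set schema-property maximum minimum maxLength minLength
        set data-format date-time email ipv4
        set de-duplication-all enable
        set schema-required-ratio 90
        set schema-ignored-ratio 5
    next
end
config waf api-learning-rule
    edit 1
        set domain-name "api.example.com"
        config api-path-list
            edit 1
                set api-path-type plain
                set api-path /v1/orders/*
            next
            edit 2
                set api-path-type regular
                set api-path ^/v1/users/[0-9]+$
            next
        end
    next
end
```

With schema-required-ratio 90 and schema-ignored-ratio 5, a field seen in at least 90% of the 500 samples becomes a required field in the learned schema, while a field seen in fewer than 5% of samples is dropped from the model; requests that violate the learned schema for /v1/orders/ or /v1/users/<id> are then blocked and logged with High severity.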

waf api-policy

Use this command to create an API gateway policy.

Syntax
config waf api-policy
    edit <api-policy_name>
        config api-rule-list
            edit <api-rule-list_id>
                set api-rule-name <api-rule-name_str>
            next
        end
    next
end

<api-policy_name>
    Enter a name for the API gateway policy.
    Default: No default.

<api-rule-list_id>
    The index number of the API gateway rule entry.
    Default: No default.

api-rule-name <api-rule-name_str>
    Select the created API gateway rule.
    Default: No default.

Related topics

- waf api-user-group on page 399
- waf api-rules on page 392
- waf api-users on page 397

waf api-rules

To restrict API access, you can use this command to configure certain rules involving API key verification, API key
carryover, API user grouping, sub-URL setting, and specified actions FortiWeb will take in case of any API call violation.

Syntax
config waf api-rules
    edit <api-rules_name>
        set api-key-verification {enable | disable}
        set allow-user-group <allow-user-group_name>
        set api-key-location {HTTP-parameter | HTTP-header}
        set header-field-name <header-field-name_str>
        set parameter-name <parameter-name_str>
        set rate-limit-period <rate-limit-period_int>
        set rate-limit-requests <rate-limit-requests_int>
        set rate-limit-user-period <rate-limit-user-period_int>
        set rate-limit-user-requests <rate-limit-user-requests_int>
        set x-ratelimit-headers {enable | disable}
        set action {alert | deny_no_log | alert_deny | block-period}
        set block-period <block-period_int>
        set severity {High | Medium | Low | Info}
        set trigger-policy <trigger-policy_str>
        set host <host_str>
        set host-status {enable | disable}
        config attach-HTTP-header
            edit <attach-HTTP-header_id>
                set HTTP-header-item <HTTP-header-item_str>
            next
        end
        config match-url-prefixes
            edit <match-url-prefixes_id>
                set frontend-prefix <frontend-prefix_str>
                set backend-prefix <backend-prefix_str>
            next
        end
        config sub-url-setting
            edit <sub-url-setting_id>
                set HTTP-method {get | post | head | options | trace | connect | delete | put | patch | any}
                set type {plain | regular}
                set url-expression <url-expression_str>
                set api-key-verification {enable | disable}
                set api-key-location {HTTP-parameter | HTTP-header}
                set header-field-name <header-field-name_str>
                set parameter-name <parameter-name_str>
                set rate-limit-period <rate-limit-period_int>
                set rate-limit-requests <rate-limit-requests_int>
                set rate-limit-user-period <rate-limit-user-period_int>
                set rate-limit-user-requests <rate-limit-user-requests_int>
                set allow-user-group <allow-user-group_name>
                set api-key-inherit {enable | disable}
            next
        end
    next
end

<api-rules_name>
    Type a unique name for the API gateway rule.
    Default: No default.

api-key-verification {enable | disable}
    When a user makes an API request, the API key is included in an HTTP header or parameter, and FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key to check whether it belongs to a valid API user.
    Default: disable

allow-user-group <allow-user-group_str>
    Select a user group created to define which users have permission to access the API.
    Available only when api-key-verification is enable.
    Default: disable

api-key-location {HTTP-parameter | HTTP-header}
    Indicate where FortiWeb can find your API key in the HTTP request:
    - HTTP-parameter
    - HTTP-header
    Default: HTTP-parameter

header-field-name <header-field-name_str>
    Enter the header field name in which FortiWeb can find the API key when api-key-location is HTTP-header.
    Default: No default.

parameter-name <parameter-name_str>
    Enter the parameter name in which FortiWeb can find the API key when api-key-location is HTTP-parameter.
    Default: No default.

rate-limit-period <rate-limit-period_int>
    Type the maximum number of API call requests allowed in a certain number of seconds.
    Default: No default.

rate-limit-requests <rate-limit-requests_int>
    Type the maximum number of API call requests allowed in a certain number of seconds.
    Default: No default.

rate-limit-user-period <rate-limit-user-period_int>
    Limit API requests by user. Type the maximum number of API call requests allowed per user in a certain number of seconds.
    Default: No default.

rate-limit-user-requests <rate-limit-user-requests_int>
    Type the maximum number of API call requests allowed per user in a certain number of seconds.
    Default: No default.

x-ratelimit-headers {enable | disable}
    Enable to add X-RateLimit-* headers to the response packet if the user exceeds the rate limit. The following information can be displayed to users: the request limit, the remaining requests, and the minimum time to wait before the user is allowed to send the next request.
    Default: disable

action {alert | deny_no_log | alert_deny | block-period}
    Select which action FortiWeb will take when it detects any API call violation:
    - alert: Accept the connection and generate an alert email and/or log message.
    - alert_deny: Block the request (or reset the connection) and generate an alert and/or log message.
    - deny_no_log: Block the request (or reset the connection).
    - block-period: Block subsequent requests from the client for a number of seconds. Also configure block-period.
    Default: alert

block-period <block-period_int>
    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects any API call violation. The valid range is 1–10,000 seconds.
    Available only if action is set to block-period.
    Default: 600

severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs any API call violation:
    - Informative
    - Low
    - Medium
    - High
    Default: Low

trigger-policy <trigger-policy_str>
    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about any API call violation. For details, see "Viewing log messages" on page 1.
    Default: No default.

host <host_str>
    Select the name of a protected host that the Host: field of an HTTP request must be in to match the API gateway rule.
    This option is available only if host-status is enable.
    Default: No default.

host-status {enable | disable}
    Enable to apply this rule only to HTTP requests for specific web hosts. Also configure host.
    Default: disable

<attach-HTTP-header_id>
    Enter the sequence number of the HTTP header.
    Default: No default.

HTTP-header-item <HTTP-header-item_str>
    Enter the HTTP header item.
    Default: No default.

<match-url-prefixes_id>
    The sequence number of the match URL prefixes entry.
    Default: No default.

frontend-prefix <frontend-prefix_str>
    Enter the frontend prefix: the URL path in a client call, for example /fortiweb/. The client URL is then like this: HTTPs://172.22.14.244/fortiweb/example.json?param=value.
    Default: No default.

backend-prefix <backend-prefix_str>
    Enter the backend prefix: the path with which the client request path is replaced, for example /api/v1.0/System/Status/. After the URL rewriting, the URL is like this: HTTPs://10.200.3.183:90/api/v1.0/System/Status/example.json?param=value.
    Default: No default.

<sub-url-setting_id>
    Enter the sequence number of the sub-URL.
    Default: No default.

The following settings are under config sub-url-setting.

HTTP-method {get | post | head | options | trace | connect | delete | put | patch | any}
    Select the HTTP method.
    Default: GET

type {plain | regular}
    Select whether the url-expression field must contain either:
    - plain: The field is a string that the request URL must match exactly.
    - regular: The field is a regular expression that defines a set of matching URLs.
    Default: plain

url-expression <url-expression_str>
    Depending on your selection in type, enter either:
    - The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
    - A regular expression, such as ^/*.php, matching all and only the URLs to which the rule should apply. The pattern does not require a slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.cfm.
    Default: No default.

api-key-verification {enable | disable}
    When a user makes an API request, the API key is included in an HTTP header or parameter, and FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key to check whether it belongs to a valid API user.
    Default: disable

api-key-location {HTTP-parameter | HTTP-header}
    Indicate where FortiWeb can find your API key in the HTTP request:
    - HTTP-parameter
    - HTTP-header
    Available only when api-key-verification is enable.
    Default: HTTP-parameter

header-field-name <header-field-name_str>
    Enter the header field name in which FortiWeb can find the API key when api-key-location is HTTP-header.
    Default: No default.

parameter-name <parameter-name_str>
    Enter the parameter name in which FortiWeb can find the API key when api-key-location is HTTP-parameter.
    Default: No default.

rate-limit-period <rate-limit-period_int>
    Type the maximum number of API call requests allowed in a certain number of seconds.
    Default: No default.

rate-limit-requests <rate-limit-requests_int>
    Type the maximum number of API call requests allowed in a certain number of seconds.
    Default: No default.

rate-limit-user-period <rate-limit-user-period_int>
    Limit API requests by user. Type the maximum number of API call requests allowed per user in a certain number of seconds.
    Default: No default.

rate-limit-user-requests <rate-limit-user-requests_int>
    Type the maximum number of API call requests allowed per user in a certain number of seconds.
    Default: No default.

allow-user-group <allow-user-group_name>
    Select a user group created to define which users have permission to access the API.
    Available only when api-key-verification is enable.
    Default: No default.

api-key-inherit {enable | disable}
    When a user makes an API request, the API key is included in an HTTP header or parameter of the sub-URL, and FortiWeb obtains the API key from the request. When this option is enabled, FortiWeb verifies the key to check whether it belongs to a valid API user.
    Default: disable

Related topics

- waf api-user-group on page 399
- waf api-policy on page 392
- waf api-users on page 397

waf api-users

Use this command to define API users to restrict access to APIs based on API keys.

Syntax
config waf api-users
    edit <api-user_name>
        set email <email_str>
        set comments <comments_str>
        set uuid <uuid_str>
        set api-key <api-key_str>
        set create-time <create-time_str>
        set key-mode {dynamic | jwt | standard}
        set url <jwt_url>
        set headers <jwt_headers>
        set params <jwt_parameters>
        set phantom-token-name <token_name>
        set token-name <token_name>
        set header-verification <string>
        set payload-validation <string>
        set rsa-key
        config ip-access-list
            edit <ip-access-list_id>
                set ip <ip_str>
            next
        end
        config http-referer-list
            edit <http-referer-list_id>
                set http-referer <http-referer_str>
            next
        end
    next
end

<api-user_name>
    Enter a name that identifies the user.
    Default: No default.

email <email_str>
    Type the email address of the user, used for contact purposes.
    Default: No default.

comments <comments_str>
    Optionally, enter a description or comments for the user.
    Default: No default.

uuid <uuid_str>
    Enter a unique identifier for the requesting user.
    Default: No default.

api-key <api-key_str>
    Specify an API key for the API user; the minimum length is 40 characters.
    Default: No default.

key-mode {dynamic | jwt | standard}
    Standard: Once the API user is created successfully, an API key and UUID are automatically assigned to this user by FortiWeb.
    Dynamic: FortiWeb uses the RSA algorithm to generate the token. It uses the public key to encode, and the private key to decode, a random string with a minimum length of 64. You need to enter the RSA key for the dynamic key.
    JWT: JSON Web Token (JWT) is an open standard (RFC 7519) that defines a way for transmitting information, like authentication and authorization facts, between two parties: an issuer and an audience. For the JWT key, you need to enter values for the following fields so that FortiWeb can communicate with the JWT server to validate the key.
    Default: Standard

url <jwt_url>
    The URL that FortiWeb uses to communicate with the JWT server.
    Default: No default.

headers <jwt_headers>
    The headers appended to the URL.
    Default: No default.

params <jwt_parameters>
    The parameters appended to the URL.
    Default: No default.

phantom-token-name <token_name>
    The name of the phantom token used for the JWT key.
    Default: No default.

token-name <token_name>
    The name of the token used for the JWT key.
    Default: No default.

header-verification <string>
    The header verification used for the JWT key.
    Default: No default.

payload-validation <string>
    The payload validation used for the JWT key.
    Default: No default.

rsa-key
    The RSA key used for the dynamic key or JWT key.
    Default: No default.

create-time <create-time_str>
    Specify the API user creation time.
    Default: No default.

<ip-access-list_id>
    The index number of the IP entry.
    Default: No default.

ip <ip_str>
    Specify the only IP addresses from which the API key can be used.
    Default: No default.

<http-referer-list_id>
    The index number of the Referer HTTP header entry.
    Default: No default.

http-referer <http-referer_str>
    Specify the Referer HTTP header in which the specified URLs are present.
    Default: No default.

Related topics

- waf api-policy on page 392
- waf api-rules on page 392
- waf api-user-group on page 399

waf api-user-group

Use this command to create an API user group, which defines the permissions that the users in the group have.

Syntax
config waf api-user-group
    edit <api-user-group_name>
        config user-list
            edit <user-list_id>
                set api-user-name <api-user-name_str>
            next
        end
    next
end

<api-user-group_name>
    Enter a name for the API user group.
    Default: No default.

<user-list_id>
    The index number of the API user entry.
    Default: No default.

api-user-name <api-user-name_str>
    Select the created API user name.
    Default: No default.
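Example

The four API gateway commands (waf api-users, waf api-user-group, waf api-rules and waf api-policy) are steps of one procedure: define the API users, group them, write a rule that references the group, then bind the rule into a policy. The following is an added example (it is not from this reference or from Fortinet) showing the complete chain for an inventory API: a standard-key user whose key may only be used from one source IP, a group holding that user, a rule that verifies the key from an X-API-Key header, applies a global and a per-user rate limit with X-RateLimit-* response headers, blocks violators for 300 seconds, rewrites the /inventory/ frontend prefix to the backend path, and tightens the per-user limit on a DELETE sub-URL, and a policy that binds the rule. All names, addresses, paths, header names and numbers are constructed for illustration; the host value is assumed to be the name of a protected host entry configured elsewhere, the trigger policy "api-trigger" is assumed to exist, and keywords are written exactly as this reference prints them.

```text
config waf api-users
    edit "svc-inventory"
        set email "inventory-owner@example.com"
        set comments "Inventory microservice client; key auto-generated (standard mode)"
        set key-mode standard
        config ip-access-list
            edit 1
                set ip 203.0.113.10
            next
        end
    next
end
config waf api-user-group
    edit "inventory-clients"
        config user-list
            edit 1
                set api-user-name "svc-inventory"
            next
        end
    next
end
config waf api-rules
    edit "inventory-api"
        set host-status enable
        set host "api.example.com"
        set api-key-verification enable
        set api-key-location HTTP-header
        set header-field-name "X-API-Key"
        set allow-user-group "inventory-clients"
        set rate-limit-period 60
        set rate-limit-requests 600
        set rate-limit-user-period 60
        set rate-limit-user-requests 100
        set x-ratelimit-headers enable
        set action block-period
        set block-period 300
        set severity Medium
        set trigger-policy "api-trigger"
        config match-url-prefixes
            edit 1
                set frontend-prefix /inventory/
                set backend-prefix /api/v1.0/Inventory/
            next
        end
        config sub-url-setting
            edit 1
                set HTTP-method delete
                set type regular
                set url-expression ^/inventory/items/[0-9]+$
                set api-key-inherit enable
                set rate-limit-user-period 60
                set rate-limit-user-requests 10
            next
        end
    next
end
config waf api-policy
    edit "inventory-gateway"
        config api-rule-list
            edit 1
                set api-rule-name "inventory-api"
            next
        end
    next
end
```

With this configuration a client call to HTTPs://api.example.com/inventory/items/42 carrying a valid X-API-Key from 203.0.113.10 is forwarded to /api/v1.0/Inventory/items/42 on the backend; a request with a missing, unknown or wrong-address key, or one that exceeds 100 requests per minute per user (10 per minute for DELETE on an item), is blocked for 300 seconds and logged at Medium severity, and the X-RateLimit-* headers tell a well-behaved client how long to wait.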

Related topics

- waf api-policy on page 392
- waf api-rules on page 392
- waf api-users on page 397

waf application-layer-dos-prevention

Use this command to create an HTTP-layer DoS protection policy. Once you create the policy, reference it in an inline
protection profile that is used by a server policy.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf application-layer-dos-prevention
    edit "<app-dos-policy_name>"
        set enable-HTTP-session-based-prevention {enable | disable}
        set HTTP-connection-flood-check-rule "<rule_name>"
        set HTTP-request-flood-prevention-rule "<rule_name>"
        set enable-layer4-dos-prevention {enable | disable}
        set layer4-access-limit-rule "<rule_name>"
        set layer4-connection-flood-check-rule "<rule_name>"
        set layer3-fragment-protection {enable | disable}
    next
end

"<app-dos-policy_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

enable-HTTP-session-based-prevention {enable | disable}
    Enable to use DoS protection based on session cookies. Also configure HTTP-connection-flood-check-rule "<rule_name>" on page 401 and HTTP-request-flood-prevention-rule "<rule_name>" on page 401.
    Default: disable

HTTP-connection-flood-check-rule "<rule_name>"
    Enter the name of an existing rule that sets the maximum number of HTTP requests per second to a specific URL. The maximum length is 63 characters.
    To display a list of the existing rules, enter:
    set HTTP-connection-flood-check-rule ?
    This setting applies only if enable-HTTP-session-based-prevention {enable | disable} on page 401 is enabled.
    Default: No default.

HTTP-request-flood-prevention-rule "<rule_name>"
    Enter the name of an existing rule that limits TCP connections from the same client. The maximum length is 63 characters.
    To display a list of the existing rules, enter:
    set HTTP-request-flood-prevention-rule ?
    This setting applies only if enable-HTTP-session-based-prevention {enable | disable} on page 401 is enabled.
    Default: No default.

enable-layer4-dos-prevention {enable | disable}
    Enable to use DoS protection that is not based on session cookies. Also configure layer4-access-limit-rule "<rule_name>" on page 401 and layer4-connection-flood-check-rule "<rule_name>" on page 401.
    Default: disable

layer4-access-limit-rule "<rule_name>"
    Enter the name of a rule that limits the number of HTTP requests per second from any source IP address. The maximum length is 63 characters.
    To display a list of the existing rules, enter:
    set layer4-access-limit-rule ?
    This setting applies only if enable-layer4-dos-prevention {enable | disable} on page 401 is enabled.
    Default: No default.

layer4-connection-flood-check-rule "<rule_name>"
    Enter the name of an existing rule that limits the number of TCP connections from the same source IP address. The maximum length is 63 characters.
    To display a list of the existing rules, enter:
    set layer4-connection-flood-check-rule ?
    This setting applies only if enable-layer4-dos-prevention {enable | disable} on page 401 is enabled.
    Default: No default.

layer3-fragment-protection {enable | disable}
    Enable to prevent attacks that use fragmented packets.
    Default: disable

Example

This example shows the settings for a DoS protection policy that protects a web portal using existing DoS prevention
rules.

config waf application-layer-dos-prevention
    edit "Web Portal DoS Policy"
        set enable-HTTP-session-based-prevention enable
        set HTTP-connection-flood-check-rule "Web Portal TCP Connect Limit"
        set HTTP-request-flood-prevention-rule "Web Portal HTTP Request Limit"
        set enable-layer4-dos-prevention enable
        set layer4-access-limit-rule "Web Portal HTTP Request Limit"
        set layer4-connection-flood-check-rule "Web Portal Network Connect Limit"
    next
end

Related topics

- waf HTTP-connection-flood-check-rule on page 478
- waf HTTP-request-flood-prevention-rule on page 492
- waf layer4-access-limit-rule on page 526
- waf layer4-connection-flood-check-rule on page 530
- system advanced on page 217

waf base-signature-disable

Use this command to disable individual or whole categories of data leak and attack signatures in every signature group
that currently exists.
For example, if you disable a certain signature ID with this command, the signature ID in every signature group you have
defined will be disabled.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf base-signature-disable
    edit "<signature-ID_name>"
    next
end

"<signature-ID_name>"
    Enter the name of an individual signature or signature category ID. The maximum length is 63 characters.
    For example, to disable the first cross-site scripting attack signature everywhere it is currently selected, you would enter:
    edit 010000001
    Default: No default.

Example

This example globally disables the XSS signature whose ID is 010000001.

config waf base-signature-disable
    edit "010000001"
    next
end

Related topics

- waf signature on page 555

waf biometrics-based-detection

By checking client events such as mouse movement, keyboard input, screen touch, and scrolling during a specified period,
FortiWeb judges whether a request comes from a human or from a bot. Use this command to configure a biometrics-based
detection rule that defines the client events to monitor, the collection period, and the request URLs to which it applies.

Syntax
config waf biometrics-based-detection
    edit <biometrics-based-detection-name_str>
        set mouse-movement {enable | disable}
        set click {enable | disable}
        set screen-touch {enable | disable}
        set keyboard {enable | disable}
        set scroll {enable | disable}
        set event-collection-time <time_int>
        set bot-effective-time <time_int>
        set action {alert | alert_deny | deny_no_log}
        set severity {high | medium | low | Info}
        set trigger <trigger_policy>
        config url-list
            edit <url-list_id>
                set host <host_str>
                set host-status {enable | disable}
                set type {simple-string | regex-expression}
                set url <url_str>
            next
        end
    next
end

<biometrics-based-detection-name_str>
    Type a unique name that can be referenced in other parts of the configuration.
    Default: No default.

mouse-movement {enable | disable}
    Enable to monitor the mouse movement event.
    Default: enable

keyboard {enable | disable}
    Enable to monitor the keyboard event.
    Default: enable

click {enable | disable}
    Enable to monitor the click event.
    Default: enable

screen-touch {enable | disable}
    Enable to monitor the screen touch event.
    Default: disable

scroll {enable | disable}
    Enable to monitor the scroll event.
    Default: disable

event-collection-time <time_int>
    Specify how long the events will be collected from the client.
    Default: 15

bot-effective-time <time_int>
    For an identified bot, choose the time period before FortiWeb tests and verifies the bot again.
    Default: 5

action {alert | alert_deny | deny_no_log}
    Select which action FortiWeb will take when it detects a violation of the policy:
    - alert: Accept the connection and generate an alert email and/or log message.
    - alert_deny: Block the request (or reset the connection) and generate an alert and/or log message.
    - deny_no_log: Block the request (or reset the connection).
    Default: alert

severity {high | medium | low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the policy:
    - Informative
    - Low
    - Medium
    - High
    Default: Low

trigger <trigger_policy>
    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the policy. For details, see "Viewing log messages" on page 1.
    Default: No default.

<url-list_id>
    Enter the sequence number of the URL.
    Default: No default.

host <host_str>
    Select the name of a protected host that the Host: field of an HTTP request must be in to match the rule.
    This option is available only if host-status is enable.
    Default: No default.

host-status {enable | disable}
    Enable to apply this rule only to HTTP requests for specific web hosts. Also configure host <host_str>.
    Default: disable

type {simple-string | regex-expression}
    Select whether the url <url_str> field must contain either:
    - simple-string: The field is a string that the request URL must match exactly.
    - regex-expression: The field is a regular expression that defines a set of matching URLs.
    Default: simple-string

url <url_str>
    Depending on your selection in type {simple-string | regex-expression}, enter either:
    - The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
    - A regular expression, such as ^/*.php, matching all and only the URLs to which the rule should apply. The pattern does not require a slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.cfm.
    When you have finished typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Appendix D: Regular expressions.
    Default: No default.
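Example

The following is an added example (it is not from this reference or from Fortinet) of a biometrics-based detection rule that monitors all five client event types for 15 seconds on the login page and on every checkout URL of one protected host, re-checks a client judged to be a bot after 5 minutes, and blocks and logs requests that show no human interaction. The rule name, the trigger policy "bot-trigger", the host value (assumed to be the name of a protected host entry configured elsewhere) and the URLs are constructed for illustration; the rule is then referenced from a bot mitigation policy (waf bot-mitigation-policy on page 415), and keywords are written exactly as this reference prints them.

```text
config waf biometrics-based-detection
    edit "login-human-check"
        set mouse-movement enable
        set keyboard enable
        set click enable
        set screen-touch enable
        set scroll enable
        set event-collection-time 15
        set bot-effective-time 5
        set action alert_deny
        set severity medium
        set trigger "bot-trigger"
        config url-list
            edit 1
                set host-status enable
                set host "www.example.com"
                set type simple-string
                set url /login
            next
            edit 2
                set host-status enable
                set host "www.example.com"
                set type regex-expression
                set url ^/checkout/.*
            next
        end
    next
end
```

Enabling screen-touch and scroll (both disabled by default) matters for mobile and touch-only visitors, who generate no mouse movement at all; with only the default events enabled, such a visitor would look like a bot for the whole collection window.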

Related topics

- waf bot-mitigation-policy on page 415

waf bot-detection-policy

Use this command to edit bot detection policies.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf bot-detection-policy
    edit <bot-detection-policy_ID>
        set policy-id <server-policy-id>
        set model-status {enable | disable}
        set advanced-mode {enable | disable}
        set client-identification-method {IP | IP-and-User-Agent | Cookie}
        set sampling-count <integer>
        set sampling-count-per-client <integer>
        set sampling-time-per-vector <integer>
        set training-accuracy <percentage>
        set cross-validation <percentage>
        set testing-accuracy <percentage>
        set selected-model {Strict | Loose}
        set anomaly-count <integer>
        set bot-confirmation {enable | disable}
        set verification-method {Disable | Real-Browser-Enforcement | Captcha-Enforcement | reCaptcha-Enforcement}
        set recaptcha <recaptcha_server_name>
        set validation-timeout <integer>
        set max-attempt-times <integer>
        set mobile-verification-method {Disable | Mobile-Token-Validation}
        set auto-refresh {enable | disable}
        set refresh-factor <value-from-0-to-one>
        set minimum-vector-number <integer>
        set action {alert | deny_no_log | alert_deny | block-period}
        set block-period <integer>
        set severity {High | Medium | Low | Info}
        set trigger <trigger_policy_name>
        config allow-source-ip
            edit <allow-source-ip-list-id>
                set ip <ip-address>
            next
        end
        config bot-detection-exception-list
            edit <bot-detection-exception-list-id>
                set host <string>
                set host-status {enable | disable}
                set url-type {plain | regular}
                set url-pattern <string>
            next
        end
    next
end

Variable Description Default

policy-id <server-policy-id>
  Associate this bot detection policy with the specified server policy.
  Default: No default.

model-status {enable | disable}
  Enable or disable bot detection.
  Default: enable

advanced-mode {enable | disable}
  Enable or disable the advanced settings in the bot detection policy.
  Default: disable

client-identification-method {IP | IP-and-User-Agent | Cookie}
  The data collected in one sample must come from the same user. The system uses the source IP, the source IP plus User-Agent, or a cookie to identify a user:
  • IP: the traffic data in one sample must come from the same source IP.
  • IP-and-User-Agent: the traffic data in one sample must come from the same source IP and the same User-Agent (browser).
  • Cookie: the traffic data in one sample must carry the same cookie value.
  Default: IP-and-User-Agent

sampling-count <integer>
  Controls how many samples are collected during the sample collection period. More samples make the model more accurate, but sample collection takes longer to complete.
  Not all traffic data is collected as samples. The system discards traffic data that meets any of the following criteria:
  • The system sends a JavaScript challenge to user clients before collecting samples from them. If a client does not pass the challenge, the system does not collect sample data from it.
  • The traffic is from malicious IPs reported by the IP Intelligence feature, or is recognized as a bot by the system.
  • The traffic is from Known Engines, such as Google and Bing. The system also skips known engine traffic when executing bot detection.
  These criteria exclude malicious traffic and traffic from known engines that behave like bots, so that the bot detection model is built on valid data collected from regular users.
  Default: 1000

sampling-count-per-client <integer>
  Controls how many samples FortiWeb collects from each client (user) per hour. For example, if the value is 3 and a client generates 10 samples in an hour, the system collects only the first 3 samples from that client in that hour. If the client generates more samples in the next hour, the system again collects samples from it until the count reaches 3.
  This option prevents the system from continuously collecting samples from one client, which limits the influence of bot traffic on the sampling stage.
  Default: 3

sampling-time-per-vector <integer>
  Each vector (also called a sample) records one user's behavior over a certain time range. This option defines, in minutes, how long that range is. For example, if the value is 5, the system records a user's behavior for 5 minutes and counts it as one sample.
  Default: 5

training-accuracy <percentage>
  The training accuracy is calculated by this formula:
    (number of regular samples in the training sample set / total number of training samples) * 100%
  As introduced in the Basic Concepts section, multiple models are built from multiple parameter combinations in the SVM algorithm. The system uses each model to detect anomalies in the sample set and calculates the training accuracy for each model. For example, if there are 100 training samples and a model treats 90 of them as regular, that model's training accuracy is 90%.
  The default is 95%, which means that only models whose training accuracy is equal to or higher than 95% are selected as qualified models.
  Default: 95%

cross-validation <percentage>
  The system divides the training sample set evenly into three parts (Part A, B and C) and runs three rounds of bot detection:
  • First, the system observes the samples in Part A and B to build a mathematical model, then uses this model to detect anomalies in Part C.
  • Then, it observes the samples in Part B and C to build a model, then uses that model to detect anomalies in Part A.
  • Finally, it observes the samples in Part A and C to build a model, then uses that model to detect anomalies in Part B.
  The cross-validation value is calculated by this formula:
    (total number of regular samples / total number of samples) * 100%
  For example, if there are 100 samples and 10 anomalies are detected across the three rounds, the cross-validation value for this model is (100 - 10) / 100 * 100% = 90%.
  The default is 90%, which means that only models whose cross-validation value is equal to or higher than 90% are selected as qualified models.
  Default: 90%

testing-accuracy <percentage>
  Three quarters of the samples form the training sample set, and the remaining quarter forms the testing sample set. The system uses the models built on the training set to detect anomalies in the testing set. If a model's training accuracy and testing accuracy differ greatly, the model may not be valid.
  The testing accuracy is calculated by this formula:
    (number of regular samples in the testing sample set / number of testing samples) * 100%
  For example, if there are 100 testing samples and a model treats 95 of them as regular, that model's testing accuracy is 95%.
  The default is 95%, which means that only models whose testing accuracy is equal to or higher than 95% are selected as qualified models.
  Default: 95%

selected-model {Strict | Loose}
  Multiple models are built during the model building stage. The system uses training accuracy, cross-validation value, and testing accuracy to select qualified models; the model type then selects the one final model out of all qualified models:
  • Loose: the system chooses the qualified model with the highest training accuracy.
  • Strict: the system chooses the qualified model with the lowest training accuracy.
  The Strict model detects more anomalies, but regular users are more likely to be falsely detected as bots. The Loose model is less likely to produce false positives, but real bots are more likely to escape detection.
  There is no perfect option for every situation. Whichever model type you choose, you can use the other commands to mitigate the side effects, for example bot-confirmation enable to reduce false positive detections.
  Default: Loose

anomaly-count <integer>
  If the system detects a certain number of anomalies from a user, it takes action, such as sending an alert email or blocking traffic from that user. Anomaly Count controls how many anomalies are allowed for each user.
  For example, if Anomaly Count is 4 and the system has detected 3 anomalies in the last 6 vectors, the system takes action if the 7th vector is also detected as an anomaly.
  Note that if no valid traffic is collected for the 7th vector (for example, the user leaves your application), the system clears the anomaly count and the user information. If the user revisits your application, he or she is treated as a new user and anomaly counting starts afresh.
  Because this option tolerates a certain number of anomalies per user, it is a good choice if you want to avoid false positive detections.
  Default: 3

bot-confirmation {enable | disable}
  If the number of anomalies from a user reaches the Anomaly Count, the system executes Bot Confirmation before taking action. Bot Confirmation checks whether the user is indeed a bot: the system sends RBE (Real Browser Enforcement) JavaScript or a CAPTCHA to the client to double-check.
  Default: enable

verification-method {Disable | Real-Browser-Enforcement | Captcha-Enforcement | reCaptcha-Enforcement}
  • Disable: do not execute browser verification.
  • Real-Browser-Enforcement: the system sends JavaScript to the client to verify whether it is a web browser.
  • Captcha-Enforcement: the system requires the client to successfully complete a CAPTCHA. CAPTCHA verification is not presented again for bot confirmation to the same user within a 10 minute timeout.
  • reCaptcha-Enforcement: the system requires the client to successfully complete a reCAPTCHA.
  The action policy is triggered if the traffic is not from a web browser.
  Default: Real-Browser-Enforcement

recaptcha <recaptcha_server_name>
  Enter the reCAPTCHA server you have created through user recaptcha-user.
  Default: No default.

validation-timeout <integer>
  Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client for Bot Confirmation. The valid range is 5–30.
  Default: 20

max-attempt-times <integer>
  The maximum number of CAPTCHA enforcement validation attempts. If the client fails validation the specified number of times, the system triggers the action policy.
  Available only if verification-method is set to Captcha-Enforcement.
  Default: 3

mobile-verification-method {Disable | Mobile-Token-Validation}
  • Disable: the system does not verify whether the sample traffic is from mobile devices.
  • Mobile-Token-Validation: the system verifies the mobile token to confirm whether the traffic is from mobile devices.
  Default: Disable

auto-refresh {enable | disable}
  If enabled, FortiWeb checks whether the current model is still applicable and, if it is not, refreshes the model automatically.
  Default: enable

refresh-factor <value-from-0-to-one>
  The Auto Refresh Factor controls when a model refresh is triggered after a certain number of false positive vectors are detected.
  FortiWeb keeps statistics for bot detection over the past 24 hours. It counts:
  • all vectors in the past 24 hours (A),
  • anomaly vectors (B), and
  • anomaly vectors that are confirmed as bots (C).
  If (B - C) / (A - C) > 1 - Auto Refresh Factor * training accuracy, the model is refreshed:
  • (B - C) is the number of false positive vectors and (A - C) is the number of regular vectors, so (B - C) / (A - C) is the false positive rate.
  • (1 - Auto Refresh Factor * training accuracy) is an adjusted anomaly vector rate; consider it the auto refresh threshold.
  If the false positive rate (B - C) / (A - C) becomes greater than the auto refresh threshold (1 - Auto Refresh Factor * training accuracy), the system determines that the current model is not applicable and automatically refreshes it.
  With the default training accuracy of 95%, the auto refresh threshold for Auto Refresh Factor values from 0 to 1 is 1 - factor * 0.95:
    Auto Refresh Factor:    0     0.1    0.2   0.3    0.4   0.5    0.6   0.7    0.8   0.9    1
    Auto refresh threshold: 1     0.905  0.81  0.715  0.62  0.525  0.43  0.335  0.24  0.145  0.05
  For example, if the Auto Refresh Factor is 0.8, the threshold is 1 - 0.8 * 95% = 0.24, which means the system automatically refreshes the model when the false positive rate exceeds 0.24 (for example, more than 24 false positive vectors against 100 regular vectors). Use this relationship to choose an Auto Refresh Factor that suits your situation.
  Default: 0.7

minimum-vector-number <integer>
  As described above, the system decides whether to update the bot detection model based on the statistics of the past 24 hours. If very few vectors were detected in that period, the refresh decision may be unreliable. Set a Minimum Vector Number so that the system does not update the model until the number of vectors has reached this value.
  If the value is 0, the system uses the value of sampling-count as the Minimum Vector Number.
  Default: 0

action {alert | deny_no_log | alert_deny | block-period}
  The action FortiWeb takes when a client is confirmed as a bot:
  • alert—Accept the connection and generate an alert email and/or log message.
  • deny_no_log—Block the request. No log is generated.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
  • block-period—Block subsequent requests from the client for a certain period of time.
  Default: alert

block-period <integer>
  Enter the number of seconds for which requests are blocked. The valid range is 1–3,600 seconds.
  This option only takes effect when action is block-period.
  Default: 600

severity {High | Medium | Low | Info}
  Select the severity level for this anomaly type. The severity level is displayed in the alert email and/or log message.
  Default: High

trigger <trigger_policy_name>
  Select a trigger policy. If an anomaly is detected, the system sends email and/or log messages according to the trigger policy.
  Default: No default

ip <ip-address>
  If specified, the system collects sample data only from these IP addresses.
  Default: No default

host <string>
  The IP address or FQDN of a protected host. The system collects samples from any host except the specified one.
  Default: No default

host-status {enable | disable}
  Enable or disable comparing the URLs to the Host: field in the HTTP header.
  Default: enable

url-type {plain | regular}
  Specify whether the exception URL must contain either:
  • plain—The field is a string that the exception URL must match exactly.
  • regular—The field is a regular expression that defines a set of matching URLs.
  Default: No default

url-pattern <string>
  Depending on the url-type, enter either:
  • plain—The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
  • regular—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.
  Do not include the domain name, such as www.example.com, which is configured separately in [bot-detection-exception-list] <No.> host <string>.
  Default: No default
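The model qualification, model selection, anomaly counting and auto-refresh rules described above are simple enough to check by hand, and the following Python script does exactly that so you can try settings before committing them. It is an added example, not FortiWeb code: FortiWeb does not expose its SVM models or its per-client counters, so the candidate models (m1 to m3, with constructed accuracy values), the vector counts and the client names are assumptions, and the names qualified_models, select_model, refresh_threshold, should_refresh, refresh_threshold_table and AnomalyCounter belong to this example. The thresholds and formulas are the ones the reference gives, with accuracies written as fractions (0.95 rather than 95%).

```python
"""Model of the waf bot-detection-policy selection and refresh rules.

Added illustration, not FortiWeb code. Candidate models and counts below are
constructed; the thresholds and formulas follow the CLI reference.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    training: float          # training accuracy as a fraction, 0..1
    cross_validation: float  # cross-validation value, 0..1
    testing: float           # testing accuracy, 0..1


def qualified_models(candidates, training_min=0.95, cv_min=0.90, testing_min=0.95):
    """Candidates that meet all three thresholds (defaults 95% / 90% / 95%)."""
    return [c for c in candidates
            if c.training >= training_min
            and c.cross_validation >= cv_min
            and c.testing >= testing_min]


def select_model(candidates, model_type="Loose", **thresholds):
    """Loose = highest training accuracy among qualified models, Strict = lowest.
    Returns None when no candidate qualifies."""
    pool = qualified_models(candidates, **thresholds)
    if not pool:
        return None
    pick = max if model_type.lower() == "loose" else min
    return pick(pool, key=lambda c: c.training)


def refresh_threshold(refresh_factor, training_accuracy=0.95):
    """Auto refresh threshold: 1 - Auto Refresh Factor * training accuracy."""
    if not 0.0 <= refresh_factor <= 1.0:
        raise ValueError("refresh-factor must be between 0 and 1")
    return 1.0 - refresh_factor * training_accuracy


def refresh_threshold_table(training_accuracy=0.95):
    """Threshold for refresh-factor 0.0 .. 1.0 in steps of 0.1, rounded to 3 places."""
    return {round(i / 10, 1): round(refresh_threshold(i / 10, training_accuracy), 3)
            for i in range(11)}


def should_refresh(all_vectors, anomaly_vectors, confirmed_bots,
                   refresh_factor=0.7, training_accuracy=0.95,
                   minimum_vector_number=0, sampling_count=1000):
    """24-hour refresh decision with A, B and C as the reference defines them.

    False positive rate = (B - C) / (A - C); refresh when it exceeds the
    threshold. minimum-vector-number 0 falls back to sampling-count.
    """
    a, b, c = all_vectors, anomaly_vectors, confirmed_bots
    if not (a >= b >= c >= 0):
        raise ValueError("expected A >= B >= C >= 0")
    floor = minimum_vector_number or sampling_count
    if a < floor:
        return False          # too few vectors to trust the statistics
    regular = a - c
    if regular == 0:
        return False          # every vector was a confirmed bot; nothing to judge
    false_positive_rate = (b - c) / regular
    return false_positive_rate > refresh_threshold(refresh_factor, training_accuracy)


class AnomalyCounter:
    """Per-client anomaly counting, including the reset when a client goes away."""

    def __init__(self, anomaly_count=3):
        self.anomaly_count = anomaly_count
        self.counts = {}

    def observe(self, client, is_anomaly, has_traffic=True):
        """Feed one vector; True when the client reaches the anomaly count
        (the point at which bot confirmation and then the action run)."""
        if not has_traffic:
            self.counts.pop(client, None)   # no valid traffic: forget the client
            return False
        if is_anomaly:
            self.counts[client] = self.counts.get(client, 0) + 1
        return self.counts.get(client, 0) >= self.anomaly_count


if __name__ == "__main__":
    # Constructed candidates, not real FortiWeb output.
    models = [Candidate("m1", 0.99, 0.93, 0.96), Candidate("m2", 0.96, 0.91, 0.95),
              Candidate("m3", 0.97, 0.85, 0.97)]
    print("Loose picks", select_model(models, "Loose").name)
    print("Strict picks", select_model(models, "Strict").name)
    print("factor 0.8 threshold", round(refresh_threshold(0.8), 3))
    print("refresh?", should_refresh(1124, 48, 24, refresh_factor=0.8))
```

Running it shows that with refresh-factor 0.8 the threshold is 0.24, so a day with 24 false positive vectors against 100 regular vectors does not trigger a refresh while 25 would. Lowering the factor raises the threshold and makes refreshes rarer, which is the direction to move if auto-refresh keeps discarding a model that is actually fine.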

waf bot-mitigation-policy

You can use this command to combine a bot deception policy, a biometrics based detection rule, a threshold based detection rule, and a known bots rule into a single bot mitigation policy, and apply that policy in the web protection profile for bot mitigation.

Syntax
config waf bot-mitigate-policy
edit "<bot-mitigate-policy_name>"
set bot-deception <bot-deception_str>
set biometrics-based-detection <biometrics-based-detection_str>
set threshold-based-detection <threshold-based-detection_str>
set known-bots <known-bots_str>
next
end

Variable Description Default

"<bot-mitigate-policy_name>"
  Enter a name for the bot mitigation policy.
  Default: No default

bot-deception <bot-deception_str>
  Select a bot deception policy from the list of created policies.
  Default: No default

biometrics-based-detection <biometrics-based-detection_str>
  Select a biometrics based detection rule from the list of created rules.
  Default: No default

threshold-based-detection <threshold-based-detection_str>
  Select a threshold based detection rule from the list of created rules.
  Default: No default

known-bots <known-bots_str>
  Select a known bots rule from the list of created rules.
  Default: No default

Related topics

• waf bot-deception on page 1
• waf biometrics-based-detection on page 403
• waf threshold-based-detection on page 600
• waf known-bots on page 514

waf cookie-security

Use this command to configure FortiWeb features that prevent cookie-based attacks.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config waf cookie-security
edit "<cookie-security_name>"
set security-mode {no | encrypted | signed}
set action {alert | alert_deny | block-period | remove_cookie | deny_no_log}
set block-period <block-period_int>
set severity {High | Medium | Low | Info}
set trigger "<trigger-policy_name>"
set cookie-replay-protection-type {no | IP}
set max-age <max-age_int>
set secure-cookie {enable | disable}
set HTTP-only {enable | disable}
set samesite {enable | disable}
set samesite-value {strict | lax | none}
set allow-suspicious-cookies {Never | Always | Custom}
set allow-time "<time_str>"
config cookie-security-exception-list
edit <entry_index>
set cookie-name "<cookie-name_str>"
set cookie-domain "<cookie-domain_str>"
set cookie-path "<cookie-path_str>"
next
end
next
end

Variable Description Default

"<cookie-security_name>"
  Enter the cookie security policy name. The maximum length is 63 characters.
  Default: No default.

security-mode {no | encrypted | signed}
  Enter the security mode for the cookie security policy:
  • no—FortiWeb does not apply cookie tampering protection or encrypt cookie values.
  • encrypted—Encrypts cookie values that the back-end web server sends to clients. Clients see encrypted cookies only. FortiWeb decrypts cookies submitted by clients before it sends them to the back-end server.
  • signed—Prevents tampering (cookie poisoning) by tracking the cookie value. This option requires you to enable Session Management in the protection policy, and the client must support cookies. For details, see waf web-protection-profile inline-protection on page 636.
    When FortiWeb receives the first HTTP or HTTPS request from a client, it uses a cookie to track the session. When you select this option, the session-tracking cookie includes a hash value that FortiWeb uses to detect tampering with the cookie from the back-end server response. If FortiWeb determines that the cookie from the client has changed, it takes the action specified by action.
  Default: no

action {alert | alert_deny | block-period | remove_cookie | deny_no_log}
  Select the action that the FortiWeb appliance performs when it detects cookie poisoning:
  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code.
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <block-period_int>.
    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option you must also define an X-header that indicates the original client's IP. For details, see waf x-forwarded-for on page 659. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.
  • remove_cookie—Accept the request, but remove the poisoned cookie from the datagram before it reaches the web server, and generate an alert and/or log message.
  • deny_no_log—Deny the request. Do not generate a log message.
  Caution: This setting is ignored if monitor-mode {enable | disable} on page 152 is enabled.
  Note: Logging and/or alert email occur only if enabled and configured. See config log disk and config log alertemail.
  Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance blocks the request or resets the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see "waf web-protection-profile autolearning-profile" on page 1.
  Default: alert

block-period <block-period_int>
  Enter the number of seconds to block a connection when action is set to block-period. The valid range is from 1 to 3,600 seconds.
  Default: 600

severity {High | Medium | Low | Info}
  Select the severity level to use in logs and reports generated when cookie poisoning is detected.
  Default: High

trigger "<trigger-policy_name>"
  Enter the name of the trigger to apply when cookie poisoning is detected. For details, see log trigger-policy on page 93. The maximum length is 63 characters. To display the list of existing trigger policies, type:
  set trigger ?
  Default: No default.

cookie-replay-protection-type {no | IP}
  Select whether FortiWeb uses the IP address of a request to determine the owner of the cookie. Because the public IP of a client is not static in many environments, Fortinet recommends that you do not enable Cookie Replay.
  Available only when security-mode is encrypted.
  Default: no

max-age <max-age_int>
  Set the cookie security attributes. Enter the maximum age, in minutes, permitted for cookies that do not have an "Expires" or "Max-Age" attribute. To configure no expiry age for cookies, enter 0.
  Default: 0

secure-cookie {enable | disable}
  Set the cookie security attributes. Enable to add the Secure flag to cookies, which forces browsers to return the cookie only when the request is for an HTTPS page.
  Default: disable

HTTP-only {enable | disable}
  Set the cookie security attributes. Enable to add the HttpOnly flag to cookies, which prevents client-side scripts from accessing the cookie.
  Default: enable

samesite {enable | disable}
  Enable to add the SameSite attribute so that you can declare that your cookie should be restricted to a first-party or same-site context.
  Default: disable

samesite-value {strict | lax | none}
  • strict: requests from third parties never carry the cookie.
  • lax: requests from third parties do not carry the cookie, except for GET requests that navigate to the destination URL.
  • none: set this value if the cookie must be sent cross-origin. Current browsers drop a SameSite=None cookie that lacks the Secure flag, so also enable secure-cookie when you use this value.
  Default: lax

allow-suspicious-cookies {Never | Always | Custom}
  Select whether FortiWeb allows requests that contain cookies it does not recognize or that are missing cookies:
  • When security-mode is encrypted, suspicious cookies are cookies for which FortiWeb does not have a corresponding encrypted cookie value.
  • When cookie-replay-protection-type is IP, the suspicious cookie is a missing cookie that tracks the client IP address.
  In many cases, when you first introduce the cookie security features, cookies that client browsers cached earlier generate false positives. To avoid this problem, either select Never, or select Custom and enter an appropriate date on which to start taking the specified action against suspicious cookies.
  • Never—FortiWeb does not take the action specified by action against suspicious cookies.
  • Always—FortiWeb always takes the specified action against suspicious cookies.
  • Custom—FortiWeb takes the specified action against suspicious cookies starting on the date specified by allow-time "<time_str>".
  This feature is not available if security-mode is signed.
  Default: Custom

allow-time "<time_str>"
  Set the date on which FortiWeb starts to take the specified action against suspicious cookies if allow-suspicious-cookies is Custom.
  Default: No default.

<entry_index>
  Enter the index number of a new or existing entry in the exception list of the cookie security policy.
  Default: No default.

cookie-name "<cookie-name_str>"
  Set the exception cookie entry name.
  Default: No default.

cookie-domain "<cookie-domain_str>"
  Enter the partial or complete domain name or IP address as it appears in the cookie. For example: www.example.com, .google.com or 192.0.2.50.
  Default: No default.

cookie-path "<cookie-path_str>"
  Enter the path as it appears in the cookie, such as / or /blog/folder.
  Default: No default.
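To make concrete what the signed mode and the cookie attribute settings above do to traffic, here is an added Python example. It is not FortiWeb's implementation (FortiWeb does not document its hash or key handling); it uses an HMAC-SHA256 tag over the cookie name and value as a stand-in for the hash that FortiWeb appends, and it applies the max-age, secure-cookie, HTTP-only, samesite and samesite-value rules to a Set-Cookie header the way the table describes them. CookiePolicy, protect_set_cookie and check_request_cookie are this example's own names, the key is a constructed test secret, and the encrypted mode and cookie-replay protection are not modelled.

```python
"""Signed-mode cookie protection and Set-Cookie attribute hardening.

Added illustration of the waf cookie-security settings, not FortiWeb code.
The HMAC tag stands in for FortiWeb's undocumented hash; the key is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class CookiePolicy:
    key: bytes                      # constructed secret; FortiWeb manages its own
    security_mode: str = "signed"   # no | signed (encrypted is not modelled here)
    action: str = "alert_deny"      # taken when a signed cookie fails verification
    max_age_minutes: int = 0        # 0 = do not add an expiry (as in the reference)
    secure_cookie: bool = False
    http_only: bool = True
    samesite: bool = False
    samesite_value: str = "lax"     # strict | lax | none


def _mac(policy, name, value):
    # Bind the tag to the cookie name as well as the value, so a valid tag
    # cannot be moved from one cookie to another.
    msg = f"{name}={value}".encode()
    return hmac.new(policy.key, msg, hashlib.sha256).hexdigest()[:32]


def protect_set_cookie(policy, header):
    """Rewrite one Set-Cookie header value on its way from the back-end server."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = parts[1:]
    present = {a.split("=", 1)[0].lower() for a in attrs}

    def add(attr):
        attrs.append(attr)
        present.add(attr.split("=", 1)[0].lower())

    if policy.security_mode == "signed":
        value = f"{value}.{_mac(policy, name, value)}"
    # max-age applies only to cookies that carry neither Expires nor Max-Age.
    if policy.max_age_minutes and not ({"expires", "max-age"} & present):
        add(f"Max-Age={policy.max_age_minutes * 60}")
    if policy.secure_cookie and "secure" not in present:
        add("Secure")
    if policy.http_only and "httponly" not in present:
        add("HttpOnly")
    if policy.samesite and "samesite" not in present:
        add(f"SameSite={policy.samesite_value.capitalize()}")
        # Browsers drop SameSite=None cookies without Secure, so add it rather
        # than emit a cookie the client will never send back.
        if policy.samesite_value.lower() == "none" and "secure" not in present:
            add("Secure")
    return "; ".join([f"{name}={value}", *attrs])


def check_request_cookie(policy, name, received):
    """Verify a signed cookie coming back from the client.

    Returns (value_for_backend, verdict): verdict is "ok", or the policy action
    when the tag is missing or does not match (the value is then withheld).
    """
    if policy.security_mode != "signed":
        return received, "ok"
    value, sep, tag = received.rpartition(".")
    if not sep or not hmac.compare_digest(tag, _mac(policy, name, value)):
        return None, policy.action
    return value, "ok"


if __name__ == "__main__":
    pol = CookiePolicy(key=b"constructed-test-key", max_age_minutes=30,
                       secure_cookie=True, samesite=True, samesite_value="strict")
    out = protect_set_cookie(pol, "session=abc123; Path=/")
    print(out)
    signed = out.split(";")[0].split("=", 1)[1]
    print(check_request_cookie(pol, "session", signed))
    print(check_request_cookie(pol, "session", "abc124." + signed.split(".")[1]))
```

The tampered-value call returns the configured action rather than a value, which is the point of signed mode: the back-end never sees a cookie the client has altered, and the policy decides whether the request is logged, dropped, or forwarded without the cookie.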

Related topics

l waf web-protection-profile inline-protection on page 636

waf csrf-protection

Use this command to protect against cross-site request forgery (CSRF). CSRF is an attack that exploits the trust that a site has in a user's browser to transmit unauthorized commands.
The CSRF protection feature is not supported when the operation mode is Offline Protection or Transparent Inspection.
To protect back-end servers from CSRF attacks, you create two lists of items: a list of web pages to protect against CSRF attacks, and a corresponding list of the URLs found in the requests that those pages generate. For more information on configuring CSRF protection, including troubleshooting and adding parameter filters, see the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
To apply a CSRF protection rule, you select it in an inline protection profile. For details, see waf web-protection-profile inline-protection on page 636.
Before you configure a CSRF protection rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts on page 103.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf csrf-protection
edit "<csrf-rule_name>"
set action {alert | alert_deny | block-period | deny_no_log}
set block-period <seconds_int>
set severity {High | Medium | Low | Info}
set trigger <trigger-policy_name>
config csrf-page-list
edit <entry_index>
set host <host_name>
set request-url <url_str>
set host-status {enable | disable}
set request-type {plain | regular}
set parameter-filter {enable | disable}
set parameter-name <parameter-name_str>
set parameter-value-type {plain | regular}
set parameter-value <parameter-value_str>
next
end
config csrf-url-list
edit <entry_index>
set host <host_name>
set request-url <url_str>
set host-status {enable | disable}
set request-type {plain | regular}
set parameter-filter {enable | disable}
set parameter-name <parameter-name_str>
set parameter-value-type {plain | regular}
set parameter-value <parameter-value_str>
next
end
next
end

Variable Description Default

"<csrf-rule_name>"
  Enter the name of a new or existing rule. The maximum length is 63 characters. To display the list of existing rules, enter:
  edit ?
  Default: No default.

action {alert | alert_deny | block-period | deny_no_log}
  Enter the action that FortiWeb takes when it detects a missing or incorrect anti-CSRF parameter:
  • alert—Accept the request and generate an alert email, a log message, or both.
  • alert_deny—Block the request (reset the connection) and generate an alert email, a log message, or both. You can customize the web page that FortiWeb returns to the client with the HTTP status code.
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.
  • deny_no_log—Deny the request. Do not generate a log message.
  Note: Logging and alert email occur only if the corresponding settings are enabled and configured. For details, see log disk on page 66 and log alertMail on page 60.
  Default: alert

block-period <seconds_int>
  Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects a CSRF attack. The valid range is 1–3,600 seconds.
  This setting applies only if action is block-period.
  Default: 600

severity {High | Medium | Low | Info}
  Select the severity level to use in any logs and reports that FortiWeb generates when a violation of this rule occurs.
  Default: Low

trigger <trigger-policy_name>
  Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy on page 93. The maximum length is 63 characters. To display the list of existing trigger policies, enter:
  set trigger ?
  Default: No default.

<entry_index>
  Enter the index number of the individual entry in the table.
  Default: No default.

host <host_name>
  Enter a protected host name (either a web host name or IP address) that the Host: field of the HTTP request must match.
  This setting applies only if host-status is enable.
  Default: No default.

request-url <url_str>
  Enter either a literal URL or a regular expression, depending on the value of request-type.
  Default: No default.

host-status {enable | disable}
  Enter enable to apply this rule only to HTTP requests for specific web hosts. Also configure host. Enter disable to match the rule based on the URL and any parameter filter only.
  Default: disable

request-type {plain | regular}
  Select whether request-url <url_str> contains a literal URL (plain) or a regular expression designed to match multiple URLs (regular).
  Default: plain

parameter-filter {enable | disable}
  Enter enable to specify a parameter name and value to match. The parameter can be located in either the URL or the HTTP body of the request.
  Default: disable

parameter-name <parameter-name_str>
  Enter the name of the parameter to match.
  Default: No default.

parameter-value-type {plain | regular}
  Select whether parameter-value <parameter-value_str> contains a literal value (plain) or a regular expression designed to match multiple values (regular).
  Default: plain

parameter-value <parameter-value_str>
  Enter either a literal parameter value or a regular expression, depending on the value of parameter-value-type {plain | regular}.
  To match any parameter value, for parameter-value-type enter regular, and for parameter-value enter * (asterisk).
  Default: No default.

Example

The web page csrf_login.html contains the following HTML form:

<form name="do_some_action" id="form1" action="csrf_test2.php" method="GET">
<input type="text" name="username" value=""/>
<input type="text" name="password" value=""/>
<input type="submit" value="do Action"/>
</form>

When the page is on the list of pages protected by a CSRF protection policy, submitting the form generates the following request:
http://target-site.com/csrf_test2.php?username=test&password=123&tknfv=3DF5BDCCIG3DCXNTE3RUNCTKRS3E36AD

The CSRF protection feature adds the parameter tknfv with a value that matches the session ID.
To create this example, you add csrf_login.html to the list of pages and /csrf_test2.php (the URL the form submits to) to the list of URLs:
config waf csrf-protection
edit "csrf_rule1"
set action alert_deny
config csrf-page-list
edit 1
set request-url "csrf_login.html"
set request-type regular
next
end
config csrf-url-list
edit 1
set request-url "/csrf_test2.php"
set request-type plain
next
end
next
end

waf custom-access policy

Use this command to configure custom access policies. Custom access policies group custom access rules.

To apply a custom access policy, select it within an inline protection profile or an offline protection profile. For details, see waf web-protection-profile inline-protection on page 636 or waf web-protection-profile offline-protection on page 645.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf custom-access policy
  edit "<custom-policy_name>"
    config rule
      edit <entry_index>
        set rule-name "<custom-rule_name>"
        set threat-weight {low | critical | informational | moderate | substantial | severe}
      next
    end
  next
end

"<custom-policy_name>"
    Enter the name of a new or existing custom policy. The maximum length is 63 characters.
    To display a list of the existing policies, enter:
    edit ?
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,223,372,036,854,775,807.
    Default: No default.

rule-name "<custom-rule_name>"
    Enter the name of the existing custom access rule to add to the policy. The maximum length is 63 characters.
    Default: No default.

threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight assigned to violations of this rule within the custom policy.
    Default: moderate

Example

For an example, see waf custom-access rule on page 425.

Related topics

- waf web-protection-profile inline-protection on page 636
- waf web-protection-profile offline-protection on page 645
- waf custom-access rule on page 425

waf custom-access rule

Use this command to configure custom access rules.


What if you want to allow a web crawler, but only if it is not too demanding, and comes from a source IP that is known to
be legitimate for that crawler? What if you want to allow only a client that is a senior manager’s IP, and only if it hasn’t
been infected by malware whose access rate is contributing to a DoS?
Advanced access control rules provide a degree of flexibility for these types of complex conditions. You can combine any
or all of these criteria:
- Source IP
- User
- HTTP Session
- Rate limit (including rate limiting for specific types of content)
- HTTP header or response code
- URL
- Predefined or custom attack or data leak signature violation
- Transaction or packet interval timeout
- Real browser enforcement
- CAPTCHA enforcement
In the rule, add all criteria that you require allowed traffic to match.
Before you can apply a custom access rule, you must first group it with any others that you want to apply in a custom
access policy. For details, see waf custom-access policy on page 423.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf custom-access rule
  edit "<custom-access_name>"
    set action {alert | alert_deny | block-period | deny_no_log | redirect}
    set block-period <seconds_int>
    set severity {High | Medium | Low | Info}
    set trigger "<trigger-policy_name>"
    set bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}
    set recaptcha <recaptcha_server_name>
    set max-attempt-times <attempts_int>
    set validation-timeout <seconds_int>
    set mobile-app-identification {disabled | mobile-token-validation}
    set bot-confirmation {enable | disable}
    config access-limit-filter
      edit <entry_index>
        set access-rate-limit <rate_int>
      next
    end
    config http-header-filter
      edit <entry_index>
        set header-name-type {custom | predefined}
        set header-field-check {enable | disable}
        set predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept}
        set pre-header-type {plain | regular}
        set pre-header-rev-match {enable | disable}
        set custom-header-name "<key_str>"
        set cus-header-type {plain | regular}
        set cus-header-name-type {plain | regular}
        set cus-header-rev-match {enable | disable}
        set header-value "<value_str>"
        set http-hline-missing-check {enable | disable}
        set http-hline-empty-check {enable | disable}
        set basic-scheme-check {enable | disable}
        set http-method-check {enable | disable}
        set http-method-value-type {plain | regular}
        set http-method-value "<http-method-value_str>"
        set http-method-rev-match {enable | disable}
      next
    end
    config method
      edit <entry_index>
        set method-type {predefined | custom}
        set predefined-method-set {GET POST HEAD OPTIONS TRACE CONNECT DELETE PUT PATCH WEBDAV RPC OTHERS}
        set custom-method-type {plain | regular}
        set custom-method-value <string>
        set method-reverse-match {enable | disable}
      next
    end
    config source-ip-filter
      edit <entry_index>
        set source-ip <ip_range>
        set exclusive-match {no | yes}
      next
    end
    config user-filter
      edit <entry_index>
        set reverse-match {no | yes}
        set user-name "<user-name_str>"
      next
    end
    config geo-filter
      edit <entry_index>
        set match-exclusive {yes | no}
        set country-list <country-list_str>
      next
    end
    config url-filter
      edit <entry_index>
        set request-file "<url_str>"
        set reverse-match {no | yes}
      next
    end
    config http-transaction
      edit <entry_index>
        set http-transation-timeout "<timeout_int>"
      next
    end
    config response-code
      edit <entry_index>
        set <response-code_int>
        set response-code-max <response-code_int>
        set response-code-rev-match {enable | disable}
      next
    end
    config content-type
      edit <entry_index>
        set {text/html text/plain text/xml application/xml application/soap+xml application/json application/octet-stream text/javascript text/}
        set content-type-rev-match {enable | disable}
      next
    end
    config packet-interval
      edit <entry_index>
        set packet-interval-timeout <timeout_int>
      next
    end
    config parameter
      edit <entry_index>
        set name-type {plain | regular}
        set name <parameter_name>
        set value-check {enable | disable}
        set value <value_regular_expression>
        set location-check {enable | disable}
        set location {URL | http-body}
        set parameter-rev-match {enable | disable}
      next
    end
    config signature-class
      edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 090000000 | 100000000 | 110000000 | 120000000}
        set status {enable | disable}
      next
    end
    config custom-signature
      edit <entry_index>
        set custom-signature-enable {enable | disable}
        set {custom-signature-group | custom-signature}
        set "<custom-signature-name_str>"
      next
    end
    config occurrence
      edit <entry_index>
        set occurrence-num "<occurrence_int>"
        set within "<within_int>"
        set percentage-flag {enable | disable}
        set percentage "<percentage_int>"
        set traced-by {Source-IP | User | Http-Session}
      next
    end
  next
end

"<custom-access_name>"
    Enter the name of a new or existing custom access rule. The maximum length is 63 characters.
    To display a list of the existing rules, enter:
    edit ?
    Default: No default.

action {alert | alert_deny | block-period | deny_no_log | redirect}
    Select the specific action to be taken when the request matches the rule.
    - alert: Accept the request and generate an alert email and/or log message.
      Note: If type {request | response} on page 443 is response, it does not cloak, except for removing sensitive headers. Sensitive information in the body remains unaltered.
    - alert_deny: Block the request (or reset the connection) and generate an alert email and/or log message. This option is applicable only if type is signature-creation.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code.
    - block-period: Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int> on page 429.
    - deny_no_log: Deny a request. Do not generate a log message.
      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for on page 659.
    - redirect: Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    Default: alert

block-period <seconds_int>
    Enter the length of time (in seconds) for which the FortiWeb appliance will block additional requests after a source IP address violates this rule.
    The block period is shared by all clients whose traffic originates from the source IP address.
    The valid range is 1–3,600 seconds.
    Default: 600

severity {High | Medium | Low | Info}
    Select the severity level to use in logs and reports generated when a violation of the rule occurs.
    Default: High

trigger "<trigger-policy_name>"
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93. The maximum length is 63 characters.
    To display the list of existing trigger policies, enter:
    set trigger ?
    Default: No default.

bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}
    Select between:
    - captcha-enforcement: Requires the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within the max-attempt-times <attempts_int> on page 430, or doesn't fulfill the request within the validation-timeout <seconds_int> on page 430, FortiWeb applies the action and sends the CAPTCHA block page.
    - recaptcha-enforcement: Requires the client to successfully fulfill a reCAPTCHA request. If the client cannot successfully fulfill the request within the validation-timeout <seconds_int> on page 430, FortiWeb applies the action and sends the CAPTCHA block page. CAPTCHA verification is not presented again for bot confirmation to the same user within a 10-minute timeout.
    - real-browser-enforcement: Enable to return a JavaScript to the client to test whether it is a web browser or an automated tool when it violates the access rule. If the client either fails the test or does not return results before the timeout specified by validation-timeout <seconds_int>, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to violate the rule.
    - disable: Disable this option to simply apply the access rule.
    Default: disable

recaptcha <recaptcha_server_name>
    Enter the reCAPTCHA server you have created through user recaptcha-user.
    Default: No default.

mobile-app-identification {disabled | mobile-token-validation}
    For mobile clients that cannot execute JavaScript or CAPTCHA, FortiWeb can verify that the request is legitimate by validating the JWT token a mobile application carries when it accesses a web server.
    Default: disabled

bot-confirmation {enable | disable}
    Enable to confirm whether the client is indeed a bot. The system sends RBE (Real Browser Enforcement) JavaScript or a CAPTCHA to the client to double-check whether it is a bot.
    Default: disable

max-attempt-times <attempts_int>
    If captcha-enforcement is selected for bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable} on page 429, enter the maximum number of attempts that a client may make to fulfill a CAPTCHA request. The valid range is 1–5.
    Available only when captcha-enforcement is selected for bot-recognition.
    Default: 3

validation-timeout <seconds_int>
    Specifies the maximum amount of time (in seconds) that FortiWeb waits for results from the web browser test. The valid range is 5–30.
    Default: 20

config access-limit-filter

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

access-rate-limit <rate_int>
    Enter the rate threshold for source IP addresses.
    The valid range is 1–65535. To disable the rate limit, enter 0.
    Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client.
    Default: 1

config http-header-filter

header-name-type {custom | predefined}
    Select whether to define the HTTP header filter by selecting a predefined HTTP header name, or by typing the name of a custom HTTP header. Also configure header-value "<value_str>" and, depending on which you indicate in this option, either:
    - predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept} on page 431
    - pre-header-type {plain | regular} on page 431
    - pre-header-rev-match {enable | disable} on page 431
    or the corresponding custom-header-name "<key_str>", cus-header-type {plain | regular}, cus-header-name-type {plain | regular} and cus-header-rev-match {enable | disable} settings on page 432.
    Default: predefined

header-field-check {enable | disable}
    Enable/disable checking the HTTP header field.
    Default: No default.

predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept}
    Select the name (key) of the HTTP header, such as Accept:, that must be present in order for the request to be allowed.
    This field appears only if header-name-type {custom | predefined} on page 431 is predefined.
    Default: host

pre-header-type {plain | regular}
    Indicate whether header-value "<value_str>" on page 434 is a literal header value (plain) or a regular expression that indicates multiple possible valid header values (regular).
    Default: plain

pre-header-rev-match {enable | disable}
    Indicate how to use predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept} on page 431 and header-value "<value_str>" on page 434 when determining whether or not this condition has been met.
    - disable: If the regular expression does match the request object, the condition is met.
    - enable: If the regular expression does not match the request object, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).
    If all conditions are met, the FortiWeb appliance will allow access.
    Default: disable

custom-header-name "<key_str>"
    Enter the name (key) without the trailing colon ( : ), such as X-Real-IP, of the HTTP header that must be present in order for the request to be allowed.
    This field appears only if header-name-type {custom | predefined} on page 431 is custom.
    Default: No default.

cus-header-type {plain | regular}
    Indicate whether header-value "<value_str>" on page 434 is a literal header value (plain) or a regular expression that indicates multiple possible valid header values (regular).
    Default: plain

cus-header-name-type {plain | regular}
    Indicate whether custom-header-name "<key_str>" on page 432 is a literal header name (plain) or a regular expression that indicates multiple possible valid header names (regular).
    Default: plain

cus-header-rev-match {enable | disable}
    Indicate how to use custom-header-name "<key_str>" on page 432 and header-value "<value_str>" on page 434 when determining whether or not this condition has been met.
    - disable: If the regular expression does match the request object, the condition is met.
    - enable: If the regular expression does not match the request object, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).
    If all conditions are met, the FortiWeb appliance will allow access.
    Default: disable

http-hline-empty-check {enable | disable}
    If you enable Header Empty Value Check, the request matches the condition if it contains the specified header but the value of the matched header is empty.
    Default: disable

basic-scheme-check {enable | disable}
    Enable to check for a misformatted Basic authentication scheme.
    This field appears only when:
    - header-name-type is predefined
    - predefined-header is authorization
    - http-hline-missing-check is disable
    - http-hline-empty-check is disable
    Default: disable

http-method-check {enable | disable}
    Enable HTTP Method Check and configure a plain string or regular expression for the HTTP method that FortiWeb will search for in the header field.
    Default: disable

http-method-value-type {plain | regular}
    Select whether http-method-value is a plain string or a regular expression.
    Default: No default.

http-method-value "<http-method-value_str>"
    To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring.
    Default: No default.

http-method-rev-match {enable | disable}
    When you enable HTTP Method Check, you can also enable HTTP Method Reverse Match so that the request matches the condition if the header does not contain the HTTP method's exact value or regular expression.
    Default: disable

http-hline-missing-check {enable | disable}
    If you enable http-hline-missing-check, the request matches the condition if it does not contain the specified header name.
    http-hline-empty-check and http-hline-missing-check can't be enabled at the same time.
    This setting does not take effect for HTTP/2 requests that lack any of the following pseudo-headers:
    - :method
    - :scheme
    - :path
    - :authority
    - :status
    HTTP/2 requests without the above headers are never evaluated against the http-hline-missing-check setting: FortiWeb treats them as illegitimate and discards them as soon as they arrive.
    Default: disable

header-value "<value_str>"
    Depending on your selection in pre-header-type {plain | regular} on page 431, either:
    - Type the literal header value, such as 192.0.2.80, that your specified HTTP header must contain in order to match the filter. Value matching is case sensitive. (If you require a filter based upon more than one HTTP header, create multiple entries in the set, one for each HTTP header.)
    - Type a regular expression, such as 192\.0\.2\.*, matching all and only the header values which accepted HTTP header values must match.
    For details about language and regular expression matching, see the FortiWeb Administration Guide:
    https://docs.fortinet.com/fortiweb/admin-guides
    Tip: To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring.
    For example, entering the value 192.0.2.1 would also match the IPs 192.0.2.10-19 and 192.0.2.100-199. This result may be unintended. The better solution would be to configure either:
    - A regular expression such as ^192.0.2.1$, or
    - A source IP condition instead of an HTTP header condition
    Default: No default.
config method

method-type {predefined | custom}
    Configure the HTTP methods that FortiWeb will search for in the header field. Select whether to use the predefined method types or define custom types.
    Default: predefined

predefined-method-set {GET POST HEAD OPTIONS TRACE CONNECT DELETE PUT PATCH WEBDAV RPC OTHERS}
    Select the methods that FortiWeb will search for in the header field.
    Note that if you select only WEBDAV, some of the methods included in WEBDAV (GET, HEAD, POST, DELETE, PUT) won't be scanned by the system. The WEBDAV-related attack log won't have the WEBDAV keyword in it; instead, it will be shown as the individual method violations.
    Default: No default.

custom-method-type {plain | regular}
    If you have selected custom for method-type, select whether to use a plain string or a regular expression.
    Default: plain

custom-method-value <string>
    To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring.
    Default: No default.

method-reverse-match {enable | disable}
    Enable method-reverse-match so that the request matches the condition if the header does not contain the HTTP method's exact value or regular expression.
    Default: disable

config source-ip-filter

source-ip <ip_range>
    Enter the IP address or IP address range that specifies the clients that FortiWeb allows. For example:
    - 1.2.3.4
    - 2001::1
    - 1.2.3.4-1.2.3.40
    - 2001::1-2001::100
    Depending on your configuration of how FortiWeb will derive the client’s IP (see waf x-forwarded-for on page 659), this may be the IP address that is indicated in an HTTP header rather than the IP header.
    Default: No default.

exclusive-match {no | yes}
    Set whether the condition can be met when the source IP does not match.
    Default: no

config user-filter

user-name "<user-name_str>"
    Enter the user name to match.
    Default: No default.

reverse-match {no | yes}
    Indicate how to use user-name "<user-name_str>" on page 436 when determining whether or not this rule’s condition has been met.
    - no: If the regular expression does match the user name, the condition is met.
    - yes: If the regular expression does not match the user name, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).
    Default: no

config url-filter

request-file "<url_str>"
    Enter a regular expression that defines either all matching or all non-matching URLs. Then, also configure reverse-match {no | yes} on page 436.
    For example, for the URL access rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in reverse-match {no | yes}, select no.
    The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters.
    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {no | yes}.
    Default: No default.

reverse-match {no | yes}
    Indicate how to use request-file "<url_str>" on page 436 when determining whether or not this rule’s condition has been met.
    - no: If the regular expression does match the request URL, the condition is met.
    - yes: If the regular expression does not match the request URL, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).
    Default: no

config http-transaction

http-transation-timeout "<timeout_int>"
    Enter a timeout value of 1–3600 seconds. If the lifetime of an HTTP transaction exceeds this value, the transaction matches this condition.
    Default: 5

config response-code

<response-code_int>
    Specify the start and end code in a range of HTTP response codes. To specify a single code, enter the same value for the start and end codes (for example, 404-404 or 500-503).
    If its HTTP response code is within this range, the HTTP transaction matches this condition.
    Default: 404

response-code-max <response-code_int>
    Specify the maximum start and end code in a range of HTTP response codes.
    Default: No default.

response-code-rev-match {enable | disable}
    Enable it so that the response matches the condition if the code is not in the specified range.
    Default: disable

config content-type

{text/html text/plain text/xml application/xml application/soap+xml application/json application/octet-stream text/javascript text/}
    Specify a file content type to match.
    Use with occurrence to detect and control web scraping (content scraping) activity.
    Default: application/soap+xml application/xml text/xml text/html text/plain application/json application/octet-stream text/javascript text/css

content-type-rev-match {enable | disable}
    Enable it so that the content type matches the condition if it's not the specified type.
    Default: disable

config packet-interval

packet-interval-timeout <timeout_int>
    Specify the maximum number of seconds allowed between packets arriving from either the client or the server (request or response packets). Enter a value from 1 to 60.
    If the interval exceeds this value, the HTTP transaction matches this condition.
    Default: 1

config parameter

name-type {plain | regular}
    Indicate whether the parameter name is a literal value (plain) or a regular expression that indicates multiple possible valid values (regular).
    Default: plain

name <parameter_name>
    Enter either a literal value or a regular expression to match the parameter name.
    Default: No default.

value-check {enable | disable}
    Enable to check the value of the specified parameters.
    Default: disable

value <value_regular_expression>
    Enter a regular expression to match the parameter value.
    Default: No default.

location-check {enable | disable}
    By default, the system searches for the parameters in both the URL and the HTTP body. You can enable Location Check to restrict the search to either the URL or the HTTP body.
    Default: disable

location {URL | http-body}
    Specify whether to scan for the parameters in the URL or the HTTP body.
    Default: No default.

parameter-rev-match {enable | disable}
    Enable parameter-rev-match so that the request matches the condition if the URL or HTTP body does not contain the specified parameter names or values.
    Default: disable

config signature-class

{010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 090000000 | 100000000 | 110000000 | 120000000}
    Specify the ID of a signature class.
    Ensure the signature is enabled in the signature configuration before you use it in an advanced access control rule. For details, see waf signature on page 555.
    Default: No default.

status {enable | disable}
    Specify whether the HTTP transaction matches this condition if it matches the specified signature.
    Default: disable

config custom-signature

custom-signature-enable {enable | disable}
    Specify whether the current custom signature filter is enabled.
    Default: disable

{custom-signature-group | custom-signature}
    Specify whether "<custom-signature-name_str>" on page 439 specifies a custom signature group or an individual signature.
    Default: custom-signature-group

"<custom-signature-name_str>"
    Specify the custom signature group or individual signature to match.
    Ensure the signature is enabled in the signature configuration before you use it in an advanced access control rule. For details, see waf signature on page 555.
    Default: No default.

config occurrence

occurrence-num "<occurrence_int>"
    Specify the maximum number of times a transaction can match other filter types in the current rule during the time period specified by within.
    Enter a value between 1–100,000.
    If the number of matches exceeds this threshold, the associated HTTP source client IP address or client matches this condition.
    Default: 1

within "<within_int>"
    Specify the time period during which FortiWeb counts the number of times transactions match other filter types in the current rule.
    Enter a value between 1–600.
    Default: 1

percentage-flag {enable | disable}
    Specify whether the current filter matches when the rate of matches with other filter types in the current rule exceeds the percentage "<percentage_int>" on page 439.
    Default: disable

percentage "<percentage_int>"
    The maximum rate of matches with other filter types in the current rule, expressed as a percent of hits.
    If percentage-flag {enable | disable} on page 439 is enabled and the number of matches exceeds this threshold, the associated HTTP source client IP address or client matches this condition.
    Default: No default.

traced-by {Source-IP | User | Http-Session}
    Specify whether FortiWeb determines the rate at which a transaction matches other filter types in the current rule by counting matches by source client IP address or by client.
    To specify User, ensure that the value of client-management {enable | disable} on page 638 is enable.
    Default: source-ip

config geo-filter

<entry_index>
    Enter the index number of the individual entry in the table.
    Default: No default.

match-exclusive {yes | no}
    If you select yes, FortiWeb matches the traffic from all countries except the ones you select. If you select no, FortiWeb matches the traffic from the countries you select.
    Default: no

country-list <country-list_str>
    Enter the countries to match.
    Default: No default.

Example

This example allows access to URLs beginning with “/admin”, but only if they originate from 192.0.2.5, and only if the
client does not exceed 5 requests per second.
Clients that violate this rule will be blocked for 60 seconds (the default duration). The violation will be logged in the attack
log using severity_level=High, and all servers configured in notification-servers1 will be used to notify the
network administrator.
config waf custom-access rule
  edit "combo-IP-rate-URL-rule1"
    set action block-period
    set severity High
    set trigger "notification-servers1"
    config access-limit-filter
      edit 1
        set access-rate-limit 5
      next
    end
    config source-ip-filter
      edit 1
        set source-ip "192.0.2.5"
      next
    end
    config url-filter
      edit 1
        set request-file "/admin*"
      next
    end
  next
end
config waf custom-access policy
  edit "combo-IP-rate-URL-policy1"
    config rule
      edit 1
        set rule-name "combo-IP-rate-URL-rule1"
      next
    end
  next
end
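The occurrence filter (occurrence-num, within, percentage-flag, percentage, traced-by) replayed over a constructed request log, as an added example rather than anything from the FortiWeb reference: OccurrenceFilter and constructed_log are assumed names, within is treated as seconds, and in percentage mode the model requires both the match count and the match rate to exceed their thresholds (an assumption about how the two settings combine). It shows a scraper fetching text/html pages being singled out by source IP while a normal visitor's mixed page and image requests stay under the percentage.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


def constructed_log() -> list:
    """Constructed request log, not captured traffic: (time_s, source_ip, user, matched).
    `matched` is True when the request satisfied the rule's other filters, for example
    a content-type entry for text/html."""
    log = []
    # Scraper: one HTML fetch every 0.5 s for 8 s from a single IP, not logged in (17 hits).
    log += [(i * 0.5, "203.0.113.7", "", True) for i in range(17)]
    # Normal browsing: 4 page views, each followed by 3 image requests that do not match.
    for i in range(4):
        t = i * 2.0
        log.append((t, "198.51.100.20", "alice", True))
        log += [(t + 0.2 * j, "198.51.100.20", "alice", False) for j in (1, 2, 3)]
    return sorted(log)


@dataclass
class OccurrenceFilter:
    """One occurrence entry; attribute names mirror the CLI settings (assumed spellings)."""
    occurrence_num: int = 1         # occurrence-num "<occurrence_int>", 1-100,000
    within: int = 1                 # within "<within_int>", modelled as seconds
    percentage_flag: bool = False   # percentage-flag {enable | disable}
    percentage: int = 0             # percentage "<percentage_int>", percent of hits
    traced_by: str = "Source-IP"    # traced-by {Source-IP | User}; Http-Session not modelled

    def key(self, event) -> str:
        _, ip, user, _ = event
        return user if self.traced_by == "User" else ip

    def evaluate(self, log) -> dict:
        """Replay the log in time order; return {client: time the threshold was first exceeded}."""
        windows = defaultdict(deque)   # client -> deque of (time, matched) inside the window
        exceeded = {}
        for event in sorted(log):
            t, matched = event[0], event[3]
            client = self.key(event)
            if not client:
                continue  # traced-by User cannot attribute an anonymous request
            win = windows[client]
            win.append((t, matched))
            # Drop hits that fell out of the trailing `within`-second window.
            while win and win[0][0] <= t - self.within:
                win.popleft()
            matches = sum(1 for _, m in win if m)
            if matches <= self.occurrence_num:
                continue
            if self.percentage_flag:
                # Assumption: in percentage mode the rate must also exceed `percentage`.
                rate = 100.0 * matches / len(win)
                if rate <= self.percentage:
                    continue
            exceeded.setdefault(client, t)
        return exceeded


if __name__ == "__main__":
    log = constructed_log()
    print("count only (10 in 10 s):", OccurrenceFilter(10, 10).evaluate(log))
    print("count only (2 in 10 s): ", OccurrenceFilter(2, 10).evaluate(log))
    print("count + rate > 50 %:    ", OccurrenceFilter(2, 10, True, 50).evaluate(log))
    print("traced by user:         ", OccurrenceFilter(2, 10, traced_by="User").evaluate(log))
```

A low occurrence-num alone also flags the ordinary visitor on the third page view; adding the percentage threshold keeps the match on the scraper, whose hits are all text/html.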

Related topics

- waf custom-access policy on page 423
- log trigger-policy on page 93
- waf signature on page 555

waf custom-protection-group

Use this command to configure custom protection groups, creating sets of custom protection rules that can be used with
attack signatures (“server protection rule”).
Before you can configure this command, you must first define your custom data leak and attack signatures. For details,
see waf custom-protection-rule on page 442.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf custom-protection-group
  edit "<custom-protection group_name>"
    config type-list
      edit <entry_index>
        set custom-protection-rule "<rule_name>"
      next
    end
  next
end

"<custom-protection group_name>"
    Enter the name of a new or existing group. The maximum length is 63 characters.
    To display the list of existing groups, enter:
    edit ?
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

custom-protection-rule "<rule_name>"
    Enter the name of the custom protection rule to associate with the custom protection group. The maximum length is 63 characters.
    To display a list of the existing rules, enter:
    set custom-protection-rule ?
    Default: No default.

Example

This example groups custom protection rule 1 and custom protection rule 3 together within Custom Protection group 1.

config waf custom-protection-group
  edit "Custom Protection group 1"
    config type-list
      edit 1
        set custom-protection-rule "custom protection rule 3"
      next
      edit 3
        set custom-protection-rule "custom protection rule 1"
      next
    end
  next
end

Related topics

- waf signature on page 555
- waf custom-protection-rule on page 442

waf custom-protection-rule

Use this command to configure custom data leak and attack signatures.

Before you enter custom signatures via the CLI, first enable the custom signature feature.

To use your custom signatures, you must first group them so that they can be included in a rule. For details, see waf
custom-protection-group on page 441.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf custom-protection-rule
    edit "<custom-protection rule_name>"
        set type {request | response}
        set action {alert | alert_deny | alert_erase | redirect | block-period | send_HTTP_response | only_erase | deny_no_log}
        set block-period <seconds_int>
        set severity {High | Medium | Low | Info}
        set trigger "<trigger-policy_name>"
        config meet-condition
            edit <entry_index>
                set operator {RE | GT | LT | NE | EQ}
                set request-target {REQUEST_FILENAME REQUEST_URI REQUEST_HEADERS_NAMES REQUEST_HEADERS REQUEST_COOKIES_NAMES REQUEST_COOKIES ARGS_NAMES ARGS_VALUE REQUEST_RAW_URI REQUEST_BODY CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH COOKIE_NUMBER ARGS_NUMBER HTTP_METHOD}
                set response-target {RESPONSE_BODY RESPONSE_HEADER CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH RESPONSE_CODE}
                set threshold <threshold_int>
                set case-sensitive {enable | disable}
                set expression <regex_pattern>
            next
        end
    next
end

Variable / Description / Default

"<custom-protection rule_name>" (no default)
    Enter the name of the new or existing custom signature. The maximum length is 63 characters.
    To display a list of the existing rules, enter:
    edit ?

type {request | response} (default: request)
    Specify the type of regular expression:
    - request—The expression is an attack signature.
    - response—The expression is a server information disclosure signature.

action {alert | alert_deny | alert_erase | redirect | block-period | send_HTTP_response | only_erase | deny_no_log} (default: alert)
    Select the specific action to be taken when the request matches this signature.
    - alert—Accept the request and generate an alert email and/or log message.
      Note: If type {request | response} on page 443 is response, it does not cloak, except for removing sensitive headers. Sensitive information in the body remains unaltered.
    - alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. This option is applicable only if type is signature-creation.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code.
    - alert_erase—Hide replies with sensitive information (sometimes called “cloaking”). Block the reply (or reset the connection) or remove the sensitive information, and generate an alert email and/or log message.
      If the sensitive information is a status code, you can customize the web page that FortiWeb returns to the client with the HTTP status code.
      Note: This option is not fully supported in Offline Protection mode. Effects will be identical to alert; sensitive information will not be blocked or erased.
    - block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int> on page 497.
      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for on page 659.
    - redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" on page 643 and rdt-reason {enable | disable} on page 643.
    - send_HTTP_response—Block and reply to the client with an HTTP error message, and generate an alert email, a log message, or both.
    - only_erase—Hide replies with sensitive information (sometimes called “cloaking”). Block the reply (or reset the connection) or remove the sensitive information without generating an alert email and/or log message. This option is applicable only if type is response; and this option is not supported in Offline Protection mode.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see "system replacemsg" on page 1.
    - deny_no_log—Deny a request. Do not generate a log message.
    Caution: This setting will be ignored if monitor-mode {enable | disable} on page 152 is enabled.
    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk on page 66 and log alertMail on page 60.

block-period <seconds_int> (default: 600)
    If action {alert | alert_deny | alert_erase | redirect | block-period | send_HTTP_response | only_erase | deny_no_log} on page 443 is block-period, enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule. For details about viewing the list of currently blocked clients, see the FortiWeb Administration Guide:
    https://docs.fortinet.com/fortiweb/admin-guides
    The valid range is 1–3,600 seconds.

severity {High | Medium | Low | Info} (default: Medium)
    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule.

trigger "<trigger-policy_name>" (no default)
    Select which trigger policy, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. For details, see log trigger-policy on page 93.
    The maximum length is 63 characters.
    To display the list of existing trigger policies, enter:
    set trigger ?

<entry_index> (no default)
    Enter the index number of the individual entry in the table.
    The valid range is 1–9,999,999,999,999,999,999.

operator {RE | GT | LT | NE | EQ} (default: RE)
    - RE—The signature matches when the value of a selected target in the request or response matches the value of expression.
    - GT—The signature matches when the specified target has a value greater than the value of threshold.
    - LT—The signature matches when the specified target has a value less than the value of threshold.
    - NE—The signature matches when the specified target has a different value than threshold.
    - EQ—The signature matches when the specified target has the same value as threshold.

request-target {REQUEST_FILENAME REQUEST_URI REQUEST_HEADERS_NAMES REQUEST_HEADERS REQUEST_COOKIES_NAMES REQUEST_COOKIES ARGS_NAMES ARGS_VALUE REQUEST_RAW_URI REQUEST_BODY CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH COOKIE_NUMBER ARGS_NUMBER HTTP_METHOD} (no default)
    Enter the name of one or more locations in the HTTP request to scan for a signature match.
    For example, ARGS_NAMES for the names of parameters or REQUEST_COOKIES for strings in the HTTP Cookie: header.

response-target {RESPONSE_BODY RESPONSE_HEADER CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH RESPONSE_CODE} (no default)
    Enter the name of one or more locations in the HTTP response to scan for a signature match.

threshold <threshold_int> (no default)
    Enter the value that FortiWeb compares to the target value to determine if a request or response matches.

case-sensitive {enable | disable} (default: disable)
    Enable to differentiate upper case and lower case letters when evaluating the web server’s response for data leaks according to expression <regex_pattern> on page 446.
    For example, when enabled, an HTTP reply containing the phrase Credit card would not match an expression that looks for the phrase credit card (the difference being the capital C).

expression <regex_pattern> (no default)
    When operator {RE | GT | LT | NE | EQ} on page 445 is RE, type a regular expression that matches either an attack from a client or a data leak from the server.
    If action is alert_erase (Alert & Erase), enclose the portion of the regular expression to erase in brackets. For example, the following command erases the expression "webattack" from the response packet:
    config waf custom-protection-rule
        edit "test"
            set type response
            set action alert_erase
            config meet-condition
                edit 1
                    set response-target RESPONSE_BODY
                    set expression "(webattack)"
                next
            end
        next
    end
    To prevent false positives, it should not match anything else.
    The maximum length is 2,071 characters.

Example

This example configures a signature to detect and block an LFI attack that uses directory traversal through an
unsanitized controller parameter in older versions of Joomla. Each time it detects an attack, the trigger policy named
notification-servers1 sends an alert email and attack log messages whose severity level is High.
config waf custom-protection-rule
    edit "Joomla_controller_LFI"
        set type request
        set action alert_deny
        set severity High
        set trigger "notification-servers1"
        config meet-condition
            edit 1
                set request-target REQUEST_RAW_URI
                set expression "^/index\.php\?option=com_ckforms\&controller=(\.\.\/)+?"
            next
        end
    next
end
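The evaluator below is an added example, not FortiWeb code, that mirrors the meet-condition semantics described in this section: the operator table, case-sensitive, and the bracket convention for alert_erase. It runs the two rules from this section (the Joomla_controller_LFI signature and the "(webattack)" erase rule) plus a hypothetical BODY_LENGTH rule against constructed HTTP messages; the message dict format and the subset of target names it resolves are assumptions.

```python
import re

# Constructed evaluator for the meet-condition semantics of
# waf custom-protection-rule (added illustration, not FortiWeb code).
# Operator semantics follow the table: RE runs `expression` against the
# target, GT/LT/NE/EQ compare the target's integer value with `threshold`.


def http_message(method="GET", raw_uri="/", body=""):
    """Build a constructed HTTP request or response for the evaluator."""
    return {"method": method, "raw_uri": raw_uri, "body": body}


def target_value(message, target):
    """Resolve a request-/response-target name; only a subset is modelled."""
    if target == "REQUEST_RAW_URI":
        return message["raw_uri"]
    if target in ("REQUEST_BODY", "RESPONSE_BODY"):
        return message["body"]
    if target in ("CONTENT_LENGTH", "BODY_LENGTH"):
        return len(message["body"].encode())
    if target == "HTTP_METHOD":
        return message["method"]
    raise ValueError("target not modelled: " + target)


def condition_matches(message, cond, case_sensitive=False):
    """Evaluate one meet-condition entry (keys mirror the CLI settings)."""
    value = target_value(message, cond["target"])
    if cond["operator"] == "RE":
        flags = 0 if case_sensitive else re.IGNORECASE
        return re.search(cond["expression"], str(value), flags) is not None
    value, threshold = int(value), int(cond["threshold"])
    return {"GT": value > threshold, "LT": value < threshold,
            "NE": value != threshold, "EQ": value == threshold}[cond["operator"]]


def apply_rule(message, rule):
    """Return (matched, body_after_action).

    For alert_erase / only_erase the bracketed part of the expression, i.e.
    capturing group 1, is removed from the body; text outside the brackets
    stays, which is why the expression should match nothing else."""
    case_sensitive = rule.get("case-sensitive", False)
    body = message["body"]
    for cond in rule["meet-condition"]:
        if not condition_matches(message, cond, case_sensitive):
            continue
        if rule["action"] in ("alert_erase", "only_erase") and cond["operator"] == "RE":
            pattern = re.compile(cond["expression"],
                                 0 if case_sensitive else re.IGNORECASE)

            def erase_group(m):
                if not m.lastindex:          # no brackets: nothing to erase
                    return m.group(0)
                start, end = m.start(1) - m.start(0), m.end(1) - m.start(0)
                return m.group(0)[:start] + m.group(0)[end:]

            body = pattern.sub(erase_group, body)
        return True, body
    return False, body


# The two rules from this section, transcribed into the evaluator's form.
JOOMLA_LFI_RULE = {
    "type": "request", "action": "alert_deny", "severity": "High",
    "meet-condition": [{"target": "REQUEST_RAW_URI", "operator": "RE",
        "expression": r"^/index\.php\?option=com_ckforms\&controller=(\.\.\/)+?"}],
}
ERASE_RULE = {
    "type": "response", "action": "alert_erase",
    "meet-condition": [{"target": "RESPONSE_BODY", "operator": "RE",
                        "expression": "(webattack)"}],
}
# Hypothetical numeric rule (not from the page): flag bodies over 1024 bytes.
LARGE_BODY_RULE = {
    "type": "request", "action": "alert",
    "meet-condition": [{"target": "BODY_LENGTH", "operator": "GT",
                        "threshold": 1024}],
}

if __name__ == "__main__":
    probe = http_message(raw_uri="/index.php?option=com_ckforms&controller=../../")
    print(apply_rule(probe, JOOMLA_LFI_RULE))                          # (True, '')
    print(apply_rule(http_message(body="x webattack y"), ERASE_RULE))  # (True, 'x  y')
```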

Related topics

- waf custom-protection-group on page 441
- log trigger-policy on page 93

waf exclude-url

Use this command to configure URLs that are exempt from a file compression or file decompression rule.
To apply an exclusion, include it in a compression or decompression rule. For details, see waf file-compress-rule on
page 449.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf exclude-url
    edit "<rule_name>"
        config exclude-rules
            edit <entry_index>
                set host "<protected-host_name>"
                set host-status {enable | disable}
                set request-file "<url_str>"
            next
        end
    next
end

Variable / Description / Default

"<rule_name>" (no default)
    Enter the name of a new or existing exception. The maximum length is 63 characters.
    To display a list of the existing exceptions, enter:
    edit ?

<entry_index> (no default)
    Enter the index number of the individual entry in the table.
    The valid range is 1–9,999,999,999,999,999,999.

host "<protected-host_name>" (no default)
    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the exception. The maximum length is 256 characters.
    This setting applies only if host-status {enable | disable} on page 448 is enable.

host-status {enable | disable} (default: disable)
    Enable to apply this exception only to HTTP requests for specific web hosts. Also configure host "<protected-host_name>" on page 448.
    Disable to match the exception based upon the other criteria, such as the URL, but regardless of the Host: field.

request-file "<url_str>" (no default)
    Enter the literal URL, such as /archives, to which the exception applies. The URL must begin with a slash ( / ).
    Do not include the name of the host, such as www.example.com, which is configured separately using host. The maximum length is 256 characters.

Example

This example configures two exclusion rules, one for compression and the other for decompression. Either rule can be
referenced by name in a file compression or file decompression rule.
config waf exclude-url
    edit "Compression Exclusion"
        config exclude-rules
            edit 1
                set host "192.0.2.2"
                set host-status enable
                set request-file "/archives"
            next
        end
    next
    edit "Decompression Exclusion"
        config exclude-rules
            edit 1
                set host "www.example.com"
                set host-status enable
                set request-file "/products.cfm"
            next
        end
    next
end


Related topics

- waf file-compress-rule on page 449

waf file-compress-rule

Use this command to compress specific file types in HTTP replies.


Compression can reduce bandwidth, which can reduce delivery time to end users. Modern browsers automatically
decompress files before they display web pages.
You can configure most web servers to compress files when they respond to a request. However, if you do not want to
configure each of your web servers separately, or if you want to offload compression for performance reasons, you can
configure FortiWeb to do the compression.
By default, the maximum pre-compressed file size is 64 KB. FortiWeb transmits files larger than the maximum without
compression. You can use the config system advanced command’s max-cache-size setting to adjust the
maximum file size. For details, see system advanced on page 217.
To apply a compression rule, select it in an inline protection profile. For details, see waf web-protection-profile inline-
protection on page 636.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf file-compress-rule
    edit "<rule_name>"
        set compression-type {gzip | brotli}
        set compression-level {level1 | level2 | level3 | level4 | level5 | level6 | level7 | level8 | level9 | level10 | level11}
        set exclude-url "<exclusion-rule_name>"
        config content-types
            edit <entry_index>
                set content-type "<content-type_name>"
            next
        end
    next
end

Variable / Description / Default

"<rule_name>" (no default)
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?

<entry_index> (no default)
    Enter the index number of the individual entry in the table.
    The valid range is 1–9,999,999,999,999,999,999.

compression-type {gzip | brotli} (no default)
    Set the file compression type.

compression-level {level1 | level2 | level3 | level4 | level5 | level6 | level7 | level8 | level9 | level10 | level11} (no default)
    Set the compression level for the file to be compressed.

content-type "<content-type_name>" (no default)
    Enter one of the following content types to compress it:
    - text/plain
    - text/html
    - application/xml (or) text/xml
    - application/soap+xml
    - application/x-javascript
    - text/css
    - application/javascript
    - text/javascript
    - application/json
    - application/rss+xml
    To compress multiple file types, add each file type in a separate table entry with its own <entry_index> on page 449. See Example on page 450.

exclude-url "<exclusion-rule_name>" (no default)
    Enter the name of an exclusion to use with the rule, if any. For details, see waf exclude-url on page 447. The maximum length is 63 characters.

Example

This example configures a file compression rule that compresses CSS and HTML files, unless they match one of the
URLs in the exception named “Compression Exclusion 1.”
config waf file-compress-rule
    edit "file-compress-rule_name"
        set compression-type gzip
        set compression-level level2
        config content-types
            edit 1
                set content-type text/css
            next
            edit 2
                set content-type text/html
            next
        end
        set exclude-url "Compression Exclusion 1"
    next
end


Related topics

- waf exclude-url on page 447

waf file-upload-restriction-policy

Use this command to set file security policies that FortiWeb will use to manage the types of files that can be uploaded to
your web servers.
The policies are composed of individual rules set using the config server-policy custom-application application-policy
(page 1) command. Each rule identifies the host and/or URL to which the restriction applies and the types of files
allowed. To apply a file security policy, select it within an inline or Offline Protection profile.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf file-upload-restriction-policy
    edit "<file-upload-restriction-policy_name>"
        set action {alert | alert_deny | block-period | deny_no_log}
        set block-period <seconds_int>
        set severity {High | Medium | Low | Info}
        set trigger <trigger-policy_name>
        set trojan-detection {enable | disable}
        set av-scan {enable | disable}
        set fortisandbox-check {enable | disable}
        set hold-session-while-scanning-file {enable | disable}
        set icap-server-check {enable | disable}
        set exchange-mail-detection {enable | disable}
        set owa-protocol {enable | disable}
        set activesync-protocol {enable | disable}
        set mapi-protocol {enable | disable}
        config rule
            edit <entry_index>
                set file-upload-restriction-rule <rule_name>
            next
        end
    next
end

Variable / Description / Default

"<file-upload-restriction-policy_name>" (no default)
    Enter the name of an existing or new file security policy. The maximum length is 63 characters.
    To display the list of existing policies, enter:
    edit ?

action {alert | alert_deny | block-period | deny_no_log} (default: alert)
    Enter the action you want FortiWeb to perform when the policy is violated:
    - alert—Accept the request and generate an alert and/or log message.
    - alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see "system replacemsg" on page 1 and the FortiWeb Administration Guide:
      https://docs.fortinet.com/fortiweb/admin-guides
    - block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int> on page 452.
    - deny_no_log—Deny a request. Do not generate a log message.
    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for on page 659.
    Caution: This setting will be ignored if monitor-mode {enable | disable} on page 152 is enabled.
    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk on page 66 and log alertMail on page 60.
    Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, you should select alert. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see "waf web-protection-profile autolearning-profile" on page 1.

block-period <seconds_int> (default: 600)
    If action {alert | alert_deny | block-period | deny_no_log} on page 452 is block-period, type the number of seconds that violating requests will be blocked. The valid range is 1–3,600 seconds.

severity {High | Medium | Low | Info} (default: Low)
    Select the severity level to use in logs and reports generated when a violation of the rule occurs.

trigger <trigger-policy_name> (no default)
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93. The maximum length is 63 characters.
    To display the list of existing triggers, enter:
    set trigger ?

trojan-detection {enable | disable} (default: disable)
    Enter enable to scan for Trojans.
    Attackers may attempt to upload Trojan horse code (written in scripting languages such as PHP and ASP) to the back-end web servers. The Trojan then infects clients who access an infected web page.

av-scan {enable | disable} (default: disable)
    Enter enable to scan for viruses, malware, and greyware.

fortisandbox-check {enable | disable} (default: disable)
    Enter enable to send matching files to FortiSandbox for evaluation.
    Also specify the FortiSandbox settings for your FortiWeb. For details, see system fortisandbox on page 278.
    FortiSandbox evaluates the file and returns the results to FortiWeb.
    If trojan-detection {enable | disable} on page 453 is enable and FortiWeb detects a virus, it does not send the file to FortiSandbox.

exchange-mail-detection {enable | disable} (default: disable)
    Enter enable so that FortiWeb will scan email attachments in applications using OWA or ActiveSync protocols. If enabled, FortiWeb will perform Trojan detection, an antivirus scan, and will send the attachments to FortiSandbox.
    Note: To perform Trojan detection, an antivirus scan, and send attachments to FortiSandbox, you must enable trojan-detection {enable | disable} on page 453, av-scan {enable | disable} on page 453, and fortisandbox-check {enable | disable} on page 453, respectively, in the file security policy.

owa-protocol {enable | disable} (default: disable)
    Available only when exchange-mail-detection {enable | disable} on page 453 is set to enable. If enabled, FortiWeb will scan attachments in Exchange Email sent and received via a web browser login.

activesync-protocol {enable | disable} (default: disable)
    Available only when exchange-mail-detection {enable | disable} on page 453 is set to enable. If enabled, FortiWeb will scan attachments in Exchange Email sent and received via a mobile phone login.

<entry_index> (no default)
    Enter the index number of the individual entry in the table.
    The valid range is 1–9,999,999,999,999,999,999.

file-upload-restriction-rule <rule_name> (no default)
    Enter the name of an upload restriction rule to use with the policy, if any. For details, see "server-policy custom-application application-policy" on page 1. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    set file-upload-restriction-rule ?

hold-session-while-scanning-file {enable | disable} (default: disable)
    Enable to make FortiWeb hold the session for up to 30 minutes while FortiSandbox scans the file in the request. If the session has been held for over 30 minutes, FortiWeb forwards the session without taking any other action.
    This option is available only when you enable Send files to FortiSandbox.

mapi-protocol {enable | disable} (default: disable)
    FortiWeb will scan attachments in Email sent and received via the Messaging Application Programming Interface (MAPI), a new transport protocol implemented in Microsoft Exchange Server 2013 Service Pack 1 (SP1).
    Available only when Scan attachments in Email is enabled.

icap-server-check {enable | disable} (default: disable)
    Enable so that FortiWeb sends files to the ICAP server that matches the uploading or downloading direction.

Related topics

- server-policy custom-application application-policy on page 1
- log trigger-policy on page 93
- system fortisandbox on page 278

waf file-upload-restriction-rule

Use this command to define the specific host and request URL for which file upload restrictions apply, and define the
specific file types that can be uploaded to that host or URL.
To apply the rule, select it in a file security policy. For details, see waf file-upload-restriction-policy on page 451.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf file-upload-restriction-rule
    edit "<file-upload-restriction-rule_name>"
        set host-status {enable | disable}
        set host "<protected-host_name>"
        set request-file "<url_pattern>"
        set request-type {regular | plain}
        set file-size-limit <size_int>
        set json-file-support {enable | disable}
        set json-key-for-filename <filename>
        set json-key-field <FileContents>
        set file-uncompress {enable | disable}
        set uncompress-nest-limit <int>
        set uncompress-oversize-limit <int>
        config file-types
            edit <entry_index>
                set file-type-id "<id_str>"
                set file-type-name "<file-type-extension_str>"
            next
        end
        config file-types
            edit <entry_index>
                set file-extention <file-type-extension_str>
            next
        end
    next
end

Variable / Description / Default

"<file-upload-restriction-rule_name>" (no default)
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?

host-status {enable | disable} (default: disable)
    Enable to apply this rule only to HTTP requests for specific web hosts.
    Disable to match the rule based upon the other criteria, such as the URL, but regardless of the Host: field.

host "<protected-host_name>" (no default)
    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 256 characters.
    This setting applies only if host-status {enable | disable} on page 455 is enable.

request-file "<url_pattern>" (no default)
    Depending on your selection in request-type {regular | plain} on page 456, type either:
    - The literal URL, such as /fileupload, that the HTTP request must contain in order to match the signature exception. The URL must begin with a slash ( / ).
    - A regular expression, such as ^/*.php, matching all and only the URLs to which the signature exception should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.
    Do not include the name of the web host, such as www.example.com, which is configured separately in analyzer-policy "<fortianalyzer-policy_name>" on page 94. The maximum length is 256 characters.
    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:
    https://docs.fortinet.com/fortiweb/admin-guides

request-type {regular | plain} (default: plain)
    Select whether analyzer-policy "<fortianalyzer-policy_name>" on page 94 will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular).

file-size-limit <size_int> (default: 0)
    Optionally, enter a number to represent the maximum size in kilobytes for any individual file. This places a size limit on allowed file types. The valid range is 0–30720 KB.

json-file-support {enable | disable} (default: disable)
    Enable JSON File Support if you want FortiWeb to further parse the file contained in a JSON file.

json-key-for-filename <filename> (no default)
    FortiWeb will parse the JSON file to find the value of the filename parameter, and compare it against the value you set for json-key-for-filename. This is optional.

json-key-field <FileContents> (no default)
    FortiWeb will parse the JSON file to find the value of the content parameter, and compare it against the value you set for json-key-field.
    Both json-key-for-filename and json-key-field require an exact match and are case sensitive.
    If both of them match, FortiWeb will apply the File Security policy to the file contained in the JSON file.
    If only json-key-field matches, FortiWeb will apply the File Security policy to the file contained in the JSON file, and in the attack log the name of the file will be shown as "JSON File".
    If only json-key-for-filename matches, it is treated as no match. FortiWeb will not scan the file contained in the JSON file any further.

enable_base64_decode {enable | disable} (default: enable)
    Enable to base64-decode the file contained in the JSON file.

file-uncompress {enable | disable} (default: disable)
    Enable to decompress uploaded archives so that FortiWeb can verify the type and size of the files inside them.

uncompress-nest-limit <int> (default: 12)
    Type the maximum number of allowed levels of compression (“nesting”) that FortiWeb will attempt to decompress.
    The valid range is 1–100.

uncompress-oversize-limit <int> (default: 5,000)
    Type the maximum size in kilobytes (KB) of the memory buffer that FortiWeb will use to temporarily undo the compression.
    When the file has multiple compression levels and the size of the decompressed files reaches the maximum when FortiWeb decompresses to a certain level, then FortiWeb will only check the already-decompressed files. The files that are not decompressed will pass through FortiWeb without scanning.
    The maximum acceptable values are:
    - 102400 KB: FortiWeb 100D, 100E, 400C, 400D, 400E, 600D, 600E, 1000C, 3000CFsx, 4000C
    - 204800 KB: FortiWeb 1000D, 2000D, 3000D, 3000DFsx, 4000D, 1000E, 2000E, 3010E, 1000F, 2000F
    - 358400 KB: FortiWeb 3000E, 4000E, 3000F, 4000F

<entry_index> (no default)
    Enter the index number of the individual entry in the table. Each entry in the table can define one file type. The valid range is 1–9,999,999,999,999,999,999.

file-type-id "<id_str>" (no default)
    Select the numeric type ID that corresponds to the file type. Recognized IDs are updated by FortiGuard services and may vary. For a list of available IDs, select all file types in the GUI, then use the CLI to view their corresponding IDs.
    Common IDs include:
    - 00001 (GIF)
    - 00002 (JPG)
    - 00003 (PDF)
    - 00004 (XML)
    - 00005 (MP3)
    - 00006 (MIDI)
    - 00007 (WAVE)
    - 00008 (FLV for a Macromedia Flash Video)
    - 00009 (RAR)
    - 00010 (ZIP)
    - 00011 (BMP)
    - 00012 (RM for RealMedia)
    - 00013 (MPEG for MPEG v)
    - 00014 (3GPP)
    - 00203 (MSI)
    - 00204 (BAT)

file-type-name "<file-type-extension_str>" (no default)
    Enter the extension, such as MP3, of the file type to allow to be uploaded. Recognized file types are updated by FortiGuard services and may vary. For a list of available names, use the GUI.
    Note: Microsoft Office Open XML file types such as .docx, .xlsx, .pptx, and .vsdx are a type of ZIP-compressed XML. If you specify restrictions for them, those signatures will take priority. However, if you do not select a MSOOX restriction but do have an XML or ZIP restriction, the XML and ZIP restrictions will still apply, and the files will still be restricted.

file-extention <file-type-extension_str> (no default)
    If the file type is not one of the recognized file types, use this setting to enter your custom file type.

Example

This example allows both MPEG and FLV files to be uploaded to the URL /file-uploads on the host www.example.com.
config waf file-upload-restriction-rule
    edit "file-upload-rule1"
        set host-status enable
        set host "www.example.com"
        set request-file "/file-uploads"
        config file-types
            edit 1
                set file-type-id "00013"
                set file-type-name "MPEG"
            next
            edit 2
                set file-type-id "00008"
                set file-type-name "FLV"
            next
        end
    next
end
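As an added example, not FortiWeb code, the following models the file security checks this table describes on constructed input: the file type allow-list, file-size-limit, nested decompression bounded by uncompress-nest-limit and uncompress-oversize-limit (content beyond either limit is left unscanned, as the table states), and the json-key-for-filename / json-key-field match cases. It assumes the json-key-* settings name JSON members, that the size budget is enforced on the bytes actually decompressed, and models ZIP as the only archive format.

```python
import base64
import io
import json
import zipfile

# Constructed model of the checks described for waf file-upload-restriction-rule
# (added illustration, not FortiWeb code). Units follow the table: file-size-limit
# and uncompress-oversize-limit are kilobytes, uncompress-nest-limit counts levels
# of compression. Treating json-key-* as JSON member names is an assumption.
RULE = {
    "file-types": {"TXT", "PNG", "ZIP"},   # allowed extensions (constructed)
    "file-size-limit": 64,                 # KB; 0 would mean no limit
    "file-uncompress": True,
    "uncompress-nest-limit": 12,
    "uncompress-oversize-limit": 5000,     # KB
    "json-key-for-filename": "filename",
    "json-key-field": "FileContents",
    "enable_base64_decode": True,
}


def extension_allowed(filename, rule):
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    return ext in rule["file-types"]


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def inspect_archive(data, rule):
    """Open nested ZIPs up to uncompress-nest-limit levels while the bytes
    decompressed so far stay within uncompress-oversize-limit.

    Returns (scanned_names, unscanned_entries). Unscanned content is what the
    table says passes through FortiWeb without being checked."""
    budget = [rule["uncompress-oversize-limit"] * 1024]
    scanned, unscanned = [], []

    def walk(blob, depth):
        if depth > rule["uncompress-nest-limit"]:
            unscanned.append(("nest-limit", depth))
            return
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                with zf.open(info) as fh:
                    # Read one byte past the budget so a header that understates
                    # the real size (zip-bomb style) cannot bypass the limit.
                    member = fh.read(budget[0] + 1)
                if len(member) > budget[0]:
                    unscanned.append((info.filename, depth))
                    continue
                budget[0] -= len(member)
                if zipfile.is_zipfile(io.BytesIO(member)):
                    walk(member, depth + 1)
                else:
                    scanned.append(info.filename)

    walk(data, 1)
    return scanned, unscanned


def scan_upload(filename, data, rule):
    """Apply the rule to one uploaded file; returns a verdict dict."""
    if rule["file-size-limit"] and len(data) > rule["file-size-limit"] * 1024:
        return {"verdict": "block", "reason": "file-size-limit", "unscanned": 0}
    if not extension_allowed(filename, rule):
        return {"verdict": "block", "reason": "file type", "unscanned": 0}
    unscanned = []
    if rule["file-uncompress"] and zipfile.is_zipfile(io.BytesIO(data)):
        scanned, unscanned = inspect_archive(data, rule)
        for name in scanned:
            if not extension_allowed(name, rule):
                return {"verdict": "block", "reason": "file type in archive: " + name,
                        "unscanned": len(unscanned)}
    return {"verdict": "allow", "reason": "scanned", "unscanned": len(unscanned)}


def json_upload(payload, rule):
    """Apply the json-key-for-filename / json-key-field match table.

    Returns (filename_for_log, file_bytes), or None when only the filename key
    matches, which the table says counts as no match."""
    doc = json.loads(payload)
    if rule["json-key-field"] not in doc:
        return None
    content = doc[rule["json-key-field"]]
    raw = base64.b64decode(content) if rule["enable_base64_decode"] else content.encode()
    return doc.get(rule["json-key-for-filename"], "JSON File"), raw
```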

Related topics

- server-policy custom-application application-policy on page 1


waf ftp-command-restriction-rule

Use this command to create FTP command restriction rules to specify acceptable FTP commands that clients can use to
communicate with your server(s). Certain FTP commands can expose your server(s) to attack. For example, because
attackers can exploit the PORT command to carry out FTP bounce attacks, restricting the PORT command can harden
your network's security if you're using FTP.
For details about applying an FTP command restriction rule to an FTP server policy, see waf ftp-protection-profile.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

If ftp-security isn't enabled in feature-visibility, you must enable it before you can create an FTP command restriction
rule. To enable ftp-security, see system feature-visibility on page 263.

Syntax
config waf ftp-command-restriction-rule
    edit "<rule_name>"
        set action {alert | alert_deny | block-period | deny_no_log}
        set block-period <block_period_int>
        set severity {High | Info | Low | Medium}
        set trigger "<policy_name>"
        config command-types
            edit <entry_index>
                set command-type <ftp_command>
            next
        end
    next
end

Variable / Description / Default

"<rule_name>"
    Enter a unique name that can be referenced in other parts of the configuration. Don't use spaces or special
    characters. The maximum length is 63 characters.
    Default: No default.

<entry_index>
    Enter an index number of the individual entry in the table. The valid range is 1–999,999,999,999,999,999.
    You must create an entry index for each FTP command that you plan to include in the rule.
    Default: No default.

command-type <ftp_command>
    Enter an FTP command that you want to include in the rule. You can include these FTP commands in the rule:
    ABOR, ACCT, ALLO, APPE, AUTH, CDUP, CWD, DELE, EPRT, EPSV, FEAT, HELP, LIST, MDTM, MKD, MLSD, MODE, NLST, OPTS,
    PASS, PASV, PORT, PROT, PWD, QUIT, REIN, REST, RETR, RMD, RNFR, RNTO, SITE, SIZE, SMNT, STAT, STOR, STOU, STRU,
    SYST, TYPE, USER, XCUP, XMKD, XPWD, XRMD
    Default: No default.

action {alert | alert_deny | block-period | deny_no_log}
    Select which action FortiWeb will take when it detects a violation of the rule:
    • alert—Accept the connection and generate an alert email and/or log message.
    • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
    • deny_no_log—Block the request (or reset the connection).
    • block-period—Block subsequent requests from the client for a number of seconds. Also configure
      block-period <block_period_int>.
    Note: This setting will be ignored if monitor-mode {enable | disable} on page 152 is enabled in a server policy.
    Default: alert

block-period <block_period_int>
    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects
    that the client has violated the rule. The valid range is 1–3,600 seconds.
    This setting is available only if action {alert | alert_deny | block-period | deny_no_log} is set to
    block-period.
    Default: 600

severity {High | Info | Low | Medium}
    When rule violations are recorded in the attack log, each log message contains a Severity Level
    (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the rule:
    Info, Low, Medium, or High.
    Default: Medium

trigger "<policy_name>"
    Enter the name of a trigger policy, if any, that FortiWeb will use when it logs and/or sends an alert email
    about a violation of the rule.
    Default: No default.

Related topics

• waf ftp-protection-profile on page 463
• system feature-visibility on page 263
• waf ftp-file-security on page 461
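The following Python model shows how an allowlist rule of this kind is evaluated on the FTP control channel, including
the block-period state that keeps denying a client for the configured number of seconds. It is an added illustration,
not FortiWeb code: the rule name, the allowed command set, the client address and the session lines are all
constructed, and the per-client block table is an assumption about how block-period is tracked.

```python
"""Allowlist filter for FTP control-channel commands.

Added illustration of the rule semantics described above; it is not
FortiWeb code. The rule name, the allowed command set, the client
address and the FTP session lines below are all constructed.
"""
from dataclasses import dataclass, field

# The command-type values the reference lists for the rule.
KNOWN_COMMANDS = frozenset({
    "ABOR", "ACCT", "ALLO", "APPE", "AUTH", "CDUP", "CWD", "DELE", "EPRT",
    "EPSV", "FEAT", "HELP", "LIST", "MDTM", "MKD", "MLSD", "MODE", "NLST",
    "OPTS", "PASS", "PASV", "PORT", "PROT", "PWD", "QUIT", "REIN", "REST",
    "RETR", "RMD", "RNFR", "RNTO", "SITE", "SIZE", "SMNT", "STAT", "STOR",
    "STOU", "STRU", "SYST", "TYPE", "USER", "XCUP", "XMKD", "XPWD", "XRMD",
})

ACTIONS = ("alert", "alert_deny", "block-period", "deny_no_log")


@dataclass
class CommandRestrictionRule:
    """One ftp-command-restriction-rule: commands not in `allowed` violate it."""
    name: str
    allowed: frozenset
    action: str = "alert"
    block_period: int = 600          # seconds; used only with block-period
    severity: str = "Medium"
    blocked_until: dict = field(default_factory=dict)   # client -> expiry (assumed)

    def __post_init__(self):
        unknown = set(self.allowed) - KNOWN_COMMANDS
        if unknown:
            raise ValueError(f"unsupported command-type: {sorted(unknown)}")
        if self.action not in ACTIONS:
            raise ValueError(f"unsupported action: {self.action}")
        if not 1 <= self.block_period <= 3600:
            raise ValueError("block-period must be 1-3,600 seconds")

    def evaluate(self, client, line, now):
        """Return (verdict, log) for one command line; verdict is accept/deny."""
        if self.blocked_until.get(client, 0) > now:
            return "deny", None                 # still inside a block period
        verb = line.strip().split(" ", 1)[0].upper()
        if verb in self.allowed:
            return "accept", None
        log = {"rule": self.name, "client": client, "command": verb,
               "severity": self.severity, "action": self.action}
        if self.action == "alert":
            return "accept", log                # log only, let it through
        if self.action == "deny_no_log":
            return "deny", None
        if self.action == "block-period":
            self.blocked_until[client] = now + self.block_period
        return "deny", log                      # alert_deny or block-period


def run_session(rule, client, lines, start=0.0):
    """Feed a constructed session through the rule, one second per line."""
    verdicts = []
    for i, line in enumerate(lines):
        verdict, _log = rule.evaluate(client, line, now=start + i)
        verdicts.append(verdict)
    return verdicts


# Constructed rule: passive-mode transfers only. PORT and EPRT are left out,
# which removes the active-mode vector used in FTP bounce attacks.
PASSIVE_ONLY = CommandRestrictionRule(
    name="ftp-cmd-rule1",
    allowed=frozenset({"USER", "PASS", "PASV", "EPSV", "LIST", "RETR", "QUIT"}),
    action="block-period",
    block_period=600,
)

# Constructed control-channel lines from a single client.
SESSION = [
    "USER alice",
    "PASS hunter2",
    "PORT 192,0,2,10,0,21",   # not allowed: triggers the rule
    "LIST",                   # allowed command, but the client is now blocked
    "QUIT",
]

if __name__ == "__main__":
    for line, verdict in zip(SESSION, run_session(PASSIVE_ONLY, "198.51.100.7", SESSION)):
        print(f"{verdict:6}  {line}")
```

Because block-period applies to the client rather than to the command, the LIST and QUIT that follow the rejected PORT
are still denied; a rule set to alert would log the PORT but let the whole session through, which is the right choice
while you are still confirming that the allowlist covers everything your clients legitimately send.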

waf ftp-file-security

Use this command to create FTP file check rules so that FortiWeb restricts file uploads or downloads and scans files
that clients attempt to upload to or download from your server(s). When configured, FortiWeb can also send files to
FortiSandbox for analysis and perform an antivirus scan.
For details about applying an FTP file check rule to an FTP server policy, see waf ftp-protection-profile.
To use this command, your administrator account's access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Note: If ftp-security isn't enabled in feature-visibility, you must enable it before you can create an FTP file check
rule. To enable ftp-security, see system feature-visibility on page 263.

Syntax
    config waf ftp-file-security
        edit "<rule_name>"
            set action {alert | alert_deny | block-period | deny_no_log}
            set block-period <block_period_int>
            set severity {High | Info | Low | Medium}
            set trigger "<policy_name>"
            set check-dir {both | download | upload}
            set av-scan {enable | disable}
            set send-files-to-fortisandbox {enable | disable}
            set icap-server-check {enable | disable}
        next
    end

Variable / Description / Default

"<rule_name>"
    Enter a unique name that can be referenced in other parts of the configuration. Don't use spaces or special
    characters. The maximum length is 63 characters.
    Default: No default.

action {alert | alert_deny | block-period | deny_no_log}
    Select which action FortiWeb will take when it detects a violation of the rule:
    • alert—Accept the connection and generate an alert email and/or log message.
    • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
    • deny_no_log—Block the request (or reset the connection).
    • block-period—Block subsequent requests from the client for a number of seconds. Also configure
      block-period <block_period_int>.
    Note: This setting will be ignored if monitor-mode {enable | disable} on page 152 is enabled in a server policy.
    Default: alert_deny

block-period <block_period_int>
    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects
    that the client has violated the rule. The valid range is 1–3,600 seconds.
    This setting is available only if action {alert | alert_deny | block-period | deny_no_log} is set to
    block-period.
    Default: 600

severity {High | Info | Low | Medium}
    When rule violations are recorded in the attack log, each log message contains a Severity Level
    (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the rule:
    Info, Low, Medium, or High.
    Default: Medium

trigger "<policy_name>"
    Enter the name of a trigger policy, if any, that FortiWeb will use when it logs and/or sends an alert email
    about a violation of the rule.
    Default: No default.

check-dir {both | download | upload}
    Select one of the following:
    • both—FortiWeb applies the rule to files being either downloaded from or uploaded to your server(s).
    • download—FortiWeb applies the rule to files being downloaded from your server(s).
    • upload—FortiWeb applies the rule to files being uploaded to your server(s).
    Default: upload

av-scan {enable | disable}
    Enable so that FortiWeb performs an antivirus scan on files that match the direction selected in check-dir
    {both | download | upload}.
    Default: disable

send-files-to-fortisandbox {enable | disable}
    Enable so that FortiWeb sends files that match the direction selected in check-dir {both | download | upload}
    to FortiSandbox. Also specify the FortiSandbox settings for your FortiWeb. For details, see system
    fortisandbox on page 278.
    FortiSandbox evaluates the file and returns the results to FortiWeb.
    If av-scan {enable | disable} is enabled and FortiWeb detects a virus, it does not send the file to
    FortiSandbox.
    Default: disable

icap-server-check {enable | disable}
    Enable so that FortiWeb sends files that match the selected upload or download direction to the ICAP server.
    Default: disable

Related topics

• system feature-visibility on page 263
• waf ftp-command-restriction-rule on page 459
• waf ftp-protection-profile on page 463

waf ftp-protection-profile

Use this command to configure an FTP security inline profile.
FTP security inline profiles combine previously configured rules, profiles, and policies into a comprehensive set that
can be applied in an FTP server policy. For details, see server-policy policy on page 140.
To use this command, your administrator account's access control profile must have either w or rw permission to the
traroutegrp area. For details, see Permissions on page 46.

Before creating an FTP security inline profile

Prior to creating an FTP security inline profile, you should create and configure the rules, profiles, and policies that you
plan to add to the FTP security inline profile. You can include the following:
• FTP Command Restriction rules (see waf ftp-command-restriction-rule on page 459)
• FTP File Check rules (see waf ftp-file-security on page 461)
• IP Reputation intelligence (see waf ip-intelligence on page 501)
• Geo IP rules (see waf geo-block-list on page 465)
• IP List rules (see waf ip-list on page 505)

Note: If ftp-security isn't enabled in feature-visibility, you must enable it before you can create an FTP security
inline profile. To enable ftp-security, see system feature-visibility on page 263.


Syntax
    config waf ftp-protection-profile
        edit "<policy_name>"
            set ftp-file-check "<rule_name>"
            set ftp-geo-ip "<rule_name>"
            set ftp-ip-check "<rule_name>"
            set ftp-ip-intelligence {enable | disable}
            set ftp-restriction-command-type "<rule_name>"
        next
    end

Variable / Description / Default

"<policy_name>"
    Enter a unique name that can be referenced in other parts of the configuration. Don't use spaces or special
    characters. The maximum length is 63 characters.
    Default: No default.

ftp-file-check "<rule_name>"
    Enter the name of an FTP file check rule that you previously created. If you haven't created an FTP file check
    rule to include in this profile yet, see waf ftp-file-security on page 461 for instructions about creating one.
    Default: No default.

ftp-geo-ip "<rule_name>"
    Enter the name of a geo IP block policy that you previously created. If you haven't created a geo IP block
    policy to include in this profile yet, see waf geo-block-list on page 465 for instructions about creating one.
    Default: No default.

ftp-ip-check "<rule_name>"
    Enter the name of an IP List that you previously created. If you haven't created an IP List rule to include in
    this profile yet, see waf ip-list on page 505 for instructions about creating one.
    Default: No default.

ftp-ip-intelligence {enable | disable}
    Enable to include the active IP reputation policy in this profile. If you haven't created an IP reputation
    policy to include in this profile yet, see waf ip-intelligence on page 501 for instructions about creating one.
    Default: disable

ftp-restriction-command-type "<rule_name>"
    Enter the name of an FTP command restriction rule that you previously created. If you haven't created an FTP
    command restriction rule to include in this profile yet, see waf ftp-command-restriction-rule on page 459 for
    instructions about creating one.
    Default: No default.

Related topics

• server-policy policy on page 140
• waf ftp-command-restriction-rule on page 459
• waf ftp-file-security on page 461
• waf ip-intelligence on page 501
• waf geo-block-list on page 465
• waf ip-list on page 505


waf geo-block-list

Use this command to define large sets of client IP addresses to block based upon their associated geographical location.

Note: Because network mappings may change as networks grow and shrink, if you use this feature, be sure to periodically
update the geography-to-IP mapping database. To download the file, go to the Fortinet Customer Service & Support
website: HTTPs://support.fortinet.com

Optionally, you can also specify a list of IP addresses or IP address ranges that are exempt from this blacklist. For
details, see waf geo-ip-except on page 467.
Alternatively, you can block clients individually (see "server-policy custom-application application-policy" on page 1) or
based upon their reputation (see waf ip-intelligence on page 501).
To apply the rule, select it in a protection profile. For details, see waf web-protection-profile inline-protection on page 636
or waf web-protection-profile offline-protection on page 645.
To use this command, your administrator account's access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
    config waf geo-block-list
        edit "<geography-to-ip_name>"
            set severity {High | Medium | Low | Info}
            set action {alert_deny | block-period | deny_no_log}
            set block-period <block_period_int>
            set trigger "<trigger-policy_name>"
            set ignore-x-forwarded-for {enable | disable}
            config country-list
                edit <entry_index>
                    set country-name "<region_name>"
                next
            end
        next
    end

Variable / Description / Default

"<geography-to-ip_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

severity {High | Medium | Low | Info}
    Select the severity level to use in logs and reports generated when a violation of the rule occurs.
    Default: Low

action {alert_deny | block-period | deny_no_log}
    Select which action FortiWeb will take when it detects a violation of the rule:
    • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
    • deny_no_log—Block the request (or reset the connection).
    • block-period—Block subsequent requests from the client for a number of seconds. Also configure
      block-period <block_period_int>.
    Note: This setting will be ignored if monitor-mode {enable | disable} on page 152 is enabled in a server policy.
    Default: block-period

block-period <block_period_int>
    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects
    that the client has violated the rule. The valid range is 1–3,600 seconds.
    This setting is available only if action is set to block-period.
    Default: 60

trigger "<trigger-policy_name>"
    Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy on page 93.
    The maximum length is 63 characters.
    To display the list of existing trigger policies, enter:
    set trigger ?
    Default: No default.

ignore-x-forwarded-for {enable | disable}
    By default, FortiWeb scans the IP addresses in the X-Forwarded-For header at the HTTP layer. This causes high
    resource consumption. To improve performance, you can enable ignore-x-forwarded-for so that the IP addresses
    are scanned at the TCP layer instead. This avoids HTTP packets being processed unnecessarily.
    Default: disable

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

country-name "<region_name>"
    Enter the name of a region (Antarctica or Bouvet Island) or country (U.S.) as it is written in English.
    Surround names with multiple words or apostrophes in double quotes.
    The list of locations varies by the currently installed IP-to-geography mapping package. For a current list of
    locations, use the web UI.
    Default: No default.

Example

This example creates a geo IP block list, north-america, that a server policy can use to block clients with IP
addresses belonging to Belize and Canada. FortiWeb does not block the IP addresses specified by the allow-north-america
exception list.
    config waf geo-block-list
        edit "north-america"
            set trigger "notification-servers1"
            set exception rule "allow-north-america"
            set severity Low
            config country-list
                edit 1
                    set country-name "Belize"
                next
                edit 2
                    set country-name "Canada"
                next
            end
        next
    end

Related topics

• log trigger-policy on page 93
• waf geo-ip-except on page 467
• waf web-protection-profile inline-protection on page 636
• server-policy custom-application application-policy on page 1
• waf ip-intelligence on page 501
• debug flow trace on page 694

waf geo-ip-except

Use this command to specify IP addresses or ranges of IP addresses that are exceptions to the list of client IP addresses
that FortiWeb blocks based on their geographic location.
For details about creating the blocklist by country or region, see waf geo-block-list on page 465.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
    config waf geo-ip-except
        edit "<geo-ip-except_name>"
            edit <entry_index>
                set ip {"<address_ipv4>" | "<ip_range_ipv4>"}
            next
        end
        next
    end

Variable / Description / Default

"<geo-ip-except_name>"
    Enter the name of a new or existing list of exceptions.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

ip {"<address_ipv4>" | "<ip_range_ipv4>"}
    Enter the IP address or IP address range that is exempt from blocking based on its geographic location.
    Default: No default.

Example

This example adds the IP address range 192.0.2.0 to 192.0.2.5 to the geo-location blocklist exception list
allow-north-america.
    config waf geo-ip-except
        edit "allow-north-america"
            edit 1
                set ip "192.0.2.0-192.0.2.5"
            next
        end
        next
    end

Related topics

• waf geo-block-list on page 465
• server-policy custom-application application-policy on page 1
• waf ip-intelligence on page 501
• debug flow trace on page 694
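The two commands above, waf geo-block-list and waf geo-ip-except, work together: the exception list is consulted before
the country lookup, and ignore-x-forwarded-for decides which address is looked up. The Python model below walks through
that order of evaluation for the north-america and allow-north-america lists of the CLI examples. It is an added
illustration, not FortiWeb code: the prefix-to-country table, the client addresses and the X-Forwarded-For values are
constructed, and the appliance's real geography-to-IP database is not used.

```python
"""Geo IP block list with an exception list, as the two commands above describe.

Added illustration, not FortiWeb code. The mapping table, the client
addresses and the X-Forwarded-For values are constructed; the real
appliance looks addresses up in the FortiGuard geography-to-IP database.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the geography-to-IP mapping database.
GEO_DB = {
    ipaddress.ip_network("192.0.2.0/24"): "Canada",
    ipaddress.ip_network("198.51.100.0/24"): "Belize",
    ipaddress.ip_network("203.0.113.0/24"): "Germany",
}


def lookup_country(ip):
    """Return the mapped country for an address, or None when unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_DB.items():
        if addr in net:
            return country
    return None


def parse_except_entry(entry):
    """Parse one geo-ip-except 'ip' value: '192.0.2.1' or '192.0.2.0-192.0.2.5'."""
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if end < start:
            raise ValueError(f"range end before start: {entry}")
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(entry.strip())]


@dataclass
class GeoBlockList:
    name: str
    countries: frozenset                 # country-list entries
    exceptions: list                     # networks from waf geo-ip-except
    action: str = "block-period"
    block_period: int = 60
    severity: str = "Low"
    ignore_xff: bool = False             # ignore-x-forwarded-for
    blocked_until: dict = field(default_factory=dict)   # client -> expiry (assumed)

    def client_ip(self, src_ip, xff=None):
        """Address to classify: the first X-Forwarded-For hop unless ignored."""
        if self.ignore_xff or not xff:
            return src_ip
        return xff.split(",")[0].strip()

    def evaluate(self, src_ip, xff=None, now=0.0):
        """Return (verdict, log): verdict is accept/deny, log is None or a dict."""
        ip = self.client_ip(src_ip, xff)
        if self.blocked_until.get(ip, 0) > now:
            return "deny", None             # still inside a block period
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.exceptions):
            return "accept", None           # exempt regardless of location
        country = lookup_country(ip)
        if country not in self.countries:
            return "accept", None
        log = {"rule": self.name, "client": ip, "country": country,
               "severity": self.severity, "action": self.action}
        if self.action == "deny_no_log":
            return "deny", None
        if self.action == "block-period":
            self.blocked_until[ip] = now + self.block_period
        return "deny", log                  # alert_deny or block-period


def build_north_america():
    """The two lists from the CLI examples above, as constructed objects."""
    exceptions = []
    for entry in ["192.0.2.0-192.0.2.5"]:          # allow-north-america
        exceptions.extend(parse_except_entry(entry))
    return GeoBlockList(name="north-america",
                        countries=frozenset({"Belize", "Canada"}),
                        exceptions=exceptions)


if __name__ == "__main__":
    g = build_north_america()
    for src, xff in [("192.0.2.3", None), ("192.0.2.77", None),
                     ("10.0.0.1", "198.51.100.4, 10.0.0.2")]:
        print(src, xff, g.evaluate(src, xff))
```

Two points this makes visible: a range such as 192.0.2.0-192.0.2.5 does not fall on a prefix boundary and is expanded
to 192.0.2.0/30 plus 192.0.2.4/31, and with ignore-x-forwarded-for enabled the address classified is the TCP peer, so a
client behind a proxy is judged by the proxy's location rather than its own.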

waf hidden-fields-protection

Use this command to configure groups of hidden field rules.
To apply hidden field rule groups, select them within an inline protection profile. For details, see waf web-protection-
profile inline-protection on page 636.
To use this command, your administrator account's access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
    config waf hidden-fields-protection
        edit "<hidden-field-group_name>"
            config hidden_fields_list
                edit <entry_index>
                    set hidden-field-rule "<hidden-field-rule_name>"
                next
            end
        next
    end

Variable / Description / Default

"<hidden-field-group_name>"
    Enter the name of a new or existing hidden field rule group. The maximum length is 63 characters.
    To display the list of existing groups, enter:
    edit ?
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

hidden-field-rule "<hidden-field-rule_name>"
    Enter the name of an existing hidden field rule to add to the group. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    set hidden-field-rule ?
    Default: No default.

Related topics

• waf hidden-fields-rule on page 469
• waf web-protection-profile inline-protection on page 636

waf hidden-fields-rule

Use this command to configure hidden field rules.
Hidden form inputs, like other types of parameters and inputs, can be vulnerable to tampering and can be used as a
vector for other attacks.
Unlike other inputs, they are often written into an HTML page by the web server when it serves that page to the client,
and are not visible on the rendered web page. As such, they are difficult for users to unintentionally modify, and are
often incorrectly perceived as relatively safe by website owners.
Like other inputs, however, they are accessible through the JavaScript document object model (DOM), and as inputs,
can be used to inject invalid data into your databases or attempt to tamper with the session state.
Hidden field rules prevent such tampering. The FortiWeb appliance caches the values of a session's hidden inputs as
they pass to the HTTP client, and verifies that they remain unchanged when the HTTP client submits a form.
You apply hidden field constraints by first grouping them into a hidden field group. For details, see waf hidden-fields-
protection on page 468.
Before you configure a hidden field rule, if you want to apply it only to HTTP requests for a specific real or virtual host,
you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts on page 103.

Note: Alternatively, you can use the web UI to fetch the request URL from the server and scan it for hidden inputs,
using the results to configure the hidden input rule. For details, see the FortiWeb Administration Guide:
HTTPs://docs.fortinet.com/fortiweb/admin-guides

To use this command, your administrator account's access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
    config waf hidden-fields-rule
        edit "<hidden-field-rule_name>"
            set action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log}
            set block-period <seconds_int>
            set host "<protected-hosts_name>"
            set host-status {enable | disable}
            set request-file "<url_str>"
            set action-url0 "<url_str>"
            set action-url1 "<url_str>"
            set action-url2 "<url_str>"
            set action-url3 "<url_str>"
            set action-url4 "<url_str>"
            set action-url5 "<url_str>"
            set action-url6 "<url_str>"
            set action-url7 "<url_str>"
            set action-url8 "<url_str>"
            set action-url9 "<url_str>"
            set severity {High | Medium | Low | Info}
            set trigger "<trigger-policy_name>"
            config hidden-field-name
                edit <entry_index>
                    set argument "<hidden-field_str>"
                next
            end
        next
    end

Variable / Description / Default

"<hidden-field-rule_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log}
    Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one
    of the hidden field rules in the entry:
    • alert—Accept the request and generate an alert email and/or log message.
    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details,
      see "system replacemsg" on page 1.
    • block-period—Block subsequent requests from the client for a number of seconds. Also configure
      block-period <seconds_int>.
      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an
      X-header that indicates the original client's IP. Failure to do so may cause FortiWeb to block all
      connections when it detects a violation of this type. For details, see waf x-forwarded-for on page 659.
    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert
      email and/or log message. Also configure redirect-url "<redirect_fqdn>" on page 643 and rdt-reason
      {enable | disable} on page 643.
    • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an
      alert email and/or log message.
    • deny_no_log—Deny the request. Do not generate a log message.
    Caution: This setting will be ignored if monitor-mode {enable | disable} on page 152 is enabled.
    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk on page 66
    and log alertMail on page 60.
    Note: If you select an auto-learning profile with this rule, you should select alert. If the action is
    alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects
    an attack, resulting in incomplete session information for the auto-learning feature. For details about
    auto-learning requirements, see "waf web-protection-profile autolearning-profile" on page 1.
    Default: alert

block-period <seconds_int>
    If action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log} on page 470 is
    block-period, enter the number of seconds that the connection will be blocked. The valid range is 1–3,600
    seconds.
    Default: 600

host "<protected-hosts_name>"
    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the
    rule. The maximum length is 256 characters.
    This setting applies only if host-status {enable | disable} on page 472 is enable.
    Default: No default.

host-status {enable | disable}
    Enable to apply this hidden field rule only to HTTP requests for specific web hosts. Also configure host
    "<protected-hosts_name>" on page 472.
    Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host:
    field.
    Default: disable

request-file "<url_str>"
    Enter the literal URL, such as /login.jsp, that contains the hidden form.
    The URL must begin with a slash ( / ). Do not include the name of the web host, such as www.example.com,
    which is configured separately in host "<protected-hosts_name>" on page 472. Regular expressions are not
    supported. The maximum length is 256 characters.
    Default: No default.

action-url0 "<url_str>" to action-url9 "<url_str>"
    Add up to 10 URLs that are valid to use with the HTTP POST method when the client submits the form containing
    the hidden fields in this rule.
    Default: No default.

severity {High | Medium | Low | Info}
    Select the severity level to use in logs and reports generated when a violation of the rule occurs.
    Default: High

trigger "<trigger-policy_name>"
    Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy on page 93.
    The maximum length is 63 characters.
    To display the list of existing trigger policies, enter:
    set trigger ?
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

argument "<hidden-field_str>"
    Enter the name of the hidden form input, such as languagepref. The maximum length is 63 characters.
    Default: No default.


Example

This example blocks and logs requests from /search.jsp if its hidden form input, named "languagepref", is posted to
any URL other than /query.do.
    config waf hidden-fields-rule
        edit "hidden_fields_rule1"
            set action alert_deny
            set request-file "/search.jsp"
            set action-url0 "/query.do"
            config hidden-field-name
                edit 1
                    set argument "languagepref"
                next
            end
        next
    end

Related topics

• server-policy allow-hosts on page 103
• waf hidden-fields-protection on page 468
• log trigger-policy on page 93
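The description above states the mechanism in two sentences: cache the hidden input values as the page goes to the
client, then verify them when the form comes back and check that it was posted to an allowed action URL. The Python
model below carries that through for the hidden_fields_rule1 example. It is an added illustration, not FortiWeb code:
the HTML page, the session identifier and the submitted forms are constructed, and keying the cache by session
identifier is an assumption about how the appliance associates a served page with a later submission.

```python
"""Hidden field tampering check, following the rule description above.

Added illustration, not FortiWeb code. The HTML page, session id and
submitted forms are constructed; the rule values match the CLI example.
"""
from html.parser import HTMLParser


class HiddenInputCollector(HTMLParser):
    """Collect name/value pairs of <input type="hidden"> elements in a served page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


class HiddenFieldRule:
    """One waf hidden-fields-rule entry with its per-session value cache."""

    def __init__(self, request_file, action_urls, arguments, action="alert", host=None):
        if not request_file.startswith("/"):
            raise ValueError("request-file must begin with /")
        if len(action_urls) > 10:
            raise ValueError("at most 10 action URLs (action-url0 to action-url9)")
        self.request_file = request_file
        self.action_urls = set(action_urls)
        self.arguments = set(arguments)       # hidden-field-name entries
        self.action = action
        self.host = host                      # None models host-status disable
        self.cache = {}                       # session id -> expected values (assumed keying)

    def on_response(self, session, host, url, html):
        """Cache the rule's hidden inputs as the page passes to the client."""
        if url != self.request_file or (self.host and host != self.host):
            return False
        collector = HiddenInputCollector()
        collector.feed(html)
        self.cache[session] = {n: v for n, v in collector.fields.items()
                               if n in self.arguments}
        return True

    def on_submit(self, session, url, form):
        """Verify a submission; return 'accept' or the rule's configured action."""
        expected = self.cache.get(session)
        if expected is None:
            return "accept"                   # nothing cached for this session
        if url not in self.action_urls:
            return self.action                # posted to a URL the rule does not allow
        for name, value in expected.items():
            if form.get(name) != value:
                return self.action            # hidden input was altered client-side
        return "accept"


# Constructed page as the origin server would serve /search.jsp.
SEARCH_PAGE = """<html><body>
<form method="post" action="/query.do">
  <input type="text" name="q">
  <input type="hidden" name="languagepref" value="en">
  <input type="hidden" name="csrf" value="abc123">
  <input type="submit" value="Search">
</form></body></html>"""


def hidden_fields_rule1():
    """The rule from the CLI example above."""
    return HiddenFieldRule("/search.jsp", ["/query.do"], ["languagepref"],
                           action="alert_deny")


if __name__ == "__main__":
    rule = hidden_fields_rule1()
    rule.on_response("session-1", "www.example.com", "/search.jsp", SEARCH_PAGE)
    print(rule.on_submit("session-1", "/query.do", {"q": "x", "languagepref": "en"}))
    print(rule.on_submit("session-1", "/query.do", {"q": "x", "languagepref": "fr"}))
    print(rule.on_submit("session-1", "/other.do", {"q": "x", "languagepref": "en"}))
```

Only the inputs named in hidden-field-name are cached, so the csrf field in the sample page is left alone; a session that
never received /search.jsp has nothing to compare against and passes, which is why the request-file must be the page
that actually carries the form.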

waf HTTP-authen HTTP-authen-policy

Use this command to group HTTP authentication rules into HTTP authentication policies.
The FortiWeb appliance uses authentication policies with the HTTP authentication feature to authorize HTTP requests.
For details, see the FortiWeb Administration Guide:
HTTPs://docs.fortinet.com/fortiweb/admin-guides
To apply HTTP authentication policies, select them in an inline protection profile. For details, see waf web-protection-
profile inline-protection on page 636.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
    config waf HTTP-authen HTTP-authen-policy
        edit "<auth-policy_name>"
            set cache {enable | disable}
            set alert-type {none | fail | success | all}
            set cache-timeout <timeout_int>
            set auth-timeout <timeout_int>
            config rule
                edit <entry_index>
                    set HTTP-authen-rule "<HTTP-auth-rule_name>"
                next
            end
        next
    end

Variable / Description / Default

"<auth-policy_name>"
    Enter the name of a new or existing HTTP authentication policy. The maximum length is 63 characters.
    To display the list of existing policies, enter:
    edit ?
    Default: No default.

cache {enable | disable}
    Enable to cache client user names and passwords from remote authentication such as LDAP queries. Also
    configure cache-timeout <timeout_int>.
    This can improve performance by preventing frequent queries.
    Default: No default.

alert-type {none | fail | success | all}
    Enter the instances when alerts will be issued for HTTP authentication attempts:
    • none—No alerts are issued for HTTP authentication.
    • fail—Alerts are issued only for HTTP authentication failures.
    • success—Alerts are issued for successful HTTP authentication.
    • all—Alerts are issued for all failed and successful HTTP authentication.
    Default: none

cache-timeout <timeout_int>
    Enter the query cache timeout, in seconds. The valid range is 0–3,600.
    This option is available only when cache {enable | disable} is enabled.
    Default: 300

auth-timeout <timeout_int>
    Enter the connection timeout, in milliseconds, for FortiWeb's query to the remote authentication server.
    The valid range is 0–60,000. To prevent dropped connections if the authentication server does not answer
    queries quickly enough, increase this value.
    Default: 2000

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

HTTP-authen-rule "<HTTP-auth-rule_name>"
    Enter the name of an existing HTTP authentication rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    set HTTP-authen-rule ?
    Default: No default.

Example

This example first configures a user group that contains both a local user account and an LDAP query.
    config user user-group
        edit "user-group1"
            config members
                edit 1
                    set type local
                    set local-name "user1"
                next
                edit 2
                    set ldap-name "user2"
                    set type ldap
                next
            end
        next
    end

Second, it configures a rule that requires basic HTTP authentication when requesting the URL
/employees/holidays.html on the host www.example.com. This URL will be identified as belonging to the realm
named "Restricted Area". Users belonging to user-group1 can authenticate.
    config waf HTTP-authen HTTP-authen-rule
        edit "auth-rule1"
            set host-status enable
            set host "www.example.com"
            config rule
                edit 1
                    set request-url "/employees/holidays.html"
                    set authen-type basic
                    set user-group "user-group1"
                    set user-realm "Restricted Area"
                next
            end
        next
    end

Third, it groups two HTTP authentication rules into an HTTP authentication policy that can be applied in an inline
protection profile.
    config waf HTTP-authen HTTP-authen-policy
        edit "HTTP-auth-policy1"
            config rule
                edit 1
                    set HTTP-authen-rule "auth-rule1"
                next
                edit 2
                    set HTTP-authen-rule "HTTP-auth-rule2"
                next
            end
        next
    end

Related topics

• waf HTTP-authen HTTP-authen-rule on page 476
• waf web-protection-profile inline-protection on page 636
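The policy and rule settings from this section and the next (request-url, host, user-realm, cache, cache-timeout and
alert-type) can be seen working together in the Python model below, which evaluates requests against the auth-rule1 and
user-group1 objects of the example above. It is an added illustration, not FortiWeb code: only the basic scheme is
implemented, the user accounts and passwords are constructed local users standing in for the user group, and caching a
SHA-256 fingerprint of the password rather than the password itself is a design choice of this example, not something
the reference specifies.

```python
"""HTTP authentication rule and policy evaluation, as described above.

Added illustration, not FortiWeb code. Only authen-type basic is handled;
the user accounts, host, realm and requests are constructed and mirror the
CLI example. Caching a password fingerprint is this example's choice.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed local users, keyed by user group (stands in for user user-group).
USER_GROUPS = {"user-group1": {"user1": "correct horse", "user2": "battery staple"}}


def _fingerprint(password):
    return hashlib.sha256(password.encode()).digest()


@dataclass
class AuthEntry:                 # one entry under "config rule" of an authen-rule
    request_url: str
    user_group: str
    user_realm: str
    authen_type: str = "basic"


@dataclass
class AuthRule:                  # waf HTTP-authen HTTP-authen-rule
    name: str
    entries: list
    host: str = None             # None models host-status disable

    def match(self, host, path):
        """Return the entry that covers this request, or None if no auth is required."""
        if self.host and host != self.host:
            return None
        for entry in self.entries:
            if entry.request_url == path:
                return entry
        return None


@dataclass
class AuthPolicy:                # waf HTTP-authen HTTP-authen-policy
    rules: list
    alert_type: str = "none"     # none | fail | success | all
    cache: bool = False
    cache_timeout: int = 300     # seconds
    _cache: dict = field(default_factory=dict, init=False, repr=False)

    def _check_credentials(self, entry, user, password, now):
        """Return (ok, served_from_cache); the cache is keyed by group and user."""
        key, fp = (entry.user_group, user), _fingerprint(password)
        if self.cache:
            hit = self._cache.get(key)
            if hit and hit[1] > now and hmac.compare_digest(hit[0], fp):
                return True, True
        stored = USER_GROUPS.get(entry.user_group, {}).get(user)
        ok = stored is not None and hmac.compare_digest(_fingerprint(stored), fp)
        if ok and self.cache:
            self._cache[key] = (fp, now + self.cache_timeout)
        return ok, False

    def authorize(self, host, path, headers, now=0.0):
        """Return status (200/401), the challenge to send, and alert/cached flags."""
        entry = None
        for rule in self.rules:
            entry = rule.match(host, path)
            if entry:
                break
        if entry is None:
            return {"status": 200, "challenge": None, "alert": False, "cached": False}
        if entry.authen_type != "basic":
            raise NotImplementedError("this example handles authen-type basic only")
        challenge = f'Basic realm="{entry.user_realm}"'
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "basic" or not token:
            # No credentials yet: challenge, but treat it as neither success nor failure (assumed).
            return {"status": 401, "challenge": challenge, "alert": False, "cached": False}
        try:
            user, _, password = base64.b64decode(token).decode().partition(":")
        except ValueError:            # covers binascii.Error and UnicodeDecodeError
            user, password = "", ""
        ok, cached = self._check_credentials(entry, user, password, now)
        alert = self.alert_type == "all" or self.alert_type == ("success" if ok else "fail")
        if ok:
            return {"status": 200, "challenge": None, "alert": alert, "cached": cached}
        return {"status": 401, "challenge": challenge, "alert": alert, "cached": False}


def basic_header(user, password):
    """Build the Authorization header a browser sends for basic authentication."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}


# The rule from the CLI example above.
AUTH_RULE1 = AuthRule(name="auth-rule1", host="www.example.com",
                      entries=[AuthEntry("/employees/holidays.html", "user-group1", "Restricted Area")])


def http_auth_policy1():
    return AuthPolicy(rules=[AUTH_RULE1], alert_type="fail", cache=True, cache_timeout=300)


if __name__ == "__main__":
    policy = http_auth_policy1()
    print(policy.authorize("www.example.com", "/employees/holidays.html", {}))
    print(policy.authorize("www.example.com", "/employees/holidays.html",
                           basic_header("user1", "correct horse"), now=10))
```

The walk-through shows why the realm matters (it is what the 401 challenge carries back to the browser) and what
cache-timeout buys: a second request inside the window is answered from the cache without a new query, while a wrong
password never hits the cache and, with alert-type fail, raises an alert.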


waf HTTP-authen HTTP-authen-rule

Use this command to configure HTTP authentication rules.
Authentication rules are used by the HTTP authentication feature to define sets of request URLs that will be authorized
for each user group.
You apply authentication rules by adding them to an authentication policy, which is ultimately selected within an inline
protection profile for use in web protection. For details, see waf HTTP-authen HTTP-authen-policy on page 473.
To use this command, your administrator account's access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
    config waf HTTP-authen HTTP-authen-rule
        edit "<auth-rule_name>"
            set host "<protected-hosts_name>"
            set host-status {enable | disable}
            config rule
                edit <entry_index>
                    set authen-type {basic | digest | ntlm}
                    set request-url "<path_str>"
                    set user-group "<user-group_name>"
                    set user-realm "<realm_str>"
                next
            end
        next
    end

"<auth-rule_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

host "<protected-hosts_name>"
    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the HTTP authentication rule. The maximum length is 256 characters.
    This setting applies only if host-status is enable.
    Default: No default.

host-status {enable | disable}
    Enable to apply this HTTP authentication rule only to HTTP requests for specific web hosts. Also configure host "<protected-hosts_name>" on page 476.
    Disable to match the HTTP authentication rule based upon the other criteria, such as the URL, but regardless of the Host: field.
    Default: disable

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

authen-type {basic | digest | ntlm}
    Select which type of HTTP authentication to use, either:
    - basic—Clear text, Base64-encoded user name and password. Supports local user accounts, and RADIUS and LDAP user queries. NTLM user queries are not supported.
    - digest—Hashed user name, realm, and password. RADIUS, LDAP and NTLM user queries are not supported.
    - ntlm—Encrypted user name and password. Local user accounts and RADIUS and LDAP user queries are not supported.
    Default: basic

request-url "<path_str>"
    Enter the literal URL, such as /employees/holidays.html, that a request must match in order to trigger HTTP authentication. The maximum length is 256 characters.
    Default: No default.

user-group "<user-group_name>"
    Enter the name of a user group that is authorized to use the URL in request-url "<path_str>" on page 477. The maximum length is 63 characters.
    To display the list of existing user groups, enter:
    set user-group ?
    Default: No default.

user-realm "<realm_str>"
    Enter the realm, such as Restricted Area, to which the request-url "<path_str>" on page 477 belongs. The maximum length is 63 characters.
    Browsers often use the realm multiple times.
    - It may appear in the browser’s prompt for the user’s credentials. Especially if a user has multiple logins, and only one login is valid for that specific realm, displaying the realm helps to indicate which user name and password should be supplied.
    - After authenticating once, the browser may cache the authentication credentials for the duration of the browser session. If the user requests another URL from the same realm, the browser often will automatically re-supply the cached user name and password, rather than asking the user to enter them again for each request.
    The realm may be the same for multiple authentication rules, if all of those URLs permit the same user group to authenticate.
    For example, the user group All_Employees could have access to the request-url "<path_str>" on page 477 URLs /wiki/Main and /wiki/ToDo. These URLs both belong to the realm named Intranet Wiki. Because they use the same realm name, users authenticating to reach /wiki/Main usually will not have to authenticate again to reach /wiki/ToDo, as long as both requests are within the same browser session.
    This field does not appear if authen-type is ntlm, which does not support HTTP-style realms.
    Default: No default.


Example

For an example, see waf http-authen http-authen-policy on page 473.

Related topics

- user user-group on page 376
- waf http-authen http-authen-policy on page 473
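
Added example (not from the FortiWeb documentation): what the three authen-type values put on the wire, and why the realm matters for digest. The realm and /wiki URLs are those from the user-realm description above; the user name, password and nonce are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample values. The realm is the one used in the user-realm
# description above; user, password and nonce are placeholders.
REALM = "Intranet Wiki"
USER = "alice"
PASSWORD = "placeholder-password"
NONCE = "0123456789abcdef"


def challenge_header(authen_type: str, realm: str, nonce: str = NONCE) -> str:
    """WWW-Authenticate header the server sends for each authen-type.

    Only basic and digest carry an HTTP-style realm; NTLM does not, which is
    why user-realm does not apply when authen-type is ntlm.
    """
    if authen_type == "basic":
        return f'WWW-Authenticate: Basic realm="{realm}"'
    if authen_type == "digest":
        return f'WWW-Authenticate: Digest realm="{realm}", nonce="{nonce}"'
    if authen_type == "ntlm":
        return "WWW-Authenticate: NTLM"
    raise ValueError(f"unknown authen-type: {authen_type!r}")


def basic_credential(user: str, password: str) -> str:
    """Authorization value for authen-type basic. Base64 is an encoding, not
    encryption, so the password is effectively sent in clear text."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(authorization: str) -> tuple:
    """What anyone who can read the header (e.g. without TLS) recovers."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    # RFC 7617: the user name cannot contain ':', so split at the first one.
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1. The secret is bound to the realm, which is why a browser
    can reuse one cached credential for every URL in that realm."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(user: str, realm: str, password: str,
                    method: str, uri: str, nonce: str = NONCE) -> str:
    """RFC 2617 Digest response (MD5, no qop) for a single request.

    The password never appears on the wire, and the value is also tied to the
    method, URI and server nonce, so it is not a reusable credential even for
    another URL inside the same realm.
    """
    ha1 = digest_ha1(user, realm, password)
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


if __name__ == "__main__":
    for kind in ("basic", "digest", "ntlm"):
        print(challenge_header(kind, REALM))
    cred = basic_credential(USER, PASSWORD)
    print(cred, "->", decode_basic(cred))
    for uri in ("/wiki/Main", "/wiki/ToDo"):
        print(uri, digest_response(USER, REALM, PASSWORD, "GET", uri))
```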

waf http-connection-flood-check-rule

Use this command to limit the number of TCP connections per HTTP session. This can prevent TCP connection floods from clients operating behind a shared IP with innocent clients.
Excessive numbers of TCP connections per session can occur if a web application or client is malfunctioning, or if an attacker is attempting to waste socket resources to produce a DoS.
This command is similar to waf layer4-connection-flood-check-rule on page 530. However, this feature counts TCP connections per session cookie, while TCP flood prevention counts only TCP connections per IP address. Because it uses session cookies at the application layer instead of only TCP/IP connections at the network layer, this feature can differentiate multiple clients that may be behind the same source IP address, such as when the source IP address hides a subnet that uses network address translation (NAT). However, in order to work, the client must support cookies.
To apply this rule, include it in an application-layer DoS-prevention policy. For details, see waf application-layer-dos-prevention on page 400.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf http-connection-flood-check-rule
    edit "<rule_name>"
        set action {alert | alert_deny | block-period | deny_no_log}
        set block-period <seconds_int>
        set http-connection-threshold <limit_int>
        set severity {High | Medium | Low | Info}
        set trigger-policy "<trigger-policy_name>"
    next
end

"<rule_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

action {alert | alert_deny | block-period | deny_no_log}
    Select one of the following actions that the FortiWeb appliance will perform when the count exceeds the rate limit:
    - alert—Accept the connection and generate an alert email and/or log message.
    - alert_deny—Block the connection and generate an alert email and/or log message.
    - block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int> on page 479.
    - deny_no_log—Deny a request. Do not generate a log message.
    Caution: This setting will be ignored if monitor-mode {enable | disable} on page 152 is enabled.
    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk on page 66 and log alertMail on page 60.
    Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, you should select alert. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see "waf web-protection-profile autolearning-profile" on page 1.
    Default: alert

block-period <seconds_int>
    Enter the length of time (in seconds) for which the FortiWeb appliance will block additional requests after a client exceeds the rate threshold.
    The valid range is 1–3,600 seconds.
    Default: 600

http-connection-threshold <limit_int>
    Enter the maximum number of TCP connections allowed from the same client. The valid range is 1–1,024.
    Default: 1

severity {High | Medium | Low | Info}
    Select the severity level to use in logs and reports generated when a violation of the rule occurs.
    Default: Medium

trigger-policy "<trigger-policy_name>"
    Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy on page 93. The maximum length is 63 characters.
    To display the list of existing trigger policies, enter:
    set trigger ?
    Default: No default.

Related topics

- log trigger-policy on page 93
- waf application-layer-dos-prevention on page 400
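
Added example (not from the FortiWeb documentation) of the difference the section above describes between counting connections per session cookie and per source IP. The connection sample and the threshold are constructed; the keys in RULE mirror this command's settings.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample of TCP connections as the WAF sees them:
# (source IP, session cookie, or None when the client sent no cookie).
# Three separate browsers sit behind the NAT address 203.0.113.7, while the
# single session sid=D on 198.51.100.9 opens five connections by itself.
SAMPLE_CONNECTIONS: List[Tuple[str, Optional[str]]] = [
    ("203.0.113.7", "sid=A"), ("203.0.113.7", "sid=A"),
    ("203.0.113.7", "sid=B"), ("203.0.113.7", "sid=B"),
    ("203.0.113.7", "sid=C"),
    ("198.51.100.9", "sid=D"), ("198.51.100.9", "sid=D"),
    ("198.51.100.9", "sid=D"), ("198.51.100.9", "sid=D"),
    ("198.51.100.9", "sid=D"),
    ("192.0.2.50", None),  # client without cookie support
]

# Hypothetical rule values, named after the settings of this command.
RULE = {"http-connection-threshold": 4, "action": "block-period", "block-period": 600}


def count_by_ip(conns) -> Counter:
    """What layer4-connection-flood-check-rule sees: one bucket per IP address."""
    return Counter(ip for ip, _ in conns)


def count_by_session(conns) -> Counter:
    """What this rule sees: one bucket per session cookie. Connections that
    carry no cookie cannot be attributed to a session and are not counted."""
    return Counter(cookie for _, cookie in conns if cookie is not None)


def untracked_clients(conns) -> List[str]:
    """Source IPs whose connections had no cookie: this rule cannot see them,
    so they need the per-IP rule instead."""
    return sorted({ip for ip, cookie in conns if cookie is None})


def evaluate(conns, threshold: int, keyed_by: str = "session") -> Dict[str, dict]:
    """Return the keys whose count exceeds the threshold, with the action the
    rule would take. keyed_by is "session" (this rule) or "ip" (layer 4 rule)."""
    counts = count_by_session(conns) if keyed_by == "session" else count_by_ip(conns)
    return {
        key: {"connections": n, "action": RULE["action"], "block-period": RULE["block-period"]}
        for key, n in counts.items() if n > threshold
    }


if __name__ == "__main__":
    limit = RULE["http-connection-threshold"]
    # Per IP the NAT gateway looks like an offender; per session only sid=D does.
    print("per IP:     ", evaluate(SAMPLE_CONNECTIONS, limit, "ip"))
    print("per session:", evaluate(SAMPLE_CONNECTIONS, limit, "session"))
    print("untracked:  ", untracked_clients(SAMPLE_CONNECTIONS))
```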


waf http-constraints-exceptions

Use set statements under this command to configure exceptions to existing HTTP protocol parameter constraints for specific hosts.
Exceptions may be useful if you know that some HTTP protocol constraints, during normal use, will cause false positives by matching an attack signature. Exceptions define HTTP constraints that will not be subject to the HTTP protocol constraint policy.
For example, if you enable max-http-header-length in an HTTP protocol constraint exception for a specific host, FortiWeb ignores the HTTP header length check when executing the web protection profile for that host.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf http-constraints-exceptions
    edit "<http-exception_name>"
        config http_constraints-exception-list
            edit <entry_index>
                set request-file "<url_pattern>"
                set request-type {plain | regular}
                set host-status {enable | disable}
                set block-malformed-request {enable | disable}
                set Illegal-content-length-check {enable | disable}
                set Illegal-content-type-check {enable | disable}
                set Illegal-header-name-check {enable | disable}
                set Illegal-header-value-check {enable | disable}
                set Illegal-host-name-check {enable | disable}
                set Illegal-http-request-method-check {enable | disable}
                set Internal-resource-limits-check {enable | disable}
                set max-cookie-in-request {enable | disable}
                set max-header-line-request {enable | disable}
                set max-http-body-length {enable | disable}
                set max-http-body-parameter-length {enable | disable}
                set max-http-content-length {enable | disable}
                set max-http-header-length {enable | disable}
                set max-http-header-line-length {enable | disable}
                set max-http-header-name-length {enable | disable}
                set max-http-header-value-length {enable | disable}
                set max-http-parameter-length {enable | disable}
                set max-http-request-filename-length {enable | disable}
                set max-http-request-length {enable | disable}
                set max-url-param-name-len {enable | disable}
                set max-url-param-value-len {enable | disable}
                set max-url-parameter {enable | disable}
                set max-url-parameter-length {enable | disable}
                set number-of-ranges-in-range-header {enable | disable}
                set http2-max-requests <int>
                set parameter-name-check {enable | disable}
                set parameter-value-check {enable | disable}
                set redundant-header-check {enable | disable}
                set source-ip-status {enable | disable}
                set source-ip "<ip_range>"
                set url-param-name-check {enable | disable}
                set url-param-value-check {enable | disable}
                set duplicate-parameter-check {enable | disable}
                set null-byte-in-url-check {enable | disable}
                set Illegal-byte-in-url-check {enable | disable}
                set web-socket-protocol-check {enable | disable}
                set odd-and-even-space-attack-check {enable | disable}
                set rpc-protocol-check {enable | disable}
            next
            move "<source-exception_id>" to {before | after | up | down} "<destination-exception_id>"
        end
    next
end

"<http-exception_name>"
    Enter the name of a new or existing HTTP protocol constraint exception. The maximum length is 63 characters.
    To display the list of existing exceptions, enter:
    edit ?
    Default: No default

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default

request-file "<url_pattern>"
    Enter either:
    - The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
    - A regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.
    Do not include the name of the web host, such as www.example.com, which is configured separately in host. The maximum length is 256 characters.
    Default: No default

request-type {plain | regular}
    Enter either plain or regular (for a regular expression) to match the string entered in request-file "<url_pattern>" on page 481.
    Default: No default

host-status {enable | disable}
    Enable to apply this exception only to HTTP requests for specific web hosts. Also configure host, as shown in the example for this command.
    Disable to match the exception based upon the other criteria, such as the URL, but regardless of the Host: field.
    Default: disable

block-malformed-request {enable | disable}
    Enable to omit the constraint on syntax and FortiWeb parsing errors.
    Caution: Some web applications require abnormal or very large HTTP POST requests. Since allowing such errors and excesses is generally bad practice and can lead to vulnerabilities, use this option to omit the malformed request scan only if absolutely necessary.

Illegal-content-length-check {enable | disable}
    Enable to omit the constraint on the maximum acceptable size in bytes of the request body.
    Default: disable

Illegal-content-type-check {enable | disable}
    Enable to omit the constraint on whether the Content-Type: value uses the format <type>/<subtype>.
    Default: disable

Illegal-header-name-check {enable | disable}
    Enable to omit the constraint on whether the HTTP header name contains illegal characters.
    Default: disable

Illegal-header-value-check {enable | disable}
    Enable to omit the constraint on whether the HTTP header value contains illegal characters.
    Default: disable

Illegal-host-name-check {enable | disable}
    Enable to omit the constraint on host names with illegal characters.
    Default: disable

Illegal-http-request-method-check {enable | disable}
    Enable to omit the constraint on illegal HTTP request methods.
    Default: disable

Illegal-responese-code-check {enable | disable}
    Enable to omit the constraint on whether the HTTP response code is a 3-digit number.
    Default: disable

Internal-resource-limits-check {enable | disable}
    Enable to omit the constraint on the maximum number of limits allowed by the HTTP parser.
    Default: disable

max-cookie-in-request {enable | disable}
    Enable to omit the constraint on the maximum number of cookies per request.
    Default: disable

max-header-line-request {enable | disable}
    Enable to omit the constraint on the maximum number of HTTP header lines.
    Default: disable

max-http-body-length {enable | disable}
    Enable to omit the constraint on the maximum HTTP body length.
    Default: disable

max-http-body-parameter-length {enable | disable}
    Enable to omit the constraint on the maximum acceptable size in bytes of all parameters in the HTTP body of HTTP POST requests.
    Default: disable

max-http-content-length {enable | disable}
    Enable to omit the constraint on the maximum HTTP content length.
    Default: disable

max-http-header-length {enable | disable}
    Enable to omit the constraint on the maximum HTTP header length.
    Default: disable

max-http-header-line-length {enable | disable}
    Enable to omit the constraint on the maximum HTTP header line length.
    Default: disable

max-http-header-name-length {enable | disable}
    Enable to omit the constraint on the maximum acceptable size in bytes of a single HTTP header name.
    Default: disable

max-http-header-value-length {enable | disable}
    Enable to omit the constraint on the maximum acceptable size in bytes of a single HTTP header value.
    Default: disable

max-http-request-filename-length {enable | disable}
    Enable to omit the constraint on the maximum HTTP request filename length.
    Default: disable

max-http-parameter-length {enable | disable}
    Enable to omit the constraint on the maximum HTTP parameter length.
    Default: disable

max-http-request-length {enable | disable}
    Enable to omit the constraint on the maximum HTTP request length.
    Default: disable

max-url-param-name-len {enable | disable}
    Enable to omit the constraint on the maximum acceptable length in bytes of the parameter name.
    Default: disable

max-url-param-value-len {enable | disable}
    Enable to omit the constraint on the maximum acceptable length in bytes of the parameter value.
    Default: disable

max-url-parameter {enable | disable}
    Enable to omit the constraint on the maximum number of parameters in the URL.
    Default: disable

max-url-parameter-length {enable | disable}
    Enable to omit the constraint on the maximum length of parameters in the URL.
    Default: disable

number-of-ranges-in-range-header {enable | disable}
    Enable to omit the constraint on the maximum acceptable number of Range: fields of an HTTP header.
    Default: disable

parameter-name-check {enable | disable}
    Enable to omit the constraint on null characters in parameter names.
    Default: disable

parameter-value-check {enable | disable}
    Enable to omit the constraint on null characters in parameter values.
    Default: disable

Post-request-ctype-check {enable | disable}
    Enable to omit the constraint on whether the Content-Type: header is available.
    Default: disable

redundant-header-check {enable | disable}
    Enable to omit the constraint on redundant instances of the Content-Length, Content-Type and Host header fields.
    Default: disable

source-ip-status {enable | disable}
    Enable to check requests for matching the HTTP constraint exceptions rule by their source IP addresses.
    Default: disable

source-ip "<ip_range>"
    Enter the source IP of the protected requests to which this exception applies. Only a single IPv4/IPv6 address, or an IPv4/IPv6 range, is acceptable.
    For example:
    - 1.2.3.4
    - 2001::1
    - 1.2.3.4-1.2.3.40
    - 2001::1-2001::100
    Available only when source-ip-status {enable | disable} on page 484 is enable.
    Default: No default.

url-param-name-check {enable | disable}
    Enable to omit the constraint on illegal characters in the parameter name.
    Default: disable

url-param-value-check {enable | disable}
    Enable to omit the constraint on illegal characters in the parameter value.
    Default: disable

duplicate-parameter-check {enable | disable}
    Enable to omit the constraint on duplicate parameter names.
    Default: disable

null-byte-in-url-check {enable | disable}
    Enable to omit the constraint on null bytes in the URL.
    Default: disable

Illegal-byte-in-url-check {enable | disable}
    Enable to omit the constraint on illegal bytes in the URL.
    Default: disable

web-socket-protocol-check {enable | disable}
    Enable to omit detecting traffic that uses the WebSocket TCP-based protocol.
    Default: disable

odd-and-even-space-attack-check {enable | disable}
    Enable to omit the constraint on detecting Odd and Even Space Attack.
    Default: disable

rpc-protocol-check {enable | disable}
    Enable to omit detecting traffic that uses the RPC protocol.
    Default: disable

http2-max-requests <int>
    Specifies the maximum acceptable number of requests in an HTTP/2 connection.
    Default: 1000

move "<source-exception_id>" to {before | after | up | down} "<destination-exception_id>"
    Adjust the priority of the exception entries.
    Default: No default

Example

This example omits the header length limit for HTTP requests to www.example.com, and the body length limit for HTTP requests to 192.0.2.1, in both cases only for /login.asp.
config waf http-constraints-exceptions
    edit "exception1"
        config http_constraints-exception-list
            edit 1
                set host "www.example.com"
                set host-status enable
                set max-http-header-length enable
                set request-file "/login.asp"
            next
            edit 2
                set host "192.0.2.1"
                set host-status enable
                set max-http-body-length enable
                set request-file "/login.asp"
            next
        end
    next
end
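
Added example (not from the FortiWeb documentation) that models how an exception entry is matched against a request: plain versus regular request-file, host-status, and the single-address or range forms documented for source-ip, including IPv6. The two entries are those of the example above; the third entry, the client addresses and the first-match ordering are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class ExceptionEntry:
    """One entry of http_constraints-exception-list, in the CLI's own terms."""
    request_file: str
    request_type: str = "plain"          # plain | regular
    host: Optional[str] = None
    host_status: bool = False
    source_ip: Optional[str] = None      # single address or "<low>-<high>" range
    source_ip_status: bool = False
    omitted_checks: Set[str] = field(default_factory=set)  # checks set to enable


def source_ip_matches(spec: str, client_ip: str) -> bool:
    """Accept the forms the source-ip setting documents: 1.2.3.4, 2001::1,
    1.2.3.4-1.2.3.40 and 2001::1-2001::100."""
    addr = ipaddress.ip_address(client_ip)
    low_s, sep, high_s = spec.partition("-")
    low = ipaddress.ip_address(low_s.strip())
    high = ipaddress.ip_address(high_s.strip()) if sep else low
    if not (addr.version == low.version == high.version):
        return False  # an IPv4 client never falls inside an IPv6 range
    return low <= addr <= high


def url_matches(entry: ExceptionEntry, url: str) -> bool:
    if entry.request_type == "plain":
        return url == entry.request_file
    # Assumption: "regular" is evaluated as an unanchored regex search.
    return re.search(entry.request_file, url) is not None


def entry_matches(entry: ExceptionEntry, host: str, url: str, client_ip: str) -> bool:
    if entry.host_status and host != entry.host:
        return False
    if entry.source_ip_status and not source_ip_matches(entry.source_ip, client_ip):
        return False
    return url_matches(entry, url)


def omitted_constraints(entries, host: str, url: str, client_ip: str) -> Set[str]:
    """Constraints that would be skipped for this request.

    Assumption: entries are tried in list order (the order that "move"
    adjusts) and the first match decides; with no match every constraint
    in the protocol constraint policy still applies."""
    for entry in entries:
        if entry_matches(entry, host, url, client_ip):
            return set(entry.omitted_checks)
    return set()


# Entries 1 and 2 of "exception1" above, plus a constructed third entry that
# uses a regular expression and an IPv6 source range.
EXCEPTION1 = [
    ExceptionEntry("/login.asp", "plain", host="www.example.com", host_status=True,
                   omitted_checks={"max-http-header-length"}),
    ExceptionEntry("/login.asp", "plain", host="192.0.2.1", host_status=True,
                   omitted_checks={"max-http-body-length"}),
    ExceptionEntry(r"^/api/.*\.php$", "regular",
                   source_ip="2001:db8::1-2001:db8::ff", source_ip_status=True,
                   omitted_checks={"max-url-parameter"}),
]

if __name__ == "__main__":
    for host, url, ip in [("www.example.com", "/login.asp", "198.51.100.20"),
                          ("www.example.com", "/index.php", "198.51.100.20"),
                          ("www.example.com", "/api/v1/user.php", "2001:db8::10")]:
        print(host, url, ip, "->", omitted_constraints(EXCEPTION1, host, url, ip))
```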

Related topics

- waf web-protection-profile inline-protection on page 636
- waf web-protection-profile offline-protection on page 645
- log trigger-policy on page 93
- waf http-protocol-parameter-restriction on page 488

waf http-header-security

Use this command to insert special HTTP response headers to protect clients from certain attacks, including XSS, clickjacking, and MIME sniffing attacks. The special HTTP response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.
For more information on HTTP Header Security, see the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions on page 46.

Syntax
config waf http-header-security
    edit "<http-header-security_name>"
        set request-status {enable | disable}
        set request-type {plain | regular}
        set request-file "<request-file_str>"
        config http-header-security-list
            edit <entry-index_int>
                set name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy}
                set value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}
                set allow-from-source "<allow-from_str>"
            next
        end
    next
end

"<http-header-security_name>"
    Enter the name of an HTTP header security policy. The maximum length is 63 characters.
    Default: No default.

request-status {enable | disable}
    Enable to set a URL Filter.
    Default: disable

request-type {plain | regular}
    Defines the Request URL Type as a simple string (plain) or a regular expression (regular) for the URL Filter.
    Available only if request-status {enable | disable} on page 486 is set to enable.
    Default: No default.

request-file "<request-file_str>"
    Sets the Request URL for the URL Filter.
    Available only if request-status {enable | disable} on page 486 is set to enable.
    Default: No default.

<entry-index_int>
    Creates or edits a Secure Header Rule in the selected HTTP Header Security Policy.
    Default: No default.

name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy}
    Defines the Secure Header Type in the Secure Header Rule. The following options are available:
    - x-frame-options—Prevents browsers from Clickjacking attacks by providing appropriate restrictions on displaying pages in frames.
    - x-content-type-options—Prevents browsers from MIME content-sniffing attacks by disabling the browser's MIME sniffing function.
    - x-xss-protection—Enables a browser's built-in Cross-site scripting (XSS) protection.
    - content-security-policy—FortiWeb adds the Content-Security-Policy HTTP header to a web page, allowing you to specify restrictions on resource types and sources. This prevents certain types of attacks, including XSS and data injection attacks.
    - feature-policy—Provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document. For example: fullscreen 'self' https://game.com https://map.example.com; geolocation *; camera 'none'
    - referrer-policy—Controls how much referrer information (sent via the Referer header) should be included with requests. The value of Referrer-Policy can be "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", or "unsafe-url".
    Default: No default.

value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}
    Defines the response according to the defined Secure Header Type.
    The x-frame-options header can be implemented with one of the following options:
    - deny—The browser will not allow any frame to be displayed.
    - sameorigin—The browser will not allow a frame to be displayed unless the page of the frame originated from the same site.
    - allow-from—The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain.
    The x-content-type-options header can be implemented with one option:
    - nosniff—The browser will not guess any content type that is not explicitly specified when downloading extensions.
    The x-xss-protection header can be implemented with one of the following options:
    - sanitizing-mode—The browser will sanitize the malicious scripts when an XSS attack is detected.
    - block-mode—The browser will block the page when an XSS attack is detected.
    Default: No default.

allow-from-source "<allow-from_str>"
    Sets the specified domain if the name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy} on page 486 is x-frame-options and the Header Value is set to allow-from.
    Default: No default.

Example

This example creates an HTTP header security policy.

config waf http-header-security
    edit HTTP_header_security1
        set request-status enable
        set request-type plain
        set request-file "/bWAPP/clickjacking.php"
        config http-header-security-list
            edit 1
                set name x-content-type-options
                set value nosniff
            next
            edit 2
                set name x-frame-options
                set value deny
            next
            edit 3
                set name x-xss-protection
                set value block-mode
            next
        end
    next
end
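
Added example (not from the FortiWeb documentation): an offline audit of whether a response carries the headers the policy above should insert, honouring the policy's URL filter. The mapping from CLI value keywords to header values (for instance block-mode to "1; mode=block") and the two sample responses are assumptions made for this example.

```python
import re
from typing import Dict, List

# The URL filter and the three Secure Header Rules from the example above.
POLICY = {
    "request-status": True,
    "request-type": "plain",
    "request-file": "/bWAPP/clickjacking.php",
    "rules": [
        ("x-content-type-options", "nosniff"),
        ("x-frame-options", "deny"),
        ("x-xss-protection", "block-mode"),
    ],
}

# Assumed mapping from the CLI value keywords to the header values browsers
# understand; allow-from additionally needs allow-from-source.
HEADER_VALUES = {
    ("x-content-type-options", "nosniff"): "nosniff",
    ("x-frame-options", "deny"): "DENY",
    ("x-frame-options", "sameorigin"): "SAMEORIGIN",
    ("x-xss-protection", "sanitizing-mode"): "1",
    ("x-xss-protection", "block-mode"): "1; mode=block",
}


def expected_headers(policy: dict, allow_from_source: str = "") -> Dict[str, str]:
    """Translate the policy's rules into the response headers that should be present."""
    expected = {}
    for name, value in policy["rules"]:
        if (name, value) == ("x-frame-options", "allow-from"):
            expected[name] = f"ALLOW-FROM {allow_from_source}"
        else:
            expected[name] = HEADER_VALUES[(name, value)]
    return expected


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Lower-cased header name -> value, from a raw HTTP/1.1 response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def url_filter_applies(policy: dict, request_path: str) -> bool:
    """request-status off means every response is covered; otherwise the
    request-file must match as plain string or (assumed unanchored) regex."""
    if not policy["request-status"]:
        return True
    if policy["request-type"] == "plain":
        return request_path == policy["request-file"]
    return re.search(policy["request-file"], request_path) is not None


def audit(policy: dict, request_path: str, raw_response: str,
          allow_from_source: str = "") -> List[str]:
    """Findings for one response: headers missing or different from the policy."""
    if not url_filter_applies(policy, request_path):
        return []
    got = parse_response_headers(raw_response)
    findings = []
    for name, want in expected_headers(policy, allow_from_source).items():
        have = got.get(name)
        if have is None:
            findings.append(f"missing {name} (expected {want!r})")
        elif have.lower() != want.lower():
            findings.append(f"{name}: got {have!r}, expected {want!r}")
    return findings


# Constructed sample responses: one as FortiWeb should emit it, one from a
# server whose policy is not being applied.
GOOD_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "X-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n"
                 "X-XSS-Protection: 1; mode=block\r\n\r\n<html></html>")
BAD_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "X-XSS-Protection: 0\r\n\r\n<html></html>")

if __name__ == "__main__":
    print(audit(POLICY, "/bWAPP/clickjacking.php", GOOD_RESPONSE))  # []
    for finding in audit(POLICY, "/bWAPP/clickjacking.php", BAD_RESPONSE):
        print(finding)
```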

waf http-protocol-parameter-restriction

Use this command to configure HTTP protocol constraints.

HTTP constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the content payload.
Use protocol constraints to prevent attacks such as buffer overflows in web servers that do not restrict elements of the HTTP protocol to acceptable lengths, or mishandle malformed requests. Such errors can lead to security vulnerabilities.

You can also use protocol constraints to block requests that are too large for the memory size you have configured for FortiWeb’s scan buffers. If your web applications do not require large HTTP POST requests, enable waf http-protocol-parameter-restriction on page 488 to harden your configuration. To configure the buffer size, see system advanced on page 217.

You can configure each protocol parameter independently with a threat weight, action, severity, and trigger that determines how an attack on that parameter is handled. For example, you can set the action for header constraints to alert, the severity to high, and a trigger set to deliver an email each time FortiWeb detects a violation of these protocol parameters.
To apply HTTP protocol constraints, select them in an inline or Offline Protection profile. For details, see waf web-protection-profile inline-protection on page 636 and waf web-protection-profile offline-protection on page 645.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf http-protocol-parameter-restriction
    edit "<http-constraint_name>"
        set <constraint_name>-check {enable | disable}
        set <constraint_name>-action {alert | alert_deny | block-period | deny_no_log}
        set <constraint_name>-block-period <seconds_int>
        set <parameter_name>-threat-weight {low | critical | informational | moderate | substantial | severe}
        set <constraint_name>-severity {High | Medium | Low | Info}
        set <constraint_name>-trigger "<trigger-policy_name>"
    next
end

"<http-constraint_name>"
    Enter the name of a new or existing HTTP protocol constraint. The maximum length is 63 characters.
    To display the list of existing constraints, enter:
    edit ?
    Default: No default.

<constraint_name>-check {enable | disable}
    Specify whether FortiWeb includes the specified constraint when it applies this set of constraints.

<constraint_name>-action {alert | alert_deny | block-period | deny_no_log}
    Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the rules:
    - alert—Accept the request and generate an alert email and/or log message.
    - alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    - deny_no_log—Deny a request. Do not generate a log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see "system replacemsg" on page 1.
    - block-period—Block subsequent requests from the client for a number of seconds. Also configure <constraint_name>-block-period <seconds_int> on page 491.
      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see waf x-forwarded-for on page 659). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.
    Caution: This setting is ignored when the value of monitor-mode {enable | disable} on page 152 is enable.
    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk on page 66 and log alertMail on page 60.
    Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see "waf web-protection-profile autolearning-profile" on page 1.
    Note: This is not a single setting. Configure the action setting for each violation type. The number of action settings equals the number of violation types. For example, for maximum HTTP header length violations, you might type the accompanying setting:
    set max-http-header-length-action alert
    Note: Available actions vary depending on operating mode and protocol parameter.
    Default: alert

<constraint_name>-severity {High | Medium | Low | Info}
    Select the severity level to use in logs and reports generated when a violation of the rule occurs.
    Note: This is not a single setting. Configure the severity setting for each violation type. The number of severity settings equals the number of violation types. For example, for maximum HTTP header length violations, you might type the accompanying setting:
    set max-http-header-length-severity High
    Default: Medium

<constraint_name>-trigger "<trigger-policy_name>"
    Enter the name of the trigger to apply when this rule is violated (see log trigger-policy on page 93). The maximum length is 63 characters.
    To display the list of existing trigger policies, enter:
    set trigger ?
    Note: This is not a single setting. Configure the trigger setting for each violation type. The number of trigger settings equals the number of violation types. For example, for maximum HTTP header length violations, you might type the accompanying setting:
    set max-http-header-length-trigger trigger-policy1
    Default: No default.

<constraint_name>-block-period <seconds_int>
    If action is block-period, type the number of seconds that the connection will be blocked.
    Default: 600

<parameter_name>-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for an event when FortiWeb detects a violation of a parameter restriction rule. For details, see the FortiWeb Administration Guide: https://docs.fortinet.com/fortiweb/admin-guides.
    Default: No default.


Example

This example limits the total size of the HTTP header, including all lines, to 2,048 bytes. If the HTTP header length exceeds 2,048 bytes, the FortiWeb appliance takes an action to create a log message (alert), identifying the violation as medium severity, and sends an email to the administrators defined within the trigger policy email-admin.
config waf http-protocol-parameter-restriction
    edit "HTTP-constraint1"
        set max-http-header-length 2048
        set max-http-header-length-action alert
        set max-http-header-length-severity Medium
        set max-http-header-length-trigger email-admin
    next
end

Related topics

- waf web-protection-profile inline-protection on page 636
- waf web-protection-profile offline-protection on page 645
- log trigger-policy on page 93
- server-policy custom-application application-policy on page 1
- debug application http on page 1
- debug flow trace on page 694

waf http-request-flood-prevention-rule

Use this command to limit the maximum number of HTTP requests per second coming from any client to a specific URL on one of your protected servers.
The FortiWeb appliance tracks the requests using a session cookie. If the count exceeds the request limit, FortiWeb performs the specified action.
To apply this rule, include it in an application-layer DoS-prevention policy. This feature is effective only when client-management {enable | disable} on page 638 is enabled in the inline protection profile that uses the parent DoS-prevention policy.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf http-request-flood-prevention-rule
edit "<rule_name>"
set access-limit-in-http-session <limit_int>
set action {alert | alert_deny | block-period | deny_no_log}
set bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}
set recaptcha <recaptcha_server_name>
set max-attempt-times <attempts_int>
set validation-timeout <seconds_int>
set block-period <seconds_int>
set severity {High | Medium | Low | Info}
set trigger-policy "<trigger-policy_name>"
set mobile-app-identification {disabled | mobile-token-validation}
set bot-confirmation {enable | disable}
next
end

"<rule_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

access-limit-in-http-session <limit_int>
    Enter the maximum number of HTTP requests allowed per second from the same client, as identified by its session cookie. The valid range is 0–4,096. To disable the limit, enter 0.
    Default: 0

action {alert | alert_deny | block-period | deny_no_log}
    Select one of the following actions that the FortiWeb appliance will perform when the count exceeds the limit:
    l alert—Accept the request and generate an alert email and/or log message.
    l alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see "system replacemsg" on page 1.
    l block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int> on page 494.
      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client's IP (see waf x-forwarded-for on page 659). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.
    l deny_no_log—Deny the request. Do not generate a log message.
    Caution: This setting will be ignored if monitor-mode {enable | disable} on page 152 is enabled.
    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk on page 66 and log alertMail on page 60.
    Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see "waf web-protection-profile autolearning-profile" on page 1.
    Default: alert

bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}
    Select how FortiWeb verifies a client that exceeds the rate limit: with a CAPTCHA challenge (captcha-enforcement), with a reCAPTCHA server (recaptcha-enforcement), or by returning a JavaScript test that checks whether the client is a web browser or an automated tool (real-browser-enforcement).
    If the client either fails the test or does not return results before the timeout specified by validation-timeout <seconds_int> on page 494, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to exceed the rate limit.
    Select disable to apply the rate limit regardless of whether the client is a web browser (for example, Firefox) or an automated tool (for example, wget).
    Default: disable

recaptcha <recaptcha_server_name>
    Enter the reCAPTCHA server you have created through user recaptcha-user.
    Default: No default.

max-attempt-times <attempts_int>
    If bot-recognition is captcha-enforcement, enter the maximum number of times a client may attempt to solve the CAPTCHA challenge. The valid range is 1–5.
    Available only when captcha-enforcement is selected for bot-recognition.
    Default: 3

validation-timeout <seconds_int>
    Specify the maximum amount of time (in seconds) that FortiWeb waits for results from the client for Real Browser Enforcement. The valid range is 5–30.
    Default: 20

block-period <seconds_int>
    Enter the number of seconds that the connection will be blocked. This setting applies only if action is block-period. The valid range is 1–10,000 seconds.
    Default: 600

severity {High | Medium | Low | Info}
    Select the severity level to use in logs and reports generated when a violation of the rule occurs.
    Default: Medium

trigger-policy "<trigger-policy_name>"
    Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy on page 93. The maximum length is 63 characters.
    To display the list of existing trigger policies, enter:
    set trigger-policy ?
    Default: No default.

mobile-app-identification {disabled | mobile-token-validation}
    disabled—Do not perform mobile token verification.
    mobile-token-validation—Require the client to present a mobile token for verification.
    To apply mobile token validation, you must enable Mobile App Identification in waf web-protection-profile inline-protection on page 636.
    Default: disabled

bot-confirmation {enable | disable}
    Enable to verify clients, rather than applying the action outright, when the bot detection rules are triggered.
    Default: disable

Example

This example illustrates a rule that limits each client (identified by its session cookie) to 10 requests per second and imposes a two-minute blocking period on clients that exceed that limit.
config waf http-request-flood-prevention-rule
edit "Web Portal HTTP Request Limit"
set access-limit-in-http-session 10
set action block-period
set block-period 120
set severity Medium
set trigger-policy "Server_Policy_Trigger"
next
end
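The per-session counting and block period described above, as an added example that is not FortiWeb's own code: a Python simulation that attributes requests to a client by session cookie, counts them over a sliding one-second window, and blocks the client for block-period seconds once the count exceeds access-limit-in-http-session. The traffic, the cookie values, and the reading of the per-second limit as "more than the limit within any one second" are assumptions; bot-recognition challenges are not modelled.

```python
from collections import defaultdict, deque


class RequestFloodRule:
    """Models one http-request-flood-prevention-rule with action block-period.

    limit is requests per second per session cookie (0 disables the check);
    block_period is how many seconds a violating client stays blocked.
    The ranges enforced here are the ones the reference documents.
    """

    def __init__(self, access_limit_per_sec, block_period):
        if not 0 <= access_limit_per_sec <= 4096:
            raise ValueError("access-limit-in-http-session must be 0-4096")
        if not 1 <= block_period <= 10000:
            raise ValueError("block-period must be 1-10,000 seconds")
        self.limit = access_limit_per_sec
        self.block_period = block_period
        self._window = defaultdict(deque)  # cookie -> request times in the last second
        self._blocked_until = {}           # cookie -> time at which its block expires
        self.events = []                   # (time, cookie) for each logged violation

    def handle(self, t, cookie):
        """Decide one request at time t; returns 'allow' or 'block'."""
        if self.limit == 0:
            return "allow"
        until = self._blocked_until.get(cookie)
        if until is not None and t < until:
            return "block"                 # still inside the block period
        window = self._window[cookie]
        window.append(t)
        while t - window[0] >= 1.0:
            window.popleft()               # forget requests older than one second
        if len(window) > self.limit:
            # Limit exceeded: log once, then block this client for block_period seconds.
            self._blocked_until[cookie] = t + self.block_period
            self.events.append((t, cookie))
            window.clear()
            return "block"
        return "allow"


def simulate(rule, requests):
    """Apply the rule to (time, cookie) pairs in time order; returns the decisions."""
    return [rule.handle(t, c) for t, c in sorted(requests)]


# Constructed traffic: session A sends 12 requests inside one second, session B
# sends three spaced-out requests; A then retries during and after the block.
TRAFFIC = [(0.05 * i, "sess=A") for i in range(12)] + [
    (0.3, "sess=B"), (1.5, "sess=B"), (2.0, "sess=B"),
    (5.0, "sess=A"),    # inside the 120 s block period
    (125.0, "sess=A"),  # block period has expired
]


def run_example(limit=10, block_period=120):
    rule = RequestFloodRule(limit, block_period)
    return rule, simulate(rule, TRAFFIC)


if __name__ == "__main__":
    rule, decisions = run_example()
    for (t, cookie), verdict in zip(sorted(TRAFFIC), decisions):
        print(f"t={t:7.2f} {cookie}: {verdict}")
    print("violations logged:", rule.events)
```

Running it shows session A's eleventh request inside one second tripping the rule, its retry at five seconds rejected without being counted again, and its request after 120 seconds accepted. Because the counter is keyed by session cookie, a client that presents a fresh cookie on every request never accumulates a count in this model, which is why the reference requires client-management to be enabled in the profile that uses the rule.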

Related topics

l log trigger-policy on page 93


l waf application-layer-dos-prevention on page 400


waf input-rule

Use this command to configure input rules.

Input rules define whether or not parameters are required, and set their maximum allowed length, for HTTP requests matching the host and URL defined in the input rule.
Each input rule contains one or more individual rules. This enables you to define, within one input rule, all parameter restrictions that apply to HTTP requests matching that URL and host name.
For example, one web page might have multiple inputs: a user name, password, and a preference for whether or not to remember the login. Within the input rule for that web page, you could define separate rules for each parameter in the HTTP request: one rule for the user name parameter, one rule for the password parameter, and one rule for the preference parameter.
To apply input rules, select them within a parameter validation rule. For details, see waf parameter-validation-rule on page 553.
Before you configure an input rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts on page 103.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf input-rule
edit "<input-rule_name>"
set action {alert | alert_deny | redirect | send_403_forbidden | block-period |
deny_no_log}
set block-period <seconds_int>
set host "<protected-host_name>"
set host-status {enable | disable}
set request-file "<url_str>"
set request-type {plain | regular}
set maximum-parameter-number <int>
set json-parameter-support {enable | disable}
set severity {High | Medium | Low | Info}
set trigger "<trigger-policy_name>"
config rule-list
edit <entry_index>
set type-checked {enable | disable}
set argument-type {custom-data-type | data-type | regular-expression}
set argument-name-type {plain | regular}
set argument-name "<input_name>"
set argument-expression "<regex_pattern>"
set custom-data-type "<custom-data-type_name>"
set data-type "<predefined_name>"
set is-essential {yes | no}
set max-length <limit_int>
set location {url | body}
set from-json {yes | no}
next
end
next
end

"<input-rule_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log}
    Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the input rules in the entry:
    l alert—Accept the request and generate an alert email and/or log message.
    l alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see "system replacemsg" on page 1.
    l block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int> on page 497.
    l redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" on page 643 and rdt-reason {enable | disable} on page 643.
    l send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.
    l deny_no_log—Deny the request. Do not generate a log message.
    Caution: This setting will be ignored if monitor-mode {enable | disable} on page 152 is enabled.
    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk on page 66 and log alertMail on page 60.
    Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see "waf web-protection-profile autolearning-profile" on page 1.
    Default: alert

block-period <seconds_int>
    Enter the number of seconds to block the source IP. The valid range is 1–3,600 seconds.
    This setting applies only if action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log} on page 497 is block-period.
    Default: 600


host "<protected-host_name>"
    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 256 characters.
    This setting applies only if host-status {enable | disable} on page 498 is enable.
    Default: No default.

host-status {enable | disable}
    Enable to apply this input rule only to HTTP requests for specific web hosts. Also configure host "<protected-host_name>" on page 498.
    Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.
    Default: disable

request-file "<url_str>"
    Depending on your selection in request-type {plain | regular} on page 498, enter either:
    l The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
    l A regular expression, such as ^/.*\.php, matching all and only the URLs to which the input rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.
    Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-host_name>" on page 498. The maximum length is 256 characters.
    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide: https://docs.fortinet.com/fortiweb/admin-guides
    Default: No default.

request-type {plain | regular}
    Select whether request-file "<url_str>" on page 498 will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular).
    Default: plain

maximum-parameter-number <int>
    Limit the maximum number of parameters in a request. The valid range is 0–1,024. When the value is 0, FortiWeb does not check the number of parameters.
    Default: 0

json-parameter-support {enable | disable}
    Enable to also check parameters carried in JSON. The JSON data can be in the URL or in the body.
    If enabled, the maximum-parameter-number count includes JSON parameters.
    Default: disable

severity {High | Medium | Low | Info}
    Select the severity level to use in logs and reports generated when a violation of the rule occurs.
    Default: Low


trigger "<trigger-policy_name>"
    Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy on page 93. The maximum length is 63 characters.
    To display the list of existing trigger policies, enter:
    set trigger ?
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

is-essential {yes | no}
    Select yes if the parameter is required for HTTP requests to this combination of Host: field and URL. Otherwise, select no.
    Default: no

max-length <limit_int>
    Enter the maximum allowed length of the parameter value. The valid range is 0–1,024. To disable the limit, enter 0.
    Default: 0

location {url | body}
    Specify where this parameter comes from. The parameter is checked only when it comes from the selected location. You can select both url and body, for example:
    set location url body
    Default: url body

from-json {yes | no}
    Specify whether this parameter comes from JSON. You must also enable json-parameter-support for this option to function.
    Default: no

type-checked {enable | disable}
    Enable to use predefined or configured data types when validating parameters. Also configure argument-type {custom-data-type | data-type | regular-expression} on page 499.
    Disable to ignore the data-type and custom-data-type settings.
    Default: disable

argument-type {custom-data-type | data-type | regular-expression}
    Specify how the parameter value is validated: against a custom data type (custom-data-type), against a predefined data type (data-type), or against the regular expression entered in argument-expression (regular-expression).
    Default: data-type

argument-name-type {plain | regular}
    Specify one of the following options:
    l plain—argument-name is the name attribute of the parameter's input tag exactly as it appears in the form on the web page.
    l regular—argument-name is a regular expression designed to match the name attribute of the parameter's input tag.
    Default: plain

argument-name "<input_name>"
    If argument-name-type {plain | regular} on page 499 is plain, specify the name of the input as it appears in the HTTP content, such as username. The maximum length is 63 characters.
    If argument-name-type is regular, specify a regular expression designed to match the name attribute of the parameter's input tag.
    Default: No default.

argument-expression "<regex_pattern>"
    Enter a regular expression that matches all valid values, and no invalid values, for this input. The maximum length is 2,071 characters.
    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported.
    Default: No default.

custom-data-type "<custom-data-type_name>"
    Enter the name of a custom data type, if any. The maximum length is 63 characters.
    To display the list of custom data types, enter:
    set custom-data-type ?
    This setting applies only if type-checked {enable | disable} on page 499 is enable.
    Default: No default.

data-type "<predefined_name>"
    Select one of the predefined data types, if the input matches one of them (available options vary by FortiGuard updates).
    To display available options, enter:
    set data-type ?
    For match descriptions of each option, see "server-policy pattern data-type-group" on page 1.
    This setting is used only if type-checked is enable and argument-type {custom-data-type | data-type | regular-expression} on page 499 is data-type; argument-type determines which of data-type, custom-data-type, and argument-expression is applied to the parameter.
    Default: No default.

Example

This example blocks and logs requests for the file named login.php that do not include a user name and password, both of which are required, or whose user name and password exceed the 64-character limit. The user name must also match the predefined Email data type; type-checked is enabled on each entry so that the data-type setting takes effect.
config waf input-rule
edit "input_rule1"
set action alert_deny
set request-file "^/login\.php"
set request-type regular
config rule-list
edit 1
set argument-name "username"
set type-checked enable
set argument-type data-type
set data-type Email
set is-essential yes
set max-length 64
next
edit 2
set argument-name "password"
set type-checked enable
set argument-type data-type
set data-type String
set is-essential yes
set max-length 64
next
end
next
end
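Evaluating a request against an input rule, as an added example that is not FortiWeb's own code: a Python function that applies the checks documented above (is-essential, max-length, type-checked with a predefined data type or a regular expression, location, from-json, and maximum-parameter-number together with json-parameter-support) to a constructed HTTP request. The request contents, the rule dictionaries, and the simplified patterns standing in for the predefined Email, String, and Integer data types are assumptions; FortiGuard's real data-type definitions are not on this page.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Simplified stand-ins for predefined data types (assumptions; FortiGuard's
# real definitions are not on this page).
DATA_TYPES = {
    "Email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "String": re.compile(r"^[^\x00-\x1f]*$"),
    "Integer": re.compile(r"^-?\d+$"),
}


def extract_params(url, body, content_type, json_support):
    """Return (name, value, location, from_json) for every request parameter."""
    params = [(n, v, "url", False)
              for n, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    if content_type.startswith("application/x-www-form-urlencoded"):
        params += [(n, v, "body", False)
                   for n, v in parse_qsl(body, keep_blank_values=True)]
    elif json_support and content_type.startswith("application/json"):
        try:
            obj = json.loads(body or "{}")
        except json.JSONDecodeError:
            obj = {}
        if isinstance(obj, dict):  # top-level JSON members count as parameters
            params += [(n, v if isinstance(v, str) else json.dumps(v), "body", True)
                       for n, v in obj.items()]
    return params


def evaluate(rule, url, body="", content_type="application/x-www-form-urlencoded"):
    """Return the violations a request raises under rule; [] means it passes."""
    if not re.search(rule["request_file"], urlsplit(url).path):
        return []  # the rule applies to other URLs only
    json_support = rule.get("json_parameter_support", False)
    params = extract_params(url, body, content_type, json_support)
    violations = []
    max_num = rule.get("maximum_parameter_number", 0)  # 0 disables the count check
    if max_num and len(params) > max_num:
        violations.append(f"parameter count {len(params)} exceeds {max_num}")
    for entry in rule["rule_list"]:
        if entry.get("name_type", "plain") == "regular":
            name_ok = lambda n, p=re.compile(entry["name"]): p.search(n) is not None
        else:
            name_ok = lambda n, want=entry["name"]: n == want
        want_json = entry.get("from_json", False) and json_support  # from-json needs support on
        matched = [p for p in params if name_ok(p[0])
                   and p[2] in entry.get("location", ("url", "body")) and p[3] == want_json]
        if entry.get("is_essential", False) and not matched:
            violations.append(f"required parameter {entry['name']} missing")
        for name, value, _, _ in matched:
            limit = entry.get("max_length", 0)  # 0 disables the length limit
            if limit and len(value) > limit:
                violations.append(f"{name}: length {len(value)} exceeds {limit}")
            if not entry.get("type_checked", False):
                continue  # data-type and custom-data-type settings are ignored
            if entry.get("argument_type", "data-type") == "regular-expression":
                value_re, label = re.compile(entry["argument_expression"]), "expression"
            else:
                value_re, label = DATA_TYPES[entry["data_type"]], entry["data_type"]
            if not value_re.match(value):
                violations.append(f"{name}: value does not match {label}")
    return violations


# Constructed rule mirroring input_rule1: username is an Email, password a
# String, both required and at most 64 characters, at most 4 parameters.
LOGIN_RULE = {
    "request_file": r"^/login\.php",
    "maximum_parameter_number": 4,
    "rule_list": [
        {"name": "username", "type_checked": True, "argument_type": "data-type",
         "data_type": "Email", "is_essential": True, "max_length": 64},
        {"name": "password", "type_checked": True, "argument_type": "data-type",
         "data_type": "String", "is_essential": True, "max_length": 64},
    ],
}

# Constructed JSON variant: json-parameter-support on, id must be an Integer from JSON.
API_RULE = {
    "request_file": r"^/api/", "json_parameter_support": True, "maximum_parameter_number": 2,
    "rule_list": [{"name": "id", "from_json": True, "location": ("body",),
                   "type_checked": True, "data_type": "Integer", "is_essential": True}],
}

if __name__ == "__main__":
    print(evaluate(LOGIN_RULE, "/login.php", "username=bob&password=" + "x" * 65))
    print(evaluate(API_RULE, "/api/item", '{"id": "abc"}', "application/json"))
```

The API rule shows the from-json dependency: with json-parameter-support enabled, a required parameter that arrives as a form field instead of a JSON member is reported as missing, and the JSON members count towards maximum-parameter-number.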

Related topics

l server-policy allow-hosts on page 103


l waf parameter-validation-rule on page 553

waf ip-intelligence

Use this command to configure reputation-based source IP blacklisting.

Clients with suspicious behaviors or poor reputations include spammers, phishers, botnets, and anonymizing proxy users. If you have purchased a subscription for the FortiGuard IP Reputation service, your FortiWeb can periodically download an updated blacklist to keep your appliance current with changes in dynamic IPs, spreading virus infections, and spammers changing service providers.
IP intelligence settings apply globally, to all policies that use this feature.
Before or after using this command, use waf ip-intelligence-exception on page 504 to configure any exemptions that you want to apply. To apply IP reputation-based blocking, configure these category settings first, then enable ip-intelligence {enable | disable} on page 642 in the server policy's protection profile.
Alternatively, you can block sets of many clients based upon their geographical origin (see waf geo-block-list on page 465) or manually by specific IPs (see "server-policy custom-application application-policy" on page 1).
To use this command, your administrator account's access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf ip-intelligence
edit <entry_index>
set action {alert | alert_deny | redirect | send_403_forbidden | block-period |
deny_no_log}
set block-period <seconds_int>
set category "<category_name>"
set severity {Low | Medium | High | Info}
set status {enable | disable}
set trigger "<trigger-policy_name>"
set ignore-x-forwarded-for {enable | disable}
next
end


<entry_index>
    Enter the index number of the individual entry in the table.
    Default: No default.

action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log}
    Select one of the following actions that the FortiWeb appliance performs when a client's source IP matches the blacklist category:
    l alert—Accept the request and generate an alert email and/or log message.
    l alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see "system replacemsg" on page 1.
    l block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int> on page 502.
    l redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" on page 643 and rdt-reason {enable | disable} on page 643.
    l send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.
    l deny_no_log—Deny the request. Do not generate a log message.
    Caution: FortiWeb ignores this setting when monitor-mode {enable | disable} on page 152 is enabled.
    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk on page 66 and log alertMail on page 60.
    Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see "waf web-protection-profile autolearning-profile" on page 1.
    Default: block-period

block-period <seconds_int>
    Enter the number of seconds to block the source IP. The valid range is 1–3,600 seconds.
    This setting applies only if action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log} on page 502 is block-period.
    Default: 60


category "<category_name>"
    Enter the name of an existing IP intelligence category, such as "Anonymous Proxy" or Botnet. If the category name contains a space, you must surround the name in double quotes. The maximum length is 63 characters.
    Category names vary by the version number of your FortiGuard IRIS package.
    Default: No default.

status {enable | disable}
    Enable to block clients whose source IP belongs to this category according to the FortiGuard IRIS service.
    Default: enable

severity {Low | Medium | High | Info}
    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance uses when a blacklisted IP address attempts to connect to your web servers: Low, Medium, High, or Info.
    Default: Low

trigger "<trigger-policy_name>"
    Select which trigger, if any, the FortiWeb appliance uses when it logs and/or sends an alert email about a blacklisted IP address's attempt to connect to your web servers. For details, see log trigger-policy on page 93. The maximum length is 63 characters.
    To display the list of existing trigger policies, enter:
    set trigger ?
    Default: No default.

ignore-x-forwarded-for {enable | disable}
    By default, FortiWeb scans the IP addresses in the X-Forwarded-For header at the HTTP layer, which consumes more resources. To improve performance, enable this option so that only the source IP address of the TCP connection is scanned and HTTP packets are not processed for this check.
    Note: When FortiWeb sits behind a proxy or load balancer, the TCP source address is that device's address rather than the client's, so enabling this option makes the check apply to the proxy instead of the original client.
    Default: disable

Example

The following command blacklists clients whose source IPs are currently known by Fortinet to be members of a botnet. In the FortiGuard IRIS package for this example, "Botnet" is the first item in the list of categories.
When a botnet member makes a request, FortiWeb blocks the connection and continues to block it without re-evaluating it for the next 6 minutes (360 seconds). FortiWeb logs the event with a high severity level and sends notifications to the Syslog and email servers specified in notification-servers1.
config waf ip-intelligence
edit 1
set status enable
set category Botnet
set action block-period
set block-period 360
set severity High
set trigger "notification-servers1"
set ignore-x-forwarded-for disable
next
end

Related topics

l waf ip-intelligence-exception on page 504


l log trigger-policy on page 93
l waf web-protection-profile inline-protection on page 636
l waf web-protection-profile offline-protection on page 645
l waf geo-block-list on page 465
l server-policy custom-application application-policy on page 1
l debug flow trace on page 694

waf ip-intelligence-exception

Use this command to exempt IP addresses from reputation-based blocking. The settings apply globally, to all policies
that use this feature.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf ip-intelligence-exception
edit <entry_index>
set status {enable | disable}
set ip "<client_ipv4>"
next
end

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

status {enable | disable}
    Enable to exempt this client from IP reputation-based blocking.
    Default: disable

ip "<client_ipv4>"
    Enter the client's source IP address.
    Default: No default.

Example

See waf ip-intelligence on page 501.


Related topics

l waf ip-intelligence on page 501

waf ip-list

Use this command to define which source IP addresses are trusted clients, undetermined, or distrusted.
l Trusted IPs—Almost always allowed to access your protected web servers. Trusted IPs are exempt from many (but not all) of the restrictions that would otherwise be applied by a server policy. To determine which scans are skipped, see debug flow trace on page 694.
l Neither—If a source IP address is neither explicitly blacklisted nor trusted by an IP list policy, the client can access your web servers, unless it is blocked by any of your other configured, subsequent web protection scan techniques. For details, see debug flow trace on page 694.
l Blacklisted IPs—Blocked and prevented from accessing your protected web servers. Requests from blacklisted IP addresses receive a warning message in response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blacklisted IPs.

Because FortiWeb evaluates trusted and blacklisted IP policies before many other
techniques, defining these IP addresses can improve performance.

Alternatively, you can block sets of many clients based upon their reputation (see waf ip-intelligence on page 501) or
geographical origin (see waf geo-block-list on page 465).
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf ip-list
edit "<ip-list_name>"
set severity {Low | Medium | High | Info}
set action { alert_deny | block-period | deny_no_log}
set block-period <block_period_int>
set ignore-x-forwarded-for {enable | disable}
set trigger-policy "<trigger-policy_name>"
config members
edit <entry_index>
set group-type {ip-string | ip-group}
set ip "<client_ip>"
set ip-group <name>
set type {trust-ip | black-ip | allow-only-ip}
next
end
next
end


"<ip-list_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

action {alert_deny | block-period | deny_no_log}
    Select which action FortiWeb will take when it detects a violation of the rule:
    l alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
    l deny_no_log—Block the request (or reset the connection). Do not generate a log message.
    l block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period.
    Note: This setting will be ignored if monitor-mode {enable | disable} on page 152 is enabled in a server policy.
    Default: block-period

block-period <block_period_int>
    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the rule. The valid range is 1–3,600 seconds.
    This setting is available only if action is set to block-period.
    Default: 60

severity {Low | Medium | High | Info}
    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when a blacklisted IP address attempts to connect to your web servers: Low, Medium, High, or Info.
    Default: No default.

trigger-policy "<trigger-policy_name>"
    Select which trigger, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a blacklisted IP address's attempt to connect to your web servers. The maximum length is 63 characters. For details, see log trigger-policy on page 93.
    To display the list of existing trigger policies, enter:
    set trigger-policy ?
    Default: No default.

ignore-x-forwarded-for {enable | disable}
    By default, FortiWeb scans the IP addresses in the X-Forwarded-For header at the HTTP layer, which consumes more resources. To improve performance, enable this option so that only the source IP address of the TCP connection is scanned and HTTP packets are not processed for this check.
    Note: When FortiWeb sits behind a proxy or load balancer, the TCP source address is that device's address rather than the client's, so enabling this option makes the list apply to the proxy instead of the original client.
    Default: disable


<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

group-type {ip-string | ip-group}
    Select ip-string to enter IP addresses or ranges, or ip-group to reference the IP groups you have created through config server-policy ip-group.
    Default: ip-string

ip "<client_ip>"
    If you have selected ip-string for group-type, enter one or more of the following, separated with commas ( , ):
    l A single IP address that a client source IP must match, such as a trusted private network IP address (for example, an administrator's computer, 172.16.1.20).
    l A range of addresses, written as the first and last address joined by a hyphen. IPv4 and IPv6 entries can be mixed in one list, for example: 1.2.3.4,2001::1,1.2.3.4-1.2.3.40,2001::1-2001::100
    Default: No default.

ip-group <name>
    If you have selected ip-group for group-type, specify the IP group you have created through config server-policy ip-group. By using an IP group, you avoid retyping the IP addresses every time you need to reuse them.
    Default: No default.

type {trust-ip | black-ip | allow-only-ip}
    Select one of the following:
    l black-ip—The source IP address is distrusted, and is permanently blocked (blacklisted) from accessing your web servers, even if it would normally pass all other scans.
      Note: If multiple clients share the same source IP address, such as when a group of clients is behind a firewall or router performing network address translation (NAT), blacklisting the source IP address could block innocent clients that share the same source IP address with an offending client.
    l trust-ip—The source IP address is trusted and allowed to access your web servers, unless it fails a previous scan. For details, see "Sequence of scans" on page 1.
    l allow-only-ip—If the source IP address is in the Allow Only list, the request is passed to other scans to decide whether it is allowed to access your web servers. If it is not, FortiWeb takes the configured action and applies the trigger policy.
    By default, if the IP address of a request is in neither the Block IP nor the Trust IP list, FortiWeb passes the request to other scans to decide whether it is allowed to access your web servers. Defining allow-only-ip addresses causes such requests to be screened against the Allow Only IPs before they are passed to other scans. If the Allow Only range is empty, source IP addresses that are in neither the Block IP nor the Trust IP list are passed directly to other scans.
    Requests that are blocked according to the IP Lists receive a warning message as the HTTP response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blocked IPs.
    Default: trust-ip

Example

The following shows the configuration for a trusted host of 192.0.2.0 followed by a blacklisted client of 192.0.2.1.
config waf ip-list
    edit "IP-List-Policy1"
        config members
            edit 1
                set ip "192.0.2.0"
            next
            edit 2
                set type black-ip
                set ip "192.0.2.1"
                set severity Medium
                set trigger-policy "TriggerActionPolicy1"
            next
        end
    next
end
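
The decision order the table above describes (black-ip, then trust-ip, then the Allow Only range), as an added Python example; it is not FortiWeb code. It assumes that list members may be single addresses or CIDR ranges, and that an address present in both the Block IP and Trust IP lists is blocked.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IpListPolicy:
    """One waf ip-list policy with its members grouped by type. Members are kept
    as networks so a single address (/32) and a range match the same way; the
    member format is an assumption, not something the reference states."""
    black: list = field(default_factory=list)
    trust: list = field(default_factory=list)
    allow_only: list = field(default_factory=list)

    def add(self, entry_type: str, ip: str) -> None:
        net = ipaddress.ip_network(ip, strict=False)
        {"black-ip": self.black, "trust-ip": self.trust,
         "allow-only-ip": self.allow_only}[entry_type].append(net)


def _listed(ip, entries) -> bool:
    return any(ip in net for net in entries)


def classify(src_ip: str, policy: IpListPolicy) -> str:
    """Return what the IP list scan does with a request from src_ip."""
    ip = ipaddress.ip_address(src_ip)
    if _listed(ip, policy.black):
        # Permanently blocked: warning page, attack log ID 70007. Assumption:
        # black-ip wins when an address is also in the Trust IP list.
        return "blocked"
    if _listed(ip, policy.trust):
        return "trusted"            # allowed unless an earlier scan failed
    if policy.allow_only and not _listed(ip, policy.allow_only):
        return "trigger-policy"     # not in a non-empty Allow Only range
    return "other-scans"            # in Allow Only, or the range is empty


# Constructed from the CLI example above: entry 1 uses the default type (trust-ip).
EXAMPLE_POLICY = IpListPolicy()
EXAMPLE_POLICY.add("trust-ip", "192.0.2.0")
EXAMPLE_POLICY.add("black-ip", "192.0.2.1")

# The same policy with an Allow Only range added (constructed).
ALLOW_ONLY_POLICY = IpListPolicy()
ALLOW_ONLY_POLICY.add("trust-ip", "192.0.2.0")
ALLOW_ONLY_POLICY.add("black-ip", "192.0.2.1")
ALLOW_ONLY_POLICY.add("allow-only-ip", "203.0.113.0/24")

if __name__ == "__main__":
    for src in ("192.0.2.1", "192.0.2.0", "198.51.100.7", "203.0.113.5"):
        print(src, classify(src, EXAMPLE_POLICY), classify(src, ALLOW_ONLY_POLICY))
```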

Related topics

- log trigger-policy on page 93
- waf web-protection-profile inline-protection on page 636
- waf web-protection-profile offline-protection on page 645
- waf geo-block-list on page 465
- waf ip-intelligence on page 501
- debug flow trace on page 694

waf json-schema

Use this command to view JSON schema files that have already been uploaded to FortiWeb. You can upload JSON schema files only in the web UI.
You can reference a JSON schema file directly in a JSON protection rule, or add multiple JSON schema files to a group (config waf json-schema group) and reference the group in the JSON protection rule.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf json-schema file
    edit "<json_schema_file_name>"
        set json-schema-version {Auto-identify | Draft-3 | Draft-4 | Draft-6 | Draft-7 | Draft-201909 | Draft-202012}
    next
end

"<json_schema_file_name>"
    To display a list of existing JSON schema files, enter:
    edit ?
    Default: No default.

json-schema-version {Auto-identify | Draft-3 | Draft-4 | Draft-6 | Draft-7 | Draft-201909 | Draft-202012}
    Select a JSON schema version. The system checks whether the schema file is valid against the specified version.
    If you select Auto-identify, FortiWeb uses the version stated by the ‘$schema’ key in the JSON Schema file. If ‘$schema’ is not found or is incorrect, all versions are checked.
    Default: Auto-identify

Related topics

- waf json-validation rule on page 510
- waf json-schema group

waf json-schema group

Use this command to group multiple JSON Schemas together. The schema group can be referenced in a JSON Protection Rule. If a request does not match any of the schemas in the group, it is considered a violation.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf json-schema group
    edit <json-schema-group-name>
        config members
            edit 1
                set member-name <schema-name1>
            next
            edit 2
                set member-name <schema-name2>
            next
        end
    next
end

<json-schema-group-name>
    Enter a name for the JSON schema group.
    Default: No default.

member-name <schema-name>
    Select a JSON Schema that you have created through config waf json-schema file.
    Default: No default.

Related topics

- waf json-schema
- waf json-validation rule on page 510

waf json-validation rule

Use this command to create JSON protection rules and configure JSON protection policies.

Syntax
config waf json-validation rule
    edit "<json_rule_name>"
        set host-status {enable | disable}
        set host "<host_name_str>"
        set request-type {plain | regular}
        set request-file "<file_str>"
        set schema-type {single-schema | schema-group}
        set schema-file <schema-file>
        set schema-group <schema-group>
        set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}
        set block-period <period_int>
        set severity {High | Low | Medium | Info}
        set trigger "<trigger_policy_name>"
        set json-limits {enable | disable}
        set json-data-size "<json-data-size_int>"
        set key-size "<key-size_int>"
        set key-number "<key-number_int>"
        set value-size "<value-size_int>"
        set value-number-in-array "<value-number-in-array_int>"
        set object-depth "<object-depth_int>"
    next
end
config waf json-validation policy
    edit "<json_policy_name>"
        set enable-signature-detection {enable | disable}
        config input-rule-list
            edit "<input-rule-list_id>"
                set json_input_rule "<json_input_rule_str>"
            next
        end
    next
end

"<json_rule_name>"
    Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a JSON protection policy.
    Default: No default.

host-status {enable | disable}
    Enable to compare the JSON rule to the Host: field in the HTTP header. If enabled, also configure host "<host_name_str>" on page 511.
    Default: disable

host "<host_name_str>"
    Enter the name of a protected host that the Host: field of an HTTP request must match in order for the rule to apply. For details, see server-policy allow-hosts on page 103.
    Default: No default.

request-type {plain | regular}
    Select whether request-file "<file_str>" on page 511 must contain either:
    - plain—The field is a string that the request URL must match exactly.
    - regular—The field is a regular expression that defines a set of matching URLs.
    Default: No default.

request-file "<file_str>"
    Depending on your selection for request-type {plain | regular} on page 511, enter either:
    - plain—The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
    - regular—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.
    Do not include the domain name, such as www.example.com, which is configured separately in host "<host_name_str>" on page 511.
    Default: No default.

schema-type {single-schema | schema-group}
    Select whether to use a single schema file or a schema group. If a request does not match the schema, it is considered a violation.
    Default: single-schema

schema-file <schema-file>
    Select the schema file that you uploaded through the JSON Schema tab in API Protection > JSON Protection in the GUI.
    Note that schema files cannot be uploaded through the CLI.
    Default: No default.

schema-group <schema-group>
    Select the schema group that you created through config waf json-schema group. For more information, see waf json-schema group on page 509.
    Default: No default.

action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}
    Select one of the following actions that FortiWeb performs when a request violates the rule:
    - alert—Accept the request and generate an alert email and/or log message.
    - alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see "system replacemsg" on page 1.
    - block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <period_int> on page 512.
    - redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    - send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.
    - deny_no_log—Deny the request. Do not generate a log message.
    Caution: FortiWeb ignores this setting when monitor-mode {enable | disable} on page 152 is enabled.
    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk on page 66 and log alertMail on page 60.
    Default: alert

block-period <period_int>
    Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log} on page 512 is block-period.
    The valid range is 1–3,600 seconds.
    Default: 600

severity {High | Low | Medium | Info}
    When rule violations are recorded in the attack log, each log message contains a Severity Level field. Select which severity level FortiWeb will use when it logs a violation of the rule:
    - Low
    - Medium
    - High
    - Info
    Default: Low

trigger "<trigger_policy_name>"
    Enter the name of the trigger, if any, to apply when the rule is violated. The maximum length is 63 characters. For details, see log trigger-policy on page 93.
    To display a list of existing triggers, enter:
    set trigger ?
    Default: No default.

json-limits {enable | disable}
    Enable to define limits on JSON data size, key size and number, value size, values per array, and object depth.
    Default: disable

json-data-size "<json-data-size_int>"
    Enter the total size of JSON data in the JSON file. The valid range is 0–10240.
    Default: 1024

key-size "<key-size_int>"
    Enter the key size of each object. The valid range is 0–10240. The
    Default: 64

key-number "<key-number_int>"
    Enter the total number of keys in each JSON file. The valid range is 0–2147483647.
    Default: 256

value-size "<value-size_int>"
    Enter the value size of each key. The valid range is 0–10240.
    Default: 128

value-number-in-array "<value-number-in-array_int>"
    Enter the total number of values in an array. The valid range is 0–2147483647.
    Default: 256

object-depth "<object-depth_int>"
    Enter the maximum depth of nested objects. The valid range is 0–2147483647.
    Default: 32

"<json_policy_name>"
    Enter the name of a JSON protection policy. You will use the name to select the policy in other parts of the configuration.
    Default: No default.

"<input-rule-list_id>"
    Enter the index number of an entry to create or modify a rule for the policy.
    Default: No default.

enable-signature-detection {enable | disable}
    Enable to scan for matches with attack and data leak signatures in JSON data submitted by clients in HTTP requests with Content-Type: values application/json or text/json.
    Default: disable

json_input_rule "<json_input_rule_str>"
    Enter the name of a JSON protection rule to add to the JSON protection policy.
    Default: No default.

Example

The following example creates a JSON protection rule and applies the rule to a new JSON protection policy.
config waf json-validation rule
    edit "example_rule_name_1"
        set action block-period
        set block-period 3000
        set severity Medium
        set trigger "example_trigger_policy_name"
        set host-status enable
        set host "example_host_name"
        set request-type plain
        set request-file "/index.php"
        set schema-file "example_schema_file_name"
        set json-limits enable
        set json-data-size 1030
        set key-size 100
        set key-number 300
        set value-size 200
        set object-depth 60
    next
end
config waf json-validation policy
    edit "example_policy_name"
        config input-rule-list
            edit 1
                set json_input_rule "example_rule_name_1"
            next
        end
    next
end
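
The json-limits checks that the rule above turns on, as an added Python example (not FortiWeb's own code): it applies a rule's limits to a request body and reports which limits are exceeded. Measuring sizes in UTF-8 bytes, counting both objects and arrays toward object-depth, and applying value-size to string values only are assumptions, since the reference does not specify them.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class JsonLimits:
    """The json-limits settings of a waf json-validation rule (table defaults)."""
    json_data_size: int = 1024
    key_size: int = 64
    key_number: int = 256
    value_size: int = 128
    value_number_in_array: int = 256
    object_depth: int = 32


# The limits set in the CLI example above; value-number-in-array stays at its default.
EXAMPLE_RULE = JsonLimits(json_data_size=1030, key_size=100, key_number=300,
                          value_size=200, object_depth=60)


def check_json_limits(body: bytes, limits: JsonLimits) -> list:
    """Return the names of the limits a request body violates (empty = passes).

    Assumptions (not stated by the reference): sizes are UTF-8 byte counts,
    objects and arrays both count toward object-depth (top level = 1),
    key-number is the total over all objects, value-size applies to strings.
    """
    violations = set()
    if len(body) > limits.json_data_size:
        violations.add("json-data-size")
    try:
        doc = json.loads(body)
    except ValueError:
        violations.add("malformed-json")
        return sorted(violations)

    counters = {"keys": 0, "depth": 0}

    def walk(node, depth):
        if isinstance(node, dict):
            counters["depth"] = max(counters["depth"], depth)
            counters["keys"] += len(node)
            for key, value in node.items():
                if len(key.encode("utf-8")) > limits.key_size:
                    violations.add("key-size")
                walk(value, depth + 1)
        elif isinstance(node, list):
            counters["depth"] = max(counters["depth"], depth)
            if len(node) > limits.value_number_in_array:
                violations.add("value-number-in-array")
            for value in node:
                walk(value, depth + 1)
        elif isinstance(node, str):
            if len(node.encode("utf-8")) > limits.value_size:
                violations.add("value-size")
        # numbers, booleans and null are not size-checked here (assumption)

    walk(doc, 1)
    if counters["keys"] > limits.key_number:
        violations.add("key-number")
    if counters["depth"] > limits.object_depth:
        violations.add("object-depth")
    return sorted(violations)


# Constructed request bodies for exercising the checker.
OK_BODY = json.dumps({"user": "alice", "roles": ["admin", "dev"]}).encode()
LONG_KEY_BODY = json.dumps({"k" * 80: 1}).encode()      # key longer than the 64-byte default
_node = 0
for _ in range(40):                                     # 40 nested objects
    _node = {"a": _node}
DEEP_BODY = json.dumps(_node).encode()
BIG_ARRAY_BODY = json.dumps([0] * 260).encode()         # more than 256 array values

if __name__ == "__main__":
    for name, body in [("ok", OK_BODY), ("long key", LONG_KEY_BODY),
                       ("deep", DEEP_BODY), ("big array", BIG_ARRAY_BODY)]:
        print(f"{name:9s} defaults={check_json_limits(body, JsonLimits())} "
              f"example_rule={check_json_limits(body, EXAMPLE_RULE)}")
```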

Related topics

- waf json-schema on page 508
- waf web-protection-profile inline-protection on page 636

waf known-bots

Known Bots protects your websites, mobile applications, and APIs from malicious bots, such as DoS, spam, and crawler bots, and from known good bots, such as known search engines, without affecting the flow of critical traffic. This feature identifies and manages a wide range of attacks from automated tools, no matter where these applications or APIs are deployed.
Use these commands to configure known bots prevention.

Syntax
config waf known-bots
    edit "known-bots_rule_name"
        set crawler-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
        set crawler-block-period <period_int>
        set crawler-severity {High | Medium | Low | Info}
        set crawler-status {enable | disable}
        set crawler-threat-weight {low | critical | informational | moderate | substantial | severe}
        set crawler-trigger <trigger_policy_name>
        set dos-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
        set dos-block-period <period_int>
        set dos-severity {High | Medium | Low | Info}
        set dos-status {enable | disable}
        set dos-threat-weight {low | critical | informational | moderate | substantial | severe}
        set dos-trigger <trigger_policy_name>
        set known-engines-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
        set known-engines-block-period <period_int>
        set known-engines-severity {High | Medium | Low | Info}
        set known-engines-status {enable | disable}
        set known-engines-threat-weight {low | critical | informational | moderate | substantial | severe}
        set known-engines-trigger <trigger_policy_name>
        set scanner-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
        set scanner-block-period <period_int>
        set scanner-severity {High | Medium | Low | Info}
        set scanner-status {enable | disable}
        set scanner-threat-weight {low | critical | informational | moderate | substantial | severe}
        set scanner-trigger <trigger_policy_name>
        set spam-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
        set spam-block-period <period_int>
        set spam-severity {High | Medium | Low | Info}
        set spam-status {enable | disable}
        set spam-threat-weight {low | critical | informational | moderate | substantial | severe}
        set spam-trigger <trigger_policy_name>
        set trojan-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
        set trojan-block-period <period_int>
        set trojan-severity {High | Medium | Low | Info}
        set trojan-status {enable | disable}
        set trojan-threat-weight {low | critical | informational | moderate | substantial | severe}
        set trojan-trigger <trigger_policy_name>
        config malicious-bot-disable-list
            edit "<malicious-bot-disable-list_name>"
            next
        end
        config known-good-bots-disable-list
            edit "<known-good-bots-disable-list_name>"
            next
        end
    next
end

"known-bots_rule_name"
    Enter a name for the known bots rule.
    Default: No default

crawler-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this type of attack is identified.
    - alert—Accept the request and generate an alert email and/or log message.
    - alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    - deny_no_log—Block the request (or reset the connection).
    - redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    - block_period—Block subsequent requests from the client for a number of seconds. Also configure crawler-block-period <period_int> on page 517.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    - send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

crawler-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this type of attack.
    Default: 600

crawler-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an attack:
    - High
    - Medium
    - Low
    - Info
    Default: High

crawler-status {enable | disable}
    Enable or disable detection of this bot type for this rule.
    Default: enable

crawler-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for crawler bot attacks.
    Default: critical

crawler-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

dos-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this type of attack is identified.
    - alert—Accept the request and generate an alert email and/or log message.
    - alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    - deny_no_log—Block the request (or reset the connection).
    - redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    - block_period—Block subsequent requests from the client for a number of seconds. Also configure dos-block-period <period_int> on page 518.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    - send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

dos-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this type of attack.
    Default: 600

dos-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an attack:
    - High
    - Medium
    - Low
    - Info
    Default: High

dos-status {enable | disable}
    Enable or disable detection of this bot type for this rule.
    Default: enable

dos-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for DoS bot attacks.
    Default: critical

dos-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

known-engines-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this type of attack is identified.
    - alert—Accept the request and generate an alert email and/or log message.
    - alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    - deny_no_log—Block the request (or reset the connection).
    - redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    - block_period—Block subsequent requests from the client for a number of seconds. Also configure known-engines-block-period <period_int> on page 520.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    - send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

known-engines-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this type of attack.
    Default: 600

known-engines-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an attack:
    - High
    - Medium
    - Low
    - Info
    Default: Info

known-engines-status {enable | disable}
    Enable or disable detection of this bot type for this rule.
    Default: enable

known-engines-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for known search engine attacks.
    Default: informational

known-engines-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

scanner-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this type of attack is identified.
    - alert—Accept the request and generate an alert email and/or log message.
    - alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    - deny_no_log—Block the request (or reset the connection).
    - redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    - block_period—Block subsequent requests from the client for a number of seconds. Also configure scanner-block-period <period_int> on page 522.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    - send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

scanner-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this type of attack.
    Default: 600

scanner-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an attack:
    - High
    - Medium
    - Low
    - Info
    Default: High

scanner-status {enable | disable}
    Enable or disable detection of this bot type for this rule.
    Default: enable

scanner-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for scanner bot attacks.
    Default: critical

scanner-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

spam-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this type of attack is identified.
    - alert—Accept the request and generate an alert email and/or log message.
    - alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    - deny_no_log—Block the request (or reset the connection).
    - redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    - block_period—Block subsequent requests from the client for a number of seconds. Also configure spam-block-period <period_int> on page 523.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    - send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

spam-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this type of attack.
    Default: 600

spam-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an attack:
    - High
    - Medium
    - Low
    - Info
    Default: High

spam-status {enable | disable}
    Enable or disable detection of this bot type for this rule.
    Default: enable

spam-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for spam bot attacks.
    Default: critical

spam-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

trojan-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this type of attack is identified.
    - alert—Accept the request and generate an alert email and/or log message.
    - alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    - deny_no_log—Block the request (or reset the connection).
    - redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    - block_period—Block subsequent requests from the client for a number of seconds. Also configure trojan-block-period <period_int> on page 525.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    - send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

trojan-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this type of attack.
    Default: 600

trojan-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an attack:
    - High
    - Medium
    - Low
    - Info
    Default: High

trojan-status {enable | disable}
    Enable or disable detection of this bot type for this rule.
    Default: enable

trojan-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for Trojan bot attacks.
    Default: critical

trojan-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

"<malicious-bot-disable-list_name>"
    Select the malicious bot list that is not to be scanned.
    Default: No default

"<known-good-bots-disable-list_name>"
    Select the known good bots list that is not to be scanned.
    Default: No default

Related Topics

- waf web-protection-profile inline-protection on page 636

waf layer4-access-limit-rule

Use this command to limit the number of HTTP requests per second from any IP address to your web server. The
FortiWeb appliance tracks the number of requests. If the count of HTTP GET or POST requests exceeds the request limit,
FortiWeb performs the action you specified.
To apply this rule, include it in an application-layer DoS-prevention policy and include that policy in an inline protection
profile. For details, see waf application-layer-dos-prevention on page 400.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf layer4-access-limit-rule
    edit "<rule_name>"
        set access-limit-standalone-ip <limit_int>
        set access-limit-share-ip <limit_int>
        set action {alert | alert_deny | block-period | deny_no_log}
        set bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}
        set recaptcha <recaptcha_server_name>
        set max-attempt-times <attempts_int>
        set block-period <seconds_int>
        set severity {High | Medium | Low | Info}
        set trigger-policy "<trigger-policy_name>"
        set validation-timeout <seconds_int>
        set mobile-app-identification {disabled | mobile-token-validation}
        set bot-confirmation {enable | disable}
    next
end

"<rule_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

access-limit-standalone-ip <limit_int>
    Enter the maximum number of HTTP requests allowed per second from any source IP address representing a single client. The valid range is 0–65,536. To disable the limit, enter 0.
    Default: 0

access-limit-share-ip <limit_int>
    Enter the maximum number of HTTP requests allowed per second from any source IP address shared by multiple clients behind a network address translation (NAT) device, such as a firewall or router. The valid range is 0–65,536. To disable the limit, enter 0.
    Default: 0

action {alert | alert_deny | block-period | deny_no_log}
    Select one of the following actions that the FortiWeb appliance performs when the count exceeds either threshold limit:
    - alert—Accept the request and generate an alert email and/or log message.
    - alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see "system replacemsg" on page 1.
    - block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int> on page 528.
      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for on page 659.
    - deny_no_log—Deny the request. Do not generate a log message.
    Caution: This setting is ignored if monitor-mode {enable | disable} on page 152 is enabled.
    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk on page 66 and log alertMail on page 60.
    Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see "waf web-protection-profile autolearning-profile" on page 1.
    Default: alert

bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}
  Select between:
  - captcha-enforcement: Requires the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within the max-attempt-times <attempts_int> on page 528, or doesn't fulfill the request within the validation-timeout <seconds_int> on page 529, FortiWeb applies the action and sends the CAPTCHA block page.
  - recaptcha-enforcement: Requires the client to successfully fulfill a reCAPTCHA request. If the client cannot successfully fulfill the request within the validation-timeout <seconds_int> on page 529, FortiWeb applies the action and sends the reCAPTCHA block page.
  - real-browser-enforcement: Returns JavaScript to the client to test whether it is a web browser or an automated tool when it violates the access rule. If the client either fails the test or does not return results before the timeout specified by validation-timeout, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to violate the rule.
  - disable: Do not carry out the real browser verification.
  Default: disable
recaptcha <recaptcha_server_name>
  Enter the reCAPTCHA server you have created through user recaptcha-user.
  Default: No default.

max-attempt-times <attempts_int>
  If captcha-enforcement is selected for bot-recognition, enter the maximum number of attempts that a client may make to fulfill a CAPTCHA request. The valid range is 1–5.
  Available only when captcha-enforcement is selected for bot-recognition.
  Default: 3

block-period <seconds_int>
  Enter the number of seconds to block access to the client. This applies only when the action {alert | alert_deny | block-period | deny_no_log} on page 527 setting is block-period. The valid range is 1–10,000 seconds.
  Default: 600

severity {High | Medium | Low | Info}
  Select the severity level to use in logs and reports generated when a violation of the rule occurs.
  Default: Medium

trigger-policy "<trigger-policy_name>"
  Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy on page 93. The maximum length is 63 characters.
  To display the list of existing trigger policies, enter:
    set trigger ?
  Default: No default.

validation-timeout <seconds_int>
  Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client for bot-recognition. The valid range is 5–30.
  Default: 20

mobile-app-identification {disabled | mobile-token-validation}
  - disabled: Do not carry out the mobile token verification.
  - mobile-token-validation: Requires the client to use a mobile token for verification.
  To apply mobile token validation, you must enable Mobile App Identification in waf web-protection-profile inline-protection on page 636.
  Default: disabled

bot-confirmation {enable | disable}
  Enable to choose how to verify users when the rules of bot detection are triggered.
  Default: disable

Example

This example includes two rules. One blocks connections for two minutes, while the other creates an alert and denies the connection.
config waf layer4-access-limit-rule
    edit "Web Portal HTTP Request Limit"
        set access-limit-share-ip 10
        set access-limit-standalone-ip 10
        set action block-period
        set block-period 120
        set severity Medium
        set trigger-policy "Web_Protection_Trigger"
    next
    edit "Online Store HTTP Request Limit"
        set access-limit-share-ip 5
        set access-limit-standalone-ip 5
        set action alert_deny
        set severity High
        set trigger-policy "Web_Protection_Trigger"
    next
end


Related topics

- log trigger-policy on page 93
- waf application-layer-dos-prevention on page 400
- waf layer4-connection-flood-check-rule on page 530

waf layer4-connection-flood-check-rule

Use this command to limit the number of fully-formed TCP connections per source IP address. This effectively prevents
TCP flood-style denial-of-service (DoS) attacks.
TCP flood attacks exploit the fact that servers must consume memory to maintain the state of the open connection until
either the timeout, or the client or server closes the connection. This consumes some memory even if the client is not
currently sending any HTTP requests.
Normally, a legitimate client forms a single TCP connection, through which they may make several HTTP requests. As a
result, each client consumes a negligible amount of memory to track the state of the TCP connection. However, an
attacker opens many connections with perhaps zero or one request each, until the server is exhausted and has no
memory left to track the TCP states of new connections with legitimate clients.
This command is similar to waf http-connection-flood-check-rule on page 478. However, this feature counts TCP
connections per source IP address, while the other command counts TCP connections per session cookie.
It is also similar to syncookie in server-policy policy on page 140. However, this feature counts fully-formed TCP
connections, while the anti-SYN flood feature counts partially-formed TCP connections.
To apply this rule, include it in an application-layer DoS-prevention policy and include that policy in an inline protection
profile. For details, see waf application-layer-dos-prevention on page 400.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf layer4-connection-flood-check-rule
edit "<rule_name>"
set layer4-connection-threshold <limit_int>
set action {alert | alert_deny | block-period | deny_no_log}
set block-period <seconds_int>
set severity {High | Medium | Low | Info}
set trigger-policy "<trigger-policy_name>"
next
end

"<rule_name>"
  Enter the name of a new or existing rule. The maximum length is 63 characters.
  To display the list of existing rules, enter:
    edit ?
  Default: No default.

layer4-connection-threshold <limit_int>
  Enter the maximum number of TCP connections allowed from the same IP address. The valid range is 0–65,536.
  Default: 0

action {alert | alert_deny | block-period | deny_no_log}
  Select one of the following actions that the FortiWeb appliance will perform when the count exceeds the rate limit:
  - alert: Accept the connection and generate an alert email and/or log message.
  - alert_deny: Block the connection and generate an alert email and/or log message.
  - block-period: Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int> on page 531.
  - deny_no_log: Deny the request. Do not generate a log message.
  Caution: This setting will be ignored if monitor-mode {enable | disable} on page 152 is enabled.
  Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk on page 66 and log alertMail on page 60.
  Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, you should select alert. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see "waf web-protection-profile autolearning-profile" on page 1.
  Default: alert

block-period <seconds_int>
  Enter the length of time (in seconds) for which the FortiWeb appliance will block additional requests after a source IP address exceeds the rate threshold. The block period is shared by all clients whose traffic originates from the source IP address. The valid range is 1–3,600.
  Default: 600

severity {High | Medium | Low | Info}
  Select the severity level to use in logs and reports generated when a violation of the rule occurs.
  Default: Medium

trigger-policy "<trigger-policy_name>"
  Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy on page 93. The maximum length is 63 characters.
  To display the list of existing trigger policies, enter:
    set trigger ?
  Default: No default.

Example

This example illustrates a basic TCP flood check rule.

config waf layer4-connection-flood-check-rule
    edit "Web Portal Network Connect Limit"
        set action alert_deny
        set layer4-connection-threshold 10
        set severity Medium
        set trigger-policy "Server_Policy_Trigger"
    next
end
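The following Python simulation is an added example, not code from FortiWeb or Fortinet: it replays constructed connection events through the rule semantics described above (fully-formed TCP connections counted per source IP, the four actions, the shared block period, and the monitor-mode caution). That a threshold of 0 disables the check and that connections arriving during an active block are dropped without a log entry are assumptions made here.

```python
"""Simulation of how a waf layer4-connection-flood-check-rule is applied.

Added example, not FortiWeb code. Models the documented semantics on
constructed events so the effect of each setting can be checked before a
rule is deployed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed event: (timestamp in seconds, "open" or "close", source IP)
Event = Tuple[float, str, str]


@dataclass
class Layer4ConnectionFloodRule:
    """Mirrors the rule's settings; 0 disabling the threshold is an assumption."""
    threshold: int = 0            # layer4-connection-threshold
    action: str = "alert"         # alert | alert_deny | block-period | deny_no_log
    block_period: int = 600       # seconds, used only when action is block-period
    severity: str = "Medium"
    trigger_policy: str = ""
    monitor_mode: bool = False    # monitor-mode makes the action a no-op (still logged)


@dataclass
class Decision:
    time: float
    ip: str
    accepted: bool
    logged: bool
    reason: str


class FloodChecker:
    """Tracks open connections per source IP and applies the rule on each open."""

    def __init__(self, rule: Layer4ConnectionFloodRule) -> None:
        self.rule = rule
        self.open_conns: Dict[str, int] = {}
        self.blocked_until: Dict[str, float] = {}

    def _on_violation(self, t: float, ip: str) -> Decision:
        r = self.rule
        if r.monitor_mode:  # Caution on the page: the action is ignored in monitor mode
            return Decision(t, ip, True, True, "monitor-mode: logged only")
        if r.action == "alert":
            return Decision(t, ip, True, True, "alert")
        if r.action == "alert_deny":
            return Decision(t, ip, False, True, "alert_deny")
        if r.action == "block-period":
            # The block period is shared by everything behind this source IP.
            self.blocked_until[ip] = t + r.block_period
            return Decision(t, ip, False, True, f"block-period {r.block_period}s")
        if r.action == "deny_no_log":
            return Decision(t, ip, False, False, "deny_no_log")
        raise ValueError(f"unknown action {r.action!r}")

    def handle(self, ev: Event) -> Decision:
        t, kind, ip = ev
        if kind == "close":
            self.open_conns[ip] = max(0, self.open_conns.get(ip, 0) - 1)
            return Decision(t, ip, True, False, "close")
        if kind != "open":
            raise ValueError(f"unknown event {kind!r}")
        if self.blocked_until.get(ip, 0.0) > t:
            # Assumption: connections during an active block are dropped silently.
            return Decision(t, ip, False, False, "blocked")
        count = self.open_conns.get(ip, 0) + 1
        if self.rule.threshold and count > self.rule.threshold:
            decision = self._on_violation(t, ip)
            if decision.accepted:
                self.open_conns[ip] = count
            return decision
        self.open_conns[ip] = count
        return Decision(t, ip, True, False, "accept")


def run(rule: Layer4ConnectionFloodRule, events: List[Event]) -> List[Decision]:
    """Apply the rule to events in time order and return one Decision per event."""
    checker = FloodChecker(rule)
    return [checker.handle(ev) for ev in sorted(events, key=lambda e: e[0])]


def summarize(decisions: List[Decision]) -> Dict[str, int]:
    """Counts of accepted, denied and logged connection attempts (closes excluded)."""
    opens = [d for d in decisions if d.reason != "close"]
    return {
        "accepted": sum(d.accepted for d in opens),
        "denied": sum(not d.accepted for d in opens),
        "logged": sum(d.logged for d in opens),
    }


if __name__ == "__main__":
    # The page's example rule: alert_deny once more than 10 connections are open.
    rule = Layer4ConnectionFloodRule(threshold=10, action="alert_deny")
    events: List[Event] = [(i, "open", "198.51.100.7") for i in range(12)]
    events.append((0.5, "open", "203.0.113.4"))   # one legitimate client
    for d in run(rule, events):
        print(f"t={d.time:>5} {d.ip:<14} {'ACCEPT' if d.accepted else 'DENY':<6} {d.reason}")
```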

Related topics

- log trigger-policy on page 93
- waf application-layer-dos-prevention on page 400
- waf layer4-access-limit-rule on page 526

waf link-cloaking link-cloaking-rule

Use this command to prevent web pages in your application from being scanned by web crawlers and scanning
software. Link cloaking uses JavaScript to transform fixed links into automatically generated links. For example,
<a href="https://example/login"> will be transformed to href="https://jisc.waasonline.com/index/login",
where the link tag <a> is cut off so that crawlers can't recognize it. When the link is loaded in the client's
browser, the removed code is added back automatically.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax

config waf link-cloaking link-cloaking-rule
    edit <link_cloaking_name>
        set host-status {enable | disable}
        set host <name>
        set url-type {plain | regular}
        set url-pattern "<url_string>"
        config exceptions
            edit 1
                set url-type
                set url-pattern
            next
        end
    next
end

<link_cloaking_name>
  Enter a name for the rule.
  Default: no default

host-status {enable | disable}
  Enable to require that the Host: field of the HTTP request matches a protected host name entry in order to match the link cloaking rule.
  Default: disable

host <name>
  Enter the protected host names entry (either a web host name or an IP address) that the Host: field of the HTTP request must be in to match the rule.
  Default: no default

url-type {plain | regular}
  Select between:
  - plain: A simple string; a string of text that contains a literal URL.
  - regular: A regular expression; a string of text that defines a search pattern for a URL that may come in many variations.
  Default: plain

url-pattern "<url_string>"
  Depending on the url-type, enter either:
  - plain: The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
  - regular: A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.
  Do not include the domain name, such as www.example.com, which is configured separately in [bot-detection-exception-list] <No.> host <string>.
  Default: no default

exceptions
  If you want to exclude certain links from Link Cloaking, type a literal URL or use a regular expression to match multiple URLs.
  Default: no default

waf link-cloaking link-cloaking-policy

Use this command to add link cloaking rules to a link cloaking policy.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax

config waf link-cloaking link-cloaking-policy
    edit <link_cloaking_policy_name>
        config rule-list
            edit <index>
                set rule <name> on page 534
            next
        end
    next
end

<link_cloaking_policy_name>
  Enter a name for the policy.
  Default: no default

rule <name>
  Enter the name of the link cloaking rule to be added to the policy.
  Default: no default

waf machine-learning url-replacer-rule/policy

Use this command to enable the machine learning feature and configure its settings.

Syntax
config waf machine-learning url-replacer-rule
edit url-replacer-rule_name
set type {pre-defined | custom-defined}
set app-type {jsp | owa-2003}
set url-replacer-policy_name
set url "<url_str>"
set new-url "<new-url_str>"
set param "<param_str>"
set new-param "<new-param_str>"
next
end
config waf machine-learning url-replacer-policy
edit url-replacer-policy_name
config rule list
edit rule-id "<rule_id>"
set type URL_Replacer
set plugin-name "<plugin-name_str>"
next
end
next
end

url-replacer-rule_name
  Specify a unique name that can be referenced by other parts of the configuration. The name can be up to 63 characters long with no space or special character.
  Default: No default.

type {pre-defined | custom-defined}
  Select either of the following:
  - Predefined: Use one of the predefined URL replacers, which can be selected from the Application Type below.
  - Custom-Defined: Define your own URL replacer by configuring the URL Path, New URL, Param Change, and New Param fields below.
  Default: No default.

app-type {jsp | owa-2003}
  If you have selected Predefined in the Type field above, select either of the following:
  - JSP: Use the URL replacer designed for Java server pages (JSP) web applications, where parameters are often separated by a semicolon (;).
  - OWA 2003: Use the URL replacer designed for default URLs in Microsoft Outlook Web App (OWA), where user name and directory parameters are often embedded within the URL, as illustrated below:
      (^/public/)(.*)
      (^/exchange/)([^/]+)/*
      (([^/]+)/(.*))*
  These two application types are predefined URL interpreter plug-ins used by popular web applications.
  Default: No default.

url "<url_str>"
  Enter a regular expression, such as (^/[^/]+)/(.*), matching all and only the URLs to which the URL replacer should apply. The URL path can be up to 256 characters long.
  The pattern does not require a slash (/). However, it must at least match URLs that begin with a slash as they appear in the HTTP header, such as /index.html. Do not include the domain name, such as www.example.com.
  Default: No default.

new-url "<new-url_str>"
  Enter either a literal URL, such as /index.html, or a regular expression with a back-reference (such as $1) defining how the URL will be interpreted. The new URL can be up to 256 characters long.
  Default: No default.

param "<param_str>"
  Enter either the parameter's literal value, such as user1, or a back-reference (such as $0) defining how the value will be interpreted.
  Default: No default.

new-param "<new-param_str>"
  Type either the parameter's literal name, such as username, or a back-reference (such as $2) defining how the parameter's name will be interpreted in the auto-learning report. You can use up to 256 characters.
  Default: No default.

url-replacer-policy_name
  Specify a unique name that can be referenced by other parts of the configuration. The name can be up to 63 characters long with no space or special character.
  Default: No default.

rule-id "<rule_id>"
  Select the sequence number of the URL Replacer Rules.
  Default: No default.

type URL_Replacer
  Select the type URL_Replacer.
  Default: No default.

plugin-name "<plugin-name_str>"
  Enter the plugin name.
  Default: No default.


Related Topic

- waf machine-learning-policy

waf machine-learning-policy

How an anomaly detection model is built

FortiWeb uses a machine learning model to analyze the parameters in your domain and decide whether the value of a
parameter is legitimate. The machine learning model is built upon a vast number of parameter value samples
collected from real requests to the domain.
When a sample is collected, the system generalizes it into a pattern. For example, “[email protected]” and
“[email protected]” will both be generalized to the pattern “[email protected]”. The anomaly detection model is
built based on the patterns, not the raw samples.
FortiWeb analyzes the characteristics of the patterns and builds an initial model when 400 samples have been collected.
The system runs the initial model to detect anomalies while it keeps collecting more samples to refine it.
Once the number of samples reaches 1200, the system evaluates whether the patterns have varied greatly since the
initial model was built:
- If very few patterns have been generalized, the patterns are stable. The system switches the initial model to a
  standard model.
- If many new patterns keep coming in, the system continues collecting more samples to cover as many patterns as
  possible. It won't switch to the standard model until the patterns become stable.
The standard model is much more reliable and accurate than the initial model. However, your domains may change as
new URLs are added and existing parameters provide new functions. This means the mathematical model of the same
parameter might differ from what FortiWeb originally observed. To keep the machine learning model up to date,
FortiWeb continues collecting new samples to update it, discarding outdated patterns and introducing new ones.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf machine-learning-policy
    edit <machine-learning-policy_id>
        set start-min-count <start-min-count_int>
        set renovate-short-time <renovate-short-time_int>
        set switch-min-count <switch-min-count_int>
        set switch-percent <switch-percent_int>
        set sliding-win-time <sliding-win-time_int>
        set sub-window-size <sub-window-size_int>
        set denoise-percent <denoise-percent_int>
        set denoise-threshold <denoise-threshold_int>
        set sample-limit-by-ip <sample-limit-by-ip_int>
        set svm-model {xss | sql-injection | code-injection | command-injection | lfi-rfi | common-injection | remote-exploits}
        set svm-type {standard | extended}
        set anomaly-detection-threshold <anomaly-detection-threshold_int>
        set action-anomaly {alert | alert_deny | block-period}
        set block-period-anomaly <block-period_int>
        set severity-definitely {High | Info | Low | Medium}
        set trigger-definitely <policy_name>
        set status {enable | disable}
        set ip-expire-intval <int>
        set ip-expire-cnts <int>
        set ip-argcount-limit {enable | disable}
        set ip-list-type {Trust | Black}
        set url-replacer-policy <policy_name>
        set threat-model {enable | disable} on page 540
        set parameters-limit-per-conn {enable | disable}
        config allow-domain-name
            edit <allow-domain-name_id>
                set domain-name <domain-name_str>
                set domain-index <domain-index_id>
                set hmm-probability-sample-length-check {enable | disable}
                set sample-length-threshold <int>
                set hmm-probability-threshold <int>
                set character-set {AUTO | ISO-8859-1 | ISO-8859-2 | ISO-8859-3 | ISO-8859-4 | ISO-8859-5 | ISO-8859-6 | ISO-8859-7 | ISO-8859-8 | ISO-8859-9 | ISO-8859-10 | ISO-8859-15 | GB2312 | BIG5 | ISO-2022-JP | ISO-2022-JP-2 | Shift-JIS | ISO-2022-KR | UTF-8}
            next
        end
        config source-ip-list
            edit <source-ip-list_id>
                set <ip>
            next
        end
    next
end

<machine-learning-policy_id>
  Enter the ID of the machine learning policy. It's the number displayed in the "#" column of the machine learning policy table on the Machine Learning Policy page. The valid range is 0–65535.
  Default: No default

start-min-count <start-min-count_int>
  An initial model will be built when the sample count reaches start-min-count.
  Default: 400

renovate-short-time <renovate-short-time_int>
  The system keeps updating the initial model. renovate-short-time defines how frequently FortiWeb updates the model if new patterns keep coming in. The valid range is 15 to 1440.
  Default: 15 (minutes)

renovate-long-time <renovate-long-time_int>
  renovate-long-time defines how frequently FortiWeb updates the initial model even if no new pattern is generalized out of the samples collected in the past hours. For example, assuming you set the value to 8 (hours), and in the past 8 hours there isn't any new pattern, FortiWeb will update the model every 8 hours anyway. The valid range is 8 to 720.
  Default: 8 (hours)

switch-min-count <switch-min-count_int>
  When the number of samples reaches switch-min-count, FortiWeb will evaluate whether to build a standard model. The valid range is 800 to 3000.
  Default: 1200

switch-percent <switch-percent_int>
  switch-percent = the number of generalized patterns / the number of raw samples * 100 (%)
  When the switch-percent is smaller than the value you set, FortiWeb switches the initial model to the standard model. The valid range is 2 to 20.
  Default: 5 (%)

sliding-win-time <sliding-win-time_int>
  After the standard model is built, FortiWeb keeps updating it according to the newest samples so that the model stays up to date even when your domain changes, such as when new URLs are added and existing parameters provide new functions. sliding-win-time defines how frequently FortiWeb updates the standard model. The valid range is 15–1440 in minutes.
  Default: 15 (minutes)

sub-window-size <sub-window-size_int>
  If there isn't any new pattern generalized during the sliding-win-time, the system will not update the standard model until the number of samples reaches the sub-window-size. The sub-window-size can be set as 50 or 100.
  Default: 50

sub-window-count <sub-window-count_int>
  Every time the standard model is updated, FortiWeb counts it as one sub-window-count. If a certain number of sub-window-counts have passed and there isn't any sample coming in for a pattern, FortiWeb considers this pattern outdated and will discard it. The sub-window-count can be set as 20, 40, or 80.
  For example, assuming the sub-window-count is 20, FortiWeb will discard a pattern if there isn't any sample collected for it after the model has been updated 20 times consecutively.
  Default: 40

denoise-percent <denoise-percent_int>
  It's important to reduce the noisy samples in order to build an accurate model.
  During the sample collecting period, the system ranks all the samples by their probabilities. The ones with the lowest probabilities will be selected as noise reduction samples, and will be filtered further with denoise-threshold to determine whether each is a noise.
  For example, if you set denoise-percent to 3, then the 3% of samples with the lowest probabilities will be selected as noise reduction samples. The valid range is 1 to 10.
  Default: 3 (%)

denoise-threshold <denoise-threshold_int>
  The system uses the following formula to determine whether the noise reduction samples are indeed noises:
    The probability of the sample > μ + denoise-threshold * σ
  μ is the average probability of the noisy samples. σ is the denoise standard deviation.
  Assume there is a circle with most of the samples crowded in the center, and several samples scattered around the edge of the circle. If the probability of the sample is larger than the value of "μ + the strictness level * σ", this sample is scattered far away from the center cluster. It indicates this sample might be an anomaly, i.e. a noise.
  If you set the denoise-threshold larger, the system tolerates a longer distance that a sample is scattered from the center cluster. In this way, fewer samples will be treated as noises. If you want to identify more samples as noises, set the denoise-threshold smaller. The valid range is 1 to 10.
  Default: 2

threat-model {enable | disable}
  Enable to scan anomalies to verify whether they are attacks. It provides a method to check whether an anomaly is a real attack by the trained Support Vector Machine model.
  Default: enable

svm-model {xss | sql-injection | code-injection | command-injection | lfi-rfi | common-injection | remote-exploits}
  Enable or disable threat models for different types of threats such as cross-site scripting, SQL injection and code injection. Currently, seven trained Support Vector Machine models are provided for seven attack types.
  Default: enable

svm-type {standard | extended}
  If standard is selected, the system automatically disables the SVM models which can easily trigger false positives. If extended is selected, the system enables all SVM models.
  Default: standard

anomaly-detection-threshold <anomaly-detection-threshold_int>
  The value of the anomaly-detection-threshold ranges from 1 to 10. The system uses the following formula to calculate the anomaly threshold:
    The probability of the anomaly > μ + the strictness level * σ
  If the probability of the sample is larger than the value of "μ + the strictness level * σ", this sample will be identified as an anomaly.
  μ and σ are calculated based on the probabilities of all the samples collected during the sample collection period, where μ is the average value of all the parameters' probabilities and σ is the standard deviation. They are fixed values, so the value of "μ + the strictness level * σ" varies with the strictness level you set. The smaller the value of the strictness level is, the more strict the anomaly detection model will be.
  This option sets a global value for all the parameters. If you want to adjust the strictness level for a specific parameter, see Manage anomaly-detecting settings.
  Default: 0.1

parameters-limit-per-conn {enable | disable}
  Enable to avoid collecting samples solely for the parameters in the same connection. The anomaly detection will be more effective if the system builds machine learning models for parameters diversely distributed in different connections.
  Default: enable

action-anomaly {alert | alert_deny | block-period}
  Choose the action FortiWeb takes when a definite attack is verified.
  - alert: Accepts the connection and generates an alert email and/or log message.
  - alert_deny: Blocks the request (or resets the connection) and generates an alert and/or log message.
  - block-period: Blocks the request for a certain period of time.
  Default: alert_deny

block-period-anomaly <block-period_int>
  Enter the number of seconds that you want to block the requests. The valid range is 1–3,600 seconds. This option only takes effect when action-anomaly is block-period (Period Block in the GUI).
  Default: 600

severity-definitely {High | Info | Low | Medium}
  Select the severity level for this anomaly type. The severity level will be displayed in the alert email and/or log message.
  Default: High

trigger-definitely <policy_name>
  Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. If a definite anomaly is detected, it will trigger the system to send email and/or log messages according to the trigger policy.
  Default: No default.

status {enable | disable}
  Enable to change the status to Running; disable to change the status to Stopped.
  Default: enable

url-replacer-policy <policy_name>
  Select the name of the URL Replacer Policy that you have created in Machine Learning Templates. If web applications have dynamic URLs or unusual parameter styles, you must adapt the URL Replacer Policy to recognize them.
  Default: No default.

trigger-potential <policy_name>
  Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. If a potential anomaly is detected, it will trigger the system to send email and/or log messages according to the trigger policy.

<allow-domain-name_id>
  Enter the ID of the policy. The valid range is 1–65,535.
  Default: No default.

ip-list-type {Trust | Black}
  Allow or deny sample collection from the Source IP list.
  Default: Trust

domain-name <domain-name_str>
  Add a full domain name or use the wildcard '*' to cover multiple domains under one profile.
  Default: No default.

domain-index <domain-index_id>
  The number automatically assigned by the system when the domain name is created.
  Default: No default.

hmm-probability-sample-length-check {enable | disable}
  Enable to check whether the parameter value is of unexpected length or of high anomaly probability.
  Default: disable

sample-length-threshold <int>
  If the length of the parameter value is larger than the specified threshold, the system will not send it to the SVM model for further validation. Instead, it will be directly treated as an anomaly. The valid range is 0–1,024. 0 means not applicable.
  Default: 0

hmm-probability-threshold <int>
  If the anomaly probability of the parameter value is larger than the specified threshold, the system will not send it to the SVM model for further validation. Instead, it will be directly treated as an anomaly. The valid range is 0–2,000. 0 means not applicable.
  If you are not sure how to set a proper probability value, there are two places you can refer to:
  - In Parameter View, beside the Strictness Level for Anomaly option, there is a Test Sample button. Click it and enter a parameter value to check its probability. Repeat the tests with different values until you get an idea of a reasonable probability threshold.
  - In Attack Log, find an Anomaly Detection attack. Click it to view the log details. You will find its probability.
  Default: 0

character-set {AUTO | ISO-8859-1 | ISO-8859-2 | ISO-8859-3 | ISO-8859-4 | ISO-8859-5 | ISO-8859-6 | ISO-8859-7 | ISO-8859-8 | ISO-8859-9 | ISO-8859-10 | ISO-8859-15 | GB2312 | BIG5 | ISO-2022-JP | ISO-2022-JP-2 | Shift-JIS | ISO-2022-KR | UTF-8}
  The corresponding character code when manually setting the domain.
  Default: No default.

<source-ip-list_id>
  Enter the ID of the source IP. The valid range is 1–9,223,372,036,854,775,807.
  Default: No default.

<ip>
  Enter the IP range for the source IP list.
  Default: No default.

ip-expire-intval <int>
ip-expire-cnts <int>
  A parameter is in unconfirmed status initially, and it will be set to confirmed if the parameter is contained in the requests from a certain number of different source IPs within the given time. Otherwise, the parameter will be discarded.
  ip-expire-cnts defines the number of different source IPs, while ip-expire-intval defines the given time period.
  The valid range for ip-expire-intval is 1–24 in hours, and the default value is 4.
  The valid range for ip-expire-cnts is 1–5, and the default value is 3.
  Default: 4/3

ip-argcount-limit {enable | disable}
  Enable it so that each source IP can create at most 20 new arguments every 30 minutes.
  Default: disable

sample-limit-by-ip <sample-limit-by-ip_int>
  The maximum number of samples collected from each IP. The valid range is 0–5000.
  Default: 30
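The following Python model is an added example, not FortiWeb code: it applies the lifecycle rules from "How an anomaly detection model is built" (start-min-count, switch-min-count, switch-percent) and the "μ + strictness level * σ" threshold from the table above to constructed samples. The generalize() function is a stand-in for FortiWeb's pattern generalization, which the page does not specify, population σ is assumed, and "probability" is used the way the page's formulas and the hmm-probability-threshold range read: larger means more unusual.

```python
"""Worked model of the waf machine-learning-policy lifecycle and anomaly threshold.

Added example, not FortiWeb code. Reproduces the documented rules on
constructed samples so the effect of start-min-count, switch-min-count,
switch-percent and anomaly-detection-threshold can be seen.
"""
import re
import statistics
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class MachineLearningPolicy:
    start_min_count: int = 400        # build the initial model at this sample count
    switch_min_count: int = 1200      # evaluate switching to the standard model here
    switch_percent: int = 5           # patterns / samples * 100 must be below this
    anomaly_detection_threshold: float = 1.0  # "strictness level" (page range 1-10)


def generalize(sample: str) -> str:
    """Stand-in generalizer (assumption): letter runs become 'a', digit runs '9'.
    FortiWeb builds its model on generalized patterns, not on raw samples."""
    return re.sub(r"[0-9]+", "9", re.sub(r"[A-Za-z]+", "a", sample))


@dataclass
class ParameterModel:
    """Samples for one parameter and the model stage FortiWeb would be in."""
    policy: MachineLearningPolicy
    samples: List[str] = field(default_factory=list)
    patterns: Set[str] = field(default_factory=set)
    stage: str = "collecting"   # collecting -> initial -> standard

    def switch_percent(self) -> float:
        """switch-percent = number of generalized patterns / number of raw samples * 100."""
        if not self.samples:
            return 0.0
        return len(self.patterns) / len(self.samples) * 100.0

    def add_sample(self, value: str) -> str:
        """Record one sample and return the model stage after it."""
        self.samples.append(value)
        self.patterns.add(generalize(value))
        n = len(self.samples)
        if self.stage == "collecting" and n >= self.policy.start_min_count:
            self.stage = "initial"           # initial model starts detecting
        if self.stage == "initial" and n >= self.policy.switch_min_count:
            # Few patterns relative to samples means the patterns are stable.
            if self.switch_percent() < self.policy.switch_percent:
                self.stage = "standard"
        return self.stage


def anomaly_threshold(collected: List[float], strictness: float) -> float:
    """μ + strictness level * σ, with μ and σ taken over the probabilities
    collected during the sample collection period (population σ assumed)."""
    return statistics.fmean(collected) + strictness * statistics.pstdev(collected)


def is_anomaly(probability: float, collected: List[float],
               policy: MachineLearningPolicy) -> bool:
    """A smaller strictness level lowers the threshold, so the model is stricter."""
    return probability > anomaly_threshold(collected, policy.anomaly_detection_threshold)


if __name__ == "__main__":
    policy = MachineLearningPolicy()
    model = ParameterModel(policy)
    # Constructed e-mail values: two stable patterns across 1200 samples.
    for i in range(1200):
        stage = model.add_sample(f"user{i}@example.com" if i % 2 else f"first.last{i}@corp.example")
    print(f"stage={stage} switch_percent={model.switch_percent():.2f}%")

    # Constructed probabilities from the collection period, then one new value.
    collected = [i / 100 for i in range(100)]
    for strictness in (0.1, 1.0):
        p = MachineLearningPolicy(anomaly_detection_threshold=strictness)
        print(f"strictness={strictness}: 0.6 is anomaly -> {is_anomaly(0.6, collected, p)}")
```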

Related Topics

- waf machine-learning url-replacer-rule/policy on page 534

waf mitb-policy

Use this command to configure MiTB policies.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf mitb-policy
edit "<mitb-rule_name>"
config rule list
edit "<rule-list_id>"
set "<mitb-rule_name>"
next
end
next
end


"<rule-list_id>"
  Select the sequence number of the MiTB rules.
  Default: No default.

"<mitb-rule_name>"
  Enter the name of a MiTB policy.
  Default: No default.

Related topics

- waf mitb-rule on page 544

waf mitb-rule

Use this command to configure MiTB rules.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf mitb-rule
    edit mitb-rule_name
        set action {alert | alert_deny}
        set severity {High | Medium | Low | Info}
        set trigger "<trigger-policy_name>"
        set host-status {enable | disable}
        set host "<host_str>"
        set request-url "<request-url_str>"
        set request-type {plain | regular}
        set post-url "<post-url_str>"
        edit protected-parameter-list_name
            set type {regular-input | password-input}
            set obfuscate {enable | disable}
            set encrypt {enable | disable}
            set anti-keyLogger {enable | disable}
        next
    end

config allowed-external-domains-list
    edit allowed-external-domains-list_id
        set domain "<domain_str>"
    next
end

mitb-rule_name
    Enter a name that can be referenced by other parts of the configuration.
    Default: No default.

action {alert | alert_deny}
    Select the action the FortiWeb appliance takes when it detects a violation of the rule:
    alert—Accept the connection and generate an alert email and/or log message.
    alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    Default: alert

severity {High | Medium | Low | Info}
    Select which severity level the FortiWeb appliance will use when it logs a violation of the rule.
    Default: Low

trigger "<trigger-policy_name>"
    Select which trigger policy, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule.
    Default: No default.

host-status {enable | disable}
    Enable to compare the MiTB rule to the Host: field in the HTTP header.
    Default: No default.

host "<host_str>"
    Select the IP address or FQDN of a protected host.
    Default: No default.

request-url "<request-url_str>"
    The URL of the web page that contains the parameters (field names or passwords) you want to protect.
    Default: No default.

request-type {plain | regular}
    Specify whether request-url is a literal URL (plain) or a regular expression designed to match multiple URLs (regular).
    Default: plain

post-url "<post-url_str>"
    Enter the URL to which the protected form is submitted (the request sent after you submit your access request).
    Default: No default.

protected-parameter-list_name
    Enter the name of the protected parameter.
    Default: No default.

type {regular-input | password-input}
    Select the input type of the protected parameter.
    Default: regular-input

obfuscate {enable | disable}
    Enable to obfuscate the configured parameter name.
    Default: No default.

encrypt {enable | disable}
    Enable to encrypt the parameter value.
    Default: No default.

anti-keyLogger {enable | disable}
    Enable to prevent attackers from intercepting the password input with a keylogger.
    Default: No default.

allowed-external-domains-list_id
    Enter the ID of the allowed external domain list entry.
    Default: No default.

domain "<domain_str>"
    Set the allowed external domain, for example, www.alloweddomain.com.
    Default: No default.
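The following is a worked configuration for the syntax above, protecting the username and password fields of a login form. It is added here as an illustration and is not taken from Fortinet's documentation; the rule name mitb-login, the trigger policy notification-servers1, the host www.example.com, the two URLs, the parameter names username and password, and the domain cdn.example.com are all placeholders. The syntax listing on this page does not show the sub-table keyword that introduces the protected-parameter entries, so config protected-parameter-list is an assumption here; confirm it on your appliance with ? inside config waf mitb-rule before pasting. Lines beginning with # are annotations, not CLI commands.

```text
config waf mitb-rule
    edit "mitb-login"
        set action alert_deny
        set severity High
        set trigger "notification-servers1"
        # Restrict the rule to one protected host; the URLs below are matched literally.
        set host-status enable
        set host "www.example.com"
        set request-type plain
        set request-url "/login"
        set post-url "/login/submit"
        # Sub-table keyword assumed (not shown in the syntax above).
        config protected-parameter-list
            edit "username"
                set type regular-input
                set obfuscate enable
                set encrypt enable
            next
            edit "password"
                set type password-input
                set obfuscate enable
                set encrypt enable
                set anti-keyLogger enable
            next
        end
        # Scripts may legitimately be loaded from this domain in addition to the protected host.
        config allowed-external-domains-list
            edit 1
                set domain "cdn.example.com"
            next
        end
    next
end
```

Start with set action alert and confirm from the attack log that legitimate logins still succeed with the obfuscated and encrypted parameters before switching to alert_deny, since the deny action blocks the request outright.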

Related topics

l waf mitb-policy

FortiWeb CLI Reference Fortinet Technologies Inc.


config 546

waf mobile-api-protection

When a client accesses a web server from a mobile application, the Mobile Application Identification module checks
whether the request carries the JWT-token field and whether the token carried is valid, and sets flags for the following
cases:
l The traffic doesn't carry the JWT-token header
l The traffic carries the JWT-token header and the token is valid
l The traffic carries the JWT-token header, while the token is invalid
The mobile API protection feature checks the flags. With the API protection policy and rule configured, actions set in the
protection rule will be performed.

Syntax
config waf mobile-api-protection-rule
edit <mobile-api-protection-rule_name>
set host-status {enable | disable}
set host <host_str>
set action {alert | deny_no_log | alert_deny | block-period}
set block-period <block-period_int>
set severity {High | Medium | Low | Info}
set trigger <trigger_policy_name>
config url-list
edit <url-list_id>
set url-type {plain | regular}
set url-pattern <url-pattern_str>
next
end
next
end

config waf mobile-api-protection-policy


edit <mobile-api-protection-policy_name>
config rule-list
edit <rule-list_id>
set rule <rule_name>
next
end
next
end

<mobile-api-protection-rule_name>
    Enter the name for the mobile API protection rule.
    Default: No default.

host-status {enable | disable}
    Enable to compare the mobile API protection rule to the Host: field in the HTTP header.
    Default: disable

host <host_str>
    Select the IP address or fully qualified domain name (FQDN) of the protected host to which this rule applies.
    This option is available only if host-status {enable | disable} is enable.
    Default: No default.

action {alert | deny_no_log | alert_deny | block-period}
    Select which action the FortiWeb appliance will take when it detects a violation.
    alert—Accept the connection and generate an alert email and/or log message.
    alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    deny_no_log—Block the request (or reset the connection) without generating a log message.
    block-period—Block subsequent requests from the client for a certain period of time.
    Default: alert

block-period <block-period_int>
    Enter the number of seconds that you want to block the requests. The valid range is 1–3,600 seconds.
    This option only takes effect when action is block-period.
    Default: 600

severity {High | Medium | Low | Info}
    When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is violated: Low, Medium, High, or Info (informative).
    Default: High

trigger <trigger_policy_name>
    Select the trigger policy, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see log trigger-policy on page 93.
    Default: No default.

<url-list_id>
    Type the index number of the individual URL within the URL list, or keep the field's default value of auto to let the FortiWeb appliance automatically assign the next available index number.
    Default: No default.

url-type {plain | regular}
    Select whether url-pattern will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular).
    Default: plain

url-pattern <url-pattern_str>
    Depending on the url-type, enter either:
    l plain—The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
    l regular—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.
    Do not include the domain name, such as www.example.com, which is configured separately by host <host_str>.
    Default: No default.

<mobile-api-protection-policy_name>
    Enter the name for the mobile API protection policy.
    Default: No default.

<rule-list_id>
    Type the index number of the individual rule within the rule list, or keep the field's default value of auto to let the FortiWeb appliance automatically assign the next available index number.
    Default: No default.

rule <rule_name>
    Enter the name of the mobile API protection rule to include in the policy.
    Default: No default.

waf openapi-file

Use this command to create a named OpenAPI file entry that an OpenAPI validation policy can reference.

Syntax
config waf openapi-file
edit "<openapi-file_name>"
end

"<openapi-file_name>"
    Enter the name of an OpenAPI file.
    Default: No default.

Related topics

l waf openapi-validation-policy on page 548

waf openapi-validation-policy

Use this command to create a new OpenAPI validation policy and configure its settings. The policy references one or more OpenAPI file entries (see waf openapi-file on page 548) and specifies the action FortiWeb takes when a request violates the policy.

Syntax
config waf openapi-validation-policy
edit openapi-validation-policy_name
set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}
set block-period "<seconds_int>"
set severity {Low | Medium | High | Info}
set trigger "<trigger-policy>"
config schema-file
edit schema-file_id
set openapi-file <datasource>
next
end
next
end

openapi-validation-policy_name
    Enter the name for the OpenAPI validation policy.
    Default: No default.

action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}
    Select which action FortiWeb will take when it detects a violation of the policy.
    alert—Accept the request and generate an alert email and/or log message.
    alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    block-period—Block subsequent requests from the client for the number of seconds set in block-period.
    redirect—Redirect the request to the URL specified in the protection profile and generate an alert email and/or log message.
    send_403_forbidden—Block the request and reply to the client with HTTP 403 Forbidden.
    deny_no_log—Block the request without generating a log message.
    Default: alert

block-period "<seconds_int>"
    Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule. The valid range is 1–3,600 seconds.
    Default: 600

severity {Low | Medium | High | Info}
    Select which severity level the FortiWeb appliance will use when it logs a violation of the rule.
    Default: Low

trigger "<trigger-policy>"
    Select which trigger policy, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule.
    Default: No default.

schema-file_id
    Enter the sequence number of the schema file entry.
    Default: No default.

openapi-file <datasource>
    Select the OpenAPI file entry created with waf openapi-file.
    Default: No default.
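A worked configuration combining waf openapi-file and waf openapi-validation-policy, added here as an illustration rather than taken from Fortinet's documentation. The file entry name petstore-v3.yaml is a placeholder and is assumed to refer to an OpenAPI specification already uploaded to the appliance (the upload step is not covered on this page); openapi-policy1 and notification-servers1 are also placeholders. Lines beginning with # are annotations, not CLI commands.

```text
# Register the uploaded specification under a name the policy can reference.
config waf openapi-file
    edit "petstore-v3.yaml"
    next
end

config waf openapi-validation-policy
    edit "openapi-policy1"
        # Requests that violate the policy are blocked and logged.
        set action alert_deny
        set severity High
        set trigger "notification-servers1"
        config schema-file
            # One schema entry per OpenAPI file; add further entries for further files.
            edit 1
                set openapi-file "petstore-v3.yaml"
            next
        end
    next
end
```

Deploy with set action alert first: a specification that is stricter than the client behaviour actually in production (an optional field the clients always send, an undeclared query parameter) shows up in the attack log as violations, and those need to be reconciled with the schema before alert_deny is safe to turn on.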

Related topics

l waf openapi-file on page 548


waf padding-oracle

Use this command to create a policy that protects vulnerable block cipher implementations for web applications that
selectively encrypt inputs without using HTTPS.
To apply this policy, include it in an inline web or Offline Protection profile. For details, see waf web-protection-profile
inline-protection on page 636 and waf web-protection-profile offline-protection on page 645.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf padding-oracle
edit "<padding-oracle_rule_name>"
set action {alert | alert_deny | block-period | deny_no_log}
set block-period <block-period_int>
set severity {High | Medium | Low | Info}
set trigger "<trigger-policy_name>"
config protected-url-list
edit <entry_index>
set host-status {enable | disable}
set host "<host_str>"
set url-type {plain | regular}
set protected-url "<protected-url_str>"
set target {url | parameter | cookie}
next
end
next
end

"<padding-oracle_rule_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

action {alert | alert_deny | block-period | deny_no_log}
    Specify the action that FortiWeb takes when a request violates the rule:
    l alert—Accept the request and generate an alert email and/or log message.
    l alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    l block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <block-period_int>.
    l deny_no_log—Deny the request. Do not generate a log message.
    Note: If FortiWeb is deployed behind a NAT load balancer, when using block-period, define an X-header that indicates the original client's IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for on page 659.
    Attack log messages contain Padding Oracle Attack when this feature detects a possible attack. Because this attack involves repeated brute-force probing, the attack log entry may not appear immediately, but should occur within 2 minutes, depending on your configured DoS alert interval.
    Caution: This setting is ignored if monitor-mode {enable | disable} on page 152 is enabled.
    Note: Logging and/or alert email occur only when these features are enabled and configured. For details, see log attack-log on page 61 and log alertMail on page 60.
    Note: To use this rule set with auto-learning, select alert. If action is alert_deny or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the session information for auto-learning will be incomplete.
    Default: alert

block-period <block-period_int>
    Enter the number of seconds that FortiWeb blocks subsequent requests from the client after it detects that the client has violated the rule.
    This setting is available only if action is block-period.
    The valid range is 1–36,000 seconds.
    Default: 600

severity {High | Medium | Low | Info}
    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Specify the severity level FortiWeb uses when it logs a violation of this rule.
    Default: Medium

trigger "<trigger-policy_name>"
    Enter the name of the trigger policy, if any, that the FortiWeb appliance uses when it logs and/or sends an alert email about a violation of the rule. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

host-status {enable | disable}
    Specify enable to apply this rule only to HTTP requests for specific web hosts. Also specify host "<host_str>".
    Specify disable to match the rule based on the other criteria, such as the URL, regardless of the Host: field.
    Default: disable

host "<host_str>"
    Specify the protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the rule.
    This option is available only if host-status is enable.
    Maximum length is 256 characters.
    Default: No default.

url-type {plain | regular}
    Specify how the value of protected-url "<protected-url_str>" is interpreted:
    l plain—A literal URL.
    l regular—A regular expression designed to match multiple URLs.
    Default: plain

protected-url "<protected-url_str>"
    If url-type is plain, enter the literal URL that HTTP requests must contain to match the rule. For example:
    /profile.jsp
    The URL must begin with a slash ( / ).
    If url-type is regular, specify a regular expression matching all and only the URLs to which the rule should apply. For example:
    ^/*\.jsp\?uid\=(.*)
    The pattern does not require a slash ( / ); however, it must at least match URLs that begin with a slash, such as /profile.cfm.
    Do not include the domain name, such as www.example.com, which is specified by host.
    Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:
    https://docs.fortinet.com/fortiweb/admin-guides
    Default: No default.

target {url | parameter | cookie}
    Specify which part of the client's requests FortiWeb examines for padding oracle attack attempts:
    l url—A URL (for example, the value 0000012FE03BC2 embedded in the URL /user/0000012FE03BC2).
    l parameter—A parameter (for example, user=0000012FE03BC2 in the traditional GET URL /index.php?user=0000012FE03BC2, or in a POST body).
    l cookie—A cookie.
    Default: parameter

Example

This example configures a padding oracle rule that applies to requests to the host www.example.com whose URL matches the specified regular expression, and examines the parameters of those requests (target parameter) for padding oracle attempts. When FortiWeb detects an attack, it blocks further requests from that client for 3,600 seconds and logs a High-severity message, using the notification-servers1 trigger policy for any alert email.
config waf padding-oracle
edit "padding-oracle1"
set action block-period
set block-period 3600
set severity High
set trigger "notification-servers1"
config protected-url-list
edit 1
set host-status enable
set host "www.example.com"
set url-type regular
set protected-url "\/profile\.jsp\?uid\=(.*)"
set target parameter
next
end
next
end

Related topics

l waf web-protection-profile inline-protection on page 636
l waf web-protection-profile offline-protection on page 645

waf parameter-validation-rule

Use this command to configure parameter validation rules, each of which is a group of input rule entries.
To apply parameter validation rules, select them within an inline or Offline Protection profile. For details, see waf web-
protection-profile inline-protection on page 636 and waf web-protection-profile offline-protection on page 645.
Before you can configure parameter validation rules, you must first configure one or more input rules. For details, see
waf input-rule on page 496.
You can use SNMP traps to notify you when a parameter validation rule is enforced. For details, see system snmp
community on page 339.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf parameter-validation-rule
edit "<rule_name>"
config input-rule-list
edit <entry_index>
set input-rule "<input-rule_name>"
next
end
next
end

"<rule_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

input-rule "<input-rule_name>"
    Enter the name of an input rule to use in the parameter validation rule. The maximum length is 63 characters.
    To display the list of existing input rules, enter:
    set input-rule ?
    Default: No default.

Example

This example configures a parameter validation rule that applies two input rules.
config waf parameter-validation-rule
edit "parameter_validator1"
config input-rule-list
edit 1
set input-rule "input_rule1"
next
edit 2
set input-rule "input_rule2"
next
end
next
end


Related topics

l waf input-rule on page 496
l waf web-protection-profile inline-protection on page 636
l waf web-protection-profile offline-protection on page 645

waf signature

Use this command to configure web server protection rules.


There are several security features specifically designed to protect web servers from known attacks. You can configure
defenses against:
l Cross-site scripting (XSS)
l SQL injection and many other code injection styles
l Remote file inclusion (RFI)
l Local file inclusion (LFI)
l OS commands
l Trojans/viruses
l Exploits
l Sensitive server information disclosure
l Credit card data leaks

To defend against known attacks, FortiWeb scans:

l Parameters in the URL of HTTP GET requests
l Parameters in the body of HTTP POST requests
l XML in the body of HTTP POST requests (if XML protocol detection is enabled in the protection profile; see waf web-protection-profile inline-protection on page 636)
l Cookies
l Headers
l JSON in the body of requests (if JSON protocol detection is enabled in the protection profile)
l Uploaded file names (MULTIPART_FORM_DATA_FILENAME)

In addition to scanning standard requests, signatures can also scan Action Message Format 3.0 (AMF3) binary inputs used by Adobe Flash clients to communicate with server-side software, and XML. For details, see amf3-protocol-detection {enable | disable} on page 639 in waf web-protection-profile inline-protection on page 636 (for inline protection profiles) or amf3-protocol-detection {enable | disable} on page 648 (for Offline Protection profiles).
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Updating signatures

Known attack signatures can be updated. For details about uploading a new set of attack definitions, see the FortiWeb
Administration Guide:
HTTPs://docs.fortinet.com/fortiweb/admin-guides


You can also create your own. For details, see waf custom-protection-rule on page 442.

Configuring signatures

Before configuring a server protection rule, if you want to use your own attack or data leak signatures, you must first configure custom protection rules and add them to a custom protection group. For details, see waf custom-protection-rule on page 442 and waf custom-protection-group on page 441.
Each server protection rule can be configured with the severity and notification settings (“trigger”) that, in combination
with the action, determines how FortiWeb handles each violation.
For example, attacks categorized as cross-site scripting and SQL injection could have the action set to alert_deny,
the severity set to High, and a trigger set to deliver an alert email each time these rule violations are detected.
Specific signatures in those categories, however, might be disabled, set to log/alert instead, or exempt requests to
specific host names/URLs.

Alternatively, you can automatically configure a server protection rule that detects all
attack types by generating a default auto-learning profile. For details, see the
FortiWeb Administration Guide:
HTTPs://docs.fortinet.com/fortiweb/admin-guides

Overriding signature category configuration

To override category-wide actions for a specific signature, configure:


l config signature_disable_list on page 557—Disable a specific signature ID (e.g. 040000007), even if the category in
general (e.g. SQL Injection (Extended)) is enabled.
l config sub_class_disable_list on page 557—Disable a subcategory of signatures (e.g. Session Fixation), even if
the category in general (e.g. General Attacks) is enabled.
l config alert_only_list on page 557—Only log/alert when detecting the attack, even if the category in general is
configured to block.
l config filter_list on page 557—Exempt specific host name and/or URL combinations from scanning with this
signature.

Applying signature policies

To apply server protection rules, select them within an inline or Offline Protection profile. For details, see waf web-
protection-profile inline-protection on page 636 and waf web-protection-profile offline-protection on page 645.
You can use SNMP traps to notify you when an attack or data leak has been detected. For details, see system snmp
community on page 339.

Syntax
config waf signature
edit "<signature-set_name>"
set credit-card-detection-threshold <instances_int>
set custom-protection-group "<group_name>"
set sensitivity-level {1|2|3|4}
config main_class_list
edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 070000000 | 080000000 | 090000000 | 100000000 | 110000000 | 120000000}
set action {alert | alert_deny | block-period | only_erase | send_HTTP_response | alert_erase | redirect | deny_no_log}
set block-period <seconds_int>
set severity {Low | Medium | High | Info}
set trigger "<trigger-policy_name>"
next
end
config signature_disable_list
edit "<signature-id_str>"
next
end
config sub_class_disable_list
edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 070000000 | 080000000 | 090000000 | 100000000 | 110000000 | 120000000}
next
end
config alert_only_list
edit "<alert-only-list_signature-id_str>"
next
end
config fpm_disable_list
edit "<fpm-disable-list_signature-id_str>"
next
end
config scoring_override_disable_list
edit "<scoring-override-disable-list_signature-id_str>"
next
end
config score_grade_list
edit "<score-grade-list_signature-id_str>"
set scoring-grade {low | critical | informational | moderate | substantial | severe}
next
end
config filter_list
edit <entry_index>
set signature_id "<signature-id_str>"
set match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS}
set operator {STRING_MATCH | REGEXP_MATCH | EQ | NE | INCLUDE | EXCLUDE}
set HTTP-method {get post head options trace connect delete put others patch}
set ip {<ipv4> | <ipv6>}
set name {"<name_str>" | "<name_pattern>"}
set value-check {enable | disable}
set value {"<value_str>" | "<value_pattern>"}
set concatenate-type {AND | OR}
next
set comment "<comment_str>"
end
next
end
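A worked signature set that exercises the override lists described under "Overriding signature category configuration": a per-class action, one signature disabled outright, one demoted to alert-only, and two exceptions that suppress a signature only for a specific URL path or parameter. This is an added illustration, not Fortinet's own example. The class ID 040000000 is the class the page's own example associates with SQL Injection (Extended), and 040000007 is the signature ID the page uses as its disable example; the class 010000000 (whose category name this page does not give), the signature ID 040000021, the names signature-set1, custom-group1 and notification-servers1, the URL pattern and the parameter name comment are placeholders. Lines beginning with # are annotations, not CLI commands.

```text
config waf signature
    edit "signature-set1"
        # Lower sensitivity adds fewer signatures and fewer false positives (range 1-4).
        set sensitivity-level 2
        # Flag a page only when it leaks two or more card numbers.
        set credit-card-detection-threshold 2
        set custom-protection-group "custom-group1"
        # Per-class action, severity and trigger (each class is configured separately).
        config main_class_list
            edit 040000000
                set action alert_deny
                set severity High
                set trigger "notification-servers1"
            next
            edit 010000000
                set action block-period
                set block-period 600
                set severity High
                set trigger "notification-servers1"
            next
        end
        # Disable one signature everywhere, even though its class is enabled.
        config signature_disable_list
            edit "040000007"
            next
        end
        # Keep this signature logging but never let it block.
        config alert_only_list
            edit "040000021"
            next
        end
        # Exceptions: skip signature 040000021 for requests that match these objects.
        config filter_list
            edit 1
                set signature_id "040000021"
                set match-target URI
                set operator REGEXP_MATCH
                set value "^/wiki/edit/.*"
            next
            edit 2
                set signature_id "040000021"
                set match-target PARAMETER
                set operator STRING_MATCH
                set name "comment"
                set value-check disable
            next
        end
    next
end
```

Prefer a filter_list exception scoped to one URL or parameter over disabling a signature globally: the first exception above still applies the signature to every path except the wiki editor, whereas an entry in signature_disable_list removes the detection for the whole set. If block-period is used behind a NAT load balancer, configure waf x-forwarded-for on page 659 as the page notes, or one violation blocks every client sharing the load balancer's address.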


Variable Description Default

"<signature-set_name>" Enter the name of a new or existing rule. The maximum No default.
length is 63 characters.
To display the list of existing rules, enter:
edit ?

credit-card-detection- Enter the number of credit cards that triggers the credit 1
threshold <instances_int> card number detection feature.
For example, to ignore web pages with only one credit
card number, but to detect when a web page containing
two or more credit cards, enter 2.
The valid range is 1–128.

custom-protection-group Enter the name of the custom signature group to be used, No default.
"<group_name>" if any. The maximum length is 63 characters.
To display the list of existing custom signature groups,
enter:
set custom-protection-group ?

sensitivity-level {1|2|3|4} Increasing the level adds additional signatures but also 4
adds the chance of blocking legitimate traffic.

{010000000 | 020000000 | Enter the ID of a signature class (or, for subclass No default.
030000000 | 040000000 | overrides, the subclass ID).
050000000 | 060000000 | To display the list of signature classes, enter:
070000000 | 080000000 | edit ?
090000000 | 100000000 |
110000000 | 120000000}

action {alert |alert_deny | Select which action the FortiWeb appliance will take when alert
block-period |only_erase | it detects a signature match.
send_HTTP_response | Note: This is not a single setting. Available actions may
alert_erase | redirect | vary slightly, depending on what is possible for each
deny_no_log} specific type of attack/information disclosure.
l alert—Accept the request and generate an alert

email and/or log message.


Note: Does not cloak, except for removing sensitive
headers. (Sensitive information in the body remains
unaltered.)
l alert_deny—Block the request (or reset the
connection) and generate an alert email and/or log
message.
You can customize the web page that FortiWeb
returns to the client with the HTTP status code. For
details, see "system replacemsg" on page 1.
l block-period—Block subsequent requests from
the client for a number of seconds. Also configure
block-period <seconds_int> on page 560.

FortiWeb CLI Reference Fortinet Technologies Inc.


config 559

Variable Description Default

Note: If FortiWeb is deployed behind a NAT load


balancer, when using this option, you must also
define an X-header that indicates the original client’s
IP. Failure to do so may cause FortiWeb to block all
connections when it detects a violation of this type.
For details, see waf x-forwarded-for on page 659.
l only_erase—Hide sensitive information in replies
from the web server (sometimes called “cloaking”).
Block the request or remove the sensitive
information, but do not generate an alert email and/or
log message.
Caution: This option is not supported in Offline
Protection mode.
l send_HTTP_response—Block and reply to the
client with an HTTP error message, and generate an
alert email, a log message, or both
l alert_erase—Hide replies with sensitive
information (sometimes called “cloaking”). Block the
reply (or reset the connection) or remove the
sensitive information, and generate an alert email
and/or log message.
l deny_no_log—Deny a request. Do not generate a
log message.
Note: This option is not fully supported in Offline
Protection mode. Effects will be identical to alert;
sensitive information will not be blocked or erased.

l redirect—Redirect the request to the URL that


you specify in the protection profile and generate an
alert email and/or log message. Also configure
redirect-url "<redirect_fqdn>" on page 643 and rdt-
reason {enable | disable} on page 643.
Caution: FortiWeb ignores this setting if monitor-mode
{enable | disable} on page 152 is enabled.
Note: Actions that generate log messages alert email
actions require the features to be enabled and configured.
For details, see log disk on page 66 and log alertMail on
page 60.
Note: If you select an auto-learning profile in the policy
with Offline Protection profiles that use this rule, select
alert. If the action is alert_deny, the FortiWeb
appliance resets the connection when it detects an attack
and the session information for the auto-learning feature
will be incomplete. For details about auto-learning
requirements, see "waf web-protection-profile
autolearning-profile" on page 1.

FortiWeb CLI Reference Fortinet Technologies Inc.


config 560

Variable Description Default

block-period <seconds_int> Enter the number of seconds that you want to block 600
subsequent requests from the client after the FortiWeb
appliance detects that the client has violated the rule.
The valid range is 1–3,600 seconds. The setting is
applicable only if action is period-block.
Note: This is not a single setting. You can configure the
block period separately for each signature category.

severity {Low | Medium | When rule violations are recorded in the attack log, each Medium
High | Info} log message contains a Severity Level (severity_
level) field. Select which severity level the FortiWeb
appliance will use when it logs a violation of the rule:
l Low

l Medium

l High

Note: This is not a single setting. You can configure the


severity separately for each signature category.

trigger "trigger-policy_ Enter the name of the trigger, if any, to apply when a No default.
name>" protection rule is violated. For details, see log trigger-
policy on page 93. The maximum length is 63 characters.
To display the list of existing triggers, enter:
set trigger ?
Note: This is not a single setting. You can configure a
different trigger for each signature category.

"<signature-id_str>" Enter the ID of a specific signature that you want to No default.


disable.
Some signatures often cause false positives and are
disabled by default. To display a list, enter:
edit ?

"<alert-only-list_signature- Enter the ID of a specific signature that generates logs or No default.


id_str>" alert email only and does not block matching requests.

"<fpm-disable-list_ Enter the ID of a specific signature for which false positive No default.
signature-id_str>" mitigation is disabled.
The false positive mitigation feature performs additional
lexical and syntax analysis after a SQL injection signature
matches a request.

"<scoring-override-disable- Enter the ID of a specific signature that will not be affected No default.
list_signature-id_str>" by the threat weight settings, if any. When traffic violates
specified signature, FortiWeb takes the local action
specified for that signature.

"<score-grade-list_ Enter the ID of a specific signature to configure its threat No default.


signature-id_str>" weight.

FortiWeb CLI Reference Fortinet Technologies Inc.


config 561

Variable Description Default

Specify the scoring-grade to set the threat weight of


the specified signature.

scoring-grade {low | critical | Specify the threat weight that the signature adds to the No default.
informational | moderate | combined threat weight.
substantial | severe} Global threat weight risk level values can be modified
using server-policy pattern threat-weight on page 124.

<entry_index> Enter the index number of the individual entry in the table. No default.
The valid range is 1–128. You can create up to 128
exceptions for each signature.

signature_id "<signature- Enter the ID of a specific signature that you want to No default.
id_str>" disable when the request matches the specified object.

match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS}
    Enter the type of object that FortiWeb examines for matching values:
    • HTTP_METHOD—One or more HTTP methods specified by HTTP-method {get post head options trace connect delete put others patch} on page 562.
    • CLIENT_IP—The IP address or IP range specified by ip {<ipv4> | <ipv6>} on page 562.
    • HOST—The Host: field value specified by value {"<value_str>" | "<value_pattern>"} on page 562.
    • URI—The URL value specified by value. The value does not include parameters.
    • FULL_URL—The URL value specified by value. The value includes parameters to match.
    • PARAMETER—A parameter specified by name {"<name_str>" | "<name_pattern>"} on page 562. To match a specific parameter value, enable value-check {enable | disable} on page 562, and then specify value.
    • COOKIE—A cookie specified by name. To match a specific cookie value, enable value-check, and then specify value.

operator {STRING_MATCH | REGEXP_MATCH | EQ | NE | INCLUDE | EXCLUDE}
    Enter the type of values to match. The match-target value determines which types are available.
    • STRING_MATCH—value is a literal value (for example, a literal host name).
    • REGEXP_MATCH—value is a regular expression that matches the object the exception applies to.
    • EQ—When match-target is CLIENT_IP, FortiWeb only performs a signature scan for requests with a client IP address that matches the value of ip (that is, the exception applies to every other client).
    • NE—When match-target is CLIENT_IP, FortiWeb does not perform a signature scan for requests with a client IP address that matches the value of ip (the exception applies only to that client).
    • INCLUDE—When match-target is HTTP_METHOD, FortiWeb does not perform a signature scan for requests that use the HTTP methods specified by HTTP-method.
    • EXCLUDE—When match-target is HTTP_METHOD, FortiWeb only performs a signature scan for requests that use the HTTP methods specified by HTTP-method.

HTTP-method {get post head options trace connect delete put others patch}
    When match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS} on page 561 is HTTP_METHOD, specifies one or more HTTP methods to match.
    Default: No default.

ip {<ipv4> | <ipv6>}
    When match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS} on page 561 is CLIENT_IP, specifies the IP address or IP range to match.
    Default: No default.

name {"<name_str>" | "<name_pattern>"}
    Enter the name of a parameter or cookie to match. Whether the value is a literal value or a regular expression is determined by the value of operator {STRING_MATCH | REGEXP_MATCH | EQ | NE | INCLUDE | EXCLUDE} on page 561.
    Available when match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS} on page 561 is PARAMETER or COOKIE.
    Default: No default.

value-check {enable | disable}
    Enable to require that matching requests match a specified parameter or cookie value as well as the specified parameter or cookie name.
    Default: disable

value {"<value_str>" | "<value_pattern>"}
    Enter the value to match (for example, a Host: field value). Whether the value is a literal value or a regular expression is determined by the value of operator.
    Default: No default.

concatenate-type {AND | OR}
    • AND—A matching request matches this entry in addition to other entries in the list.
    • OR—A matching request matches this entry or other entries in the list.
    Default: AND

comment "<comment_str>"
    Enter a description or other comment.
    Default: No default.


Example

This example enables both the Trojans (070000000) and XSS (010000000) classes of signatures, setting them to
result in attack logs with a severity_level field of High, and using the email and SNMP settings defined in
notification-servers1. It also enables use of custom attack and data leak signatures in the set named custom-
signature-group1.
This example disables by ID a signature that is known to cause false positives (080200001). It also makes an exception
(config filter_list) by ID for a specific signature (070000001) for a URL (/virus-sample-upload) on a host
(www.example.com) that is used by security researchers to receive virus samples.
config waf signature
    edit "attack-signatures1"
        set custom-protection-group "custom-signature-group1"
        config main_class_list
            edit "010000000"
                set severity High
                set trigger "notification-servers1"
            next
            edit "070000000"
                set severity High
                set trigger "notification-servers1"
            next
        end
        config signature_disable_list
            edit "080200001"
            next
        end
        config filter_list
            edit 1
                set signature_id "070000001"
                set match-target HOST
                set value "www.example.com"
            next
            edit 2
                set signature_id "070000001"
                set match-target URI
                set value "/virus-sample-upload"
            next
        end
    next
end
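The following is an added example, not part of the page's own example above, that exercises the exception operators and the threat-weight lists described in the table. The signature IDs (030000099, 020000099, 040000099), the client address 10.20.1.15 and the parameter pattern are placeholders, not real FortiWeb signatures or addresses; the lines beginning with # are annotations, not CLI input. It extends the attack-signatures1 set from the example above.

```text
# Added example; signature IDs, client address and pattern are placeholders.
config waf signature
    edit "attack-signatures1"
        # Skip the extra lexical/syntax pass (false positive mitigation) for one SQL injection signature
        config fpm-disable-list
            edit "030000099"
            next
        end
        # Reduce what one noisy signature adds to the combined threat weight
        config score-grade-list
            edit "020000099"
                set scoring-grade moderate
            next
        end
        # Keep one signature at its own local action regardless of threat-weight scoring
        config scoring-override-disable-list
            edit "040000099"
            next
        end
        # Exception for 030000099, applied only when ALL three entries match (concatenate-type AND):
        # URI /search, a parameter named exactly q whose value looks like report-<digits>,
        # and client 10.20.1.15. NE on CLIENT_IP means "skip the scan for this address";
        # EQ would scan only this address and exempt everyone else.
        config filter_list
            edit 3
                set signature_id "030000099"
                set match-target URI
                set operator STRING_MATCH
                set value "/search"
                set concatenate-type AND
            next
            edit 4
                set signature_id "030000099"
                set match-target PARAMETER
                set operator REGEXP_MATCH
                set name "^q$"
                set value-check enable
                set value "^report-[0-9]+$"
                set concatenate-type AND
            next
            edit 5
                set signature_id "030000099"
                set match-target CLIENT_IP
                set operator NE
                set ip 10.20.1.15
                set concatenate-type AND
            next
        end
    next
end
```

Two points worth checking before committing an exception like this. With REGEXP_MATCH, the operator applies to name as well as value, so name must be anchored (^q$) or it will also match any parameter whose name merely contains q. And the CLIENT_IP and HTTP_METHOD operators are inverted relative to each other in wording: NE and INCLUDE narrow the exception to the listed address or methods, while EQ and EXCLUDE exempt everything else, which silently widens the hole if the wrong one is chosen.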

Related topics

• waf web-protection-profile inline-protection on page 636
• waf web-protection-profile offline-protection on page 645
• system snmp community on page 339
• waf custom-protection-group on page 441
• log trigger-policy on page 93


waf signature_update_policy

Use this command to deploy new signature updates in alert mode.

Syntax
config waf signature_update_policy
set status {enable | disable}
end

status {enable | disable}
    Enable to list new signatures from the FDS update and deploy them in alert mode.
    Default: disable

Example

This example shows how to enable the option to show the new signature list from the FDS update.
config waf signature_update_policy
set status enable
end

Related topics

• waf signature on page 555

waf site-publish-helper authentication-server-pool

Use this command to create a pool of authentication server connections for use with a site publishing rule.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
config waf site-publish-helper authentication-server-pool
edit "<authentication-server-pool_name>"
edit <entry_index>
set server-type {ldap | radius}
set ldap-server "<ldap-query_name>"
set radius-server "<radius-query_name>"
set rsa-securid {enable | disable}
end
next
end


"<authentication-server-pool_name>"
    Enter the name of a new or existing authentication server pool. The maximum length is 63 characters.
    To display the list of existing pools, enter:
    edit ?
    Default: No default.

<entry_index>
    Enter the index number of a new or existing server entry in the authentication server pool.
    Default: No default.

server-type {ldap | radius}
    Set the server type for the server entry <entry_index>. Enter ldap for an LDAP server or radius for a RADIUS server.
    Default: ldap

ldap-server "<ldap-query_name>"
    Set the name of the LDAP query for the server entry <entry_index> if you set the server entry as LDAP. For details, see user ldap-user on page 361.
    Default: No default.

radius-server "<radius-query_name>"
    Set the name of the RADIUS query for the server entry <entry_index> if you set the server entry as RADIUS. For details, see user radius-user on page 371.
    Default: No default.

rsa-securid {enable | disable}
    Specify whether FortiWeb authenticates clients using a username and an RSA SecurID authentication code only. Users are not required to enter a password.
    When this option is enabled, the authentication delegation options in the site publish rule are not available.
    Available only if server-type {ldap | radius} on page 565 is radius and client-auth-method {html-form-auth | HTTP-auth | client-cert-auth | saml-auth | ntlm-auth} on page 572 is html-form-auth.
    Default: disable

Example

For an example, see waf site-publish-helper rule on page 569.

Related topics

• waf site-publish-helper rule on page 569

waf site-publish-helper form-based-delegation

Use this command to create a Form Based Delegation rule.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.


Syntax
config waf site-publish-helper form-based-delegation
    edit "<form-based-delegation_name>"
        set url-type {plain | regular}
        set logon-url <URL>
        set form-action <URL>
        set method {POST | GET}
        set additional-cookies {enable | disable}
        set username-field "<field_str>"
        set password-field "<field_str>"
        config additional-field-list
            edit <entry_index>
                set field-entry "<key>=<value>"
            next
        end
    next
end

"<form-based-delegation_name>"
    Enter a name for the Form Based Delegation rule.
    Default: No default.

url-type {plain | regular}
    • plain—Enter a literal URL, such as /folder1/index.htm, that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • regular—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ).
    Default: plain

logon-url <URL>
    Enter the logon URL, as a literal string or a regular expression according to url-type.
    Default: No default.

form-action <URL>
    The URL to which the logon form is submitted (the form's action).
    Default: No default.

method {POST | GET}
    Select whether to use the POST or GET method to initiate the authentication requests to the server.
    Default: POST

additional-cookies {enable | disable}
    Enable to add cookies to the authentication request.
    Default: disable

username-field "<field_str>"
    The name of the username field in the logon form.
    Default: No default.

password-field "<field_str>"
    The name of the password field in the logon form.
    Default: No default.

additional-field-list
    Enter additional fields to add to the authentication request. Each entry's field-entry holds the field content, in the format "key=value".
    Default: No default.

To use the Form Based Delegation, you need to create a Site Publish rule, select HTML Form Authentication for
Client Authentication Method, select Form Based Delegation for Authentication Delegation, then choose the Form
Based Delegation you have created. See waf site-publish-helper rule on page 569.
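The following is an added example, not from the page, showing a form-based delegation object and the site publish rule that binds it, following the steps in the paragraph above. The names (intranet-form-login, intranet-rule, intranet.example.com, the form field names and the remember_me field) are placeholders, corp-ad-pool is assumed to be an existing authentication-server-pool, and the additional-field-list sub-table syntax is inferred from the table above rather than quoted from it. Lines beginning with # are annotations, not CLI input.

```text
# Added example; names and form field names are placeholders.
# 1. Describe the backend's own HTML logon form so FortiWeb can replay credentials into it
config waf site-publish-helper form-based-delegation
    edit "intranet-form-login"
        set url-type plain
        set logon-url "/login"
        set form-action "/login/submit"
        set method POST
        set username-field "username"
        set password-field "password"
        config additional-field-list
            edit 1
                set field-entry "remember_me=0"
            next
        end
    next
end

# 2. Bind it in a rule: form-based delegation is only offered together with html-form-auth,
#    so the client authenticates once against FortiWeb's form, then FortiWeb logs in to the backend
config waf site-publish-helper rule
    edit "intranet-rule"
        set published-site "intranet.example.com"
        set path "/"
        set client-auth-method html-form-auth
        set auth-server-pool "corp-ad-pool"
        set auth-delegation form-based-delegation
        set form-based-delegation "intranet-form-login"
    next
end
```

The rule still has to be added to a site publish policy and the policy to an inline protection profile before it takes effect. Because FortiWeb re-submits the user's password to the backend form on the user's behalf, the FortiWeb-to-server hop carries cleartext credentials and should be protected in the same way as the client-facing side.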

waf site-publish-helper policy

Use this command to group together web applications that you want to publish.


Before you configure site publishing policies, you must first define the individual sites that will be a part of the group. For
details, see waf site-publish-helper rule on page 569.
To apply this policy, include it in an inline web protection profile. For details, see waf web-protection-profile inline-
protection on page 636.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf site-publish-helper policy
edit "<site-publish-policy_name>"
set account-lockout {enable | disable}
set max-login-failures <failures_int>
set account-block-period <account-block-period_int>
set within <within_int>
set limit-users {enable | disable}
set maximum-users <integer>
set session-idle-timeout <integer>
set credential-stuffing-protection {enable | disable}
set action {alert | alert_deny | block-period | deny_no_log}
set block-period <block_period_int>
set severity {high | medium | low | Info}
set trigger "<trigger_policy>"
config rule
edit <entry_index>
set rule-name "<site-publish-rule_name>"
next
end
next
end

"<site-publish-policy_name>"
    Enter the name of a new or existing policy. The maximum length is 63 characters.
    To display the list of existing policies, enter:
    edit ?
    Default: No default.

account-lockout {enable | disable}
    Enable to prevent account cracking by locking an account out after several failed logins through FortiWeb.
    Default: disable

max-login-failures <failures_int>
    Set the login failure threshold. FortiWeb locks out the account if the number of login failures exceeds the threshold during the specified time period (within <within_int> on page 567).
    Default: 5

account-block-period <account-block-period_int>
    Set the time period (in minutes) for which FortiWeb locks out an account. No more logins are accepted for the locked account during the period.
    Default: 60

within <within_int>
    Set the time period (in minutes) over which FortiWeb counts login failures when deciding whether to lock out an account. The login failure count for an account is reset when the time period is up.
    Default: 3

limit-users {enable | disable}
    Enable to limit the number of concurrent logins per account.
    Default: disable

maximum-users <integer>
    Specify the maximum number of concurrent logins using the same account.
    Default: 1

session-idle-timeout <integer>
    When a session is idle for the specified period of time, it is removed from the concurrent users count. The user whose session timed out must log in again.
    Default: 30

credential-stuffing-protection {enable | disable}
    Enable to use FortiGuard's Credential Stuffing Defense database to protect against credential stuffing attacks.
    Default: disable

action {alert | alert_deny | block-period | deny_no_log}
    Set the action. The options are:
    • alert—Accept the request and generate an alert email and/or log message.
    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    • block-period—Block subsequent requests from the client for a number of seconds.
    • deny_no_log—Deny the request. Do not generate a log message.
    You can customize the web page that is returned to the client with the HTTP status code.
    Default: No default.

block-period <block_period_int>
    If action {alert | alert_deny | block-period | deny_no_log} on page 568 is block-period, set the amount of time (in seconds) for which FortiWeb blocks subsequent requests from the client. The valid range is 1–3600 seconds.
    Default: 600

severity {high | medium | low | Info}
    Set the severity of credential stuffing attacks.
    Default: No default.

trigger "<trigger_policy>"
    Select the trigger policy, if any, to apply in the Site Publish policy. For details, see log trigger-policy on page 93.
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

rule-name "<site-publish-rule_name>"
    Enter the name of an existing rule.
    Default: No default.

Example

For an example, see waf site-publish-helper rule on page 569.


Related topics

• waf site-publish-helper rule on page 569
• waf web-protection-profile inline-protection on page 636
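The following is an added example, not the page's own, that ties together the three objects described in the authentication-server-pool and policy sections with the rule settings: an LDAP server pool, two published applications sharing one SSO session, a cookieless rule for an API path, and the policy that groups them with account lockout. All names (corp-ad-pool, corp-ad-query, mail.example.com, sharepoint.example.com, api.example.com, the rule and policy names) are placeholders; corp-ad-query is assumed to be an existing user ldap-user query and notification-servers1 an existing log trigger-policy. Lines beginning with # are annotations, not CLI input.

```text
# Added example; all names are placeholders.
# 1. Pool: one LDAP entry that points at an existing user ldap-user query
config waf site-publish-helper authentication-server-pool
    edit "corp-ad-pool"
        edit 1
            set server-type ldap
            set ldap-server "corp-ad-query"
        end
    next
end

# 2. Rules. OWA and SharePoint share one SSO session under .example.com; the user's
#    credentials are forwarded as HTTP Basic with EXAMPLE\ prepended to the username.
config waf site-publish-helper rule
    edit "owa-rule"
        set status enable
        set req-type plain
        set published-site "mail.example.com"
        set path "/owa"
        set client-auth-method html-form-auth
        set logoff-path-type plain
        set Published-Server-Logoff-Path "/owa/auth/logoff.aspx"
        set cookie-timeout 60
        set auth-server-pool "corp-ad-pool"
        set auth-delegation HTTP-basic
        set prefix-support enable
        set prefix-domain "EXAMPLE"
        set sso-support enable
        set sso-domain ".example.com"
    next
    edit "sharepoint-rule"
        set published-site "sharepoint.example.com"
        set path "/"
        set client-auth-method html-form-auth
        set cookie-timeout 60
        set auth-server-pool "corp-ad-pool"
        set auth-delegation HTTP-basic
        set prefix-support enable
        set prefix-domain "EXAMPLE"
        set sso-support enable
        set sso-domain ".example.com"
    next
    # Cookieless API rule: HTTP-auth, cookie-timeout 0 and no delegation are the
    # combinations the rule table allows together with cookieless; the credential
    # cache keeps the authentication server from being queried on every request
    edit "api-rule"
        set published-site "api.example.com"
        set path "/v1"
        set client-auth-method HTTP-auth
        set cookieless enable
        set cookieless-cache 600
        set cookie-timeout 0
        set auth-server-pool "corp-ad-pool"
        set auth-delegation no-delegation
    next
end

# 3. Policy: lock an account after 5 failures within 3 minutes for 60 minutes,
#    allow at most 2 concurrent logins per account, and block credential stuffing
config waf site-publish-helper policy
    edit "corp-apps-publish"
        set account-lockout enable
        set max-login-failures 5
        set within 3
        set account-block-period 60
        set limit-users enable
        set maximum-users 2
        set session-idle-timeout 30
        set credential-stuffing-protection enable
        set action alert_deny
        set severity high
        set trigger "notification-servers1"
        config rule
            edit 1
                set rule-name "owa-rule"
            next
            edit 2
                set rule-name "sharepoint-rule"
            next
            edit 3
                set rule-name "api-rule"
            next
        end
    next
end
```

The policy only takes effect once it is selected in an inline protection profile (waf web-protection-profile inline-protection). Two things to verify after applying it: a login as user1 to mail.example.com should reach the backend with an Authorization: header for EXAMPLE\user1, and a following request to sharepoint.example.com should succeed without a second login form, since both rules carry the same sso-domain. The api-rule deliberately has no sso-support: SSO depends on the session cookie that cookieless mode does not set.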

waf site-publish-helper rule

Use this command to configure access control, authentication, and, optionally, SSO for your web applications.
You may want to configure single sign-on (SSO) and combined access control and authentication (called "site publishing" in the GUI) instead of configuring simple HTTP authentication rules if:
• Your users access multiple web applications on your domain
• You have defined accounts centrally on an LDAP (such as Microsoft Active Directory) or RADIUS server
SSO provides a benefit over HTTP authentication rules: your users do not need to authenticate each time they access separate web applications in your domain. When FortiWeb receives the first request, it returns (depending on your configuration) an HTML authentication form or an HTTP WWW-Authenticate: challenge to the client.
FortiWeb sends the client's credentials in a query to the authentication server. Once the client is successfully authenticated, if the web application supports HTTP authentication and you have configured delegation, FortiWeb forwards the credentials to the web application. The server's response is returned to the client. Until the session expires, subsequent requests from the client to the same or other web applications in the same domain do not require the client to authenticate.

For example, you may prefer SSO if you are using FortiWeb to replace your discontinued Microsoft Threat Management
Gateway, using it as a portal for multiple applications such as SharePoint, Outlook Web Application, and/or IIS. Your
users will only need to authenticate once while using those resources.
Before you configure site publishing, you must first define the queries to your authentication server. For details, see user ldap-user on page 361 and user radius-user on page 371.
FortiWeb supports the following additional site publishing options:


• RADIUS authentication that requires users to provide a secondary password, PIN, or token code in addition to a username and password (two-factor authentication)
• RADIUS authentication that allows users to authenticate using their username and RSA SecurID token code only (no password)
• Regular Kerberos authentication delegation and Kerberos constrained delegation
For details about these options, see the descriptions of the individual site publishing rule settings and the FortiWeb
Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf site-publish-helper rule
    edit "<site-publish-rule_name>"
        set status {enable | disable}
        set req-type {plain | regular}
        set cookieless {enable | disable}
        set cookieless-cache <int>
        set saml-server "<server_name>"
        set service-principal-name-pool "<pool_name>"
        set published-site "<host_fqdn>"
        set path "<url_str>"
        set client-auth-method {html-form-auth | HTTP-auth | client-cert-auth | saml-auth | ntlm-auth}
        set logoff-path-type {plain | regular}
        set Published-Server-Logoff-Path "<url_str>"
        set cookie-timeout <timeout_int>
        set kerberos-type {krb5 | spnego}
        set auth-server-pool "<authentication-server-pool_name>"
        set auth-delegation {HTTP-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation | no-delegation | ntlm | form-based-delegation}
        set form-based-delegation <form-based-delegation_name>
        set field-name {subject | SAN}
        set attribution-name {email | UPN}
        set pass-failed-auth {enable | disable}
        set delegated-spn "<delegated-spn_str>"
        set keytab-file <keytab_file>
        set delegator-spn "<delegator-spn_str>"
        set prefix-support {enable | disable}
        set prefix-domain "<prefix-domain_str>"
        set alert-type {all | fail | none | success}
        set sso-support {enable | disable}
        set sso-domain "<domain_str>"
        set append-custom-header {enable | disable}
        set custom-header-name <custom-header-name_str>
        set custom-header-value-format <custom-header-value-format_str>
        set cache-tgs-ticket {enable | disable}
    next
end

"<site-publish-rule_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

status {enable | disable}
    Enable to activate this rule. This can be used to temporarily deactivate access to a single web application without removing it from a site publishing policy.
    Default: enable

req-type {plain | regular}
    Select whether published-site "<host_fqdn>" on page 571 contains a literal FQDN (plain), or a regular expression designed to match multiple host names or fully qualified domain names (regular).
    Default: plain

cookieless {enable | disable}
    Enable to authenticate clients without using cookies. For cookieless authentication, FortiWeb uses a credential cache to avoid frequent requests to the authentication server.
    Default: disable

cookieless-cache <int>
    Set the cache timeout value for cookieless authentication. The valid range is 0–86,400. When it is set to 0, FortiWeb sends an authentication request to the authentication server every time the user logs in.
    Default: 3600

saml-server "<server_name>"
    Select the SAML server that FortiWeb uses to authenticate clients.
    Available only when client-auth-method {html-form-auth | HTTP-auth | client-cert-auth | saml-auth | ntlm-auth} on page 572 is set to saml-auth.
    Default: No default.

service-principal-name-pool "<pool_name>"
    Select the SPN pool for the application that clients access using this site publish rule.
    Available only when auth-delegation {HTTP-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation | no-delegation | ntlm | form-based-delegation} on page 573 is kerberos or kerberos-constrained-delegation.
    Default: No default.

published-site "<host_fqdn>"
    Depending on your selection in req-type {plain | regular} on page 571, enter either:
    • The literal Host: name, such as sharepoint.example.com, that the HTTP request must contain in order to match the rule.
    • A regular expression, such as ^.*\.example\.edu, matching only the host names to which the rule should apply.
    The maximum length is 256 characters.
    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide: https://docs.fortinet.com/fortiweb/admin-guides
    Default: No default.

path "<url_str>"
    Enter the URL of the request for the web application, such as /owa. It must begin with a forward slash ( / ).
    Default: No default.

client-auth-method {html-form-auth | HTTP-auth | client-cert-auth | saml-auth | ntlm-auth}
    Specify one of the following options:
    • html-form-auth—FortiWeb authenticates clients by presenting an HTML web page with an authentication form. When the authentication cookie expires, FortiWeb replies to the first request without a valid authentication cookie with a 200 (OK) status code and injects HTML into the response, showing the user the login page.
    • HTTP-auth—FortiWeb authenticates clients by replying to the request with a 401 (Unauthorized) status code, and the browser displays a traditional, browser-specific authentication prompt.
    • client-cert-auth—FortiWeb validates the HTTP client's personal certificate using the certificate verifier specified in the associated server policy or server pool configuration.
    • saml-auth—FortiWeb uses a SAML server to pass identity information to a service provider via a signed XML document for client authentication. When the authentication cookie expires, FortiWeb replies to the first request without a valid authentication cookie with an HTTP redirect, forcing the browser to the authentication page.
    • ntlm-auth—FortiWeb uses an NTLM server for client authentication. FortiWeb replies to the first request from the client with a 401 (Unauthorized) status code, and the browser displays a traditional, browser-specific authentication prompt.
    If cookieless {enable | disable} on page 571 is enable, only HTTP-auth is allowed here.
    Default: html-form-auth

logoff-path-type {plain | regular}
    Specify whether Published-Server-Logoff-Path contains a literal URL (plain), or a regular expression designed to match multiple URLs (regular).

Published-Server-Logoff-Path "<url_str>"
    This setting appears only if client-auth-method {html-form-auth | HTTP-auth | client-cert-auth | saml-auth | ntlm-auth} on page 572 is html-form-auth.
    Depending on the value of logoff-path-type, enter one of the following values:
    • The literal URL of the request that a client sends to log out of the application (for example, /owa/auth/logoff.aspx).
    • A regular expression that matches the request that a client sends to log out of the application.
    Ensure that the value is a sub-path of the path value. For example, if path is /owa, /owa/auth/logoff.aspx is a valid value.
    When a client logs out of the web application, FortiWeb redirects the client to its authentication dialog.
    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide: https://docs.fortinet.com/fortiweb/admin-guides
    Default: No default.

cookie-timeout <timeout_int>
    Specify the length of time (in minutes) that passes before the cookie that the site publish rule adds expires and the client must re-authenticate.
    The valid range is 0–216,000. To disable the limit, enter 0.
    If cookieless {enable | disable} on page 571 is enable, this must be 0.
    If you enter a value of 0, the browser only deletes the cookie when the user closes all browser windows.
    Default: 0

auth-server-pool "<authentication-server-pool_name>"
    Enter the name of the pool of servers that FortiWeb uses to authenticate clients. For details, see waf site-publish-helper authentication-server-pool on page 564.
    Default: No default.

auth-delegation {HTTP-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation | no-delegation | ntlm | form-based-delegation}
    Specify one of the following options:
    • HTTP-basic—Use HTTP Authorization: headers with Base64 encoding to forward the client's credentials to the web application. Typically, you should select this option if the web application supports HTTP protocol-based authentication.
      Available only if client-auth-method {html-form-auth | HTTP-auth | client-cert-auth | saml-auth | ntlm-auth} on page 572 is html-form-auth or HTTP-auth.
    • kerberos—After it authenticates the client via the HTTP form or HTTP basic method, FortiWeb obtains a Kerberos service ticket for the specified web application on behalf of the client. It adds the ticket to the HTTP Authorization: header of the client request with Base64 encoding.
      Available only if client-auth-method is html-form-auth or HTTP-auth.
    • kerberos-constrained-delegation—After it authenticates the client's certificate, FortiWeb obtains a Kerberos service ticket for the specified web application on behalf of the client. It adds the ticket to the HTTP Authorization: header of the client request with Base64 encoding.
      Available only if client-auth-method is client-cert-auth.
    • radius-constrained-delegation—After it authenticates the client's certificate, FortiWeb sends a RADIUS access-request to the RADIUS server, using the RFC822 name (email address) of the certificate's Subject Alternative Name. For some applications a prefix should be added to the mail address sent to the RADIUS server (example: "app1/[email protected]"). Use field-name to define the format of the extracted user name.
      Available only if client-auth-method is client-cert-auth.
    • no-delegation—FortiWeb does not send the client's credentials to the web application. Select this option when the web application has no authentication of its own or uses HTML form-based authentication.
      Note: If the web application uses HTML form-based authentication, the client is required to authenticate twice: once with FortiWeb and once with the web application's form.
    • ntlm—FortiWeb uses NT LAN Manager (NTLM) for authentication delegation. This is a challenge/response authentication protocol that FortiWeb uses to verify the identity of clients attempting to connect to the server(s).
      Note: If a POST request triggers NTLM authentication, the request body cannot exceed 100M.
    • form-based-delegation—FortiWeb uses Form Based Delegation to forward the client's credentials to the server.
      Available only when client-auth-method is html-form-auth.
    If cookieless {enable | disable} on page 571 is enable, only no-delegation or HTTP-basic is allowed here.
    Not available when rsa-securid {enable | disable} on page 565 is set to enable.
    Default: no-delegation

field-name
    Enter the username format that FortiWeb uses to send the user email address to the RADIUS server for authorization.
    For example, suppose the email address of the user account is [email protected]. If the format is USERNAME, FortiWeb sends example to the RADIUS server. If the format is RAWNAME, FortiWeb sends [email protected] to the RADIUS server.
    You can add any characters before and/or after USERNAME or RAWNAME. FortiWeb combines them and sends the result to the RADIUS server. So, to send app1/[email protected], you can enter either app1/[email protected] or app1/RAWNAME.
    Note: USERNAME and RAWNAME must be entered exactly as shown, in upper case.
    This option is available only when auth-delegation is radius-constrained-delegation.
    Default: No default.

form-based-delegation <form-based-delegation_name>
    Select the Form Based Delegation rule you have created. See waf site-publish-helper form-based-delegation.
    Default: No default.

field-name {subject | SAN}
    Specify which certificate information FortiWeb uses to determine the client username:
    • subject—The email address value in the certificate's Subject information. For attribution-name {email | UPN} on page 576, select email.
    • SAN—The certificate's subjectAltName (Subject Alternative Name or SAN) and either the User Principal Name (UPN) or the email address value in the certificate's Subject information. For attribution-name, enter UPN or email.
    In certificates issued in a Windows environment, the certificate's SAN and UPN contain the username. For example: username@domain
    Available only when auth-delegation {HTTP-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation | no-delegation | ntlm | form-based-delegation} on page 573 is kerberos-constrained-delegation.
    Default: SAN

attribution-name {email | UPN}
    Specify which certificate information FortiWeb uses to determine the client username:
    • email—The email address value in the certificate's Subject information. For field-name {subject | SAN} on page 575, enter subject or SAN.
    • UPN—The User Principal Name (UPN) value. For field-name, enter SAN.
    Note: Because the email value can be an alias rather than the real DC (domain controller) domain, the most reliable method for determining the username is SAN and UPN.
    Available only when auth-delegation {HTTP-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation | no-delegation | ntlm | form-based-delegation} on page 573 is kerberos-constrained-delegation.
    Default: UPN

delegated-spn "<delegated-spn_str>"
    Specify the Service Principal Name (SPN) for the web application that clients access using this site publish rule.
    A service principal name uses the following format:
    <service_type>/<instance_name>:<port_number>/<service_name>
    For example, for an Exchange server that belongs to the domain dc1.com and has the hostname USER-U3LOJFPLH1, the SPN is HTTP/USER-[email protected].
    Available only when auth-delegation {HTTP-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation | no-delegation | ntlm | form-based-delegation} on page 573 is kerberos or kerberos-constrained-delegation.
    Default: No default.

keytab-file <keytab_file>
    Specify the keytab file configuration for the AD user that FortiWeb uses to obtain Kerberos service tickets for clients. For details, see waf site-publish-helper keytab_file.
    Available only when auth-delegation {HTTP-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation | no-delegation | ntlm | form-based-delegation} on page 573 is kerberos-constrained-delegation.
    Default: No default.

delegator-spn "<delegator-spn_str>"
    Specify the Service Principal Name (SPN) that you used to generate the keytab specified by keytab-file <keytab_file> on page 577. This is the SPN of the AD user that FortiWeb uses to obtain Kerberos service tickets for clients.
    Available only when auth-delegation {HTTP-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation | no-delegation | ntlm | form-based-delegation} on page 573 is kerberos-constrained-delegation.
    Default: No default.

prefix-support {enable | disable}
    Enable to allow users in environments that require a domain and a username at login to log in with just a username. Also specify prefix-domain "<prefix-domain_str>" on page 577.
    In some environments, the domain controller requires users to log in with the username format domain\username. For example, if the domain is example.com and the username is user1, the user enters EXAMPLE\user1.
    Alternatively, enable this option and enter EXAMPLE for prefix-domain "<prefix-domain_str>" on page 577. The user enters user1 for the username value and FortiWeb automatically adds EXAMPLE\ to the HTTP Authorization: header before it forwards it to the web application.
    Available only when auth-delegation {HTTP-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation | no-delegation | ntlm | form-based-delegation} on page 573 is HTTP-basic or kerberos.
    Default: enable

prefix-domain "<prefix-domain_str>"
    Enter a domain name that FortiWeb adds to the HTTP Authorization: header before it forwards it to the web application.
    Available only when prefix-support {enable | disable} on page 577 is enabled.
    If auth-delegation {HTTP-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation | no-delegation | ntlm | form-based-delegation} on page 573 is kerberos, ensure that the string is the full domain name (for example, example.com).
    Default: No default.

sso-domain "<domain_str>"
    Enter the domain suffix of Host: names that will be allowed to share this rule's authentication sessions, such as .example.com. Include the period ( . ) that precedes the host's name.
    Default: No default.

sso-support {enable | disable}
    Enable for single sign-on support.
    For example, if this website is www1.example.com and the SSO domain is .example.com, once a client has authenticated with that site, it can access www2.example.com without authenticating a second time.
    Site publishing SSO sessions exist on FortiWeb only; they are not synchronized to the authentication and/or accounting server, and therefore SSO is not shared with non-web applications. For SSO with other protocols, consult the documentation for your FortiGate or other firewall.
    If waf site-publish-helper rule on page 569 is enable, this must be disable.
    Default: disable

alert-type {all | fail | none | success}
    Specify which site publishing-related authentication events the FortiWeb appliance will log and/or send an alert email about.
    • all
    • fail
    • success
    • none
    Event log messages contain the user name, authentication type, success or failure, and source address (for example, User jdoe [Site Publish] login successful from 172.0.2.5) when an end-user successfully authenticates. A similar message is recorded if the authentication fails (for example, User hackers [Site Publish] login failed from 172.0.2.5).
    Note: Logging and/or alert email occurs only if it is enabled and configured. For details, see log disk on page 66 and log alertMail on page 60.
    Default: none

cookieless {enable | disable}
    Enable to allow Android clients to access Microsoft Exchange servers through the Exchange ActiveSync protocol.
    Note: If this is enabled, these restrictions are put in place:
    • Only HTTP-auth is allowed for client-auth-method {html-form-auth | HTTP-auth | client-cert-auth | saml-auth | ntlm-auth} on page 572.
    • sso-support {enable | disable} on page 578 must be disable.
    • cookie-timeout <timeout_int> on page 573 must be 0.
    • Only no-delegation, HTTP-basic or kerberos is allowed for auth-delegation {HTTP-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation | no-delegation | ntlm | form-based-delegation} on page 573.
    Default: disable

kerberos-type {krb5 | spnego}
    Two kinds of authorization mechanisms are available, which web servers use to retrieve the Kerberos tickets.
    Available only when Authentication Delegation (auth-delegation) is Kerberos.
    Default: spnego

pass-failed-auth {enable | disable}
    Enable to control how FortiWeb behaves when Kerberos Constrained Delegation fails.
    Available only when client-auth-method {html-form-auth | HTTP-auth | client-cert-auth | saml-auth | ntlm-auth} on page 572 is client-cert-auth, and auth-delegation {HTTP-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation | no-delegation | ntlm | form-based-delegation} on page 573 is kerberos-constrained-delegation.
    Default: disable

append-custom-header {enable | disable}
    Enable this option to forward the username to the back-end server in an HTTP header.
    Default: disable

custom-header-name <custom-header-name_str>
    Enter a name for the HTTP header. You can change it to any name you desire, e.g. X-FortiWeb-Uname or useraccount. Special characters are not supported.
    Default: X-FortiWeb-Username

custom-header-value-format <custom-header-value-format_str>
    Enter the format for the value, such as aaa-USERNAME-bbb, xxx-USERNAME, or USERNAME. Special characters are not supported. The value format must contain "USERNAME"; FortiWeb replaces "USERNAME" with the actual username when forwarding the HTTP header to the back-end server.
    Default: xxx-USERNAME-XXX

pass-failed-auth {enable | disable}
    This option is enabled automatically when the Authentication Delegation is Kerberos Constrained Delegation. When it is disabled and Kerberos Constrained Delegation fails, 500 and Account Failed Authentication pages will be returned.
    Default: enable

cache-tgs-ticket {enable | disable}
    This option is enabled automatically when the Authentication Delegation is Kerberos Constrained Delegation or Kerberos, and controls whether FortiWeb caches the Kerberos TGS ticket. When pass-failed-auth {enable | disable} on page 579 is disabled, this option is also disabled.
    Default: enable
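As an added illustration (not FortiWeb's implementation), the following Python models what the prefix-support/prefix-domain and append-custom-header settings above do to a Basic-authenticated request: the Authorization: header is re-encoded with the domain prefix, and the username is copied into the custom header by substituting USERNAME in the value format. The function names and the sample request are this example's own; the rule values are passed in as they would be set in the CLI.

```python
import base64

# Added example modelling the prefix-support / prefix-domain and append-custom-header
# behaviour described in the rule table. It is not FortiWeb code; the function names
# are this example's own and the rule values are passed in as set in the CLI.


def parse_basic_auth(header_value):
    """Return (username, password) from a 'Basic <base64>' Authorization value, or None
    if the header is missing, uses another scheme, or is not valid RFC 7617 Basic auth."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:  # Basic credentials must be "user:password"
        return None
    return user, password


def encode_basic_auth(user, password):
    """Build the Authorization value that carries these credentials upstream."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def forward_headers(client_headers, prefix_support, prefix_domain,
                    append_custom_header, custom_header_name, custom_header_value_format):
    """Rewrite the client's request headers the way the site-publish rule settings describe.

    Returns the headers to forward, or None when the request carries no usable Basic
    credentials (HTTP-basic delegation then has nothing to delegate)."""
    creds = parse_basic_auth(client_headers.get("Authorization"))
    if creds is None:
        return None
    user, password = creds
    forwarded = dict(client_headers)

    # prefix-support enable + prefix-domain EXAMPLE: the user typed "user1", the
    # back end receives "EXAMPLE\user1" in the Authorization: header.
    if prefix_support == "enable" and prefix_domain:
        forwarded["Authorization"] = encode_basic_auth(f"{prefix_domain}\\{user}", password)

    # append-custom-header enable: add the username in a header whose value is the
    # custom-header-value-format with USERNAME substituted (the format must contain it).
    if append_custom_header == "enable":
        if "USERNAME" not in custom_header_value_format:
            raise ValueError('custom-header-value-format must contain "USERNAME"')
        forwarded[custom_header_name] = custom_header_value_format.replace("USERNAME", user)
    return forwarded


def demo():
    """Constructed request: user1 logs in with just a username; the rule uses the defaults
    listed in the table (X-FortiWeb-Username, xxx-USERNAME-XXX) and prefix-domain EXAMPLE."""
    client_request = {
        "Host": "www1.example.com",
        "Authorization": encode_basic_auth("user1", "s3cret"),  # constructed credentials
    }
    return forward_headers(client_request, prefix_support="enable", prefix_domain="EXAMPLE",
                           append_custom_header="enable",
                           custom_header_name="X-FortiWeb-Username",
                           custom_header_value_format="xxx-USERNAME-XXX")


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```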

Example

This example configures a site publisher with SSO for both Outlook and Sharepoint on the example.com domain.

config waf site-publish-helper authentication-server-pool
  edit "LDAP server pool"
    edit 1
      set server-type ldap
      set ldap-server "LDAP query 1"
    end
  next
end
config waf site-publish-helper authentication-server-pool
  edit "RADIUS server pool"
    edit 1
      set server-type radius
      set radius-server "RADIUS query 1"
    end
  next
end
config waf site-publish-helper rule
  edit "Outlook"
    set published-site "^*\.example\.edu"
    set auth-server-pool "LDAP server pool"
    set auth-delegation HTTP-basic
    set sso-support enable
    set sso-domain ".example.edu"
    set path "/owa"
    set alert-type fail
    set Published-Server-Logoff-Path /owa/auth/logoff.aspx?Cmd=logoff
  next
  edit "Sharepoint"
    set published-site "^*\.example\.edu"
    set req-type regular
    set auth-server-pool "RADIUS server pool"
    set auth-delegation HTTP-basic
    set sso-support enable
    set sso-domain ".example.edu"
    set path "/sharepoint"
    set alert-type fail
  next
end
config waf site-publish-helper policy
  edit "example_com_apps"
    config rule
      edit 1
        set rule-name "Outlook"
      next
      edit 2
        set rule-name "Sharepoint"
      next
    end
  next
end

Related topics

• waf site-publish-helper policy on page 566
• waf site-publish-helper authentication-server-pool on page 564
• log trigger-policy on page 93
• server-policy allow-hosts on page 103
• waf web-protection-profile inline-protection on page 636

waf staged_signature_list

Use this command to update the status of the signatures.

Syntax

config waf staged_signature_list
  edit signature_id <signature_id_int>
    set status {unapplied | applied | disabled}
  end

signature_id <signature_id_int>
    Select the ID that corresponds to the signature.
    Default: No default.

status {unapplied | applied | disabled}
    Select the action to apply to the signature.
    disabled (Disable): disable the signature across all the web protection policies. If the rule related to this signature causes multiple blocks, you can confirm the false positive and select this option.
    applied (Approve): change the Alert mode of the signature to normal status, with the action as configured in the signature protection policy.
    unapplied (Undo): use this option to cancel the "Disable" and "Approve" operations for a signature.
    Default: No default.


Example

This example shows how to update the status of signatures from the FDS update.

config waf staged_signature_list
  edit 3
    set status applied
  end

Related topics

• waf signature_update_policy on page 564

waf syntax-based-attack-detection

Using regular expression-based signatures to detect SQL/XSS injection attacks is core to a WAF solution. However, maintaining and updating the signatures to address new evasion techniques and to tune false positives and negatives for some attacks is a continuous and tedious process. To address this, syntax-based SQL/XSS injection detection is introduced: instead of matching patterns, FortiWeb parses the request element and decides whether it forms SQL or script syntax.
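To make the difference from regex signatures concrete, here is an added Python illustration (not FortiWeb's engine) of parser-driven classification: a parameter value is tokenized, tried in the three quoting contexts a back-end query could embed it in, and labelled with the SQL attack-type names this command uses. The tokenizer, the heuristics and the sample values are this example's own and are far simpler than a production detector.

```python
import re

# Added illustration of syntax-based (parser-driven) SQL injection detection.
# Not FortiWeb's engine: only the attack-type names come from the CLI reference;
# the tokenizer and the classification heuristics are this example's own.

TOKEN_RE = re.compile(
    r"(?P<ws>\s+)"
    r"|(?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)"
    r"|(?P<string>'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\")"
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<ident>[A-Za-z_][A-Za-z_0-9]*)"
    r"|(?P<op><=|>=|<>|!=|\|\||[-+*/%=<>(),;])",
    re.DOTALL,
)
STATEMENT_KW = {"SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "CREATE", "ALTER", "EXEC", "EXECUTE"}
COMPARISON = {"=", "<", ">", "<=", ">=", "<>", "!="}
ARITHMETIC = {"+", "-", "*", "/", "%"}
CONNECTORS = {"OR", "AND"}


def tokenize(text):
    """Split text into (kind, value) tokens; identifiers are upper-cased, whitespace dropped."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:  # stray character, e.g. an unterminated quote
            tokens.append(("other", text[pos]))
            pos += 1
            continue
        pos = m.end()
        kind, value = m.lastgroup, m.group()
        if kind == "ws":
            continue
        tokens.append((kind, value.upper() if kind == "ident" else value))
    return tokens


def _boolean_kind(rest):
    """Classify the expression that follows OR/AND (up to the next connector, ';' or comment)."""
    expr = []
    for kind, value in rest:
        if value in CONNECTORS or value == ";" or kind == "comment":
            break
        expr.append((kind, value))
    if not any(v in COMPARISON for _, v in expr):
        return None  # "black and white" is prose, not a boolean condition
    is_call = any(k == "ident" and i + 1 < len(expr) and expr[i + 1][1] == "("
                  for i, (k, _) in enumerate(expr))
    if is_call:
        return "sql_function_based_boolean_injection"
    if any(v in ARITHMETIC for _, v in expr):
        return "arithmetic_operation_based_boolean_injection"
    return "condition_based_boolean_injection"


def classify_in_context(text):
    """Attack types found when text is parsed exactly as given."""
    tokens = tokenize(text)
    found = set()
    for i, (kind, value) in enumerate(tokens):
        nxt = tokens[i + 1][1] if i + 1 < len(tokens) else None
        prev = tokens[i - 1][1] if i > 0 else None
        if kind == "comment" and not value.startswith("/*"):
            found.add("line_comments")
        elif value == ";" and nxt in STATEMENT_KW:
            found.add("stacked_queries_sql_injection")
        elif value == "SELECT" and prev in {"(", "UNION", "ALL"}:
            found.add("embeded_queries_sql_injection")
        elif kind == "ident" and value in CONNECTORS:
            found.add(_boolean_kind(tokens[i + 1:]))
    found.discard(None)
    return found


def classify(value):
    """Union of the attack types seen when the value lands in an unquoted, a single-quoted
    or a double-quoted position of the back-end query: the three contexts a parser must try,
    since 1' OR '1'='1 only parses as a condition once the leading quote is closed."""
    found = set()
    for prefix in ("", "'", '"'):
        found |= classify_in_context(prefix + value)
    return found


# Constructed sample parameter values (not from the FortiWeb documentation).
SAMPLES = {
    "alice": set(),
    "O'Reilly": set(),
    "1 OR 1=1": {"condition_based_boolean_injection"},
    "1' OR '1'='1": {"condition_based_boolean_injection"},
    "1 OR 2+1=3": {"arithmetic_operation_based_boolean_injection"},
    "1 AND ASCII(SUBSTRING(x,1,1))>64": {"sql_function_based_boolean_injection"},
    "1; DROP TABLE users": {"stacked_queries_sql_injection"},
    "1 UNION SELECT 1,2": {"embeded_queries_sql_injection"},
    "admin'--": {"line_comments"},
}

if __name__ == "__main__":
    for sample, expected in SAMPLES.items():
        result = classify(sample)
        print(f"{sample!r:38} -> {sorted(result) or 'clean'}  {'OK' if result == expected else 'MISMATCH'}")
```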

Syntax

config waf syntax-based-attack-detection
  edit "<policy_name>"
    set sql-arithmetic-operation-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set detection-target-sql {ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS}
    set sql-arithmetic-operation-block-period <period_int>
    set sql-arithmetic-operation-severity {High | Medium | Low | Info}
    set sql-arithmetic-operation-status {enable | disable}
    set sql-arithmetic-operation-threat-weight {low | critical | informational | moderate | substantial | severe}
    set sql-arithmetic-operation-trigger <trigger_policy_name>
    set sql-condition-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set sql-condition-based-block-period <period_int>
    set sql-condition-based-severity {High | Medium | Low | Info}
    set sql-condition-based-status {enable | disable}
    set sql-condition-based-threat-weight {low | critical | informational | moderate | substantial | severe}
    set sql-condition-based-trigger <trigger_policy_name>
    set sql-embeded-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set sql-embeded-queries-block-period <period_int>
    set sql-embeded-queries-severity {High | Medium | Low | Info}
    set sql-embeded-queries-status {enable | disable}
    set sql-embeded-queries-threat-weight {low | critical | informational | moderate | substantial | severe}
    set sql-embeded-queries-trigger <trigger_policy_name>
    set sql-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set sql-function-based-block-period <period_int>
    set sql-function-based-severity {High | Medium | Low | Info}
    set sql-function-based-status {enable | disable}
    set sql-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}
    set sql-function-based-trigger <trigger_policy_name>
    set sql-line-comments-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set sql-line-comments-block-period <period_int>
    set sql-line-comments-severity {High | Medium | Low | Info}
    set sql-line-comments-status {enable | disable}
    set sql-line-comments-threat-weight {low | critical | informational | moderate | substantial | severe}
    set sql-line-comments-trigger <trigger_policy_name>
    set sql-stacked-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set sql-stacked-queries-block-period <period_int>
    set sql-stacked-queries-severity {High | Medium | Low | Info}
    set sql-stacked-queries-status {enable | disable}
    set sql-stacked-queries-threat-weight {low | critical | informational | moderate | substantial | severe}
    set sql-stacked-queries-trigger <trigger_policy_name>
    set xss-html-attribute-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set detection-target-xss {ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS}
    set xss-html-attribute-based-block-period <period_int>
    set xss-html-attribute-based-severity {High | Medium | Low | Info}
    set xss-html-attribute-based-status {enable | disable}
    set xss-html-attribute-based-threat-weight {low | critical | informational | moderate | substantial | severe}
    set xss-html-attribute-based-trigger <trigger_policy_name>
    set xss-html-css-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set xss-html-css-based-block-period <period_int>
    set xss-html-css-based-severity {High | Medium | Low | Info}
    set xss-html-css-based-status {enable | disable}
    set xss-html-css-based-threat-weight {low | critical | informational | moderate | substantial | severe}
    set xss-html-css-based-trigger <trigger_policy_name>
    set xss-html-tag-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set xss-html-tag-based-block-period <period_int>
    set xss-html-tag-based-check-level {strict | moderate}
    set xss-html-tag-based-severity {High | Medium | Low | Info}
    set xss-html-tag-based-status {enable | disable}
    set xss-html-tag-based-threat-weight {low | critical | informational | moderate | substantial | severe}
    set xss-html-tag-based-trigger <trigger_policy_name>
    set xss-javascript-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set xss-javascript-function-based-block-period <period_int>
    set xss-javascript-function-based-severity {High | Medium | Low | Info}
    set xss-javascript-function-based-status {enable | disable}
    set xss-javascript-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}
    set xss-javascript-function-based-trigger <trigger_policy_name>
    set xss-javascript-variable-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set xss-javascript-variable-based-block-period <period_int>
    set xss-javascript-variable-based-severity {High | Medium | Low | Info}
    set xss-javascript-variable-based-status {enable | disable}
    set xss-javascript-variable-based-threat-weight {low | critical | informational | moderate | substantial | severe}
    set xss-javascript-variable-based-trigger <trigger_policy_name>
    config exception-element-list
      edit "<list-id>"
        set match-target {HOST | URI | FULL-URL | PARAMETER | COOKIE}
        set operator {STRING_MATCH | REGEXP_MATCH}
        set value-name <name_str>
        set value-check {enable | disable}
        set value <value_str>
        set concatenate-type {AND | OR}
        set attack-type {arithmetic_operation_based_boolean_injection | condition_based_boolean_injection | embeded_queries_sql_injection | html_attr_based_xss_injection | html_css_based_xss_injection | html_tag_based_xss_injection | js_func_based_xss_injection | js_var_based_xss_injection | line_comments | invalid | sql_function_based_boolean_injection | stacked_queries_sql_injection}
      next
    end
  next
end

"<policy_name>"
    Enter a name for the syntax based detection policy.
    Default: No default

sql-arithmetic-operation-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this injection type attack is identified.
    • alert—Accept the request and generate an alert email and/or log message.
    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • deny_no_log—Block the request (or reset the connection).
    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-arithmetic-operation-block-period <period_int> on page 585. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

detection-target-sql {ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS}
    Select the elements in the request that you want FortiWeb to scan:
    • ARGS_NAMES (Parameter Name)
    • ARGS_VALUE (Parameter Value)
    • REQUEST_COOKIES (Request Cookie)
    • REQUEST_USER_AGENT (Request User-Agent)
    • REQUEST_REFERER (Request Referer)
    • OTHER_REQUEST_HEADERS (Other Request Header)
    You can select multiple elements, for example, set detection-target-sql ARGS_NAMES REQUEST_COOKIES ARGS_VALUE.
    Default: Parameter Name/Parameter Value/Request Cookie

sql-arithmetic-operation-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.
    Default: 600

sql-arithmetic-operation-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:
    • High
    • Medium
    • Low
    • Info
    Default: High

sql-arithmetic-operation-status {enable | disable}
    Enable or disable the attack type detection for this rule.
    Default: enable

sql-arithmetic-operation-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for Arithmetic Operation Based Boolean Injection attacks.
    Default: severe

sql-arithmetic-operation-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

sql-condition-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this injection type attack is identified.
    • alert—Accept the request and generate an alert email and/or log message.
    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • deny_no_log—Block the request (or reset the connection).
    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-condition-based-block-period <period_int> on page 586. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

sql-condition-based-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.
    Default: 600

sql-condition-based-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:
    • High
    • Medium
    • Low
    • Info
    Default: High

sql-condition-based-status {enable | disable}
    Enable or disable the attack type detection for this rule.
    Default: enable

sql-condition-based-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for Condition Based Boolean Injection attacks.
    Default: severe

sql-condition-based-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

sql-embeded-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this injection type attack is identified.
    • alert—Accept the request and generate an alert email and/or log message.
    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • deny_no_log—Block the request (or reset the connection).
    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-embeded-queries-block-period <period_int> on page 587. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

sql-embeded-queries-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.
    Default: 600

sql-embeded-queries-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:
    • High
    • Medium
    • Low
    • Info
    Default: High

sql-embeded-queries-status {enable | disable}
    Enable or disable the attack type detection for this rule.
    Default: enable

sql-embeded-queries-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for Embedded Queries SQL Injection attacks.
    Default: severe

sql-embeded-queries-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

sql-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this injection type attack is identified.
    • alert—Accept the request and generate an alert email and/or log message.
    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • deny_no_log—Block the request (or reset the connection).
    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-function-based-block-period <period_int> on page 589. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

sql-function-based-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.
    Default: 600

sql-function-based-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:
    • High
    • Medium
    • Low
    • Info
    Default: High

sql-function-based-status {enable | disable}
    Enable or disable the attack type detection for this rule.
    Default: enable

sql-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for SQL Function Based Boolean Injection attacks.
    Default: severe

sql-function-based-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

sql-line-comments-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this injection type attack is identified.
    • alert—Accept the request and generate an alert email and/or log message.
    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • deny_no_log—Block the request (or reset the connection).
    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-line-comments-block-period <period_int> on page 590. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

sql-line-comments-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.
    Default: 600

sql-line-comments-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:
    • High
    • Medium
    • Low
    • Info
    Default: High

sql-line-comments-status {enable | disable}
    Enable or disable the attack type detection for this rule.
    Default: enable

sql-line-comments-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for Line Comments attacks.
    Default: severe

sql-line-comments-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

sql-stacked-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this injection type attack is identified.
    • alert—Accept the request and generate an alert email and/or log message.
    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • deny_no_log—Block the request (or reset the connection).
    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-stacked-queries-block-period <period_int> on page 591. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

sql-stacked-queries-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.
    Default: 600

sql-stacked-queries-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:
    • High
    • Medium
    • Low
    • Info
    Default: High

sql-stacked-queries-status {enable | disable}
    Enable or disable the attack type detection for this rule.
    Default: enable

sql-stacked-queries-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for Stacked Queries SQL Injection attacks.
    Default: severe

sql-stacked-queries-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

xss-html-attribute-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this injection type attack is identified.
    • alert—Accept the request and generate an alert email and/or log message.
    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • deny_no_log—Block the request (or reset the connection).
    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    • block_period—Block subsequent requests from the client for a number of seconds. Also configure xss-html-attribute-based-block-period <period_int> on page 593. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

detection-target-xss {ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS}
    Select the elements in the request that you want FortiWeb to scan:
    • ARGS_NAMES (Parameter Name)
    • ARGS_VALUE (Parameter Value)
    • REQUEST_COOKIES (Request Cookie)
    • REQUEST_USER_AGENT (Request User-Agent)
    • REQUEST_REFERER (Request Referer)
    • OTHER_REQUEST_HEADERS (Other Request Header)
    You can select multiple elements, for example, set detection-target-xss ARGS_NAMES REQUEST_COOKIES ARGS_VALUE.
    Default: Parameter Name/Parameter Value/Request Cookie

xss-html-attribute-based-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.
    Default: 600

xss-html-attribute-based-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:
    • High
    • Medium
    • Low
    • Info
    Default: High

xss-html-attribute-based-status {enable | disable}
    Enable or disable the attack type detection for this rule.
    Default: enable

xss-html-attribute-based-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for HTML Attribute Based XSS Injection attacks.
    Default: severe

xss-html-attribute-based-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

xss-html-css-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this injection type attack is identified.
    • alert: Accept the request and generate an alert email and/or log message.
    • alert_deny: Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • deny_no_log: Block the request (or reset the connection).
    • redirect: Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    • block_period: Block subsequent requests from the client for a number of seconds. Also configure xss-html-css-based-block-period <period_int> on page 594. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • send_HTTP_response: Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

xss-html-css-based-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.
    Default: 600

xss-html-css-based-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:
    • High
    • Medium
    • Low
    • Info
    Default: High

xss-html-css-based-status {enable | disable}
    Enable or disable the attack type detection for this rule.
    Default: enable

xss-html-css-based-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for HTML CSS Based XSS Injection attack.
    Default: severe

xss-html-css-based-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

xss-html-tag-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this injection type attack is identified.
    • alert: Accept the request and generate an alert email and/or log message.
    • alert_deny: Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • deny_no_log: Block the request (or reset the connection).
    • redirect: Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    • block_period: Block subsequent requests from the client for a number of seconds. Also configure xss-html-tag-based-block-period <period_int> on page 595. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • send_HTTP_response: Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

xss-html-tag-based-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.
    Default: 600

xss-html-tag-based-check-level {strict | moderate}
    • moderate: An injection attack will be reported when tags besides body/head/html are detected.
    • strict: No injection attack will be reported when tags besides body/head/html are detected.
    Note: It is not advised to set it to moderate, as false positives may occur.
    Default: strict

xss-html-tag-based-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:
    • High
    • Medium
    • Low
    • Info
    Default: High

xss-html-tag-based-status {enable | disable}
    Enable or disable the attack type detection for this rule.
    Default: enable

xss-html-tag-based-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for HTML Tag Based XSS Injection attack.
    Default: severe

xss-html-tag-based-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

xss-javascript-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this injection type attack is identified.
    • alert: Accept the request and generate an alert email and/or log message.
    • alert_deny: Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • deny_no_log: Block the request (or reset the connection).
    • redirect: Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    • block_period: Block subsequent requests from the client for a number of seconds. Also configure xss-javascript-function-based-block-period <period_int> on page 597. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • send_HTTP_response: Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

xss-javascript-function-based-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.
    Default: 600

xss-javascript-function-based-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:
    • High
    • Medium
    • Low
    • Info
    Default: High

xss-javascript-function-based-status {enable | disable}
    Enable or disable the attack type detection for this rule.
    Default: enable

xss-javascript-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for Javascript Function Based XSS Injection attack.
    Default: severe

xss-javascript-function-based-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

xss-javascript-variable-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    Select the action FortiWeb takes when this injection type attack is identified.
    • alert: Accept the request and generate an alert email and/or log message.
    • alert_deny: Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • deny_no_log: Block the request (or reset the connection).
    • redirect: Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
    • block_period: Block subsequent requests from the client for a number of seconds. Also configure xss-javascript-variable-based-block-period <period_int> on page 598. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image on page 330.
    • send_HTTP_response: Block and reply to the client with an HTTP error message and generate an alert email and/or log message.
    Note: Logging and/or alert email will occur only if enabled and configured. See log on page 715 and log alertMail on page 60.
    Default: alert_deny

xss-javascript-variable-based-block-period <period_int>
    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.
    Default: 600

xss-javascript-variable-based-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:
    • High
    • Medium
    • Low
    • Info
    Default: High

xss-javascript-variable-based-status {enable | disable}
    Enable or disable the attack type detection for this rule.
    Default: enable

xss-javascript-variable-based-threat-weight {low | critical | informational | moderate | substantial | severe}
    Set the threat weight for Javascript Variable Based XSS Injection attack.
    Default: severe

xss-javascript-variable-based-trigger <trigger_policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default

"<list-id>" Enter an ID for the exception list. No default

match-target {HOST | Select the type of request element to exempt from this URI
URI | FULL-URL | rule.
PARAMETER |
COOKIE}

FortiWeb CLI Reference Fortinet Technologies Inc.


config 599

Variable Description Default

operator {STRING_ l STRING_MATCH—Name is the literal name of a REGEXP_MATCH


MATCH | REGEXP_ parameter.
MATCH} l REGEXP_MATCH— Name is a regular expression
that matches all and only the name of the parameter
that the exception applies to.

value-name <name_ Specify the name of the parameter to match.


str>

value-check {enable | Enable to specify a parameter value to match in addition to disable


disable} the parameter name.

value <value_str> Specify a HOST/URI/FULL-URL/PARAMETER/COOKIE No default


value to match.

concatenate-type l AND—A matching request matches this entry in AND


{AND | OR} addition to other entries in the exemption list.
l OR—A matching request matches this entry instead

of other entries in the exemption list.


Later, you can use the exception list options to adjust the
matching sequence for entries.

attack-type Select the attack type you want to create the exception for. No default
{arithmetic_
operation_based_
boolean_injection |
condition_based_
boolean_injection |
embeded_queries_
sql_injection | html_
attr_based_xss_
injection | html_css_
based_xss_injection |
html_tag_based_
xss_injection | js_
func_based_xss_
injection | js_var_
based_xss_injection |
line_comments |
invalid | sql_function_
based_boolean_
injection | stacked_
queries_sql_
injection}

Related topics

• waf web-protection-profile inline-protection on page 636

waf threshold-based-detection

Use this command to configure threshold-based detection rules. A rule defines the occurrence count, time period, severity, trigger policy and related settings for each of the following suspicious behaviors; FortiWeb uses them to judge whether a request comes from a human or a bot.
• Crawler
• Vulnerability Scanning
• Slow Attack
• Content Scraping
• Illegal User Scan

Syntax
config waf threshold-based-detection
  edit "<policy_name>"
    set bot-recognition {disabled | real-browser-enforcement | captcha-enforcement | recaptcha-enforcement}
    set recaptcha <recaptcha_server_name>
    set mobile-app-identification {disabled | mobile-token-validation}
    set bot-confirmation {enable | disable}
    set validation-timeout <validation-timeout_int>
    set max-attempt-times <max-attempt-times_int>
    set crawler-detection {enable | disable}
    set crawler-action {alert | deny_no_log | alert_deny | block-period}
    set crawler-severity {High | Medium | Low | Info}
    set crawler-trigger <crawler-trigger-policy_name>
    set crawler-occurrence-num <crawler-occurrence-num_int>
    set crawler-within <crawler-within_int>
    set crawler-block-period <crawler-block-period_int>
    set scanner-detection {enable | disable}
    set scanner-action {alert | deny_no_log | alert_deny | block-period}
    set scanner-severity {High | Medium | Low | Info}
    set scanner-trigger <scanner-trigger-policy_name>
    set scanner-occurrence-num <scanner-occurrence-num_int>
    set scanner-within <scanner-within_int>
    set scanner-block-period <scanner-block-period_int>
    set slow-attack-detection {enable | disable}
    set slow-attack-action {alert | deny_no_log | alert_deny | block-period}
    set slow-attack-severity {High | Medium | Low | Info}
    set slow-attack-trigger <slow-attack-trigger-policy_name>
    set slow-attack-occurrence-num <slow-attack-occurrence-num_int>
    set slow-attack-within <slow-attack-within_int>
    set slow-attack-HTTP-transaction-timeout <slow-attack-HTTP-transaction-timeout_int>
    set slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int>
    set slow-attack-block-period <slow-attack-block-period_int>
    set content-scraping-detection {enable | disable}
    set content-scraping-action {alert | deny_no_log | alert_deny | block-period}
    set content-scraping-severity {High | Medium | Low | Info}
    set content-scraping-trigger <content-scraping-trigger-policy_name>
    set content-scraping-occurrence-num <content-scraping-occurrence-num_int>
    set content-scraping-within <content-scraping-within_int>
    set content-scraping-block-period <content-scraping-block-period_int>
  next
end

Variable Description Default

"<policy_name>"
    Enter a name for the threshold-based detection rule that can be referenced in a bot mitigation policy.
    Default: No default.

bot-recognition {disabled | real-browser-enforcement | captcha-enforcement | recaptcha-enforcement}
    Select between:
    • captcha-enforcement: Requires the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within the [...], or does not fulfill the request within validation-timeout <validation-timeout_int>, FortiWeb applies the action and sends the CAPTCHA block page.
    • real-browser-enforcement: Enable to return a JavaScript to the client to test whether it is a web browser or an automated tool when it violates the access rule. If the client either fails the test or does not return results before the timeout specified by waf threshold-based-detection on page 600, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to violate the rule.
    • recaptcha-enforcement: Requires the client to successfully fulfill a reCAPTCHA request. If the client cannot successfully fulfill the request within the [...], or does not fulfill the request within validation-timeout <validation-timeout_int>, FortiWeb applies the action and sends the CAPTCHA block page.
    • disabled: Do not carry out bot verification.
    Default: disabled

recaptcha <recaptcha_server_name>
    Enter the reCAPTCHA server you have created through user recaptcha-user.
    Default: No default.

mobile-app-identification {disabled | mobile-token-validation}
    • disabled: Do not carry out mobile token verification.
    • mobile-token-validation: Requires the client to use a mobile token to verify whether the traffic is from mobile devices.
    To apply mobile token validation, you must enable mobile-app-identification in waf web-protection-profile inline-protection.
    Default: disabled

bot-confirmation {enable | disable}
    Enable to confirm whether the client is indeed a bot. The system sends RBE (Real Browser Enforcement) JavaScript or a CAPTCHA to the client to double-check whether it is a bot.
    Default: disable

validation-timeout <validation-timeout_int>
    Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client.
    Available only when bot-recognition {disabled | real-browser-enforcement | captcha-enforcement | recaptcha-enforcement} is real-browser-enforcement or captcha-enforcement.
    Default: 20

crawler-detection {enable | disable}
    Enable to detect tools that browse your web site for indexing purposes.
    Default: enable

crawler-action {alert | deny_no_log | alert_deny | block-period}
    Select which action FortiWeb will take when it detects a crawler:
    • alert: Accept the connection and generate an alert email and/or log message.
    • alert_deny: Block the request (or reset the connection) and generate an alert and/or log message.
    • deny_no_log: Block the request (or reset the connection).
    • block-period: Block subsequent requests from the client for a number of seconds. Also configure crawler-block-period <crawler-block-period_int>.
    Default: alert

crawler-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a crawler:
    • Informative
    • Low
    • Medium
    • High
    Default: Medium

crawler-trigger <crawler-trigger-policy_name>
    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a crawler. For details, see "Viewing log messages" on page 1.
    Default: No default.

crawler-occurrence-num <crawler-occurrence-num_int>
    Enter the number of 403 and 404 response codes returned by the web server that FortiWeb must detect during the crawler-within period.
    Default: 100

crawler-within <crawler-within_int>
    Specify the time period, in seconds, during which FortiWeb detects the 403 and 404 response codes.
    Default: 10

crawler-block-period <crawler-block-period_int>
    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects a crawler. The valid range is 1–3,600 seconds.
    Available only if crawler-action {alert | deny_no_log | alert_deny | block-period} is set to block-period.
    Default: 600

scanner-detection {enable | disable}
    Enable to detect tools that scan your web site for vulnerabilities.
    Default: disable

scanner-action {alert | deny_no_log | alert_deny | block-period}
    Select which action FortiWeb will take when it detects attack signatures:
    • alert: Accept the connection and generate an alert email and/or log message.
    • alert_deny: Block the request (or reset the connection) and generate an alert and/or log message.
    • deny_no_log: Block the request (or reset the connection).
    • block-period: Block subsequent requests from the client for a number of seconds. Also configure scanner-block-period <scanner-block-period_int>.
    Default: alert

scanner-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs attack signatures:
    • Informative
    • Low
    • Medium
    • High
    Default: Medium

scanner-trigger <scanner-trigger-policy_name>
    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about attack signatures. For details, see "Viewing log messages" on page 1.
    Default: No default.

scanner-occurrence-num <scanner-occurrence-num_int>
    Enter the number of attack signatures that FortiWeb must detect during the scanner-within period.
    Default: 100

scanner-within <scanner-within_int>
    Specify the time period, in seconds, during which FortiWeb monitors the attack signatures.
    Default: 10

scanner-block-period <scanner-block-period_int>
    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects attack signatures. The valid range is 1–3,600 seconds.
    Available only if scanner-action {alert | deny_no_log | alert_deny | block-period} is set to block-period.
    Default: 600

slow-attack-detection {enable | disable}
    Enable to detect Denial of Service tools that try to go undetected by generating a small stream of traffic.
    Default: disable

slow-attack-action {alert | deny_no_log | alert_deny | block-period}
    Select which action FortiWeb will take when it detects slow attack activities:
    • alert: Accept the connection and generate an alert email and/or log message.
    • alert_deny: Block the request (or reset the connection) and generate an alert and/or log message.
    • deny_no_log: Block the request (or reset the connection).
    • block-period: Block subsequent requests from the client for a number of seconds. Also configure slow-attack-block-period <slow-attack-block-period_int>.

slow-attack-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs slow attack activities:
    • Informative
    • Low
    • Medium
    • High
    Default: Medium

slow-attack-trigger <slow-attack-trigger-policy_name>
    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about slow attack activities. For details, see "Viewing log messages" on page 1.
    Default: No default.

slow-attack-occurrence-num <slow-attack-occurrence-num_int>
    Enter the number of slow attack activities that FortiWeb must detect during the slow-attack-within period.
    Default: 5

slow-attack-within <slow-attack-within_int>
    Specify the time period, in seconds, during which FortiWeb detects slow attack activities.
    Default: 100

slow-attack-HTTP-transaction-timeout <slow-attack-HTTP-transaction-timeout_int>
    Specify a timeout value, in seconds, for the HTTP transaction.
    Default: 60

slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int>
    Specify the timeout value, in seconds, for the interval between packets arriving from either the client or the server (request or response packets).
    Default: 10

slow-attack-block-period <slow-attack-block-period_int>
    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects slow attack activities. The valid range is 1–3,600 seconds.
    Available only if slow-attack-action {alert | deny_no_log | alert_deny | block-period} is set to block-period.
    Default: 600

content-scraping-detection {enable | disable}
    Enable to detect bots that illegally copy contents from your web site.
    Default: disable

content-scraping-action {alert | deny_no_log | alert_deny | block-period}
    Select which action FortiWeb will take when it detects content scraping activities:
    • alert: Accept the connection and generate an alert email and/or log message.
    • alert_deny: Block the request (or reset the connection) and generate an alert and/or log message.
    • deny_no_log: Block the request (or reset the connection).
    • block-period: Block subsequent requests from the client for a number of seconds. Also configure content-scraping-block-period <content-scraping-block-period_int>.
    Default: alert

content-scraping-severity {High | Medium | Low | Info}
    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs content scraping activities:
    • Informative
    • Low
    • Medium
    • High
    Default: Medium

content-scraping-trigger <content-scraping-trigger-policy_name>
    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about content scraping activities. For details, see "Viewing log messages" on page 1.
    Default: No default.

content-scraping-occurrence-num <content-scraping-occurrence-num_int>
    Enter the number of content scraping activities that FortiWeb must detect during the content-scraping-within period.
    Default: 100

content-scraping-within <content-scraping-within_int>
    Specify the time period, in seconds, during which FortiWeb detects content scraping activities.
    Default: 30

content-scraping-block-period <content-scraping-block-period_int>
    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects content scraping activities. The valid range is 1–3,600 seconds.
    Available only if content-scraping-action {alert | deny_no_log | alert_deny | block-period} is set to block-period.
    Default: 600
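The crawler thresholds in this table (crawler-occurrence-num, crawler-within, crawler-block-period and crawler-action) interact in a way the row descriptions do not spell out. The following Python model is an added example, not FortiWeb code or output: it assumes a per-client sliding window over 403/404 responses and replays a constructed log to show when a client is identified as a crawler and for how long it stays blocked.

```python
"""Sliding-window model of FortiWeb-style threshold-based crawler detection.

Added example, not FortiWeb code. Assumption: 403/404 responses are counted
per client over a sliding window of crawler-within seconds; when the count
reaches crawler-occurrence-num the client is identified as a crawler and
crawler-action is applied (block-period blocks it for crawler-block-period
seconds). The log format below is constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class CrawlerThresholdRule:
    """Mirrors the crawler-* variables of waf threshold-based-detection."""
    occurrence_num: int = 100      # crawler-occurrence-num default
    within: int = 10               # crawler-within default, seconds
    block_period: int = 600        # crawler-block-period default, seconds
    action: str = "alert"          # crawler-action default


@dataclass
class ThresholdDetector:
    rule: CrawlerThresholdRule
    # per-client timestamps of 403/404 responses still inside the window
    hits: dict = field(default_factory=lambda: defaultdict(deque))
    # per-client end of an active block period
    blocked_until: dict = field(default_factory=dict)
    # (timestamp, client, behavior) tuples, i.e. what would reach the attack log
    events: list = field(default_factory=list)

    def observe(self, ts: float, client: str, status: int) -> str:
        """Process one response; return the verdict for this request."""
        until = self.blocked_until.get(client)
        if until is not None:
            if ts < until:
                return "blocked"          # still inside crawler-block-period
            del self.blocked_until[client]
        if status not in (403, 404):
            return "pass"
        window = self.hits[client]
        window.append(ts)
        # drop hits that fell out of the crawler-within window
        while window and ts - window[0] > self.rule.within:
            window.popleft()
        if len(window) < self.rule.occurrence_num:
            return "pass"
        window.clear()                   # threshold reached: restart counting
        self.events.append((ts, client, "crawler"))
        if self.rule.action == "block-period":
            self.blocked_until[client] = ts + self.rule.block_period
            return "blocked"
        if self.rule.action == "alert":
            return "alert"
        return "denied"                  # alert_deny or deny_no_log


# Constructed sample log: "<seconds> <client> <status>"; not real FortiWeb output.
SAMPLE_LOG = """
0.0   10.0.0.5   404
0.5   192.0.2.9  404
1.0   10.0.0.5   404
2.0   10.0.0.5   403
3.0   10.0.0.5   404
4.0   10.0.0.5   404
5.0   10.0.0.5   200
6.0   10.0.0.5   200
20.0  10.0.0.5   404
30.0  192.0.2.9  404
60.0  192.0.2.9  404
90.0  192.0.2.9  404
120.0 192.0.2.9  404
700.0 10.0.0.5   200
"""


def run(log: str, rule: CrawlerThresholdRule) -> dict:
    """Replay a log through the detector; return per-client verdicts and events."""
    detector = ThresholdDetector(rule)
    verdicts: dict = defaultdict(list)
    entries = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                     # skip blank lines
        entries.append((float(parts[0]), parts[1], int(parts[2])))
    for ts, client, status in sorted(entries):
        verdicts[client].append(detector.observe(ts, client, status))
    return {"verdicts": dict(verdicts), "events": detector.events}


if __name__ == "__main__":
    # 5 errors within 10 s trips the rule; one error every 30 s never does
    result = run(SAMPLE_LOG, CrawlerThresholdRule(5, 10, 600, "block-period"))
    for client, v in result["verdicts"].items():
        print(client, " ".join(v))
    print("events:", result["events"])
```

With the defaults (100 errors in 10 seconds) neither client in the sample is flagged, which is why the occurrence and window values are normally tuned together.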

Related Topics

• waf bot-mitigation-policy on page 415
• waf biometrics-based-detection on page 403
• waf bot-deception on page 1


waf url-access url-access-policy

Use this command to configure a set of URL access rules that define HTTP requests that are allowed or denied.
Before using this command, you must first define your URL access rules. For details, see waf url-access url-access-rule
on page 610.
To apply URL access policies, select them within an inline or Offline Protection profile. For details, see waf web-
protection-profile inline-protection on page 636 or waf web-protection-profile offline-protection on page 645.
You can use SNMP traps to notify you when a URL access rule is enforced. For details, see system snmp community on
page 339.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf url-access url-access-policy
edit "<url-access-policy_name>"
config rule
edit <entry_index>
set url-access-rule-name "<url-access-rule_name>"
next
end
next
end

Variable Description Default

"<url-access-policy_name>"
    Enter the name of the new or existing URL access policy. The maximum length is 63 characters.
    To display the list of existing policies, enter:
    edit ?
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

url-access-rule-name "<url-access-rule_name>"
    Enter the name of the existing URL access rule to add to the policy. The maximum length is 63 characters.
    Default: No default.

Example

This example adds two rules to the policy, with the first one set to priority level 0, and the second one set to priority level 1. The rule with priority 0 would be applied first.
config waf url-access url-access-policy
  edit "URL-access-set2"
    config rule
      edit 1
        set url-access-rule-name "URL Access Rule 1"
      next
      edit 2
        set url-access-rule-name "Blocked URL"
      next
    end
  next
end

Related topics

• waf url-access url-access-rule on page 610
• waf web-protection-profile inline-protection on page 636
• waf web-protection-profile offline-protection on page 645

waf url-encryption

To prevent forceful browsing, you can encrypt URLs so that the internal directory structure of the web application is not revealed to users.
Use this command to create URL encryption rules and policies.

Syntax
config waf url-encryption url-encryption-rule
  edit "<encryption-rule_name>"
    set host-status {enable | disable}
    set host <host_str>
    set allow-unencrypted {enable | disable}
    set action {alert | deny_no_log | alert_deny | block-period}
    set block-period <block-period_int>
    set severity {High | Medium | Low | Info}
    set trigger <trigger_str>
    config url-list
      edit "<url-list_id>"
        set url-type {plain | regular}
        set url-pattern <url-pattern_str>
      next
    end
    config exceptions
      edit "<exceptions-item_id>"
        set url-type {plain | regular}
        set url-pattern <url-pattern_str>
      next
    end
  next
end

config waf url-encryption url-encryption-policy
  edit "<url-encryption-policy_name>"
    set full-mode {enable | disable}
    config rule-list
      edit "<rule-list_id>"
        set rule <rule_str>
      next
    end
  next
end


Variable Description Default

"<encryption-rule_name>" Enter a name for the encryption rule. No default.

host-status {enable | Enable to require that the Host: field of the HTTP disable
disable} request match a protected host names entry in order to
match the URL acceleration rule. Also configure host
<host_str>.

host <host_str> Select which protected host names entry (either a web No default.
host name or IP address) that the Host: field of the HTTP
request must be in to match the URL acceleration rule.

allow-unencrypted {enable | When enabled, unencrypted URL requests will be enable


disable} allowed.
Unencrypted URL requests are the valid requests from the
client that FortiWeb failed to decrypt.
When disabled, if the URL can match the rule, and
FortiWeb detects unencrypted URLs, the action will be
triggered.

action {alert | deny_no_log | Select which action the FortiWeb appliance will take when Alert
alert_deny | block-period} it detects a violation.
alert—Accept the connection and generate an alert email
and/or log message.
alert_deny—Block the request (or reset the connection)
and generate an alert and/or log message.
deny_no_log—Block the request (or reset the
connection).
block-period—Blocks the request for a certain period of
time.

block-period <block-period_ Enter the number of seconds that you want to block the 60
int> requests. The valid range is 1–3,600 seconds.
This option only takes effect when you choose Period
Block in action {alert | deny_no_log | alert_deny | block-
period}.

severity {High | Medium | When FortiWeb records rule violations in the attack log, High
Low | Info} each log message contains a Severity Level field. Select
the severity level that FortiWeb will record when the rule is
violated:
l Low

l Medium

l High

l Informative

The default value is High.

trigger <trigger_str> Select the trigger, if any, that FortiWeb carries out when it No default.

FortiWeb CLI Reference Fortinet Technologies Inc.


config 609

Variable Description Default

logs and/or sends an alert email about a rule violation. For


details, see "Viewing log messages" on page 1.

"<url-list_id>" Enter the ID for the URL request. No default.

url-type {plain | regular} Select whether the URL Pattern field will contain a literal plain
URL (plain), or a regular expression designed to match
multiple URLs (regular).

url-pattern <url-pattern_str> Depending on the url-type, enter either: No default.


l plain—The literal URL, such as /index.php, that

the HTTP request must contain in order to match the


rule. The URL must begin with a slash ( / ).
l regular—A regular expression, such as ^/*.php,

matching the URLs to which the rule should apply.


The pattern does not require a slash ( / ), but it must
match URLs that begin with a slash, such as
/index.cfm.

"<exceptions-item_id>" Enter the exception URL ID. No default.

url-type {plain | regular} Select whether the URL Pattern field will contain a literal plain
URL (plain), or a regular expression designed to match
multiple URLs (regular).

url-pattern <url-pattern_str> Depending on the url-type, enter either: No default.


l plain—The literal URL, such as /index.php, that

the HTTP request must contain in order to match the


rule. The URL must begin with a slash ( / ).
l regular—A regular expression, such as ^/*.php,

matching the URLs to which the rule should apply.


The pattern does not require a slash ( / ), but it must
match URLs that begin with a slash, such as
/index.cfm.

"<url-encryption-policy_ Enter an encryption policy name. No default.


name>"

full-mode {enable | disable} When enabled, Script Events,Embedded non-HTML enable


content - scripts, js files, and Embedded non-HTML
content - stylesheets that match the rule will be encrypted.

"<rule-list_id>" Enter the URL encryption rule ID. No default.

rule <rule_str> Select the URL encryption rule name. No default.

Related topics

- waf web-protection-profile inline-protection on page 636


waf url-access-parameter

Use this command to configure URL access parameter rules. A URL access parameter rule is referenced from a URL access rule (see the url-access-parameter option of waf url-access url-access-rule).
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf url-access-parameter
    edit "<url-access-parameter-rule_name>"
        config waf url-access-parameter-list
            edit <index>
                set argument-name <string>
                set data-type
            next
        end
    next
end

Variable Description Default

"<url-access-parameter-rule_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: none.

argument-name <string>
    Depending on your selection in Type, enter either:
    - The literal name that the HTTP request must contain in order to match the rule.
    - A regular expression.
    To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see "Regular expression syntax" on page 1.
    Default: none.

data-type
    Specify the data type of the parameter value.
    Default: none.

waf url-access url-access-rule

Use this command to configure URL access rules that define the HTTP requests that are allowed or denied based on their host name and URL.
For example, access to administrative panels for your web application should only be allowed if the client’s source IP address is an administrator’s computer on your private management network. Unauthenticated access from unknown locations increases the risk of compromise. Best practice dictates that such risk should be minimized.
To apply URL access rules, first group them within a URL access policy. For details, see waf url-access url-access-policy on page 606.
You can use SNMP traps to notify you when a URL access rule is enforced. For details, see system snmp community on page 339.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf url-access url-access-rule
    edit "<url-access-rule_name>"
        set action {alert_deny | continue | pass | deny_no_log}
        set host "<protected-hosts_name>"
        set host-status {enable | disable}
        set severity {Informative | Low | Medium | High | Info}
        set trigger "<trigger-policy_name>"
        config match-condition
            edit <entry_index>
                set sip-address-check {enable | disable}
                set sip-address-type {sip | sdomain | source-domain}
                set sip-address-value "<client_ip>"
                set sdomain-type {"<ipv4>" | "<ipv6>"}
                set sip-address-domain "<fqdn_str>"
                set source-domain-type {simple-string | regex-expression}
                set source-domain "<source-domain_str>"
                set reverse-dns-timeout <int>
                set type {regex-expression | simple-string}
                set reg-exp "<object_pattern>"
                set url-access-parameter "<url-access-parameter-rule_name>"
                set only-method {get | post | head | options | trace | connect | delete | put | patch | webdav | rpc | others}
                set only-protocol {http | https | ws | wss}
                set reverse-match {yes | no}
            next
        end
    next
end

Variable Description Default

"<url-access-rule_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: none.

action {alert_deny | continue | pass | deny_no_log}
    Select which action the FortiWeb appliance takes when a request matches the URL access rule.
    - alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see "system replacemsg" on page 1.
    - continue—Generate an alert and/or log message, then continue by evaluating any subsequent rules defined in the web protection profile. If no other rules are violated, allow the request. If multiple rules are violated, a single request will generate multiple attack log messages. For details, see debug flow trace on page 694.
    - pass—Allow the request. Do not generate an alert and/or log message.
    - deny_no_log—Deny the request. Do not generate a log message.
    Caution: This setting is ignored if monitor-mode {enable | disable} on page 152 is enabled.
    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk on page 66 and log alertMail on page 60.
    Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, you should select pass. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see "waf web-protection-profile autolearning-profile" on page 1.
    Default: pass

host "<protected-hosts_name>"
    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 256 characters.
    This setting is used only if host-status {enable | disable} on page 612 is enable.
    Default: none.

host-status {enable | disable}
    Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the rule. Also configure host "<protected-hosts_name>" on page 612.
    Default: disable

severity {Informative | Low | Medium | High | Info}
    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when a blocklisted IP address attempts to connect to your web servers:
    - Informative
    - Low
    - Medium
    - High
    - Info
    Default: Low

trigger "<trigger-policy_name>"
    Select which trigger, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a blocklisted IP address’s attempt to connect to your web servers. The maximum length is 63 characters. For details, see log trigger-policy on page 93.
    To display the list of existing trigger policies, enter:
    set trigger ?
    Default: none.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: none.

sip-address-check {enable | disable}
    Enable to add the client’s source IP address as a criterion for matching the URL access rule. Also configure sip-address-type {sip | sdomain | source-domain} on page 613 and the specific settings for each source address type.
    Default: disable

sip-address-type {sip | sdomain | source-domain}
    - sip—Configure sip-address-value "<client_ip>" on page 613.
    - sdomain—Configure sdomain-type {"<ipv4>" | "<ipv6>"} on page 613 and sip-address-domain "<fqdn_str>" on page 613.
    - source-domain—Configure source-domain-type {simple-string | regex-expression} on page 613 and source-domain "<source-domain_str>" on page 614.
    Default: sip

sip-address-value "<client_ip>"
    Enter one of the following values:
    - A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 172.16.1.20).
    - A range of addresses (e.g. 1.2.3.4,2001::1,1.2.3.4-1.2.3.40,2001::1-2001::100).
    Available only if sip-address-type {sip | sdomain | source-domain} on page 613 is sip.
    Default: 0.0.0.0

sdomain-type {"<ipv4>" | "<ipv6>"}
    Specifies the type of IP address FortiWeb retrieves from the DNS lookup of the domain specified by sip-address-domain "<fqdn_str>" on page 613.
    Available only if sip-address-type {sip | sdomain | source-domain} on page 613 is sdomain.
    Default: none.

sip-address-domain "<fqdn_str>"
    Specifies the domain to match the client source IP after DNS lookup.
    Available only if sip-address-type {sip | sdomain | source-domain} on page 613 is sdomain.
    Default: none.

source-domain-type {simple-string | regex-expression}
    - simple-string—source-domain specifies a literal domain.
    - regex-expression—source-domain specifies a regular expression that is designed to match multiple domains.
    Available only if sip-address-type {sip | sdomain | source-domain} on page 613 is source-domain.
    Default: simple-string

source-domain "<source-domain_str>"
    Enter a literal domain or a regular expression that is designed to match multiple domains.
    Available only if sip-address-type {sip | sdomain | source-domain} on page 613 is source-domain.
    Default: none.

reverse-dns-timeout <int>
    Limits how long FortiWeb waits for the reverse DNS lookup of an IP address, so that processing does not hang for a long time. The unit is 0.01 second (10 milliseconds); for example, a value of 10 means 0.1 second.
    The valid range is 0–600. 0 means the process is not blocked by the reverse DNS lookup.
    This option is available only when sip-address-check is enabled and sip-address-type is source-domain.
    Default: 10

type {regex-expression | simple-string}
    Select how to use the text in reg-exp "<object_pattern>" on page 614 to determine whether or not a request URL meets the conditions for this rule.
    - simple-string—The text is a string that request URLs must match exactly.
    - regex-expression—The text is a regular expression that defines a set of matching URLs.
    Default: none.

reg-exp "<object_pattern>"
    Depending on your selection in type {regex-expression | simple-string} on page 614 and reverse-match {yes | no} on page 615, type a regular expression that defines either all matching or all non-matching URLs. Then, also configure reverse-match {yes | no} on page 615.
    For example, for the URL access rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, for reverse-match, enter no.
    The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters.
    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}.
    Default: none.

url-access-parameter
    Enter the URL access parameter rule that you created with config waf url-access-parameter.
    Default: none.

only-method {get | post | head | options | trace | connect | delete | put | patch | webdav | rpc | others}
    Select the HTTP methods. Only requests with the specified HTTP methods will match.
    Default: none.

only-protocol {http | https | ws | wss}
    Select the protocols. Only requests with the specified protocols will match.
    Default: none.

reverse-match {yes | no}
    Indicate how to use reg-exp "<object_pattern>" on page 614 when determining whether or not this rule’s condition has been met.
    - no—If the simple string or regular expression does match the request URL, the condition is met.
    - yes—If the simple string or regular expression does not match the request URL, the condition is met. The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).
    Default: no

Example

This example defines two sets of URL access rules.
The first set, Blocked URL, defines two URL match conditions: one uses a simple string to match an administrative page, and the other uses a regular expression to match a set of dynamic URLs for statistics pages.
The second set, Allowed URL, defines a single match condition that uses a regular expression to match all dynamic forms of the index page.
Actual blocking or allowing of the URLs, however, does not occur until a policy applies these URL access rules and sets an action that the FortiWeb appliance performs when an HTTP request matches either rule set.
config waf url-access url-access-rule
    edit "Blocked URL"
        config match-condition
            edit 1
                set type simple-string
                set reg-exp "/admin.php"
            next
            edit 2
                set type regular-expression
                set reverse-match no
                set reg-exp "statistics.php*"
            next
        end
    next
    edit "Allowed URL"
        config match-condition
            edit 1
                set type regular-expression
                set reverse-match no
                set reg-exp "index.php*"
            next
        end
    next
end
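
The matching semantics described in the variable table and exercised by the example above can be checked by running them. The following Python is an added example for this reference, not FortiWeb code: it evaluates a list of rules whose condition keys reuse the CLI option names (type, reg-exp, reverse-match, only-method, only-protocol, sip-address-check, sip-address-value). The model treats the conditions inside one rule as alternatives (as the "Blocked URL" example implies) and tries rules in the order listed; both are assumptions of the model, as are the rule names, addresses and request shape. The sip-address-value parser handles the single-address and range forms listed for that option; the sdomain and source-domain types need DNS and are left out.

```python
"""Executable model of FortiWeb URL access rule matching (added example; not
FortiWeb code). Condition keys reuse the CLI option names from the reference.
Only sip-address-type sip (literal addresses and ranges) is modelled."""
import ipaddress
import re


def parse_sip_value(value):
    """Parse the sip-address-value format: a comma-separated list of single
    addresses and start-end ranges, IPv4 and IPv6 mixed, e.g.
    '1.2.3.4,2001::1,1.2.3.4-1.2.3.40,2001::1-2001::100'."""
    ranges = []
    for item in value.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p) for p in item.split("-", 1))
        else:
            lo = hi = ipaddress.ip_address(item)
        ranges.append((lo, hi))
    return ranges


def ip_in_ranges(ip, ranges):
    """True when ip falls inside any parsed range. The address family is
    checked first: comparing IPv4 with IPv6 objects raises TypeError."""
    addr = ipaddress.ip_address(ip)
    return any(lo.version == addr.version and lo <= addr <= hi
               for lo, hi in ranges)


def condition_met(cond, request):
    """Evaluate one match-condition entry against a request dict with keys
    url, method, protocol and client_ip (constructed shape for this model)."""
    if cond.get("sip-address-check") == "enable":
        if not ip_in_ranges(request["client_ip"],
                            parse_sip_value(cond["sip-address-value"])):
            return False
    # only-method / only-protocol narrow the condition; unset means "any".
    if cond.get("only-method") and request["method"].lower() not in cond["only-method"]:
        return False
    if cond.get("only-protocol") and request["protocol"].lower() not in cond["only-protocol"]:
        return False
    pattern = cond["reg-exp"]
    if cond.get("type", "simple-string") == "simple-string":
        hit = request["url"] == pattern                        # exact match
    else:
        hit = re.search(pattern, request["url"]) is not None  # no leading / needed
    # reverse-match yes inverts the test; the reference gives this as the
    # replacement for a leading "!" in the expression, which is unsupported.
    return not hit if cond.get("reverse-match", "no") == "yes" else hit


def first_matching_rule(rules, request):
    """Return (rule name, action) of the first rule whose conditions match,
    or None when no rule matches. Model assumptions: conditions within a rule
    are alternatives, and rules are tried in the order given."""
    for rule in rules:
        if any(condition_met(c, request) for c in rule["match-condition"]):
            return rule["name"], rule["action"]
    return None


# Constructed rule set; names and addresses are illustrative only.
RULES = [
    {"name": "Admin from management net", "action": "pass",
     "match-condition": [
         {"type": "regex-expression", "reg-exp": "^/admin",
          "sip-address-check": "enable",
          "sip-address-value": "172.16.1.20,10.0.0.0-10.0.0.255"}]},
    {"name": "Blocked URL", "action": "alert_deny",
     "match-condition": [
         {"type": "simple-string", "reg-exp": "/admin.php"},
         {"type": "regex-expression", "reg-exp": "statistics.php*",
          "reverse-match": "no"}]},
    {"name": "Unwanted methods", "action": "deny_no_log",
     "match-condition": [
         {"type": "regex-expression", "reg-exp": "^/",
          "only-method": ["put", "delete", "trace"]}]},
]


def request(url, method="GET", protocol="https", client_ip="203.0.113.9"):
    """Build a constructed request for the model."""
    return {"url": url, "method": method, "protocol": protocol,
            "client_ip": client_ip}


if __name__ == "__main__":
    for req in (request("/admin.php", client_ip="172.16.1.20"),
                request("/admin.php"),
                request("/stats/statistics.php?day=1"),
                request("/index.php", method="TRACE"),
                request("/index.php")):
        print(req["method"], req["url"], req["client_ip"], "->",
              first_matching_rule(RULES, req))
```

Because the first rule only matches when the source address is inside the management ranges, the same /admin.php request is passed from 172.16.1.20 and falls through to the "Blocked URL" rule from any other address, which is the ordering the command's introduction recommends for administrative panels.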

Related topics

- waf web-protection-profile inline-protection on page 636
- waf web-protection-profile offline-protection on page 645
- waf url-access url-access-policy on page 606

waf url-rewrite url-rewrite-policy

Use this command to group URL rewrite rules.
Before you can configure a URL rewrite group, you must first configure any URL rewriting rules that you want to include. For details, see waf url-rewrite url-rewrite-rule on page 617.
To apply a URL rewriting group, select it in an inline protection profile. For details, see waf web-protection-profile inline-protection on page 636.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf url-rewrite url-rewrite-policy
    edit "<url-rewrite-group_name>"
        config rule
            edit <entry_index>
                set url-rewrite-rule-name "<url-rewrite-rule_name>"
            next
        end
    next
end

Variable Description Default

"<url-rewrite-group_name>"
    Enter the name of the URL rewriting rule group. The maximum length is 63 characters.
    To display the list of existing groups, enter:
    edit ?
    Default: none.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: none.

url-rewrite-rule-name "<url-rewrite-rule_name>"
    Enter the name of an existing URL rewriting rule that you want to include in the group. The maximum length is 63 characters.
    Default: none.


Related topics

- waf url-rewrite url-rewrite-rule on page 617
- waf web-protection-profile inline-protection on page 636

waf url-rewrite url-rewrite-rule

Use this command to configure URL rewrite rules or to redirect requests.

Rewriting or redirecting HTTP requests and responses is common, and can be done for many reasons.
Similar to error message cloaking, URL rewriting can prevent the disclosure of underlying technology or website structures to HTTP clients.
For example, when visiting a blog web page, its URL might be:
HTTP://www.example.com/wordpress/?feed=rss2

Simply knowing the file name, that the blog uses PHP, its compatible database types, and the names of parameters via the URL could help an attacker to craft an appropriate attack for that platform. By rewriting the URL to something more human-readable and less platform-specific, the details can be hidden:
HTTP://www.example.com/rss2

Aside from security, rewriting and redirects can be done for aesthetic or business reasons. Financial institutions can transparently redirect customers that accidentally request HTTP:
HTTP://bank.example.com/login

to authenticate and do transactions on their secured HTTPS site:
HTTPs://bank.example.com/login

Additional uses could include:
- During maintenance windows, requests can be redirected to a read-only server.
- International customers can use global URLs, with no need to configure the back-end web servers to respond to additional HTTP virtual host names.
- Shorter URLs with easy-to-remember phrases and formatting are easier for customers to understand, remember, and return to.

Much more than their name implies, “URL rewriting rules” can do all of those things, and more:
- Redirect HTTP requests to HTTPS
- Rewrite the URL line in the header of an HTTP request
- Rewrite the Host: field in the header of an HTTP request
- Rewrite the Referer: field in the header of an HTTP request
- Redirect requests to another website
- Send a 403 Forbidden response to matching HTTP requests
- Rewrite the HTTP Location: line in the header of a matching redirect response from the web server
- Rewrite the body of an HTTP response from the web server

Rewrites/redirects are not supported in all modes. For details, see the FortiWeb Administration Guide:
HTTPs://docs.fortinet.com/fortiweb/admin-guides

To use a URL rewriting rule, add it to a policy. For details, see waf url-rewrite url-rewrite-policy on page 616.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf url-rewrite url-rewrite-rule
    edit "<url-rewrite-rule_name>"
        set action {403-forbidden | redirect | redirect-301 | HTTP-body-rewrite | HTTP-header-rewrite | HTTP-response-header-rewrite}
        set host {<server_fqdn> | <server_ipv4> | <host_pattern>}
        set host-status {enable | disable}
        set host-use-pserver {enable | disable}
        set url "<replacement-url_str>"
        set url-status {enable | disable}
        set referer-status {enable | disable}
        set referer "<referer-url_str>"
        set referer-use-pserver {enable | disable}
        config header-insert
            edit <entry_index>
                set header-name "<header-name_str>"
                set header-value "<header-value_str>"
            next
        end
        set body_replace "<replacement_str>"
        set location "<location_str>"
        set location-status {enable | disable}
        set location_replace "<location_str>"
        set header-response-status {enable | disable}
        config response-header-removal
            edit <entry_index>
                set response-removel-header-name <string>
            next
        end
        config response-header-insert
            edit <entry_index>
                set response-header-name <string>
                set response-header-value <string>
            next
        end
        config match-condition
            edit <entry_index>
                set object {HTTP-host | HTTP-reference | HTTP-url}
                set protocol-filter {enable | disable}
                set protocol {HTTP | HTTPs}
                set reg-exp "<object_pattern>"
                set reverse-match {yes | no}
                set content-filter {enable | disable}
                set content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript}
                set is-essential {yes | no}
            next
        end
    next
end

Variable Description Default

"<url-rewrite-rule_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: none.

action {403-forbidden | redirect | redirect-301 | HTTP-body-rewrite | HTTP-header-rewrite | HTTP-response-header-rewrite}
    Specify one of the following values:
    - 403-forbidden—Send a 403 (Forbidden) response to the client.
    - redirect—Send a 302 (Moved Temporarily) response to the client, with a new Location: field in the HTTP header.
    - redirect-301—Send a 301 (Moved Permanently) response to the client, with a new Location: field in the HTTP header.
    - HTTP-body-rewrite—Replace the specific HTTP content in the body of responses.
    - HTTP-header-rewrite—Rewrite the host, referer and request URL fields in the HTTP header.
    - HTTP-response-header-rewrite—Rewrite the HTTP header or body in the response packet.
    The following rows list the configurations when different actions are selected.
    Default: HTTP-header-rewrite

HTTP-header-rewrite

header-name "<header-name_str>"
    Enter the name of the header field that you want to insert into a request, such as "Myheader."
    You can add up to 10 headers in the insertion list.
    Default: none.

header-value "<header-value_str>"
    Enter the value of the header field that you specified in header-name "<header-name_str>", such as "123." Then, the customized header Myheader: 123 will be inserted into the matched HTTP requests.
    Default: none.

host {<server_fqdn> | <server_ipv4> | <host_pattern>}
    Type the FQDN of the host, such as store.example.com, to which the request will be redirected. The maximum length is 256 characters.
    This option is available only when host-status {enable | disable} on page 620 is enabled.
    This field supports back references such as $0 to the parts of the original request that matched any capture groups that you entered in reg-exp "<object_pattern>" on page 622 for each object in the condition table. (A capture group is a regular expression, or part of one, surrounded in parentheses.)
    Use $n (0 <= n <= 9) to invoke a substring, where n is the order of appearance of the regular expression, from left to right, from outside to inside, then from top to bottom.
    For example, regular expressions in the condition table in this order:
    (a)(b)(c(d))(e)
    (f)
    would result in invokable variables with the following values:
    - $0—a
    - $1—b
    - $2—cd
    - $3—d
    - $4—e
    - $5—f
    Default: none.

host-status {enable | disable}
    Enable to rewrite the Host: field or host name part of the Referer: field.
    When disabled, the FortiWeb appliance preserves the value from the client’s request when rewriting it.
    Default: disable

host-use-pserver {enable | disable}
    Enable this when you have a server farm for server balance or content routing. In this case you do not know which server in the server farm the FortiWeb appliance will use. When FortiWeb processes the request, it sets the value for the actual host.
    This option is available only when host-status {enable | disable} on page 620 is enabled. Any setting you make for host is ignored.
    Default: disable

url "<replacement-url_str>"
    Enter the string, such as /catalog/item1, that will replace the request URL. The maximum length is 256 characters.
    This option is available only when url-status {enable | disable} on page 620 is enabled.
    Do not include the name of the web host, such as www.example.com, nor the protocol, which are configured separately in host {<server_fqdn> | <server_ipv4> | <host_pattern>} on page 619.
    Like host, this field supports back references such as $0 to the parts of reg-exp "<object_pattern>" on page 622 for each object in the condition table.
    For an example, see the FortiWeb Administration Guide:
    HTTPs://docs.fortinet.com/fortiweb/admin-guides
    Default: none.

url-status {enable | disable}
    Enable to rewrite the URL part of the request URL.
    If you disable this option, the FortiWeb appliance preserves the value from the client’s request when it rewrites it.
    Default: disable

referer-status {enable | disable}
    Enable to rewrite the Referer: field in the HTTP header. Also configure referer "<referer-url_str>" on page 621 and referer-use-pserver {enable | disable} on page 621.
    Default: disable

referer-use-pserver {enable | disable}
    Enable this when you have a server farm for server balance or content routing. In this case you do not know which server in the server farm the FortiWeb appliance will use. When FortiWeb processes the request, it sets the value for the actual referrer.
    This option is available only when referer-status {enable | disable} on page 621 is enabled. Any setting you make for referer "<referer-url_str>" on page 621 is ignored.
    Default: disable

referer "<referer-url_str>"
    Enter the replacement value for the Referer: field in the HTTP header. The maximum length is 256 characters.
    This option is available only when referer-status {enable | disable} on page 621 is enabled.
    Default: none.

redirect | redirect-301

location "<location_str>"
    Enter the URL string that provides a location for use in a 301 or 302 HTTP redirection when the HTTP request matches. The maximum length is 256 characters.
    Default: none.

HTTP-response-header-rewrite

location-status {enable | disable}
    Enable to configure location_replace.
    Default: disable

location_replace "<location_str>"
    Enter the replacement value for the Location: field in the HTTP header of the response. The maximum length is 256 characters.
    Default: none.

header-response-status {enable | disable}
    Enable to configure HTTP header insertion when the HTTP response matches.
    Default: disable

response-header-name <string>
    Type the header name that you want to insert into the HTTP response. You can add up to 10 headers in the insertion list.
    Default: none.

response-header-value <string>
    Type the value of the header field.
    Default: none.

<entry_index>
    The index number of the header removal item.
    Default: none.

response-removel-header-name <string>
    The name of the header that you want to remove. Up to 10 header names can be added in the removal list.
    Default: none.

HTTP-body-rewrite

body_replace "<replacement_str>"
    Enter the value that will replace matching HTTP content in the body of responses. The maximum is 256 characters.
    For an example, see the FortiWeb Administration Guide:
    HTTPs://docs.fortinet.com/fortiweb/admin-guides
    Default: none.

Match Conditions

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: none.

object {HTTP-host | HTTP-reference | HTTP-url}
    Select which part of the HTTP request to test for a match:
    - HTTP-host
    - HTTP-url
    - HTTP-reference (the Referer: field)
    If the request must match multiple conditions (for example, it must contain both a matching Host: field and a matching URL), add each object match condition to the condition table separately.
    Default: HTTP-host

protocol-filter {enable | disable}
    Enable if you want to match this condition only for either HTTP or HTTPS. Also configure protocol {HTTP | HTTPs}.
    For example, you could redirect clients that accidentally request the login page by HTTP to a more secure HTTPS channel—but the redirect is not necessary for HTTPS requests.
    As another example, if URLs in HTTPS requests should be exempt from rewriting, you could configure the rewriting rule to apply only to HTTP requests.
    Default: disable

protocol {HTTP | HTTPs}
    Select the protocol to use.
    Default: HTTP

reg-exp "<object_pattern>"
    Depending on your selection in object {HTTP-host | HTTP-reference | HTTP-url} on page 622 and reverse-match {yes | no} on page 623, type a regular expression that defines either all matching or all non-matching Host: fields, URLs, or Referer: fields. Then, also configure reverse-match {yes | no}.
    For example, for the URL rewriting rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in reverse-match {yes | no}, select no.
    The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters.
    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}.
    Default: none.

reverse-match {yes | no}
    Indicate how to use reg-exp "<object_pattern>" on page 622 when determining whether or not this URL rewriting condition has been met.
    - no—If the regular expression does match the request object, the condition is met.
    - yes—If the regular expression does not match the request object, the condition is met. The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).
    If all conditions are met, the FortiWeb appliance will do your selected action {403-forbidden | redirect | redirect-301 | HTTP-body-rewrite | HTTP-header-rewrite | HTTP-response-header-rewrite}.
    Default: no

content-filter {enable | disable}
    Enable if you want to match this condition only for specific HTTP content types (also called Internet or MIME file types) such as text/html, as indicated in the Content-Type: HTTP header. Also configure content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript} on page 623.
    Default: disable

content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript}
    Enter the HTTP content types that you want to match in a space-delimited list, such as:
    set content-type-set text/html text/plain
    Default: none.

is-essential {yes | no}
    Select what to do if there is no Referer: field, either:
    - no—Meet this condition.
    - yes—Do not meet this condition.
    Requests can lack a Referer: field for several reasons, such as if the user manually types the URL, and the request does not result from a hyperlink from another website, or if the URL resulted from an HTTPS connection. In those cases, the field cannot be tested for a matching value. For details, see the RFC 2616 section on the Referer: field (HTTP://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).
    This option appears only if object {HTTP-host | HTTP-reference | HTTP-url} on page 622 is HTTP-reference.
    Default: yes
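
The back-reference numbering in the host row and the condition logic in the Match Conditions rows are easiest to verify by running them. The Python below is an added example for this reference, not FortiWeb code: it numbers capture groups across the whole condition table (left to right, outside to inside, then top to bottom), reproduces the (a)(b)(c(d))(e) / (f) example from the host row, and applies a constructed HTTP-header-rewrite rule that serves the /wordpress/?feed=rss2 URL from the command's introduction under the shorter /rss2. The treatment of protocol-filter, reverse-match, is-essential and the *-status options follows the rows above; the function names, the request dictionary shape and the host names are this example's own assumptions.

```python
"""Model of how FortiWeb URL rewriting rules evaluate their condition table
and number back references (added example; not FortiWeb code). Condition keys
reuse the CLI option names: object, reg-exp, reverse-match, protocol-filter,
protocol, is-essential."""
import re


def make_request(host, url, protocol="https", referer=None):
    """Constructed request shape for this model; keys match the values of the
    object option so a condition can look up the part it tests."""
    return {"HTTP-host": host, "HTTP-url": url, "HTTP-reference": referer,
            "protocol": protocol}


def capture_groups(conditions, request):
    """Return the substrings $0..$n take when every condition is met, or None
    when any condition fails (all conditions must be met). Python's re numbers
    groups by the position of the opening parenthesis, which is exactly "left
    to right, outside to inside"; appending each condition's groups in table
    order gives "top to bottom"."""
    groups = []
    for cond in conditions:
        if cond.get("protocol-filter") == "enable" and \
                cond.get("protocol", "HTTP").lower() != request["protocol"].lower():
            return None
        subject = request[cond.get("object", "HTTP-host")]
        if subject is None:
            # No Referer: field: is-essential yes (the default) fails the
            # condition; is-essential no meets it without any captures.
            if cond.get("is-essential", "yes") == "yes":
                return None
            continue
        m = re.search(cond["reg-exp"], subject)
        reverse = cond.get("reverse-match", "no") == "yes"
        met = (m is None) if reverse else (m is not None)
        if not met:
            return None
        if m is not None:
            groups.extend(m.groups())
    return groups


def expand(template, groups):
    """Substitute $0..$9 in a host or url replacement string. A number with
    no captured text expands to the empty string."""
    def repl(m):
        n = int(m.group(1))
        return groups[n] if n < len(groups) and groups[n] is not None else ""
    return re.sub(r"\$([0-9])", repl, template)


def apply_rule(rule, request):
    """For an HTTP-header-rewrite rule, return the rewritten (host, url), or
    None if the condition table is not fully met. A field whose *-status
    option is not enabled keeps the client's value, as the table states."""
    groups = capture_groups(rule["match-condition"], request)
    if groups is None:
        return None
    host, url = request["HTTP-host"], request["HTTP-url"]
    if rule.get("host-status") == "enable":
        host = expand(rule["host"], groups)
    if rule.get("url-status") == "enable":
        url = expand(rule["url"], groups)
    return host, url


def numbering_demo():
    """The reference's example: (a)(b)(c(d))(e) in the first row and (f) in
    the second give $0..$5 = a, b, cd, d, e, f."""
    conds = [{"object": "HTTP-url", "reg-exp": "(a)(b)(c(d))(e)"},
             {"object": "HTTP-host", "reg-exp": "(f)"}]
    return capture_groups(conds, make_request("f", "abcde"))


# Constructed rule: clients request /rss2 or /atom on www.example.com over
# HTTPS; the request forwarded to the server becomes /wordpress/?feed=<name>.
# $0 is the host capture (first row), $1 the url capture (second row).
HIDE_WORDPRESS = {
    "action": "HTTP-header-rewrite",
    "host-status": "enable", "host": "blog-backend.example.com",
    "url-status": "enable", "url": "/wordpress/?feed=$1",
    "match-condition": [
        {"object": "HTTP-host", "reg-exp": r"^(www)\.example\.com$"},
        {"object": "HTTP-url", "reg-exp": r"^/(rss2|atom)$",
         "protocol-filter": "enable", "protocol": "HTTPs"},
    ],
}

if __name__ == "__main__":
    print(numbering_demo())
    print(apply_rule(HIDE_WORDPRESS, make_request("www.example.com", "/rss2")))
    print(apply_rule(HIDE_WORDPRESS,
                     make_request("www.example.com", "/rss2", protocol="http")))
```

Note that a rule's conditions are all required (unlike the alternatives in a URL access rule), so the plain-HTTP request in the last call returns None: the protocol-filter row fails and no rewrite happens, which is the "exempt HTTPS" use the protocol-filter row describes, in reverse.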

Related topics

- waf url-rewrite url-rewrite-policy on page 616

waf user-tracking policy

Use this command to group user tracking rules, which track sessions by user and capture a username to reference in
traffic and attack log messages.
Before you configure a user-tracking policy, define the rules to add. For details, see waf user-tracking rule on page 625.
To apply a user tracking policy, you select it in an inline or Offline Protection profile. For details, see waf web-protection-
profile inline-protection on page 636 and waf web-protection-profile offline-protection on page 645.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf user-tracking policy
    edit "<user-tracking-policy_name>"
        config input-rule-list
            edit <entry_index>
                set input-rule "<input-rule_name>"
            next
        end
    next
end

Variable Description Default

"<user-tracking-policy_name>"
    Enter the name of a new or existing policy. The maximum length is 63 characters.
    To display the list of existing policies, enter:
    edit ?
    Default: none.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: none.

input-rule "<input-rule_name>"
    Enter the name of an existing rule.
    Default: none.

waf user-tracking rule

Use this command to configure FortiWeb to track sessions by user and capture a username to reference in traffic and
attack log messages.
When FortiWeb detects users that match the criteria that you specify in a user tracking policy, it stores the session ID
and username.
To apply a user tracking rule, add it to a user tracking policy that you can select in an inline or Offline Protection profile.
For details, see waf user-tracking policy on page 624.
You can apply a user tracking policy using either an inline or Offline Protection profile. However, Session Fixation
Protection, Session Timeout, Limit Concurrent Users per Account, and Credential Stuffing Defense are not supported in
Offline Protection mode.
You can also use the user tracking feature to create a filter in a custom rule that matches specific users. This type of
custom rule requires you to create a user tracking policy and apply it to the protection profile that uses the custom rule.
For details, see waf custom-access rule on page 425.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf user-tracking rule
  edit "<rule_name>"
    set hostname-ip "<hostname-ip_str>"
    set host-status {enable | disable}
    set authentication-url "<url_str>"
    set username-parameter "<username_str>"
    set password-parameter "<password_str>"
    set session-id-name "<session-id_str>"
    set logoff-path "<logoff_str>"
    set session-fixation-protection {enable | disable}
    set limit-users {enable | disable}
    set maximum-users <maximum-users_int>
    set session-idle-timeout <session-idle-timeout_int>
    set session-timeout-enable {enable | disable}
    set session-timeout-enforcement {enable | disable}
    set session-timeout <timeout_int>
    set session-frozen-time <frozen-time_int>
    set session-frozen-action {alert | alert_deny | redirect | block-period | deny_no_log}
    set session-frozen-block-period <block-period_int>
    set session-frozen-severity {High | Medium | Low | Info}
    set session-frozen-trigger "<trigger-policy_name>"
    set default-action {failed | success}
    set credential-stuffing-protection {enable | disable}
    config match-condition
      edit <entry_index>
        set authentication-result-type {failed | success}
        set HTTP-match-target {return-code | response-body | redirect-url}
        set value-type {plain | regular}
        set value "<value-str>"
      next
    end
  next
end

"<rule_name>"
    Enter a name that identifies the rule. You will use this name to reference the rule in other parts of the configuration. The maximum length is 63 characters.
    Default: No default.

hostname-ip "<hostname-ip_str>"
    Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the rule.
    Available only when host-status {enable | disable} is enable.
    Default: No default.

host-status {enable | disable}
    Enable to require that the Host: field of the HTTP request match a protected host names entry in order to match the rule.
    Also configure hostname-ip "<hostname-ip_str>".
    Default: disable

authentication-url "<url_str>"
    Enter the URL to match in authorization requests.
    Ensure that the value begins with a forward slash ( / ).
    Default: No default.

username-parameter "<username_str>"
    Enter the name of the username field (parameter) to match in authorization requests.
    Default: No default.

password-parameter "<password_str>"
    Enter the name of the password field (parameter) to match in authorization requests.
    Default: No default.

session-id-name "<session-id_str>"
    Enter the name of the session ID that is used to identify each session.
    Examples of session ID names are sid, PHPSESSID, and JSESSIONID.
    To track users with JSON format login credentials, enter here the name of the API token in the response data that users will use to access server resources in API queries.
    Default: No default.

logoff-path "<logoff_str>"
    Optionally, enter the URL of the request that a client sends to log out of the application.
    When the client sends this URL, FortiWeb stops tracking the user session.
    Ensure that the value begins with a forward slash ( / ).
    Default: No default.

session-fixation-protection {enable | disable}
    Enter enable to configure FortiWeb to erase session IDs from the cookie and argument fields of a matching login request.
    FortiWeb erases the IDs for non-authenticated sessions only.
    For web applications that do not renew the session cookie when a user logs in, it is possible for an attacker to trick a user into authenticating with a session ID that the attacker acquired earlier. This feature prevents the attacker from accessing the web app in an authenticated session.
    When this feature removes session IDs, FortiWeb does not generate a log message because it is very common for a legitimate user to access a web application using an existing cookie. For example, a client who leaves his or her web browser open between sessions presents the cookie from an earlier session.
    Caution: This option is not supported in Offline Protection mode.
    Default: disable

limit-users {enable | disable}
    Enable to limit the number of concurrent logins per account.
    Default: disable

maximum-users <maximum-users_int>
    Specify the maximum number of concurrent logins using the same account.
    Default: 1

session-idle-timeout <session-idle-timeout_int>
    When a session has been idle for the specified period of time, the concurrent users count is renewed, and the timed-out user needs to log in again. The valid range is 1–1440.
    Default: 30

session-timeout-enable {enable | disable}
    Enable to set the time in minutes that FortiWeb waits before it stops tracking an inactive user session.
    Default: disable

session-timeout-enforcement {enable | disable}
    Enter enable to configure FortiWeb to remove the session ID for user sessions that are idle for longer than the length of time specified by session-timeout. When a session is reset, the client has to log in again to access the back-end server.
    If a session exceeds the timeout threshold, instead of tracking subsequent matching sessions by user, FortiWeb takes the specified action for a length of time specified by session-frozen-time.
    Default: disable

session-timeout <timeout_int>
    Enter the length of time in minutes that FortiWeb waits before it stops tracking an inactive user session.
    The valid range is 1–60.
    Default: 30
Variable Description Default

session-frozen-time <frozen-time_int>
    Enter the length of time after a session exceeds the timeout threshold that FortiWeb takes the specified action against requests with the ID of the timed-out session.
    After the freeze time has elapsed, FortiWeb removes the session ID for idle sessions but no longer takes the specified action.
    Available only when session-timeout-enforcement {enable | disable} on page 627 is enable.
    Default: 30

session-frozen-action {alert | alert_deny | redirect | block-period | deny_no_log}
    When session-timeout-enforcement {enable | disable} on page 627 is enable, enter the action that FortiWeb takes against requests with the ID of a timed-out session during the specified time period. When credential-stuffing-protection {enable | disable} on page 629 is enabled, enter the action that FortiWeb takes against spilled username/password pairs:
    • alert—Accept the request and generate an alert email and/or log message.
    • alert_deny—Block the request and generate an alert email and/or log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see "system replacemsg" on page 1.
      Note: In Offline Protection mode, because the deny action is not supported, this option has the same effect as alert.
    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message. Also configure redirect-url <redirect_fqdn> and rdt-reason {enable | disable}.
      Caution: This option is not supported in Offline Protection mode.
    • block-period—Block subsequent requests from the client for a specified number of seconds.
    • deny_no_log—Deny the request. Do not generate a log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see "system replacemsg" on page 1.
      Caution: This option is not supported in Offline Protection mode.
    When the action generates a log message, the message field value is Session Timeout Enforcement: triggered by user <username>.
    Available only when session-timeout-enforcement {enable | disable} on page 627 or credential-stuffing-protection {enable | disable} on page 629 is set to enable.
    Default: alert

session-frozen-block-period <block-period_int>
    Enter the number of seconds to block requests with the ID of a timed-out session, or, when credential-stuffing-protection {enable | disable} on page 629 is enabled and detects spilled username/password pairs, the number of seconds to block those requests.
    This setting is available only if session-frozen-action {alert | alert_deny | redirect | block-period | deny_no_log} on page 628 is block-period. The valid range is 1–3,600 seconds.
    Default: 600

session-frozen-severity {High | Medium | Low | Info}
    When the session timeout settings generate an attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb uses when it takes the specified action:
    • Low
    • Medium
    • High
    • Info
    Available only when session-timeout-enforcement {enable | disable} on page 627 or credential-stuffing-protection {enable | disable} on page 629 is set to enable.
    Default: Low

session-frozen-trigger "<trigger-policy_name>"
    Enter the name of the trigger, if any, to apply when FortiWeb detects requests with the ID of a timed-out session or when credential-stuffing-protection is enabled and FortiWeb detects spilled username/password pairs. The maximum length is 63 characters.
    For details, see log trigger-policy on page 93.
    To display the list of existing triggers, enter:
    set session-frozen-trigger ?
    Default: No default.

default-action {failed | success}
    Enter the authentication result that FortiWeb associates with requests that match the criteria but do not match an entry in the Authentication Result Condition Table.
    When the login result is successful, FortiWeb tracks the session using the session ID and username values.
    Default: failed

credential-stuffing-protection {enable | disable}
    Enable to use FortiGuard's Credential Stuffing Defense database to protect against Credential Stuffing attacks.
    For details, see the FortiWeb Administration Guide: HTTPs://docs.fortinet.com/fortiweb/admin-guides
    Default: disable

<entry_index>
    Enter the index number of the individual entry in the table.
    Default: No default.

authentication-result-type {failed | success}
    Specify the status FortiWeb assigns to user logins that match this table item: failed or successful.
    FortiWeb tracks sessions by user only when the status is successful.
    If the request does not match any rules in this table, FortiWeb uses the value specified by default-action {failed | success} on page 629.
    Default: success

HTTP-match-target {return-code | response-body | redirect-url}
    Select the location of the value to match with the string or regular expression specified in this table item: return-code, response-body, or redirect-url.
    Default: return-code

value-type {plain | regular}
    Indicate whether value is a simple string (plain) or a regular expression (regular).
    Default: plain

value "<value-str>"
    Enter the value to match.
    Default: No default.

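The session-fixation-protection behaviour described in the table above, modelled as an added Python example (this is not FortiWeb code): a constructed back end that binds a login to whatever session ID the client presents, and a front-end guard that erases the session ID from the Cookie header and the URL arguments of a request to the authentication URL unless that ID belongs to a session already seen to authenticate. The login URL /login2 and the session ID name jsessionid are taken from the Example on this page; the credential check, the session ID format and the rule that return code 200 means a successful login are constructed assumptions.

```python
"""Model of session-fixation-protection in front of a login URL.

Added example, not FortiWeb code. The back end below is deliberately weak: it
keeps whatever session ID the client presents at login, which is the weakness
the FortiWeb option covers by stripping IDs of sessions that have not authenticated.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LOGIN_URL = "/login2"            # authentication-url, from this page's Example
SESSION_ID_NAME = "jsessionid"   # session-id-name, from this page's Example


class FixatableApp:
    """Constructed back end that does not renew the session ID at login."""

    def __init__(self):
        self.sessions = {}   # session id -> username, or None until login succeeds
        self.issued = 0

    def handle(self, method, url, headers, body=""):
        parts = urlsplit(url)
        cookie = SimpleCookie(headers.get("Cookie", ""))
        args = dict(parse_qsl(parts.query))
        # The app accepts the ID from a cookie or, failing that, from a URL argument.
        sid = cookie[SESSION_ID_NAME].value if SESSION_ID_NAME in cookie else args.get(SESSION_ID_NAME)
        if sid not in self.sessions:           # unknown or absent ID: mint a new one
            self.issued += 1
            sid = f"S{self.issued:04d}"        # constructed ID format
            self.sessions[sid] = None
        status = 200
        if method == "POST" and parts.path == LOGIN_URL:
            form = dict(parse_qsl(body))
            if form.get("pass") == "correct-horse":   # constructed credential check
                self.sessions[sid] = form.get("user")  # weakness: same ID kept after login
            else:
                status = 403
        return {"status": status, "sid": sid}


class FixationGuard:
    """Erases the session ID from login requests unless it is already authenticated,
    and records which IDs have authenticated (return code 200 = success, as in the Example)."""

    def __init__(self, app):
        self.app = app
        self.authenticated = set()

    def handle(self, method, url, headers, body=""):
        parts = urlsplit(url)
        headers = dict(headers)
        if parts.path == LOGIN_URL:
            cookie = SimpleCookie(headers.get("Cookie", ""))
            if SESSION_ID_NAME in cookie and cookie[SESSION_ID_NAME].value not in self.authenticated:
                del cookie[SESSION_ID_NAME]    # cookie field: drop the unauthenticated ID
            headers["Cookie"] = "; ".join(f"{k}={m.value}" for k, m in cookie.items())
            args = [(k, v) for k, v in parse_qsl(parts.query)
                    if k != SESSION_ID_NAME or v in self.authenticated]   # argument field
            url = urlunsplit(parts._replace(query=urlencode(args)))
        resp = self.app.handle(method, url, headers, body)
        if parts.path == LOGIN_URL and resp["status"] == 200:
            self.authenticated.add(resp["sid"])   # start tracking this session by user
        return resp


def fixation_scenario(protected):
    """A third party obtains S0001 first; the victim then logs in presenting it.
    Returns the username the app bound to S0001 (None: the pre-set ID gained nothing)."""
    app = FixatableApp()
    front = FixationGuard(app) if protected else app
    preset_sid = front.handle("GET", "/", {})["sid"]
    front.handle("POST", LOGIN_URL, {"Cookie": f"{SESSION_ID_NAME}={preset_sid}"},
                 body=urlencode({"user": "alice", "pass": "correct-horse"}))
    return app.sessions[preset_sid]
```

Without the guard the pre-set ID S0001 ends up bound to alice; with the guard the login request reaches the back end with no session ID, the back end issues a fresh one, and S0001 stays unauthenticated. The guard logs nothing when it strips an ID, matching the table's note that presenting an old cookie is normal client behaviour.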
Example

This example matches requests from clients using the URL /login2 with the parameters user and pass and a session ID specified by jsessionid. FortiWeb tracks matching sessions by user and stops tracking if the client logs out using the URL /logout2.
FortiWeb tracks only requests with the return code 200, which it classifies as successful. It does not track requests with a response body that matches the regular expression deny. In addition, because the rule uses the default value for the default authentication result, it does not track requests that do not match an item in the list of match conditions.
The rule enables both session fixation protection and session timeout enforcement for tracked sessions. If a session is idle longer than the default session timeout, FortiWeb blocks requests that use the timed-out session ID for the default block period. It performs this action for 30 minutes after the session times out (the default session freeze time).
config waf user-tracking rule
  edit "rule1"
    set authentication-url "/login2"
    set username-parameter user
    set password-parameter pass
    set session-id-name "jsessionid"
    set logoff-path "/logout2"
    set session-fixation-protection enable
    set session-timeout-enforcement enable
    set session-frozen-action block-period
    set session-frozen-severity High
    set session-frozen-trigger "trigger1"
    config match-condition
      edit 1
        set authentication-result-type success
        set HTTP-match-target return-code
        set value-type plain
        set value 200
      next
      edit 2
        set authentication-result-type failed
        set HTTP-match-target response-body
        set value-type regular
        set value deny
      next
    end
  next
end

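The match-condition table and default-action of the Example above, worked through as an added Python example (not FortiWeb code): the two conditions from the Example are evaluated against a back-end login response to classify it as success or failed, and a small tracker binds the session ID to the username only on success and drops it on the logoff path. Two details are assumptions of this model rather than statements from the page: entries are evaluated in index order with the first match winning, and a plain value compares the literal string for equality.

```python
"""Authentication result classification and user tracking, modelled on the
Example rule on this page. Added example, not FortiWeb code."""
import re

# Constructed rule record mirroring the Example's settings.
TRACKING_RULE = {
    "authentication-url": "/login2",
    "username-parameter": "user",
    "session-id-name": "jsessionid",
    "logoff-path": "/logout2",
    "default-action": "failed",
    "match-condition": [
        {"authentication-result-type": "success", "HTTP-match-target": "return-code",
         "value-type": "plain", "value": "200"},
        {"authentication-result-type": "failed", "HTTP-match-target": "response-body",
         "value-type": "regular", "value": "deny"},
    ],
}


def match_target_text(response, target):
    """Select the part of the back-end response that a condition inspects."""
    if target == "return-code":
        return str(response["status"])
    if target == "response-body":
        return response.get("body", "")
    if target == "redirect-url":
        return response.get("headers", {}).get("Location", "")
    raise ValueError(f"unknown HTTP-match-target {target!r}")


def condition_matches(cond, response):
    text = match_target_text(response, cond["HTTP-match-target"])
    if cond["value-type"] == "plain":
        return text == cond["value"]           # assumption: plain is a literal comparison
    return re.search(cond["value"], text) is not None


def classify_login(rule, response):
    """Return 'success' or 'failed'. Assumption: entries are checked in index order and
    the first match wins; default-action applies when no entry matches."""
    for cond in rule["match-condition"]:
        if condition_matches(cond, response):
            return cond["authentication-result-type"]
    return rule["default-action"]


class UserTracker:
    """Session ID -> username table maintained from observed login and logoff traffic."""

    def __init__(self, rule):
        self.rule = rule
        self.users = {}

    def observe(self, request, response):
        """request is {"path", "cookies", "form"}. Returns the username bound to the
        request's session ID after this exchange, or None if it is not tracked."""
        sid = request["cookies"].get(self.rule["session-id-name"])
        if request["path"] == self.rule["logoff-path"]:
            self.users.pop(sid, None)          # client logged out: stop tracking
            return None
        if sid and request["path"] == self.rule["authentication-url"]:
            if classify_login(self.rule, response) == "success":
                self.users[sid] = request["form"].get(self.rule["username-parameter"])
        return self.users.get(sid)
```

Because the first condition in the Example matches on return code 200 alone, a 200 response whose body happens to contain "deny" is classified as success under the first-match assumption; if the application reports failed logins with a 200 page, put the response-body condition first and confirm the result with a test login before relying on the tracked username in logs.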
Related topics

• server-policy allow-hosts on page 103
• waf web-protection-profile inline-protection on page 636
• waf web-protection-profile offline-protection on page 645

waf web-cache-exception

Use this command to configure FortiWeb to cache responses from your servers.
Use web-cache-exception to cache all URLs except for a few. To cache only a few URLs, see .
To apply this policy, include it in an inline protection profile. For details, see waf web-protection-profile inline-protection
on page 636.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf web-cache-exception
  edit "<web-cache-exception_rule_name>"
    config exception-list
      edit <entry_index>
        set host-status {enable | disable}
        set host "<host_str>"
        set url-type {plain | regular}
        set url-patten "<url-pattern_str>"
        set cookie-name "<cookie-name_str>"
      next
    end
  next
end

"<web-cache-exception_rule_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
    edit ?
    Default: No default.

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

host-status {enable | disable}
    Specify enable to require that the Host: field of the HTTP request match a protected host names entry in order to match the exception. Also specify a value for host.
    Default: disable

host "<host_str>"
    Specify which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the exception. Maximum length is 256 characters.
    This option is available only if the value of host-status {enable | disable} on page 632 is enable.
    Default: No default.

url-type {plain | regular}
    Specify the type of value that is used for url-patten "<url-pattern_str>" on page 632:
    • plain—A literal URL.
    • regular—A regular expression designed to match multiple URLs.
    Default: plain

url-patten "<url-pattern_str>"
    If the value of url-type {plain | regular} on page 632 is plain, specify the literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
    If the value of url-type is regular, specify a regular expression, such as ^/*.php, that matches all and only the URLs that the rule applies to. The pattern does not require a slash ( / ); however, it must match URLs that begin with a slash, such as /index.cfm.
    Do not include the domain name, such as www.example.com, which is specified by host.
    Maximum length is 256 characters.
    Tip: Generally, URLs that require autolearning adapters do not work well with caching either. Do not cache dynamic URLs that contain variables such as user names (e.g. older versions of Microsoft OWA) or volatile data such as parameters. Because FortiWeb is unlikely to receive identical subsequent requests for them, dynamic URLs can rapidly consume cache without improving performance.
    Default: No default.

cookie-name "<cookie-name_str>"
    Specify the name of the cookie, such as sessionid, as it appears in the Cookie: HTTP header. Maximum length is 127 characters.
    Tip: Content that is unique to a user, such as personalized pages that appear after a person has logged in, usually should not be cached. If the web application’s authentication is cookie-based, configure this setting with the name of the authentication cookie. Otherwise, if it is parameter-based, configure the exception with a URL pattern that matches the authentication ID parameter.
    Default: No default.
Related topics

• waf web-protection-profile inline-protection on page 636

waf web-cache

To improve performance of your back-end network and servers by reducing their traffic and processing load, you can
configure FortiWeb to cache responses from your servers.
Use this command to create web cache rules and policies.

To configure the web caching, you must enable it in system feature-visibility.

Syntax
config waf web-cache-rule
  edit "<rule-name_entry>"
    set host-status {enable | disable}
    set host <host_str>
    set path <path_str>
    set HTTP-method {get-head | get-head-options | all-methods}
    set request-file-type {text | picture | media | binary | other}
    set allow-return-code {allow-200 | allow-200-206 | allow-200-206-301-302}
    set cache-inactive-time <cache-inactive-time_int>
    set inactive-time-type {minutes | hours}
    set client-cache-expire <client-cache-expire_int>
    set client-cache-expire-type {minutes | hours}
    set key-factor {method | protocol | host | url | arguments | cookies}
    set enable-client-expire {enable | disable}
    set policy-id <entry_index>
    config cookie-name-list
      edit <cookie-name-list_id>
        set cookie-name "<cookie-name_str>"
      next
    end
    config bypass-sub-url
      edit "<bypass-sub-url_id>"
        set HTTP-method {get | post | head | options | trace | connect | delete | put | patch | any}
        set type {plain | regular}
        set url-expression <url-expression_str>
        set enable-bypass-args {enable | disable}
        set bypass-args <bypass-args_str>
        set enable-bypass-cookies {enable | disable}
        set bypass-cookies <bypass-cookies_str>
      next
    end
  next
end

config waf web-cache-policy
  edit "<web-cache-policy_name>"
  next
end

"<rule-name_entry>"
    Enter a 40-character string for the name, for example e1947036-a1fa-489e-8434-c8a401a75f78.
    Default: No default.

host-status {enable | disable}
    Enable to require that the Host: field of the HTTP request match a protected host names entry in order to match the web cache rule. Also configure host <host_str>.
    Default: No default.

host <host_str>
    Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the web cache rule.
    Default: No default.

path <path_str>
    Enter a path for your web pages, for example /test, that is a prefix of the set of URLs to cache.
    Default: No default.

HTTP-method {get-head | get-head-options | all-methods}
    Select whether to cache the response contents according to the HTTP method you use.
    Default: get-head

request-file-type {text | picture | media | binary | other}
    Select whether to cache the response contents according to the content type.
    Default: All values

allow-return-code {allow-200 | allow-200-206 | allow-200-206-301-302}
    Select whether to cache the response contents according to the response code.
    Default: 200

cache-inactive-time <cache-inactive-time_int>
    Specify the timeout threshold after which the cache becomes invalid and needs to be refreshed. After the timeout, the cached web contents are removed automatically.
    Default: 60 minutes

inactive-time-type {minutes | hours}
    Select the time unit for the cache inactive time.
    Default: minutes

client-cache-expire <client-cache-expire_int>
    Enter the period used for max-age, so that if the client requests the same contents again within the period, the client can obtain the web content directly from its local cache.
    Default: 60 minutes

client-cache-expire-type {minutes | hours}
    Select the time unit for the cache expiration time.
    Default: minutes

key-factor {method | protocol | host | url | arguments | cookies}
    Select the protocol variables that you want to use to generate the cache key.
    Default: All values except cookies.

enable-client-expire {enable | disable}
    Enable to clear the cache based on the specified period.
    Default: disable

policy-id <entry_index>
    Enter the ID of the server policy that has enabled this web cache.
    Default: disable

"<cookie-name-list_id>"
    Enter the cookie name ID if you specify cookies in key-factor {method | protocol | host | url | arguments | cookies}.

cookie-name "<cookie-name_str>"
    Enter a cookie name related to the ID.
    Default: No default.

"<bypass-sub-url_id>"
    Enter the bypass sub URL list ID.
    Default: No default.

HTTP-method {get | post | head | options | trace | connect | delete | put | patch | any}
    Select the HTTP method in which the request sub URL is included.
    Default: No default.

type {plain | regular}
    Select whether the url-expression <url-expression_str> field must contain either:
    • plain—The field is a string that the request sub URL must match exactly.
    • regular—The field is a regular expression that defines a set of matching sub URLs.
    Default: plain

url-expression <url-expression_str>
    Depending on your selection in type {plain | regular}, enter either:
    • The literal URL, such as /index.php, that the HTTP request must contain in order to match the web cache rule. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php, matching all and only the URLs to which the web cache rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.
    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide: HTTPs://docs.fortinet.com/fortiweb/admin-guides
    Default: No default.

enable-bypass-args {enable | disable}
    Enable this option so that the request matches the bypass URL only when the request carries the specified arguments.

bypass-args <bypass-args_str>
    Enter the bypass arguments.
    Default: No default.

enable-bypass-cookies {enable | disable}
    Enable this option so that the request matches the bypass URL only when the request carries the specified cookies.
    Default: disable

bypass-cookies <bypass-cookies_str>
    Enter the bypass cookies.
    Default: No default.

"<web-cache-policy_name>"
    Enter the server policy ID as the cache policy name.
    Default: No default.

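How the web-cache-rule settings (path, HTTP-method, allow-return-code, key-factor) and the web-cache-exception entries (url-type, url-patten, cookie-name) combine into a cache decision, as an added Python example that is not FortiWeb code. It uses the page's default key factors, so two requests that differ only in their cookies produce the same key, which is why the exception table's tip says to except cookie-authenticated content. The rule and exception records, the request format and the cache-key hashing are constructed; the assumption that every field set on an exception entry must match (with unset fields not constraining) is this model's, not a statement from the page.

```python
"""Cache decision and cache-key derivation modelled on this page's web cache
rule and web-cache-exception fields. Added example, not FortiWeb code."""
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed web cache rule using the fields of "config waf web-cache-rule".
WEB_CACHE_RULE = {
    "path": "/",
    "HTTP-method": "get-head",
    "allow-return-code": "allow-200",
    "key-factor": ("method", "protocol", "host", "url", "arguments"),  # page default: all but cookies
    "cookie-name-list": (),            # consulted only when "cookies" is a key factor
}

# Constructed web-cache-exception entries: anything under /account/ and any
# request carrying the (constructed) authentication cookie "sessionid".
EXCEPTIONS = [
    {"host-status": False, "host": "", "url-type": "regular", "url-patten": r"^/account/", "cookie-name": ""},
    {"host-status": False, "host": "", "url-type": "plain", "url-patten": "", "cookie-name": "sessionid"},
]

ALLOWED_METHODS = {"get-head": {"GET", "HEAD"},
                   "get-head-options": {"GET", "HEAD", "OPTIONS"},
                   "all-methods": None}
ALLOWED_CODES = {"allow-200": {200},
                 "allow-200-206": {200, 206},
                 "allow-200-206-301-302": {200, 206, 301, 302}}


def make_request(url, method="GET", cookies=None, host="www.example.com", protocol="https"):
    """Constructed request record; cookies is a dict of cookie name -> value."""
    return {"method": method, "protocol": protocol, "host": host, "url": url, "cookies": cookies or {}}


def cache_key(request, rule):
    """Derive the cache key from the selected key-factor variables only. Anything
    left out of the key (cookies, by default) cannot distinguish cached responses."""
    parts = []
    split = urlsplit(request["url"])
    for factor in rule["key-factor"]:
        if factor == "method":
            parts.append(request["method"])
        elif factor == "protocol":
            parts.append(request["protocol"])
        elif factor == "host":
            parts.append(request["host"].lower())
        elif factor == "url":
            parts.append(split.path)
        elif factor == "arguments":
            parts.append("&".join(f"{k}={v}" for k, v in sorted(parse_qsl(split.query))))
        elif factor == "cookies":
            parts.append(";".join(f"{n}={request['cookies'].get(n, '')}" for n in rule["cookie-name-list"]))
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()[:16]


def matches_exception(request, entry):
    """Assumed semantics: every field the entry sets must match; unset fields do not constrain."""
    if entry["host-status"] and request["host"].lower() != entry["host"].lower():
        return False
    path = urlsplit(request["url"]).path
    pattern = entry["url-patten"]
    if pattern:
        if entry["url-type"] == "plain" and path != pattern:
            return False
        if entry["url-type"] == "regular" and not re.search(pattern, path):
            return False
    if entry["cookie-name"] and entry["cookie-name"] not in request["cookies"]:
        return False
    return True


def cache_decision(request, status, rule=WEB_CACHE_RULE, exceptions=EXCEPTIONS):
    """Return (cacheable, reason, key); key is None when the response is not cached."""
    if not urlsplit(request["url"]).path.startswith(rule["path"]):
        return False, "outside rule path", None
    allowed = ALLOWED_METHODS[rule["HTTP-method"]]
    if allowed is not None and request["method"] not in allowed:
        return False, "method not cacheable", None
    if status not in ALLOWED_CODES[rule["allow-return-code"]]:
        return False, "return code not cacheable", None
    for entry in exceptions:
        if matches_exception(request, entry):
            return False, "matches web-cache-exception", None
    return True, "cacheable", cache_key(request, rule)
```

Run cache_decision on a static asset with and without a cookie and the keys are identical; the same asset with a different query string gets a different key because arguments are a key factor. A request that carries the authentication cookie, or one under /account/, is refused by the exception table before a key is ever computed.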
Related topics

• server-policy policy on page 140

waf web-protection-profile inline-protection

Use this command to configure inline protection profiles.
Inline protection profiles are a set of attack protection settings. The FortiWeb appliance applies the profile when a connection matches a server policy that includes the protection profile. You can use inline protection profiles in server policies for any mode except Offline Protection.
To apply protection profiles, select them within a server policy. For details, see server-policy policy on page 140.
Before configuring an inline protection profile, first configure any of the following that you want to include in the profile:
• Parameter validation rule (see waf parameter-validation-rule on page 553)
• URL access policy (see waf url-access url-access-policy on page 606)
• Hidden field rule group (see waf hidden-fields-protection on page 468)
• Parameter restriction constraint (see waf HTTP-protocol-parameter-restriction on page 488)
• Authentication policy and/or site publisher (see waf HTTP-authen HTTP-authen-policy on page 473 and waf site-publish-helper policy on page 566)
• Allowed method exception (see waf allow-method-exceptions on page 384)
• List of manually trusted and block-listed IPs, FortiGuard IP reputation category-based blocklisted IPs, and/or a geographically-based IP blocklist (see waf ip-intelligence on page 501, "server-policy custom-application application-policy" on page 1, and waf geo-block-list on page 465)
• Attack signatures (see waf signature on page 555)
• File security policy (see "server-policy custom-application application-policy" on page 1)
• Web Shell Detection (see waf webshell-detection-policy on page 651)
• URL rewriting policy (see waf url-rewrite url-rewrite-policy on page 616)
• XML protection policy (see waf xml-validation on page 665)
• DoS protection policy (see waf application-layer-dos-prevention on page 400)
• Compression rules (see waf file-compress-rule on page 449)
• Policy that protects vulnerable block cipher implementations for web applications that selectively encrypt inputs without using HTTPS (see waf padding-oracle on page 550)
• FortiGate that provides a list of quarantined source IPs (see system fortigate-integration on page 277)
• Cross-site request forgery (CSRF) protection rule (see waf csrf-protection on page 420)
• Cookie security policy (see waf cookie-security on page 416)
• User tracking policy (see waf user-tracking policy on page 624)
• JSON protection policy (see waf json-validation rule on page 510)
• OpenAPI Validation (see waf openapi-validation-policy on page 548)
• Mobile API protection policy (see waf mobile-api-protection on page 546)
• Bot mitigation policy (see waf bot-detection-policy on page 405)
• API gateway policy (see waf api-rules on page 392)
• Syntax-based attack detection policy (see waf syntax-based-attack-detection on page 582)
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf web-protection-profile inline-protection
  edit "<inline-protection-profile_name>"
    set client-management {enable | disable}
    set threat-score-profile <name>
    set HTTP-session-timeout <seconds_int>
    set x-forwarded-for-rule "<x-forwarded-for_name>"
    set signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>}
    set amf3-protocol-detection {enable | disable}
    set custom-access-policy "<combo-access_name>"
    set padding-oracle "<rule_name>"
    set csrf-protection "<rule_name>"
    set cookie-security-policy "<cookie-security_name>"
    set parameter-validation-rule "<rule_name>"
    set hidden-fields-protection "<group_name>"
    set file-upload-policy "<policy_name>"
    set HTTP-protocol-parameter-restriction "<constraint_name>"
    set url-access-policy "<policy_name>"
    set allow-method-policy "<policy_name>"
    set ip-list-policy "<policy_name>"
    set geo-block-list-policy "<policy_name>"
    set application-layer-dos-prevention "<policy_name>"
    set ip-intelligence {enable | disable}
    set fortigate-quarantined-ips {enable | disable}
    set quarantined-ip-action {alert | alert_deny}
    set quarantined-ip-severity {High | Medium | Low}
    set quarantined-ip-trigger "<trigger-policy_name>"
    set url-rewrite-policy "<group_name>"
    set HTTP-authen-policy "<policy_name>"
    set HTTP-header-security "<policy_name>"
    set site-publisher-helper "<policy_name>"
    set file-compress-rule "<rule_name>"
    set user-tracking-policy "<user-tracking-policy_name>"
    set redirect-url "<redirect_fqdn>"
    set rdt-reason {enable | disable}
    set data-analysis {enable | disable}
    set comment "<comment_str>"
    set profile-id "<profile-id_str>"
    set mitb-protection "<mitb-protection_name>"
    set openapi-validation-policy "<openapi-validation-policy_name>"
    set websocket-security-policy "<websocket-security-policy_name>"
    set json-validation-policy "<json-validation-policy_name>"
    set cors-protection-policy "<cors-protection-policy>"
    set mobile-app-identification {enable | disable}
    set token-secret <token-secret_str>
    set token-header <token-header_str>
    set mobile-api-protection <mobile-api-protection_name>
    set bot-mitigate-policy <bot-mitigate-policy_name>
    set api-management-policy <api-management-policy_name>
    set url-encryption-policy <url-encryption-policy_str>
    set syntax-based-attack-detection <detection_name>
    set owasp_api_top10_log_field {enable | disable}
  next
end

Variable Description Default

"<inline-protection-profile_ Enter the name of the inline protection profile. The No default.
name>" maximum length is 63 characters.
To display the list of existing profiles, enter:
edit ?

client-management {enable | Enable to add an implementation of HTTP sessions, and disable


disable} track their states, using a cookie such as
cookiesession1. Also configure HTTP-session-timeout
<seconds_int> on page 639.
Although HTTP has no inherent support for sessions, a
notion of individual HTTP client sessions, rather than
simply the source IP address and/or timestamp, is required
by some features.
For example, you might want to require that a client’s first
HTTP request always be a login page: the rest of the web
pages should be inaccessible if they have not
authenticated. Out-of-order requests could represent an
attempt to bypass the web application’s native
authentication mechanism. How can FortiWeb know if a
request is the client’s first HTTP request?
Therefore FortiWeb must keep some record of the first
request from that client (the session initiation). It also must
record their previous HTTP request(s), until a span of time
(the session timeout) has elapsed during which there were
no more subsequent requests, after which it would require
that the session be initiated again.
The session management feature provides such FortiWeb
session support.
This feature requires that the client support cookies.
Note: You must enable this option:
l If you want to include this profile’s traffic in the traffic

log, in addition to enabling traffic logs in general. For


details, see log attack-log on page 61.

threat-score-profile <name>
    Select the Threat Score Profile so that FortiWeb can take action on IPs or clients when their threat score accumulates to a certain value. The threat score profile is configured in config server-policy pattern threat-score-profile.
    If you have enabled client-management but do not configure threat-score-profile, the system by default applies the configuration in config server-policy pattern threat-weight.
    This option is available only when client-management is enabled.

FortiWeb CLI Reference Fortinet Technologies Inc.
config 639

HTTP-session-timeout <seconds_int>
    Enter the HTTP session timeout in seconds. The valid range is 20–3,600.
    This setting is available only if client-management {enable | disable} on page 638 is enabled.
    Default: 1200

x-forwarded-for-rule "<x-forwarded-for_name>"
    Specify the name of a rule that configures FortiWeb’s use of X-Forwarded-For: and X-Real-IP. The maximum length is 63 characters. For details, see waf x-forwarded-for on page 659.
    To display the list of existing rules, enter:
    set x-forwarded-for-rule ?
    Default: No default.

signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>}
    Specify a signature policy to include in the profile. The maximum length is 63 characters. For details, see waf signature on page 555.
    To display the list of existing rules, enter:
    set server-protection-rule ?
    The type of attack that FortiWeb detects determines the attack log messages for this feature. For a list, see waf signature on page 555.
    Default: No default.

amf3-protocol-detection {enable | disable}
    Enable to scan requests that use action message format 3.0 (AMF3) for these attacks if you have enabled those in the signature set specified by signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>} on page 639:
    - Cross-site scripting (XSS) attacks
    - SQL injection attacks
    - Common exploits
    AMF3 is a binary format that Adobe Flash clients can use to send input to server-side software.
    Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will make the FortiWeb appliance unable to scan AMF3 requests for attacks.
    Default: disable

json-validation-policy "<json-validation-policy_name>"
    Enter the JSON protection policy name.
    Default: No default.

cors-protection-policy "<cors-protection-policy>"
    Enter the CORS protection policy name.
    Default: No default.

mobile-app-identification {enable | disable}
    Enable to configure the JWT token secret and token header to verify a request from a mobile application.
    Refer to the Approov documentation for how to get the token.
    Default: disable

token-secret <token-secret_str>
    Enter the token secret that you obtained from Approov.
    Available only when mobile-app-identification {enable | disable} is set to enable.
    Default: No default

token-header <token-header_str>
    Specify the header where the token is carried.
    Available only when mobile-app-identification {enable | disable} is set to enable.
    Default: No default

mobile-api-protection <mobile-api-protection_name>
    Select the name of an existing API protection policy. For details, see waf mobile-api-protection.
    Default: No default

bot-mitigate-policy <bot-mitigate-policy_name>
    Select the name of a bot mitigation policy. For details, see waf mobile-api-protection.
    Default: No default.

api-management-policy <api-management-policy_name>
    Select the name of an API gateway policy. For details, see waf api-rules.
    Default: No default.

custom-access-policy "<combo-access_name>"
    Select the name of a custom access policy. The maximum length is 63 characters. For details, see waf custom-access policy on page 423.
    To display the list of existing policies, enter:
    set custom-access-policy ?
    Default: No default.

padding-oracle "<rule_name>"
    Select the name of a padding oracle protection rule. The maximum length is 63 characters. For details, see waf padding-oracle on page 550.
    To display the list of existing rules, enter:
    set padding-oracle ?
    Default: No default.

csrf-protection "<rule_name>"
    Select the name of a cross-site request forgery protection rule, if any, to apply to matching requests. For details, see waf csrf-protection on page 420.
    Available only when client-management {enable | disable} on page 638 is enabled.
    Default: No default.

cookie-security-policy "<cookie-security_name>"
    Select the name of a cookie security policy. For details, see waf cookie-security on page 416.
    To display the list of existing policies, enter:
    set cookie-security-policy ?

parameter-validation-rule "<rule_name>"
    Select the name of a parameter validation rule. The maximum length is 63 characters. For details, see waf parameter-validation-rule on page 553.
    To display the list of existing rules, enter:
    set parameter-validation-rule ?
    Default: No default.

hidden-fields-protection "<group_name>"
    Select the name of a hidden field rule group that you want to apply, if any. The maximum length is 63 characters. For details, see waf hidden-fields-protection on page 468.
    To display the list of existing groups, enter:
    set hidden-fields-protection ?
    Default: No default.

file-upload-policy "<policy_name>"
    Select the name of a file upload security policy to use, if any. The maximum length is 63 characters. For details, see "server-policy custom-application application-policy" on page 1.
    To display the list of existing policies, enter:
    set file-upload-policy ?
    Default: No default.

HTTP-protocol-parameter-restriction "<constraint_name>"
    Select the name of an HTTP protocol constraint that you want to apply, if any. The maximum length is 63 characters. For details, see waf HTTP-protocol-parameter-restriction on page 488.
    To display the list of existing profiles, enter:
    set HTTP-protocol-parameter-restriction ?
    Default: No default.

url-access-policy "<policy_name>"
    Select the name of a URL access policy. The maximum length is 63 characters. For details, see waf url-access url-access-policy on page 606.
    To display the list of existing policies, enter:
    set url-access-policy ?
    Default: No default.

allow-method-policy "<policy_name>"
    Select the name of an allowed method policy. The maximum length is 63 characters. For details, see "server-policy custom-application application-policy" on page 1.
    To display the list of existing policies, enter:
    set allow-method-policy ?
    Default: No default.

ip-list-policy "<policy_name>"
    Select the name of a trusted IP or blocklisted IP policy. The maximum length is 63 characters. For details, see "server-policy custom-application application-policy" on page 1.
    To display the list of existing policies, enter:
    set ip-list-policy ?
    Default: No default.

geo-block-list-policy "<policy_name>"
    Select the name of a geographically-based client IP block list that you want to apply, if any. The maximum length is 63 characters. For details, see waf geo-block-list on page 465.
    To display the list of existing groups, enter:
    set geo-block-list-policy ?
    Default: No default.

application-layer-dos-prevention "<policy_name>"
    Select the name of an existing DoS protection policy to use with this profile, if any. The maximum length is 63 characters. For details, see waf application-layer-dos-prevention on page 400.
    To display the list of existing profiles, enter:
    set application-layer-dos-prevention ?
    Default: No default.

ip-intelligence {enable | disable}
    Enable to apply intelligence about the reputation of the client’s source IP. Blocking and logging behavior is configured in waf ip-intelligence on page 501.
    Default: disable

fortigate-quarantined-ips {enable | disable}
    Enable to detect source IP addresses that a FortiGate unit is currently preventing from interacting with the network and protected systems.
    To configure communication between FortiOS and FortiWeb, see system fortigate-integration on page 277.
    Default: disable

quarantined-ip-action {alert | alert_deny}
    Specify the action that FortiWeb takes if it detects a quarantined IP address:
    - alert—Accept the request and generate an alert email, log message, or both.
    - alert_deny—Block the request and generate an alert, log message, or both.
    Default: alert

quarantined-ip-severity {High | Medium | Low}
    Specify the severity that FortiWeb assigns to quarantined IP log messages.
    Default: High

quarantined-ip-trigger "<trigger-policy_name>"
    Select the name of the trigger to apply when FortiWeb detects a quarantined IP. For details, see log trigger-policy on page 93.
    To display the list of existing trigger policies, enter:
    set trigger ?
    Default: No default.

url-rewrite-policy "<group_name>"
    Select the name of a URL rewriting rule set, if any, that will be applied to matching HTTP requests. The maximum length is 63 characters.
    To display the list of existing policies, enter:
    set url-rewrite-policy ?
    For details, see waf url-access url-access-policy on page 606.
    Default: No default.

HTTP-authen-policy "<policy_name>"
    Select the name of an HTTP authentication policy, if any, that will be applied to matching HTTP requests. The maximum length is 63 characters. For details, see waf HTTP-authen HTTP-authen-policy on page 473.
    To display the list of existing profiles, enter:
    set HTTP-authen-policy ?
    If the HTTP client fails to authenticate, it will receive an HTTP 403 (Access Forbidden) error message.
    Default: No default.

HTTP-header-security "<policy_name>"
    Select the name of an HTTP Header Security Policy, if any. For details, see waf HTTP-header-security on page 485.
    To display the list of existing policies, enter:
    set HTTP-header-security ?
    Default: No default.

site-publisher-helper "<policy_name>"
    Select the name of a site publishing policy, if any, that will be applied to matching HTTP requests. The maximum length is 63 characters. For details, see waf site-publish-helper policy on page 566.
    To display the list of existing profiles, enter:
    set site-publisher-policy ?
    If the HTTP client fails to authenticate, it will receive an HTTP 403 (Access Forbidden) error message.
    Default: No default.

file-compress-rule "<rule_name>"
    Select the name of an existing file compression rule to use with this profile, if any. The maximum length is 63 characters. For details, see waf file-compress-rule on page 449.
    To display the list of existing rules, enter:
    set file-compress-rule ?
    Default: No default.

user-tracking-policy "<user-tracking-policy_name>"
    Select the name of a user tracking policy. The maximum length is 63 characters. For details, see waf user-tracking policy on page 624.
    To display the list of existing policies, enter:
    set user-tracking-policy ?
    Default: No default.

redirect-url "<redirect_fqdn>"
    Enter a URL, including the FQDN/IP and path, if any, to which an HTTP client will be redirected if their HTTP request violates any of the rules in this profile.
    For example, you could enter www.example.com/products/.
    If you do not enter a URL, depending on the type of violation and the configuration, the FortiWeb appliance will log the violation, may attempt to remove the offending parts, and could either reset the connection or return an HTTP 403 (Access Forbidden) or 404 (File Not Found) error message.
    The maximum length is 256 characters.
    Default: No default.

rdt-reason {enable | disable}
    Enable to include the reason for URL redirection as a parameter in the URL, such as reason=DETECT_PARAM_RULE_FAILED, when traffic has been redirected using redirect-url "<redirect_fqdn>" on page 643.
    The FortiWeb appliance also adds fortiwaf=1 to the URL to detect and cancel a redirect loop when the redirect action recursively triggers an attack event.
    Caution: If you specify a redirect URL that is protected by the FortiWeb appliance, you should enable this option to prevent infinite redirect loops.
    Default: No default.

data-analysis {enable | disable}
    Enable this to collect data for servers covered by this profile.
    Default: disable

comment "<comment_str>"
    Enter a description or other comment. If the comment contains more than one word or contains an apostrophe, surround the comment in double quotes ( " ). The maximum length is 199 characters.
    Default: No default.

xml-validation-policy "<xml_policy_name>"
    Select the name of an XML protection policy, if any. The maximum length is 63 characters. For details, see waf xml-validation on page 665.
    To display the list of existing policies, enter:
    set xml-validation-policy ?
    Default: No default.

profile-id "<profile-id_str>"
    Enter the inline profile ID.
    Default: No default.

mitb-protection "<mitb-protection_name>"
    Select the MiTB protection policy name. For details, see waf mitb-policy on page 543.
    Default: No default.

openapi-validation-policy "<openapi-validation-policy_name>"
    Select the OpenAPI validation policy name. For details, see waf openapi-validation-policy on page 548.
    Default: No default.

websocket-security-policy "<websocket-security-policy_name>"
    Select the WebSocket security policy name. For details, see waf websocket-security policy on page 656.
    Default: No default.

url-encryption-policy <url-encryption-policy_str>
    Select the URL encryption policy name. For details, see waf url-encryption on page 607.
    Default: No default.

syntax-based-attack-detection <detection_name>
    Select the name of an existing SQL/XSS syntax-based detection policy. For details, see waf syntax-based-attack-detection.
    Default: No default.

owasp_api_top10_log_field {enable/disable}
    Enable to record the OWASP API Top10 attack categories in attack logs so that you can filter the attack logs by OWASP API Top10.
    Default: enable

Related topics

- log trigger-policy on page 93
- server-policy pattern custom-global-allow-list-group on page 118
- server-policy policy on page 140
- waf signature on page 555
- waf padding-oracle on page 550
- waf parameter-validation-rule on page 553
- waf HTTP-protocol-parameter-restriction on page 488
- waf url-access url-access-policy on page 606
- waf allow-method-exceptions on page 384
- waf application-layer-dos-prevention on page 400
- waf file-compress-rule on page 449
- waf geo-block-list on page 465
- waf hidden-fields-protection on page 468
- waf HTTP-authen HTTP-authen-policy on page 473
- waf ip-intelligence on page 501
- "server-policy custom-application application-policy" on page 1
- waf syntax-based-attack-detection on page 582

waf web-protection-profile offline-protection

Use this command to configure Offline Protection profiles.
Detection profiles are useful when you want to preview the effects of some web protection features without affecting traffic, or without affecting your network topology.
Unlike protection profiles, a detection profile is designed for use in Offline Protection mode. Detection profiles cannot be guaranteed to block attacks. They attempt to reset the connection, but due to variable speeds of different routing paths, the reset request may arrive after the attack has been completed. Their primary purpose is to detect attacks, especially for use in conjunction with auto-learning profiles. In fact, if used in conjunction with auto-learning profiles, you should configure the detection profile to log only and not block attacks in order to gather complete session statistics for the auto-learning feature. As a result, detection profiles can only be selected in policies whose deployment-mode is offline-detection, and those policies will only be used by the FortiWeb appliance when its operation mode is offline-detection.
Unlike inline protection profiles, Offline Protection profiles do not support HTTP conversion or cookie poisoning detection.
To apply detection profiles, select them within a server policy. For details, see server-policy policy on page 140.
Before configuring an Offline Protection profile, first configure any of the following that you want to include in the profile:
- File security policy (see "server-policy custom-application application-policy" on page 1)
- Web Shell Detection policy (see waf webshell-detection-policy on page 651)
- Server protection rule (see waf signature on page 555)
- List of manually trusted and block-listed IPs, FortiGuard IRIS category-based blocklisted IPs, and/or a geographically-based IP blocklist (see waf ip-intelligence on page 501, "server-policy custom-application application-policy" on page 1 and waf geo-block-list on page 465)
- Parameter validation rule (see waf parameter-validation-rule on page 553)
- URL access policy (see waf url-access url-access-policy on page 606)
- Allowed method exception (see waf allow-method-exceptions on page 384)
- Hidden field rule group (see waf hidden-fields-protection on page 468)
- Parameter restriction constraint (see waf HTTP-protocol-parameter-restriction on page 488)
- Policy that protects vulnerable block cipher implementations for web applications that selectively encrypt inputs without using HTTPS (waf padding-oracle on page 550)
- User tracking policy (see waf user-tracking policy on page 624)
- XML protection policy (see waf xml-validation on page 665)
- JSON protection policy (see waf json-validation rule on page 510)
- OpenAPI Validation (see waf openapi-validation-policy on page 548)
- Mobile API protection policy (see waf mobile-api-protection on page 546)
- Syntax-based attack detection policy (see waf syntax-based-attack-detection on page 582)
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf web-protection-profile offline-protection
edit "<offline-protection-profile_name>"
set client-management {enable | disable}
set threat-score-profile <name>
set HTTP-session-timeout <seconds_int>
set x-forwarded-for-rule "<x-forwarded-for_name>"
set HTTP-session-keyword "<key_str>"
set signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | "<signature-set_name>"}
set amf3-protocol-detection {enable | disable}
set custom-access-policy "<combo-access_name>"
set padding-oracle "<rule_name>"
set parameter-validation-rule "<rule_name>"
set hidden-fields-protection "<group_name>"
set file-upload-policy "<policy_name>"
set HTTP-protocol-parameter-restriction "<constraint_name>"
set url-access-policy "<policy_name>"
set allow-method-policy "<policy_name>"
set ip-list-policy "<policy_name>"
set geo-block-list-policy "<policy_name>"
set ip-intelligence {enable | disable}
set csrf-protection "<rule_name>"
set user-tracking-policy "<user-tracking-policy_name>"
set data-analysis {enable | disable}
set comment "<comment_str>"
set openapi-validation-policy "<openapi-validation-policy_name>"
set json-validation-policy "<json-validation-policy_name>"
set mobile-app-identification {enable | disable}
set token-secret <token-secret_str>
set token-header <token-header_str>
set mobile-api-protection <mobile-api-protection_name>
set syntax-based-attack-detection <detection_name>
set owasp_api_top10_log_field {enable/disable}
next
end

Variable Description Default

"<offline-protection-profile_name>"
    Enter the name of the Offline Protection profile. The maximum length is 63 characters.
    To display the list of existing profiles, enter:
    edit ?
    Default: No default.

client-management {enable | disable}
    Enable to track the states of HTTP sessions. Also configure HTTP-session-timeout <seconds_int> on page 648.
    Although HTTP has no inherent support for sessions, a notion of individual HTTP client sessions, rather than simply the source IP address and/or timestamp, is required by some features.
    For example, you might want to require that a client’s first HTTP request always be a login page: the rest of the web pages should be inaccessible if they have not authenticated. Out-of-order requests could represent an attempt to bypass the web application’s native authentication mechanism. How can FortiWeb know if a request is the client’s first HTTP request? If FortiWeb were to treat each request independently, without knowledge of anything previous, it could not, by definition, enforce page order. Therefore FortiWeb must keep some record of the first request from that client (the session initiation). It also must record their previous HTTP request(s), until a span of time (the session timeout) has elapsed during which there were no more subsequent requests, after which it would require that the session be initiated again.
    The session management feature provides such FortiWeb session support.
    Note: This feature requires that the client support cookies.
    Note: You must enable this option if you want to include this profile’s traffic in the traffic log, in addition to enabling traffic logs in general. For details, see log attack-log on page 61.
    Default: disable

threat-score-profile <name>
    Select the Threat Score Profile so that FortiWeb can take action on IPs or clients when their threat score accumulates to a certain value. The threat score profile is configured in config server-policy pattern threat-score-profile.
    If you have enabled client-management but do not configure threat-score-profile, the system by default applies the configuration in config server-policy pattern threat-weight.
    This option is available only when client-management is enabled.

HTTP-session-timeout <seconds_int>
    Enter the HTTP session timeout in seconds. The valid range is 20–3,600.
    This setting is available only if waf web-protection-profile offline-protection on page 645 is enabled.
    Default: 1200

x-forwarded-for-rule "<x-forwarded-for_name>"
    Specify the name of a rule that configures FortiWeb’s use of X-Forwarded-For: and X-Real-IP. For details, see waf x-forwarded-for on page 659.
    To display a list of existing rules, enter:
    set forwarded-for-rule ?
    Default: No default.

HTTP-session-keyword "<key_str>"
    If you want to use an HTTP header other than Session-Id: to track separate HTTP sessions, enter the key portion of the HTTP header that you want to use, such as Session-Num.
    The maximum length is 63 characters.
    Default: No default.

signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | "<signature-set_name>"}
    Specify a signature policy to include in the profile. The maximum length is 63 characters. For details, see waf signature on page 555.
    To display the list of existing rules, enter:
    set server-protection-rule ?
    The type of attack that FortiWeb detects determines the attack log messages for this feature. For a list, see waf signature on page 555.
    Default: No default.

amf3-protocol-detection {enable | disable}
    Enable to scan requests that use the action message format 3.0 (AMF3) for these attacks if you have enabled those in the set of signatures specified by signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | "<signature-set_name>"} on page 648:
    - Cross-site scripting (XSS) attacks
    - SQL injection attacks
    - Common exploits
    AMF3 is a binary format that can be used by Adobe Flash clients to send input to server-side software.
    Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option makes the FortiWeb appliance unable to scan AMF3 requests for attacks.
    Default: disable

custom-access-policy "<combo-access_name>"
    Enter the name of a custom access policy. The maximum length is 63 characters. For details, see waf custom-access policy on page 423.
    To display the list of existing policies, enter:
    set custom-access-policy ?
    Default: No default.

padding-oracle "<rule_name>"
    Enter the name of a padding oracle protection rule. The maximum length is 63 characters. For details, see waf padding-oracle on page 550.
    To display the list of existing rules, enter:
    set padding-oracle ?
    Default: No default.

parameter-validation-rule "<rule_name>"
    Enter the name of a parameter validation rule. The maximum length is 63 characters. For details, see waf parameter-validation-rule on page 553.
    To display the list of existing rules, enter:
    set parameter-validation-rule ?
    Default: No default.

hidden-fields-protection "<group_name>"
    Enter the name of a hidden field rule group that you want to apply, if any. The maximum length is 63 characters. For details, see waf hidden-fields-protection on page 468.
    To display the list of existing groups, enter:
    set hidden-fields-protection ?
    Default: No default.

file-upload-policy "<policy_name>"
    Enter the name of a file security policy. The maximum length is 63 characters. For details, see "server-policy custom-application application-policy" on page 1.
    To display the list of existing policies, enter:
    set file-upload-policy ?
    Default: No default.

HTTP-protocol-parameter-restriction "<constraint_name>"
    Enter the name of an HTTP protocol constraint that you want to apply, if any. The maximum length is 63 characters. For details, see waf HTTP-protocol-parameter-restriction on page 488.
    To display the list of existing constraints, enter:
    set HTTP-protocol-parameter-restriction ?
    Default: No default.

url-access-policy "<policy_name>"
    Enter the name of a URL access policy. The maximum length is 63 characters. For details, see waf url-access url-access-policy on page 606.
    To display the list of existing policies, enter:
    set url-access-policy ?
    Default: No default.

allow-method-policy "<policy_name>"
    Enter the name of an allowed method policy. The maximum length is 63 characters. For details, see "server-policy custom-application application-policy" on page 1.
    To display the list of existing policies, enter:
    set allow-method-policy ?
    Default: No default.

ip-list-policy "<policy_name>"
    Enter the name of a trusted IP or blocklisted IP policy. The maximum length is 63 characters. For details, see "server-policy custom-application application-policy" on page 1.
    To display the list of existing policies, enter:
    set ip-list-policy ?
    Default: No default.

geo-block-list-policy "<policy_name>"
    Enter the name of a geographically-based client IP block list that you want to apply, if any. The maximum length is 63 characters. For details, see waf geo-block-list on page 465.
    To display the list of existing policies, enter:
    set geo-block-list-policy ?
    Default: No default.

ip-intelligence {enable | disable}
    Enable to apply intelligence about the reputation of the client’s source IP. Blocking and logging behavior is configured in waf ip-intelligence on page 501.
    Default: disable

csrf-protection "<rule_name>"
    Select the name of a cross-site request forgery protection rule, if any, to apply to matching requests. See waf csrf-protection on page 420.
    To display the list of existing rules, enter:
    set csrf-protection ?
    Available only when client-management {enable | disable} on page 647 is enabled.

user-tracking-policy "<user-tracking-policy_name>"
    Select the name of a user tracking policy. The maximum length is 63 characters. For details, see waf user-tracking policy on page 624.
    To display the list of existing policies, enter:
    set user-tracking-policy ?
    Default: No default.

data-analysis {enable | disable}
    Enable this to collect data for servers covered by this profile.
    Default: disable

comment "<comment_str>"
    Enter a description or other comment. If the comment contains more than one word or contains an apostrophe, surround the comment in double quotes ( " ). The maximum length is 199 characters.
    Default: No default.

openapi-validation-policy "<openapi-validation-policy_name>"
    Select the OpenAPI validation policy name.
    Default: No default.

json-validation-policy "<json-validation-policy_name>"
    Select the JSON protection policy name.
    Default: No default.

mobile-app-identification {enable | disable}
    Enable to configure the JWT token secret and token header to verify a request from a mobile application.
    Refer to the Approov documentation for how to get the token.
    Default: disable

token-secret <token-secret_str>
    Enter the token secret that you obtained from Approov.
    Available only when mobile-app-identification {enable | disable} is set to enable.
    Default: No default

token-header <token-header_str>
    Specify the header where the token is carried.
    Available only when mobile-app-identification {enable | disable} is set to enable.
    Default: No default

mobile-api-protection <mobile-api-protection_name>
    Select the name of an existing API protection policy. For details, see waf mobile-api-protection.
    Available only when mobile-app-identification {enable | disable} is set to enable.
    Default: No default

syntax-based-attack-detection <detection_name>
    Select the name of an existing SQL/XSS syntax-based detection policy. For details, see waf syntax-based-attack-detection.
    Default: No default

owasp_api_top10_log_field {enable/disable}
    Enable to record the OWASP API Top10 attack categories in attack logs so that you can filter the attack logs by OWASP API Top10.
    Default: enable
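As an added configuration example (not from the Fortinet document), the following builds an Offline Protection profile in the order the option dependencies above require: the session-bound options are set only after client-management is enabled, and the Approov token options only after mobile-app-identification is enabled. Every object name, the token secret placeholder and the Approov-Token header name are constructed assumptions; the referenced rules and policies must already exist, and the lines starting with # are annotations for the reader.

```cli
# Added example: detection-only Offline Protection profile for use with auto-learning.
# All names are constructed placeholders; create the referenced objects first.
config waf web-protection-profile offline-protection
    edit "offline-demo"
        set comment "Detection-only profile for auto-learning: log, do not block"
        # Session tracking must be enabled before threat-score-profile,
        # HTTP-session-timeout and csrf-protection are accepted.
        set client-management enable
        set HTTP-session-timeout 1200
        set HTTP-session-keyword "Session-Num"
        set threat-score-profile "threat-score-demo"
        set csrf-protection "csrf-demo"
        # "Alert Only" keeps the profile at log-only, which is what the
        # auto-learning feature needs to collect complete session statistics.
        set signature-rule "Alert Only"
        # Without this, AMF3-encoded Flash requests are not scanned
        # against the XSS / SQL injection / common-exploit signatures.
        set amf3-protocol-detection enable
        # Input validation and access control objects configured beforehand.
        set parameter-validation-rule "param-demo"
        set HTTP-protocol-parameter-restriction "constraint-demo"
        set url-access-policy "url-access-demo"
        set allow-method-policy "allow-method-demo"
        set ip-list-policy "ip-list-demo"
        set geo-block-list-policy "geo-demo"
        set ip-intelligence enable
        set file-upload-policy "file-upload-demo"
        set padding-oracle "padding-demo"
        set hidden-fields-protection "hidden-fields-demo"
        set openapi-validation-policy "openapi-demo"
        set json-validation-policy "json-demo"
        # The token options and mobile-api-protection are only available
        # once mobile-app-identification is enabled.
        set mobile-app-identification enable
        set token-secret APPROOV_SECRET_PLACEHOLDER
        set token-header Approov-Token
        set mobile-api-protection "mobile-api-demo"
        set syntax-based-attack-detection "syntax-demo"
        set owasp_api_top10_log_field enable
        set data-analysis enable
    next
end
```

The profile takes effect only after it is selected in a server policy whose deployment-mode is offline-detection (see server-policy policy on page 140).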

Related topics

- server-policy policy on page 140
- waf signature on page 555
- waf padding-oracle on page 550
- waf parameter-validation-rule on page 553
- waf url-access url-access-rule on page 610
- waf allow-method-exceptions on page 384
- system settings on page 336
- waf geo-block-list on page 465
- waf hidden-fields-protection on page 468
- waf HTTP-protocol-parameter-restriction on page 488
- waf ip-intelligence on page 501
- "server-policy custom-application application-policy" on page 1
- waf syntax-based-attack-detection on page 582

waf webshell-detection-policy

Use this command to set Web Shell Detection policies that FortiWeb uses to detect Trojans in files that can be uploaded to your web servers.
Attackers may attempt to upload Trojan horse code (written in scripting languages such as PHP and ASP) to the back-end web servers. The Trojan then infects clients who access an infected web page.
Web Shell Detection detects Trojans in uploaded files. In addition to the traditional method, which detects Trojans based on tags and keywords, Web Shell Detection can also perform fuzzy hash based detection, where it determines similarity by comparing the hash value of the file against the Trojan sample library. In this way, no matter how the attacker modifies the script, as long as the similarity meets the threshold, the file can be identified as a Trojan.
Web Shell Detection is divided into two categories: Fuzzy Hash Based Detection and Known Web Shells. Each category is further divided into five script types: PHP, ASP, JSP, Perl, and Python.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf webshell-detection-policy
edit "<file-upload-restriction-policy_name>"
set action {alert | alert_deny | block-period | deny_no_log}
set block-period <seconds_int>
set severity {High | Medium | Low | Info}
set trigger <trigger-policy_name>
set fuzzy-similarity-threshold <threshold>
set fuzzy-asp-status {enable | disable}
set fuzzy-jsp-status {enable | disable}
set fuzzy-php-status {enable | disable}
set fuzzy-perl-status {enable | disable}
set fuzzy-python-status {enable | disable}
set known-asp-status {enable | disable}
set known-jsp-status {enable | disable}
set known-php-status {enable | disable}
set known-perl-status {enable | disable}
set known-python-status {enable | disable}
config fuzzy-disable-list
edit <webshell-name>
end
end
end
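An added example (not from the Fortinet document) of a Web Shell Detection policy tuned for a PHP-only application whose Offline Protection profile is used with auto-learning: the action is alert rather than alert_deny so that no connection reset leaves the auto-learning feature with incomplete session data, fuzzy hash matching stays on for PHP and is switched off for script types the application never serves, and one library sample is excluded from fuzzy matching. The policy name, trigger name and the entry in fuzzy-disable-list are constructed placeholders; lines starting with # are annotations for the reader.

```cli
# Added example: Web Shell Detection policy for a PHP-only application
# protected in Offline Protection mode alongside an auto-learning profile.
config waf webshell-detection-policy
    edit "webshell-php-offline"
        # alert, not alert_deny: a reset would leave auto-learning with
        # incomplete session information (see the action description).
        set action alert
        set severity High
        set trigger "trigger-demo"
        # 80 % is the default. Lowering it matches more heavily modified
        # variants; raise it if legitimate uploads resemble library samples.
        set fuzzy-similarity-threshold 80
        # Fuzzy matching only for the script type the application serves.
        set fuzzy-php-status enable
        set fuzzy-asp-status disable
        set fuzzy-jsp-status disable
        set fuzzy-perl-status disable
        set fuzzy-python-status disable
        # Keep known-sample matching enabled for every script type.
        set known-php-status enable
        set known-asp-status enable
        set known-jsp-status enable
        set known-perl-status enable
        set known-python-status enable
        # Exclude a single library sample from fuzzy matching (placeholder name).
        config fuzzy-disable-list
            edit "WEBSHELL_NAME_PLACEHOLDER"
            next
        end
    next
end
```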

Variable Description Default

"<file-upload-restriction-policy_name>"
    Enter the name of an existing or new Web Shell Detection policy. The maximum length is 63 characters.
    To display the list of existing policies, enter:
    edit ?
    Default: No default.

action {alert | alert_deny | block-period | deny_no_log}
    Enter the action you want FortiWeb to perform when the policy is violated:
    • alert—Accept the request and generate an alert and/or log message.
    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see "system replacemsg" on page 1 and the FortiWeb Administration Guide:
      HTTP://docs.fortinet.com/fortiweb/admin-guides
    • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int> on page 653.
    • deny_no_log—Deny a request. Do not generate a log message.
    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for on page 659.
    Caution: This setting will be ignored if monitor-mode {enable | disable} on page 152 is enabled.
    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk on page 66 and log alertMail on page 60.
    Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, you should select alert. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see "waf web-protection-profile autolearning-profile" on page 1.
    Default: alert_deny

block-period <seconds_int>
    If action {alert | alert_deny | block-period | deny_no_log} on page 652 is block-period, type the number of seconds that violating requests will be blocked. The valid range is 1–3,600 seconds.
    Default: 600

severity {High | Medium | Low | Info}
    Select the severity level to use in logs and reports generated when a violation of the rule occurs.
    Default: medium

trigger <trigger-policy_name>
    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy on page 93. The maximum length is 63 characters.
    To display the list of existing triggers, enter:
    set trigger ?
    Default: No default.

fuzzy-similarity-threshold <threshold>
    Web Shell Detection can perform fuzzy hash based detection to determine the similarity by comparing the hash value of the file and the Trojan sample library. In this way, no matter how the attacker modifies the script, as long as the similarity meets the threshold, it can be identified as a Trojan.
    Specify the Fuzzy Similarity Threshold. A file will be identified as a Trojan when it resembles the Trojan sample library by the specified percentage. The valid range is 1-100 (%).
    Default: 80

fuzzy-asp-status {enable | disable}
    Enable or disable fuzzy hash based detection for ASP script type.
    Default: enable

fuzzy-jsp-status {enable | disable}
    Enable or disable fuzzy hash based detection for JSP script type.
    Default: enable

fuzzy-php-status {enable | disable}
    Enable or disable fuzzy hash based detection for PHP script type.
    Default: enable

fuzzy-perl-status {enable | disable}
    Enable or disable fuzzy hash based detection for Perl script type.
    Default: enable

fuzzy-python-status {enable | disable}
    Enable or disable fuzzy hash based detection for Python script type.
    Default: enable

known-asp-status {enable | disable}
    Enable or disable FortiWeb to detect ASP script type according to known signatures.
    Default: enable

known-jsp-status {enable | disable}
    Enable or disable FortiWeb to detect JSP script type according to known signatures.
    Default: enable

known-php-status {enable | disable}
    Enable or disable FortiWeb to detect PHP script type according to known signatures.
    Default: enable

known-perl-status {enable | disable}
    Enable or disable FortiWeb to detect Perl script type according to known signatures.
    Default: enable

known-python-status {enable | disable}
    Enable or disable FortiWeb to detect Python script type according to known signatures.
    Default: enable

edit <webshell-name>
    Enter the web shell name to exclude it. The uploaded file containing the specified script will not be identified as an attack.
    Default: No default.
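A small model of the similarity-threshold decision described for fuzzy-similarity-threshold, fuzzy-<type>-status and fuzzy-disable-list, added here as an example; it is not FortiWeb's code. It stands in for the appliance's fuzzy hash with a byte n-gram Jaccard similarity (an assumption), identifies the script type from the file extension (also an assumption; the appliance inspects content), and uses constructed placeholder strings in place of the Trojan sample library, so the numbers show the mechanism rather than the product's scores:

```python
"""Similarity-threshold detection for uploaded scripts (added example, not FortiWeb code)."""
from dataclasses import dataclass, field

# File extension -> script type. An assumption of this example; the appliance
# recognises script types from content.
EXTENSION_TO_TYPE = {"php": "php", "asp": "asp", "aspx": "asp",
                     "jsp": "jsp", "pl": "perl", "py": "python"}

# Constructed placeholder "library" entries; the appliance's Trojan sample
# library holds real samples and is not reproduced here.
SAMPLE_LIBRARY = {
    "sample-a": b"<?php placeholder_alpha($x); placeholder_beta($y); ?>",
    "sample-b": b'<%@ page import="placeholder.Gamma" %><% placeholder_delta(request); %>',
}


def shingles(data, n=4):
    """Overlapping byte n-grams; the units whose overlap defines similarity."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity_percent(a, b):
    """Jaccard similarity of two byte strings, scaled to 0-100 percent.
    Stands in for the fuzzy-hash comparison the page describes."""
    sa, sb = shingles(a), shingles(b)
    if not sa or not sb:
        return 0
    return int(100 * len(sa & sb) / len(sa | sb))


@dataclass
class WebShellPolicy:
    fuzzy_similarity_threshold: int = 80            # page default 80, valid 1-100
    fuzzy_status: dict = field(default_factory=lambda: dict.fromkeys(
        ("asp", "jsp", "php", "perl", "python"), True))   # fuzzy-<type>-status
    fuzzy_disable_list: set = field(default_factory=set)   # excluded sample names


def script_type(filename):
    if "." not in filename:
        return None
    return EXTENSION_TO_TYPE.get(filename.rsplit(".", 1)[1].lower())


def evaluate(policy, filename, content, library=SAMPLE_LIBRARY):
    """Return (verdict, matched sample name, similarity percent).

    A file is blocked when it resembles any non-excluded library sample by at
    least the threshold; the best-scoring sample is reported."""
    stype = script_type(filename)
    if stype is None or not policy.fuzzy_status.get(stype, False):
        return ("allow", None, 0)        # type not covered or fuzzy detection off
    verdict = ("allow", None, 0)
    for name, sample in library.items():
        if name in policy.fuzzy_disable_list:
            continue                      # fuzzy-disable-list exclusion
        score = similarity_percent(content, sample)
        if score >= policy.fuzzy_similarity_threshold and score > verdict[2]:
            verdict = ("block", name, score)
    return verdict
```

Renaming a variable in the placeholder sample changes only a handful of n-grams, so the copy still scores above the 80 percent default; raising the threshold trades that tolerance for fewer matches, which is the trade-off the threshold setting exposes.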

Related topics

• server-policy custom-application application-policy on page 1
• log trigger-policy on page 93
• system fortisandbox on page 278

waf websocket-security rule

Use this command to configure WebSocket rule related settings.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf websocket-security rule
edit websocket-security_rule_name
set host-status {enable | disable}
set host <host_str>
set url-type {plain | regular}
set url <url_str>
set block-websocket-traffic {enable | disable}
set action {alert | deny_no_log | alert_deny}
set max-frame-size <max-frame-size_int>
set max-message-size <max-message-size_int>
set block-extensions {enable | disable}
set enable-attack-signatures {enable | disable}
set allow-plain-text {enable | disable}
set allow-binary-text {enable | disable}
config allowed-origin-list
edit <allowed-origin-list_id>
set origin <origin_str>
next
end
next
end

Variable Description Default

websocket-security_rule_name
    Enter the WebSocket security rule name.
    Default: No default.

host-status {enable | disable}
    Enable to compare the WebSocket security rule to the Host: field in the HTTP header.
    Default: No default.

host <host_str>
    Select the IP address or fully qualified domain name (FQDN) of the protected host to which this rule applies. This option is available only if Host Status is enabled.
    Default: No default.

url-type {plain | regular}
    Select whether the URL Pattern field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).
    Default: Plain

url <url_str>
    The URL which hosts the web page containing the user input fields you want to protect.
    Default: No default.

block-websocket-traffic {enable | disable}
    Enable to deny the WebSocket traffic, and FortiWeb will not check any WebSocket related traffic. This option is disabled by default.
    Default: Disable

action {alert | deny_no_log | alert_deny}
    Select which action the FortiWeb appliance will take when it detects a violation.
    Alert—Accept the connection and generate an alert email and/or log message.
    Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.
    Deny (no log)—Block the request (or reset the connection).
    Default: Alert

max-frame-size <max-frame-size_int>
    Specifies the maximum acceptable frame header and body size in bytes. The valid range is 0–2147483647 bytes.
    Default: 64

max-message-size <max-message-size_int>
    Specifies the maximum acceptable message header and body size in bytes. The valid range is 0–2147483647 bytes.
    Default: 1024

block-extensions {enable | disable}
    Enable to not check the extension header in the WebSocket handshake packet. By default, this option is disabled.
    Default: Disable

enable-attack-signatures {enable | disable}
    Enable to detect attacks in the WebSocket message body. If the WebSocket traffic has an extension header and the WebSocket security rule allows the extension header, FortiWeb cannot detect attack signatures. When an attack signature is detected, the actions FortiWeb takes follow those of the related signatures.
    Default: Disable

allow-plain-text {enable | disable}
    Enable to allow detecting the plain text.
    Default: Enable

allow-binary-text {enable | disable}
    Enable to allow detecting the binary text.
    Default: Enable

allowed-origin-list <allowed-origin-list_id>
    Enter the origin list ID in the WebSocket handshake packet.
    Default: No default.

origin <origin_str>
    Enter the allowed origin.
    Default: No default.
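As an added example (not FortiWeb's code), the checks that the rule options above describe, applied to constructed handshake headers and RFC 6455 client frames: origin against allowed-origin-list, the extension header under block-extensions, frame and message size limits that count header bytes as the table says, and the plain/binary type switches. The numeric defaults are the table's; the mask key, origins and the violation names are constructed for the example:

```python
"""WebSocket handshake and frame checks (added example, not FortiWeb code)."""
import struct
from dataclasses import dataclass, field

OPCODE_CONTINUATION, OPCODE_TEXT, OPCODE_BINARY = 0x0, 0x1, 0x2
MASK_KEY = b"\x11\x22\x33\x44"   # constructed; a real client picks a random key per frame


@dataclass
class WebSocketRule:
    max_frame_size: int = 64          # bytes, frame header plus body (page default)
    max_message_size: int = 1024      # bytes, all fragments of one message (page default)
    block_extensions: bool = False
    allow_plain_text: bool = True
    allow_binary_text: bool = True
    allowed_origins: list = field(default_factory=list)   # allowed-origin-list entries


def check_handshake(rule, headers):
    """Check the upgrade request. headers: dict keyed by lower-cased header name."""
    violations = []
    if rule.allowed_origins and headers.get("origin") not in rule.allowed_origins:
        violations.append("origin-not-allowed")
    if rule.block_extensions and "sec-websocket-extensions" in headers:
        violations.append("extension-header")
    return violations


def build_frame(opcode, payload, fin=True):
    """Encode a masked client-to-server frame (RFC 6455 section 5.2)."""
    first = (0x80 if fin else 0x00) | opcode
    n = len(payload)
    if n < 126:
        header = bytes([first, 0x80 | n])
    elif n < 65536:
        header = bytes([first, 0x80 | 126]) + struct.pack("!H", n)
    else:
        header = bytes([first, 0x80 | 127]) + struct.pack("!Q", n)
    masked = bytes(b ^ MASK_KEY[i % 4] for i, b in enumerate(payload))
    return header + MASK_KEY + masked


def parse_frame_header(buf):
    """Return (fin, opcode, payload_len, header_len) without touching the payload."""
    if len(buf) < 2:
        raise ValueError("frame shorter than minimum header")
    fin = bool(buf[0] & 0x80)
    opcode = buf[0] & 0x0F
    masked = bool(buf[1] & 0x80)
    length = buf[1] & 0x7F
    pos = 2
    if length == 126:
        length, pos = struct.unpack("!H", buf[2:4])[0], 4
    elif length == 127:
        length, pos = struct.unpack("!Q", buf[2:10])[0], 10
    if masked:
        pos += 4                      # 4-byte masking key follows the length
    return fin, opcode, length, pos


def check_frames(rule, frames):
    """Apply size and type limits across a frame sequence; returns violations."""
    violations = []
    message_bytes = 0
    message_flagged = False
    for buf in frames:
        fin, opcode, plen, hlen = parse_frame_header(buf)
        total = hlen + plen           # header and body, as max-frame-size counts them
        if total > rule.max_frame_size:
            violations.append(("frame-too-large", total))
        if opcode == OPCODE_TEXT and not rule.allow_plain_text:
            violations.append(("text-not-allowed", total))
        if opcode == OPCODE_BINARY and not rule.allow_binary_text:
            violations.append(("binary-not-allowed", total))
        if opcode in (OPCODE_TEXT, OPCODE_BINARY):      # first fragment of a message
            message_bytes, message_flagged = 0, False
        if opcode in (OPCODE_CONTINUATION, OPCODE_TEXT, OPCODE_BINARY):
            message_bytes += total
            if message_bytes > rule.max_message_size and not message_flagged:
                violations.append(("message-too-large", message_bytes))
                message_flagged = True      # report once per message
    return violations
```

With the 64-byte default, a single 100-byte binary payload is already over the frame limit, and a message split into 50-byte fragments crosses the 1024-byte message limit at the 19th fragment even though every fragment is individually acceptable; that is why the table carries both limits.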

Related topics

• waf HTTP-constraints-exceptions on page 480
• waf HTTP-protocol-parameter-restriction on page 488

waf websocket-security policy

Use this command to create a WebSocket policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf websocket-security policy
edit "<policy_name>"
config rule-list
edit rule-list_id
set rule "<rule_name>"
next
end
next
end

Variable Description Default

"<policy_name>"
    Enter the WebSocket Security policy name.
    Default: No default.

rule-list_id
    Enter the sequence number of the rule in the rule list.

rule "<rule_name>"
    Select the created WebSocket security rule name.
    Default: No default.

Related topics

• waf websocket-security rule on page 654

waf ws security

Use this command to create WS-Security rules.

You can use WS-Security rules to do the following:
• Encrypt and decrypt parts of SOAP messages
• Digitally sign parts of SOAP messages
• Verify parts of SOAP messages using digital signatures

Syntax
config waf ws-security rule
edit "<ws-security_rule_name>"
set encryption-algorithm {3EDS | AES-128 | AES-256}
set encryption-part {Element Value | Element Markup}
set key-transport-algorithm {RSA-15 | RSA-OAEP}
set request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify}
set request-security-status {enable | disable}
set response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign}
set response-security-status {enable | disable}
set signature-algorithm {RSA-SHA-1 | HMAC-SHA-1}
set xml-client-certificate-group <xml-client-certificate_group_str>
set xml-server-certificate <xml-server-certificate_str>
config namespace-mapping
edit "<namespace-mapping_name_id>"
set prefix <prefix_str>
set namespace <namespace_str>
next
end
config element-list
edit "<element-list_name_id>"
set xpath <xpath_str>
set direction {request | response}
next
end
next
end

Variable Description Default

"<ws-security_rule_name>"
    Enter a name that can be referenced by other parts of the configuration.
    Default: No default.

encryption-algorithm {3EDS | AES-128 | AES-256}
    Select the encryption algorithm.
    • 3EDS
    • AES-128
    • AES-256
    Available only when response-security-status {enable | disable} is enable, and response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign} is Encrypt, Sign & Encrypt, or Encrypt & Sign.
    Default: 3EDS

encryption-part {Element Value | Element Markup}
    Select which part of the SOAP messages to encrypt.
    • Element Value
    • Element Markup
    Default: Element Value

key-transport-algorithm {RSA-15 | RSA-OAEP}
    Select the key transport algorithm.
    • RSA-15
    • RSA-OAEP
    Default: RSA-15

request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify}
    Select the operation that FortiWeb performs for the encrypted SOAP messages from the client.
    • Sign Verify & Decrypt
    • Decrypt
    • Sign Verify
    Default: Sign Verify

request-security-status {enable | disable}
    Enable to configure FortiWeb to decrypt, sign and verify the encrypted SOAP messages from the client.
    Default: disable

response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign}
    Select the operation that FortiWeb performs for the SOAP messages returned from the server.
    • Sign
    • Encrypt
    • Sign & Encrypt
    • Encrypt & Sign
    Default: Sign

response-security-status {enable | disable}
    Enable to configure FortiWeb to encrypt and sign the SOAP messages returned from the server.
    Default: disable

signature-algorithm {RSA-SHA-1 | HMAC-SHA-1}
    Select the signature algorithm.
    • RSA-SHA-1
    • HMAC-SHA-1
    Default: RSA-SHA-1

xml-client-certificate-group <xml-client-certificate_group_str>
    Select the XML client certificate group created from XML Certificate > Client Certificate Group.
    Available only when request-security-status {enable | disable} is enable, and the request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify} is Sign Verify & Decrypt or Sign Verify.
    Or available only when response-security-status {enable | disable} is enable, and the response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign} is Encrypt, Sign & Encrypt or Encrypt & Sign.
    Default: No default.

xml-server-certificate <xml-server-certificate_str>
    Select the XML server certificate uploaded from XML Certificate > Server Certificate.
    Available only when request-security-status {enable | disable} is enable, and the request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify} is Sign Verify & Decrypt or Decrypt.
    Or available only when response-security-status {enable | disable} is enable, and the response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign} is Sign, Sign & Encrypt, or Encrypt & Sign.
    Default: No default.

"<namespace-mapping_name_id>"
    Enter the index number of an entry to create a namespace mapping.
    Default: No default.

namespace <namespace_str>
    Enter the namespace.
    Default: No default.

prefix <prefix_str>
    Enter a prefix for the namespace.
    Default: No default.

"<element-list_name_id>"
    Enter the index number of an entry to create an element list.
    Default: No default.

xpath <xpath_str>
    Enter an XPath to specify which part of the XML file to process.
    Default: No default.

direction {request | response}
    Select either Request or Response to define the direction in which the XPath applies.
    Default: request

Related topics

• Configuring XML protection on page 1
• system certificate xml-client-certificate on page 245
• system certificate xml-client-certificate-group on page 249
• system certificate xml-server-certificate on page 357

waf x-forwarded-for

Use this command to configure FortiWeb’s use of X-Forwarded-For: and X-Real-IP:.


For behavior of this feature and requirements, see the FortiWeb Administration Guide:
HTTPs://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf x-forwarded-for
edit "<x-forwarded-for_name>"
set block-based-on-original-ip {enable | disable}
set ip-location {left | right}
set original-ip-header "<HTTP-header-key_str>"
set tracing-original-ip {enable | disable}
set x-forwarded-proto {enable | disable}
set x-forwarded-for-support {enable | disable}
set x-real-ip {enable | disable}
set skip-private-original-ip {enable | disable}
set add-source-port {enable | disable}
set x-forwarded-port {enable | disable}
config ip-list
edit <entry_index>
set ip "<load-balancer_ip>"
next
end
next
end

Variable Description Default

"<x-forwarded-for_name>"
    Enter the name of the new or existing group. The maximum length is 63 characters.
    To display the list of existing groups, enter:
    edit ?
    Default: No default.

block-based-on-original-ip {enable | disable}
    Enable to be able to block requests that violate your policies by using the original client’s IP derived from this HTTP X-header.
    When disabled, only attack logs and reports will use the original client’s IP.
    Default: disable

ip-location {left | right}
    Select whether to extract the original client’s IP from either the left or right end of the HTTP X-header line.
    Most proxies put the request’s origin at the left end, which is the default setting. Some proxies, however, place it on the right end.
    Default: left

original-ip-header "<HTTP-header-key_str>"
    Enter the key of the X-header, such as X-Forwarded-For or X-Real-IP, without the colon ( : ), that contains the original source IP address of the client. Also configure tracing-original-ip {enable | disable} on page 661 and, for security reasons, ip "<load-balancer_ip>" on page 662.
    Maximum length is 256 characters.
    Default: No default.

tracing-original-ip {enable | disable}
    If FortiWeb is deployed behind a device that applies NAT, enable this option to derive the original client’s source IP address from an HTTP X-header, instead of the SRC field in the IP layer. Also configure original-ip-header "<HTTP-header-key_str>" on page 660 and, for security reasons, ip "<load-balancer_ip>" on page 662.
    This HTTP header is often X-Forwarded-For: when traveling through a web proxy, but can vary. For example, the Akamai service uses True-Client-IP:.
    For deployment guidelines and mechanism details, see the FortiWeb Administration Guide:
    HTTPs://docs.fortinet.com/fortiweb/admin-guides
    Caution: To combat forgery, configure the IP addresses of load balancers and proxies that are trusted providers of this header. Also configure those proxies/load balancers to reject fraudulent headers, rather than passing them to FortiWeb.
    Default: disable

x-forwarded-proto {enable | disable}
    Enable to add an X-Forwarded-Proto: header that indicates the protocol used in the client’s original request. Requires Reverse Proxy or True Transparent Proxy mode.
    Usually if your FortiWeb is receiving HTTPS requests from clients, and it is operating in Reverse Proxy mode, SSL/TLS is being offloaded. FortiWeb has terminated the SSL/TLS connection and the second segment of the request, where it forwards to the back-end servers, is clear text HTTP. In some cases, your back-end server may need to know that the original request was, in fact, encrypted HTTPS, not HTTP.
    Default: disable

x-forwarded-for-support {enable | disable}
    Enable to include the X-Forwarded-For: HTTP header on requests forwarded to your web servers. Behavior varies by the header already provided by the HTTP client or web proxy, if any:
    • Header absent—Add the header, using the source IP address of the connection.
    • Header present—Verify that the source IP address of the connection is present in this header’s list of IP addresses. If it is not, append it.
    This option can be useful for web servers that log or analyze clients’ IP addresses, and support the X-Forwarded-For: header. When this option is disabled, from the web server’s perspective, all connections appear to be coming from the FortiWeb appliance, which performs network address translation (NAT). But when enabled, the web server can instead analyze this header to determine the source and path of the original client connection.
    This option applies only when FortiWeb is operating in Reverse Proxy mode or True Transparent Proxy.
    Default: disable

x-real-ip {enable | disable}
    Enable to include the X-Real-IP: HTTP header on requests forwarded to your web servers. Behavior varies by the header already provided by the HTTP client or web proxy, if any. For details, see x-forwarded-for-support {enable | disable} on page 661.
    Like X-Forwarded-For:, this header is also used by some proxies and web servers to trace the path, log, or analyze based upon the packet’s original source IP address.
    This option applies only when FortiWeb is operating in Reverse Proxy or True Transparent Proxy mode.
    Default: disable

skip-private-original-ip {enable | disable}
    Enable to skip the private original IP that indicates the service used in the client’s original request.
    Default: enable

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,223,372,036,854,775,807.
    Each list can contain a maximum of 256 IP addresses.
    Default: No default.

ip "<load-balancer_ip>"
    Type the IP address of a load balancer or proxy that is in front of the FortiWeb appliance (between the client and FortiWeb).
    To apply anti-spoofing measures and improve security, FortiWeb trusts the contents of the HTTP header that you specify in original-ip-header "<HTTP-header-key_str>" on page 660 only if the packet arrived from one of the IP addresses you specify here. It regards original-ip-header "<HTTP-header-key_str>" on page 660 from other IP addresses as potentially spoofed.
    For packets from other IP addresses, FortiWeb ignores the X-Forwarded-For: header and uses the source IP address in the IP header as the client source address. This IP address is displayed in the attack log message.
    Default: No default.

add-source-port {enable | disable}
    Enable to add an X-Forwarded-For: header with the connection's source IP. If this field is enabled, the source port of the request will be added as well.
    Available only when FortiWeb operates in Reverse Proxy, True Transparent Proxy, or WCCP mode.
    Default: disable

x-forwarded-port {enable | disable}
    Enable to add an X-Forwarded-Port: header with the connection's destination port.
    Available only when FortiWeb operates in Reverse Proxy, True Transparent Proxy, or WCCP mode.
    Default: disable

Example

The following example defines an X-Forwarded-For rule that adds X-Forwarded-For:, X-Real-IP:, and X-Forwarded-Proto: headers to traffic that FortiWeb forwards to a back-end server. It enables FortiWeb to use the HTTP X-Header to identify and block the original client's IP. To protect against XFF spoofing, it also specifies the trusted load balancer 192.0.2.105 in the X-Forwarded-For IP list.
config waf x-forwarded-for
edit "load-balancer1"
set x-forwarded-for-support enable
set tracing-original-ip enable
set original-ip-header X-FORWARDED-FOR
set x-real-ip enable
set x-forwarded-proto enable
config ip-list
edit 1
set ip "192.0.2.105"
next
end
set block-based-on-original-ip enable
next
end
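An added example, not FortiWeb's code, of the trust decision the table and the example above describe: the original-ip-header is honoured only when the connection comes from an address in ip-list, the address is read from the end chosen by ip-location, private addresses are skipped under skip-private-original-ip, the result is used for blocking only when block-based-on-original-ip is enabled, and x-forwarded-for-support adds or appends the connection address on the way to the back end. The set of ranges treated as private, case-insensitive header names, an empty ip-list trusting nobody, and the documentation-range addresses are all assumptions of the example:

```python
"""Trust decision for the original-client-IP header (added example, not FortiWeb code)."""
import ipaddress
from dataclasses import dataclass, field

# Ranges this example treats as "private": RFC 1918, loopback and link-local.
# An assumption; the page does not define the term.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128")]


@dataclass
class XForwardedForRule:
    tracing_original_ip: bool = False
    original_ip_header: str = "X-Forwarded-For"
    ip_location: str = "left"                      # "left" or "right" end of the header
    ip_list: list = field(default_factory=list)    # trusted load balancers / proxies
    skip_private_original_ip: bool = True
    block_based_on_original_ip: bool = False
    x_forwarded_for_support: bool = False


def is_private(ip):
    return any(ip in net for net in PRIVATE_NETS)


def resolve_client_ip(rule, src_ip, headers):
    """Return (address used for blocking, address written to attack logs, reason).

    src_ip is the source of the TCP connection; headers is a dict keyed by
    lower-cased header name (the CLI value X-FORWARDED-FOR matches too)."""
    if not rule.tracing_original_ip:
        return src_ip, src_ip, "tracing-original-ip disabled"
    if src_ip not in rule.ip_list:
        # Header did not arrive from a configured proxy: potentially spoofed, ignore it.
        return src_ip, src_ip, "source not in ip-list; header treated as potentially spoofed"
    value = headers.get(rule.original_ip_header.lower(), "")
    candidates = [part.strip() for part in value.split(",") if part.strip()]
    if rule.ip_location == "right":
        candidates.reverse()
    for cand in candidates:
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue                          # not an address at all; skip it
        if rule.skip_private_original_ip and is_private(ip):
            continue                          # internal hop, not the client
        original = str(ip)
        enforce = original if rule.block_based_on_original_ip else src_ip
        return enforce, original, "derived from " + rule.original_ip_header
    return src_ip, src_ip, "no usable address in header"


def outbound_x_forwarded_for(rule, src_ip, headers):
    """Value of X-Forwarded-For: sent to the back end under x-forwarded-for-support."""
    existing = headers.get("x-forwarded-for", "")
    if not rule.x_forwarded_for_support:
        return existing or None
    if not existing:
        return src_ip                                     # header absent: add it
    parts = [part.strip() for part in existing.split(",")]
    if src_ip in parts:
        return existing                                   # header present and already lists us
    return existing + ", " + src_ip                       # header present: append
```

The ip-list check comes before the header is even read: a client that connects directly to FortiWeb and sends its own X-Forwarded-For: is logged and blocked by its connection address, which is the anti-spoofing behaviour the ip "<load-balancer_ip>" entry describes.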

waf xml-exempted-urls

When you configure schema location to forbid using location field to perform malicious requests, you can use this
command to exempt specific URLs from XML protection.

Syntax
config waf xml-exempted-urls
edit "<xml-exempted-urls_name>"
config exempted-url-list
edit exempted-url-list <exempted-url-list_str>
set url-type {plain | regular}
set exempted-url <exempted-url_str>
next
end
next
end

Variable Description Default

"<xml-exempted-urls_name>"
    Enter the name for the Exempted URLs list.
    Default: No default.

exempted-url-list <exempted-url-list_str>
    Enter the ID for the Exempted URLs list.
    Default: No default.

url-type {plain | regular}
    Select whether the exempted-url <exempted-url_str> on page 664 field must contain either:
    • plain—The field is a string that the request URL must match exactly.
    • regular—The field is a regular expression that defines a set of matching URLs.
    Default: No default.

exempted-url <exempted-url_str>
    Depending on your selection in url-type {plain | regular} on page 664, enter either:
    • plain—The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
    • regular—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.
    Default: No default.

Related topics

• waf xml-validation on page 665
• waf xml-wsdl on page 671

waf xml-schema

Use this command to view XML schema files that have already been uploaded to FortiWeb. You can upload
XML schema files only in the web UI.
XML schema files specify the acceptable structure of the elements in an XML document. When you use XML schema
files to check XML content in HTTP requests, FortiWeb can determine whether content is allowed and validate that
content is well-formed.
XML schema files are included in XML protection rules. XML protection rules define acceptable parameters for XML
content in HTTP requests. Groups of XML protection rules are grouped into XML protection policies. For details, see waf
xml-validation on page 665.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wafgrp area. For details, see Permissions on page 46.

Syntax
config waf xml-schema file
edit "<xml_schema_file_name>"
end

Variable Description Default

"<xml_schema_file_name>"
    To display a list of existing XML schema files, enter:
    edit ?
    Default: No default.

Related topics

• waf xml-validation on page 665

waf xml-validation

Use this command to create XML protection rules and configure XML protection policies. You can create up to 256 rules
per policy.
XML is commonly used for data exchange, and hackers sometimes try to exploit security holes in XML to attack web
servers. Using this command, you can configure FortiWeb to examine client requests for anomalies in XML. Configuring
XML protection can help ensure that the content of HTTP requests containing XML does not contain any potential
attacks.
XML protection is available in Reverse Proxy, True Transparent Proxy, and WCCP operating modes.

Syntax
config waf xml-validation rule
edit "<xml_rule_name>"
set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}
set block-period <period_int>
set expansion-entity-check {enable | disable}
set external-entity-check {enable | disable}
set host "<host_name_str>"
set host-status {enable | disable}
set request-file "<file_str>"
set request-type {plain | regular}
set schema-file "<schema_file_name>"
set severity {High | Low | Medium | Info}
set trigger "<trigger_policy_name>"
set xml-attributes-check {enable | disable}
set xml-limit-attr-num <limit_int>
set xml-limit-attrname-len <limit_int>
set xml-limit-attrvalue-len <limit_int>
set xml-limit-cdata-len <limit_int>
set xml-limit-check {enable | disable}
set xml-limit-element-depth <limit_int>
set xml-limit-element-name-len <limit_int>
set data-format {xml | soap}
set wsdl-ip-port-override {enable | disable}
set wsdl-file <wsdl-file_name>
set validate-soapaction {enable | disable}
set validate-soap-headers {enable | disable}
set allow-additional-soap-headers {enable | disable}
set validate-soap-body {enable | disable}
set x-include-check {enable | disable}
set schema-location-check {enable | disable}
set schema-location-exempted-urls <schema-location-exempted-urls_str>
set soap-attachment {allow | disallow}
set ws-i-basic-profile-assertion {WSI1001 | WSI1002 | WSI1003 | WSI1004 | WSI1006 | WSI1007 | WSI1032 | WSI1033 | WSI1109 | WSI1110 | WSI1111 | WSI1201 | WSI1202 | WSI1204 | WSI1208 | WSI1301 | WSI1307 | WSI1308 | WSI1309 | WSI1318 | WSI1601 | WSI1701}
set ws-i-basic-profile-wsdl-assertion {WSI1008 | WSI1116 | WSI1211}
next
end
config waf xml-validation policy
edit "<xml_policy_name>"
set enable-signature-detection {enable | disable}
config input-rule-list
edit <entry_index>
set "<xml_rule_1>"
next
end
next
end
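An added example, not FortiWeb's code, showing what the xml-limit-* options, external-entity-check and expansion-entity-check in the syntax above check for, implemented on Python's built-in expat parser with the page's default limits. The violation names and the test documents are constructed for the example; external entities are detected at their declaration and are never fetched:

```python
"""Structural limits and entity checks for XML request bodies (added example, not FortiWeb code)."""
import xml.parsers.expat
from dataclasses import dataclass


@dataclass
class XmlRule:
    xml_limit_check: bool = True            # master switch for the limits below
    xml_attributes_check: bool = True
    xml_limit_attr_num: int = 20            # page defaults follow
    xml_limit_attrname_len: int = 64
    xml_limit_attrvalue_len: int = 1024
    xml_limit_cdata_len: int = 4096
    xml_limit_element_depth: int = 20
    xml_limit_element_name_len: int = 64
    expansion_entity_check: bool = True
    external_entity_check: bool = True


def inspect_xml(rule, data):
    """Parse the body once; return [(violation, detail), ...], one entry per kind."""
    violations, seen = [], set()
    state = {"depth": 0, "in_cdata": False, "cdata_len": 0}

    def flag(kind, detail):
        if kind not in seen:          # report the first offending value of each kind
            seen.add(kind)
            violations.append((kind, detail))

    def start_element(name, attrs):
        state["depth"] += 1
        if not rule.xml_limit_check:
            return
        if state["depth"] > rule.xml_limit_element_depth:
            flag("element-depth", state["depth"])
        if len(name.encode("utf-8")) > rule.xml_limit_element_name_len:
            flag("element-name-len", name)
        if rule.xml_attributes_check:
            if len(attrs) > rule.xml_limit_attr_num:
                flag("attr-num", len(attrs))
            for aname, avalue in attrs.items():
                if len(aname.encode("utf-8")) > rule.xml_limit_attrname_len:
                    flag("attrname-len", aname)
                if len(avalue.encode("utf-8")) > rule.xml_limit_attrvalue_len:
                    flag("attrvalue-len", aname)

    def end_element(name):
        state["depth"] -= 1

    def start_cdata():
        state["in_cdata"], state["cdata_len"] = True, 0

    def char_data(text):              # CDATA content arrives here, possibly in chunks
        if state["in_cdata"]:
            state["cdata_len"] += len(text.encode("utf-8"))

    def end_cdata():
        state["in_cdata"] = False
        if rule.xml_limit_check and state["cdata_len"] > rule.xml_limit_cdata_len:
            flag("cdata-len", state["cdata_len"])

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            if rule.external_entity_check:
                flag("external-entity", name)          # declared with SYSTEM/PUBLIC id
        elif value is not None and rule.expansion_entity_check and "&" in value and ";" in value:
            flag("entity-expansion", name)             # entity whose value references entities

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartCdataSectionHandler = start_cdata
    parser.EndCdataSectionHandler = end_cdata
    parser.CharacterDataHandler = char_data
    parser.EntityDeclHandler = entity_decl
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        flag("malformed", str(exc))
    return violations
```

The entity checks fire on the DOCTYPE declarations themselves, before any reference is expanded, which is the point of checking them in the appliance rather than in the application: a nested-entity document is rejected by its declarations, not by the size it would grow to.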

Variable Description Default

"<xml_rule_name>" Enter a name that can be referenced by other parts of the No


configuration. You will use the name to select the rule in an default.
XML protection policy. The maximum length is 63 characters.

action {alert | alert_deny | Select one of the following actions that FortiWeb performs alert
block-period | redirect when a request violates the rule:
| send_403_forbidden | l alert—Accept the request and generate an alert email

deny_no_log} and/or log message.


l alert_deny—Block the request (or reset the
connection) and generate an alert email and/or log
message.
You can customize the web page that FortiWeb returns
to the client with the HTTP status code. For details, see
"system replacemsg" on page 1.
l block-period—Block subsequent requests from the
client for a number of seconds. Also configure waf xml-
validation on page 665.
l redirect—Redirect the request to the URL that you

FortiWeb CLI Reference Fortinet Technologies Inc.


config 667

Variable Description Default

specify in the protection profile and generate an alert


email and/or log message. Also configure redirect-url
"<redirect_fqdn>" on page 643 and rdt-reason {enable |
disable} on page 643.
l send_403_forbidden—Reply to the client with an
HTTP 403 Access Forbidden error message and
generate an alert email and/or log message.
l deny_no_log—Deny a request. Do not generate a log
message.
Caution:FortiWeb ignores this setting when monitor-mode
{enable | disable} on page 152 is enabled.
Note: Logging and/or alert email will occur only if enabled
and configured. For details, see log disk on page 66 and log
alertMail on page 60.

block-period <period_int> Enter the amount of time (in seconds) that you want to block 600
subsequent requests from a client after FortiWeb detects a
rule violation. This setting is available only when waf xml-
validation on page 665 is block-period.
The valid range is 1–3,600 seconds.

expansion-entity-check Enable to trigger the waf xml-validation on page 665 if an disable


{enable | disable} HTTP request contains an XML recursive entity expansion.
To enable this option, you must first enable waf xml-
validation on page 665.

external-entity-check Enable to trigger the waf xml-validation on page 665 if an disable


{enable | disable} HTTP request contains an external entity in XML.
To enable this option, you must first enable waf xml-
validation on page 665.

host "<host_name_str>" Enter the name of a protected host that the Host: field of an No
HTTP request must match in order for the rule to apply. For default.
details, see server-policy allow-hosts on page 103.

host-status {enable | Enable to compare the XML rule to the Host: field in the disable
disable} HTTP header. If enabled, also configure waf xml-validation
on page 665.

request-file "<file_str>" Depending on your selection for waf xml-validation on page No


665, enter either: default.
l plain—The literal URL, such as /index.php, that the

HTTP request must contain in order to match the rule.


The URL must begin with a slash ( / ).
l regular—A regular expression, such as ^/*.php,

matching the URLs to which the rule should apply. The


pattern does not require a slash ( / ), but it must match
URLs that begin with a slash, such as /index.cfm.

FortiWeb CLI Reference Fortinet Technologies Inc.


config 668

Variable Description Default

Do not include the domain name, such as


www.example.com, which is configured separately in waf
xml-validation on page 665.

request-type {plain | regular} Select whether waf xml-validation on page 665 must contain No
either: default.
l Simple String—The field is a string that the request

URL must match exactly.


l Regular Expression—The field is a regular expression

that defines a set of matching URLs.

schema-file "<schema_file_ Select an XML schema file. No


name>" To display a list of existing XML schema files, enter: default.
set schema-file ?

Note, if you select an XML schema file that references other


XML schema files, the other XML schema files must also be
uploaded to FortiWeb.

severity {High Low | When rule violations are recorded in the attack log, each log Low
Medium | Info} message contains a Severity Level field. Select which
severity level FortiWeb will use when it logs a violation of the
rule:
l Low

l Medium

l High

l Info

trigger "<trigger_policy_ Enter the name of the trigger, if any, to apply when the rule is No
name>" violated. The maximum length is 63 characters. For details, default.
see log trigger-policy on page 93.
To display a list of existing triggers, enter:
set trigger ?

xml-attributes-check Enable to configure waf xml-validation on page 665 and waf disable
{enable | disable} xml-validation on page 665.

xml-limit-attr-num <limit_ Enter the maximum number of attributes for each element. 20
int> The valid range is 1–256.
To configure this option, you must first enable waf xml-
validation on page 665.

xml-limit-attrname-len Enter the maximum attribute name length (in bytes) of each 64
<limit_int> element. The valid range is 1–1,024.
To configure this option, you must first enable waf xml-
validation on page 665.

xml-limit-attrvalue-len Enter the maximum attribute value length (in bytes) of each 1,024
<limit_int> element. The valid range is 1–2,048.

FortiWeb CLI Reference Fortinet Technologies Inc.


config 669

Variable Description Default

To configure this option, you must first enable waf xml-


validation on page 665.

xml-limit-cdata-len <limit_int>
    Enter the maximum Character Data (CDATA) length (in bytes) in XML. The valid range is 1–4,096.
    To configure this option, you must first enable waf xml-validation on page 665.
    Default: 4,096

xml-limit-check {enable | disable}
    Enable to configure XML limits.
    Default: disable

xml-limit-element-depth <limit_int>
    Enter the maximum element depth in XML. The valid range is 1–256.
    To configure this option, you must first enable waf xml-validation on page 665.
    Default: 20

xml-limit-element-name-len <limit_int>
    Enter the maximum element name length (in bytes) in XML. The valid range is 1–1,024.
    To configure this option, you must first enable waf xml-validation on page 665.
    Default: 64

"<xml_policy_name>"
    Enter the name of an XML protection policy. You will use the name to select the policy in other parts of the configuration. The maximum length is 63 characters.
    Default: No default.

<entry_index>
    Enter the index number of an entry to create or modify a rule for the policy. The valid range is 1–9,999,999,999,999,999,999.
    Default: No default.

"<xml_rule_1>"
    Enter the sequence number of an XML protection rule to add to the XML protection policy. The maximum length is 63 characters.
    Default: No default.

data-format {xml | soap}
    Select the XML protection rule format.
    Default: No default.

wsdl-ip-port-override {enable | disable}
    When enabled, only the URL will be used to match the service in WSDL. If a URL corresponds to multiple services, the first service will be matched.
    Default: disable

wsdl-file <wsdl-file_name>
    This field applies when the Data Format is SOAP. Enter a name for the WSDL file.
    Default: No default.

validate-soapaction {enable | disable}
    Enable to validate whether the soapAction in SOAP protocol complies with that in the WSDL file.
    Default: No default.

validate-soap-headers {enable | disable}
    Enable to validate whether the header elements in SOAP protocol comply with those in the WSDL file.
    Default: No default.

allow-additional-soap-headers {enable | disable}
    Enable not to validate additional header elements.
    Default: No default.

validate-soap-body {enable | disable}
    Enable to validate whether the body elements in SOAP protocol comply with those in the WSDL file.
    Default: No default.

x-include-check {enable | disable}
    Enable to trigger the action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log} on page 666 if other XML contents are included in XML.
    Default: No default.

schema-location-check {enable | disable}
    Enable to forbid using the location field to perform malicious requests.
    Default: No default.

schema-location-exempted-urls <schema-location-exempted-urls_str>
    Select the exempted URL you have created to configure allowed location URLs.
    Available only when schema-location-check {enable | disable} on page 670 is enabled.
    Default: No default.

enable-signature-detection {enable | disable}
    Enable to scan for matches with attack and data leak signatures in Web 2.0 (XML AJAX), SOAP, and other XML submitted by clients in the bodies of HTTP POST requests.
    Default: disable

soap-attachment {allow | disallow}
    Specify whether the SOAP message can carry attachments.
    Available only when the data-format {xml | soap} on page 669 is SOAP.
    Default: Allow

ws-i-basic-profile-assertion {WSI1001 | WSI1002 | WSI1003 | WSI1004 | WSI1006 | WSI1007 | WSI1032 | WSI1033 | WSI1109 | WSI1110 | WSI1111 | WSI1201 | WSI1202 | WSI1204 | WSI1208 | WSI1301 | WSI1307 | WSI1308 | WSI1309 | WSI1318 | WSI1601 | WSI1701}
    Select WSI rules that SOAP messages will adhere to.
    Available only when the data-format {xml | soap} on page 669 is SOAP.
    Default: No default

ws-i-basic-profile-wsdl-assertion {WSI1008 | WSI1116 | WSI1211}
    If you select these three rules, configure WSDL files first.
    Available only when the data-format {xml | soap} on page 669 is SOAP.
    Default: No default

Example

The following example creates an XML protection rule and applies the rule to a new XML protection policy.
config waf xml-validation rule
edit "example_rule_name_1"
set action block-period
set block-period 3000
set severity Medium
set trigger "example_trigger_policy_name"
set host-status enable
set host "example_host_name"
set request-type plain
set request-file "/index.php"
set schema-file "example_schema_file_name"
set xml-limit-check enable
set xml-limit-attr-num 64
set xml-limit-attrname-len 256
set xml-limit-attrvalue-len 1024
set xml-limit-cdata-len 2096
set xml-limit-element-depth 128
set xml-limit-element-name-len 128
set xml-entity-check enable
set expansion-entity-check enable
set external-entity-check enable
next
end
config waf xml-validation policy
edit "example_policy_name"
config input-rule-list
edit "example_rule_1"
set "example_rule_1"
next
end
next
end
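As an added illustration (not FortiWeb code), the following Python script applies limits of the same kinds as the xml-limit-* settings and rejects DTD entity declarations, so you can see on a sample document what a rule like the one above enforces. The limit values copy the example rule; the sample documents are constructed.

```python
import xml.parsers.expat

# Limit names mirror the xml-limit-* CLI settings; the values are the ones the
# example rule above sets. Both are constructed for this illustration.
LIMITS = {
    "xml-limit-attr-num": 64,
    "xml-limit-attrname-len": 256,
    "xml-limit-attrvalue-len": 1024,
    "xml-limit-cdata-len": 2096,
    "xml-limit-element-depth": 128,
    "xml-limit-element-name-len": 128,
}


class XmlLimitViolation(Exception):
    """Raised with the name of the first limit the document exceeds."""


def check_xml_limits(data: bytes, limits=LIMITS, allow_entities=False):
    """Parse `data` with the stdlib expat parser and return a dict of the
    largest value observed for each limit. Raises XmlLimitViolation as soon
    as one limit is exceeded, so an oversized document is never fully parsed.
    Entity declarations (the territory of xml-entity-check and
    external-entity-check) are rejected unless allow_entities is True."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "cdata": 0}
    seen = {name: 0 for name in limits}

    def bump(name, value):
        seen[name] = max(seen[name], value)
        if value > limits[name]:
            raise XmlLimitViolation(f"{name}: {value} exceeds {limits[name]}")

    def start_element(name, attrs):
        state["cdata"] = 0  # a child element ends the parent's text run
        state["depth"] += 1
        bump("xml-limit-element-depth", state["depth"])
        bump("xml-limit-element-name-len", len(name.encode("utf-8")))
        bump("xml-limit-attr-num", len(attrs))
        for attr_name, attr_value in attrs.items():
            bump("xml-limit-attrname-len", len(attr_name.encode("utf-8")))
            bump("xml-limit-attrvalue-len", len(attr_value.encode("utf-8")))

    def end_element(name):
        state["depth"] -= 1
        state["cdata"] = 0

    def character_data(text):
        # expat may split one text run into several callbacks; lengths are
        # accumulated per contiguous run and measured in bytes, like the CLI.
        state["cdata"] += len(text.encode("utf-8"))
        bump("xml-limit-cdata-len", state["cdata"])

    def entity_decl(entity_name, *_):
        if not allow_entities:
            raise XmlLimitViolation(f"entity declaration '{entity_name}' in DTD")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.EntityDeclHandler = entity_decl
    parser.Parse(data, True)
    return seen


def first_violation(data: bytes, limits=LIMITS, allow_entities=False):
    """Return the violation message for `data`, or None if it passes."""
    try:
        check_xml_limits(data, limits, allow_entities)
    except XmlLimitViolation as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample documents: one within limits, two that violate them.
    print(check_xml_limits(b'<order id="7"><item qty="2">widget</item></order>'))
    print(first_violation(b"<a>" * 129 + b"</a>" * 129))  # depth 129 exceeds 128
    print(first_violation(b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'))
```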

Related topics

- waf xml-schema on page 664
- waf xml-wsdl on page 671
- waf web-protection-profile inline-protection on page 636

waf xml-wsdl

Use this command to view XML WSDL files that have already been uploaded to FortiWeb. You can upload XML WSDL files only in the web UI.
WSDL files are XML files that describe how to use SOAP to invoke a web service. To configure FortiWeb to verify the legality of WSDL files and check SOAP messages against the WSDL and the SOAP protocol, create an XML protection rule and select a WSDL file for that rule. You can select only one WSDL file for each XML protection rule, but you can configure FortiWeb to enforce multiple rules in XML protection policies.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions on page 46.

Syntax
config waf xml-wsdl file
edit "<xml_wsdl_file_name>"
end

"<xml_wsdl_file_name>"
    To display a list of existing XML WSDL files, enter:
    edit ?
    Default: No default.

Related topics

- waf xml-validation on page 665

wvs limit

Use this command to configure limits on scanning-related settings, such as the scanning report size, the request interval, and so on.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wvsgrp area. For details, see Permissions on page 46.

Syntax
config wvs limit
set report-path-size <report-path-size_int>
set request-interval <request-interval_int>
set scan-cpu-usage <scan-cpu-usage_int>
set scan-memory-usage <scan-memory-usage_int>
set single-report-size <single-report-size_int>
set verbose-output {enable | disable}
end

report-path-size <report-path-size_int>
    Type the size of the folders that store all scanning reports of all policies (1024~51200 M).
    Default: 10240

request-interval <request-interval_int>
    Type the number of seconds between each request (1~1000 ms).
    Default: 1

scan-cpu-usage <scan-cpu-usage_int>
    Set the CPU limit. When the CPU usage of all scanning processes exceeds a certain percentage of the total CPU, the scanning will be killed (10~80 percent).
    Default: 70

scan-memory-usage <scan-memory-usage_int>
    Set the memory limit. When the memory usage of all scanning processes exceeds a certain percentage of the total memory, the scanning will be killed (10~80 percent).
    Default: 40

single-report-size <single-report-size_int>
    The size of the scanning report file for the first scanning in a single policy (1~5120 M).
    Default: 512

verbose-output {enable | disable}
    Control the output.txt contents. Enable to output detailed debug information, which causes a large output.txt file.
    Default: disable


Example

This example shows how to configure scanning-related limits.
config wvs limit
set report-path-size 10500
set request-interval 3
set scan-cpu-usage 60
set single-report-size 700
set verbose-output disable
end

Related topics

- wvs policy on page 673
- wvs schedule on page 679
- wvs profile on page 675
- wvs template on page 680

wvs policy

Use this command to define a web vulnerability scan policy. The policy enables you to set the frequency of the
vulnerability scan, schedule the scan, and choose a format for the scan report. The policy also enables you to select an
email policy that determines who receives the scan report.
Before you can complete a web vulnerability scan policy, you must first configure a scan profile using the FortiWeb web
UI and a scan schedule using either the web UI or the command wvs schedule on page 679.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wvsgrp area. For details, see Permissions on page 46.

Syntax
config wvs policy
edit "<wvs-policy_name>"
set type {runonce | schedule}
set schedule "<wvs-schedule_name>"
set profile "<wvs-profile_name>"
set email "<email-policy_name>"
set report_format {html pdf xml}
set runtime <count_int>
next
end


"<wvs-policy_name>"
    Enter the name of a new or existing web vulnerability scan policy. The maximum length is 63 characters.
    To display the list of existing policies, enter:
    edit ?
    Default: No default.

type {runonce | schedule}
    Select either:
    - runonce—Run the scan immediately after you complete the policy.
    - schedule—Run the scan on a schedule. Also configure analyzer-policy "<fortianalyzer-policy_name>" on page 94.
    Default: runonce

schedule "<wvs-schedule_name>"
    Enter the name of an existing web vulnerability scan schedule. The maximum length is 63 characters. For details, see wvs schedule on page 679.
    To display the list of existing schedules, enter:
    set schedule ?
    This setting is applicable only if type {runonce | schedule} on page 674 is schedule.
    Default: No default.

profile "<wvs-profile_name>"
    Enter the name of an existing web vulnerability scan profile. The maximum length is 63 characters.
    To display a list of the existing profiles, enter:
    set profile ?
    Default: No default.

email "<email-policy_name>"
    Enter the name of an existing email policy. When the scan completes, the FortiWeb appliance will send email in the specified format to the email addresses in the policy. The maximum length is 63 characters. For details, see log email-policy on page 67.
    To display the list of existing policies, enter:
    set email ?
    Default: No default.

report_format {html pdf xml}
    Select one or more file formats of the report to attach when emailing it.
    Default: html

runtime <count_int>
    Not configurable.
    To reset the value to zero, enter:
    set runtime 0
    Default: No default.

Example

The following example defines a recurring vulnerability scan with email report output in RTF and text format.
config wvs policy
edit "wvs-policy1"
set type schedule
set schedule "wvs-schedule1"
set report_format xml
set profile "wvs-profile1"
set email "EmailPolicy1"
next
end

Related topics

- wvs profile on page 675
- wvs schedule on page 679

wvs profile

Use this command to configure web vulnerability scan profiles.
A web vulnerability scan (WVS) profile defines the web server to scan, as well as the specific vulnerabilities to scan for. The WVS profiles are associated with WVS policies, which determine when to perform the scan and how to publish the results of the scan defined by the profile.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wvsgrp area. For details, see Permissions on page 46.

Syntax
config wvs profile
edit "<wvs_profile_name>"
set scan-target <scan-target_str>
set scan-template <scan-template_id>
set request-timeout <request-timeout_int>
set ignore-session-cookies {enable | disable}
set user-agent-type {custom | random}
set custom-user-agent <custom-user-agent_str>
set custom-header0 <custom-header0_str>
set custom-header1 <custom-header1_str>
set custom-header2 <custom-header2_str>
set custom-header3 <custom-header3_str>
set custom-header4 <custom-header4_str>
set custom-header5 <custom-header5_str>
set custom-header6 <custom-header6_str>
set custom-header7 <custom-header7_str>
set custom-header8 <custom-header8_str>
set custom-header9 <custom-header9_str>
set sub-path-limit <sub-path-limit_int>
set max-scan-time <max-scan-time_int>
set max-crawl-time <max-crawl-time_int>
set max-params-limit <max-params-limit_int>
set max-file-size <max-file-size_int>
set max-HTTP-retries <max-HTTP-retries_int>
set specify-urls-for-scanning {enable | disable}
set follow-regex <follow-regex_int>
set ignore-regex <ignore-regex_int>
set HTTP-basic-authentication {enable | disable}
set basic-username <basic-username_str>
set basic-password <basic-password_str>
set form-based-authentication {enable | disable}
set form-based-username <form-based-username_str>
set form-based-password <form-based-password_str>
set form-based-auth-url <form-based-auth-url_str>
set username-field <username-field_str>
set password-field <password-field_str>
set cookie-jar-file <cookie-jar-file_str>
set session-check-url <session-check-url_str>
set session-check-str <session-check-url_str>
set data-format <data-format_str>
next
end

"<wvs_profile_name>"
    Type a unique name for the profile. The maximum length is 63 characters.
    Default: No default.

scan-target <scan-target_str>
    Enter the URL that you want to scan, such as www.mytestwvs.com.
    Default: No default.

scan-template <scan-template_id>
    Select an existing scan template that you want to use in the profile.
    Default: No default.

request-timeout <request-timeout_int>
    Type the number of seconds for the vulnerability scanner to wait for a response from the website before it assumes that the request will not successfully complete, and continues with the next request in the scan. It will not retry timed-out requests.
    Default: 0

ignore-session-cookies {enable | disable}
    If enabled, the scanner will ignore all session cookies sent by the target web application.
    Default: disable

user-agent-type {custom | random}
    custom: When there is no user-agent in custom headers, the actual user-agent sent is FortiWeb WVS; when a user-agent is set in custom headers, the actual user-agent sent is the value set in custom-user-agent <custom-user-agent_str> on page 676.
    random: When the user-agent-type is random and there is no user-agent in custom headers, the actual user-agent sent is random; when a user-agent is set in custom headers, the actual user-agent sent is random.
    Default: custom

custom-user-agent <custom-user-agent_str>
    Enter the custom user-agent value.
    Default: No default.

custom-header0 <custom-header0_str>
    You can define the host, user agent, and other common headers in the request.
    Default: No default.

custom-header1 <custom-header1_str>
    You can define the host, user agent, and other common headers in the request.
    Default: No default.

custom-header2 <custom-header2_str>
    You can define the host, user agent, and other common headers in the request.
    Default: No default.

custom-header3 <custom-header3_str>
    You can define the host, user agent, and other common headers in the request.
    Default: No default.

custom-header4 <custom-header4_str>
    You can define the host, user agent, and other common headers in the request.
    Default: No default.

custom-header5 <custom-header5_str>
    You can define the host, user agent, and other common headers in the request.
    Default: No default.

custom-header6 <custom-header6_str>
    You can define the host, user agent, and other common headers in the request.
    Default: No default.

custom-header7 <custom-header7_str>
    You can define the host, user agent, and other common headers in the request.
    Default: No default.

custom-header8 <custom-header8_str>
    You can define the host, user agent, and other common headers in the request.
    Default: No default.

custom-header9 <custom-header9_str>
    You can define the host, user agent, and other common headers in the request.
    Default: No default.

sub-path-limit <sub-path-limit_int>
    Enter the maximum number of requests for the sub path of each URL.
    Default: 75

max-scan-time <max-scan-time_int>
    Enter the maximum scanning time.
    Default: 120

max-crawl-time <max-crawl-time_int>
    Enter the maximum crawling time (minutes).
    Default: 60

max-params-limit <max-params-limit_int>
    Enter the maximum number of requests for each URL and parameter set.
    Default: 25

max-file-size <max-file-size_int>
    Indicate the maximum file size (in bytes) that the scanner will retrieve from the remote server.
    Default: 400,000

max-HTTP-retries <max-HTTP-retries_int>
    Indicate the maximum number of retries when requesting a URL. The valid value range is 1–10.
    Default: 2

specify-urls-for-scanning {enable | disable}
    Enable to specify the URL to be scanned.
    Default: disable

follow-regex <follow-regex_int>
    follow-regex is .*. When crawling, do not follow links that match this regular expression.
    Default: No default.

ignore-regex <ignore-regex_int>
    An empty string (nothing to be ignored). When crawling, only follow links that match this regular expression. ignore-regex has precedence over follow-regex.
    Default: No default.

HTTP-basic-authentication {enable | disable}
    Enable HTTP basic authentication.
    Default: disable

basic-username <basic-username_str>
    Enter the username of the web application.
    Default: No default.

basic-password <basic-password_str>
    Enter the password for the username.
    Default: No default.

form-based-authentication {enable | disable}
    Enable form-based authentication.
    Default: disable

form-based-username <form-based-username_str>
    The username parameter name, for example, "uname" if the HTML looks like <input type="text" name="uname">...
    Default: No default.

form-based-password <form-based-password_str>
    The password parameter name, for example, "pwd" if the HTML looks like <input type="password" name="pwd">...
    Default: No default.

form-based-auth-url <form-based-auth-url_str>
    Enter the target URL for security auditing. The URL must include the HTTP or HTTPS scheme.
    Default: No default.

username-field <username-field_str>
    Enter the username to use in the authentication process.
    Default: No default.

password-field <password-field_str>
    Enter the password for the username.
    Default: No default.

cookie-jar-file <cookie-jar-file_str>
    Designate a cookie jar file. The cookie jar file must be in Mozilla format.
    Default: No default.

session-check-url <session-check-url_str>
    Enter the URL where the packets are sent to.
    Default: No default.

session-check-str <session-check-url_str>
    Enter the string to look for in the response message. If the string is found, the authentication succeeds; otherwise, the authentication will be re-launched.
    Default: No default.

data-format <data-format_str>
    Add extra parameters here for authentication as required by some websites, for example, %u=%U&%p=%P&security_level- 0&form-submit.
    The default value %u=%U&%p=%P includes the values for Username Field and Password Field.
    Default: No default.

Related topics

- wvs policy on page 673
- wvs schedule on page 679
- wvs template on page 680


wvs schedule

Use this command to schedule a web vulnerability scan.
Vulnerability scanning can detect known vulnerabilities on your web servers and web applications, helping you to design protection profiles. Vulnerability scans start from an initial directory, then scan for vulnerabilities in web pages located in the same directory or subdirectory as the initial URL.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wvsgrp area. For details, see Permissions on page 46.

Syntax
config wvs schedule
edit "<schedule_name>"
set type {recurring | onetime}
set date "<time_str>" "<date_str>"
set time "<time_str>"
set wday {Sunday Monday Tuesday Wednesday Thursday Friday Saturday}
next
end

"<schedule_name>"
    Enter the name of a new or existing WVS schedule. The maximum length is 63 characters.
    To display the list of existing schedules, enter:
    edit ?
    Default: No default.

type {recurring | onetime}
    Select either:
    - onetime—Run the scan only when an administrator manually initiates it. Also configure date "<time_str>" "<date_str>" on page 679.
    - recurring—Run the scan periodically, on a schedule. Also configure time "<time_str>" on page 680 and wday {Sunday Monday Tuesday Wednesday Thursday Friday Saturday} on page 680.
    Default: onetime

date "<time_str>" "<date_str>"
    For a one-time web vulnerability scan, enter the time and date for the scan to run.
    The time format is hh:mm and the date format is yyyy/mm/dd, where:
    - hh is the hour according to a 24-hour clock
    - mm is the minute
    - yyyy is the year
    - mm is the month
    - dd is the day
    The yyyy range is 2001–2050.
    This only applies if type {recurring | onetime} on page 679 is onetime.
    Default: No default.

time "<time_str>"
    Enter the time the vulnerability scan is to be performed.
    The time format is hh:mm, where:
    - hh is the hour according to a 24-hour clock
    - mm is the minute
    This only applies if type {recurring | onetime} on page 679 is recurring.
    Default: No default.

wday {Sunday Monday Tuesday Wednesday Thursday Friday Saturday}
    For a recurring scan only, enter one or more days of the week the scan is to be performed.
    This setting only applies if type {recurring | onetime} on page 679 is recurring.
    Default: No default.

Example

The following example schedules a recurring vulnerability scan to run every Sunday and Thursday at 1:00 AM.
config wvs schedule
edit "WVS-schedule1"
set type recurring
set time 01:00
set wday Sunday Thursday
next
end

Related topics

- wvs profile on page 675
- wvs policy on page 673

wvs template

Use this command to pre-define the scan profile.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
wvsgrp area. For details, see Permissions on page 46.

Syntax
config wvs template
edit "<wvs_template_name>"
set audit {BLIND_SQLI | BUFFER_OVERFLOW | CORS_ORIGIN...}
set bruteforce {BASIC_AUTH | FORM_AUTH}
set crawl {ARCHIVE_DOT_ORG | BING_SPIDER | CONTENT_NEGOTIATION...}
set grep {ANALYZE_COOKIES | BLANK_BODY | CACHE_CONTROL...}
set infrastructure {AFD | ALLOWED_METHODS | DETECT_REVERSE_PROXY...}
next
end

"<wvs_template_name>"
    Enter a name for the scan template.
    Default: No default.

audit {BLIND_SQLI | BUFFER_OVERFLOW | CORS_ORIGIN...}
bruteforce {BASIC_AUTH | FORM_AUTH}
crawl {ARCHIVE_DOT_ORG | BING_SPIDER | CONTENT_NEGOTIATION...}
grep {ANALYZE_COOKIES | BLANK_BODY | CACHE_CONTROL...}
infrastructure {AFD | ALLOWED_METHODS | DETECT_REVERSE_PROXY...}
    Configure the plugins for a scan template.
    Default: No default.

Example

This example shows how to configure a WVS template.
config wvs template
edit template1
set audit BLIND_SQLI
set bruteforce BASIC_AUTH
set crawl CONTENT_NEGOTIATION
set infrastructure AFD
set grep CACHE_CONTROL
next
end

Related topics

- wvs policy on page 673
- wvs schedule on page 679
- wvs profile on page 675


diagnose

The diagnose commands display diagnostic information that help you troubleshoot problems. These commands do not
have an equivalent in the web UI.

debug

Use this command to turn debug log output on or off.
Debug logging can be very resource intensive. To minimize the performance impact on your FortiWeb appliance, use packet capture only during periods of minimal traffic, with a local console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.
By default, the most verbose logging that is available from the web UI for any log type is the Information severity level. Because they are usually unnecessary, logs at the severity level of Debug are disabled and hidden. They can only be enabled and viewed from the CLI. Typically this is done only if your configuration seems to be correct, you cannot diagnose the problem without more information, and you suspect that you may have found either a hardware failure or a software bug.
To generate debug logs, you must:
1. Set the verbosity level for the specific module whose debugging information you want to view, via a debug log command such as:
   debug application hasync [{-1 | 0 | 1 | 2 | 4 | 8}]
2. If necessary, configure any filters specific to the module whose debugging information you are viewing, such as:
   debug flow filter server-ip "10.0.0.10"
3. If necessary, start debugging specific to the module, such as:
   debug flow trace start
4. Enable debug logs overall. To do this, enter:
   debug enable
5. View the debug logs. For convenience, debug logs are immediately output to your local console display or terminal emulator, but debug log files can also be uploaded to a server. To do this, use the command:
   debug upload
For more complex issues or bugs, this may be required in order to send debug information to Fortinet Customer Service & Support (HTTPs://support.fortinet.com).


Debug logs will be generated only if the application is running. To verify this, use system top on page 745. Otherwise, use debug crashlog on page 689 instead.

The CLI will display debug logs as they occur until you either:
- Disable it, by typing:
  diagnose debug disable
  or by setting all modules’ debug log verbosity back to 0. To reset all verbosity levels simultaneously, you can use the command:
  diagnose debug reset
- Close your terminal emulator, thereby ending your administrative session.
- Send a termination signal to the console by pressing Ctrl+C.
- Reboot the appliance. To do this, you can use the command:
  execute reboot
To use this command, your administrator account’s access control profile requires only r permission in any profile area.

Syntax
diagnose debug {enable | disable}

debug {enable | disable}
    Select whether to enable or disable recording of logs at the debug severity level.
    Default: disable

Related topics

- debug application
- log

debug application

Use this command to view and set the verbosity level of debug logs for each module.
Before you can see any debug logs, you must first enable debug log output using the command debug.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.


Syntax
diagnose debug application <module_name> <verbosity-level_int>

<module_name>
    The name of the module that you want to set the debug log verbosity level for.
    Enter diagnose debug application ? to display all the available module names if you don't know the exact name of the module.
    Default: no default

<verbosity-level_int>
    Specify the verbosity level to output to the CLI display after the command executes.
    The valid range is 0–7, where 0 disables debug logs for the module and 7 generates the most verbose logging.
    If you omit the number, the CLI displays the current verbosity level. For example:
    autosync debug level is 0
    Default: 0

Related topics

- debug on page 682
- debug console timestamp on page 687
- debug info on page 698
- debug reset on page 701
- debug upload on page 703

debug asan

Use this command to collect memory violation events.
To use this command, your administrator account’s access control profile requires r permission to the mntgrp area. For
details, see Permissions on page 46.

Syntax
diagnose debug asan <program> {enable | disable}

<program>
    Enter the name of the program for which you want to collect memory violation events.
    You can run diagnose debug asan show to check all the programs that support ASAN and their corresponding enable/disable state.
    Default: no default

{enable | disable}
    enable
    When enabled, the system will perform the following actions (using proxyd as an example):
    1. Back up "/bin/proxyd" to "/bin/proxyd.bak"
    2. Create a symbolic link between "/bin/proxyd" and "/var/log/debug/symbol/asan/bin/proxyd"
    3. Kill proxyd
    This causes the proxyd daemon to respawn with the ASAN version. Leave the system in this state and let the ASAN version of the proxyd daemon run and collect memory violation events.
    Note that the changes above are not persistent across reboot. If the system is reloaded, the normal version of the daemon will be running.
    disable
    Once the data is collected, use disable to revert to the normal daemon. The system will perform the following actions (using proxyd as an example):
    1. Rename "/bin/proxyd.bak" to "/bin/proxyd"
    2. Kill proxyd
    This causes the daemon to respawn with the original executable.
    Note that respawning will cause traffic interruption.
    Default: disable

debug cli

Use this command to set the debug level for the command line interface (CLI).
Before you will be able to see any debug logs, you must first enable debug log output using the command debug on page
682.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug cli <cli_int>


cli <cli_int>
    Specify the verbosity level to output to the CLI display after the command executes.
    The valid range is 0–7, where 0 disables debug logs for the CLI and 7 generates the most verbose logging.
    If you omit the number, the CLI displays the current verbosity level. For example:
    cli debug level is 0
    Default: 3

Related topics

- debug on page 682
- debug console timestamp on page 687
- debug info on page 698
- debug reset on page 701
- debug upload on page 703

debug cmdb

Use this command to enable the debug log for the configuration management database (CMDB).
Before you will be able to see any debug logs, you must first enable debug log output using the command debug on page
682.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug cmdb <cmdb_int>

cmdb <cmdb_int>
    Specify the verbosity level to output to the CLI display after the command executes.
    The valid range is 0–7, where 0 disables SNMP debugging and 7 generates the most verbose logging.
    If you omit the number, the CLI displays the current verbosity level:
    cmdb debug level is 0
    Default: 0


Related topics

- debug on page 682
- debug console timestamp on page 687
- debug info on page 698
- debug reset on page 701
- debug upload on page 703

debug comlog

Use this command for COMlog-related operations.
To use this command, your administrator account’s access control profile requires only r permission in any profile area. For details, see Permissions on page 46.

Syntax
diagnose debug comlog {info|read|clear|disable|enable}

{info|read|clear|disable|enable}
    enable: Enable to record COMlog.
    disable: Disable the recording of the COMlog.
    info: View the COMlog status including status (enable or disable), log space, and log size.
    read: Record the console log to /var/log/gui_upload/console.log. You can download the console.log from System > Maintenance > Backup&Restore > GUI File Download.
    dump: Print the console log to the command line interface (CLI).
    clear: Dump the console log.
    Default: Enable

It can also be enabled or disabled with this command:
config system global
set console-log {disable|enable}
end

debug console timestamp

Use this command to enable or disable the timestamp in debug logs.
Before you will be able to see any debug logs, you must first enable debug log output using the command debug on page
682.


To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug console timestamp {enable | disable}

timestamp {enable | disable}
    Enable to add timestamps to debug output.
    If you omit the selection, the CLI displays the current timestamp status:
    console timestamp is disabled.
    Default: disable

Related topics

- debug reset on page 701
- debug info on page 698

debug coredumplog

Use this command to record the stack information in the core file of the proxyd program.
Before you will be able to see any debug logs, you must first enable debug log output using the command enable-debug-
log {enable | disable} on page 338.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug coredumplog show
diagnose debug coredumplog clear

Related Topic

l debug on page 682


debug crashlog

Use this command to show crash logs from application proxies that have call back traces, segmentation faults, or
memory register dumps, or to delete the crash log.
Before you will be able to see any debug logs, you must first enable debug log output using the command enable-debug-log {enable | disable} on page 338.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug crashlog show
diagnose debug crashlog clear

Example
diagnose debug crashlog show

Output similar to the following appears in the CLI:


2011-02-08 06:20:46 <18632> firmware FortiWeb-1000B 4.20,build0403,110131
2011-02-08 06:20:46 <18632> application proxy
2011-02-08 06:20:46 <18632> *** signal 11 (Segmentation fault) received ***
2011-02-08 06:20:46 <18632> Register dump:
2011-02-08 06:20:46 <18632> RAX: 00000000 RBX: 00000001 RCX: 00000001 RDX: 00000001
2011-02-08 06:20:46 <18632> RSI: 008d91a4 RDI: 00000000 RBP: 2b8f90ee2b10 RSP: 0072af60
2011-02-08 06:20:46 <18632> RIP: 008d8660 EFLAGS: 2b8f9aaa0010
2011-02-08 06:20:46 <18632> CS: 86b0 FS: 0000 GS: 008d
2011-02-08 06:20:46 <18632> Trap: 7fff26859ee0 Error: 008d8710 OldMask: 00440f90
2011-02-08 06:20:46 <18632> CR2: 00010202
2011-02-08 06:20:46 <18632> Backtrace:
2011-02-08 06:20:46 <18632> [0x008d8660] => /bin/xmlproxy (g_proxy+0x00000000)
2011-02-08 06:20:46 proxy received SEGV signal - 11

debug daemonlog

Use this command to process call information on specific interface records.


Before you will be able to see any debug logs, you must first enable debug log output using the command enable-debug-log {enable | disable} on page 338.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.


Syntax
diagnose debug daemonlog show
diagnose debug daemonlog clear

Related Topic

l debug on page 682

debug dnsproxy list

Use this command to display the DNS cache that stores the results of resolving all fully qualified domain names in the
server pools. The update time and update interval information will also be listed in the output.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug dnsproxy list

Example

If the domain specified for the server pool member is www.example.org and has resolved to 123.126.104.68,
output similar to the following is displayed:
diagnose debug dnsproxy list
Domain Name: www.example.org
IPv4 Last Update:2019-08-12 01:23:58
IPv4 Update Interval (TTL):109 seconds
Domain IPv4 Addresses:123.126.104.68
IPv6 Last Update:2019-08-12 01:23:30
IPv6 Update Interval(TTL):119 seconds
Domain IPv6 Addresses:2408:80f0:4100:4007::4 2408:80f0:4100:4007::5

Related topics

l system dns on page 256

debug emerglog

Use this command to view or erase disk read-only error logs.


Before you will be able to see any debug logs, you must first enable debug log output using the command debug on page 682.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug emerglog {show | clear}

Variable: {show | clear}
Description: Enter show to view disk read-only error logs. Enter clear to delete the error logs.
Default: No default

debug flow filter

Use these commands to generate only packet flow debug logs that match your filter criteria, such as a specific
destination IP address. You can also use these commands to delete the packet flow debug log filter, so that all packet
flow debug logs are generated.
Before you will be able to see any debug logs, you must first enable debug log output using the command debug on page 682.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug flow filter reset
diagnose debug flow filter client-ip <source_ipv4 | source_ipv6>
diagnose debug flow filter server-ip <destination_ipv4 | destination_ipv6>

Variable: client-ip <source_ipv4 | source_ipv6>
Description: Enter the source (SRC) IP address of connections. This will generate only packet flow debug log messages involving that source IP address.
Note: This filter operates at the IP layer, not the HTTP layer. If a load balancer or other web proxy is deployed in front of FortiWeb, and therefore all connections for HTTP requests appear to originate from this IP address, configuring this filter will have no effect. Similarly, if multiple clients share an Internet connection via NAT or explicit web proxy, configuring this filter will only isolate connections that share this IP address. It will not be able to filter out a single client based on individual HTTP sessions from that IP.
Default: No default.

Variable: server-ip <destination_ipv4 | destination_ipv6>
Description: Enter the destination (DST) IP address of the connection, either the:
l Virtual server on FortiWeb (if FortiWeb is operating in Reverse Proxy mode)
l Protected web server on the back end (all other operation modes)
This will generate only packet flow debug log messages involving that server IP address.
Default: No default.

Related topics

l debug flow trace on page 694

debug flow filter module-detail

Use this command to include or exclude debug logs from each FortiWeb feature module as the packet is processed
when generating packet flow debug logs. This can be useful if you suspect that a module is encountering errors, or need
to know which module is dropping the packet.
You can also specify a source or destination IP address to include or exclude debug logs from one FortiWeb module
involving the IP address.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug flow filter module-detail status {on | off}
diagnose debug flow filter module-detail module {all | x-forworded-for | ip-list | ip-
reputation | quarant-ip | known-engine | geo-block | ...| url-rewriting}

diagnose debug flow filter module-detail client-ip <source_ipv4 | source_ipv6>


client-ip <source_ipv4 | source_ipv6>
diagnose debug flow filter module-detail server-ip <destination_ipv4 | destination_ipv6>

Variable: status {on | off}
Description: Select whether to include (on) or exclude (off) details from each module that processes the packet.
Default: off

Variable: module {all | x-forworded-for | ip-list | ip-reputation | quarant-ip | known-engine | geo-block | ...| url-rewriting}
Description: Select the name of each module to trace (separate multiple names with spaces), or select all for all modules. Available only when status {on | off} is on.
Default: No default.

Variable: client-ip <source_ipv4 | source_ipv6>
Description: Enter the source (SRC) IP address of connections. This will generate only packet flow debug log messages involving that source IP address.
Note: This filter operates at the IP layer, not the HTTP layer. If a load balancer or other web proxy is deployed in front of FortiWeb, and therefore all connections for HTTP requests appear to originate from this IP address, configuring this filter will have no effect. Similarly, if multiple clients share an Internet connection via NAT or explicit web proxy, configuring this filter will only isolate connections that share this IP address. It will not be able to filter out a single client based on individual HTTP sessions from that IP.
Default: No default.

Variable: server-ip <destination_ipv4 | destination_ipv6>
Description: Enter the destination (DST) IP address of the connection, either the:
l Virtual server on FortiWeb (if FortiWeb is operating in Reverse Proxy mode)
l Protected web server on the back end (all other operation modes)
This will generate only packet flow debug log messages involving that server IP address.
Default: No default.

Related topics

l debug flow trace on page 694
l debug flow reset on page 693
l debug flow filter on page 691

debug flow reset

Use this command to reset the configuration of packet flow debug log messages.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug flow reset


Related topics

l debug flow filter on page 691
l debug flow filter module-detail on page 692

debug flow trace

Use this command to trace the flow of packets through the FortiWeb appliance’s processing modules and network stack.
Before you will be able to see any debug logs, you must first enable debug log output using the command debug on page 682.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug flow trace {start | stop}

Variable: trace {start | stop}
Description: Select whether to enable (start) or disable (stop) the recording of packet flow trace debug log messages.
Default: No default.

Example

This example configures a filter based on the packet destination IP 192.0.2.48, enables messages from each packet
processing module, enables packet flow traces, then finally begins generating the debug logs that are enabled for output
(in this case, only packet trace debug logs).
Because the filters are configured before debug logging is enabled, the administrator can type the filter without being
interrupted by debug log output to the CLI.
diagnose debug flow filter server-ip 192.0.2.48
diagnose debug flow filter module-detail status on
diagnose debug flow trace start
diagnose debug enable

Output:
FortiWeb # session_id=251 packet_id=0 policy_name=policy1 msg="Receive packet from client
172.20.120.225:49428"
session_id=251 packet_id=0 msg="HTTP parsing client packet success"
session_id=251 packet_id=0 policy_name="policy1" msg="
Module name:WAF_IP_LIST_CHECK, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_X_FORWARD_FOR_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_GEO_BLOCK_LIST, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_PROTECTED_SERVER_CHECK, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_ALLOW_METHOD_PROCESS, Execution:3, Process error:0, Action:ACCEPT


Module name:WAF_HTTP_ACTIVE_SCRIPT, Execution:3, Process error:0, Action:ACCEPT


Module name:WAF_HTTP_SESSION_MANAGEMENT, Execution:4, Process error:1, Action:ACCEPT
Module name:WAF_HTTP_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_LAYER4_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_AUTHENTICATION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_GLOBAL_ALLOW_LIST, Execution:4, Process error:0, Action:ACCEPT
Module name:WAF_URL_ACCESS_POLICY, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_BRUCE_FORCE_LOGIN, Execution:3, Process error:0, Action:ACCEPT
Module name:HTTP_CONSTRAINTS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_COOKIE_POISON, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_FILE_UPLOAD_RESTRICTION_POLICY, Execution:3, Process error:0, Action:ACCEPT
Module name:ROBOT_CONTROL_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_PARAMETWER_VALIDATION_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_CHUNK_DECODE, Execution:3, Process error:2, Action:ACCEPT
Module name:WAF_FILE_UNCOMPRESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_SIG_DETECT_PROCESS, Execution:4, Process error:1, Action:ACCEPT
Module name:WAF_HIDDEN_FIELD_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_URL_REWRITING, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_FILE_COMPRESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_CERTIFICATE_FORWARD, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_AUTOLEARN, Execution:4, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_STATISTIC, Execution:3, Process error:0, Action:ACCEPT
"
session_id=502 packet_id=0 policy_name=policy1 msg="Receive packet from client
172.20.120.225:49429"
session_id=502 packet_id=0 msg="HTTP parsing client packet success"
session_id=502 packet_id=0 policy_name="policy1" msg="
Module name:WAF_IP_LIST_CHECK, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_X_FORWARD_FOR_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_GEO_BLOCK_LIST, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_PROTECTED_SERVER_CHECK, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_ALLOW_METHOD_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_ACTIVE_SCRIPT, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_SESSION_MANAGEMENT, Execution:4, Process error:1, Action:ACCEPT
Module name:WAF_HTTP_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_LAYER4_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_AUTHENTICATION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_GLOBAL_ALLOW_LIST, Execution:4, Process error:1, Action:ACCEPT
Module name:WAF_URL_ACCESS_POLICY, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_BRUCE_FORCE_LOGIN, Execution:1, Process error:0, Action:ACCEPT
Module name:HTTP_CONSTRAINTS, Execution:1, Process error:0, Action:ACCEPT
Module name:WAF_COOKIE_POISON, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_FILE_UPLOAD_RESTRICTION_POLICY, Execution:3, Process error:0, Action:ACCEPT
Module name:ROBOT_CONTROL_PROCESS, Execution:1, Process error:0, Action:ACCEPT
Module name:WAF_PARAMETWER_VALIDATION_PROCESS, Execution:1, Process error:0, Action:ACCEPT
Module name:WAF_CHUNK_DECODE, Execution:3, Process error:2, Action:ACCEPT
Module name:WAF_FILE_UNCOMPRESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_SIG_DETECT_PROCESS, Execution:1, Process error:0, Action:ACCEPT
Module name:WAF_HIDDEN_FIELD_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_URL_REWRITING, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_FILE_COMPRESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_CERTIFICATE_FORWARD, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_AUTOLEARN, Execution:4, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_STATISTIC, Execution:3, Process error:0, Action:ACCEPT
"
session_id=0 packet_id=0 policy_name=policy1 msg="Receive packet from client
192.0.2.48:47368"


session_id=1 packet_id=0 policy_name=policy1 msg="Receive packet from client
192.0.2.48:59682"
session_id=252 packet_id=0 policy_name=policy1 msg="Receive packet from client
192.0.2.48:47376"
session_id=503 packet_id=0 policy_name=policy1 msg="Receive packet from client
192.0.2.48:59687"
session_id=754 packet_id=0 policy_name=policy1 msg="Receive packet from client
192.0.2.48:47382"
session_id=2 packet_id=0 policy_name=policy1 msg="Receive packet from client
192.0.2.48:47385"
session_id=253 packet_id=0 policy_name=policy1 msg="Receive packet from client
192.0.2.48:47387"
diag debug disable

FortiWeb #

Session lines contain the name of the matching server policy (policy_name), the packet identifier (packet_id), and the TCP session ID (session_id), as well as a log message (msg) indicating one or more of the following:
l The source IP address and port number of the packet (e.g. Receive packet from client 192.0.2.225:49428)
l The success or failure of FortiWeb’s HTTP parser’s attempt to analyze the HTTP headers and payload of the packet into pieces that can be scanned or modified by modules (e.g. HTTP parsing client packet success or Packet dropped by detection module,and module number=11)

If the debug logs indicate that the HTTP protocol parser may be encountering an
error condition, you can temporarily disable it and allow packets to bypass it to verify
if this is the case. For details, see noparse {enable | disable} on page 152.

If enabled, module lines contain messages from each FortiWeb feature module as it processes the packet (e.g. Module
name:WAF_PROTECTED_SERVER_CHECK for the feature that tests for an allowed Host: name in the request). The
module logs are displayed in their order of execution; for details, see the FortiWeb Administration Guide:
HTTPs://docs.fortinet.com/fortiweb/admin-guides
These messages indicate:
l Whether or not the module executed, and if not, the reason (e.g. Execution:1)
l Processing errors, if any (e.g. Process error:0)
l Whether a module has allowed or blocked the packet (e.g. Action:ACCEPT or Action:FOLLOWUP_ACCEP)
For non-execution reasons, possible status codes are:
l Execution:1—The module is disabled, and therefore is being skipped.
l Execution:2—The module is not supported in the current deployment mode, and therefore is being skipped.
l Execution:3—The client IP address is allowlisted, and therefore the module is being skipped.
l Execution:4—URL access policy has caused the module to be skipped.
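The module lines above are easy to eyeball for one session but tedious across a busy trace. The following script, an added example rather than Fortinet's own code, parses the session and module line formats shown in this section (including msg text that the console wrapped onto a following line), groups them by session_id, maps the documented Execution codes 1 to 4 to their skip reasons, and lists the things a troubleshooter looks at first: dropped packets, non-zero Process error values, and any Action other than ACCEPT. It assumes the line shapes shown here; treating any Execution value outside 1 to 4 as "executed" is an assumption, since the reference documents only the skip codes. The sample trace is constructed from the output above and shortened.

```python
# Added example (not Fortinet's code): parse `diagnose debug flow trace` output
# into per-session records and flag what a troubleshooter would look at first.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Non-execution reasons documented for diagnose debug flow trace. Any other
# Execution value is treated here as "executed" (assumption: the reference
# documents only the skip codes).
SKIP_REASON = {
    1: "module is disabled",
    2: "module not supported in the current deployment mode",
    3: "client IP address is allowlisted",
    4: "skipped by URL access policy",
}
SESSION_RE = re.compile(r'session_id=(\d+)\s+packet_id=(\d+)(?:\s+policy_name="?([^"\s]+)"?)?\s+msg="(.*)')
MODULE_RE = re.compile(r'Module name:(\S+), Execution:(\d+), Process error:(\d+), Action:(\S+)')
CLIENT_RE = re.compile(r'Receive packet from client\s+(\S+):(\d+)')


@dataclass
class ModuleResult:
    name: str
    execution: int
    process_error: int
    action: str


@dataclass
class SessionTrace:
    session_id: int
    policy_name: Optional[str] = None
    client_ip: Optional[str] = None
    client_port: Optional[int] = None
    messages: List[str] = field(default_factory=list)
    modules: List[ModuleResult] = field(default_factory=list)


def _unwrap(lines: List[str]) -> List[str]:
    """Drop the prompt and typed commands; re-join msg text wrapped onto a new line."""
    joined: List[str] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("FortiWeb #"):
            line = line[len("FortiWeb #"):].strip()
        if not line or line.startswith(("diag ", "diagnose ")):
            continue
        if line.startswith(("session_id=", "Module name:")) or line == '"':
            joined.append(line)
        elif joined:  # continuation of the previous line's msg text
            joined[-1] += " " + line
    return joined


def parse_flow_trace(text: str) -> Dict[int, SessionTrace]:
    """Group session lines and the module lines that follow them by session_id."""
    traces: Dict[int, SessionTrace] = {}
    current: Optional[SessionTrace] = None
    for line in _unwrap(text.splitlines()):
        s = SESSION_RE.match(line)
        if s:
            sid = int(s.group(1))
            current = traces.setdefault(sid, SessionTrace(session_id=sid))
            if s.group(3):
                current.policy_name = s.group(3)
            msg = s.group(4).rstrip('"').strip()
            if msg:
                current.messages.append(msg)
                c = CLIENT_RE.search(msg)
                if c:
                    current.client_ip, current.client_port = c.group(1), int(c.group(2))
            continue
        m = MODULE_RE.match(line)
        if m and current is not None:
            current.modules.append(ModuleResult(m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
    return traces


def findings(traces: Dict[int, SessionTrace]) -> List[str]:
    """Dropped packets, non-zero process errors and non-ACCEPT actions, per session."""
    out: List[str] = []
    for t in sorted(traces.values(), key=lambda s: s.session_id):
        out += [f"session {t.session_id}: {m}" for m in t.messages if "dropped" in m.lower()]
        for mod in t.modules:
            if mod.process_error:
                out.append(f"session {t.session_id}: {mod.name} reported process error {mod.process_error}")
            if mod.action != "ACCEPT":
                out.append(f"session {t.session_id}: {mod.name} returned action {mod.action}")
    return out


def module_summary(trace: SessionTrace) -> List[str]:
    """One line per module: executed, or the documented reason it was skipped."""
    return [f"{m.name}: skipped ({SKIP_REASON[m.execution]})" if m.execution in SKIP_REASON
            else f"{m.name}: executed, action {m.action}" for m in trace.modules]


# Constructed sample, shortened from the output shown above. The Execution:0
# line and the dropped-packet message are constructed for illustration.
SAMPLE = '''FortiWeb # session_id=251 packet_id=0 policy_name=policy1 msg="Receive packet from client
172.20.120.225:49428"
session_id=251 packet_id=0 msg="HTTP parsing client packet success"
session_id=251 packet_id=0 policy_name="policy1" msg="
Module name:WAF_IP_LIST_CHECK, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_SESSION_MANAGEMENT, Execution:4, Process error:1, Action:ACCEPT
Module name:WAF_CHUNK_DECODE, Execution:3, Process error:2, Action:ACCEPT
Module name:WAF_SIG_DETECT_PROCESS, Execution:0, Process error:0, Action:ACCEPT
"
session_id=502 packet_id=0 policy_name=policy1 msg="Receive packet from client
172.20.120.225:49429"
session_id=502 packet_id=0 msg="Packet dropped by detection module,and module number=11"
diag debug disable
'''

if __name__ == "__main__":
    parsed = parse_flow_trace(SAMPLE)
    print("\n".join(findings(parsed) + module_summary(parsed[251])))
```

Paste the captured CLI output into SAMPLE (or read it from a file) and the findings list shows, per session, which module reported an error or a non-ACCEPT action, while module_summary gives the execution order with the skip reason next to each module that did not run, which is the quickest way to confirm whether a module you expect to inspect the request actually saw it.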

Related topics

l server-policy policy on page 140
l server-policy server-pool on page 168
l server-policy custom-application application-policy on page 1
l waf url-access url-access-rule on page 610
l policy on page 728
l debug flow filter on page 691
l debug flow filter module-detail on page 692
l debug on page 682

debug ha

Use this command to debug HA-related issues.

Syntax
diagnose debug ha
l all {enable | disable}
Enable to track all debugs.
l arp {enable | disable}
Enable to track HA ARP.
l basic {enable | disable}
Enable to debug basic issues. The output includes configuration, upgrade, file, and message debugs.
l cloud {enable | disable}
Enable to debug for public cloud platform HA AP switching.
l configuration {enable | disable}
Enable to track HA configuration synchronization.
l errors {enable | disable}
Enable to track HA errors during synchronization.
l file {enable | disable}
Enable to track any file in HA synchronization.
l heartbeat {enable | disable}
Enable to track HA heartbeat packets.
l list
List all debug settings.
l message {enable | disable}
Enable to track HA sync messages, such as GEODB/Licenses.
l state {enable | disable}
Enable to track HA state changes and monitor ports state changes.
l udp-tunnel {enable | disable}
Enable to track HA unicast.
l upgrade {enable | disable}
Enable to track firmware upgrade.
l write-to-debugfile {enable | disable}
Enable to write HA console debug output to file.


debug info

Use this command to display a list of debug log settings.


To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug info

Example
diagnose debug application ssl 8
diagnose debug application dssl 8
diagnose debug application ustack 8
diagnose debug info

Output similar to the following appears in the CLI:


debug output: disable
console timestamp: disable
ssl debug level: 8
ustack debug level: 8
dssl debug level: 8
CLI debug level: 3

If you have not modified any verbosity levels, only this default output appears:
FortiWeb # diagnose debug info
debug output: disable
console timestamp: disable
CLI debug level: 3

Related topics

l debug reset
l debug
l debug application
l debug console timestamp
l debug cli


debug init

Use this command to record packet flow trace log messages.


Before you will be able to see any debug logs, you must first enable debug log output using the command debug on page 682.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug init {enable | disable}

Variable: init {enable | disable}
Description: Select whether to enable (start) or disable (stop) the recording of packet flow trace debug log messages. If you omit the selection, the CLI displays the current init status:
init output: disabled
Default: No default.

debug jemalloc-heap

If the jemalloc profile is activated and memory usage exceeds the configured threshold, a heap file is generated in the directory /var/log/gui_upload.
You can use this command to show or clear the heap files. At most 10 heap files are kept on the device.

Syntax
diagnose debug jemalloc-heap {show | clear}

Related commands

To activate or deactivate the jemalloc profile:


diagnose system kill 43 <pid_of_proxyd>

To parse the heap file via jeprof tool:


diagnose system jeprof


debug kernlog

Use this command to record the print information of the kernel.


Before you will be able to see any debug logs, you must first enable debug log output using the command enable-debug-log {enable | disable} on page 338.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug kernlog show
diagnose debug kernlog clear

Related Topic

l debug on page 682

debug netstatlog

Use this command to record the output of netstat -anlt when the proxyd program is overloaded.
Before you will be able to see any debug logs, you must first enable debug log output using the command enable-debug-log {enable | disable} on page 338.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug netstatlog show
diagnose debug netstatlog clear

Related Topic

l debug on page 682

debug proxy log

Use this command to print the logs generated by proxyd.


Syntax
diagnose debug proxy log {1 | 2 | 3}

1: Print error messages.
2: Print error messages and warnings.
3: Print error messages, warnings, and other logs.

Related Topic

l debug on page 682

debug reset

Use this command to reset all debug log settings to default settings for the currently installed firmware version. If you
have not upgraded or downgraded the firmware, this restores the factory default settings.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug reset

Related topics

l debug info
l debug console timestamp
l debug application
l debug cli

debug shell-access history show

Use this command to show the history of commands executed in Shell.


To use this command, your administrator account’s access control profile must have rw or w permission to the sysgrp
area. For details, see Permissions on page 46.


Syntax
diagnose debug shell-access history show

Please note that to view the history you must have enabled shell-access in config system global.
Run the following commands to enable shell access and specify trusted hosts.
config system global
set shell-access enable
set shell-history-size <int>
set shell-trusthostv4 <IPv4_address_range>
set shell-trusthostv6 <IPv6_address_range>
end

For more information, see config system global.

debug trace report

Use this command to start or stop collecting debug logs.


Only administrators or users with the prof_admin access profile have permission to use this command.

Syntax
diagnose trace report {start | stop}

Variable: trace report {start | stop}
Description: Select whether to enable (start) or disable (stop) collecting debug logs.
Default: No default

Related topics

l debug on page 682

debug trace tcpdump

Use this command to trace packets with tcpdump.


Syntax
diagnose trace tcpdump "<filter_str>" {any | "<interface_str>"} "<max-packet-count_int>" {reset}

Variable: "<filter_str>"
Description: Specify which protocols and port numbers you do or do not want to capture, such as 'tcp and port 80 and host IP1 and ( IP2 or IP3 )', or leave this field blank for no filter. Use the same filter expression syntax as tcpdump; see the tcpdump man page (HTTP://www.tcpdump.org/manpages/tcpdump.1.html).
Default: No default

Variable: {any | "<interface_str>"}
Description: Select the network interface on which you want to capture packets, such as port1, or any for all interfaces.
Default: any

Variable: "<max-packet-count_int>"
Description: Specify the maximum number of packets you want to capture for the policy. The capture stops automatically when the total number of captured packets reaches this count.
Default: 4000

Variable: {reset}
Description: Reset all the settings to default.
Default: No default

Related topics

l debug on page 682

debug upload

Use this command to upload debug logs to an FTP server. This can be used if you want to view logs outside of the CLI,
or if you need to provide debug log files to Fortinet Customer Service & Support:
HTTPs://support.fortinet.com
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose debug upload <ftp_ipv4> <user_str> <password_str> <upload-dir_str>

Variable: <ftp_ipv4>
Description: Enter the IP address or domain name of the FTP server.
Default: No default.

Variable: <user_str>
Description: Enter a valid user account name to log in to the FTP server.
Default: No default.

Variable: <password_str>
Description: Enter the password for the user account.
Default: No default.

Variable: <upload-dir_str>
Description: Enter the directory path on the FTP server where FortiWeb will upload files.
Default: No default.

Example
diagnose debug upload 192.0.2.5 user1 1passw0Rd C:/uploads

Related topics

l debug on page 682
l db rebuild on page 759

hardware bypass info

Use this command to display bypass firmware version information.


To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.
Please note this command is only supported on FortiWeb 2000F, 3000F and 4000F.

Syntax
diagnose hardware bypass info

hardware check

Use this command to check the appliance hardware for errors. In the case of FortiWeb, this command checks virtual
hardware—the vCPUs.
For example, to troubleshoot a logging problem, use the following command to check the log disk for errors:
diagnose hardware check logdisk

If the disk does not pass the check, it is likely the source of the problem.


Syntax
diagnose hardware check {all | psu | sslcard | cpu |logdisk | memory |nic}

Variable: {all | psu | sslcard | cpu |logdisk | memory |nic}
Description: Enter the type of hardware to check, or enter all to check all hardware. For FortiWeb-VM versions, the sslcard option is not available.
Note:
l sslcard is only supported on FortiWeb 600D, 1000D, 3000D, 3000DFSX, 4000D, 1000E, 2000E, 3000E, 3010E, 4000E, 2000F, 3000F, and 4000F.
l psu is only supported on FortiWeb 2000E, 3000E, 3010E, 4000E, 2000F, 3000F, and 4000F.
Default: No default.

Example

The following command checks the log disk:


diagnose hardware check logdisk

Output similar to the following appears in the CLI:


logdisk check Pass
size Pass 1952
disk-number Pass 2
raid-level Pass raid1

hardware cpld info

Use this command to display the cpld firmware version information.


To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.
Please note this command is only supported on FortiWeb 2000F, 3000F and 4000F.

Syntax
diagnose hardware cpld info


hardware cpu

Use this command to display a list of hardware specifications on the FortiWeb appliance for CPUs. In the case of
FortiWeb-VM, this command displays virtual hardware information—the vCPUs.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
diagnose hardware cpu [list]

Example
diagnose hardware cpu list

Output similar to the following appears in the CLI:


processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Xeon(R) CPU E5405 @ 2.00GHz
stepping : 10
cpu MHz : 1995.056
cache size : 6144 KB
physical id : 0
siblings : 4
core id : 0
cpu cores : 4
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36
clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc pni monitor ds_
cpl vmx tm2 cx16 xtpr lahf_lm
bogomips : 3994.51
clflush size : 64
cache_alignment : 64
address sizes : 38 bits physical, 48 bits virtual
power management:

Related topics

l system top on page 745
l hardware mem on page 709
l system performance on page 790


hardware fail-open

Fail-to-wire/bypass behavior is available for specific models only. For details, see system fail-open on page 260.

hardware harddisk

Use this command to display a list of hard disks and their capacity in megabytes (MB) in the FortiWeb appliance. In the
case of FortiWeb-VM, this will instead be for virtual hardware.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
diagnose hardware harddisk [list]

Example
diagnose hardware harddisk list

Output similar to the following appears in the CLI:


name size(M)
sda 625.56
sdb 32212.25

On a FortiWeb 1000C with a single properly functioning internal hard disk plus its internal flash disk, this command
should show two file systems:
name size(M)
sda 1000204.89
sdb 1971.32

where sda, the larger file system, is from the hard disk used to store non-configuration/firmware data. If it does not
appear, you can reboot and attempt to run a file system check to fix the file system and mount it.
Similarly FortiWeb 3000D shows:
name size(M)
sda 1999844.15
sdb 2055.21

Related topics

l hardware logdisk info on page 709
l hardware raid list on page 713
l system flash on page 730
l system mount on page 744
l system performance on page 790

hardware interrupts

Use this command to display input/output (I/O) interrupt requests (IRQs) on the FortiWeb appliance. (In the case of
FortiWeb-VM, this will instead be for virtual hardware.)
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
diagnose hardware interrupts list

Example
diagnose hardware interrupts list

Output similar to the following appears in the CLI:


CPU0
0: 225 IO-APIC-edge timer
1: 597 IO-APIC-edge i8042
2: 0 XT-PIC-XT-PIC cascade
12: 6 IO-APIC-edge i8042
14: 0 IO-APIC-edge ide0
15: 0 IO-APIC-edge ide1
16: 151462 IO-APIC-fasteoi vmxnet ether
17: 1080446 IO-APIC-fasteoi ioc0, vmxnet ether
18: 357613 IO-APIC-fasteoi vmxnet ether
19: 150107 IO-APIC-fasteoi vmxnet ether
NMI: 0 Non-maskable interrupts
LOC: 103791489 Local timer interrupts
SPU: 0 Spurious interrupts
PMI: 0 Performance monitoring interrupts
IWI: 0 IRQ work interrupts
RES: 0 Rescheduling interrupts
CAL: 0 Function call interrupts
TLB: 0 TLB shootdowns
MCE: 0 Machine check exceptions
MCP: 346 Machine check polls
ERR: 0
MIS: 0


Related topics

• system performance on page 790

hardware logdisk info

Use this command to display the capacity, partitions, mount status, and RAID level (if any) of the hard disk FortiWeb
uses to store logs and other data. For FortiWeb-VM, information for virtual hardware (the vDisk) is displayed.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
diagnose hardware logdisk info

Example

This example shows normal output for a FortiWeb-VM installation: there is no RAID, and it has been allocated a 40 GB
vDisk. If the disk were mounted as read-only, this would indicate that the disk had failed to mount normally, and would be
the cause if no new log messages were being recorded.
diagnose hardware logdisk info

The CLI displays output that is similar to the following:


disk number: 1
disk[0] size: 31.46GB
raid level: no raid exists
partition number: 1
mount status: read-write

Related topics

• hardware harddisk on page 707
• log on page 715
• system mount on page 744
• system performance on page 790

hardware mem

Use this command to display the usage statistics of ephemeral memory (RAM), including swap pages and shared
memory (Shmem), on the FortiWeb appliance. In the case of FortiWeb-VM, this will instead be for virtual hardware—the
vRAM.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
diagnose hardware mem list

Example
diagnose hardware mem list

Output similar to the following appears in the CLI:


MemTotal: 1026808 kB
MemFree: 397056 kB
Buffers: 121248 kB
Cached: 86112 kB
SwapCached: 0 kB
Active: 324664 kB
Inactive: 66608 kB
Active(anon): 186544 kB
Inactive(anon): 8856 kB
Active(file): 138120 kB
Inactive(file): 57752 kB
Unevictable: 46008 kB
Mlocked: 46008 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 1564 kB
Writeback: 0 kB
AnonPages: 229920 kB
Mapped: 12632 kB
Shmem: 11488 kB
Slab: 36564 kB
SReclaimable: 6552 kB
SUnreclaim: 30012 kB
KernelStack: 640 kB
PageTables: 8820 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 513404 kB
Committed_AS: 1216900 kB
VmallocTotal: 34359738367 kB
VmallocUsed: 38960 kB
VmallocChunk: 34359682723 kB
DirectMap4k: 8192 kB
DirectMap2M: 1040384 kB


Related topics

• policy on page 728
• system flash on page 730
• system top on page 745
• system performance on page 790

hardware nic

Use this command to display a list of hardware specifications for the network interface card (NIC) physical ports on the
FortiWeb appliance. (In the case of FortiWeb-VM, this will instead be for virtual hardware—the vNICs—and therefore the
driver will be a virtual driver such as vmxnet, and the interrupt will be a virtual IRQ address.)
If the FortiWeb’s network hardware has failed, this command can help to detect it. For example, if you know that the
network cable is good and the configuration is correct, but this command displays Link detected: no, the physical
network port may be broken.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
diagnose hardware nic list [<interface_name>]

Variable: list [<interface_name>]
Description: Optionally, enter the name of a physical network interface, such as port1, to display its link status,
configuration, hardware information, status, and connectivity statistics such as collision errors.
If you omit the name of a NIC port, the CLI returns a list of all physical network interfaces, as well as the loopback
interface (lo):
lo
port1
port2
port3
port4
Note: The detected physical link status from this command is not the same as its configured administrative status.
For example, even though you have used config system interface on page 313 to configure port1 with set status
down, if the cable is physically plugged in, diagnose hardware nic list port1 will indicate correctly that
the link is up (Link detected: yes).
Default: No default.


Example
diagnose hardware nic list

Output similar to the following appears in the CLI:


driver vmxnet
version 2.0.9.0
firmware-version N/A
bus-info 0000:00:11.0

Supported ports TP
Supported link modes 1000baseT/Full
Supports auto-negotiation: No
Advertised link modes: Not reported
Advertised auto-negotiation: No

Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD 0
Transceiver: internal
Auto-negotiation off
Link detected yes

Link encap Ethernet
HWaddr 00:0C:29:FE:2B:47
INET addr 10.1.1.221
Bcast 10.1.1.221
Mask 256.256.256.256
FLAG UP BROADCAST RUNNING MULTICAST
MTU 1500
MEtric 1
Outfill 0
Keepalive 6846704

Interrupt 18
Base address 0x1400

RX packets 171487
RX errors 167784
RX dropped 0
RX overruns 0
RX frame 0
TX packets 202724
TX errors 0
TX dropped 0
TX overruns 0
TX carrier 0
TX collisions 0
TX queuelen 1000
RX bytes 72772373 (69.4 Mb)
TX bytes 32288070 (30.7 Mb)


Related topics

• system interface on page 312
• hardware interrupts on page 708
• network ip on page 717
• network sniffer on page 721
• network tcp list on page 726
• network udp list on page 727
• system ha mac on page 737
• traceroute on page 785
• system performance on page 790

hardware raid list

Use this command to run a diagnostic test of each hard disk in the RAID array that FortiWeb has. It also displays the
capacity and RAID level. Because FortiWeb-VM has no RAID, this command is not applicable to it.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
diagnose hardware raid list

Example
diagnose hardware raid list

Output similar to the following (from a FortiWeb 3000D) appears in the CLI window:
disk-number size(M) level
0(OK),1(OK), 1877274 raid1

Related topics

• system raid on page 328
• hardware harddisk on page 707
• system mount on page 744
• create-raid level on page 757
• create-raid rebuild on page 758
• system performance on page 790


hardware raid-card info

Use this command to display RAID card firmware version information.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.
This command is only supported on FortiWeb 2000F, 3000F and 4000F.

Syntax
diagnose hardware raid-card info

index

Use this command to view (list) or clear logs, or to examine (show) or configure logs.
To use this command, your administrator account’s access control profile must have rw or w permission to the loggrp
area. For details, see Permissions on page 46.

Syntax
diagnose index all show
diagnose index all clear
diagnose index {alog | dlog | elog | tlog} clear
diagnose index {alog | dlog | elog | tlog} list <index_int>
diagnose index {alog | dlog | elog | tlog} set <queue_int>
diagnose index {alog | dlog | elog | tlog} show

Variable: index {alog | dlog | elog | tlog}
Description: Select which log files to view or affect:
• alog—Attack logs.
• dlog—Debug logs.
• elog—Event logs.
• tlog—Traffic logs.
Default: No default.

Variable: list <index_int>
Description: Enter the number of most recent logs to display.
Default: No default.

Variable: set <queue_int>
Description: Enter the maximum length of the log before it is flushed and written to disk. The valid range is 0–32,768.
Default: No default.

Example

This example displays a list of logs processed.
diagnose index all show

Related topics

• log attack-log on page 61
• log event-log on page 70
• log traffic-log on page 92
• debug on page 682
• hardware logdisk info on page 709

log

Use this command to view (list) or clear log messages, or to examine (show) or configure logging queues.
To use this command, your administrator account’s access control profile must have rw or w permission to the loggrp
area. For details, see Permissions on page 46.

Syntax
diagnose log {all | alog | dlog | elog | tlog} [show | start | stop]

Variable: log {all | alog | dlog | elog | tlog}
Description: Select which log files to view:
• all—All logs
• alog—Attack logs
• dlog—Debug logs
• elog—Event logs
• tlog—Traffic logs
Default: No default.

Variable: [show | start | stop]
Description: Displays the log messages or specifies a time to start or stop logging.

Example

This example sets a time to start the display of log messages, displays log information starting at that time, and stops the
display of log messages. The appliance’s responses are displayed in bold.
FortiWeb # dia log all start
start tracking log
FortiWeb # dia log all show
time span starts from 2014-07-31 18:31:53.000000
Total time span is 10.754097 seconds
Time spent on waiting is 10.527346 seconds
Time spent on preprocessing is 0.000000 seconds
event log processed: 0
traffic log processed: 0
attack log processed: 0
FortiWeb # dia log all stop
stop tracking log

Related topics

• log attack-log on page 61
• log event-log on page 70
• log traffic-log on page 92
• debug on page 682
• hardware logdisk info on page 709

network arp

Use this command to add or delete an address resolution protocol (ARP) table entry, or to display the ARP table. The
ARP table maps IP addresses to the physical MAC addresses of network interface cards, and thereby determines which
IP addresses can be reached directly through a link.
To use this command, your administrator account’s access control profile must have rw or w permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
diagnose network arp add <interface_name> {<interface_ipv4> | <interface_ipv6>} <mac-address_hex>
diagnose network arp delete <interface_name> {<interface_ipv4> | <interface_ipv6>}
diagnose network arp list
diagnose network arp flush

Variable: <interface_name>
Description: Enter the name of the interface to add or delete from the ARP table.
Default: No default.

Variable: {<interface_ipv4> | <interface_ipv6>}
Description: Enter the IP address of the interface.
Default: No default.

Variable: <mac-address_hex>
Description: Enter the MAC address of the interface.
Default: No default.

Example

This example displays a list of ARP table entries.
FortiWeb # diagnose network arp list
port_ha: 169.254.0.2 fc:aa:14:75:c0:e0 reachable
port1: 10.0.0.1 00:09:0f:77:11:1d stale
port2: 10.65.13.3 00:0c:29:02:f1:bb reachable
lo: 10::13:101 0: 0: 0: 0: 0: 0 noarp
port2: ff02::16 33:33: 0: 0: 0:16 noarp
vlan66: ff02::16 33:33: 0: 0: 0:16 noarp
port7: ff02::2 33:33: 0: 0: 0: 2 noarp
port_ha: ff02::2 33:33: 0: 0: 0: 2 noarp
port_tn: ff02::16 33:33: 0: 0: 0:16 noarp
port7: ff02::16 33:33: 0: 0: 0:16 noarp
port_ha: ff02::16 33:33: 0: 0: 0:16 noarp
gretap0: ff02::16 33:33: 0: 0: 0:16 noarp

Related topics

• network route on page 718
• network ip on page 717
• router static on page 98
• system interface on page 312

network ip

Use these commands to add or delete a network interface, loopback interface, or virtual server (which functions
somewhat like a virtual network interface) IP address, or to list the table of network interface IPs.

Back up the configuration before deleting a network interface table entry. FortiWeb
presents no confirmation message, and in some cases such as the loopback
interface, provides no undelete mechanism.

To use this command, your administrator account’s access control profile must have rw or w permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
diagnose network ip add <interface_name> {<interface_ipv4> | <interface_ipv6>} {<interface_ipv4mask> | <interface_v6mask>}
diagnose network ip delete <interface_name> {<interface_ipv4> | <interface_ipv6>}
diagnose network ip list

Variable: <interface_name>
Description: Enter the name of the interface to add or delete from the network interface table.
Default: No default.

Variable: {<interface_ipv4> | <interface_ipv6>}
Description: Enter the IP address of the network interface.
Default: No default.

Variable: {<interface_ipv4mask> | <interface_v6mask>}
Description: Enter the subnet mask.
Default: No default.

Example

This example displays a list of enabled network interfaces, including the loopback (lo).
FortiWeb # diagnose network ip list
lo: 127.0.0.1/24
port1: 10.200.123.2/16
lo: ::1/128
port1: fe80::20c:29ff:fec3:34a6/64
port5: fe80::20c:29ff:fec3:34ce/64
port9: fe80::20c:29ff:fec3:34f6/64
port2: fe80::20c:29ff:fec3:34b0/64
port6: fe80::20c:29ff:fec3:34d8/64
port10: fe80::20c:29ff:fec3:3400/64
port3: fe80::20c:29ff:fec3:34ba/64
port7: fe80::20c:29ff:fec3:34e2/64
port4: fe80::20c:29ff:fec3:34c4/64
port8: fe80::20c:29ff:fec3:34ec/64
port_tn: fe80::1854:64ff:fe68:fd55/64

Example

This example deletes the IP of a virtual server on port2.
diagnose network ip delete port1 192.0.2.221

Related topics

• network route on page 718
• network arp on page 716
• system interface on page 312

network route

Use this command to add or delete a route in the routing table, or to list the routing table.
This command displays all individual entries, including automatically configured routes for the loopback interface and
VLANs, and also displays each route’s priority. Unlike network rtcache on page 720, it displays all known routes,
regardless of whether they have been recently used.


Do not delete routes unless you are sure. FortiWeb does not ask you to confirm the
deletion, and there is no undelete mechanism. For example, if you accidentally
delete a loopback interface route, you must recreate it manually.

To use this command, your administrator account’s access control profile must have rw or w permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
diagnose network route add {<source_ipv4mask> | <source_ipv6mask>} <interface_name> {<destination_ipv4mask> | <destination_ipv6mask>} <interface_name> {<gateway_ipv4> | <gateway_ipv6>} <priority_int>
diagnose network route delete {<source_ipv4mask> | <source_ipv6mask>} <interface_name> {<destination_ipv4mask> | <destination_ipv6mask>} <interface_name> {<gateway_ipv4> | <gateway_ipv6>} <priority_int>
diagnose network route list

Variable: {<source_ipv4mask> | <source_ipv6mask>}
Description: Enter the IP address and network mask of the source, separated by a space.
Default: No default.

Variable: <interface_name>
Description: Enter the name of the interface to add or delete from the routing table.
Default: No default.

Variable: {<destination_ipv4mask> | <destination_ipv6mask>}
Description: Enter the IP address and network mask of the destination, separated by a space.
Default: No default.

Variable: {<gateway_ipv4> | <gateway_ipv6>}
Description: Enter the IP address of the next hop router (sometimes called a gateway) to which this route sends packets.
Default: No default.

Variable: <priority_int>
Description: Enter the priority of the route in the routing table. The lower the number, the higher the priority. The valid
range is 1–256.
Default: 0

Example

This example displays the routing table.
FortiWeb # diagnose network route list
0.0.0.0/0(none)->10.200.0.0/16(port1) via 0.0.0.0, pri 0 prot 2 scope 253
::/0(none)->fe80::/64(port1) via ::, pri 256 prot 2 scope 0
::/0(none)->fe80::/64(port2) via ::, pri 256 prot 2 scope 0
::/0(none)->fe80::/64(port3) via ::, pri 256 prot 2 scope 0
::/0(none)->fe80::/64(port4) via ::, pri 256 prot 2 scope 0
::/0(none)->fe80::/64(port5) via ::, pri 256 prot 2 scope 0
::/0(none)->fe80::/64(port6) via ::, pri 256 prot 2 scope 0
::/0(none)->fe80::/64(port7) via ::, pri 256 prot 2 scope 0
::/0(none)->fe80::/64(port8) via ::, pri 256 prot 2 scope 0
::/0(none)->fe80::/64(port9) via ::, pri 256 prot 2 scope 0
::/0(none)->fe80::/64(port10) via ::, pri 256 prot 2 scope 0
::/0(none)->fe80::/64(port_tn) via ::, pri 256 prot 2 scope 0


Example

This example adds a route to the routing table.
diagnose network route add 10::/64 port1 10:200::1/64 port1 10::1 0

Related topics

• router all on page 1
• ping on page 768
• ping6 on page 769
• traceroute on page 785
• network rtcache on page 720
• router static on page 98

network rtcache

Use this command to display the routing cache.
Unlike network route on page 718, this command displays the cache of the most recently used routes, not necessarily
the entire configuration. (You may have configured many routes, and these configurations will be saved to disk and
appear in network route on page 718, but rarely used ones will not usually appear in the route cache, which keeps
recently used routes in RAM for performance reasons.)
To use this command, your administrator account’s access control profile must have rw or w permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
diagnose network rtcache list

Example

This example displays the routing cache.
172.20.120.52(port1)->256.256.256.256(lo) via 0.0.0.0, pri 0 prot 0 scope 0, ref 0 lastuse 3181 expires 0 error 0 used 855
172.20.120.100(port3)->172.20.120.256(lo) via 0.0.0.0, pri 0 prot 0 scope 0, ref 0 lastuse 434 expires 0 error 0 used 0
172.20.120.230(port1)->256.256.256.256(lo) via 0.0.0.0, pri 0 prot 0 scope 0, ref 0 lastuse 47386 expires 0 error 0 used 7
10.0.1.1(none)->10.0.1.1(lo) via 0.0.0.0, pri 0 prot 0 scope 0, ref 0 lastuse 223 expires 0 error 0 used 29551
0.0.0.0(none)->10.0.1.1(lo) via 0.0.0.0, pri 0 prot 0 scope 0, ref 0 lastuse 223 expires 0 error 0 used 7387
::(none)->::1(lo) via ::, pri 0 prot 0 scope 0 ref 1 lastuse 155845 expires 0 error 0 used 417
::(none)->2607:f0b0:f:420:20c:29ff:fe4d:3ad3(lo) via ::, pri 0 prot 0 scope 0 ref 1 lastuse 354923 expires 0 error 0 used 1
::(none)->2607:f0b0:f:420:20c:29ff:fe4d:3ae7(lo) via ::, pri 0 prot 0 scope 0 ref 1 lastuse 2590615 expires 0 error 0 used 0
::(none)->2607:f0b0:f:420:20c:29ff:fe4d:3af1(lo) via ::, pri 0 prot 0 scope 0 ref 1 lastuse 2590615 expires 0 error 0 used 0
::(none)->2607:f0b0:f:420::(port1) via ::, pri 256 prot 0 scope 0 ref 0 lastuse 2590616 expires 214715722 error 0 used 0
::(none)->ff00::(port4) via ::, pri 256 prot 0 scope 0 ref 0 lastuse 2590615 expires 0 error 0 used 0
::(none)->ff00::(lo) via ::, pri -1 prot 0 scope 0 ref 1 lastuse 449431651 expires 0 error -101 used 1

Example

This example adds a route to the routing table.
diagnose network route add vlan2 160.1.12.0 256.0.0.0 172.20.01.169 32 3 verify

Related topics

• router all on page 1
• ping on page 768
• ping6 on page 769
• traceroute on page 785
• network route on page 718
• router static on page 98

network sniffer

Use this command to perform a packet trace on one or more network interfaces.
Packet capture, also known as sniffing or packet analysis, records some or all of the packets seen by a network interface
(that is, the network interface is used in promiscuous mode). By recording packets, you can trace connection states to
the exact point at which they fail, which may help you to diagnose some types of problems that are otherwise difficult to
detect.
FortiWeb appliances have a built-in sniffer. Packet capture on FortiWeb appliances is similar to that of FortiGate
appliances. Packet capture output appears on your CLI display until you stop it by pressing Ctrl+C, or until it reaches the
number of packets that you have specified to capture.


Packet capture can be very resource intensive. To minimize the performance impact
on your FortiWeb appliance, use packet capture only during periods of minimal
traffic, with a local console CLI connection rather than a Telnet or SSH CLI
connection, and be sure to stop the command when you are finished.

If your FortiWeb model uses Data Plane Development Kit (DPDK) for packet
processing (for example, models 3000E, 3010E and 4000E) and is operating in
Offline Protection mode, you cannot use this command with ports that are configured
as data capture ports. To use the command with this type of port, disable the
corresponding server policy or configure the policy with a different data capture port.

To use this command, your administrator account’s access control profile must have at least r permission to the
prof_admin area. For details, see Permissions on page 46.

Syntax
diagnose network sniffer [{any | "<interface_name>"} [{none | "<filter_str>"} [{1 | 2 | 3} [<packets_int>]]]]

Variable: {any | "<interface_name>"}
Description: Enter the name of a network interface whose packets you want to capture, such as port1, or type any to
capture packets on all network interfaces.
If you omit this and the following parameters for the command, the command captures all packets on all network
interfaces.
Default: No default.

Variable: {none | "<filter_str>"}
Description: Enter either none to capture all packets, or type a filter that specifies which protocols and port numbers
you do or do not want to capture, such as "tcp port 25".
Filters use tcpdump (HTTP://www.tcpdump.org) syntax:
"[[src|dst] host {<host1_fqdn> | <host1_ipv4>}] [and|or] [[src|dst] host {<host2_fqdn> | <host2_ipv4>}] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port1_int>] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port2_int>]"
To display only the traffic between two hosts, specify the IP addresses of both hosts. To display only forward or reply
packets, indicate which host is the source, and which is the destination.
For example, to display UDP port 1812 traffic between 1.example.com and either 2.example.com or 3.example.com,
you would enter:
"udp and port 1812 and src host 1.example.com and dst \( 2.example.com or 3.example.com \)"
Default: none

Variable: {1 | 2 | 3}
Description: Type one of the following integers indicating the depth of packet headers and payloads to capture:
• 1—Display the packet capture timestamp, plus basic fields of the IP header: the source IP address, the destination
IP address, protocol name, and destination port number.
Does not display all fields of the IP header; it omits:
  • IP version number bits
  • Internet header length (ihl)
  • type of service/differentiated services code point (tos)
  • explicit congestion notification
  • total packet or fragment length
  • packet ID
  • IP header checksum
  • time to live (TTL)
  • fragment offset
  • options bits
• 2—All of the output from 1, plus the packet payload in both hexadecimal and ASCII.
• 3—All of the output from 2, plus the link layer (Ethernet) header.
For troubleshooting purposes, Fortinet Technical Support may request the most verbose level (3).
Default: 1

Variable: <packets_int>
Description: Enter the number of packets to capture before stopping. If you do not specify a number, the command
will continue to capture packets until you press Ctrl+C.
Default: Packet capture continues until you press Ctrl+C.

Example

The following example captures three packets of traffic from any port number or protocol and between any source and
destination (a filter of none), which passes through the network interface named port1. The capture uses a low level of
verbosity (indicated by 1).
Commands that you would type are highlighted in bold; responses from the FortiWeb appliance are not bolded.
FortiWeb# diagnose network sniffer port1 none 1 3
filters=[none]
0.918957 192.168.0.1.36701 -> 192.168.0.2.22: ack 2598697710
0.919024 192.168.0.2.22 -> 192.168.0.1.36701: psh 2598697710 ack 2587945850


0.919061 192.168.0.2.22 -> 192.168.0.1.36701: psh 2598697826 ack 2587945850

If you are familiar with the TCP protocol, you may notice that the packets are from the middle of a TCP connection.
Because port 22 is used (highlighted above in bold), which is the standard port number for SSH, the packets might be
from an SSH session.

Example

The following example captures traffic on TCP port 80 (typically HTTP) between two hosts, 192.168.0.1
and 192.168.0.2. The capture uses a low level of verbosity (indicated by 1). Because the filter does not specify either
host as the source or destination in the IP header (src or dst), the sniffer captures both forward and reply traffic.
Note that in tcpdump syntax and binds more tightly than or, so as written the filter is evaluated as host 192.168.0.2
or (host 192.168.0.1 and tcp port 80); to limit both hosts to port 80, group the two host expressions in escaped
parentheses, \( and \), as shown in the filter example in the table above.
Commands that you would type are highlighted in bold; responses from the FortiWeb appliance are not bolded.
FortiWeb# diagnose network sniffer packet port1 'host 192.168.0.2 or host 192.168.0.1 and tcp port 80' 1

A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator
presses Ctrl+C. The sniffer then confirms that five packets were seen by that network interface. Below is a sample
output.
192.168.0.2.3625 -> 192.168.0.1.80: syn 2057246590
192.168.0.1.80 -> 192.168.0.2.3625: syn 3291168205 ack 2057246591
192.168.0.2.3625 -> 192.168.0.1.80: ack 3291168206
192.168.0.2.3625 -> 192.168.0.1.80: psh 2057246591 ack 3291168206
192.168.0.1.80 -> 192.168.0.2.3625: ack 2057247265
5 packets received by filter
0 packets dropped by kernel

Example

The following example captures TCP port 443 (typically HTTPS) traffic occurring through port1, regardless of its
source or destination IP address. The capture uses a high level of verbosity (indicated by 3).
The number of packets to capture is not specified, so the packet capture continues until the administrator presses
Ctrl+C. The sniffer then states how many packets were seen by that network interface.
Verbose output can be very long. As a result, output shown below is truncated after only one packet.
Commands that you would type are highlighted in bold; responses from the FortiWeb appliance are not bolded.
FortiWeb# diagnose network sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E.
0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W....
0x0020 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002 ...B..-f........
0x0030 16d0 4f72 0000 0204 05b4 0402 080a 03ab ..Or............

Instead of reading packet capture output directly in your CLI display, you usually should save the output to a plain text file
using your CLI client. Saving the output provides several advantages. Packets can arrive more rapidly than you may be
able to read them in the buffer of your CLI display, and many protocols transfer data using encodings other than
US-ASCII. It is often, but not always, preferable to analyze the output by loading it into a network protocol analyzer
application such as Wireshark (HTTP://www.wireshark.org/).
For example, you could use PuTTY or Microsoft HyperTerminal to save the sniffer output to a file. Methods may vary.
See the documentation for your CLI client.

Requirements

• Terminal emulation software such as PuTTY (HTTP://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
• A plain text editor such as Notepad
• A Perl interpreter
• Network protocol analyzer software such as Wireshark (HTTP://www.wireshark.org)

To view packet capture output using PuTTY and Wireshark

1. On your management computer, start PuTTY.
2. Use PuTTY to connect to the FortiWeb appliance using either a local console, SSH, or Telnet connection. For details,
see Connecting to the CLI on page 33.
3. Type the packet capture command, such as:
diag network sniffer packet port1 'tcp port 443' 3 100
but do not press Enter yet.
4. In the upper left corner of the window, click the PuTTY icon to open its drop-down menu, then select Change Settings.
5. In the Category tree on the left, go to Session > Logging.
6. Select Printable output.
7. In Log file name, click the Browse button, then choose a directory path and file name such as
C:\Users\MyAccount\packet_capture.txt to save the packet capture to a plain text file. You do not need to
save it with the .log file extension.
8. Click Apply.
9. Press Enter to send the CLI command to the FortiWeb appliance, beginning packet capture.
10. If you have not specified a number of packets to capture, when you have captured all packets that you want to analyze,
press Ctrl + C to stop the capture.
11. Close the PuTTY window.
12. Open the packet capture file using a plain text editor such as Notepad.
13. Delete the first and last lines, which look like this:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 6/27/2023.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=
FortiWeb-2000 #
These lines are a PuTTY timestamp and a command prompt, which are not part of the packet capture. If you do not
delete them, they could interfere with the script in the next step.
14. Convert the plain text file to a format recognizable by your network protocol analyzer application.
You can convert the plain text file to a format recognizable by Wireshark (.pcap) using the fgt2eth.pl Perl script. To
download fgt2eth.pl, see the Fortinet Knowledge Base article "Using the FortiOS built-in packet sniffer:"
HTTP://kb.fortinet.com/kb/documentLink.do?externalId=11186
The fgt2eth.pl script is provided as-is, without any implied warranty or technical support, and requires that you first
install a Perl module compatible with your operating system.
To use fgt2eth.pl, open a command prompt, then enter a command such as the following:
fgt2eth.pl -in packet_capture.txt -out packet_capture.pcap
where:
• fgt2eth.pl is the name of the conversion script; include the path relative to the current directory, which is
indicated by the command prompt
• packet_capture.txt is the name of the packet capture’s output file; include the directory path relative to your
current directory
• packet_capture.pcap is the name of the conversion script’s output file; include the directory path relative to
your current directory where you want the converted output to be saved
Methods to open a command prompt vary by operating system.
On Windows XP, go to Start > Run and enter cmd.
On Windows 7, click the Start (Windows logo) menu to open it, then enter cmd.
15. Open the converted file in your network protocol analyzer application. For further instructions, see the documentation for
that application.
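The conversion in step 14 can also be done without Perl. The following script is an added example, not Fortinet's fgt2eth.pl: it parses the verbosity-3 hex dump that the sniffer prints (which begins at the Ethernet header) and writes a libpcap file that Wireshark opens directly. The sample input is the truncated verbosity-3 output shown in the example above; the file names in the usage comment are placeholders.

```python
"""Convert FortiWeb 'diagnose network sniffer ... 3' output into a pcap file.

Added example (not the fgt2eth.pl script from the Knowledge Base article):
verbosity level 3 prints each packet as a summary line followed by a hex dump
that starts at the Ethernet header, which is exactly what a libpcap file with
link type Ethernet expects.
"""
import re
import struct
import sys
from dataclasses import dataclass
from typing import List

# Summary line, e.g. "10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898"
SUMMARY_RE = re.compile(r"^(\d+\.\d+)\s+\S+ -> \S+:")
# Hex dump line: offset, then at most eight two-byte groups (the last may hold
# a single byte), then the ASCII column.  Capping the group count at eight
# keeps an ASCII column that happens to look like hex out of the data; a short
# final line whose ASCII column looks like hex is still ambiguous (assumption:
# that does not occur in practice).
HEX_RE = re.compile(
    r"^0x([0-9a-fA-F]{4})((?:\s+[0-9a-fA-F]{4}){0,7}\s+(?:[0-9a-fA-F]{2}){1,2})"
)

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


@dataclass
class Frame:
    ts: float    # timestamp as printed (seconds, relative to capture start)
    data: bytes  # captured bytes, beginning with the Ethernet header


def parse_sniffer(text: str) -> List[Frame]:
    """Return one Frame per packet that has a hex dump.  The prompt echo and
    the 'interfaces=[...]' / 'filters=[...]' lines are ignored."""
    frames: List[Frame] = []
    cur = None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            cur = Frame(ts=float(m.group(1)), data=b"")
            frames.append(cur)
            continue
        m = HEX_RE.match(line)
        if m and cur is not None:
            offset = int(m.group(1), 16)
            if offset != len(cur.data):  # the dump must be contiguous
                raise ValueError(f"unexpected offset 0x{offset:04x}: {line}")
            cur.data += bytes.fromhex(m.group(2).replace(" ", ""))
    return [f for f in frames if f.data]  # verbosity-1 lines carry no bytes


def original_length(data: bytes) -> int:
    """Wire length of the frame: Ethernet header plus the IPv4 total length
    when the frame carries IPv4, otherwise the captured length.  Recording it
    lets Wireshark show a truncated dump (like the one in the CLI reference)
    as truncated rather than as a malformed packet."""
    if len(data) >= 34 and data[12:14] == b"\x08\x00":
        ip_total_len = struct.unpack("!H", data[16:18])[0]
        return max(len(data), 14 + ip_total_len)
    return len(data)


def build_pcap(frames: List[Frame]) -> bytes:
    """Serialise frames as a little-endian pcap 2.4 file (snaplen 65535)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                                LINKTYPE_ETHERNET))
    for f in frames:
        sec, usec = divmod(int(round(f.ts * 1_000_000)), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(f.data), original_length(f.data))
        out += f.data
    return bytes(out)


# Sample input taken from the verbosity-3 example in the CLI reference; the
# reference truncates the dump after 64 of the frame's 74 bytes.
SAMPLE = """\
FortiWeb# diagnose network sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E.
0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W....
0x0020 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002 ...B..-f........
0x0030 16d0 4f72 0000 0204 05b4 0402 080a 03ab ..Or............
"""

if __name__ == "__main__":
    # Usage: python sniffer2pcap.py packet_capture.txt packet_capture.pcap
    # (placeholder file names); with no arguments the SAMPLE above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    pcap = build_pcap(parse_sniffer(text))
    dest = sys.argv[2] if len(sys.argv) > 2 else "packet_capture.pcap"
    with open(dest, "wb") as fh:
        fh.write(pcap)
    print(f"wrote {len(pcap)} bytes to {dest}")
```

Run it on the PuTTY log after step 13 (the timestamp and prompt lines are skipped anyway, since they match neither pattern); Wireshark will mark the page's sample frame as 64 of 74 bytes captured.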

network tcp list

Use this command to view a list of TCP raw socket details, including:
• sl—Kernel socket hash slot.
• local_address—IP address and port number pair of the local FortiWeb network interface in hexadecimal, such
as DD01010A:0050.
• rem_address—Remote host’s network interface and port number pair. If not connected, this will contain
00000000:0000.
• st—TCP state code (e.g. 0A for listening, 01 for established, or 06 for TIME_WAIT)
• tx_queue—Kernel memory usage by the transmission queue.
• rx_queue—Kernel memory usage by the receive queue.
• tr, tm->when, retrnsmt—Kernel socket state debugging information.
• uid—User ID of the socket’s creator (on FortiWeb, always 0).
• timeout—Connection timeout.
• inode—Pseudo-file system i-node of the process.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

FortiWeb CLI Reference Fortinet Technologies Inc.


diagnose 727

Syntax
diagnose network tcp list

Example
diagnose network tcp list
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: DD01010A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 333597 1 ffff88003b825880 299 0 0 2 -1
1: 2F7814AC:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 228018 1 ffff88003b824680 299 0 0 2 -1
2: 1B01A8C0:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2692 1 ffff88003b6ec6c0 299 0 0 2 -1
3: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2691 1 ffff88003b6eccc0 299 0 0 2 -1
4: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2433 1 ffff88003b489280 299 0 0 2 -1
5: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2400 1 ffff88003b489880 299 0 0 2 -1
6: 0100007F:22B8 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2687 1 ffff88003b488680 299 0 0 2 -1
7: DD01010A:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 333598 1 ffff88003bbf3940 299 0 0 2 -1
8: 2F7814AC:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 228017 1 ffff88003b824080 299 0 0 2 -1
9: 1B01A8C0:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2689 1 ffff88003b6ed8c0 299 0 0 2 -1
10: 0100007F:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2688 1 ffff88003b488080 299 0 0 2 -1
11: 00000000:208D 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2441 1 ffff88003b488c80 299 0 0 2 -1
12: 2F7814AC:0016 E17814AC:FEF2 01 00000000:00000000 02:000909FE 00000000 0 0 272209 4 ffff88003bbf2d40 20 3 1 5 -1

Related topics
• network arp on page 716
• network ip on page 717

network udp list

Use this command to view a list of UDP raw socket details, including:
• sl—Kernel socket hash slot.
• local_address—IP address and port number pair of the local FortiWeb network interface in hexadecimal, such as DD01010A:0050.
• rem_address—Remote host’s network interface and port number pair. If not connected, this will contain 00000000:0000.
• st—TCP state code in hexadecimal (e.g. 0A for listening, 01 for connection established, or 06 for waiting for data).
• tx_queue—Kernel memory usage by the transmission (Tx) queue.
• rx_queue—Kernel memory usage by the retransmission (Rx) queues. This is not used by UDP, since the protocol itself does not support retransmission.
• tr, tm->when, retrnsmt—Kernel socket state debugging information. These are not used by UDP, since the protocol itself does not support retransmission.
• uid—User ID of the socket’s creator (on FortiWeb, always 0).
• timeout—Connection timeout.
• inode—Pseudo-file system inode of the process.
• ref, pointer—Pseudo-file system references.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp area. For details, see Permissions on page 46.

Syntax
diagnose network udp list

Example
diagnose network udp list
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops
307: 00000000:00A1 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2498 2 ffff88003acba080 0
447: 00000000:3F2D 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2874 2 ffff88003acbac80 0
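The hexadecimal local_address, rem_address and st fields printed by tcp list and udp list follow the Linux /proc/net/tcp and /proc/net/udp layout. The following Python decoder is an added example, not part of the FortiWeb CLI Reference: it parses records taken from the sample output of both commands (each wrapped record joined onto one line), converts the little-endian hex addresses and ports to dotted form, names the state code, and inventories listening sockets and established peers. All function and constant names are the example's own.

```python
"""Decode socket table lines as printed by `diagnose network tcp list` and
`diagnose network udp list`.  Added example; not part of the FortiWeb CLI
Reference.  The layout matches Linux /proc/net/tcp and /proc/net/udp: the
address is little-endian hex and st is a hexadecimal TCP state code.
"""
import socket
import struct

# Kernel TCP state codes (the page cites 0A, 01 and 06).  Unconnected UDP
# sockets are shown with the TCP_CLOSE code, 07, as in the udp list sample.
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
    0x04: "FIN_WAIT1", 0x05: "FIN_WAIT2", 0x06: "TIME_WAIT",
    0x07: "CLOSE", 0x08: "CLOSE_WAIT", 0x09: "LAST_ACK",
    0x0A: "LISTEN", 0x0B: "CLOSING",
}

# Records copied from the page's sample output, wrapped lines joined.
SAMPLE_TCP = [
    "0: DD01010A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 333597 1 ffff88003b825880 299 0 0 2 -1",
    "4: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2433 1 ffff88003b489280 299 0 0 2 -1",
    "12: 2F7814AC:0016 E17814AC:FEF2 01 00000000:00000000 02:000909FE 00000000 0 0 272209 4 ffff88003bbf2d40 20 3 1 5 -1",
]
SAMPLE_UDP = [
    "307: 00000000:00A1 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2498 2 ffff88003acba080 0",
]


def decode_endpoint(hex_pair):
    """'DD01010A:0050' -> ('10.1.1.221', 80).

    The 32-bit address is stored in host (little-endian) byte order, which is
    why the printed hex reads backwards relative to the dotted form.
    """
    addr_hex, port_hex = hex_pair.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_socket_line(line):
    """Parse one data row (tcp or udp list) into a dict of decoded fields."""
    f = line.split()
    local_ip, local_port = decode_endpoint(f[1])
    rem_ip, rem_port = decode_endpoint(f[2])
    state_code = int(f[3], 16)
    tx_hex, rx_hex = f[4].split(":")
    return {
        "slot": int(f[0].rstrip(":")),
        "local": (local_ip, local_port),
        "remote": (rem_ip, rem_port),
        "state": TCP_STATES.get(state_code, "UNKNOWN_%02X" % state_code),
        "tx_queue": int(tx_hex, 16),
        "rx_queue": int(rx_hex, 16),
        "uid": int(f[7]),
        "inode": int(f[9]),
    }


def listening_sockets(lines):
    """Sorted (ip, port) pairs in LISTEN state: an inventory of what the
    appliance accepts connections on.  0.0.0.0 means every interface."""
    return sorted(
        rec["local"] for rec in map(parse_socket_line, lines)
        if rec["state"] == "LISTEN"
    )


def established_peers(lines):
    """(local, remote) pairs of established connections, useful for spotting
    unexpected management sessions (here SSH, port 22, from 172.20.120.225)."""
    return [
        (rec["local"], rec["remote"])
        for rec in map(parse_socket_line, lines)
        if rec["state"] == "ESTABLISHED"
    ]


if __name__ == "__main__":
    for line in SAMPLE_TCP + SAMPLE_UDP:
        rec = parse_socket_line(line)
        print("%-22s %-22s %s" % ("%s:%d" % rec["local"],
                                  "%s:%d" % rec["remote"], rec["state"]))
```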

Related topics
• network arp on page 716
• network ip on page 717

policy

Use this command to view the process ID, live sessions, and traffic statistics associated with a server policy.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
diagnose policy pserver [list "<policy_name>"]
diagnose policy session [list "<policy_name>"]
diagnose policy traffic [list "<policy_name>"]
diagnose policy period-blockip [list "<policy_name>"]
diagnose policy period-blockip [delete "<policy_name>"]{ipv4 | ipv6}
diagnose policy total-session [list "<session_number>"]
diagnose policy "<policy_name>"

Variable                                      Description                                                              Default
pserver [list "<policy_name>"]                Displays the status of physical servers covered by the policy.           No default.
session [list "<policy_name>"]                Displays IP session information for TCP and UDP connections.             No default.
traffic [list "<policy_name>"]                Displays traffic throughput (bandwidth usage) information.               No default.
period-blockip [list "<policy_name>"]         Displays client IP addresses whose requests are temporarily blocked      No default.
                                              because the client violated a rule in the specified policy with an
                                              Action value of Period Block.
period-blockip [delete "<policy_name>"]       Unblocks the specified client IP address that FortiWeb has blocked       No default.
  {ipv4 | ipv6}                               because it violated a rule in the specified policy with an Action
                                              value of Period Block. (FortiWeb can still block the address because
                                              it violates a rule in a different policy.)
total-session [list "<session_number>"]       Displays the total number of the current connections.                    No default.
"<policy_name>"                               Enter the name of an existing server policy.                             No default.

Example

This example shows the output of the pserver list command. The alive value indicates the status of the server
health check:

Integer   Health check status   Health Check Status icon in Policy Status dashboard
0         Failed                Red
1         Passed                Green
2         Disabled              Grey

diagnose policy pserver list Policy1

policy(Policy1)
server-pool(FortiWeb_server_pool):
total = 1
server[0]
id: 1
ip: 10.20.1.22
port: 80
alive: 2
session: 0
status: 1

Related topics
• server-policy policy on page 140
• network ip on page 717
• debug flow filter on page 691
• system performance on page 790

system endpoint-control

To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax

To check client information such as IP address, MAC address, and FortiClient SN, run:
diagnose system endpoint-control clients

To check EMS tags, run:
diagnose system endpoint-control tags

To check the EMS server connection status, run:
diagnose system endpoint-control test

system flash

Use this command to change the currently active firmware partition or to display partition information stored on the flash
drive.
FortiWeb appliances have 2 partitions that each contain a firmware image: one is the primary and one is the backup. If
the FortiWeb appliance is unable to successfully boot using the primary firmware partition, it may boot using the
alternative firmware partition. The second partition can contain another version of the firmware.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
diagnose system flash default <partition_int>
diagnose system flash list

Variable          Description                                                            Default
<partition_int>   Enter the number of the partition that will be used as the primary     No default.
                  firmware partition during the next reboot or startup. The other
                  partition will become the backup firmware partition.

Example

This example lists the partition settings.
diagnose system flash list

Below is a sample output.

Image#  Version                           TotalSize(KB)  Used(KB)  Use%  Active
1       FV-1KB-4.30-FW-build0521-110120   38733          33125     86%   No
2       FV-1KB-4.30-FW-build0522-110112   38733          33125     86%   Yes
3                                         836612         16980     2%    No

Related topics
• restore image on page 778
• system status on page 791

system ha backup-config

Use this command to export the configuration file of the HA nodes. It only backs up the configurations synchronized
between HA nodes. The most common scenario for using this command is to compare the configuration files between
the HA nodes and check which part of the configuration is not synchronized as expected.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
diagnose system ha backup-config <node-id>


Example
diagnose system ha backup-config 1

system ha confd_status

Use this command to display the HA information.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
diagnose system ha confd_status

Example

The following is an example of the output.

HA information
Model=FortiWeb-1000E 6.37,build1102(GA),200911, Mode=active-active-high-volume
Group=2
HA group member information: is_manage_primary=1.
LocalSN: FV-1KE44179XXXXX confd
member cnt: 2
msg_queue:0 file_queue:0 md5_rep_ignore:0 do_md5sum:14030
FV-1KE4417900091: primary
pending:0 update:0 time:0 sync:0
SYS: 1C5663E93F5FEE916C06CF9F383999CB
CLI: FA6AD08C032E3DB66954E6B33D848CB3
FV-1KE4417900092: secondary
pending:2773937 update:2773937 time:2773937 sync:0
SYS: 1C5663E93F5FEE916C06CF9F383999CB
CLI: FA6AD08C032E3DB66954E6B33D848CB3
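The per-member SYS and CLI checksums are what you compare when checking whether HA nodes are in sync. The following Python checker is an added example, not part of the FortiWeb CLI Reference: it parses the sample output above into per-member checksums and counters and reports any member whose SYS or CLI checksum differs from the primary's. A second input, constructed by overwriting the secondary's CLI checksum with a placeholder, shows what a drifted member looks like. All function names are the example's own.

```python
"""Check HA configuration sync from `diagnose system ha confd_status` output.
Added example; not part of the FortiWeb CLI Reference.
"""
import re

# Sample output from the page: both members carry the same checksums.
SAMPLE_IN_SYNC = """\
HA information
Model=FortiWeb-1000E 6.37,build1102(GA),200911, Mode=active-active-high-volume
Group=2
HA group member information: is_manage_primary=1.
LocalSN: FV-1KE44179XXXXX confd
member cnt: 2
msg_queue:0 file_queue:0 md5_rep_ignore:0 do_md5sum:14030
FV-1KE4417900091: primary
pending:0 update:0 time:0 sync:0
SYS: 1C5663E93F5FEE916C06CF9F383999CB
CLI: FA6AD08C032E3DB66954E6B33D848CB3
FV-1KE4417900092: secondary
pending:2773937 update:2773937 time:2773937 sync:0
SYS: 1C5663E93F5FEE916C06CF9F383999CB
CLI: FA6AD08C032E3DB66954E6B33D848CB3
"""


def _drift(text):
    # Constructed variant: overwrite the LAST CLI checksum (the secondary's)
    # with an all-zero placeholder so the two members disagree.
    head, _, tail = text.rpartition("CLI: ")
    return head + "CLI: " + "0" * 32 + tail[32:]


SAMPLE_DRIFTED = _drift(SAMPLE_IN_SYNC)

MEMBER_RE = re.compile(r"^(\S+): (primary|secondary)$")
HASH_RE = re.compile(r"^(SYS|CLI): ([0-9A-F]{32})$")
COUNTER_RE = re.compile(r"(\w+):(\d+)")


def parse_confd_status(text):
    """Return (mode, members): members maps serial number to a dict with the
    role, SYS/CLI checksums and the pending/update/time/sync counters."""
    mode = None
    members = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.search(r"Mode=(\S+)", line)
        if m and mode is None:
            mode = m.group(1)
            continue
        m = MEMBER_RE.match(line)
        if m:
            current = {"role": m.group(2)}
            members[m.group(1)] = current
            continue
        if current is None:
            continue  # header lines before the first member
        m = HASH_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif line.startswith("pending:"):
            current.update({k: int(v) for k, v in COUNTER_RE.findall(line)})
    return mode, members


def find_unsynced(members):
    """[(serial, field, primary_hash, member_hash)] for every SYS/CLI checksum
    that differs from the primary's.  An empty list means the configs match."""
    primary = next(m for m in members.values() if m["role"] == "primary")
    mismatches = []
    for serial, info in members.items():
        if info["role"] == "primary":
            continue
        for field in ("SYS", "CLI"):
            if info.get(field) != primary.get(field):
                mismatches.append((serial, field, primary.get(field), info.get(field)))
    return mismatches


if __name__ == "__main__":
    for label, text in (("in sync", SAMPLE_IN_SYNC), ("drifted", SAMPLE_DRIFTED)):
        mode, members = parse_confd_status(text)
        print(label, mode, find_unsynced(members) or "all checksums match")
```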

system ha dev-info

Use this command to display the network interface information of the HA nodes, including port name, index number, and MAC addresses.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
diagnose system ha dev-info

Example

The following is an example of the output.

SN: FV-1KE44XXXXXX91
Name Phyindex Mac
port7 3 00:0b:ab:f5:3e:94
port8 4 00:0b:ab:f5:3e:95
port9 5 00:0b:ab:f5:3e:96
port10 6 00:0b:ab:f5:3e:97
port1 7 74:fe:48:20:4f:5f
port2 8 74:fe:48:20:4f:60
port3 9 74:fe:48:20:4f:61
port4 10 74:fe:48:20:4f:62
port5 11 74:fe:48:20:4f:61
port6 12 74:fe:48:20:4f:62
mgmt1 13 74:fe:48:20:4f:65
mgmt2 14 74:fe:48:20:4f:66
port11 18 00:0b:ab:f5:4f:72
port12 19 00:0b:ab:f5:4f:73
SN: FV-1KE44XXXXXX92
Name Phyindex Mac
port7 3 00:0b:ab:f5:3e:2c
port8 4 00:0b:ab:f5:3e:2d
port9 5 00:0b:ab:f5:3e:2e
port10 6 00:0b:ab:f5:3e:2f
port1 7 74:fe:48:20:38:8c
port2 8 74:fe:48:20:38:8d
port3 9 74:fe:48:20:38:8e
port4 10 74:fe:48:20:38:8f
port5 11 74:fe:48:20:38:8e
port6 12 74:fe:48:20:38:8f
mgmt1 13 74:fe:48:20:38:92
mgmt2 14 74:fe:48:20:38:93
port11 18 00:0b:ab:f5:50:ca
port12 19 00:0b:ab:f5:50:cb

system ha export-eventlog

Use this command to export event logs of the secondary node in the HA cluster. This command should be run on the
primary node.
To download the logs, first run the following command to enable file upload:
config system settings
set enable-file-upload enable
end

Then, go to System > Maintenance > Backup&Restore to download the logs.

Syntax
diagnose system ha export-eventlog <node-index> <start-time> <end-time>


Example
diagnose system ha export-eventlog 2 29/12/2019:00:00:00 31/12/2019:00:00:00

system ha file-log

Use this command to manage the HA event logs.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
diagnose system ha file-log {clear | disable | enable | show | status}

enable    Enable the system to generate the HA event log and store it in var/log/gui_upload/ha_event_log.
disable   Disable generating HA event logs.
clear     Clear the HA log files in var/log/gui_upload/ha_event_log.
show      Display HA event logs in the console.
status    Show the status of the HA event log, whether it is enabled or not.

system ha file-stat

Use this command to display the current status of FortiGuard subscription services files and the MD5 checksum for
system and configuration files.

Syntax
diagnose system ha file-stat

Example

Below is a sample output.

FortiWeb Security Service:
2021-01-03
Last Update Time: 2017-02-17 Method: Scheduled
Signature Build Number-0.00177
FortiWeb Antivirus Service:
2021-01-03
Last Update Time: 2017-02-17 Method: Scheduled
Regular Virus Database Version-42.00885
Extended Virus Database Version-42.00814
FortiWeb IP Reputation Service:
2021-01-03
Last Update Time: 2017-02-17 Method: Scheduled
Signature Build Number-3.00315
System files MD5SUM: 5660BD9FA1F6C86E8A31B2A139045F17
CLI files MD5SUM: 71BF206315679018536D9E19B37CBEAE

Related topics
• ha disconnect on page 763
• ha manage on page 764
• system ha status on page 740
• system status on page 791

system ha interface-macinfo

Use this command to display the virtual MAC addresses of the HA node.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
diagnose system ha interface-macinfo

Example

Below is a sample output.

mgmt1 origin mac 74:fe:48:20:4f:65
mgmt2 origin mac 74:fe:48:20:4f:66
port1 origin mac 74:fe:48:20:4f:5f
port2 origin mac 74:fe:48:20:4f:60
port3 origin mac 74:fe:48:20:4f:61
port4 origin mac 74:fe:48:20:4f:62
port5 origin mac 74:fe:48:20:4f:61
port6 origin mac 74:fe:48:20:4f:62
port7 origin mac 0:b:ab:f5:3e:94
port8 origin mac 0:b:ab:f5:3e:95
port9 origin mac 0:b:ab:f5:3e:96
port10 origin mac 0:b:ab:f5:3e:97
port11 origin mac 0:b:ab:f5:4f:72
port12 origin mac 0:b:ab:f5:4f:73

Related topics
• system ha mac on page 737
• ha manage on page 764
• system ha status on page 740
• system status on page 791

system ha mac

Use this command to display the virtual MAC addresses and link statuses of each network interface of appliances in the
HA group.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
diagnose system ha mac

Example

This example indicates that the links are “up” (linkfail=0) for port1 and port3 on the currently active appliance in the
HA pair. While operating in HA, the network interfaces are using a Layer 1 data link (MAC) address that begins with the
hexadecimal string 00:09:0F:09:00:.
diagnose system ha mac

Below is a sample output.

HA mac msg
name=port1, phyindex=0, 00:09:0F:09:00:01, linkfail=0
name=port2, phyindex=1, 00:09:0F:09:00:02, linkfail=1
name=port3, phyindex=2, 00:09:0F:09:00:03, linkfail=0
name=port4, phyindex=3, 00:09:0F:09:00:04, linkfail=1

Related topics
• ha disconnect on page 763
• ha manage on page 764
• system ha status on page 740
• system status on page 791
• system ha on page 287

system ha md5fixed

This command interferes with the functioning of HA features. Do not use this command unless you are instructed to by
FortiWeb's support engineers or developers.

system ha md5sum-gen

This command interferes with the functioning of HA features. Do not use this command unless you are instructed to by
FortiWeb's support engineers or developers.

system ha nodes

Use this command to display the HA node information.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
diagnose system ha nodes

Example

Below is a sample output.

SN                Local  Used  State  Count
FV-1KE44XXXXXX91  1      1     0      3
FV-1KE44XXXXXX92  0      1     0      2

system ha sessions_stat

Use this command to display the HA session status.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
diagnose system ha sessions_stat

Example

Below is a sample output.

count: 0
searched: 0
new: 0
new_expect: 0
new_fail: 0
new_cancel: 0
new_unknown: 0
confirmed: 0
confirmed_fail: 0
select: 0
select_fail: 0
tuple_fail: 0
nat_request: 0
nat_done: 0
expectation: 0
sync_tx: 0
sync_tx_full: 0
sync_tx_schedule: 0
sync_tx_error: 0


system ha status

Use this command to display the HA group ID, as well as the serial number, role (active or standby), and device priority
of each appliance belonging to the HA cluster.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
diagnose system ha status

Example

This example lists the HA group ID, serial numbers, and device priorities.
diagnose system ha status

Below is a sample output.

HA information
Model=FV-1KD-5.30-FW-build0431, Mode=a-p Group=2
HA group member information: is_manage_primary=1.
FV-1KD3A13800012, primary, 4, 0, 196417
FV-1KD3A13800091, secondary, 6, 0, 185787

In this example, in the line for FV-1KD3A13800012, 4 is the priority of the appliance and 0 is the number of ports
that are down.
If the priority or ports-down value is 100, that parameter is “invalid”, for example because the appliance has not yet
joined the HA cluster.

Related topics
• ha disconnect on page 763
• ha manage on page 764
• system ha status on page 740
• system status on page 791

system ha sync-config

Use this command to display or change the enable/disable status of HA synchronization.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax

Use the following command to show whether HA synchronization is enabled or not.
diagnose system ha sync-config get-status

Use the following command to enable or disable HA synchronization.
diagnose system ha sync-config set-status {enable | disable}

system ha sync-stat

Use this command to display the status of the high availability (HA) synchronization process.

Syntax
diagnose system ha sync-stat

Status         Description
INIT           Initiation. The last synchronization completed and the system is ready and waiting for the next
               synchronization.
SENDING        Synchronization is in process; data is being sent.
SUCCESS        Data was sent successfully; synchronization is complete.
SEND_TIMEOUT   Data sending timed out; synchronization is incomplete.

Example

This example lists the HA synchronization status.
diagnose system ha sync-stat

Below is a sample output.

Image INIT
Config INIT
System INIT
CLI INIT
Signature SUCCESS
GeoDB SUCCESS
AV SUCCESS
IpReputation SUCCESS
HarvestCredentials SUCCESS

Related topics
• ha disconnect on page 763
• ha manage on page 764
• system ha status on page 740
• system status on page 791

system ha traffic-distribution

Use this command to display the traffic distribution information of the HA group.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
diagnose system ha traffic-distribution

Example

Below is a sample output.

Traffic group information:
Name :Auto_Cluster_Group_1
Work Sn:FV-1KE4417900091
Vip List:name index ip4 ip6
FortiWeb_Vserver_Vip1 10.51.1.240/16 10:51::1:240/64

Node List:id sn
1 FV-1KE4417900091
2 FV-1KE4417900092

Name :Auto_Cluster_Group_2
Work Sn:FV-1KE4417900091
Vip List:name index ip4 ip6
FortiWeb_Vserver_Vip22 10.51.1.241/16 10:51::1:241/64

Node List:id sn
1 FV-1KE4417900091
2 FV-1KE4417900092

system jeprof

If the jemalloc profile is activated and the memory usage exceeds the configured threshold, the heap file is generated
in the directory /var/log/gui_upload.
You can use this command to parse the heap file with the jeprof tool. At most 10 heap files are kept on the device.

Syntax
diagnose system jeprof

Related commands

To activate or deactivate the jemalloc profile:
diagnose system kill 43 <pid_of_proxyd>

To check the generated heap file:
diagnose debug jemalloc-heap show

To clear the generated heap file:
diagnose debug jemalloc-heap clear

system kill

Use this command to terminate a process currently running on FortiWeb, or send another signal from the FortiWeb OS to
the process.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
diagnose system kill <signal_int> <pid_int>

Variable       Description                                                                        Default
<signal_int>   Enter the ID of the signal to send to the process. This is an integer between      No default.
               1 and 32. Some common signals are:
               • 1—Varies by the process’s interpretation, such as re-read configuration files
                 or re-initialize (hang up; SIGHUP). For example, the FortiWeb web UI verifies
                 its configuration files, then restarts gracefully.
               • 2—Request termination by simulating the pressing of the interrupt keys, such
                 as Ctrl + C (interrupt; SIGINT).
               • 3—Force termination immediately and do a core dump (quit; SIGQUIT).
               • 9—Force termination immediately (kill; SIGKILL).
               • 15—Request termination by inter-process communication (terminate; SIGTERM).
               • 43—Request to activate or deactivate the jemalloc profile. If you run it for
                 the first time, the jemalloc profile is activated. Running the same command
                 again deactivates the jemalloc profile. The following <pid_int> should be
                 the PID of proxyd. Because the jemalloc profile has a big impact on system
                 performance, it's recommended to deactivate it after jemalloc profile
                 debugging.
<pid_int>      Enter the process ID that the signal is sent to. To list all current process       No default.
               IDs, use system top on page 745.

Related topics
• system top on page 745
• hardware cpu on page 706
• hardware mem on page 709
• system performance on page 790

system mount

Use this command to display a list of mounted file systems, including their available disk space, disk usage, and mount
locations.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
diagnose system mount list


Example
diagnose system mount list

Output from a FortiWeb 3000D:


Filesystem 1M-blocks Used Available Use% Mounted on
/dev/ram0 97 87 10 89% /
none 4823 0 4823 0% /tmp
none 16077 0 16077 0% /dev/shm
/dev/sdb1 189 45 134 25% /data
/dev/sdb3 961 17 895 1% /home
/dev/sda1 1877275 271 1781644 0% /var/log

Related topics
• hardware logdisk info on page 709
• hardware raid list on page 713

system top

Use this command to view a list of the most system-intensive processes and to change the refresh rate.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
diagnose system top [<delay_int> [<max-lines>]]

Variable      Description                                              Default
<delay_int>   Enter the process list refresh interval in seconds.      5
<max-lines>   Set the maximum number of top processes to display.      All processes are shown.

Once you execute this command, it continues to run and display in the CLI window until you enter q (quit).
While the command is running, you can press Shift + P to sort the five columns of data by CPU usage (the default) or
Shift + M to sort by memory usage.

Example

This example displays a list of the top FortiWeb processes and sets the update interval at 10 seconds.
diagnose system top 10

Below is a sample output.

Run Time: 0 days, 0 hours and 48 minutes
0U, 0S, 100I; 1002T, 496F
xmlproxy 152 S 1.3 4.7
updated 54 S 0.1 0.3
monitord 57 S 0.1 0.3
sys_monito 58 S 0.1 0.3
xmlproxy 56 S 0.0 8.2
alertmail 76 S 0.0 4.6
cli 396 S 0.0 1.2
cli 301 S 0.0 1.2
cmdbsvr 43 S 0.0 1.0
httpsd 147 S 0.0 1.0
cli 403 R 0.0 0.9
data_analy 60 S 0.0 0.6
httpsd 308 S 0.0 0.6
cli 379 S 0.0 0.5
hasync 63 S 0.0 0.4
hatalk 62 S 0.0 0.4
synconf 64 S 0.0 0.4
al_daemon 59 S 0.0 0.3
miglogd 53 S 0.0 0.3

The first line indicates the up time. The second line lists the processor and memory usage, where the parameters from
left to right mean:
• U—Percent of user CPU usage (in this case 0%)
• S—Percent of system CPU usage (in this case 0%)
• I—Percentage of CPU idle (in this case 100%)
• T—Total memory in kilobytes (in this case 2008 KB)
• F—Available memory in kilobytes (in this case 445 KB)
The five columns of data provide the process name (such as updated), the process ID (pid), the running status, the
CPU usage, and the memory usage. The status values are:
• S—Sleeping (idle)
• R—Running
• Z—Zombie (crashed)
• <—High priority
• N—Low priority
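The following Python parser is an added example, not part of the FortiWeb CLI Reference: it reads the summary line (U/S/I CPU percentages, T/F memory in KB) and the five process columns described above from the page's sample output, with one constructed zombie row appended, and then reports free memory, zombie processes and the top consumers. All names in it are the example's own.

```python
"""Parse `diagnose system top` output.  Added example; not part of the
FortiWeb CLI Reference.
"""
import re

# Sample output from the page (a few process rows) plus one constructed
# zombie row, "testd 999 Z", to exercise the zombie check.
SAMPLE_TOP = """\
Run Time: 0 days, 0 hours and 48 minutes
0U, 0S, 100I; 1002T, 496F
xmlproxy 152 S 1.3 4.7
updated 54 S 0.1 0.3
monitord 57 S 0.1 0.3
xmlproxy 56 S 0.0 8.2
alertmail 76 S 0.0 4.6
cli 403 R 0.0 0.9
httpsd 147 S 0.0 1.0
testd 999 Z 0.0 0.0
"""

# "0U, 0S, 100I; 1002T, 496F": user, system, idle percent; total, free KB.
SUMMARY_RE = re.compile(r"(\d+)U, (\d+)S, (\d+)I; (\d+)T, (\d+)F")
# name pid status cpu mem, status being one of the codes the page lists.
PROC_RE = re.compile(r"^(\S+)\s+(\d+)\s+([SRZ<N])\s+([\d.]+)\s+([\d.]+)$")

STATUS_NAMES = {"S": "sleeping", "R": "running", "Z": "zombie",
                "<": "high priority", "N": "low priority"}


def parse_top(text):
    """Return (summary, processes).  summary holds the CPU percentages and
    memory figures; processes is a list of dicts in output order."""
    summary = None
    procs = []
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            u, s, i, t, f = map(int, m.groups())
            summary = {"user": u, "system": s, "idle": i,
                       "total_kb": t, "free_kb": f}
            continue
        m = PROC_RE.match(line.strip())
        if m:
            name, pid, status, cpu, mem = m.groups()
            procs.append({"name": name, "pid": int(pid), "status": status,
                          "cpu": float(cpu), "mem": float(mem)})
    if summary is None:
        raise ValueError("no CPU/memory summary line found")
    return summary, procs


def memory_free_percent(summary):
    """Free memory as a percentage of total, rounded to one decimal."""
    return round(100.0 * summary["free_kb"] / summary["total_kb"], 1)


def zombies(procs):
    """(name, pid) of crashed (Z) processes, which warrant investigation."""
    return [(p["name"], p["pid"]) for p in procs if p["status"] == "Z"]


def top_consumers(procs, key="cpu", n=3):
    """The n processes using the most CPU (default) or memory (key='mem')."""
    ranked = sorted(procs, key=lambda p: p[key], reverse=True)
    return [(p["name"], p["pid"], p[key]) for p in ranked[:n]]


if __name__ == "__main__":
    summary, procs = parse_top(SAMPLE_TOP)
    print("free memory: %.1f%%" % memory_free_percent(summary))
    print("zombies:", zombies(procs))
    print("top by memory:", top_consumers(procs, "mem"))
```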

Related topics
• system kill on page 743
• hardware cpu on page 706
• hardware mem on page 709
• system performance on page 790


system update info

Use this command to display recent error messages and the following information about FortiGuard signatures, IP lists,
and engine packages and the geography-to-IP mapping database:
l Current version
l Time of last update
l Next scheduled update time
l Previous version history

Syntax
diagnose system update info

Example

FortiWeb signature
----------
Version: 0.00146
Expiry Date: Thu Jan 01 1970
Last Update Date: Sat Dec 05 11:00:46 2015
Next Update Date: Wed Jan 13 11:00:00 2016

Historical versions
----------
0.00146
0.00144
0.00144
0.00144
0.00139

FortiWeb GEODB
----------
Version: GEO-533LITE 20141104
Expiry Date: N/A
Last Update Date: Tue Dec 01 10:53:35 2015
Next Update Date: N/A
Historical versions
----------
GEO-533LITE 20141007
N/A

Regular Antivirus
----------
Version: 30.00946
Expiry Date: Thu Mar 13 2014
Last Update Date: Sat Dec 05 11:03:30 2015
Next Update Date: Wed Jan 13 11:00:00 2016
Historical versions
----------
30.00859
30.00785
30.00698
29.00326
29.00302
29.00279
29.00256
14.00922

Extended Antivirus
----------
Version: 30.00871
Expiry Date: Thu Mar 13 2014
Last Update Date: Sat Dec 05 11:03:30 2015
Next Update Date: Wed Jan 13 11:00:00 2016

Historical versions
----------
30.00708
30.00540
29.00219
14.00922


IP Reputation
----------
Version: 2.00649
Expiry Date: Thu Jan 01 1970
Last Update Date: Sat Dec 05 11:00:46 2015
Next Update Date: Wed Jan 13 11:00:00 2016

Historical versions
----------
2.00642
2.00635
2.00628
2.00596
2.00594
2.00592
2.00590
1.00020

Latest errors
----------
Wed Jan 13 10:04:02 2016 Failed to establish connection with 192.168.100.205:443 when install anti-virus packages.
Wed Jan 13 10:03:02 2016 Failed to establish connection with 192.168.100.205:443 when install essential packages.
Wed Jan 13 10:02:00 2016 Failed to establish connection with 192.168.100.205:443 when install anti-virus packages.
Wed Jan 13 10:01:00 2016 Failed to establish connection with 192.168.100.205:443 when install essential packages.
Wed Jan 13 09:04:06 2016 Failed to establish connection with 192.168.100.205:443 when install anti-virus packages.
Wed Jan 13 09:03:06 2016 Failed to establish connection with 192.168.100.205:443 when install essential packages.
Wed Jan 13 09:02:04 2016 Failed to establish connection with 192.168.100.205:443 when install anti-virus packages.
Wed Jan 13 09:01:04 2016 Failed to establish connection with 192.168.100.205:443 when install essential packages.
Wed Jan 13 08:04:07 2016 Failed to establish connection with 192.168.100.205:443 when install anti-virus packages.
Wed Jan 13 08:03:07 2016 Failed to establish connection with 192.168.100.205:443 when install essential packages.


test application

Use this command to check whether an IP address is in the irdb (IP reputation database) and geodb (geography-to-IP) databases.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see Permissions on page 46.

Syntax
diagnose test application irdb <IP_address>
diagnose test application geodb <IP_address>


execute

The execute command has an immediate and decisive effect on your FortiWeb appliance and, for that reason, should
be used with care. Unlike config commands, most execute commands do not result in any configuration change.

backup cert-config

Use this command to back up certificates of a FortiWeb appliance to a TFTP server.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
execute backup cert-config tftp <filename_str> <tftp_ipv4> [<password_str>]

Variable           Description                                                                   Default
<filename_str>     Enter the name of the file to be used for the backup file, such as            No default.
                   FortiWeb_backup.zip.
<tftp_ipv4>        Enter the IP address of the TFTP server.                                      No default.
[<password_str>]   Enter a password to be used when decompressing the backup file.               No default.
                   Caution: Remember the password or keep it in a secure location. You will be
                   required to enter the same password when restoring an encrypted backup file.
                   If you forget or lose the password, you won't be able to use that encrypted
                   backup file.

Example

This example backs up certificates of the FortiWeb appliance on a TFTP server at IP address 192.0.2.23. The file is
encrypted with the password P@ssword1.
execute backup cert-config tftp FortiWeb_backup.zip 192.0.2.23 P@ssword1

Related topics
• backup cli-config on page 752
• backup full-config on page 753
• system backup on page 225

backup cli-config

Use this command to manually back up the configuration file to a TFTP server.

This method does not include uploaded files such as:
• Error pages
• WSDL files
• W3C Schema
• Vulnerability scan settings
If your configuration has these files, use either a full TFTP or FTP/SFTP backup instead. For details, see backup
full-config on page 753 or system backup on page 225.
This command also does not include settings that remain at their default values for the currently installed version of
the firmware. If you require a backup that includes those settings, instead use backup full-config on page 753.

Alternatively, you can back up the configuration to an FTP or SFTP server. For details, see system backup on page 225.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
execute backup cli-config tftp <filename_str> <tftp_ipv4> [<password_str>]

Variable           Description                                                                  Default
<filename_str>     Enter the name of the file to be used for the backup file, such as           No default.
                   FortiWeb_backup.conf.
<tftp_ipv4>        Enter the IP address of the TFTP server.                                     No default.
[<password_str>]   Enter a password to be used when encrypting the backup file to a .zip        No default.
                   extension file. If you don't provide a password, the backup file will be
                   stored as a clear file with a .zip extension.
                   Caution: Remember the password or keep it in a secure location. You will
                   be required to enter the same password when restoring an encrypted backup
                   file. If you forget or lose the password, you won't be able to use that
                   encrypted backup file.


Example

This example uploads the FortiWeb appliance’s system configuration to a file named fweb.zip on a TFTP server at IP
address 192.0.2.23. The file will not be password-encrypted.
execute backup cli-config tftp fweb.zip 192.0.2.23

Related topics

- backup full-config on page 753
- restore config on page 777
- system backup on page 225

backup full-config

Use this command to manually back up the entire configuration file, including those settings that remain at their default
values, to a TFTP server.

We strongly recommend that you password-encrypt this backup and store it in a secure location. This backup method
includes sensitive data such as your HTTPS certificates’ private keys. Unauthorized access to private keys
compromises the security of all HTTPS requests using those certificates.

Alternatively, you can back up the configuration to an FTP or SFTP server. For details, see system backup on page 225.
Including settings that remain at their default values increases the file size of the backup, but may be useful in some
cases, such as when you want to compare the default settings with settings that you have configured.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
execute backup full-config tftp <filename_str> <tftp_ipv4> [<password_str>]

Variable Description Default

<filename_str>
    Enter the name of the file to be used for the backup file, such as FortiWeb_backup.conf.
    Default: No default.

<tftp_ipv4>
    Enter the IP address of the TFTP server.
    Default: No default.

[<password_str>]
    Enter a password to be used when encrypting the backup file to a .zip extension file.
    If you don't provide a password, the backup file will be stored as a clear file with a .zip extension.
    Caution: Remember the password or keep it in a secure location. You will be required to enter the same password when restoring an encrypted backup file. If you forget or lose the password, you will not be able to use that encrypted backup file.
    Default: No default.

Example

This example uploads the FortiWeb appliance’s entire configuration, including uploaded error page and HTTPS
certificate files, to a file named fweb.zip on a TFTP server at IP address 192.0.2.23. The file is encrypted with the
password P@ssword1.
execute backup full-config tftp fweb.zip 192.0.2.23 P@ssword1

Related topics

- backup cli-config on page 752
- system backup on page 225

backup full-config-with-ML-data

Use this command to manually back up the entire configuration file with machine learning data, including those settings
that remain at their default values, to a TFTP server.

We strongly recommend that you password-encrypt this backup and store it in a secure location. This backup method
includes sensitive data such as your HTTPS certificates’ private keys. Unauthorized access to private keys
compromises the security of all HTTPS requests using those certificates.

Alternatively, you can back up the configuration to an FTP or SFTP server. For details, see system backup on page 225.
Including settings that remain at their default values increases the file size of the backup, but may be useful in some
cases, such as when you want to compare the default settings with settings that you have configured.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
execute backup full-config-with-ML-data tftp <filename_str> <tftp_ipv4> [<password_str>]

Variable Description Default

<filename_str>
    Enter the name of the file to be used for the backup file, such as FortiWeb_backup.conf.
    Default: No default.

<tftp_ipv4>
    Enter the IP address of the TFTP server.
    Default: No default.

[<password_str>]
    Enter a password to be used when encrypting the backup file to a .zip extension file.
    If you don't provide a password, the backup file will be stored as a clear file with a .zip extension.
    Caution: Remember the password or keep it in a secure location. You will be required to enter the same password when restoring an encrypted backup file. If you forget or lose the password, you will not be able to use that encrypted backup file.
    Default: No default.

Example

This example uploads the FortiWeb appliance’s entire configuration with machine learning data, including uploaded
error page and HTTPS certificate files, to a file named fweb.zip on a TFTP server at IP address 192.0.2.23. The file
is encrypted with the password P@ssword1.
execute backup full-config-with-ML-data tftp fweb.zip 192.0.2.23 P@ssword1

Related topics

- backup full-config on page 753
- backup cli-config on page 752
- system backup on page 225

backup web-protection-profile

Use this command to back up web protection profiles of a FortiWeb appliance to a TFTP server.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
execute backup web-protection-profile <filename_str> <tftp_ipv4> [<password_str>]

Variable Description Default

<filename_str>
    Enter the name of the backup file, such as config.zip.
    Default: No default.

<tftp_ipv4>
    Enter the IP address of the TFTP server.
    Default: No default.

[<password_str>]
    Enter a password to be used when encrypting the backup .zip extension file. This is optional.
    If you don't provide a password, the backup file will be stored as a clear file with a .zip extension.
    Caution: Remember the password or keep it in a secure location. You will be required to enter the same password when restoring an encrypted backup file. If you forget or lose the password, you won't be able to use that encrypted backup file.
    Default: No default.

Example

This example backs up web protection profiles of the FortiWeb appliance on a TFTP server at IP address 192.0.2.23.
The file is encrypted with the password P@ssword1.
execute backup web-protection-profile tftp config.zip 192.0.2.23 P@ssword1

Related topics

- system backup on page 225

batch

Use this command to execute commands in a group. If a command in the group fails or an operation cannot be
completed, every command in the group can be rolled back, whether they were successful or not.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
execute batch start
execute batch status
execute batch lastlog
execute batch recover
execute batch end

Variable Description Default

start
    Enter to initiate batch mode. Every subsequent command will be grouped until you enter the execute batch end command.
    Default: No default.

status
    Enter to determine whether batch mode is running. If batch mode is running, you will see this message:
    Batch mode is running...
    If batch mode is not running, you will see this message:
    Batch mode is stopped...
    Default: No default.

lastlog
    Enter to view the executed commands in the current batch mode.
    Default: No default.

recover
    Enter to roll back every command that has been executed in the current batch mode.
    Default: No default.

end
    Enter to turn off batch mode.
    Default: No default.

create-raid level

Use this command to initialize the RAID.

Currently, only RAID level 1 is supported, and only on FortiWeb 1000B/C/D/E, 2000E, 3000C/CFsx, 3000E, and 4000E
shipped with FortiWeb 4.0 MR1 or later.
On older appliances that have been upgraded to FortiWeb 4.0 MR1, RAID cannot be activated.

Back up any data before initializing the array.

Back up the data regularly. RAID is not a substitute for regular backups. RAID 1 (mirroring) is designed to improve
hardware fault tolerance, but cannot negate all risks.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
execute create-raid level {raid1}

Variable Description Default

level {raid1}
    Enter the RAID level. Currently, only RAID level 1 is supported.
    Default: raid1


Related topics

- system raid on page 328
- hardware raid list on page 713
- create-raid rebuild on page 758

create-raid rebuild

Use this command to rebuild the RAID.

Currently, only RAID level 1 is supported, and only on FortiWeb-1000B, 1000C, 3000C/CFsx, 3000E, and 4000E
shipped with FortiWeb 4.0 MR1 or later.
On older appliances that have been upgraded to FortiWeb 4.0 MR1, RAID cannot be activated.

Back up the data regularly. RAID is not a substitute for regular backups. RAID 1 (mirroring) is designed to improve
hardware fault tolerance, but cannot negate all risks.
Rebuilding the array due to disk failure may result in some loss of packet log data.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
execute create-raid rebuild

Example

This example rebuilds the RAID array.


execute create-raid rebuild

The CLI displays the following:


This operation will clear all data on disk :0!
Do you want to continue? (y/n)

After you enter y (yes), the CLI displays additional messages.

Related topics

- system raid on page 328
- hardware raid list on page 713


date

Use this command to display or set the system date.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
execute date <date_str>

Variable Description Default

date <date_str>
    Enter the current date for the FortiWeb appliance’s time zone, using the format yyyy-mm-dd, where:
    - yyyy is the year. Valid years are 2001 to 2037.
    - mm is the month. Valid months are 01 to 12.
    - dd is the day of the month. Valid days are 01 to 31.
    If you do not specify a date, the command returns the current system date. Shortened values, such as 06 instead of 2006 for the year or 1 instead of 01 for the month or day, are not valid.
    Default: No default.

Example

This example sets the date to September 23, 2017:


execute date 2017-09-23

Related topics

- time on page 785

db rebuild

Use this command to clean and rebuild the FortiWeb appliance’s database for disklog. Note that in HA mode, running
execute db rebuild on the master appliance takes effect on all slaves simultaneously.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

In some cases, the database rebuild can take a long time to complete, depending on how many logs the system has.
While the database is rebuilding, newly generated logs are not yet written to the database, so they are not immediately
available in the GUI. All logs are still saved in log files; no logs are lost.


Syntax
execute db rebuild

Related topics

- formatlogdisk on page 763
- debug upload on page 703

dnscache-cleanup

Use this command to clean up all the DNS proxy cache information.

Syntax
execute dnscache-cleanup
This operation will clean up all the dnsproxy cache information!
Do you want to continue? (y/n)

erase-disk

Use this command to erase the hard disk or flash memory.


This command requires a console connection to the appliance and is available only when Federal Information
Processing Standards (FIPS) and Common Criteria (CC) compliant mode is enabled. For details, see system fips-cc on
page 266.

Syntax
execute erase-disk {flash | disk} [<erase-times>]

Variable Description Default

{flash | disk}
    Specify whether to erase the flash memory or the hard disk.
    Default: No default.

<erase-times>
    Enter the number of times to overwrite the specified memory with random data.
    The valid range is 1–35.
    Default: 1


factoryreset

Use this command to reset the FortiWeb appliance to its default settings for the currently installed firmware version. If
you have not upgraded or downgraded the firmware, this restores factory default settings.

Back up your configuration first. This command resets all changes that you have
made to the FortiWeb appliance’s configuration file and reverts the system to the
default values for the firmware version. Depending on the firmware version, this
could include factory default settings for the IP addresses of network interfaces. For
details about creating a backup, see backup cli-config on page 752.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
execute factoryreset

Related topics

- backup cli-config on page 752
- backup full-config on page 753
- restore config on page 777

fctems

Use this command to verify or unverify the EMS server, or show the verification status.

Syntax

To verify the certificate of an EMS server, run:

execute fctems verify <ems_name>

To disconnect from an EMS server, run:

execute fctems unverify <ems_name>

To check whether an EMS server is verified, run:

execute fctems is-verified <ems_name>


Related topics

- system endpoint-control on page 258
- fctems on page 761
- server-policy ztna-profile on page 201
- server-policy ztna-rule on page 203

fdnserver delete

Use this command to delete all FDS servers. FortiWeb will update the FDS servers during the next update.

Syntax
execute fdnserver delete

Related topics

- fdnserver show on page 762

fdnserver show

Use this command to show the list of all current FDS servers.

Syntax
execute fdnserver show

Example
execute fdnserver show
SerialNumber=FPT-FDS-DELL0002|Address=173.243.138.80:443|FDNListener=173.243.138.80:8889|TimeZone=9
SerialNumber=FPT-FDS-DELL0004|Address=173.243.138.66:443|FDNListener=173.243.138.66:8889|TimeZone=-8

Related topics

- fdnserver delete on page 762


formatlogdisk

Use this command to clear the logs from the FortiWeb appliance’s hard disk and reformat the disk.

- This operation deletes all locally stored log files.
- The system will reboot after this command is executed.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.
When you execute this command, the FortiWeb appliance displays the following message:
This operation will clear all data on the log disk and take a few minutes according to
the disk size!!
Do you want to continue? (y/n)

Syntax
execute formatlogdisk

Related topics

- db rebuild on page 759

ha disconnect

Use this command to manually force a FortiWeb appliance to leave the HA group, without unplugging any cables. This
can be useful, for example, if you need to remove a standby appliance from the HA cluster in order to configure it for
standalone operation, and want to do so without disrupting traffic, and without unplugging cables.
Behavior varies by which appliance you eject:
- Active—Failover occurs. The standby remains as a member of the HA group, and will elect itself as the new active
appliance, assuming all of the HA cluster’s configured IP addresses and traffic processing duties.
- Standby—No failover occurs. The active appliance remains actively processing traffic.
To ensure that you can re-connect to the ejected appliance’s GUI or CLI via a remote network connection (not only via its
local console), this command requires that you specify an IP address and port name that will become its new
management interface. By default, it will be accessible via HTTP, HTTPS, SSH, and telnet.
All other network interfaces on the ejected appliance will be brought down and reset to 0.0.0.0/0.0.0.0. To configure
them, you must connect to the ejected appliance’s GUI or CLI.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.


Syntax
execute ha disconnect <serial-number_str> <interface_name> <interface_ipv4mask/ipv6mask>

Variable Description Default

disconnect <serial-number_str>
    Enter the serial number of the FortiWeb appliance that you want to disconnect from the cluster.
    To display the serial number of each appliance in the HA group, enter:
    execute ha disconnect ?
    Default: No default.

<interface_name>
    Enter the name of the network interface, such as port1, that will be configured as the ejected appliance’s management interface.
    Default: No default.

<interface_ipv4mask/ipv6mask>
    Enter the IP address and netmask that will be configured as the ejected appliance’s management interface.
    Default: No default.

Example

This example ejects the standby appliance whose serial number is FV-1KC3R11111111, assigning its port1 to be the
web UI interface, reachable at 192.0.2.123.
execute ha disconnect FV-1KC3R11111111 port1 192.0.2.123/24 192::2:123/64

After the command completes, to reconfigure the ejected appliance, you could then use either a web browser or SSH
client to connect to 192.0.2.123 in order to reconfigure it for standalone operation.

Related topics

- ha disconnect on page 763
- ha manage on page 764
- ha md5sum on page 765
- system ha status on page 740
- system ha mac on page 737
- system status on page 791

ha manage

Use this command to log in to another appliance in the HA group via the HA link. In most cases, you log into a standby
appliance (also called the secondary) from the main (primary) appliance, but you can also use a standby appliance to
access the main appliance.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
execute ha manage <cluster-index>

Variable Description Default

<cluster-index>
    Enter an index value that the FortiWeb HA feature assigns to a cluster member based on its serial number.
    The cluster member with the highest serial number has a cluster index of 0, the one with the second-highest serial number has a cluster index of 1, and so on.
    To display the index numbers of the cluster members, enter:
    execute ha manage ?
    Default: No default.

Example

In this example, you are logged in to the main appliance.


execute ha manage ?
<id> please input peer box index.
<2> Subsidary unit FV-1KD3A12345678
<3> Subsidary unit FV-1KD3A11345678

The cluster index and serial number of the appliance you are currently logged in to is not displayed.
Enter 3 to connect to the standby appliance with serial number FV-1KD3A11345678. The CLI prompt changes to the
host name of this unit and the login prompt is displayed.
To return to the primary unit, enter exit.

Related topics

- ha disconnect on page 763
- ha md5sum on page 765
- ha synchronize on page 766
- system ha status on page 740
- system ha mac on page 737

ha md5sum

Use this command to retrieve the CLI system configuration MD5 from the appliances in an HA cluster.
This information allows you to confirm whether the HA configuration is synchronized.


Syntax
execute ha md5sum

Example

Below is a sample output.


FortiWeb # execute ha md5sum
FV-1KD3A15800048<Primary>
SYS: A4BA318B0762E202B4CAE44173F08CB5
CLI: 408268C68309651DC4C9D8C094B1EF0F
FV-1KD3A14800059<Secondary>
SYS: A4BA318B0762E202B4CAE44173F08CB5
CLI: 408268C68309651DC4C9D8C094B1EF0F

Related topics

- ha disconnect on page 763
- ha manage on page 764
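Comparing the digests by eye works for two members but not for a scheduled check. The following is an added example, not part of the FortiWeb CLI Reference or any Fortinet tool: it parses output in the format shown above (a serial/role line per member, followed by SYS: and CLI: MD5 lines) and reports every member whose digests differ from the primary's. The sample output is constructed; the secondary's CLI digest has been altered to show what an unsynchronized cluster looks like.

```python
"""Detect HA configuration drift from `execute ha md5sum` output.

Added example, not part of the FortiWeb CLI Reference or Fortinet's own
tooling. The output format it parses is the one shown on the page; the
sample below is constructed, with the secondary's CLI digest altered.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the page's output format.
SAMPLE_OUTPUT = """\
FortiWeb # execute ha md5sum
FV-1KD3A15800048<Primary>
SYS: A4BA318B0762E202B4CAE44173F08CB5
CLI: 408268C68309651DC4C9D8C094B1EF0F
FV-1KD3A14800059<Secondary>
SYS: A4BA318B0762E202B4CAE44173F08CB5
CLI: 0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F
"""

MEMBER_RE = re.compile(r"^(?P<serial>[^<\s]+)<(?P<role>Primary|Secondary)>$")
DIGEST_RE = re.compile(r"^(?P<kind>SYS|CLI):\s*(?P<md5>[0-9A-Fa-f]{32})$")


def parse_ha_md5sum(text: str) -> List[Dict[str, str]]:
    """Return one dict per cluster member with serial, role, SYS and CLI."""
    members: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "# execute" in line:  # blank line or echoed prompt
            continue
        m = MEMBER_RE.match(line)
        if m:
            members.append({"serial": m["serial"], "role": m["role"]})
            continue
        d = DIGEST_RE.match(line)
        if d and members:
            members[-1][d["kind"]] = d["md5"].upper()
            continue
        raise ValueError(f"unexpected line in ha md5sum output: {raw!r}")
    return members


def find_drift(members: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (serial, kind) for every digest that differs from the primary's."""
    primaries = [m for m in members if m["role"] == "Primary"]
    if len(primaries) != 1:
        raise ValueError("expected exactly one Primary member in the output")
    primary = primaries[0]
    drift: List[Tuple[str, str]] = []
    for member in members:
        if member is primary:
            continue
        for kind in ("SYS", "CLI"):
            # A missing digest counts as drift, not as a match.
            if member.get(kind) is None or member[kind] != primary.get(kind):
                drift.append((member["serial"], kind))
    return drift


def is_synchronized(text: str) -> bool:
    """True when every member's SYS and CLI digests match the primary's."""
    return not find_drift(parse_ha_md5sum(text))


if __name__ == "__main__":
    for serial, kind in find_drift(parse_ha_md5sum(SAMPLE_OUTPUT)):
        print(f"{serial}: {kind} configuration differs from the primary")
```

Feed it the captured output of the command (for example, from an SSH session log) and alert on a non-empty drift list; a CLI mismatch after a configuration change is the cue to run ha synchronize on page 766.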

ha synchronize

Use this command to manually control the synchronization of configuration files and FortiGuard service-related
packages from the active HA appliance to the standby appliance.
Typically, most HA synchronization happens automatically, whenever changes are made. However, in some cases, you
may want to use this command to manually initiate full or partial HA synchronization, including to
- Delay synchronization to a more convenient time if you are planning to make large batch changes, and therefore
delayed synchronization is preferable for network performance reasons
- Manually force synchronization of files that are not automatically synchronized
- Trigger automatic synchronization if it has been interrupted due to HA link failure, daemon crashes, etc.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
execute ha synchronize {all | avupd | cli | geodb | sys}

Variable Description Default

synchronize {all | avupd | cli | geodb | sys}
    Select which part of the configuration and/or FortiGuard service-related packages to synchronize.
    - all—Entire configuration, including CLI configuration, system files, and signature databases.
    - avupd—Only the FortiGuard Antivirus service package, including the virus signatures, scan engine, and proxy.
    - cli—Only the core CLI configuration file (FortiWeb_system.conf). You can use the show command to view the contents of the configuration file.
    - geodb—Only the geography-to-IP address mappings. Similar to firmware, these can be downloaded from the Fortinet Customer Service & Support website: HTTPs://support.fortinet.com
    - sys—Only the IP Reputation Database (IRDB) and system files such as X.509 certificates.
    Note: This command has no effect if you use the command execute ha synchronize stop to pause it manually.
    Default: No default.

Example

This example shows how to manually synchronize the virus signature and engine package to the standby appliance.
FortiWeb # execute ha synchronize avupd
starting synchronize with HA primary...

Related topics

- ha disconnect on page 763
- ha manage on page 764
- ha md5sum on page 765

icap-cache-clear

The ICAP server receives files from FortiWeb, checks whether they pose a threat, and returns the results to FortiWeb.
The results are stored in the FortiWeb cache for a certain period, during which FortiWeb does not re-submit the file to
the ICAP server.
Use this command to clear the ICAP cache. You can specify the hash values of files to clear the cached results for
those specific files, or clear the whole cache.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
execute icap-cache-clear sha256 <sha256 strings of file1> <sha256 strings of file2> ...
execute icap-cache-clear all


Variable Description Default

<sha256 strings of file1> <sha256 strings of file2> ...
    Enter the sha256 strings of the files to be cleared. Up to 32 hash value strings are allowed.
    Default: No default.

all
    Clear all cache.
    Default: No default.

Example
FortiWeb # execute icap-cache-clear sha256 XXXXXXXXXXXXX XXXXXXXXXXXXXX
FortiWeb # execute icap-cache-clear all
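When a file that was cached as clean is later found to be malicious, the cached verdict for that file needs to be evicted so FortiWeb re-submits it to the ICAP server. The following is an added example, not part of the FortiWeb CLI Reference or any Fortinet tool: it computes the SHA-256 of the files to evict and groups the digests into execute icap-cache-clear sha256 commands of at most 32 hashes each, the per-command limit stated in the variable table above. The file names and contents are constructed; the 32-hash limit is taken from the page.

```python
"""Build `execute icap-cache-clear sha256 ...` commands from local files.

Added example, not part of the FortiWeb CLI Reference. It hashes the
files whose cached ICAP verdicts should be evicted and groups the digests
into commands of at most MAX_HASHES_PER_COMMAND hashes, the limit stated
on the page. The sample files below are constructed.
"""
import hashlib
from typing import Dict, Iterable, List

MAX_HASHES_PER_COMMAND = 32  # limit from the icap-cache-clear variable table


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA-256 digest of the file contents."""
    return hashlib.sha256(data).hexdigest()


def build_clear_commands(digests: Iterable[str]) -> List[str]:
    """Group digests into `execute icap-cache-clear sha256 ...` commands.

    Duplicates are dropped (re-submitting the same hash is pointless) and
    each command carries no more than MAX_HASHES_PER_COMMAND digests.
    Anything that is not a 64-character hex string is rejected so a typo
    never reaches the appliance.
    """
    unique: List[str] = []
    seen = set()
    for d in digests:
        d = d.strip().lower()
        if len(d) != 64 or any(c not in "0123456789abcdef" for c in d):
            raise ValueError(f"not a SHA-256 hex digest: {d!r}")
        if d not in seen:
            seen.add(d)
            unique.append(d)
    commands: List[str] = []
    for start in range(0, len(unique), MAX_HASHES_PER_COMMAND):
        chunk = unique[start:start + MAX_HASHES_PER_COMMAND]
        commands.append("execute icap-cache-clear sha256 " + " ".join(chunk))
    return commands


def commands_for_files(files: Dict[str, bytes]) -> List[str]:
    """Hash each (name -> contents) entry and build the clear commands."""
    return build_clear_commands(sha256_hex(data) for data in files.values())


# Constructed sample: 40 distinct files plus one duplicate, which must
# produce two commands (32 + 8 digests).
SAMPLE_FILES = {f"upload-{i}.bin": f"payload {i}".encode() for i in range(40)}
SAMPLE_FILES["upload-dup.bin"] = b"payload 0"

if __name__ == "__main__":
    for cmd in commands_for_files(SAMPLE_FILES):
        print(cmd[:80] + " ...")
```

Each returned string is one complete CLI line; issue them one after another, or wrap them in execute batch start and execute batch end if you want the whole set to be rolled back together on failure.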

ping

Use this command to perform an ICMP ECHO request (also called a ping) to a host by specifying its fully qualified domain
name (FQDN) or IPv4 address, using the options configured by ping-options.
Pings are often used to test IP-layer connectivity during troubleshooting.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
execute ping {<host_fqdn> | <host_ipv4>}

Variable Description Default

ping {<host_fqdn> | <host_ipv4>}
    Type either the IPv4 address or fully qualified domain name (FQDN) of the host.
    Default: No default.

Example

This example pings a host with the IP address 192.0.2.10.


execute ping 192.0.2.10

The CLI displays the following:


PING 192.0.2.10 (192.0.2.10): 56 data bytes
64 bytes from 192.0.2.10: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 192.0.2.10: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=128 time=0.2 ms
--- 192.0.2.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms

The results indicate that a route exists between the FortiWeb appliance and 192.0.2.10. It also indicates that during
the sample period, there was no packet loss, and the average response time was 0.2 milliseconds.

Example

This example pings a host with the IP address 192.0.2.78.


execute ping 192.0.2.78

The CLI displays the following:


PING 192.0.2.78 (192.0.2.78): 56 data bytes

After several seconds, no output appears. The administrator halts the ping by pressing Ctrl+C. The CLI displays the
following:
--- 192.0.2.78 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

The results indicate the host may be down, or there is no route between the FortiWeb appliance and 192.0.2.78. To
determine the point of failure along the route, further diagnostic tests are required, such as traceroute on page 785.

Related topics

- system interface on page 312
- server-policy vserver on page 199
- ping-options on page 770
- ping6 on page 769
- telnettest on page 783
- traceroute on page 785
- network ip on page 717
- hardware nic on page 711
- network sniffer on page 721
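The two examples above show the two shapes the output can take: a full statistics block with a round-trip line, and a total-loss block with no round-trip line at all. The following is an added example, not part of the FortiWeb CLI Reference or any Fortinet tool: it parses captured execute ping output into a summary and treats the missing round-trip line as the signal that no reply arrived, rather than as a parse error. Both samples are constructed from the output format shown on the page.

```python
"""Summarize `execute ping` output, including the no-reply case.

Added example, not part of the FortiWeb CLI Reference. When nothing
answers, the CLI prints no round-trip line, so the RTT fields are None
instead of a guessed value. Both samples below are constructed.
"""
import re
from typing import NamedTuple, Optional


class PingSummary(NamedTuple):
    target: str
    transmitted: int
    received: int
    loss_pct: int
    rtt_min_ms: Optional[float]
    rtt_avg_ms: Optional[float]
    rtt_max_ms: Optional[float]


TARGET_RE = re.compile(r"^--- (?P<target>\S+) ping statistics ---$", re.M)
STATS_RE = re.compile(
    r"(?P<tx>\d+) packets transmitted, (?P<rx>\d+) packets received, "
    r"(?P<loss>\d+)% packet loss"
)
RTT_RE = re.compile(
    r"round-trip min/avg/max = (?P<min>[\d.]+)/(?P<avg>[\d.]+)/(?P<max>[\d.]+) ms"
)

# Constructed sample: all five replies received.
SAMPLE_OK = """\
PING 192.0.2.10 (192.0.2.10): 56 data bytes
64 bytes from 192.0.2.10: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 192.0.2.10: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=128 time=0.2 ms
--- 192.0.2.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
"""

# Constructed sample: nothing answered, so there is no round-trip line.
SAMPLE_DOWN = """\
PING 192.0.2.78 (192.0.2.78): 56 data bytes
--- 192.0.2.78 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
"""


def parse_ping(output: str) -> PingSummary:
    """Parse the statistics block of an `execute ping` run."""
    target = TARGET_RE.search(output)
    stats = STATS_RE.search(output)
    if target is None or stats is None:
        raise ValueError("output has no ping statistics block (ping not finished?)")
    rtt = RTT_RE.search(output)  # absent when no reply was received

    def rtt_field(name: str) -> Optional[float]:
        return float(rtt[name]) if rtt is not None else None

    return PingSummary(
        target=target["target"],
        transmitted=int(stats["tx"]),
        received=int(stats["rx"]),
        loss_pct=int(stats["loss"]),
        rtt_min_ms=rtt_field("min"),
        rtt_avg_ms=rtt_field("avg"),
        rtt_max_ms=rtt_field("max"),
    )


def reachable(summary: PingSummary) -> bool:
    """A host counts as reachable if at least one echo reply came back."""
    return summary.received > 0


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_DOWN):
        s = parse_ping(sample)
        state = "reachable" if reachable(s) else "no reply (host down or no route)"
        print(f"{s.target}: {s.loss_pct}% loss, avg rtt {s.rtt_avg_ms} ms, {state}")
```

A ping interrupted with Ctrl+C before the statistics block is printed raises ValueError rather than returning a half-filled summary, so a monitoring script cannot mistake an aborted run for a clean one.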

ping6

Use this command to perform an ICMP ECHO request (also called a ping) to a host by specifying its IPv6 address, using
the options configured in ping-options on page 770.
Pings are often used to test IP-layer connectivity during troubleshooting.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.


Syntax
execute ping6 {<host_fqdn> | <host_ipv6>}

Variable Description Default

ping6 {<host_fqdn> | <host_ipv6>}
    Enter either the IP address or fully qualified domain name (FQDN) of the host.
    Default: No default.

Example

This example pings a host with the IPv6 address 2607:f0b0:f:420::.


execute ping6 2607:f0b0:f:420::

The CLI displays the following:


PING 2607:f0b0:f:420:: (2607:f0b0:f:420::): 56 data bytes

After several seconds, no output appears. The administrator halts the ping by pressing Ctrl+C. The CLI displays the
following:
--- 2607:f0b0:f:420:: ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

The results indicate the host may be down, or there is no route between the FortiWeb appliance and
2607:f0b0:f:420::. To determine the point of failure along the route, further diagnostic tests are required, such as
traceroute on page 785.

Related topics

- system interface on page 312
- server-policy vserver on page 199
- ping6-options on page 772
- telnettest on page 783
- traceroute on page 785
- network ip on page 717
- hardware nic on page 711
- network route on page 718
- network sniffer on page 721

ping-options

Use these commands to configure the behavior of the ping on page 768 command.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
execute ping-options data-size <bytes_int>
execute ping-options df-bit {yes | no}
execute ping-options pattern <bufferpattern_hex>
execute ping-options repeat-count <repeat_int>
execute ping-options source {auto | <interface_ipv4>}
execute ping-options timeout <seconds_int>
execute ping-options tos {<service_type>}
execute ping-options ttl <hops_int>
execute ping-options validate-reply {yes | no}
execute ping-options view-settings

Variable Description Default

data-size <bytes_int>
    Enter datagram size in bytes. This allows you to send out packets of different sizes for testing the effect of packet size on the connection. If you want to configure the pattern that will be used to buffer small datagrams to reach this size, also configure pattern <bufferpattern_hex> on page 771.
    Default: 56

df-bit {yes | no}
    Enter either yes to set the DF bit in the IP header to prevent the ICMP packet from being fragmented, or enter no to allow the ICMP packet to be fragmented.
    Default: no

pattern <bufferpattern_hex>
    Enter a hexadecimal pattern, such as 00ffaabb, to fill the optional data buffer at the end of the ICMP packet. The size of the buffer is determined by data-size <bytes_int> on page 771.
    Default: No default.

repeat-count <repeat_int>
    Enter the number of times to repeat the ping.
    Default: 5

source {auto | <interface_ipv4>}
    Select the network interface from which the ping is sent. Enter either auto or a FortiWeb network interface IP address.
    Default: auto

timeout <seconds_int>
    Enter the ping response timeout in seconds.
    Default: 2

tos {<service_type>}
    Enter the IP type-of-service option value, either:
    - default—Do not indicate. That is, set the TOS byte to 0.
    - lowcost—Minimize cost.
    - lowdelay—Minimize delay.
    - reliability—Maximize reliability.
    - throughput—Maximize throughput.
    Default: default

ttl <hops_int>
    Enter the time-to-live (TTL) value.
    Default: 64

validate-reply {yes | no}
    Select whether or not to validate ping replies.
    Default: no

view-settings
    Display the current ping option settings.
    Default: No default.

Example

This example sets the number of pings to three and the source IP address to 192.0.2.1, then views the ping options to
verify their configuration.
execute ping-option repeat-count 3
execute ping-option source 192.0.2.1
execute ping-option view-settings

The CLI would display the following:


Ping Options:
Repeat Count: 3
Data Size: 56
Timeout: 2
TTL: 64
TOS: 0
DF bit: unset
Source Address: 192.0.2.1
Pattern:
Pattern Size in Bytes: 0
Validate Reply: no

Related topics

- ping on page 768
- traceroute on page 785

ping6-options

Use these commands to configure the behavior of the ping6 on page 769 command.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
execute ping6-options data-size <bytes_int>
execute ping6-options pattern <bufferpattern_hex>
execute ping6-options repeat-count <repeat_int>
execute ping6-options source {auto | <interface_ipv6>}
execute ping6-options timeout <seconds_int>
execute ping6-options tos {<service_type>}
execute ping6-options ttl <hops_int>
execute ping6-options validate-reply {yes | no}
execute ping6-options view-settings

Variable Description Default

data-size <bytes_int>
    Enter datagram size in bytes. This allows you to send out packets of different sizes for testing the effect of packet size on the connection. If you want to configure the pattern that will be used to buffer small datagrams to reach this size, also configure pattern <bufferpattern_hex> on page 771.
    Default: 56

pattern <bufferpattern_hex>
    Enter a hexadecimal pattern, such as 00ffaabb, to fill the optional data buffer at the end of the ICMP packet. The size of the buffer is determined by data-size <bytes_int> on page 771.
    Default: No default.

repeat-count <repeat_int>
    Enter the number of times to repeat the ping.
    Default: 5

source {auto | <interface_ipv6>}
    Select the network interface from which the ping is sent. Enter either auto or a FortiWeb network interface IP address.
    Default: auto

timeout <seconds_int>
    Enter the ping response timeout in seconds.
    Default: 2

tos {<service_type>}
    Enter the IP type-of-service option value, either:
    - default—Do not indicate. That is, set the TOS byte to 0.
    - lowcost—Minimize cost.
    - lowdelay—Minimize delay.
    - reliability—Maximize reliability.
    - throughput—Maximize throughput.
    Default: default

ttl <hops_int>
    Enter the time-to-live (TTL) value.
    Default: 64

validate-reply {yes | no}
    Select whether or not to validate ping replies.
    Default: no

view-settings
    Display the current ping option settings.
    Default: No default.

Example

This example sets the number of pings to 3, then views the ping options to verify their configuration.
execute ping6-option repeat-count 3
execute ping6-option view-settings

The CLI would display the following:

IPV6 Ping Options:
Repeat Count: 3
Data Size: 56
Timeout: 2
Interval: 1
TTL: 64
TOS: 0
Source Address: auto
Pattern:
Pattern Size in Bytes: 0
Validate Reply: no

Related topics

• ping6 on page 769
• traceroute on page 785

reboot

Use this command to restart the FortiWeb appliance.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
execute reboot

Example

This example shows the reboot command in action.


execute reboot

The CLI displays the following:


This operation will reboot the system !
Do you want to continue? (y/n)

After you enter y (yes), the CLI displays the following:


System is rebooting...

If you are connected to the CLI through a local console, the CLI displays messages while the reboot is occurring.
If you are connected to the CLI through the network, the CLI will not display any notification while the reboot is occurring,
as this occurs after the network interfaces have been shut down. Instead, you may notice that the connection is
terminated. Time required by the reboot varies by many factors, such as whether or not hard disk verification is required,
but may be several minutes.


Related topics

• shutdown on page 782
• system performance on page 790

redis rebuild

Use this command to clean and rebuild the database for ML and Client Management. Note that in HA mode, running this command on the master appliance takes effect on all slaves simultaneously. The command reboots the system.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
execute redis rebuild

Related topics

• formatlogdisk on page 763
• debug upload on page 703

remove vmlicense

Use this command to remove a FortiWeb-VM license.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.
For more information on FortiWeb-VM licenses, see the FortiWeb-VM Install Guide:
HTTPs://docs.fortinet.com/fortiweb/hardware

Syntax
execute remove vmlicense

Example

This example shows the remove command in action.


execute remove vmlicense


The CLI displays the following:


This operation will remove existing license!
Do you want to continue? (y/n)

After you enter y (yes), the CLI displays the following:


removing license ......

Related topics

• restore vmlicense on page 780

restore cert-config

Use this command to restore certificates of a FortiWeb appliance from a TFTP server.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
execute restore cert-config tftp <filename_str> <tftp_ipv4> [<password_str>]

<filename_str>
    Enter the name of the backup file, such as FortiWeb_backup.zip.
    No default.

<tftp_ipv4>
    Enter the IP address of the TFTP server.
    No default.

[<password_str>]
    Enter the password to be used when decompressing the backup file.
    Caution: Remember the password or keep it in a secure location. You will be required to enter the same password when restoring an encrypted backup file. If you forget or lose the password, you won't be able to use that encrypted backup file.
    No default.

Example

This example restores the FortiWeb appliance's certificates from the backup file FortiWeb_backup.zip on the TFTP server at IP address 192.0.2.23. The file is encrypted with the password P@ssword1.
execute restore cert-config tftp FortiWeb_backup.zip 192.0.2.23 P@ssword1


Related topics

• restore config on page 777

restore config

Use this command to restore the configuration from a configuration backup file on a TFTP server, or to install primary or backup firmware.

Back up the configuration before restoring the configuration. This command restores
configuration changes only, and does not affect settings that remain at their default
values. Default values may vary by firmware version. For backup commands, see
backup cli-config on page 752 and backup full-config on page 753.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
execute restore config tftp <filename_str> <tftp_ipv4> [<password_str>]

<filename_str>
    Enter the name of the backup or firmware image file.
    No default.

<tftp_ipv4>
    Enter the IP address of the TFTP server.
    No default.

[<password_str>]
    Enter the password that was used to encrypt the backup file, if any. If you do not provide a password, the backup file must have been stored as a clear file with a .zip extension.
    No default.

Example

This example downloads a configuration file named backup.zip from the TFTP server, 192.0.2.23, to the FortiWeb
appliance. The backup file was encrypted with the password P@ssword1.
execute restore config tftp backup.zip 192.0.2.23 P@ssword1

The FortiWeb appliance then applies the configuration backup and reboots.


Related topics

• backup full-config on page 753
• restore config on page 777
• restore image on page 778
• restore secondary-image on page 779

restore image

Use this command to install firmware on the primary partition and reboot.

Back up the configuration before installing new firmware. Installing new firmware can
change default settings and reset settings that are incompatible with the new
version. For backup commands, see backup full-config on page 753 and backup cli-
config on page 752.

Unlike installing firmware via TFTP during a boot interrupt, installing firmware using this command will attempt to
preserve settings and files, and not necessarily restore the FortiWeb appliance to its firmware/factory default
configuration.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
execute restore image ftp <filename_str> <ftp_ipv4>
execute restore image tftp <filename_str> <tftp_ipv4>

<filename_str>
    Enter the name of the firmware image file.
    No default.

<ftp_ipv4>
    Enter the IP address of the FTP server.
    No default.

<tftp_ipv4>
    Enter the IP address of the TFTP server.
    No default.

Example

This example installs a firmware file named firmware.out from the TFTP server, 192.0.2.23, to the FortiWeb
appliance.
execute restore image tftp firmware.out 192.0.2.23

The FortiWeb appliance downloads the firmware file, installs it, and reboots.


Related topics

• backup cli-config on page 752
• backup full-config on page 753
• restore config on page 777
• restore secondary-image on page 779
• system flash on page 730
• system status on page 791

restore secondary-image

Use this command to install backup firmware on the secondary partition and reboot.

Back up the configuration before installing new firmware. Installing new firmware can
change default settings and reset settings that are incompatible with the new
version. For backup commands, see backup full-config on page 753 and backup cli-
config on page 752.

Unlike installing firmware via TFTP during a boot interrupt, installing firmware using this command will attempt to
preserve settings and files, and not necessarily restore the FortiWeb appliance to its firmware/factory default
configuration.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
execute restore secondary-image ftp <filename_str> <ftp_ipv4>
execute restore secondary-image tftp <filename_str> <tftp_ipv4>

<filename_str>
    Enter the name of the firmware image file.
    No default.

<ftp_ipv4>
    Enter the IP address of the FTP server.
    No default.

<tftp_ipv4>
    Enter the IP address of the TFTP server.
    No default.

Example

This example installs a firmware file named firmware.out from the TFTP server, 192.0.2.23, to the FortiWeb
appliance.
execute restore secondary-image tftp firmware.out 192.0.2.23

The FortiWeb appliance downloads the firmware file, installs it, and reboots.


Related topics

• backup cli-config on page 752
• backup full-config on page 753
• restore config on page 777
• restore image on page 778
• system flash on page 730
• system status on page 791

restore vmlicense

Use this command to upload a FortiWeb-VM license file from an FTP or TFTP server.
After you enter the command, FortiWeb prompts you to confirm the upload.
After the license is authenticated successfully, the following message is displayed:
“*ATTENTION*: license registration status changed to 'VALID', please logout and re-login”

To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.
For more information on FortiWeb-VM licenses, see the FortiWeb-VM Install Guide:
HTTPs://docs.fortinet.com/fortiweb/hardware

Syntax
execute restore vmlicense {ftp | tftp} "<license-file_str>" {"<ftp_ipv4>" | "<user_str>":"<password_str>"@"<ftp_ipv4>" | "<tftp_ipv4>"}

{ftp | tftp}
    Specify whether to connect to the server using file transfer protocol (FTP) or trivial file transfer protocol (TFTP).
    No default.

"<license-file_str>"
    Enter the name of the license file.
    No default.

"<ftp_ipv4>"
    Enter the IP address of the FTP server.
    No default.

"<user_str>"
    Enter the user name that FortiWeb uses to authenticate with the server.
    No default.

"<password_str>"
    Enter the password for the account specified by <user_str>.
    No default.

"<tftp_ipv4>"
    Enter the IP address of the TFTP server.
    No default.


Example

This example uploads the license file FVVM040000010871.lic from the TFTP server 192.0.2.23 to the FortiWeb
appliance.
execute restore vmlicense tftp FVVM040000010871.lic 192.0.2.23

The FortiWeb appliance uploads the file, and then prompts you to log out and log in again.

sandbox-cache-clear

Use this command to clear the sandbox cache. You can specify the SHA-256 hash values of files to clear the cached results for those files only, or clear the entire cache.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
execute sandbox-cache-clear sha256 <sha256 strings of file1> <sha256 strings of file2> ...
execute sandbox-cache-clear all

<sha256 strings of file1> <sha256 strings of file2> ...
    Enter the SHA-256 strings of the files to be cleared. Up to 32 hash value strings are allowed.
    No default.

all
    Clear all cache.
    No default.

Example
FortiWeb # execute sandbox-cache-clear sha256 XXXXXXXXXXXXX XXXXXXXXXXXXXX
FortiWeb # execute sandbox-cache-clear all

session-cleanup

Use this command to immediately clean up all sessions.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.


Syntax
execute session-cleanup

shutdown

Use this command to prepare the FortiWeb appliance to be powered down by halting the software, clearing all buffers,
and writing all cached data to disk.

Power off the FortiWeb appliance only after issuing this command. Unplugging or
switching off the FortiWeb appliance without issuing this command could result in
data loss.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
execute shutdown

Example

This example shows the shutdown command in action.


execute shutdown

The CLI displays the following:


This operation will halt the system
(power-cycle needed to restart)!Do you want to continue? (y/n)

After you enter y (yes), the CLI displays the following:


System is shutting down...(power-cycle needed to restart)

If you are connected to the CLI through a local console, the CLI displays a message when the shutdown is complete.
If you are connected to the CLI through the network, the CLI will not display any notification when the shutdown is
complete, as this occurs after the network interfaces have been shut down. Instead, you may notice that the connection
times out.

Related topics

• reboot on page 774


telnet

Use this command to open a Telnet connection to a server using IPv4 to port 23.

Telnet connections are not secure. Eavesdroppers could easily obtain your
administrator password. Only use telnet over a trusted, physically secured network,
such as a direct connection between your computer and the appliance.

To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
execute telnet "<host_ipv4>"

telnet "<host_ipv4>"
    Enter the IP address of the host.
    No default.

Example

This example Telnets to a host with the IP address 192.0.2.10.


execute telnet 192.0.2.10
login: admin
Password: *******

Related topics

• telnettest on page 783
• ping on page 768
• ping6 on page 769

telnettest

Use this command to open a Telnet connection to a server using an IPv4 or IPv6 address or fully qualified domain name
(FQDN). This command can be useful for troubleshooting. For example, when the server does not support the HTTP
versions, methods, headers, and so on, that the client uses.

Telnet connections are not secure. Eavesdroppers could easily obtain your
administrator password. Only use Telnet over a trusted, physically secured network,
such as a direct connection between your computer and the appliance, and from the
appliance to the server.


To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.

Syntax
execute telnettest {"<host_ipv4>" | "<host_ipv6>" | "<host_fqdn>"}

telnettest {"<host_ipv4>" | "<host_ipv6>" | "<host_fqdn>"}
    Enter the IP address or fully qualified domain name (FQDN) of the host.
    No default.

Example

This example Telnets to a host with the IPv4 address 192.0.2.10 on port 80, the IANA standard port for HTTP.
FortiWeb# exec telnettest 192.0.2.10:80
Connected

GET /

Entering interactive mode. Type CTRL-D to exit.


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>Get to /index.html not supported.<br />
</p>
<hr>
<address>Apache/2.2.22 (Unix) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8x Server at irene.local Port
80</address>
</body></html>
Connection closed.

Connection status to 192.0.2.10 port 80:
Connecting to remote host succeeded.
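The transcript above shows the two things telnettest tells you: whether the TCP connection to the back-end server succeeds, and how the server answers a raw request (here a 501 because the method is not implemented). The following script reproduces that check from a workstation with Python 3. It is an added example, not FortiWeb code or output: raw_http_probe, the _DemoHandler class and the loopback demo server are all constructed for this illustration, and the demo server stands in for the origin server so the script runs offline.

```python
"""Raw HTTP reachability probe in the spirit of 'execute telnettest'.

Added example, not FortiWeb code. It opens a TCP connection, sends one minimal
HTTP/1.0 request and reports the TCP outcome plus the HTTP status line, so a
server that rejects a method or HTTP version shows up the way it does in the
telnettest transcript.
"""
from __future__ import annotations

import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def raw_http_probe(host: str, port: int, method: str = "GET", path: str = "/",
                   timeout: float = 5.0) -> dict:
    """Connect to host:port, send one HTTP/1.0 request and parse the status line.

    'connected' is the TCP result; 'status' is the HTTP status code, or None
    when no status line came back; 'error' carries the socket error text.
    """
    request = (f"{method} {path} HTTP/1.0\r\n"
               f"Host: {host}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    chunks: list[bytes] = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while True:                      # HTTP/1.0: read until the server closes
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError as exc:                   # refused, unreachable, timed out, reset
        return {"connected": False, "status": None, "reason": "",
                "error": str(exc), "body": ""}

    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)        # e.g. "HTTP/1.0 501 Method Not Implemented"
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    reason = parts[2] if len(parts) == 3 else ""
    return {"connected": True, "status": status, "reason": reason,
            "error": None, "body": body.decode("latin-1", "replace")}


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the origin: GET succeeds, any other method gets 501."""

    def do_GET(self) -> None:
        body = b"<html><body>ok</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:    # keep the demo server quiet
        pass


def start_demo_server() -> tuple[HTTPServer, int]:
    """Start the constructed origin on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def stop_demo_server(server: HTTPServer) -> None:
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    srv, port = start_demo_server()
    for method in ("GET", "PURGE"):
        result = raw_http_probe("127.0.0.1", port, method=method)
        print(f"{method} -> connected={result['connected']} status={result['status']} {result['reason']}")
    stop_demo_server(srv)
    print("after shutdown: connected =", raw_http_probe("127.0.0.1", port)["connected"])
```

The request is deliberately HTTP/1.0 with Connection: close so that the read loop ends when the server closes the socket; against an origin that only speaks HTTP/1.1 keep-alive you would see the read block until the timeout, which is itself the kind of version mismatch telnettest is meant to surface.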

Related topics

• telnet on page 783
• ping on page 768
• ping6 on page 769


time

Use this command to display or set the system time.


To use this command, your administrator account’s access control profile must have either w or rw permission to the
sysgrp area. For details, see Permissions on page 46.

Syntax
execute time [<time_str>]

time [<time_str>]
    Enter the current time for the FortiWeb appliance’s time zone, using the format hh:mm:ss, where:
    • hh is the hour. Valid hours are 00–23.
    • mm is the minute. Valid minutes are 00–59.
    • ss is the second. Valid seconds are 00–59.
    If you do not specify a time, the command returns the current system time.
    Shortened values, such as 1 instead of 01 for the hour, are valid. For example, you could enter either 01:01:01 or 1:1:1.
    No default.

Example

This example sets the system time to 15:31:03:


execute time 15:31:03

Related topics

• date on page 759

traceroute

Use this command to test the connection between the FortiWeb appliance and another network device using ICMP, and to display the time required for each network hop between the device and the FortiWeb appliance.
To use this command, your administrator account’s access control profile must have at least r permission to the sysgrp
area. For details, see Permissions on page 46.


Syntax
execute traceroute {"<host_fqdn>" | "<host_ipv4>"}

traceroute {"<host_fqdn>" | "<host_ipv4>"}
    Enter either the IP address or fully qualified domain name (FQDN) of the host.
    No default.

Example

This example tests connectivity between the FortiWeb appliance and docs.fortinet.com. In this example, the trace times
out after the first hop, indicating a possible connectivity problem at that point in the network.
FortiWeb# execute traceroute docs.fortinet.com
traceroute to docs.fortinet.com (65.39.139.196), 30 hops max, 38 byte packets
1 192.0.2.200 (192.0.2.200) 0.324 ms 0.427 ms 0.360 ms
2 * * *

Example

This example tests the availability of a network route to the server example.com.
execute traceroute example.com

The CLI displays the following:


traceroute to example.com (192.168.1.10), 32 hops max, 72 byte packets
1 172.16.1.2 0 ms 0 ms 0 ms
2 10.10.10.1 <static.isp.example.net> 2 ms 1 ms 2 ms
3 10.20.20.1 1 ms 5 ms 1 ms
4 10.10.10.2 <core.isp.example.net> 171 ms 186 ms 14 ms
5 10.30.30.1 <isp2.example.net> 10 ms 11 ms 10 ms
6 10.40.40.1 73 ms 74 ms 75 ms
7 192.168.1.1 79 ms 77 ms 79 ms
8 192.168.1.2 73 ms 73 ms 79 ms
9 192.168.1.10 73 ms 73 ms 79 ms
10 192.168.1.10 73 ms 73 ms 79 ms

Example

This example attempts to test connectivity between the FortiWeb appliance and example.com. However, the FortiWeb
appliance could not trace the route, because the primary or secondary DNS server that the FortiWeb appliance is
configured to query could not resolve the FQDN example.com into an IP address, and it therefore did not know to which
IP address it should connect. As a result, an error message is displayed.
FortiWeb# execute traceroute example.com
traceroute: unknown host example.com
Command fail. Return code 1


To resolve the error message in order to perform connectivity testing, the administrator would first configure the
FortiWeb appliance with the IP addresses of DNS servers that can resolve the FQDN example.com. For details, see
system dns on page 256.
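The three examples above are the three outcomes an operator has to tell apart when scripting connectivity checks from the CLI: the route reaches the target, the trace times out partway (the * * * hop), or the FQDN cannot be resolved at all. The following parser, an added example and not FortiWeb code, classifies a captured traceroute transcript into those cases. The sample transcripts are constructed from the examples above, and the 100 ms threshold used to flag slow hops is an assumption chosen for the illustration.

```python
"""Interpret FortiWeb traceroute output (added example, not FortiWeb code).

Classifies a transcript as 'reached', 'incomplete' (a hop timed out or the
hop limit ran out) or 'dns-failure', and records where the trace stopped.
"""
from __future__ import annotations

import re

HEADER_RE = re.compile(r"^traceroute to (\S+) \(([^)]+)\)")
HOP_RE = re.compile(r"^(\d+)\s+(.*)$")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")


def parse_traceroute(output: str) -> dict:
    """Return target name/IP, any error text, and one record per hop line."""
    result = {"target": None, "target_ip": None, "error": None, "hops": []}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("traceroute:"):          # e.g. "traceroute: unknown host example.com"
            result["error"] = line.partition(":")[2].strip()
            continue
        header = HEADER_RE.match(line)
        if header:
            result["target"], result["target_ip"] = header.group(1), header.group(2)
            continue
        hop = HOP_RE.match(line)
        if not hop:
            continue                                   # prompt, "Command fail", etc.
        rest = hop.group(2)
        rtts = [float(v) for v in RTT_RE.findall(rest)]
        first = rest.split()[0]
        result["hops"].append({
            "hop": int(hop.group(1)),
            "addr": None if first == "*" else first,
            "rtts_ms": rtts,
            "timed_out": not rtts,                     # "* * *": no probe was answered
        })
    return result


def diagnose(output: str, slow_ms: float = 100.0) -> dict:
    """Classify the trace and report where it stopped; slow_ms is an assumed threshold."""
    parsed = parse_traceroute(output)
    verdict = {"status": "incomplete", "target_ip": parsed["target_ip"],
               "reached_at_hop": None, "first_timeout_hop": None,
               "last_responding_hop": None, "slow_hops": [], "error": parsed["error"]}
    if parsed["error"]:
        verdict["status"] = "dns-failure" if "unknown host" in parsed["error"] else "error"
        return verdict
    for h in parsed["hops"]:
        if h["timed_out"]:
            if verdict["first_timeout_hop"] is None:
                verdict["first_timeout_hop"] = h["hop"]
            continue
        verdict["last_responding_hop"] = h["hop"]
        if max(h["rtts_ms"]) >= slow_ms:
            verdict["slow_hops"].append(h["hop"])
        if h["addr"] == parsed["target_ip"] and verdict["reached_at_hop"] is None:
            verdict["reached_at_hop"] = h["hop"]
    if verdict["reached_at_hop"] is not None:
        verdict["status"] = "reached"
    return verdict


# Constructed transcripts modelled on the three examples above.
SAMPLE_TIMEOUT = """\
traceroute to docs.fortinet.com (65.39.139.196), 30 hops max, 38 byte packets
1 192.0.2.200 (192.0.2.200) 0.324 ms 0.427 ms 0.360 ms
2 * * *
"""
SAMPLE_REACHED = """\
traceroute to example.com (192.168.1.10), 32 hops max, 72 byte packets
1 172.16.1.2 0 ms 0 ms 0 ms
2 10.10.10.1 <static.isp.example.net> 2 ms 1 ms 2 ms
3 10.20.20.1 1 ms 5 ms 1 ms
4 10.10.10.2 <core.isp.example.net> 171 ms 186 ms 14 ms
5 10.30.30.1 <isp2.example.net> 10 ms 11 ms 10 ms
6 10.40.40.1 73 ms 74 ms 75 ms
7 192.168.1.1 79 ms 77 ms 79 ms
8 192.168.1.2 73 ms 73 ms 79 ms
9 192.168.1.10 73 ms 73 ms 79 ms
10 192.168.1.10 73 ms 73 ms 79 ms
"""
SAMPLE_DNS_FAIL = """\
traceroute: unknown host example.com
Command fail. Return code 1
"""

if __name__ == "__main__":
    for name, sample in (("timeout", SAMPLE_TIMEOUT), ("reached", SAMPLE_REACHED),
                         ("dns", SAMPLE_DNS_FAIL)):
        print(name, diagnose(sample))
```

A hop is treated as timed out only when none of its three probes answered; a line such as "5 * 10 ms *" still counts as responding, which matches how the CLI output is read by eye.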

Related topics

• ping on page 768
• ping-options on page 770
• network ip on page 717
• hardware nic on page 711
• network sniffer on page 721

update-now

Use this command to initiate an update of the predefined robots, data types, suspicious URLs, and attack signatures used by your FortiWeb appliance.
FortiWeb appliances receive updates from the FortiGuard Distribution Network (FDN). The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). FortiWeb appliances connect to the FDN by connecting to the FDS nearest to the FortiWeb appliance by its configured time zone.
The time required for the update varies with the availability of the updates, the size of the updates, and the speed of the FortiWeb appliance’s network connection. If event logging is enabled and the FortiWeb appliance cannot connect successfully, it logs the message update failed, failed to connect any fds servers! or FortiWeb is unauthorized.

To use this command, your administrator account’s access control profile must have either w or rw permission to the
mntgrp area. For details, see Permissions on page 46.

Syntax
execute update-now


get

The get command displays parts of your FortiWeb appliance’s configuration in the form of a list of settings and their
values.
Unlike show, get displays all settings, even if they are still in their default state.
For example, you might get the current DNS settings:
get system dns
primary : 192.0.2.19
secondary : 0.0.0.0
domain : example.com

Notice that the command displays the setting for the secondary DNS server, even though it has not been configured, or
has reverted to its default value.
Also unlike show, unless used from within an object or table, get requires that you specify the object or table whose
settings you want to display.
For example, at the root prompt, this command would be valid:
get system dns

and this command would not be valid:
get

Like show, depending on whether or not you have specified an object, get may display one of two different outputs,
either the configuration that you have just entered but not yet saved, or as it currently exists on the flash disk.
For example, immediately after configuring the secondary DNS server setting but before saving it, get displays two
different outputs (differences highlighted in bold):
FortiWeb# config system dns
FortiWeb (dns)# set secondary 192.0.2.10
FortiWeb (dns)# get
primary : 192.0.2.19
secondary : 192.0.2.10
domain : example.com
FortiWeb (dns)# get system dns
primary : 192.0.2.19
secondary : 0.0.0.0
domain : example.com

The first output from get indicates the value that you have configured but not yet saved; the second output from get
indicates the value that was last saved to disk.
If you were to now enter end, saving your setting to disk, get output for both syntactical forms would again match.
However, if you were to enter abort at this point and discard your recently entered secondary DNS setting instead of
saving it to disk, the FortiWeb appliance’s configuration would therefore match the second output, not the first.

FortiWeb CLI Reference Fortinet Technologies Inc.


get 789

If you have entered settings but cannot remember how they differ from the existing
configuration, the two different forms of get, with and without the object name, can
be a useful way to remind yourself.

Most get commands, such as get system dns, are used to display configured settings. You can find relevant
information about such commands in the corresponding config commands in the config chapter.
Other get commands, such as system performance on page 790, are used to display system information that is not
configurable. This chapter describes this type of get command.
The get commands require at least read (r) permission to applicable administrator profile groups.

Although not explicitly shown in this section, for all config on page 60 commands, there are related get and show on page 794 commands which display that part of the configuration. get and show commands use the same syntax as their related config command, unless otherwise mentioned. For syntax examples and descriptions of each configuration object, field, and option, see config on page 60.

When ADOMs are enabled, if you log in as admin, the top level of the shell changes: the two top level items are get global and get vdom:
• get global displays settings that only admin or other accounts with the prof_admin access profile can change.
• get vdom displays each ADOM and its respective settings.
This menu and CLI structure change is not visible to non-global accounts; ADOM administrators’ navigation menus continue to appear similar to when ADOMs are disabled, except that global settings such as network interfaces, HA, and other global settings do not appear.

system fortisandbox-statistics

Use this command to display a count of uploaded files that FortiSandbox has evaluated in the past seven days, by
evaluation result.
FortiWeb organizes the statistics using the following categories:
• Detected (total malicious files detected)
• Clean
• Risk-low (total low-risk malicious files detected)
• Risk-medium (total medium-risk malicious files detected)
• Risk-high (total high-risk malicious files detected)

Syntax
get system fortisandbox-statistics


Example
FortiWeb # get system fortisandbox-statistics
detected : 0
clean : 0
risk-low : 0
risk-medium : 0
risk-high : 0

Related topics

• system fortisandbox on page 278
• waf file-upload-restriction-policy on page 451
• log reports on page 75

system performance

Displays the FortiWeb appliance’s CPU usage, memory usage, average system load, and up time.
Normal idle load varies by hardware platform, firmware, and configured features. To determine your specific baseline for
idle, configure your system completely, reboot, then view the system load. After at least 1 week of uptime with typical
traffic volume, view the system load again to determine the normal non-idle baseline.
System load is the average of percentages relative to the maximum possible capability of this FortiWeb appliance’s hardware. It includes:
• Average system load
• Number of HTTP daemon/proxy processes or children
• Memory usage
• Disk swap usage

Syntax
get system performance

Example
FortiWeb # get system performance
CPU states: 4% used, 96% idle
Memory states: 18% used
System Load: 1
Up: 28 days, 11 hours, 38 minutes


Related topics

• system status on page 791
• hardware cpu on page 706
• hardware mem on page 709
• hardware raid list on page 713
• system kill on page 743
• system top on page 745
• policy on page 728
• reboot on page 774

system status

Use this command to display system status information, including:
• FortiWeb firmware version, build number and date
• FortiWeb appliance serial number and boot loader (“Bios”) version
• Log hard disk availability
• Host name
• Operation mode, such as Reverse Proxy or Transparent Inspection
• Current HA status for all appliances in the HA cluster (if HA is enabled)

Syntax
get system status

Example
get system status
International Version:FortiWeb-1000C 5.01,build0039,130726
Serial-Number:FV-1KC3R11700094
Bios version:04000002
Log hard disk:Available
Hostname:FortiWeb
Operation Mode:Reverse Proxy
Current HA mode=active-passive, Status=main
HA member :
Serial-Number Priority HA-Role
FV-1KC3R11700136 5 standby
FV-1KC3R11700094 1 main


Related topics

• system performance on page 790
• system ha status on page 740

waf predefined-global-allow-list

Use this command to get the global object allow list. This feature reduces false positives and improves performance.

Syntax

get waf predefined-global-allow-list

waf signature-rules

Use this command to list the IDs, names, and descriptions of signature rules.
You specify signatures in the config waf signature command using the signature ID only. This command allows
you to view the names and descriptions of the IDs.

Syntax
get waf signature-rules

Example
get waf signature-rules

This example output is the first four entries that the CLI displays when FortiWeb is configured with the default signatures
only.
rule id : 110000009
main class id : 110000000
main class name : Bad Robot
sub class id : 000000000
sub class name : Bad Robot
rule description : This signature prevents Google Skipfish scanner from exploiting a
vulnerability to include an arbitrary remote file with malicious PHP code and
executing it in the context of the webserver process.
This attack can be achieved in HTTP request arguments.

rule id : 110000010
main class id : 110000000
main class name : Bad Robot

sub class id : 000000000
sub class name : Bad Robot
rule description : This signature checks whether the request came from Google Skipfish Web
scanner.
The signature check region: user-agent field in HTTP request header.

rule id : 110000011
main class id : 110000000
main class name : Bad Robot
sub class id : 000000000
sub class name : Bad Robot
rule description : This signature checks whether the request contains a string of a content
scraper, which could be a part of virus.
The signature check region: user-agent field in HTTP request header.

rule id : 110000012
main class id : 110000000
main class name : Bad Robot
sub class id : 000000000
sub class name : Bad Robot
rule description : This signature checks whether the request came from Acunetix Web
Vulnerability Scanner.
The signature check region: HTTP request url.
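Because config waf signature refers to signatures by ID only, reviewing a signature configuration usually means mapping those IDs back to the names and descriptions that this command prints. The parser below, an added example rather than FortiWeb code, does that for a captured transcript; the sample output is constructed from the first two entries shown above, and the continuation-line handling reflects the fact that wrapped description lines carry no " : " separator.

```python
"""Parse 'get waf signature-rules' output and resolve signature IDs to names.

Added example, not FortiWeb code. Records are separated by blank lines; each
field is 'key : value', and a line without that separator is the wrapped
continuation of the previous field (the multi-line rule descriptions).
"""
from __future__ import annotations

# Constructed sample, modelled on the first two entries shown above.
SAMPLE_OUTPUT = """\
rule id : 110000009
main class id : 110000000
main class name : Bad Robot
sub class id : 000000000
sub class name : Bad Robot
rule description : This signature prevents Google Skipfish scanner from exploiting a
vulnerability to include an arbitrary remote file with malicious PHP code and
executing it in the context of the webserver process.
This attack can be achieved in HTTP request arguments.

rule id : 110000010
main class id : 110000000
main class name : Bad Robot
sub class id : 000000000
sub class name : Bad Robot
rule description : This signature checks whether the request came from Google Skipfish Web
scanner.
The signature check region: user-agent field in HTTP request header.
"""


def parse_signature_rules(text: str) -> list[dict[str, str]]:
    """Split the transcript into one dict per rule."""
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    last_key: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                          # blank line ends a record
            if current:
                records.append(current)
                current, last_key = {}, None
            continue
        # Fields use ' : ' with spaces on both sides; a description line that
        # happened to contain that exact sequence would be mis-split (known limit).
        key, sep, value = line.partition(" : ")
        if sep:
            last_key = key.strip()
            current[last_key] = value.strip()
        elif last_key is not None:            # wrapped continuation of the previous field
            current[last_key] += " " + line
    if current:
        records.append(current)
    return records


def index_by_id(records: list[dict[str, str]]) -> dict[str, dict[str, str]]:
    """Key the records by rule id so configured IDs can be looked up directly."""
    return {r["rule id"]: r for r in records if "rule id" in r}


def describe_ids(text: str, ids) -> dict[str, dict | None]:
    """Map each signature ID (as used in config waf signature) to its class and
    description; IDs absent from the transcript map to None."""
    index = index_by_id(parse_signature_rules(text))
    out: dict[str, dict | None] = {}
    for rule_id in ids:
        rec = index.get(str(rule_id))
        out[str(rule_id)] = None if rec is None else {
            "main_class": rec.get("main class name", ""),
            "sub_class": rec.get("sub class name", ""),
            "description": rec.get("rule description", ""),
        }
    return out


if __name__ == "__main__":
    for rule_id, info in describe_ids(SAMPLE_OUTPUT, [110000009, 110000010, 999999999]).items():
        print(rule_id, "->", "not in transcript" if info is None else info["description"])
```

On a real appliance the transcript would be the full command output captured over SSH; the parser needs nothing else, and an ID that resolves to None is worth a second look, since it is being enforced but no longer appears in the rule list you captured.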

Related topics

• waf signature on page 555


show

The show command displays parts of your FortiWeb appliance’s configuration in the form of commands that are required
to achieve that configuration from the firmware’s default state.
The show commands require at least read (r) permission to applicable administrator profile groups.

Although not explicitly shown in this section, for all config on page 60 commands,
there are related get on page 788 and show commands which display that part of the
configuration. get and show commands use the same syntax as their related
config command, unless otherwise mentioned. For syntax examples and
descriptions of each configuration object, field, and option, see config on page 60.

Unlike get, show does not display settings that are assumed to remain in their default state.
For example, you might show the current DNS settings:
FortiWeb# show system dns
config system dns
set primary 172.16.1.10
set domain "example.com"
end

Notice that the command does not display the setting for the secondary DNS server. This indicates that it has not been
configured, or has reverted to its default value.
Like get, depending on whether or not you have specified an object, show may display one of two different outputs, either the configuration:
• that you have just entered but not yet saved, or
• as it currently exists on the flash disk, respectively.
For example, immediately after configuring the secondary DNS server setting but before saving it, show displays two
different outputs (the secondary line appears only in the first):
FortiWeb# config system dns
FortiWeb (dns)# set secondary 192.168.1.10
FortiWeb (dns)# show
config system dns
set primary 172.16.1.10
set secondary 192.168.1.10
set domain "example.com"
end
FortiWeb (end)# show system dns
config system dns
set primary 172.16.1.10
set domain "example.com"
end

The first output from show indicates the value that you have configured but not yet saved; the second output from show
indicates the value that was last saved to disk.
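As an added example (not code from the FortiWeb reference or from Fortinet), the following Python parses show output into nested dictionaries and diffs the pending view against the saved one, treating fields that show omits as being at their default. The two sample outputs are the DNS outputs from the text above; the factory default assumed for secondary (0.0.0.0) is an illustrative assumption, not a value taken from the reference, and the parser also accepts edit/next table entries, which the DNS example does not exercise.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample outputs, copied from the two `show` invocations in the
# text above: the first is the pending (unsaved) view, the second is the
# view from flash. Assumption: the appliance prints exactly this shape.
PENDING_SHOW = """\
config system dns
set primary 172.16.1.10
set secondary 192.168.1.10
set domain "example.com"
end
"""

SAVED_SHOW = """\
config system dns
set primary 172.16.1.10
set domain "example.com"
end
"""

# Assumed factory defaults for fields that `show` omits. Illustrative only;
# confirm the real defaults with `get` on your own firmware.
ASSUMED_DEFAULTS = {"secondary": "0.0.0.0"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def _tokens(line: str) -> List[str]:
    """Split one CLI line into tokens, honouring double-quoted values."""
    return [q if q else u for q, u in _TOKEN.findall(line)]


def parse_show(text: str) -> Dict[str, object]:
    """Parse `show` output (config/edit/set/unset/next/end) into nested dicts.

    `config <path>` opens a dict keyed by the path; `edit <name>` opens a
    dict keyed by the entry name inside the current table; `set k v...`
    stores one value, or a list when several values follow the key.
    """
    root: Dict[str, object] = {}
    stack: List[Dict[str, object]] = [root]
    for raw in text.splitlines():
        toks = _tokens(raw.strip())
        if not toks:
            continue
        kw, args = toks[0], toks[1:]
        if kw == "config":
            block: Dict[str, object] = {}
            stack[-1][" ".join(args)] = block
            stack.append(block)
        elif kw == "edit":
            entry: Dict[str, object] = {}
            stack[-1][args[0]] = entry
            stack.append(entry)
        elif kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw == "unset":
            stack[-1].pop(args[0], None)
        elif kw in ("next", "end"):
            if len(stack) > 1:
                stack.pop()
        # any other keyword is ignored
    return root


def diff_pending(pending: Dict, saved: Dict,
                 defaults: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (field, saved_value, pending_value) for every field that differs.

    A field absent from one side is read as its default, because `show`
    omits settings it assumes are still at factory default.
    """
    changes = []
    for field in sorted(set(pending) | set(saved)):
        before = saved.get(field, defaults.get(field))
        after = pending.get(field, defaults.get(field))
        if before != after:
            changes.append((field, before, after))
    return changes


def pending_dns_changes() -> List[Tuple[str, str, str]]:
    """Diff the two DNS outputs quoted in the text."""
    pending = parse_show(PENDING_SHOW)["system dns"]
    saved = parse_show(SAVED_SHOW)["system dns"]
    return diff_pending(pending, saved, ASSUMED_DEFAULTS)


if __name__ == "__main__":
    for field, before, after in pending_dns_changes():
        print(f"{field}: {before!r} -> {after!r}")
```

Running the script reports only the secondary server as changed, which is exactly the line present in the first output and absent from the second. The same diff, applied to show output captured before and after a change window, gives an audit record of what was actually committed to flash rather than what an operator believes was typed.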


If you have entered settings but cannot remember how they differ from the existing
configuration, the two different forms of show, with and without the object name, can
be a useful way to remind yourself.

If you were to now enter end, saving your setting to disk, the output of both forms of show would again match. If instead
you were to enter abort at this point, discarding the secondary DNS setting you just entered rather than saving it to disk,
the FortiWeb appliance's configuration would match the second output, not the first.
When ADOMs are enabled, and if you log in as admin, the top level of the shell changes: the two top level items are
show global and show vdom.
• show global displays settings that only admin or other accounts with the prof_admin access profile can change.
• show vdom displays each ADOM and its respective settings.
This menu and CLI structure change is not visible to non-global accounts; ADOM administrators’ navigation menus
continue to appear similar to when ADOMs are disabled, except that global settings such as network interfaces, HA, and
other global settings do not appear.


www.fortinet.com

Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.