Fortiweb v6.0.2 Cli Reference

FortiWeb CLI Reference
VERSION 6.0.2
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
END USER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
January 31, 2019
FortiWeb 6.0.2 CLI Reference
1st Edition
Change log 3
Change log
11/23/2018 Initial release.
FortiWeb 6.0.2 CLI Reference Fortinet Inc.

TABLE OF CONTENTS
Change log 3
Introduction 31
Scope 31
Conventions 32
IP addresses 32
Cautions, notes, & tips 32
Typographic conventions 32
Command syntax 33
What’s new 34
Using the CLI 39
Connecting to the CLI 39
Connecting to the CLI using a local console 39
Enabling access to the CLI through the network (SSH or Telnet or CLI Console widget) 40
Connecting to the CLI using SSH 42
Connecting to the CLI using Telnet 43
Command syntax 44
Terminology 44
Indentation 45
Notation 45
Command syntax notation 46
Subcommands 48
Table commands 49
Example of table commands 50
Field commands 50
Example of field commands 51
Permissions 51
Access profile permissions 51
Tips & tricks 54
Help 54
Shortcuts & key commands 54
Command abbreviation 55
Special characters 55
Entering special characters 56
Language support & regular expressions 56
Screen paging 57
Baud rate 58
Editing the configuration file in a text editor 58
Pipeline 'grep' command 59

Administrative domains (ADOMs) 60
Differences between administrator accounts when ADOMs are enabled 60
Defining ADOMs 62
Assigning administrators to an ADOM 63
config 65
log alertMail 67
Syntax 68
Example 68
Related topics 68
log attack-log 68
Syntax 69
Example 70
Related topics 70
log custom-sensitive-rule 71
Syntax 71
Example 73
Related topics 73
log disk 73
Syntax 73
Example 74
Related topics 74
log email-policy 75
Syntax 75
Example 77
Related topics 78
log event-log 78
Syntax 78
Example 79
Related topics 79
log forti-analyzer 79
Syntax 80
Example 80
Related topics 80
log fortianalyzer-policy 81
Syntax 81
Example 81
Related topics 82
log ftp-policy 82
Syntax 82
Related topics 83

log reports 83
Syntax 84
Example 91
Related topics 92
log sensitive 92
Syntax 93
Example 93
Related topics 93
log siem-message-policy 93
Syntax 94
Example 94
Related topics 95
log siem-policy 95
Syntax 95
Example 96
Related topics 96
log syslogd 97
Syntax 97
Example 98
log syslog-policy 98
Syntax 98
Example 99
Related topics 99
log traffic-log 100
Syntax 100
Example 100
Related topics 101
log trigger-policy 101
Syntax 101
Example 102
Related topics 102
router policy 103
Syntax 103
Related topics 104
router setting 104
Syntax 105
Example 105
Related topics 106
router static 106
Syntax 106

Example 107
Related topics 107
server-policy allow-hosts 108
Syntax 109
Example 110
Related topics 110
server-policy custom-application application-policy 110
Syntax 111
Example 111
Related topics 112
server-policy custom-application url-replacer 112
Syntax 114
Example 116
Related topics 116
server-policy health 116
Syntax 117
Example 120
Related topics 120
server-policy http-content-routing-policy 121
Syntax 121
Example 126
Related topics 127
server-policy pattern custom-data-type 127
Syntax 127
Example 127
Related topics 128
server-policy pattern custom-global-white-list-group 128
Syntax 128
Example 130
Related topics 130
server-policy pattern custom-susp-url 130
Syntax 130
Example 130
Related topics 131
server-policy pattern custom-susp-url-rule 131
Syntax 131
Example 132
Related topics 132
server-policy pattern data-type-group 132
Syntax 132

Example 136
Related topics 137
server-policy pattern suspicious-url-rule 137
Syntax 137
Example 138
Related topics 139
server-policy pattern threat-weight 139
Syntax 139
Example 142
Related Topics 142
server-policy persistence-policy 142
Syntax 142
Example 146
Related topics 146
server-policy policy 146
Syntax 147
Example 169
Related topics 170
server-policy server-pool 170
Syntax 171
Example 192
Related topics 192
server-policy service custom 192
Syntax 193
Example 193
Related topics 193
server-policy service predefined 193
Syntax 194
Example 194
Related topics 194
server-policy setting 194
Syntax 195
Related topics 196
server-policy vserver 196
Syntax 196
Example 197
Related topics 197
system accprofile 198
Syntax 198
Example 200

Related topics 200
system admin 201
Syntax 201
Example 205
Related topics 206
system admin-certificate ca 206
Syntax 206
Example 207
system admin-certificate local 207
Syntax 207
Example 208
system advanced 208
Syntax 209
Related topics 210
system antivirus 210
Syntax 210
system autoupdate override 212
Syntax 212
Related topics 212
system autoupdate schedule 212
Syntax 213
Example 213
Related topics 214
system autoupdate tunneling 214
Syntax 214
Example 215
Related topics 215
system backup 215
Syntax 215
Example 217
Related topics 218
system central-management 218
Syntax 218
Example 218
system certificate ca 218
Syntax 219
Example 219
Related topics 220
system certificate ca-group 220
Syntax 220

Example 221
Related topics 221
system certificate crl 221
Syntax 222
Related topics 222
system certificate crl-group 222
Syntax 223
Related topics 223
system certificate intermediate-certificate 223
Syntax 224
Example 224
Related topics 225
system certificate intermediate-certificate-group 225
Syntax 225
Related topics 225
system certificate local 226
Syntax 226
Example 227
Related topics 229
system certificate remote 229
Syntax 229
Example 229
Related topics 230
system certificate server-certificate-verify 230
Syntax 230
Related topics 230
system certificate sni 231
Syntax 231
Related topics 232
system certificate tsl-ca 233
Syntax 233
Related topics 233
system certificate urlcert 233
Syntax 234
Related topics 234
system certificate verify 234
Syntax 235
Related topics 235
system conf-sync 235
Syntax 236

Related topics 238
system console 238
Syntax 238
Example 239
Related topics 239
system decoding enhancement 239
Syntax 239
Example 240
Related Topic(s) 241
system device-tracking 241
Syntax 241
Example 242
Related Topics 242
system dns 242
Syntax 243
Example 243
Related topics 243
system eventhub 244
Syntax 244
Related topics 245
system fail-open 245
Syntax 246
Related topics 246
system fds proxy 246
Syntax 246
Example 247
system feature-visibility 247
Syntax 248
Related Topics 248
system fips-cc 248
Syntax 249
system firewall address 249
Syntax 249
Related topics 250
system firewall service 250
Syntax 250
Related topics 251
system firewall firewall-policy 251
Syntax 251
Example 253

Related topics 253
system firewall snat-policy 254
Syntax 254
Related Topic 255
system fortigate-integration 255
Syntax 256
Related topics 256
system fortisandbox 257
Syntax 257
Example 258
Related topics 258
system global 258
Syntax 258
Example 265
Related topics 265
system ha 265
Syntax 266
Example 277
Related topics 278
system hsm info 278
Syntax 278
Related topics 279
system hsm partition 279
Syntax 280
Related topics 280
system interface 280
Syntax 280
Example 286
Example 286
Related topics 287
system ip-detection 287
Syntax 287
Related topics 287
system network-option 287
Syntax 288
Example 290
Related topics 291
system password-policy 291
Syntax 291
Example 292

system raid 293
Syntax 293
Example 293
Related topics 294
system replacemsg 294
Syntax 294
Related topics 295
system replacemsg-image 296
Syntax 296
Related topics 296
system settings 296
Syntax 298
Related topics 299
system snmp community 299
Syntax 300
Example 303
Related topics 303
system snmp sysinfo 304
Syntax 304
Example1234 305
Related topics 305
system snmp user 306
Syntax 306
Example 309
Related topics 309
system tcpdump 309
Syntax 310
Related topics 310
system v-zone 310
Syntax 311
Example 312
Related topics 312
system wccp 312
Syntax 313
Example 315
Related topics 315
user admin-usergrp 315
Syntax 316
Example 317
Related topics 317

user kerberos-user 317
Syntax 317
Related topics 318
user ldap-user 318
Syntax 318
Example 321
Related topics 321
user local-user 322
Syntax 322
Example 322
Related topics 323
user ntlm-user 323
Syntax 323
Example 324
Related topics 324
user pki-user 324
Syntax 324
Example 325
user radius-user 325
Syntax 326
Related topics 327
user saml-user 327
Syntax 327
Example 328
Related topic 328
user user-group 329
Syntax 329
Example 330
Related topics 331
wad file-filter 331
Syntax 331
Example 332
Related topics 332
wad website 332
Syntax 333
Example 336
Related topics 336
waf allow-method-exceptions 337
Syntax 337
Example 339

Related topics 339
waf allow-method-policy 339
Syntax 340
Example 341
Related topics 341
waf application-layer-dos-prevention 341
Syntax 341
Example 343
Related topics 343
waf base-signature-disable 343
Syntax 344
Example 344
Related topics 344
waf brute-force-login 344
Syntax 345
Example 347
Related topics 347
waf cookie-security 347
Syntax 348
Related topics 351
waf csrf-protection 351
Syntax 352
Example 354
waf custom-access policy 355
Syntax 355
Example 356
Related topics 356
waf custom-access rule 356
Syntax 356
Example 368
Related topics 368
waf custom-protection-group 368
Syntax 369
Example 369
Related topics 370
waf custom-protection-rule 370
Syntax 370
Example 375
Related topics 375
waf device-reputation 375

Syntax 375
Example 378
Related Topics 378
waf exclude-url 378
Syntax 378
Example 379
Related topics 380
waf file-compress-rule 380
Syntax 380
Example 381
Related topics 382
waf file-uncompress-rule 382
Syntax 382
Example 383
Related topics 384
waf file-upload-restriction-policy 384
Syntax 384
Related topics 387
waf file-upload-restriction-rule 387
Syntax 388
Example 390
Related topics 390
waf ftp-command-restriction-rule 390
Syntax 391
Related Topic 393
waf ftp-file-security 393
Syntax 393
Related Topic 395
waf geo-block-list 395
Syntax 396
Example 397
Related topics 397
waf geo-ip-except 397
Syntax 397
Example 398
Related topics 398
waf hidden-fields-protection 398
Syntax 398
Related topics 399
waf hidden-fields-rule 399

Syntax 400
Example 403
Related topics 403
waf http-authen http-authen-policy 403
Syntax 404
Example 405
Related topics 406
waf http-authen http-authen-rule 406
Syntax 406
Example 408
Related topics 408
waf http-connection-flood-check-rule 408
Syntax 409
Related topics 410
waf http-constraints-exceptions 410
Syntax 410
Example 414
Related topics 415
waf http-header-security 415
Syntax 415
Example 417
waf http-protocol-parameter-restriction 418
Syntax 418
Example 421
Related topics 421
waf http-request-flood-prevention-rule 421
Syntax 422
Example 424
Related topics 424
waf input-rule 424
Syntax 425
Example 429
Related topics 429
waf ip-intelligence 429
Syntax 430
Example 432
Related topics 432
waf ip-intelligence-exception 433
Syntax 433
Example 433

Related topics 433
waf ip-list 433
Syntax 434
Example 435
Related topics 436
waf layer4-access-limit-rule 436
Syntax 436
Example 439
Related topics 439
waf layer4-connection-flood-check-rule 439
Syntax 440
Example 441
Related topics 441
waf machine-learning 441
Syntax 442
Related Topic 444
waf machine-learning-policy 444
Syntax 444
Related Topics 449
waf mitb-policy 449
Syntax 449
Related topics 450
waf mitb-rule 450
Syntax 450
Related topics 452
waf openapi-file 452
Syntax 452
Related topics 452
waf openapi-validation-policy 452
Syntax 452
Related topics 453
waf padding-oracle 453
Syntax 453
Example 457
Related topics 457
waf page-access-rule 457
Syntax 458
Example 460
Related topics 460
waf parameter-validation-rule 461

Syntax 461
Example 461
Related topics 462
waf signature 462
Syntax 464
Example 470
Related topics 471
waf site-publish-helper authentication-server-pool 471
Syntax 471
Example 472
Related topics 472
waf site-publish-helper keytab_file 472
waf site-publish-helper policy 473
Syntax 473
Example 474
Related topics 475
waf site-publish-helper rule 475
Syntax 476
Example 484
Related topics 485
waf start-pages 485
Syntax 486
Example 489
Related topics 489
waf url-access url-access-policy 489
Syntax 489
Example 490
Related topics 490
waf url-access url-access-rule 490
Syntax 491
Example 495
Related topics 495
waf url-rewrite url-rewrite-policy 496
Syntax 496
Related topics 496
waf url-rewrite url-rewrite-rule 497
Syntax 498
Related topics 504
waf user-tracking policy 504
Syntax 504

waf user-tracking rule 505
Syntax 505
Example 510
Related topics 511
waf web-cache-exception 511
Syntax 511
Related topics 513
waf web-cache-policy 513
Syntax 513
Related topics 516
waf web-protection-profile autolearning-profile 516
Syntax 517
Related topics 518
waf web-protection-profile inline-protection 518
Syntax 519
Related topics 531
waf web-protection-profile offline-protection 531
Syntax 532
Related topics 539
waf websocket-security rule 539
Syntax 540
Related topics 541
waf websocket-security policy 541
Syntax 541
Related topics 542
waf x-forwarded-for 542
Syntax 542
Example 545
waf xml-schema 545
Syntax 546
Related topics 546
waf xml-validation 546
Syntax 546
Example 551
Related topics 552
waf xml-wsdl 552
Syntax 552
Related topics 552
wvs policy 553
Syntax 553

Example 554
Related topics 554
wvs profile 554
Syntax 555
Example 555
Related topics 555
wvs schedule 556
Syntax 556
Example 557
Related topics 557
diagnose 558
debug 559
Syntax 560
Related topics 561
debug application autolearn 561
Syntax 561
Related topics 562
debug application confd-hamsg 562
Syntax 562
Example 563
Related topics 563
debug application detect 563
Syntax 564
Related topics 564
debug application dssl 564
Syntax 564
Related topics 565
debug application fds 565
Syntax 565
Related topics 566
debug application hasync 566
Syntax 566
Example 566
Related topics 567
debug application hatalk 567
Syntax 567
Example 568
Related topics 568
debug application http 569
Syntax 569

Related topics 569
debug application miglogd 569
Syntax 570
Related topics 570
debug application mulpattern 570
Syntax 570
Related topics 571
debug application proxy 571
Syntax 571
Related topics 572
debug application proxy-error 572
Syntax 572
Related topics 572
debug application snmp 573
Syntax 573
Related topics 573
debug application ssl 573
Syntax 574
Example 574
Related topics 574
debug application sysmon 574
Syntax 574
Related topics 575
debug application ustack 575
Syntax 575
Related topics 576
debug application waf-fds-update 576
Syntax 576
Related topics 576
debug cli 577
Syntax 577
Related topics 577
debug cmdb 577
Syntax 577
Related topics 578
debug console timestamp 578
Syntax 578
Related topics 578
debug coredumplog 579
Syntax 579

Related Topic 579
debug crashlog 579
Syntax 579
Example 579
debug daemonlog 580
Syntax 580
Related Topic 580
debug dnsproxy list 580
Syntax 580
Example 580
Related topics 581
debug emerglog 581
Syntax 581
debug flow filter 581
Syntax 581
Related topics 582
debug flow filter module-detail 582
Syntax 582
Related topics 583
debug flow reset 583
Syntax 583
Related topics 583
debug flow trace 583
Syntax 583
Example 583
Related topics 586
debug info 586
Syntax 586
Example 586
Related topics 587
debug init 587
Syntax 587
debug kernlog 588
Syntax 588
Related Topic 588
debug netstatlog 588
Syntax 588
Related Topic 588
debug reset 589
Syntax 589

Related topics 589
debug trace report 589
Syntax 589
Related topics 590
debug trace tcpdump 590
Syntax 590
Related topics 590
debug upload 590
Syntax 591
Example 591
Related topics 591
hardware check 591
Syntax 591
Example 592
hardware cpu 592
Syntax 592
Example 592
Related topics 593
hardware fail-open 593
hardware harddisk 593
Syntax 593
Example 593
Related topics 594
hardware interrupts 594
Syntax 594
Example 594
Related topics 595
hardware logdisk info 595
Syntax 595
Example 595
Related topics 595
hardware mem 596
Syntax 596
Example 596
Related topics 597
hardware nic 597
Syntax 597
Example 598
Related topics 599
hardware raid list 599

Syntax 599
Example 599
Related topics 599
index 600
Syntax 600
Example 600
Related topics 600
log 601
Syntax 601
Example 601
Related topics 601
network arp 602
Syntax 602
Example 602
Related topics 602
network ip 603
Syntax 603
Example 603
Example 604
Related topics 604
network route 604
Syntax 604
Example 605
Example 605
Related topics 605
network rtcache 605
Syntax 606
Example 606
Example 606
Related topics 606
network sniffer 607
Syntax 607
Example 609
Example 609
Example 609
network tcp list 611
Syntax 612
Example 612
Related topics 612
network udp list 613

Syntax 613
Example 613
Related topics 613
policy 614
Syntax 614
Example 614
Related topics 615
system flash 615
Syntax 615
Example 616
Related topics 616
system ha file-stat 616
Syntax 616
Example 616
Related topics 616
system ha mac 617
Syntax 617
Example 617
Related topics 617
system ha status 617
Syntax 618
Example 618
Related topics 618
system ha sync-stat 618
Syntax 618
Example 619
Related topics 619
system kill 619
Syntax 619
Related topics 620
system mount 620
Syntax 620
Example 620
Related topics 621
system top 621
Syntax 621
Example 621
Related topics 622
system update info 622
Syntax 622

Example 623
execute 625
backup cert-config 625
Syntax 625
Example 626
Related topics 626
backup cli-config 626
Syntax 627
Example 627
Related topics 627
backup full-config 627
Syntax 628
Example 628
Related topics 628
backup web-protection-profile 628
Syntax 629
Example 629
Related topics 629
batch 629
Syntax 629
create-raid level 630
Syntax 630
Related topics 631
create-raid rebuild 631
Syntax 631
Example 631
Related topics 631
date 632
Syntax 632
Example 632
Related topics 632
db rebuild 632
Syntax 632
Related topics 633
erase-disk 633
Syntax 633
factoryreset 633
Syntax 633
Related topics 634
formatlogdisk 634

Syntax 634
Related topics 634
ha disconnect 634
Syntax 635
Example 635
Related topics 635
ha manage 636
Syntax 636
Example 636
Related topics 636
ha md5sum 637
Syntax 637
Example 637
Related topics 637
ha synchronize 637
Syntax 637
Example 638
Related topics 638
ping 638
Syntax 639
Example 639
Example 639
Related topics 640
ping6 640
Syntax 640
Example 640
Related topics 641
ping-options 641
Syntax 641
Example 642
Related topics 643
ping6-options 643
Syntax 643
Example 644
Related topics 644
reboot 644
Syntax 644
Example 645
Related topics 645
remove vmlicense 645

Syntax 645
Example 645
Related Topics 646
restore cert-config 646
Syntax 646
Example 646
Related topics 646
restore config 647
Syntax 647
Example 647
Related topics 647
restore image 648
Syntax 648
Example 648
Related topics 648
restore secondary-image 649
Syntax 649
Example 649
Related topics 649
restore vmlicense 650
Syntax 650
Example 651
session-cleanup 651
Syntax 651
shutdown 651
Syntax 651
Example 651
Related topics 652
telnet 652
Syntax 652
Example 652
Related topics 652
telnettest 653
Syntax 653
Example 653
Related topics 654
time 654
Syntax 654
Example 654
Related topics 654

traceroute 655
Syntax 655
Example 655
Example 655
Example 655
Related topics 656
update-now 656
Syntax 656
get 657
system fortisandbox-statistics 658
Syntax 658
Example 659
Related topics 659
system performance 659
Syntax 659
Example 659
Related topics 659
system status 660
Syntax 660
Example 660
Related topics 660
waf predefined-global-white-list 660
Syntax 661
waf signature-rules 661
Syntax 661
Example 661
Related topics 662
show 663

Introduction
This document describes how to use the command line interface (CLI) of FortiWeb. It assumes that you have already
successfully deployed FortiWeb and completed basic setup by following the instructions in the FortiWeb Administration
Guide: http://docs.fortinet.com/fortiweb/admin-guides.
Scope
At this stage:
l You have administrative access to the web UI and/or CLI.

l The FortiWeb appliance is integrated into your network.
l You have completed firmware updates, if applicable.
l The system time, DNS settings, administrator password, and network interfaces are configured.
l You have set the operation mode.
l You have configured basic logging.
l You have created at least one server policy.
l You have completed at least one phase of auto-learning to jump-start your configuration.
Once that basic installation is complete, you can use this document. This document explains how to use the CLI to:
l Update the FortiWeb appliance.

l Reconfigure features.
l Use advanced features, such as XML protection and reporting.
l Diagnose problems.
This document does not cover the web UI or first-time setup. For that information, see the FortiWeb Administration
Guide: http://docs.fortinet.com/fortiweb/admin-guides.
(Undefined variable:
FortinetVariables.ProductName) FortiWeb 5.5 Fortinet Technologies, Inc.
Patch 4 CLI Reference
32
Conventions
This document uses the conventions described in this section.
IP addresses
To avoid IP conflicts that would occur if you used examples in this document with public IP addresses that belong to a
real organization, the IP addresses used in this document are fictional. They belong to the private IP address ranges
defined by these RFCs.
RFC 1918: Address Allocation for Private Internets
https://tools.ietf.org/html/rfc1918
RFC 5737: IPv4 Address Blocks Reserved for Documentation
RFC 3849: IPv6 Address Prefix Reserved for Documentation
For example, even though a real network’s Internet-facing IP address would be routable on the public Internet, in this
document’s examples, the IP address would be shown as a non-Internet-routable IP such as 192.0.2.108,
198.51.100.155, or 203.0.113.79.
Cautions, notes, & tips

This document uses the following guidance and styles for notes, tips and cautions.
Warn you about procedures or feature behaviors that could have unexpected or
undesirable results including loss of data or damage to equipment.
Highlight important, possibly unexpected but non-destructive, details about a feature’s

behavior.
Present best practices, troubleshooting, performance tips, or alternative methods.
Typographic conventions

33
Convention Example
Button, menu, text box, field, From Minimum log level, select Notification.
or check box label
config system dns

CLI input set primary <address_ipv4>
end
CLI output FortiWeb# diagnose hardware logdisk info

disk number: 1
disk[0] size: 31.46GB
raid level: no raid exists
partition number: 1
mount status: read-write
Emphasis HTTP connections are not secure and can be intercepted by a third party.
File content <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>

<BODY><H4>You must authenticate to use this service.</H4>
Hyperlink https://support.fortinet.com
Keyboard entry Enter a name for the remote VPN peer or client, such as Central_
Office_1.
Navigation Go to VPN > IPSEC > Auto Key (IKE).
Publication For details, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides.
Command syntax
The CLI requires that you use valid syntax, and conform to expected input constraints. It will reject invalid commands.
For command syntax conventions such as braces, brackets, and command constraints such as <address_ipv4>, see
"Notation" on page 45.

What’s new 34
What’s new
The tables below list commands newly added commands for FortiWeb 6.0.2.
Command Change
config system global (page 258)
New.
set admin-lockout-threshold "<admin- Configure the number of invalid logon attempts
lockout-threshold_int>" before the account is locked out.
set admin-lockout-duration "<minutes_int>" Configure the length of time the account remains
locked.
config system password-policy (page 291)
set status {enable | disable}

set min-length-option {enable | disable}
set mini-length "<mini-length_int>"
set single-admin-mode {enable | disable}
set character-requirements {enable
| disable}
set min-upper-case-letter "<min-upper-
case-letter_int>"
set min-lower-case-letter "<min-lower- New.
case-letter_int>" Configure a password policy for administrator
set mini-number "<mini_number_int>" accounts that set rules for password characteristics.
set min-non-alphanumeric "<min-non-
alphanumeric_int>"
set forbid-password-reuse {enable
| disable}
set history-password-number "<history-
password-number_int>"
set expire-status {enable | disable}
set expire-day "<expire-day_int>"
config system admin (page 201)
New.
set force-password-change {enable |
disable} Configure force password change for next login.
config system interface (page 280)
New.
set dynamic_dns1 "<dynamic_dns1_str>"
set dynamic_dns2 "<dynamic_dns2_str>"
When the mode is dhcp, configure the DNS server IP
address.
config system ha (page 1)

What’s new 35
Command Change
New.
set network-type {flat | udp-tunnel} Configure the common HA mode flat or udp-tunnel
mode on OpenStack platform.
config system v-zone (page 310)
set multicast-snooping {enable | New.

disable} Configure multicast snooping.
config system snmp sysinfo (page 304)
New.
set engine-id "<engine-id_str>"
Configure the SNMP engineID string.
config system snmp community (page 299)
set events {cpu-high | intf-ip | log-

full | mem-low | netlink-down-
status | netlink-up-status | policy-
start | policy-stop | pserver-
failed | sys-ha-cluster-status-
change | sys-ha-member-join | sys- New.
ha-member-leave | sys-mode-change | Configure HA cluster and member.
waf-access-attack | waf-amethod-
attack | waf-blogin-attack | waf-
hidden-fields | waf-pvalid-attack |
waf-signature-detection | waf-url-
access-attack | waf-spage-attack}
config system snmp user (page 306)
set trapevent {cpu-high | intf-ip | log-

full | mem-low | netlink-down-
status | netlink-up-status | policy-
start | policy-stop | pserver-
failed | sys-ha-cluster-status-
change | sys-ha-member-join | sys- New.
ha-member-leave | sys-mode-change | Configure HA cluster and member.
waf-access-attack | waf-amethod-
attack | waf-blogin-attack |waf-
hidden-fields | waf-pvalid-attack |
waf-signature-detection | waf-url-
access-attack | waf-spage-attack}
config system network-option (page 287)
set route-priority {system | dhcp} New.

set dns-priority {system | dhcp} Configure the route IP address and DNS.
config log attack-log (page 68)

What’s new 36
Command Change
set packet-log {account-lockout-

detection | anti-virus-detection |
cookie-security | credential-db-
detection | csrf-detection | custom-
access | custom-protection-rule | fsa-
detection | hidden-fields-failed |
http-protocol-constraints | illegal- New.
file-type | illegal-filesize | Add machine learning, openapi validation, and
illegal-json-format | illegal-xml- websocket security attack logs.
format | ip-intelligence | padding-
oracle | parameter-rule-failed |
signature-detection | trojan-detection
| user-tracking-detection | xml-
protection | machine-learning |
openapi-validation | websocket-
security}
config log email-policy (page 75)
set send-email-based-on-interval-time New.

{enable | disable} Configure sending emails by interval.
config system certificate server-certificate-

verify (page 230)
edit "certificate_verificator_name>" New.

set ca "<ca-group_name>" Configure to verify the validity of the back end server
set crl "<crl-group_name>" certificate.
config waf websocket-security rule (page 1)
edit "<websocket-security_rule_name>"
set host-status {enable | disable}
set host <host_str>
set url-type {enable | disable}
set url <url_str>
set block-websocket-traffic {enable
| disable}
set action {alert | deny_no_log | alert_
deny}
New.
set max-frame-size <max-frame-size_int>
set max-message-size <max-message-size_
Configure WebSocket security rule settings.
int>
set block-extensions {enable | disable}
set enable-attack-signatures {enable
| disable}
set allow-plain-text {enable | disable}
set allow-binary-text {enable | disable}
set allowed-origin-list <allowed-origin-
list_id>
config waf websocket-security policy (page 1)

What’s new 37
Command Change
edit "<policy_name>"
New.
config rule-list id
set rule "<rule_name>" Configure WebSocket secuity policy.
config waf openapi-file (page 452)
New.
edit "<openapi-file_name>"
Edit OpenAPI file name.
config waf openapi-validation-policy (page 452)
edit "<openapi-validation-policy_name>"
set action {alert | alert_deny |
block-period | redirect | send_
403_forbidden | deny_no_log}
set block-period "<seconds_int>"
New.
set severity {Low | Medium | High |
Info} Configure OpenAPI validation policy related
set trigger "<trigger-policy_name>" settings.
config schema-file
edit schema-file name
set openapi-file <datasource>
end
config waf mitb-rule (page 450)
edit mitb-rule_name
set action {alert| alert_deny}
set severity {High | Medium | Low |
Info}
set trigger "<trigger-policy_name>"
set host "<host_str>"
set request-url "<request-url_str>"
set request-type {regular | plain} New.
set post-url "<post-url_str>" Configure MiTB rule related settings.
edit protected-parameter-list_name
set type {regular-input | password-
input}
set obfuscate {enable | disable}
set encrypt {enable | disable}
set anti-keyLogger {enable | disable}
edit allowed-external-domains-list_id
set domain "<domain_str>"
config waf mitb-policy (page 449)
edit "<mitb-policy_name>"
config rule list New.
edit "<rule-list_id>" Configure the MiTB policy.
set "<mitb-rule_name>"

What’s new 38
Command Change
config waf web-protection-profile inline-

protection (page 518)
New.
set mitb-protection Configure MiTB protection parameter list name.
set openapi-validation-policy Configure OpenAPI validation policy name.
set websocket-security-policy Configure WebSocket security policy name.
config waf web-protection-profile offline-

protection (page 531)
New.
set openapi-validation-policy
Configure the OpenAPI validation policy name.
config waf machine-learning-policy (page 444)
set allow-method {enable | disable}

set allow-method-exceptions {none others
get post head options trace connect
delete put patch webdav rpc} New.
set ip-list-type {Trust | Black} Configure the HTTP request methods.
config source-ip-list Configure the sample collection from the Source IP
edit What’s new list.
set What’s new
next
end
config server-policy server-pool (page 170)
set server-certificate-verify {enable |

disable}
New.
set server-certificate-verify-action
{alert | alert_deny | redirect } Configure the server certificate verification settings.
set server-certificate-verify-policy
config backup web-protection-profile (page 628) New.

Use this command to back up web protection
profiles.

Using the CLI 39
Using the CLI
The command line interface (CLI) is an alternative to the web UI.
You can use either interface or both to configure the FortiWeb appliance. In the web UI, you use buttons, icons, and
forms. In the CLI, you either type text commands or upload batches of commands from a text file, like a configuration
script.
If you are new to FortiWeb, or if you are new to the CLI, this section can help you to become familiar with using it.
Connecting to the CLI
You can access the CLI in two ways:
l Locally—Connect your computer, terminal server, or console directly to the FortiWeb appliance’s console port.
l Through the network—Connect your computer through any network attached to one of the FortiWeb appliance’s
network ports. To connect using a Secure Shell (SSH) or Telnet client, enable the network interface for Telnet or SSH
administrative access. Enable HTTP/HTTPS administrative access to connect using the CLI Console widget in the web
UI.
Local access is required in some cases, including when you're:
l Installing FortiWeb for the first time and it's not yet configured to connect to your network, unless you reconfigure
your computer’s network settings for a peer connection, you may only be able to connect to the CLI using a local
console connection. For details, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
l Restoring the firmware and FortiWeb utilizes a boot interrupt. Network access to the CLI is not available until after the
boot process completes, and therefore local CLI access is the only viable option.
Before you can access the CLI through the network, you must enable SSH, HTTP/HTTPS, and/or Telnet on the network
interface through which you will access the CLI.
Connecting to the CLI using a local console

Local console connections to the CLI are formed by directly connecting your management computer or console to the
FortiWeb appliance, using its DB-9 console port.
Requirements
l A computer with an available serial communications (COM) port

l The RJ-45-to-DB-9 or null modem cable included in your FortiWeb package
l Terminal emulation software such as PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
The following instructions describe connecting to the CLI using PuTTY; steps may vary
with other terminal emulators.

Using the CLI 40
To connect to the CLI using a local console connection
1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiWeb appliance’s console port to the serial
communications (COM) port on your management computer.
2. On your management computer, start PuTTY.

3. In the Category tree on the left, go to Connection > Serial and configure these settings:
Serial line to connect to COM1 (or, if your computer has multiple serial ports, the name of the connected
serial port)
Speed (baud) 9600
Data bits 8
Stop bits 1
Parity None
Flow control None
4. In the Category tree on the left, go to Session (not the sub-node, Logging).
5. From Connection type, select Serial.
6. Click Open.
7. Press the Enter key to initiate a connection.
8. Enter a valid administrator account name (such as admin) then press Enter.
9. Enter the password for that administrator account and press Enter. By default, there is no password for the admin
account.
The CLI displays the following text, followed by a command line prompt:
Welcome!
You can now enter CLI commands, and configure access to the CLI through SSH or Telnet. For details, see
"Enabling access to the CLI through the network (SSH or Telnet or CLI Console widget)" on page 40.
Enabling access to the CLI through the network

(SSH or Telnet or CLI Console widget)
SSH, Telnet, or CLI Console widget (via the web UI) access to the CLI requires connecting your computer to the
FortiWeb appliance using one of its RJ-45 network ports. You can either connect directly, using a peer connection
between the two, or through any intermediary network.
If you do not want to use an SSH/Telnet client and you have access to the web UI, you
can alternatively access the CLI through the network using the CLI Console widget
in the web UI. For details, see the FortiWeb Administration Guide:

Using the CLI 41
You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your
computer is not connected directly or through a switch, you must also configure the FortiWeb appliance with a static
route to a router that can forward packets from the FortiWeb appliance to your computer. For details, see "router static"
on page 106.
You can do this using either:
l A local console connection (see the following procedure)

l The web UI (see the FortiWeb Administration Guide; http://docs.fortinet.com/fortiweb/admin-guides)
Requirements
l A computer with an available serial communications (COM) port and RJ-45 port
l The RJ-45-to-DB-9 or null modem cable included in your FortiWeb package
l A crossover Ethernet cable (if connecting directly) or straight-through Ethernet cable (if connecting through a switch or
router)
l Prior configuration of the operating mode, network interface, and static route
To enable SSH or Telnet access to the CLI using a local console connection
1. Using the network cable, connect the FortiWeb appliance’s network port either directly to your computer’s network
port, or to a network through which your computer can reach the FortiWeb appliance.
2. Note the number of the physical network port.

3. Using a local console connection, connect and log into the CLI. For details, see "Connecting to the CLI using a local
console" on page 39.
4. Enter the following commands:

config system interface
edit <interface_name>
set allowaccess {http https ping snmp ssh telnet}
end
where:
l <interface_name> is the name of the network interface associated with the physical network port, such as port1
l {http https ping snmp ssh telnet} is the complete, space-delimited list of permitted administrative
access protocols, such as https ssh telnet; omit protocols that you do not want to permit
For example, to exclude HTTP, SNMP, and Telnet, and allow only HTTPS, ICMP ECHO (ping), and SSH
administrative access on port1:
edit "port1"
set allowaccess ping https ssh
next
end
Telnet is not a secure access method. SSH should be used to access the CLI from the
Internet or any other untrusted network.

Using the CLI 42
5. To confirm the configuration, enter the command to view the access settings for the interface.
show system interface <interface_name>
The CLI displays the settings, including the management access settings, for the interface.
6. If you will be connecting indirectly, through one or more routers or firewalls, configure the appliance with at least one
static route so that replies from the CLI can reach your client. See "router static" on page 106.
To connect to the CLI through the network interface, see "Connecting to the CLI using SSH" on page 42 or
"Connecting to the CLI using Telnet" on page 43.
Connecting to the CLI using SSH

Once you configure the FortiWeb appliance to accept SSH connections, you can use an SSH client on your
management computer to connect to the CLI.
Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. Supported SSH
protocol versions, ciphers, and bit strengths vary by whether or not you have enabled FIPS-CC mode or are using a low
encryption (LENC) version, but generally include SSH version 2 with AES-128, 3DES, Blowfish, and SHA-1.
Requirements
l A computer with an RJ-45 Ethernet port

l a crossover Ethernet cable
l a FortiWeb network interface configured to accept SSH connections (see "Enabling access to the CLI through the network
(SSH or Telnet or CLI Console widget)" on page 40)
l an SSH client such as PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
The following procedure describes connection using PuTTY software; steps may vary
with other terminal emulators.
To connect to the CLI using SSH

Initially, the Session category of settings is displayed.
2. In Host Name (or IP Address), enter the IP address of a network interface on which you have enabled SSH
administrative access.
3. In Port, enter 22.

4. For Connection type, select SSH.
5. Click Open.
The SSH client connects to the FortiWeb appliance.
The SSH client may display a warning if this is the first time you are connecting to the FortiWeb appliance and its
SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiWeb appliance but
it used a different IP address or SSH key. If your management computer is directly connected to the FortiWeb
appliance with no network hosts between them, this is normal.

Using the CLI 43
6. Click Yes to verify the fingerprint and accept the FortiWeb appliance’s SSH key. You will not be able to log in until
you have accepted the key.
7. Enter a valid administrator account name (such as admin) and press Enter.
Alternatively, you can log in using an SSH key. For details, see "system admin" on page 201.
8. Enter the password for this administrator account and press Enter.
If three incorrect login or password attempts occur in a row, you will be disconnected.
Wait one minute, then reconnect to attempt the login again.
The FortiWeb appliance displays a command prompt—its host name followed by a #. You can now enter CLI
commands.
Connecting to the CLI using Telnet

Once the FortiWeb appliance is configured to accept Telnet connections, you can use a Telnet client on your
management computer to connect to the CLI.
Telnet is not a secure access method. SSH should be used to access the CLI from the
Internet or any other untrusted network.
Requirements
l A computer with an RJ-45 Ethernet port

l A crossover Ethernet cable
l A FortiWeb network interface configured to accept Telnet connections (see "Enabling access to the CLI through the
network (SSH or Telnet or CLI Console widget)" on page 40)
The following procedure describes connection using PuTTY software; steps may vary with
other terminal emulators.
To connect to the CLI using Telnet

2. In Host Name (or IP Address), type the IP address of a network interface on which you have enabled Telnet
administrative access.
3. In Port, enter 23.

4. For Connection type, select Telnet.
5. Click Open.
6. Type a valid administrator account name (such as admin) and press Enter.
7. Type the password for this administrator account and press Enter.

Using the CLI 44
The FortiWeb appliance displays a command prompt—its host name followed by a #. You can now enter CLI
commands.
If three incorrect login or password attempts occur in a row, you will be disconnected. Wait
one minute, then reconnect to attempt the login again.
Command syntax
When entering a command, the CLI requires that you use valid syntax and conform to expected input constraints. It will
reject invalid commands.
For example, if you do not type the entire object that will receive the action of a command operator such as config,
the CLI will return an error message such as:
Command fail. CLI parsing error
This document uses the following conventions to describe valid command syntax.
Terminology
Each command line consists of a command word followed by words for the configuration data or other specific item that
the command uses or affects, for example:
get system admin
This document uses the below terms to describe the function of each word in the command line.
Command syntax terminology
l Command—A word that begins the command line and indicates an action that FortiWeb should perform on a part of
the configuration or host on the network, such as config or execute. Together with other words, such as fields or
values, that you terminate by pressing the Enter key, it forms a command line. Exceptions include multi-line
command lines, which can be entered using an escape sequence. For details, see "Shortcuts & key commands" on
page 54.
Valid command lines must be unambiguous if abbreviated. For details, see "Command abbreviation" on page 55.

Using the CLI 45
Optional words or other command line permutations are indicated by syntax notation. For details, see "Notation" on
page 45.
If you do not enter a known command, the CLI will return an error message such as:
Unknown action 0
l Subcommand—A kind of command that is available only when nested within the scope of another command. After
entering a command, its applicable subcommands are available to you until you exit the scope of the command, or
until you descend an additional level into another subcommand. Indentation is used to indicate levels of nested
commands. For details, see "Indentation" on page 45.
Not all top-level commands have subcommands. Available subcommands vary by their containing scope. For details,
see "Subcommands" on page 48.
l Object—A part of the configuration that contains tables and/or fields. Valid command lines must be specific enough
to indicate an individual object.
l Table—A set of fields that is one of possibly multiple similar sets that each have a name or number, such as an
administrator account, policy, or network interface. These named or numbered sets are sometimes referenced by
other parts of the configuration that use them. For details, see "Notation" on page 45.
l Field—The name of a setting, such as ip or hostname. Fields in some tables must be configured with values.
Failure to configure a required field will result in an invalid object configuration error message, and the FortiWeb
appliance will discard the invalid table.
l Value—A number, letter, IP address, or other type of input that is usually the configuration setting held by a field.
Some commands, however, require multiple input values which may not be named but are simply entered in
sequential order in the same command line. Valid input types are indicated by constraint notation. For details, see
"Notation" on page 45.
l Option—A kind of value that must be one or more words from a fixed set of options. For details, see "Notation" on
page 45.
Indentation
Indentation indicates levels of nested commands, which indicate what other subcommands are available from within
the scope.
For example, the edit subcommand is available only within a command that affects tables, and the next
subcommand is available only from within the edit subcommand:
edit port1
set status up
next
end
For details about available subcommands, see "Subcommands" on page 48.
Notation
Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as
<address_ipv4>, indicate which data types or string patterns are acceptable value input.

Using the CLI 46
If you do not use the expected data type, the CLI returns an error message such as:
object set operator error, -4003 discard the setting
The request URL must start with "/" and without domain name.
or:
invalid unsigned integer value :-:
value parse error before '-'

Input value is invalid.
and may either reject or discard your settings instead of saving them when you type
end.
Command syntax notation
Square brackets [ ] A non-required (optional) word or words. For example:

[verbose {1 | 2 | 3}]
indicates that you may either omit or type both the verbose word and its
accompanying option, such as:
verbose 3
A word or series of words that is constrained to a set of options delimited

by either vertical bars or spaces.
Curly braces { }
You must enter at least one of the options, unless the set of options is
surrounded by square brackets [ ].
Mutually exclusive options. For example:
Options delimited {enable | disable}

by vertical bars |
indicates that you must enter either enable or disable, but must not
enter both.
Non-mutually exclusive options. For example:

{http https ping snmp ssh telnet}
indicates that you may enter all or a subset of those options, in any order,
in a space-delimited list, such as:
Options delimited ping https ssh
by spaces
Note: To change the options, you must re-type the entire list. For
example, to add snmp to the previous example, you would type:
ping https snmp ssh
If the option adds to or subtracts from the existing list of options, instead

Using the CLI 47
of replacing it, or if the list is comma-delimited, the exception will be

noted.
Angle brackets < > A word constrained by data type.
To define acceptable input, the angled brackets contain a descriptive

name followed by an underscore ( _ ) and suffix that indicates the valid
data type. For example:
<retries_int>
indicates that you should enter a number of retries, such as 5.
Data types include:
l <xxx_name>—A name referring to another part of the configuration,

such as policy_A.
l <xxx_index>—An index number referring to another part of the

configuration, such as 0 for the first static route.
l <xxx_pattern>—A regular expression or word with wild cards that

matches possible variations, such as *@example.com to match all e-
mail addresses ending in @example.com.
l <xxx_fqdn>—A fully qualified domain name (FQDN), such as

mail.example.com.
l <xxx_email>—An email address, such as

[email protected].
l <xxx_url>—A uniform resource locator (URL) and its associated

protocol and host name prefix, which together form a uniform resource
identifier (URI), such as http://www.fortinet.com/.
l <xxx_ipv4>—An IPv4 address, such as 192.0.2.99.
l <xxx_v4mask>—A dotted decimal IPv4 netmask, such as

255.255.255.0.
l <xxx_ipv4mask>—A dotted decimal IPv4 address and netmask

separated by a space, such as 192.0.2.99 255.255.255.0.
l <xxx_ipv4/mask> — A dotted decimal IPv4 address and CIDR-

notation netmask separated by a slash, such as such as
192.0.2.99/24.
l <xxx_ipv6>—A colon(:)-delimited hexadecimal IPv6 address, such

as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
l <xxx_v6mask>—An IPv6 netmask, such as /96.
l <xxx_ipv6mask>—An IPv6 address and netmask separated by a

space.
l <xxx_str>—A string of characters that is not another data type, such

Using the CLI 48
as P@ssw0rd. Strings containing spaces or special characters must be

surrounded in quotes or use escape sequences. For details, see "Special
characters" on page 55.
l <xxx_int>—An integer number that is not another data type, such as

15 for the number of minutes.
Subcommands
Once you connect to the CLI, you can enter commands.
Each command line consists of a command word that is usually followed by words for the configuration data or other
specific item that the command uses or affects, for example:
get system admin
Subcommands are available from within the scope of some commands. When you enter a subcommand level, the
command prompt changes to indicate the name of the current command scope. For example, after entering:
config system admin
the command prompt becomes:

(admin)#
Applicable subcommands are available to you until you exit the scope of the command, or until you descend an
additional level into another subcommand.
For example, the edit subcommand is available only within a command that affects tables; the next subcommand is
available only from within the edit subcommand:
edit port1
set status up
next
end
Available subcommands vary by command. From a command prompt within config, two types of subcommands
might become available:
l Commands that affect fields (see "Field commands" on page 50)

l Commands that affect tables (see "Table commands" on page 49)
Subcommand scope is indicated in this CLI Reference Guide by indentation. For

details, see "Indentation" on page 45.
Syntax examples for each top-level command in this CLI Reference Guide do not
show all available subcommands. However, when nested scope is demonstrated, you
should assume that subcommands applicable for that level of scope are available.

Using the CLI 49
Table commands
delete <table_name> Remove a table from the current object.
For example, in config system admin, you could delete an

administrator account named newadmin by typing delete newadmin
and pressing Enter. This deletes newadmin and all its fields, such as
newadmin’s first-name and email-address.
delete is only available within objects containing tables.
Create or edit a table in the current object.
For example, in config system admin:
l Edit the settings for the default admin administrator account by typing edit
admin.
l Add a new administrator account with the name newadmin and edit
edit <table_name> newadmin‘s settings by entering edit newadmin.
edit is an interactive subcommand: further subcommands are available
from within edit.
edit changes the prompt to reflect the table you are currently editing.
edit is only available within objects containing tables.
end Save the changes to the current object and exit the config command. This
returns you to the top-level command prompt.
List the configuration of the current object or table.
l In objects, get lists the table names (if present), or fields and their values.
get
l In a table, get lists the fields and their values.
For more information on get commands, see "get" on page 657.
purge Remove all tables in the current object.
For example, in config user local-user, you could type get to

see the list of all local user names, then type purge and then y to confirm
that you want to delete all users.
purge is only available for objects containing tables.
Caution: Back up the FortiWeb appliance before performing a purge

because it cannot be undone. To restore purged tables, the configuration
must be restored from a backup. For details, see "backup cli-config" on
page 626.
Caution: Do not purge system interface or system admin

tables. This can result in being unable to connect or log in, requiring the
FortiWeb appliance to be formatted and restored.

Using the CLI 50
Display changes to the default configuration. Changes are listed in the

show form of configuration commands.
For more information on show commands, see "show" on page 663.
Example of table commands

From within the system admin object, you might enter:
edit admin_1
The CLI acknowledges the new table, and changes the command prompt to show that you are now within the admin_1
table:
new entry 'admin_1' added
(admin_1)#
Field commands
abort Exit both the edit and/or config commands without saving the fields.
Save the changes made to the current table or object fields, and exit the
end
config command. To exit without saving, use abort instead.
get List the configuration of the current object or table.
l In objects, get lists the table names (if present), or fields and their values.
l In a table, get lists the fields and their values.
Save the changes you have made in the current table’s fields, and exit the
edit command to the object prompt. To save and exit completely to the
root prompt, use end instead.
next next is useful when you want to create or edit several tables in the same
object, without leaving and re-entering the config command each time.
next is only available from a table prompt; it is not available from an

object prompt.
set <field_name> <value> Set a field’s value.
For example, in config system admin, after entering edit admin,

you could enter set password newpass to change the password of
the admin administrator to newpass.
Note: When using set to change a field containing a space-delimited list,

enter the whole new list. For example, set <field> <new-value>
will replace the list with the <new-value> rather than appending <new-
value> to the list.
Display changes to the default configuration. Changes are listed in the form of
show
configuration commands.

Using the CLI 51
unset <field_name> Reset the table or object’s fields to default values.
For example, in config system admin, after entering edit admin,

entering unset password resets the password of the admin
administrator account to the default (in this case, no password).
Example of field commands

From within the admin_1 table, you might enter:
set password "my1stExamplePassword"
to assign the value my1stExamplePassword to the password field. You might then enter the next command to
save the changes and edit the next administrator’s table.
Permissions
Depending on the account that you use to log in to the FortiWeb appliance, you may not have complete access to all
CLI commands or areas of the web UI.
Access profiles control which commands and areas an administrator account can access. Access profiles assign either:
l Read (view access)

l Write (change and execute access)
l Both Read and Write
l No access
to each area of the FortiWeb software. For details about configuring the access profile for an administrator account to
use, see "system accprofile" on page 198.
Access profile permissions
Admin Users System > Admin ... except Settings Web UI
admingrp config system admin

config system accprofile
CLI
Auth Users User ... Web UI
authusergrp config user ... CLI
Autolearn Auto Learn > Auto Learn Profile > Auto Learn Profile Web UI
Configuration
config server-policy custom-application ...

config waf web-protection-profile autolearning-profile
learngrp CLI
Note: Because generating an auto-learning profile also generates its required
components, this area also confers Write permission to those components in

Using the CLI 52
the Web Protection Configuration/wafgrp area.
Log & Report Log&Report ... Web UI
config log ...

loggrp
execute formatlogdisk
CLI
Maintenance System > Maintenance except System Time tab Web UI
diagnose system ...

execute backup ...
execute factoryreset
mntgrp execute reboot CLI
execute restore ...
execute shutdown
diagnose system flash ...
Network System > Network ... Web UI

Configuration
config router ...

netgrp config system dns CLI
config system v-zone
diagnose network ... except sniffer ...
System System ... except Network, Admin, and Maintenance tabs Web UI
Configuration
config system except accprofile, admin, dns, interface,

and v-zone
diagnose hardware ...
diagnose network sniffer ...
diagnose system ... except flash ...
sysgrp
execute date ... CLI
execute ha ...
execute ping ...
execute ping-option ...
execute traceroute ...
execute time ...
Server Policy Policy > Server Policy ... Web UI

Configuration
Server Objects ...
Application Delivery ...
config server-policy ... except custom-application ...

config waf file-compress-rule
config waf file-uncompress-rule
traroutegrp
config waf http-authen ...
CLI
config waf url-rewrite ...
diagnose policy ...

Using the CLI 53
Web Anti- Web Anti-Defacement ... Web UI

Defacement
Management
wadgrp config wad ... CLI
Web Protection Policy > Web Protection ... Web UI

Configuration
Web Protection ...
DoS Protection ...
config system dos-prevention
config waf except:
l config waf file-compress-rule

l config waf file-uncompress-rule
wafgrp l config waf http-authen ... CLI
l config waf url-rewrite ...
l config waf web-custom-robot
l config waf web-protection-profile autolearning-profile
l config waf web-robot
l config waf x-forwarded-for
Web Vulnerability Web Vulnerability Scan ... Web UI

Scan Configuration
wvsgrp config wvs ... CLI
* For each config command, there is an equivalent get/show command, unless otherwise noted.
config access requires write permission.
get/show access requires read permission.
Unlike other administrator accounts, the administrator account named admin exists by default and cannot be deleted.
The admin administrator account is similar to a root administrator account. This administrator account always has full
permission to view and change all FortiWeb configuration options, including viewing and changing all other
administrator accounts. Its name and permissions cannot be changed. It is the only administrator account that can reset
another administrator’s password without being required to enter that administrator’s existing password.
Set a strong password for the admin administrator account, and change the
password regularly. By default, this administrator account has no password. Failure to
maintain the password of the admin administrator account could compromise the
security of your FortiWeb appliance.
For complete access to all commands, you must log in with the admin administrator account.

Using the CLI 54
Tips & tricks
Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.
This section includes:
l "Help" on page 54
l "Shortcuts & key commands" on page 54
l "Command abbreviation" on page 55
l "Special characters" on page 55
l "Language support & regular expressions" on page 56
l "Screen paging" on page 57
l "Baud rate" on page 58
l "Editing the configuration file in a text editor" on page 58
l "Pipeline 'grep' command" on page 59
Help
To display brief help during command entry, enter the question mark (?) key:
l At the command prompt to display a list of the commands available and a description of each.
l After a command keyword to display a list of the objects available with that command and a description of each.
l After entering a word or part of a word to display a list of valid word completions or subsequent words, and to display a
description of each.
Shortcuts & key commands

Action Keys
List valid word completions or subsequent words. ?
If multiple words could complete your entry, display all possible completions with
helpful descriptions of each.
Complete the word with the next available match.

Tab
Press the key multiple times to cycle through available matches.
Recall the previous command. Up arrow, or
Command memory is limited to the current session. Ctrl + P
Down arrow, or
Recall the next command.
Ctrl + N
Move the cursor left or right within the command line. Left or Right arrow

Using the CLI 55
Action Keys
Move the cursor to the beginning of the command line. Ctrl + A
Move the cursor to the end of the command line. Ctrl + E
Move the cursor backwards one word. Ctrl + B
Move the cursor forwards one word. Ctrl + F
Delete the current character. Ctrl + D
Abort current interactive commands, such as when entering multiple lines. Ctrl + C
If you are not currently within an interactive command such as config or edit, this
closes the CLI connection.
Continue typing a command on the next line for a multi-line command.
For each line that you want to continue, terminate it with a backslash ( \ ). To \ then Enter
complete the command line, terminate it by pressing the spacebar and then the Enter
key, without an immediately preceding backslash.
Command abbreviation
You can abbreviate words in the command line to their smallest number of non-ambiguous characters. For example, the
command get system status could be abbreviated to:
g sy st
If you enter an ambiguous command, the CLI returns an error message such as:
ambiguous command before 's'
Value conflicts with system settings.
Special characters
Special characters <, >, (, ), #, ', and " are usually not permitted in CLI. If you use them, the CLI will often return an
error message such as:
The string contains XSS vulnerability characters
value parse error before '%^@'

Input not as expected.
Some may be enclosed in quotes or preceded with a backslash ( \ ) character.

Using the CLI 56
Entering special characters
Character Key
? Ctrl + V then ?
Tab Ctrl + V then Tab
Space Enclose the string in quotation marks: "Security Administrator"
(to be interpreted as part of Enclose the string in single quotes: 'Security Administrator'
a string value, not to end
Precede the space with a backslash: Security\ Administrator
the string)
'
(to be interpreted as part of \'

the string)
" \"
(to be interpreted as part of

the string)
\ \\
Language support & regular expressions

The CLI currently supports the following languages:
l English
l Japanese
l Simplified Chinese
l Traditional Chinese
Characters such as ñ, é, symbols, and ideographs are sometimes acceptable input. Support varies by the nature of the
item being configured. CLI commands, objects, field names, and options must use their exact ASCII characters, but
some items with arbitrary names or values may be input using your language of choice.
For example, the host name must not contain special characters, and so the web UI and CLI will not accept most
symbols and other non-ASCII encoded characters as input when configuring the host name. This means that languages
other than English often are not supported. However, some configuration items, such as names and comments, may be
able to use the language of your choice.
To use other languages in those cases, you must use the correct encoding.
FortiWeb stores inputs using Unicode UTF-8 encoding, but it is not normalized from other encodings into UTF-8 before
stored. If your input method encodes some characters differently than in UTF-8, your configured items may not display
or operate as expected.

Using the CLI 57
Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular
expression using another encoding, or if an HTTP client sends a request in an encoding other than UTF-8, matches may
not be what you expect.
For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as yen symbols ( ¥ ) and vice versa. A
regular expression intended to match HTTP requests containing money values with a yen symbol therefore may not
work it if the symbol is entered using the wrong encoding.
For best results, you should use:
l UTF-8 encoding.
l Only the characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters that are
also encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS and other encodings.
l Regular expressions that match HTTP requests.
l The same encoding as your HTTP clients.
HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary by the client’s operating system
or input language. If you cannot predict the client’s encoding, you may only be able to match any parts of the request
that are in English, because regardless of the encoding, the values for English characters tend to be encoded identically.
For example, English words may be legible regardless of interpreting a web page as either ISO 8859-1 or as GB2312,
whereas simplified Chinese characters might only be legible if the page is interpreted as GB2312.
To configure your FortiWeb appliance using other encodings, you may need to switch language settings on your
management computer, including for your web browser or Telnet or SSH client. For instructions on how to configure
your management computer’s operating system language, locale, or input method, see its documentation.
If you choose to configure parts of the FortiWeb appliance using non-ASCII characters, verify that all systems
interacting with the FortiWeb appliance also support the same encodings. You should also use the same encoding
throughout the configuration if possible in order to avoid needing to switch the language settings of your web browser or
Telnet or SSH client while you work.
Similarly to input, your web browser or CLI client should usually interpret display output as encoded using UTF-8. If it
does not, your configured items may not display correctly in the web UI or CLI. Exceptions include items such as regular
expressions that you may have configured using other encodings in order to match the encoding of HTTP requests that
the FortiWeb appliance receives.
To enter non-ASCII characters in the CLI:
l CLI access via the web UI—Configure your web browser to interpret the page as
UTF-8 encoded. The console will then display non-ASCII characters in commands
in their character code equivalent.
l CLI access via a Telnet or SSH client—Configure the client to send and
receive characters using UTF-8 encoding. Depending on the client, you may have
to enter non-ASCII characters in commands in their character code equivalent.
Screen paging
When output spans multiple pages, you can configure the CLI to pause after each page. When the display pauses, the
last line displays --More--. You can then either:
l Press the spacebar to display the next page.

l Enter Q to truncate the output and return to the command prompt.

Using the CLI 58
This may be useful when displaying lengthy output, such as the list of possible matching commands for command
completion, or a long list of settings. Rather than scrolling through or possibly exceeding the buffer of your terminal
emulator, you can simply display one page at a time.
To configure the CLI display to pause after each full screen:

config system console
set output more
end
For details, see "system console" on page 238.
Baud rate
You can change the default baud rate of the local console connection. For details, see "system console" on page 238.
Editing the configuration file in a text editor

Editing the configuration file with a plain text editor can be time-saving if:
l You have many changes to make

l Are not sure where the setting is in the CLI
l Own several FortiWeb appliances
This is true especially if your plain text editor provides advanced features such as regular expressions for find-and-
replace, or batch changes across multiple files. Several free text editors are available with these features, such as
Text Wrangler (http://www.barebones.com/products/textwrangler)and Notepad++ (http://notepad-plus-plus.org).
Do not use a rich text editor such as Microsoft Word. Rich text editors insert special
characters into the file in order to apply formatting, which may corrupt the configuration
file.
To edit the configuration on your computer
1. Use execute backup cli-config (page 626) or execute backup full-config (page 627) to
download the configuration file to a TFTP server, such as your management computer.
2. Edit the configuration file using a plain text editor that supports Unix-style line endings.
Do not edit the first line. The first lines of the configuration file (preceded by a # character)
contains information about the firmware version and FortiWeb model. If you change the
model number, the FortiWeb appliance will reject the configuration file when you attempt
to restore it.
3. Use execute restore config (page 647) to upload the modified configuration file back to the FortiWeb
appliance.
The FortiWeb appliance downloads the configuration file and checks that the model information is correct. If it is,
the FortiWeb appliance loads the configuration file and checks each command for errors. If a command is invalid,
the FortiWeb appliance ignores the command. If the configuration file is valid, the FortiWeb appliance restarts and
loads the new configuration.

Using the CLI 59
Pipeline 'grep' command

FortiWeb supports 'grep' in get and show to search for desired information and present the results in a format you
want.
The 'grep' command format is as follows:

get <xxx> [ [path] <object>] | grep [options] <search string>
show [ [path] <object>] | grep [options] <search string>
For example:

Using the CLI 60
The following options are supported:
-n Add 'line_no:' prefix.
-o Show only the matching part of the line.
-v Select non-matching lines.
-i Ignore the case.
-w Match whole words only.
-x Match whole lines only.
-F PATTERN is a literal (not regexp).
-E PATTERN is an extended regexp.
Administrative domains (ADOMs)
Administrative domains (ADOMs) enable the admin administrator to constrain other FortiWeb administrators’ access
privileges to a subset of policies and protected host names. This can be useful for large enterprises and multi-tenant
deployments such as web hosting.
ADOMs are not enabled by default. Enabling and configuring administrative domains can only be performed by the
admin administrator.
Enabling ADOMs alters the structure of and the available functions in the GUI and CLI according to whether you're
logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator
account’s assigned access profile.
Differences between administrator accounts when ADOMs are enabled

admin
Other
administrator
administrators
account
Access to config global Yes No
Can create administrator accounts Yes No
Can create & enter all ADOMs Yes No
If ADOMs are enabled and you log in as admin, a superset of the typical CLI commands appear, allowing unrestricted
access and ADOM configuration.
config global contains settings used by the FortiWeb itself and settings shared by ADOMs, such as RAID and
administrator accounts. It does not include ADOM-specific settings or data, such as logs and reports. When configuring
other administrator accounts, an additional option appears allowing you to restrict other administrators to an ADOM.

Using the CLI 61
If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A
subset of the typical menus or CLI commands appear, allowing access only to only logs, reports, policies, servers, and
LDAP queries specific to your ADOM. You cannot access global configuration settings or enter other ADOMs.
By default, administrator accounts other than the admin account are assigned to the root ADOM, which includes all
policies and servers. By creating ADOMs that contain a subset of policies and servers, and assigning them to
administrator accounts, you can restrict other administrator accounts to a subset of the FortiWeb’s total protected
servers.
The admin administrator account cannot be restricted to an ADOM. Other administrators are restricted to their ADOM,
and cannot configure ADOMs or global settings.
To enable ADOMs
1. Log in with the admin account.

Other administrators do not have permissions to configure ADOMs.
Back up your configuration. Enabling ADOMs changes the structure of your configuration,
and moves non-global settings to the root ADOM. For details about how to back up the
configuration, see "backup full-config" on page 627.

config system global
set adom-admin enable
end
FortiWeb terminates your administrative session.
3. Log in again.
When ADOMs are enabled, and if you log in as admin, the top level of the shell changes: the two top level items are
config global and config vdom.
l config global contains settings that only admin or other accounts with the prof_admin access profile can
change.
l config vdom contains each ADOM and its respective settings.
This menu and CLI structure change is not visible to non-global accounts; ADOM administrators’ navigation menus
continue to appear similar to when ADOMs are disabled, except that global settings such as network interfaces, HA,
and other global settings do not appear.
4. Continue by defining ADOMs. For details, see "Defining ADOMs" on page 62.
To disable ADOMs
1. Delete all ADOM administrator accounts.
Back up your configuration. Disabling ADOMs changes the structure of your configuration,
and deletes most ADOM-related settings. It keeps settings from the root ADOM only. For
details about how to back up the configuration, see "backup full-config" on page 627.


Using the CLI 62
set adom-admin disable

end
FortiWeb terminates your administrative session.
3. Continue by reconfiguring the appliance. For details, see the FortiWeb Administration Guide:
See also
l "Permissions" on page 51
l "Defining ADOMs" on page 62
l "Assigning administrators to an ADOM" on page 63
l "system admin" on page 201
l "system accprofile" on page 198
Defining ADOMs
Some settings can only be configured by the admin account—they are global. Global settings apply to the appliance
overall regardless of ADOM, such as:
l Operation mode
l Network interfaces
l System time
l Backups
l Administrator accounts
l Access profiles
l FortiGuard connectivity settings
l HA and configuration sync
l SNMP
l RAID
l X.509 certificates
l TCP SYN flood anti-DoS setting
l Vulnerability scans
l "ping" on page 638 and other global operations that exist only in the CLI
Only the admin account can configure global settings.
In the current release, some settings, such as user accounts for HTTP authentication,
anti-defacement, and logging destinations are read-only for ADOM administrators.
Future releases will allow ADOM administrators to configure these settings separately
for their ADOM.
Other settings can be configured separately for each ADOM. They essentially define each ADOM. For example,
the policies of adom-A are separate from adom-B.

Using the CLI 63
Initially, only the root ADOM exists, and it contains settings such as policies that were global before ADOMs were
enabled. Typically, you will create additional ADOMs, and few if any administrators will be assigned to the root
ADOM.
After ADOMs are created, the admin account usually assigns other administrator accounts to configure their ADOM-
specific settings. However, as the root account, the admin administrator does have permission to configure all settings,
including those within ADOMs.
To create an ADOM
1. Log in with the admin account.

config vdom
edit <adom_name>
where <adom_name> is the name of your new ADOM. Alternatively, to configure the default root ADOM, type
root.
The maximum number of ADOMs you can add varies by your FortiWeb model. The
number of ADOMs is limited by available physical memory (RAM), and therefore also
limits the maximum number of policies and sessions per ADOM. For details, see the
FortiWeb Administration Guide:
The new ADOM exists, but its settings are not yet configured.
3. Either:
l Assign another administrator account to configure the ADOM (continue with "Assigning administrators to an ADOM"
on page 63), or
l Configure the ADOM yourself by entering commands such as:
config log...
config server-policy...
config system...
config waf...
See also
l "Assigning administrators to an ADOM" on page 63

l "Administrative domains (ADOMs)" on page 60
Assigning administrators to an ADOM

The admin administrator can create other administrators and assign their account to an ADOM, constraining them to
that ADOM’s configurations and data.

Using the CLI 64
To assign an administrator to an ADOM
1. If you have not yet created any administrator access profiles, create at least one. For details, see "system accprofile"
on page 198.
2. In the administrator account’s accprofile "<access-profile_name>" (page 202) setting, select the new
access profile.
(Administrators assigned to the prof_admin access profile will have global access. They cannot be restricted to an
ADOM.)
3. In the administrator account’s domains "<adom_name>" (page 203) setting, select the account’s assigned
ADOM. Currently, in this version of FortiWeb, administrators cannot be assigned to more than one ADOM.
See also
l "Defining ADOMs" on page 62

config 65
config
The config commands configure your FortiWeb appliance’s feature settings.
This section describes the following commands:
log alertMail system conf-sync waf file-upload-

restriction-rule
log attack-log system console
waf ftp-command-
log custom-sensitive-rule system device-
restriction-rule
tracking
log disk
waf ftp-file-security
system dns
log email-policy
waf geo-block-list
system eventhub
log event-log
waf geo-ip-except
system fail-open
log forti-analyzer
waf hidden-fields-
system fds proxy
log fortianalyzer-policy protection
system feature-
log ftp-policy waf hidden-fields-rule
visibility
log reports waf http-authen http-
system fips-cc
authen-policy
log sensitive
system firewall
waf http-authen http-
log siem-message-policy address
authen-rule
log siem-policy system firewall
waf http-connection-flood-
firewall-policy
log syslogd check-rule
system firewall
log syslog-policy waf http-constraints-
service
exceptions
log traffic-log
system firewall
waf http-header-security
log trigger-policy snat-policy
waf http-protocol-
router policy system fortigate-
parameter-restriction
integration
router setting waf http-request-flood-
system
router static prevention-rule
fortisandbox
server-policy allow-hosts waf input-rule
system global
server-policy custom- waf ip-intelligence
system ha
application application- waf ip-intelligence-
policy system hsm info
exception
server-policy custom- system hsm
waf ip-list
application url-replacer partition
waf layer4-access-limit-
server-policy http-content- system interface
rule
routing-policy
system ip-

config 66
server-policy pattern detection waf layer4-connection-

custom-data-type flood-check-rule
system network-
server-policy pattern option waf machine-learning
custom-global-white-list-
system password- waf machine-learning-
group
policy policy
server-policy pattern
system raid waf mitb-policy
custom-susp-url
system replacemsg waf mitb-rule
server-policy pattern
custom-susp-url-rule system waf openapi-file
replacemsg-image
server-policy pattern data- waf openapi-validation-
type-group system settings policy
server-policy pattern system snmp waf padding-oracle
threat-weight community
waf page-access-rule
server-policy pattern system snmp
waf parameter-validation-
suspicious-url-rule sysinfo
rule
server-policy persistence- system snmp user
waf signature
policy
system tcpdump
waf site-publish-helper
server-policy policy
system v-zone authentication-server-pool
server-policy server-pool
system wccp waf site-publish-helper
server-policy service keytab_file
user admin-
custom
usergrp waf site-publish-helper
server-policy setting policy
user kerberos-
server-policy vserver user waf site-publish-helper
rule
system accprofile user ldap-user
waf start-pages
system admin user local-user
waf url-access url-access-
system admin-certificate ca user ntlm-user
policy
system admin-certificate user pki-user
waf url-access url-access-
local
user radius-user rule
system advanced
user saml-user waf url-rewrite url-
system antivirus rewrite-policy
user user-group
system autoupdate override waf url-rewrite url-
wad file-filter
rewrite-rule
system autoupdate schedule
wad website
waf user-tracking policy
system autoupdate tunneling
waf allow-method-
waf user-tracking rule
system backup exceptions
waf web-cache-exception
system central-management waf allow-method-
policy waf web-cache-policy
system certificate ca

config 67
system certificate ca-group waf application- waf web-protection-profile

layer-dos- autolearning-profile
system certificate crl
prevention
waf web-protection-profile
system certificate crl-
waf base- inline-protection
group
signature-disable
waf web-protection-profile
system certificate
waf brute-force- offline-protection
intermediate-certificate
login
waf websocket-security
system certificate
waf cookie- rule
intermediate-certificate-
security
group waf websocket-security
waf csrf- policy
system certificate local
protection
waf x-forwarded-for
system certificate remote
waf custom-access
waf xml-schema
system certificate server- policy
certificate-verify waf xml-validation
waf custom-access
system certificate sni rule waf xml-wsdl
system certificate tsl-ca waf custom- waf websocket-security

protection-group
wvs policy
waf custom-
wvs profile
protection-rule
wvs schedule
waf device-
reputation
waf exclude-url
waf file-
compress-rule
waf file-upload-
restriction-
policy
Although not usually explicitly shown in each config command’s “Syntax” section, for all
config commands, there are related get (page 657) and show (page 663) commands
which display that part of the configuration, either in the form of a list of settings and
values, or commands that are required to achieve that configuration from the firmware’s
default state, respectively. get and show commands use the same syntax as their related
config command, unless otherwise mentioned.
log alertMail
Use this command to enable or disable alert emails, and to choose which email policy to use with them. Alert emails
notify administrators or other personnel when an alert condition occurs, such as a system failure or network attack.

config 68
The email address information and the alert message intervals are configured separately for each email policy. For
details about the severity levels of log messages associated with an email policy, see "log email-policy" on page 75.
To use this command, your administrator account’s access control profile must have either w or rw permission to the
loggrp area. For details, see "Permissions" on page 51.
Syntax
config log alertMail
set email-policy "<policy_name>"
end
Variable Description Default
status {enable | disable} Enable to generate an alert email when the FortiWeb appliance disable
records a log message, if that log message meets or exceeds the
severity level configured in "log email-policy" on page 75.
Enter the name of a previously configured email policy. The

maximum length is 63 characters.
email-policy "<policy_ No
name>" To display a list of the existing email policies, type: default.
set email-policy ?
Example
This example enables alert email when either a system event or attack log message is logged. The alert email is sent
using the recipients configured in emailpolicy1.
config log alertMail
set status enable
set email-policy "emailpolicy1"
end
Related topics
l "log email-policy" on page 75
log attack-log
Use this command to configure recording of attack log messages on the local FortiWeb disk.
You must enable disk log storage and select log severity levels using config log disk
(page 73) before any attack logs can be stored on disk.
Also use this command to define specific packet payloads to retain when storing attack logs.

config 69
Packet payloads can be retained for specific attack types or validation failures detected by the FortiWeb appliance.
Packet payloads supplement the log message by providing the actual data that triggered the attack log, which may help
you to fine-tune your regular expressions to prevent false positives. You can also examine changes to attack behavior
for subsequent forensic analysis. Alternatively, for more extensive packet logging, you can run a packet trace. For
details, see "network sniffer" on page 607.
If the offending HTTP request exceeds 4 kilobytes (KB), the FortiWeb appliance retains only 4 KB’ of the part of the
payload that triggered the log message.
You can view attack log packet payloads from the Packet Log column using the web UI. For details, see the FortiWeb
Administration Guide:
Packet payloads can contain sensitive information. You can prevent sensitive data from display in the packet payload by
applying sensitivity rules that detect and obscure sensitive information. For details, see "log sensitive" on page 92.
Syntax
config log attack-log
setstatus {enable | disable}
sethttp-parse-error-output {enable | disable}
setpacket-log {account-lockout-detection | anti-virus-detection | cookie-
security | credential-db-detection | csrf-detection | custom-access | custom-
protection-rule | fsa-detection | hidden-fields-failed | http-protocol-
constraints | illegal-file-type | illegal-filesize | illegal-json-format |
illegal-xml-format | ip-intelligence | padding-oracle | parameter-rule-failed
| signature-detection | trojan-detection | user-tracking-detection | xml-
protection | machine-learning | openapi-validation | websocket-security}
set no-ssl-error {enable | disable}
end
status {enable | disable} Enable to record attack log messages on the disk. enable
To record attack logs, disk log storage must be enabled, and

the severity levels selected using the config log disk
(page 73) command.
http-parse-error-output Enable while debugging only, to log errors of the HTTP protocol
disable
{enable | disable} parser.
packet-log {account- Select one or more detected attack types or validation failures. No
lockout-detection | anti- FortiWeb keeps packet payloads from its HTTP parser buffer default.
virus-detection | cookie-
security | credential-db- with their associated attack log message.
detection | csrf-
Separate each attack type with a space. To add or remove a
detection | custom-access
| custom-protection-rule packet payload type, re-type the entire space-delimited list
with the new option included or omitted.

config 70
| fsa-detection | hidden- Some options have historical names. Correlations with current
fields-failed | http- feature names are:
protocol-constraints |
illegal-file-type | l custom-protection-rule—Custom signature detection
illegal-filesize |
(not predefined)
illegal-json-format |
illegal-xml-format | ip- To empty this list and keep no packet payloads, effectively
intelligence | padding- disabling the feature, enter unset packet-log.
oracle | parameter-rule-
failed | signature-
detection | trojan-
detection | user-
tracking-detection | xml-
protection | machine-
learning | openapi-
validation | websocket-
security}
Enable to stop FortiWeb from logging SSL errors.

no-ssl-error {enable | This setting is useful when you use high-level security disable
disable}
settings, which generate a high volume of these types of
errors.
Example
This example enables log storage on the hard disk and sets information as the minimum severity level that a log
message must meet in order for the log to be stored. It also enables retention of packet payloads that triggered custom
protection rules along with their correlating attack logs. Conversely, it disables any other packet payload retention that
may have been enabled before, because it completely replaces the list each time it is configured.
config log disk
set status enable
set severity information
end
set status enable
set packet-log custom-protection-rule
end
Related topics
l "log sensitive" on page 92
l "log custom-sensitive-rule" on page 71
l "log event-log" on page 78
l "log traffic-log" on page 100
l "debug application miglogd" on page 569
l "log " on page 601

config 71
log custom-sensitive-rule
Use this command to configure custom rules to obscure sensitive information that is not obscured in log message
packet payloads by the predefined sensitivity rules.
Use this command in conjunction with config log sensitive (page 92).
If enabled to do so, a FortiWeb appliance will obscure predefined data types, including user names and passwords in
log message packet payloads. If other sensitive data in the packet payload is not obscured by the predefined data types,
you can create your own data type sensitivity rules, such as ages or other identifying numbers.
Sensitive data definitions are not retroactive. They will hide strings in subsequent log
messages, but will not affect existing log messages.
This command is relevant only if you have enabled the FortiWeb appliance to keep packet payloads along with their
associated log messages, and have selected to obscure logs according to custom data types. For details, see "log
attack-log" on page 68 and "log sensitive" on page 92.
Syntax
config log custom-sensitive-rule
edit "<custom-sensitive-rule_name>"
set expression "<sensitive-type_pattern>"
set field-name "<parameter-name_pattern>"
set field-value "<parameter-value_pattern>"
set type {field-mas-rule | general-mask-rule}
next
end
"<custom-sensitive-rule_ Enter the name of a new or existing rule. The maximum No default.
name>" length is 63 characters.
To display the list of existing rules, enter:

edit ?
Enter a regular expression that matches all and only the

strings or numbers that you want to obscure in the packet
payloads.
expression "<sensitive-
type_pattern>" No default.
For example, to hide a parameter that contains the age of
users under 13, you could enter:
age\=[1-13]

config 72
Expressions must not start with an asterisk ( * ). The

type {field-mas-rule | Select either general-mask-rule (a regular expression general-

general-mask-rule} that will match any substring in the packet payload) or mask-
field-mask-rule (a regular expression that will match rule
only the value of a specific form input).
If you select general-mask-rule, configure

expression "<sensitive-type_pattern>" (page
71).
If you select field-mask-rule, configure field-name

"<parameter-name_pattern>" (page 72) and
field-value "<parameter-value_pattern>"
(page 72).
Enter a regular expression that matches all and only the input
field-name "<parameter- names whose values you want to obscure. The input name itself
No default.
name_pattern>" will not be obscured. If you wish to do this, use general-
mask-rule instead. The maximum length is 255 characters.
field-value "<parameter- Enter a regular expression that matches all and only the No default.
value_pattern>" input values that you want to obscure. The maximum length
is 255 characters.
For example, to hide a parameter that contains the age of

users under 13, for field-name "<parameter-name_
pattern>" (page 72), enter age, and for field-value
"<parameter-value_pattern>" (page 72), enter [1-
13].
Valid expressions must not start with an asterisk ( * ).
Caution: Field masks using asterisks are greedy: a match

for the parameter’s value will obscure it, but will also
obscure the rest of the parameters in the line. To avoid this,
enter an expression whose match terminates with, but does
not consume, the parameter separator.
For example, if parameters are separated with an

ampersand ( & ), and you want to obscure the value of the
field name username but not any of the parameters that
follow it, you could enter the field value:
.*?(?=\&)
This would result in:

username****&age=13&origurl=%2Flogin

config 73
Example
This example enables the FortiWeb appliance to keep all types of packet payloads with their associated log messages.
It also enables and defines a custom sensitive data type (applies to age 13 or less) that will be obscured in logs.
set status enable
set packet-log anti-virus-detection cookie-poison custom-access custom-protection-rule
hidden-fields-failed http-protocol-constraints illegal-file-type illegal-xml-format ip-
intelligence padding-oracle parameter-rule-failed signature-detection
end
config log sensitive
set type custom-rule
end
edit rule1
set type general-mask-rule
set expression "age\\=[1-13]*$"
next
end
Related topics
l "log attack-log" on page 68
log disk
Use this command to enable and configure recording of log messages to the local hard disk.
Logging must be enabled for each individual log type before log messages are recorded to
disk. For details, see "log attack-log" on page 68, "log event-log" on page 78, and "log
traffic-log" on page 100 for details.
You can use SNMP traps to notify you when disk space usage exceeds 80%. For details, see "system snmp community"
on page 299.
You can generate reports based on log messages that you save to the local hard disk. For details, see "log reports" on
page 83.
Syntax
config log disk
set diskfull overwrite
set severity {alert | critical | debug | emergency | error | information |
notification | warning}
set log-used-disk <log-used-disk_int>
end

config 74
status {enable | Enable to store log messages on the local hard disk. Log enable
disable} messages are stored only if logging is enabled for the
individual log types using config log attack-log
(page 68), config log event-log (page 78), and
config log traffic-log (page 100). Also
configure diskfull overwrite (page 74) and
severity {alert | critical | debug |
emergency | error | information |
notification | warning} (page 74).
Select overwrite to delete the oldest log file in order

to free disk space, and then store the new log message.
diskfull overwrite overwrite
This field is available only if status {enable |
disable} (page 74) is enable.
severity {alert | Select the severity level that a log message must meet or information
critical | debug | exceed in order to cause the FortiWeb appliance to record it.
emergency | error |
information |
log-used-disk <log-used- This field is unique for Docker platform. Enter the log disk size.
10 G
disk_int> The valid range is 10–500 G.
Example
This example enables logging of event and attack logs and recording of the log messages to the local hard disk. Only
the log messages with a severity of notification or higher are recorded. If all free space on the hard disk is
consumed and a new log message is generated, the diskfull option determines that the FortiWeb will overwrite the
oldest log message. The log messages are saved to a separated log file for each message type.
config log disk
set status enable
set severity notification
set diskfull overwrite
end
Related topics
l "system snmp community" on page 299
l "log reports" on page 83
l "formatlogdisk" on page 634

config 75
log email-policy
Use this command to create an email policy. An email policy identifies email recipients, email address, email
connection requirements and authentication information, if required.
You can configure multiple email policies and apply those policies as required in different situations. The FortiWeb
appliance can be configured to send email for different situations, such as to alert administrators when certain system
events or rule violations occur, or when log reports are available for distribution.
Syntax
config log email-policy
edit "<email-policy_name>"
set mailfrom "<address_str>"
set mailto1 "<recipient_email>"
set smtp-server {"<smtp_ipv4>" | "<smtpfqdn>"}
set smtp-port <smtp-port_int>
set smtp-auth {enable | disable}
set smtp-username "<auth_str>"
set smtp-password "<password_str>"
set interval <interval_int>
set connection-security {NONE | STARTTLS | SSL/TLS}
set attach-compression {enable | disable}
set send-email-based-on-interval-time {enable | disable}
set company-logo "<company-logo_str>"
set company-name "<company-name_str>"
next
end
"<email-policy_name>" Enter the name of an email policy. The maximum length is 63 No default.
characters.
Enter the sender email address, such as

mailfrom "<address_str>" [email protected], that the FortiWeb appliance will No default.
use when sending email. The maximum length is 63 characters.
mailto1 "<recipient_ Enter the email address of the first recipient, such as No default.
email>" [email protected], to which the FortiWeb appliance will
send email. You must enter one email address for alert email to
function. The maximum length is 63 characters.
mailto2 "<recipient_ Enter the email address of the second recipient, if any, to which No default.

config 76
the FortiWeb appliance will send alert email. The maximum

email>"
length is 63 characters.
mailto3 "<recipient_ Enter the email address of the third recipient, if any, to which the No default.
email>" FortiWeb appliance will send alert email. The maximum length is
63 characters.
Enter the IP address or fully qualified domain name (FQDN) of

smtp-server {"<smtp_ the SMTP server, such as mail.example.com, that the
ipv4>" | "<smtpfqdn>"} No default.
FortiWeb appliance can use to send email. The maximum length
is 63 characters.
smtp-port <smtp-port_ Enter the port on the SMTP server that listens for alerts and 25
int> generated reports from FortiWeb.
The valid range is 1–65,535.
Enable if the SMTP server requires authentication. Also enable if

smtp-auth {enable |
disable} authentication is not required but is available and you want the disable
FortiWeb appliance to authenticate.
smtp-username "<auth_ If you enable smtp-auth {enable | disable} No default.

str>" (page 76), enter the user name that the FortiWeb appliance
will use to authenticate itself with the SMTP relay. The
This field is available only if you enable smtp-auth

{enable | disable} on page 76.
If you enable smtp-auth {enable | disable} on

page 76, enter the password that corresponds with the user
smtp-password name.
"<password_str>" No default.
This field is available only if you enable smtp-auth
{enable | disable} on page 76.
severity {alert | Select the severity threshold that log messages must meet or emergency
critical | debug | exceed in order to cause an email alert.
emergency | error |
information |
Enter the number of minutes FortiWeb waits to send an

additional alert if an alert condition of the specified severity
interval <interval_int> level continues to occur after the initial alert. 1
The valid range is 1–2,147,483,647.
connection-security Select one of the following options: NONE

{NONE | STARTTLS |
SSL/TLS} l NONE—FortiWeb applies no security protocol to email.

config 77
l STARTTLS—Encrypts the connection to the SMTP

server using STARTTLS.
l SSL/TLS—Encrypts the connection to the SMTP server
using SSL/TLS.
Enable or disable the compression for an alert email policy. With

attach-compression the compression function being enabled, event logs and alerts
disable
{enable | disable} will be attached to the emails in ZIP format, otherwise they will
be attached in TXT format.
send-email-based-on- Enable/disable sending emails by interval time. No default.

interval-time {enable |
disable}
Set the company logo in the email policy by entering a

Base64 string (base64 encoding) of the image. Only JPG
company-logo "<company- format is supported. Size limit is 36 KB.
logo_str>" No default.
You are strongly recommended to upload a company logo
through the FortiWeb GUI.
company-name "<company- Set the company name in the email policy. The maximum length No default.
name_str>" is 63 characters.
Example
This example creates email policy for use in multiple situations. When the email policy is attached to rule violations or
log reports, FortiWeb sends an email from [email protected], to [email protected] and
[email protected], using an SMTP server mail.example.com. The SMTP server requires authentication.
The FortiWeb appliance authenticates as fortiweb when connecting to the SMTP server.
FortiWeb logs messages more severe than a notification. As long as events continue to trigger notification-level log
messages, FortiWeb sends an alert email every 10 minutes. (Log messages of other severity levels trigger alert email at
their default intervals.) All the related log messages will be attached to the emails in ZIP format.
When the configuration is complete, log in to the web UI to send a sample alert email to test the configuration and the
email system.
config log email-policy
edit "Email_Policy1"
set mailfrom "[email protected]"
set mailto1 "[email protected]"
set mailto2 "[email protected]"
set smtp-server "mail.example.com"
set smtp-auth enable
set smtp-username "fortiweb"
set smtp-password "fortiWebPassworD2"
set interval 10
set attach-compression enable
next
end

config 78
Related topics
l "log alertMail" on page 67
l "log trigger-policy" on page 101
l "system dns" on page 242
l "router static" on page 106
log event-log
Use this command to configure recording of event log messages, and then use other commands to store those
messages on the local FortiWeb disk, in local FortiWeb memory, or both. Use other commands to configure a traffic log
and attack log.
You must enable disk and/or memory log storage and select log severity levels before
FortiWeb will store any event logs.
Syntax
config log event-log
set cpu-high <percentage_int>
set mem-high <percentage_int>
set logdisk-high <percentage_int>
set trigger-policy "<trigger-policy_name>"
end
status {enable | disable} Enable to record event log messages. enable
To select the destination and the severity threshold of the

stored log messages, see "log disk" on page 73.
Enter a threshold level as a percentage beyond which CPU

cpu-high <percentage_int> usage triggers an event log entry. 60
The valid range is 60–99.
mem-high <percentage_int> Enter a threshold level as a percentage beyond which memory 60

usage triggers an event log entry.

config 79
Enter a threshold level as a percentage beyond which log disk

logdisk-high <percentage_ usage triggers an event log entry. 60
int>
trigger-policy "<trigger- Enter the name of the trigger to apply when the CPU, memory, No
policy_name>" log disk usage, or number of sessions meets or exceeds the default.
threshold (see "log trigger-policy" on page 101). The maximum
To display the list of existing trigger policies, enter:

set trigger ?
Example
This example enables recording of event logs, enables disk log storage and memory log storage, and sets alert as the
minimum severity level that a log message must achieve for storage.
config log disk
set status enable
set severity alert
end
config log event-log
set status enable
end
Related topics
l "log disk" on page 73
log forti-analyzer
Use this command to configure the FortiWeb appliance to send its log messages to a remote FortiAnalyzer appliance.
You must first define one or more FortiAnalyzer policies using config log fortianalyzer-policy (page 81).
Logs sent to FortiAnalyzer are controlled by FortiAnalyzer policies and trigger actions that you configure on the FortiWeb
appliance, and are associated with various types of violations.
Logs stored remotely cannot be viewed from the web UI, and cannot be used by FortiWeb to build reports. If you require
these features, record logs locally as well as remotely.

config 80
Usually, you should set trigger actions for specific types of violations. Failure to do so will
result in the FortiWeb appliance logging every occurrence, which could result in high log
volume and reduced system performance. Excessive logging for an extended period of
time may cause premature hard disk failure.
Syntax
config log forti-analyzer
set fortianalyzer-policy "<policy_name>"
end
fortianalyzer-policy Enter the name of an existing FortiAnalyzer policy to use No default.

"<policy_name>" when storing log information remotely. The maximum
To view a list of the existing FortiAnalyzer policies, enter :

set fortianalyzer-policy ?
status {enable | Enable to record event log messages to FortiAnalyzer if it meets

disable
disable} or exceeds the severity level configured in severity.
critical | debug | exceed in order to cause the FortiWeb appliance to save it to
emergency | error |
FortiAnalyzer.
information |
Example
This example enables FortiAnalyzer logging and recording of the log messages. Only the log messages with a severity
of error or higher are recorded.
set status enable
set severity error
end
Related topics
l "log fortianalyzer-policy" on page 81

config 81
log fortianalyzer-policy
Use this command to create policies for use by protection rules to store log messages remotely on a FortiAnalyzer
appliance. For example, once you create a FortiAnalyzer policy, you can include it in a trigger policy, which in turn can
be applied to a trigger action in a protection rule.
You need to create a FortiAnalyzer policy if you also plan to send log messages to a FortiAnalyzer appliance.
Syntax
config log fortianalyzer-policy
config fortianalyzer-server-list
edit <entry_index>
set ip-address "<forti-analyzer_ipv4>"
set enc-algorithm {disable | default}
end
next
end
"<policy_name>" Enter the name of the new or existing FortiAnalyzer policy. No

The maximum length is 63 characters. default.
To display a list of the existing policies, enter:

edit ?
No
<entry_index> Enter the index number of the individual entry in the table.
default.
ip-address "<forti- Enter the IP address of the remote FortiAnalyzer appliance. No

analyzer_ipv4>" default.
enc-algorithm {disable | Specifies whether FortiWeb transmits logs to the FortiAnalyzer

disable
default} appliance using SSL.
Example
This example creates a policy entry and assigns an IP address, then enables FortiAnalyzer logging for log messages
with a severity of error or higher.
config log fortianalyzer-policy
edit "fa-policy1"
config fortianalyzer-policy
edit 1
set ip-address "192.0.2.133"

config 82
end
next
end
set fortianalyzer-policy "fa-policy1"
set status enable
set severity error
end
Related topics
l "log forti-analyzer" on page 79
log ftp-policy
Use this command to configure a connection to an FTP or TFTP server. The config log reports configuration
uses this policy to specify a server that FortiWeb sends reports to.
Syntax
config log ftp-policy
set type {ftp | tftp}
set server "<ftp-server_ipv4>"
set ftp_auth {enable | disable}
set ftp_user "<ftp-user_str>"
set ftp_passwd "<ftp_pswd>"
set ftp-dir "<ftp-dir_str>"
end
"<policy_name>" Enter the name of a new or existing FTP/TFTP policy. The No

maximum length is 63 characters. default.
To display the list of existing policies, enter:

edit ?
type {ftp | tftp} Specify whether the server is FTP or TFTP. ftp
server "<ftp-server_ Enter the IP address of the FTP or TFTP server. No

ipv4>" default.
Specify whether the server requires a user name and password for
ftp_auth {enable | authentication, rather than allowing anonymous connections.
disable
disable}
Available only if type {ftp | tftp} (page 82) is ftp.

config 83
ftp_user "<ftp-user_str>" Enter the user name that FortiWeb uses to authenticate with the No
server. default.
Available only if ftp_auth {enable | disable} (page 82)

is enable.
Enter the password for the specified username.

No
ftp_passwd "<ftp_pswd>"
Available only if ftp_auth {enable | disable} (page 82) default.
is enable.
ftp-dir "<ftp-dir_str>" Enter the location on the server where FortiWeb stores reports. No
default.
Related topics
log reports
Use this command to configure report profiles.
When generating a report, FortiWeb appliances collate information collected from their log files and present the
information in tabular and graphical format.
In addition to log files, your FortiWeb appliance requires a report profile to generate a report. A report profile is a group
of settings that contains the report name, file format, subject matter, and other aspects that the FortiWeb appliance
considers when generating the report.
FortiWeb appliances can generate reports automatically, according to the schedule that you configure in the report
profile, or manually in the web UI when you click the Run now icon in the report profile list. You may want to create one
report profile for each type of report that you will generate on demand or periodically, by schedule.
Generating reports can be resource intensive. To avoid email processing performance

impacts, you may want to generate reports during times with low traffic volume, such
as at night.
The number of results in a section’s table or graph varies by the report type.
Ranked reports (top x, or top y of top x) can include a different number of results per cross-section, then combine
remaining results under “Others.” For example, in “Top Attack Severity by Hour of Day,” the report includes the top x
hours, and their top y attacks, then groups the remaining results.
l scope_top1 <topX_int> (page 91) is x.

l scope_top2 <topY_int> (page 91) is y.
Before you generate a report, collect log data that will be the basis of the report. For information on enabling logging to
the local hard disk, see "log attack-log" on page 68 and "log disk" on page 73.

config 84
Creating a report profile is considerably easier in the web UI. Go to

Log&Report > Report Config.
Syntax
config log reports
edit "<report_name>"
set custom_company "<org_str>"
set custom_footer_options {custom | report-title}
set custom_header "<header_str>"
set custom_header_logo "<filename_hex_str>"
set custom_title_logo "<filename_hex_str>"
set email_attachment_compress {enable | disable}
set email_attachment_name "<filename_str>"
set email_body "<message_str>"
set email_subject "<subject_str>"
set filter_string "<log-filter_str>"
set include_nodata {yes | no}
set on_demand {enable | disable}
set output_email {html mht pdf rtf txt}
set output_email_policy "<policy_name>"
set output_file {html mht pdf rtf txt}
set output_ftp {html pdf rtf txt mht}
set output_ftp_policy "<ftp-policy_name>"
set period_end "<time_str>" "<date_str>"
set period_last_n <n_int>
set period_start "<time_str>" "<date_str>"
set period_type {last-14-days | last-2-weeks | last-30-days | last-7-days |
lastmonth | last-n-days | last-n-hours | last-n-weeks | last-quarter |
last-week | other | this-month | this-quarter | this-week | thiyear |
today | yesterday}
set report_desc "<comment_str>"
set report_title "<title_str>"
set report_attack_activity {attacks-type attacks-url attacks-date-type attacks-
month-type attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-
type attacks-dst-ip attacks-type-ip attacks-method-type attacks-cat
attacks-policy attacks-day attacks-ts attacks-td attacks-proto attacks-
date-severity attacks-month-severity attacks-day-severity attacks-hour-
severity attacks-sessionid attacks-srccountry attacks-signature-id attacks-
type-signature-id attacks-fortisandbox attacks-httphost attacks-username
attacks-httprefer attacks-httpversion threat-weight-client-device attacks-
client-device cat-client-device attack-summary attack-details}
set report_event_activity {ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-
day ev-warn-hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-
day ev-aler-hour ev-aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-
day ev-hour ev-hour-cat ev-day ev-day-cat ev-stat ev-day-login ev-week-
login ev-user-logint}
set report_traffic_activity {net-pol net-srv net-src net-dst net-src-dst net-
dst-src net-date-dst net-hour-dst net-day-dst net-month-dst net-date-src
net-hour-src net-day-src net-month-src net-srccountry net-httphost net-
username net-httprefer net-httpversion net-client-device}

config 85
set report_pci_activity {pci-attacks-date-type pci-attacks-month-type pci-

attacks-day-type pci-attacks-hour-type}
set schedule_type {daily | dates | days | none}
set schedule_days {sun | mon | tue | wed | thu | fri | sat}
set schedule_dates "<dates_str>"
set schedule_time "<time_str>"
set scope_include_summary {yes | no}
set scope_include_table_of_content {yes | no}
set scope_top1 <topX_int>
set scope_top2 <topY_int>
next
end
"<report_name>" Enter the name of a new or existing report profile. The No

The profile name will be included in the report header.
To display the list of existing report names, enter:

edit ?
Enter the name of your department, company, or other

organization, if any, that you want to include in the report
summary. If the text is more than one word or contains special
custom_company "<org_ characters, enclose it in double quotes ( " ). The maximum No
str>" default.
For details about enabling the summary, see scope_

include_summary {yes | no} (page 90).
custom_footer_options Select either: report-

{custom | report-title} title
l report-title—Use "<report_name>" (page 85) as
the footer text.
l custom—Provide different footer text.
Enter the text, if any, that you want to include at the bottom of
each report page. If the text is more than one word or contains
custom_footer "<footer_ special characters, enclose it in double quotes ( " ). The No
str>" maximum length is 127 characters. default.
This setting is available only if custom_footer_options
{custom | report-title} (page 85) is custom.
custom_header "<header_ Enter the text, if any, that you want to include at the top of each No
str>" report page. If the text is more than one word or contains special default.
characters, enclose it in double quotes ( " ). The maximum length
is 127 characters.

config 86
Enter the file name of a custom logo that you have previously
custom_header_logo uploaded to the FortiWeb appliance. The logo image will be No
"<filename_hex_str>" included in the report header. The maximum length is 255 default.
characters.
custom_title_logo Enter the file name of a custom logo that you have previously No
"<filename_hex_str>" uploaded to the FortiWeb appliance. The logo image will be default.
included in the report title. The maximum length is 255 characters.
Enable to enclose the generated report formats in a

compressed archive attached to the email.
email_attachment_compress
This field is required if you have enabled email output by disable
{enable | disable}
enabling one or more of the file formats for email output in
output_email {html mht pdf rtf txt} (page 87).
email_attachment_name Enter the file name that will be used for the reports attached No
"<filename_str>" to the email. The maximum length is 63 characters. default.
This field is required if you have enabled email output by

Enter the message body of the email. The maximum length is

383 characters.
email_body "<message_ No
str>" This field is required if you have enabled email output by default.
email_subject "<subject_ Enter the subject line of the email. The maximum length is No
str>" 191 characters. default.
This field is required if you have enabled email output by

Enter a log message filter string that includes or excludes log

filter_string "<log- messages based upon matching log field values. The No
filter_str>" maximum length is 1,023 characters. default.
For example syntax, see "Example" on page 91.
include_nodata {yes | no} Select whether to include (yes) or hide (no) reports which are no
empty because there is no matching log data.
Enable to run the report one time only. After the FortiWeb
on_demand {enable |
disable} appliance completes the report, it removes the report profile disable
from its hard disk.

config 87
Enter disable to schedule a time to run the report, and to

keep the report profile for subsequent use.
output_email {html mht Select one or more file types for the report when mailing generated No
pdf rtf txt} reports. default.
If you set a value for output_email, enter the name of the

email policy that contains settings for sending the report by
output_email_policy email. The maximum length is 63 characters. No
"<policy_name>" default.
For details about email policies, see "log email-policy" on
page 75.
output_file {html mht pdf Select one or more file types for the report when saving to the html
rtf txt} FortiWeb hard disk.
output_ftp {html pdf rtf Select one or more file types for the report when FortiWeb sends No
txt mht} reports to an FTP or TFTP server. default.
output_ftp_policy "<ftp- Enter the policy that defines a connection to the appropriate server. No
policy_name>" For details, see "log ftp-policy" on page 82. default.
Enter the time and date that define the end of the span of
time whose log messages you want to use when generating
the report.
The time format is hh:mm and the date format is

yyyy/mm/dd, where:
l hh is the hour according to a 24-hour clock

l mm is the minute
period_end "<time_str>" l yyyy is the year No
"<date_str>" l mm is the month default.
l dd is the day
This setting appears only when you select a period_type
{last-14-days | last-2-weeks | last-30-
days | last-7-days | lastmonth | last-n-
days | last-n-hours | last-n-weeks | last-
quarter | last-week | other | this-month |
this-quarter | this-week | thiyear |
today | yesterday} (page 88) of other.
period_last_n <n_int> Enter the number that defines n if the period_type No

{last-14-days | last-2-weeks | last-30- default.

config 88

today | yesterday} (page 88) contains that variable.
The valid range is from 1 to 2,147,483,647.

of last-n-days, last-n-hours, or last-n-weeks.
Enter the time and date that defines the beginning of the
span of time whose log messages you want to use when
generating the report.

yyyy/mm/dd, where:

l mm is the minute
period_start "<time_str>" l yyyy is the year No
"<date_str>" l mm is the month default.
l dd is the day
{last-14-days | last-2-weeks | last-30-
today | yesterday} (page 88) of other.
period_type {last-14- Select the span of time whose log messages you want to use last-7-
days | last-2-weeks | when generating the report. days
last-30-days | last-7-
days | lastmonth | last- If you select last-n-days, last-n-hours, or last-
n-days | last-n-hours |
nweeks, you must also define n by entering period_last_
last-n-weeks | last-
quarter | last-week | n <n_int> (page 87).
other | this-month |
this-quarter | this-
If you select other, you must also define the start and end of
week | thiyear | today | the report’s time range by entering period_start
yesterday} "<time_str>" "<date_str>" (page 88) and period_
end "<time_str>" "<date_str>" (page 87).
The span of time will be included in the summary, if enabled.

For information on enabling the summary, see scope_
Enter a description of the report, if any, that you want to

include in the report summary. If the text is more than one
report_desc "<comment_ word or contains special characters, surround it with double No
str>" default.
quotes ( " ). The maximum length is 63 characters.

config 89
report_title "<title_ Enter a title, if any, that you want to include in the report No
str>" summary. If the text is more than one word or contains special default.
characters, enclose it in double quotes ( " ). The maximum

report_attack_activity
{attacks-type attacks-url
attacks-date-type
attacks-month-type
attacks-day-type attacks-
hour-type attacks-type-
dev attacks-dst-type
attacks-dst-ip attacks-
type-ip attacks-method-
type attacks-cat attacks-
policy attacks-day
attacks-ts attacks-td Enter zero or more options to indicate which charts based
attacks-proto attacks-
upon attack logs to include in the report.
date-severity attacks-
month-severity attacks- For example, to include “Attacks By Policy,” enter a list of No
day-severity attacks- default.
charts that includes attacks-policy. To include “Top
hour-severity attacks-
sessionid attacks- Attacked HTTP Methods by Type,” enter a list of charts that
srccountry attacks- includes attacks-method-type.
signature-id attacks-
type-signature-id
attacks-fortisandbox
attacks-httphost attacks-
username attacks-
httprefer attacks-
httpversion threat-
weight-client-device
attacks-client-device
cat-client-device attack-
summary attack-details}
report_event_activity Enter zero or more options to indicate which charts based No

{ev-all ev-all-cat ev- upon event logs to include in the report. default.
all-type ev-crit-hour ev-
crit-day ev-warn-hour ev- For example, to include “Top Event Categories by Status”,
warn-day ev-info-hour ev-
enter a list of charts that includes ev-stat.
info-day ev-emer-hour ev-
emer-day ev-aler-hour ev-
aler-day ev-err-hour ev-
err-day ev-noti-hour ev-
noti-day ev-hour ev-hour-
cat ev-day ev-day-cat ev-
stat ev-day-login ev-
week-login ev-user-
logint}

config 90
report_traffic_activity
{net-pol net-srv net-src
net-dst net-src-dst net-
dst-src net-date-dst net-
Enter zero or more options to indicate which charts based
hour-dst net-day-dst net-
month-dst net-date-src upon traffic logs to include in the report. No
net-hour-src net-day-src default.
For example, to include “Top Sources By Day of Week”, enter
net-month-src net-
srccountry net-httphost a list of charts that includes net-day-src.
net-username net-
httprefer net-httpversion
net-client-device}
report_pci_activity {pci- Enter zero or more options to indicate which charts based upon PCI No
attacks-date-type pci- attack logs to include in the report. default.
attacks-month-type pci-
attacks-day-type pci-
attacks-hour-type}
Select when the FortiWeb appliance will automatically run the

report. If you reboot the FortiWeb appliance while the report is
being generated, report generation resumes after the boot
process is complete.
schedule_type {daily |
dates | days | none} If schedule_type is daily, dates or days, specify the none
schedule_time, schedule_days, or schedule_
dates when the report will be generated.
If schedule_type is none, the report will be generated only

when you manually initiate it.
schedule_days {sun | If schedule_type {daily | dates | days | none} No

mon | tue | wed | thu | (page 90) is days, select the day of the week when the report default.
fri | sat}
should be generated.
If schedule_type {daily | dates | days | none}

schedule_dates "<dates_ (page 90) is dates, select the specific date of the month, from 1 to No
str>" 31, when the report should be generated. Separate multiple dates default.
with spaces.
schedule_time "<time_ If schedule_type {daily | dates | days | 00:00

str>" none} (page 90) is not none, select the time of day when the
report should be run.
The time format is hh:mm, where:

l mm is the minute
scope_include_summary Enter yes to include a summary section at the beginning of

yes
{yes | no} the report. The summary includes:

config 91
l "<report_name>" (page 85)

l custom_company "<org_str>" (page 85)
l report_desc "<comment_str>" (page 88)
l the date and time when the report was generated using this
profile
l the span of time whose log messages were used to
generate the report, according to period_type {last-
14-days | last-2-weeks | last-30-days |
last-7-days | lastmonth | last-n-days |
last-n-hours | last-n-weeks | last-
quarter | last-week | other | this-
month | this-quarter | this-week |
thiyear | today | yesterday} (page 88)
scope_include_table_of_ Enter yes to include a table of contents at the beginning of the yes
content {yes | no} report. The table of contents includes links to each chart in the
report.
Enter x number of items (up to 30) to include in the first cross-

section of ranked reports.
For some report types, you can set the top ranked items for
scope_top1 <topX_int> the report. These reports have “Top” in their name, and will 6
always show only the top x entries. Reports that do not
include “Top” in their name show all information. Changing
the values for top field will not affect these reports.
scope_top2 <topY_int> Enter y number of items (up to 30) to include in the second 3
cross-section of ranked reports.
For some report types, you can set the number of ranked
items to include in the report. These reports have “Top” in
their name, and will always show only the top x entries. Some
report types have two levels of ranking: the top y sub-entries
for each top x entry.
Reports that do not include “Top” in their name show all

information. Changing the values for top field will not affect
these reports.
Example
This example configures a report to be generated every Saturday at 1 PM. The report, whose title is Report 1,
includes all available charts, and covers the last 14 days’ worth of event, traffic, and attack logs. However, it only uses
logs where the source IP address was 192.0.2.20. Each time it is generated, it will be saved to the hard disk in both
HTML and PDF file formats and will be sent by email in PDF format to recipients defined within the “Log report analysis”
email policy.
config log reports

config 92
edit "eport_1"
set Report_attack_activity attacks-type attacks-url attacks-date-type attacks-month-type
attacks-day-type attacks-hour-type attacks-type-dev attacks-dst-type attacks-dst-ip
attacks-type-ip attacks-method-type attacks-cat attacks-policy attacks-day attacks-ts
attacks-td attacks-proto attacks-date-severity attacks-month-severity attacks-day-
severity attacks-hour-severity attacks-sessionid attacks-signature-id attacks-
srccounty attacks-type-signature-id
set Report_event_activity ev-all ev-all-cat ev-all-type ev-crit-hour ev-crit-day ev-warn-
hour ev-warn-day ev-info-hour ev-info-day ev-emer-hour ev-emer-day ev-aler-hour ev-
aler-day ev-err-hour ev-err-day ev-noti-hour ev-noti-day ev-hour ev-hour-cat ev-day
ev-day-cat ev-stat
set Report_traffic_activity net-pol net-srv net-src net-dst net-src-dst net-dst-src net-
date-dst net-hour-dst net-day-dst net-month-dst net-date-src net-hour-src net-day-src
net-month-src
set custom_company "Example, Inc."
set custom_footer_options custom
set custom_header "A fictitious corporation."
set custom_title_logo "titlelogo.jpg"
set filter_string (and src==\'192.0.2.20\')
set include_nodata yes
set output_file html pdf
set output_email html
set output_email_policy log_report_analysis
set period_type last-n-days
set report_desc "A sample report."
set report_title Report 1
set schedule_type days
set custom_footer "Weekly report for Example, Inc."
set period_last_n 14
set schedule_days sat
set schedule_time 01:00
next
end
Related topics
l "log ftp-policy" on page 82
log sensitive
Use this command to configure whether the FortiWeb appliance will obscure sensitive information, such as user names
and passwords, in log messages for which packet payloads are enabled. Each packet payload has predefined sensitivity
rules based on the payload data type. If needed, you can also create custom sensitivity rules to obscure other payload
data types using config log custom-sensitive-rule (page 71).
This command is relevant only if you have enabled the FortiWeb appliance to keep packet payloads along with their
associated log messages. For details, see "log attack-log" on page 68 and "log traffic-log" on page 100.

config 93
Syntax
set type {custom-rule | pre-defined-rule}
end
type {custom-rule | pre- Select whether the FortiWeb appliance will obscure packet No
defined-rule} payloads according to predefined data types and/or custom default.
data types.
For details, see "log custom-sensitive-rule" on page 71.
Example
This example enables the FortiWeb appliance to use a custom sensitive rule to obscure packet payload information that
displays information about users that are age 13 and under.
set type custom-rule
end
edit "custom-sensitive-rule1"
set type general-mask-rule
set expression "age\\=[1-13]*$"
next
end
Related topics
l "log custom-sensitive-rule" on page 71
log siem-message-policy
Use this command to configure the FortiWeb appliance to send its log messages to one or more a remote ArcSight
SIEM (security information and event management) servers.
You must first define one or more SIEM policies using config log siem-policy (page 95).
Logs sent to the ArcSight server are controlled by SIEM policies and trigger actions that you configure on the FortiWeb
appliance, and are associated with various types of violations.
Logs stored remotely cannot be viewed from the web UI, and cannot be used by FortiWeb to build reports. If you require
these features, record logs locally as well as remotely.

config 94
Usually, you should set trigger actions for specific types of violations. Failure to do so will
result in the FortiWeb appliance logging every occurrence, which could result in high log
volume and reduced system performance. Excessive logging for an extended period of
time may cause premature hard disk failure.
Syntax
config log siem-message-policy
set siem-policy "<policy_name>"
end
siem-policy "<policy_ Enter the name of an existing SIEM policy to use when No default.
name>" storing log information remotely. The maximum length is
63 characters.
To view a list of the existing SIEM policies, enter:

set siem-policy ?
severity {alert |
critical | debug | Select the severity level that a log message must meet or
emergency | error | exceed in order to cause the FortiWeb appliance to save it to information
information | the ArcSight server.
status {enable | Enable to record event log messages to the ArcSight server if it disable
disable} meets or exceeds the severity level specified by severity
{alert | critical | debug | emergency |
error | information | notification |
warning} (page 94).
Example
This example enables ArcSight SIEM logging and recording of the log messages. Only the log messages with a severity
of error or higher are recorded.
config log siem-message-policy
set status enable
set severity error
set siem-policy SIEM_Policy1
end

config 95
Related topics
l "log siem-policy" on page 95
log siem-policy
Use this command to configure a connection to one or more ArcSight SIEM (security information and event
management) servers, IBM QRadar servers or Azure Security Center (if your FortiWeb-VM is deployed on Microsoft
Azure). The policy is used by the log syslogd configuration to define the specific ArcSight server, QRadar server or
Azure Event Hub on which log messages are stored. For details, see "log syslogd" on page 97.
Syntax
config log siem-policy
config siem-server-list
edit <entry_index>
set type <arcsight-cef | qradar-leef | azure-cef>
set port <port_int>
set server "<siem_ipv4>"
end
next
end
"<policy_name>" Enter the name of a new or existing SIEM policy. The No default.

edit ?
<entry_index> Enter the index number of the individual entry in the table. No default.
type <arcsight-cef | Enter to store log messages to a SIEM (Security arcsight-

qradar-leef | azure-cef> Information and Event Management) server. According to cef
the specified SIEM policy, FortiWeb will carry out one of the
following actions:
l arcsight-cef—Store log messages remotely to an

ArcSight server
l qradar-leef—Store log messages remotely to a
QRadar server
l azure-cef—Send log messages to Azure Event Hub
(only available for FortiWeb-VM installed on Azure)

config 96
FortiWeb sends log entries in CEF (Common Event

Format) format. There is a 256 byte limit for URLs.
If this option is enabled, but no trigger action is selected for

a specific type of violation, FortiWeb records every
occurrence of that violation to the resource specified by
SIEM Policy.
The Azure CEF policy type requires you to complete Azure
event hub settings using the config system
eventhub (page 244) CLI command.
Note: Before you enable this option, verify that log

frequency is not too great. If logs are very frequent,
enabling this option can decrease performance and cause
the FortiWeb appliance to send many log messages to the
resource.
Note: You cannot view logs stored remotely from the

FortiWeb web UI.
Enter the port where the ArcSight or QRadar server listens for
port <port_int> 514
log output.
server "<siem_ipv4>" Enter the IP address of the ArcSight or QRadar server. No default.
Example
This example creates SIEM_Policy1. FortiWeb contacts the ArcSight server using its IP address, 192.0.2.10.
Communications occur over the standard port number for ArcSight, UDP port 514. The FortiWeb appliance sends log
messages to the server in CEF format.
config log siem-policy
edit "SIEM_Policy1"
config siem-server-list
edit 1
set type arcsight-cef
set port 514
set server "192.0.2.10"
end
next
end
Related topics

config 97
log syslogd
Use this command to configure the FortiWeb appliance to send log messages to a Syslog server defined by config
log syslog-policy (page 98) .
For improved performance, unless necessary, avoid logging highly frequent log types.
While logs sent to your Syslog server do not persist in FortiWeb’s local RAM, FortiWeb still
must use bandwidth and processing resources while sending the log message.
Syntax
config log syslogd
set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp |
kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 |
local7 | mail | ntp | user}
set policy "<syslogd-policy_name>"
end
status {enable | Enable to send log messages to the Syslog server defined disable
disable} by config log syslog-policy (page 98). Also
configure:
l facility {alert | audit | auth |

authpriv | clock | cron | daemon | ftp |
kernel | local0 | local1 | local2 |
local3 | local4 | local5 | local6 |
local7 | mail | ntp | user} (page 97)
l policy "<syslogd-policy_name>" (page 98)
l severity {alert | critical | debug |
emergency | error | information |
notification | warning} (page 98)
facility {alert |
audit | auth | Enter the facility identifier that the FortiWeb appliance will
authpriv | clock | use to identify itself when sending log messages to the first
cron | daemon | ftp | Syslog server.
kernel | local0 |
To easily identify log messages from the FortiWeb local7
local1 | local2 |
local3 | local4 | appliance when they are stored on the Syslog server, enter
local5 | local6 | a unique facility identifier, and verify that no other network
local7 | mail | ntp |
user}
devices use the same facility identifier.

config 98
critical | debug | exceed in order to cause the FortiWeb appliance to send it to
emergency | error |
the first Syslog server.
information |
If logging to a Syslog server is enabled, enter the name of

a Syslog policy which describes the Syslog server to which
policy "<syslogd- the log message will be sent. The maximum length is 63
policy_name>" characters. No default.
For details about on Syslog policies, see "log syslog-policy"

on page 98.
Example
This example enables storage of log messages with the notification severity level and higher on the Syslog server.
The network connections to the Syslog server are defined in Syslog_Policy1. The FortiWeb appliance uses the
facility identifier local7 when sending log messages to the Syslog server to differentiate its own log messages from
those of other network devices using the same Syslog server.
config log syslogd
set status enable
set facility local7
set policy "Syslog_Policy1"
end
log syslog-policy
Use this command to configure a connection to one or more Syslog servers. Each policy can specify connections for up
to three Syslog servers. The log syslogd configuration uses the policy to define the specific Syslog server or servers
on which log messages are stored. For details, see config log syslogd (page 97).
Syntax
config log syslog-policy
config syslog-server-list
edit <entry_index>
set csv {enable | disable}
set port <port_int>
set server "<syslog_ipv4>"
set tls {enable | disable}
end
next
end

config 99
"<policy_name>" Enter the name of a new or existing Syslog policy. The No default.
The name of the report profile will be included in the

report header.

edit ?
Enter the index number of the individual entry in the table.

<entry_index> No default.
You can create up to 3 connections.
csv {enable | disable} Enable if the Syslog server requires the FortiWeb appliance to disable
send log messages in comma-separated value (CSV) format,
instead of the standard Syslog format.
Enter the port number on which the Syslog server listens.

port <port_int> 514
server "<syslog_ipv4>" Enter the IP address of the Syslog server. No default.
Enables TLS to establish a secure connection between

tls {enable | disable} disable
FortiWeband the specified Syslog server for sending log data.
Example
This example creates Syslog_Policy1. The Syslog server is contacted by its IP address, 192.168.1.10.
Communications occur over the standard port number for Syslog, UDP port 514. The FortiWeb appliance sends log
messages to the Syslog server in CSV format.
config log syslog-policy
edit "Syslog_Policy1"
config log-server-list
edit 1
set server "192.168.1.10"
set port 514
set csv enable
end
next
end
Related topics
l "log syslogd" on page 97

config 100
log traffic-log
Use this command to have the FortiWeb appliance record traffic log messages on its local disk. This command also lets
you save packet payloads with the traffic logs.
You must enable disk log storage and select log severity levels using config log disk
(page 73) before any traffic logs are stored on disk.
Packet payloads supplement the log message by providing the actual data associated with the traffic log, which may
help you to analyze traffic patterns.
You can view packet payloads in the Packet Log column when viewing a traffic logs using the web UI. For details, see
the FortiWeb Administration Guide:
Syntax
config log traffic-log
set packet-log {enable | disable}
end
status {enable | disable} Enable to record traffic log messages if disk log storage is enabled, disable
and the logs meet or exceed the severity levels selected using
config log disk (page 73).
Enable to keep packet payloads stored with their associated

packet-log {enable | traffic log message.
disable
disable}
For details about obscuring sensitive information in packet
payloads, see "log sensitive" on page 92.
message-event {enable | disable

disable}
Example
This example enables disk log storage, sets information as the minimum severity level that a log message must
achieve for storage, enables recording of traffic logs and retention of all packet payloads along with the traffic logs.
config log disk
set status enable
set severity information
end

config 101
config log traffic-log

set status enable
set packet-log enable
end
Related topics
log trigger-policy
Use this command to configure a trigger policy for use in the notification process.
You apply trigger policies to individual conditions that have an associated action and severity, such as attacks and rule
violations. A trigger policy has the following components:
l An email policy (contains the details associated with the recipient email account)
l A Syslog policy (contains details required to communicate with the Syslog server)
l A FortiAnalyzer policy (contains the IP address of the remote FortiAnalyzer appliance)
The trigger policy determines whether an email is sent to administrators when a certain condition occurs and whether
the log messages associated with the condition are stored on a Syslog server or FortiAnalyzer.
You define the email, Syslog, and FortiAnalyzer policies before you apply the trigger policy to an individual condition.
For details, see "log email-policy" on page 75, "log syslog-policy" on page 98, and "log fortianalyzer-policy" on page 81.
Syntax
config log trigger-policy
edit "<trigger-policy_name>"
set email-policy "<email-policy_name>"
set syslog-policy "<syslog-policy_name>"
set analyzer-policy "<fortianalyzer-policy_name>"
set siem-policy "<siem-policy_name>"
next
end
"<trigger-policy_name>" Enter the name of a new or existing trigger policy. The maximum No
length is 63 characters. default.

config 102
Enter the name of the email policy to be used with the trigger
policy. The maximum length is 63 characters.
email-policy "<email- If the conditions associated with the trigger policy occur, the No
policy_name>" email policy determines the recipients of the notification email default.
messages associated with the condition.
For details, see "log email-policy" on page 75.
syslog-policy "<syslog- Enter the name of the Syslog policy to be used with the trigger No
policy_name>" policy. The maximum length is 63 characters. default.
If the conditions associated with the trigger policy occur, the

Syslog policy determines which Syslog server the messages
are sent to.
For details, see "log syslog-policy" on page 98.
analyzer-policy
Enter the name of an existing FortiAnalyzer policy to be used
with the trigger policy. The maximum length is 63 characters. No
"<fortianalyzer-policy_
name>" default.
For details, see "log fortianalyzer-policy" on page 81.
siem-policy "<siem- Enter the name of an existing SIEM policy to be used with the No
policy_name>" trigger policy. The maximum length is 63 characters. default.
For details, see "log siem-policy" on page 95.
Example
This example creates Trigger_policy1, which uses emailpolicy1 to send email notifications about the
condition to specific recipients, and Syslog_Policy1 to submit the log messages to a specific Syslog server.
config log trigger-policy
edit "Trigger_policy1"
set syslog-policy "Syslog_Policy1"
set email-policy "emailpolicy1"
next
end
Related topics
l "log syslog-policy" on page 98
l "log fortianalyzer-policy" on page 81
l "waf http-protocol-parameter-restriction" on page 418
l "waf signature" on page 462

config 103
router policy
Use this command to configure policy routes that redirect traffic away from a static route.
For example, you can divert traffic for intrusion protection scanning (IPS). It is also useful if your FortiWeb protects web
servers for different customers (for example, the clients of a Managed Security Service Provider).
Policy routes can direct traffic to a specific network interface and gateway based on the packet’s source and destination
IP address.
netgrp area. For details, see "Permissions" on page 51.
Syntax
config router policy
edit <policy_index>
set iif "<incoming_interface_name>"
set src "<source_ip>"
set dst "<destination_ip>"
set oif "<outgoing_interface_name>"
set gateway "<router_ip>"
set priority <priorty_int>
next
end
<policy_index> Enter the index number of the policy route. No

default.
"<incoming_interface_ Enter the name of the interface, such as port1, on which No

name>" FortiWeb receives packets it applies this routing policy to. default.
src "<source_ip>" Enter the source IP address and netmask to match, separated 0.0.0.0
with a space. 0.0.0.0
FortiWeb routes matching traffic through the specified

interface and gateway.
Enter the destination IP address and netmask to match,

separated with a space. 0.0.0.0
dst "<destination_ip>"
FortiWeb routes matching traffic through the specified 0.0.0.0
interface and gateway.
"<outgoing_interface_ Enter the name of the interface, such as port2, through which No
name>" FortiWeb routes packets that match the specified IP address default.
information.

config 104
Enter the IP address of a next-hop router.
gateway "<router_ip>" A gateway address is not required for the particular routing 0.0.0.0
policies used as static routes in an one-arm topology. Leave
this blank for a one-arm network topology.
priority <priorty_int> Enter a value between 1 and 200 that specifies the priority of the 200
route.
When packets match more than one policy route, FortiWeb directs
traffic to the route with the lowest value.
Related topics
l "router setting" on page 104
router setting
Use this command to change how FortiWeb handles non-HTTP/HTTPS traffic (for example, SSH and FTP) when it is
operating in Reverse Proxy mode.
When this setting is disabled (the default) and FortiWeb is operating in Reverse Proxy mode, the appliance drops any
non-HTTP/HTTPS traffic.
When this setting is enabled and FortiWeb is operating in Reverse Proxy mode, the appliance handles non-
HTTP/HTTPS protocols in the following ways:
l Any non-HTTP/HTTPS traffic destined for a virtual server on the appliance is dropped.
l For any non-HTTP/HTTPS traffic destined for another destination (for example, a back-end server), FortiWeb acts as a
router and forwards it based in its destination address.
This command has no effect when FortiWeb is operating in transparent modes, which allow and forward non-
HTTP/HTTPS packets by default.
Use this setting only if necessary. For security and performance reasons, if you
have a FortiGate with an Internet/public address virtual IP (VIP) that forwards traffic to
your FortiWeb, and your FortiWeb is on the same subnet as your web servers, do not
use this setting. Instead, configure the VIP to forward:
l only HTTP/HTTPS to FortiWeb, which forwards it to your servers

l specific traffic such as SSH or SFTP directly to your servers
This avoids latency related to an extra hop. It also avoids accidentally forwarding
unscanned protocols.
Routing is best effort. Not all protocols may be supported, such as Citrix Receiver
(formerly ICA).

config 105
FortiWeb appliances are designed to provide in-depth protection specifically for the HTTP and HTTPS protocols.
Because of this, when in Reverse Proxy mode, by default, FortiWeb does not forward non-HTTP/HTTPS
protocols to your protected web servers. That is, IP-based forwarding is disabled. Traffic is only forwarded if picked up
and scanned by the HTTP Reverse Proxy. This provides a secure default configuration by blocking traffic to services that
might have been unintentionally left open and should not be accessible to the general public.
In some cases, however, a web server provides more services, not just HTTP or HTTPS. A typical exception is a server
that also allows SFTP and SSH access. In these cases, enable routing to allow FortiWeb to route the non-HTTP/HTTPS
traffic to the server using the server’s IP address. For HTTP/HTTPS services, direct traffic to the IP address of the
FortiWeb virtual server, which forwards requests to the back-end server after inspection.
This command has no equivalent in the web UI.
Use the following commands to retrieve information about current static route values:
config router setting
get route static
end
Use the following commands to view the current value of ip-forward:

get route setting
end
Syntax
set ip-forward {enable | disable}
set ip6-forward {enable | disable}
end
ip-forward {enable | Enable to forward non-HTTP/HTTPS traffic if its IPv4 IP address disable
disable} matches a static route.
ip6-forward {enable | Enable to forward non-HTTP/HTTPS traffic if its IPv6 IP address

disable
disable} matches a static route.
Example
This example enables forwarding of non-HTTP/HTTPS traffic, based upon whether the IP address matches a route for
the web servers’ subnet, and regardless of HTTP proxy pickup.
set ip-forward enable
end

config 106
Related topics
l "router policy" on page 103
l "router all" on page 1
router static
Use this command to configure static routes, including the default gateway.
Static routes direct traffic existing the FortiWeb appliance—you can specify through which network interface a packet
will leave, and the IP address of a next-hop router that is reachable from that network interface. The router is aware of
which IP addresses are reachable through various network pathways, and can forward those packets along pathways
capable of reaching the packets’ ultimate destinations.
A default route is a special type of static route. A default route matches all packets, and defines a gateway router that
can receive and route packets if no more specific static route is defined for the packet’s destination IP address.
During installation and setup, you should have configured at least one static route, a default route, that points to your
gateway. You may configure additional static routes if you have multiple gateway routers, each of which should receive
packets destined for a different subset of IP addresses.
For example, if a web server is directly attached to one of the network interfaces, but all other destinations, such as
connecting clients, are located on distant networks such as the Internet, you might need to add only one route: a default
route for the gateway router through which the FortiWeb appliance connects to the Internet.
The FortiWeb appliance examines the packet’s destination IP address and compares it to those of the static routes. If
more than one route matches the packet, the FortiWeb appliance applies the route with the smallest index number. For
this reason, you should give more specific routes a smaller index number than the default route.
Syntax
config router static
edit <route_index>
set device "<interface_name>"
set dst "<destination_ip>"
set gateway "<router_ip>"
next
end
<route_index> Enter the index number of the static route. If multiple routes No
match a packet, the one with the smallest index number is default.
applied.

config 107
Enter the name of the network interface device, such as port1,

No
device "<interface_name>" through which traffic subject to this route will be outbound. The
default.
dst "<destination_ip>" Enter the destination IP address and netmask of traffic that 0.0.0.0
will be subject to this route, separated with a space. 0.0.0.0
To indicate all traffic regardless of IP address and netmask

(that is, to configure a route to the default gateway), enter
0.0.0.0 0.0.0.0 or ::/0.
Enter the IP address of a next-hop router.
Caution: The gateway IP address must be in the same

subnet as the interface’s IP address. If you change the
gateway "<router_ip>" interface’s IP address later, the new IP address must also be 0.0.0.0
in the same subnet as the interface’s default gateway
address. Otherwise, all static routes and the default gateway
will be lost.
Example
This example configures a default route that forwards all packets to the gateway router 192.0.2.1, through the
network interface named port1.
config router static
edit 0
set dst "0.0.0.0 0.0.0.0"
set gateway "192.0.2.1"
set device port1
next
end
Related topics
l "router policy" on page 103
l "system interface" on page 280
l "server-policy policy" on page 146
l "wad website" on page 332
l "traceroute" on page 655
l "network arp" on page 602
l "network ip" on page 603

config 108
l "network route" on page 604

server-policy allow-hosts
Use this command to configure protected host groups.
A protected host group contains one or more IP addresses and/or fully qualified domain names (FQDNs). Each entry in
the protected host group defines a virtual or real web host, according to the Host: field in the HTTP header of requests
from clients, that you want the FortiWeb appliance to protect.
For example, if your web servers receive requests with HTTP headers such as:
GET /index.php HTTP/1.1
Host: www.example.com
you might define a protected host group with an entry of www.example.com and select it in the policy. This would
reject requests that are not for that host.
A protected hosts group is usually not the same as a physical server.
Unlike a physical server, which is a single IP at the network layer, a protected host group should contain all network IPs,
virtual IPs, and domain names that clients use to access the web server at the application (HTTP) layer.
For example, clients often access a web server via a public network such as the Internet. Therefore the protected host
group contains domain names, public IP addresses, and public virtual IPs on a network edge router or firewall that are
routable from that public network. But the physical server is only the IP address that the FortiWeb appliance uses to
forward traffic to the server and, therefore, is often a private network address (unless the FortiWeb appliance operates
in Offline Protection or either of the transparent modes).
Protected host groups can be used by:
l Policies
l Input rules
l Server protection exceptions
l Start page rules
l Page access rules
l URL access rules
l Allowed method exceptions
l HTTP authentication rules
l Hidden fields rules
l Many others
Rules can use protected host definitions to apply rules only to requests for a protected host. If you do not specify a
protected host group in the rule, the rule will be applied based upon other criteria such as the URL, but regardless of the
Host: field.

config 109
Policies can use protected host definitions to block connections that are not destined for a protected host. If you do not
select a protected host group in a policy, connections will be accepted or blocked regardless of the Host: field.
traroutegrp area. For details, see "Permissions" on page 51.
Syntax
config server-policy allow-hosts
edit "<protected-hosts_name>"
set default-action {allow | deny | deny_no_log}
config host-list
edit <protected-host_index>
set action {allow | deny | deny_no_log}
set host {"<host_ipv4>" | "<host_fqdn>" | "<host_ipv6>"}
next
end
next
end
"<protected-hosts_name>" Enter the name of a new or existing group of protected hosts. No

To display the list of existing groups, enter:

edit ?
Select whether to accept or deny HTTP requests whose Host:

default-action {allow |
deny | deny_no_log} field does not match any of the host definitions that you will add to allow
this protected hosts group.
<protected-host_index> Enter the index number of a protected host within its group. No
Each host-list can contain up to 64 IP addresses and/or fully default.
qualified domain names (FQDNs).
The valid range is 1–9,223,372,036,854,775,807.
Select whether to accept or deny HTTP requests whose Host:

action {allow | deny |
deny_no_log} field matches the host definition in host {"<host_ipv4>" | allow
"<host_fqdn>" | "<host_ipv6>"} (page 109).
host {"<host_ipv4>" | Enter the IP address or FQDN of a virtual or real web host, as No
"<host_fqdn>" | "<host_ it appears in the Host: field of HTTP headers, such as default.
ipv6>"}
www.example.com. The maximum length is 255 characters.
If clients connect to your web servers through the IP address of

a virtual server on the FortiWeb appliance, this should be the
IP address of that virtual server or any domain name to which
it resolves, not the actual IP address of the web server.
For example, if a virtual server 192.0.2.1/24 forwards traffic to

config 110
the physical server 192.0.2.155, for protected hosts, you

would enter:
l 192.0.2.1, the address of the virtual server

l www.example.com, the domain name that resolves to the
virtual server
Example
This example configures a protected hosts group named example_com_hosts that contains a website’s domain
names and its IP address in order to match HTTP requests regardless of which form they use to identify the host.
config server-policy allow-hosts
set default-action deny
edit "example_com_hosts"
config host-list
edit 0
set host "example.com"
next
edit 1
set host "www.example.com"
next
edit 2
set host "10.0.0.1"
next
end
next
end
Related topics
l "waf allow-method-exceptions" on page 337
l "server-policy custom-application application-policy" on page 110
l "waf input-rule" on page 424
l "waf start-pages" on page 485
l "waf page-access-rule" on page 457
l "waf hidden-fields-rule" on page 399
server-policy custom-application application-policy
Some web applications build URLs differently than expected by FortiWeb, which causes FortiWeb to create incorrect
auto-learning data.
To solve this kind of problem, FortiWeb uses application policy plug-ins that recognize the non-standard application
URLs so that the auto-learning profile can work properly.

config 111
First create a URL interpreter and then use this command to create an application policy to use it. For details, see
"server-policy custom-application url-replacer" on page 112.
Syntax
config server-policy custom-application application-policy
config rule-list
edit <entry_index>
set plugin-name "<url-replacer_name>"
set type {URL_Replacer}
next
end
next
end
"<policy_name>" Enter the name of a new or existing application policy. The No default.

edit ?
Enter the index number of the individual rule in the table. The
valid range is 1–9,999,999,999,999,999,999.
plugin-name "<url- Enter the name of an existing URL interpreter. The maximum No default.
replacer_name>" length is 63 characters.
Enter the name of the plug-in type. Currently, only the URL_ URL_
type {URL_Replacer}
Replacer option is supported. Replacer
Example
This example adds two existing URL replacer plug-ins to an application policy.
config server-policy custom-application application-policy
edit "replacer-policy1"
config rule-list
edit 1
set plugin-name "url-replacer1"
next
edit 2
set plugin-name "url-replacer2"
next
end
next
end

config 112
Related topics
l "server-policy custom-application url-replacer" on page 112
l "waf web-protection-profile autolearning-profile" on page 516
server-policy custom-application url-replacer
When web applications have dynamic URLs or unusual parameter styles, you must adapt auto-learning to recognize
them.
By default, auto-learning assumes that your web applications use the most common URL structure:
l All parameters follow a question mark ( ? ). They do not follow a hash ( # ) or other separator character.
l If there are multiple name-value pairs, each pair is separated by an ampersand ( & ). They are not separated by a semi-
colon ( ; ) or other separator character.
l All paths before the question mark ( ? ) are static—they do not change based upon input, blending the path with
parameters (sometimes called a dynamic URL).
For example, the page at:
/app/main
always has that same path. After a person logs in, the page’s URL doesn’t become:
/app/marco/main
or
/app#deepa
For another example, the URL does not dynamically reflect inventory, such as:
/app/sprockets/widget1024894
Some web applications, however, embed parameters within the path structure of the URL, or use unusual or non-
uniform parameter separator characters. If you do not configure URL replacers for such applications, it can
cause your FortiWeb appliance to gather auto-learning data incorrectly. This can cause the following
symptoms:
l Auto-learning reports do not contain a correct URL structure.

l URL or parameter learning is endless.

config 113
l When you generate a protection profile from auto-learning, it contains many more URLs than actually exist, because auto-
learning cannot predict that the URL is actually dynamic.
l Parameter data is not complete, despite the face that the FortiWeb appliance has seen traffic containing the parameter.
For example, with Microsoft Outlook Web App (OWA), the user’s login name could be embedded within the path
structure of the URL, such as:
/owa/tom/index.html
/owa/mary/index.html
instead of suffixed as a parameter, such as:

/owa/index.html?username=tom
/owa/index.html?username=mary
Auto-learning would continue to create new URLs as new users are added to OWA. Auto-learning would also expend
extra resources learning about URLs and parameters that are actually the same. Additionally, auto-learning may not be
able to fully learn the application structure, as each user may not request the same URLs.
To solve this, you would use this command and config server-policy custom-application
application-policy (page 110) to apply a URL replacer that recognizes the user name within the OWA URL as if
it were a standard, suffixed parameter value so that auto-learning can function properly.
For example, if the URL is:

/application/value
and the URL replacer settings are:
Setting name Value
type {pre-defined | custom-defined} custom-defined

(page 114)
url "<original-url_str>" (page 114) (/application/)([^/]+\\.[^/]+)
new-url "<new-url_str>" (page 115) $0
param "<value_str>" (page 115) $1
new-param "<replaced-param_name>" (page setting

115)
then the URL will be interpreted by auto-learning as:

/application?setting=value
To apply interpret non-standard URLs:
1. Create the custom URL replacer.

2. Add the URL replacer to a custom application policy. For details, see "server-policy custom-application application-
policy" on page 110.
3. Apply the custom application policy in an auto-learning profile. For details, see "waf web-protection-profile
autolearning-profile" on page 516.
4. Finally, apply the auto-learning profiles in a server policy. For details, see "server-policy policy" on page 146.

config 114
Syntax
config server-policy custom-application url-replacer
edit "<interpreter_name>"
set type {pre-defined | custom-defined}
set app-type {jsp | owa-2003}
set url "<original-url_str>"
set new-url "<new-url_str>"
set param "<value_str>"
set new-param "<replaced-param_name>"
next
end
"<interpreter_name>" Enter the name of a new or existing URL interpreter. The No

To display the list of existing URL interpreter, enter:

edit ?
Select either:
l pre-defined—Use one of the predefined URL replacers

for well-known web applications, which you select in app-
type {pre-defined | type {jsp | owa-2003} (page 114). pre-
custom-defined} l custom-defined—Define your own URL replacer by defined
configuring url "<original-url_str>" (page 114),
new-url "<new-url_str>" (page 115), param
"<value_str>" (page 115), and new-param
"<replaced-param_name>" (page 115)
app-type {jsp | owa-2003} If type is pre-defined, select which predefined URL jsp
interpreter to use, either:
l jsp—Use the URL replacer designed for Java server

pages (JSP) web applications, where parameters are often
separated by semi-colons ( ; ).
l owa-2003—User the URL replacer designed for Microsoft
Outlook Web App (OWA) 2003, where user name and
directory parameters are often embedded in the URL.
Enter a regular expression, such as ^/(.*)/(.*)$,

matching all and only the URLs to which the URL replacer
should apply. No
url "<original-url_str>"
default.
The pattern does not require a backslash ( / ). However, it
must at least match URLs that begin with a slash as they

config 115
appear in the HTTP header, such as /index.html. Do not

include the domain name, such as www.example.com.
This setting is used only if type {pre-defined |

custom-defined} (page 114) is custom-defined. The
Note: Auto-learning consider URLs up to approximately 180

characters long (assuming single-byte character encoding,
after FortiWeb has decoded any nested hexadecimal or other
URL encoding—therefore, the limit is somewhat dynamic). If
the URL is greater than that buffer size, auto-learning will not
be able to learn it, and so will ignore it. No event log will be
created in this case.
Note: If this URL replacer will be used sequentially in its set

of URL replacers, instead of being mutually exclusive, this
regular expression should match the URL produced by the
previous interpreter, not the original URL from the request.
new-url "<new-url_str>" Enter either a literal URL, such as /index.html, or a No

regular expression with a back-reference (such as /$1) default.
defining how the URL will be interpreted.

Note: Back-references can only refer to capture groups (parts

of the expression surrounded with parentheses) within the
same URL replacer. Back-references cannot refer to capture
groups in other URL replacers.
Enter either the parameter’s literal value, such as user1, or a

back-reference (such as /$0) defining how the value will be
interpreted. No
param "<value_str>"
This setting is used only if type {pre-defined | default.
new-param "<replaced- Enter either the parameter’s literal name, such as No

param_name>" username, or a back-reference (such as $2) defining how default.
the parameter’s name will be interpreted in the auto-learning
report.


config 116
Note: Back-references can only refer to capture groups (parts

of the expression surrounded with parentheses) within the
same URL replacer. Back-references cannot refer to capture
groups in other URL replacers.
Example
This example assumes the HTTP request URL from a client is /mary/login.asp. The URL replacer interprets the
URL to be /login.asp?username=mary.
config server-policy custom-application url-replacer
edit "url-replacer1"
set type custom-defined
set url "^/(.*)/(.*)$"
set new-url "/$1"
set param "$0"
set new-param "username"
next
end
Related topics
server-policy health
Use this command to configure server health checks.
Tests for server responsiveness (called “server health checks” in the web UI) poll web servers that are members of a
server pool to determine their availability before forwarding traffic. Server health checks can use TCP, HTTP/HTTPS,
ICMP ECHO_REQUEST (ping), TCP SSL, or TCP half-open.
The FortiWeb appliance polls the server at the frequency set in the interval <seconds_int> (page 119) option.
If the appliance does not receive a reply within the timeout period, and you have configured the health check to retry, it
attempts a health check again; otherwise, the server is deemed unresponsive. The FortiWeb appliance reacts to
unresponsive servers by disabling traffic to that server until it becomes responsive.
If a back-end server will be unavailable for a long period, such as when a server is
undergoing hardware repair, it is experiencing extended downtime, or when you have
removed a server from the server pool, you can improve the performance of your FortiWeb
appliance by disabling the back-end server, rather than allowing the server health check to
continue to check for responsiveness. For details, see "server-policy server-pool" on page
170.
To apply server health checks, select them in a server pool configuration. For details, see "server-policy server-pool" on
page 170.

config 117
To use this command, your administrator account’s access control profile requires either w or rw permission to the
Syntax
config server-policy health
edit "<health-check_name>"
set relationship {and |or}
configure health-list
edit <entry_index>
set type {icmp | tcp | http | https | tcp-ssl | tcp-half-open}
set timeout <seconds_int>
set retry-times <retries_int>
set interval <seconds_int>
set url-path "<request_str>"
set method {get | head | post}
set match-type {response-code | match-content | all}
set response-code {response-code_int}
set match-content "<match-content_str>"
next
end
"<health-check_name>" Enter the name of the server health check. The No default.
To display the list of existing server health checks,

enter:
edit ?
Enter the name of the trigger to apply when the

health check detects a failed server (see "log trigger-
policy" on page 101). The maximum length is 63
trigger-policy
"<trigger-policy_name>"
characters. No default.

set trigger ?
relationship {and |or} l and—FortiWeb considers the server to be responsive and

when it passes all the tests in the list.
l or—FortiWeb considers the server to be responsive
when it passes at least one of the tests in the list.
Enter the index number of the individual rule in the table.

type {icmp | tcp | Select either: ping

http | https | tcp-ssl |

config 118
tcp-half-open} l icmp—Send ICMP type 8 (ECHO_REQUEST) and listen

for either ICMP type 0 (ECHO_RESPONSE) indicating
responsiveness, or timeout indicating that the host is not
responsive.
l tcp—Send TCP SYN and listen for either TCP SYN
ACK indicating responsiveness, or timeout indicating that
the host is not responsive.
l http—Send an HTTP request and listen for the code
specified by response-code, the page content
specified by match-content, or both the code and the
content, or timeout indicating that the host is not
responsive.
Apply to server pool members only if the SSL setting for

the member is disabled.
l https—Send an HTTPS request and listen for the code
specified by response-code, the page content
specified by match-content, or both the code and the
content, or timeout indicating that the host is not
responsive.

the member is enabled.
l tcp-ssl—Send an HTTPS request. FortiWeb
considers the host to be responsive if the SSL handshake
is successful, and closes the connection once the
handshake is complete. This type of health check
requires fewer resources than http or https.

the member is enabled.
l tcp-half-open—Send TCP SYN and listen for either
TCP SYN ACK indicating responsiveness, or timeout
indicating that the host is not responsive. If the response
is SYN ACK, send TCP RST to terminate the connection.
This type of health check requires fewer resources from
the pool member than tcp.
Enter the number of seconds which must pass after the

timeout <seconds_int> server health check to indicate a failed health check. The 3
valid range is 1–10 .
retry-times <retries_ Enter the number of times, if any, a failed health check will 3
int> be retried before the server is determined to be
unresponsive. The valid range is 1–10.

config 119
Enter the number of seconds between each server health

interval <seconds_int> 10
check. The valid range is from 1–10.
url-path "<request_str>" Enter the URL, such as /index.html, that No default.

FortiWeb uses in the HTTP/HTTPS request to verify
the responsiveness of the server.
If the web server successfully returns this URL, and

its content matches the expression specified by
match-content, FortiWeb considers it to be
responsive.
Available when type {icmp | tcp | http |

https | tcp-ssl | tcp-half-open} (page
117) is http or https.
Specify whether the health check uses the HEAD,

GET, or POST method.
method {get | head |
Available when type {icmp | tcp | http | get
post}
host "<host_str>" Optionally, enter the HTTP host header name of a specific No default.
host.
This is useful if the pool member hosts multiple websites

(virtual hosting environment).

https | tcp-ssl | tcp-half-open} (page 117)
is http or https.
l response-code—If the web server successfully

returns the URL specified by url-path and the code
specified by response-code, FortiWeb considers the
server to be responsive.
l match-content—If the web server successfully
returns the URL specified by url-path and its content
match-type {response- matches the match-content value, FortiWeb
considers the server to be responsive. match-
code | match-content |
all} content
l all—If the web server successfully returns the URL
specified by url-path and its content matches the
match-content value, and the code specified by
response-code, FortiWeb considers the server to be
responsive.

config 120
response-code {response- Enter the response code that you require the server to 200
code_int} return to confirm that it is available, if match-type
is response-code or all.

Enter a regular expression that matches the content

that must be present in the HTTP reply to indicate
proper server connectivity, if match-type is
match-content "<match- match-content or all.
content_str>" No default.
Example
This example configures a server health check that periodically requests the main page of the website, /index. If a
physical server does not successfully return that page (which contains the word “About”) every 10 seconds (the default),
and fails the check at least three times in a row, FortiWeb considers it unresponsive and forwards subsequent HTTP
requests to other physical servers in the server farm.
config server-policy health
edit "status_check1"
set trigger-policy "notification-servers1"
configure health-list
edit 1
set type http
set retry-times 3
set url-path "/index"
set method get
set match-type match-content
set regular About
next
end
Related topics
l "server-policy server-pool" on page 170

config 121
server-policy http-content-routing-policy
Use this command to configure HTTP header-based routing.
Instead of dynamically routing requests to a server pool simply based upon load or connection distribution at the TCP/IP
layers, as basic load balancing does, you can forward them based on headers in the HTTP layer.
HTTP header-based routes define how FortiWeb routes requests to server pools. They are based on one or more of the
following HTTP header elements:
l Host
l URL
l Parameter
l Referer
l Cookie
l Header
l Source IP
l X.509 certificate
This type of routing can be useful if, for example, a specific web server or group of servers on the back end support
specific web applications, functions, or host names. That is, your web servers or server pools are not identical, but
specialized. For example:
l 192.0.2.1—Hosts the website and blog

l 192.0.2.2 and 192.0.2.3—Host movie clips and multimedia
l 192.0.2.4 and 192.0.2.5—Host the shopping cart
If you have configured request rewriting, configure HTTP content-based routing using the original request URL and/or
Host: name, as it appears before FortiWeb has rewritten it. For details about rewriting, see "waf url-rewrite url-rewrite-
To apply your HTTP-based routes, select them when you configure the server policy. For details, see "server-policy
Syntax
config server-policy http-content-routing-id
edit "<routing-policy_name>"
set server-pool "<server-pool_name>"
config content-routing-match-list
edit <entry_index>
set match-object {http-host | http-request | url-parameter | http-referer
| http-cookie | http-header | source-ip | x509-certificate-Subject |
x509-certificate-Extension | https-sni}
set match-condition {match-begin | match-end | match-sub | match-domain |
match-dir | match-reg | ip-range | ip-range6 | equal}
set x509-subject-name {E | CN | OU | O | L | ST | C}
set match-expression "<match-expression_str>"
set name "<name_str>"

config 122
set name-match-condition {match-begin | match-end | match-sub | match-reg

| equal}
set value "<value_str>"
set value-match-condition {match-begin | match-end | match-sub | match-reg
| equal}
set start-ip "<start_ip>"
set end-ip "<end_ip>"
set end-ip "<end_ip>"
set concatenate {and | or}
next
end
next
end
"<routing-policy_name>" Enter the name of the HTTP content routing policy. The No

edit ?
Enter the name of the server pool to which FortiWeb forwards

server-pool "<server- traffic when the traffic matches rules in this policy. No
pool_name>" default.
For details, see "server-policy server-pool" on page 170.
<entry_index> Enter the index number of the individual rule in the table. The valid No
range is 1–9,999,999,999,999,999,999. default.
Enter the type of object that FortiWeb examines for matching

values:
l http-host—Host: field
l http-request—A URL
l url-parameter—A URL parameter and value
match-object {http-host | l http-referer—Referer: field
http-request | url- l http-cookie—A cookie name and value
parameter | http-referer
| http-cookie | http- l http-header—A header name and value No
header | source-ip | l source-ip—An IPv4 address or address range or IPv6 address default.
x509-certificate-Subject
or address range
| x509-certificate-
Extension | https-sni} l x509-certificate-Subject—A specified Relative
Distinguished Name (RDN) in the X509 certificate Subject field.
Also specify x509-subject-name.
l x509-certificate-Extension—Additional fields that the
extensions field adds to the X509 certificate
l https-sni— Select this option so that FortiWeb will forward
requests based on the SNI in the SSL handshake.
match-condition {match- Enter the type of value to match. Values can be a literal value No

config 123
begin | match-end | that appears in the object or a regular expression. default.

match-sub | match-
domain | match-dir | The value of match-object {http-host | http-
match-reg | ip-range | request | url-parameter | http-referer |
ip-range6 | equal} http-cookie | http-header | source-ip |
x509-certificate-Subject | x509-
certificate-Extension | https-sni} (page 122)
determines which content types you can specify.
If match-object is http-host, http-request, http-

referer, or x509-certificate-Extension:
l match-begin—The object to match begins with the specified

string.
l match-end—The object to match ends with the specified string.
l match-sub—The object to match contains the specified string.
l equal—The object to match is the specified string.
If match-object is http-host only:
l match-domain—The object to match contains the specified

string between the periods in a domain name.
For example, if match-expression is abc, the condition

matches the following hostnames:
dname1.abc.com
dname1.dname2.abc.com
However, the same Match Simple String value does not match
the following hostnames:
abc.com No
dname.abc default.
If match-object is http-request:
l match-dir—The object to match contains the specified string

between delimiting characters (slash) in a domain name.
For example, if match-expression is abc, the condition

matches the following hostnames:
test.com/abc/
test.com/dir1/abc/
However, the same match-string value does not match the

following hostnames:

config 124
test.com/abc
test.abc.com
If match-object is source-ip:
l ip-range—The source IP to match is an IPv4 IP address or

within a range of IPv4 IP addresses.
l ip-range6—The source IP to match is an IPv6 IP address or
within a range of IPv6 IP addresses.
If match-object is http-host, http-request, http-
referer, source-ip, or x509-certificate-
Extension:
l match-reg—The object to match has a value that matches the

specified regular expression.
x509-subject-name {E | Enter the attribute type to match. No

CN | OU | O | L | ST | C} default.
Available when match-object {http-host | http-
request | url-parameter | http-referer | http-
cookie | http-header | source-ip | x509-
certificate-Subject | x509-certificate-
Extension | https-sni} (page 122) is x509-
certificate-Subject.
Enter a value to match in the object element specified by

match-object {http-host | http-request |
url-parameter | http-referer | http-cookie
| http-header | source-ip | x509-
certificate-Subject | x509-certificate-
Extension | https-sni} (page 122) and match-
match-expression "<match- condition. No
expression_str>" default.
Examples:
l A literal URL, such as /index.php, that a matching HTTP

request contains.
l An expression, such as ^/*.php, that matches a URL.
Tip: When you enter a regular expression using the web UI,
you can validate its syntax.
name "<name_str>" Enter the name of the object to match. The value can be a No
literal value or a regular expression. default.
For example, the name of a cookie embedded by traffic

controller software on one of the servers.
Available only if match-object {http-host | http-

config 125
request | url-parameter | http-referer |

http-cookie | http-header | source-ip |
certificate-Extension | https-sni} (page 122) is
url-parameter, http-cookie, or http-header.
Enter the type of value to match. The value is specified by

name and can be a literal value that appears in the object or a
regular expression.
name-match-condition l match-begin—The name to match begins with the specified

{match-begin | match-end string. No
| match-sub | match-reg | l match-end—The name to match ends with the specified string. default.
equal}
l match-sub—The name to match contains the specified string.
l equal—The name to match is the specified string.
l match-reg—The name to match matches the specified regular
expression.
value "<value_str>" Enter the object value to match. The value can be a literal No
value or a regular expression. default.
Available if match-object {http-host | http-

request | url-parameter | http-referer |
http-cookie | http-header | source-ip |
url-parameter, http-cookie, or http-header.
Enter the type of value to match. The value is specified by

value and can be a literal value or a regular expression.
l match-begin—The value to match begins with the specified

value-match-condition string.
{match-begin | match-end No
| match-sub | match-reg | l match-end—The value to match ends with the specified string.
default.
equal} l match-sub—The value to match contains the specified string.
l equal—The value to match is the specified string.
l match-reg—The value to match matches the specified regular
expression.
start-ip "<start_ip>" Enter the first IP address in a range of IP addresses. No

default.
Available if match-condition {match-begin |
match-end | match-sub | match-domain |
match-dir | match-reg | ip-range | ip-
range6 | equal} (page 122) is ip-range or ip-
range6.

config 126
Enter the last IP address in a range of IP addresses.
Available if match-object {http-host | http-

request | url-parameter | http-referer | No
end-ip "<end_ip>" http-cookie | http-header | source-ip | default.
source-ip
reverse {enable | When enabled, FortiWeb will route requests to the server pool that
disable} do not match the specified values for the Match Object.
Select either:
l and—A matching request matches this entry in addition to other

concatenate {and | or} entries in the HTTP content routing list. and
l or—A matching request matches this entry or other entries in the
list.
Example
This HTTP content routing policy routes requests for www.example.com/school to the server pool school-site.
The content routing has three rules: one matches the host (www.example.com), a second matches the sessid
cookie, and a third matches the /school URL. In combination, the first and third rules match the request for
www.example.com/school.
config server-policy http-content-routing-policy
edit "content_routing_policy1"
set server-pool school-site
config content-routing-match-list
edit 1
set match-condition match-reg
set match-expression "www.example.com "
next
edit 2
set match-object http-cookie
set name sessid
set value "hash[a-fA-F0-7]*"
set name-match-condition match-reg
set value-match-condition match-reg
next
edit 3
set match-object http-request
set match-expression "/school"
next
end
next
end

config 127
Related topics
l "waf url-rewrite url-rewrite-policy" on page 496
server-policy pattern custom-data-type
Use this command to configure custom data types to augment the predefined data types. You can add custom data
types to input rules to define the data type of an input, and to auto-learning profiles to detect valid input parameters.
Syntax
config server-policy pattern custom-data-type
edit "<custom-data-type_name>"
set expression "<regex_pattern>"
next
end
"<custom-data-type_name>" Enter the name of the custom data type. The maximum length No
is 63 characters. default.
To display the list of existing types, enter:

edit ?
Enter a regular expression that defines the data type. It should

expression "<regex_ No
pattern>" match all data of that type, but nothing else. The maximum length
default.
is 2,071 characters.
Example
This example configures two custom data types.
config server-policy pattern custom-data-type
edit "Level 3 Password-custom"
set expression "^aaa"
next
edit "Custom Data Type 1"
set expression "^555"
next
end

config 128
Related topics
l "server-policy pattern data-type-group" on page 132
server-policy pattern custom-global-white-list-group
Use this command to configure objects that will be exempt from scans.
When enabled, whitelisted items are not flagged as potential problems, nor incorporated into auto-learning data. This
feature reduces false positives and improves performance.
To include white list items during policy enforcement and auto-learning reports, you must first disable them in the global
white list.
Syntax
config server-policy pattern custom-global-white-list-group
edit <entry_index>
set type {Cookie | Parameter | URL}
set domain "<cookie_fqdn>"
set path "<url_str>"
set request-type {plain | regular}
set request-file "<url_str>"
next
end
<entry_index> Enter the index number of the individual rule in the table. The valid No
range is 1–9,223,372,036,854,775,807. default.
status {enable | disable} Enable to exempt this object from all scans. enable
type {Cookie | Indicate the type of the object. Depending on your selection, the URL
Parameter | URL} remaining settings vary.
Enter the partial or complete domain name or IP address as it

appears in the cookie, such as:
www.example.com
No
domain "<cookie_fqdn>"
.google.com default.
192.0.2.50
If clients sometimes access the host via IP address instead of

config 129
DNS, create white list objects for both.
This setting is available if type {Cookie |

Parameter | URL} (page 128) is set to Cookie.
Caution: Do not whitelist untrusted subdomains that use

vulnerable cookies. It could compromise the security of that
domain and its network.
name "<name_str>" Depending on your selection in type {Cookie | No

Parameter | URL} (page 128), either: default.
l Enter the name of the cookie as it appears in the HTTP request,

such as NID.
l Enter the name of the parameter as it appears in the HTTP URL
or body, such as rememberme.
Parameter | URL} (page 128) is set to Cookie or
Parameter.
Enter the path as it appears in the cookie, such as / or

/blog/folder. No
path "<url_str>"
This setting is available if type {Cookie | default.
Parameter | URL} (page 128) is set to Cookie.
request-type {plain | Indicate whether the request-file "<url_str>" (page plain

regular} 129) field contains a literal URL (plain), or a regular
expression designed to match multiple URLs (regular).

Parameter | URL} (page 128) is set to URL.
Depending on your selection in the request-type

{plain | regular} (page 129) field, enter either:
l The literal URL, such as /robots.txt, that the HTTP request

must contain in order to match the rule. The URL must begin with
a backslash ( / ).
l A regular expression, such as ^/*.html, matching all and only
request-file "<url_str>" the URLs to which the rule should apply. The pattern does not
require a slash ( / ); however, it must at match URLs that begin
with a backslash, such as /index.html.
Do not include the domain name, such as
www.example.com.

Parameter | URL} (page 128) is set to URL.

config 130
Example
This example exempts requests for robots.txt from most scans.
config server-policy pattern custom-global-white-list-group
edit 1
set request-file "/robots.txt"
next
end
Related topics
l "waf web-protection-profile inline-protection" on page 518
server-policy pattern custom-susp-url
Use this command to configure custom suspicious URL requests to augment the list of predefined suspicious URL
requests. You can add custom suspicious URLs to a custom suspicious URL rule.
Syntax
config server-policy pattern custom-susp-url
edit "<custom-susp-url_name>"
set expression "<url_pattern>"
next
end
"<custom-susp-url_name>" Enter the name of the custom URL. The maximum length is No
63 characters. default.
To display the list of existing URLs, enter:

edit ?
Enter either a simple string or a regular expression to defines the

expression "<url_ No
pattern>" custom URL request to check for. The maximum length is 2,071
default.
characters.
Example
This example configures a custom suspicious URL named Suspicious-URL 1 and defines the custom expression
associated with that suspicious URL.
config server-policy pattern custom-susp-url
edit "Suspicious URL 1"

config 131
set expression "^/schema.xml$"

next
end
Related topics
l "server-policy pattern suspicious-url-rule" on page 137
server-policy pattern custom-susp-url-rule
Use this command to add one or more existing custom suspicious URLs to a custom suspicious URL rule.
Custom suspicious URL rules can augment the predefined suspicious URL rules. You can add custom suspicious URL
rules to input rules.
Syntax
config server-policy pattern custom-susp-url-rule
edit "<rule_name>"
config type-list
edit <entry_index>
set custom-susp-url "<suspicious-url_name>"
next
end
next
end
"<rule_name>" Enter the name of a new or existing rule. The maximum length No

edit ?
Enter the index number of the individual entry in the table. The valid No
<entry_index>
range is 1–9,999,999,999,999,999,999. default.
custom-susp-url Enter the name of an existing custom URL already defined No

"<suspicious-url_name>" using config server-policy pattern custom- default.
susp-url (page 130). The maximum length is 63 characters.

edit ?

config 132
Example
This example configures a custom suspicious URL rule using an existing custom suspicious URL.
config server-policy pattern custom-susp-url-rule
edit "Suspicious Rule 1"
config type-list
edit 1
set custom-susp-url "Suspicious URL 1"
next
end
next
end
Related topics
l "server-policy pattern custom-susp-url" on page 130
server-policy pattern data-type-group
Use this command to configure data type groups.
A data type group selects a subset of one or more predefined data types. Each of those entries in the data type group
defines a type of input that the FortiWeb appliance should attempt to recognize and track in HTTP sessions when
gathering data for an auto-learning profile.
For example, if you include the Email data type in the data type group, auto-learning profiles that use the data type
group might discover that your web applications use a parameter named username whose value is an email address.
If you know that your network’s HTTP sessions do not include a specific data type, omit it from the data type group to
improve performance. The FortiWeb appliance will not expend resources scanning traffic for that data type.
Data type groups are used by auto-learning profiles. For details, see "server-policy policy" on page 146.
Syntax
config server-policy pattern data-type-group
edit "<data-type-group_name>"
config type-list
edit <entry_index>
set data-type {Address | Canadian_Post_code | Canadian_Province_Name |
Canadian_SIN | China_Post_Code | Country_Name | Credit_Card_Number |
Danmark_Postalcode | Dates_and_Times | Email | GPA | GUID | ip_
address | Indian_Vehicle_Number | Italian_mobile_phone | Kuwait_Civil_
ID | L1_Password | L2_Password | Markup_or_Code | Microsoft_product_
key | NINO | Netherlands_Postcode | Num | personal_name | Phone |
Quebec_Postal_Code | String | Swedish_personal_number | Swedish_
Postalcode | UAE_land_phone | UK_Bank_code | UK_postcode | US_SSN |
US_State_Name | US_Street_Address | US_Zip_Code | Unix_device_name |
Uri | Windows_file_name}
next

config 133
end
next
end
"<data-type-group_ Enter the name of the data type group. The maximum length is No
name>" 63 characters. default.

edit ?
<entry_index>
range is 1–9,999,999,999,999,999,999. default.
data-type {Address | For each data-type entry, enter one of the following No
Canadian_Post_code | predefined data types exactly as shown (available options may default.
Canadian_Province_
Name | Canadian_SIN | vary due to FortiGuard updates):
China_Post_Code |
l Address—Canadian postal codes and United States ZIP code and
Country_Name | Credit_
Card_Number | Danmark_ ZIP + 4 codes.
Postalcode | Dates_and_ l Canadian_Post_code—Canadian postal codes such as
Times | Email | GPA | K2H 7B8 or k2h7b8. Does not match hyphenations such as K2H-
GUID | ip_address |
Indian_Vehicle_Number |
7B8.
Italian_mobile_ l Canadian_Province_Name—Modern and older names and
phone | Kuwait_Civil_ abbreviations of Canadian provinces in English, as well as some
ID | L1_Password | L2_ abbreviations in French, such as Quebec, IPE, Sask, and Nunavut.
Password | Markup_or_
Code | Microsoft_ Does not detect province names in French, such as Québec.
product_key | NINO | l Canadian_SIN—Canadian Social Insurance Numbers (SIN) such
Netherlands_Postcode | as 123-456-789.
Num | personal_name |
Phone | Quebec_ l China_Post_Code—Chinese postal codes such as 610000.
Postal_Code | l Country_Name—Country names, codes, and abbreviations in
String | Swedish_ English characters, such as CA, Cote d’Ivoire, Brazil, Russian
personal_number |
Swedish_Postalcode | Federation, Brunei, and Dar el Salam.
UAE_land_phone | UK_ l Credit_Card_Number—American Express, Carte Blanche,
Bank_code | UK_ Diners Club, enRoute, Japan Credit Bureau (JCB), Master Card,
postcode | US_SSN | US_ Novus, and Visa credit card numbers.
State_Name | US_Street_
Address | US_Zip_Code | l Danmark_Postalcode—Danish postal code (“postnumre”) such
Unix_device_name | as DK-1499 and dk-1000. Does not match codes that are not
Uri | Windows_file_ prefixed by “DK-”, nor numbers that do not belong to the range of
name}
valid codes, such as 123456 or dk 12.
l Dates_and_Times—Dates and times in various formats such as
+13:45 for time zone offsets, 1:01 AM, 1am, 23:01:01, and
01.01.30 AM for times, and 31.01.2009, 31/01/2009, 01/31/2000,
2009-01-3, 31-01-2009, 1-31-2009, 01 Jan 2009, 01 JAN 2009, 20-
Jan-2009 and February 29, 2009 for dates.
l Email—Email addresses such as
[email protected]

config 134
l GPA—A student’s grade point average based on the 0.0-to-4.0 point

system, where an “A” is worth 4 points and an “F” is worth 0 points.
Does not match GPAs weighted on the 5 point scale for honors, IB,
or AP courses, such as 4.1. The exception is 5.5, which it will match.
l GUID—A globally unique identifier used to identify partition types in
the hard disk’s master boot record (MBR), such as BFDB4D31-3E35-
4DAB-AFCA-5E6E5C8F61EA. Partition types are relevant on
computers which boot via EFI, using the MBR, instead of an older-
style BIOS.
l ip_address—A public or private IPv4 address, such as 10.0.0.1.

Does not match IPv6 addresses.
l Indian_Vehicle_Number—An Indian Vehicle Registration
Number, such as mh 12 bj 1780.
l Italian_mobile_phone—Italian mobile phone numbers with
the prefix for international calls, such as +393471234567, or
without, such as 3381234567. Does not match numbers with a dash
or space after the area code, nor VoIP or land lines.
l Kuwait_Civil_ID—Personal identification number for Kuwait,
such as 273032401586. Must begin with 1, 2, or 3, and follow all
other number patterns for valid civil IDs.
l L1_Password—A string of at least 6 characters, with one or more
each of lower-case characters, upper-case characters, and digits,
such as aBc123. Level 1 passwords are “weak” passwords, generally
easier to crack than level 2 passwords.
l L2_Password—A strong password with a string of at least 8
characters, with one or more each of lower-case characters, upper-
case characters, digits, and special characters, such as aBc123$%.
l Markup_or_Code—HTML comments, wiki code, hexadecimal
HTML color codes, quoted strings in VBScript and ANSI SQL, SQL
statements, and RTF bookmarks such as:
• #00ccff, 
•
[link url="http://example.com/url?var=A&var2=
B"]
• SELECT * FROM TABLE
• {\*\bkmkstart TagAmountText}
Does not match ANSI escape codes, which are instead detected as
strings.
l Microsoft_product_key—An alphanumeric key for activation
of Microsoft software, such as ABC12-34DEF-GH567-IJK89-
LM0NP. Does not match keys which are non-hyphenated, nor where
letters are not capitalized.
l Netherlands_Postcode—Netherlands postal codes
(“postcodes”) such as 3000 AA or 3000AA. Does not match postal

config 135
codes written in lower-case letters, such as 3000aa.

l NINO—A United Kingdom National Insurance Number (NINO), such
as AB123456D. Does not match NINOs written in lower-case
letters, such as ab123456d.
l Num—Numbers in various monetary, decimal, comma-separated

value (CSV) and other formats such as 123, +1.23, $1,234,567.89,
1'235.140, and -123.45e-6. Does not detect hexadecimal numbers,
which are instead detected as strings or code, and Social Security
Numbers, which are instead detected as strings.
l personal_name—A person’s full or abbreviated name in
English. It can contain punctuation, such as A.J. Schwartz,
Jean-Pierre Ferko, or Jane O’Donnell. Does not match names
written in other languages with accented Latinate characters,
hanzu, kanji, or hangul, such as Renée Wächter or 林美 .
l Phone—Australian, United States, and Indian phone numbers in
various formats such as (123)456-7890, 1.123.456.7890,
0732105432, and +919847444225.
l Quebec_Postal_Code—Postal codes written in the style
sometimes used by Quebecers, with hyphens between the two
parts, such as h2j-3c4 or H2J-3C4.
l String—Character strings such as alphanumeric words, credit
card numbers, United States Social Security Numbers (SSN), UK
vehicle registration numbers, ANSI escape codes, and hexadecimal
numbers in formats such as user1, 123-45-6789, ABC 123 A,
4125632152365, [32mHello, and 8ECCA04F.
l Swedish_Postalcode—Postal codes (“postnummer”) for
Sweden, with or without spaces or hyphens, such as S 751 70,
s75170, or S-751-70. Requires the initial S or s letter. Does not
match invalid postal codes such as ones that begin with a 0, or ones
that do not begin with the letter S or s.
l Swedish_personal_number—Personal identification number
(“personnummer”) for Sweden, such as 19811116-7845. Must be
hyphenated. Does not match PINs for persons whose age is 100 or
greater.
l UAE_land_phone—Telephone number for the United Arab
Emirates, such as 04 - 3452499 or 04 3452499. Does not match
phone numbers beginning with 01 or 08.
l UK_Bank_code—Bank sort codes for the United Kingdom, such as
09-01-29. Must be hyphenated.
l UK_postcode—Postal codes for the United Kingdom, with or
without spaces, such as SW1A 2AA or SW1A2AA.
l Unix_device_name—Standard Linux or UNIX non-loopback
wired Ethernet network interface names, such as eth0. Does not
match names for any other type of device, such as lo, hdda, or ppp.

config 136
l Uri—Uniform resource identifiers (URI) such as:

http://www.example.com
ftp://ftp.example.com
mailto:[email protected]
l US_SSN—United States Social Security Numbers (SSN) such as
123-45-6789.
l US_State_Name—United States state names and modern postal
abbreviations such as HI and Wyoming. Does not detect older
postal abbreviations such as Fl. or Wyo.
l US_Street_Address—United States city and street address,
possibly including an apartment or suite number. City and street
may be either separated with a space or written on two lines
according to US postal conventions, such as:
123 Main Street Suite #101
Honolulu, HI 10001
Does not match:
l ZIP + 4 codes that include spaces, or do not have a hyphen (e.g.
“10001 - 1111” or “10001 1111”)

l city abbreviations of 2 characters (e.g. “NY” instead of “NYC”)
l Washington D.C. addresses
l multiline addresses on Mac OS X, Linux or Unix computers
l unabbreviated state names (e.g. “Delaware”)
l addresses ending with the country (e.g. “USA”)
l addresses beginning with numbers written as words (e.g. “Seven
Main Street” instead of “7 Main Street”)
l US_Zip_Code—United States ZIP code and ZIP + 4 codes such as
34285-3210.
l Windows_file_name—A valid windows file name, such as
Untitled.txt. Does not match file extensions, or file names without
their extensions.
To display available options, enter:
set data-type ?
Note: The web UI displays the regular expressions that define

each predefined data type. For details, see the FortiWeb
Example
This example configures a data type group named data-type-group1 that detects addresses and phone numbers
when an auto-learning profile uses it.
config server-policy pattern data-type-group
edit "data-type-group1"

config 137
config type-list
edit 1
set data-type Address
next
edit 2
set data-type Phone
next
end
next
end
Related topics
server-policy pattern suspicious-url-rule
Use this command to add one or more predefined suspicious URL rules to a suspicious URL rule group.
Each entry in a suspicious URL group defines a type of URL that the FortiWeb appliance considers to be possibly
malicious when gathering data for an auto-learning profile.
HTTP requests for URLs typically associated with administrative access to your web applications or web server, for
example, may be malicious if they originate from the Internet instead of your management LAN. You may want to
discover such requests for the purpose of designing blacklist page rules to protect your web server.
If you know that your network’s web servers are not vulnerable to a specific type of suspicious URL, such as if the URL is
associated with attacks on Microsoft IIS web servers but all of your web servers are Apache web servers, omit it from the
suspicious URL group to improve performance. The FortiWeb appliance will not expend resources scanning traffic for
that type of suspicious URLs.
To see the regular expressions used in the predefined suspicious URL rules, in the web UI, go to Auto Learn >
Predefined Pattern > URL Pattern.
Suspicious URL groups are used by auto-learning profiles. For details, see "server-policy policy" on page 146.
Syntax
config server-policy pattern suspicious-url-rule
edit "<rule-group_name>"
config type-list
edit <entry_index>
set server-type { Abyss | Apache | Appweb | BadBlue | Blazix | Cherokee |
ColdFusion | IIS | JBoss | Jetty | Jeus_WebContainer | LotusDomino |
Tomcat | WebLogic | WebSEAL | WebSiphon | Xerver | ZendServer |
aolserver | ghttpd | lighttpd | lilhttpd | localweb2000 |
mywebserver | ngnix | omnihttpd | samba | squid | svn | webshare |
xeneo | xitami | zeus | zope}
next
end
set custom-susp-url-rule "<rule_name>"

config 138
next
end
next
end
"<rule-group_name>" Enter the name of the suspicious URL rule group. The No

edit ?
<entry_index>
range is 1–9,999,999,999,999,999,999. default.
server-type { Abyss | For each rule index, select the type of the web server, application, No
Apache | Appweb | or servlet. FortiWeb will detect attempts to access URLs that are default.
BadBlue | Blazix |
usually sensitive for that software.
Cherokee | ColdFusion |
IIS | JBoss | Jetty |
Jeus_WebContainer |
LotusDomino | Tomcat |
WebLogic | WebSEAL |
WebSiphon | Xerver |
ZendServer | aolserver |
ghttpd | lighttpd |
lilhttpd | localweb2000 |
mywebserver | ngnix |
omnihttpd | samba |
squid | svn | webshare |
xeneo | xitami | zeus |
zope}
Enter the name of a custom suspicious URL rule. For details, see
"<rule_name>"
"server-policy pattern custom-susp-url-rule" on page 131.
Example
This example configures a suspicious URL rule group named suspicious-url-group1 that detects HTTP requests
for administratively sensitive URLs for some common web servers that could represent attack attempts and includes a
custom suspicious URL rule.
config server-policy pattern suspicious-url-rule
edit "suspicious-url-group1"
config type-list
edit 1
set server-type Apache
next
edit 2
set server-type Apache
next
edit 3
set server-type Tomcat
next

config 139
edit 4
set server-type WebLogic
next
end
set custom-susp-url-rule Suspicious URL 1
next
end
Related topics
l "server-policy pattern custom-susp-url" on page 130
server-policy pattern threat-weight
Use this command to configure the global threat weight of security violations. When a security violation is detected, the
threat weight of the security violation is used to calculate the reputation of the device that launched the event. Access to
networks and servers can be managed according to a device's reputation calculated using the total threat weight of the
device.
For details about Threat Weight, see the FortiWeb Administration Guide:
admingrp area. For details, see "Permissions" on page 51.
Syntax
config server-policy pattern threat-weight
set allow-method {off | low | med | high | crit}
set brute-force-login {off | low | med | high | crit}
set cookie-security-policy {off | low | med | high | crit}
set crit <value_int>
set csrf-protection {off | low | med | high | crit}
set custom-policy {off | low | med | high | crit}
set custom-signature {off | low | med | high | crit}
set dos-protection {off | low | med | high | crit}
set file-upload-restriction {off | low | med | high | crit}
set ftp-security {off | low | med | high | crit}
set geo-ip {off | low | med | high | crit}
set hidden-field-protection {off | low | med | high | crit}
set high <value_int>
set http-protocol-constraints {enable | disable}
set illegal-json-format {off | low | med | high | crit}
set illegal-xml-format {off | low | med | high | crit}
set ip-list {off | low | med | high | crit}
set ip-reputaton {off | low | med | high | crit}
set low <value_int>
set med <value_int>
set padding-oracle-protection {off | low | med | high | crit}
set page-access {off | low | med | high | crit}
set parameter-validation {off | low | med | high | crit}

config 140
set signature {enable | disable}

set start-pages {off | low | med | high | crit}
set url-access {off | low | med | high | crit}
set user-tracking {off | low | med | high | crit}
end
allow-method {off | low Set the threat weight for HTTP request method violations. med
| med | high | crit}
brute-force-login {off
| low | med | high | Set the threat weight for attempted brute force logins. crit
crit}
cookie-security-policy Set the threat weight for cookie poisoning and other cookie-based high
{off | low | med | high | attacks.
crit}
Set the value for a critical threat weight. The range of accepted
crit <value_int> values is 0-100. The value of higher levels must be larger than 50
lower levels.
csrf-protection {off Set the threat weight for cross-site request forgery attacks. high
| low | med | high |
crit}
custom-policy {off | low

| med | high | crit} Set the threat weight for custom policy violations. high
custom-signature {off Set the threat weight for attack signature and data leak signatures. high
crit}
dos-protection {off | low

| med | high | crit} Set the threat weight for denial of service (DOS) attacks. high
file-upload-restriction Set the threat weight for violations of upload restriction policies. high
{off | low | med | high |
crit}
geo-ip {off | low | med | Set the threat weight for requests from blocked countries or regions
high
high | crit} based on the associated source IP address.
hidden-field-protection Set the threat weight for attempts to tamper with hidden field rules. high
{off | low | med | high |
crit}
Set the value for a high threat weight. The range of accepted values
high <value_int> is 0-100. The value of higher levels must be larger than lower 30
levels.
http-protocol-constraints Set to enable threat weights for HTTP protocol constraints. Once enable
{enable | disable}

config 141
enabled, the threat weight for each HTTP protocol constraint may
be set using config waf http-protocol-parameter-
restriction (page 418).
illegal-json-format {off
| low | med | high | Set the threat weight for illegal formatting in JSON data. high
crit}
illegal-xml-format {off Set the threat weight for illegal XML formatting. high
crit}
ip-list {off | low | med

| high | crit} Set the threat weight for requests from blacklisted IP addresses. high
ip-reputaton {off | low Set the threat weight for requests from IP addresses with a poor crit
| med | high | crit} reputation.
Set the value for a low threat weight. The range of accepted values
low <value_int> is 0-100. The value of higher levels must be larger than lower 5
levels.
med <value_int> Set the value for a medium threat weight. The range of accepted 10
values is 0-100. The value of higher levels must be larger than
lower levels.
padding-oracle-protection
{off | low | med | high | Set the threat weight for padding oracle attacks. crit
crit}
page-access {off | low Set the threat weight for page order rule violations. med
parameter-validation {off
| low | med | high | Set the threat weight for input rule violations. high
crit}
signature {enable Set to enable threat weights for signatures. Once enabled, the enable
| disable} threat weight for each signature may be set using config waf
signature (page 462).
start-pages {off | low

| med | high | crit} Set the threat weight for start page rule violations. med
url-access {off | low Set the threat weight for URL access rule violations. med
user-tracking {off | low

| med | high | crit} Set the threat weight for user tracking rule violations. med
ftp-security {off | low Set the threat weight for ftp security rule violations. med

config 142
Example
This example adjusts the threat weight of DOS attacks.
set dos-protection crit
end
This example disables signatures.

set signature disable
end
This example adjusts the risk level value of critical security violations.
config server-policy-pattern threat-weight
set crit 60
end
Related Topics
l "system device-tracking" on page 241

server-policy persistence-policy
Use this command to configure a persistence method and timeout that you can apply to server pools. The persistence
policy applies to all members of the server pool.
After FortiWeb has forwarded the first packet from a client to a pool member, some protocols require that subsequent
packets also be forwarded to the same back-end server until a period of time passes or the client indicates that it has
finished transmission.
To apply a persistence policy, select it when you configure a server pool. For details, see "server-policy server-pool" on
page 170.
Syntax
config server-policy persistence-policy
edit "<persistence-policy_name>"
set type { source-ip | persistent-cookie | asp-sessionid | php-sessionid | jsp-
sessionid | insert-cookie | http-header | url-parameter | rewrite-cookie |
embedded-cookie | ssl-session-id }
set cookie-name "<cookie-name_str>"
set timeout "<timeout_int>"
set ipv4-netmask "<v4mask>"
set ipv6-mask-length "<v6mask>"
set http-header "<http-header_str>"

config 143
set url-parameter "<url-parameter_str>"

set cookie-path "<cookie-path_str>"
set cookie-domain "<cookie-domain_str>"
next
end
"<persistence-policy_ Enter the name of the persistence policy. The No default.

name>" maximum length is 63 characters.
To display the list of existing persistence policies,

enter:
edit ?
l source-ip—Forwards subsequent requests with

the same client IP address and subnet as the initial
request to the same pool member. To define how
FortiWeb derives the appropriate subnet from the
IP address, configure ipv4-netmask
"<v4mask>" (page 145) and ipv6-mask-
length "<v6mask>" (page 145).
l persistent-cookie—If an initial request
contains a cookie whose name matches the
cookie-name "<cookie-name_str>" (page
144) value, FortiWeb forwards subsequent
requests that contain the same cookie value to the
same pool member as the initial request.
type { source-ip |
persistent-cookie | l asp-sessionid—If a cookie in the initial
asp-sessionid | php- request contains an ASP .NET session ID value,
sessionid | jsp- FortiWeb forwards subsequent requests with the
sessionid | insert- same session ID value to the same pool member source-ip
cookie | http-header |
as the initial request. FortiWeb preserves the
url-parameter |
rewrite-cookie | original cookie name.
embedded-cookie | ssl- l php-sessionid—If a cookie in the initial
session-id } request contains a PHP session ID value, FortiWeb
forwards subsequent requests with the same
session ID value to the same pool member as the
initial request. FortiWeb preserves the original
cookie name.
l jsp_sessionid—FortiWeb forwards
subsequent requests with the same JSP session ID
as the inital request to the same pool member.
FortiWeb preserves the original cookie name.
l insert-cookie—FortiWeb inserts a cookie with
the name specified by cookie-name
"<cookie-name_str>" (page 144) to the initial
request and forwards all subsequent requests with

config 144
this cookie to the same pool member. FortiWeb

uses this cookie for persistence only and does not
forward it to the pool member. Also specify
cookie-path "<cookie-path_str>" (page
145) and cookie-domain "<cookie-
domain_str>" (page 145).
l http-header—Forwards subsequent requests
with the same value for an HTTP header as the
initial request to the same pool member. Also
configure http-header.
l url-parameter—Forwards subsequent
requests with the same value for a URL parameter
as the initial request to the same pool member.
Also configure url-parameter.
l rewrite-cookie—If the HTTP response has a
Set-Cookie: value that matches the value
specified by cookie-name "<cookie-name_
str>" (page 144), FortiWeb replaces the value
with a randomly generated cookie value. FortiWeb
forwards all subsequent requests with this
generated cookie value to the same pool member.
l embedded-cookie—If the HTTP response
contains a cookie with the name specified by
cookie-name "<cookie-name_str>" (page
144), FortiWeb preserves the original cookie value
and adds a randomly generated cookie value and a
~ (tilde) as a prefix. FortiWeb forwards all
subsequent requests with this cookie and prefix to
the same pool member.
l ssl-session-id—If a cookie in the initial
request contains an SSL session ID value,
FortiWeb forwards subsequent requests with the
same session ID value to the same pool member
as the initial request. FortiWeb preserves the
original cookie name.
For persistence types that use cookies, you can use
the sessioncookie-enforce setting to maintain
persistence for transactions within a session. For
details, see "server-policy policy" on page 146.
Enter a value to match or the name of the cookie that

cookie-name "<cookie- FortiWeb inserts.
name_str>" No default.
Available only when the persistence type uses a
cookie.

config 145
timeout "<timeout_ Enter the maximum amount of time between requests 300
int>" that FortiWeb maintains persistence, in seconds.
FortiWeb stops forwarding requests according to the

established persistence after this amount of time has
elapsed since it last received a request from the client
with the associated property (for example, an IP
address or cookie). Instead, it again selects a pool
member using the load balancing method specified in
the server pool configuration.
Enter the IPv4 subnet used for session persistence.
For example, if IPv4 Netmask is 255.255.255.255,

FortiWeb can forward requests from IP addresses
ipv4-netmask 192.0.2.1 and 192.0.2.2 to different server pool
255.255.255.255
"<v4mask>" members.
If IPv4 Netmask is 255.255.255.0, FortiWeb forwards

requests from IP addresses 192.0.2.1 and 192.0.2.2
to the same pool member.
ipv6-mask-length Enter the IPv6 network prefix used for session persistence. 128
"<v6mask>"
http-header "<http- Enter the name of the HTTP header that the persistence
header_str>" No default.
feature uses to route requests.
url-parameter "<url- Enter the name of the URL parameter that the persistence No default.
parameter_str>" feature uses to route requests.
Enter a path attribute for the cookie that FortiWeb inserts,

if type { source-ip | persistent-cookie |
asp-sessionid | php-sessionid | jsp-
cookie-path "<cookie-
path_str>"
sessionid | insert-cookie | http-header | No default.
url-parameter | rewrite-cookie |
embedded-cookie | ssl-session-id } (page
143) is insert-cookie.
cookie-domain Enter a domain attribute for the cookie that FortiWeb No default.
"<cookie-domain_str>" inserts, if type { source-ip | persistent-
cookie | asp-sessionid | php-sessionid |
jsp-sessionid | insert-cookie | http-
header | url-parameter | rewrite-cookie |
embedded-cookie | ssl-session-id } (page
143) is insert-cookie.

config 146
Example
This example creates the persistence policy ip-persistence. When this policy is applied to a server pool, FortiWeb
forwards initial requests from an IP address using the load-balancing algorithm configured for the pool. It forwards any
subsequent requests with the same client IP address as the initial request to the same pool member. After FortiWeb
has not received a request from the IP address for 400 seconds, it forwards any subsequent initial requests from the IP
address using the load-balancing algorithm.
config server-policy persistence-policy
edit "ip-persistence"
set type source-ip
set timeout 400
next
end
Related topics
Use this command to configure HTTP and FTP server policies.
FortiWeb applies only one server policy to each connection.
HTTP policy behavior varies by the operation mode. FTP server policies are available only in Reverse Proxy mode. For
details, see the FortiWeb Administration Guide:
When you switch the operation mode, FortiWeb deletes server policies from the
configuration file if they are not applicable in the current operation mode.
To determine which type of server policy to create, configure protocol {HTTP | FTP} (page 159). If you're
planning to configure an FTP server policy, you'll need to confirm that system feature-visibility (page 247) is
enabled. For details, see "system feature-visibility" on page 247.
Before you configure an HTTP server policy, you can configure several policies and profiles:
l Configure a virtual server and server pool. For details, see "server-policy vserver" on page 196 and "server-policy server-
pool" on page 170.
l To route traffic based on headers in the HTTP layer, configure one or more HTTP content routing policies. For details, see
"server-policy http-content-routing-policy" on page 121.
l To restrict traffic based upon which hosts you want to protect, configure a group of protected host names. For details, see
"server-policy allow-hosts" on page 108.
l If you want the FortiWeb appliance to gather auto-learning data, generate or configure an auto-learning profile and its
required components. For details, see "waf web-protection-profile autolearning-profile" on page 516 and "server-policy
custom-application application-policy" on page 110.

config 147
l If you plan to authenticate users, you need to configure users, user groups, and authentication rules and policy, and
include the policy in an inline web protection profile. For details, see "user ldap-user" on page 318, "user local-user" on
page 322, "user ntlm-user" on page 323, "user user-group" on page 329, "waf http-authen http-authen-rule" on page 406,
and "waf http-authen http-authen-policy" on page 403.
l To apply a web protection profile to a server policy, you must first configure them. For details, see "waf web-protection-
profile inline-protection" on page 518 (Reverse Proxy mode or either of the transparent modes), or "waf web-protection-
profile offline-protection" on page 531 (Offline Protection mode) .
l If you want to use the FortiWeb appliance to apply SSL to connections instead of using physical servers, you must also
import a server certificate or create a Server Name Indication (SNI) configuration. For details, see "system certificate local"
on page 226, "system certificate sni" on page 231. , and "system certificate urlcert" on page 233.
l If you want the FortiWeb appliance to verify the certificate provided by an HTTP client to authenticate themselves, you
must also define a certificate verification rule. If you want to specify whether a client is required to present a personal
certificate or not based on the request URL, create a URL-based client certificate group. For details, see "system
certificate verify" on page 234.
You can also use SNMP traps to notify you of policy status changes, or when a policy enforces your network usage
policy. For details, see "system snmp community" on page 299.
Before you configure an FTP server policy, you can configure several policies and profiles:
l Configure an FTP command restriction rule. For details, see "waf ftp-command-restriction-rule" on page 390.
l Configure an FTP file check rule. For details, see "waf ftp-file-security" on page 393.
l Enable IP reputation intelligence. For details, see "waf ip-intelligence" on page 429.
l Create a geo IP rule. For details, see "waf geo-block-list" on page 395.
l Create an IP list. For details, see "waf ip-list" on page 433.
l Configure an FTP security inline profile. For details, see waf ftp-propredefined-global-white-listtection-profile.
Syntax
config server-policy policy
set allow-hosts "<hosts_name>"
set block-port <port_int>
set case-sensitive {enable | disable}
set certificate "<certificate_name>"
set client-certificate-forwarding {enable | disable}
set server-policy policy
set client-certificate-forwarding-sub-header "<header_str>"
set client-real-ip {enable | disable}
set client-timeout <seconds_int>
set comment "<comment_str>"
set data-capture-port <port_int>
set deployment-mode {server-pool | http-content-routing | offline-protection |
transparent-servers | wccp-servers}
set ftp-protection-profile <profile_name>
set half-open-threshold <packets_int>
set hpkp-header "<hpkp_name>"
set hsts-header {enable | disable}
set hsts-max-age <timeout_int>
set http-header-timeout <seconds_int>

config 148
set http-pipeline {enable | disable}

set http-to-https {enable | disable}
set https-service "<service_name>"
set implicit_ssl {enable | disable}
set intermediate-certificate-group "<CA-group_name>"
set internal-cookie-httponly {enable | disable}
set internal-cookie-secure {enable | disable}
set monitor-mode {enable | disable}
set noparse {enable | disable}
set ocspstapling {enable | disable}
set ocspstapling-group "<group_name>"
set policy-id
set prefer-current-session {enable |disable}
set protocol {HTTP | FTP}
set server-pool "<server-pool_name>"
set service "<service_name>"
set sessioncookie-enforce {enable | disable}
set server-side-sni {enable | disable}
set sni {enable | disable}
set sni-certificate "<sni_name>"
set sni-strict {enable | disable}
set ssl {enable | disable}
set ssl-cipher {medium | high | custom}
set ssl-client-verify "<verifier_name>"
set ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}
set ssl-noreg {enable | disable}
set ssl-quiet-shutdown {enable | disable}
set ssl-session-timeout <ssl-session-timeout_int>
set syncookie {enable | disable}
set tcp-recv-timeout <seconds_int>
set tls-v10 {enable | disable}
set urlcert {enable | disable}
set urlcert-group "<urlcert-group_name>"
set urlcert-hlen <len_int>
set vserver "<vserver_name>"
set v-zone "<bridge_name>"
set waf-autolearning-profile "<profile_name>"
set web-protection-profile "<profile_name>"
config http-content-routing-list
edit <entry_index>
set content-routing-policy-name "<content-routing_name>"
set is-default {yes | no}
set profile-inherit {enable | disable}
set web-protection-profile "<profile_name>"
next
end
next
end
"<policy_name>" Enter the name of the policy. The No default.

config 149
To display the list of existing policies,

enter:
edit ?
Enter the name of a protected hosts

group to allow or reject connections
based upon whether the Host: field in
the HTTP header is empty or does or
does not match the protected hosts
group. The maximum length is 63
characters.
To display the list of existing groups,

enter:
edit ?
If you do not select a protected hosts

allow-hosts "<hosts_name>" No default.
group, FortiWeb accepts pr blocks
requests based upon other criteria in the
policy or protection profile, but
regardless of the Host: field in the
HTTP header.
Note: Unlike HTTP 1.1, HTTP 1.0 does

not require the Host: field. The
FortiWeb appliance does not block HTTP
1.0 requests because they do not have
this field, regardless of whether or not
you have selected a protected hosts
group.
block-port <port_int> Enter the number of the physical network No default.

interface port that FortiWeb uses to send
TCP RST (reset) packets when a request
violates the policy. The valid range varies
by the number of physical ports on the
NIC.
For example, to send TCP RST from

port1, enter:
set block-port port1
Available only when the operating mode

is Offline Protection.
case-sensitive {enable | disable} Enable to differentiate uniform resource No default.

config 150
locators (URLs) according to upper case

and lower case letters for features that
act upon the URLs in the headers of
HTTP requests, such as start page rules,
black list rules, white list rules, and page
access rules.
For example, when enabled, an HTTP

request involving
http://www.Example.com/ would
not match protection profile features
that specify
http://www.example.com
(difference highlighted in bold).
certificate "<certificate_name>" Enter the name of the certificate that No default.

FortiWeb uses to encrypt or decrypt SSL-
secured connections. The maximum
To display the list of existing certificates,

enter:
edit ?
If sni {enable | disable} (page

160) is enable, FortiWeb uses a Server
Name Indication (SNI) configuration
instead of or in addition to this server
certificate. For details, see sni
{enable | disable} (page 160).
This option is used only if https-

service "<service_name>" (page
156) is configured.
Enable to include the X.509 personal

certificate presented by the client during
the SSL/TLS handshake, if any, in an X-
Client-Cert: HTTP header when
forwarding the traffic to the protected
client-certificate-forwarding {enable | web server. disable
disable}
FortiWeb still validates the client
certificate itself, but this can be useful if
the web server requires the client
certificate for the purpose of server-side
identity-based functionality.

config 151
client-certificate-forwarding-cert- Enter a custom certificate header that x-client-

header "<header_str>" will include the Base64 certificate of the cert
X.509 personal certificate presented by
the client during the SSL/TLS handshake
when it forwards the traffic to the
protected web server.
Enter a custom subject header that will

include the subject of the X.509 personal
client-certificate-forwarding-sub- x-client-
header "<header_str>" certificate presented by the client during the dn
SSL/TLS handshake when it forwards the
traffic to the protected web server.
client-real-ip {enable | disable} Enter enable to configure FortiWeb to disable

use the source IP address of the client
that originated the request when it
connects to a back-end server on behalf
of that client.
By default, when the operation mode is

Reverse Proxy, the source IP for
connections between FortiWeb and
back-end servers is the address of a
FortiWeb network interface.
Note: To ensure FortiWeb receives the

server's response, configure FortiWeb as
the server’s gateway.
Available only if the operating mode is

Reverse Proxy.
Enter the amount of time (in seconds)

that FortiWeb will keep open a
connection with an idle client that isn't
client-timeout <seconds_int> 0
sending data. The valid range is 1–1200.
A value of 0 means that there is no
timeout.
comment "<comment_str>" Enter a description or other comment. If the No default.

comment is more than one word or contains
special characters, surround the comment
with double quotes ( " ). The maximum length
is 999 characters.
Enter the network interface of incoming

data-capture-port <port_int> traffic that the policy attempts to apply a
profile to. The IP address is ignored.

config 152

offline inspection.
deployment-mode {server-pool | http- Specify the distribution method that No default.

content-routing | offline-protection | FortiWeb uses when it forwards
transparent-servers | wccp-servers}
connections accepted by this policy.
l server-pool—Forwards
connections to a server pool.
Depending on the pool configuration,
FortiWeb either forwards connections
to a single physical server or domain
server or distributes the connection
among the pool members. Also
configure server-pool
"<server-pool_name>" (page
159). This option is available only if
the operating mode is Reverse Proxy
mode.
l http-content-routing—Use
HTTP content routing to route HTTP
requests to a specific server pool. This
option is available only if the FortiWeb
appliance is operating in Reverse
Proxy mode.
l offline-detection — Allows
connections to pass through the
FortiWeb appliance and applies an
Offline Protection profile. Also
configure server-pool
"<server-pool_name>" (page
159). This is the only option available
if operating mode is Offline
Protection.
l transparent-servers—Allows
connections to pass through the
FortiWeb appliance and applies a
protection profile. Also configure
server-pool "<server-pool_
name>" (page 159). This is the only
option available when the operating
mode is either True Transparent
Proxy or Transparent Inspection.
l wccp-servers—FortiWeb is a Web
Cache Communication Protocol
(WCCP) client that receives traffic

config 153
from a FortiGate configured as a

WCCP server. Also configure
server-pool "<server-pool_
name>" (page 159). This is the only
option available when the operation
mode is WCCP.
Enter the FTP security profile to apply to

connections that this policy monitors. If
you haven't created a profile yet, see waf No
ftp-protection-profile <profile_name>
ftp-propredefined-global-white- default.
listtection-profile or instructions about
creating one.
half-open-threshold <packets_int> Enter the maximum number of TCP SYN 8192

packets, including retransmission, that
FortiWeb allows to be sent per second to
a destination address. If this threshold is
exceeded, the FortiWeb appliance treats
the traffic as a DoS attack and ignores
additional traffic from that source
address.

is Reverse Proxy or True Transparent
Proxy and syncookie {enable |
disable} (page 165) is enabled.
Select an HPKP profile, if any, to use to

verify certificates when clients attempt to
access a server.
HPKP prevents attackers from carrying

hpkp-header "<hpkp_name>" No default.
out Man in the Middle (MITM) attacks
with forged certificates.

is Reverse Proxy.
hsts-header {enable | disable} Enable to combat MITM attacks on disable

HTTP by injecting the RFC 6797
(http://tools.ietf.org/html/rfc6797) strict
transport security header into the reply,
such as:
Strict-Transport-Security:
max-age=31536000;

config 154
includeSubDomains
This header forces the client to use

HTTPS for subsequent visits to this
domain. If the certificate does not
validate, it also causes a fatal connection
error: the client’s web browser does not
display any dialog that allows the user to
override the certificate mismatch error
and continue.
Available only if https-service

"<service_name>" (page 156) is
configured.
Enter the time to live in seconds for the

HSTS header.
Available only if hsts-header

hsts-max-age <timeout_int> 7776000
{enable | disable} (page 153) is
enabled.
The valid range is 3,600–31,536,000.
http2 {enable | disable} FortiWeb's HTTP/2 security inspection is disable

only supported for Revers Proxy mode
and True Transparent Proxy mode. This
option enables FortiWeb operating in
Reverse Proxy mode (see opmode
{offline-protection |
reverse-proxy |
transparent | transparent-
inspection | wccp} (page 298)) to
negotiate HTTP/2 with clients via SSL
ALPN (Application-Layer Protocol
Negotiation) during the SSL handshake if
the client's browser supports HTTP/2
protocol. With the HTTP/2 being
enabled, FortiWebcan recognize HTTP/2
traffic and apply the security services to
it. To enable HTTP/2 communication
between the FortiWeb and back-end web
servers for HTTP/2 inspections in
Reverse Proxy mode, see http2
Available only when opmode is set to

reverse-proxy, deployment-
mode {server-pool | http-

config 155
content-routing | offline-
protection | transparent-
servers | wccp-servers} (page
152) is set to server-pool and
https-service "<service_
name>" (page 156) is set correctly.
FortiWeb supports HTTP/2 only for
HTTPS connections and HTTP Content
Routing is not supported for HTTP/2.
When opmode is set to transparent

and deployment-mode is set to
transparent-servers, this is not
available. It only requires http2
{enable | disable} (page 180) to
enable the HTTP/2 security inspections
in True Transparent Proxy mode; this
option here is not required. For more
details about HTTP/2 support, see the
http://docs.fortinet.com/fortiweb/admin-
guides
Enter the amount of time (in seconds)

that FortiWeb will wait for the whole
HTTP request header after a client sets
http-header-timeout <seconds_int> 0
up a TCP connection. The valid range is
0–1200. A value of 0 means that there is
no timeout.
http-pipeline {enable | disable} Specify whether FortiWeb accelerates enable

transactions by bundling them inside the
same TCP connection, instead of waiting
for a response before sending/receiving
the next request. This can increase
performance when pages containing
many images, scripts, and other auxiliary
files are all hosted on the same domain,
and therefore logically could use the
same connection.
When FortiWeb is operating in Reverse

Proxy or True Transparent Proxy mode, it
can automatically use HTTP pipelining
for requests with the following
characteristics:
l HTTP version is 1.1

config 156
l The Connection general-header field does

not include the "close" option (for example,
Connection: close)
l The HTTP method is GET or HEAD
Specify enable to automatically redirect

all HTTP requests to the HTTPS service
with the same URL and parameters.
Also configure https-service and ensure

service uses port 443 (the default).
http-to-https {enable | disable} FortiWeb does not apply the protection disable
profile for this policy (specified by web-
protection-profile
"<profile_name>" (page 168)) to
the redirected traffic.
Available only when the operation mode

is Reverse Proxy.
https-service "<service_name>" Enter the custom or predefined service No default.

that defines the port number on which
the virtual server receives HTTPS traffic.
The maximum length is 63 characters.
To display the list of existing services,

enter:
edit ?

is Reverse Proxy. For other operation
modes, use the server pool configuration
to enable SSL inspection instead.
Enter the name of an intermediate

certificate authority (CA) group, if any,
that FortiWeb uses to validate the CA
signing chain in a client’s certificate. The
intermediate-certificate-group "<CA- To display the list of existing groups,
group_name>" No default.
enter:
edit ?

configured.

config 157
internal-cookie-httponly {enable Enable to assign an httponly flag to enable

| disable} internal cookies. This feature is
independent of the Cookie Security
policy, if any, that you have in use.
Enable to assign a secure flag to

internal cookies. This flag can only be
internal-cookie-secure {enable assigned if the connection is over SSL.
disable
| disable} This feature is independent of the
Cookie Security policy, if any, that you
have in use.
monitor-mode {enable | disable} Enable to override deny and redirect disable

actions defined in the server protection
rules for the selected policy. This setting
enables FortiWeb to log attacks without
performing the deny or redirect action,
and to collect more information to build
an auto learning profile for the attack.
Disable to allow FortiWeb to perform

attack deny/redirect actions as defined
by the server protection rules.
Enable this option to apply the server

policy as a pure proxy, without parsing
the content. In this case, the policy
allows all traffic to pass through the
FortiWeb appliance without applying any
protection rules. See also "debug
application http" on page 569 and "debug
flow trace" on page 583.
This option applies to server policy only

noparse {enable | disable} disable
when the FortiWeb appliance operates in
Reverse Proxy or True Transparent Proxy
mode.
Caution: Use this only during debugging

and for as brief a period as possible. This
feature disables many protection
features. See also http-parse-
error-output {enable |
disable} (page 69).
ocspstapling {enable | disable} Enable OCSP stapling for the certificate disable
you specified in certificate
"<certificate_name>" (page 150).

config 158
This option is available only if https-

156) is configured.
Enter the custom OCSP group that

defines the CA certificate and URL of the
OCSP server corresponding to the
certificate specified in certificate
"<certificate_name>" (page 150).
ocspstapling-group "<group_name>" For details, see "system certificate No default.
remote" on page 229.
This option is available only if

ocspstapling {enable |
disable} (page 157) is set to
enable.
policy-id A 64-bit random integer assigned to each No

server policy. The policy-id is a default.
unique identification number for each
server policy.
When administrative domains (ADOMs)

are enabled, ADOMs can create unique
server policies with policy names that are
identical to other server policies created
by different ADOMs, so the policy-id
can easily differentiate between different
policies created by different ADOMs that
may share the same policy name.
Enable to forward subsequent requests

from an identified client connection to
the same server pool as the initial
connection from the client.
This option allows FortiWeb to improve

its performance by skipping the process
of matching HTTP header content to
prefer-current-session
{enable |disable} content routing policies for connections it disable
has already evaluated and routed.
Available only when deployment-

mode {server-pool | http-
content-routing | offline-
152) is http-content-routing.

config 159
protocol {HTTP | FTP} Select one of the following: HTTP
l HTTP—Specifies that the server policy

governs HTTP traffic. Specific options for
configuring an HTTP server policy become
available.
l FTP—Specifies that the server policy
governs FTP traffic. Specific options for
configuring an FTP server policy become
available.
Enter the name of the server pool whose

members receive the connections.
To display the list of existing servers,

enter:
edit ?
This field is applicable only if

deployment-mode {server-
pool | http-content-
routing | offline-
server-pool "<server-pool_name>" No default.
152) is server-pool, offline-
protection or transparent-
servers.
Caution: Multiple virtual servers/policies

can forward traffic to the same server
pool. If you do this, consider the total
maximum load of connections that all
virtual servers forward to your server
pool. This configuration can multiply
traffic forwarded to your server pool,
which can overload it and cause dropped
connections.
service "<service_name>" Enter the custom or predefined service No default.

that defines the port number on which
the virtual server receives HTTP traffic.
To display the list of existing services,

enter:
edit ?

config 160
is Reverse Proxy.
l enable—When FortiWeb maintains

session persistence using cookies, it inserts
a cookie in subsequent transactions in a
session if the transaction does not contain a
control cookie.
This option is useful if your environment
uses TCP multiplexing, which combines
HTTP requests from multiple clients in a
single session for load balancing or other
sessioncookie-enforce {enable | purposes.
disable
disable}
l disable—When FortiWeb maintains
session persistence using cookies, it tracks
or inserts the cookie for the first transaction
of a session only. It does not track or insert a
cookie in subsequent transactions in the
session, even if the transaction does not
contain a control cookie.
For details about configuring session
persistence, see "server-policy
persistence-policy" on page 142.
server-side-sni {enable | disable} Specify whether FortiWeb supports disable

Server Name Indication (SNI) for back-
end servers that it applies this policy to.
Enable this feature when the operating

mode is Reverse Proxy, end-to-end
encryption is required, and the back-end
web server itself requires SNI support.
When the operating mode is Reverse

Proxy, True Transparent Proxy, or
WCCP, you enable server-side SNI
support using server pool configuration.
Enable to use a Server Name Indication

(SNI) configuration instead of or in
addition to the server certificate specified
by certificate <certificate_
sni {enable | disable} name>. disable
The SNI configuration enables FortiWeb
to determine which certificate to present
on behalf of the members of a pool
based on the domain in the client

config 161
request. For details, see "system

certificate sni" on page 231.
If you specify both a SNI configuration

and a certificate, FortiWeb uses the
certificate specified by certificate
"<certificate_name>" (page 150)
when the requested domain does not
match a value in the SNI configuration.
If you enable sni-strict

{enable | disable} (page 161),
FortiWeb always ignores the value of
certificate "<certificate_
name>" (page 150).

configured.
sni-certificate "<sni_name>" Enter the name of the Server Name No default.

Indication (SNI) configuration that
specifies which certificate FortiWeb uses
when encrypting or decrypting SSL-
secured connections for a specified
domain.
The SNI configuration enables FortiWeb

to present different certificates on behalf
of the members of a pool according to
the requested domain.
If only one certificate is required to

encrypt and decrypt traffic that this policy
applies to, specify certificate
"<certificate_name>" (page 150)
instead.

configured.
Select to configure FortiWeb to ignore the

value of certificate "<certificate_
name>" (page 150) when it determines which
sni-strict {enable | disable} certificate to present on behalf of server pool disable
members, even if the domain in a client
request does not match a value in the
specified SNI configuration.

config 162
ssl {enable | disable} Enable so that connections between disable

clients and FortiWeb use SSL/TLS.
Enabling ssl will allow you to configure
additional SSL options and settings,
including specifying supported
SSL protocols and uploading certificates.
Specify whether the set of cipher suites

that FortiWeb allows creates a medium-
security, high-security, or custom
configuration.
If custom, also specify ssl-custom-

cipher.
This is not allowed to set to custom if

ssl-cipher {medium | high | custom} http2 is set to enable. medium
For details, see the FortiWeb
guides
configured.
ssl-client-verify "<verifier_name>" Enter the name of a certificate verifier, if No default.

any, to use when an HTTP client
presents their personal certificate. If you
do not select one, the client is not
required to present a personal certificate.
If the client presents an invalid

certificate, the FortiWeb appliance does
not allow the connection.
To be valid, a client certificate must:
l Not be expired
l Not be revoked by either the certificate
revocation list (CRL) (see "system certificate
verify" on page 234)
l Be signed by a certificate authority (CA)
whose certificate you have imported into the
FortiWeb appliance; if the certificate has
been signed by a chain of intermediate CAs,
those certificates must be included in an
intermediate CA group (see

config 163
intermediate-certificate-group
"<CA-group_name>" (page 156))
l Contain a CA field whose value matches the
CA certificate
l Contain an Issuer field whose value
matches the Subject field in the CA
certificate
Personal certificates, sometimes also
called user certificates, establish the
identity of the person connecting to the
website.
You can require that clients present a

certificate alternatively or in addition to
HTTP authentication. For details, see
guides
To display the list of existing verifiers,

type:
edit ?
This option is used only if https-

156) is configured.
The client must support TLS 1.0, TLS

1.1, or TLS 1.2.
Specify one or more cipher suites that ECDHE-

FortiWeb allows. ECDSA-
AES256-
Separate the name of each cipher with a GCM-SHA384
space. To remove from or add to the list ECDHE-RSA-
of ciphers, retype the entire list. AES256-
GCM-SHA384
Valid values are: ECDHE-
ssl-custom-cipher {<cipher_1> <cipher2> ECDSA-
<cipher3> ...} ECDHE-ECDSA-AES256-GCM-SHA384 CHACHA20-
ECDHE-RSA-AES256-GCM-SHA384 POLY1305
DHE-DSS-AES256-GCM-SHA384 ECDHE-RSA-
DHE-RSA-AES256-GCM-SHA384 CHACHA20-
ECDHE-ECDSA-CHACHA20-POLY1305 POLY1305
ECDHE-RSA-CHACHA20-POLY1305 ECDHE-
DHE-RSA-CHACHA20-POLY1305 ECDSA-
ECDHE-ECDSA-AES256-CCM8 AES128-
ECDHE-ECDSA-AES256-CCM GCM-SHA256

config 164
DHE-RSA-AES256-CCM8
DHE-RSA-AES256-CCM
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-CCM8
ECDHE-ECDSA-AES128-CCM
DHE-RSA-AES128-CCM8
DHE-RSA-AES128-CCM
ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-
ECDHE-RSA-AES256-SHA384 AES128-
DHE-RSA-AES256-SHA256 GCM-SHA256
DHE-DSS-AES256-SHA256 ECDHE-
ECDSA-
ECDHE-ECDSA-CAMELLIA256-SHA384
AES256-
ECDHE-RSA-CAMELLIA256-SHA384 SHA384
DHE-RSA-CAMELLIA256-SHA256 ECDHE-RSA-
DHE-DSS-CAMELLIA256-SHA256 AES256-
ECDHE-ECDSA-AES128-SHA256 SHA384
ECDHE-RSA-AES128-SHA256 ECDHE-
DHE-RSA-AES128-SHA256 ECDSA-
DHE-DSS-AES128-SHA256 AES128-
ECDHE-ECDSA-CAMELLIA128-SHA256 SHA256
ECDHE-RSA-CAMELLIA128-SHA256 ECDHE-RSA-
DHE-RSA-CAMELLIA128-SHA256 AES128-
DHE-DSS-CAMELLIA128-SHA256 SHA256
ECDHE-ECDSA-AES256-SHA ECDHE-
ECDHE-RSA-AES256-SHA ECDSA-
DHE-RSA-AES256-SHA AES256-SHA
DHE-DSS-AES256-SHA ECDHE-RSA-
DHE-RSA-CAMELLIA256-SHA AES256-SHA
DHE-DSS-CAMELLIA256-SHA ECDHE-
ECDHE-ECDSA-AES128-SHA ECDSA-
ECDHE-RSA-AES128-SHA AES128-SHA
DHE-RSA-AES128-SHA ECDHE-RSA-
AES128-SHA
DHE-DSS-AES128-SHA
AES256-
DHE-RSA-CAMELLIA128-SHA
GCM-SHA384
DHE-DSS-CAMELLIA128-SHA
AES128-
AES256-GCM-SHA384 GCM-SHA256
AES256-CCM8 AES256-
AES256-CCM SHA256
AES128-GCM-SHA256 AES128-
AES128-CCM8 SHA256
AES128-CCM
AES256-SHA256
CAMELLIA256-SHA256
AES128-SHA256
CAMELLIA128-SHA256
AES256-SHA
CAMELLIA256-SHA
AES128-SHA
CAMELLIA128-SHA
DHE-RSA-SEED-SHA

config 165
ECDHE_RSA_DES_CBC3_SHA
DES_CBC3_SHA
ssl-noreg {enable | disable} Specify whether FortiWeb ignores enable

requests from clients to renegotiate TLS
or SSL.
Protects against denial-of-service (DoS)

attacks that use TLS/SSL renegotiation
to overburden the server.

configured.
When FortiWeb is configured as an SSL

server, you can set SSL session timeout
ssl-session-timeout <ssl-session-
intervals via the CLI. This is available only in
timeout_int>
Reverse Proxy and True Transparent Proxy
modes.
status {enable | disable} Enable to allow the policy to be used No default.

when evaluating traffic for a matching
policy.
Note: You can use SNMP traps to notify

you of changes to the policy’s status. For
details, see "system snmp community"
on page 299.
Enable to detect TCP SYN flood attacks.
For details, see the FortiWeb

syncookie {enable | disable} http://docs.fortinet.com/fortiweb/admin- disable

guides
is Reverse Proxy or True Transparent
Proxy.
tcp-recv-timeout <seconds_int> Enter the amount of time (in seconds) 0

that FortiWeb will wait for a client to
send a request after the client sets up a
TCP connection. The valid range is 0–
300. A value of 0 means that there is no
timeout.
tls-v10 {enable | disable} Specifies whether clients can connect enable

config 166
securely to FortiWeb using the TLS 1.0

cryptographic protocol.
This must be set to disable if http2

set to enable.

configured.
tls-v11 {enable | disable} Specifies whether clients can connect enable

This must be set to disable if http2

set to enable.

configured.
Specifies whether clients can connect

tls-v12 {enable | disable} enable
configured.
urlcert {enable | disable} Specifies whether FortiWeb uses a URL- disable

based client certificate group to
determine whether a client is required to
present a personal certificate.

configured.
Enter the URL-based client certificate

group that determines whether a client is
required to present a personal certificate.
If the URL the client requests does not

urlcert-group "<urlcert-group_name>" match an entry in the group, the client is No default.
not required to present a personal
certificate.
For details about creating a group, see

"system certificate urlcert" on page 233.

config 167
urlcert-hlen <len_int> Specifies the maximum allowed length No default.

for an HTTP request with a URL that
matches an entry in the URL-based
client certificate group, in kilobytes.
FortiWeb blocks any matching requests

that exceed the specified size.
This setting prevents a request from

exceeding the maximum buffer size.
Enter the name of a virtual server that

provides the IP address and network
interface of incoming traffic that
FortiWeb routes and to which the policy
applies a protection profile. The
vserver "<vserver_name>" No default.
To display the list of existing virtual
servers, enter:
edit ?

Reverse Proxy.
v-zone "<bridge_name>" Enter the name of the bridge that No default.

specifies the network interface of the
incoming traffic that the policy applies a
protection profile to. The maximum
To display the list of existing bridges,

enter:
edit ?

True Transparent Proxy or Transparent
Inspection.
Enter the name of the auto-learning

profile, if any, to use to discover attacks,
URLs, and parameters in your web
waf-autolearning-profile "<profile_ servers’ HTTP sessions. The maximum
name>" No default.
To display the list of existing profiles,

enter:

config 168
edit ?
You can view data gathered using an

auto-learning profile in an auto-learning
report and use it to generate inline or
Offline Protection profiles. For details,
see the FortiWeb Administration Guide:
guides
This option appears only if
deployment-mode {server-
pool | http-content-
routing | offline-
152) is offline-detection.
web-protection-profile "<profile_name>" Enter the name of the web protection or No default.

detection profile to apply to connections
that this policy accepts. The maximum
To display the list of existing profiles,

enter:
edit ?
Note: If the connection fails when you

have selected a certificate verifier, verify
that the certificate meets the web
browser’s requirements. Web browsers
may have their own certificate validation
requirements in addition to FortiWeb
requirements. For example, personal
certificates for client authentication may
be required to either:
l Not be restricted in usage/purpose by the

CA, or
l Contain a Key Usage field that contains
Digital Signature or have a
ExtendedKeyUsage or
EnhancedKeyUsage field whose value
contains Client Authentication
If the certificate does not satisfy browser
requirements, although it may be
installed in the browser, when the

config 169
FortiWeb appliance requests the client’s

certificate, the browser may not display a
certificate selection dialog to the user, or
the dialog may not contain that
certificate. In that case, verification fails.
For browser requirements, see your web
browser’s documentation.
<entry_index> Enter the index number of the individual entry No default.

in the table.
Enter the name of a HTTP content

routing policy that this server policy uses.
content-routing-policy-name "<content-
routing_name>" To display the list of existing error pages, No default.
enter:
edit ?
is-default {yes | no} Enter yes to specify that FortiWeb applies No default.
the protection profile to any traffic that does
not match conditions specified in the HTTP
content routing policies.
Enter enable to specify that FortiWeb

applies the web protection profile for the
profile-inherit {enable | disable} disable
server policy to connections that match the
routing policy.
implicit_ssl {enable | disable} Enable so that FortiWeb will communicate No default.

with the pool member using implicit SSL.
For HTTPS connection, when disabled,

FortiWeb sends ssl alert message to the client
ssl-quiet-shutdown {enable | or server pool first, and then FIN.
disable
disable} When enabled, FortiWeb directly sends FIN
message instead of sending ssl alert
message.
Example
This example configures a web protection server policy. FortiWeb forwards HTTPS connections received by the virtual
server named virtual_ip1 to a server pool named apache1, which contains a single physical server. FortiWeb uses
the certificate named certificate1 during SSL negotiations with the client, then forwards traffic to the server pool.
config server-policy policy
edit "https-policy"
set deployment-mode server-pool
set vserver "virtual_ip1"
set server-pool "apache1"

config 170
set web-protection-profile "inline-protection1"

set https-service HTTPS
set certificate "certificate1"
set ssl-client-verify
set case-sensitive disable
set status enable
next
end
Related topics
l "server-policy allow-hosts" on page 108
l "system certificate local" on page 226
l "system certificate remote" on page 229
l "server-policy http-content-routing-policy" on page 121
l "server-policy service custom" on page 192
l "server-policy vserver" on page 196
l "system settings" on page 296
l "system v-zone" on page 310
l "waf web-protection-profile offline-protection" on page 531
l "debug application dssl" on page 564
l "debug application http" on page 569
l "debug application ssl" on page 573
l "debug application ustack" on page 575
l "debug flow filter" on page 581
l "policy" on page 614
Use this command to configure an HTTP or FTP server pool.
Server pools define a group of one or more physical or domain servers (web servers) that FortiWeb distributes
connections among, or where the connections pass through to, depending on the operation mode. Reverse Proxy mode
actively distributes connections; Offline Protection and either of the transparent modes do not actively distribute
connections.
To apply the server pool configuration, do one of the following:
l Select it in a server policy directly.

l Select it in an HTTP content writing policy that you can, in turn, select in a server policy.
For details, see "server-policy policy" on page 146 and "server-policy http-content-routing-policy" on page 121.

config 171
To determine which type of server policy to create, configure protocol {HTTP | FTP} (page 175). If you're
planning to configure an FTP server policy, you'll need to confirm that system feature-visibility (page 247) is
enabled. For details, see "system feature-visibility" on page 247.
Syntax
config server-policy server-pool
edit "<server-pool_name>"
set health "<health-check_name>"
set http-reuse {aggressive | always | never | safe}
set lb-algo {least-connections | round-robin | weighted-round-robin | uri-hash
| full-uri-hash | host-hash | host-domain-hash | src-ip-hash}
set persistence "<persistence-policy_name>"
set protocol {HTTP | FTP}
set reuse-conn-idle-time <int>
set reuse-conn-max-count <int>
set reuse-conn-max-request <int>
set reuse-conn-total-time <int>
set server-balance {enable | disable}
set server-pool-id
set type {offline-protection | reverse-proxy | transparent-servers-for-ti |
transparent-servers-for-tp | transparent-servers-for-wccp}
config pserver-list
edit <entry_index>
set analyzer-policy "<fortianalyzer-policy_name>"
set backup-server {enable | disable}
set certificate-verify "<verifier_name>"
set client-certificate "<client-certificate_name>"
set client-certificate-forwarding {enable | disable}
set client-certificate-forwarding-cert-header "<header_str>"
set client-certificate-forwarding-sub-header "<header_str>"
set client-certificate-proxy {enable | disable}
set client-certificate-proxy-sign-ca <sign_ca>
set conn-limit <conn-limit_int>
set domain "<server_fqdn>"
set health-check-inherit {enable | disable}
set hlck-domain <hlck-domain_str>
set hpkp-header "<hpkp_name>"
set hsts-max-age <timeout_int>
set http2 {enable | disable}
set implicit_ssl {enable | disable}
set intermediate-certificate-group "<CA-group_name>"
set ip {"address_ipv4" | "address_ipv6"}
set ocspstapling {enable | disable}
set ocspstapling-group "<group_name>"
set port <port_int>
set server-certificate-verify {enable | disable}
set server-certificate-verify-action {alert | alert_deny | redirect}
set server-certificate-verify-policy "<policy_name>"
set recover <recover_int>
set server-side-sni {enable | disable}

config 172
set server-type {physical | domain}

set session-id-reuse {enable | disable}
set session-ticket-reuse {enable | disable}
set sni {enable | disable}
set sni-certificate "<sni_name>"
set sni-strict {enable | disable}
set ssl-cipher {medium | high | custom}
set ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}
set ssl-noreg {enable | disable}
set ssl-quiet-shutdown {enable | disable}
set ssl-session-timeout <ssl-session-timeout_int>
set status {disable |enable | maintain}
set url-cert {enable | disable}
set urlcert-group "<urlcert-group_name>"
set urlcert-hlen <len_int>
set warm-rate <warm-rate_int>
set warm-up <warm-up_int>
set weight <weight_int>
next
end
next
end
"<server-pool_name>" Enter the name of the server pool. The maximum length is No default.
63 characters.
To display the list of existing servers, enter:

edit ?
comment "<comment_str>" Enter a description or other comment. If the comment is more

than one word or contains special characters, surround the
No default.
comment with double quotes ( " ). The maximum length is 199
characters.
health "<health-check_ Enter the name of a server health check FortiWeb uses to No default.
name>" determine the responsiveness of server pool members. The
When you specify a health check for the pool, by default, all
pool members use that health check. To select a different
health check for a pool member, in the pool member
configuration, specify disable for health-check-
inherit and the health check to use for health.
To display the list of existing health checks, enter:

config 173
edit ?
Available only if type {offline-protection |

reverse-proxy | transparent-servers-for-
ti | transparent-servers-for-tp |
transparent-servers-for-wccp} (page 176) is
reverse-proxy and server-balance {enable |
Note: If a pool member is unresponsive, wait until the

server becomes responsive again before disabling its server
health check. Server health checks record the up or down
status of the server. If you deactivate the server health
check while the server is unresponsive, the server health
check cannot update the recorded status, and FortiWeb
continues to regard the physical server as if it were
unresponsive. You can determine the physical server’s
connectivity status using the Service Status widget or an
SNMP trap. For details, see "system snmp community" on
page 299.
http-reuse {aggressive Configure multiplexing so that FortiWeb uses a single

| always | never | safe} connection to a server for requests from multiple clients.
Enter one of these options:
l aggressive—The first request from a client can use a

cached server connection only when the cached server
connection has been used by more than one client.
l always—Client requests will use an available connection
never
cached server connection.
l never—Disable multiplexing.
l safe—A client will establish a new connection for the first
request, but will use an available cached server connection for
subsequent requests.
Note: This option is available only when the protocol
{HTTP | FTP} (page 175) is HTTP.
lb-algo {least- Select the load-balancing algorithms that FortiWeb uses round-
connections | round- when it distributes new connections among server pool robin
robin | weighted-round-
robin | uri-hash | full- members.
uri-hash | host-hash |
l least-connections—Distributes new connections
host-domain-hash | src-
ip-hash} to the member with the fewest number of existing, fully-
formed connections.
l round-robin—Distributes new connections to the
next member of the server pool, regardless of weight,
response time, traffic load, or number of existing
connections. Unresponsive servers are avoided.

config 174
l weighted-round-robin—Distributes new
connections using the round robin method, except that
members with a higher weight value receive a larger
percentage of connections.
l uri-hash—Distributes new TCP connections using a
hash algorithm based on the URI found in the HTTP
header, excluding hostname.
l full-uri-hash—Distributes new TCP connections
using a hash algorithm based on the full URI string found
in the HTTP header. The full URI string includes the
hostname and path.
l host-hash—Distributes new TCP connections using a
hash algorithm based on the hostname in the HTTP
Request header Host field.
l host-domain-hash—Distributes new TCP
connections using a hash algorithm based on the domain
name in the HTTP Request header Host field.
l src-ip-hash—Distributes new TCP connections
using a hash algorithm based on the source IP address
of the request.
Note: When protocol {HTTP | FTP} (page 175) is
set to FTP, only round-robin, weighted-round-
robin, least-connections, and src-ip-hash are
available.
For hash-based methods, if you specify a value for

persistence, after an initial client request, FortiWeb
routes any subsequent requests according to the
persistence method. Otherwise, it routes subsequent
requests according to the hash-based algorithm.

reverse-proxy and server-balance {enable |
persistence Enter the name of the persistence policy that specifies a

"<persistence-policy_ session persistence method and timeout to apply to the
name>"
pool.
For details, see "server-policy persistence-policy" on page No default.

142.


config 175
protocol {HTTP | FTP} Select one of the following: HTTP
l HTTP—Specifies that the server pool governs HTTP traffic.

Specific options for configuring an HTTP server pool become
available.
l FTP—Specifies that the server pool governs FTP traffic.
Specific options for configuring an FTP server pool become
available.
reuse-conn-idle-time Enter an idle time limit for a cached server connection. If a

<int> cached server connection remains idle for the set duration, 10
it will be closed. The valid range is 1–1000.
reuse-conn-max-count Enter the maximum number of allowed cached server 100

<int> connections. If FortiWeb meets the set number, no more
cached server connections will be established. The valid
range is 1–1000 for each pserver.
Note: The minimum number of cached connections

depends on the number of CPU kernels of the FortiWeb
platform. For example, a FortiWeb 4000E has 40 CPU
kernels, so there are always at least 40 reusable
connections for each pserver. In addition, the valid range is
set for each pserver; if there are two pservers and you enter
a value of 1000, there will be up to 2000 reusable
connections.
reuse-conn-max-request Enter the maximum number of HTTP responses that the

<int> cached server connection may handle. If a cached server
100
connection meets the set number, it will be closed. The
valid range is 1–1000.
reuse-conn-total-time Enter the maximum time limit in which a cached server 100
<int> connection may be reused. If a cached server connection
exists for longer than the set limit, it will be closed. The
server-balance {enable | Specifies whether the pool contains a single server or

disable} multiple members.
If the value is enabled, FortiWeb uses the specified load-

balancing algorithm to distribute TCP connections among
the members. If a member is unresponsive to the specified disable
server health check, FortiWeb forwards subsequent
connections to another member of the pool.
Available only when type {offline-protection |


config 176
reverse-proxy.
server-pool-id A 64-bit random integer assigned to each server policy. The No

policy-id is a unique identification number for each default.
server policy.
When administrative domains (ADOMs) are enabled,

ADOMs can create unique server policies with policy names
that are identical to other server policies created by different
ADOMs, so the policy-id can easily differentiate
between different policies created by different ADOMs that
may share the same policy name.
type {offline- Select the current operation mode of the appliance to

protection | reverse- display the corresponding pool options.
proxy | transparent-
servers-for-ti | For details, see opmode {offline-protection |
transparent-servers-for- reverse-
reverse-proxy | transparent |
tp | transparent-servers- proxy
for-wccp} transparent-inspection | wccp} (page 298).
Note: This option is applicable only when the protocol

<entry_index> Enter the index number of the member entry within the No default.
server pool. The valid range is 1–
9,223,372,036,854,775,807.
For round robin-style load-balancing, the index number

indicates the order in which FortiWeb distributes
connections.
backup-server {enable | Enter enable to configure this pool member as a backup server.
disable}
FortiWeb only routes connections for the pool to a backup server
when all the other members of the server pool fail their server
health check.
disable
The backup server mechanism does not work if you do not
specify server health checks for the pool members.
If you select this option for more than one pool member,
FortiWeb uses the load balancing algorithm to determine which
member to use.
certificate Enter the name of the certificate that FortiWeb uses to No default.
"<certificate_name>" decrypt SSL-secured connections.
Available only if ssl {enable | disable} (page 185)

config 177
is enable. The maximum length is 63 characters.
To display the list of existing certificates, enter:

edit ?

certificate-verify Enter the name of a certificate verifier, if any, to use when

"<verifier_name>" an HTTP client presents their personal certificate. If you do
not specify one, the client is not required to present a
personal certificate.
However, if ssl {enable | disable} (page 185) is

enable and the domain in the client request matches an
entry in the specified SNI policy, FortiWeb uses the SNI
configuration to determine which certificate verifier to use.
Personal certificates, sometimes also called user

certificates, establish the identity of the person connecting
to the website. For details about how the client’s certificate
is verified, see ssl-client-verify "<verifier_
name>" (page 162).
You can require that clients present a certificate

alternatively or in addition to HTTP authentication. For
details, see config waf http-authen http- No default.
authen-rule (page 406).
Available only if ssl {enable | disable} (page 185)

is transparent-servers-for-tp and ssl is
enable. For Reverse Proxy mode, configure this setting in
the server policy instead. See ssl-client-verify
"<verifier_name>" (page 162).
To display the list of existing verifiers, enter:

edit ?
Note: The client must support TLS 1.0, TLS 1.1, or TLS
1.2.

client-certificate Enter the client certificate that FortiWeb uses to connect to disable
"<client-certificate_ this server pool member.
name>"
Used when connections to this pool member require a valid
client certificate.

config 178

reverse-proxy or transparent-servers-for-tp
and ssl {enable | disable} (page 185) is enable.
To upload a client certificate for FortiWeb, see the

client-certificate- Enable to configure FortiWeb to include any X.509 personal

forwarding {enable | certificates presented by clients during the SSL/TLS
disable}
handshake with the traffic it forwards to the pool member.

ti | transparent-servers-for-tp | disable
transparent-servers-for-tp and ssl
{enable | disable} (page 185) is enable.

client-certificate- Enter a custom certificate header that will include the x-client-
forwarding-cert-header Base64 certificate of the X.509 personal certificate cert
"<header_str>"
presented by the client during the SSL/TLS handshake
when it forwards the traffic to the protected web server.

client-certificate- Enter a custom subject header that will include the subject
forwarding-sub-header of the X.509 personal certificate presented by the client
"<header_str>"
during the SSL/TLS handshake when it forwards the traffic x-client-
to the protected web server. dn

client-certificate-proxy Enable to configure seamless PKI integration. When this disable

{enable | disable} option is configured, FortiWeb attempts to verify client
certificates when users make requests and resigns new
certificates that it sends to the server.

config 179
Also configure client-certificate-proxy-sign-

ca <sign_ca> (page 179).

client-certificate-proxy- Select a Sign CA FortiWeb will use to verify and resign new
sign-ca <sign_ca> client certificates.
No default.
conn-limit <conn-limit_ Specifies the maximum number of TCP connections that 0

int> FortiWeb forwards to this pool member.
For no limit, specify 0 (the default value).
The valid range is 0–1,048,576.
domain "<server_fqdn>" Enter the fully-qualified domain name of the web server to
include in the pool, such as www.example.com.
Warning: Server policies do not apply features that do not

yet support IPv6 to domain servers whose DNS names
resolve to IPv6 addresses.
Tip: For domain servers, FortiWeb queries a DNS server to

query and resolve each web server’s domain name to an IP
No default.
address. For improved performance, do one of the
following:
l use physical servers instead

l ensure highly reliable, low-latency service to a DNS
server on your local network
Available only if server-type {physical |
domain} (page 184) is domain.
health-check-inherit Select either: enable

{enable | disable}
l enable—Use the health check specified by health in
the server pool configuration.
l disable—Use the health check specified by health
in this pool member configuration.
hlck-domain <hlck-
Enter the domain name of the server pool. No default.
domain_str>
hpkp-header "<hpkp_name>" Enter an HPKP profile, if any, to use to verify certificates disable

when clients attempt to access a server.

config 180
HPKP prevents attackers from carrying out Man in the

Middle (MITM) attacks with forged certificates.
Available only when the operating mode is True

Transparent Proxy.

hsts-header {enable | Enable to combat MITM attacks on HTTP by injecting the

disable} RFC 6797 (http://tools.ietf.org/html/rfc6797) strict
transport security header into the reply, such as:
Strict-Transport-Security: max-
age=31536000; includeSubDomains
This header forces the client to use HTTPS for subsequent

visits to this domain. If the certificate does not validate, it
also causes a fatal connection error: the client’s web
browser does not display a dialog that allows the user to
disable
override the certificate mismatch error and continue.


hsts-max-age <timeout_ Enter the time to live in seconds for the HSTS header. 7776000
int>
This setting applies only if hsts-header {enable |

http2 {enable | disable} Enable to allow HTTP/2 communication between the

FortiWeb and this back-end web server for HTTP/2 security
inspections in Reverse Proxy mode; or enable HTTP/2
security inspections in True Transparent Proxy mode.
When HTTP/2 security inspection is enabled in Reverse disable

Proxy mode (see "server-policy policy" on page 146):
1. enable—Make sure the traffic is transferred in HTTP/2
between FortiWeb and this web server, if this web server
supports HTTP/2.

config 181
Note: Make sure that this back web server really supports
HTTP/2 before you enable this, or connections will go failed.
2. disable—Make FortiWeb to converse HTTP/2 to HTTP/1.x
for this web server, or converse HTTP/1.x to HTTP/2 for the
clients, if this web server does not support HTTP/2.
When FortiWeb operates in True Transparent Proxy
mode( see opmode {offline-protection |
reverse-proxy | transparent |
transparent-inspection | wccp} (page 298)):
1. enable—Enable HTTP/2 security inspection. It only
requires this option to be enabled and the SSL be well-
configured to enable the HTTP/2 security inspection. No
HTTP/2 configuration is required for config server-
policy policy (page 146). When HTTP/2 inspection is
enabled in True Transparent Proxy mode, FortiWeb performs
no protocol conversions between HTTP/1.x and HTTP/2,
which means HTTP/2 connections will not be established
between clients and back-end web servers if the web servers
do not support HTTP/2.
2. disable—Disable HTTP/2 security inspection.
Note:
1. This option is available only if type {offline-
protection | reverse-proxy | transparent-
servers-for-ti | transparent-servers-for-
tp | transparent-servers-for-wccp} (page 176)
is set to reverse-proxy or transparent-servers-
for-tp; and when type is transparent-servers-
for-tp, this option is available only if ssl {enable |
2. Please confirm your FortiWeb operation mode and the HTTP
versions your back-end web servers are running first to make
appropriate configuration here, so that HTTP/2 inspection
can work correctly with your web servers.
3. For details about HTTP/2 support, see the FortiWeb
implicit_ssl {enable Enable so that FortiWeb will communicate with the pool disable
| disable} member using implicit SSL.

{HTTP | FTP} (page 175) is set to FTP.

config 182
intermediate-certificate- Enter the name of a group of intermediate certificate

group "<CA-group_name>" authority (CA) certificates, if any, that FortiWeb presents to
clients to complete the signing chain for them and validate
the server certificate’s CA signature.
If clients receive certificate warnings that the server

certificate configured in certificate
"<certificate_name>" (page 176) has been signed
by an intermediary CA, rather than directly by a root CA or
other CA currently trusted by the client, configure this
option.
Alternatively, include the entire signing chain in the server

certificate itself before uploading it to the FortiWeb
appliance, thereby completing the chain of trust with a CA
already known to the client. For details, see the FortiWeb
Administration Guide: No default.
{enable | disable} (page 185) is enable. For
Reverse Proxy mode, configure this setting in the server
policy instead. For details, see intermediate-
certificate-group "<CA-group_name>" (page
156).

ip {"address_ipv4" | Enter the IP address of the web server to include in the No default.
"address_ipv6"} pool.
Warning: Server policies do not apply to features that do

not yet support IPv6 to servers specified using IPv6
addresses.
Available only if server-type {physical |

domain} (page 184) is physical.
ocspstapling {enable | Enable OCSP stapling for the certificate you specified in
disable} certificate "<certificate_name>" (page 176).
This option is available only if SSL is enabled. disable


config 183
ocspstapling-group Enter the custom OCSP group that defines the CA No default.
"<group_name>" certificate and URL of the OCSP server corresponding to
the certificate specified in certificate
"<certificate_name>" (page 176). For details, see
"system certificate remote" on page 229.

port <port_int> 80
Enter the TCP port number where the pool member listens for
(HTTP)/21
connections. The valid range is 1–65,535.
(FTP)
recover <recover_int> Specify the number of seconds that FortiWeb waits before it 0
forwards traffic to this pool member after a health check
indicates that this server is available again.
The default is 0 (disabled).
After the recovery period elapses, FortiWeb assigns

connections at the rate specified by warm-rate
<warm-rate_int> (page 190).
Examples of when the server experiences a recovery and

warm-up period:
l A server is coming back online after the health check monitor

detected it was down.
l A network service is brought up before other daemons have
finished initializing and therefore the server is using more CPU
and memory resources than when startup is complete.
To avoid connection problems, specify the separate warm-
up rate, recovery rate, or both.
Tip: During scheduled maintenance, you can also

manually apply these limits by setting status
{disable |enable | maintain} (page 188) to
maintain.
server-side-sni {enable | Specify whether FortiWeb supports Server Name Indication

disable} (SNI) for back-end servers that it applies this policy to.
Enable this feature when the operating mode is transparent

proxy, end-to-end encryption is required, and the back-end disable
web server itself requires SNI support.
When the operating mode is Reverse Proxy, you enable

server-side SNI support using the server policy.

config 184

server-type {physical | Specify whether to specify the pool member by IP address or physical
domain} domain.
session-id-reuse {enable Enable so that FortiWeb reuses the session ID when

| disable} establishing an SSL connection to a pserver. If the SSL
connection has a server name, FortiWeb can only reuse a
session ID for the specified pserver. If both a session ticket disable
and ID exist for a pserver, FortiWeb will reuse the ticket.
Note: This option is available only when ssl {enable |

session-ticket-reuse Enable so that FortiWeb reuses the session ticket when disable
{enable | disable} establishing an SSL connection to a pserver. If the SSL
connection has a server name, FortiWeb can only reuse a
session ticket for the specified pserver.
Note: This option is available only when ssl {enable |

sni {enable | disable} Enable to use a Server Name Indication (SNI) configuration
instead of or in addition to the server certificate specified by
certificate "<certificate_name>" (page 176).
The SNI configuration enables FortiWeb to determine

which certificate to present on behalf of the members of a
pool based on the domain in the client request. For details,
see config system certificate sni (page 231).
If you specify both a SNI configuration and a certificate,

FortiWeb uses the certificate specified by certificate
"<certificate_name>" (page 176) when the
requested domain does not match a value in the SNI
configuration. disable
If you enable sni-strict {enable | disable}

(page 185), FortiWeb always ignores the value of
certificate "<certificate_name>" (page 176).


config 185
sni-certificate "<sni_ Enter the name of the Server Name Indication (SNI) No default.
name>" configuration that specifies which certificate FortiWeb uses
when encrypting or decrypting SSL-secured connections for
a specified domain.
The SNI configuration enables FortiWeb to present

different certificates on behalf of the members of a pool
according to the requested domain.
If only one certificate is required to encrypt and decrypt

traffic that this policy applies to, specify certificate
"<certificate_name>" (page 176) instead.
Available only if sni {enable | disable} (page 184)

is enabled.

sni-strict {enable | Select to configure FortiWeb to ignore the value of

disable} certificate "<certificate_name>" (page 176)
when it determines which certificate to present on behalf of
server pool members, even if the domain in a client request disable
does not match a value in the specified SNI configuration.

ssl {enable | disable} For Reverse Proxy, Offline Protection, and Transparent No default.
Inspection modes, specifies whether connections between
FortiWeb and the pool member use SSL/TLS.
For True Transparent Proxy and WCCP modes, specifies

whether FortiWeb performs SSL/TLS processing for the
pool members and connections between FortiWeb and the
pool member use SSL/TLS.
For Offline Protection and transparent modes, also

configure certificate "<certificate_name>"
(page 176). FortiWeb uses the certificate to decrypt and
scan connections before passing the encrypted traffic
through to the pool members (SSL inspection).
For True Transparent Proxy, also configure certificate

"<certificate_name>" (page 176) and additional SSL
settings as required. FortiWeb handles SSL negotiations
and encryption and decryption, instead of the pool member
(SSL offloading).

config 186
For Reverse Proxy mode, you can configure SSL offloading

for all members of a pool using a server policy. For details,
see "server-policy policy" on page 146.
Note: When this option is enabled, the pool member must

be configured to apply SSL.
Note: Ephemeral (temporary key) Diffie-Hellman

exchanges are not supported if the FortiWeb appliance is
operating in Transparent Inspection or Offline Protection
mode.
ssl-cipher {medium | high For Reverse Proxy mode, specifies whether secure
| custom} connections between FortiWeb and the server pool member
use a medium-security, high-security, or custom set of
cipher suites.

whether secure connections between clients and FortiWeb
and between FortiWeb and the server pool member use a
medium-security, high-security, or custom set of cipher
suites.
If custom, also specify ssl-custom-cipher

{<cipher_1> <cipher2> <cipher3> ...} (page
186).
medium
Do not set to custom if http2 {enable | disable}
(page 180) is set to enable.
For details, see the FortiWeb Administration Guide:
reverse-proxy, transparent-servers-for-tp,
or transparent-servers-for-wccp, and ssl
ssl-custom-cipher Specify one or more cipher suites that FortiWeb allows. ECDHE-
{<cipher_1> <cipher2> ECDSA-
<cipher3> ...} Separate the name of each cipher with a space. To remove AES256-
from or add to the list of ciphers, retype the entire list. GCM-SHA384
ECDHE-RSA-
Valid values are: AES256-
GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-
ECDHE-RSA-AES256-GCM-SHA384 ECDSA-
DHE-DSS-AES256-GCM-SHA384 CHACHA20-

config 187
DHE-RSA-AES256-GCM-SHA384 POLY1305
ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-
ECDHE-RSA-CHACHA20-POLY1305 CHACHA20-
DHE-RSA-CHACHA20-POLY1305 POLY1305
ECDHE-ECDSA-AES256-CCM8 ECDHE-
ECDHE-ECDSA-AES256-CCM ECDSA-
DHE-RSA-AES256-CCM8 AES128-
DHE-RSA-AES256-CCM GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-
ECDHE-RSA-AES128-GCM-SHA256 AES128-
GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
ECDHE-
DHE-RSA-AES128-GCM-SHA256
ECDSA-
ECDHE-ECDSA-AES128-CCM8 AES256-
ECDHE-ECDSA-AES128-CCM SHA384
DHE-RSA-AES128-CCM8 ECDHE-RSA-
DHE-RSA-AES128-CCM AES256-
ECDHE-ECDSA-AES256-SHA384 SHA384
ECDHE-RSA-AES256-SHA384 ECDHE-
DHE-RSA-AES256-SHA256 ECDSA-
DHE-DSS-AES256-SHA256 AES128-
ECDHE-ECDSA-CAMELLIA256-SHA384 SHA256
ECDHE-RSA-CAMELLIA256-SHA384 ECDHE-RSA-
DHE-RSA-CAMELLIA256-SHA256 AES128-
DHE-DSS-CAMELLIA256-SHA256 SHA256
ECDHE-ECDSA-AES128-SHA256 ECDHE-
ECDHE-RSA-AES128-SHA256 ECDSA-
DHE-RSA-AES128-SHA256 AES256-SHA
DHE-DSS-AES128-SHA256 ECDHE-RSA-
ECDHE-ECDSA-CAMELLIA128-SHA256 AES256-SHA
ECDHE-RSA-CAMELLIA128-SHA256 ECDHE-
DHE-RSA-CAMELLIA128-SHA256 ECDSA-
AES128-SHA
DHE-DSS-CAMELLIA128-SHA256
ECDHE-RSA-
ECDHE-ECDSA-AES256-SHA
AES128-SHA
ECDHE-RSA-AES256-SHA
AES256-
DHE-RSA-AES256-SHA GCM-SHA384
DHE-DSS-AES256-SHA AES128-
DHE-RSA-CAMELLIA256-SHA GCM-SHA256
DHE-DSS-CAMELLIA256-SHA AES256-
ECDHE-ECDSA-AES128-SHA SHA256
ECDHE-RSA-AES128-SHA AES128-
DHE-RSA-AES128-SHA SHA256
DHE-DSS-AES128-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
AES256-GCM-SHA384
AES256-CCM8
AES256-CCM
AES128-GCM-SHA256
AES128-CCM8
AES128-CCM
AES256-SHA256
CAMELLIA256-SHA256
AES128-SHA256

config 188
CAMELLIA128-SHA256
AES256-SHA
CAMELLIA256-SHA
AES128-SHA
CAMELLIA128-SHA
DHE-RSA-SEED-SHA
ECDHE_RSA_DES_CBC3_SHA
DES_CBC3_SHA
ssl-noreg {enable | Select to configure FortiWeb to ignore requests from clients

disable} to renegotiate TLS or SSL.
Protects against denial-of-service (DoS) attacks that use

TLS/SSL renegotiation to overburden the server.

reverse-proxy | transparent-servers-for- enable

status {disable |enable | To specify the status of the pool member, enter one of the enable
maintain} following values:
l enable—Specifies that this pool member can receive new

sessions from FortiWeb.
l disable—Specifies that this pool member does not receive
new sessions from FortiWeb and FortiWeb closes any current
sessions as soon as possible.
l maintain—Specifies that this pool member does not receive
new sessions from FortiWeb but FortiWeb maintains any
current connections.
tls-v10 {enable | For Reverse Proxy mode, specifies whether secure

disable} connections between FortiWeb and the server pool member
can use the TLS 1.0 cryptographic protocol.

and between FortiWeb and the server pool member can use enable
the TLS 1.0 cryptographic protocol.
This must be set to disable if http2 {enable |

disable} (page 180) is set to enable.

config 189
tls-v11 {enable | For Reverse Proxy mode, specifies whether secure enable

and between FortiWeb and the server pool member can use
This must be set to disable if http2 {enable |


tls-v12 {enable | For Reverse Proxy mode, specifies whether secure


and between FortiWeb and the server pool member can use
enable
url-cert {enable | Specifies whether FortiWeb uses a URL-based client disable

disable} certificate group to determine whether a client is required to
present a personal certificate.
Available only if https-service "<service_name>"

(page 156) is configured.

config 190

urlcert-group "<urlcert- Enter the URL-based client certificate group that

group_name>" determines whether a client is required to present a
If the URL the client requests does not match an entry in

the group, the client is not required to present a personal
certificate. No default.
For details about creating a group, see "system certificate

urlcert" on page 233.

urlcert-hlen <len_int> Enter the maximum allowed length for an HTTP request No default.
with a URL that matches an entry in the URL-based client
certificate group, in kilobytes.
FortiWeb blocks any matching requests that exceed the

specified size.
This setting prevents a request from exceeding the

maximum buffer size.

warm-rate <warm-rate_int> Specify the maximum connection rate (per second) while
the pool member is starting up.
The default is 10 connections per second. The valid range is

1–86,400.
The warm up calibration is useful with servers that bring up

the network service before other daemons are initialized. As
these types of servers come online, CPU and memory are
more utilized than they are during normal operation. For
10
these servers, you define separate rates based on warm-up
and recovery behavior.
For example, if warm-up <warm-up_int> (page 191)

is 5 and warm-rate is 2, the maximum number of new
connections increases at the following rate:
l 1st second—Total of 2 new connections allowed (0+2).

l 2nd second—2 new connections added for a total of 4 new
connections allowed (2+2).

config 191
l 3rd second—2 new connections added for a total of 6 new

l 4th second—2 new connections added for a total of 8 new
l 5th second—2 new connections added for a total of 10 new
warm-up <warm-up_int> Specify for how long (in seconds) FortiWeb forwards traffic 0
at a reduced rate after a health check indicates that this
pool member is available again but it cannot yet handle a
full connection load.
For example, when the pool member begins to respond but

startup is not fully complete.
The default is 0 (disabled).
weight <weight_int> If the server pool uses the weighted round robin load-
balancing algorithm, type the numerical weight of the pool
member. Members with a greater weight receive a greater 0
proportion of connections.
ssl-session-timeout When FortiWeb is configured as an SSL server, you can set SSL No default.
<ssl-session-timeout_ session timeout intervals via the CLI. This is available only in
int> Reverse Proxy and True Transparent Proxy modes.
ssl-quiet-shutdown For HTTPS connection, when disabled, FortiWeb sends ssl alert
{enable | disable} message to the client or server pool first, and then FIN.
Disable
When enabled, FortiWeb directly sends FIN message instead of
sending ssl alert message.
server-certificate- Enable so that FortiWeb appliance will verify certificates Disable

verify {enable | presented by HTTP server.
disable}
server-certificate-
verify-policy Enter the certificate verity policy name. No default.
"<policy_name>"
server-certificate- Select which action the FortiWeb appliance will take when it No default.
verify-action {alert detects a certificate violation.
| alert_deny |
redirect}

config 192
Example
This example configures a server pool named server-pool1. It consists of two physical servers: 192.0.2.10 and
192.0.2.11.
When both servers are available, FortiWeb forwards connections to the server with the smallest number of connections.
config server-policy server-pool
edit "server-pool1"
set type reverse-proxy
set server-balance enable
set lb-algo least-connections
config pserver-list
edit 1
set status enable
set server-type physical
set ip "192.0.2.10"
set ssl disable
set port 8081
next
edit 2
set status enable
set server-type physical
set ip "192.0.2.11"
set ssl disable
set port 8082
next
end
next
end
Related topics
l "server-policy http-content-routing-policy" on page 121
l "server-policy health" on page 116
l "server-policy persistence-policy" on page 142
l waf ftp-propredefined-global-white-listtection-profile
l "system feature-visibility" on page 247
server-policy service custom
Use this command to configure a custom service.
You can add a custom services to a policy to define the protocol and listening port of a virtual server. For details, see
"server-policy policy" on page 146.

config 193
Syntax
config server-policy service custom
edit "<service_name>"
set port <port_int>
set protocol TCP
next
end
"<service_name>" Enter the name of the new or existing custom network service. No
To display the list of existing services, enter:

edit ?
Enter the port number on which a virtual server will receive TCP/IP
No
port <port_int> connections for HTTP or HTTPS requests. The valid range is 1–
default.
65,535.
Example
This example configures a service definition named SOAP1.
config server-policy service custom
edit "SOAP1"
set port 8081
set protocol TCP
next
end
Related topics
server-policy service predefined
Use this command to view a predefined service.
This command only displays predefined services. It cannot be used to modify them. If you
attempt to edit the port number and protocol, the appliance will discard your settings.

config 194
Predefined Internet services can be selected in a policy in order to define the protocol and listening port of a virtual
server. For details, see "server-policy policy" on page 146.
Syntax
config server-policy service predefined
edit "<service_name>"
show
next
end
"<service_name>" Enter the name of a predefined network service, such as HTTP No

or HTTPS. The maximum length is 63 characters. default.
To display the list of existing services, enter:

edit ?
Example
This example shows the default settings for all of the predefined services.
show
Output:
edit HTTP
set port 80
set protocol TCP
next
edit HTTPS
set port 443
set protocol TCP
next
end
Related topics
server-policy setting
Use this command to configure the server policy settings.

config 195
Syntax
config server-policy setting
set core-file-count <core-file-count_int>
set enable-core-file {enable | disable}
set enable-session-statistics {enable | disable}
set enable-single-worker {enable | disable}
set hsm {enable | disable}
set no-session-limit {enable | disable}
set no-ssl-encrypt-then-mac {enable | disable}
set offline-session-timeout {seconds_int}
set use-first-ack-mac {enable | disable}
set dpdk {enable | disable}
set high-compatibility-mode {enable | disable}
end
core-file-count <core- The maximum core dump file number. The valid values are 3 No
file-count_int> and 5. default
enable-core-file {enable No
| disable} Enable/disable generating the core dump files.
default
enable-session-statistics Enable/disable session statistics for FortiView. No

{enable | disable} default
enable-single-worker No
{enable | disable} Enable/disable single worker mode.
default
hsm {enable | disable} Specifies whether the settings you use to integrate FortiWeb with No
an HSM (hardware security module) are displayed in the web UI. default
no-session-limit {enable Enable not to limit the maximum concurrency sessions of virtual No
| disable} machine. default
no-ssl-encrypt-then-mac Disable to include the encrypt-then-mac extension in the packets disable

{enable | disable} sent by the client.
Once enabled, machine learning only observes the source MAC of

use-first-ack-mac {enable two ACK packets for a URL at Three-way handshake.
enable
| disable} If disabled, machine leaning observes all ACK packets, which
continues refreshing MAC, with the performance affected.
dpdk {enable | disable} Enable/disable DPDK for packet processing. No

default
high-compatibility-mode
{enable | disable} Enable to accelerate SSL transport. disable
offline-session-timeout Enter the offline session timeout. The valid range is seconds 30– No
{seconds_int} 1200 seconds. default

config 196
Related topics
server-policy vserver
Use this command to configure virtual servers.
Before you can create a policy, you must first configure a virtual server which defines the network interface or bridge and
IP address on which traffic destined for an individual physical server or server farm will arrive.
When the FortiWeb appliance receives traffic destined for a virtual server, it can then forward the traffic to a physical
server or a server farm. The FortiWeb appliance identifies traffic as being destined for a specific virtual server if:
l The traffic arrives on the network interface or bridge associated with the virtual server
l For Reverse Proxy mode, the destination address is the IP address of a virtual server (the destination IP address is ignored
in other operation modes, except that it must not be identical with the physical server’s IP address)
Virtual servers can be on the same subnet as physical servers. This configuration
creates a one-arm HTTP proxy. For example, the virtual server 192.0.2.1/24
could forward to the physical server 192.0.2.2.
However, this is not recommended. Unless your network’s routing configuration

prevents it, it could allow attackers that are aware of the physical server’s IP
address to bypass FortiWeb by accessing the physical server directly.
To apply virtual servers, select them within a server policy. For details, see "server-policy policy" on page 146.
Syntax
config server-policy vserver
edit "<virtual-server_name>"
set interface "<interface_name>"
set vip "<virtual-ip_ipv4mask>"
set vip6 "<virtual-ip_ipv6mask>"
set use-interface-ip {enable | disable}
next
end
"<virtual-server_name>" Enter the name of the new or existing virtual server. The disable
To display the list of existing servers, enter:

config 197
edit ?
No
status {enable | disable} Enable to accept traffic destined for this virtual server.
default.
interface "<interface_ Enter the name of the network interface or bridge, such as No
name>" port1 or bridge1, to which the virtual server is bound, and default.
on which traffic destined for the virtual server will arrive. The
To display the list of existing interfaces, enter:

edit ?
vip "<virtual-ip_ 0.0.0.0

ipv4mask>" Enter the IPv4 address and subnet of the virtual server.
0.0.0.0
vip6 "<virtual-ip_ Enter the IPv6 address and subnet of the virtual server. ::/0
ipv6mask>"
For FortiWeb-VM on Microsoft Azure, specify whether the virtual

use-interface-ip
{enable | disable} server uses the IP address of the specified interface, instead of an disable
IP specified by vip or vip6.
Example
This example configures a virtual server named inline_vip1 on the network interface named port1.
The port number on which the virtual server will receive traffic is defined separately, in the policies that use this virtual
server definition.
config server-policy vserver
edit "inline_vip1"
set status enable
set interface port1
set vip "192.0.2.1 255.255.255.0"
next
end
Related topics
l "ping" on page 638

config 198
system accprofile
Use this command to configure access control profiles for administrators.
If you have configured RADIUS queries for authenticating administrators, you

can override the locally-selected access profile by using a RADIUS VSA. For
details, see "system admin" on page 201.
Access profiles determine administrator accounts’ permissions.
When an administrator has only read access to a feature, the administrator can access the web UI page for that feature,
and can use the get and show CLI command for that feature, but cannot make changes to the configuration. There are
no Create or Apply buttons, or config CLI commands. Lists display only the View icon instead of icons for Edit,
Delete or other modification commands. Write access is required for modification of any kind.
In larger companies where multiple administrators divide the share of work, access profiles often reflect the specific job
that each administrator does (“role”), such as user account creation or log auditing. Access profiles can limit each
administrator account to their assigned role. This is sometimes called role-based access control (RBAC).
The prof_admin access profile, a special access profile assigned to the admin administrator account and required by
it, does not appear in the list of access profiles. It exists by default and cannot be changed or deleted, and consists of
essentially UNIX root-like permissions.
If you create more administrator accounts, whether to harden security or simply to prevent accidental modification,
create other access profiles with the minimal degrees and areas of access that each role requires. Then assign each
administrator account the appropriate role-based access profile.
For example, for a person whose only role is to audit the log messages, you might make an access profile named
auditor that only has Read permissions to the Log & Report area.
For information on how each access control area correlates to which CLI commands that administrators can access, see
"Permissions" on page 51
To use this command, your administrator account’s access control profile must have both r and w permissions to items
in the admingrp category.
Syntax
edit "<access-profile_name>"
set admingrp {none | r | rw | w}
set authusergrp {none | r | rw | w}
set learngrp {none | r | rw | w}
set loggrp {none | r | rw | w}
set mlgrp {none | r | rw | w}
set mntgrp {none | r | rw | w}
set netgrp {none | r | rw | w}
set sysgrp {none | r | rw | w}
set traroutegrp {none | r | rw | w}
set syncookie {enable | disable}
set webgrp {none | r | rw | w}
set wvsgrp {none | r | rw | w}
next

config 199
end
"<access-profile_name>" Enter the name of the access profile. The maximum length is No
To display the list of existing profiles, enter:

edit ?
Enter the degree of access that administrator accounts using

this access profile will have to the system administrator
admingrp {none | r | rw | configuration. none
w}
Available only when administrative domains (ADOMs) are
disabled. For details, see .
authusergrp {none | r | Enter the degree of access that administrator accounts using this none
rw | w} access profile will have to the HTTP authentication user
configuration.
Enter the degree of access that administrator accounts using this

learngrp {none | r | rw |
w} access profile will have to the auto-learning profiles and their none
resulting auto-learning reports.
loggrp {none | r | rw | Enter the degree of access that administrator accounts using this none
w} access profile will have to the logging and alert email configuration.
mlgrp {none | r | rw | Enter the degree of access that administrator accounts using this
none
w} access profile will have to the machine learning configuration.
mntgrp {none | r | rw | Enter the degree of access that administrator accounts using none
w} this access profile will have to maintenance commands.
Unlike the other rows, whose scope is an area of the

configuration, the maintenance access control area does not
affect the configuration. Instead, it indicates whether the
administrator can perform special system operations such as
changing the firmware.

netgrp {none | r | rw |
w} access profile will have to the network interface and routing none
configuration.
sysgrp {none | r | rw | Enter the degree of access that administrator accounts using this none
w} access profile will have to the basic system configuration (except for
areas included in other access control areas such as admingrp).

traroutegrp {none | r |
rw | w} access profile will have to the server policy (formerly called traffic none
routing) configuration.

config 200
wadgrp {none | r | rw | Enter the degree of access that administrator accounts using this none
w} access profile will have to the web anti-defacement configuration.
webgrp {none | r | rw | Enter the degree of access that administrator accounts using this
none
w} access profile will have to the web protection profile configuration.
wvsgrp {none | r | rw | Enter the degree of access that administrator accounts using this none
w} access profile will have to the web vulnerability scanner.
Example
This example configures an administrator access profile named full_access, which permits both read and write
access to all special operations and parts of the configuration.
Even though this access profile configures full access, administrator accounts using this
access profile will not be fully equivalent to the admin administrator. The admin
administrator has some special privileges that are inherent in that account and cannot be
granted through an access profile, such as the ability to reset other administrators’
passwords without knowing their current password. Other accounts should therefore not be
considered a substitute, even if they are granted full access.

edit "full_access"
set admingrp rw
set authusergrp rw
set learngrp rw
set loggrp rw
set mlgrp rw
set mntgrp rw
set netgrp rw
set sysgrp rw
set traroutegrp rw
set wadgrp rw
set webgrp rw
set wvsgrp rw
next
end
Related topics

config 201
system admin
Use this command to configure FortiWeb administrator accounts. In its factory default configuration, a FortiWeb
appliance has one administrator account, named admin. That administrator has permissions that grant full access to
the FortiWeb configuration and firmware. After connecting to the web UI or the CLI using the admin administrator
account, you can configure additional administrator accounts with various levels of access to different parts of the
FortiWeb configuration.
Administrators can access the web UI and the CLI through the network, depending on administrator account’s trusted
hosts, ADOMs, and the administrative access protocols enabled for each of the FortiWeb appliance’s network
interfaces. For details, see "system interface" on page 280, , and "Connecting to the CLI" on page 39.
To prevent multiple administrators from logging in simultaneously, which could allow them
to inadvertently overwrite each other’s changes, enable . For details, see .
Syntax
config system admin
edit "<administrator_name>"
set accprofile "<access-profile_name>"
set accprofile-override {enable | disable}
set domains "<adom_name>"
set password "<password_str>"
set email-address "<contact_email>"
set first-name "<name_str>"
set last-name "<surname_str>"
set mobile-number "<cell-phone_str>"
set phone-number "<phone_str>"
set trusthost1 "<management-computer_ipv4mask>"
set ip6trusthost1 "<management-computer_ipv6mask>"
set type {local-user | remote-user}
set admin-usergroup "<remote-auth-group_name>"
set wildcard {enable | disable}
set sshkey "<sshkey_str>"
set force-password-change {enable | disable}
next
end
"<administrator_name>" Enter the name of the administrator account, such as No

admin1 or [email protected], that can be referenced default.

config 202
in other parts of the configuration.
Do not use spaces or special characters except the ‘at’ symbol

( @ ). The maximum length is 63 characters.
To display the list of existing accounts, enter:

edit ?
Note: This is the user name that the administrator must

provide when logging in to the CLI or web UI. If using an
external authentication server such as RADIUS or Active
Directory, this name will be passed to the server via the
remote authentication query.
Enter the name of an access profile that gives the

permissions for this administrator account. See also "system
accprofile" on page 198. The maximum length is 63
characters.
You can select prof_admin, a special access profile used by

the admin administrator account. However, selecting this
access profile will not confer all of the same permissions of
the admin administrator. For example, the new administrator
would not be able to reset lost administrator passwords.

edit ?
Tip: Alternatively, if your administrator accounts authenticate

accprofile "<access- via a RADIUS query, you can assign their access profile No
profile_name>" through the RADIUS server using RFC 2548 default.
(http://www.ietf.org/rfc/rfc2548.txt) Microsoft Vendor-
specific RADIUS Attributes.
On the RADIUS server, create an attribute named:
ATTRIBUTE FortiWeb-Access-Profile 7
then set its value to be the name of the access profile that you
want to assign to this account. Finally, in the CLI, use
accprofile-override {enable | disable} (page
202) to enable the override.
If none is assigned on the RADIUS server, or if it does not

match the name of an existing access profile on FortiWeb,
FortiWeb will fail back to use the one locally assigned by this
setting.
accprofile-override Enable to use the access profile indicated by the RADIUS disable
{enable | disable} query response, and ignore accprofile "<access-

config 203
profile_name>" (page 202).
This setting applies only if admin-usergroup

"<remote-auth-group_name>" (page 205) is
configured to use a RADIUS query to authenticate this
account.
This setting applies only if ADOMs are enabled. See .
Enter the name of an administrative domain (ADOM) to

assign and restrict this administrative account to it. No
domains "<adom_name>"
default.
This setting applies only if ADOMs are enabled. See .
password "<password_str>" Enter a password for the administrator account. The No

maximum length is 32 characters. The minimum length is 1 default.
character.
For improved security, the password should be at least 8

characters long, be sufficiently complex, and be changed
regularly.
This setting applies only when type is local-user. For

accounts defined on a remote authentication server, the
FortiWeb appliance will instead query the server to verify
whether the password given during a login attempt matches
the account’s definition.
email-address "<contact_ Enter an email address that can be used to contact this No
email>" administrator. The maximum length is 63 characters. default.
first-name "<name_str>" Enter the first name of the administrator. The maximum length is No
Enter the surname of the administrator. The maximum length is 63 No

last-name "<surname_str>"
characters. default.
mobile-number "<cell- Enter a cell phone number that can be used to contact this No
phone_str>" administrator. The maximum length is 63 characters. default.
phone-number "<phone_ Enter a phone number that can be used to contact this No
str>" administrator. The maximum length is 63 characters. default.
trusthost1 "<management- Enter the IP address and netmask of a management 0.0.0.0

computer_ipv4mask>" computer or management LAN from which the administrator 0.0.0.0
is allowed to log in to the FortiWeb appliance. You can specify
up to three trusted hosts.
To allow login attempts from any IP address, enter

0.0.0.0/0.0.0.0. If you allow administrators to log in

config 204
from any IP address, consider choosing a longer and more

complex password, and limiting administrative access to
secure protocols to minimize the security risk. For details
about administrative access protocols, see "system interface"
on page 280.
Note: For improved security, restrict all three trusted host

addresses to the IP addresses of computers from which only
this administrator will log in.
Enter a second IP address and netmask of a management

computer or management LAN from which the administrator
trusthost2 "<management- is allowed to log in to the FortiWeb appliance. 0.0.0.0
computer_ipv4mask>" 0.0.0.0
0.0.0.0/0.0.0.0.
trusthost3 "<management- Enter a third IP address and netmask of a management 0.0.0.0

computer_ipv4mask>" computer or management LAN from which the administrator 0.0.0.0
is allowed to log in to the FortiWeb appliance.

0.0.0.0/0.0.0.0.
Enter the IP address and netmask of a management

computer or management LAN from which the administrator
is allowed to log in to the FortiWeb appliance. You can specify
up to three trusted hosts.
To allow login attempts from any IP address, enter ::/0.
Caution: If you allow logins from any IP address, consider

choosing a longer and more complex password, and limiting
ip6trusthost1 administrative access to secure protocols to minimize the
"<management-computer_ security risk. Unlike IPv4, IPv6 does not isolate public from ::/0
ipv6mask>"
private networks via NAT, and therefore can increase
availability of your FortiWeb’s web UI/CLI to IPv6 attackers
unless you have carefully configured your firewall/FortiGate
and routers. For details about administrative access
protocols, see "system interface" on page 280.
Note: For improved security, restrict all three trusted host

addresses to the IP addresses of computers from which only
this administrator will log in.
ip6trusthost2 Enter a second IP address and netmask of a management ::/0

"<management-computer_ computer or management LAN from which the administrator
ipv6mask>"
is allowed to log in to the FortiWeb appliance.

config 205
Enter a third IP address and netmask of a management

ip6trusthost3 computer or management LAN from which the administrator
"<management-computer_ is allowed to log in to the FortiWeb appliance. ::/0
ipv6mask>"
type {local-user | Select either: No

remote-user} default.
l local-user—Authenticate this account locally, with the
FortiWeb appliance itself.
l remote-user—Authenticate this account via a remote server
such as an LDAP or RADIUS server. Also configure admin-
usergroup "<remote-auth-group_name>" (page 205).
Enter the name of the remote authentication group whose

settings the FortiWeb appliance will use to connect to a
remote authentication server when authenticating login
attempts for this account. The maximum length is 63
admin-usergroup "<remote- characters. No
auth-group_name>" default.
edit ?
For details about configuring remote authentication groups,

see "user admin-usergrp" on page 315.
wildcard {enable | Used when administrator accounts authenticate via a No

disable} RADIUS query. default.
This setting applies only if the value of type {local-

user | remote-user} (page 205) is remote-user.
The public key used for connecting to the CLI using a public-
private key pair.
For more information on connecting to the CLI using a public- No

sshkey "<sshkey_str>"
private key pair, see “Connecting to the CLI” in the FortiWeb default.
force-password-change Enable/disable force password change for next login. Disable

{enable | disable} This field can be configured only when Password Policy is
enabled in System > Admin > Settings.
Example
This example configures an administrator account with an access profile that grants only permission to read logs. This
account can log in only from an IP address on the management LAN (192.0.2.1/24), or from one of two specific IP

config 206
addresses (192.0.2.15 and 192.0.2.50).

config system admin
edit "log-auditor"
set accprofile "log_read_access"
set password "P@ssw0rd"
set email-address "[email protected]"
set trusthost1 "192.0.2.1 255.255.255.0"
set trusthost2 "192.0.2.15 255.255.255.255"
set trusthost3 "192.0.2.50 255.255.255.255"
set force-password-change enable
end
To display all dashboard status and widget settings, enter:

config system admin
show
Related topics
l "system global" on page 258
l "user admin-usergrp" on page 315
system admin-certificate ca
When FortiWeb's certificate-based Web UI login is applied. Besides the administrators' certificates information, the
corresponding certificate authority (CA) certificates are required to be stored on the FortiWeb appliance. Certificate
authorities validate and sign other certificates in order to indicate to third parties that those other certificates are
authentic and can be trusted. FortiWeb authorizes the administrator's login by verifying its certificate with the
corresponding CA.
Use this command to show the names of the CA certificates that are relative to the administrators' certificates. You use
the web UI to upload these certificates.
CA certificates are not used directly here (no set operations are defined), but they are required when you create a PKI
user (an administrator that FortiWeb authorizes base on his certificate) on the FortiWeb. For details, see "user pki-user"
on page 324.
For information about certificate-based Web UI login, see the FortiWeb Administration Guide:
Syntax
show system admin-certificate ca

config 207
Example
config system admin-certificate ca
edit "CA_Cert_1"
next
edit "CA_Cert_2"
next
end
system admin-certificate local
The FortiWeb appliance presents its own HTTPS server certificate for secure connections (HTTPS) to its Web UI. By
default, A Fortinet factory certificate is used as the certificate, which is named defaultcert in FortiWeb. You can
also import other certifications to FortiWeb and replace the defaultcert with any of them for secure Web UI
connections.
Use this command to edit the comment associated with the these FortiWeb's administration certificates that are stored
locally on the FortiWeb appliance.
To replace the certificate that FortiWeb uses for the secure accesses to its Web UI, see .
For information on how to upload a certificate file to change FortiWeb's default certificate, see the FortiWeb
Syntax
config system admin-certificate local
edit "<certificate_name>"
set certificate "<certificate_str>"
set passwd "<passwd_str>"
set private-key "<private-key_str>"
set flag 0
set status ok
set type certificate
next
end
"<certificate_name>" Enter the name of a certificate file. The maximum length is 63 No default.
characters.
comment "<comment_str>" Enter a description or other comment. If the comment

No default.
contains more than one word or contains an apostrophe,

config 208
surround the comment in double quotes ( " ). The maximum

certificate Enter the sequence number of the certificate file. No default.

"<certificate_str>"
passwd "<passwd_str>" When exporting the private key file from certificate factories,
you can choose to enter a password to encrypt the file. Thus
No default.
when you import the file into FortiWeb, you shall enter this
password. This is optional.
private-key "<private- Enter the sequence number of the key file. No default.
key_str>"
flag 0 Indicate if a password was saved. This is used by FortiWeb for

0
backwards compatibility.
status ok Indicates the status of an imported certificate: ok
l na—Indicates that the certificate was successfully

imported, and is currently selected for use by the FortiWeb
appliance.
l ok—Indicates that the certificate was successfully imported
but is not selected as the certificate currently in use. To use
the certificate, see .
l pending—Indicates that the certificate request was
generated, but must be downloaded, signed, and imported
before it can be used as a local certificate.
type certificate Indicates whether the file is a certificate or a certificate

certificate
signing request (CSR).
Example
This example adds a comment to the certificate named certificate1.
config system admin-certificate local
edit "certificate1"
set comment "This is a certificate that FortiWeb uses for secure Web UI connections."
next
end
system advanced
Use this command to configure several system-wide options that determine how FortiWeb scans traffic.
sysgrp area. For details, see "Permissions" on page 51.

config 209
Syntax
config system advanced
set circulate-url-decode {enable | disable}
set decoding-enhancement {enable | disable}
set max-cache-size <cache_int>
set max-dlp-cache-size <percentage_int>
set max-dos-alert-interval <seconds_int>
set share-ip {enable | disable}
set anypktstream {enable | disable}
end
circulate-url-decode Enable to detect URL-embedded attacks that are obfuscated enable

{enable | disable} using recursive URL encoding (that is, multiple levels’ worth
of URL encoding).
Encoded URLs can be legitimately used for non-English

URLs, but can also be used to avoid detection of attacks that
use special characters. Encoded URLs can now be decoded
to scan for these types of attacks. Several encoding types are
supported.
For example, you could detect the character A that is encoded

as either %41, %x41, %u0041, or \t41.
Disable to decode only one level’s worth of the URL, if

encoded.
decoding-enhancement Enable to decode cookies and parameters using base64 or

{enable | disable} CSS for specified URLs. To configure decoding
disable
enhancement, see config system decoding
enhancement (page 239).
max-cache-size <cache_ Type the maximum size (in KB) of the body of the HTTP 512
int> response from the web server that FortiWeb will cache per
URL for body compression, decompression, rewriting, and
XML detection.
Increasing the body cache may decrease performance.
Valid values range from 32 to 4096. The default value is 64.
Increasing the body cache may decrease performance.
max-dlp-cache-size Type the maximum percentage of max-cache-size

<percentage_int> <cache_int> (page 209)—the body of the HTTP response
from the web server—that FortiWeb buffers and scans.
12
Responses are cached to improve performance on
compression, decompression, and rewriting on often-
requested URLs.

config 210
max-dos-alert-interval Type the maximum amount of time that FortiWeb will converge 180
<seconds_int> into a single log message during a DoS attack or padding oracle
attack.
share-ip {enable | Enable to analyze the ID field of IP headers in order to

disable} attempt to detect when multiple clients share the same
source IP address. To configure the difference between
packets’ ID fields that FortiWeb will treat as a shared IP, see
"system ip-detection" on page 287.
disable
Enabling this option is required for features that have a
separate threshold for shared IP addresses, such as brute
force login prevention. If you disable the option, those
features will behave as if there is only a single threshold,
regardless of whether the source IP is shared by many clients.
anypktstream {enable | Enable to configure FortiWeb to scan partial TCP connections. disable
disable}
In some cases, FortiWeb is deployed after a client has already
created a connection with a back-end server. If this option is
disabled, FortiWeb ignores any traffic that is part of a pre-existing
session.
Related topics
l "system ip-detection" on page 287
l "waf brute-force-login" on page 344
l "waf application-layer-dos-prevention" on page 341
system antivirus
Use this command to configure system-wide FortiGuard Antivirus scan settings.
Syntax
config system antivirus
set default-db {basic | extended}
set scan-bzip2 {enable | disable}
set uncomp-size-limit <limit_int>
set uncomp-nest-limit <limit_int>
set use-fsa {enable | disable}

config 211
end
default-db {basic | Select which of the antivirus signature databases to use when basic
extended} scanning HTTP POST requests for viruses, either:
l basic—Select to use only the signatures of viruses and

greyware that have been detected by FortiGuard’s
networks to be recently spreading in the wild.
l extended—Select to use all signatures, regardless of
whether the viruses or greyware are currently spreading.
Enable to scan archives that are compressed using the BZIP2

algorithm.
scan-bzip2 {enable |
Tip: Scanning BZIP2 archives can be very CPU-intensive. To enable
disable}
improve performance, block the BZIP2 file type, then disable
this option.
uncomp-size-limit <limit_ Type the maximum size in kilobytes (KB) of the memory 5000
int> buffer that FortiWeb will use to temporarily undo the
compression that a client or web server has applied to traffic,
in order to inspect and/or modify it. For details, see "waf file-
uncompress-rule" on page 382.
Caution: Unless you configure otherwise, compressed

requests that are too large for this buffer will pass through
FortiWeb without scanning or rewriting. This could allow
malware to reach your web servers, and cause HTTP
body rewriting to fail. If you prefer to block requests
greater than this buffer size, configure waf http-
protocol-parameter-restriction (page 418). To be
sure that it will not disrupt normal traffic, first configure
action to be alert. If no problems occur, switch it to
alert_deny.
The maximum acceptable values are:
102400 KB: FortiWeb 100D, 400C, 400D, 600D, 1000C,

3000CFsx, 3000DFsx, 4000C
204800 KB: FortiWeb 1000D, 2000D, 3000D, 4000D, 1000E,

2000E, 3010E
358400 KB: FortiWeb 3000E, 4000E
uncomp-nest-limit <limit_ Type the maximum number of allowed levels of compression

12
int> (“nesting”) that FortiWeb will attempt to decompress.
use-fsa {enable Enable to use the Signature Database from FortiSandbox to disable
| disable} supplement the AV Signature Database. If enabled, FortiWeb will

config 212
download the malware package from FortiSandbox's Signature

Database every minute.
system autoupdate override
Use this command to override the default Fortiguard Distribution Server (FDS).
If you cannot connect to the FortiGuard Distribution Network (FDN) or if your organization provides updates using their
own FortiGuard server, you can override the FDS server setting so that the FortiWeb appliance connects to this server
instead of the default server on Fortinet’s public FDN.
mntgrp area. For details, see "Permissions" on page 51.
Syntax
config system autoupdate override
set address {"<fds_fqdn>" | "<fds_ipv4>"}
set fail-over {enable | disable}
end
status {enable | disable} Enable to override the default list of FDN servers, and connect to a disable
specific server.
address {"<fds_fqdn>" | Enter either the IP address or fully qualified domain name (FQDN) No
"<fds_ipv4>"} of the FDS override. default.
fail-over {enable | Enable to fail over to one of the public FDN servers if FortiWeb enable
disable} cannot reach the server specified in your FDS override.
Related topics
l "system autoupdate schedule" on page 212
system autoupdate schedule
Use this command to configure how the FortiWeb appliance will access the Fortinet Distribution Network (FDN) to
retrieve updates. The FDN is a world-wide network that delivers FortiGuard service updates of predefined robots, data
types, suspicious URLS, IP address reputations, and attack signatures used to detect attacks such as:
l Cross-site scripting (XSS)

l SQL injection

config 213
l Common exploits
Alternatively, you can manually upload update packages. For details, see the
FortiWeb appliances connect to the FDN by connecting to the Fortinet Distribution Server (FDS) nearest to the
FortiWeb appliance based on its configured time zone.
In addition to manual update requests, FortiWeb appliances support an automatic scheduled updates, by which the
FortiWeb appliance periodically polls the FDN to determine if there are any available updates.
If you want to connect to a specific FDS, you must enter config system autoupdate override (page 212). If
your FortiWeb appliance must connect through a web proxy, you must also enter config system autoupdate
tunneling (page 214).
Syntax
config system autoupdate schedule
set frequency {daily | every | weekly}
set time "<time_str>"
set day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
end
status {enable | disable} Enable to periodically request signature updates from the FDN. disable
frequency {daily | Select the frequency with which the FortiWeb appliance will
every
every | weekly} request signature updates.
time "<time_str>" Enter the time at which the FortiWeb appliance will request 00:00
signature updates.

l mm is the minute
day {Sunday | Monday |

Select which day of the week that the FortiWeb appliance will
Tuesday | Wednesday |
Thursday | Friday | request signature updates. This option applies only if frequency Monday
Saturday} is weekly.
Example
This example configures weekly signature update requests on Sunday at 2:00 PM.
config system autoupdate schedule

config 214
set status enable

set frequency weekly
set day Sunday
set time 14:00
end
Related topics
l "system autoupdate override" on page 212
l "system autoupdate tunneling" on page 214
system autoupdate tunneling
Use this command to configure the FortiWeb appliance to use a proxy server to connect to the Fortinet Distribution
Network (FDN).
The FortiWeb appliance will connect to the proxy using the HTTP CONNECT method, as described in RFC 2616
(http://tools.ietf.org/rfc/rfc2616.txt).
Syntax
config system autoupdate tunneling
set address {"<proxy_fqdn>" | "<proxy_ipv4>"}
set port <port_int>
set username "<proxy-user_str>"
set password "<proxy-password_str>"
end
status {enable | disable} Enable to connect to the FDN through a web proxy. disable
address {"<proxy_fqdn>" | Enter either the IP address or fully qualified domain name (FQDN) No
"<proxy_ipv4>"} of the web proxy. The maximum length is 63 characters. default.
port <port_int> Enter the port number on which the web proxy listens for 0
connections. The valid range is 0–65,535.
If the proxy requires authentication, enter the FortiWeb appliance’s

username "<proxy-user_ No
str>" login name on the web proxy. The maximum length is 49
default.
characters.
password "<proxy- If the proxy requires authentication, enter the password for the No
password_str>" FortiWeb appliance’s login name on the web proxy. The maximum default.

config 215
Example
This example configures the FortiWeb appliance to connect through a web proxy that requires authentication.
config system autoupdate tunneling
set status enable
set address "192.168.1.10"
set port 1443
set username "fortiweb"
set password "myPassword1"
end
Related topics
system backup
Use this command to configure automatic backups of the system configuration to an FTP or SFTP server. You can
either run the backup immediately or schedule it to run periodically.
The backup can include all uploaded files such as error pages, WSDL files, certificates, and private keys. Fortinet
recommends that if you have many such files, that you include them in the backup. This saves you valuable time if you
need to restore the configuration in an emergency.
Fortinet strongly recommends that you password-encrypt this backup, and store it in a
secure location. This backup method includes sensitive data such as your HTTPS
certificates’ private keys. Unauthorized access to private keys compromises the security of
all HTTPS requests using those certificates.
To restore a backup, see "backup full-config" on page 627.
Syntax
config system backup
edit "<backup_name>"
set config-type {full-config |cli-config | waf-config}
set encryption {enable | disable}
set encryption-passwd "<password_str>"
set ftp-auth {enable | disable}
set ftp-user "<user_str>"
set ftp-passwd "<password_str>"
set ftp-dir "<directory-path_str>"
set ftp-server {"<server_ipv4>" | "<server_fqdn>"}
set protocol-type {ftp | sftp}
set schedule_type {now | days}
set schedule_days {sun mon tue wed thu fri sat}
set schedule_time "<time_str>"
next

config 216
end
"<backup_name>" Enter the name of the backup configuration. The maximum No

To display the list of existing backups, enter:

edit ?
Select either:
l full-config — Include both the configuration file and

other uploaded files, such a certificate and error page files,
config-type {full-
in the backup. cli-
config |cli-config | waf-
config} l cli-config — Include only the configuration file in the config
backup.
l waf-config — Include only the web protection profiles
in the backup.
encryption {enable | Enable to encrypt the backup file with a .zip extension. disable
disable}
Caution: Unlike when downloading a backup from the web UI
to your computer, this does include all certificates and private
keys. Fortinet strongly recommends that you password-
encrypt this backup, and store it in a secure location.
Enter the password that will be used to encrypt the backup

encryption-passwd file.
"<password_str>"
This field appears only if you enable encryption
ftp-auth {enable | Enable if the server requires that you provide a user name and disable
disable} password for authentication, rather than allowing anonymous
connections. When enabled, you must also configure ftp-
user "<user_str>" (page 216) and ftp-passwd
"<password_str>" (page 216).
Disable for FTP servers that allow anonymous uploads.
Enter the user name that the FortiWeb appliance will use to
authenticate with the server. The maximum length is 127
characters. No
ftp-user "<user_str>"
default.
This variable is not available unless ftp-auth {enable |
ftp-passwd "<password_ Enter the password corresponding to the account specified in No

str>" ftp-user "<user_str>". The maximum length is 127 characters. default.
This variable is not available unless ftp-auth {enable |

config 217
ftp-dir "<directory-path_ Enter the directory path on the server where you want to store the No
str>" backup file. The maximum length is 127 characters. default.
ftp-server {"<server_ Enter either the IP address or fully qualified domain name (FQDN) No
ipv4>" | "<server_fqdn>"} of the server. The maximum length is 127 characters. default.
protocol-type {ftp |
sftp} Select whether to connect to the server using FTP or SFTP. ftp
schedule_type {now | Select one of the schedule types: now

days}
l now—Use this to initiate the FTP backup immediately upon
ending the command sequence.
l days—Enter this to allow you to set days and a time to run the
backup automatically. You must also configure schedule_
days {sun mon tue wed thu fri sat} (page 217) and
schedule_time "<time_str>" (page 217)
Enter one or more days of the week when you want to run a
periodic backup. Separate each day with a blank space.
For example, to back up the configuration on Monday and

schedule_days {sun mon Friday, enter: No
tue wed thu fri sat} default.
set schedule_days mon,fri
This command is available only if schedule_type

{now | days} (page 217) is days.
schedule_time "<time_ Enter the time of day to run the backup. 00:00
str>"

l mm is the minute
This command is available only if "schedule_type {now |
days}" on page 217 is days.
Example
This example configures a scheduled, full configuration backup every Sunday and Friday at 1:15 AM. The FortiWeb
appliance authenticates with the FTP server using an account named fortiweb1 and its password, P@ssword1. It
does not encrypt the backup file.
config system backup
edit "Scheduled_Backup"
set config-type full-config
set protocol-type ftp
set ftp-auth enable

config 218
set ftp-user "fortiweb1"

set ftp-passwd "P@ssword1"
set ftp-server "172.20.120.01"
set ftp-dir "/config-backups"
set schedule_type days
set schedule_days sun,fri
set schedule_time "01:15"
next
end
Related topics
l "restore config" on page 647
l "backup cli-config" on page 626
system central-management
Use this command to enable cross domain access feature for central management in the web UI and CLI.
Syntax
config system central management
set cm-access {enable | disable}
set system central-management
end
cm-access {enable | disable} Enable/disable the cross domain access feature disable
for central management.
system central-management Enter the URL to access FortiWeb Manager. disable
Example
This example shows enabling central management feature.
config system central-management
set cm-accsss enable
set allow-origin https://10.200.111.100
end
system certificate ca
Use this command to show the names of certificates for a certificate authority (CA). You use the web UI to upload these
certificates.

config 219
Certificate authorities validate and sign other certificates in order to indicate to third parties that those other certificates
are authentic and can be trusted
CA certificates are not used directly, but must first be grouped in order to be selected in a certificate verification rule. For
details, see "system certificate ca-group" on page 220.
For information on how to upload a certificate file, see the FortiWeb Administration Guide:
Syntax
show system certificate ca
config system certificate ca
set certificate "<certificate_ str>"
next
end
"<certificate_name>" Enter the name of a certificate file. The maximum length is 63 No

certificate "<certificate_ No
str>" Set the certificate. Only certificates in PEM format may be set.
default.
Example
This example creates two CA certificate items, CA_Cert_1 and CA_Cert_2.

config system certificate ca
edit "CA_Cert_1"
next
edit "CA_Cert_2"
next
end
This example adds a certificate to CA_Cert_1

config system certificate local
edit "CA_Cert_1"
set certificate "-----BEGIN CERTIFICATE-----
MIIDkjCCAnoCCQCbXq6VYR1CijANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMC
SU4xEjAQBgNVBAgMCUthcm5hdGFrYTESMBAGA1UEBwwJQmFuZ2Fsb3JlMREwDwYD
VQQKDAhGb3J0aW5ldDEMMAoGA1UECwwDTEFCMQ0wCwYDVQQDDAR0ZXN0MSMwIQYJ
KoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0LmNvbTAeFw0xMjEyMDUxMDE1NTla
Fw0xNDEyMDUxMDE1NTlaMIGKMQswCQYDVQQGEwJJTjESMBAGA1UECAwJS2FybmF0
YWthMRIwEAYDVQQHDAlCYW5nYWxvcmUxETAPBgNVBAoMCEZvcnRpbmV0MQwwCgYD
VQQLDANMQUIxDTALBgNVBAMMBHRlc3QxIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRA

config 220
Zm9ydGluZXQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArvHH
eXZJilTr4TbH/5O5jFxKQ5dILr/561JOJ5UZWtgs9VhXSuCzmrs6FX35vyc7NR+9
tCbMrl7qA68MxBMuu6phf2r77M9bsp3rOZE2nFR+lhjpWrXBk7/puFLBbI2yqh8d
7DB25m5pI0ClmbdJ5GGlc/1wHULQhFQSYCMSVjc34esvaLE8oAVFWHAZX14dbAbj
gC4CMbayzJZaYEfh/7suMwvdwS3sYjOwZYq6DFEF5ZPpKN+ji9J+8EmAvaZS2m3M
fFdPFf4eEAgsHmYasqxH7s4Ksc2zTm3cG5srRCqEsEddhoblI1JvmApoN2JiNiYJ
hYiEPyJdf2z+dADwXwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCbA8kKwVRPri/d
L8okLny6FygJ0auPbuRQCUGAWpfdKdXn6iyMlLuR066j82o2yrQ0ddgRcdaExT0I
RCoC2NqhzZvy8JJW2A+KTXutwdGGg8ckHQ5UVRtNo/lPZ6Quz8AsswzNk2Qx6OtF
FcTEBNxVTHKabQR46ChIa3sG032Wiuj6Y2Rv77mTmmDRZnrY8QGZd2zMm3riAqUf
IGil0/yg0AhA+ZBt5rer3X+GTknhDAPJ+yU2WS1c8pPj3A3DI0+xwTOq/sNCqTmc
xb7Q1VM/1kiOE9YaPasAJuQ7WHmnd8J0vHw1/e+whf/lsKxV0ClBNL/JdlyNAMvy
isnZYL58
-----END CERTIFICATE-----"
next
end
Related topics
l "system certificate ca-group" on page 220
l "system certificate verify" on page 234
system certificate ca-group
Use this command to group certificate authorities (CA).
CAs must belong to a group in order to be selected in a certificate verification rule.
Syntax
config system certificate ca-group
edit "<ca-group_name>"
config members
edit <ca_index>
set type {CA | TSL}
set publish-dn {enable | disable}
set tsl "<tsl_name>"
set name "<ca_name>"
next
end
next
end
"<ca-group_name>" Enter the name of a certificate authority (CA) group. The maximum No

config 221
Enter the index number of a CA within its group. The valid range is No
<ca_index>
1–999,999,999,999,999,999. default.
name "<ca_name>" Enter the name of a previously uploaded CA certificate. No

default.
type {CA | TSL} Select to upload CA certificate or TSL. CA
tsl "<tsl_name>" Enter the name of a TSL. No

default.
Enable to list only certificates related to the specified CA

Group. This is beneficial when a client installs many
publish-dn {enable certificates in its browser or when apps don't list client
enable
| disable} certificates. If you enable this option, also enable the option in
a certificate verification rule. For details, see "system
certificate verify" on page 234.
Example
This example groups two CA certificates into a CA group named caVEndors1.
config system certificate ca-group
edit "caVendors1"
config members
edit 1
set name "CA_Cert_1"
next
edit 2
set "name CA_Cert_2"
next
end
next
end
Related topics
l "certificate ca" on page 1
system certificate crl
Use this command to edit the URL associated with a previously uploaded certificate revocation list (CRL).
To ensure that your FortiWeb appliance validates only certificates that have not been revoked, you should periodically
upload a current certificate revocation list, which may be provided by certificate authorities (CA).

config 222
For information on how to upload a CRL, see the FortiWeb Administration Guide:
Syntax
config system certificate crl
edit "<crl_name>"
set type {http | local | scep}
set url "<crl_str>"
next
end
"<crl_name>" Enter the name of a CRL. The maximum length is 63 characters. No

default.
certificate No
"<certificate_str>" Set the certificate. Only certificates in PEM format may be set.
default.
type {http | local | Specify how you set the certificate. local
scep}
http—query for the certificate from a HTTP server
local—set the certificate through certificate <certificate_str_

pem>.
scep—query for the certificate from a SCEP server
If type {http | local | scep} (page 222) is set as http

No
url "<crl_str>" or scep, enter the URL of the certificate. The maximum length is
default.
127 characters.
Related topics
l "certificate ca" on page 1
l "system certificate crl-group" on page 222
system certificate crl-group
Use this command to create a group of CRLs that you have already uploaded to FortiWeb.

config 223
To ensure that FortiWeb validates only certificates that have not been revoked, you should periodically upload current
certificate revocation lists (CRL) that may be provided by certificate authorities (CA). Once you've uploaded the CRL(s)
you want to use, create CRL groups to include in your FortiWeb configuration.
For more information about CRLs and CRL groups, see the FortiWeb Administration Guide:
Syntax
config system certificate crl-group
edit <crl_group_name>
config members
edit <entry_index>
set <crl_name>
next
end
next
end
<crl_group_name> Type the name of the CRL group. You will use this name to select No
the CRL group in other parts of the configuration. The maximum default.
No
<entry_index> Type the index number of the individual entry in the table.
default.
<crl_name> Type the name of a CRL that you want to include in the group. The No
maximum length is 63 characters. For details, see "system default.
certificate crl" on page 221.
Related topics
l "system certificate crl" on page 221
system certificate intermediate-certificate
Use this command to show the names of uploaded intermediate CA certificate. You upload these certificates using the
web UI.
For information on how to upload an intermediate certificate file, see the FortiWeb Administration Guide:

config 224
Syntax
show system certificate intermediate-certificate
config system certificate intermediate-certificate
next
end

str>" Set the certificate. Only certificates in PEM format may be set.
default.
Example
This example creates three intermediate certificate items, Inter_Cert_1, Inter_Cert_2 and Inter_Cert_3.
config system certificate intermediate-certificate
edit "Inter_Cert_1"
next
edit "Inter_Cert_2"
next
edit "Inter_Cert_3"
next
end
This example adds a certificate to Inter_Cert_1

edit "Inter_Cert_1"

config 225
isnZYL58
next
end
Related topics
l "certificate inter-ca" on page 1
l "system certificate intermediate-certificate-group" on page 225
system certificate intermediate-certificate-group
Use this command to group intermediate CA certificates.
Intermediate CAs must belong to a group in order to be selected in a certificate verification rule.
Syntax
config system certificate intermediate-certificate-group
edit "<intermediate-ca-group_name>"
config members
edit <intermediate-ca_index>
set name "<ca_name>"
next
end
next
end
"<intermediate-ca-group_ Enter the name of an intermediate certificate authority (CA) group. No

name>" The maximum length is 63 characters. default.
Enter the index number of an intermediate CA within its group. The No

<intermediate-ca_index>
valid range is 1–9,999,999,999,999,999,999. default.
name "<ca_name>" Enter the name of a previously uploaded intermediate CA No

certificate. The maximum length is 63 characters. default.
Related topics
l "certificate inter-ca" on page 1
l "system certificate intermediate-certificate" on page 223

config 226
system certificate local
Use this command to edit the comment associated with a server certificate that is stored locally on the FortiWeb
appliance.
You can also configure settings for a certificate that works with an HSM (hardware security module). For details about
HSM integration, see "system hsm info" on page 278 and the FortiWeb Administration Guide:
FortiWeb appliances require these certificates to present when clients request secure connections, including when:
l Administrators connect to the web UI (HTTPS connections only)

l Web clients use SSL or TLS to connect to a virtual server, if you have enabled SSL off-loading in the policy (HTTPS
connections and Reverse Proxy mode)
l Web clients use SSL or TLS to connect to a physical server (HTTPS connections and true transparent mode)
FortiWeb appliances also require certificates in order to decrypt and scan HTTPS connections travelling through it if
operating in Offline Protection or Transparent Inspection modes.
Which certificate will be used, and how, depends on the purpose.
l For connections to the web UI, the FortiWeb appliance presents its default certificate. The FortiWeb appliance’s default
certificate does not appear in the list of local certificates. It's used only for connections to the web UI and cannot be
removed.
l For SSL off-loading or SSL decryption, upload certificates that do not belong to the FortiWeb appliance, but instead
belong to the protected hosts. Then, select which one the FortiWeb appliance will use when configuring the SSL option in
a policy or server farm.
For information on how to upload a certificate file, see the FortiWeb Administration Guide:
Syntax
set status {na | ok | pending}
set type {certificate | csr}
set flag {0 | 1}
set is-hsm {no | yes}
set partition-number "<partition_name>"
set private-key "<private_key_str>"
set passwd "<password>"
next
end

config 227

Enter a description or other comment. If the comment contains

more than one word or contains an apostrophe, surround the No
comment "<comment_str>"
comment in double quotes ( " ). The maximum length is 127 default.
characters.
status {na | ok | Indicate the status of an imported certificate: No

pending} default.
l na—Indicates that the certificate was successfully imported, and
is currently selected for use by the FortiWeb appliance.
l ok—Indicates that the certificate was successfully imported but is
not selected as the certificate currently in use. To use the
certificate, select it in a policy or server farm.
l pending—Indicates that the certificate request was generated,
but must be downloaded, signed, and imported before it can be
used as a local certificate.
Indicate whether the file is a certificate or a certificate signing No

type {certificate | csr}
request (CSR). default.
flag {0 | 1} Indicate if a password was saved. This is used by FortiWeb for No
backwards compatibility. default.
Specify whether you configured the CSR for this certificate to work
is-hsm {no | yes} no
with an integrated HSM.
partition-number Enter the name of the HSM partition you selected when you created No
"<partition_name>" the CSR for this certificate. default.
certificate No
"<certificate_str>" Set the certificate. Only certificates in PEM format may be set.
default.
private-key "<private_ Set the private key for the certificate. Only private keys in PEM No
key_str>" format may be set. default.
No
passwd "<password>" Enter the password for the certificate.
default.
Example
This example adds a comment to the certificate named certificate1.
edit "certificate1"
set comment "This is a certificate for the host www.example.com."
next
end

config 228
This example adds a certificate named certificate2

edit "certificate2"
set private-key "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,82EAF556E3621A07
ZYqcytKrfYGksrp/6rFf4Ma3rIiW/63EiyxHFLSl8NVOLfM+AWHYm5flnKJI4Ava
iZnv64QlmLxTSDgU+/rS9XBaDlg6DKoIDtDTlVvg99vU3I9TrU+LRMPaLCidVw/h
GMlKtvF8UGFACAM1HwTJ/zBejgaAN0ZKcmxDNX0RwgHQwTP1/dwXRae+uk9dK8Ya
kw9jcu5SM7aQuUKEFdvdkhI9fo8uMH8lKwSViaDx50/BZfEQx5+cRHooS/AZfnnr
BjBlaAZA+zjuvp5mbDh76CO8+i+++09e4g5Kj83ZoRfVXkOUonfRug5FvAT7YFEi
lgnG+ChW5BrDtOq25Y4jQcPyqM9dL8lkpMhfK+rayGWVyOfQAX0AtNNM0itbjb7U
m78N71RVjjz4We2QCkIBv5AibsPgJwq54M6VDZ3CIJ+f2QVvvypnN2UjV1epih6N
yS0RxVqwC2HObwdbffviMjH1a5AOSIFnEYHOAwAxIf3nlZWAf1HhW8Oc6IofqTuO
R5SeWnoYxFVFakhGcyMRw3sd/ekTp8tRoK8QbINn3L38AEMtp8HKSHWm+MWdIQeK
WNYW4AZsrKfmXIQpGzuaan50fh6y6eVevxB9zx/uVN2XxD/TmDs5KnLjw7A4ks7V
Ds0c8bSLOT8BE+qfb7I/mUjVbsbGxgX40ducmm/C7HR/bgbSV2u6PK92ieQ22q6q
7RATzFtvHuJ3OmJtrMKhlHGMHVSA01GhheL3m2JhHMKMoJfwhYLab1+UCV4n5GOi
MogQY9UQ022WRCtpTPes5Sl5IMVY/Oj1nP/QcUMK8a7iPtAZWPYN7HEPXDfU/Urm
52HbC0fSQ/eGG5gQ7kDy9N/aLZf9wDMgj5zjX2lmnMT/h1sD29+bUCoo4ODT2Kk1
i6HyZX+J6KNDYM5aNOdhyZabVZBZOU1GvtLMzzrd5pEugFs7Rzt0+NJ54d7jGgav
0QwKCKIDevSdZG0ZeXLTvQONF9Pzo6i/E3uwIKuHFAnTAtq6UrKveRLtWWXuSBim
AAifL8s23T0BJAa75C6b3+F5IUTC/K9e5vrUbBDWDsjSjsWgbkoPBDlEpWLI+Ogu
Th6nZeQx0U+gt1bC+bJTIKdVDbxgjVGXIEvmnzc7KU0cBHmmIQggqfQwdVTeSVUx
z9JefVD9accpoem6ghdS/0xaQztbdvb5NAM9LX2o/HFECThcLWGke/jxgAKvFQX4
MZBFy1UukQeCgHfwJCIMw1D/tupKwAqzsvm351E0C8eTuC1OWFvtkzQNoFkyD2vS
gWSFKz85nswSMkobWFNJxMmDuS1QlAHUFuzpcVOJgrE6DMpdYE3DeKmsVMsLsNM/
l7H3SlnvEptVf3fm5PpCxtOM60nqsQuveHEgkmk5gt8CLtE8bV81yv7JDvkXUFV2
5HlFRZ/RZAQgAeKiAS6REwHuE/dEhZKh7Jq2o02G0NXeAXR/WqeN0SWSw0dEVf39
TMARg27X27zx0Wg2g8pBC1nxA1zyzMfYI2OTwvFZFNPVenGCVUw1dFt8eolAOscO
LakQuCWrFrW7kiRQlxVK/o67fKTkBVt7zM5WjBEO3beGWe2TkRUWUg==
-----END RSA PRIVATE KEY-----"
isnZYL58
next
end

config 229
Related topics
l "certificate local" on page 1
system certificate remote
Use this command to configure an OCSP server.
Once an OCSP server is configured, OCSP stapling may be enabled. When OCSP stapling is enabled, FortiWeb
periodically fetches the revocation status of the specified certificate from the OCSP server and caches the response for
a period if the revocation status is contained in the response.
For more information on OCSP stapling, see the FortiWeb Administration Guide:
Syntax
config system certificate remote
edit "<ocsp_name>"
set ocsp_url "<url>"
next
end
"<ocsp_name>" Enter the name of an OCSP group. The maximum length is 63 No

characters. This group can be used if OCSP stapling is enabled default
in a server policy.
name>" A CA certificate that has been imported in FortiWeb.
default
comment "<comment_str>" Optionally, enter a comment for the OCSP group. No

default
Enter URL of the OCSP server corresponding to the specified CA No

ocsp_url "<url>"
certificate. default
Example
This example creates an OCSP group for the CA certificate CA_Cert_1.

config 230
config system certificate remote

edit ocsp_ca_cert_1
set certificate "CA_Cert_1"
set comment "OCSP for CA_Cert_1"
set ocsp_url "http://ocsp.example.com"
next
end
Related topics
l "system certificate ca" on page 218
system certificate server-certificate-verify
Use this command to configure how the FortiWeb appliance will verify certificates presented by HTTP server.
Syntax
config system certificate server-certificate-verify
edit "<certificate_verificator_name>"
set ca "<ca-group_name>"
set crl "<crl-group_name>"
next
end
"<certificate_ Enter the name of a certificate verifier. The maximum length is 63 No

verificator_name>" characters. default.
Enter the name of an existing CA Group that you want to use to No

ca "<ca-group_name>"
authenticate client certificates. default.
crl "<crl-group_name>" Enter the name of an existing CRL Group, if any, to use to verify the No
revocation status of client certificates. default.
Related topics

config 231
system certificate sni
In some cases, the members of a server pool or a single pool member host multiple secure websites that use different
certificates. Use this command to create a Server Name Indication (SNI) configuration that identifies the certificate to
use by domain.
You can select a SNI configuration in a server policy only when the operating mode is Reverse Proxy mode and an
HTTPS configuration is applied to the policy.
Not all web browsers support SNI. Go to the following location for a list of web browsers that support SNI:
http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_
indication.5B10.5D
Syntax
config system certificate sni
edit "<sni_name>"
config members
edit <entry_index>
set domain-type {plain | regular}
set domain "<server_fqdn>"
set local-cert "<local-cert_name>"
set inter-group "<intermediate-cagroup_name>"
set verify "<certificate_verificator_name>"
end
next
end
"<sni_name>" Enter the name of an Server Name Indication (SNI) configuration. No

default.
<entry_index> Enter the index number of an SNI configuration entry. The valid No
range is 1–9,999,999,999,999,999,999. default.
domain-type {plain | Specify plain to match a domain to certificates using a literal plain
regular} domain specified in domain. Specify regular to match multiple
domains to certificates using a regular expression specified in
domain.
domain "<server_fqdn>" Enter the domain of the secure website (HTTPS) that uses the
certificate specified by local-cert "<local-cert_
name>" (page 232). No
default.
Enter a literal domain if domain-type {plain |
regular} (page 231) is set to plain; or enter a regular

config 232
expression if domain-type is set to regular.
local-cert "<local-cert_ Enter the name of the server certificate that FortiWeb uses to
name>" encrypt or decrypt SSL-secured connections for the website
specified by domain "<server_fqdn>" (page 231).
inter-group Enter the name of a group of intermediate certificate authority

"<intermediate-cagroup_ (CA) certificates, if any, that FortiWeb presents to validate the
name>"
CA signature of the certificate specified by local-cert
"<local-cert_name>" (page 232).
If clients receive certificate warnings that an intermediary CA

has signed the server certificate configured in local-cert
"<local-cert_name>" (page 232), rather than by a root
CA or other CA currently trusted by the client directly,
configure this option.
Alternatively, include the entire signing chain in the server

certificate itself before uploading it to the FortiWeb appliance,
thereby completing the chain of trust with a CA already known
to the client. See the FortiWeb Administration Guide:
verify "<certificate_ Enter the name of a certificate verifier, if any, that FortiWeb
verificator_name>" uses when an HTTP client presents its personal certificate. If
you do not select one, the client is not required to present a
Personal certificates, sometimes also called user certificates,

establish the identity of the person connecting to the website
(PKI authentication).
You can require that clients present a certificate alternatively

or in addition to HTTP authentication. For details, see "waf
http-authen http-authen-rule" on page 406.
To display the list of existing verifiers, enter:

edit ?
Note: The client must support TLS 1.0.
Related topics
l "system certificate intermediate-certificate-group" on page 225

config 233
system certificate tsl-ca
Use this command to show the names of Trust Service Lists (TSL) for a certificate authority (CA). You use the web UI to
upload the TSL.
For information on how to upload a TSL, see the FortiWeb Administration Guide:
Syntax
config system certificate tsl-ca
edit "<tsl-ca_name>"
set type {file | url}
set distribute-url
next
end
"<tsl-ca_name>" Enter the name of a TSL. No

default
No
type {file | url} Select the way to upload a TSL.
default
distribute-url Enter the distribution URL of the TSL. No

default
Related topics
l system certificate ca
l system certificate ca-group
system certificate urlcert
Use this command to configure the URL-based client certificate feature for a server policy or server pool. This feature
allows you to require a certificate for some requests and not for others. Whether a client is required to present a
personal certificate or not is based on the requested URL and the rules you specify in the URL-based client certificate
group.
A URL-based client certificate group specifies the URLs to match and whether the matched request is required to
present a certificate or exempt from presenting a certificate.

config 234
When the URL-based client certificate feature is enabled, clients are not required to present a certificate if the request
URL is specified as exempt in the URL-based client certificate group rule or URL of the request does not match a rule.
Syntax
config system certificate urlcert
edit "<url-cert-group_name>"
config list
edit <entry_index>
set url "<url_str>"
set require {enable | disable}
end
next
end
"<url-cert-group_name>" Enter the name for the URL-based client certificate group. No
default.
Enter the index number of an URL-based client certificate group No

<entry_index>
entry. default.
url "<url_str>" Enter a URL to match. No

default.
When the URL of a client request matches this value and the
value of require is enable, FortiWeb requires the client to
present a private certificate.
Specify whether client requests with the URL specified by url

are required to present a personal certificate.
require {enable | No
disable} When you select disable, FortiWeb does not require client default.
requests with the specified URL to present a personal
certificate.
Related topics
system certificate verify
Use this command to configure how the FortiWeb appliance will verify certificates presented by HTTP clients.
To apply a certificate verification rule, select it in a policy. For details, see "server-policy policy" on page 146.

config 235
Syntax
config system certificate verify
edit "<certificate_verificator_name>"
set ca "<ca-group_name>"
set crl "<crl-group_name>"
set publish-dn {enable | disable}
set strictly-need-cert {enable | disable}
next
end
"<certificate_ Enter the name of a certificate verifier. The maximum length is 63 No

verificator_name>" characters. default.
Enter the name of an existing CA Group that you want to use to No

ca "<ca-group_name>"
authenticate client certificates. default.
crl "<crl-group_name>" Enter the name of an existing CRL Group, if any, to use to verify the No
revocation status of client certificates. default.
Enable to list only certificates related to the specified CA

Group. This is beneficial when a client installs many
publish-dn {enable | certificates in its browser or when apps don't list client
disable
disable} certificates. If you enable this option, also enable the option in
a CA Group. For details, see "system certificate ca-group" on
page 220.
strictly-need-cert Enable to strictly require verifying the client certificate. enable

{enable | disable}
Related topics
system conf-sync
Use this command to configure non-HA configuration synchronization settings.

config 236
This command configures, but does not execute, the synchronization. To do this, use
the web UI.
This command works only when administrative domains (ADOMs) are disabled.
This type of synchronization is used between FortiWeb appliances that are not part of a native FortiWeb high availability
(HA) pair, such as when you need to clone the configuration once, or when HA is provided by an external device.
Syntax
config system conf-sync
set ip "<remote-fortiweb_ipv4>"
set sync-type {full-sync | partial-sync}
set server-port <port_int>
set auto-sync {enable | disable}
set frequency {daily | every | weekly}
set day {Friday | Monday | Saturday | Sunday | Thursday | Tuesday | Wednesday}
set time "<hh:mm>"
end
ip "<remote-fortiweb_ Enter the IP address of the remote FortiWeb appliance that you 0.0.0.0
ipv4>" want to synchronize with the local FortiWeb appliance.
password "<password_ Type the administrator password for the remote FortiWeb
str>" No default.
appliance. The maximum length is 63 characters.
sync-type {full-sync | Select one of the synchronization types. partial-

partial-sync} sync
For all operation modes except WCCP, full-sync
updates the entire configuration of the peer FortiWeb
appliance except for the following items:
l Network interface used for synchronization (prevents sync from

accidentally breaking connectivity with future syncs)
l Access profiles
l HA settings
For the WCCP operation mode, full-sync updates the
entire configuration except for the following items:
l config system interface
l config route static
l config route policy
l config system wccp

config 237
l Access profiles
l HA settings
For all operation modes, partial-sync updates the
configuration of the peer FortiWeb appliance, except for
the following items:
router ...
server-policy health
server-policy http-content-routing-policy
server-policy persistence-policy
server-policy service custom
server-policy service predefined
server-policy vserver
system ...
Type the port number of the remote (peer) FortiWeb

appliance that is used to connect to the local appliance for
configuration synchronization. The valid range is from 1 to
server-port <port_int> 65,535. 955
Caution: The port number used with this command must
be different than the port number used with the command
or the submitting operation will fail.
auto-sync {enable Enable to automatically synchronize the configurations disable

| disable} hourly, daily, or weekly. Also configure the frequency,
day, and time commands accordingly.
Enter how often you want the configurations to synchronize:
l daily—Synchronizes the configuration every day at a

specified time. Also configure the day and time commands.
For example, Selecting 10:30 will synchronize the
configurations every day at 10:30.
frequency {daily | every l every—Synchronizes the configuration after an interval you No
| weekly} default.
set using the time command. For example, entering 05:00
for the time command will synchronize the configurations
every five hours.
l weekly—Synchronizes the configuration on a specific day and
time. For example, selecting Sunday for day and 5:15 for
time will synchronize the configurations every Sunday at 5:15.
day {Friday | Monday If auto-sync is enabled and the frequency is set to No

| Saturday | Sunday weekly, enter the day of the week on which you want the default.
| Thursday | Tuesday |

config 238
Wednesday} configurations to synchronize.
Enter the time of day or interval at which the configurations

will be synchronized:
l daily—Sets the time of day at which the configurations will

be synchronized. No
time "<hh:mm>"
l every—Sets the interval at which the configurations will be default.
synchronized.
l weekly—Sets the time of day at which the configurations will
be synchronized.
Related topics
system console
Use this command to configure the management console settings. Usually this is set during the early stages of
installation and needs no adjustment.
Syntax
set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
set mode {batch | line}
set output {more | standard}
set shell {cli | sh}
end
baudrate {9600 | 19200 | Select the baud rate of the console connection. The rate should 9600
38400 | 57600 | 115200} conform to the specifications of your specific FortiWeb appliance.
mode {batch | line} Select the console input mode: either batch or line. line
output {more | standard} Select either: standard
l more—When displaying multiple pages’ worth of output,

pause after displaying each page’s worth of text. When
the display pauses, the last line displays --More--. You
can then either:

config 239
• Press the spacebar to display the next page.

• Type Q to truncate the output and return to the
command prompt.
l standard—Do not pause between pages’ worth of
output, and do not offer to truncate output.
Select either:
shell {cli | sh} l cli—Command-line shell. cli
l sh—Busybox shell.
Example
This example configures the local console connection to operate at 9,600 baud, and to show long output in a paged
format.
set baudrate 9600
set output more
end
Related topics
system decoding enhancement
Use this command to configure decoding enhancement. You can decode cookies and parameters using base64 or CSS
for specified URLs.
To configure decoding enhancement, you must first enable the feature. For details, see "system advanced" on page
208.
Syntax
config system decoding-enhancement
edit <entry_index>
set url-type {plain | regular}
set url-pattern "<url_string>"
config field-list
edit <entry_index>
set base64-decoding {enable | disable}
set css-decoding {enable | disable}
set field-name "<parameter_cookie_str>"
set field-name-type {plain | regular}
set field-type {parameter | cookie}

config 240
next
end
next
end
<entry_index> Enter the index number of the decoding rule that you want to No
create or modify. default.
url-type {plain Enter to select between:

| regular}
l plain—A simple string; a string of text that contains a literal No
URL. default.
l regular—A regular expression; a string of text that defines a
search pattern for a URL that may come in many variations.
url-pattern "<url_ Enter the URL path for which you want the decoding rule to No
string>" apply. default.
<entry_index> Enter the index number of the field that you want to create or No
modify. default.
base64-decoding {enable Configure to enable Base64 decoding for the field. disable
| disable}
css-decoding {enable
| disable} Configure to enable CSS decoding for the field. disable
field-name "<parameter_ Enter the parameter or cookie string for the field. No
cookie_str>" default.
field-name-type {plain Enter to select between:

| regular}
l plain—A simple string; a string of text that contains a literal No
URL. default.
l regular—A regular expression; a string of text that defines a
search pattern for a URL that may come in many variations.
field-type {parameter Enter to select between: No

| cookie} default.
l parameter—Enter to set a parameter field for the field.
l cookie—Enter to set a cookie field for the field.
Example
This example enables decoding enhancement and creates a decoding rule with a parameter field type.
config system advanced
set decoding-enhancement enable
end
config system decoding-enhancement
edit 1

config 241
set url-type plain

set url-pattern "/decoding"
config field-list
edit 1
set base64-decoding enable
set css-decoding enable
set field-type parameter
set field-name-type plain
set field-name key
next
end
next
end
Related Topic(s)
l "system advanced" on page 208
system device-tracking
Use this command to adjust device tracking settings. FortiWeb's device tracking feature identifies suspected attackers
based on the computers they are using.
For information on device tracking, see the FortiWeb Administration Guide:
Syntax
config system device-tracking
set block-duration <hours_int>
set cleanup-historical-threat-weight-period {1-week | 3-days | 12-hours | 24-
hours | never}
set database-query-timeout <seconds_int>
set delete-inactive-device-interval {days_int}
set fingerprinting-interval <minutes_int>
end
block-duration <hours_int> Enter the amount of time (in hours) that FortiWeb will block No
a device within a single cleanup-historical- default.
threat-weight-period.
cleanup-historical-threat- Select the amount of time that FortiWeb will store threat weight
weight-period {1-week | 3-
days | 12-hours | 24-hours
information for a device. Once threat weight information has never
| never} been stored for longer than the selected amount of time,

config 242
FortiWeb will remove that information.
database-query-timeout Enter the maximum amount of time (in seconds) that FortiWeb 3
<seconds_int> will wait for a response when it queries the database for threat
weight information for a device. The default value is 4. The valid
range is 1–30.
Enter the amount of time (in days) that FortiWeb will store
delete-inactive-device-
interval {days_int} data for an inactive device before FortiWeb removes the 0
data for that device. The valid range is 0–30.
fingerprinting-interval Enter the interval (in minutes) in which FortiWeb will update the 60
<minutes_int> device fingerprint of a currently tracked device. The valid range is
60–1440.
Example
This example adjusts the device tracking settings.
config system device-tracking
set cleanup-historical-threat-weight-period 1-week
set block-duration 10
set database-query-timeout 15
set delete-inactive-device-interval 3
set fingerprinting-interval 70
end
Related Topics

l "server-policy pattern threat-weight" on page 139
system dns
Use this command to configure the FortiWeb appliance with its local domain name, and the IP addresses of the domain
name system (DNS) servers that the FortiWeb appliance will query to resolve domain names such as
www.example.com into IP addresses.
FortiWeb appliances require connectivity to DNS servers for DNS lookups. Use either the DNS servers supplied by your
Internet service provider (ISP) or the IP addresses of your own DNS servers. You must provide unicast, non-local
addresses for your DNS servers. Local host and broadcast addresses will not be accepted.
For improved performance, use DNS servers on your local network.

config 243
Syntax
config system dns
set primary "<dns_ipv4>"
set secondary "<dns_ipv4>"
set domain "<local-domain_str>"
end
primary "<dns_ipv4>" Enter the IP address of the primary DNS server. 8.8.8.8
secondary "<dns_ipv4>" Enter the IP address of the secondary DNS server. 0.0.0.0
domain "<local-domain_ Enter the name of the local domain to which the FortiWeb No
str>" appliance belongs, if any. The maximum length is 127 default.
characters.
This field is optional. It will not appear in the Host: field of

HTTP headers for client connections to protected web
servers.
Note: You can also configure the host name. For details, see
.
Example
This example configures the FortiWeb appliance with the name of the local domain to which it belongs, example.com. It
also configures its host name, fortiweb. Together, this configures the FortiWeb appliance with its own fully qualified
domain name (FQDN), fortiweb.example.com.
set hostname "fortiweb"
end
config system dns
set domain "example.com"
end
Related topics
l

config 244
system eventhub
When FortiWeb-VM is deployed on Azure, use this command to manually configure the FortiWeb appliance to send log
messages to Azure Event Hubs.
Alternatively, you can create the configuration automatically using a PowerShell script. For details, see the FortiWeb-
VM Azure Install Guide:
https://docs.fortinet.com/fortiweb/hardware
When the event hub configuration is complete, FortiWeb sends health logs to Azure Event Hub.
If you also create a corresponding Azure CEF SIEM policy (see config log siem-policy (page 95)), FortiWeb
also sends security logs to Azure Event Hub.
This command is available for FortiWeb-VM running on Microsoft Azure only.
You can use the Azure classic portal to obtain the values that the config system eventhub settings require. For
detailed instructions, see the FortiWeb-VM Azure Install Guide:
Syntax
config system eventhub
set appliance_id "<subscription_str>"
set policy_saskey "<primary-key_str>"
set policy_name "<policy-name_str>"
set eventhub_name "<ehub-name_str>"
set servicebus_namespace "<servicebus-namespace_str>"
end
status {enable | disable} Enter enable to activate the Azure event hub configuration. disable
appliance_id Enter the subscription (ID) that has the access to the Azure Event No
"<subscription_str>" Hub default.
policy_saskey "<primary- Enter the primary shared access key that the specified policy No
key_str>" (by policy_name <policy-name_str>) uses for default.
Shared Access Signature authentication on the Azure Event
Hub.
policy_name "<policy- Enter the name of the Shared Access policy created for the No
name_str>" Azure Event Hub. default.

config 245
eventhub_name "<ehub- Enter the name of the Azure Event Hub that is associated with No
name_str>" the specified service bus (by servicebus_namespace default.
<servicebus-namespace_str>).
servicebus_namespace
Enter the Service Bus Namespace that the Event Hub is No
"<servicebus-namespace_
str>" created at. default.
Related topics
l "log siem-message-policy" on page 93
system fail-open
If your appliance’s hardware model, network cabling, and configuration supports it, you can configure fail-to-wire/bypass
behavior. This allows traffic to pass through unfiltered between 2 ports (a link pair) while the FortiWeb appliance is shut
down, rebooting, or has unexpectedly lost power such as due to being accidentally unplugged or PSU failure.
Fail-open is supported only:
l when the operation mode is True Transparent Proxy, Transparent Inspection, or WCCP
l in standalone mode (not HA)
l for a bridge (V-zone) between ports wired to a CP7 processor or other hardware which provides support for fail-to-wire
l FortiWeb 600D: port1 + port2
l FortiWeb1000C: port3 + port4
l FortiWeb 1000D: port3 + port4 or port5 + port6
l FortiWeb 1000E: port3 + port4 + port5 + port6
l FortiWeb 2000E: port1 + port2 or port3 + port4
l FortiWeb3000C/D: port5 + port6
l FortiWeb3000E/4000E: port9 + port10, port11 + port12, port13 + port14, or port15 + port16
l FortiWeb 3010E: port3 + port4, port9 + port10, port11 + port12, port13 + port14 or port15 + port16
l FortiWeb4000C/D: port5 + port6 or port7 + port8
l FortiWeb3000CFsx/DFsx: port5 + port6 or port7 + port8
FortiWeb-400B/400C, FortiWeb HA clusters, and ports not wired to a CP7/fail-open chip do not support fail-to-wire.
In the case of HA, don’t use fail-open—instead, use a standby HA appliance to

provide full fault tolerance.
Bypass results in degraded security while FortiWeb is shut down, and therefore HA is
usually a better solution: it ensures that degraded security does not occur if one of the
appliances is shut down. If it is possible that both of your HA FortiWeb appliance
could simultaneously lose power, you can add an external bypass device such as
FortiBridge.

config 246
Fail-to-wire may be useful if you are required by contract to provide uninterrupted connectivity, or if you consider
connectivity interruption to be a greater risk than being open to attack during the power interruption.
Syntax
config system fail-open
set port3-port4 {poweroff-bypass | poweroff-cutoff}
end
port3-port4 {poweroff- Select either: poweroff-

bypass | poweroff- bypass
cutoff} l poweroff-bypass—Behave like a wire when powered off,
allowing connections to pass directly through from one port to
the other, bypassing policy and profile filtering.
l poweroff-keep—Interrupt connectivity when powered off.
Note: The name of this setting varies by which ports are
wired together for bypass in your specific hardware model.
Related topics
l "system ha" on page 265
system fds proxy
Use this command to configure the FortiWeb proxy to override the default list of FDN servers and connect to a specific
FDS IP address.
Before using this command, you must configure FortiWeb to act as a proxy server. To do so, set fds-proxy to
enable. See system global for how to enable fds-proxy.
Syntax
config system fds proxy override
set override_switch {enable | disable}
set address "<fds_IPv4>"
end
config system fds proxy schedule

set frequency {every | daily | weekly}
set time
set day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}

config 247
end
override_switch {enable | disable} Enable to override the default list of FDN servers disable
and connect to a specific server.
address "<fds_IPv4>" Enter either an IP address or fully qualified No

domain name (FQDN) of the FDS override. default.
status {enable | disable} Enable to schedule updating the database per certain disable
frequency.
frequency {every | daily | weekly} No

Set the database update frequency.
default.
time Set the hour and minute ranges; hh: 0–23, mm 0–59 No
or 60=random. default.
day {Sunday | Monday | Tuesday |

Set the specific day during one week to update the No
Wednesday | Thursday | Friday |
Saturday} database. default.
Example
This example enables configuration of the FDS proxy and configures a proxy at 192.0.2.1 with a port of 8989.
set fds-proxy enable
end
config system fds proxy

set override_switch enable
set address "192.0.2.1"
set port 8989
end
system feature-visibility
Use this command to enable or disable the ability to view configuration options for these features in the web UI and CLI:
l Device tracking
l FTP security
l Auto learn
When enabled, device tracking options will be available for these commands:
l config system device-tracking (page 241)

l config waf web-protection-profile inline-protection (page 518)
l config waf device-reputation (page 375)
When enabled, FTP security options will be available for these commands:

config 248
l config waf ftp-propredefined-global-white-listtection-profile (page 1)

l config waf ftp-command-restriction-rule (page 390)
l config waf ftp-file-security (page 393)
l config server-policy policy (page 146)
l config server-policy server-pool (page 170)
By default, feature visibility for these features is disabled. While disabled, options for configuring these features are
hidden in the web UI and CLI. If you're planning to configure and implement these features in your FortiWeb
configuration, you'll need to enable feature visibility for them first.
Syntax
config system feature-visibility
set ftp-security (enable | disable}
set device-tracking {enable | disable}
set auto-learn {enable | disable}
end
ftp-security (enable | disable} Enable to display FTP security rule, profile, and disable
policy configuration options.
device-tracking {enable | disable} Enable to display device tracking rule, profile, and
disable
auto-learn {enable | disable} Enable to display auto learn rule, profile, and disable
Related Topics
l "waf device-reputation" on page 375
l "waf ftp-command-restriction-rule" on page 390
l "waf ftp-file-security" on page 393
system fips-cc
Use this command to enable and configure Federal Information Processing Standards (FIPS) and Common Criteria
(CC) compliant mode.

config 249
Syntax
config system fips-cc
set entropy-token {dynamic | enable | disable}
set reseed-interval <reseed-interval_int>
set ssl-client-restrict {enable | disable}
end
status {enable | disable} Enable/disable FIPS operation mode. This can be disable
done only by the console.
entropy-token {dynamic | enable Use the entropy token to seed the RNG in FIPS-CC
| disable} mode.
l When the status is enable, the entropy token
is used to seed or reseed the RNG, and it
must be inserted to FortiWeb.
l When the status is disable, the entropy token
is not used to seed or reseed the RNG, but
the old method will be used to seed or reseed
disable
the RNG.
l When the status is dynamic, it means when
entropy token is present, the entropy token
will be used to seed or reseed the RNG; if the
token is not present, the old method will be
used to seed or reseed the RNG.
reseed-interval <reseed-interval_ Set the interval to reseed the RNG. The valid range is 1440
int> 0–1440 minutes.
ssl-client-restrict {enable
| disable} Enable/disable ciphers restriction. disable
system firewall address
Use this command to configure IP addresses and address ranges that FortiWeb's built-in stateful firewall uses. You use
the address configuration in a firewall policy. For details, see "system firewall firewall-policy" on page 251.
Syntax
config system firewall address
edit "<firewall-address_name>"
set type {ip-netmask | ip-range}
set ip-netmask "<firewall-address_ipv4mask>"
set ip-address-value "<firewall-address_ipv4>"

config 250
end
"<firewall-address_name>" Enter a name that identifies this firewall address configuration. No

default.
Select how this configuration specifies a firewall address or

type {ip-netmask | ip-
addresses: ip-
range} l ip-netmask—A single IP address and netmask. range
l ip-range—A single IP address or a range of IP addresses.
ip-netmask "<firewall- Enter an IPv4 address and subnet mask, separated by a No

address_ipv4mask>" forward slash ( / ). For example, 192.0.2.2/24. default.
Available when type {ip-netmask | ip-range} (page

250) is ip-netmask.
Enter a single IP address or a range of addresses. For example,

192.0.2.1, or 192.0.2.1-192.0.2.255.
ip-address-value No
"<firewall-address_ipv4>" default.
Available when type {ip-netmask | ip-range} (page 250)
is ip-range.
Related topics
l "system firewall firewall-policy" on page 251
l "system firewall service" on page 250
system firewall service
Use this command to configure the protocols and ports that FortiWeb's built-in stateful firewall uses. You use the service
configuration in a firewall policy. For details, see "system firewall firewall-policy" on page 251.
Syntax
config system firewall service
edit "<firewall-service_name>"
set protocol {TCP | UDP | ICMP}
set source-port-min <source-port-min_int>
set source-port-max <source-port-max_int>
set destination-port-min <source-port-min_int>
set destination-port-max <source-port-max_int>
end

config 251
"<firewall-service_name>" Enter a name that identifies this firewall service configuration. No

default.
protocol {TCP | UDP |

ICMP} Select the protocol for this firewall service configuration. TCP
source-port-min <source- Enter the start port in the range of source ports for this firewall 0
port-min_int> service.
source-port-max <source- Enter the end port in the range of source ports for this firewall
65535
port-max_int> service
destination-port-min Enter the start port in the range of destination ports for this 0
<source-port-min_int> firewall service.
destination-port-max Enter the end port in the range of destination ports for this firewall
65535
<source-port-max_int> service
Related topics
l "system firewall address" on page 249
l "system firewall firewall-policy" on page 251
system firewall firewall-policy
Use this command to configure the policies that FortiWeb's built-in stateful firewall uses to determine which traffic to
allow and deny.
The firewall policy uses address and service configurations that you create separately. For details, see "system firewall
address" on page 249 and "system firewall service" on page 250.
Syntax
config system firewall firewall-policy
set default-action {deny | accept}
config firewall-policy-match-list
edit <entry_index>
set in-interface "<incoming_interface_name>"
set out-interface "<outgoing_interface_name>"
set src-address "<firewall-address_name>"
set dest-address "<firewall-address_name>"
set service "<firewall-service_name>"
set action {deny | accept}
set vzone-enable {enable | disable}
set vzone "<vzone_name>"

config 252
end
default-action {deny | Select either: accept

accept}
l deny—Firewall blocks traffic that does not match a policy rule.
However, administrative access is still allowed on network
interfaces for which it has been configured.
l accept—Firewall allows traffic that does not match a policy rule.
No
<entry_index> Enter the index number of the policy rule in the table.
default.
in-interface "<incoming_ Enter the name of the interface (for example, port1) on No
interface_name>" which FortiWeb receives packets it applies this firewall policy default.
rule to.
Enter the name of the interface (for example, port2)

out-interface "<outgoing_ No
interface_name>" through which FortiWeb routes packets it applies this firewall
default.
policy rule to.
src-address "<firewall- Enter the name of the firewall address configuration that No
address_name>" specifies the source IP address or addresses to which this default.
policy applies.
For details about creating firewall address configurations, see

"system firewall address" on page 249.
Enter the name of the firewall address configuration that

specifies the source IP address or addresses to which this
dest-address "<firewall- policy rule applies. No
address_name>" default.
service "<firewall- Enter the name of the firewall service configuration that No
service_name>" specifies the protocols and ports to which this policy rule default.
applies.

Enter either:
l deny—Firewall blocks traffic that matches this policy rule.

action {deny | accept} However, administrative access is still allowed on network deny
interfaces for which it has been configured.
l accept—Firewall allows traffic that matches this policy rule.

config 253
vzone-enable {enable | Select to enable a V-zone (bridge). If this option is enabled, disable
disable} select a V-zone to use. V-zones allow network connections to
travel through FortiWeb's physical network ports without
explicitly connecting to one of its IP addresses.
This option is available only when the operation mode is True

Transparent Proxy or Transparent Inspection mode.
Select a configured V-zone. For details about creating a V- No

vzone "<vzone_name>"
zone, see "system v-zone" on page 310. default.
Example
This example configures a firewall policy to deny any HTTP services but coming from specified sources.
edit "alloowed_source"
set type ip-range
set ip-address-value "172.22.203.100-172.22.203.115"
end
edit "site1"
set type ip-netmask
set ip-netmask "206.11.0.2/24"
end
config system firewall service
edit "http"
set protocol TCP
set destination-port-min 80
set destination-port-max 80
end
config system firewall firewall-policy
set default-action deny
config firewall-policy-match-list
edit 1
set in-interface port1
set out-interface port2
set src-address site1
set dest-address site1
set service http
set action accept
next
end
end
Related topics
l "system firewall address" on page 249
l "system firewall service" on page 250

config 254
system firewall snat-policy
Use this command to configure a firewall SNAT policy. Firewall SNAT policies translate a matching source IP address to
a single IP address or an IP address in an address pool.
Firewall SNAT policies are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating
modes.
FortiWeb applies a firewall SNAT policy only if IP forwarding is enabled. For details
about IP forwarding, see "router setting" on page 104.
Syntax
config system firewall snat-policy
edit policy_name
set from “<source_ipv4_mask>”
set out-interface “<egress_port>”
set to “<destination_ipv4_mask>”
set trans-to-ip “<translation_ipv4>”
set trans-to-ip-end “<last_ipv4>”
set trans-to-ip-start “<first_ipv4>”
set trans-to-type {ip | pool}
policy_name Enter a name that identifies the firewall SNAT policy. Don't No
use spaces or special characters. The maximum length is default.
63 characters.
Enter the IP address and subnet mask to match the source

IP address in the packet header that you want to translate.
from “<source_ipv4_mask>” 0.0.0.0/0
An example from is 192.0.2.0/24. The IP address
must be an IPv4 address.
out-interface “<egress_ Select the interface that FortiWeb will use to forward traffic No
port>” that matches the from “<source_ipv4_mask>” default.
(page 254).
Enter the IP address and subnet mask to match the

to “<destination_ipv4_ destination IP address in the packet header. An example
0.0.0.0/0
mask>” Destination is 192.0.2.1/24. The IP address must be
an IPv4 address.
trans-to-ip Enter the IP address that you want to translate the from 0.0.0.0
“<translation_ipv4>”

config 255
“<source_ipv4_mask>” (page 254) to. An example

IP address is 192.0.2.2. The IP address must be an
IPv4 address.
This option is available only when the trans-to-type

{ip | pool} (page 255) is set to IP Address.
Enter the last IP address in the SNAT pool. An example IP

address is 192.0.2.4. The IP address must be an IPv4
trans-to-ip-end “<last_ address. 0.0.0.0
ipv4>”
{ip | pool} (page 255) is set to pool.
trans-to-ip-start Enter the first IP address in the SNAT pool. An example IP 0.0.0.0

“<first_ipv4>” address is 192.0.2.3. The IP address must be an IPv4
address.

{ip | pool} (page 255) is set to pool.
Select one of the following:
l ip—Select to translate the from “<source_ipv4_

mask>” (page 254) to an IP address that you specify. To
specify an IP address, configure trans-to-ip
“<translation_ipv4>” (page 254).
trans-to-type {ip | pool} ip
l pool—Select to translate the from “<source_
ipv4_mask>” (page 254) to the next available IP
address in an IP address pool that you specify. To specify
an IP address pool, configure both trans-to-ip-
start “<first_ipv4>” (page 255) and to
“<destination_ipv4_mask>” (page 254).
Related Topic
system fortigate-integration
FortiGate appliances can maintain a list of source IPs that it prevents from interacting with the network and protected
systems. You can configure FortiWeb to receive this list of IP addresses at intervals you specify. Then, you configure an
inline protection profile to detect the IP addresses in the list and take an appropriate action.
This feature is available only if the operating mode is Reverse Proxy or True Transparent Proxy.

config 256
This command configures a FortiGate appliance that provides banned source IPs. To configure FortiWeb to detect the
quarantined IP addresses and take the appropriate action, configure the FortiGate Quarantined IPs settings in an inline
protection profile. For details, see "waf web-protection-profile inline-protection" on page 518.
Syntax
config system fortigate-integration
set address "<address_ipv4>"
set port <port_int>
set protocol {HTTP | HTTPS}
set username "<username_str>"
set schedule-frequency <schedule-frequency_int>
set flag {enable | disable}
end
address "<address_ipv4>" Enter the FortiGate IP address that is used for administrative No
access. default.
Specify the port that the FortiGate uses for administrative

port <port_int> access via HTTPs. 80
In most cases, this is port 443.
protocol {HTTP | HTTPS} Specify whether the FortiGate and FortiWeb communicate HTTP
securely using HTTPS.
Enter the name of the administrator account that FortiWeb No

username "<username_str>"
uses to connect to the FortiGate. default.
password "<password_str>" Enter the password for the FortiGate administrator account No
that FortiWeb uses. default.
Enter how often FortiWeb checks the FortiGate for an

schedule-frequency updated list of banned source IP addresses, in hours. 1
<schedule-frequency_int>
The valid range is 1 to 5.
flag {enable | disable} Enables or disables the transmission of quarantined source IP disable
address information from the specified FortiGate.
Related topics
l "waf file-upload-restriction-policy" on page 384
l "system fortisandbox-statistics" on page 658

config 257
system fortisandbox
Use this command to configure FortiWeb to submit all files that match your upload restriction rules to FortiSandbox.
FortiSandbox evaluates whether the file poses a threat and returns the result to FortiWeb. If FortiSandbox determines
that the file is malicious, FortiWeb performs the following tasks:
l Generates an attack log message that contains the result.

l For 10 minutes after it receives the FortiSandbox results, takes the action specified by the file security policy. During this
time, it does not re-submit the file to FortiSandbox.
Syntax
config system fortisandbox
set type {fsa | cloud}
set server "<server_ipv4>"
set cache-timeout <timeout_int>
set email "<email_str>"
set interval <interval_int>
set elog {enable | disable}
end
type {fsa | cloud} Specify whether FortiWeb submits files that match the upload fsa
restriction rules to a FortiSandbox physical appliance (or
FortiSandbox-VM) or to FortiSandbox Cloud.
The FortiSandbox Cloud option requires you to register your

FortiWeb and a FortiWeb FortiGuard Sandbox Cloud Service
subscription.
Enter the IP address of the FortiSandbox to send files to. No

server "<server_ipv4>"
Available only when type is fsa. default.
ssl {enable | disable} Enter enable to communicate with the specified disable
FortiSandbox using SSL.
Enter how long FortiWeb waits before it clears the hash table
entry for an uploaded file that was evaluated by
FortiSandbox, in hours.
cache-timeout <timeout_
72
int>
FortiWeb stores file evaluation results from FortiSandbox in a

config 258
hash table. Whenever a client uploads a file, FortiWeb looks

for a table entry that matches it. If there is a matching entry,
FortiWeb takes action based on the stored result. If there is
no matching entry, FortiWeb sends the file to FortiSandbox
for evaluation.
email "<email_str>" Enter the email address that FortiSandbox sends weekly No
reports and notifications to. default.
Enter a number that specifies how often FortiWeb retrieves

interval <interval_int> 5
statistics from FortiSandbox, in minutes.
elog {enable | disable} Enter so that FortiWeb will report event logs when it successfully disable
submits files to FortiSandbox.
Example
This example creates a connection to a FortiSandbox at 192.0.2.2 that retrieves statistics at the default interval (5
minutes) and sends a weekly report to [email protected].
config system fortisandbox
set server "192.0.2.2"
set ssl enable
set email "[email protected]"
end
Related topics
l "system fortisandbox-statistics" on page 658
system global
Use this command to configure system-wide settings such as language, display refresh rate and listening ports of the
web UI, the time zone and host name of the FortiWeb appliance, and NTP time synchronization.
Syntax
set admin-port <port_int>
set admin-sport <port_int>
set admin-lockout-threshold <admin-lockout-threshold_int>
set admin-lockout-duration <minutes_int>

config 259
set admintimeout <minutes_int>

set adom-admin {enable | disable}
set auth-timeout <milliseconds_int>
set cli-signature {enable | disable}
set confsync-port <port_int>
set dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}
set dst {enable | disable}
set fds-proxy {enable | disable}
set force-us-only {enable | disable}
set hostname "<host_name>"
set admin-https-pki-required {enable | disable}
set https-certificate "<certificate_name>"
set ie6workaround {enable | disable}
set language {english |japanese | simch | trach}
set ntpserver {"<ntp_fqdn>" | "<ntp_ipv4>"}
set ntpsync {enable | disable}
set pre-login-banner {enable | disable}
set record-cli-fail-cmd {enable | disable}
set refresh <seconds_int>
set syncinterval <minutes_int>
set timezone "<time-zone-code_str>"
set tftp {enable | disable}
set ssh-fips {enable | disable}
end
admin-port <port_int> Enter the port number on which the FortiWeb 80

appliance listens for HTTP access to the web
UI. The valid range is 1–65,535.
admin-sport <port_int> Enter the port number on which the FortiWeb

appliance listens for HTTPS (SSL-secured)
443
access to the web UI. The valid range is 1–
65,535.
admin-lockout-threshold <admin- Enter the number of invalid logon attempts 3

lockout-threshold_int> before the account is locked out. The valid
range is 1–10.
admin-lockout-duration <minutes_ Set the length of time the account remains

int> locked. The valid range is 1–2147483647 60
seconds.
admintimeout <minutes_int> Enter the amount of time (in minutes) 5

after which an idle administrative session
with the web UI or CLI will be
automatically logged out. The valid range
is 1–48.
To improve security, do not increase the

idle timeout.

config 260
adom-admin {enable | disable} Enable to be able to restrict administrator

accounts to specific administrative
domains. See also domains "<adom_
name>" (page 203).
Note: After you type end, if this setting is

enabled, the CLI will terminate your
session and restructure the configuration
to use ADOMs. Global settings will disable
remain in the global configuration scope,
but objects that are configurable
separately per ADOM such as services
are moved to the root ADOM. To
continue by configuring additional
ADOMs, log in again, then go to
"Defining ADOMs" on page 62.
auth-timeout <milliseconds_int> Enter the number of milliseconds that 2000

FortiWeb will wait for the remote
authentication server to respond to its
query. The valid range is 1–60,000.
If administrator logins often time out, and

FortiWeb is configured to query an
external RADIUS or LDAP server,
increasing this value may help.
This setting only affects remote

authentication queries for administrator
accounts. To configure the query
connection timeout for end-user
accounts, use auth-timeout
<timeout_int> (page 404) instead.
cli-signature {enable | disable} Enable to be able to enter custom attack

signatures via the CLI.
Typically, attack signatures should be

entered using the web UI, where you can
verify syntax and test matching of your disable
regular expression. If you are sure that
your expression is correct, you can enable
this option to enter your custom signature
via the CLI.
confsync-port <port_int> Enter the port number the local FortiWeb 8333
uses to listen for a remote (peer)
FortiWeb.

config 261
Used when you have configured

FortiWeb to synchronize its configuration.
Caution: The port number must be

different than the port number set using
config server-policy custom-
application application-
policy (page 110).
dh-params {1024 | 1536 | 2048 | Specifies the key length that FortiWeb
3072 | 4096 | 6144 | 8192} presents in Diffie-Hellman exchanges. Most
2048
web browsers require a key length of at least
2048.
dst {enable | disable} Enable to automatically adjust the FortiWeb disable

appliance’s clock for daylight savings time
(DST).
fds-proxy {enable | disable} Enable to configure FortiWeb to act as a

proxy for the FDN.
disable
For details, see "system fds proxy" on
page 246.
force-us-only {enable | disable} Enable so that FortiWeb will receive disable

FortiGuard service updates from
FortiGuard servers located only in the
United States.
hostname "<host_name>" Enter the host name of this FortiWeb

appliance. Host names may include US-
ASCII letters, numbers, hyphens, and
underscores. The maximum length is 63
characters. Spaces and special
characters are not allowed.
The host name of the FortiWeb appliance

is used in several places.
FortiWeb
l It appears in the System Information
widget on the Status tab of the web
UI, and in the config router all
(page 1) CLI command.
l It is used in the command prompt of
the CLI.
l It is used as the SNMP system name.
For details about SNMP, see "system

config 262
snmp sysinfo" on page 304.

The System Information widget and
the config router all (page 1) CLI
command will display the full host name.
However, if the host name is longer than
16 characters, the CLI and other places
display the host name in a truncated form
ending with a tilde ( ~ ) to indicate that
additional characters exist, but are not
displayed.
For example, if the host name is

FortiWeb1234567890, the CLI prompt
would be FortiWeb123456789~#.
Note: You can also configure the local

domain name. For details, see "system
dns" on page 242.
admin-https-pki-required {enable | Enable to use certificate-based Web UI disable

disable} login.
Before enabling this, please make sure

the related configurations are set
correctly. For details, see "system admin-
certificate ca" on page 206, "user pki-
user" on page 324, and "user admin-
usergrp" on page 315.
https-certificate "<certificate_ Specifies the certificate that FortiWeb uses for

name>" the accesses to its Web UI through HTTPS.
This must be one of the certificates stored
defaultcert
locally on the FortiWeb for administration. For
details, see "system admin-certificate local" on
page 207.
ie6workaround {enable | disable} Enable to use the work around for a navigation disable
bar freeze issue caused by using the web UI
with Microsoft Internet Explorer 6.
language {english |japanese | Select which language to use when

simch | trach} displaying the web UI.
The display’s web pages will use UTF-8

encoding, regardless of which language english
you choose. UTF-8 supports multiple
languages, and allows all of them to be
displayed correctly, even when multiple
languages are used on the same web

config 263
page.
For example, your organization could

have websites in both English and
simplified Chinese. Your FortiWeb
administrators prefer to work in the
English version of the web UI. They could
use the web UI in English while writing
rules to match content in both English
and simplified Chinese without changing
this setting. Both the rules and the web
UI will display correctly, as long as all
rules were input using UTF-8.
Usually, your text input method or your

management computer’s operating
system should match the display, and
also use UTF-8. If they do not, you may
not be able to correctly display both your
input and the web UI at the same time.
For example, your web browser’s or

operating system’s default encoding for
simplified Chinese input may be GB2312.
However, you usually should switch it to
be UTF-8 when using the web UI, unless
you are writing regular expressions that
must match HTTP client’s requests, and
those requests use GB2312 encoding.
For more information on language

support in the web UI and CLI, see
"Language support & regular expressions"
on page 56.
Note: This setting does not affect the

display of the CLI.
ntpserver {"<ntp_fqdn>" | "<ntp_ Enter the IP address or fully qualified pool.ntp.org

ipv4>"} domain name (FQDN) of a Network Time
Protocol (NTP) server or pool, such as
pool.ntp.org, to query in order to
synchronize the FortiWeb appliance’s
clock. The maximum length is 63
characters.
For details about NTP and to find the IP

address of an NTP server that you can
use, go to:

config 264
http://www.ntp.org/
ntpsync {enable | disable} Enable to automatically update the system

date and time by connecting to a NTP server.
Also configure ntpserver {"<ntp_fqdn>" | "<ntp_ enable
ipv4>"}, syncinterval <minutes_int> and
timezone "<time-zone-code_str>".
pre-login-banner {enable | disable} Enable to add a login disclaimer message for disable
administrators logging in to FortiWeb.
This disclaimer is a statement that a user

accepts or declines. It is useful for
environments such as corporations that are
governed by strict usage policies for forensics
and legal reasons.
For details about modifying the disclaimer,

see "system replacemsg" on page 294.
record-cli-fail-cmd {enable Enable so that FortiWeb will generate an

| disable} event log if a CLI command fails or is disable
executed incorrectly.
refresh <seconds_int> Enter the automatic refresh interval (in 80

seconds) for the web UI’s System
Status Monitor widget.
The valid range is 0–
9,223,372,036,854,775,807. To disable
automatic refreshes, type 0.
syncinterval <minutes_int> Enter how often (in minutes) the

FortiWeb appliance should synchronize
its time with the Network Time Protocol
(NTP) server. 60
The valid range is 1–1440. To disable

time synchronization, type 0.
tftp {enable | disable} Specify whether FortiWeb can perform enable

backups, restoration, firmware updates and
other tasks using TFTP.
timezone "<time-zone-code_str>" Enter the two-digit code for the time zone
in which the FortiWeb appliance is
located. 04
The valid range is from 00 to 75. To

config 265
display a list of time zone codes, their

associated the GMT time zone offset,
and contained major cities, type
set timezone ?.
ssh-fips {enable | disable} A setting used with Federal Information disable

Processing Standards (FIPS) and Common
Criteria (CC) compliant mode.
When the FIPS-CC certification process is

complete, a separate document will provide
detailed information about this command.
Example
This example configures time synchronization with a public NTP server pool. The FortiWeb appliance is located in the
Pacific Time zone (code 04) and will synchronize its time with the NTP server pool every 60 minutes.
set timezone 08
set ntpsync enable
set ntpserver "pool.ntp.org"
set syncinterval 30
end
For an example that includes a hostname, see "system dns" on page 242.
Related topics
l "date" on page 632
l "time" on page 654
l "system status" on page 660
system ha
Use this command to configure the FortiWeb appliance to act as a member of a high availability (HA) cluster in order to
improve availability.
By default, FortiWeb appliances are each a single, standalone appliance and operate independently.

config 266
If you have purchased more than one FortiWeb appliance, you can configure them to form an active-passive or active-
active high availability (HA) FortiWeb cluster. This improves availability so that you can achieve your service level
agreement (SLA) uptimes even if hardware failures occur or maintenance periods are required.
If you have multiple FortiWeb appliances but do not need failover, you can still synchronize
the configuration. This can be useful for cloned network environments and externally load-
balanced active-active HA. For details, see "server-policy custom-application application-
HA requirements
l Two (for active-passive mode and active-active mode) or more (for active-active mode) identical physical FortiWeb
appliances and firmware versions
l Redundant network topology: if the active appliance fails, physical network cabling and routes must redirect web traffic to
the standby appliance
l At least one physical port on both HA appliances connected directly, via crossover cables, or through switches
FortiWeb-VM now supports HA. However, if you do not wish to use the native HA, you can
use your hypervisor or VM environment manager to install your virtual appliances over a
hardware cluster to improve availability. For example, VMware clusters can use vMotion or
VMware HA.
If FortiWeb HA is active-passive: one appliance is selected to be the active appliance (also called the primary, main, or
master), applying the policies for all connections. The other is a passive standby (also called the secondary, standby, or
slave), which assumes the role of the active appliance and begins processing connections only if the active appliance
fails.
If FortiWeb HA is active-active: all the cluster members are operating as active appliances together to simultaneously
handle the traffic between clients and the back web servers. In an active-active HA cluster, one of the member
appliances will be selected as the master appliance to centrally receive traffic from clients and back web servers to
distribute the traffic to all the cluster members (including itself) according to the specified load balancing algorithm.
An active-active HA cluster requires heartbeat detection and configuration and session synchronization between
the cluster members. If the master appliance fails, one of the slaves will take it over. An active-active HA cluster can be
created only in Reverse Proxy and True Transparent Proxy mode, and at most eight FortiWeb appliances are
allowed in the cluster.
For more information on HA, including troubleshooting, failover behavior, synchronized data, and network topology, see
https://docs.fortinet.com/fortiweb/admin-guides
Syntax
config system ha
set mode {active-passive | active-active | standalone}
set group-id <group_int>
set group-name "<pair-name_str>"
set priority <level_int>
set override {enable | disable}
set network-type {flat | udp-tunnel}

config 267
set tunnel-local "<class_ip>"

set tunnel-peer "<class_ip>"
set hbdev "<interface_name>"
set hbdev-backup "<interface_name>"
set lacp-ha-slave {enable | disable}
set link-failed-signal {enable | disable}
set hb-interval <milliseconds_int>
set hb-lost-threshold <seconds_int>
set arps <arp_int>
set arp-interval <seconds_int>
set monitor {"<interface_name>" ...}
set boot-time <limit_int>
set ha-mgmt-status {enable | disable}
set ha-mgmt-interface "<interface_name>"
set ha-mgmt-interface-gateway "<router_ipv4>"
set ha-mgmt-interface-gateway6 "<router_ipv6>"
set schedule {ip | leastconnection | round-robin} le {ip | leastconnection | round-
robin}
set session-sysession-sync-broadcast {enable | disable} nc-broadcast {enable | disable}
set session-sync-dev {"<interface_name>" ...}
set session-warm-up <seconds_int>
set weight-1 <weight_int>
set session-pickup {enable | disable}
set persistence-sync {enable | disable}
set eip-addr <class_ip>
set eip-aid <eip-aid_str>
set ha-eth-type <ha-eth-type_str>
set hc-eth-type <hc-eth-type_str>
set hbcast-eth-type <hbcast-eth-type_str>
set l2ep-eth-type <l2ep-eth-type_str>
set 17-persistence-sync {enable | disable}
end
mode {active-passive | Select one of the following: standalone

active-active |
standalone} l active-passive—Form an HA group with another
FortiWeb appliance. The appliances operate together, with
the standby assuming the role of the active appliance if it
fails.
l active-active—Form an HA group with other FortiWeb
appliances. All the appliances are active simultaneously to
handle the receiving traffic together.
l standalone—Operate each appliance independently.
Note: To avoid connectivity issues, do not use config

config 268
system ha to remove an appliance from an HA cluster.

Instead, use config ha disconnect (page 634),
which removes the appliance from the cluster and
changes the HA mode to standalone.
group-id <group_int> Enter a number that identifies the HA pair. 0
Both members of the HA pair must have the same

group ID. If you have more than one HA pair on the
same network, each HA pair must have a different
group ID.
Changing the group ID changes the cluster’s virtual MAC

address.
The valid range is 0 to 63.
group-name "<pair-name_ Enter a name to identify the HA pair if you have more than No default.
str>" one.
This setting is optional, and does not affect HA function.
priority <level_int> Enter the priority of the appliance when electing the 5
primary appliance in the HA pair. On standby devices, this
setting can be reconfigured using the CLI command
config ha manage (page 636).
This setting is optional. The smaller the number, the

higher the priority. The valid range is 0 to 9.
Note: By default, unless you enable override

{enable | disable} (page 268), uptime is more
important than this setting.
override {enable | Enable to make priority <level_int> (page 268) a disable

disable} more important factor than uptime when selecting the primary
appliance.
network-type {flat | udp- Select the common HA mode flat or udp-tunnel mode on flat
tunnel} OpenStack platform.
tunnel-local "<class_ip>" Set the local IP address on OpenStack platform. No default.

This filed can be configured only when the network type is upd-
tunnel.
tunnel-peer "<class_ip>" Set the peer IP address on OpenStack platform. No default.

This filed can be configured only when the network type is upd-
tunnel.

config 269
hbdev "<interface_name>" Select which port on this appliance that the main and No default.
standby appliances will use to send heartbeat signals and
synchronization data between each other (i.e. the HA
heartbeat link). The maximum length is 15 characters.
Connect this port to the same port number on the other

member of the HA cluster. (e.g., If you select port3 for
the primary heartbeat link, connect port3 on this
appliance to port3 on the other appliance.)
At least one heartbeat interface must be selected on each

appliance in the HA cluster. Ports that currently have an IP
address assigned for other purposes (that is, virtual
servers or bridges) cannot be re-used as a heartbeat link.
At least one heartbeat interface must be selected on each

appliance in the HA cluster. Ports that currently have an IP
address assigned for other purposes (that is, virtual
servers or bridges) cannot be re-used as a heartbeat link.
Tip: If enough ports are available, you can select both a

primary heartbeat interface and a secondary heartbeat
interface (hbdev-backup "<interface_name>"
(page 269)) on each appliance in the HA pair to provide
heartbeat link redundancy. You cannot use the same port
as both the primary and secondary heartbeat interface on
the same appliance, as this is incompatible with the
purpose of link redundancy.
Note: If a switch is used to connect the heartbeat

interfaces, the heartbeat interfaces must be reachable by
Layer 2 multicast.
hbdev-backup "<interface_ Select a secondary, standby port on this appliance that No default.
name>" the main and standby appliances will use to send
heartbeat signals and synchronization data between each
other (i.e. the HA heartbeat link).
It must not be the same network interface as hbdev

"<interface_name>" (page 269). The maximum
Connect this port to the same port number on the other

member of the HA cluster. (e.g., If you select port4 for
the secondary heartbeat link, connect port4 on this
appliance to port4 on the other appliance.)
Ports that currently have an IP address assigned for other

purposes (that is, virtual servers or bridges) cannot be re-
used as a heartbeat link.

config 270
lacp-ha-slave {enable Enable to provide support for 2 LACP interfaces, also disable
| disable} known as "bridges," "V-zones," or "aggregated links." For
more information about configuring bridges, see the
link-failed-signal Enable to ensure that all equipment in the network disable

{enable | disable} detects the new primary unit in a cluster after a failover
occurs.
When a failover occurs in an HA active-passive cluster,

the new primary unit broadcasts gratuitous ARP packets
so that switches will refresh their MAC forwarding tables
and detect the new primary unit. However, sometimes
switches will not immediately detect a failover and refresh
MAC forwarding tables to recognize a new primary unit.
This command shuts down each interface (except for the

heartbeat interfaces and reserve management interfaces)
of the former primary unit for about a second so that any
remaining equipment that did not automatically detect the
failover will refresh their MAC forwarding tables and
recognize the new primary unit,
arps <arp_int> Enter the number of times that the FortiWeb appliance 3
will broadcast address resolution protocol (ARP) packets
(IPv4 environment) or Neighbor Solicitation (NS) packets
(IPv6 environment) when it takes on the main role. Even
though a new NIC has not actually been connected to the
network, FortiWeb does this to notify the network that a
different physical port has become associated with the IP
address and virtual MAC of the HA pair.
This is sometimes called “using gratuitous ARP packets to

train the network,” and can occur when the main
appliance is starting up, or during a failover. Also
configure arp-interval <seconds_int> (page
271).
Normally, you do not need to change this setting.

Exceptions include:
l Increase the number of times the main appliance sends

gratuitous ARP packets if your HA pair takes a long time to
fail over or to train the network. Sending more gratuitous ARP
packets may help the failover to happen faster.
l Decrease the number of times the main appliance sends
gratuitous ARP packets if your HA pair has a large number of

config 271
VLAN interfaces and virtual domains. Because gratuitous

ARP packets are broadcast, sending them may generate a
large amount of network traffic. As long as the HA pair still
fails over successfully, you could reduce the number of times
gratuitous ARP packets are sent to reduce the amount of
traffic produced by a failover.
arp-interval <seconds_ Enter the number of seconds to wait between each 1

int> broadcast of ARP/NS packets.

Exceptions include:
l Decrease the interval if your HA pair takes a long time to fail

over or to train the network. Sending ARP packets more
frequently may help the failover to happen faster.
l Increase the interval if your HA pair has a large number of
VLAN interfaces and virtual domains. Because gratuitous
ARP packets are broadcast, sending them may generate a
large amount of network traffic. As long as the HA pair still
fails over successfully, you could increase the interval
between when gratuitous ARP packets are sent to reduce the
rate of traffic produced by a failover.
hb-interval Enter the number of 100-millisecond intervals to set the 1

<milliseconds_int> pause between each heartbeat packet that the one
FortiWeb appliance sends to the other FortiWeb
appliance in the HA pair. This is also the amount of time
that a FortiWeb appliance waits before expecting to
receive a heartbeat packet from the other appliance.
This part of the configuration is synchronized between the

active appliance and standby appliance.
The valid range is 1–20 (that is, between 100 and 2,000
milliseconds).
Note: Although this setting is synchronized between the

main and standby appliances, you should initially
configure both appliances with the same hb-interval
<milliseconds_int> (page 271) to prevent
inadvertent failover from occurring before the initial
synchronization.
hb-lost-threshold Enter the number of times one of HA appliances retries 3

<seconds_int> the heartbeat and waits to receive HA heartbeat packets

config 272
from the other HA appliance before assuming that the

other appliance has failed.
This part of the configuration is synchronized between the

main appliance and standby appliance.

Exceptions include:
l Increase the failure detection threshold if a failure is detected

when none has actually occurred. For example, during peak
traffic times, if the main appliance is very busy, it might not
respond to heartbeat packets in time, and the standby
appliance may assume that the main appliance has failed.
l Reduce the failure detection threshold or detection interval if
administrators and HTTP clients have to wait too long before
being able to connect through the main appliance, resulting
in noticeable down time.
Note: Although this setting is synchronized between the

main and standby appliances, you should initially
configure both appliances with the same hb-lost-
threshold <seconds_int> (page 271) to prevent
inadvertent failover from occurring before the initial
synchronization.
Note: You can use SNMP traps to notify you when a

failover is occurring. For details, see "system snmp
community" on page 299.
monitor {"<interface_ Enter the name of one or more network interfaces that No default.
name>" ...} each directly correlate with a physical link. These ports will
be monitored for link failure.
Separate the name of each network interface with a

space. To remove from or add to the list of monitored
network interfaces, retype the entire list.
Port monitoring (also called interface monitoring)

monitors physical network ports to verify that they are
functioning properly and linked to their networks. If the
physical port fails or the cable becomes disconnected, a
failover occurs. You can monitor physical interfaces, but
not VLAN subinterfaces or 4-port switches.
Note: To prevent an unintentional failover, do not
configure port monitoring until you configure HA on both
appliances in the HA pair, and have plugged in the cables
to link the physical network ports that will be monitored.

config 273
boot-time <limit_int> Enter the maximum number of seconds that a appliance 30

will wait for a heartbeat or synchronization connection
after the appliance returns online.
If this limit is exceeded, the appliance will assume that

the other unit is unresponsive, and assume the role of the
main appliance.
Due to the default heartbeat and synchronization

intervals, as long as the HA pair are cabled directly
together, the default value is usually sufficient. If the HA
heartbeat link passes through other devices, such as
routers and switches, however, a larger value may be
needed. You may notice this especially when updating the
firmware.
The valid range is 1–100 seconds.
ha-mgmt-status {enable | Specifies whether the network interface you select disable
disable} provides administrative access to this appliance when it is
a member of the HA cluster.
When this option is selected, you can access the

configuration for this cluster member using the IP address
of the specified network interface. The interface
configuration, including administrative access and other
settings, is not synchronized with other cluster members.
You can configure up to eight reserve management ports

in each HA cluster. You cannot configure routing for the
port you select.
ha-mgmt-interface Specifies the network interface that provides administrative No default.

"<interface_name>" access to this appliance when it is a member of the HA cluster.
ha-mgmt-interface-gateway Enter the IPv4 address of a next-hop router. Use this No default.
"<router_ipv4>" command so that the management port can manage
each unit in the cluster even if a client or reserve interface
is in a different subnet.
ha-mgmt-interface- Enter the IPv6 address of a next-hop router. Use this No default.
gateway6 "<router_ipv6>" command so that the management port can manage
each unit in the cluster even if a client or reserve interface
is in a different subnet.
schedule {ip | Specifies the load-balancing algorithm used by the master ip

leastconnection | round- appliance (in an active-active HA cluster) to distribute
robin}
received traffic over the available cluster members.
l ip—Consistently distribute the traffic coming from a source

config 274
to the same cluster member.

l leastconnection—Dynamically distribute traffic to a
cluster member who has the fewest connections processing.
l round-robin—Distribute traffic among the available
members in a circular order.
Note that FortiWeb's Session Management is not
supposed by the active-active HA deployment with the
algorithm By connections or Round-robin being used for
the load-balancing.
Available only when mode {active-passive |

active-active | standalone} (page 267) is
active-active.
session-sync-broadcast Specifies whether the master appliance in an active-active disable

{enable | disable} HA cluster synchronizes sessions to others in broadcast.
By default, session information is synchronized in unicast.
Broadcast will be recommended if a active-active HA
cluster contains many appliances.

active-active.
session-sync-dev The master appliance use the heartbeat interface (hbdev No default.
{"<interface_name>" ...} "<interface_name>" (page 269)) to synchronize its
session table to other appliances in an active-active HA
cluster by default. However, you can use extra interfaces
(up to four interfaces) for the session synchronization
when the HA cluster is in heavy traffic.
Specifies the network interface(s) of this FortiWeb

appliance for session synchronizations. For example,
typing set session-sync-dev port3 port4
port5 for using port3, port4 and port5 to synchronize
session information.
Note:
l Only the master appliance in the active-active HA cluster is
allowed to set session-sync-dev. The configuration
here will be synchronized to all the slave appliance in the
cluster by the master, and all the appliances send or receive
session information with the same interface configuration.
l The heartbeat interface will not participate in the session
synchronization anymore if other interfaces are specified
here.
l It can not specify the heartbeat interface to session-

config 275
sync-dev.
l Available only when mode {active-passive |
active-active.
session-warm-up <seconds_ Specifies the active-active HA warm-up time that the 10

int> master appliance will hold traffic distribution to wait for
the active-active HA negotiation (determine the master
and slave, and necessary synchronizations) completes
(when every time the active-active HA starts).

active-active.
weight-1 <weight_int> When the system ha (page 265) algorithm is ip, sets 1
the weight for the first unit in an active-active HA cluster.
The master unit performs weighted round-robin according

to the specified weight to distribute the first packet
coming from the source IP to cluster members.
The weight of each unit can be set with a range of 0–255.
weight-2 <weight_int> When the schedule algorithm is ip, sets the weight for 1
the second unit in an active-active HA cluster.

the weight for the third unit in an active-active HA cluster.

the weight for the fourth unit in an active-active HA
cluster.


config 276
the weight for the fifth unit in an active-active HA cluster.

the weight for the sixth unit in an active-active HA cluster.
The master unit perform weighted round-robin according

the weight for the seventh unit in an active-active HA
cluster.

the weight for the eighth unit in an active-active HA
cluster.

session-pickup {enable Enable so that the master unit in the HA cluster disable
| disable} synchronizes the session table with all cluster units. If a
cluster unit fails, the HA session table information is
available to the remaining cluster units which can use the
session table to resume connections without interruption.
Enable for session fail-over protection. If this is not

required, disabling may reduce CPU usage and reduce HA
heartbeat network bandwidth usage.
Note: Only sessions that have been established for longer

than 30 seconds will be synchronized.
persistence-sync {enable Enable/disable the persistence synchronization. disable

config 277
| disable}
eip-addr <class_ip> Enter the elastic IP address for HA on AWS. No default.
eip-aid <eip-aid_str> Enter the ID of the elastic IP for HA on AWS. No default.
ha-eth-type <ha-eth-type_ HA heartbeat packet Ethertype (4-digit hex). The range is No default.
str> 0x8890–0x889F.
hc-eth-type <hc-eth-type_ Tuple session HA heartbeat packet Ethertype (4-digit No default.

str> hex). The range is 0x8890–0x889F.
hbcast-eth-type <hbcast- Broadcast HA heartbeat packet Ethertype (4-digit hex). No default.

eth-type_str> The range is 0x8890–0x889F.
l2ep-eth-type <l2ep-eth- Telnet session HA heartbeat packet Ethertype (4-digit No default.

type_str> hex). The range is 0x8890–0x889F.
17-persistence-sync When FortiWeb is operating in HA Active-Passive (AP) disable

{enable | disable} mode, you can enable Layer 7 Persistence
Synchronization.
This option enables session synchronization when there's

a failover that causes the slave appliance to take over as
the new master, and is useful for web applications that
require sticky sessions.
Example
This example configures a FortiWeb appliance as one appliance in an active-passive HA pair whose group ID is 1. The
primary heartbeat occurs over port3, and the secondary heartbeat link is over port4. Priority is more important than
uptime when electing the main appliance. The appliance will wait 30 seconds after boot time for a heartbeat or
synchronization before assuming that it should be that main appliance. Aside from the heartbeat link, failover can also
be triggered by port monitoring of port1 and port2.
config system ha
set mode active-passive
set group-id 1
set priority 6
set override enable
set hbdev port3
set hbdev-backup port4
set arps 3
set arp-interval 2
set hb-interval 1
set hb-lost-threshold 3
set monitor port1 port2
set boot-time 30
end

config 278
Related topics
l "debug application hasync" on page 566
l "debug application hatalk" on page 567
l "system ha status" on page 617
l "ha disconnect" on page 634
l "ha manage" on page 636
l "ha synchronize" on page 637
system hsm info
Use this command to edit the configuration so that FortiWeb will work with SafeNet Luna SA HSM (hardware security
module). The HSM integration allows FortiWeb to retrieve a per-connection SSL session key instead of loading the local
private key and certificate.
Because the HSM configuration requires you to upload a server certificate, you can
create it using the web UI only. After you create the configuration in the web UI, this
command allows you to edit it.
For detailed information on integrating HSM with FortiWeb, see the FortiWeb
Before you can show or edit HSM configuration in the CLI and access HSM settings in the web UI, use the following
command to enable the HSM settings:
set hsm enable
Syntax
config system hsm info
set ip "<hsm_ipv4>"
set port <port_int>
set timeout <timeout_int>
set filename "<filename_str>"
set action {register | unregister}
end

config 279
ip "<hsm_ipv4>" Enter the IP address of the HSM. No

default.
Enter the port where FortiWeb establishes an NTLS

port <port_int> connection with the HSM. 1792
timeout <timeout_int> Enter a timeout value for the connection between HSM and No
FortiWeb. default.
Shows the name of the server certificate file from the HSM.
You cannot edit this option using the CLI. No
filename "<filename_str>"
default.
action {register | Enter register to register FortiWeb as a client of the HSM. No

unregister} default.
Related topics
l "system hsm partition" on page 279
system hsm partition
Use this command to edit information about the partition that the FortiWeb HSM client is assigned to. The partition
settings are part of the configuration that allows FortiWeb to work with SafeNet Luna SA HSM (hardware security
module).
Before you can show or edit HSM configuration in the CLI and access HSM settings in the web UI, use the following
command to enable the HSM settings:
set hsm enable
For additional HSM integration settings, see "system hsm info" on page 278.
For detailed information on integrating HSM with FortiWeb, see the FortiWeb Administration Guide:

config 280
Syntax
config system hsm partition
edit "<partition_name>"
set password <password_int>
end
"<partition_name>" Enter the name of a partition that the FortiWeb HSM client is No
assigned to. default.
No
password <password_int> Enter the partition password.
default.
Related topics
l system hsm info (page 278)
l system certificate local (page 226)
system interface
Use this command to configure:
l The network interfaces associated with the physical network ports of the FortiWeb appliance
l VLAN subinterfaces or 802.3ad link aggregates associated with physical network interfaces
Both the network interfaces and VLAN subinterfaces can include administrative access.
You can restrict which IP addresses are permitted to log in as a FortiWeb administrator through the network interfaces
and VLAN subinterfaces. For details, see "system admin" on page 201.
When the FortiWeb appliance is operating in either of the transparent modes, VLANs do
not support Cisco discovery protocol (CDP).
You can use SNMP traps to notify you when a network interface’s configuration changes, or when a link is brought down
or brought up. For details, see "system snmp community" on page 299.
To use this command, your administrator account’s access control profile must have either rw permission to the
Syntax
edit "<interface_name>"
set status {up | down}
set type {aggregate | physical | vlan | redundant}
set algorithm {layer2 | layer2_3 | layer3_4}

config 281
set allowaccess {http https ping snmp ssh telnet FWB-manager}

set ip6-allowaccess {http https ping snmp ssh telnet FWB-manager}
set wccp {enable | disable}
set description "<comment_str>"
set interface "<interface_name>"
set intf {"<port_name>" ...}
set ip "<interface_ipv4mask>"
set ip6 "<interface_ipv6mask>"
set mode {static | dhcp}
set ip6-mode {static | dhcp}
set vlanid <vlan-id_int>
set lacp-speed {fast | slow}
set mtu <mtu_int>
set dynamic_gateway <dynamic_gateway_str>
set dynamic_dns1 <dynamic_dns1_str>
set dynamic_dns2 <dynamic_dns2_str>
set azure-endpoint
config secondaryip
edit <entry_index>
set ip {"<interface_ipv4mask>" | "<interface_ipv6mask>"}
next
end
next
end
"<interface_name>" Enter the name of a network interface. The maximum length is 15 No

status {up | down} Enable (select up) to bring up the network interface so that it
is permitted to receive and/or transmit traffic.
Note: This administrative status from this command is not

the same as its detected physical link status.
up
For example, even though you have used config system
interface to configure port1 with set status up, if the
cable is physically unplugged, diagnose hardware nic
list port1 may indicate correctly that the link is down
(Link detected: no).
algorithm {layer2 | Select the connectivity layers that will be considered when layer2
layer2_3 | layer3_4} distributing frames among the aggregated physical ports.
l layer2—Consider only the MAC address. This results in

the most even distribution of frames, but may be disruptive
to TCP if packets frequently arrive out of order.
l layer2_3—Consider both the MAC address and IP

session. Queue frames involving the same session to the
same port. This results in slightly less even distribution, and
still does not guarantee perfectly ordered TCP sessions, but
does result in less jitter within the session.

config 282
l layer3_4—Consider both the IP session and TCP

connection. Queue frames involving the same session and
connection to the same port. Distribution is not even, but
this does prevent TCP retransmissions associated with link
aggregation.
allowaccess {http https Enter the IPv4 protocols that will be permitted for
ping snmp ssh telnet FWB- administrative connections to the network interface or VLAN
manager}
subinterface.
Separate each protocol with a space. To remove from or add

to the list of permitted administrative access protocols, retype
the entire list.
l ping—Allow ICMP ping responses from this network

interface.
l http—Allow HTTP access to the web UI.
Caution: HTTP connections are not secure and can be

intercepted by a third party. To reduce risk to the security of
your FortiMail appliance, enable this option only on network
interfaces connected directly to your management
computer.
l https—Allow secure HTTP (HTTPS) access to the web UI.
l snmp—Allow SNMP access. For details, see "system snmp

ping
https
Note: This setting only configures which network interface ssh
will receive SNMP queries. To configure which network
interface will send traffic, see "system snmp community" on
page 299.
l ssh—Allow SSH access to the CLI.
l telnet—Allow Telnet access to the CLI.
Caution: Telnet connections are not secure.

l FWB-manager — Allow FortiWeb Manager to use this
interface to administer this appliance.
Caution: Enable administrative access only on network

interfaces or VLAN subinterfaces that are connected to
trusted private networks or directly to your management
computer. If possible, enable only secure administrative
access protocols such as HTTPS or SSH. Failure to restrict
administrative access could compromise the security of your
FortiWeb appliance. Consider allowing ping only when
troubleshooting.

config 283
ip6-allowaccess {http Enter the IPv6 protocols that will be permitted for ping
https ping snmp ssh administrative connections to the network interface or VLAN
telnet FWB-manager}
subinterface.
Separate each protocol with a space. To remove from or add

to the list of permitted administrative access protocols, retype
the entire list.
l ping—Allow ICMP ping responses from this network

interface.
l http—Allow HTTP access to the web UI.
Caution: HTTP connections are not secure and can be

intercepted by a third party. To reduce risk to the security of
your FortiMail appliance, enable this option only on network
interfaces connected directly to your management
computer.
l https—Allow secure HTTP (HTTPS) access to the web UI.
l snmp—Allow SNMP access. For details, see "system snmp

Note: This setting only configures which network interface

will receive SNMP queries. To configure which network
interface will send traffic, see "system snmp community" on
page 299.
l ssh—Allow SSH access to the CLI.
l telnet—Allow Telnet access to the CLI.
Caution: Telnet connections are not secure.

l FWB-manager — Allow FortiWeb Manager to use this
interface to administer this appliance.
Caution: Enable administrative access only on network

interfaces or VLAN subinterfaces connected to trusted private
networks or directly to your management computer. If
possible, enable only secure administrative access protocols
such as HTTPS or SSH. Failure to restrict administrative
access could compromise the security of your FortiWeb
appliance. Consider allowing ping only when troubleshooting.
wccp {enable | disable} Specify whether FortiWeb uses the interface to communicate
with a FortiGate unit configured as a WCCP server. disable
Available only when the operation mode is WCCP.
description "<comment_ Enter a description or other comment. If the comment is more than No
str>" one word or contains an apostrophe, surround the comment with default.

config 284
double quotes ( " ). The maximum length is 63 characters.
interface "<interface_ Enter the name of the network interface with which the VLAN
name>" subinterface will be associated. The maximum length is 15
characters. No
default.
This field is available only if type {aggregate |
physical | vlan | redundant} (page 284) is vlan.
intf {"<port_name>" ...} Enter the names of 2 physical network interfaces or more that No
will be combined into the aggregate link. Only physical default.
network interfaces may be aggregated. The maximum length
is 15 characters each.
This field is available only if type {aggregate |

ip "<interface_ipv4mask>" Enter the IPv4 address and netmask of the network interface, if
any. The IP address must be on the same subnet as the network to
Varies by
which the interface connects. Two network interfaces cannot have
the
IP addresses on the same subnet. The default setting for port1 is
interface.
192.168.1.99 with a netmask of 255.255.255.0. Other
ports have no default.
ip6 "<interface_ Enter the IPv6 address and netmask of the network interface, if ::/0
ipv6mask>" any. The IP address must be on the same subnet as the network to
which the interface connects. Two network interfaces cannot have
IP addresses on the same subnet.
lacp-speed {fast | slow} Select the rate of transmission for the LACP frames (LACPUs)
between FortiWeb and the peer device at the other end of the
trunking cables, either:
l SLOW —Every 30 seconds.

l FAST—Every 1 second. slow
Note: This must match the setting on the other device. If the
rates do not match, FortiWeb or the other device could
mistakenly believe that the other’s ports have failed,
effectively disabling ports in the trunk.
type {aggregate | Indicates whether the interface is directly associated with a Varies by
physical | vlan single physical network port, a group of redundant interfaces, the
| redundant}
or is instead a VLAN subinterface or link aggregate. interface.
The default varies by whether you are editing a network

interface associated with a physical port (physical) or
creating a new subinterface/aggregate (vlan or
aggregate).

config 285
mode {static | dhcp} Specify whether the interface obtains its IPv4 address and
static
netmask using DHCP.
ip6-mode {static | dhcp} Specify whether the interface obtains its IPv6 address and static
netmask using DHCP.
vlanid <vlan-id_int> Enter the VLAN ID of packets that belong to this VLAN
subinterface.
l If one physical network port (that is, a VLAN trunk) will

handle multiple VLANs, create multiple VLAN
subinterfaces on that port, one for each VLAN ID that will
be received.
l If multiple, different physical network ports will handle the
same VLANs, on each of the ports, create VLAN
subinterfaces that have the same VLAN IDs.
The VLAN ID is part of the tag that is inserted into each
Ethernet frame in order to identify traffic for a specific VLAN.
VLAN header addition is handled automatically, and does not
require that you adjust the maximum transmission appliance
(MTU). Depending on whether the device receiving a packet
operates at Layer 2 or Layer 3 of the network, this tag may be
added, removed or rewritten before forwarding to other nodes
on the network.
For example, a Layer 2 switch or FortiWeb appliance 0

operating in either of the transparent modes would typically
add or remove a tag when forwarding traffic among members
of the VLAN, but would not route tagged traffic to a different
VLAN ID. In contrast, a FortiWeb appliance operating in
Reverse Proxy mode, inspecting the traffic to make routing
decisions based upon higher-level layers/protocols, might
route traffic between different VLAN IDs (also known as inter-
VLAN routing) if indicated by its policy, such as if it has been
configured to do WSDL-based routing.
For the maximum number of interfaces, including VLAN

subinterfaces, see the FortiWeb Administration Guide:
This field is available only when type {aggregate |
The valid range is between 1 and 4094 and must match the
VLAN ID added by the IEEE 802.1q-compliant router or switch
connected to the VLAN subinterface.
<entry_index> Enter the index number of the individual entry in the table. No
default.

config 286
ip {"<interface_ Type an additional IPv4 or IPv6 address and netmask for the
ipv4mask>" | "<interface_ network interface.
ipv6mask>"} No
Available only when ip-src-balance or ip6-src- default.
balance is enabled. For details, see "system network-
option" on page 287.
mtu <mtu_int> Enter the maximum transmission unit (MTU) that the 1500
interface supports.
Valid values are 512–9216 (for IPv4) or 1280–9216 (for IPv6).
You cannot specify an MTU for a VLAN interface that is larger

than the MTU of the corresponding physical interface.
dynamic_gateway This field applies only if the mode dhcp is selected.

No
<dynamic_gateway_str> The IP address is automatically assigned by DHCP server among
default.
the dhcp range and it may vary.
dynamic_dns1 <dynamic_ This field applies only if the mode dhcp is selected. No
dns1_str> The primary DNS server IP address. default.
dynamic_dns2 <dynamic_ This field applies only if the mode dhcp is selected. No
dns2_str> The secondary DNS server IP address. default.
azure-endpoint A setting related to FortiWeb-VM on the Microsoft Azure cloud No

computing platform. You cannot edit this setting. default.
Example
This example configures the network interface named port1, associated with the first physical network port, with the IP
address and subnet mask 192.0.2.1/24. It also enables ICMP ECHO (ping) and HTTPS administrative access to that
network interface, and enables it.
edit "port1"
set ip "192.0.2.1 255.255.255.0"
set allowaccess ping https
set status up
next
end
Example
This example configures the network subinterface named vlan_100, associated with the physical network interface
port1, with the IP address and subnet mask 192.0.2.1/24. It does not allow administrative access.
edit "vlan_100"
set type vlan
set ip "192.0.2.1 255.255.255.0"
set status up

config 287
set vlanid 100

set interface "port1"
next
end
Related topics
l "system v-zone" on page 310
l system ha
l "system network-option" on page 287
l "hardware nic" on page 597
l "network sniffer" on page 607
system ip-detection
Use this command to configure how FortiWeb analyzes the identification (ID) field in IP packet headers in order to
distinguish source IP addresses that are actually Internet connections shared by multiple clients, not single clients.
Syntax
config system ip-detection
set share-ip-detection-level {low | medium | high}
end
share-ip-detection-level Select how different packets’ ID fields can be before FortiWeb low
{low | medium | high} detects that an IP is shared by multiple clients.
Related topics
system network-option
Use this command to configure system-wide TCP connection options.

config 288
Syntax
config system network-option
set tcp-timestamp {enable | disable}
set tcp-tw-recycle {enable | disable}
set ip-src-balance {enable | disable}
set ip6-src-balance {enable | disable}
set tcp-buffer {default | high | max}
set arp_ignore {enable | disable}
set loopback-mtu <loopback-mtu_int>
set tcp-usertimeout <tcp-usertimeout_int>
set tcp-keepcnt <tcp-keepcnt_int>
set tcp-keepidle <tcp-keepidle_int>
set tcp-keepintvl <tcp-keepintvl_int>
set loopback-tso-gso {enable | disable}
set route-priority {system | dhcp}
set dns-priority {system | dhcp}
end
tcp-timestamp {enable | Enable to: enable

disable}
l Verify whether clients’ TCP timestamps are sequential
l Include TCP timestamps in packets from FortiWeb
Disabling this option can be useful when multiple clients are
in front of a source NAT gateway such as a FortiGate. If it
applies source NAT but forwards packets to FortiWeb
without modifying the TCP timestamp, packets received
from that source IP will appear to FortiWeb to have an
unstable timestamp. FortiWeb will therefore drop out-of-
sequence packets. Disabling therefore prevents packets
dropped due to this cause, and can improve performance in
that case.
Caution: Disabling this option affects FortiWeb’s dynamic

calculation of TCP retransmission timeout (RTO) and
therefore round trip time (RTT). If you disable the timestamp
when it is not necessary, this can result in decreased
application performance.
Enable to quickly recycle sockets that are ready to close (i.e.

in the TIME_WAIT state per the TCP RFC).
tcp-tw-recycle {enable | This option can be useful in networks with both sustained disable
disable}
high load and bursts of new connection requests. If all
sockets are busy, new connection requests may be refused.
Enabling this option frees sockets more quickly.

config 289
Caution: Enabling this option can cause issues with external

load balancers and HA failover if they are not expecting the
connection to close quickly. This can result in decreased
application performance. Generally, it is safer to wait for
sockets to safely close before they are reused.
ip-src-balance {enable | Enable to allow FortiWeb to connect to the back-end servers disable
disable} using more than one IPv4 address. FortiWeb uses a round-
robin load-balancing algorithm to distribute the connections
among the available IP addresses.
To specify the additional IP addresses, see "system interface"

on page 280.
This option is useful for performance testing when the

number of concurrent connections between FortiWeb and a
back-end server exceeds the number of ports that a single IP
can provide.
Enable to allow FortiWeb to connect to the back-end servers

using more than one IPv6 address. FortiWeb uses a round-
ip6-src-balance {enable | robin load-balancing algorithm to distribute the connections
among the available IP addresses. disable
disable}
To specify the additional IP addresses, see "system interface"

on page 280.
tcp-buffer {default | Specify high or max to increase the size of the TCP buffer. default
high | max}
This option is useful when amount of traffic between a server
pool member and FortiWeb is significantly larger than traffic
between FortiWeb and the client.
Specify how FortiWeb responds to ARP requests.
arp_ignore {enable | l disable—Reply for any local target IP address, configured on

any interface. disable
disable}
l enable—Reply only if the target IP address is local address
configured on the incoming interface.
loopback-mtu <loopback- If the operation mode is True Transparent Proxy, specify a 65536
mtu_int> global MTU for v-zones.
Caution: If this value is smaller than a v-zone's MTU, this

value replaces the larger value in the v-zone configuration.
Available only when the operation mode is True Transparent

Proxy.
tcp-usertimeout <tcp- Enter how long FortiWeb waits before it closes the connection 120

config 290
with a client that is not sending any data or responding with

usertimeout_int>
ACK to keepalive packets, in seconds.
tcp-keepcnt <tcp-keepcnt_ Enter only if no value is specified for tcp-usertimeout 3

int> <tcp-usertimeout_int> (page 289). Fortinet
recommends that you always specify a tcp-usertimeout
value.
Enter how long FortiWeb waits before it sends a client or

tcp-keepidle <tcp-
keepidle_int> server that keeps a connection with FortiWeb open without 60
sending data a keepalive packet, in seconds.
tcp-keepintvl <tcp- Enter how often FortiWeb sends a keepalive packet to a client 20
keepintvl_int> that keeps a connection open without sending data, in
seconds.
loopback-tso-gso {enable
| disable} Used for debugging. disable
route-priority {system | Configure the priority of route IP address obtained by the system No
dhcp} and dhcp, whose route IP address has the priority. default
dns-priority {system | Configure the priority of DNS obtained by the system and dhcp, No
dhcp} whose DNS has the priority. default
Example
This example assigns additional IP addresses to port1. FortiWeb uses a round-robin load-balancing algorithm to
distribute connections to back-end servers among the available IP addresses.
config system network-option
set ip-src-balance enable
end

edit port1
set type physical
set ip 192.0.2.71/24
set allowaccess https ping ssh snmp http telnet
config secondaryip
edit 1
set ip 192.0.2.72/24
next
edit 2
set ip 192.0.2.73/24
next
end
next
end

config 291
Related topics
system password-policy
Use this command to configure a password policy for administrator accounts that set rules for password characteristics.
Syntax
config system password-policy
set min-length-option {enable | disable}
set mini-length <mini-length_int>
set single-admin-mode {enable | disable}
set character-requirements {enable | disable}
set min-upper-case-letter <min-upper-case-letter_int>
set min-lower-case-letter <min-lower-case-letter_int>
set mini-number <mini_number_int>
set min-non-alphanumeric <min-non-alphanumeric_int>
set forbid-password-reuse {enable | disable}
set history-password-number <history-password-number_int>
set expire-status {enable | disable}
set expire-day <expire-day_int>
end
status {enable | disable} Enable to enforce password rules for disable

administrator accounts. When you configure
rules for the password policy, administrator
accounts that don't adhere to the password
policy will be prompted to update their password
upon logging in.
For some cloud platforms such as AWS, Azure,
and GCP, etc., it is enabled by default.
min-length-option {enable | disable} Enable/disable to set the minimum length for the
disable
password.
mini-length <mini-length_int> Enter the minimum password length. The valid 8

range is 8–128.
single-admin-mode {enable | disable} Enable/disable to activate single admin user

disable
login.

config 292
character-requirements {enable Enable/disable to set characters, upper/lower

| disable} 0
case, numbers (0–9), and special.
min-upper-case-letter <min-upper-case- Enter the number of upper case characters. The

letter_int> 0
min-lower-case-letter <min-lower-case- Enter the number of lower case characters. The 0

letter_int> valid range is 0–128.
mini-number <mini_number_int> Enter the number of number characters. The

valid range is 0–128. Only numbers 0–9 are 0
supported.
min-non-alphanumeric <min-non- Enter the number of special characters. The valid 0

alphanumeric_int> range is 0–128.
forbid-password-reuse {enable
| disable} Enable forbidding password re-use. disable
history-password-number <history- Enter the number of history passwords that can 3

password-number_int> not be re-used. The valid range is 1–10.
expire-status {enable | disable} Enable password expiration. disable
expire-day <expire-day_int> Enter the valid period for the password. The valid 90
range 1–999 days
Example
This example enables configuration of the password policy.
config system password-policy
set status enable
set system password-policy
set min-length 8
set single-admin-mode enable
set character-requirements enable
set min-upper-case-letter 2
set min-lower-case-letter 2
set min-number 2
set min-non-alphanumeric 3
set forbid-password-reuse enable
set history-password-number 2
set expire-status enable
set expire-day 100
end

config 293
system raid
Use this command to configure the RAID level.
Currently, only RAID level 1 is supported, and only on the following models shipped with FortiWeb 4.0 MR1 or later:
l FortiWeb-1000B
l FortiWeb-1000C
l FortiWeb-1000D
l FortiWeb-1000E
l FortiWeb-2000E
l FortiWeb-3000C
l FortiWeb-3000D
l FortiWeb-3000E
l FortiWeb-4000C
l FortiWeb-4000D
l FortiWeb-4000E
On older appliances that have been upgraded to FortiWeb 4.0 MR1 or later, RAID cannot be activated.
Back up the data regularly. RAID is not a substitute for regular backups. RAID 1 (mirroring)
is designed to improve hardware fault tolerance, but cannot negate all risks.
Syntax
config system raid
set level {raid1}
end
level {raid1} Enter the RAID level. Currently, only RAID level 1 is supported. raid1
Example
This example sets RAID level 1.
config system raid
set level raid1
end

config 294
Related topics
l "create-raid level" on page 630
l "create-raid rebuild" on page 631
l "hardware raid list" on page 599
system replacemsg
Use this command to customize the following FortiWeb HTML pages:
l Pages that FortiWeb presents to clients when it authenticates users. FortiWeb uses these pages when you configure
a site publishing configuration to use HTML form authentication for its client authentication method. For details, see
"waf site-publish-helper rule" on page 475.
l The error page FortiWeb uses to respond to an HTTP request that violates a policy that responds to violations with
the action alert and deny or period block.
l The “Server Unavailable!” page that FortiWeb returns to the client when none of the server pool members are
available either because they are disabled or in maintenance more, or they have failed the configured health check.
When you specify the HTML code for the web pages using the buffer setting, you enter
the complete HTML code with changes, even if you are only changing a word or fixing a
typographical error. The web UI provides a more convenient editing method that allows you
to see the effect of your changes as you edit.
FortiWeb uses these pages for all server policies. If you require a page content that is customized for a specific policy,
create an ADOM that contains the custom pages for that policy.
Syntax
config system replacemsg
edit {url-block | server-inaccessible | login | token | rsa-login | rsa-challenge
| pre-login-disclaimer}
setbuffer "<buffer_str>"
setcode <code_int>
setset format {html | none | text}
setset group {alert | site-publish}
setset header {8 bit | HTTP | no header type}
end
{url-block | server- Enter one of the following options to specify the page No default
inaccessible | login to modify:
| token | rsa-login

config 295
| rsa-challenge | l url-block—Attack block page

pre-login-
disclaimer} l server-inaccessible—Server unavailable message
l login—Authentication login page
l token—Token authentication page
l rsa-login—RSA SecurID authentication page
l rsa-challenge—RSA SecurID challenge page
l pre-login-disclaimer—A login disclaimer
message for administrators logging in to FortiWeb
Enter the HTML content for the page.

buffer "<buffer_ Because the code for an web page is usually more than
str>" Preset HTML content
one word and contains special characters, surround it
with double quotes ( " ).
code <code_int> If you are editing the url-block item, specify the 500
HTTP page return code as an integer.
You cannot edit this setting for other HTML pages.
Specifies the format of the replacement message.

set format {html | Currently, all messages are HTML. html
none | text}
Cannot be changed from the default.
set group {alert | Specifies whether the replacement page is used for alert (url-
site-publish} security features (blocking and server unavailable) or block, server-
site publishing feature. inaccessible)
Cannot be changed from the default. site-publish

(login, token,
rsa-login,
rsa-
challenge)
set header {8 bit | Specifies the header type for the message.
HTTP | no header HTTP
type} Cannot be changed from the default.
Related topics
l "system replacemsg-image" on page 296

config 296
system replacemsg-image
Use this command to add images that the FortiWeb HTML web pages can use. These pages are the ones that
FortiWeb uses for blocking, authentication, and unavailable servers.
You cannot edit the images that FortiWeb provides by default.
Syntax
config system replacemsgimage
edit "<image_name>"
set image-type {gif | jpg | png | tiff}
set image-base64 <image_code>
end
"<image_name>" Enter the name of the image to add. No

default
image-type {gif | jpg | No

png | tiff} Specify the image file format of the image to add.
default
image-base64 <image_code> Enter the HTTP page return code as clear text, Base64- No
encoded. default
Ensure the value has the following properties:
l Its length is divisible by 4 (a rule of Base64 encoding)

l It begins with characters that identify its format (for example,
R0lGO for GIF, iVBORw0K for PNG)
l The format matches the value of image-type
Related topics
l "system replacemsg" on page 294
system settings
Use this command to configure the operation mode and gateway of the FortiWeb appliance.
You will usually set the operation mode once, during installation. Exceptions include if you install the FortiWeb
appliance in Offline Protection mode for evaluation purposes, before deciding to switch to another mode for more
feature support in a permanent deployment.

config 297
Back up your configuration before changing the operation mode. Changing modes deletes
any policies not applicable to the new mode, TCP SYN flood protection settings, all static
routes, all V-zone (bridge) IPs, and all VLANs. You must re-cable your network topology to
suit the operation mode, unless you are switching between the two transparent modes,
which have similar network topology requirements.
The physical topology must match the operation mode. You may need to re-cable your deployment after changing this
setting. For details, see the FortiWeb Installation Guide.
There are four operation modes:
l Reverse proxy—Requests are destined for a virtual server’s network interface and IP address on the FortiWeb
appliance. The FortiWeb appliance applies the first applicable policy, then forwards permitted traffic to a real web
server. The FortiWeb appliance logs, blocks, or modifies violations according to the matching policy and its
protection profile. Most features are supported.
l Offline Protection — Requests are destined for a real web server instead of the FortiWeb appliance; traffic is
duplicated to the FortiWeb through a span port. The FortiWeb appliance monitors traffic received on the virtual
server’s network interface (regardless of the IP address) and applies the first applicable policy. Because it is not inline
with the destination, it does not forward permitted traffic. The FortiWeb appliance logs or blocks violations according
to the matching policy and its protection profile. If FortiWeb detects a malicious request, it sends a TCP RST (reset)
packet to the web server and client to attempt to terminate the connection. It does not otherwise modify traffic. (It
cannot, for example, apply SSL, load-balance connections, or support user authentication.)
Unlike in Reverse Proxy mode or True Transparent Proxy mode, actions other than Alertcannot be guaranteed to be
successful in Offline Protection mode. The FortiWeb appliance will attempt to block traffic that violates the policy by
mimicking the client or server and requesting to reset the connection. However, the client or server may receive the
reset request after it receives the other traffic due to possible differences in routing paths.
Most organizations do not permanently deploy their FortiWeb appliances in Offline Protection mode. Instead, they
will use Offline Protection as a way to learn about their web servers’ protection requirements and to form some of the
appropriate configuration during a transition period, after which they will switch to one of the operation modes that
places the appliance inline between all clients and all web servers.
Switching out of Offline Protection mode when you are done with transition can prevent bypass problems that can
arise as a result of misconfigured routing. It also offers you the ability to offer some protection features that cannot
be supported in a span port topology used with offline detection.
l True transparent proxy — Requests are destined for a real web server instead of the FortiWeb appliance. The
FortiWeb appliance transparently proxies the traffic arriving on a network port that belongs to a Layer 2 bridge,
applies the first applicable policy, and lets permitted traffic pass through. The FortiWeb appliance logs, blocks, or
modifies violations according to the matching policy and its protection profile. No changes to the IP address
scheme of the network are required. This mode supports user authentication via HTTP but not HTTPS.
l Transparent Inspection — Requests are destined for a real web server instead of the FortiWeb appliance. The
FortiWeb appliance asynchronously inspects traffic arriving on a network port that belongs to a Layer 2 bridge,
applies the first applicable policy, and lets permitted traffic pass through. The FortiWeb appliance logs or blocks
traffic according to the matching policy and its protection profile, but does not otherwise modify it. (It cannot, for
example, apply SSL, load-balance connections, or support user authentication.

config 298
Unlike in Reverse Proxy mode or True Transparent Proxy mode, actions other than
Alertcannot be guaranteed to be successful in Transparent Inspection mode. The
FortiWeb appliance will attempt to block traffic that violates the policy. However, due to the
nature of asynchronous inspection, the client or server may have already received the
traffic that violated the policy.
The default operation mode is Reverse Proxy.
Feature support varies by operation mode. For details, see the FortiWeb Administration Guide:
You can use SNMP traps to notify you if the operation mode changes. For details, see "system snmp community" on
page 299.
Syntax
config system settings
set opmode {offline-protection | reverse-proxy | transparent | transparent-
inspection | wccp}
set gateway "<router_ipv4>"
set stop-guimonitor {enable | disable}
set enable-cache-flush {enable | disable}
set enable-debug-log {enable | disable}
set enable-machine-learning-debug {enable | disable}
set enable-file-upload {enable | disable}
end
opmode {offline- Select the operation mode of the FortiWeb appliance. reverse-
protection | reverse- proxy
proxy | transparent | If you have not yet adjusted the physical topology to suit the
transparent-inspection | new operation mode, see the FortiWeb
wccp}
You may also need to reconfigure IP addresses, VLANs,
static routes, bridges, policies, TCP SYN flood prevention,
and virtual servers, and on your web servers, enable or
disable SSL.
Note: If you select offline-protection, you can

configure the port from which TCP RST (reset) commands
are sent to block traffic that violates a policy. For details, see
block-port <port_int> (page 149).
gateway "<router_ipv4>" Type the IPv4 address of the default gateway. none

config 299
This setting is visible only if opmode {offline-

protection | reverse-proxy | transparent |
transparent-inspection | wccp} (page 298) is
either True Transparent Proxy, Transparent Inspection, or
WCCP.
FortiWeb will use the gateway setting to create a

corresponding static route under router static with the first
available index number. Packets will egress through port1,
the hard-coded management network interface for the
transparent operation modes.
stop-guimonitor {enable | Enable to configure FortiWeb to stop checking whether the enable
disable} process that generates the web UI (httpsd) is defunct.
In some cases, a process that has completed execution can

still have an entry in the process table, which can create a
resource leak.
When this setting is disabled, FortiWeb checks the process

and stops and reloads the web UI if it determines that the
process is defunct.
enable-cache-flush Enable to configure FortiWeb to clear its cache memory every 45

disable
{enable | disable} minutes and generate an event log message for the action.
enable-debug-log {enable Enable so that FortiWeb will record crash, daemon, kernel, enable
| disable} netstat, and core dump logs.
enable-machine-learning-
debug {enable | disable} Enable so that FortiWeb will record machine learning debug. enable
enable-file-upload Enable to upload the debugging file. disable

{enable | disable}
Related topics
system snmp community
Use this command to configure the FortiWeb appliance’s SNMP agent to belong to an SNMP version 1 or 2c
community, and to select which events cause the FortiWeb appliance to generate SNMP traps.
To configure the SNMP agent as a member of a SNMP version 3 community, see "system snmp user" on page 306.

config 300
The FortiWeb appliance’s simple network management protocol (SNMP) agent allows queries for system information
can send traps (alarms or event messages) to the computer that you designate as its SNMP manager. In this way you
can use an SNMP manager to monitor the FortiWeb appliance. You can add the IP addresses of up to eight SNMP
managers to each community, which designate the destination of traps and which IP addresses are permitted to query
the FortiWeb appliance.
An SNMP community is a grouping of equipment for network administration purposes. You must configure your
FortiWeb appliance to belong to at least one SNMP community so that community’s SNMP managers can query the
FortiWeb appliance’s system information and receive SNMP traps from the FortiWeb appliance.
You can add up to three SNMP communities. Each community can have a different configuration for queries and traps,
and the set of events which trigger a trap. Use SNMP traps to notify the SNMP manager of a wide variety of types of
events. Event types range from basic system events, such as high usage of resources, to when an attack type is
detected or a specific rule is enforced by a policy.
Before you can use SNMP, you must activate the FortiWeb appliance’s SNMP agent and add it as a member of at least
one community. For details, see "system snmp sysinfo" on page 304. You must also enable SNMP access on the
network interface through which the SNMP manager will connect. For details, see "system interface" on page 280.
On the SNMP manager, you must also verify that the SNMP manager is a member of the community to which the
FortiWeb appliance belongs, and compile the necessary Fortinet proprietary management information blocks (MIBs)
and Fortinet-supported standard MIBs. For information on MIBs, see the FortiWeb Administration Guide:
Syntax
config system snmp community
edit <community_index>
set name "<community_str>"
set events {cpu-high | intf-ip | log-full | mem-low | netlink-down-status |
netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-
cluster-status-change | sys-ha-member-join | sys-ha-member-leave | sys-
mode-change | waf-access-attack | waf-amethod-attack | waf-blogin-
attack |waf-hidden-fields | waf-pvalid-attack | waf-signature-detection |
waf-url-access-attack | waf-spage-attack}
set query-v1-port <port_int>
set query-v1-status {enable | disable}
set query-v2c-port <port_int>
set query-v2c-status {enable | disable}
set trap-v1-lport <port_int>
set trap-v1-rport <port_int>
set trap-v1-status {enable | disable}
set trap-v2c-lport <port_int>
set trap-v2c-rport <port_int>
set trap-v2c-status {enable | disable}
config hosts
edit <snmp-manager_index>
set ip {"<manager_ipv4>" | "<manager_ipv6>"}
next
end
next

config 301
end
<community_index> Enter the index number of a community to which the FortiWeb No

appliance belongs. The valid range is 1– default.
9,999,999,999,999,999,999.
Enable to activate the community.

status {enable | disable} This setting takes effect only if the SNMP agent is enabled. disable
For details, see "system snmp sysinfo" on page 304.
name "<community_str>" Enter the name of the SNMP community to which the No
FortiWeb appliance and at least one SNMP manager belongs. default.
The FortiWeb appliance will not respond to SNMP managers

whose query packets do not contain a matching community
name. Similarly, trap packets from the FortiWeb appliance will
include community name, and an SNMP manager may not
accept the trap if its community name does not match.
Enter one or more of the following SNMP event names in

order to cause the FortiWeb appliance to send traps when
those events occur. Traps will be sent to the SNMP managers
in this community. Also enable traps.
l cpu-high—CPU usage has exceeded 80%.

events {cpu-high | intf- l intf-ip—A network interface’s IP address has changed. For
ip | log-full | mem-low | details, see "system interface" on page 280.
netlink-down-status |
l log-full—Local log disk space usage has exceeded 80%. If
netlink-up-status |
policy-start | policy- the space is consumed and a new log message is triggered, the
stop | pserver-failed | FortiWeb appliance will either drop it or overwrite the oldest log
sys-ha-cluster-status- message, depending on your configuration. For details, see "log
change | sys-ha-member- disk" on page 73.
join | sys-ha-member- No
leave | sys-mode-change | l mem-low—Memory (RAM) usage has exceeded 80%. default.
waf-access-attack | waf- l netlink-down-status—A network interface has been
amethod-attack | waf-
brought down (disabled). This could be due to either an
blogin-attack |waf-
hidden-fields | waf- administrator changing the network interface’s settings, or due to
pvalid-attack | waf- HA executing a failover.
signature-detection | l netlink-up-status—A network interface has been brought
waf-url-access-attack |
up (enabled).This could be due to either an administrator
waf-spage-attack}
changing the network interface’s settings, or due to HA executing
a failover.
l policy-start—A policy was enabled. For details, see "server-
policy policy" on page 146.
l policy-stop—A policy was disabled. For details, see "server-

config 302
l pserver-failed—A server health check has determined that

a physical server that is a member of a server farm is now
unavailable. For details, see "server-policy policy" on page 146.
on page 1.
l sys-ha-cluster-status-change—HA cluster status was
changed.
l sys-ha-member-join—HA member has joined.
l sys-ha-member-leave—HA member has left.
l sys-mode-change—The operation mode was changed. See
"system settings" on page 296.
l waf-access-attack—FortiWeb enforced a page access rule.

For details, see "waf page-access-rule" on page 457.
l waf-amethod-attack—FortiWeb enforced an allowed
methods restriction. For details, see "waf web-protection-profile
inline-protection" on page 518, "waf web-protection-profile offline-
protection" on page 531, and "waf allow-method-exceptions" on
page 337.
l waf-blogin-attack—FortiWeb detected a brute force login
attack. For details, see "waf brute-force-login" on page 344.
l waf-hidden-fields—FortiWeb detected a hidden fields
attack.
l waf-pvalid-attack—FortiWeb enforced an input/parameter
validation rule. For details, see "waf parameter-validation-rule" on
page 461.
l waf-signature-detection—FortiWeb enforced a
signature rule. For details, see "waf signature" on page 462.
l waf-url-access-attack—FortiWeb enforced a URL access
rule. See "waf url-access url-access-rule" on page 490.
l waf-spage-attack—FortiWeb enforced a start page rule.
See "waf start-pages" on page 485.
Enter the port number on which the FortiWeb appliance will listen
query-v1-port <port_int> for SNMP v1 queries from the SNMP managers of the community. 161
query-v1-status {enable | Enable to respond to queries using the SNMP v1 version of the enable
disable} SNMP protocol.
Enter the port number on which the FortiWeb appliance will listen
query-v2c-port <port_int> for SNMP v2c queries from the SNMP managers of the community. 161
query-v2c-status Enable to respond to queries using the SNMP v2c version of the enable
{enable | disable} SNMP protocol.

config 303
Enter the port number that will be the source (also called local) port
trap-v1-lport <port_int> 162
number for SNMP v1 trap packets. The valid range is 1–65,535.
trap-v1-rport <port_int> Enter the port number that will be the destination (also called 162
remote) port number for SNMP v1 trap packets. The valid range is
1–65,535.
trap-v1-status {enable | Enable to send traps using the SNMP v1 version of the SNMP
enable
disable} protocol.
trap-v2c-lport <port_int> Enter the port number that will be the source (also called local) port 162
number for SNMP v2c trap packets. The valid range is 1–65,535.
Enter the port number that will be the destination (also called
trap-v2c-rport <port_int> remote) port number for SNMP v2c trap packets. The valid range is 162
1–65,535.
trap-v2c-status {enable | Enable to send traps using the SNMP v2c version of the SNMP enable
disable} protocol.
Enter the index number of an SNMP manager for the community. No

<snmp-manager_index>
The valid range is 1–9,999,999,999,999,999,999. default.
ip {"<manager_ipv4>" | Enter the IP address of the SNMP manager that, if traps No

"<manager_ipv6>"} and/or queries are enabled in this community: default.
l Will receive traps from the FortiWeb appliance

l Will be permitted to query the FortiWeb appliance
SNMP managers have read-only access.
To allow any IP address using this SNMP community name to

query the FortiWeb appliance, enter 0.0.0.0.
Note: Entering 0.0.0.0 effectively disables traps if there are

no other host IP entries, because there is no specific
destination for trap packets. If you do not want to disable
traps, you must add at least one other entry that specifies the
IP address of an SNMP manager.
Example
For an example, see "system snmp sysinfo" on page 304.
Related topics
l "system snmp sysinfo" on page 304

config 304
system snmp sysinfo
Use this command to enable and configure basic information for the FortiWeb appliance’s SNMP agent.
Before you can use SNMP, you must activate the FortiWeb appliance’s SNMP agent and add it as a member of at least
one community. For details, see "system snmp community" on page 299. You must also enable SNMP access on the
network interface through which the SNMP manager will connect. For details, see "system interface" on page 280.
On the SNMP manager, you must also verify that the SNMP manager is a member of the community to which the
FortiWeb appliance belongs, and compile the necessary Fortinet proprietary management information blocks (MIBs)
and Fortinet-supported standard MIBs. For information on MIBs, see the FortiWeb Administration Guide:
Syntax
config system snmp sysinfo
set contact-info "<contact_str>"
set description "<description_str>"
set location "<location_str>"
set engine-id "<engine-id_str>"
end
contact-info "<contact_ Type the contact information for the administrator or other person No
str>" responsible for this FortiWeb appliance, such as a phone number default.
or name. The contact information can contain only letters (a-z, A-
Z), numbers, hyphens ( - ) and underscores ( _ ). The maximum
Type a description of the FortiWeb appliance. The string can

description No
"<description_str>" contain only letters (a-z, A-Z), numbers, hyphens ( - ) and
default.
underscores ( _ ). The maximum length is 63 characters.
location "<location_str>" Type the physical location of the FortiWeb appliance. The string No
can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and default.
underscores ( _ ). The maximum length is 63 characters.
Enable to activate the SNMP agent, enabling the FortiWeb

appliance to send traps and/or receive queries for the
communities in which you have enabled queries and/or traps.
status {enable | disable} disable
This setting enables queries only if SNMP administrative
access is enabled on one or more network interfaces. For
details, see "system interface" on page 280.

config 305
engine-id "<engine-id_ Enter the SNMP engineID string. The maximum is 24 No

str>" characters. default
Example1234
This example enables the SNMP agent, configures it to belong to a community named public whose SNMP manager is
192.0.2.20. The SNMP manager is not directly attached, but can be reached through the network interface named
port3.
This example also configures the SNMP agent to send traps using SNMP v2c for high CPU or memory usage, and when
the primary appliance fails; it also enables responses to SNMP v2c queries through the network interface named port3
(along with the previously enabled administrative access protocols, ICMP ping, HTTPS, and SSH).
config system snmp sysinfo
set contact-info "admin_example_com"
set description "FortiWeb-1000E"
set location "Rack_2"
set status enable
set engine-id 246
end
config system snmp community

edit 1
set status enable
set name public
set events cpu-high
set query-v1-status disable
set query-v2c-port 161
set query-v2c-status enable
set trap-v1-status disable
set trap-v2c-lport 162
set trap-v2c-rport 162
set trap-v2c-status enable
config hosts
edit 1
set interface port3
set ip 192.0.2.20
next
end
next
end
edit port3
set allowaccess ping https ssh snmp
next
end
Related topics

config 306
system snmp user
Use this command to configure the FortiWeb appliance’s SNMP agent to belong to an SNMP version 3 community, and
to select which events cause the FortiWeb appliance to generate SNMP traps.
To configure the SNMP agent as a member of a SNMP version version 1 or 2c community and for more information on
the SNMP agent, see "system snmp community" on page 299.
Syntax
config system snmp user
edit name "<user_str>"
set security-level { noauthnopriv | authnopriv | authpriv >
set auth-proto {sha1 | md5}
set auth-pwd "<auth-password_str>"
set priv-proto {aes | des}
set priv-pwd "<priv-password_str>"
set query-status {enable | disable}
set query-port <port_int>
set trap-status {enable | disable}
set trapport-local <port_int>
set trapport-remote <port_int>
set trapevent {cpu-high | intf-ip | log-full | mem-low | netlink-down-status |
netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-
cluster-status-change | sys-ha-member-join | sys-ha-member-leave | sys-
mode-change | waf-access-attack | waf-amethod-attack | waf-blogin-
attack |waf-hidden-fields | waf-pvalid-attack | waf-signature-detection |
waf-url-access-attack | waf-spage-attack}
set "<snmp-manager_index>"
config hosts
edit "<snmp-manager_index>"
set {"<manager_ipv4> | <manager_ipv6>"}
next
end
next
end
name "<user_str>" Enter the name of the SNMP user to which the FortiWeb No
appliance and at least one SNMP manager belongs. The default.
The FortiWeb appliance does not respond to SNMP managers

whose query packets do not contain a matching community
name. Similarly, trap packets from the FortiWeb appliance

config 307
include the community name, and an SNMP manager may

not accept the trap if its community name does not match.
status {enable | disable} Enable to activate the community. disable
This setting takes effect only if the SNMP agent is enabled.

For details, see "system snmp sysinfo" on page 304.
security-level { Enter the security level. No

noauthnopriv | authnopriv default.
| authpriv > l noauthnopriv—No additional authentication or encryption
compared to SNMP v1 and v2.
l authnopriv—The SNMP manager needs to provide the
password specified in this community configuration. Also specify
auth-proto and auth-pwd.
l authpriv—Adds both authentication and encryption. Also
specify auth-proto, auth-pwd, priv-proto, and priv-
pwd. Ensure that the SNMP manager and FortiWeb use the
same protocols and passwords.
If the security-level option includes authentication,

auth-proto {sha1 | md5} sha1
specify the authentication protocol.
auth-pwd "<auth-password_ If the security-level option includes authentication, No

str>" specify the authentication password. default.
If the security-level option is authprivuser_name,

priv-proto {aes | des} aes
specify the encryption protocol.
priv-pwd "<priv-password_ If the security-level option is authprivuser_name, No

str>" specify the encryption password. default.
query-status {enable | Enable to respond to queries using the SNMP v3 version of the
enable
disable} SNMP protocol.
query-port <port_int> Enter the port number on which the FortiWeb appliance listens for 161
SNMP v3 queries from the SNMP managers of the community. The
valid range is 1–65,535.
trap-status {enable | Enable to send traps using the SNMP v3 version of the SNMP
enable
disable} protocol.
trapport-local <port_int> Enter the port number that is the source (also called local) port 162
number for SNMP v3 trap packets. The valid range is 1–65,535.
Enter the port number that is the destination (also called remote)
trapport-remote <port_
int> port number for SNMP v3 trap packets. The valid range is 1– 162
65,535.

config 308
trapevent {cpu-high | Enter the name of one or more the SNMP events. When No
intf-ip | log-full | mem- FortiWeb detects the specified events, it sends traps to the default.
low | netlink-down-
status | netlink-up- SNMP managers in this community. Also enable trap-
status | policy-start | status.
policy-stop | pserver-
failed | sys-ha-cluster- l cpu-high—CPU usage has exceeded 80%.
status-change | sys-ha- l intf-ip—A network interface’s IP address has changed. See
member-join | sys-ha- "system interface" on page 280.
member-leave | sys-mode-
change | waf-access- l log-full—Local log disk space usage has exceeded 80%. If
attack | waf-amethod- the space is consumed and a new log message is triggered, the
attack | waf-blogin- FortiWeb appliance will either drop it or overwrite the oldest log
attack |waf-hidden- message, depending on your configuration. For details, see "log
fields | waf-pvalid-
attack | waf-signature- disk" on page 73.
detection | waf-url- l mem-low—Memory (RAM) usage has exceeded 80%.
access-attack | waf-
l netlink-down-status—A network interface has been
spage-attack}
brought down (disabled). This could be due to either an
administrator changing the network interface’s settings, or due to
HA executing a failover.
l netlink-up-status—A network interface has been brought
up (enabled). This could be due to either an administrator
changing the network interface’s settings, or due to HA executing
a failover.
l policy-start—A policy was enabled. For details, see "server-
l policy-stop—A policy was disabled. For details, see "server-
l pserver-failed—A server health check has determined that
a physical server that is a member of a server farm is now
unavailable. For details, see "server-policy policy" on page 146.
l sys-ha-cluster-status-change—HA cluster status was
changed.
l sys-ha-member-join—HA member has joined.
l sys-ha-member-leave—HA member has left.
l sys-mode-change—The operation mode was changed. For
details, see "system settings" on page 296.
l waf-access-attack—FortiWeb enforced a page access rule.

For details, see "waf page-access-rule" on page 457.
l waf-amethod-attack—FortiWeb enforced an allowed
methods restriction. For details, see "waf web-protection-profile
inline-protection" on page 518, "waf web-protection-profile offline-
protection" on page 531, and "waf allow-method-exceptions" on
page 337.
l waf-blogin-attack—FortiWeb detected a brute force login
attack. For details, see "waf brute-force-login" on page 344.

config 309
l waf-hidden-fields—FortiWeb detected a hidden fields

attack.
l waf-pvalid-attack—FortiWeb enforced an input/parameter
validation rule. For details, see "waf parameter-validation-rule" on
page 461.
l waf-signature-detection—FortiWeb enforced a
signature rule. For details, see "waf signature" on page 462.
l waf-url-access-attack—FortiWeb enforced a URL access
rule. For details, see "waf url-access url-access-rule" on page 490.
l waf-spage-attack—FortiWeb enforced a start page rule. For
details, see "waf start-pages" on page 485.
"<snmp-manager_index>" Enter the index number of an SNMP manager for the community. No
Enter the IP address of the SNMP manager that can do the

following when you enable traps, queries, or both in this
community:
l Receive traps from the FortiWeb appliance

l Query the FortiWeb appliance
SNMP managers have read-only access.
{"<manager_ipv4> | No
<manager_ipv6>"} To allow any IP address using this SNMP community name to default.
query the FortiWeb appliance, enter 0.0.0.0 or ::.
Note: Entering 0.0.0.0 or :: effectively disables traps if

there are no other host IP entries, because there is no specific
destination for trap packets. If you do not want to disable
traps, add at least one other entry that specifies the IP
address of an SNMP manager.
Example
For an example, see "system snmp sysinfo" on page 304.
Related topics
l "system snmp sysinfo" on page 304
system tcpdump
Use this command to configure capturing packets.

config 310
To use this command, your administrator account’s access control profile must have rw permission to the netgrp
area. For details, see "Permissions" on page 51.
Syntax
config system tcpdump
edit file id
set "<filter_str>"
set {any | "<interface_str>"}
set "<max-packet-count_int>"
end
file id Enter the packet capture file ID. No

default
Specify the maximum packets you want to capture for

"<max-packet-count_int>" the policy. Capture will stop automatically if the total 4000
captured packets hit the count.
"<filter_str>" Specify which protocols and port numbers that you do No default.
or do not want to capture, such as 'tcp and port
80 and host IP1 and ( IP2 or IP3 )', or
leave this field blank for no filters.
Note that please use the same filter expression as
tcpdump for this filter, you can refer to the Linux main
page of TCPDUMP
(http://www.tcpdump.org/manpages/tcpdump.1.html).
Select the network interface on which you want to

{any | "<interface_
str>"} capture packets, such as port1, or any for all any
interfaces.
"<max-packet-count_int>" Specify the maximum packets you want to capture for 4000
the policy. Capture will stop automatically if the total
captured packets hit the count.
Related topics
l "debug" on page 559
system v-zone
Use this command to configure bridged network interfaces, also called v-zones.

config 311
Bridges allow network connections to travel through the FortiWeb appliance’s physical network ports without explicitly
connecting to one of its IP addresses.
For FortiWeb-VM, you must create vSwitches before you can configure a bridge. For
details, see the FortiWeb-VM Install Guide:
Syntax
edit "<bridge_name>"
set interfaces {"<interface_name>" "<interface_name>" ...}
set monitor {enable | disable}
set mtu <mtu_int>
set use-interface-macs {"<interface_name>" "<interface_name>" ...}
set multicast-snooping {enable | disable}
next
end
"<bridge_name>" Type the name of the bridge. The maximum length is 15 No

To display the list of existing bridges, type:

edit ?
Type the names of two or more network interfaces that currently

interfaces {"<interface_
have no IP address of their own, nor are members of another No
name>" "<interface_name>"
...} bridge, and therefore could be members of this bridge. Separate default.
each name with a space. The maximum length is 63 characters.
mtu <mtu_int> Enter the maximum transmission unit (MTU) that the bridge 1500
supports.
When you specify the MTU for a bridge, FortiWeb

automatically sets the MTU for the v-zone members to the
same value.
Valid values are 512–9216 (for IPv4) or 1280–9216 (for IPv6).
multicast-snooping No
Enable/disable multicast snooping.
{enable | disable} default
monitor {enable | Specifies whether FortiWeb automatically brings down all disable
disable} members of this v-zone if one member goes down.

config 312
Enter the names of network interfaces that are members of the

bridge and send and transmit traffic using the MAC address of their
corresponding FortiWeb network interface.
When the operation mode is True Transparent Proxy, by default,

traffic to the back-end servers preserves the MAC address of the
use-interface-macs
source. If you are using FortiWeb with front-end load balancers No
{"<interface_name>"
"<interface_name>" ...} that are in a high availability cluster that uses multiple bridges, this default.
mechanism can cause switching problems on failover. When the v-
zone uses the MAC address of the FortiWeb network interface
instead, a failover does not interrupt the flow of traffic.
Available only when the operation mode is True Transparent

Proxy.
Example
This example configures a true bridge between port3 and port4. The bridge has no virtual network interface, and so it
cannot respond to pings.
edit bridge1
set interfaces port3 port4
next
end
Related topics
system wccp
Use this command to configure FortiWeb as a Web Cache Communication Protocol (WCCP) client. This configuration
allows a FortiGate configured as a WCCP server to redirect HTTP and HTTPS traffic to FortiWeb for inspection.
If your WCCP configuration includes multiple WCCP clients, the WCCP server can balance the traffic load among the
clients. In addition, it detects when a client fails and redirects sessions to clients that are still available.
WCCP was originally designed to provide web caching with load balancing and fault tolerance and is described by the
Web Cache Communication Protocol Internet draft.
This feature requires the operation mode to be WCCP. For details, see "system settings" on page 296.
For information on connecting and configuring your network devices for WCCP mode, see the FortiWeb Administration
Guide:

config 313
For detailed information on configuring FortiGate and other Fortinet devices to act as a WCCP service group, see the
FortiGate WCCP topic in the FortiOS Handbook:
https://docs.fortinet.com/fortigate/admin-guides
Syntax
config system wccp
edit service-id <service-id_int>
set cache-id "<cache-id_ipv4>"
set router-list "<router-list_ipv4>"
set group-address "<group-address_ipv4>"
set authentication {enable | disable}
set password "<passwd_str>"
set cache-engine-method {GRE | L2}
set ports <ports_int>
set primary-hash [src-ip | dst-ip | src-port | dst-port}
set priority <priority_int>
set protocol <priority_int>
set assignment-weight <assignment-weight_int>
set assignment-bucket-format {ciso-implementation | wccp-v2}
set return-to-sender {enable | disable}
end
service-id <service-id_ Enter the service ID of the WCCP service group that this 51
int> WCCP client belongs to.
For HTTP traffic, the service ID is 0.
For other types of traffic (for example, HTTPS), the valid

range is 51–255. Do not use 1–50, which are reserved by
the WCCP standard.
Enter the IP address of the FortiWeb interface that

communicates with the WCCP server.
cache-id "<cache-id_
ipv4>" No default.
Ensure that the WCCP protocol is enabled for the specified
network interface. For details, see "system settings" on
page 296.
router-list "<router- Enter the IP addresses of the WCCP servers in the WCCP No default.
list_ipv4>" service group.
You can specify up to 8 servers. To configure more than 8

WCCP servers, use Group Address instead.
Enter the IP addresses of the clients for multicast WCCP

group-address "<group- configurations.
address_ipv4>" No default.
The multicast address allows you to configure a WCCP

config 314
service group with more than 8 WCCP clients.
The valid range of multicast addresses is 224.0.0.0–

239.255.255.255.
authentication {enable Specify whether communication between the WCCP server disable
| disable} and client is encrypted using the MD5 cryptographic hash
function.
Enter the password used by the WCCP server and clients.
All servers and clients in the group use the same password.
password "<passwd_str>" No default.
The maximum password length is 8 characters. Available
only when authentication {enable | disable}
(page 314) is enabled.
cache-engine-method Enter how the FortiGate unit transmits traffic to GRE

{GRE | L2} FortiWeb:
l GRE—The WCCP server encapsulates redirected packets

within a generic routing encapsulation (GRE) header. The
packets also have a WCCP redirect header.
l L2—The WCCP server overwrites the original MAC
header of the IP packets and replaces it with the MAC
header for the WCCP client.
Enter the port numbers of the sessions that this client

inspects. The valid range is 0–65535.
ports <ports_int> 80
Enter 0 to specify all ports.
primary-hash [src-ip | Enter the hashing scheme that the WCCP server uses src-ip dst-ip
dst-ip | src-port | in combination with assignment-weight to direct
dst-port}
traffic, when the WCCP service group has more than
one WCCP client.
Specify one or more of the following values:
l src-ip—Source IP address
l dst-ip—Destination IP address
l src-port—Source port
l dst-port—Destination port
Enter a value that specifies the priority that this service

group has.
priority <priority_int> 0
If more than one service group is available to scan the
traffic specified by ports and protocol, the WCCP

config 315
server transmits all the traffic to the service group with the
highest priority value.
protocol <priority_int> Enter the protocol of the network traffic the WCCP service 6
group transmits. For TCP sessions, enter 6.
Valid values are 0–255.
Enter a value that the WCCP server uses in combination

assignment-weight with primary-hash to direct traffic, when the WCCP
0
<assignment-weight_int> service group has more than one WCCP client. The valid
range is 0–255.
assignment-bucket- Enter the hash table bucket format for the WCCP ciso-
format {ciso- cache engine. implementation
implementation | wccp-
v2} l cisco-implementation—Source IP address
l wccp-v2—Web Cache Communication Protocol
version 2
return-to-sender Specify whether FortiWeb routes traffic back to the client

disable
{enable | disable} instead of the WCCP server.
Example
This example configures FortiWeb as a WCCP client that belongs to the WCCP service group 52 and specifies the
interface used for WCCP client functionality (192.0.2.100) and the WCCP server (192.0.2.1).
config system wccp
edit service-id 52
set cache-id "192.0.2.100"
set router-list "192.0.2.1"
set ports 80 443
set primary-hash src-ip dst-ip
Related topics
user admin-usergrp
Use this command to configure LDAP/RADIUS/PKI remote authentication groups that can be used when configuring a
FortiWeb administrator account.

config 316
Before you can add a remote authentication group, you must first define at least one query for either LDAP or RADIUS
accounts (see "user ldap-user" on page 318 or "server-policy custom-application application-policy" on page 110), or a
PKI user (see "user pki-user" on page 324).
authusergrp area. For details, see "Permissions" on page 51.
Syntax
config user admin-usergrp
edit "<group_name>"
config members
edit <entry_index>
set type {ldap | radius | pki}
set ldap-name "<query_name>"
set radius-name "<query_name>"
set pki-name "<pki_name>"
next
end
next
end
"<group_name>" Enter the name of the remote authentication group. The maximum No
<entry_index> Enter the index number of the individual entry in the table. The valid No
range is 1–9,999,999,999,999,999,999. default.
type {ldap | radius | Select the protocol used for the query, either LDAP, RADIUS or ldap
pki} PKI.
ldap-name "<query_name>" Enter the name of an existing LDAP account query. The
No
To display the list of existing queries, enter: default.
edit ?
radius-name "<query_ Enter the name of an existing RADIUS account query. The No
name>" maximum length is 63 characters. default.
To display the list of existing queries, enter:

edit ?
pki-name "<pki_name>" Enter the name of an existing PKI user. The maximum length No

config 317

edit ?
Example
This example creates a remote authentication group using an existing LDAP user query named LDAP Users 1.
Because remote authentication groups use LDAP queries by default, the LDAP query type is not explicitly configured.
config user admin-usergrp
edit "Admin LDAP"
config members
edit 0
set ldap-name "LDAP Users 1"
next
end
next
end
Related topics
l "user ldap-user" on page 318
user kerberos-user
Use this command to specify a Kerberos Key Distribution Center (KDC) that FortiWeb can use to obtain a Kerberos
service ticket for web applications on behalf of clients.
Because FortiWeb determines the KDC to use based on the realm of the web application, you do not have to specify the
KDC in the site publish rule.
For details, see "waf site-publish-helper rule" on page 475 and the FortiWeb Administration Guide:
Syntax
config user kerberos-user
edit "<kdc_name>"
set realm "<realm_str>"
set server "<kdc-server_ip>"
set port <kdc-port_int>
set status <kdc_status>
next
end

config 318
"<kdc_name>" Enter the name of the Key Distribution Center (KDC). No

default.
Enter the domain of the domain controller (DC) that the Key No
realm "<realm_str>"
Distribution Center (KDC) belongs to. default.
server "<kdc-server_ip>" Enter the IP address of the KDC. No

default.
In most cases, the KDC is located on the same server as the
DC.
No
port <kdc-port_int> Enter the port the KDC uses to listen for requests.
default.
status <kdc_status> Specify whether the KDC configuration is enabled. enable
Related topics
l "waf site-publish-helper rule" on page 475
l "waf site-publish-helper keytab_file" on page 472
user ldap-user
Use this command to configure queries that can be used for remote authentication of either FortiWeb administrators or
end users via an LDAP server.
To apply LDAP queries to end users, select a query in a user group that is then selected within an authentication rule,
which is in turn selected within an authentication policy, which is ultimately selected within an inline protection profile
used for web protection. For details, see "user user-group" on page 329.
To apply LDAP queries to administrators, select a query in an admin group and reference that group in a system
administrator configuration. For details, see "user admin-usergrp" on page 315.
Syntax
config user ldap-user
edit "<ldap-query_name>"
set bind-type {anonymous | simple | regular}
set common-name-id "<cn-attribute_str>"
set distinguished-name "<search-dn_str>"
set filter "<query-filter_str>"
set group_authentication {enable | disable}
set group_dn "<group-dn_str>"
set group-type {edirectory | open-ldap | windows-ad}
set password "<bind-password_str>"
set port <port_int>

config 319
set protocol {ldaps | starttls}

set server "<ldap_ipv4_domain>"
set ssl-connection {enable | disable}
set username "<bind-dn_str>"
next
end
"<ldap-query_name>" Enter the name of the LDAP user query. The maximum length No

edit ?
Select one of the following LDAP query binding styles:
l simple—Bind using the client-supplied password and a

bind DN assembled from the common-name-id "<cn-
attribute_str>" (page 319), distinguished-name
"<search-dn_str>" (page 319), and the client-supplied
user name.
bind-type {anonymous |
regular—Bind using a bind DN and password that you simple
simple | regular} l
configure in username "<bind-dn_str>" (page 321)

and password "<bind-password_str>" (page 320).
l anonymous—Do not provide a bind DN or password.

Instead, perform the query without authenticating. Select
this option only if the LDAP directory supports anonymous
queries.
common-name-id "<cn- Enter the identifier, often cn, for the common name (CN) No
attribute_str>" attribute whose value is the user name. The maximum length default.
is 63 characters.
Identifiers may vary by your LDAP directory’s schema.
Enter the distinguished name (DN) such as

distinguished-name ou=People,dc=example,dc=com, that, when prefixed with No
"<search-dn_str>" the common name, forms the full path in the directory to user default.
account objects. The maximum length is 255 characters.
filter "<query-filter_ Enter an LDAP query filter string, if any, that will be used to No
str>" filter out results from the query’s results based upon any default.
attribute in the record set. The maximum length is 255
characters.
This option is valid only when bind-type {anonymous |

simple | regular} (page 319) is regular.
group_authentication Enable to only include users that are members of an LDAP enable

config 320
group. Also configure group-type {edirectory |

open-ldap | windows-ad} (page 320) and group_dn
{enable | disable} "<group-dn_str>" (page 320).
This option is valid only when bind-type {anonymous |

simple | regular} (page 319) is regular.
group_dn "<group-dn_str>" Enter the distinguished name of the LDAP user group, such No
as ou=Groups,dc=example,dc=com. The maximum default.
This option is valid only when group_authentication

{enable | disable} (page 319) is enabled.
Select the schema that matches your server’s LDAP directory.
Group membership attributes may have different names

depending on an LDAP directory schemas. The FortiWeb
group-type {edirectory | appliance will use the group membership attribute that open-
open-ldap | windows-ad} matches your directory’s schema when querying the group ldap
DN.
This option is valid only when group_authentication

password "<bind-password_ Enter the password of the username "<bind-dn_str>" No

str>" (page 321). The maximum length is 63 characters. default.
This field may be optional if your LDAP server does not

require the FortiWeb appliance to authenticate when
performing queries, and does not appear if bind-type
{anonymous | simple | regular} (page 319) is
anonymous or simple.
Enter the port number where the LDAP server listens. The
The default port number varies by your selection in ssl-

port <port_int> connection {enable | disable} (page 321); port 389
389 is typically used for non-secure connections or for
STARTTLS-secured connections, and port 636 is typically
used for SSL-secured (LDAPS) connections.
protocol {ldaps | Select whether to secure the LDAP query using LDAPS or ldaps
starttls} STARTTLS. You may need to reconfigure port <port_int> to
correspond to the change in protocol.
This field is applicable only if ssl-connection


config 321
server "<ldap_ipv4_
domain>" Type the server IP or domain address of the LDAP server. 0.0.0.0
ssl-connection {enable | Enable to connect to the LDAP servers using an encrypted enable
disable} connection, then select the style of the encryption in protocol
{ldaps | starttls} (page 320).
Enter the bind DN, such as

cn=FortiWebA,dc=example,dc=com, of an LDAP user
account with permissions to query the distinguished-
name "<search-dn_str>" (page 319). The maximum
length is 255 characters. No
username "<bind-dn_str>"
This field may be optional if your LDAP server does not default.
require the FortiWeb appliance to authenticate when
performing queries, and does not appear if bind-type
{anonymous | simple | regular} (page 319) is
anonymous or simple.
Example
This example configures an LDAP user query to the server at 192.0.2.100 on port 389. SSL and TLS are disabled.
To bind the query, the FortiWeb appliance will use the bind DN cn=Manager,dc=example,dc=com, whose
password is mySecretPassword. Once connected and bound, the query for search for user objects in
ou=People,dc=example,dc=com, comparing the user name supplied by the HTTP client to the value of each
object’s cn attribute. Group authentication is disabled.
config user ldap-user
edit "ldap-user1"
set server "192.0.2.100"
set ssl-connection disable
set port 389
set common-name-id "cn"
set distinguished-name "ou=People,dc=example,dc=com"
set bind-type regular
set username "cn=Manager,dc=example,dc=com"
set password "mySecretPassword"
set group-authentication disable
next
end
Related topics
l "user user-group" on page 329

config 322
user local-user
Use this command to configure locally defined user accounts.
Local user accounts are used by the HTTP authentication feature to authorize HTTP requests. For details, see the
To incorporate local user accounts, add them to a user group that is selected within an authentication rule, which is in
turn selected within an authentication policy. For details, see "user user-group" on page 329.
Syntax
config user local-user
edit "<local-user_name>"
set username "<user_str>"
next
end
"<local-user_name>" Enter a name that can be referenced in other parts of the No

configuration. default.
To display the list of existing accounts, enter:

edit ?
Note: This is not the user name that the person must provide
when logging in to the CLI or web UI.
Enter the user name that the client must provide when logging
in, such as user1 or [email protected]. No
username "<user_str>"
default.
password "<password_str>" Enter the password for the local user account. The maximum length No
Example
This example configures a local user account that can be used for HTTP authentication.
config user local-user
edit "local-user1"
set username "user1"
set password "myPassword"

config 323
next
end
Related topics
user ntlm-user
Use this command to configure user accounts that will authenticate with the FortiWeb appliance via an NT LAN
Manager (NTLM) server.
NTLM queries can be made to a Microsoft Windows or Active Directory server that has been configured for NTLM
authentication. Both NTLM v1 and NTLM v2 versions of the protocol are supported.
NTLM user queries are used by the HTTP authentication feature to authorize HTTP requests. For details, see the
To incorporate NTLM user account queries, add them to a user group that is selected within an authentication rule,
which is in turn selected within an authentication policy. For details, see "user user-group" on page 329.
Syntax
config user ntlm-user
edit "<ntlm-query_name>"
set port <port_int>
set server "<ntlm_ipv4>"
next
end
"<ntlm-query_name>" Enter the name of the NTLM user query. The maximum length No

edit ?
Enter the port number where the NTLM server listens. The valid
port <port_int> 445
range is 1–65535.
server "<ntlm_ipv4>" Enter the IP address of the NTLM server. No

default.

config 324
Example
This example configures an NTLM query connection to a server at 192.0.2.101 on port 445.
config user ntlm-user
edit "ntlm-user1"
set server "192.0.2.101"
set port 445
next
end
Related topics
user pki-user
In FortiWeb's certificate-based Web UI login, a PKI user is the administrator that FortiWeb will authorizes his Web UI
access based on his PKI certificate. With this command, you can create a PKI user for FortiWeb to verify and authorize
the Web UI accesses from the user.
Before creating a PKI user, you must import the CA certificate (through FortiWeb Web UI) associated with the user to
the FortiWeb. For details, see "system admin-certificate ca" on page 206.
After the PKI user is created, include it in an admin group through "user admin-usergrp" on page 315.
Syntax
config user pki-user
edit "<pki-user_name>"
set cacert "<cacert_str>"
set subject "<subject_str>"
next
end
"<pki-user_name>" Enter the name of a PKI user. The maximum length is 63 No

cacert "<cacert_str>" Specifies the CA certificate associated with the PKI user's
certificate. It must be one of the CA certificates stored on the No
FortiWeb for administration. For details, see "system admin- default.
certificate ca" on page 206.

config 325
subject "<subject_str>" Specifies the subject of the PKI user's certificate, such as C = US, No
ST = Washington, O = yourorganization, CN = default.
yourname.
Example
This example adds a PKI user associated with the CA certificate CA_Cert_1.
config user pki-user
edit "pki_user1"
set cacert "CA_Cert_1"
set subject "C = US, ST = Washington, O = oganization, CN = Bradley Avery"
next
end
user radius-user
Use this command to configure RADIUS queries used to authenticate end-users and/or administrators.
If you use a RADIUS query for administrators, separate it from the queries for regular
users. Do not combine administrator and user queries into a single entry. Failure
to separate queries will allow end-users to have administrative access the FortiWeb web UI
and CLI.
Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication, authorization, and
accounting functions. The FortiWeb authentication feature uses RADIUS user queries to authenticate and authorize
HTTP requests. (The HTTP protocol does not support active logouts, and can only passively log out users when their
connection times out. Therefore FortiWeb does not fully support RADIUS accounting.) RADIUS authentication with
realms (e.g., the person logs in with an account such as [email protected]) are supported.
To authenticate a user, the FortiWeb appliance sends the user’s credentials to RADIUS for authentication. If RADIUS
authentication succeeds, the user is successfully authenticated with the FortiWeb appliance. If RADIUS authentication
fails, the appliance refuses the connection. To override the default authentication scheme, select a specific
authentication protocol or change the default RADIUS port.
To incorporate RADIUS users, they must be in a user group selected within an authentication rule, which is in turn
selected within an authentication policy. For details, see "server-policy custom-application application-policy" on page
110.
For access profiles, FortiWeb appliances support RFC 2548

(http://www.ietf.org/rfc/rfc2548.txt) Microsoft Vendor-specific RADIUS Attributes. If you
do not want to use them, you can configure them locally instead. For details, see "system
accprofile" on page 198.

config 326
Syntax
config user radius-user
edit "<radius-query_name>"
set secret "<password_str>"
set server {radius_ipv4 | radius_ipv6 | domain name}
set server-port <port_int>
set auth-type {default | chap | ms_chap | ms_chap_v2 | pap}
set nas-ip "<nas_ipv4>"
set secondary-secret "<password_str>"
set secondary-server {radius2_ipv4 | domain name}
set secondary-server-port <port_int>
next
end
"<radius-query_name>" Enter a unique name that can be referenced in other parts of No

the configuration. default.
Do not use spaces or special characters. The maximum


edit ?
Note: This is the name of the query only, not the

administrator or end-user’s account name/login, which is
defined by either "<administrator_name>" (page 201)
or username "<user_str>" (page 322).
Enter the RADIUS server secret key for the primary RADIUS
No
secret "<password_str>" server. The primary server secret key should be a maximum of 16
default.
characters in length, but is allowed to be up to 63 characters.
server {radius_ipv4 | Enter the IP address or domain name of the RADIUS server to No
radius_ipv6 | domain query for users. default.
name}
Enter the port number where the RADIUS server listens. The valid
server-port <port_int> 1812
range is 1–65535.
auth-type {default | Enter the authentication method. The default option uses PAP, default
chap | ms_chap | ms_chap_ MS-CHAP-V2, and CHAP, in that order.
v2 | pap}
Enter the NAS IP address and called station ID. For details, see
RFC 2548 (http://www.ietf.org/rfc/rfc2548.txt). If you do not enter
nas-ip "<nas_ipv4>" an IP address, the IP address of the network interface that the 0.0.0.0
FortiWeb appliance uses to communicate with the RADIUS server
is applied.

config 327
secondary-secret Enter the RADIUS server secret key for the secondary RADIUS No
"<password_str>" server. The secondary server secret key should be a maximum of default.
16 characters in length, but is allowed to be up to 63 characters.
secondary-server
Enter the IP address or domain name of the secondary RADIUS No
{radius2_ipv4 | domain
name} server. default.
secondary-server-port Enter the port number where the secondary RADIUS server listens. 1812
<port_int> The valid range is 1–65535.
Related topics
user saml-user
Use this command to configure queries that can be used for remote authentication of either FortiWeb administrators or
end users via a Security Assertion Markup Language (SAML) server.
To use a SAML server for client authentication, select it in a site publish rule. For details, see "waf site-publish-helper
rule" on page 475.
Syntax
config user saml-user
edit "<saml_server_name>"
set entityID "<server_URL>"
set service-path "<server_URL_path>"
set slo-bind {post | redirect}
set slo-path "<slo_URL_path>"
set sso-bind <post>
set sso-path "<sso_URL_path>"
next
end
"<saml_server_name>" Enter a name that can be referenced by other parts of the No

configuration. The maximum length is 63 characters. default.
Enter the URL for the SAML server. The communications No

entityID "<server_URL>"
protocol must be HTTPS. default.

config 328
service-path "<server_ Enter a path for the SAML server at the URL you specified No
URL_path>" in entityID "<server_URL>" (page 327). default.
Select the binding that the server will use when the service
provider initiates a single logout request:
l POST—SAML protocol messages are transported via the

user's browser in an XHTML document using base64-
slo-bind {post encoding. POST
| redirect}
l REDIRECT—SAML protocol messages will be carried in
the URL of an HTTP GET request. Because the length of URLs
is limited, this option is best for shorter messages. If the
SAML message contains information that the IDP is not yet
aware of, you can sign the message for security purposes.
slo-path "<slo_URL_path>" Enter a partial URL that the IDP will use to confirm with the No
service provider that a user has been logged out. default.
Select the binding that the server will use to transport the SAML
sso-bind <post> POST
authentication request to the IDP.
sso-path "<sso_URL_path>" Enter a partial URL that the IDP will use to confirm with the No
service provider that a user has been authenticated. default.
Example
This example configures a SAML server at https://sp.example.com/samlsp. We specify the Service Path,
Assertion Consumer Service (ACS), and Single Logout Service (SLS). We use a POST binding for ACS and a
REDIRECT binding for SLS.
config user saml-user
edit "saml_example"
set entityID "https://sp.example.com/samlsp"
set service-path "/saml.sso"
set slo-bind redirect
set slo-path "/SLO/REDIRECT"
set sso-bind post
set sso-path "/SAML2/POST"
next
end
Related topic

config 329
user user-group
Use this command to configure user groups.
User groups are used by the HTTP authentication feature to authorize HTTP requests. A group can include a mixture of
local user accounts, LDAP, RADIUS, and NTLM user queries.
Before you can configure a user group, you must first configure any local user accounts or user queries that you want to
include. For details, see "user local-user" on page 322, "user ldap-user" on page 318, "server-policy custom-application
application-policy" on page 110, or "user ntlm-user" on page 323.
To apply user groups, select them in within an authentication rule, which is in turn selected within an authentication
policy, which is ultimately selected within an inline protection profile used for web protection. For details, see "waf http-
authen http-authen-rule" on page 406.
Syntax
config user user-group
edit "<user-group_name>"
set auth-type {basic | digest | NTLM}
config members
edit <entry_index>
set type {ldap | local | ntlm | radius}
set ldap-name "<query_name>"
set local-name "<query_name>"
set ntlm-name "<query_name>"
set radius-name "<query_name>"
next
end
next
end
"<user-group_name>" Enter the name of the user group. The maximum length is 63 No

edit ?
Select one of the following authentication types:
l basic—This is the original and most compatible

auth-type {basic | authentication scheme for HTTP. However, it is also the
least secure as it sends the user name and password basic
digest | NTLM}
unencrypted to the server.
l digest—Authentication encrypts the password and thus
is more secure than the basic authentication.

config 330
l NTLM—Authentication uses a proprietary protocol of

Microsoft and is considered to be more secure than basic
authentication.
range is 1–9,999,999,999,999,999,999. default.
Select the name of a LDAP user query.
Available if the value of type {ldap | local | No

ldap-name "<query_name>"
ntlm | radius} (page 330) is ldap. default.
local-name "<query_name>" Select the name of a local user account. No

default.
Available if the value of type {ldap | local |
ntlm | radius} (page 330) is local.
Select the name of a NTLM user query.
Available if the value of type {ldap | local | No

ntlm-name "<query_name>"
ntlm | radius} (page 330) is ntlm. default.
radius-name "<query_ Select the name of a RADIUS user query. No

name>" default.
Available if the value of type {ldap | local |
ntlm | radius} (page 330) is radius.
Select which type of user or user query that you want to add to
the group.
type {ldap | local | Note: You can mix all user types in the group. However, if the
authentication rule’s auth-type {basic | digest | local
ntlm | radius}
NTLM} (page 329) does not support a given user type, all user
accounts of that type will be ignored, effectively disabling
them.
Example
For an example, see "waf http-authen http-authen-policy" on page 403.

config 331
Related topics
l "user ldap-user" on page 318
l "user local-user" on page 322
l "user ntlm-user" on page 323
l "waf http-authen http-authen-rule" on page 406
wad file-filter
Use this command to specify the names of directories and files that you want to exclude from anti-defacement
monitoring. Alternatively, you can specify the folders and files you want FortiWeb to monitor and it will exclude any
others.
wadgrp area. For details, see "Permissions" on page 51.
Syntax
config wad file-filter
edit "<wad-file-filter_name>"
set filter-type {black-file-list | white-file-list}
edit <entry_index>
set file-type {directory | regular-file}
set file-name "<file_str>"
next
end
"<wad-file-filter_name>" Enter the name of the file filter you can reference in other parts of No
the configuration. default.
Specify the type of filter:
l black-file-list—A list of files or folders that the anti-

defacement feature does not monitor.
l white-file-list—A list of files or folders that the anti-
filter-type {black-file- No
list | white-file-list} defacement feature monitors. The feature ignores all other files default.
and folders.
FortiWeb still applies criteria in the anti-defacement
configuration to these items. For example, if the file size
exceeds the maximum, FortiWeb does not monitor it.
default.
file-type {directory |
regular-file} Specify the type of item to add to the list: No

config 332
l directory—A folder or directory path.

default.
l regular-file—A file.
file-name "<file_str>" Enter the name of the folder or file to add to the list. No
default.
Ensure that the name exactly matches the folder or file that
you want to specify. If file-type {directory |
regular-file} (page 331) is directory, include the /
(forward slash).
For example, if file-type is directory and you want to

add a folder abc that is under the root folder of a website,
enter /abc.
You can restrict the filter condition to a specific file by including

file path information in file-name. For example, a website
contains many files with the name 123.txt. To specify the
instance located in the abc folder only, enter
/abc/123.txt.
Example
This example creates a filter video-folder that excludes the folder /abc from anti-defacement monitoring when it
is applied to an anti-defacement monitoring configuration.
config wad file-filter
edit "video-folder"
set filter-type black-file-list
edit 1
set file-type directory
set file-name "/abc"
next
end
Related topics
l "wad website" on page 332
wad website
Use this command to enable and configure website defacement attack detection and automatic repair.
The FortiWeb appliance monitors the website’s files for any changes and folder modifications at specified time
intervals. If it detects a change that could indicate a defacement attack, the FortiWeb appliance notifies you, and can
quickly react by automatically restoring the website contents to the previous backup revision.

config 333
Optionally, you can specify a filter that either defines which files and folders FortiWeb does not scan when it looks for
changes (blacklist) or the specific files and folders you want it to monitor (whitelist). For details, see "wad file-filter" on
page 331.
FortiWeb automatically backs up website files and creates a revision in the following cases:
l When the FortiWeb appliance initiates monitoring for the first time, the FortiWeb appliance downloads a backup copy of
the website’s files and stores it as the first revision.
l If the FortiWeb appliance could not successfully connect during a monitor interval, it creates a new revision the next time it
re-establishes the connection.
When you intentionally modify the website, you must disable the monitor option;
otherwise, the FortiWeb appliance sees your changes as a defacement attempt and
undoes them.
Backup copies omit files exceeding the file size limit and/or matching the file extensions that you have configured the
FortiWeb appliance to omit. For details, see backup-max-fsize <limit_int> (page 334) and backup-skip-
ftype "<extensions_str>" (page 334).
wadgrp area. For details, see "Permissions" on page 51.
Syntax
config wad website
edit <entry_index>
set alert-email "<email-policy_name>"
set auto {disable | restore | acknowledge}
set backup-max-fsize <limit_int>
set backup-skip-ftype "<extensions_str>"
set connect-type {ftp | smb | ssh}
set description "<comment_str>"
set hostname-ip {"<host_ipv4>" | "<host_fqdn>"}
set interval-other <seconds_int>
set interval-root <seconds_int>
set monitor {enable | disable}
set monitor-depth <folders_int>
set port <port_int>
set share-name "<share_str>"
set user "<user_str>"
set web-folder "<path_str>"
set file-filter "wad-file-filter_name>"
next
end
<entry_index> Enter the index number of the individual entry in the table. The No
valid range is 1–16. default.

config 334
Enter the name of the email policy that specifies the email address
alert-email "<email- that FortiWeb sends an email to when it detects that the website No
policy_name>" changed. (See config log email-policy (page 75).)The default.
auto {disable | restore | Enter the action that FortiWeb takes when it detects that the disable
acknowledge} website has changed.
l disable—FortiWeb takes no action. You can use the

web UI to manually restore all or some of the changed
files.
l restore—Restore the website to the previous revision
number.
l acknowledge—Accept changes to the website.
Note: When you intentionally modify the website, type
acknowledge. Otherwise, the FortiWeb appliance detects
your changes as a defacement attempt and undoes them.
Enter a file size limit in kilobytes (KB) to indicate which files

will be included in the website backup. Files exceeding this
backup-max-fsize <limit_ size will not be backed up. The valid range is 1–1,048,576 10240
int>
kilobytes.
Note: Backing up large files can impact performance.
backup-skip-ftype Enter zero or more file extensions, such as iso,avi, to No

"<extensions_str>" exclude from the website backup. Separate each file default.
extension with a comma. The maximum length is 512
characters.
Note: Backing up large files, such as video and audio, can

impact performance.
Select which protocol to use when connecting to the website in

connect-type {ftp | smb |
ssh} order to monitor its contents and download website backups. For ftp
Microsoft Windows-style shares, enter smb.
description "<comment_ Enter a description or other comment. If the comment is more than No
str>" one word or contains special characters, surround the comment default.
with double quotes ( " ). The maximum length is 255 characters.
Enter the IP address or fully qualified domain name (FQDN)

of the physical server on which the website is hosted.
hostname-ip {"<host_ This will be used when connecting by SSH or FTP to the No
ipv4>" | "<host_fqdn>"} website to monitor its contents and download backup default.
revisions, and therefore could be different from the real or
virtual web host name that may appear in the Host: field of
HTTP headers.

config 335
interval-other <seconds_ Enter the amount of time (in seconds) between each 600
int> monitoring connection from the FortiWeb appliance to the
web server. During this connection, the FortiWeb appliance
examines the website’s subfolders to see if any files have
been changed by comparing the files with the latest backup.
If any file change is detected, the FortiWeb appliance will

download a new backup revision. If you've enabled auto
{disable | restore | acknowledge} (page 334),
the FortiWeb appliance will revert the files to their previous
version.
Enter the number of seconds between each monitoring

connection from the FortiWeb appliance to the web server.
During this connection, the FortiWeb appliance examines
web-folder "<path_str>" (page 336) (but not its
subfolders) to see if any files have been changed by
interval-root <seconds_ comparing the files with the latest backup. The valid range is
1–86,400. 60
int>
If any file change is detected, the FortiWeb appliance will

download a new backup revision. If you've enabled auto
{disable | restore | acknowledge} (page 334),
the FortiWeb appliance will revert the files to their previous
version.
monitor {enable | Enable to monitor the website’s files for changes, and to download enable
disable} backup revisions that can be used to revert the website to its
previous revision if the FortiWeb appliance detects a change
attempt.
Enter how many folder levels deep to monitor for changes to the
monitor-depth <folders_
int> website’s files. Files in subfolders deeper than this level will not be 5
backed up. The valid range is 1–10.
name "<name_str>" Enter a name for the website. The maximum length is 63 No
This name will not be used when monitoring the website, nor
will it be referenced in any other part of the configuration, and
therefore can be any identifier that is useful to you. It does not
need to be the website’s FQDN or virtual host name.
Enter the password for the user name you entered in user
No
password "<password_str>" "<user_str>" (page 336). The maximum length is 63
default.
characters.
port <port_int> Enter the port number on which the website’s physical server 21

config 336
listens. The standard port number for FTP is 21; the standard
port number for SSH is 22.
This is applicable only if connect-type {ftp | smb |

ssh} (page 334) is ftp or ssh.
Enter the name of the shared folder on the web server. The
maximum length is 63 characters. No
share-name "<share_str>"
This variable appears only if connect-type {ftp | default.
smb | ssh} (page 334) is smb.
user "<user_str>" Enter the user name that the FortiWeb appliance will use to log in No
to the website’s physical server. The maximum length is 63 default.
characters.
Enter the path to the website’s folder, such as public_

html, on the physical server. The path is relative to the initial
location when logging in with the user name that you specify
in user "<user_str>". The maximum length is 1,023 No
web-folder "<path_str>"
Available only if the value of connect-type {ftp |

smb | ssh} (page 334) is ftp or ssh.
file-filter "wad-file- Enter the filter that specifies either the files and folders that No
filter_name>" FortiWeb excludes from anti-defacement monitoring or the specific default.
files and folders to monitor.
Example
config wad website
edit 1
set alert-email "email_policy_1"
set connect-type ssh
set hostname-ip "192.0.2.10"
set monitor enable
set name "www.example.com"
set password "P@ssword1"
set port 22
set user "fortiweb"
set web-folder "public_html"
set file-filter "video-folder"
next
end
Related topics
l "wad file-filter" on page 331

config 337
waf allow-method-exceptions
Use this command to configure the FortiWeb appliance with combinations of URLs and host names, which are
exceptions to HTTP request methods that are generally allowed or denied according to the inline or Offline Protection
profile.
While most URL and host name combinations controlled by a profile may require similar HTTP request methods, you
may have some that require different methods. Instead of forming separate policies and profiles for those requests, you
can configure allowed method exceptions. The exceptions define specific HTTP request methods that are allowed by
specific URLs and hosts.
To apply allowed method exceptions, select them within an inline or Offline Protection profile. For details, see "waf web-
protection-profile inline-protection" on page 518 or "waf web-protection-profile offline-protection" on page 531.
Before you configure an allowed method exception, if you want to apply it only to HTTP requests for a specific real or
virtual host, you must first define the web host in a protected hosts group. For details, see "server-policy allow-hosts" on
page 108.
wafgrp area. For details, see "Permissions" on page 51.
Syntax
config waf allow-method-exceptions
edit "<method-exception_name>"
config allow-method-exception-list
edit <entry_index>
set allow-request {get post head options trace connect delete put patch
webdav rpc others}
set host "<protected-hosts_name>"
next
end
next
end
"<method-exception_name>" Enter the name of the allowed methods exception. The No

To display a list of the existing exceptions, enter:

edit ?
Enter the index number of the individual entry in the table. The No
<entry_index>

config 338
allow-request {get post Select one or more of the allowed HTTP request methods No
head options trace that are an exception for that combination of URL and host. default.
connect delete put patch
webdav rpc others} Methods that you do not select will be denied.
The OTHERS option includes methods not specifically

named in the other options. It often may be required by
WebDAV applications such as Microsoft Exchange Server and
Subversion, which may require HTTP methods not commonly
used by web browsers, such as PROPFIND and BCOPY. For
details, see RFC 4918 (http://tools.ietf.org/html/rfc4918).
Note: If a WAF Auto Learning Profile will be selected in

the policy with an Offline Protection profile that uses this
allowed method exception, you must enable the HTTP
request methods that will be used by sessions that you want
the FortiWeb appliance to learn about. If a method is
disabled, the FortiWeb appliance will reset the connection,
and therefore cannot learn about the session.
Enter the name of a protected host that the Host: field of an

HTTP request must be in order to match the exception. The
host "<protected-hosts_ maximum length is 255 characters. No
name>" default.
This setting is used only if host-status {enable |
host-status {enable | Enable to require that the Host: field of the HTTP request match disable
disable} a protected hosts entry in order to match the allowed method
exception. Also configure host "<protected-hosts_
name>" (page 338).
Depending on your selection in request-type

{plain | regular} (page 339), either:
l Enter the literal URL, such as /index.php, that is an

exception to the generally allowed HTTP request methods.
The URL must begin with a slash ( / ).
l Enter a regular expression, such as ^/*.php, matching all

and only the URLs which are exceptions to the generally
No
request-file "<url_str>" allowed HTTP request methods. The pattern is not required
default.
to begin with a slash ( / ). However, it must at least match
URLs that begin with a slash, such as /index.cfm.
For example, if multiple URLs on a host have identical

HTTP request method requirements, you would type a
regular expression matching all of and only those URLs.
Do not include the name of the web host, such as

www.example.com, which is configured separately in host

config 339
"<protected-hosts_name>" (page 338). The maximum

Note: Regular expressions beginning with an exclamation

point ( ! ) are not supported. For information on language and
regular expression matching, see the FortiWeb
request-type Indicate whether request-file "<url_str>" (page 338) is plain

{plain | regular} a literal URL (plain) or a regular expression (regular).
Example
This example adds an exception to the list of allowed methods (post) that can be used in HTTP requests. In addition to
the allowed methods already specified in protection profiles that use this exception, web hosts included in the protected
hosts group named example_com_hosts (such as example.com, www.example.com, and 192.0.2.10) are
allowed to receive POST requests to the Perl file that handles the guestbook.
config waf allow-method-exceptions
edit "auto-learn-profile2"
config allow-method-exception-list
edit 1
set allow-request post
set host "example_com_hosts"
set host-status enable
set request-file "/perl/guesbook.pl"
set request-type plain
next
end
next
end
Related topics
waf allow-method-policy
Use this command to allow only specific HTTP request methods.
To define specific exceptions to this policy, use config waf allow-method-exceptions (page 337).

config 340
Syntax
config waf allow-method-policy
edit "<allowed-methods_name>"
set allow-method {get post head options trace connect delete put patch webdav
rpc}
set severity {High | Medium | Low | Info}
set triggered-action "<trigger-policy_name>"
set allow-method-exception "<method-exception_name>"
next
end
"<allowed-methods_name>" Enter the name of a new or existing allowed methods policy. No

This field cannot be modified if you are editing an existing default.
allowed method exception. To modify the name, delete the
entry, then recreate it using the new name. The maximum

edit ?
Select one or more HTTP request methods that you want to

allow for this specific policy.
Methods that you do not select will be denied, unless

specifically allowed for a host and/or URL in analyzer-
policy "<fortianalyzer-policy_name>" (page
102).
The others option includes methods not specifically named

in the other options. It often may be required by WebDAV
allow-method {get post
head options trace applications such as Microsoft Exchange Server 2003 and No
connect delete put patch Subversion, which may require HTTP methods not commonly default.
webdav rpc} used by web browsers, such as PROPFIND and BCOPY. For
details, see RFC 2518 (http://tools.ietf.org/html/rfc4918).
Note: If a WAF Auto Learning Profile is used in the server

policy where the HTTP request method is applied (via the
Web Protection Profile), you must enable the HTTP request
methods that will be used by sessions that you want the
FortiWeb appliance to learn about. If a method is disabled, the
FortiWeb appliance will reset the connection, and therefore
cannot learn about the session.
severity {High | Medium | Select the severity level to use in logs and reports generated when High
Low | Info} a violation of the policy occurs.
triggered-action Enter the name of the trigger policy you want FortiWeb to No
"<trigger-policy_name>" apply when a violation of the HTTP request method policy default.

config 341
occurs. Trigger policies determine who will be notified by email

when the policy violation occurs, and whether the log message
associated with the violation are recorded. The maximum

set triggered-action ?
allow-method-exception Enter the name of an existing HTTP request method No

"<method-exception_name>" exception, if any, to apply to it. The maximum length is 63 default.
characters.
To display a list of the existing policy, enter:

set allow-method-exception ?
Example
This example allows the HTTP GET and POST methods and rejects others, except according to the exceptions defined
in MethodExceptions1.
config waf allow-method-policy
edit "allowpolicy1"
set allow-method get post
set triggered-action "TriggerActionPolicy1"
set allow-method-exception "MethodExceptions1"
next
end
Related topics
waf application-layer-dos-prevention
Use this command to create an HTTP-layer DoS protection policy. Once you create the policy, reference it in an inline
protection profile that is used by a server policy.
Syntax
config waf application-layer-dos-prevention
edit "<app-dos-policy_name>"
set enable-http-session-based-prevention {enable | disable}
set http-connection-flood-check-rule "<rule_name>"
set http-request-flood-prevention-rule "<rule_name>"
set enable-layer4-dos-prevention {enable | disable}

config 342
set layer4-access-limit-rule "<rule_name>"

set layer4-connection-flood-check-rule "<rule_name>"
next
end
"<app-dos-policy_name>" Enter the name of a new or existing rule. The maximum No


edit ?
Enable to use DoS protection based on session cookies. Also

enable-http-session-
configure http-connection-flood-check-rule
based-prevention disable
{enable | disable} "<rule_name>" (page 342) and http-request-flood-
prevention-rule "<rule_name>" (page 342).
http-connection-flood- Enter the name of an existing rule that sets the maximum No
check-rule "<rule_name>" number of HTTP requests per second to a specific URL. The default.
To display a list of the existing rules, enter:

set http-connection-flood-check-rule ?
This setting applies only if enable-http-session-

based-prevention {enable | disable} (page 342)
is enabled.
Enter the name of an existing rule that limits TCP connections

from the same client. The maximum length is 63 characters.
http-request-flood-
No
prevention-rule "<rule_ set http-request-flood-prevention-rule ?
name>" default.
This setting applies only if enable-http-session-
based-prevention {enable | disable} (page 342)
is enabled.
enable-layer4-dos- Enable to use DoS protection that is not based on session cookies. disable
prevention {enable | Also configure layer4-access-limit-rule "<rule_
disable}
name>" (page 342) and layer4-connection-flood-
check-rule "<rule_name>" (page 343).
Enter the name of a rule that limits the number of HTTP

requests per second from any source IP address. The
layer4-access-limit-rule maximum length is 63 characters. No
"<rule_name>" default.
set layer4-access-limit-rule ?

config 343
This setting applies only if enable-layer4-dos-

prevention {enable | disable} (page 342) is
enabled.
layer4-connection-flood- Enter the name of an existing rule that limits the number of No
check-rule "<rule_name>" TCP connections from the same source IP address. The default.

set layer4-connection-flood-check-rule ?
This setting applies only if enable-layer4-dos-

prevention {enable | disable} (page 342) is
enabled.
Example
This example shows the settings for a DoS protection policy that protects a web portal using existing DoS prevention
rules.
config waf application-layer-dos-prevention
edit "Web Portal DoS Policy"
set enable-http-session-based-prevention enable
set http-connection-flood-check-rule "Web Portal TCP Connect Limit"
set http-request-flood-prevention-rule "Web Portal HTTP Request Limit"
set enable-layer4-dos-prevention enable
set layer4-access-limit-rule "Web Portal HTTP Request Limit"
set layer4-connection-flood-check-rule "Web Portal Network Connect Limit"
next
end
Related topics
l "waf http-connection-flood-check-rule" on page 408
l "waf http-request-flood-prevention-rule" on page 421
l "waf layer4-access-limit-rule" on page 436
l "waf layer4-connection-flood-check-rule" on page 439
waf base-signature-disable
Use this command to disable individual or whole categories of data leak and attack signatures in every signature group
that currently exists.
For example, if you disable a certain signature ID with this command, the signature ID in every signature group you
have defined will be disabled.

config 344
Syntax
config waf base-signature-disable
edit "<signature-ID_name>"
next
end
"<signature-ID_name>" Enter the name of an individual signature or signature No

category ID. The maximum length is 63 characters. default.
For example, to disable the first cross-site scripting attack

signature everywhere it is currently selected, you would enter:
edit 010000001
Example
This example globally disables the XSS signature whose ID is 010000001.
config waf base-signature-disable
edit "010000001"
next
end
Related topics
waf brute-force-login
Use this command to configure brute force login attack sensors.
Brute force attacks attempt to penetrate systems by the sheer number of clients, attempts, or computational power,
rather than by intelligent insight. For example, in brute force attacks on authentication, multiple web clients may rapidly
try one user name and password combination after another in an attempt to eventually guess a correct login and gain
access to the system. In this way, behavior differs from web crawlers, which typically do not focus on a single URL.
Brute force login attack sensors track the rate at which each source IP address makes requests for specific URLs. If the
source IP address exceeds the threshold, the FortiWeb appliance penalizes the source IP address by blocking additional
requests for the time period that you indicate in the sensor.
To apply a brute force login attack sensor, select it within an inline protection profile. For details, see "waf web-
protection-profile inline-protection" on page 518.
You can use SNMP traps to notify you when a brute force login attack is detected. For details, see "system snmp

config 345
Syntax
config waf brute-force-login
edit "<brute-force-login_name>"
config login-page-list
edit <entry_index>
set access-limit-standalone-ip "<rate_int>"
set access-limit-share-ip "<rate_int>"
set host "<allowed-hosts_name>"
set ip-port-enable {enable | disable}
next
end
next
end
"<brute-force-login_ Enter the name of a new or existing brute force login attack No
name>" sensor. The maximum length is 63 characters. default.
To display a list of the existing sensor, enter:

edit ?
severity {High | Medium | Select the severity level to use in logs and reports generated when
High
Low | Info} a violation of the rule occurs.
trigger "<trigger-policy_ Enter the name of the trigger to apply when this policy is No
name>" violated. For details, see "log trigger-policy" on page 101. The default.

set trigger ?
Enter the rate threshold for source IP addresses that are

single clients. Request rates exceeding the threshold will
access-limit-standalone- cause the FortiWeb appliance to block additional requests for
the length of the time in block-period "<seconds_ 1
ip "<rate_int>"
int>" (page 346).
The valid range is 1–10000. To disable the rate limit, enter 0.
access-limit-share-ip Enter the rate threshold for source IP addresses that are 1
"<rate_int>" shared by multiple clients behind a network address

config 346
translation (NAT) device such as a firewall or router. Request

rates exceeding the threshold will cause the FortiWeb
appliance to block additional requests for the length of the
time in the block-period "<seconds_int>" (page
346).
The valid range is 1–10000. To disable the rate limit, enter 0.
Note: Blocking a shared source IP address could block

innocent clients that share the same source IP address with
an offending client. In addition, the rate is a total rate for all
clients that use the same source IP address. For these
reasons, you should usually enter a greater value for this field
than for access-limit-share-ip "<rate_int>"
(page 345).
Enter the length of time for which the FortiWeb appliance will
block additional requests after a source IP address exceeds a
block-period "<seconds_ rate threshold.
60
int>"
The block period is shared by all clients whose traffic
originates from the source IP address. The valid range is from
1 to 10,000 seconds.

HTTP request must be in order to match the sensor. The
host "<allowed-hosts_ No
name>" default.
This setting is applied only if host-status {enable |

host-status {enable | Enable to require that the Host: field of the HTTP request match disable
disable} a protected hosts entry in order to be included in the brute force
login attack sensor’s rate calculations. Also configure host
"<allowed-hosts_name>" (page 346).
Enable to apply the limit of login attempts specified by

access-limit-standalone-ip or access-limit-
share-ip per TCP/IP session.
ip-port-enable {enable |
disable}
When the value is disable, the limit is applied per source disable
IP.
Tip: If you need to cover both possibilities, create two

members.

config 347
request-file "<url_str>" Enter the literal URL, such as /login.php, that the HTTP No
request must match to be included in the brute force login default.
attack sensor’s rate calculations.
The URL must begin with a slash ( / ). Do not include the
name of the web host, such as www.example.com, which is
configured separately in host "<allowed-hosts_
name>" (page 346). The maximum length is 255 characters.
ip-port-enable {enable |
disable}
Example
This example limits IP addresses of individual HTTP clients to 3 requests per second, and NAT IP addresses to 20
requests per second, when they request the file login.php on the host www.example.com on TCP port 8080.
config waf brute-force-login
edit "brute_force_attack_sensor"
config login-page-list
edit 1
set host "www.example.com:8080"
set request-file "/login.php"
set access-limit-share-ip 20
set access-limit-standalone-ip 3
set block-period 120
next
end
next
end
Related topics
waf cookie-security
Use this command to configure FortiWeb features that prevent cookie-based attacks.

config 348
Syntax
config waf cookie-security
edit "<cookie-security_name>"
set security-mode {no |encrypted | signed}
set action {alert |alert_deny | block-period | remove_cookie | deny_no_log}
set block-period <block-period_int>
set severity {High |Medium | Low | Info}
set trigger "trigger-policy_name>"
set cookie-replay-protection-type {no | IP}
set max-age <max-age_int>
set secure-cookie {enable | disable}
set http-only {enable | disable}
set allow-suspicious-cookies{Never |Always | Custom}
set allow-time "<time_str>"
config cookie-security-exception-list
edit <entry_index>
set cookie-domain "<cookie-domain_str>"
set cookie-path "<cookie-path_str>"
end
next
end
"<cookie-security_name>" Enter the cookie security policy name. The maximum length is 63 No
security-mode {no Enter the security mode for the cookie security policy
|encrypted | signed}
l no—FortiWeb does not apply cookie tampering protection or
encrypt cookie values.
l encrypted—Encrypts cookie values the back-end web server

sends to clients. Clients see encrypted cookies only. FortiWeb
decrypts cookies submitted by clients before it sends them to
the back-end server.
l signed—Prevents tampering (cookie poisoning) by tracking

the cookie value. This option requires you to enable Session
Management in the protection policy and the client to support no
cookies. For details, see "waf web-protection-profile inline-
protection" on page 518.
When FortiWeb receives the first HTTP or HTTPS request from

a client, it uses a cookie to track the session. When you select
this option, the session-tracking cookie includes a hash value
that FortiWeb uses to detect tampering with the cookie from
the back-end server response. If FortiWeb determines the
cookie from the client has changed, it takes the specified action
according to action {alert |alert_deny | block-
period | remove_cookie | deny_no_log} (page

config 349
349).
action {alert |alert_deny Select one of the following actions that the FortiWeb
| block-period | remove_ appliance will perform when it detects cookie poisoning:
cookie | deny_no_log}
l alert—Accept the request and generate an alert email
and/or log message.
l alert_deny—Block the request (or reset the connection) and

generate an alert email and/or log message.
You can customize the web page that FortiWeb returns to the
client with the HTTP status code. For details, see "system
replacemsg" on page 294.
l block-period—Block subsequent requests from the client

for a number of seconds. Also configure block-period
<block-period_int> (page 349).
Note: If FortiWeb is deployed behind a NAT load balancer,

when using this option, you must also define an X-header that
indicates the original client’s IP. For details, see "waf x-
forwarded-for" on page 542. Failure to do so may cause
FortiWeb to block all connections when it detects a violation of
alert
this type.
l remove_cookie—Accept the request, but remove the

poisoned cookie from the datagram before it reaches the web
server, and generate an alert and/or log message.
l deny_no_log—Deny a request. Do not generate a log

message.
Caution: This setting will be ignored if monitor-mode

Note: Logging and/or alert email will occur only if enabled

and configured. See config log disk and config log alertemail.
Note: If you select an auto-learning profile with this rule, you

should select alert. If the action is alert_deny, for example,
the FortiWeb appliance will block the request or reset the
connection when it detects an attack, resulting in incomplete
session information for the auto-learning feature. For details
about auto-learning requirements, see "waf web-protection-
profile autolearning-profile" on page 516.
block-period <block- Enter the number of seconds to block a connection when action
period_int> {alert |alert_deny | block-period | remove_
60
cookie | deny_no_log} (page 349) is set to block-
period. The valid range is from 1 to 3,600 seconds.

config 350
severity {High |Medium | Select the severity level to use in logs and reports generated when
Low | Info} High
cookie poisoning is detected.
trigger "trigger-policy_ Enter the name of the trigger to apply when cookie poisoning
name>" is detected. For details, see "log trigger-policy" on page 101.
The maximum length is 63 characters. To display the list of No
existing trigger policies, type: default.
set trigger ?
cookie-replay-protection- Select whether FortiWeb uses the IP address of a request to

type {no | IP} determine the owner of the cookie.
Because the public IP of a client is not static in many

environments, Fortinet recommends that you do not enable no
Cookie Replay.
Available only when security-mode {no |encrypted

| signed} (page 348) is encrypted.
max-age <max-age_int> Set the cookie security attributes. Enter the maximum age, in
minutes, permitted for cookies that do not have an “Expires”
0
or “Max-Age” attribute. To configure no expiry age for cookies,
enter 0.
secure-cookie {enable | Set the cookie security attributes. Enable to add the secure
disable} flag to cookies, which forces browsers to return the cookie disable
only when the request is for an HTTPS page.
http-only {enable | Set the cookie security attributes. Enable to add the HttpOnly flag
disable} to cookies, which prevents client-side scripts from accessing the enable
cookie.
allow-suspicious-cookies Select whether FortiWeb allows requests that contain cookies

{Never |Always | Custom} that it does not recognize or that are missing cookies.
l When security-mode {no |encrypted | signed}

(page 348) is encrypted, suspicious cookies are cookies for
which FortiWeb does not have a corresponding encrypted
cookie value.
l When cookie-replay-protection-type {no | IP} Custom

(page 350) is IP, the suspicious cookie is a missing cookie that
tracks the client IP address.
In many cases, when you first introduce the cookie security

features, cookies that client browsers have cached earlier
generate false positives. To avoid this problem, either select
Never, or select Custom and enter an appropriate date on
which to start taking the specified action against suspicious

config 351
cookies.
l Never—FortiWeb does not take the action specified by action

against suspicious cookies.
l Always—FortiWeb always takes the specified action against
suspicious cookies.
l Custom—FortiWeb takes the specified action against suspicious
cookies starting on the date specified by allow-time "<time_
str>" (page 351). This feature is not available if security-
mode {no |encrypted | signed} (page 348) is signed.
allow-time "<time_str>" Set the date on which FortiWeb starts to take the specified action
No
against suspicious cookies if allow-suspicious-cookies
default.
{Never |Always | Custom} (page 350) is Custom.
<entry_index> Enter the index number of a new or existing entry in the exception No
list of the cookie security policy. default.
cookie-name "<cookie- No
name_str>" Set the exception cookie entry name.
default.
cookie-domain "<cookie- Enter the partial or complete domain name or IP address as it

domain_str>" No
appears in the cookie. For example: www.example.com,
default.
.google.com or 192.0.2.50.
cookie-path "<cookie- Enter the path as it appears in the cookie, such as / or No

path_str>" /blog/folder. default.
Related topics
waf csrf-protection
Use this command to protect against cross-site request forgery (CSRF). CSRF is an attack that exploits the trust that a
site has in a user's browser to transmit unauthorized commands.
The CRSF protection feature is not supported when the operation mode is Offline Protection or Transparent Inspection.
To protect back-end servers from CSRF attacks, you create two lists of items: a list of web pages to protect against
CSRF attacks, and a corresponding list of the URLs found in the requests that the pages generate. For more
information on configuring CSRF protection, including troubleshooting and adding parameter filters, see the FortiWeb
To apply a CSRF protection rule, you select it in an inline protection profile. For details, see "waf web-protection-profile
inline-protection" on page 518.

config 352
Before you configure a CSRF protection rule, if you want to apply it only to HTTP requests for a specific real or virtual
host, you must first define the web host in a protected hosts group. For details, see "server-policy allow-hosts" on page
108.
Syntax
config waf csrf-protection
edit "<csrf-rule_name>"
set action {alert | alert_deny | block-period | deny_no_log}
set block-period <seconds_int>
set trigger <trigger-policy_name>
config csrf-page-list
edit <entry_index>
set host <host_name>
set request-url <url_str>
set parameter-filter {enable | disable}
set parameter-name <parameter-name_str>
set parameter-value-type {plain | regular}
set parameter-value <parameter-value_str>
next
end
config csrf-url-list
edit <entry_index>
set host <host_name>
set request-url <url_str>
set parameter-filter {enable | disable}
set parameter-name <parameter-name_str>
set parameter-value-type {plain | regular}
set parameter-value <parameter-value_str>
next
end
next
end
"<csrf-rule_name>" Enter the name of a new or existing rule. The maximum No


edit ?
action {alert | alert_

Enter the action that FortiWeb takes when it detects a
deny | block-period | alert
deny_no_log} missing or incorrect anti-CSRF parameter:

config 353
l alert—Accept the request and generate an alert email, a log

message, or both.
l alert_deny—Block the request (reset the connection) and
generate an alert email, a log message, or both.
l block-period—Block subsequent requests from the client for
a number of seconds. Also configure block-period
<seconds_int> (page 353).
message.
Note: Logging and alert email occur only if the corresponding

settings are enabled and configured. For details, see "log
disk" on page 73 and "log alertMail" on page 67.
block-period <seconds_ Enter the number of seconds that you want to block 60
int> subsequent requests from the client after the FortiWeb
appliance detects a CSRF attack.
This setting applies only if action {alert | alert_

deny | block-period | deny_no_log} (page 352)
is block-period.
severity {High | Medium | Select the severity level to use in any logs and reports that
Low
Low | Info} FortiWeb generates when a violation of this rule occurs.
trigger <trigger-policy_ Enter the name of the trigger to apply when this rule is No
name> violated. For details, see "log trigger-policy" on page 101. The default.

set trigger ?
No
<entry_index> Enter the index number of the individual entry in the table.
default.
host <host_name> Enter a protected host name (either a web host name or IP No
address) that the Host: field of the HTTP request matches. default.
This setting applies only if host-status {enable |

request-url <url_str> Enter either a literal URL or regular expression, depending on the No

config 354
value of request-type. default.
host-status {enable | Enter enableto apply this rule only to HTTP requests for disable
disable} specific web hosts. Also configure host.
Disable to match the rule based on the URL and any

parameter filter only.
Select whether request-url <url_str> (page 353) contains

request-type
{plain | regular} a literal URL (plain), or a regular expression designed to match plain
multiple URLs (regular).
parameter-filter {enable Enter enable to specify a parameter name and value to match. disable
| disable}
The parameter can be located in either the URL or the HTTP body
of a request.
parameter-name No
<parameter-name_str> Enter the name of the parameter name to match.
default.
parameter-value-type Select whether parameter-value <parameter-value_ plain

{plain | regular} str> (page 354) contains a literal value (plain) or a regular
expression designed to match multiple parameters (regular).
Enter either a literal parameter or regular expression, depending

on the value of parameter-value-type
parameter-value {plain | regular} (page 354). No
<parameter-value_str> default.
To match any parameter value, for parameter-value-type,
enter regular, and for parameter-value, enter * (asterisk).
Example
The web page csrf_login.html contains the following HTML form:
<form name="do_some_action" id="form1" action="csrf_test2.php" method="GET">
<input type="text" name="username" value=""/>
<Input type="text" name="password" value=""/>
<input type="submit" value="do Action"/>
</form>
This form generates the following request when the page is added to the list of pages protected by a CSRF protection
policy:
http://target-site.com/csrf_
test2.php?username=test&password=123&tknfv=3DF5BDCCIG3DCXNTE3RUNCTKRS3E36AD
The CSRF protection feature adds the parameter tknfv with a value that matches the session ID.
To create this example, you add csrf_login.html to the list of pages and /csrf_check2.php to the list of
URLs.

config 355
config waf csrf-protection

edit "csrf_rule1"
set action alert_deny
config csrf-page-list
edit 1
set request-url "csrf_login.html"
set request-type regular
next
end
config csrf-url-list
edit 1
set request-url "/csrf_check2.php"
next
end
next
end
waf custom-access policy
Use this command to configure custom access policies. Custom access policies group custom access rules.
To apply a custom access policy, select it within an inline protection profile or Offline Protection profile. For details, see
"waf web-protection-profile inline-protection" on page 518 or "waf web-protection-profile offline-protection" on page 531.
Syntax
config waf custom-access policy
edit "<custom-policy_name>"
config rule
edit <entry_index>
set rule-name "<custom-rule_name>"
next
end
next
end
"<custom-policy_name>" Enter the name of a new or existing custom policy. The No


edit ?
<entry_index>
range is 1–9,223,372,036,854,775,807. default.

config 356
rule-name "<custom-rule_ Enter the name of the existing custom access rule to add to the No
name>" policy. The maximum length is 63 characters. default.
Example
For an example, see "waf custom-access rule" on page 356.
Related topics
l "waf custom-access rule" on page 356
waf custom-access rule
Use this command to configure custom access rules.
What if you want to allow a web crawler, but only if it is not too demanding, and comes from a source IP that is known to
be legitimate for that crawler? What if you want to allow only a client that is a senior manager’s IP, and only if it hasn’t
been infected by malware whose access rate is contributing to a DoS?
Advanced access control rules provide a degree of flexibility for these types of complex conditions. You can combine any
or all of these criteria:
l Source IP
l User
l Http Session
l Rate limit (including rate limiting for specific types of content)
l HTTP header or response code
l URL
l Predefined or custom attack or data leak signature violation
l Transaction or packet interval timeout
l Real browser enforcement
l CAPTCHA enforcement
In the rule, add all criteria that you require allowed traffic to match.
Before you can apply a custom access rule, you must first group it with any others that you want to apply in a custom
access policy. For details, see "waf custom-access policy" on page 355.
Syntax
config waf custom-access rule
edit "<custom-access_name>"

config 357

set bot-recognition {captcha-enforcement | real-browser-enforcement | disable}
set max-attempt-times <attempts_int>
set validation-timeout <seconds_int>
config access-limit-filter
edit <entry_index>
set access-rate-limit <rate_int>
end
config http-header-filter
edit <entry_index>
set header-name-type {custom | predefined}
set header-field-check {enable | disable}
set predefined-header {host | connection | authorization | x-pad |
cookie | referer | user-agent | X-Forwarded-For | Accept}
set pre-header-type {plain | regular}
set pre-header-rev-match {enable | disable}
set custom-header-name "<key_str>"
set cus-header-type {plain | regular}
set cus-header-rev-match {enable | disable}
set header-value "<value_str>"
set http-method-check {enable | disable}
set http-method-value-type {plain | regular}
set http-method-value "<http-method-value_str>"
set http-method-rev-match {enable | disable}
end
config source-ip-filter
edit <entry_index>
set source-ip <ip_range>
set exclusive-match {no | yes}
end
config user-filter
edit <entry_index>
set reverse-match {no | yes}
set user-name "<user-name_str>"
end
config url-filter
edit <entry_index>
set reverse-match {no | yes}
end
config http-transaction
edit <entry_index>
set http-transation-timeout "<timeout_int>"
end
config response-code
edit <entry_index>
set <response-code_int>
set response-code-max <response-code_int>
end
config content-type
edit <entry_index>
set {text/html text/plain text/xml application/xml application/soap+xml
application/json}
end

config 358
config packet-interval
edit <entry_index>
set packet-interval-timeout <timeout_int>
end
config signature-class
edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 |
060000000 | 090000000| 100000000 | 110000000 | 120000000}
end
config custom-signature
edit <entry_index>
set custom-signature-enable {enable | disable}
set {custom-signature-group | custom-signature}
set "<custom-signature-name_str>"
end
config ftp-security
edit <entry_index>
set custom-signature-enable {enable | disable}
set {custom-signature-group | custom-signature}
set "<custom-signature-name_str>"
end
config occurrence
edit <entry_index>
set occurrence-num "<occurrence_int>"
set within "<within_int>"
set percentage-flag {enable | disable}
set percentage "<percentage_int>"
set traced-by {Source-IP | User | Http-Session}
end
next
end
"<custom-access_name>" Enter the name of a new or existing No default.

custom access rule. The maximum length
is 63 characters.
To display a list of the existing rule, enter:

edit ?
action {alert | alert_deny | Select the specific action to be taken

block-period | deny_no_log} when the request matches the signature.
l alert—Accept the request and

generate an alert email and/or log
message. alert
Note: If type {request |
response} (page 371) is response, it
does not cloak, except for removing
sensitive headers. Sensitive information
in the body remains unaltered.

config 359
l alert_deny—Block the request (or

reset the connection) and generate an
alert email and/or log message. This
option is applicable only if type is
signature-creation.
You can customize the web page that

FortiWeb returns to the client with the
HTTP status code. For details, see
"system replacemsg" on page 294.
l block-period—Block subsequent
requests from the client for a number of
seconds. Also configure block-
period <seconds_int> (page
359).
l deny_no_log—Deny a request. Do
not generate a log message.
Note: If FortiWeb is deployed behind a

NAT load balancer, when using this
option, you must also define an X-
header that indicates the original client’s
IP. Failure to do so may cause FortiWeb
to block all connections when it detects
a violation of this type. For details, see
"waf x-forwarded-for" on page 542.
block-period <seconds_int> Enter the length of time (in seconds) for 60

which the FortiWeb appliance will block
additional requests after a source IP
address violates this rule.
The block period is shared by all clients

whose traffic originates from the source IP
address.
The valid range is 1–10,000 .
severity {High | Medium | Low Select the severity level to use in logs and
| Info} reports generated when a violation of the rule High
occurs.
trigger "<trigger-policy_ Enter the name of the trigger to apply No default.

name>" when this policy is violated. For details,
see "log trigger-policy" on page 101. The
To display the list of existing trigger

config 360
policies, enter:
set trigger ?
bot-recognition {captcha- Select between:

enforcement | real-browser-
enforcement | disable} l captcha-enforcement—
Requires the client to successfully
fulfill a CAPTCHA request. If the
client cannot successfully fulfill
the request within the max
attempt-times, or doesn't
fulfill the request within the
validation-timeout,
FortiWeb applies the action and
sends the CAPTCHA block page.
l real-browser-
enforcement—Enable to return
a JavaScript to the client to test disable
whether it is a web browser or
automated tool when it violates
the access rule. If the client either
fails the test or does not return
results before the timeout
specified by validation-
timeout <seconds_int>
(page 361), FortiWeb applies the
specified action. If the client
appears to be a web browser,
FortiWeb allows the client to
violate the rule.
l disable—Disable this option to

simply apply the access rule.
max-attempt-times <attempts_ If captcha-enforcement is selected 3

int> for bot-recognition {captcha-
enforcement | real-browser-
enforcement | disable} (page
360), enter the maximum number of
attempts that a client may attempt to
fulfill a CAPTCHA request. The valid
range is 1–5.
Available only when captcha-

enforcement is selected for bot-
recognition.

config 361
validation-timeout <seconds_ Specifies the maximum amount of time that

int> FortiWeb waits for results from the web 20
browser test. The valid range is 5–30.
<entry_index> Enter the index number of the individual entry No default.

in the table. The valid range is 1–
9,999,999,999,999,999,999.
access-rate-limit <rate_int> Enter the rate threshold for source IP

addresses.
The valid range is 1–65535. To disable

the rate limit, enter 0.
1
Note: Blocking a shared source IP
address could block innocent clients that
share the same source IP address with an
offending client.
header-name-type {custom | Select whether to define the HTTP header predefined

predefined} filter by selecting a predefined HTTP
header name, or by typing the name of a
custom HTTP header. Also configure
header-value "<value_str>" and,
depending on which you indicate in this
option, either:
l predefined-header {host |
connection | authorization |
x-pad | cookie | referer |
user-agent | X-Forwarded-
For | Accept} (page 361)
l pre-header-type {plain |
regular} (page 362)
l pre-header-rev-match
{enable | disable} (page 362)
l pre-header-rev-match {enable | disable}

l pre-header-rev-match
{enable | disable} (page 362)
l pre-header-rev-match {enable | disable}
header-field-check {enable | Enable/disable checking the HTTP header

disable} No default.
field.
predefined-header {host | Select the name (key) of the HTTP header host
connection | authorization | such as Accept: that must be present in

config 362
x-pad | cookie | referer | order for the request to be allowed.

user-agent | X-Forwarded-
For | Accept} This field appears only if header-name-
type {custom | predefined}
(page 361) is predefined.
pre-header-type {plain | Indicate whether header-value

regular} "<value_str>" (page 363) is a literal
header value (plain) or a regular expression plain
that indicates multiple possible valid header
values (regular).
pre-header-rev-match Indicate how to use predefined- disable

{enable | disable} header {host | connection |
authorization | x-pad |
cookie | referer | user-agent
| X-Forwarded-For | Accept}
(page 361) and header-value
"<value_str>" (page 363) when
determining whether or not this condition
has been met.
l no—If the regular expression does match

the request object, the condition is met.
l yes—If the regular expression does not
match the request object, the condition is
met.
The effect is equivalent to preceding a regular
expression with an exclamation point ( ! ).
If all conditions are met, the FortiWeb
appliance will allow access.
custom-header-name "<key_ Enter the name (key) without the trailing

str>" colon ( : ), such as X-Real-IP, of the
HTTP header that must be present in
order for the request to be allowed. No default.
This field appears only if header-name-
type {custom | predefined}
(page 361) is custom.
cus-header-type {plain | Indicate whether header-value plain

regular} "<value_str>" (page 363) is a literal
header value (plain) or a regular
expression that indicates multiple possible
valid header values (regular).
cus-header-rev-match Indicate how to use custom-header- disable

config 363
{enable | disable} name "<key_str>" (page 362) and

header-value "<value_str>"
(page 363) when determining whether or
not this condition has been met.

the request object, the condition is met.
match the request object, the condition is
met.
If all conditions are met, the FortiWeb
appliance will allow access.
http-method-check Enable HTTP Method Check and configure a disable

{enable | disable} plain string or regular expression for the HTTP
method that FortiWeb will search for in the
header field.
http-method-value-type
Select a plain string or regular string. No default.
{plain | regular}
http-method-value "<http- To prevent accidental matches, specify as No default.

method-value_str>" much of the header’s value as possible. Do not
use an ambiguous substring.
http-method-rev-match When you enable HTTP Method Check, you

{enable | disable} can also enable HTTP Method Reverse
Match so that the request matches the disable
condition if the header does not contain the
HTTP method's exact value or regular
expression.
header-value "<value_str>" Depending on your selection in pre- No default.

header-type {plain | regular}
(page 362), either:
l Type the literal header value, such as

192.0.2.80, your specified HTTP header
must contain in order to match the filter.
Value matching is case sensitive. (If you
require a filter based upon more than one
HTTP header, create multiple entries in the
set, one for each HTTP header.).
l Type a regular expression, such as
192\.0\.2\.*, matching all and only the
header values which accepted HTTP header

config 364
values must match.

For details about language and regular
expression matching, see the FortiWeb
https://docs.fortinet.com/fortiweb/admin-
guides
Tip: To prevent accidental matches,
specify as much of the header’s value as
possible. Do not use an ambiguous
substring.
For example, entering the value

192.0.2.1 would also match the IPs
192.0.2.10-19 and 192.0.2.100-199. This
result may be unintended. The better
solution would be to configure either:
l A regular expression such as ^192.0.2.1$

or
l A source IP condition instead of an HTTP
header condition
source-ip <ip_range> Enter the IP address or IP address range

that specifies the clients that FortiWeb
allows.
For example:
l 1.2.3.4
l 2001::1
l 1.2.3.4-1.2.3.40 No default.
l 2001::1-2001::100
Depending on your configuration of how
FortiWeb will derive the client’s IP (see
"waf x-forwarded-for" on page 542), this
may be the IP address that is indicated in
an HTTP header rather than the IP
header.
exclusive-match {no | Set whether the condition can be met when No

yes} source IP does not match.
reverse-match {no | yes} Indicate how to use user-name

"<user-name_str>" (page 365) when
no
determining whether or not this rule’s
condition has been met.

config 365

the user name, the condition is met.
match the user name, the condition is met.
The effect is equivalent to preceding a
regular expression with an exclamation
point ( ! ).
user-name "<user-name_str>" Enter the user name to match. No default.
request-file "<url_str>" Enter a regular expression that defines

either all matching or all non-matching
URLs. Then, also configure reverse-
match {no | yes} (page 364).
For example, for the URL access rule to

match all URLs that begin with
/wordpress, you could enter
^/wordpress, then, in reverse-
match {yes | no}, select no. No default.
The pattern is not required to begin with a

slash ( / ). The maximum length is 255
characters.
Note: Regular expressions beginning with

an exclamation point ( ! ) are not
supported. Instead, use reverse-
match {yes | no}.
reverse-match {no | yes} Indicate how to use request-file no

"<url_str>" (page 365) when
determining whether or not this rule’s

the request URL, the condition is met.
match the request URL, the condition is met.

http-transation-timeout Enter a timeout value of 1–3600 seconds.

"<timeout_int>"
If the lifetime of a HTTP transaction 5
exceeds this value, the transaction
matches this condition.

config 366
<response-code_int> Specify the start and end code in a range No default.

of HTTP response codes.
To specify a single code, enter the same

value for the start and end codes (for
example, 404-404 or 500-503).
If its HTTP response code is within this

range, the HTTP transaction matches this
condition.
response-code-max <response- Specify the maximum start and end code in a

code_int> No default.
range of HTTP response codes.
{text/html text/plain Specify a file content type to match. application/soap+xml

text/xml application/xml application/xml
application/soap+xml Use with occurrence to detect and (or)text/xml
application/json} control web scraping (content scraping) text/html text/plain
application/json
activity.
packet-interval-timeout Specify the maximum number of seconds

<timeout_int> allowed between packets arriving from
either the client or server (request or
response packets), in seconds. Enter a 1
value from 1 to 60.
If the interval exceeds this value, the

HTTP transaction matches this condition.
{010000000 | 020000000 | Specify the ID of a signature class. No default.

030000000 | 040000000 |
050000000 | 060000000 | Ensure the signature is enabled in
090000000| 100000000 | signature configuration before you use it
110000000 | 120000000}
in an advanced access control rule. For
details, see "waf signature" on page 462.
status {enable | disable} Specify whether the HTTP transaction matches

this condition if it matches the specified disable
signature.
custom-signature-enable Specify whether the current custom signature disable

{enable | disable} filter is enabled.
{custom-signature-group | Specify whether "<custom-signature-

custom-signature} custom-signature-
name_str>" (page 366) specifies a custom
group
signature group or an individual signature.
"<custom-signature-name_str>" Specify the custom signature group or No default.

individual signature to match.

config 367
Ensure the signature is enabled in

signature configuration before you use it
in an advanced access control rule. For
details, see "waf signature" on page 462.
occurrence-num "<occurrence_ Specify the maximum number of times a

int>" transaction can match other filter types in
the current rule during the time period
specified by within.
Enter a value between 1–100,000. 1
If the number of matches exceeds this

threshold, the associated HTTP source
client IP address or client matches this
condition.
within "<within_int>" Specify the time period during which 1

FortiWeb counts the number of times
transactions match other filter types in the
current rule.
Enter a value between 1–600.
percentage-flag {enable | Specify whether the current filter matches

disable} when the rate of matches with other filter types
disable
in the current rule exceeds the percentage
"<percentage_int>" (page 367).
percentage "<percentage_int>" The maximum rate of matches with other No default.

filter types in the current rule, expressed
as percent of hits.
If percentage-flag {enable |
disable} (page 367) is enabled and the
number of matches exceeds this
threshold, the associated HTTP source
client IP address or client matches this
condition.
traced-by {Source-IP | User | Specify whether FortiWeb determines the

Http-Session} rate at which a transaction matches other
filter types in the current rule by counting
matches by source client IP address or by
client. source-ip
To specify user, ensure that the value of
http-session-management
enable.

config 368
Example
This example allows access to URLs beginning with “/admin”, but only if they originate from 192.0.2.5, and only if
the client does not exceed 5 requests per second.
Clients that violate this rule will be blocked for 60 seconds (the default duration). The violation will be logged in the
attack log using severity_level=High, and all servers configured in notification-servers1 will be used to
notify the network administrator.
config waf custom-access rule
edit "combo-IP-rate-URL-rule1"
set action block-period
set severity High
set trigger "notification-servers1"
config access-limit-filter
edit 1
set access-rate-limit 5
next
end
config source-ip-filter
edit 1
set source-ip "192.0.2.5"
next
end
config url-filter
edit 1
set request-file "/admin*"
next
end
next
end
config waf custom-access policy
edit "combo-IP-rate-URL-policy1"
config rule
edit 1
set rule-name "combo-access-rate-rule1"
next
end
next
end
Related topics
l "waf custom-access policy" on page 355
waf custom-protection-group
Use this command to configure custom protection groups, creating sets of custom protection rules that can be used with
attack signatures (“server protection rule”).

config 369
Before you can configure this command, you must first define your custom data leak and attack signatures. For details,
see "waf custom-protection-rule" on page 370.
Syntax
config waf custom-protection-group
edit "<custom-protection group_name>"
config type-list
edit <entry_index>
set custom-protection-rule "<rule_name>"
next
end
next
end
"<custom-protection Enter the name of a new or existing group. The maximum No

group_name>" length is 63 characters. default.
To display the list of existing group, enter:

edit ?
<entry_index>
range is 1–9,999,999,999,999,999,999. default.
custom-protection-rule Enter the name of the custom protection rule to associate with No
"<rule_name>" the custom protection group. The maximum length is 63 default.
characters.

set custom-protection-rule ?
Example
This example groups custom protection rule 1 and custom protection rule 3 together within
Custom Protection group 1.
config waf custom-protection-group
edit "Custom Protection group 1"
config type-list
edit 1
set custom-protection-rule "custom protection rule 3"
next
edit 3
set custom-protection-rule "custom protection rule 1"
next
end
next
end

config 370
Related topics
l "waf custom-protection-rule" on page 370
waf custom-protection-rule
Use this command to configure custom data leak and attack signatures.
Before you enter custom signatures via the CLI, first enable .
To use your custom signatures, you must first group them so that they can be included in a rule. For details, see "waf
custom-protection-group" on page 368.
Syntax
config waf custom-protection-rule
edit "<custom-protection rule_name>"
set type {request | response}
set action {alert | alert_deny | alert_erase | redirect | block-period | send_
http_response | only_erase | deny_no_log}
set trigger "<trigger-policy_"name>
config meet-condition
edit <entry_index>
set operator {RE | GT | LT | NE | EQ}
set request-target {REQUEST_FILENAME REQUEST_URI REQUEST_HEADERS_NAMES
REQUEST_HEADERS REQUEST_COOKIES_NAMES REQUEST_COOKIES ARGS_NAMES ARGS_
VALUE REQUEST_RAW_URI REQUEST_BODY CONTENT_LENGTH HEADER_LENGTH BODY_
LENGTH COOKIE_NUMBER ARGS_NUMBER HTTP_METHOD}
set response-target {RESPONSE_BODY RESPONSE_HEADER CONTENT_LENGTH HEADER_
LENGTH BODY_LENGTH RESPONSE_CODE}
set threshold <threshold_int>
set case-sensitive {enable | disable}
set expression <regex_pattern>
next
end
next
end
"<custom-protection rule_ Enter the name of the new or existing custom signature. The No
name>"

config 371

edit ?
type {request | response} Specify the type of regular expression:
l request—The expression is an attack signature.

request
l response—The expression is a server information
disclosure signature.
action {alert | alert_ Select the specific action to be taken when the request alert
deny | alert_erase | matches the this signature.
redirect | block-period |
send_http_response | l alert—Accept the request and generate an alert email
only_erase | deny_no_log}
and/or log message.
Note: If type {request | response} (page 371) is

response, it does not cloak, except for removing sensitive
headers. Sensitive information in the body remains
unaltered.
l alert_deny—Block the request (or reset the connection)

and generate an alert email and/or log message. This option
is applicable only if type is signature-creation.
You can customize the web page that FortiWeb returns to

the client with the HTTP status code. For details, see
l alert_erase—Hide replies with sensitive information

(sometimes called “cloaking”). Block the reply (or reset the
connection) or remove the sensitive information, and
If the sensitive information is a status code, you can

customize the web page that FortiWeb returns to the client
with the HTTP status code. For details, see "system
Note: This option is not fully supported in Offline Protection

mode. Effects will be identical to alert; sensitive
information will not be blocked or erased.
l block-period—Block subsequent requests from the

client for a number of seconds. Also configure block-
period <seconds_int> (page 426).

when using this option, you must also define an X-header
that indicates the original client’s IP. Failure to do so may

config 372
cause FortiWeb to block all connections when it detects a

violation of this type. For details, see "waf x-forwarded-for"
on page 542.
l redirect—Redirect the request to the URL that you

specify in the protection profile and generate an alert email
and/or log message. Also configure redirect-url
"<redirect_fqdn>" (page 529) and rdt-reason
l send_http_response—Block and reply to the client with

an HTTP error message, and generate an alert email, a log
message, or both.
l only_erase—Hide replies with sensitive information

(sometimes called “cloaking”). Block the reply (or reset the
connection) or remove the sensitive information without
generating an alert email and/or log message. This option is
applicable only if type is response; and this option is not
supported in Offline Protection mode.


message.

Note: Logging and/or alert email will occur only if enabled and
configured. For details, see "log disk" on page 73 and "log
alertMail" on page 67.
Note: If an auto-learning profile will be selected in the policy

with Offline Protection profiles that use this rule, you should
select alert. If the action {alert | alert_deny |
alert_erase | redirect | block-period |
send_http_response | only_erase | deny_no_
log} (page 371) is alert_deny, the FortiWeb appliance
will reset the connection when it detects an attack, resulting in
incomplete session information for the auto-learning feature.
For details about auto-learning requirements, see "waf web-
protection-profile autolearning-profile" on page 516.
block-period <seconds_ If action {alert | alert_deny | alert_ 1

int> erase | redirect | block-period | send_
http_response | only_erase | deny_no_log}

config 373
(page 371) is block-period, enter the number of seconds

that you want to block subsequent requests from the client
after the FortiWeb appliance detects that the client has
violated the rule. For details about viewing the list of currently
blocked clients, see the FortiWeb Administration Guide:
severity {High | Medium | When rule violations are recorded in the attack log, each log
Low | Info} message contains a Severity Level (severity_level) field.
Medium
Select which severity level the FortiWeb appliance will use when it
logs a violation of the rule.
trigger "<trigger-policy_ Select which trigger policy, if any, that the FortiWeb appliance No
"name> will use when it logs and/or sends an alert email about a default.
violation of the rule. For details, see log trigger-
policy (page 101).

set trigger ?
The valid range is from 1–9,999,999,999,999,999,999. default.
operator {RE | GT | LT | l RE—The signature matches when the value of a selected target RE
NE | EQ} in the request or response matches the value of expression.
l GT—The signature matches when specified target has a value
greater than the value of threshold.
l LT—The signature matches when specified target has a value
less than the value of threshold.
l NE— The signature matches when specified target has a
different value than threshold.
l EQ— The signature matches when specified target has the same
value as threshold.
request-target {REQUEST_
FILENAME REQUEST_URI Enter the name of one or more locations in the HTTP request
REQUEST_HEADERS_NAMES to scan for a signature match.
REQUEST_HEADERS REQUEST_ No
COOKIES_NAMES REQUEST_ For example, ARGS_NAMES for the names of parameters or default.
COOKIES ARGS_NAMES ARGS_ REQUEST_COOKIES for strings in the HTTP Cookie:
VALUE REQUEST_RAW_URI
header.
REQUEST_BODY CONTENT_

config 374
LENGTH HEADER_LENGTH
BODY_LENGTH COOKIE_NUMBER
ARGS_NUMBER HTTP_METHOD}
response-target Enter the name of one or more locations in the HTTP response to No
{RESPONSE_BODY RESPONSE_ scan for a signature match. default.
HEADER CONTENT_LENGTH
HEADER_LENGTH BODY_LENGTH
RESPONSE_CODE}
threshold <threshold_int> Enter the value that FortiWeb compares to the target value to No
determine if a request or response matches. default.
case-sensitive {enable | Enable to differentiate upper case and lower case letters disable
disable} when evaluating the web server’s response for data leaks
according to expression <regex_pattern> (page
374).
For example, when enabled, an HTTP reply containing the

phrase Credit card would not match an expression that
looks for the phrase credit card (difference highlighted in
bold).
expression <regex_ When operator {RE | GT | LT | NE | EQ} (page

pattern> 373) is RE, type a regular expression that matches either an
attack from a client or a data leak from the server.
If action is Alert & Erase, enclose the portion of the regular

expression to erase in brackets.
For example, the following command erases the expression

"webattack" from the response packet:
edit "test"
No
set type response
set action alert_erase default.
edit 1
set response-target RESPONSE_BODY
set expression "(webattack)"
next
end
next
end
To prevent false positives, it should not match anything else.

The maximum length is 2,071 characters.

config 375
Example
This example configures a signature to detect and block an LFI attack that uses directory traversal through an
unsanitized controller parameter in older versions of Joomla. Each time it detects an attack, the trigger policy
named notification-servers1 sends an alert email and attack log messages whose severity level is High.
edit "Joomla_controller_LFI"
set type request
set severity High
edit 1
set request-target REQUEST_RAW_URI
set expression "^/index\.php\?option=com_ckforms\&controller=(\.\.\/)+?"
next
end
next
end
Related topics
l "waf custom-protection-group" on page 368
waf device-reputation
Use this command to create or edit a device reputation security policy.
When Device Tracking is enabled and a device reputation security policy is selected, FortiWeb evaluates the reputation
of client devices that trigger security violations. If a device triggers a security violation in a device reputation security
policy, it will acquire a lower device reputation. Access to networks and servers can be managed according to a device's
reputation.
For information on device reputation security policies, see the FortiWeb Administration Guide:
Syntax
config waf device-reputation reputation-security-policy
set action-for-high-level {alert | alert_deny | block-period | deny_no_log}
set action-for-low-level {alert | alert_deny | block-period | deny_no_log}
set action-for-medium-level {alert | alert_deny | block-period | deny_no_log}
set action-for-unindentified {alert | alert_deny | block-period | using_local_
action | deny_no_log}
set high-level-score-begin <weight_int>
set low-level-score-end <weight_int>

config 376
set reputation-exception-rule "<rule_name>"

next
config waf device-reputation reputation-exceptions
edit "<exception_name>"
config reputation-exceptions-list
edit <ID_int>
set feature-name "<exception_name>"
next
delete <ID_int>
purge <y/n>
end
next
end
"<policy_name>" Enter the name of the device reputation security policy to be No

created or edited. The maximum length is 63 characters. default.
Set the action for a device based on its risk level. The options
action-for-high-level are:
{alert | alert_deny alert_
| block-period | deny_no_ l alert—Accept the request and generate an alert email and/or deny
log}
log message.
action-for-low-level
You can customize the web page that returns to the
{alert | alert_deny
client with the HTTP status code. For details, see the alert
| block-period | deny_no_
log} FortiWeb Administration Guide:
action-for-medium-level
{alert | alert_deny a number of seconds. Also configure Block Period. alert_
| block-period | deny_no_ You can customize the web page that returns to the deny
log}
client with the HTTP status code. For details, see the
action-for-unindentified
{alert | alert_deny l using_local_action—Takes the local action specified in a using_
| block-period | using_ protection profile. local_
local_action | deny_no_ action
log} l deny_no_log—Deny a request. Do not generate a log
message.
high-level-score-begin Sets the weight range for a high risk level. The acceptable 200
<weight_int> range is 3–1000.
low-level-score-end Sets the weight range for a low risk level. The acceptable
<weight_int> 50
range is 2–1000.
reputation-exception-rule Enter the name of the device reputation exceptions, if any. No

config 377
Enter the name of the device reputation exception to be created or No

"<exception_name>"
edited. The maximum length is 63 characters. default.
<ID_int> Enter the Security Feature Name ID to be created or edited. No

default.
Enter the name of the security feature name to be included as

a reputation exception. The available security feature names
are:
l bad_robot
l cookie_security_policy
l cross_site_scripting
l cross_site_scripting_extended
l csrf_protection
l custom_policy
l custom_signature
l dos_protection
l file_upload_restriction
l generic_attacks
feature-name "<exception_ No
l generic_attacks_extended
name>" default.
l hidden_field_protection
l http_protocol_constraints
l illegal_json_format
l illegal_xml_format
l ip_reputation
l know_exploits
l padding_oracle_protection
l parameter_validation
l sql_injection
l sql_injection_extended
l sql_injection_syntax
l trojans
l user_tracking
delete <ID_int> Deletes a security feature from the list of device reputation No
exceptions according to its ID. default.
No
purge <y/n> Deletes all security feature exceptions.
default.

config 378
Example
This example creates a device reputation security policy and defines a device reputation exception.
config waf device-reputation reputation-security-policy
edit "<policy1>"
set action-for-high-level alert_deny
set action-for-low-level alert
set action-for-medium-level alert
set action-for-unindentified block-period
set block-period-unindentified-level 60
set high-level-score-begin 300
set low-level-score-end 100
set reputation-exception-rule "<exception_rule1>"
next
end
config waf device-reputation reputation-exceptions
edit "<exception1>"
config reputation-exceptions-list
edit 1
set feature-name trojans
next
end
end
Related Topics

l "server-policy pattern threat-weight" on page 139
waf exclude-url
Use this command to configure URLs that are exempt from a file compression or file decompression rule.
To apply an exclusion, include it in a compression or decompression rule. For details, see "waf file-compress-rule" on
page 380 or "waf file-uncompress-rule" on page 382.
Syntax
config waf exclude-url
edit "<rule_name>"
config exclude-rules
edit <entry_index>
set host "<protected-host_name>"
next

config 379
end
next
end
"<rule_name>" Enter the name of a new or existing exception. The maximum No

To display a list of the existing exceptions, enter:

edit ?
<entry_index>
host "<protected-host_ Enter the name of a protected host that the Host: field of an No
name>" HTTP request must be in order to match the exception. The default.

Enable to apply this exception only to HTTP requests for

specific web hosts. Also configure host "<protected-
host-status {enable | host_name>" (page 379). disable
disable}
Disable to match the exception based upon the other criteria,
such as the URL, but regardless of the Host: field.
request-file "<url_str>" Enter the literal URL, such as /archives, to which the exception No
applies. The URL must begin with a slash ( / ). Do not include the default.
name of the host, such as www.example.com, which is
configured separately using host. The maximum length is 255
characters.
Example
This example configures two exclusion rules, one for compression and the other for decompression. Either rule can be
referenced by name in a file compression or file decompression rule.
config waf exclude-url
edit "Compression Exclusion"
edit 1
set host "192.0.2.2"
set request-file "/archives"
next
end
next
edit "Decompression Exclusion"
edit 1

config 380

set request-file "/products.cfm"
next
end
next
end
Related topics
l "waf file-compress-rule" on page 380
l "waf file-uncompress-rule" on page 382
waf file-compress-rule
Use this command to compress specific file types in HTTP replies.
Compression can reduce bandwidth, which can reduce delivery time to end users. Modern browsers automatically
decompress files before they display web pages.
You can configure most web servers to compress files when they respond to a request. However, if you do not want to
configure each of your web servers separately, or if you want to offload compression for performance reasons, you can
configure FortiWeb to do the compression.
By default, the maximum pre-compressed file size is 64 KB. FortiWeb transmits files larger than the maximum without
compression. You can use the config system advanced command’s max-cache-size setting to adjust the
maximum files size. For details, see "system advanced" on page 208.
To apply a compression rule, select it in an inline protection profile. For details, see "waf web-protection-profile inline-
Syntax
edit "<rule_name>"
set compression-type {gzip | brotli}
set compression-level {level1 | level2 | level3 | level4 | level5 | level6 |
level7 | level8 | level9 | level10 | level11}
set exclude-url "<exclusion-rule_name>"
next
end
config content-types
edit "<content-types_id>"
set content-type "<content-type_name>"
end

config 381

edit ?
<entry_index>
range is 1–9,999,999,999,999,999,999. default.
compression-type {gzip | Set the file compression type. No

brotli} default.
compression-level {level1
| level2 | level3 |
level4 | level5 | level6 No
| level7 | level8 | Set the compression level for the file to be compressed.
default.
level9 | level10 |
level11}
content-type "<content- Enter one of the following content types to compress it: No
type_name>" default.
l text/plain
l text/html
l application/xml(or)text/xml
l application/soap+xml
l application/x-javascript
l text/css
l application/javascript
l text/javascript
l application/json
l application/rss+xml
To compress multiple file types, add each file type in a

separate table entry with its own <entry_index> (page
381). See "Example" on page 381.
Enter the name of an exclusion to use with the rule, if any. For
exclude-url "<exclusion- No
rule_name>" details, see "waf exclude-url" on page 378. The maximum length is
default.
63 characters.
Example
This example configures a file compression rule that compresses CSS and HTML files, unless they match one of the
URLs in the exception named “Compression Exclusion 1.”
edit "file-compress-rule_name"
set compression-type gzip
set compression-level level2

config 382
set content-types
edit 1
set content-type text/css
next
edit 2
set content-type text/html
next
end
set exclude-url "Compression Exclusion 1"
next
end
Related topics
l "waf exclude-url" on page 378
waf file-uncompress-rule
Use this command to decompress a file that was already compressed by a protected web server.
Since the FortiWeb appliance cannot scan compressed files in order to perform features such as data leak prevention,
you can configure the FortiWeb appliance to decompress files based on the file type.
By default, the maximum file size that FortiWeb can decompress is 64 KB. FortiWeb
does not scan files larger than the maximum.
You can use the config system advanced command’s max-cache-size

setting to adjust the maximum files size. For details, see "system advanced" on page
208.
All decompressed files are recompressed after being scanned. As such, unlike "waf file-compress-rule" on page 380, the
effects of this command will not be visible to end-users.
To exclude specific URLs, see "waf exclude-url" on page 378.
To apply a decompression rule, select it in an inline or Offline Protection profile. For details, see "waf web-protection-
profile inline-protection" on page 518 or "waf web-protection-profile offline-protection" on page 531.
Syntax
edit "<rule_name>"
config content-type
edit <entry_index>
set content-type "<content-type_name>"
next
end
set exclude-url "<exclusion-rule_name>"
next

config 383
end

edit ?
<entry_index>
range is 1–9,999,999,999,999,999,999. default.
content-type "<content- Specify one of the following content types: No

type_name>" default.
l text/plain
l text/html
l application/xml(or)text/xml
l application/soap+xml
l application/x-javascript
l text/css
l application/javascript
l text/javascript
l application/json
l application/rss+xml
To compress multiple file types, add each file type in a

separate table entry with its own <entry_index> (page
383). See "Example" on page 383.
Enter the name of an exclusion to use with the rule, if any. For
exclude-url "<exclusion- No
rule_name>" details, see "waf exclude-url" on page 378. The maximum length is
default.
63 characters.
Example
The following example creates a decompression rule with two content types and one exclusion rule.
edit "Online Store Uncompress Rule"
config content-types
edit 1
set content-type application/soap+xml
next
edit 2
set content-type application/xml(or)text/xml
next
end
set exclude-url "Uncompress Exclusion"
next
end

config 384
Related topics
l "waf exclude-url" on page 378
waf file-upload-restriction-policy
Use this command to set file security policies that FortiWeb will use to manage the types of files that can be uploaded to
your web servers.
The policies are composed of individual rules set using the config server-policy custom-application
application-policy (page 110) command. Each rule identifies the host and/or URL to which the restriction
applies and the types of files allowed. To apply a file security policy, select it within an inline or Offline Protection profile.
Syntax
config waf file-upload-restriction-policy
edit "<file-upload-restriction-policy_name>"
set trigger <trigger-policy_name>
set trojan-detection {enable | disable}
set av-scan {enable | disable}
set fortisandbox-check {enable | disable}
set hold-session-while-scanning-file {enable | disable}
set exchange-mail-detection {enable | disable}
set owa-protocol {enable | disable}
set activesync-protocol {enable | disable}
set mapi-protocol {enable | disable}
config rule
edit <entry_index>
set file-upload-restriction-rule <rule_name>
next
end
next
end
"<file-upload- Enter the name of an existing or new file security policy. The No
restriction-policy_name>" maximum length is 63 characters. default.

edit ?

config 385
Enter the action you want FortiWeb to perform when the

policy is violated:
l alert—Accept the request and generate an alert and/or

log message.

and generate an alert email and/or log message.

"system replacemsg" on page 294 and the FortiWeb

message.
deny | block-period | Note: If FortiWeb is deployed behind a NAT load balancer, alert
deny_no_log} when using this option, you must also define an X-header
on page 542.


and configured. For details, see "log disk" on page 73 and "log

select alert. If the action is alert_deny, the FortiWeb
appliance will reset the connection when it detects an attack,
resulting in incomplete session information for the auto-
learning feature. For details about auto-learning
requirements, see "waf web-protection-profile autolearning-
profile" on page 516.
block-period <seconds_ If action {alert | alert_deny | block-period | 1

int> deny_no_log} (page 385) is block-period, type the number
of seconds that violating requests will be blocked. The valid range
is 1–3,600.
severity {High | Medium | Select the severity level to use in logs and reports generated when Low

config 386
trigger <trigger-policy_ Enter the name of the trigger to apply when this policy is No
name> violated. For details, see "log trigger-policy" on page 101. The default.
To display the list of existing triggers, enter:

set trigger ?
Enter enable to scan for Trojans.
trojan-detection Attackers may attempt to upload Trojan horse code (written in

disable
{enable | disable} scripting languages such as PHP and ASP) to the back-end web
servers. The Trojan then infects clients who access an infected
web page.
av-scan {enable | Enter enable to scan for viruses, malware, and greyware. disable
disable}
Enter enable to send matching files to FortiSandbox for

evaluation.
Also specify the FortiSandbox settings for your FortiWeb. For

details, see "system fortisandbox" on page 257.
fortisandbox-check
disable
{enable | disable} FortiSandbox evaluates the file and returns the results to
FortiWeb.
If trojan-detection {enable | disable} (page 386) is

enable and FortiWeb detects a virus, it does not send the file to
FortiSandbox.
exchange-mail-detection Enter enable so that FortiWeb will scan email attachments disable
{enable | disable} in applications using OWA or ActiveSync protocols. If
enabled, FortiWeb will perform Trojan detection, an antivirus
scan, and will send the attachments to FortiSandbox.
Note: To perform Trojan detection, an antivirus scan, and

send attachments to FortiSandbox, you must enable
trojan-detection {enable | disable} (page
386), trojan-detection {enable | disable}
(page 386), and fortisandbox-check {enable |
disable} (page 386), respectively, in the file security policy.
Available only when exchange-mail-detection {enable

owa-protocol {enable | disable} (page 386) is set to enable. If enabled, FortiWeb
disable
| disable} will scan attachments in Exchange Email sent and received via a
web browser login.

config 387
activesync-protocol Available only when exchange-mail-detection {enable disable

{enable | disable} | disable} (page 386) is set to enable. If enabled, FortiWeb
will scan attachments in Exchange Email sent and received via a
mobile phone login.
<entry_index>
file-upload-restriction- Enter the name of an upload restriction rule to use with the No
rule <rule_name> policy, if any. For details, see "server-policy custom- default.
application application-policy" on page 110. The maximum

set file-upload-restriction-rule ?
Enable it, and FortiWeb waits for up to 30 minutes. If FortiWeb

holds the session for over 30 minutes while FortiSandbox scans
hold-session-while-
the file in the request, FortiWeb will forward the session without
scanning-file disable
{enable | disable}
taking any other actions.
This option is available only when you enable Send files to
FortiSandbox.
mapi-protocol {enable FortiWeb will scan attachments in Email sent and received via the disable
| disable} Messaging Application Programming Interface (MAPI), a new
transport protocol implemented in Microsoft Exchange Server 2013
Service Pack 1 (SP1).
Available only when Scan attachments in Email is enabled.
Related topics
l "system fortisandbox" on page 257
waf file-upload-restriction-rule
Use this command to define the specific host and request URL for which file upload restrictions apply, and define the
specific file types that can be uploaded to that host or URL.
To apply the rule, select it in a file security policy. For details, see "waf file-upload-restriction-policy" on page 384.

config 388
Syntax
config waf file-upload-restriction-rule
edit "<file-upload-restriction-rule_name>"
set request-file "<url_pattern>"
set request-type {regular | plain}
[set file-size-limit <size_int> ]
config file-types
edit <entry_index>
set file-type-id "<id_str>"
set file-type_name "<file-type-extension_str>"
next
end
next
end
"<file-upload- Enter the name of a new or existing rule. The maximum No

restriction-rule_name>" length is 63 characters. default.

edit ?
Enable to apply this exception only to HTTP requests for

host-status {enable | specific web hosts.
disable
disable}
host "<protected-host_ Enter the name of a protected host that the Host: field of an No
name>" HTTP request must be in order to match the rule. The default.


{regular | plain} (page 389), type either:
l The literal URL, such as /fileupload, that the HTTP

request must contain in order to match the signature
exception. The URL must begin with a slash ( / ).
request-file "<url_ No
pattern>" l A regular expression, such as ^/*.php, matching all and
default.
only the URLs to which the signature exception should
apply. The pattern is not required to begin with a slash ( / ).
However, it must at least match URLs that begin with a
slash, such as /index.cfm.

config 389
www.example.com, which is configured separately in

analyzer-policy "<fortianalyzer-policy_
name>" (page 102). The maximum length is 255 characters.

request-type {regular | Select whether analyzer-policy "<fortianalyzer- plain

plain} policy_name>" (page 102) will contain a literal URL (plain),
or a regular expression designed to match multiple URLs
(regular).
Optionally, enter a number to represent the maximum size in

file-size-limit <size_
int> kilobytes for any individual file. This places a size limit on allowed 0
file types. The valid range is 0–30720 KB.
<entry_index> Enter the index number of the individual entry in the table. Each No
entry in the table can define one file type. The valid range is 1– default.
9,999,999,999,999,999,999.
Select the numeric type ID that corresponds to the file type.

Recognized IDs are updated by FortiGuard services and may
vary. For a list of available IDs, select all file types in the GUI,
then use the CLI to view their corresponding IDs. Common
IDs include:
l 00001 (GIF)
l 00002 (JPG)
l 00003 (PDF)
l 00004 (XML)
No
file-type-id "<id_str>"
l 00005 (MP3) default.
l 00006 (MIDI)
l 00007 (WAVE)
l 00008 (FLV for a Macromedia Flash Video)
l 00009 (RAR)
l 00010 (ZIP)
l 00011 (BMP)
l 00012 (RM for RealMedia)

config 390
l 00013 (MPEG for MPEG v)
l 00014 (3GPP)
file-type_name "<file- Enter the extension, such as MP3, of the file type to allow to No
type-extension_str>" be uploaded. Recognized file types are updated by default.
FortiGuard services and may vary. For a list of available
names, use the GUI.
Note: Microsoft Office Open XML file types such as .docx,

xlsx, .pptx, and .vsdx are a type of ZIP-compressed XML. If
you specify restrictions for them, those signatures will take
priority. However, if you do not select a MSOOX restriction
but do have an XML or ZIP restriction, the XML and ZIP
restrictions will still apply, and the files will still be restricted.
Example
This example allows both MPEG and FLV files uploaded to the URL /file-uploads on the host
www.example.com.
config waf file-upload-restriction-rule
edit "file-upload-rule1"
set request-file "/file-uploads"
config file-types
edit 1
set file-type-id "00013"
set file-type-name "MPEG"
next
edit 2
set file-type-id "00008"
set file-type-name "FLV"
next
end
next
end
Related topics
waf ftp-command-restriction-rule
Use this command to create FTP command restriction rules to specify acceptable FTP commands that clients can use
to communicate with your server(s). Certain FTP commands can expose your server(s) to attack. For example, because

config 391
attackers can exploit the PORT command to carry out FTP bounce attacks, restricting the PORT command can harden
your network's security if you're using FTP.
For details about applying an FTP command restriction rule to an FTP server policy, see waf ftp-propredefined-global-
white-listtection-profile.
If ftp-security isn't enabled in feature-visibility, you must enable it

before you can create an FTP command restriction rule. To enable ftp-security,
see "system feature-visibility" on page 247.
Syntax
config waf ftp-command-restriction-rule
edit "<rule_name>"
set block-period <block_period_int>
set severity {High | Info | Low | Medium}
set trigger "<policy_name>"
next
end
config command-types
edit <entry_index>
set command-type <ftp_command>
next
end
"<rule_name>" Enter a unique name that can be referenced in other parts No

of the configuration. Don't use spaces or special characters. default.
Enter an index number of the individual entry in the table.

The valid range is 1–999,999,999,999,999,999. No
<entry_index>
You must create an entry index for each FTP command that default.
you plan to include in the rule.
command-type <ftp_ Enter an FTP command that you want to include in the rule. No
command> You can include these FTP commands in the rule: default.
l ABOR l MLSD l RNTO

l ACCT l MODE l SITE
l ALLO l NLST l SIZE
l APPE l OPTS l SMNT

config 392
l AUTH l PASS l STAT

l CDUP l PASV l STOR
l CWD l PORT l STOU
l DELE l PROT l STRU
l EPRT l PWD l SYST
l EPSV l QUIT l TYPE
l FEAT l REIN l USER
l HELP l REST l XCUP
l LIST l RETR l XMKD
l MDTM l RMD l XPWD
l MKD l RNFR l XRMD
Select which action FortiWeb will take when it detects a

violation of the rule:
l alert—Accept the connection and generate an alert

email and/or log message.
l alert_deny—Block the request (or reset the

connection) and generate an alert and/or log message.
deny | block-period l deny_no_log—Block the request (or reset the alert
| deny_no_log}
connection).

client for a number of seconds. Also configure waf ftp-
command-restriction-rule (page 390).
Note: This setting will be ignored if "server-policy policy" on
page 157is enabled in a server policy.
block-period <block_ Enter the number of seconds that you want to block 60
period_int> subsequent requests from a client after FortiWeb detects
that the client has violated the rule. The valid range is 1–
3,600.
This setting is available only if action {alert | alert_deny |

block-period | deny_no_log} (page 392) is set to
block-period.
When rule violations are recorded in the attack log, each log
message contains a Severity Level (severity_level)
severity {High | Info
field. Select which severity level FortiWeb will use when it
logs a violation of the rule: Medium
| Low | Medium}
l Info
l Low

config 393
l Medium
l High
trigger "<policy_name>" Enter the name of a trigger policy, if any, that FortiWeb will No
use when it logs and/or sends an alert email about a default.
violation of the rule.
Related Topic
l "waf ftp-file-security" on page 393
waf ftp-file-security
Use this command to create FTP file check rules so that FortiWeb places restrictions on uploading or downloading files
and scans files that clients attempt to upload to or download from your server(s). When configured, FortiWeb can also
send files to FortiSandbox for analysis and perform an antivirus scan.
For details about applying an FTP file check rule to an FTP server policy, see waf ftp-propredefined-global-white-
listtection-profile.
If ftp-security isn't enabled in feature-visibility, you must enable it

before you can create an FTP file check rule. To enable ftp-security, see
"system feature-visibility" on page 247.
Syntax
config waf ftp-file security
edit "<rule_name>"
set severity {High | Info | Low | Medium}
set trigger "<policy_name>"
set check-dir {both | download | upload}
set "waf ftp-file-security" on page 395
set send-files-to-fortisandbox {enable | disable}
next
end

config 394
"<rule_name>" Enter a unique name that can be referenced in other parts No

of the configuration. Don't use spaces or special characters. default.
Select which action FortiWeb will take when it detects a

l alert—Accept the connection and generate an alert


deny | block-period l deny_no_log—Block the request (or reset the alert_deny
| deny_no_log} connection).

client for a number of seconds. Also configure waf ftp-
file-security (page 393).
Note: This setting will be ignored if monitor-mode
{enable | disable} (page 157) is enabled in a server
policy.
block-period <block_ Enter the number of seconds that you want to block 60
period_int> subsequent requests from a client after FortiWeb detects
that the client has violated the rule. The valid range is 1–
3,600.
This setting is available only if waf ftp-file-security (page

393) is set to block-period.
field. Select which severity level FortiWeb will use when it
logs a violation of the rule:
severity {High | Info
Medium
| Low | Medium} l Info
l Low
l Medium
l High
trigger "<policy_name>" Enter the name of a trigger policy, if any, that FortiWeb will No
use when it logs and/or sends an alert email about a default.
violation of the rule.
Select one of the following:

check-dir {both
both—FortiWeb applies the rule to files being either upload
| download | upload} l
downloaded from or uploaded to your server(s).

config 395
l download—FortiWeb applies the rule to files being

downloaded from your server(s).
l upload—FortiWeb applies the rule to files being uploaded to
your server(s).
av-scan {enable Enable so that FortiWeb performs an antivirus scan on files disable
| disable} that match the waf ftp-file-security (page 393).
Enable so that FortiWeb sends files to FortiSandbox that

match the waf ftp-file-security (page 393).
Also specify the FortiSandbox settings for your FortiWeb.

send-files-to-
For details, see "system fortisandbox" on page 257.
fortisandbox {enable FortiSandbox evaluates the file and returns the results to disable
| disable}
FortiWeb.
If waf ftp-file-security (page 393) is enabled and

FortiWeb detects a virus, it does not send the file to
FortiSandbox.
Related Topic
l "waf ftp-command-restriction-rule" on page 390
waf geo-block-list
Use this command to define large sets of client IP addresses to block based upon their associated geographical
location.
Because network mappings may change as networks grow and shrink, if you use this
feature, be sure to periodically update the geography-to-IP mapping database. To
download the file, go to the Fortinet Customer Service & Support website:
Optionally, you can also specify a list of IP addresses or IP address ranges that are exempt from this blacklist. For
details, see "waf geo-ip-except" on page 397.
Alternatively, you can block clients individually (see "server-policy custom-application application-policy" on page 110) or
based upon their reputation (see "waf ip-intelligence" on page 429).
To apply the rule, select it in a protection profile. For details, see "waf web-protection-profile inline-protection" on page
518 or "waf web-protection-profile offline-protection" on page 531.

config 396
Syntax
config waf geo-block-list
edit "<geography-to-ip_name>"
set exception-rule "<geo-ip-except_name>"
config country-list
edit <entry_index>
set country-name "<region_name>"
next
end
next
end
"<geography-to-ip_name>" Enter the name of a new or existing rule. The maximum length No

edit ?
Low
trigger "<trigger-policy_ Enter the name of the trigger to apply when this rule is No

set trigger ?
exception-rule "<geo-ip- No
except_name>" Enter the name of a list of exceptions to this blacklist.
default.
range is 1–9,999,999,999,999,999,999. default.
Enter the name of a region (Antarctica or Bouvet

Island) or country (U.S.) as it is written in English. Surround
country-name "<region_ names with multiple words or apostrophes in double quotes. No
name>" default.
The list of locations varies by the currently installed IP-to-
geography mapping package. For a current list of locations,
use the web UI.

config 397
Example
This example creates a set of North American IP addresses that a server policy can use to block clients with IP
addresses belonging to Belize and Canada. FortiWeb does not block the IP addresses specified by the allow-north-
america exception list.
config waf geo-block-list
edit "north-america"
set exception rule "allow-north-america"
set severity Low
config country-list
edit 1
set country-name "Belize"
next
edit 2
set country-name "Canada"
next
end
next
end
Related topics
l "waf geo-ip-except" on page 397
l "waf ip-intelligence" on page 429
l "debug flow trace" on page 583
waf geo-ip-except
Use this command to specify IP addresses or ranges of IP addresses that are exceptions to the list of client IP addresses
that FortiWeb blocks based on their geographic location.
For details about creating the blacklist by country or region, see "waf geo-block-list" on page 395.
Syntax
config waf geo-ip-except
edit "<geo-ip-except_name>"
edit <entry_index>
set ip {"<address_ipv4>" | "<ip_range_ipv4>"}
next
end
next
end

config 398
"<geo-ip-except_name>" Enter the name of a new or existing list of exceptions. No

default.
edit ?
<entry_index>
range is 1–9,999,999,999,999,999,999. default.
ip {"<address_ipv4>" | Enter the IP address or IP address range that is exempt from No

"<ip_range_ipv4>"} blocking based on its geographic location. default.
Example
This example adds the IP address range 192.0.2.0 to 192.0.2.5 to the geo-location blacklist exception list allow-
north-america.
config waf geo-ip-except
edit "allow-north-america"
set ip "92.0.2.0-192.0.2.5"
end
next
end
Related topics
l "waf geo-block-list" on page 395
waf hidden-fields-protection
Use this command to configure groups of hidden field rules.
To apply hidden field rule groups, select them within an inline protection profile. For details, see "waf web-protection-
profile inline-protection" on page 518.
Syntax
config waf hidden-fields-protection
edit "<hidden-field-group_name>"
config hidden_fields_list
edit <entry_index>
set hidden-field-rule "<hidden-field-rule_name>"
next

config 399
end
next
end
"<hidden-field-group_ Enter the name of a new or existing hidden field rule group. No

edit ?
<entry_index>
range is 1–9,999,999,999,999,999,999. default.
hidden-field-rule Enter the name of an existing hidden field rule to add to the No
"<hidden-field-rule_ group. The maximum length is 63 characters. default.
name>"
set hidden-field-rule ?
Related topics
l "waf hidden-fields-rule" on page 399
waf hidden-fields-rule
Use this command to configure hidden field rules.
Hidden form inputs, like other types of parameters and inputs, can be vulnerable to tampering and can be used as a
vector for other attacks.
Unlike other inputs, they are often written into an HTML page by the web server when it serves that page to the client,
and are not visible on the rendered web page. As such, they are difficult to for users to unintentionally modify, and are
often incorrectly perceived as relatively safe by website owners.
Like other inputs, however, they are accessible through the JavaScript document object model (DOM), and as inputs,
can be used to inject invalid data into your databases or attempt to tamper with the session state.
Hidden field rules prevent such tampering. The FortiWeb appliance caches the values of a session’s hidden inputs as
they pass to the HTTP client, and verifies that they remain unchanged when the HTTP client submits a form.
You apply hidden field constraints by first grouping them into a hidden field group. For details, see "waf hidden-fields-
Before you configure a hidden field rule, if you want to apply it only to HTTP requests for a specific real or virtual host,
you must first define the web host in a protected hosts group. For details, see "server-policy allow-hosts" on page 108.

config 400
Alternatively, you can use the web UI to fetch the request URL from the server and
scan it for hidden inputs, using the results to configure the hidden input rule. For
Syntax
config waf hidden-fields-rule
edit "<hidden-field-rule_name>"
set action {alert | alert_deny | redirect | block-period | send_403_forbidden |
deny_no_log}
set action-url0 "<url_str>"
config hidden-field-name
edit <entry_index>
set argument "<hidden-field_str>"
next
end
next
end
"<hidden-field-rule_ Enter the name of a new or existing rule. The maximum No

name>" length is 63 characters. default.

edit ?
Select one of the following actions that the FortiWeb

deny | redirect | block- appliance will perform when an HTTP request violates one of
the hidden field rules in the entry: alert
period | send_403_
forbidden | deny_no_log}

config 401
and/or log message.




on page 542.

l send_403_forbidden—Reply to the client with an

HTTP 403 Access Forbidden error message and

message.

client for a number of seconds.



should select alert. If the action is alert_deny, for
example, the FortiWeb appliance will block the request or
reset the connection when it detects an attack, resulting in
block-period <seconds_ If action {alert | alert_deny | redirect | 0

config 402
int> block-period | send_403_forbidden | deny_no_

log} (page 400) is block-period, enter the number of
seconds that the connection will be blocked. The valid range is 1–
3,600.

HTTP request must be in order to match the rule. The
host "<protected-hosts_ maximum length is 255 characters. No
name>" default.
host-status {enable | Enable to apply this hidden field rule only to HTTP requests disable
disable} for specific web hosts. Also configure host
"<protected-hosts_name>" (page 402).
Disable to match the input rule based upon the other criteria,
Enter the literal URL, such as /login.jsp, that contains

the hidden form.
The URL must begin with a slash ( / ). Do not include the No
request-file "<url_str>" name of the web host, such as www.example.com, which is default.
configured separately in host "<protected-hosts_
name>" (page 402). Regular expressions are not supported.
action-url0 "<url_str>" Add up to 10 URLs that are valid to use with the HTTP POST No
method when the client submits the form containing the hidden default.
action-url1 "<url_str>" fields in this rule.
action-url2 "<url_str>"
severity {High | Medium | Select the severity level to use in logs and reports generated when High

config 403
Enter the name of the trigger to apply when this rule is

violated. For details, see log trigger-policy (page
trigger "<trigger-policy_ 101). The maximum length is 63 characters. No
name>" default.
set trigger ?
argument "<hidden-field_ Enter the name of the hidden form input, such as No
str>" languagepref. The maximum length is 63 characters. default.
Example
This example blocks and logs requests from search.jsp if its hidden form input, whose name is “languagepref”, is posted
to any URL other than query.do.
config waf hidden-fields-rule
edit "hidden_fields_rule1"
set request-file "/search.jsp"
set action-url0 "/query.do"
config hidden-field-name
edit 1
set argument "languagepref"
next
end
next
end
Related topics
l "waf hidden-fields-protection" on page 398
waf http-authen http-authen-policy
Use this command to group HTTP authentication rules into HTTP authentication policies.
The FortiWeb appliance uses authentication policies with the HTTP authentication feature to authorize HTTP requests.
To apply HTTP authentication policies, select them in an inline protection profile. For details, see "waf web-protection-
profile inline-protection" on page 518.

config 404
Syntax
config waf http-authen http-authen-policy
edit "<auth-policy_name>"
set cache {enable | disable}
set alert-type {none | fail | success | all}
set cache-timeout <timeout_int>
set auth-timeout <timeout_int>
config rule
edit <entry_index>
set http-authen-rule "<http-auth-rule_name>"
next
end
next
end
"<auth-policy_name>" Enter the name of a new or existing HTTP authentication No

policy. The maximum length is 63 characters. default.

edit ?
Enable to cache client user names and passwords from

remote authentication such as LDAP queries. Also configure
cache-timeout <timeout_int> (page 404). No
cache {enable | disable}
default.
This can be used can improve performance by preventing
frequent queries.
alert-type {none | fail | Enter the instances when alerts will be issued for HTTP none
success | all} authentication attempts:
l none—No alerts are issued for HTTP authentication.

l fail—Alerts are issued only for HTTP authentication failures.
l success—Alerts are issued for successful HTTP authentication.
l all—Alerts are issued for all failed and successful HTTP
authentication.
Enter the query cache timeout, in seconds. The valid range is

cache-timeout <timeout_ 0–3,600.
300
int>
This option is available only when cache {enable |
auth-timeout <timeout_ Enter the connection timeout (in milliseconds) for the query to 2000
int> the FortiWeb’s query to the remote authentication server in

config 405
milliseconds.
The valid range is 0–60,000. To prevent dropped connections

if the authentication server does not answer queries quickly
enough, increase this value.
<entry_index>
range is 1–9,999,999,999,999,999,999. default.
http-authen-rule "<http- Enter the name of an existing HTTP authentication rule. The No
auth-rule_name>" maximum length is 63 characters. default.

set http-authen-rule ?
Example
This example first configures a user group that contains both a local user account and an LDAP query.
config user user-group
edit "user-group1"
config members
edit 1
set type local
set local-name "user1"
next
edit 2
set ldap-name "user2"
set type ldap
next
end
next
end
Second, it configures a rule that requires basic HTTP authentication when requesting the URL
/employees/holidays.html on the host www.example.com. This URL will be identified as belonging to the
realm named “Restricted Area”. Users belonging to user-group1 can authenticate.
config waf http-authen http-authen-rule
edit "auth-rule1"
config rule
edit 1
set request-url "/employees/holidays.html"
set authen-type basic
set user-group "user-group1"
set user-realm "Restricted Area"
next
end
next
end

config 406
Third, it groups two HTTP authentication rules into an HTTP authentication policy that can be applied in an inline
protection profile.
config waf http-authen http-authen-policy
edit "http-auth-policy1"
config rule
edit 1
set http-authen-rule "http-auth-rule1"
next
edit 2
set http-authen-rule "http-auth-rule2"
next
end
next
end
Related topics
l "waf http-authen http-authen-rule" on page 406
waf http-authen http-authen-rule
Use this command to configure HTTP authentication rules.
Authentication rules are used by the HTTP authentication feature to define sets of request URLs that will be authorized
for each user group.
You apply authentication rules by adding them to an authentication policy, which is ultimately selected within an inline
protection profile for use in web protection. For details, see "waf http-authen http-authen-policy" on page 403.
Syntax
config waf http-authen http-authen-rule
edit "<auth-rule_name>"
config rule
edit <entry_index>
set authen-type {basic | digest | ntlm}
set request-url "<path_str>"
set user-group "<user-group_name>"
set user-realm "<realm_str>"
next
end
next
end

config 407
"<auth-rule_name>" Enter the name of a new or existing rule. The maximum length is 63 No

edit ?
Enter the name of a protected host that the Host: field of an HTTP
host "<protected-hosts_ request must be in order to match the HTTP authentication rule. No
This setting applies only if host-status is enable.
host-status {enable | Enable to apply this HTTP authentication rule only to HTTP disable
disable} requests for specific web hosts. Also configure host
"<protected-hosts_name>" (page 407).
Disable to match the HTTP authentication rule based upon the

other criteria, such as the URL, but regardless of the Host: field.
<entry_index>
range is 1–9,999,999,999,999,999,999. default.
authen-type {basic | Select which type of HTTP authentication to use, either: basic
digest | ntlm}
l basic—Clear text, Base64-encoded user name and password.
Supports local user accounts, and RADIUS and LDAP user queries.
NTLM user queries are not supported.
l digest—Hashed user name, realm, and password. RADIUS, LDAP
and NTLM user queries are not supported.
l ntlm—Encrypted user name and password. Local user accounts and
RADIUS and LDAP user queries are not supported.
Enter the literal URL, such as /employees/holidays.html, that a

No
request-url "<path_str>" request must match in order to trigger HTTP authentication. The
default.
user-group "<user-group_ Enter the name of a user group that is authorized to use the URL in No
name>" request-url "<path_str>" (page 407). The maximum default.
To display the list of existing user groups, enter:

set user-group ?
Enter the realm, such as Restricted Area, to which the

request-url "<path_str>" (page 407) belongs. The No
user-realm "<realm_str>" maximum length is 63 characters. default.
Browsers often use the realm multiple times.

config 408
l It may appear in the browser’s prompt for the user’s credentials.

Especially if a user has multiple logins, and only one login is valid for
that specific realm, displaying the realm helps to indicate which user
name and password should be supplied.
l After authenticating once, the browser may cache the authentication
credentials for the duration of the browser session. If the user requests
another URL from the same realm, the browser often will automatically
re-supply the cached user name and password, rather than asking the
user to enter them again for each request.
The realm may be the same for multiple authentication rules, if all
of those URLs permit the same user group to authenticate.
For example, the user group All_Employees could have access

to the request-url "<path_str>" (page 407) URLs
/wiki/Main and /wiki/ToDo. These URLs both belong to the
realm named Intranet Wiki. Because they use the same realm
name, users authenticating to reach /wiki/Main usually will not
have to authenticate again to reach /wiki/ToDo, as long as both
requests are within the same browser session.
This field does not appear if authen-type is ntlm, which does

not support HTTP-style realms.
Example
For an example, see "waf http-authen http-authen-policy" on page 403.
Related topics
l "waf http-authen http-authen-policy" on page 403
waf http-connection-flood-check-rule
Use this command to limit the number of TCP connections per HTTP session. This can prevent TCP connection floods
from clients operating behind a shared IP with innocent clients.
Excessive numbers of TCP connections per session can occur if a web application or client is malfunctioning, or if an
attacker is attempting to waste socket resources to produce a DoS.
This command is similar to "waf layer4-connection-flood-check-rule" on page 439. However, this feature counts TCP
connections per session cookie, while TCP flood prevention counts only TCP connections per IP address. Because it
uses session cookies at the application layer instead of only TCP/IP connections at the network layer, this feature can
differentiate multiple clients that may be behind the same source IP address, such as when the source IP address hides
a subnet that uses network address translation (NAT). However, in order to work, the client must support cookies.

config 409
To apply this rule, include it in an application-layer DoS-prevention policy. For details, see "waf application-layer-dos-
prevention" on page 341.
Syntax
config waf http-connection-flood-check-rule
edit "<rule_name>"
set http-connection-threshold <limit_int>
next
end

edit ?

appliance will perform when the count exceeds the rate limit:
l alert—Accept the connection and generate an alert email

and/or log message.
l alert_deny—Block the connection and generate an alert email
and/or log message.
deny | block-period | message. alert
deny_no_log}


config 410
learning feature. For details about auto-learning requirements,

see "waf web-protection-profile autolearning-profile" on page
516.
block-period <seconds_ Enter the length of time (in seconds) for which the FortiWeb 1
int> appliance will block additional requests after a client exceeds
the rate threshold.
http-connection-threshold Enter the maximum number of TCP connections allowed from the
<limit_int> 1
same client. The valid range is 1–1,024.
severity {High | Medium | Select the severity level to use in logs and reports generated when Medium

violated. For details, see "log trigger-policy" on page 101. The
trigger-policy "<trigger- maximum length is 63 characters. No
policy_name>" default.
set trigger ?
Related topics
waf http-constraints-exceptions
Use set statements under this command to configure exceptions to existing HTTP protocol parameter constraints for
specific hosts.
Exceptions may be useful if you know that some HTTP protocol constraints, during normal use, will cause false positives
by matching an attack signature. Exceptions define HTTP constraints that will not be subject to HTTP protocol
constraint policy.
For example, if you enable max-http-header-length in a HTTP protocol constraint exception for a specific host,
FortiWeb ignores the HTTP header length check when executing the web protection profile for that host.
Syntax
config waf http-constraints-exceptions
edit "<http-exception_name>"
config http_constraints-exception-list

config 411
edit <entry_index>
set request-file "<url_pattern>"
set block-malformed-request {enable | disable}
set Illegal-content-length-check {enable | disable}
set Illegal-content-type-check {enable | disable}
set Illegal-header-name-check {enable | disable}
set Illegal-header-value-check {enable | disable}
set Illegal-host-name-check {enable | disable}
set Illegal-http-request-method-check {enable | disable}
set Illegal-responese-code-check {enable | disable}
set max-cookie-in-request {enable | disable}
set max-header-line-request {enable | disable}
set max-http-body-length {enable | disable}
set max-http-body-parameter-length {enable | disable}
set max-http-content-length {enable | disable}
set max-http-header-length {enable | disable}
set max-http-header-line-length {enable | disable}
set max-http-header-name-length {enable | disable}
set max-http-header-value-length {enable | disable}
set max-http-parameter-length {enable | disable}
set max-http-request-filename-length {enable | disable}
set max-http-request-length {enable | disable}
set max-url-param-name-len {enable | disable}
set max-url-param-value-len {enable | disable}
set max-url-parameter {enable | disable}
set max-url-parameter-length {enable | disable}
set number-of-ranges-in-range-header {enable | disable}
set parameter-name-check {enable | disable}
set parameter-value-check {enable | disable}
set redundant-header-check {enable | disable}
set source-ip-status {enable|disable}
set source-ip "<ip_range>"
set url-param-name-check {enable | disable}
set url-param-value-check {enable | disable}
next
end
next
end
"<http-exception_name>" Enter the name of a new or existing HTTP protocol constraint No

exception. The maximum length is 63 characters. default.
To display the list of existing exceptions, enter:

edit ?
request-file "<url_ Enter either: No

pattern>" default.

config 412
l The literal URL, such as /index.php, that the HTTP

request must contain in order to match the input rule. The
URL must begin with a slash ( / ).
l A regular expression, such as ^/*.php, matching all and
only the URLs to which the input rule should apply. The
pattern is not required to begin with a slash ( / ). However,
it must at least match URLs that begin with a slash, such
as /index.cfm.
host. The maximum length is 255 characters.
request-type {plain | Enter either plain or regular (for a regular expression) to

regular} No
match the string entered in request-file "<url_
default.
pattern>" (page 411).
host-status {enable | Enable to apply this exception only to HTTP requests for disable
disable} specific web hosts. Also configure analyzer-policy
"<fortianalyzer-policy_name>" (page 102).

block-malformed-request Enable to omit the constraint on syntax and FortiWeb parsing

{enable | disable} errors.
Caution: Some web applications require abnormal or very

large HTTP POST requests. Since allowing such errors and
excesses is generally bad practice and can lead to
vulnerabilities, use this option to omit the malformed request
scan only if absolutely necessary.
Illegal-content-length- Enable to omit the constraint on the maximum acceptable size in disable
check {enable | disable} bytes of the request body.
Illegal-content-type- Enable to omit the constraint on whether the Content Type:

check {enable | disable} disable
value uses the format <type>/<subtype>.
Illegal-header-name-check Enable to omit the constraint on whether the HTTP header name disable
{enable | disable} contains illegal characters.
Illegal-header-value- Enable to omit the constraint on whether the HTTP header value
check {enable | disable} disable
contains illegal characters.
Illegal-host-name-check Enable to omit the constraint on host names with illegal disable
{enable | disable} characters.
Illegal-http-request- Enable to omit the constraint on illegal HTTP request methods. disable

config 413
method-check {enable |
disable}
Illegal-responese-code- Enable to omit the constraint on whether the HTTP response code disable
check {enable | disable} is a 3-digit number.
max-cookie-in-request Enable to omit the constraint on the maximum number of cookies

{enable | disable} disable
per request.
max-header-line-request Enable to omit the constraint on the maximum number of HTTP disable
{enable | disable} header lines.
max-http-body-length
{enable | disable} Enable to omit the constraint on the maximum HTTP body length. disable
max-http-body-parameter- Enable to omit the constraint on the maximum acceptable size in disable
length {enable | disable} bytes of all parameters in the HTTP body of HTTP POST requests.
max-http-content-length Enable to omit the constraint on the maximum HTTP content

length.
max-http-header-length Enable to omit the constraint on the maximum HTTP header disable
{enable | disable} length.
max-http-header-line- Enable to omit the constraint on the maximum HTTP header line
length {enable | disable} disable
length.
max-http-header-name- Enable to omit the constraint on the maximum acceptable size in disable
length {enable | disable} bytes of a single HTTP header name.
max-http-header-value- Enable to omit the constraint on the maximum acceptable size in

length {enable | disable} disable
bytes of a single HTTP header value.
max-http-request- Enable to omit the constraint on the maximum HTTP request disable
filename-length {enable | filename length.
disable}
max-http-parameter-length Enable to omit the constraint on the maximum HTTP parameter

length.
max-http-request-length Enable to omit the constraint on the maximum HTTP request disable
{enable | disable} length.
max-url-param-name-len Enable to omit the constraint on the maximum acceptable length

in bytes of the parameter name.
max-url-param-value-len Enable to omit the constraint on the maximum acceptable length disable
{enable | disable} in bytes of the parameter value.
max-url-parameter Enable to omit the constraint on the maximum number of disable

config 414
{enable | disable} parameters in the URL.
max-url-parameter-length Enable to omit the constraint on the maximum length of disable

{enable | disable} parameters in the URL.
number-of-ranges-in-
Enable to omit the constraint on the maximum acceptable number
range-header {enable | disable
disable} of Range: fields of an HTTP header.
parameter-name-check Enable to omit the constraint on null characters in parameter disable

{enable | disable} names.
parameter-value-check Enable to omit the constraint on null characters in parameter

values.
Post-request-ctype-check Enable to omit the constraint on whether the Content-Type: disable

{enable | disable} header is available.
redundant-header-check Enable to omit the constraint on the redundant instances of

Content-Length, Content-Type and Host herder fields.
source-ip-status Enable to check requests for matching the HTTP constraint disable
{enable|disable} exceptions rule by their source IP addresses.
source-ip "<ip_range>" Enter the source IP of the protected requests to which this
exception applies. Only a single IPv4/IPv6 address, or a
IPv4/IPv6 range is acceptable.
For example:
l 1.2.3.4 No
l 2001::1 default.
l 1.2.3.4-1.2.3.40
l 2001::1-2001::100
Available only when source-ip-status
{enable|disable} (page 414) is enable.
url-param-name-check Enable to omit the constraint on illegal characters in the parameter disable
{enable | disable} name.
url-param-value-check Enable to omit the constraint on illegal characters in the parameter

value.
Example
This example omits header length limits for HTTP requests to www.example.com and 192.0.2.1 for
/login.asp.
config waf http-constraints-exceptions
edit "exception1"

config 415
config http_constraints-exception-list
edit 1
set max-http-header-length enable
set request-file "/login.asp"
next
edit 2
set host "192.0.2.1"
set max-http-body-length enable
set request-file "/login.asp"
next
end
next
end
Related topics
waf http-header-security
Use this command to insert special HTTP response headers to protect clients from certain attacks, including XSS,
clickjacking, and MIME sniffing attacks. The special HTTP response headers define security policies to client browsers
so that the browsers avoid exposure to known vulnerabilities when handling requests.
For more information on HTTP Header Security, see the FortiWeb Administration Guide:
Syntax
config waf http-header-security
edit "<http-header-security_name>"
config http-header-security-list
set name {x-content-type-options | x-frame-options | x-xss-protection |
content-security-policy}
set value {nosniff | allow-from | deny | sameorigin | sanitizing-mode |
block-mode}
set custom-value <custom-value_str>
set allow-from-source "<allow-from_str>"
set request-file "<request-file_str>"
set request-status {enable | disable}
next

config 416
end
next
end
"<http-header-security_ Enter of name of an HTTP header security policy. The No default.

name>" maximum length is 63 characters.
request-status {enable |
disable} Enable to set a URL Filter. disable
request-type {plain | Defines the Request URL Type as a simple string (plain) No default.
regular} or a regular expression (regular) for the URL Filter.
Available only if request-status {enable |

Sets the Request URL for the URL Filter.

request-file "<request-file_
str>" Available only if request-status {enable | No default.
<entry-index_int> Creates or edits a Secure Header Rule in the selected No default.

HTTP Header Security Policy.
Defines the Secure Header Type in the Secure Header

Rule. The following options are available:
l x-frame-options—Prevents browsers from

name {x-content-type-options Clickjacking attacks by providing appropriate restrictions
| x-frame-options | x-xss- on displaying pages in frames.
protection | content- No default.
l x-content-type-options—Prevents browsers from
security-policy}
MIME content-sniffing attacks by disabling the browser's
MIME sniffing function.
l x-xss-protection—Enables a browser's built-in Cross-
site scripting (XSS) protection.
value {nosniff | allow-from Defines the response according to the defined Secure No default.
| deny | sameorigin | Header Type.
sanitizing-mode | block-
mode} The x-frame-options header can be implemented
with one of the following options:
l deny—The browser will not allow any frame to be

displayed.
l sameorigin—The browser will not allow a frame to
be displayed unless the page of the frame originated
from the same site.
l allow-from—The browser will not allow a frame to
be displayed unless the page of the frame originated

config 417
from the specified domain.

The x-content-type-options header can be
implemented with one option:
l nosniff—The browser will not guess any content

type that is not explicitly specified when downloading
extensions.
The x-xss-protection header can be implemented
with one of the following options:
l sanitizing-mode—The browser will sanitize the

malicious scripts when a XSS attack is detected.
l block-mode—The browser will block the page when
a XSS attack is detected.
Sets the specified domain if the name {x-content-type-

options | x-frame-options | x-xss-
allow-from-source "<allow-
from_str>" protection | content-security-policy} (page No default.
416) is x-frame-options and the Header Value is set to
allow-from.
custom-value <custom-
value_str>
Example
This example creates a HTTP header security policy.
config waf http-header-security
edit http_header_security1
set request-status enable
set request-file "/bWAPP/clickjacking.php"
config http-header-security-list
edit 1
set name x-content-type-options
set value nosniff
next
edit 2
set name x-frame-options
set value deny
next
edit 3
set name x-xss-protection
set value block-mode
next
next
end

config 418
waf http-protocol-parameter-restriction
Use this command to configure HTTP protocol constraints.
HTTP constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the
HTML, XML, or other documents or encapsulated protocols carried in the content payload.
Use protocol constraints to prevent attacks such as buffer overflows in web servers that do not restrict elements of the
HTTP protocol to acceptable lengths, or mishandle malformed requests. Such errors can lead to security vulnerabilities.
You can also use protocol constraints to block requests that are too large for the memory
size you have configured for FortiWeb’s scan buffers. If your web applications do not
require large HTTP POST requests, enable waf http-protocol-parameter-
restriction (page 418) to harden your configuration. To configure the buffer size, see
system advanced (page 208).
You can configure each protocol parameter independently with a threat weight, action, severity, and trigger that
determines how an attack on that parameter is handled. For example, you can set the action for header constraints to
alert, the severity to high, and a trigger set to deliver an email each time FortiWeb detects a violation of these protocol
parameters.
To apply HTTP protocol constraints, select them in an inline or Offline Protection profile. For details, see "waf web-
protection-profile inline-protection" on page 518 and "waf web-protection-profile offline-protection" on page 531.
Syntax
config waf http-protocol-parameter-restriction
edit "<http-constraint_name>"
set <constraint_name>-check {enable | disable}
set <constraint_name>-action {alert | alert_deny | block-period | deny_no_log}
set <constraint_name>-block-period <seconds_int>
set <parameter_name>-threat-weight {off | low | med | high | crit}
set <constraint_name>-severity {High | Medium | Low | Info}
set <constraint_name>-trigger "<trigger-policy_name>"
next
end
"<http-constraint_name>" Enter the name of a new or existing HTTP No

protocol constraint. The maximum length is 63 default.
characters.
To display the list of existing constraints, enter:

edit ?

config 419
<constraint_name>-check {enable | Specify whether FortiWeb includes the specified

disable} constraint when it applies this set of constraints.
<constraint_name>-action {alert | Select one of the following actions that the alert
alert_deny | block-period | deny_no_ FortiWeb appliance will perform when an HTTP
log}
request violates one of the rules:
l alert—Accept the request and generate an

alert email and/or log message.

connection) and generate an alert email and/or
log message.
l deny_no_log—Deny a request. Do not

generate a log message.
You can customize the web page that FortiWeb

returns to the client with the HTTP status code.
For details, see "system replacemsg" on page
294.
l block-period—Block subsequent requests

from the client for a number of seconds. Also
configure <constraint_name>-block-
Note: If FortiWeb is deployed behind a NAT

load balancer, when using this option, you
must also define an X-header that indicates
the original client’s IP (see "waf x-forwarded-
for" on page 542). Failure to do so may cause
FortiWeb to block all connections when it
detects a violation of this type.
Caution: This setting is ignored when the value

of monitor-mode {enable | disable}
(page 157) is enable.
Note: Logging and/or alert email will occur only if

enabled and configured. For details, see "log
disk" on page 73 and "log alertMail" on page 67.
Note: If you select an auto-learning profile with

this rule, you should select alert. If the
action is alert_deny, for example, the
FortiWeb appliance will block the request or
reset the connection when it detects an attack,
resulting in incomplete session information for
the auto-learning feature. For details about auto-
learning requirements, see "waf web-protection-

config 420
profile autolearning-profile" on page 516.
Note: This is not a single setting. Configure the

action setting for each violation type. The
number of action settings equals the number of
violation types.
For example, for maximum HTTP header length

violations, you might type the accompanying
setting:
set max-http-header-length-action
alert
Note: Available actions vary depending on

operating mode and protocol parameter.
<constraint_name>-severity {High | Select the severity level to use in logs and Medium
Medium | Low | Info} reports generated when a violation of the rule
occurs.

severity setting for each violation type. The
number of severity settings equals the number of
violation types.

violations, you might type the accompanying
setting:
set max-http-header-length-
severity High
<constraint_name>-trigger "<trigger- Enter the name of the trigger to apply when this No
policy_name>" rule is violated (see config log trigger- default.
policy (page 101)). The maximum length is 63
characters.
To display the list of existing trigger policies,

enter:
set trigger ?

trigger setting for each violation type. The
number of trigger settings equals the number of
violation types.
violations, you might type accompanying setting:
set max-http-header-length-trigger
trigger-policy1

config 421
<constraint_name>-block-period If action is block-period, type the number of 0

<seconds_int> seconds that the connection will be blocked. The valid
range is 1–3,600.
<parameter_name>-threat-weight {off Set the threat weight for an event when No

| low | med | high | crit} FortiWeb detects a violation of a parameter default.
restriction rule. For details, see the FortiWeb
https://docs.fortinet.com/fortiweb/admin-
guides.
Example
This example limits the total size of the HTTP header, including all lines, to 2,048 bytes. If the HTTP header length
exceeds 2,048 bytes, the FortiWeb appliance takes an action to create a log message (alert), identifying the violation
as medium severity, and sends an email to the administrators defined within the trigger policy email-admin.
config waf http-protocol-parameter-restriction
edit "http-constraint1"
set max-http-header-length 2048
set max-http-header-length-action alert
set max-http-header-length-severity Medium
set max-http-header-length-trigger email-admin
next
end
Related topics
waf http-request-flood-prevention-rule
Use this command to limit the maximum number of HTTP requests per second coming from any client to a specific URL
on one of your protected servers.
The FortiWeb appliance tracks the requests using a session cookie. If the count exceeds the request limit, FortiWeb
performs the specified action.
To apply this rule, include it in an application-layer DoS-prevention policy. This feature is effective only when http-
session-management {enable | disable} (page 521) is enabled in the inline protection profile that uses the
parent DoS-prevention policy.

config 422
Syntax
config waf http-request-flood-prevention-rule
edit "<rule_name>"
set access-limit-in-http-session <limit_int>
set bot-recognition {captcha-enforcement | real-browser-enforcement |
disable}
next
end
"<rule_name>" Enter the name of a new or existing rule. The maximum No


edit ?
Enter the maximum number of HTTP connections allowed per

access-limit-in-http-
session <limit_int> second from the same client. The valid range is 0–4,096. To 0
disable the limit, enter 0.
action {alert | alert_ Select one of the following actions that the FortiWeb alert
deny | block-period | appliance will perform when the count exceeds the limit:
deny_no_log}
and/or log message.




that indicates the original client’s IP (see config waf x-
forwarded-for (page 542)). Failure to do so may cause
FortiWeb to block all connections when it detects a violation

config 423
of this type.

message.



Enable to return a JavaScript to the client to test whether it is

a web browser or automated tool when it exceeds the rate
limit.
If the client either fails the test or does not return results
bot-recognition {captcha- before the timeout specified by validation-timeout
enforcement | real-
browser-enforcement | <seconds_int> (page 423), FortiWeb applies the specified disable
disable} action. If the client appears to be a web browser, FortiWeb
allows the client to exceed the rate limit.
Disable this option to apply the rate limit regardless of

whether the client is a web browser (for example, Firefox) or
an automated tool (for example, wget).
max-attempt-times If captcha-enforcement is selected for bot- 3

<attempts_int> recognition {captcha-enforcement | real-
browser-enforcement | disable} (page 423), enter
the maximum number of attempts that a client may attempt
to fulfill a CAPTCHA request. The valid range is 1–5.
Available only when captcha-enforcement is selected

for bot-recognition.
Specify the maximum amount of time (in seconds) that FortiWeb

validation-timeout
<seconds_int> waits for results from the client for Real Browser Enforcement. The 20
block-period <seconds_ If action is block-period, type the number of seconds 60

int> that the connection will be blocked.
This setting applies only if action is block-period. The

config 424
valid is from 1 to 10,000 seconds.
Low | Info} Medium
a violation of the rule occurs.
trigger-policy "<trigger- Enter the name of the trigger to apply when this rule is No
policy_name>" violated. For details, see "log trigger-policy" on page 101. The default.

set trigger ?
Example
This example illustrates a rule that imposes a two-minute blocking period on clients that exceed the set request limit.
config waf http-request-flood-prevention-rule
edit "Web Portal HTTP Request Limit"
set access-limit-in-http-session 10
set severity Medium
set trigger-policy "Server_Policy_Trigger"
next
end
Related topics
waf input-rule
Use this command to configure input rules.
Input rules define whether or not parameters are required, and sets their maximum allowed length, for HTTP requests
matching the host and URL defined in the input rule.
Each input rule contains one or more individual rules. This enables you to define, within one input rule, all parameter
restrictions that apply to HTTP requests matching that URL and host name.
For example, one web page might have multiple inputs: a user name, password, and a preference for whether or not to
remember the login. Within the input rule for that web page, you could define separate rules for each parameter in the
HTTP request: one rule for the user name parameter, one rule for the password parameter, and one rule for the
preference parameter.
To apply input rules, select them within a parameter validation rule. For details, see "waf parameter-validation-rule" on
page 461.

config 425
Before you configure an input rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you
must first define the web host in a protected hosts group. For details, see "server-policy allow-hosts" on page 108.
Syntax
config waf input-rule
edit "<input-rule_name>"
set action {alert | alert_deny | redirect | send_403_forbidden | block-
period | deny_no_log}
config rule-list
edit <entry_index>
set type-checked (enable | disable}
set argument-type <custom-data-type | data-type | regular-expression}
set argument-name-type {plain | regular}
set argument-name "<input_name>"
set argument-expression "<regex_pattern>"
set custom-data-type "<custom-data-type_name>"
set data-type "<predefined_name>"
set is-essential {yes | no}
set max-length <limit_int>
next
end
next
end
"<input-rule_name>" Enter the name of a new or existing rule. The maximum No


edit ?

appliance will perform when an HTTP request violates one of
the input rules in the entry:
deny | redirect | send_
l alert—Accept the request and generate an alert email and/or
log message. alert
403_forbidden | block-
period | deny_no_log} l alert_deny—Block the request (or reset the connection) and

config 426

l redirect—Redirect the request to the URL that you specify in
the protection profile and generate an alert email and/or log
message. Also configure redirect-url "<redirect_
fqdn>" (page 529) and rdt-reason {enable |
disable} (page 529).
l send_403_forbidden—Reply to the client with an HTTP
403 Access Forbidden error message and generate an


block-period <seconds_ Enter the number of seconds to block the source IP. The valid 60
int> range is 0–3,600.

deny | redirect | send_403_forbidden |
block-period | deny_no_log} (page 425) is block-
period.

HTTP request must be in order to match the rule. The
host "<protected-host_ maximum length is 255 characters. No
name>" default.
host-status {enable | Enable to apply this input rule only to HTTP requests for disable
disable} specific web hosts. Also configure host "<protected-
host_name>" (page 426).
Disable to match the input rule based upon the other criteria,

config 427

{plain | regular} (page 427), enter either:
l The literal URL, such as /index.php, that the HTTP request

must contain in order to match the input rule. The URL must
begin with a slash ( / ).
l A regular expression, such as ^/*.php, matching all and only
the URLs to which the input rule should apply. The pattern is not
required to begin with a slash ( / ). However, it must at least
match URLs that begin with a slash, such as /index.cfm.
No
request-file "<url_str>"
Do not include the name of the web host, such as default.
"<protected-host_name>" (page 426). The maximum

request-type Select whether request-file "<url_str>" (page 427) will plain

{plain | regular} contain a literal URL (plain), or a regular expression designed to
match multiple URLs (regular).
Low

set trigger ?
<entry_index>
is-essential {yes | no} Select yes if the parameter is required for HTTP requests to this no
combination of Host: field and URL. Otherwise, select no.
Enter the maximum allowed length of the parameter value.

max-length <limit_int> 0
The valid range is 0–1,024. To disable the limit, enter 0.
type-checked (enable | Enable to use predefined or configured data types when enable
disable} validating parameters. Also configure argument-type

config 428
<custom-data-type | data-type | regular-

expression} (page 428).
Disable to ignore data-type and custom-data-type

settings.
argument-type <custom-
No
data-type | data-type | Specify the type of argument.
regular-expression} default.
argument-name-type {plain Specify one of the following options:

| regular}
l plain—argument-name is the name attribute of the
parameter’s input tag exactly as it appears in the form on the web
page.
l regular—argument-name is a regular expression designed
to match the name attribute of the parameter’s input tag.
If argument-name-type {plain | regular} (page

428) is plain, specify the name of the input as it appears in
the HTTP content, such as username. The maximum length
argument-name "<input_ is 63 characters. No
name>" default.
If argument-name-type is regular, specify a regular
expression designed to match the name attribute of the
parameter’s input tag.
argument-expression Enter a regular expression that matches all valid values, and
"<regex_pattern>" no invalid values, for this input.
The maximum length is 2,071 characters.

point ( ! ) are not supported.
Enter the name of a custom data type, if any. The maximum

custom-data-type To display the list of custom data types, enter: No

"<custom-data-type_name>" default.
set custom-data-type ?
This setting applies only if type-checked (enable |

data-type "<predefined_ Select one of the predefined data types, if the input matches No
name>" one of them (available options vary by FortiGuard updates). default.
To display available options, enter:

set data type ?

config 429
For match descriptions of each option, see "server-policy

pattern data-type-group" on page 132.
Alternatively, configure argument-type <custom-

data-type | data-type | regular-
expression} (page 428). This option is ignored if you
configure argument-type, which also defines parameters
to which the input rule applies, but supersedes this option.
Example
This example blocks and logs requests for the file named login.php that do not include a user name and password, both
of which are required, or whose user name and password exceed the 64-character limit.
config waf input-rule
edit "input_rule1"
set request-file "/login.php?*"
request-type regular
config rule-list
edit 1
set argument-name "username"
set argument-type data-type
set data-type Email
set is-essential yes
set max-length 64
next
edit 2
set argument-name "password"
set data-type String
set is-essential yes
set max-length 64
next
end
next
end
Related topics
l "waf parameter-validation-rule" on page 461
waf ip-intelligence
Use this command to configure reputation-based source IP blacklisting.
Clients with suspicious behaviors or poor reputations include spammers, phishers, botnets, and anonymizing proxy
users. If you have purchased a subscription for the FortiGuard IP Reputation service, your FortiWeb can periodically

config 430
download an updated blacklist to keep your appliance current with changes in dynamic IPs, spreading virus infections,
and spammers changing service providers.
IP intelligence settings apply globally, to all policies that use this feature.
Before or after using this command, use "waf ip-intelligence-exception" on page 433 to configure any exemptions that
you want to apply. To apply IP reputation-based blocking, configuring these category settings first, then enable ip-
intelligence {enable | disable} (page 526) in the server policy’s protection profile.
Alternatively, you can block sets of many clients based upon their geographical origin (see "waf geo-block-list" on page
395) or manually by specific IPs (see "server-policy custom-application application-policy" on page 110).
Syntax
config waf ip-intelligence
edit <entry_index>
set action {alert | alert_deny | redirect | send_403_forbidden | block-period |
deny_no_log}
set category "<category_name>"
set severity {Low | Medium | High | Info}
next
end
<entry_index> Enter the index number of the individual entry in the table entry in No
the table. default.

appliance performs when a client’s source IP matches the
blacklist category:

and/or log message.

action {alert | alert_ and generate an alert email and/or log message.
deny | redirect | send_
You can customize the web page that FortiWeb returns to alert
403_forbidden | block-
period | deny_no_log} the client with the HTTP status code. For details, see



config 431

l send_403_forbidden—Reply to the client with an HTTP

403 Access Forbidden error message and generate an

message.
Caution: FortiWeb ignores this setting when monitor-

mode {enable | disable} (page 157) is enabled.

block-period <seconds_ Enter the number of seconds to block the source IP. The valid 60
int> range is 0–3,600.

deny | redirect | send_403_forbidden |
block-period | deny_no_log} (page 430) is block-
period.
Enter the name of an existing IP intelligence category, such as

"Anonymous Proxy" or Botnet. If the category name
category "<category_ contains a space, you must surround the name in double
name>" quotes. The maximum length is 63 characters.
Category names vary by the version number of your

FortiGuard IRIS package.
status {enable | disable} Enable to block clients whose source IP belongs to this category enable
according to the FortiGuard IRIS service.
severity {Low | Medium |
High | Info} field. Select which severity level the FortiWeb appliance uses Low
when a blacklisted IP address attempts to connect to your web
servers:

config 432
l Low
l Medium
l High
l Info
trigger "<trigger-policy_ Select which trigger, if any, that the FortiWeb appliance uses No
name>" when it logs and/or sends an alert email about a blacklisted IP default.
address’s attempt to connect to your web servers. For details,
see "log trigger-policy" on page 101. The maximum length is
63 characters.

set trigger ?
Example
The following command blacklists clients whose source IPs are currently known by Fortinet to be members of a botnet.
In the FortiGuard IRIS package for this example, “Botnet” is the first item in the list of categories.
When a botnet member makes a request, FortiWeb blocks the connection and continues to block it without re-
evaluating it for the next 6 minutes (360 seconds). FortiWeb logs the event with a high severity level and sends
notifications to the Syslog and email servers specified in notification-servers1.
config waf ip-intelligence
edit 1
set status enable
set action period_block
set severity High
set trigger-policy "notification-servers1"
next
end
Related topics
l "waf ip-intelligence-exception" on page 433

config 433
waf ip-intelligence-exception
Use this command to exempt IP addresses from reputation-based blocking. The settings apply globally, to all policies
that use this feature.
Syntax
config waf ip-intelligence-exception
edit <entry_index>
set ip "<client_ipv4>"
next
end
<entry_index> Enter the index number of the individual entry in the table entry in No
the table. The valid range is 1–9,999,999,999,999,999,999. default.
status {enable | disable} Enable to exempt clients from IP reputation-based blocking. disable
ip "<client_ipv4>" Enter the client’s source IP address. No

default.
Example
See "waf ip-intelligence" on page 429.
Related topics
waf ip-list
Use this command to define which source IP addresses are trusted clients, undetermined, or distrusted.
l Trusted IPs—Almost always allowed to access to your protected web servers. Trusted IPs are exempt from many (but
not all) of the restrictions that would otherwise be applied by a server policy. To determine skipped scans, see "debug flow
trace" on page 583.
l Neither—If a source IP address is neither explicitly blacklisted or trusted by an IP list policy, the client can access your
web servers, unless it is blocked by any of your other configured, subsequent web protection scan techniques. For details,
see "debug flow trace" on page 583.

config 434
l Blacklisted IPs—Blocked and prevented from accessing your protected web servers. Requests from blacklisted IP
addresses receive a warning message in response. The warning message page includes ID: 70007, which is the ID of all
attack log messages about requests from blacklisted IPs.
Because FortiWeb evaluates trusted and blacklisted IP policies before many other
techniques, defining these IP addresses can improve performance.
Alternatively, you can block sets of many clients based upon their reputation (see "waf ip-intelligence" on page 429) or
geographical origin (see "waf geo-block-list" on page 395).
Syntax
config waf ip-list
edit "<ip-list_name>"
config members
edit <entry_index>
set ip "<client_ip>"
set type {trust-ip | black-ip}
next
end
next
end
"<ip-list_name>" Enter the name of a new or existing rule. The maximum length No

edit ?
Enter the index number of the individual entry in the table entry in No
<entry_index>
the table. The valid range is 1–9,999,999,999,999,999,999. default.
ip "<client_ip>" Enter one of the following values: No

default.
l A single IP address that a client source IP must match, such as a
trusted private network IP address (e.g. an administrator’s
computer, 172.16.1.20).
l A range or addresses (for example, 172.22.14.1-
172.22.14.255 or 10:200::10:1-10:200:10:100).
type {trust-ip | black- Select either: trust-

ip} ip
l trust-ip—The source IP address is trusted and allowed

config 435
to access your web servers, unless it fails a previous scan

(see diagnose debug flow trace (page 583)).
l black-ip—The source IP address that is distrusted, and
is permanently blocked (blacklisted) from accessing your
web servers, even if it would normally pass all other scans.
Note: If multiple clients share the same source IP address,
such as when a group of clients is behind a firewall or router
performing network address translation (NAT), blacklisting the
source IP address could block innocent clients that share the
same source IP address with an offending client.
severity {Low | Medium | When rule violations are recorded in the attack log, each log No
High | Info} message contains a Severity Level (severity_level) default.
field. Select which severity level the FortiWeb appliance will
use when a blacklisted IP address attempts to connect to your
web servers:
l Low
l Medium
l High
Select which trigger, if any, that the FortiWeb appliance will

use when it logs and/or sends an alert email about a
blacklisted IP address’s attempt to connect to your web
trigger-policy "<trigger- servers. The maximum length is 63 characters. For details, No
policy_name>" see config log trigger-policy (page 101). default.

set trigger ?
Example
The following shows the configuration for a trusted host of 192.0.2.0 followed by a blacklisted client of 192.0.2.1.
config waf ip-list
edit "IP-List-Policy1"
config members
edit 1
set ip "192.0.2.0"
next
edit 2
set type black-ip
set ip "192.0.2.1"
set severity Medium
set trigger-policy "TriggerActionPolicy1"
next
end
next
end

config 436
Related topics
waf layer4-access-limit-rule
Use this command to limit the number of HTTP requests per second from any IP address to your web server. The
FortiWeb appliance tracks the number of requests. If the count of HTTP GET or POST requests exceeds the request
limit, FortiWeb performs the action you specified.
To apply this rule, include it in an application-layer DoS-prevention policy and include that policy in an inline protection
profile. For details, see "waf application-layer-dos-prevention" on page 341.
Syntax
config waf layer4-access-limit-rule
edit "<rule_name>"
set access-limit-standalone-ip <limit_int>
set access-limit-share-ip <limit_int>
set bot-recognition {captcha-enforcement | real-browser-enforcement}
next
end

edit ?
access-limit-standalone- Enter the maximum number of HTTP requests allowed per second
0
ip <limit_int> from any source IP address representing a single client. The valid

config 437
range is 0–65,536. To disable the limit, enter 0.
access-limit-share-ip Enter the maximum number of HTTP requests allowed per second 0
<limit_int> from any source IP address shared by multiple clients behind a
network address translation (NAT) device, such as a firewall or
router. The valid range is 0–65,536. To disable the limit, enter 0.

appliance will perform when the count exceeds either
threshold limit:

and/or log message.




action {alert | alert_ that indicates the original client’s IP. Failure to do so may
deny | block-period | cause FortiWeb to block all connections when it detects a alert
deny_no_log}
on page 542.

message.


bot-recognition {captcha- Select between: disable

enforcement | real-

config 438
browser-enforcement} l captcha-enforcement—Requires the client to successfully

fulfill a CAPTCHA request. If the client cannot successfully fulfill
the request within the max-attempt-times <attempts_
int> (page 438), or doesn't fulfill the request within the
validation-timeout <seconds_int> (page 438),
FortiWeb applies the action and sends the CAPTCHA block
page.
l real-browser-enforcement—Enable to return a JavaScript
to the client to test whether it is a web browser or automated tool
when it violates the access rule. If the client either fails the test or
does not return results before the timeout specified by
validation-timeout, FortiWeb applies the specified action.
If the client appears to be a web browser, FortiWeb allows the
client to violate the rule.
Disable this option to simply apply the access rule.
If captcha-enforcement is selected for bot-

recognition, enter the maximum number of attempts that
max-attempt-times a client may attempt to fulfill a CAPTCHA request. The valid
range is 1–5. 3
<attempts_int>
Available only when captcha-enforcement is selected for

bot-recognition.
block-period <seconds_ Enter the number of seconds to block access to the client. This 0
int> applies only when the action {alert | alert_deny |
block-period | deny_no_log} (page 437) setting is
block-period. The valid range is 0–10,000. To disable the limit,
enter 0.
Medium
trigger-policy "<trigger- Enter the name of the trigger to apply when this rule is No
policy_name>" violated. For details, see "log trigger-policy" on page 101. The default.

set trigger ?
Enter the maximum amount of time (in seconds) that FortiWeb

validation-timeout
<seconds_int> waits for results from the client for bot-recognition. The valid range 20
is 5–30.

config 439
Example
This examples includes two rules. One blocks connections for two minutes while the other creates an alert and denies
the connection.
config waf layer4-access-limit-rule
edit "Web Portal HTTP Request Limit"
set severity Medium
set trigger-policy "Web_Protection_Trigger"
next
edit "Online Store HTTP Request Limit"
set severity High
set trigger-policy "Web_Protection_Trigger"
next
end
Related topics
l "waf layer4-connection-flood-check-rule" on page 439
waf layer4-connection-flood-check-rule
Use this command to limit the number of fully-formed TCP connections per source IP address. This effectively prevents
TCP flood-style denial-of-service (DoS) attacks.
TCP flood attacks exploit the fact that servers must consume memory to maintain the state of the open connection until
either the timeout, or the client or server closes the connection. This consumes some memory even if the client is not
currently sending any HTTP requests.
Normally, a legitimate client forms a single TCP connection, through which they may make several HTTP requests. As a
result, each client consumes a negligible amount of memory to track the state of the TCP connection. However, an
attacker opens many connections with perhaps zero or one request each, until the server is exhausted and has no
memory left to track the TCP states of new connections with legitimate clients.
This command is similar to config waf http-connection-flood-check-rule (page 408). However, this
feature counts TCP connections per IP, while the other command counts TCP connections per session cookie.
It is also similar to syncookie in "server-policy policy" on page 146. However, this feature counts fully-formed TCP
connections, while the anti-SYN flood feature counts partially-formed TCP connections.
To apply this rule, include it in an application-layer DoS-prevention policy and include that policy in an inline protection
profile. For details, see "waf application-layer-dos-prevention" on page 341.

config 440
Syntax
config waf layer4-connection-flood-check-rule
edit "<rule_name>"
set layer4-connection-threshold <limit_int>
next
end

edit ?
layer4-connection- Enter the maximum number of TCP connections allowed from the
threshold <limit_int> 0
same IP address. The valid range is 0–65,536.
action {alert | alert_ Select one of the following actions that the FortiWeb alert
deny | block-period | appliance will perform when the count exceeds the rate limit:
deny_no_log}
l alert—Accept the connection and generate an alert email
and/or log message.
l alert_deny—Block the connection and generate an alert email
and/or log message.
message.



config 441
learning feature. For details about auto-learning requirements,

see "waf web-protection-profile autolearning-profile" on page
516.
Enter the length of time (in seconds) for which the FortiWeb
appliance will block additional requests after a source IP
block-period <seconds_ address exceeds the rate threshold.
1
int>
The block period is shared by all clients whose traffic
originates from the source IP address. The valid range is 1–
3,600.
severity {High | Medium | Select the severity level to use in logs and reports generated when Medium

violated. For details, see "log trigger-policy" on page 101. The
trigger-policy "<trigger- maximum length is 63 characters. No
set trigger ?
Example
This example illustrates a basic TCP flood check rule.
config waf layer4-connection-flood-check-rule
edit "Web Portal Network Connect Limit"
set layer4-connection-threshold 10
set severity Medium
set trigger-policy "Server_Policy_Trigger"
next
end
Related topics
l "waf layer4-access-limit-rule" on page 436
waf machine-learning
Use this command to enable the machine learning feature and configure its settings.

config 442
Syntax
config waf machine-learning url-replacer-rule
edit url-replacer-rule_name
set type {pre-defined | custom-defined}
set app-type {jsp | owa-2003}
set url-replacer-policy_name
set url "<url_str>"
set new-url "<new-url_str>"
set param "<param_str>"
set new-param "<new-param_str>"
next
end
config waf machine-learning url-replacer-policy
edit url-replacer-policy_name
config rule list
edit rule-id "<rule_id>"
set type URL_Replacer
set plugin-name "<plugin-name_str>"
next
end
next
end
url-replacer-rule_name Specify a unique name that can be No

referenced by other parts of the default.
configuration.
The name can be up to 63 characters
long with no space or special
character.
Select either of the following:

l Predefined—Use one of the
predefined URL replacers
which can be selected from the
Application Type below.
type {pre-defined | custom-defined} No default.
l Custom-Defined—Define your
own URL replacer by
configuring the URL Path, New
URL, Param Change, and New
Param fields below.
app-type {jsp | owa-2003} If you have selected Predefined in the No default.

Type field above, then you must click
the down arrow and select either of the
following from the list menu:
l JSP—Use the URL replacer

config 443
designed for Java server pages

(JSP) web applications, where
parameters are often
separated by semi-colon (;).
l OWA 2003— Use the URL

replacer designed for default
URLs in Microsoft Outlook
Web App (OWA), where user
name and directory
parameters are often
embedded within the URL, as
illustrated below:
(^/public/)(.*)
(^/exchange/)([^/]+)/*(([^/]+)/
(.*))*
These two application types
are predefined URL interpreter
plug-ins used by popular web
applications.
Enter a regular expression, such as (^/

[^/]+)/(.*), matching all and only the
URLs to which the URL replacer should
apply. The URL path can be up to 255
characters long.
url "<url_str>" The pattern does not require a No default.

backslash (/). However, it must at least
match URLs that begin with a
backslash as they appear in the HTTP
header, such as /index.html. Do not
include the domain name, such as
www.example.com.
new-url "<new-url_str>" Enter either a literal URL, such as No default.

/index.html, or a regular expression
with a back-reference (such as $1)
defining how the URL will be
interpreted. The new URL cab be up to
255 characters long.
Enter either the parameter’s literal

value, such as user1, or a back-
param "<param_str>" No default.
reference (such as $0) defining how
the value will be interpreted.

config 444
new-param "<new-param_str>" Type either the parameter’s literal No default.

name, such as username, or a
backreference (such as $2) defining
how the parameter’s name will be
interpreted in the auto-learning report.
You can use up to 255 characters.
Specify a unique name that can be

referenced by other parts of the
configuration.
url-replacer-policy_name No default.
The name can be up to 63 characters
long with no space or special
character.
rule-id "<rule_id>" Select the sequence number of the No default.

URL Replacer Rules
type URL_Replacer Select the type URL_Replacer. No default.
plugin-name "<plugin-name_str>" Enter the plugin name. No default.
Related Topic
l waf machine-learning-policy
waf machine-learning-policy
Use this command to create machine learning policies and configure related policy settings.
Syntax
config waf machine-learning-policy
edit waf machine-learning-policy
set hmm-engine {enable | disable}
setsample-collecting-mode {normal | fast}
set sample-limit-by-ip <sample-limit-by-ip_int>
set threat-model {enable | disable}
set svm-model {xss | sql-injection | code-injection | command-injection | lfi-
rfi | common-injection | remote-exploits}
set anomaly-detection-method {automatic | quantile}
set strictness-level-quantile-potential
set strictness-level-quantile-defnite
set strictness-level-automatic-potential
set strictness-level-automatic-defnite
set automatic-refresh-model {enable | disable}
set box-notch-count <box-notch-count_int>
set boxplot-checking-interval <boxplot-checking-interval_int>
set allow-method {enable | disable}

config 445
set allow-method-exceptions {none others get post head options trace connect
delete put patch webdav rpc}
set action-protential {alert | alert_deny | block-period}
set action-definitely {alert | alert_deny | block-period}
set action-page-method {alert | alert_deny | block-period}
set block-period-potential "<block-period-potential_int>"
set severity-page-method {High | Info | Low | Medium}
set block-period-definitely "<block-period-definitely_int>"
set severity-definitely {High | Info | Low | Medium}
set severity-potential {High | Info | Low | Medium}
set trigger-definitely "<policy_name>"
set trigger-potential "<policy_name>"
set block-period-page-method "<block-period-page-method_int>"
set severity-page-method {High | Info | Low | Medium}
set trigger-page-method "<policy_name>"
set app-change-sensitivity {High | Low | Medium}
set ip-list-type {Trust | Black}
set url-replacer-policy
config waf machine-learning-policy
edit "<allow-domain-name_id>"
set domain-name "<domain-name_str>"
set domain-index "<domain-index_id>"
set character-set {AUTO | ISO-8859-1 | ISO-8859-2 | ISO-8859-3 | ISO-8859-
4 | ISO-8859-5 | ISO-8859-6 | ISO-8859-7 | ISO-8859-8 | ISO-8859-9 |
ISO-8859-10 | ISO-8859-15 | GB2312 | BIG5 | ISO-2022-JP | ISO-2022-JP-
2 | Shift-JIS | ISO-2022-KR | UTF-8}
next
end
config source-ip-list
edit "<source-ip-list_id>"
set "<ip>"
next
end
machine-learning-policy_ Enter the ID of the machine learning policy. It's the number No default
id displayed in the "#" column of the machine learning policy table
on the Machine Learning Policy page. The valid range is 0–
65535.
hmm-engine {enable Enable to monitor access to the application and collect data to
enable
| disable} build a mathematical model behind every parameter.
sample-collecting-mode Normal Normal

{normal | fast} Up to 5000 samples will be collected to build a machine learning
model for the parameter. The default sample collection mode is
Normal.
Fast
Up to 2500 samples will be collected to build a machine learning
model for the parameter.

config 446
sample-limit-by-ip The limitation number of samples collected from each IP. The
30
<sample-limit-by-ip_int> valid range is 0–5000.
threat-model {enable Enable to scan anomalies to verify whether they are attacks. It enable
| disable} provides a method to check whether an anomaly is a real attack
by the trained Support Vector Machine Model.
svm-model {xss | sql-

injection | code- Enable or disable threat models for different types of threats such
injection | command- as cross-site scripting, SQL injection and code injection.
enable
injection | lfi-rfi | Currently, seven trained Support Vector Machine Model are
common-injection | provided for seven attack types.
remote-exploits}
anomaly-detection-method Automatic Automatic

{automatic | quantile} Automatic is the default method. Compared with Quantile
method, Automatic method is more complicated, so that it
requires longer time to detect anomalies, but it's more accurate.
Quantile
Quantile simply uses a threshold, and all probabilities above it are
identified as anomalies.
Enter the threshold value or choose the threshold numbers. The

strictness-level-
quantile-potential valid range is from 0 to 1. The higher the threshold, the more 0.3
anomalies will be triggered.
strictness-level- Enter the threshold value or choose the threshold numbers. The 0.1
quantile-defnite valid range is from 0 to 0.9. The higher the threshold, the more
anomalies will be triggered.
Enter the value for the strictness level. The valid range is from 0.1
strictness-level-
automatic-potential to 1.0. The higher the value is , the more potential anomalies will 0.3
be triggered.
strictness-level- Enter the value for the strictness level. The valid range is from 0.1 0.1
automatic-defnite to 0.9. The higher the value is , the more definite anomalies will
be triggered.
automatic-refresh-model Enable to let the system to relearn the argument related to the
enable
{enable | disable} HMM model.
box-notch-count <box- This option appears when you enable Dynamically update 2
notch-count_int> when parameters change.
The default value is 2, which means if 2 newly generated boxplots
don't overlap with any one of the sample boxplots, FortiWeb
automatically updates the machine learning model. You can set a
value from 1 to 3.
boxplot-checking- The interval to collect a boxplot after the parameter model

interval <boxplot-
15
changes to running status. The valid range is 1–15 minutes.

config 447
checking-interval_int>
allow-method {enable Enable to allow the system to learn and verify the HTTP method. enable
| disable}
allow-method-exceptions
{none others get post
Select the HTTP request method that is allowed to access the head,
head options trace
connect delete put patch URL. options
webdav rpc}
action-protential {alert Choose the action FortiWeb takes when potential attack is Alert
| alert_deny | block- verified.
period}
Alert—Accepts the connection and generates an alert email
and/or log message.
Alert & Deny—Blocks the request (or resets the connection) and
generates an alert and/or log message.
Period Block—Blocks the request for a certain period of time.
Choose the action FortiWeb takes when definite attack is verified.

action-definitely {alert
and/or log message. Alert &
| alert_deny | block-
period} Alert & Deny—Blocks the request (or resets the connection) and Deny
action-page-method Choose the action FortiWeb takes when HTTP method violation Alert &
{alert | alert_deny | is verified. Deny
block-period}
and/or log message.
Alert & Deny—Blocks the request (or resets the connection) and
Enter the number of seconds that you want to block the requests.
block-period-potential
The valid range is 1–3,600 seconds.
"<block-period- 60
potential_int>" This option only takes effect when you choose Period Block in
Action.
severity-potential {High Select the severity level for this anomaly type. The severity level Medium
| Info | Low | Medium} will be displayed in the alert email and/or log message.
severity-definitely
Select the severity level for this anomaly type. The severity level
{High | Info | Low High
| Medium} will be displayed in the alert email and/or log message.
trigger-definitely Select a trigger policy that you have set in Log&Report > Log No default.
"<policy_name>" Policy > Trigger Policy. If definite anomaly is detected, it will
trigger the system to send email and/or log messages according
to the trigger policy.

config 448
Enter the number of seconds that you want to block the requests.
block-period-definitely
The valid range is 1–3,600 seconds.
"<block-period- 60
definitely_int>" This option only takes effect when you choose Period Block in
Action.
block-period-page-method Enter the number of seconds that you want to block the requests. 60
"<block-period-page- The valid range is 1–3,600 seconds. The default value is 60
method_int>"
seconds.
This option only takes effect when you choose Period Block in
Action.
severity-page-method
Select the severity level for this anomaly type. The severity level
{High | Info | Low High
| Medium} will be displayed in the alert email and/or log message.
trigger-page-method Select a trigger policy that you have set in Log&Report > Log No default
"<policy_name>" Policy > Trigger Policy. If HTTP Method Violation is detected, it
will trigger the system to send email and/or log messages
according to the trigger policy.
This option appears when you enable Dynamically update

when parameters change.
Low—The system triggers model update only when the entire
data distribution area (from the maximum value to the minimum
value, that is, the entire area containing all the data) of the new
boxplot doesn't have any overlapping part with that of the sample
boxplots.
app-change-sensitivity
{High | Low | Medium} Medium—The system triggers model update if the notch area No default.
(the median rectangular area in the boxplot where most of the
data is located) of the new boxplot doesn't have any overlapping
part with the entire data distribution areas of the sample boxplots.
High—The system triggers model update as long as the notch

area of the new boxplot doesn't have any overlapping part with
that of the sample boxplots.
status {enable Enable to change the status to Running, while disable to change enable
| disable} the status to Stopped.
Select the name of the URL Replacer Policy that you have
created in Machine Learning Templates. If web applications have
url-replacer-policy No default.
dynamic URLs or unusual parameter styles, you must adapt URL
Replacer Policy to recognize them.
trigger-potential Select a trigger policy that you have set in Log&Report > Log
"<policy_name>" Policy > Trigger Policy. If potential anomaly is detected, it will
trigger the system to send email and/or log messages according
to the trigger policy.

config 449
"<allow-domain-name_id>" Enter the ID of the policy. The valid range is 1–65,535. No default.
ip-list-type {Trust Allow or deny sample collection from the Source IP list. Trust
| Black}
domain-name "<domain- Add full domain name or use wildcard '*' to cover multiple
name_str>" No default.
domains under one profile.
domain-index "<domain- The number automatically assigned by the system when the No default.
index_id>" domain name is created.
character-set {AUTO
| ISO-8859-1 | ISO-8859-
2 | ISO-8859-3 | ISO-
8859-4 | ISO-8859-5 |
ISO-8859-6 | ISO-8859-7
The corresponding character code when manually setting the
| ISO-8859-8 | ISO-8859- No default.
9 | ISO-8859-10 | ISO- domain.
8859-15 | GB2312 | BIG5
| ISO-2022-JP | ISO-
2022-JP-2 | Shift-JIS |
ISO-2022-KR | UTF-8}
"<source-ip-list_id>" Enter the ID of the source IP. The valid range is 1– No default.
9,223,372,036,854,775,807
"<ip>" Enter the IP range for the source IP list. No default.
Related Topics
l "waf machine-learning" on page 441
waf mitb-policy
Use this command to configure MiTB policies.
Syntax
config waf mitb-policy
edit "<mitb-rule_name>"
config rule list
edit "<rule-list_id>"
set "<mitb-rule_name>"
next
end

config 450
next
end
"<rule-list_id>" Select the sequence number of the MiTB rules. No

default.
No
"<mitb-rule_name>" Enter the name of a MiTB policy.
default.
Related topics
l waf mitb-rule
waf mitb-rule
Use this command to configure MiTB rules.
Syntax
config waf mitb-rule
edit mitb-rule_name
set action {alert| alert_deny}
set request-url "<request-url_str>"
set post-url "<post-url_str>"
edit protected-parameter-list_name
set type {regular-input | password-input}
set obfuscate {enable | disable}
set encrypt {enable | disable}
set anti-keyLogger {enable | disable}
next
end
config allowed-external-domains-list
edit allowed-external-domains-list_id
set domain "<domain_str>"
next
end

config 451
mitb-rule_name Enter a name that can be referenced by other parts of the No default.
configuration.
Select the action the FortiWeb appliance takes when it detects a

action {alert| alert_ Alert—Accept the connection and generate an alert email and/or
Alert
deny} log message.
Alert & Deny—Block the request (or reset the connection) and
generate an alert and/or log message.
severity {High | Medium | Select which severity level the FortiWeb appliance will use when it Low
Low | Info} logs a violation of the rule.
Select which trigger, if any, that the FortiWeb appliance will use
trigger "<trigger-policy_
name>" when it logs and/or sends an alert email about a violation of the No default.
rule.
host-status {enable | Enable to compare the MiTB rule to the Host: field in the No default.
disable} HTTP header.
host "<host_str>" Select the IP address or FQDN of a protected host. No default.
request-url "<request- The URL hosting the webpage which contains the parameters No default.
url_str>" (field names or passwords) you want to protect.
request-type {plain |
regular} Select either of the URL types. plain
post-url "<post-url_str>" Enter the URL triggered after you submit your access request. No default.
protected-parameter-list_
name Enter the protected parameter list name. No default.
type {regular-input | Select the input type to carry out the protection. regular-
password-input} input
obfuscate {enable |
disable} Enable to obfuscate the configured parameter name. No default.
encrypt {enable | Enable to encrypt the parameter value. No default.

disable}
anti-keyLogger {enable | Enable anti-keyLogger to prevent hackers from intercepting your

disable} No default.
password input.
allowed-external-domains- Enter the allowed external domain list ID. No default.

list_id
domain "<domain_str>" Set the domain, for example, www.alloweddomain.com. No default.

config 452
Related topics
l waf mitb-policy
waf openapi-file
Use this command to create openapi file name.
Syntax
config waf openapi-file
edit "<openapi-file_name>"
end
"<openapi-file_name>" Enter the name of an openapi file. No

default.
Related topics
l "waf openapi-validation-policy" on page 452
waf openapi-validation-policy
Use this command to create new openapi validation policy and configure related settings.
Syntax
config waf openapi-validation-policy
edit openapi-validation-policy_name
set action {alert | alert_deny | block-period | redirect | send_403_
set trigger "<trigger-policy>"
config schema-file
edit schema-file_id
set openapi-file <datasource>
end
openapi-validation- Enter the name for the OpenAPI validation policy. No

policy_name default

config 453

deny | block-period |
Select which action FortiWeb will take when it detects a violation of
redirect | send_403_ alert
the policy.
forbidden | deny_no_
log}
block-period Type the number of seconds that you want to block subsequent 60
"<seconds_int>" requests from the client after the FortiWeb appliance detects that
the client has violated the rule. The valid range is 1–3600 seconds.
severity {Low | Select which severity level the FortiWeb appliance will use when it
Low
Medium | High | Info} logs a violation of the rule.
trigger "<trigger- Select which trigger, if any, that the FortiWeb appliance will use No
policy>" when it logs and/or sends an alert email about a violation of the default
rule.
No
schema-file_id The scheme file by the sequence number.
default.
openapi-file <datasource> Select the created OpenAPI file. No

default.
Related topics
l waf openapi-file
waf padding-oracle
Use this command to create a policy that protects vulnerable block cipher implementations for web applications that
selectively encrypt inputs without using HTTPS.
To apply this policy, include it in an inline web or Offline Protection profile. For details, see "waf web-protection-profile
inline-protection" on page 518 and "waf web-protection-profile offline-protection" on page 531.
Syntax
config waf padding-oracle
edit "<padding-oracle_rule_name>"
set block-period <block-period_int>
config protected-url-list
edit <entry_index>

config 454

set protected-url "<protected-url_str>"
set target "<cookie parameter url>"
end
next
end
"<padding-oracle_rule_ Enter the name of a new or existing rule. The maximum No default.

edit ?
Specify the action that FortiWeb takes when a request

violates the rule:

and/or log message.


period <block-period_int> (page 455).
l deny_no_log—Deny a request. Do not generate a

log message.
Note: If FortiWeb is deployed behind a NAT load

action {alert | alert_ balancer, when using this option, define an X-header that
deny | block-period | indicates the original client’s IP. Failure to do so may alert
deny_no_log} cause FortiWeb to block all connections when it detects a
violation of this type. For details, see "waf x-forwarded-
for" on page 542.
Attack log messages contain Padding Oracle

Attack when this feature detects a possible attack.
Because this attack involves some repeated brute force,
the attack log may not appear immediately, but should
occur within 2 minutes, depending on your configured DoS
alert interval.

Note: Logging and/or alert email occur only when the these
features are enabled and configured. For details, see "log
attack-log" on page 68 and "log alertMail" on page 67.

config 455
Note: To use this rule set with auto-learning, select

alert. If action is alert_deny or any other option
that causes the FortiWeb appliance to terminate or modify
the request or reply when it detects an attack attempt, the
session information for auto-learning will be incomplete.
block-period <block- Enter the number of seconds that FortiWeb blocks 1

period_int> subsequent requests from the client after it detects that the
client has violated the rule.
This setting is available only if action {alert |

alert_deny | block-period | deny_no_log}
(page 454) is block-period.
The valid range is 1–4,294,967,295.
severity {High | Medium | message contains a Severity Level (severity_level) field.
Medium
Low | Info} Specify the severity level FortiWeb uses when it logs a violation
of this rule.
trigger "<trigger-policy_ Enter the name of the trigger policy, if any, that the No default.
name>" FortiWeb appliance uses when it logs and/or sends an alert
email about a violation of the rule. For details, see "log
trigger-policy" on page 101.

set trigger ?
Enter the index number of the individual entry in the table. The
valid range is 1–9,999,999,999,999,999,999.
host-status {enable | Specify enable to apply this rule only to HTTP requests disable
disable} for specific web hosts. Also specify host "<host_
str>" (page 455).
Specify disable to match the rule based on the other

criteria, such as the URL, but regardless of the Host:
field.
Specify which protected host names entry (either a web

host name or IP address) that the Host: field of the HTTP
request must be in to match the rule.
host "<host_str>" No default.
This option is available only if the value of host-status
Maximum length is 255 characters.

config 456
url-type {plain | Enter to determine how the value of protected-url plain

regular} "<protected-url_str>" (page 456) is specified:
l plain—A literal URL.

l regular—A regular expression designed to match multiple
URLs.
If the value of url-type {plain | regular} (page

456) is plain, enter the literal URL that HTTP requests
that match the rule contain.
For example:
/profile.jsp
The URL must begin with a backslash ( / ).
If the value of url-type is regular, specify a regular

expression matching all and only the URLs to which the rule
should apply.
For example:
protected-url
"<protected-url_str>" No default.
^/*\.jsp\?uid\=(.*)
The pattern does not require a slash ( / ).; however, it must
at least match URLs that begin with a slash, such as
/profile.cfm.

www.example.com, which is specified by host.
Regular expressions beginning with an exclamation point

( ! ) are not supported. For information on language and
target "<cookie parameter Specify which parts of the client’s requests FortiWeb parameter
url>" examines for padding attack attempts:
l url—A URL (for example, the parameter

/user/0000012FE03BC2 is embedded in the URL).
l parameter—A parameter (for example, the parameter
/index.php?user=0000012FE03BC2 appended to a
traditional GET or POST body).
l cookie—A cookie.

config 457
Example
This example illustrates a padding oracle rule that blocks requests to the host www.example.com when a parameter
appended in a traditional GET URL parameter or POST body matches the specified regular expression. When a request
matches the expression, FortiWeb logs or sends a high-severity message as specified in the notification-
servers1 trigger policy.
config waf padding-oracle
edit "padding-oracle1"
set severity High
config protected-url-list
edit 1
set url-type regular
set protected-url "\/profile\.jsp\?uid\=(.*)"
set target parameter
end
Related topics
waf page-access-rule
Use this command to configure page access rules.
Page access rules define URLs that can be accessed only in a specific order, such as to enforce the business logic of a
web application. Requests for other, non-ordered URLs may interleave ordered URLs during the client’s session. Page
access rules may be specific to a web host.
For example, an e-commerce application might be designed to work properly in this order:
1. A client begins a session by adding an item to a shopping cart (/addToCart.do?*).

2. The client either views and adds additional items to the shopping cart, or proceeds directly to the checkout.
3. The client confirms the items that he or she wants to purchase (/checkout.do).
4. The client provides shipping information (/shipment.do).
5. The client pays for the items and shipment, completing the transaction (/payment.do).
Sessions that begin at the shipping or payment stage should therefore be invalid. If the web application does not
enforce this rule itself, it could be open to cross-site request forgery (CSRF) attacks on the payment feature. To prevent
such abuse, the FortiWeb appliance could enforce the rule itself using a page access rule set with the following order:
1. /addToCart.do?item=*
2. /checkout.do?login=*
3. /shipment.do

config 458
4. /payment.do
Attempts to request /payment.do before those other URLs during a session would be denied, and generate an alert
and attack log message. For details, see "log disk" on page 73.
To apply page access rules, select them within an inline protection profile. For details, see "waf web-protection-profile
inline-protection" on page 518.
Before you configure a page access rule, if you want to apply it only to HTTP requests for a specific real or virtual host,
you must first define the web host in a protected hosts group. For details, see "server-policy allow-hosts" on page 108.
You can use SNMP traps to notify you when a page access rule is enforced. For details, see "system snmp community"
on page 299.
In order for page access rules to be enforced, you must also enable http-session-
management {enable | disable} (page 521) in the inline protection profile.
Syntax
config waf page-access-rule
edit "<page-access-rule_name>"
set page-severity {Low | Medium | High | Info}
set page-trigger <page-trigger-policy_name>
config page-access-list
edit <entry_index>
next
end
next
end
"<page-access-rule_name>" Enter the name of a new or existing rule. The maximum No


edit ?
message contains a Severity Level (severity_level) field.
page-severity {Low |
Medium | High | Info} Select which severity level the FortiWeb appliance will use when it
logs a violation of the rule:
l Informative

config 459
l Low
l Medium
High
l
The default value is Medium.
page-trigger <page- Select which trigger, if any, that the FortiWeb appliance will use
trigger-policy_name> when it logs and/or sends an alert email about a violation of the
rule.

The valid range is 1–9,999,999,999,999,999,999.
Page access rules should be added to the set in the order No

<entry_index>
which clients will be permitted to access them. default.
For example, if a client must access /login.asp before

/account.asp, add the rule for /login.asp first.
host "<protected-hosts_ Enter the name of a protected host that the Host: field of an No
name>" HTTP request must be in order to match the page access default.
rule. The maximum length is 255 characters.

Enable to apply this page access rule only to HTTP requests

for specific web hosts. Also configure host
host-status {enable | "<protected-hosts_name>" (page 459). disable
disable}
Disable to match the page access rule based upon the other
criteria, such as the URL, but regardless of the Host: field.
request-file "<url_str>" Depending on your selection in request-type {plain | No

regular} (page 460), enter either: default.
l The literal URL, such as /cart.php, that the HTTP request

must contain in order to match the page access rule. The URL
must begin with a slash ( / ).
the URLs to which the page access rule should apply. The
pattern is not required to begin with a slash ( / ). However, it must
at least match URLs that begin with a slash, such as
/cart.cfm.

config 460

Specify whether request-file "<url_str>" (page 459) will

regular} contain a literal URL (plain), or a regular expression designed to plain
match multiple URLs (regular).
Example
This example allows any request to www.example.com, as long as it follows the expected sequence within a session for
the four key shopping cart URLs (/addToCart.do, /checkout.do, /shipment.do, then /payment.do).
config waf page-access-rule
edit "page-access-rule1"
config page-access-list
edit 1
set request-file "/addToCart.do?item=*"
next
edit 2
set request-file "/checkout.do?login=*"
next
edit 3
set request-file "/shipment.do"
next
edit 4
set request-file "/payment.do"
next
end
next
end
Related topics

config 461
waf parameter-validation-rule
Use this command to configure parameter validation rules, each of which is a group of input rule entries.
To apply parameter validation rules, select them within an inline or Offline Protection profile. For details, see "waf web-
Before you can configure parameter validation rules, you must first configure one or more input rules. For details, see
"waf input-rule" on page 424.
You can use SNMP traps to notify you when a parameter validation rule is enforced. For details, see "system snmp
Syntax
config waf parameter-validation-rule
edit "<rule_name>"
config input-rule-list
edit <entry_index>
set input-rule "<input-rule_name>"
next
end
next
end

edit ?
<entry_index>
range is 1–9,999,999,999,999,999,999. default.
input-rule "<input-rule_ Enter the name of an input rule to use in the parameter No
name>" validation rule. The maximum length is 63 characters. default.
To display the list of existing input rules, enter:

set input-rule ?
Example
This example configures a parameter validation rule that applies two input rules.
config waf parameter-validation-rule
edit "parameter_validator1"

config 462
edit 1
set input-rule "input_rule1"
next
edit 2
set input-rule "input_rule2"
next
end
next
end
Related topics
l "waf input-rule" on page 424
waf signature
Use this command to configure web server protection rules.
There are several security features specifically designed to protect web servers from known attacks. You can configure
defenses against:
l Cross-site scripting (XSS)

l SQL injection and many other code injection styles
l Remote file inclusion (RFI)
l Local file inclusion (LFI)
l OS commands
l Trojans/viruses
l Exploits
l Sensitive server information disclosure
l Credit card data leaks
To defend against known attacks, FortiWeb scans:
l Parameters in the URL of HTTP GET requests

l Parameters in the body of HTTP POST requests
l XML in the body of HTTP POST requests (if xml-protocol-detection {enable | disable} (page 522) is
enabled)
l Cookies
l Headers
l JSON Protocol Detection
l Uploaded filename(MULTIPART_FORM_DATA_FILENAME)
In addition to scanning standard requests, signatures can also scan action message format 3.0 (AMF3) binary inputs
used by Adobe Flash clients to communicate with server-side software and XML. For details, see amf3-protocol-

config 463
detection {enable | disable} (page 522) and malformed-xml-check {enable | disable} (page
522) (for inline protection profiles) or amf3-protocol-detection {enable | disable} (page 534) (for
Offline Protection profiles).
Updating signatures
Known attack signatures can be updated. For details about uploading a new set of attack definitions, see the FortiWeb
You can also create your own. For details, see "waf custom-protection-rule" on page 370.
Configuring signatures
Before configuring a server protection rule, if you want to configure your own attack or data leak signatures, you must
also configure custom server protection rules. For details, see "waf custom-protection-group" on page 368.
Each server protection rule can be configured with the severity and notification settings (“trigger”) that, in combination
with the action, determines how FortiWeb handles each violation.
For example, attacks categorized as cross-site scripting and SQL injection could have the action set to alert_
deny, the severity set to High, and a trigger set to deliver an alert email each time these rule violations are
detected. Specific signatures in those categories, however, might be disabled, set to log/alert instead, or exempt
requests to specific host names/URLs.
Alternatively, you can automatically configure a server protection rule that detects all
attack types by generating a default auto-learning profile. For details, see the
Overriding signature category configuration
To override category-wide actions for a specific signature, configure:
l config signature_disable_list (page 464)—Disable a specific signature ID (e.g. 040000007), even if the
category in general (e.g. SQL Injection (Extended)) is enabled.
l config sub_class_disable_list (page 464)—Disable a subcategory of signatures (e.g. Session Fixation),
even if the category in general (e.g. General Attacks) is enabled.
l config alert_only_list (page 464)—Only log/alert when detecting the attack, even if the category in general is
configured to block.
l config filter_list (page 464)—Exempt specific host name and/or URL combinations from scanning with this
signature.
Applying signature policies
To apply server protection rules, select them within an inline or Offline Protection profile. For details, see "waf web-

config 464
You can use SNMP traps to notify you when an attack or data leak has been detected. For details, see "system snmp
Syntax
config waf signature
edit "<signature-set_name>"
set credit-card-detection-threshold <instances_int>
set custom-protection-group "<group_name>"
config main_class_list
edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 |
060000000 | 070000000 | 080000000 | 090000000 | 100000000 | 110000000 |
120000000}
set action {alert |alert_deny | block-period |only_erase | send_http_
response | alert_erase | redirect | deny_no_log}
set trigger "trigger-policy_name>"
next
end
config signature_disable_list
edit "<signature-id_str>"
next
end
config sub_class_disable_list
edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 |
060000000 | 070000000 | 080000000 | 090000000 | 100000000 | 110000000 |
120000000}
next
end
config alert_only_list
edit "<alert-only-list_signature-id_str>"
next
end
config fpm_disable_list
edit "<fpm-disable-list_signature-id_str>"
next
end
config scoring_override_disable_list
edit "<scoring-override-disable-list_signature-id_str>"
next
end
config score_grade_list
edit "<score-grade-list_signature-id_str>"
set scoring-grade {off | low | med | high | crit}
next
end
config filter_list
edit <entry_index>
set signature_id "<signature-id_str>"
set match-target {HTTP_METHOD | CLIENT_IP | HOST | URI| FULL_URL |
PARAMETER| COOKIE}
set operator {STRING_MATCH | REGEXP_MATCH | EQ | NE| INCLUDE | EXCLUDE}
set http-method {get post head options trace connect delete put others
patch}
set ip {<ipv4> | <ipv6>}
set name {"<name_str>" | "<name_pattern>"}

config 465
set value-check {enable | disable}

set value {"<value_str>" | "<value_pattern>"}
set concatenate-type {AND | OR}
next
end
next
end
"<signature-set_name>" Enter the name of a new or existing rule. The maximum No default.

edit ?
credit-card-detection- Enter the number of credit cards that triggers the credit
threshold <instances_ card number detection feature.
int>
For example, to ignore web pages with only one credit card
1
number, but to detect when a web page containing two or
more credit cards, enter 2.
custom-protection-group Enter the name of the custom signature group to be used, No default.
"<group_name>" if any. The maximum length is 63 characters.
To display the list of existing custom signature groups,

enter:
set custom-protection-group ?
{010000000 | 020000000 | Enter the ID of a signature class (or, for subclass overrides,
030000000 | 040000000 | the subclass ID).
050000000 | 060000000 |
070000000 | 080000000 | No default.
To display the list of signature classes, enter:
090000000 | 100000000 |
110000000 | 120000000} edit ?
action {alert |alert_ Select which action the FortiWeb appliance will take when alert
deny | block- it detects a signature match.
period |only_erase |
send_http_response | Note: This is not a single setting. Available actions may
alert_erase | redirect |
vary slightly, depending on what is possible for each
deny_no_log}
specific type of attack/information disclosure.

and/or log message.
Note: Does not cloak, except for removing sensitive

headers. (Sensitive information in the body remains
unaltered.)

config 466

connection) and generate an alert email and/or log
message.
You can customize the web page that FortiWeb returns

to the client with the HTTP status code. For details, see

Note: If FortiWeb is deployed behind a NAT load

balancer, when using this option, you must also define
an X-header that indicates the original client’s IP. Failure
to do so may cause FortiWeb to block all connections
when it detects a violation of this type. For details, see
"waf x-forwarded-for" on page 542.
l only_erase—Hide sensitive information in replies

from the web server (sometimes called “cloaking”). Block
the request or remove the sensitive information, but do
not generate an alert email and/or log message.
Caution: This option is not supported in Offline

Protection mode.
l send_http_response—Block and reply to the client

with an HTTP error message, and generate an alert
email, a log message, or both
l alert_erase—Hide replies with sensitive information

(sometimes called “cloaking”). Block the reply (or reset
the connection) or remove the sensitive information, and
l deny_no_log—Deny a request. Do not generate a

log message.
Note: This option is not fully supported in Offline

Protection mode. Effects will be identical to alert;
sensitive information will not be blocked or erased.
l redirect—Redirect the request to the URL that you specify

in the protection profile and generate an alert email and/or log
message. Also configure redirect-url "<redirect_
fqdn>" (page 529) and rdt-reason {enable |
disable} (page 529).
Caution: FortiWeb ignores this setting if monitor-mode

config 467
Note: Actions that generate log messages alert email

actions require the features to be enabled and configured.
For details, see "log disk" on page 73 and "log alertMail" on
page 67.
Note: If you select an auto-learning profile in the policy

with Offline Protection profiles that use this rule, select
alert. If the action is alert_deny, the FortiWeb
appliance resets the connection when it detects an attack
and the session information for the auto-learning feature
will be incomplete. For details about auto-learning
requirements, see "waf web-protection-profile
autolearning-profile" on page 516.
block-period <seconds_ Enter the number of seconds that you want to block 60
int> subsequent requests from the client after the FortiWeb
appliance detects that the client has violated the rule.
The valid range is 1–3,600. The setting is applicable only if

action is period-block.
Note: This is not a single setting. You can configure the

block period separately for each signature category.
severity {Low | Medium | When rule violations are recorded in the attack log, each
High | Info} log message contains a Severity Level (severity_
level) field. Select which severity level the FortiWeb
appliance will use when it logs a violation of the rule:
l Low Medium
l Medium
l High
Note: This is not a single setting. You can configure the
severity separately for each signature category.
trigger "trigger-policy_ Enter the name of the trigger, if any, to apply when a No default.
name>" protection rule is violated. For details, see "log trigger-
policy" on page 101. The maximum length is 63
characters.

set trigger ?
Note: This is not a single setting. You can configure a

different trigger for each signature category.
"<signature-id_str>" Enter the ID of a specific signature that you want to

No default.
disable.

config 468
Some signatures often cause false positives and are

disabled by default. To display a list, enter:
edit ?
"<alert-only-list_ Enter the ID of a specific signature that generates logs or No default.

signature-id_str>" alert email only and does not block matching requests.
"<fpm-disable-list_ Enter the ID of a specific signature for which false positive

signature-id_str>" mitigation is disabled.
The false positive mitigation feature performs additional No default.

lexical and syntax analysis after a SQL injection signature
matches a request.
"<scoring-override- Enter the ID of a specific signature that will not be affected No default.
disable-list_signature- by the threat weight settings in a device reputation security
id_str>"
policy, if any. When traffic violates specified signature,
FortiWeb takes the local action specified for that signature.
"<score-grade-list_ Enter the ID of a specific signature to configure its threat

signature-id_str>" weight.
No default.
Specify the scoring-grade to set the threat weight of
the specified signature.
scoring-grade {off | low Specify the threat weight that the signature adds to the No default.
| med | high | crit} combined threat weight in the selected device reputation
security policy.
Global threat weight risk level values can be modified

using config server-policy pattern threat-
weight (page 139).
<entry_index> Enter the index number of the individual entry in the table. The
valid range is 1–128. You can create up to 128 exceptions for No default.
each signature.
signature_id Enter the ID of a specific signature that you want to disable No default.
"<signature-id_str>" when the request matches the specified object.
match-target {HTTP_ Enter the type of object that FortiWeb examines for
METHOD | CLIENT_IP | matching values:
HOST | URI| FULL_URL |
PARAMETER| COOKIE} l HTTP_METHOD—One or more HTTP methods specified by
http-method {get post head options trace
connect delete put others patch} (page 469).
l CLIENT_IP—The IP address or IP range specified by ip
{<ipv4> | <ipv6>} (page 469).

config 469
l HOST—The Host: field value specified by value

{"<value_str>" | "<value_pattern>"} (page
470).
l URI—The URL value specified by value. The value does not
include parameters.
l FULL_URL—The URL value specified by value. The value
includes parameters to match.
l PARAMETER—A parameter specified by name {"<name_
str>" | "<name_pattern>"} (page 470). To match a
specific parameter value, enable value-check {enable
| disable} (page 470), and then specify value.
l COOKIE—A cookie specified by name. To match a specific
cookie value, enable value-check, and then specify
value.
operator {STRING_MATCH | Enter the type of values to match. The match-target

REGEXP_MATCH | EQ | NE| value determines which types are available.
INCLUDE | EXCLUDE}
l STRING_MATCH—value is a literal value (for example, a
literal host name).
l REGEXP_MATCH—value is a regular expression that
matches the object the exception applies to.
l EQ—When match-target is CLIENT_IP, FortiWeb only
performs a signature scan for requests with a client IP address
that matches the value of ip.
l NE—When match-target is CLIENT_IP, FortiWeb does
not perform a signature scan for requests with a client IP
address that matches the value of ip.
l INCLUDE—When match-target is HTTP_METHOD,
FortiWeb does not perform a signature scan for requests that
include the HTTP methods specified by http-method.
l EXCLUDE—When match-target is HTTP_METHOD,
FortiWeb only performs a signature scan for requests that
include the HTTP methods specified by http-method.
http-method {get post When match-target {HTTP_METHOD | CLIENT_

head options trace IP | HOST | URI| FULL_URL | PARAMETER|
connect delete put No default.
others patch} COOKIE} (page 468) is HTTP_METHOD, specifies one or
more HTTP methods to match.
ip {<ipv4> | <ipv6>} When match-target {HTTP_METHOD | CLIENT_ No default.

IP | HOST | URI| FULL_URL | PARAMETER|
COOKIE} (page 468) is CLIENT_IP, specifies the
IP address or IP range to match.

config 470
name {"<name_str>" | Enter the name of a parameter or cookie to match.

"<name_pattern>"} Whether the value is a literal value or a regular expression
is determined by the value of operator {STRING_
MATCH | REGEXP_MATCH | EQ | NE| INCLUDE
| EXCLUDE} (page 469). No default.
Available when match-target {HTTP_METHOD |
CLIENT_IP | HOST | URI| FULL_URL |
PARAMETER| COOKIE} (page 468) is PARAMETER or
COOKIE.
value-check {enable | Enable to specify whether matching requests match a disable

disable} specified parameter or cookie value as well as the
specified parameter or cookie name.
value {"<value_str>" | Enter the value to match (for example, a Host: field
"<value_pattern>"} value). Whether the value is a literal value or a regular No default.
expression is determined by the value of operator.
concatenate-type {AND | l AND—A matching request matches this entry in addition to AND
OR} other entries in the list.
l OR—A matching request matches this entry or other entries in
the list.
comment "<comment_str>" Enter a description or other comment. No default.
Example
This example enables both the Trojans (070000000) and XSS (010000000) classes of signatures, setting them to
result in attack logs with a severity_level field of High, and using the email and SNMP settings defined in
notification-servers1. It also enables use of custom attack and data leak signatures in the set named
custom-signature-group1.
This example disables by ID a signature that is known to cause false positives (080200001). It also makes an
exception (config filter_list) by ID for a specific signature (070000001) for a URL (/virus-sample-
upload) on a host (www.example.com) that is used by security researchers to receive virus samples.
config waf signature
edit "attack-signatures1"
set custom-protection-group "custom-signature-group1"
config main_class_list
edit "010000000"
set severity High
next
edit "070000000"
set severity High
next
end

config 471
config signature_disable_list
edit "080200001"
next
end
config filter_list
edit 1
set signature_id "070000001"
set match-target HOST
set value "www.example.com"
next
edit 2
set signature_id "070000001"
set match-target URI
set value "/virus-sample-upload"
next
end
next
end
Related topics
l "waf custom-protection-group" on page 368
waf site-publish-helper authentication-server-pool
Use this command to create a pool of authentication server connections for use with a site publishing rule.
Syntax
config waf site-publish-helper authentication-server-pool
edit "<authentication-server-pool_name>"
edit <entry_index>
set server-type {ldap | radius}
set ldap-server "<ldap-query_name>"
set radius-server "<radius-query_name>"
set rsa-securid {enable | disable}
end
next
end
"<authentication-server- Enter the name of a new or existing authentication server No

config 472
pool_name>" pool. The maximum length is 63 characters. default.
To display the list of existing pools, enter:

edit ?
Enter the index number of a new or existing server entry in the No

<entry_index>
authentication server pool. default.
server-type {ldap | Set the server type to the server entry <entry_index>. Enter ldap
radius} ldap for a LDAP server or radius for a RADIUS server.
Set the name of the LDAP query to the server entry <entry_
ldap-server "<ldap-query_ No
name>" index> if you set the server entry as LDAP. For details, see "user
default.
ldap-user" on page 318.
radius-server "<radius- Set the name of the RADIUS query to the server entry <entry_ No
query_name>" index> if you set the server entry as RADIUS. For details, see default.
"user radius-user" on page 325.
Specify whether FortiWeb authenticates clients using a

username and a RSA SecurID authentication code only.
Users are not required to enter a password.
When this option is enabled, the authentication delegation

rsa-securid {enable |
disable} options in the site publish rule are not available. disable
Available only if server-type {ldap | radius} (page

472) is radius and client-auth-method {html-
form-auth | http-auth | client-cert-auth
| saml-auth} (page 478) is html-form-auth.
Example
For an example, see "waf site-publish-helper rule" on page 475.
Related topics
waf site-publish-helper keytab_file
Use this command to group together web applications that you want to publish.z

config 473
waf site-publish-helper policy
Use this command to group together web applications that you want to publish.
Before you configure site publishing policies, you must first define the individual sites that will be a part of the group. For
details, see "waf site-publish-helper rule" on page 475.
To apply this policy, include it in an inline web protection profile. For details, see "waf web-protection-profile inline-
Syntax
config waf site-publish-helper policy
edit "<site-publish-policy_name>"
set account-lockout {enable | disable}
set max-login-failures <failures_int>
set account-block-period <account-block-period_int>
set within <within_int>
set credential-stuffing-protection {enable | disable}
set severity {high | medium | low | Info}
set trigger "<trigger_policy>"
config rule
edit <entry_index>
set rule-name "<site-publish-rule_name>"
next
end
next
end
"<site-publish-policy_ Enter the name of a new or existing policy. The maximum No


edit ?
account-lockout {enable | Enable to prevent account cracking by locking an account out after
disable
disable} several failures logging into FortiWeb.
max-login-failures Set the threshold of login failure. FortiWeb will trigger lockout to 5
<failures_int> the account if number of login failure exceeds the threshold during
the specified time period (within <within_int> (page 474)).
account-block-period Set the time period (in minutes) that FortiWeb locks out an account
<account-block-period_
60
for. No more login is accepted for the locked account during the

config 474
int> period.
within <within_int> Set the time period (in minutes) for FortiWeb counting the login 3
failures and judging lockout to accounts. Count of login failure of
an account will be reset when the time period is up.
credential-stuffing-
Enable to use FortiGuard's Credential Stuffing Defense database
protection {enable | disable
disable} to prevent against credential stuffing attacks.
action {alert | alert_ Set the action. The options are: No

deny | block-period | default.
deny_no_log} l alert—Accept the request and generate an alert email and/or
log message.
generate an alert email and/or log message
a number of seconds.
message.
You can customize the web page that returns to the client
with the HTTP status code.
If the action {alert | alert_deny | block-

period | deny_no_log} (page 474) is block-
block-period <block_
period_int> period, set amount of time (in seconds) FortiWeb will block 60
subsequent requests from the client. The valid range is 1–
3600.
severity {high | medium Set the severity of credential stuffing attacks. No

| low | Info} default.
trigger "<trigger_ Select the trigger policy, if any, to apply in the Site Publish policy. No
policy>" For details, see "log trigger-policy" on page 101. default.
rule-name "<site-publish- No
rule_name>" Enter the name of an existing rule.
default.
Example
For an example, see "waf site-publish-helper rule" on page 475.

config 475
Related topics
waf site-publish-helper rule
Use this command to configure access control, authentication, and, optionally, SSO for your web applications.
You may want to configure single sign-on (SSO) and combination access control and authentication (called “site
publishing” in the GUI) instead of configuring simple HTTP authentication rules if:
l Your users access multiple web applications on your domain

l You have defined accounts centrally on an LDAP (such as Microsoft Active Directory) or RADIUS server
SSO provides a benefit over HTTP authentication rules: your users do not need to authenticate each time they access
separate web applications in your domain. When FortiWeb receives the first request, it will return (depending on your
configuration) an HTML authentication form or HTTP WWW-Authenticate: code to the client.
FortiWeb sends the client’s credentials in a query to the authentication server. Once the client is successfully
authenticated, if the web application supports HTTP authentication and you have configured delegation, FortiWeb
forwards the credentials to the web application. The server’s response is returned to the client. Until the session expires,
subsequent requests from the client to the same or other web applications in the same domain do not require the client
to authenticate..
For example, you may prefer SSO if you are using FortiWeb to replace your discontinued Microsoft Threat Management
Gateway, using it as a portal for multiple applications such as SharePoint, Outlook Web Application, and/or IIS. Your
users will only need to authenticate once while using those resources.
Before you configure site publishing, you must first define the queries to your authentication server. For details, see
"user ldap-user" on page 318 and "server-policy custom-application application-policy" on page 110.
FortiWeb supports the following additional site publishing options:

config 476
l RADIUS authentication that requires users to provide a secondary password, PIN, or token code in addition to a username
and password (two-factor authentication)
l RADIUS authentication that allows users to authenticate using their username and RSA SecurID token code only (no
password)
l Regular Kerberos authentication delegation and Kerberos constrained delegation
For details about these options, see the descriptions of the individual site publishing rule settings and the FortiWeb
Syntax
config waf site-publish-helper rule
edit "<site-publish-rule_name>"
set req-type {plain | regular}
set saml-server "<server_name>"
set service-principal-name-pool "<pool_name>"
set published-site "<host_fqdn>"
set path "<url_str>"
set client-auth-method {html-form-auth | http-auth | client-cert-auth
| saml-auth}
set logoff-path-type {plain | regular}
set Published-Server-Logoff-Path "<url_str>"
set cookie-timeout <timeout_int>
set kerberos-type {krb5 | spnego}
set auth-server-pool "<authentication-server-pool_name>"
set auth-delegation {http-basic | kerberos | kerberos-constrained-
delegation | no-delegation | ntlm}
set field-name {subject | SAN}
set attribution-name {email | UPN}
set delegated-spn "<delegated-spn_str>"
set keytab-file <keytab_file>
set delegator-spn "<delegator-spn_str>"
set prefix-support {enable | disable}
set prefix-domain "<prefix-domain_str>"
set alert-type {all | fail | none | success}
set sso-support {enable | disable}
set sso-domain "<domain_str>"
set exchage-activesync {enable | disable}
next
end
"<site-publish-rule_ Enter the name of a new or existing rule. The maximum No default.

config 477
edit ?
status {enable | Enable to activate this rule.

disable}
This can be used to temporarily deactivate access to a enable
single web application without removing it from a site
publishing policy.
req-type {plain | Select whether published-site "<host_fqdn>" (page plain

regular} 477) contains a literal FQDN (plain), or a regular expression
designed to match multiple host names or fully qualified
domain names (regular).
saml-server "<server_ Select the SAML server that FortiWeb uses to

name>" authenticate clients.
Available only when client-auth-method {html- No default.

form-auth | http-auth | client-cert-auth
| saml-auth} (page 478) is set to saml-auth.
service-principal-name- Select the SPN pool for the application that clients access No default.
pool "<pool_name>" using this site publish rule.
Available only when auth-delegation {http-

basic | kerberos | kerberos-
constrained-delegation | no-delegation
| ntlm} (page 479) is kerberos or kerberos-
constrained-delegation.
published-site "<host_ Depending on your selection in req-type {plain |

fqdn>" regular} (page 477), enter either:
l The literal Host: name, such as

sharepoint.example.com, that the HTTP request must
contain in order to match the rule.
l A regular expression, such as ^*\.example\.edu,
matching only the host names to which the rule should apply.
No default.

point ( ! ) are not supported. For information on language
and regular expression matching, see the FortiWeb
path "<url_str>" Enter the URL of the request for the web application, such as No default.
/owa. It must begin with a forward slash ( / ).

config 478
client-auth-method Specify one of the following options:

{html-form-auth | http-
auth | client-cert-auth l html-form-auth—FortiWeb authenticates clients by
| saml-auth} presenting an HTML web page with an authentication form.
l http-auth—FortiWeb authenticates clients by providing an
HTTP AUTH code so that the browser displays its own
dialog.return an HTTP AUTH code so that the browser
displays its own dialog.
l client-cert-auth—FortiWeb validates the HTTP html-form-
client’s personal certificate using the certificate verifier auth
specified in the associated server policy or server pool
configuration.
l saml-auth—FortiWeb uses a SAML server to pass identity
information to a service provider via a signed XML document
for client authentication.
If exchage-activesync {enable | disable}
(page 483) is enable, only http_auth is allowed here.
logoff-path-type Specify whether Published-Server-Logoff-Path

{plain | regular} contains a literal URL (plain), or a regular expression
designed to match multiple URLs (regular).
Published-Server-Logoff- This setting appears only if client-auth-method

Path "<url_str>" {html-form-auth | http-auth | client-
cert-auth | saml-auth} (page 478) is html-
form-auth.
Depending on the value of logoff-path-type, enter

one of the following values:
l The literal URL of the request that a client sends to log out of
the application (for example, /owa/auth/logoff.aspx .
l A regular expression that matches the request that a client
sends to log out of the application.
No default.
Ensure that the value is a sub-path of the path value. For
example, if path is /owa, /owa/auth/logoff.aspx
is a valid value.
When a client logs out of the web application, FortiWeb

redirects the client to its authentication dialog.
Note:Regular expressions beginning with an exclamation

point ( ! ) are not supported. For information on language
and regular expression matching, see the FortiWeb

config 479
cookie-timeout <timeout_ Specify the length of time (in minutes) that passes before 0
int> the cookie that the site publish rule adds expires and the
client must re-authenticate.
The valid range is 0–216,000. To disable the limit, enter 0.

(page 483) is enable, this must be 0.
If you enter a value of 0, the browser only deletes the

cookie when the user closes all browser windows.
auth-server-pool Enter the name of the pool of servers that FortiWeb uses to
"<authentication-server- authenticate clients. For details, see "waf site-publish-helper No default.
pool_name>"
authentication-server-pool" on page 471.
auth-delegation {http- Specify one of the following options: no-

basic | kerberos | delegation
kerberos-constrained- l http-basic—Use HTTP Authorization: headers
delegation | no- with Base64 encoding to forward the client’s credentials
delegation | ntlm}
to the web application. Typically, you should select this
option if the web application supports HTTP protocol-
based authentication.
Available only if client-auth-method {html-

form-auth | http-auth | client-cert-
auth | saml-auth} (page 478) is html-form-
auth or http-auth.
l kerberos—After it authenticates the client via the

HTTP form or HTTP basic method, FortiWeb obtains a
Kerberos service ticket for the specified web application
on behalf of the client. It adds the ticket to the HTTP
Authorization: header of the client request with
Base64 encoding.
Available only if client-auth-method is html-

form-auth or http-auth.
l kerberos-constrained-delegation—After it
authenticates the client’s certificate, FortiWeb obtains a
Kerberos service ticket for the specified web application
on behalf of the client. It adds the ticket to the HTTP
Authorization: header of the client request with
Base64 encoding.
Available only if client-auth-method is client-

cert-auth.
l no-delegation—FortiWeb does not send the client’s

credentials to the web application.

config 480
Select this option when the web application has no

authentication of its own or uses HTML form-based
authentication.
Note: If the web application uses HTML form-based

authentication, the client is required to authenticate
twice: once with FortiWeb and once with the web
application’s form.
l ntlm—FortiWeb uses NT LAN Manager (NTLM) for

authentication delegation. This is a challenge/response
authentication protocol that FortiWeb uses to verify the
identify of clients attempting to connect to the server(s).
Note: If the POST method request triggers NTLM

authentication, the request body cannot exceed 100M.

(page 483) is enable, only no_delegation or http-
basic is allowed here.
Not available when rsa-securid {enable |

field-name {subject | Specify one of the following options to specify the

SAN} certificate information that FortiWeb uses to determines
the client username:
l subject—The email address value in the certificate’s

Subject information.
For attribution-name {email | UPN} (page

481), select email.
l SAN—The certificate’s subjectAltName (Subject

Alternative Name or SAN) and either the User Principal
Name (UPN) or the email address value in the
certificate’s Subject information. SAN
For attribution-name, enter UPN or email.
In certificates issued in a Windows environment, the

certificate’s SAN and UPN contain the username. For
example:
username@domain

| ntlm} (page 479) is kerberos-constrained-
delegation.

config 481
attribution-name Specify one of the following options to specify the UPN

{email | UPN} certificate information that FortiWeb uses to determines
the client username:
l email—The email address value in the certificate’s

Subject information.
For field-name {subject | SAN} (page 480),

enter subject or SAN.
l UPN—The User Principal Name (UPN) value.
For field-name, enter SAN.
Note: Because the email value can be an alias rather than

the real DC (domain controller) domain, the most reliable
method for determining the username is SAN and UPN.

delegation.
delegated-spn Specify the Service Principal Name (SPN) for the web
"<delegated-spn_str>" application that clients access using this site publish rule.
A service principal name uses the following format:

<service_type >/<instance_name>:<port_
number>/
<service_name>
For example, for an Exchange server that belongs to the

No default.
domain dc1.com and has the hostname USER-
U3LOJFPLH1, the SPN is http/USER-
[email protected].

| ntlm} (page 479) is kerberos or kerberos-
constrained-delegation.
keytab-file <keytab_ Specify the keytab file configuration for the AD user that No default.
file> FortiWeb uses to obtain Kerberos service tickets for
clients. For details, see "waf site-publish-helper keytab_
file" on page 472.


config 482

delegation.
delegator-spn Specify the Service Principal Name (SPN) that you used to
"<delegator-spn_str>" generate the keytab specified by keytab-file
<keytab_file> (page 481).
This is the SPN of the AD user that FortiWeb uses to

obtain a Kerberos service tickets for clients.
No default.
delegation.
prefix-support {enable | Enable to allow users in environments that require users to enable
disable} log in using both a domain and username to log in with just
a username. Also specify prefix-domain
"<prefix-domain_str>" (page 482).
In some environments, the domain controller requires

users to log in with the username format
domain\username. For example, if the domain is
example.com and the username is user1, the user
enters EXAMPLE\user1.
Alternatively, enable this option and enter EXAMPLE for

prefix-domain "<prefix-domain_str>" (page
482). The user enters user1 for the username value and
FortiWeb automatically adds EXAMPLE\ to the HTTP
Authorization: header before it forwards it to the web
application.

| ntlm} (page 479) is http-basic or kerberos.
prefix-domain "<prefix- Enter a domain name that FortiWeb adds to the HTTP
domain_str>" Authorization: header before it forwards it to the web
application.
Available only when prefix-support {enable |

disable} (page 482) is enabled. No default.
If auth-delegation {http-basic | kerberos

| kerberos-constrained-delegation | no-
delegation | ntlm} (page 479) is kerberos,
ensure that the string is the full domain name (for

config 483
example, example.com).
sso-domain "<domain_ Enter the domain suffix of Host: names that will be allowed to No default.
str>" share this rule’s authentication sessions, such as
.example.com. Include the period ( . ) that precedes the
host’s name.
sso-support {enable | Enable for single sign-on support.

disable}
For example, if this website is www1.example.com and
the SSO domain is .example.com, once a client has
authenticated with that site, it can access
www2.example.com without authenticating a second
time.
Site publishing SSO sessions exist on FortiWeb only; they disable

are not synchronized to the authentication and/or
accounting server, and therefore SSO is not shared with
non-web applications. For SSO with other protocols,
consult the documentation for your FortiGate or other
firewall.

(page 483) is enable, this must be disable.
alert-type {all | fail | Specify which site publishing-related authentication events none
none | success} the FortiWeb appliance will log and/or send an alert email
about.
l all
l fail
l success
l none
Event log messages contain the user name,
authentication type, success or failure, and source address
(for example, User jdoe [Site Publish] login
successful from 172.0.2.5) when an end-user
successfully authenticates. A similar message is recorded
if the authentication fails (for example, User hackers
[Site Publish] login failed from
172.0.2.5).
Note: Logging and/or alert email occurs only if it is

enabled and configured. For details, see "log disk" on page
73 and "log alertMail" on page 67.
exchage-activesync Enable to allow Android clients to access to Microsoft

Exchange servers through Exchange ActiveSync protocol.

config 484
Note: If this is enabled, these are restrictions are put in

place:
l Only http_auth is allowed for client-auth-method

{html-form-auth | http-auth | client-cert-
auth | saml-auth} (page 478).
l sso-support {enable | disable} (page 483) must
be disable.
l cookie-timeout <timeout_int> (page 479) must be
0.
l Only no_delegation or http-basic is allowed for
auth-delegation {http-basic | kerberos |
kerberos-constrained-delegation | no-
delegation | ntlm} (page 479).
kerberos-type {krb5 | Two kinds of authorization mechanisms are available, which

spnego} are used by web servers to retrieve the Kerberos tickets.
Available only when Authentication Delegation is Kerberos.
Example
This example configures a site publisher with SSO for both Outlook and Sharepoint on the example.com domain.
edit "LDAP server pool"
edit 1
set server-type ldap
set ldap-server "LDAP query 1"
end
next
end
edit "RADIUS server pool"
edit 1
set server-type radius
set ldap-server "RADIUS query 1"
end
next
end
config waf site-publish-helper rule
edit "Outlook"
set published-site "^*\.example\.edu"
set auth-server-pool "LDAP server pool"
set auth-delegation http-basic
set sso-support enable
set sso-domain ".example.edu"
set path "/owa"
set alert-type fail
set Published-Server-Logoff-Path /owa/auth/logoff.aspx?Cmd=logoff
next
edit "Sharepoint"

config 485
set published-site ^*\\.example\\.edu

set req-type regular
set auth-server-pool "RADIUS server pool"
set auth-delegation http-basic
set sso-support enable
set sso-domain ".example.edu"
set path "/sharepoint"
set alert-type fail
next
end
config waf site-publish-helper policy
edit "example_com_apps"
config rule
edit 1
set rule-name "Outlook"
next
edit 2
set rule-name "Sharepoint"
next
end
next
end
Related topics
l "waf site-publish-helper policy" on page 473
l "waf site-publish-helper authentication-server-pool" on page 471
waf start-pages
Use this command to configure start page rules.
When a start page group is selected in the inline protection profile, HTTP clients must begin from a valid start page in
order to initiate a valid session.
For example, you may wish to specify that HTTP clients of an e-commerce website must begin their session from either
an item view or the first stage of the shopping cart checkout, and cannot begin a valid session from the third stage of the
shopping cart checkout.
To apply start pages, select them within an inline protection profile. For details, see "waf web-protection-profile inline-
Before you configure a start page rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you
must first define the web host in a protected hosts group. For details, see "server-policy allow-hosts" on page 108.
You can use SNMP traps to notify you when a start page rule is enforced. For details, see "system snmp community" on
page 299.

config 486
Syntax
config waf start-pages
edit "<start-page-rule_name>"
set action {alert | alert_deny | block-period | redirect | send_403_
config start-page-list
edit <entry_index>
set default {yes | no}
next
end
next
end
"<start-page-rule_name>" Enter the name of a new or existing rule. The maximum No


edit ?

appliance will perform when an HTTP request that initiates a
session does not begin with one of the allowed start pages.

and/or log message.


deny | block-period | the client with the HTTP status code. For details, see No
redirect | send_403_ "system replacemsg" on page 294. default.

on page 542.

config 487



message.



block-period <seconds_ If action {alert | alert_deny | block- 1

int> period | redirect | send_403_forbidden |
deny_no_log} (page 486) is block-period, type,
specify the number of seconds that the connection will be
blocked. The valid range is 1–3,600.
severity {Low | Medium | Select the severity level to use in logs and reports generated when
Low
High | Info} a violation of the rule occurs.

set trigger ?
Enter the index number of the individual entry in the table. No

<entry_index>
name>" HTTP request must be in order to match the start page rule. default.

config 488

Enable to apply this start page rule only to HTTP requests for
specific web hosts. Also configure host "<protected-
host-status {enable | hosts_name>" (page 487). disable
disable}
Disable to match the start page rule based upon the other
criteria, such as the URL, but regardless of the Host: field.
request-file "<url_str>" Depending on your selection in request-type {plain | No

regular} (page 488), enter either: default.
l The literal URL, such as /index.php, that the HTTP request

must contain in order to match the start page rule. The URL must
begin with a slash ( / ).
the URLs to which the start page rule should apply. The pattern is
not required to begin with a slash ( / ). However, it must at least
match URLs that begin with a slash, such as /index.cfm.

Select whether request-file "<url_str>" (page 488)

regular} will contain a literal URL (plain), or a regular expression plain
designed to match multiple URLs (regular).
default {yes | no} Enter yes to use the page as the default for HTTP requests no
that either:
l Do not specify a URL.

l Do not specify the URL of a valid start page (only if you
have selected redirect from action).
Otherwise, enter no.

config 489
Example
This example redirects clients to the default start page, /index.html, if clients request a page that is not one of the
valid start pages (/index.html or /cart/login.jsp). Redirection will occur only if the request is destined for one
of the virtual or real hosts defined in the protected hosts group named example_com_hosts.
config waf start-pages
edit "start-page-rule1"
edit 1
set host "example_com"
set request-file "/index.html"
set default yes
next
edit 2
set host "example_com_hosts"
set request-file "/cart/login.jsp"
set default no
next
next
end
Related topics
waf url-access url-access-policy
Use this command to configure a set of URL access rules that define HTTP requests that are allowed or denied.
Before using this command, you must first define your URL access rules. For details, see "waf url-access url-access-
rule" on page 490.
To apply URL access policies, select them within an inline or Offline Protection profile. For details, see "waf web-
protection-profile inline-protection" on page 518 or "waf web-protection-profile offline-protection" on page 531.
You can use SNMP traps to notify you when a URL access rule is enforced. For details, see "system snmp community"
on page 299.
Syntax
config waf url-access url-access-policy
edit "<url-access-policy_name>"
config rule
edit <entry_index>

config 490
set url-access-rule-name "<url-access-rule_name>"

next
end
next
end
"<url-access-policy_ Enter the name of the new or existing URL access policy. The No
name>" maximum length is 63 characters. default.

edit ?
<entry_index>
range is 1–9,999,999,999,999,999,999. default.
url-access-rule-name Enter the name of the existing URL access rule to add to the policy. No
"<url-access-rule_name>" The maximum length is 63 characters. default.
Example
This example adds two rules to the policy, with the first one set to priority level 0, and the second one set to priority level
1. The rule with priority 0 would be applied first.
config waf url-access url-access-policy
edit "URL-access-set2"
config rule
edit 1
set url-access-rule-name "URL Access Rule 1"
next
edit 2
set url-access-rule-name "Blocked URL"
next
next
end
Related topics
l "waf url-access url-access-rule" on page 490
waf url-access url-access-rule
Use this command to configure URL access rules that define the HTTP requests that are allowed or denied based on
their host name and URL.

config 491
Typically, for example, access to administrative panels for your web application should only be allowed if the client’s
source IP address is an administrator’s computer on your private management network. Unauthenticated access from
unknown locations increases risk of compromise. Best practice dictates that such risk should be minimized.
To apply URL access rules, first group them within a URL access policy. For details see, "waf url-access url-access-
You can use SNMP traps to notify you when a URL access rule is enforced. For details, see "system snmp community"
on page 299.
Syntax
config waf url-access url-access-rule
edit "<url-access-rule_name>"
set action {alert_deny | continue | pass | deny_no_log}
set severity {Informative | Low | Medium | High | Info}
config match-condition
edit <entry_index>
set sip-address-check {enable | disable}
set sip-address-type {sip | sdomain | source-domain}
set sip-address-value "<client_ip>"
set sdomain-type {"<ipv4>" | "<ipv6>"}
set sip-address-domain "<fqdn_str>"
set source-domain-type {simple-string | regex-expression}
set source-domain "<source-domain_str>"
set type {regex-expression | simple-string}
set reg-exp "<object_pattern>"
set reverse-match {yes | no}
next
end
next
end
"<url-access-rule_name>" Enter the name of a new or existing rule. The maximum No


edit ?
Select which action the FortiWeb appliance will take when a

request matches the URL access rule.
action {alert_deny |
continue | pass | deny_ l alert_deny—Block the request (or reset the connection) pass
no_log} and generate an alert email and/or log message.

config 492
l continue—Generate an alert and/or log message, then

continue by evaluating any subsequent rules defined in the
web protection profile. If no other rules are violated, allow
the request. If multiple rules are violated, a single request
will generate multiple attack log messages. For details, see
"debug flow trace" on page 583.
l pass—Allow the request. Do not generate an alert and/or

log message.

message.



select pass. If the action is alert_deny, the FortiWeb
learning feature. For details about auto-learning
requirements, see "waf web-protection-profile autolearning-
profile" on page 516.
name>" HTTP request must be in order to match the rule. The default.
This setting is used only if host-status {enable |

Enable to require that the Host: field of the HTTP request match
host-status {enable |
disable} a protected hosts entry in order to match the rule. Also configure disable
host "<protected-hosts_name>" (page 492).
severity {Informative When rule violations are recorded in the attack log, each log Low
| Low | Medium | High | message contains a Severity Level (severity_level)
Info}
field. Select which severity level the FortiWeb appliance will
use when a blacklisted IP address attempts to connect to your
web servers:
l Informative
l Low

config 493
l Medium
l High
l Info
Select which trigger, if any, that the FortiWeb appliance will

use when it logs and/or sends an alert email about a
blacklisted IP address’s attempt to connect to your web
trigger "<trigger-policy_ servers. The maximum length is 63 characters. For details, No
name>" see "log trigger-policy" on page 101. default.

set trigger ?
Enable to add the client’s source IP address as a criteria for

sip-address-check matching the URL access rule. Also configure sip-address-
disable
{enable | disable} type {sip | sdomain | source-domain} (page 493)
and the specific settings for each source address type.
sip-address-type {sip | l sip—Configure sip-address-value "<client_ip>" sip

sdomain | source-domain} (page 493).
l sdomain—Configure sdomain-type {"<ipv4>" |
"<ipv6>"} (page 493) and sip-address-domain
"<fqdn_str>" (page 494).
l source-domain—Configure source-domain-type
{simple-string | regex-expression} (page 494) and
source-domain "<source-domain_str>" (page 494).
Enter one of the following values:
l A single IP address that a client source IP must match, such as a

trusted private network IP address (e.g. an administrator’s
sip-address-value computer, 172.16.1.20).
0.0.0.0
"<client_ip>" l A range or addresses (e.g., 172.22.14.1-172.22.14.255
or 10:200::10:1-10:200:10:100).
Available only if sip-address-type {sip |
sdomain | source-domain} (page 493) is sip.
sdomain-type {"<ipv4>" | Specifies the type of IP address FortiWeb retrieves from the No
"<ipv6>"} DNS lookup of the domain specified by sip-address- default.
domain "<fqdn_str>" (page 494).

sdomain | source-domain} (page 493) is sdomain.

config 494
Specifies the domain to match the client source IP after DNS

sip-address-domain lookup. No
"<fqdn_str>" default.
source-domain-type l simple-string—source-domain specifies a literal simple-

{simple-string | regex- domain. string
expression}
l regex-expression—source-domain specifies a regular
expression that is designed to match multiple URLs.
sdomain | source-domain} (page 493) is source-
domain.
Enter a literal domain or a regular expression that is designed

source-domain "<source- to match multiple URLs. No
domain_str>" default.
type {regex-expression | Select how to use the text in reg-exp "<object_ No

simple-string} pattern>" (page 494) to determine whether or not a default.
request URL meets the conditions for this rule.
l simple-string—The text is a string that request URLs must

match exactly.
l regular-expression—The text is a regular expression that
defines a set of matching URLs.
Depending on your selection in type {regex-

expression | simple-string} (page 494) and
reverse-match {yes | no} (page 494), type a regular
expression that defines either all matching or all non-
matching URLs. Then, also configure reverse-match
{yes | no} (page 494).
reg-exp "<object_ For example, for the URL access rule to match all URLs that No
pattern>" begin with /wordpress, you could enter ^/wordpress, default.
then, for reverse-match, enter no.
The pattern is not required to begin with a slash ( / ). The


point ( ! ) are not supported. Instead, use reverse-match
{yes | no}.
reverse-match {yes | no} Indicate how to use reg-exp "<object_pattern>" no

(page 494) when determining whether or not this rule’s

config 495
l no—If the simple string or regular expression does match the

request URL, the condition is met.
l yes—If the simple string or regular expression does not match
the request URL, the condition is met.
The effect is equivalent to preceding a regular expression with an
exclamation point ( ! ).
Example
This example defines two sets of URL access rules.
The first set, Blocked URL, defines two URL match conditions: one uses a simple string to match an administrative
page, and the other uses a regular expression to match a set of dynamic URLs for statistics pages.
The second set, Allowed URL, defines a single match condition that uses a regular expression to match all dynamic
forms of the index page.
Actual blocking or allowing of the URLs, however, would not occur until a policy applies these URL access rules, and
sets an action that the FortiWeb appliance will perform when an HTTP request matches either rule set.
config waf url-access url-access-rule
edit "Blocked URL"
edit 1
set type simple-string
set reg-exp "/admin.php"
next
edit 2
set type regular-expression
set reverse-match no
set reg-exp "statistics.php*"
next
end
next
edit "Allowed URL"
edit 1
set type regular-expression
set reverse-match no
set reg-exp "index.php*"
next
end
next
end
Related topics

config 496
l "waf url-access url-access-policy" on page 489
waf url-rewrite url-rewrite-policy
Use this command to group URL rewrite rules.
Before you can configure a URL rewrite group, you must first configure any URL rewriting rules that you want to include.
For details, see "waf url-rewrite url-rewrite-rule" on page 497.
To apply a URL rewriting group, select it in an inline protection profile. For details, see "waf web-protection-profile inline-
Syntax
config waf url-rewrite url-rewrite-policy
edit "<url-rewrite-group_name>"
config rule
edit <entry_index>
set url-rewrite-rule-name "<url-rewrite-rule_name>"
next
end
next
end
"<url-rewrite-group_ Enter the name of the URL rewriting rule group. The maximum No
To display the list of existing group, enter:

edit ?
<entry_index>
range is 1–9,999,999,999,999,999,999. default.
url-rewrite-rule-name Enter the name of an existing URL rewriting rule that you want to No
"<url-rewrite-rule_name>" include in the group. The maximum length is 63 characters. default.
Related topics
l "waf url-rewrite url-rewrite-rule" on page 497

config 497
waf url-rewrite url-rewrite-rule
Use this command to configure URL rewrite rules or to redirect requests.
Rewriting or redirecting HTTP requests and responses is popular, and can be done for many reasons.
Similar to error message cloaking, URL rewriting can prevent the disclosure of underlying technology or website
structures to HTTP clients.
For example, when visiting a blog web page, its URL might be:
http://www.example.com/wordpress/?feed=rss2
Simply knowing the file name, that the blog uses PHP, its compatible database types, and the names of parameters via
the URL could help an attacker to craft an appropriate attack for that platform. By rewriting the URL to something more
human-readable and less platform-specific, the details can be hidden:
http://www.example.com/rss2
Aside from for security, rewriting and redirects can be for aesthetics or business reasons. Financial institutions can
transparently redirect customers that accidentally request HTTP:
http://bank.example.com/login
to authenticate and do transactions on their secured HTTPS site:

https://bank.example.com/login
Additional uses could include:
l During maintenance windows, requests can be redirected to a read-only server.

l International customers can use global URLs, with no need to configure the back-end web servers to respond to additional
HTTP virtual host names.
l Shorter URLs with easy-to-remember phrases and formatting are easier for customers to understand, remember, and
return to.
Much more than their name implies, “URL rewriting rules” can do all of those things, and more:
l Redirect HTTP requests to HTTPS

l Rewrite the URL line in the header of an HTTP request
l Rewrite the Host: field in the header of an HTTP request
l Rewrite the Referer: field in the header of an HTTP request
l Redirect requests to another website
l Send a 403 Forbidden response to a matching HTTP requests
l Rewrite the HTTP location line in the header of a matching redirect response from the web server
l Rewrite the body of an HTTP response from the web server
Rewrites/redirects are not supported in all modes. For details, see the FortiWeb
To use a URL rewriting rule, add it to a policy. For details, see "waf url-rewrite url-rewrite-policy" on page 496.

config 498
Syntax
config waf url-rewrite url-rewrite-rule
edit "<url-rewrite-rule_name>"
set action {403-forbidden | redirect | redirect-301 | http-body-rewrite |
http-header-rewrite | location-rewrite}
set header-name "<header-name_str>"
set header-status {enable | disable}
set header-value "<header-value_str>"
set host {<server_fqdn> | <server_ipv4> | <host_pattern>}
set host-use-pserver {enable | disable}
set url "<replacement-url_str>"
set url-status {enable | disable}
set location "<location_str>"
set location_replace "<location_str>"
set referer-status {enable | disable}
set referer "<referer-url_str>"
set referer-use-pserver {enable | disable}
set body_replace "<replacement_str>"
edit <entry_index>
set content-filter {enable | disable}
set content-type-set {text/html text/plain text/javascript
application/xml(or)text/xml application/javascript
application/soap+xml application/x-javascript}
set HTTP-protocol {http | https}
set is-essential {yes | no}
set object {http-host | http-reference | http-url}
set protocol-filter {enable | disable}
set reg-exp "<object_pattern>"
set reverse-match {yes | no}
next
end
next
end
"<url-rewrite-rule_name>" Enter the name of a new or existing rule. The maximum No


edit ?
action {403-forbidden | Specify one of the following values:

redirect | redirect-301 | http-
http-body-rewrite | http- l 403-forbidden—Send a 403 (Forbidden) response to the header-
header-rewrite | client.
location-rewrite}
rewrite
l redirect—Send a 302 (Moved Temporarily) response

config 499
to the client, with a new Location: field in the HTTP header.

l redirect-301—Send a 301 (Moved Permanently)
response to the client, with a new Location: field in the HTTP
header.
l http-body-rewrite—Replace the specific HTTP content in
the body of responses.
l http-header-rewrite—Rewrite the host, referer and
request URL fields in HTTP header.
l location-rewrite—Rewrite the location string in a 302
redirect.
header-name "<header- Enter the name of the header field that you want to insert to a No
name_str>" request, such as "Myheader." default.
header-status {enable | Enable to insert the specified header and value to the matched
disable} HTTP requests. Specifies the header name and header value
through header-name "<header-name_str>" (page 499) disable
and header-value "<header-value_str>" (page 499),
respectively.
header-value "<header- Enter the value of the header field that you specified in header- No
value_str>" name "<header-name_str>" (page 499), such as "123." default.
Then, the customized header Myheader: 123 will be inserted to
the matched HTTP requests.
host {<server_fqdn> | Type the FQDN of the host, such as store.example.com,

<server_ipv4> | <host_ to which the request will be redirected. The maximum length
pattern>}
is 255 characters.
This option is available only when host-status

{enable | disable} (page 500) is enabled and action
{403-forbidden | redirect | redirect-301 |
http-body-rewrite | http-header-rewrite |
location-rewrite} (page 498) is http-header-
rewrite.
This field supports back references such as $0 to the parts of No

the original request that matched any capture groups that you default.
entered in reg-exp "<object_pattern>" (page 503)
for each object in the condition table. (A capture group is a
regular expression, or part of one, surrounded in
parentheses.)
Use $ n (0 <= n <= 9) to invoke a substring, where n is the

order of appearance of the regular expression, from left to
right, from outside to inside, then from top to bottom.
For example, regular expressions in the condition table in this

order:

config 500
(a)(b)(c(d))(e)
(f)
would result in invokable variables with the following values:
l $0—a
l $1—b
l $2—cd
l $3—d
l $4—e
l $5—f
host-status {enable | Enable to rewrite the Host: field or host name part of the disable
disable} Referer: field.
When disabled, the FortiWeb appliance preserves the value

from the client’s request when rewriting it.
This option is available only when action {403-

forbidden | redirect | redirect-301 | http-
body-rewrite | http-header-rewrite |
rewrite.
host-use-pserver Enable this when you have a server farm for server balance or
{enable | disable} content routing. In this case you do not know which server in
the server farm the FortiWeb appliance will use. When
FortiWeb processes the request, it sets the value for the
actual host.
This option is available only when host-status disable

rewrite. Any setting you make for host is ignored.
url "<replacement-url_ Enter the string, such as /catalog/item1, that will replace No
str>" the request URL. The maximum length is 255 characters. default.
This option is available only when url-status

rewrite.

www.example.com, nor the protocol, which are configured

config 501
separately in host {<server_fqdn> | <server_

ipv4> | <host_pattern>} (page 499).
Like host, this field supports back references such as $0 to

the parts reg-exp "<object_pattern>" (page 503) for
each object in the condition table.
For an example, see the FortiWeb Administration Guide:
url-status Enable to rewrite the URL part of the request URL.

{enable | disable}
If you disable this option, the FortiWeb appliance preserves
the value from the client’s request when it rewrites it.
This option is available only when action {403- disable

rewrite.
location "<location_str>" Enter the replacement value for the Location: field in the No
HTTP header for the 302 response. The maximum length is default.
255 characters.
This option is available only when action {403-

location-rewrite} (page 498) is redirect.
location_replace Enter the URL string that provides a location for use in a 302
"<location_str>" HTTP redirect response from a web server connected to
FortiWeb. The maximum length is 255 characters.
This option is available only when action {403- No

forbidden | redirect | redirect-301 | http- default.
location-rewrite} (page 498) is location-
rewrite.
referer-status {enable | Enable to rewrite the Referer: field in the HTML header. Also disable
disable} configure referer "<referer-url_str>" (page 501) and
referer-use-pserver {enable | disable} (page 502).
referer "<referer-url_ Enter the replacement value for the Referer: field in the
str>" HTML header. The maximum length is 255 characters. No
This option is available only when referer-status default.

config 502
referer-use-pserver Enable this when you have a server farm for server balance or disable
{enable | disable} content routing. In this case you do not know which server in
the server farm the FortiWeb appliance will use. When
FortiWeb processes the request, it sets the value for the
actual referrer.
This option is available only when referer-status

rewrite. Any setting you make for referer
"<referer-url_str>" (page 501) is ignored.
body_replace Enter the value that will replace matching HTTP content in the
"<replacement_str>" body of responses. The maximum is 255 characters.
For an example, see the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides No
This option is available only when action {403- default.
location-rewrite} (page 498) is http-body-
rewrite.
content-filter {enable | Enable if you want to match this condition only for specific HTTP
disable} content types (also called Internet or MIME file types) such as
text/html, as indicated in the Content-Type: HTTP header.
Also configure content-type-set {text/html
disable
text/plain text/javascript application/xml
(or)text/xml application/javascript
application/soap+xml application/x-javascript}
(page 502).
content-type-set Enter the HTTP content types that you want to match in a No
{text/html text/plain space-delimited list, such as: default.
text/javascript
application/xml set content-type-set text/html text/plain
(or)text/xml
application/javascript
application/soap+xml
application/x-javascript}
HTTP-protocol {http | Select which protocol will match this condition, either HTTP or
https} http
HTTPS.

config 503
This option is applicable only if protocol-filter

{enable | disable} (page 503) is set to enable.
is-essential {yes | no} Select what to do if there is no Referer: field, either: yes
l no—Meet this condition.

l yes—Do not meet this condition.
Requests can lack a Referer: field for several reasons,
such as if the user manually types the URL, and the request
does not result from a hyperlink from another website, or if the
URL resulted from an HTTPS connection. In those cases, the
field cannot be tested for a matching value. For details, see
the RFC 2616 section on the Referer: field
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).
This option appears only if object {http-host |

http-reference | http-url} (page 503) is http-
reference.
object {http-host | http- Select which part of the HTTP request to test for a match:
reference | http-url}
l http-host
l http-url
l http-reference (the Referer: field) http-
host
If the request must match multiple conditions (for example, it
must contain both a matching Host: field and a matching
URL), add each object match condition to the condition table
separately.
protocol-filter {enable | Enable if you want to match this condition only for either disable
disable} HTTP or HTTPS. Also configure HTTP-protocol
{http | https} (page 502).
For example, you could redirect clients that accidentally

request the login page by HTTP to a more secure HTTPS
channel—but the redirect is not necessary for HTTPS
requests.
As another example, if URLs in HTTPS requests should be

exempt from rewriting, you could configure the rewriting rule
to apply only to HTTP requests.
reg-exp "<object_ Depending on your selection in object {http-host |

pattern>" http-reference | http-url} (page 503) and
reverse-match {yes | no} (page 504), type a regular No
expression that defines either all matching or all non- default.
matching Host: fields, URLs, or Referer: fields. Then,
also configure reverse-match {yes | no}.

config 504
For example, for the URL rewriting rule to match all URLs that
begin with /wordpress, you could enter ^/wordpress,
then, in reverse-match {yes | no}, select no.
The pattern is not required to begin with a slash ( / ). The


point ( ! ) are not supported. Instead, use reverse-match
{yes | no}.
reverse-match {yes | no} Indicate how to use reg-exp "<object_pattern>" no

(page 503)when determining whether or not this URL
rewriting condition has been met.
l no—If the regular expression does match the request object, the
condition is met.
l yes—If the regular expression does not match the request
object, the condition is met.
The effect is equivalent to preceding a regular expression with an
exclamation point ( ! ).
If all conditions are met, the FortiWeb appliance will do your
selected action {403-forbidden | redirect |
redirect-301 | http-body-rewrite | http-
header-rewrite | location-rewrite} (page 498).
Related topics
l "waf url-rewrite url-rewrite-policy" on page 496
waf user-tracking policy
Use this command to group user tracking rules, which track sessions by user and capture a username to reference in
traffic and attack log messages.
Before you configure a user-tracking policy, define the rules to add. For details, see "waf user-tracking rule" on page
505.
To apply a user tracking policy, you select it in an inline or Offline Protection profile. For details, see "waf web-
Syntax
config waf user-tracking policy
edit "<user-tracking-policy_name>"

config 505
edit <entry_index>
set input-rule "<input-rule_name>"
next
end
next
end
"<user-tracking-policy_ Enter the name of a new or existing policy. The maximum No


edit ?
<entry_index>
range is 1–9,999,999,999,999,999,999. default.
input-rule "<input-rule_ Enter the name of an existing rule. No

name>" default.
waf user-tracking rule
Use this command to configure FortiWeb to track sessions by user and capture a username to reference in traffic and
attack log messages.
When FortiWeb detects users that match the criteria that you specify in a user tracking policy, it stores the session ID
and username.
To apply a user tracking rule, add it to a user tracking policy that you can select in an inline or Offline Protection profile.
For details, see "waf user-tracking policy" on page 504.
You can apply a user tracking policy using either an inline or Offline Protection profile. However, in Offline Protection
mode, session-fixation-protection, session-timeout-enforcement, and the deny, redirect and
period block actions are not supported.
You can also use the user tracking feature to create a filter in a custom rule that matches specific users. This type of
custom rule requires you to create a user tracking policy and apply it to the protection profile that uses the custom rule.
For details, see "waf custom-access rule" on page 356.
Syntax
config waf user-tracking rule
edit "<rule_name>"
set hostname-ip "<hostname-ip_str>"
set host-status { enable | disable}
set authentication-url "<url_str>"
set username-parameter "<username_str>"

config 506
set password-parameter "<password_str>"

set session-id-name "<session-id_str>"
set logoff-path "<logoff_str>"
set session-fixation-protection {enable | disable}
set session-timeout-enforcement {enable | disable}
set session-timeout <timeout_int>
set session-frozen-time <frozen-time_int>
set session-frozen-action {alert | alert_deny | redirect | block-period | deny_
no_log}
set session-frozen-block-period <block-period_int>
set session-frozen-severity {High | Medium | Low | Info}
set session-frozen-trigger "<trigger-policy_name>"
set default-action {failed | success}
set credential-stuffing-protection {enable | disable}
edit <entry_index>
set authentication-result-type {failed | success}
set HTTP-match-target {return-code | response-body | redirect-url}
set value-type {plain | regular}
set value "<value-str>"
next
end
next
end
"<rule_name>" Enter a name that identifies the rule. You will use this name No
to reference the rule in other parts of the configuration. The default.
hostname-ip "<hostname- No
ip_str>" default.
host-status { enable | No
disable} default.
authentication-url "<url_ Enter the URL to match in authorization requests. No

str>" default.
Ensure that the value begins with a forward slash ( / ).
username-parameter Enter the username field value to match in authorization No

"<username_str>" requests. default.
password-parameter Enter the password field value to match in authorization No

"<password_str>" requests. default.
session-id-name Enter the name of the session ID that is used to identify each No
"<session-id_str>" session. default.
Examples of session ID names are sid, PHPSESSID, and

JSESSIONID

config 507
Optionally, enter the URL of the request that a client sends to

log out of the application.
logoff-path "<logoff_ No
str>" When the client sends this URL, FortiWeb stops tracking the
default.
user session.
Ensure that the value begins with a forward slash ( / ).
session-fixation- Enter enable to configure FortiWeb to erase session IDs disable

protection {enable | from the cookie and argument fields of a matching login
disable}
request.
FortiWeb erases the IDs for non-authenticated sessions only.
For web applications that do not renew the session cookie

when a user logs in, it is possible for an attacker to trick a user
into authenticating with a session ID that the attacker
acquired earlier. This feature prevents the attacker from
accessing the web app in an authenticated session.
When this feature removes session IDs, FortiWeb does not

generate a log message because it is very common for a
legitimate user to access a web application using an existing
cookie. For example, a client who leaves his or her web
browser open between sessions presents the cookie from an
earlier session.
Caution: This option is not supported in Offline Protection

mode.
Enter enable to configure FortiWeb to remove the session

ID for user sessions that are idle for longer than the length of
time specified by session-timeout. When a session is
session-timeout-
reset, the client has to log in again to access the back-end
enforcement {enable | server. disable
disable}
If a session exceeds the timeout threshold, instead of tracking
subsequent matching sessions by user, FortiWeb takes the
specified action, for a length of time specified by session-
frozen-time.
session-timeout <timeout_ Enter the length of time in minutes that FortiWeb waits before 30
int> it stops tracking an inactive user session.
Enter the length of time after a session exceeds the timeout

session-frozen-time threshold that FortiWeb takes the specified action against
requests with the ID of the timed-out session. 30
<frozen-time_int>
After the freeze time has elapsed, FortiWeb removes the

config 508
session ID for idle sessions but no longer takes the specified

action.
Available only when session-timeout-enforcement

session-frozen-action When session-timeout-enforcement {enable | alert

{alert | alert_deny | disable} (page 507) is enable, enter the action that
redirect | block-period |
deny_no_log} FortiWeb takes against requests with the ID of a timed-out
session during the specified time period, or when
credential-stuffing-protection {enable |
disable} (page 509) is enabled enter the action that
FortiWeb takes against spilled username/password pairs:

and/or log message.
l alert_deny—Block the request and generate an alert


Note: In Offline Protection mode, because the deny action

is not supported, this option has the same effect as alert.
l redirect — Redirect the request to the URL that you

specify in the protection profile and generate an alert and/or
log message. Also configure redirect-url
<redirect_fqdn> and rdt-reason {enable |
disable}.

mode

client for a specified number of seconds.
deny_no_log—Deny a request. Do not generate a log

message.


mode
When the action generates a log message, the message field

value is Session Timeout Enforcement:
triggered by user <username>.

config 509

{enable | disable} (page 507) or credential-
stuffing-protection {enable | disable} (page
509) is set to enable.
Enter the number of seconds to block requests with the ID of

a timed-out session or when credential-stuffing-
protection {enable | disable} (page 509) is
session-frozen-block- enabled and detects spilled username/password pairs.
60
period <block-period_int>
This setting is available only if session-frozen-action
{alert | alert_deny | redirect | block-
period | deny_no_log} (page 508) is block-
period. The valid range is 1–3,600.
session-frozen-severity When the session timeout settings generate an attack log, Low
{High | Medium | Low | each log message contains a Severity Level (severity_
Info}
level) field. Select which severity level FortiWeb uses when
it takes the specified action:
l Low
l Medium
l High
{enable | disable} (page 507) or credential-
stuffing-protection {enable | disable} (page
509) is set to enable.
Enter the name of the trigger, if any, to apply when FortiWeb

detects requests with the ID of a timed-out session or when
credential-stuffing-protection is enabled and
FortiWeb detects spilled username/password pairs. The
session-frozen-trigger maximum length is 63 characters. No
"<trigger-policy_name>" default.
For details, see "log trigger-policy" on page 101.

set trigger ?
default-action {failed | Enter the authentication result that FortiWeb associates with failed
success} requests that match the criteria but do not match an entry in
the Authentication Result Condition Table.
When the login result is successful, FortiWeb tracks the

session using the session ID and username values.
credential-stuffing- Enable to use FortiGuard's Credential Stuffing Defense

protection {enable |
disable
database to prevent against Credential Stuffing attacks. For

config 510

disable}
default.
Specify the status FortiWeb assigns to user logins that match

this table item: failed or successful.
FortiWeb tracks sessions by user only when the status is

authentication-result-
successful. success
type {failed | success}
If the request does not match any rules in this table, FortiWeb
uses the value specified by default-action {failed
| success} (page 509).
HTTP-match-target Select the location of the value to match with the string or return-
{return-code | response- regular expression specified in this table item: return- code
body | redirect-url}
code, response-body, redirect-url.
value-type {plain | Indicate whether value is a simple string (plain) or a

plain
regular} regular expression (regular).
value "<value-str>" Enter the value to match. No

default.
Example
This example matches requests from clients using the URL /login2 with the parameters user and pass and a
session ID specified by jsessionid. FortiWeb tracks matching sessions by user and stops tracking if the client logs
out using the URL /logout2.
FortiWeb tracks only requests with the return code 200, which it classifies as successful. It does not track requests with
a response body that matches the regular expression deny. In addition, because the rule uses the default value for the
default authentication result, it does not track requests that do not match an item in the list of match conditions.
The rule enables both session fixation protection and session timeout enforcement for tracked sessions. If a session is
idle longer than the default session timeout, FortiWeb blocks requests from clients that use the session ID that has
timed out for the default period block time. It performs this action for 30 minutes after the session times out (the default
session freeze time).
config waf user-tracking
edit "rule1"
set authentication-url "/login2"
set username-parameter user
set password-parameter pass
set session-id-name "jsessionid"
set logoff-path "/logout2"
set session-fixation-protection enable
set timeout-enforcement enable
set session-frozen-action period-block

config 511
set session-frozen-severity High

set session-frozen-trigger "trigger1"
edit 1
set authentication-result-type success
set HTTP-match-target return-code
set value-type plain
set value 200
next
edit 2
set authentication-result-type failed
set HTTP-match-target return
set value-type regular
set value deny
next
end
next
end
Related topics
waf web-cache-exception
Use this command to configure FortiWeb to cache responses from your servers.
Use web-cache-exception to cache all URLs except for a few. To cache only a few URLs, see "waf web-cache-
To apply this policy, include it in an inline protection profile. For details, see "waf web-protection-profile inline-
Syntax
config waf web-cache-exception
edit "<web-cache-exception_rule_name>"
config exception-list
edit <entry_index>
set url-patten "<url-pattern_str>"
end
next
end

config 512
"<web-cache-exception_ Enter the name of a new or existing rule. The maximum No

rule_name>" length is 63 characters. default.

edit ?

<entry_index>
host-status {enable | Specify enable to require that the Host: field of the HTTP disable
disable} request match a protected host names entry in order to match
the exception. Also specify a value for host.
Specify which protected host names entry (either a web host

name or IP address) that the Host: field of the HTTP
request must be in to match the exception.
No
host "<host_str>"
Maximum length is 255 characters. default.

url-type {plain | Specify the type of value that is used for url-patten plain
regular} "<url-pattern_str>" (page 512):
l plain—A literal URL.

l regular — A regular expression designed to match multiple
URLs.

512) is plain, specify the literal URL, such as
/index.php, that the HTTP request must contain in order
to match the rule. The URL must begin with a slash ( / ).
If the value of url-type is regular, specify a regular

expression, such as ^/*.php, that matches all and only the
URLs that the rule applies to. The pattern does not require a
slash ( / ); however, it must match URLs that begin with a
url-patten "<url-pattern_ slash, such as /index.cfm. No
str>" default.
www.example.com, which is specified by host.
Tip: Generally, URLs that require autolearning adapters do

not work well with caching either. Do not cache dynamic URLs
that contain variables such as user names (e.g. older versions
of Microsoft OWA) or volatile data such as parameters.
Because FortiWeb is unlikely to receive identical subsequent

config 513
requests for them, dynamic URLs can rapidly consume cache

without improving performance.
cookie-name "<cookie- Specify the name of the cookie, such as sessionid, as it No

name_str>" appears in the Cookie: HTTP header. default.
Tip: Content that is unique to a user, such as personalized

pages that appear after a person has logged in, usually
should not be cached. If the web application’s authentication
is cookie-based, configure this setting with the name of the
authentication cookie. Otherwise, if it is parameter-based,
configure the exception with a URL pattern that matches the
authentication ID parameter.
Related topics
l "waf web-cache-policy" on page 513
waf web-cache-policy
Use this command to configure FortiWeb to cache responses from your servers.
Use web-cache-policy to cache only a few URLs. To cache all URLs except for a few, see config waf web-
cache-exception (page 511).
To apply this policy, include it in an inline protection profile. For details, see config waf web-protection-
profile inline-protection (page 518).
Syntax
config waf web-cache-policy
edit "<web-cache-policy_rule_name>"
set cache-buffer-size <cache-size_int>
set max-cached-page size <page-size_int>
set default-cache-timeout <cache-timeout_int>
set exception "<web-cache-exception_name>"
config url-match-list
edit <entry_index>
set url-pattern "<url-pattern_str>"
end

config 514
next
end
"<web-cache-policy_rule_ Enter the name of a new or existing rule. The maximum No


edit ?
Specify the maximum amount of RAM to allocate to caching

content, in MB (megabytes).
You cannot store cached content on FortiWeb’s hard disk.
The FortiWeb model determines the valid range of values:
l FortiWeb 400C, FortiWeb-VM (2-4 GB RAM): 1–100 MB

l FortiWeb 1000C, FortiWeb-VM (4-8 GB RAM): 1–200 MB
l FortiWeb 3000C, FortiWeb 3000C/CFsx, FortiWeb-VM (8–16 GB
RAM): 1–400 MB
l FortiWeb 4000C: 1–600 MB
l FortiWeb 1000D: 1–800 MB
l FortiWeb 1000E: 1–800 MB
cache-buffer-size <cache- l FortiWeb-VM (16+ GB RAM): 1–1,024 MB 100
size_int>
l FortiWeb 3000D/DFsx: 1–1,200 MB
l FortiWeb 4000D: 1–2,048 MB
If administrative domains (ADOMs) are enabled, the
maximums apply to the total RAM allotted to all ADOMs. For
example, a FortiWeb 1000D has two ADOMs. If the cache-
buffer-size value for the first ADOM is 600, the valid
range for cache-buffer-size for the second ADOM is 1–
200.
Tip: For improved performance, adjust this setting until it is

as small as possible yet FortiWeb can still fit most graphics
and server processing-intensive pages into its cache. This
allows FortiWeb to allocate more RAM to other features that
also affect throughput, such as scanning for attacks.
max-cached-page size Specify the maximum size of each URL that FortiWeb 2048
<page-size_int> caches, in kilobytes (KB). FortiWeb does not cache objects
such as high-resolution images, movies, or music that are
larger than this value.
Tip: For improved performance, adjust this setting until

FortiWeb can fit most graphics and server processing-

config 515
intensive pages into its cache.
Specify the time to live for each entry in the cache. FortiWeb
removes expired entries.
Valid range is 0–7,200.

default-cache-timeout
1440
<cache-timeout_int> When it receives a subsequent request for the URL, FortiWeb
forwards the request to the server and refreshes the cached
response. Any additional requests receive the new cached
response until the URL’s cache timeout expires.
exception "<web-cache- Specify the name of a list of exceptions. No

exception_name>" default.
For details, see "waf web-cache-exception" on page 511.

<entry_index>
host-status {enable | Specify enable to require that the Host: field of the HTTP disable
disable} request match a protected host names entry in order to match
the policy. Also specify a value for host "<host_str>"
(page 515).
Specify which protected host names entry (either a web host

name or IP address) that the Host: field of the HTTP
request must be in to match the policy. No
host "<host_str>"
default.
url-type {plain | Specify the type of value that is used for url-pattern plain
regular} "<url-pattern_str>" (page 515):
plain—A literal URL.

regular—A regular expression designed to match multiple
URLs.

515) is plain, specify the literal URL, such as
/index.php, that the HTTP request must contain in order
to match the rule. The URL must begin with a slash ( / ).
url-pattern "<url- No
pattern_str>" If the value of url-type is regular, specify a regular default.
expression, such as ^/*.php, that matches all and only the
URLs that the rule applies to. The pattern does not require a
slash ( / ); however, it must match URLs that begin with a
slash, such as /index.cfm.

config 516

www.example.com, which is specified by host "<host_
str>" (page 515).
Related topics
l "waf web-cache-exception" on page 511
waf web-protection-profile autolearning-profile
Use this command to configure auto-learning profiles.
Auto-learning profiles are useful when you want to collect information about the HTTP sessions on your unique network
in order to design inline or Offline Protection profiles suited for them. This reduces much of the research and guesswork
about what HTTP request methods, data types, and other types of content that your websites and web applications use
when designing an appropriate defense.
Auto-learning profiles track your web servers’ response to each request, such as 401 Unauthorized or
500 Internal Server Error, to learn about whether the request is legitimate or a potential attack attempt. Such
data is used for auto-learning reports, and can serve as the basis for generating inline protection or Offline Protection
profiles.
Auto-learning profiles are designed to be used in conjunction with a protection or detection profile, which is used to
detect attacks. Only if attacks are detected can the auto-learning profile accumulate auto-learning data and generate its
report. As a result, auto-learning profiles require that you also select a protection or detection profile in the same policy.
Use auto-learning profiles with profiles whose action is alert.
If action is alert_deny, the FortiWeb appliance will reset the connection,

preventing the auto-learning feature from gathering complete data on the session.
To apply auto-learning profiles, select them within a policy. For details, see "waf web-protection-profile offline-
protection" on page 531. Once applied in a policy, the FortiWeb appliance will collect data and generate a report from it.
Before configuring an auto-learning profile, first configure any of the following that you want to include in the profile:
l Data type group (see "server-policy pattern data-type-group" on page 132)

l Suspicious URL rule group (see "server-policy pattern suspicious-url-rule" on page 137)
l URL interpreter (see "server-policy custom-application application-policy" on page 110)

config 517
Alternatively, you could generate an auto-learning profile and its required

components, and then modify them. For details, see the FortiWeb Administration
Guide:
You must also disable any globally whitelisted objects. These will be exempt from scans and autolearning data. For
details, see "server-policy pattern custom-global-white-list-group" on page 128.
learngrp area. For details, see "Permissions" on page 51.
Syntax
config waf web-protection-profile autolearning-profile
edit "<auto-learning-profile_name>"
set data-type-group "<data-type-group_name>"
set suspicious-url-rule "<suspicious-url-rule-group_name>"
set attack-count-threshold <count_int>
set attack-percent-range <percent_int>
set application-policy "<policy_name>"
next
end
"<auto-learning-profile_ Enter the name of the auto-learning profile. The maximum No

To display the list of existing profile, enter:

edit ?
Enter the name of the data type group for the profile to use.
The maximum length is 63 characters. For details, see "server-
policy pattern data-type-group" on page 132.
data-type-group "<data- To display the list of existing groups, enter: No

type-group_name>" default.
set data-type-group ?
The auto-learning profile will learn about the names, length,

and required presence of these types of parameter inputs as
described in the data type group.
suspicious-url-rule Enter the name of a suspicious URL rule group to use. The No
"<suspicious-url-rule- maximum length is 63 characters. For details, see "server- default.
group_name>"
policy pattern suspicious-url-rule" on page 137.

set suspicious-url-rule ?

config 518
The auto-learning profile will learn about attempts to access

URLs that are typically used for web server or web application
administrator logins, such as admin.php. Requests from
clients for these types of URLs are considered to be a possible
attempt at either vulnerability scanning or administrative login
attacks, and therefore potentially malicious.
Enter the integer representing the threshold over which the

attack-count-threshold
<count_int> auto-learning profile adds the attack to the server protection 100
rules. The valid range is 1–2,147,483,647.
attack-percent-range Enter the integer representing the threshold of the percentage 5

<percent_int> of attacks to total hits over which the auto-learning profile adds
the attack to the server protection exceptions. The valid range
is 1–10,000.
Enter the name of a custom application policy to use. The

maximum length is 63 characters. For details, see "server-
application-policy policy custom-application application-policy" on page 110. No
To display the list of existing application policies, enter:
set application-policy ?
Related topics
l "server-policy pattern custom-global-white-list-group" on page 128
l "server-policy pattern data-type-group" on page 132
l "server-policy pattern suspicious-url-rule" on page 137
waf web-protection-profile inline-protection
Use this command to configure inline protection profiles.
Inline protection profiles are a set of attack protection settings. The FortiWeb appliance applies the profile when a
connection matches a server policy that includes the protection profile. You can use inline protection profiles in server
policies for any mode except Offline Protection.
To apply protection profiles, select them within a server policy. For details, see "server-policy policy" on page 146.
Before configuring an inline protection profile, first configure any of the following that you want to include in the profile:
l Parameter validation rule (see "waf parameter-validation-rule" on page 461)

l Start pages (see "waf start-pages" on page 485)

config 519
l Caching of back-end server responses (see "waf web-cache-policy" on page 513)

l URL access policy (see "waf url-access url-access-policy" on page 489
l Hidden field rule group (see "waf hidden-fields-protection" on page 398)
l Parameter restriction constraint (see "waf http-protocol-parameter-restriction" on page 418)
l Authentication policy and/or site publisher (see "waf http-authen http-authen-policy" on page 403 and "waf site-publish-
helper policy" on page 473)
l Brute force login attack sensor (see "waf brute-force-login" on page 344)
l Allowed method exception (see "waf allow-method-exceptions" on page 337)
l List of manually trusted and black-listed IPs, FortiGuard IP reputation category-based blacklisted IPs, and/or a
geographically-based IP blacklist (see "waf ip-intelligence" on page 429, "server-policy custom-application application-
policy" on page 110, and "waf geo-block-list" on page 395)
l Page order rule (see "waf page-access-rule" on page 457)
l Attack signatures (see "waf signature" on page 462)
l File security policy (see "server-policy custom-application application-policy" on page 110)
l URL rewriting policy (see "waf url-rewrite url-rewrite-policy" on page 496)
l XML protection policy ("waf xml-validation" on page 546)
l DoS protection policy (see "waf application-layer-dos-prevention" on page 341)
l Compression rules (see "waf file-compress-rule" on page 380)
l Decompression rules ("waf file-uncompress-rule" on page 382)
l Policy that protects vulnerable block cipher implementations for web applications that selectively encrypt inputs without
using HTTPS ("waf padding-oracle" on page 453)
l FortiGate that provides a list of quarantined source IPs ("system fortigate-integration" on page 255)
l Cross-site request forgery (CSRF) protection rule (see "waf csrf-protection" on page 351)
l Cookie security policy (see "waf cookie-security" on page 347)
l User tracking policy (see "waf user-tracking policy" on page 504)
Syntax
config waf web-protection-profile inline-protection
edit "<inline-protection-profile_name>"
set http-session-management {enable | disable}
set http-session-timeout <seconds_int>
set x-forwarded-for-rule "<x-forwarded-for_name>"
set signature-rule {"High Level Security" | "Medium Level Security" | "Alert
Only" | <signature-set_name>}
set amf3-protocol-detection {enable | disable}
set xml-protocol-detection {enable | disable}
set malformed-xml-check {enable | disable}
set malformed-xml-check-action {alert | alert_deny | block-period}
set malformed-xml-block-period <block-period_int>
set malformed-xml-check-severity {High | Low | Medium}
set malformed-xml-check-trigger "<trigger-policy_name>"
set json-protocol-detection {enable | disable}
set malformed-json-check {enable | disable}
set malformed-json-check-action {alert | alert_deny | block-period}
set malformed-json-block-period <block-period_int>
set malformed-json-check-severity {High | Medium | Low}

config 520
set malformed-json-check-trigger "<trigger-policy_name>"

set custom-access-policy "<combo-access_name>"
set padding-oracle "<rule_name>"
set csrf-protection "<rule_name>"
set cookie-security-policy "<cookie-security_name>"
set parameter-validation-rule "<rule_name>"
set hidden-fields-protection "<group_name>"
set file-upload-policy "<policy_name>"
set http-protocol-parameter-restriction "<constraint_name>"
set brute-force-login "<sensor_name>"
set url-access-policy "<policy_name>"
set page-access-rule "<rule_name>"
set start-pages "<rule_name>"
set allow-method-policy "<policy_name>"
set ip-list-policy "<policy_name>"
set geo-block-list-policy "<policy_name>"
set application-layer-dos-prevention "<policy_name>"
set ip-intelligence {enable | disable}
set fortigate-quarantined-ips {enable | disable}
set quarantined-ip-action {alert | alert_deny}
set quarantined-ip-severity {High | Medium | Low}
set quarantined-ip-trigger "<trigger-policy_name>"
set known-search-engine {enable | disable}
set url-rewrite-policy "<group_name>"
set http-authen-policy "<policy_name>"
set http-header-security "<policy_name>"
set site-publisher-helper "<policy_name>"
set file-compress-rule "<rule_name>"
set file-uncompress-rule "<rule_name>"
set web-cache-policy "<web-cache-policy_name>"
set user-tracking-policy "<user-tracking-policy_name>"
set redirect-url "<redirect_fqdn>"
set rdt-reason {enable | disable}
set data-analysis {enable | disable}
set device-tracking {enable | disable}
set device-reputation-security-policy "<drs_policy_name>"
set profile-id "<profile-id_str>"
set mitb-protection "<mitb-protection_name>"
set openapi-validation-policy "<openapi-validation-policy_name>"
set websocket-security-policy "<websocket-security-policy_name>"
next
end
"<inline-protection- Enter the name of the inline protection profile. The maximum No
profile_name>" length is 63 characters. default.

edit ?

config 521
Enable to add an implementation of HTTP sessions, and

track their states, using a cookie such as cookiesession1.
Also configure http-session-timeout <seconds_
int> (page 521).
Although HTTP has no inherent support for sessions, a notion

of individual HTTP client sessions, rather than simply the
source IP address and/or timestamp, is required by some
features.
For example, you might want to require that a client’s first

HTTP request always be a login page: the rest of the web
pages should be inaccessible if they have not authenticated.
Out-of-order requests could represent an attempt to bypass
the web application’s native authentication mechanism. How
can FortiWeb know if a request is the client’s first HTTP
request?
If FortiWeb were to treat each request independently, without

http-session-management knowledge of anything previous, it could not, by definition,
disable
{enable | disable} enforce page order.
Therefore FortiWeb must keep some record of the first

request from that client (the session initiation). It also must
record their previous HTTP request(s), until a span of time
(the session timeout) has elapsed during which there were no
more subsequent requests, after which it would require that
the session be initiated again.
The session management feature provides such FortiWeb

session support.
This feature requires that the client support cookies.
Note: You must enable this option:

l To enforce the start page rule, page access rule, and hidden
fields rule, if any of those are selected.
l If you want to include this profile’s traffic in the traffic log, in
addition to enabling traffic logs in general. For details, see "log
attack-log" on page 68.
http-session-timeout Enter the HTTP session timeout in seconds. The valid range 1200
<seconds_int> is 20–3,600.
This setting is available only if http-session-

management {enable | disable} (page 521) is
enabled.
x-forwarded-for-rule "<x- Specify the name of a rule that configures FortiWeb’s use of No
forwarded-for_name>" X-Forwarded-For: and X-Real-IP. The maximum length is 63 default.

config 522
characters. For details, see "waf x-forwarded-for" on page

542.

set x-forwarded-for-rule ?
signature-rule {"High Specify a signature policy to include in the profile. The No

Level Security" | "Medium maximum length is 63 characters. For details, see "waf default.
Level Security" | "Alert
Only" | <signature-set_ signature" on page 462.
name>}
set server-protection-rule ?
The type of attack that FortiWeb detects determines the

attack log messages for this feature. For a list, see "waf
signature" on page 462.
Enable to scan requests that use action message format 3.0

(AMF3) for these attacks if you have enabled those in the
signature set specified by signature-rule {"High
Level Security" | "Medium Level
Security" | "Alert Only" | <signature-set_
name>} (page 522):
l Cross-site scripting (XSS) attacks

amf3-protocol-detection SQL injection attacks
l disable
{enable | disable}
l Common exploits
AMF3 is a binary format that Adobe Flash clients can use to
send input to server-side software.
Caution: To scan for attacks or enforce input rules on AMF3,

you must enable this option. Failure to enable the option will
make the FortiWeb appliance unable to scan AMF3 requests
for attacks.
xml-protocol-detection Enable to scan for matches with attack and data leak disable
{enable | disable} signatures in Web 2.0 (XML AJAX) and other XML submitted
by clients in the bodies of HTTP POST requests.
Enable to validate that XML elements and attributes in the

request’s body conforms to the W3C XML 1.1 and/or XML
2.0 standards (http://www.w3.org/TR/xml-c14n2).
malformed-xml-check
Malformed XML, such as without the final > or with multiple
>> in the closing tag, is often an attempt to exploit an disable
{enable | disable}
unhandled error condition in a web application’s XHTML or
XML parser.
This feature is applicable only when xml-protocol-

config 523
detection {enable | disable} (page 522) is

enable. Attack log messages contain Illegal XML
Format when this feature detects malformed XML.
malformed-xml-check- Specify the action that FortiWeb takes when it detects a alert
action {alert | alert_ request that contains malformed XML:
deny | block-period}
message, or both.
l alert_deny—Block the request and generate an alert email, a
log message, or both.
l block-period—Block the XML traffic for a number of
seconds. Also configure malformed-xml-block-period
Enter the length of time (in seconds) that FortiWeb blocks

malformed-xml-block- XML traffic that contains malformed XML, in seconds. 60
The valid range is from 1–3,600.
malformed-xml-check- Select the severity level to use in logs and reports generated High
severity {High | Low | when illegal XML formats are detected.
Medium}
Enter the name of the trigger to apply when illegal XML

formats are detected. The maximum length is 63 characters.
malformed-xml-check-
For details, see "log trigger-policy" on page 101. No
name>" default.
set trigger ?
json-protocol-detection Enter enable to scan for matches with attack and data leak disable
{enable | disable} signatures in JSON data submitted by clients in HTTP
requests with Content-Type: values
application/json or text/json.
malformed-json-check
{enable | disable} Enter enable to scan for illegal formatting in JSON data. disable
malformed-json-check- Specify the action that FortiWeb takes when it detects a No

action {alert | alert_ request that contains malformed JSON content: default.
message, or both.
l alert_deny—Block the request and generate an alert email, a
l block-period—Block the JSON traffic for a number of
seconds. Also configure malformed-json-block-period

config 524
Enter the length of time (in seconds) that FortiWeb blocks

malformed-json-block- traffic that contains malformed JSON content, in seconds. 60
malformed-json-check- Select the severity level to use in logs and reports that High
severity {High | Medium | FortiWeb generates when it detects malformed JSON
Low}
content.
Enter the name of the trigger to apply when FortiWeb detects

malformed JSON content. The maximum length is 63
malformed-json-check-
characters. No
name>" default.
set trigger ?
custom-access-policy Enter the name of a custom access policy. The maximum No

"<combo-access_name>" length is 63 characters. For details, see "waf custom-access default.

set custom-access-policy ?
Enter the name of a padding oracle protection rule. The

maximum length is 63 characters. For details, see "waf
padding-oracle "<rule_ padding-oracle" on page 453. No
name>" default.
set padding-oracle ?
csrf-protection "<rule_ Select the name of cross-site request forgery protection rule, if No
name>" any, to apply to matching requests. For details, see "waf csrf- default.
Available only when http-session-management

Enter the name of a cookie security policy. For details, see

"waf cookie-security" on page 347.
cookie-security-policy
"<cookie-security_name>" To display the list of existing policies, enter:
set cookie-security-policy ?
parameter-validation-rule Enter the name of a parameter validation rule. The maximum No

"<rule_name>" length is 63 characters. For details, see "waf parameter- default.

config 525
validation-rule" on page 461.

set parameter-validation-rule ?
Enter the name of a hidden field rule group that you want to
apply, if any. The maximum length is 63 characters. For
hidden-fields-protection details, see "waf hidden-fields-protection" on page 398. No
"<group_name>" default.
set hidden-fields-protection ?
file-upload-policy Enter the name of a file upload security policy to use, if any. No
"<policy_name>" The maximum length is 63 characters. For details, see default.
"server-policy custom-application application-policy" on page
110.

set file-upload-policy ?
Enter the name of an HTTP protocol constraint that you want

to apply, if any. The maximum length is 63 characters. For
http-protocol-parameter- details, see "waf http-protocol-parameter-restriction" on page
No
restriction "<constraint_ 418.
name>" default.
set http-protocol-parameter-restriction ?
brute-force-login Enter the name of a brute force login attack sensor. The No
"<sensor_name>" maximum length is 63 characters. For details, see "waf brute- default.
force-login" on page 344.
To display the list of existing sensors, enter:

set brute-force-login ?
Enter the name of a URL access policy. The maximum length

is 63 characters. For details, see "waf url-access url-access-
url-access-policy policy" on page 489. No
set url-access-policy ?
page-access-rule "<rule_ Enter the name of a page order rule. The maximum length is No
name>" 63 characters. For details, see "waf page-access-rule" on default.
page 457.
To display the list of existing rule, enter:

config 526
set page-access-rule ?
Enter the name of a start page rule. The maximum length is

63 characters. For details, see "waf start-pages" on page 485.

No
start-pages "<rule_name>" set start-pages ? default.
enabled.
allow-method-policy Enter the name of an allowed method policy. The maximum No

"<policy_name>" length is 63 characters. For details, see "server-policy custom- default.
application application-policy" on page 110.

set allow-method-policy ?
Enter the name of a trusted IP or blacklisted IP policy. The

maximum length is 63 characters. For details, see "server-
ip-list-policy "<policy_ policy custom-application application-policy" on page 110. No
name>" default.
set ip-list-policy ?
geo-block-list-policy Enter the name of a geographically-based client IP black list No

"<policy_name>" that you want to apply, if any. The maximum length is 63 default.
characters. For details, see "waf geo-block-list" on page 395.

set geo-block-list-policy ?
Enter the name of an existing DoS protection policy to use

with this profile, if any. The maximum length is 63 characters.
application-layer-dos- For details, see "waf application-layer-dos-prevention" on
No
prevention "<policy_ page 341.
name>" default.
set application-layer-dos-prevention ?
ip-intelligence {enable | Enable to apply intelligence about the reputation of the disable
disable} client’s source IP. Blocking and logging behavior is configured
in "waf ip-intelligence" on page 429.
fortigate-quarantined-ips Enable to detect source IP addresses that a FortiGate unit is

disable
{enable | disable} currently preventing from interacting with the network and

config 527
protected systems.
To configure communication between the FortiGate and

FortiWeb, see "system fortigate-integration" on page 255.
quarantined-ip-action Specify the action that FortiWeb takes if it detects a alert

{alert | alert_deny} quarantined IP address:
l alert—Accept the request and generate an alert email, log

message, or both.
l alert_deny—Block the request and generate an alert, log
message, or both.
quarantined-ip-severity Specify the severity that FortiWeb assigns to quarantined IP

High
{High | Medium | Low} log messages.
quarantined-ip-trigger Enter the name of the trigger to apply when FortiWeb detects No
"<trigger-policy_name>" a quarantined IP. For deails, see "log trigger-policy" on page default.
101.

set trigger ?
Enable to allow or block predefined search engines, robots,

spiders, and web crawlers according to your settings in the
global list.
Enable to exempt popular search engines’ robots, spiders,

and web crawlers from DoS sensors, brute force login
sensors, HTTP protocol constraints, and combination rate &
access control (called “advanced protection” and “custom
policies” in the web UI).
This option improves access for search engines. Rapid access

rates, unusual HTTP usage, and other characteristics that
known-search-engine may be suspicious for web browsers are often normal with
disable
{enable | disable} search engines. If you block them, your websites’ rankings
and visibility may be affected.
By default, this option allows all popular predefined search

engines. Known search engine indexer source IPs are
updated via FortiGuard Security Service. To specify which
search engines will be exempt, enable or disable each search
engine in "server-policy pattern custom-global-white-list-
group" on page 128.
Note: X-header-derived client source IPs do not support this

feature in this release. If FortiWeb is deployed behind a load
balancer or other web proxy that applies source NAT, this

config 528
feature will not work. For details, see "waf x-forwarded-for" on

page 542.
url-rewrite-policy Enter the name of a URL rewriting rule set, if any, that will be No
"<group_name>" applied to matching HTTP requests. The maximum length is default.
63 characters.

set url-rewrite-policy ?
For details, see "waf url-access url-access-policy" on page

489.
Enter the name of an HTTP authentication policy, if any, that

will be applied to matching HTTP requests. The maximum
length is 63 characters. For details, see "waf http-authen http-
authen-policy" on page 403.
http-authen-policy No
"<policy_name>" To display the list of existing profiles, enter: default.
set http-authen-policy ?
If the HTTP client fails to authenticate, it will receive an HTTP

403 (Access Forbidden) error message.
http-header-security Enter the name of an HTTP Header Security Policy, if any. No

"<policy_name>" For details, see "waf http-header-security" on page 415. default.

set http-header-security ?
Enter the name of a site publishing policy, if any, that will be

applied to matching HTTP requests. The maximum length is
63 characters. For details, see "waf site-publish-helper policy"
on page 473.
site-publisher-helper No
"<policy_name>" To display the list of existing profiles, enter: default.
set site-publisher-policy ?
If the HTTP client fails to authenticate, it will receive an HTTP

403 (Access Forbidden) error message.
file-compress-rule Enter the name of an existing file compression rule to use No

"<rule_name>" with this profile, if any. The maximum length is 63 characters. default.
For details, see "waf file-compress-rule" on page 380.

set file-compress-rule ?

config 529
Enter the name of an existing file uncompression rule to use

with this profile, if any. The maximum length is 63 characters.
file-uncompress-rule For details, see "waf file-uncompress-rule" on page 382. No
set file-uncompress-rule ?
web-cache-policy "<web- Enter the name of content caching policy. The maximum No
cache-policy_name>" length is 63 characters. For details, see "waf web-cache- default.

set web-cache-policy ?
Enter the name of a user tracking policy. The maximum

length is 63 characters. For details, see "waf user-tracking
user-tracking-policy
policy" on page 504. No
"<user-tracking-policy_
name>" default.
set user-tracking-policy ?
redirect-url "<redirect_ Enter a URL, including the FQDN/IP and path, if any, to which No
fqdn>" an HTTP client will be redirected if their HTTP request default.
violates any of the rules in this profile.
For example, you could enter

www.example.com/products/.
If you do not enter a URL, depending on the type of violation

and the configuration, the FortiWeb appliance will log the
violation, may attempt to remove the offending parts, and
could either reset the connection or return an HTTP 403
(Access Forbidden) or 404 (File Not Found) error message.
Enable to include the reason for URL redirection as a

parameter in the URL, such as reason=DETECT_PARAM_
RULE_FAILED, when traffic has been redirected using
redirect-url "<redirect_fqdn>" (page 529).
rdt-reason {enable | The FortiWeb appliance also adds fortiwaf=1 to the URL No
disable} to detect and cancel a redirect loop when the redirect action default.
recursively triggers an attack event.
Caution: If you specify a redirect URL that is protected by the

FortiWeb appliance, you should enable this option to prevent
infinite redirect loops.

config 530
data-analysis {enable | Enable this to collect data for servers covered by this profile. disable
disable} To view the statistics for collected data, in the web UI, go to
Log&Report > Monitor > Data Analytics.
Enter a description or other comment. If the comment

contains more than one word or contains an apostrophe, No
comment "<comment_str>"
surround the comment in double quotes ( " ). The maximum default.
device-tracking {enable Enter to enable Device Tracking. When this feature is disable
| disable} enabled, if a device triggers a security violation, FortiWeb
generates a unique device ID according to a set of the
device's characteristics, including the time zone, source IP,
operating system, browser, language, CPU, color depth, and
screen size. For details, see "system device-tracking" on page
241.
Enter the name of a device reputation security policy, if any.

The maximum length is 63 characters. For details, see
device-reputation-
"system device-tracking" on page 241. No
security-policy "<drs_
set device-reputation-security-policy ?
xml-validation-policy Enter the name of an XML protection policy, if any. The No

"<xml_policy_name>" maximum length is 63 characters. For details, see "waf xml- default.
validation" on page 546.

set xml-validation-policy ?
profile-id "<profile-id_ No
str>" Enter the inline profile ID.
default.
mitb-protection "<mitb- Enter the MiTB protection policy name. No

protection_name>" default.
openapi-validation-policy
No
"<openapi-validation- Enter the openapi validation policy name.
websocket-security-policy Enter the websocket security policy name. No

"<websocket-security- default.
policy_name>"

config 531
Related topics
l "server-policy pattern custom-global-white-list-group" on page 128
l "waf start-pages" on page 485
l "waf padding-oracle" on page 453
l "waf page-access-rule" on page 457
l "waf url-access url-access-policy" on page 489
l "waf http-authen http-authen-policy" on page 403
l "waf web-cache-exception" on page 511
l "waf web-cache-policy" on page 513
waf web-protection-profile offline-protection
Use this command to configure Offline Protection profiles.
Detection profiles are useful when you want to preview the effects of some web protection features without affecting
traffic, or without affecting your network topology.
Unlike protection profiles, a detection profile is designed for use in Offline Protection mode. Detection profiles cannot be
guaranteed to block attacks. They attempt to reset the connection, but due to variable speeds of different routing paths,
the reset request may arrive after the attack has been completed. Their primary purpose is to detect attacks, especially
for use in conjunction with auto-learning profiles. In fact, if used in conjunction with auto-learning profiles, you should
configure the detection profile to log only and not block attacks in order to gather complete session statistics for the
auto-learning feature. As a result, detection profiles can only be selected in policies whose deployment-mode is
offline-detection, and those policies will only be used by the FortiWeb appliance when its operation mode is
offline-detection.
Unlike inline protection profiles, Offline Protection profiles do not support HTTP conversion, cookie poisoning detection,
start page rules, and page access rules.

config 532
To apply detection profiles, select them within a server policy. For details, see "server-policy policy" on page 146.
Before configuring an Offline Protection profile, first configure any of the following that you want to include in the profile:
l File security policy (see "server-policy custom-application application-policy" on page 110)

l Server protection rule (see "waf signature" on page 462)
l List of manually trusted and black-listed IPs, FortiGuard IRIS category-based blacklisted IPs, and/or a geographically-
based IP blacklist (see "waf ip-intelligence" on page 429, "server-policy custom-application application-policy" on page 110
and "waf geo-block-list" on page 395)
l Parameter validation rule (see "waf parameter-validation-rule" on page 461)
l URL access policy (see "waf url-access url-access-policy" on page 489
l Allowed method exception (see "waf allow-method-exceptions" on page 337)
l Hidden field rule group (see "waf hidden-fields-protection" on page 398)
l Parameter restriction constraint (see "waf http-protocol-parameter-restriction" on page 418)
l Brute force login attack sensor (see "waf brute-force-login" on page 344)
l Decompression rule (see "waf file-uncompress-rule" on page 382)
l Policy that protects vulnerable block cipher implementations for web applications that selectively encrypt inputs without
using HTTPS ("waf padding-oracle" on page 453)
l User tracking policy (see "waf user-tracking policy" on page 504)
Syntax
config waf web-protection-profile offline-protection
edit "<offline-protection-profile_name>"
set http-session-management {enable | disable}
set http-session-timeout <seconds_int>
set x-forwarded-for-rule "<x-forwarded-for_name>"
set http-session-keyword "<key_str>"
set signature-rule {"High Level Security" | "Medium Level Security" | "Alert
Only" | "<signature-set_name>"}
set amf3-protocol-detection {enable | disable}
set xml-protocol-detection {enable | disable}
set malformed-xml-check {enable | disable}
set malformed-xml-check-action {alert | alert_deny | block-period}
set malformed-xml-block-period <block-period_int>
set malformed-xml-check-severity {High | Low | Medium}
set malformed-xml-check-trigger "<trigger-policy_name>"
set json-protocol-detection {enable | disable}
set malformed-json-check {enable | disable}
set malformed-json-check-action {alert | alert_deny | block-period}
set malformed-json-block-period <block-period_int>
set malformed-json-check-severity {High | Medium | Low}
set malformed-json-check-trigger "<trigger-policy_name>"
set custom-access-policy "<combo-access_name>"
set padding-oracle "<rule_name>"
set parameter-validation-rule "<rule_name>"
set hidden-fields-protection "<group_name>"
set file-upload-policy "<policy_name>"
set http-protocol-parameter-restriction "<constraint_name>"
set url-access-policy "<policy_name>"

config 533
set allow-method-policy "<policy_name>"

set brute-force-login "<sensor_name>"
set ip-list-policy "<policy_name>"
set geo-block-list-policy "<policy_name>"
set ip-intelligence {enable | disable}
set known-search-engine {enable | disable}
set file-uncompress-rule "<rule_name>"
set csrf-protection "<rule_name>"
set user-tracking-policy "<user-tracking-policy_name>"
set data-analysis {enable | disable}
set openapi-validation-policy "<openapi-validation-policy_name>"
next
end
"<offline-protection- Enter the name of the Offline Protection profile. The No

profile_name>" maximum length is 63 characters. default.

edit ?
Enable to track the states of HTTP sessions. Also configure

http-session-timeout <seconds_int> (page 534).
Although HTTP has no inherent support for sessions, a notion

of individual HTTP client sessions, rather than simply the
source IP address and/or timestamp, is required by some
features.
For example, you might want to require that a client’s first

HTTP request always be a login page: the rest of the web
pages should be inaccessible if they have not authenticated.
Out-of-order requests could represent an attempt to bypass
the web application’s native authentication mechanism. How
can FortiWeb know if a request is the client’s first HTTP
http-session-management request? If FortiWeb were to treat each request disable
{enable | disable}
independently, without knowledge of anything previous, it
could not, by definition, enforce page order. Therefore
FortiWeb must keep some record of the first request from that
client (the session initiation). It also must record their previous
HTTP request(s), until a span of time (the session timeout)
has elapsed during which there were no more subsequent
requests, after which it would require that the session be
initiated again.
The session management feature provides such FortiWeb

session support.
Note: This feature requires that the client support cookies.

Note: You must enable this option if you want to

config 534
include this profile’s traffic in the traffic log, in addition to

enabling traffic logs in general. For details, see "log attack-
log" on page 68.
http-session-timeout Enter the HTTP session timeout in seconds. The valid range 1200
<seconds_int> is 20–3,600.

enabled.
Specify the name of a rule that configures FortiWeb’s use of

X-Forwarded-For: and X-Real-IP. For details, see "waf x-
x-forwarded-for-rule "<x- forwarded-for" on page 542. No
forwarded-for_name>" default.
To display a list of existing rules, enter:
set forwarded-for-rule ?
http-session-keyword If you want to use an HTTP header other than Session- No

"<key_str>" Id: to track separate HTTP sessions, enter the key portion of default.
the HTTP header that you want to use, such as Session-
Num.
Specify a signature policy to include in the profile. The

maximum length is 63 characters. For details, see "waf
signature-rule {"High
Level Security" | "Medium To display the list of existing rules, enter: No
Level Security" | "Alert
Only" | "<signature-set_ set server-protection-rule ? default.
name>"}
The type of attack that FortiWeb detects determines the
attack log messages for this feature. For a list, see "waf
amf3-protocol-detection Enable to scan requests that use the action message format disable
{enable | disable} 3.0 (AMF3) for these attacks if you have enabled those in the
set of signatures specified by signature-rule {"High
Level Security" | "Medium Level
Security" | "Alert Only" | "<signature-
set_name>"} (page 534):
l Cross-site scripting (XSS) attacks

l SQL injection attacks
l Common exploits
AMF3 is a binary format that can be used by Adobe Flash
clients to send input to server-side software.

config 535
Caution: To scan for attacks or enforce input rules on AMF3,

you must enable this option. Failure to enable the option
makes the FortiWeb appliance unable to scan AMF3 requests
for attacks.
Enable to scan for matches with attack and data leak

xml-protocol-detection
{enable | disable} signatures in Web 2.0 (XML AJAX) and other XML submitted disable
by clients in the bodies of HTTP POST requests.
malformed-xml-check Enable to validate that XML elements and attributes in the disable
{enable | disable} request’s body conforms to the W3C XML 1.1
(http://www.w3.org/TR/xml11) and/or XML 2.0
(http://www.w3.org/TR/xml-c14n2) standards. Malformed
XML, such as without the final > or with multiple >> in the
closing tag, is often an attempt to exploit an unhandled error
condition in a web application’s XHTML or XML parser.
Attack log messages contain Illegal XML Format when

this feature detects malformed XML.
This feature is applicable only when xml-protocol-

detection {enable | disable} (page 535) is
enable.
Specify the action that FortiWeb takes when it detects a

request that contains malformed XML:

malformed-xml-check- message, or both.
action {alert | alert_ l alert_deny—Block the request and generate an alert email, a alert
l block-period—Block the XML traffic for a number of
seconds. Also configure malformed-xml-block-period
malformed-xml-block- Enter the length of time (in seconds) that FortiWeb blocks 60
period <block-period_int> XML traffic that contains malformed XML, in seconds.
malformed-xml-check-
Select the severity level to use in logs and reports generated
severity {High | Low | High
Medium} when illegal XML formats are detected.
malformed-xml-check- Enter the name of the trigger to apply when illegal XML No
trigger "<trigger-policy_ formats are detected. The maximum length is 63 characters. default.
name>"
For details, see "log trigger-policy" on page 101.

config 536
set trigger ?
Enable to scan for matches with attack and data leak

json-protocol-detection signatures in JSON data submitted by clients in HTTP
disable
{enable | disable} requests with Content-Type: values
application/json or text/json.
malformed-json-check Enter enable to scan for illegal formatting in JSON data. disable

{enable | disable}
Specify the action that FortiWeb takes when it detects a

request that contains malformed JSON content:

malformed-json-check- message, or both.
No
action {alert | alert_ alert_deny—Block the request and generate an alert email, a
l
default.
l block-period—Block the JSON traffic for a number of
seconds. Also configure malformed-json-block-period
malformed-json-block- Enter the length of time (in seconds) that FortiWeb blocks 60
period <block-period_int> traffic that contains malformed JSON content.
malformed-json-check- Select the severity level to use in logs and reports that
severity {High | Medium | FortiWeb generates when it detects malformed JSON High
Low} content.
malformed-json-check- Enter the name of the trigger to apply when FortiWeb detects No
trigger "<trigger-policy_ malformed JSON content. The maximum length is 63 default.
name>"
characters.

set trigger ?
Enter the name of a custom access policy. The maximum

length is 63 characters. For details, see "waf custom-access
custom-access-policy policy" on page 355. No
"<combo-access_name>" default.
set custom-access-policy ?
padding-oracle "<rule_ Enter the name of a padding oracle protection rule. The No
name>" maximum length is 63 characters. For details, see "waf default.
padding-oracle" on page 453.

config 537

set padding-oracle ?
Enter the name of a parameter validation rule. The maximum

length is 63 characters. For details, see "waf parameter-
parameter-validation-rule validation-rule" on page 461. No
set parameter-validation-rule ?
hidden-fields-protection Enter the name of a hidden field rule group that you want to No
"<group_name>" apply, if any. The maximum length is 63 characters. For default.
details, see "waf hidden-fields-protection" on page 398.

set hidden-fields-protection ?
Enter the name of a file security policy. The maximum length

is 63 characters. For details, see "server-policy custom-
file-upload-policy application application-policy" on page 110. No
set file-upload-policy ?
http-protocol-parameter- Enter the name of an HTTP protocol constraint that you want No
restriction "<constraint_ to apply, if any. The maximum length is 63 characters. For default.
name>"
details, see "waf http-protocol-parameter-restriction" on page
418.
To display the list of existing constraints, enter:

set http-protocol-parameter-restriction ?
Enter the name of a URL access policy. The maximum length

is 63 characters. For details, see "waf url-access url-access-
url-access-policy policy" on page 489. No
set url-access-policy ?
allow-method-policy Enter the name of an allowed method policy. The maximum No

"<policy_name>" length is 63 characters. For details, see "server-policy custom- default.
application application-policy" on page 110.

set allow-method-policy ?

config 538
Enter the name of a brute force login attack sensor. The

maximum length is 63 characters. For details, see "waf brute-
brute-force-login force-login" on page 344. No
"<sensor_name>" default.
To display the list of existing sensors, enter:
edit ?
ip-list-policy "<policy_ Enter the name of a trusted IP or blacklisted IP policy. The No

name>" maximum length is 63 characters. For details, see "server- default.
policy custom-application application-policy" on page 110.

set ip-list-policy ?
Enter the name of a geographically-based client IP black list

that you want to apply, if any. The maximum length is 63
geo-block-list-policy characters. For details, see "waf geo-block-list" on page 395. No
set geo-block-list-policy ?
ip-intelligence {enable | Enable to apply intelligence about the reputation of the disable
disable} client’s source IP. Blocking and logging behavior is configured
in "waf ip-intelligence" on page 429.
Enable to allow or block predefined search engines, robots,

known-search-engine
{enable | disable} spiders, and web crawlers according to your settings in the disable
global list.
file-uncompress-rule Enter the name of an existing file decompression rule to use No

"<rule_name>" with this profile, if any. The maximum length is 63 characters. default.
For details, see "waf file-uncompress-rule" on page 382.

set file-uncompress-rule ?
Select the name of cross-site request forgery protection rule,

if any, to apply to matching requests. See "waf csrf-
csrf-protection "<rule_ To display the list of existing rules, enter:
name>"
set csrf-protection ?
Available only when http-session-management

user-tracking-policy Enter the name of a user tracking policy. The maximum No

config 539
"<user-tracking-policy_ length is 63 characters. For details, see "waf user-tracking default.

name>" policy" on page 504.

set user-tracking-policy ?
Enable this to collect data for servers covered by this profile.

data-analysis {enable |
disable} To view the statistics for collected data, in the web UI, go to disable
Log&Report > Monitor > Data Analytics.
comment "<comment_str>" Enter a description or other comment. If the comment No

contains more than one word or contains an apostrophe, default.
surround the comment in double quotes ( " ). The maximum
openapi-validation-
policy "<openapi- No
Enter the openapi validation policy name.
validation-policy_ default.
name>"
Related topics
l "waf padding-oracle" on page 453
waf websocket-security rule
Use this command to configure WebSocket rule related settings.

config 540
Syntax
config waf websocket-security rule
edit websocket-security_rule_name
set host <host_str>
set url <url_str>
set block-websocket-traffic {enable | disable}
set action {alert | deny_no_log | alert_deny}
set max-frame-size <max-frame-size_int>
set max-message-size <max-message-size_int>
set block-extensions {enable | disable}
set enable-attack-signatures {enable | disable}
set allow-plain-text {enable | disable}
set allow-binary-text {enable | disable}
config allowed-origin-list
edit allowed-origin-list <allowed-origin-list_id>
set origin <origin_str>
end
websocket-security_rule_ Enter the WebSocket security rule name. No default.

name
host-status {enable Enable to compare the WebSocket security rule to the Host:
| disable} No default.
field in the HTTP header.
host <host_str> Select the IP address or fully qualified domain name (FQDN) of No default.
the protected host to which this rule applies.
This option is available only if Host Status is enabled.
Select whether the URL Pattern field will contain a literal URL
url-type {plain
| regular} (Simple String), or a regular expression designed to match Plain
multiple URLs (Regular Expression).
url <url_str> The URL which hosts the web page containing the user input No default.
fields you want to protect.
Enable to deny the WebSocket traffic, and FortiWeb will not

block-websocket-traffic
{enable | disable} check any WebSocket related traffic. This option is disabled by Disable
default.
action {alert | deny_no_ Select which action the FortiWeb appliance will take when it Alert
log | alert_deny} detects a violation.
Alert—Accept the connection and generate an alert email and/or
log message.
Alert & Deny—Block the request (or reset the connection) and
generate an alert and/or log message.
Deny (no log)—Block the request (or reset the connection).

config 541
max-frame-size <max- Specifies the maximum acceptable frame header and body size
64
frame-size_int> in bytes. The valid range is 0–2147483647 bytes.
max-message-size <max- Specifies the maximum acceptable message header and body 1024
message-size_int> size in bytes. The valid range is 0–2147483647 bytes.
block-extensions {enable Enable to not check the extension header in WebSocket

Disable
| disable} handshake packet. By default, this option is disabled.
enable-attack-signatures Enable to detect attack in WebSocket message body. But if Disable

{enable | disable} WebSocket traffic has extension header and allow extension
header in WebSocket security rule, FortiWeb can not detect
attack signatures. When attack signature is detected, the actions
FortiWeb will take follow those of related signatures.
allow-plain-text {enable
| disable} Enable to allow detecting the plain text. Enable
allow-binary-text {enable Enable to allow detecting the binary text. Enable

| disable}
allowed-origin-list
<allowed-origin-list_id> Enter the origin list ID in WebSocket handshake packet. No default.
origin <origin_str>
Related topics
l "waf http-constraints-exceptions" on page 410
waf websocket-security policy
Use this command to create WebSocket policy.
Syntax
config waf websocket-security policy
edit "<"<policy_name>"
config rule-list
edit rule-list_id
set rule "<rule_name>"
end

config 542
"<policy_name>" Enter the WebSocket Security policy name. No default.
rule-list_id Enter the sequence number of the rule in the rule list.
rule "<rule_name>" Select the created WebSocket security rule name. No default.
Related topics
l waf websocket-security rule
waf x-forwarded-for
Use this command to configure FortiWeb’s use of X-Forwarded-For: and X-Real-IP:.
For behavior of this feature and requirements, see the FortiWeb Administration Guide:
Syntax
config waf x-forwarded-for
edit "<x-forwarded-for_name>"
set block-based-on-original-ip {enable | disable}
set ip-location {left | right}
set original-ip-header "<http-header-key_str>"
set tracing-original-ip {enable | disable}
set x-forwarded-proto {enable | disable}
set x-forwarded-for-support {enable | disable}
set x-real-ip {enable | disable}
config ip-list
edit <entry_index>
set ip "<load-balancer_ip>"
next
end
next
end
"<x-forwarded-for_name>" Enter the name of the new or existing group. The maximum No

edit ?

config 543
Enable to be able to block requests that violate your policies

by using the original client’s IP derived from this HTTP X-
block-based-on-original- header. disable
ip {enable | disable}
When disabled, only attack logs and reports will use the
original client’s IP.
ip-location {left | Select whether to extract the original client’s IP from either left
right} the left or right end of the HTTP X-header line.
Most proxies put the request’s origin at the left end, which is
the default setting. Some proxies, however, place it on the
right end.
Enter the key of the X-header, such as X-Forwarded-For

X-Real-IP, without the colon ( : ), that contains the
original source IP address of the client. Also configure
original-ip-header tracing-original-ip {enable | disable} (page No
"<http-header-key_str>" default.
543) and, for security reasons, ip "<load-balancer_
ip>" (page 545).
tracing-original-ip If FortiWeb is deployed behind a device that applies NAT, disable

{enable | disable} enable this option to derive the original client’s source IP
address from an HTTP X-header, instead of the SRC field in
the IP layer. Also configure original-ip-header
"<http-header-key_str>" (page 543) and, for security
reasons, ip "<load-balancer_ip>" (page 545).
This HTTP header is often X-Forwarded-For: when

traveling through a web proxy, but can vary. For example, the
Akamai service uses True-Client-IP:.
For deployment guidelines and mechanism details, see the

Caution: To combat forgery, configure the IP addresses of
load balancers and proxies that are trusted providers of this
header. Also configure those proxies/load balancers to reject
fraudulent headers, rather than passing them to FortiWeb.
Enable to add an X-Forwarded-Proto: header that

x-forwarded-proto indicates the protocol used in the client’s original request. disable
{enable | disable}
Requires Reverse Proxy or True Transparent Proxy mode.
x-forwarded-for-support Enable to include the X-Forwarded-For: HTTP header on disable

{enable | disable}

config 544
requests forwarded to your web servers. Behavior varies by

the header already provided by the HTTP client or web proxy,
if any:
l Header absent—Add the header, using the source IP address of

the connection.
l Header present—Verify that the source IP address of the
connection is present in this header’s list of IP addresses. If it is
not, append it.
This option can be useful for web servers that log or analyze
clients’ IP addresses, and support the X-Forwarded-For:
header. When this option is disabled, from the web server’s
perspective, all connections appear to be coming from the
FortiWeb appliance, which performs network address
translation (NAT). But when enabled, the web server can
instead analyze this header to determine the source and path
of the original client connection.
This option applies only when FortiWeb is operating in

Reverse Proxy mode or True Transparent Proxy.
Enable to include the X-Real-IP: HTTP header on

requests forwarded to your web servers. Behavior varies by
the header already provided by the HTTP client or web proxy,
if any. For details, see x-forwarded-for-support
{enable | disable} (page 543)).
x-real-ip {enable |
disable
disable} Like X-Forwarded-For:, this header is also used by some
proxies and web servers to trace the path, log, or analyze
based upon the packet’s original source IP address.
This option applies only when FortiWeb is operating in

Reverse Proxy or True Transparent Proxy mode.
x-forwarded-proto Enable to add an HTTP header that indicates the service used disable
{enable | disable} in the client’s original request.
Usually if your FortiWeb is receiving HTTPS requests from

clients, and it is operating in Reverse Proxy mode, SSL/TLS is
being offloaded. FortiWeb has terminated the SSL/TLS
connection and the second segment of the request, where it
forwards to the back-end servers, is clear text HTTP. In some
cases, your back-end server may need to know that the
original request was, in fact, encrypted HTTPS, not HTTP.

No
<entry_index> The valid range is 1–9,223,372,036,854,775,807.
default.
Each list can contain a maximum of 256 IP addresses.

config 545
ip "<load-balancer_ip>" Type the IP address of a load balancer or proxy that is in front No

of the FortiWeb appliance (between the client and FortiWeb). default.
To apply anti-spoofing measures and improve security,

FortiWeb trusts the contents of the HTTP header that you
specify in original-ip-header "<http-header-
key_str>" (page 543) only if the packet arrived from one
of the IP addresses you specify here. It regards original-
ip-header "<http-header-key_str>" (page 543)
from other IP addresses as potentially spoofed.
For packets from other IP addresses, FortiWeb ignores the

X-Forwarded-For: header and uses the source IP
address in the IP header as the client source address. This IP
address is displayed in the attack log message.
Example
The following example defines a X-Forwarded-For rule that adds X-Forwarded-For:, X-Real-IP:, and X-
Forwarded-Proto: headers to traffic that FortiWeb forwards to a back-end server. It enables FortiWeb to use the
HTTP X-Header to identify and block the original client's IP. To protect against XFF spoofing, it also specifies the
trusted load-balancer 192.0.2.105 in the X-Forwarded-For IP list.
config waf x-forwarded-for
edit "load-balancer1"
set x-forwarded-for-support enable
set tracing-original-ip enable
set original-ip-header X-FORWARDED-FOR
set x-real-ip enable
set x-forwarded-proto enable
config ip-list
edit 1
set ip "192.0.2.105"
next
end
set block-based-on-original-ip enable
next
end
waf xml-schema
Use this command to view XML schema files that have already been uploaded to FortiWeb. You can upload
XML schema files only in the web UI.
XML schema files specify the acceptable structure of an elements in an XML document. When you use XML schema
files to check XML content in HTTP requests, FortiWeb can determine whether content is allowed and validate that
content is well-formed.

config 546
XML schema files are included in XML protection rules. XML protection rules define acceptable parameters for XML
content in HTTP requests. Groups of XML protection rules are grouped into XML protection policies. For details, see
"waf xml-validation" on page 546.
Syntax
config waf xml-schema file
edit "<xml_schema_file_name>"
end
"<xml_schema_file_name>" To display a list of existing XML schema files, enter: No default.

edit ?
Related topics
l "waf xml-validation" on page 546
waf xml-validation
Use this command to create XML protection rules and configure XML protection policies. You can create up to 256 rules
per policy.
XML is commonly used for data exchange, and hackers sometimes try to exploit security holes in XML to attack web
servers. Using this command, you can configure FortiWeb to examine lcient requests for anomalies in XML. Configuring
XML protection can help ensure that the content of HTTP requests containing XML does not contain any potential
attacks.
XML protection is available in Reverse Proxy, Offline Protection, True Transparent Proxy, Transparent Inspections, and
WCCP operating modes.
Syntax
config waf xml-validation rule
edit "<xml_rule_name>"
set action {alert | alert_deny | block-period | redirect | send_403_forbidden |
deny_no_log}
set block-period <period_int>
set expansion-entity-check {enable | disable}
set external-entity-check {enable | disable}
set host "<host_name_str>"
set request-file "<file_str>"
set schema-file "<schema_file_name>"
set severity {High Low | Medium | Info}

config 547
set trigger "<trigger_policy_name>"

set xml-entity-check {enable | disable}
set xml-limit-attr-num <limit_int>
set xml-limit-attrname-len <limit_int>
set xml-limit-attrvalue-len <limit_int>
set xml-limit-cdata-len <limit_int>
set xml-limit-check {enable | disable}
set xml-limit-element-depth <limit_int>
set xml-limit-element-name-len <limit_int>
set data-format {xml | soap}
set wsdl-file <wsdl-file_name>
set validate-soapaction {enable | disable}
set validate-soap-headers {enable | disable}
set allow-additional-soap-headers {enable | disable}
set validate-soap-body {enable | disable}
next
end
config waf xml-validation policy
edit "<xml_policy_name>"
edit <entry_index>
set "<xml_rule_1>"
next
end
next
end
"<xml_rule_name>" Enter a name that can be referenced by other parts of the No

configuration. You will use the name to select the rule in an default.
XML protection policy. The maximum length is 63
characters.
Select one of the following actions that FortiWeb performs

when a request violates the rule:

and/or log message.

connection) and generate an alert email and/or log
message.
deny | block-period
alert
| redirect | send_403_ You can customize the web page that FortiWeb returns to

client for a number of seconds. Also configure waf xml-
validation (page 546).

config 548
specify in the protection profile and generate an alert

email and/or log message. Also configure redirect-
url "<redirect_fqdn>" (page 529) and rdt-
reason {enable | disable} (page 529).


message.
Caution:FortiWeb ignores this setting when monitor-

mode {enable | disable} (page 157) is enabled.

and configured. For details, see "log disk" on page 73 and
"log alertMail" on page 67.
Note: If you select an auto-learning profile with this rule,

you should select alert. If the action is alert_deny,
for example, the FortiWeb appliance will block the request
or reset the connection when it detects an attack, resulting
in incomplete session information for the auto-learning
feature. For details about auto-learning requirements, see
"waf web-protection-profile autolearning-profile" on page
516.
block-period <period_int> Enter the amount of time (in seconds) that you want to 60
block subsequent requests from a client after FortiWeb
detects a rule violation. This setting is available only when
waf xml-validation (page 546) is block-period.
Enable to trigger the waf xml-validation (page 546)

if an HTTP request contains an XML recursive entity
expansion-entity-check expansion. disable
{enable | disable}
To enable this option, you must first enable waf xml-
external-entity-check Enable to trigger the waf xml-validation (page 546) disable

{enable | disable} if an HTTP request contains an external entity in XML.
To enable this option, you must first enable waf xml-

Enter the name of a protected host that the Host: field of

No
host "<host_name_str>" an HTTP request must match in order for the rule to apply.
default.
For details, see "server-policy allow-hosts" on page 108.

config 549
host-status {enable | Enable to compare the XML rule to the Host: field in the disable
disable} HTTP header. If enabled, also configure waf xml-
Depending on your selection for waf xml-validation

(page 546), enter either:
l plain—The literal URL, such as /index.php, that

the HTTP request must contain in order to match the
rule. The URL must begin with a slash ( / ).
l regular—A regular expression, such as ^/*.php, No
request-file "<file_str>"
matching the URLs to which the rule should apply. The default.
pattern does not require a slash ( / ), but it must match
URLs that begin with a slash, such as /index.cfm.
waf xml-validation (page 546).
request-type {plain Select whether waf xml-validation (page 546) must No

| regular} contain either: default.
l Simple String—The field is a string that the request

URL must match exactly.
l Regular Expression—The field is a regular expression
that defines a set of matching URLs.
Select an XML schema file.
To display a list of existing XML schema files, enter:

schema-file "<schema_ set schema-file ? No
file_name>" default.
Note, if you select an XML schema file that references
other XML schema files, the other XML schema files must
also be uploaded to FortiWeb.
severity {High Low | When rule violations are recorded in the attack log, each log Low
Medium | Info} message contains a Severity Level field. Select which
severity level FortiWeb will use when it logs a violation of
the rule:
l Low
l Medium
l High
l Info
trigger "<trigger_policy_ Enter the name of the trigger, if any, to apply when the rule No
name>" is violated. The maximum length is 63 characters. For default.

config 550
details, see "log trigger-policy" on page 101.
To display a list of existing triggers, enter:

set trigger ?
xml-entity-check {enable Enable to configure waf xml-validation (page 546) disable

| disable} and waf xml-validation (page 546).
Enter the maximum number of attributes for each element.

xml-limit-attr-num The valid range is 1–256.
20
<limit_int>
To configure this option, you must first enable waf xml-
xml-limit-attrname-len Enter the maximum attribute name length (in bytes) of each 64
<limit_int> element. The valid range is 1–1,024.

Enter the maximum attribute value length (in bytes) of each

xml-limit-attrvalue-len element. The valid range is 1–2,048.
1,024
<limit_int>
xml-limit-cdata-len Enter the maximum Character Data (CDATA) length (in 4,096
<limit_int> bytes) in XML. The valid range is 1–4,096.

xml-limit-check {enable |
disable} Enable to configure XML limits. disable
xml-limit-element-depth Enter the maximum element depth in XML. The valid range 20
<limit_int> is 1–256.

Enter the maximum element name length (in bytes) in

xml-limit-element-name- XML. The valid range is 1–1,024.
64
len <limit_int>
"<xml_policy_name>" Enter the name of an XML protection policy. You will use No

the name to select the policy in other parts of the default.
configuration. The maximum length is 63 characters.

config 551
Enter the index number of an entry to create or modify a

No
<entry_index> rule for the policy. The valid range is 1–
default.
9,999,999,999,999,999,999.
"<xml_rule_1>" Enter the sequence number of an XML protection rule to No

add to the XML protection policy. The maximum length is default.
63 characters.
data-format {xml
Select the XML protection rule format. No default.
| soap}
wsdl-file <wsdl-file_ This field applies When the Data Format is SOAP. Enter a name No default.
name> for the WSDL file.
validate-soapaction Enable to validate whether the soapAction in SOAP protocol

No default.
{enable | disable} complies with that in WSDL file.
validate-soap-headers Enable to validate whether the header elements in SOAP No default.

{enable | disable} protocol comply with those in WSDL file.
allow-additional-soap-
headers {enable Enable not to validate additional header elements. No default.
| disable}
validate-soap-body Enable to validate whether the body elements in SOAP protocol No default.
{enable | disable} comply with those in WSDL file.
Example
The below example creates an XML protection rule and applies the rule to a new XML protection policy.
config waf xml-validation rule
edit "example_rule_name_1"
set severity Medium
set trigger "example_trigger_policy_name"
set host "example_host_name"
set request-file "/index.php"
set schema-file "example_schema_file_name"
set xml-limit-check enable
set xml-limit-attr-num 64
set xml-limit-attrname-len 256
set xml-limit-attrvalue-len 1024
set xml-limit-cdata-len 2096
set xml-limit-element-depth 128
set xml-limit-element-name-len 128
set xml-entity-check enable
set expansion-entity-check enable

config 552
set external-entity-check enable

next
end
config waf xml-validation policy
edit "example_policy_name"
edit "example_rule_1"
set "example_rule_1"
next
end
next
end
Related topics
l "waf xml-schema" on page 545
l "waf xml-wsdl" on page 552
waf xml-wsdl
Use this command to view XML wsdl files that have already been uploaded to FortiWeb. You can upload XML wsdl files
only in the web UI.
WSDL files are XML files that describe how to use SOAP to invoke web service. To configure FortiWeb to verify legality
of WSDL files and check the SOAP message against WSDL and SOAP protocol, create an XML protection rule and
select a WSDL file for that rule. You can select only one WSDL file for each XML protection rule, but you can configure
FortiWeb to enforce multiple rules in XML protection policies.
Syntax
config waf xml-wsdl file
edit "<xml_wsdl_file_name>"
end
"<xml_wsdl_file_name>" To display a list of existing XML WSDL files, enter: No default.

edit ?
Related topics
l "waf xml-validation" on page 546

config 553
wvs policy
Use this command to define a web vulnerability scan policy. The policy enables you to set the frequency of the
vulnerability scan, schedule the scan, and choose a format for the scan report. The policy also enables you to select an
email policy that determines who receives the scan report.
Before you can complete a web vulnerability scan policy, you must first configure a scan profile using the FortiWeb web
UI and a scan schedule using either the web UI or the command config wvs schedule (page 556).
wvsgrp area. For details, see "Permissions" on page 51.
Syntax
config wvs policy
edit "<wvs-policy_name>"
set type {runonce | schedule}
set schedule "<wvs-schedule_name>"
set profile "<wvs-profile_name>"
set email "<email-policy_name>"
set report_format {html mht pdf rtf text}
set runtime <count_int>
next
end
"<wvs-policy_name>" Enter the name of a new or existing web vulnerability scan No

policy. The maximum length is 63 characters. default.

edit ?
Select either:
l runonce—Run the scan immediately after you complete the

type {runonce | schedule} policy. runonce
l schedule—Run the scan on a schedule. Also configure
analyzer-policy "<fortianalyzer-policy_name>"
(page 102).
schedule "<wvs-schedule_ Enter the name of an existing web vulnerability scan No

name>" schedule. The maximum length is 63 characters. For details, default.
see "wvs schedule" on page 556.
To display the list of existing schedules, enter:

set schedule ?
This setting is applicable only if type {runonce |

schedule} (page 553) is schedule.

config 554
Enter the name of an existing web vulnerability scan profile.

profile "<wvs-profile_ No
name>" To display a list of the existing profiles, enter: default.
set profile ?
email "<email-policy_ Enter the name of an existing email policy. When the scan No
name>" completes, the FortiWeb appliance will send email in the default.
specified format to the email addresses in the policy. The
maximum length is 63 characters. For details, see "log email-
policy" on page 75.
To display the list of existing policy, enter:

set email ?
report_format {html mht Select one or more file formats of the report to attach when
html
pdf rtf text} emailing it.
runtime <count_int> Not configurable. No

default.
To reset the value to zero, enter:
set runtime 0
Example
The following example defines a recurring vulnerability scan with email report output in RTF and text format.
config wvs policy
edit "wvs-policy1"
set type schedule
set schedule "wvs-schedule1"
set report_format rtf text
set profile "wvs-profile1"
set email "EmailPolicy1"
next
end
Related topics
l "wvs profile" on page 554
l "wvs schedule" on page 556
wvs profile
Use this command to display the names of web vulnerability scan profiles.

config 555
This command can only be used to display the names of the profiles. It cannot configure
the profiles. To create a web vulnerability scan profile, you must use the web UI.
A web vulnerability scan (WVS) profile defines the web server to scan, as well as the specific vulnerabilities to scan for.
The WVS profiles are associated with WVS policies, which determine when to perform the scan and how to publish the
results of the scan defined by the profile.
Syntax
config wvs profile
get
show
end
Example
This example displays the names of all configured web vulnerability scan profiles.
config wvs profile
get
Output:
== [ WVS-Profile1 ]
name: WVS-Profile1
== [ WVS-Profile2 ]
name: WVS-Profile2
This example displays the names of all configured web vulnerability scan profiles, using configuration file syntax.
config wvs profile
show
Output:
config wvs profile
edit "WVS-Profile1"
next
edit "WVS-Profile2"
next
end
Related topics
l "wvs policy" on page 553
l "wvs schedule" on page 556

config 556
wvs schedule
Use this command to schedule a web vulnerability scan.
Vulnerability scanning can detect known vulnerabilities on your web servers and web applications, helping you to design
protection profiles. Vulnerability scans start from an initial directory, then scan for vulnerabilities in web pages located in
the same directory or subdirectory as the initial URL.
Syntax
config wvs schedule
edit "<schedule_name>"
set type {recurring | onetime}
set date "<time_str>" "<date_str>"
set time "<time_str>"
set wday {Sunday Monday Tuesday Wednesday Thursday Friday Saturday}
next
end
"<schedule_name>" Enter the name of new or existing WVS schedule. The No

To display the list of existing schedule, enter:

edit ?
Select either:
l onetime—Run the scan only when an administrator manually

initiates it. Also configure date "<time_str>" "<date_
type {recurring | str>" (page 556). onetime
onetime}
l recurring—Run the scan periodically, on a schedule. Also
configure time "<time_str>" (page 557) and wday
{Sunday Monday Tuesday Wednesday Thursday
Friday Saturday} (page 557).
date "<time_str>" "<date_ For a one-time web vulnerability scan, enter the time and No
str>" date for the scan to run. default.

yyyy/mm/dd, where:

l mm is the minute
l yyyy is the year
l mm is the month

config 557
l dd is the day
The yyyy range is 2001–2050.
This only applies if type {recurring | onetime}

(page 556) is onetime.
Enter the time the vulnerability scan is to be performed.
l hh is the hour according to a 24-hour clock No

time "<time_str>"
default.
l mm is the minute
This only applies if type {recurring | onetime}
(page 556) is recurring.
wday {Sunday Monday For a recurring scan only, enter one or more days of the week No
Tuesday Wednesday the scan is to be performed. default.
Thursday Friday Saturday}
This setting only applies if type {recurring |
onetime} (page 556) is recurring.
Example
The following example schedules a recurring vulnerability scan to run every Sunday and Thursday at 1:00 AM.
config wvs schedule
edit "WVS-schedule1"
set type recurring
set time 01:00
set wday Sunday Thursday
next
end
Related topics
l "wvs profile" on page 554
l "wvs policy" on page 553

diagnose 558
diagnose
The diagnose commands display diagnostic information that help you troubleshoot problems. These commands do
not have an equivalent in the web UI.
debug application autolearn debug hardware raid

dnsproxy list
debug application detect
list
index
debug application dssl
debug
log
debug application fds emerglog
network arp
debug application hasync debug flow
filter network ip
debug application hatalk
debug flow network route
debug application http
reset
network rtcache
debug application miglogd
debug flow
network sniffer
debug application mulpattern filter
module- network tcp
debug application proxy detail list
debug application ustack hardware network udp
debug application waf-fds-update check list
debug cli diagnose policy

debug flow
debug cmdb system flash
trace (page
debug application proxy-error 583) system ha file-
debug flow stat
debug application snmp
trace system ha mac
debug application ssl
debug info system ha
debug application sysmon
debug init status
debug console timestamp
debug system ha sync-
debug coredumplog kernlog stat
debug crashlog debug proxy system kill
debug daemonlog svr-balance system mount

debug proxy system top
thread-
l7sync system update
info
debug
netstatlog

diagnose 559
debug trace
report
debug trace
tcpdump
hardware
cpu
debug reset
debug
upload
hardware
harddisk
hardware
interrupts
hardware
logdisk
info
hardware
mem
hardware
nic
debug
Use this command to turn debug log output on or off.
Debug logging can be very resource intensive. To minimize the performance impact on your FortiWeb appliance, use
packet capture only during periods of minimal traffic, with a local console CLI connection rather than a Telnet or SSH
CLI connection, and be sure to stop the command when you are finished.
By default, the most verbose logging that is available from the web UI for any log type is the Information severity level.
Due to their usually unnecessary nature, logs at the severity level of Debug are disabled and hidden. They can only be
enabled and viewed from the CLI. Typically this is done only if your configuration seems to be correct, you cannot
diagnose the problem without more information, and possibly suspect that you may have found either a hardware failure
or software bug.
To generate debug logs, you must:
1. Set the verbosity level for the specific module whose debugging information you want to view, via a debug log
command such as:
debug application hasync {0 | 1 | 2 | 3 | 4 | 5 | 6 | 7} (page 566)
2. If necessary configure any filters specific to the module whose debugging information you are viewing, such as:
debug flow filter server-ip "10.0.0.10"

diagnose 560
3. If necessary start debugging specific to the module, such as:

debug flow trace start
4. Enable debug logs overall. To do this, enter:

debug enable
5. View the debug logs. For convenience, debugging logs are immediately outputted to your local console display or
terminal emulator, but debug log files can also be uploaded to a server.
To do this, use the command:

debug upload
For more complex issues or bugs, this may be required in order to send debug information to Fortinet Customer
Service & Support (https://support.fortinet.com).
Debug logs will be generated only if the application is running. To verify this, use
diagnose system top (page 621). Otherwise, use diagnose debug
crashlog (page 579) instead.
6. The CLI will display debug logs as they occur until you either:
l Disable it by either typing:
diagnose debug disable
or setting all modules’ debug log verbosity back to 0. To reset all verbosity levels simultaneously, you can use
the command:
diagnose debug reset
l Close your terminal emulator, thereby ending your administrative session.

l Send a termination signal to the console by pressing Ctrl+C.
l Reboot the appliance. To do this, you can use the command:
execute reboot
To use this command, your administrator account’s access control profile requires only r permission in any
profile area.
Syntax
diagnose debug {enable | disable}
debug {enable | disable} Select whether to enable or disable recording of logs at the debug disable
severity level.

diagnose 561
Related topics
l "debug application autolearn" on page 561
l "debug application detect" on page 563
l "debug application fds" on page 565
l "debug application mulpattern" on page 570
l "debug application proxy" on page 571
l "debug application proxy-error" on page 572
l "debug application snmp" on page 573
l "debug application sysmon" on page 574
l "debug application waf-fds-update" on page 576
l "debug cli" on page 577
l "debug crashlog" on page 579
l "debug upload" on page 590
debug application autolearn
Use this command to view and set the verbosity level of debug logs for auto-learning.
Before you can see any debug logs, you must first enable debug log output using the command debug.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
For details, see "Permissions" on page 51.
Syntax
diagnose debug application autolearn <autolearn_int>
autolearn <autolearn_int> Specify the verbosity level to output to the CLI display after the 0
command executes.
The valid range is 0–7, where 0 disables debug logs for auto-
learning and 7 generates the most verbose logging.

diagnose 562
If you omit the number, the CLI displays the current verbosity
level. For example:
autolearn debug level is 0
Related topics
l "debug console timestamp" on page 578
l "debug info" on page 586
l "debug reset" on page 589
debug application confd-hamsg
Use this command to set the verbosity level and type of debug logs for HA synchronization.
Before you will be able to see any debug logs, you must first enable debug log output using the command diagnose
debug (page 1).
Syntax
diagnose debug application confd-hamsg {0 | 1 | 2 | 3 | 4 | 5 | 6 | 7}
confd-hamsg {0 | 1 | Enter the number indicating the verbosity level and type of 0
2 | 3 | 4 | 5 | 6 | 7} debugging messages to output to the CLI display after the
command executes.
l 0—Do not display messages.

l 1—Display the process initialization failure message.
l 2—None.
l 3—Display MD5 checksums message of local host.
l 4—Display messages that the local host has received and need to
be synchronized.
l 5—Display messages about member change and HA mode that
the local host has received..
l 6—Display detailed messages of information to be synchronized.
l 7—Display all messages.

diagnose 563
level:
hasync debug level is 0
Example
This example enables diagnostic debug logging in general, then specifically enables packet transmission logging of the
HA synchronization daemon, confd-hamsg.
diagnose debug enable
diagnose debug application confd-hamsg 5
The CLI displays output such as the following until the command is terminated:
(./lib/confd_generate_md5.c : 103 ) request generate md5sum!
(./lib/confd_generate_md5.c : 149 ) generate md5sum done!
(./sync/confd_md5.c : 158 ) send md5sum request to FVVM020000176885, now:548 pending:0 timeout
[60] sync_time:0
(./sync/confd_md5.c : 167 ) ---- <ha_check_confirm_members send by timeout> ----
(./sync/confd_md5.c : 168 ) ---- <local cli> 21E374585BFFBDD4A043951988FEDBE9 ----
(./sync/confd_md5.c : 169 ) ---- <member cli> 1335504BC818AC7702F0A8735DB290D0 ----
(./lib/confd_setup_rsc.c : 571 ) Received MD5SUM response from FVVM020000176885
(./lib/confd_setup_rsc.c : 254 ) get device's config file md5info, and compare them
(./lib/confd_setup_rsc.c : 336 ) the device FVVM020000176885 has fresh system config, don't
need update
(./lib/confd_setup_rsc.c : 384 ) the device FVVM020000176885 has fresh cli config, don't need
update
(./lib/confd_setup_rsc.c : 393 ) config file is same, send init_finished to slave device
FVVM020000176885
(./lib/confd_setup_rsc.c : 118 ) member FVVM020000176885 update confirme time: 550654
(./lib/confd_msg.c : 39 ) send msg to ha, msg len: 72 msg type: 1 sn: FVVM020000176885 status:
0
Related topics
l "debug" on page 1
debug application detect
Use this command to set the verbosity level of debug logs for intrusion detection.
Before you can see any debug logs, you must first enable debug log output using the command diagnose debug
(page 559).

diagnose 564
Syntax
diagnose debug application detect <detect_int>
detect <detect_int> Specify the verbosity level to output to the CLI display after the 0
command executes.
The valid range is 0–7, where 0 disables debug logs for

intrusion detection and 7 generates the most verbose logging.
level:
detect debug level is 0
Related topics
debug application dssl
Use this command to set the verbosity level of debug logs for SSL inspection (temporary decryption in order to enforce
policies). SSL inspection is used only when FortiWeb is operating in a mode that supports it, such as Transparent
Inspection mode or Offline Protection mode.
debug (page 559).
Syntax
diagnose debug application dssl <dssl_int>
dssl <dssl_int> Specify the verbosity level to output to the CLI display after the 0

diagnose 565
command executes.
The valid range is 0–7, where 0 disables debug logs for SSL
inspection and 7 generates the most verbose logging.
level. For example:
dssl debug level is 0
Related topics
debug application fds
Use this command to set the verbosity level of debug logs for update requests to the Fortinet Distribution Network
(FDN).
debug (page 559).
Syntax
diagnose debug application fds <fds_int>
fds <fds_int> Specify the verbosity level to output to the CLI display after the 0
command executes.
The valid range is 0–7, where 0 disables debug logs for FDN
updates and 7 generates the most verbose logging.
level. For example:
fds debug level is 0

diagnose 566
Related topics
debug application hasync
Use this command to set the verbosity level and type of debug logs for HA synchronization.
debug (page 559).
Syntax
diagnose debug application hasync {0 | 1 | 2 | 3 | 4 | 5 | 6 | 7}
hasync {0 | 1 | 2 | 3 | Enter the number indicating the verbosity level and type of 0
4 | 5 | 6 | 7} debugging messages to output to the CLI display after the
command executes.

l 1—Display the process initialization failure message.
l 2—None.
l 3—Display MD5 checksums message.
l 4—Display transmission loading message.
l 5—Display network transmission messages, such as ARP
broadcasts and bridge down/up status changes.
l 6—Display more detailed packet transmission messages.
level:
hasync debug level is 0
Example
This example enables diagnostic debug logging in general, then specifically enables packet transmission logging of the
HA synchronization daemon, hasyncd.

diagnose 567

diagnose debug application hasync 5
(./lib/confd_send_queue.c : 58 ) add request to ha sendqueue success len:626
(./lib/confd_send_queue.c : 171 ) Read send request from local, len = 626 element type:1
(./lib/confd_sync_data.c : 1243) Create session: 0x7f1a3b45f080 dstip: 169.254.0.2 dstsn:
FVVM020000176885 type :1 sd :13 filename : msglen :50
fortiweb # (./lib/confd_sync_data.c : 214 ) Send message hdr init, session :0x7f1a3b45f080
session id: 9219122 type: 1
fer: FV-VMB-6.0-FW-build0064 src_sn: FVVM020000176884 dst_sn: FVVM020000176885
(./lib/confd_sync_data.c : 732 ) Send single cfg message, session: 0x7f1a3b45f080 total len:
278 total_count: 1 current-count: 1 residue: 278 p_len: 278
send_len: 278
(./lib/confd_sync_data.c : 739 ) Send cfg message, session: 0x7f1a3b45f080 total_len: 278
msglen: 58 total_count: 1 current-count: 1residue: 278 retval: 278
(./lib/confd_sync_data.c : 1025) Release session: 0x7f1a3b45f080 type: 1 ctx status: 3 ctx_
file_status: 0 times :4 time out: 5000
Related topics
debug application hatalk
Use this command to set the verbosity level and type of debug logs for HA heartbeats.
debug (page 559).
Syntax
diagnose debug application hatalk {0 | 1 | 2 | 3 | 4 | 5 | 6 | 7}
{0 | 1 | 2 | 3 | 4 | 5 | Enter the number indicating the verbosity level and type of 0
6 | 7} debugging messages to output to the CLI display after the
command executes.

l 1—Display heartbeat process initialization messages.

diagnose 568
l 2—Display monitor port related messages.

l 3—Display member change, external process communication
related messages.
l 4—None.
l 5—Display member massages sent to Kernal.
l 6—Display current status, and role messages.
level:
hatalk debug level is 0
Example
This example enables diagnostic debug logging in general, then specifically enables complete debug logging of the HA
heartbeat daemon, hatalkd.
diagnose debug application hatalk 6
FortiWeb # (ha_timer.c : 305) [87040]syncronized 2 nodes!
(ha_timer.c : 428) hamain[87040949] mode 2, role 1,1, phase 2, narps 0, skip 0
(ha_timer.c : 305) [87041]syncronized 2 nodes!
Related topics

diagnose 569
debug application http
Use this command to set the verbosity level of debug logs for the HTTP protocol parser. This parser module dissects the
HTTP headers and content body for analysis by other modules such as rewriting, HTTP protocol constraints, server
information disclosure, and attack signature matching.
If the debug logs indicate that the HTTP protocol parser may be encountering an error
condition, you can temporarily disable it and allow packets to bypass it to verify if this is the
case. For details, see noparse {enable | disable} (page 157).
debug (page 559).
Syntax
diagnose debug application http <http_int>
http <http_int> Specify the verbosity level to output to the CLI display after the 0
command executes.
The valid range is 0–7, where 0 disables debug logs for the
HTTP protocol parser and 7 generates the most verbose
logging.
level. For example:
http debug level is 0
Related topics
debug application miglogd
Use this command to set the verbosity level of debug logs for the log daemon, miglogd.

diagnose 570
debug (page 559).
Syntax
diagnose debug application miglogd <miglogd_int>
miglogd <miglogd_int> Specify the verbosity level to output to the CLI display after the 0
command executes.
The valid range is 0–7, where 0 disables debug logs for the log
daemon and 7 generates the most verbose logging.
level. For example:
miglogd debug level is 0
Related topics
l "db rebuild" on page 632
debug application mulpattern
Use this command to set the verbosity level of debug logs for the pattern matching module.
debug (page 559).
Syntax
diagnose debug application mulpattern <mulpattern_int>

diagnose 571
mulpattern <mulpattern_ Specify the verbosity level to output to the CLI display after the 0
int> command executes.
pattern matching module and 7 generates the most verbose
logging.
level. For example:
mulpattern debug level is 0
Related topics
debug application proxy
Use this command to set the verbosity level of debug logs for flow through the XML application proxy.
debug (page 559).
Syntax
diagnose debug application proxy <proxy_int>
proxy <proxy_int> Specify the verbosity level to output to the CLI display after the 0
command executes.
XML application proxy flow and 7 generates the most verbose
logging.
level. For example:
proxy debug level is 0

diagnose 572
Related topics
debug application proxy-error
Use this command to set the verbosity level of debug logs for errors in the XML application proxy.
debug (page 559).
Syntax
diagnose debug application proxy-error {-1 | 0}
proxy-error {-1 | 0} Specify the verbosity level to output to the CLI display after the 0
command executes.
The valid range is 0–7, where 0 disables debug logs for XML
application proxy errors and 7 generates the most verbose
logging.
level. For example:
proxy-error debug level is 0
Related topics

diagnose 573
debug application snmp
Use this command to debug the SNMP daemon.
debug (page 559).
Syntax
diagnose debug application snmp <snmp_int>
snmp <snmp_int> Specify the verbosity level to output to the CLI display after the 0
command executes.
The valid range is 0–7, where 0 disables SNMP debugging and

7 generates the most verbose logging.
level:
snmp debug level is 0
Related topics
debug application ssl
Use this command to set the verbosity level of debug logging for SSL/TLS offloading. SSL offloading is supported only
when the FortiWeb appliance is operating in Reverse Proxy or True Transparent Proxy mode.
debug (page 559).

diagnose 574
Syntax
diagnose debug application ssl <ssl_int>
ssl <ssl_int> Specify the verbosity level to output to the CLI display after the 0
command executes.
The valid range is 0–7, where 0 disables debug logging of

SSL/TLS offloading and 7 generates the most verbose
logging.
level. For example:
ssl debug level is 0
Example
This example enables diagnostic debug logging overall, then specifically enables debug logging for SSL in Reverse
Proxy mode.
diagnose debug application ssl
Related topics
debug application sysmon
Use this command to debug the system monitor.
debug (page 559).
Syntax
diagnose debug application sysmon <sysmon_int>

diagnose 575
sysmon <sysmon_int> Specify the verbosity level to output to the CLI display after the 0
command executes.
The valid range is 0–7, where 0 disables system monitor

debugging and 7 generates the most verbose logging.
level. For example:
sysmon debug level is 0
Related topics
debug application ustack
Use this command to set the verbosity level of debug logs for the user-space TCP/IP connectivity stack.
debug (page 559).
Syntax
diagnose debug application ustack <ustack_int>
ustack <ustack_int> Specify the verbosity level to output to the CLI display after the 0
command executes.
The valid range is 0–7, where 0 disables debug logging of the

user-space TCP/IP connectivity stack and 7 generates the
most verbose logging.
level. For example:
ustack debug level is 0

diagnose 576
Related topics
debug application waf-fds-update
Use this command to debug the FortiGuard service update processs.
debug (page 559).
Syntax
diagnose debug application waf-fds-update <update_int>
waf-fds-update <update_ Specify the verbosity level to output to the CLI display after the 0
int> command executes.
The valid range is 0–7, where 0 disables FortiGuard

Distribution Server (FDS) update debugging and 7 generates
the most verbose logging.
level. For example:
waf-fds-update debug level is 0
Related topics

diagnose 577
debug cli
Use this command to set the debug level for the command line interface (CLI).
debug (page 559).
Syntax
diagnose debug cli <cli_int>
cli <cli_int> Specify the verbosity level to output to the CLI display after the 3
command executes.
CLI and 7 generates the most verbose logging.
level. For example:
cli debug level is 0
Related topics
debug cmdb
Use this command to enable the debug log for the configuration management database (CMDB).
debug (page 559).
Syntax
diagnose debug cmdb <cmdb_int>

diagnose 578
cmdb <cmdb_int> Specify the verbosity level to output to the CLI display after the 0
command executes.
The valid range is 0–7, where 0 disables SNMP debugging and

7 generates the most verbose logging.
level:
cmdb debug level is 0
Related topics
debug console timestamp
Use this command to enable or disable the timestamp in debug logs.
debug (page 559).
Syntax
diagnose debug console timestamp {enable | disable}
timestamp {enable | Enable to add timestamps to debug output. disable

disable}
If you omit the selection, the CLI displays the current
timestamp status:
console timestamp is disabled.
Related topics

diagnose 579
debug coredumplog
Use this command to record the stack information in the core file of the proxyd program.
Before you will be able to see any debug logs, you must first enable debug log output using the command enable-
debug-log {enable | disable} (page 299).
Syntax
diagnose debug coredumplog show
diagnose debug coredumplog clear
Related Topic
debug crashlog
Use this command to show crash logs from application proxies that have call back traces, segmentation faults, or
memory register dumps, or to delete the crash log.
Syntax
diagnose debug crashlog show
diagnose debug crashlog clear
Example
diagnose debug crashlog show
Output similar to the following appears in the CLI:

2011-02-08 06:20:46 <18632> firmware FortiWeb-1000B 4.20,build0403,110131
2011-02-08 06:20:46 <18632> application proxy
2011-02-08 06:20:46 <18632> *** signal 11 (Segmentation fault) received ***
2011-02-08 06:20:46 <18632> Register dump:
2011-02-08 06:20:46 <18632> RAX: 00000000 RBX: 00000001 RCX: 00000001 RDX: 00000001
2011-02-08 06:20:46 <18632> RSI: 008d91a4 RDI: 00000000 RBP: 2b8f90ee2b10 RSP:
0072af60
2011-02-08 06:20:46 <18632> RIP: 008d8660 EFLAGS: 2b8f9aaa0010
2011-02-08 06:20:46 <18632> CS: 86b0 FS: 0000 GS: 008d

diagnose 580
2011-02-08 06:20:46 <18632> Trap: 7fff26859ee0 Error: 008d8710 OldMask: 00440f90

2011-02-08 06:20:46 <18632> CR2: 00010202
2011-02-08 06:20:46 <18632> Backtrace:
2011-02-08 06:20:46 <18632> [0x008d8660] => /bin/xmlproxy (g_proxy+0x00000000)
2011-02-08 06:20:46 proxy received SEGV signal - 11
debug daemonlog
Use this command to process call information on specific interface records.
Syntax
diagnose debug daemonlog show
diagnose debug daemonlog clear
Related Topic
debug dnsproxy list
Use this command to display the DNS cache that stores the results of resolving all fully qualified domain names in the
server pools.
Syntax
diagnose debug dnsproxy list
Example
diagnose debug dnsproxy list
If the domain specified for the server pool member is www.example.org and has resolved to 10.20.5.12,
output similar to the following is displayed:
www.example.org
10.20.5.12
10:20::5:12

diagnose 581
Related topics
debug emerglog
Use this command to view or erase disk read-only error logs.
debug (page 559).
Syntax
diagnose debug emerglog {show | clear}
{show | clear} Enter show to view disk read-only error logs. No

default
Enter clear to delete error logs.
debug flow filter
Use these commands to generate only packet flow debug logs that match your filter criteria, such as a specific
destination IP address. You can also use these commands to delete the packet flow debug log filter, so that all packet
flow debug logs are generated.
debug (page 559).
Syntax
diagnose debug flow filter reset
diagnose debug flow filter client-ip <source_ipv4 | source_ipv6>
diagnose debug flow filter server-ip <destination_ipv4 | destination_ipv6>
client-ip <source_ipv4 | Enter the source (SRC) IP address of connections. This will No
source_ipv6> generate only packet flow debug log messages involving that default.
source IP address.

diagnose 582
Note: This filter operates at the IP layer, not the HTTP layer.
If a load balancer or other web proxy is deployed in front of
FortiWeb, and therefore all connections for HTTP requests
appear to originate from this IP address, configuring this filter
will have no effect.
Similarly, if multiple clients share an Internet connection via

NAT or explicit web proxy, configuring this filter will only isolate
connections that share this IP address. It will not be able to
filter out a single client based on individual HTTP sessions
from that IP.
Enter the destination (DST) IP address of the connection,

either the:
l Virtual server on FortiWeb (if FortiWeb is operating in Reverse

server-ip <destination_ No
ipv4 | destination_ipv6>
Proxy mode)
default.
l Protected web server on the back end (all other operation modes)
This will generate only packet flow debug log messages
involving that server IP address.
Related topics
debug flow filter module-detail
Use this command to include or exclude debug logs from each FortiWeb feature module as the packet is processed
when generating packet flow debug logs. This can be useful if you suspect that a module is encountering errors, or need
to know which module is dropping the packet.
Syntax
diagnose debug flow filter module-detail {on | off}
module-detail {on | off} Select whether to include (on) or exclude (off) details from each No default.
module that processes the packet.

diagnose 583
Related topics
l "debug flow reset" on page 583
debug flow reset
Use this command to reset the configuration of packet flow debug log messages.
Syntax
diagnose debug flow reset
Related topics
l "debug flow filter module-detail" on page 582
debug flow trace
Use this command to trace the flow of packets through the FortiWeb appliance’s processing modules and network
stack.
debug (page 559).
Syntax
diagnose debug flow trace {start | stop}
trace {start | stop} Select whether to enable (start) or disable (stop) the recording No
of packet flow trace debug log messages. default.
Example
This example configures a filter based on the packet destination IP 192.0.2.48, enables messages from each packet
processing module, enables packet flow traces, then finally begins generating the debug logs that are enabled for
output (in this case, only packet trace debug logs).

diagnose 584
Because the filters are configured before debug logging is enabled, the administrator can type the filter without being
interrupted by debug log output to the CLI.
diagnose debug flow filter server-ip 192.0.2.48
diagnose debug flow flow module-detail on
diagnose debug flow trace start
Output:
FortiWeb # session_id=251 packet_id=0 policy_name=policy1 msg="Receive packet from client
172.20.120.225:49428"
session_id=251 packet_id=0 msg="HTTP parsing client packet success"
session_id=251 packet_id=0 policy_name="policy1" msg="
Module name:WAF_IP_LIST_CHECK, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_X_FORWARD_FOR_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_GEO_BLOCK_LIST, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_PROTECTED_SERVER_CHECK, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_ALLOW_METHOD_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_ACTIVE_SCRIPT, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_SESSION_MANAGEMENT, Execution:4, Process error:1, Action:ACCEPT
Module name:WAF_HTTP_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_LAYER4_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_AUTHENTICATION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_GLOBAL_WHITE_LIST, Execution:4, Process error:0, Action:ACCEPT
Module name:WAF_URL_ACCESS_POLICY, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_BRUCE_FORCE_LOGIN, Execution:3, Process error:0, Action:ACCEPT
Module name:HTTP_CONSTRAINTS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_COOKIE_POISON, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_START_PAGES, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_PAGE_ACCESS_RULE, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_FILE_UPLOAD_RESTRICTION_POLICY, Execution:3, Process error:0, Action:ACCEPT
Module name:ROBOT_CONTROL_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_PARAMETWER_VALIDATION_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_CHUNK_DECODE, Execution:3, Process error:2, Action:ACCEPT
Module name:WAF_FILE_UNCOMPRESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_SIG_DETECT_PROCESS, Execution:4, Process error:1, Action:ACCEPT
Module name:WAF_HIDDEN_FIELD_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_URL_REWRITING, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_FILE_COMPRESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_CERTIFICATE_FORWARD, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_AUTOLEARN, Execution:4, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_STATISTIC, Execution:3, Process error:0, Action:ACCEPT
"
session_id=502 packet_id=0 policy_name=policy1 msg="Receive packet from client
172.20.120.225:49429"
session_id=502 packet_id=0 msg="HTTP parsing client packet success"
session_id=502 packet_id=0 policy_name="policy1" msg="
Module name:WAF_IP_LIST_CHECK, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_X_FORWARD_FOR_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_GEO_BLOCK_LIST, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_PROTECTED_SERVER_CHECK, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_ALLOW_METHOD_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_ACTIVE_SCRIPT, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_SESSION_MANAGEMENT, Execution:4, Process error:1, Action:ACCEPT
Module name:WAF_HTTP_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_LAYER4_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_AUTHENTICATION, Execution:3, Process error:0, Action:ACCEPT

diagnose 585
Module name:WAF_GLOBAL_WHITE_LIST, Execution:4, Process error:1, Action:ACCEPT

Module name:WAF_URL_ACCESS_POLICY, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_BRUCE_FORCE_LOGIN, Execution:1, Process error:0, Action:ACCEPT
Module name:HTTP_CONSTRAINTS, Execution:1, Process error:0, Action:ACCEPT
Module name:WAF_COOKIE_POISON, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_START_PAGES, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_PAGE_ACCESS_RULE, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_FILE_UPLOAD_RESTRICTION_POLICY, Execution:3, Process error:0, Action:ACCEPT
Module name:ROBOT_CONTROL_PROCESS, Execution:1, Process error:0, Action:ACCEPT
Module name:WAF_PARAMETWER_VALIDATION_PROCESS, Execution:1, Process error:0, Action:ACCEPT
Module name:WAF_CHUNK_DECODE, Execution:3, Process error:2, Action:ACCEPT
Module name:WAF_FILE_UNCOMPRESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_SIG_DETECT_PROCESS, Execution:1, Process error:0, Action:ACCEPT
Module name:WAF_HIDDEN_FIELD_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_URL_REWRITING, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_FILE_COMPRESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_CERTIFICATE_FORWARD, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_AUTOLEARN, Execution:4, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_STATISTIC, Execution:3, Process error:0, Action:ACCEPT
"
session_id=0 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:47368"
192.0.2.48:47376"
192.0.2.48:59687"
192.0.2.48:47382"
192.0.2.48:47387"
diag debug disable
FortiWeb #
Session lines contain the name of the matching server policy (policy_name), the packet identifier (packet_ID), and
TCP session ID (session_id), as well as a log message (msg) indicating one or more of the following:
l The source IP address and port number of the packet (e.g. Receive packet from client
192.0.2.225:49428)
l The success or failure of FortiWeb’s HTTP parser’s attempt to analyze the HTTP headers and payload of the packet into
pieces that can be scanned or modified by modules (e.g. HTTP parsing client packet success or Packet
dropped by detection module,and module number=11)
If the debug logs indicate that the HTTP protocol parser may be encountering an error
condition, you can temporarily disable it and allow packets to bypass it to verify if this is the
case. For details, see noparse {enable | disable} (page 157).
If enabled, module lines contain messages from each FortiWeb feature module as it processes the packet (e.g.
Module name:WAF_PROTECTED_SERVER_CHECK for the feature that tests for an allowed Host: name in the
request). The module logs are displayed in their order of execution; for details, see the FortiWeb Administration Guide:
These messages indicate:

diagnose 586
l Whether or not the module executed, and if not, the reason (e.g. Execution:1)
l Processing errors, if any (e.g. Process error:0)
l Whether a module has allowed or blocked the packet (e.g. Action:ACCEPT or Action:FOLLOWUP_ACCEP)
For non-execution reasons, possible status codes are:
l Execution:1—The module is disabled, and therefore is being skipped.

l Execution:2—The module is not supported in the current deployment mode, and therefore is being skipped.
l Execution:3—The client IP address is whitelisted, and therefore the module is being skipped.
l Execution:4—URL access policy has caused the module to be skipped.
Related topics
l "debug flow filter module-detail" on page 582
debug info
Use this command to display a list of debug log settings.
Syntax
diagnose debug info
Example
diagnose debug application ssl 8
diagnose debug application dssl 8
diagnose debug application ustack 8
diagnose debug info

debug output: disable
console timestamp: disable
ssl debug level: 8
ustack debug level: 8
dssl debug level: 8
CLI debug level: 3

diagnose 587
If you have not modified any verbosity levels, only this default output appears:
FortiWeb # diagnose debug info
debug output: disable
console timestamp: disable
CLI debug level: 3
Related topics
debug init
Use this command to record packet flow trace log messages.
debug (page 559).
Syntax
diagnose debug init {enable | disable}
init {enable | disable} Select whether to enable (start) or disable (stop) the No

diagnose 588
recording of packet flow trace debug log messages. default.
If you omit the selection, the CLI displays the current

timestamp status:
init output: disabled
debug kernlog
Use this command to record the print information of the kernel.
Syntax
diagnose debug kernlog show
diagnose debug kernlog clear
Related Topic
debug netstatlog
Use this command to record the print information of the netstat -anlt when the proxyd program is overloaded.
Syntax
diagnose debug netstatlog show
diagnose debug netstatlog clear
Related Topic

diagnose 589
debug reset
Use this command to reset all debug log settings to default settings for the currently installed firmware version. If you
have not upgraded or downgraded the firmware, this restores the factory default settings.
Syntax
diagnose debug reset
Related topics
debug trace report
Use this command to start or stop collecting debug logs.
Only administrators or users with the prof_admin access file have permission to this command.
Syntax
diagnose trace report {start | stop}
trace report {start | Select whether to enable (start) or disable (stop) collecting No
stop} debug logs. default

diagnose 590
Related topics
debug trace tcpdump
Use this demand to trace packets with tcpdump.
Syntax
diagnose trace tcpdump "<filter_str>" {any | "<interface_str>"} "<max-packet-count_
int>" {reset}
"<filter_str>" Specify which protocols and port numbers that you do or do No

not want to capture, such as 'tcp and port 80 and default
host IP1 and ( IP2 or IP3 )', or leave this field
blank for no filters.
Note that please use the same filter expression as tcpdump
for this filter, you can refer to the Linux main page of
TCPDUMP
(http://www.tcpdump.org/manpages/tcpdump.1.html).
Select the network interface on which you want to capture

{any | "<interface_str>"} any
packets, such as port1, or any for all interfaces.
"<max-packet-count_int>" Specify the maximum packets you want to capture for the 4000
policy. Capture will stop automatically if the total captured
packets hit the count.
No
{reset} Reset all the settings to default.
default
Related topics
debug upload
Use this command to upload debug logs to an FTP server. This can be used if you want to view logs outside of the CLI,
or if you need to provide debug log files to Fortinet Customer Service & Support:

diagnose 591
Syntax
diagnose debug upload <ftp_ipv4> <user_str> <password_str> <upload-dir_str>
<ftp_ipv4> Enter the IP address or domain name of the FTP server. No

default.
No
<user_str> Enter a valid user account name to log in to the FTP server.
default.
<password_str> Enter the password for the user account. No

default.
Enter the directory path on the FTP server where FortiWeb will No
<upload-dir_str>
upload files. default.
Example
diagnose debug upload 192.0.2.5 user1 1passw0Rd C:/uploads
Related topics
hardware check
Use this command to check the appliance hardware for errors. In the case of FortiWeb, this command checks virtual
hardware—the vCPUs.
For example, to troubleshoot a logging problem, use the following command to check the log disk for errors:
diagnose hardware check logdisk
If the disk does not pass the check, it is likely the source of the problem.
Syntax
diagnose hardware check {all |cp8 |cpu |logdisk | memory |nic}
{all |cp8 |cpu |logdisk | memory Enter the type of hardware to check, or enter all to No

|nic}

diagnose 592
check all hardware. default.
For FortiWeb-VM versions, the cp8 option is not

available.
Note: Only some hardware platforms support
diagnose hardware check.
Example
The following command checks the log disk:
diagnose hardware check logdisk

logdisk check Pass
size Pass 1952
disk-number Pass 2
raid-level Pass raid1
hardware cpu
Use this command to display a list of hardware specifications on the FortiWeb appliance for CPUs. In the case of
FortiWeb-VM, this command displays virtual hardware information—the vCPUs.
To use this command, your administrator account’s access control profile must have at least r permission to the
Syntax
diagnose hardware cpu [list]
Example
diagnose hardware cpu list

processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Xeon(R) CPU E5405 @ 2.00GHz
stepping : 10
cpu MHz : 1995.056
cache size : 6144 KB
physical id : 0
siblings : 4
core id : 0
cpu cores : 4

diagnose 593
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36
clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc pni monitor ds_cpl
vmx tm2 cx16 xtpr lahf_lm
bogomips : 3994.51
clflush size : 64
cache_alignment : 64
address sizes : 38 bits physical, 48 bits virtual
power management:
Related topics
l "system top " on page 621
l "hardware mem" on page 596
l "system performance" on page 659
hardware fail-open
Fail-to-wire/bypass behavior is available for specific models only. For details, see "system fail-open" on page 245.
hardware harddisk
Use this command to display a list of hard disks and their capacity in megabytes (MB) in the FortiWeb appliance. In the
case of FortiWeb-VM, this will instead be for virtual hardware.
Syntax
diagnose hardware harddisk [list]
Example
diagnose hardware harddisk list

name size(M)
sda 625.56
sdb 32212.25
On a FortiWeb 1000C with a single properly functioning internal hard disk plus its internal flash disk, this command
should show two file systems:
name size(M)
sda 1000204.89

diagnose 594
sdb 1971.32
where sda, the larger file system, is from the hard disk used to store non-configuration/firmware data. If it does not
appear, you can reboot and attempt to run a file system check to fix the file system and mount it.
Similarly FortiWeb 3000D shows:

name size(M)
sda 1999844.15
sdb 2055.21
Related topics
l "hardware logdisk info" on page 595
l "system flash" on page 615
l "system mount" on page 620
hardware interrupts
Use this command to display input/output (I/O) interrupt requests (IRQs) on the FortiWeb appliance. (In the case of
FortiWeb-VM, this will instead be for virtual hardware.)
Syntax
diagnose hardware interrupts list
Example
diagnose hardware interrupts list

CPU0
0: 225 IO-APIC-edge timer
1: 597 IO-APIC-edge i8042
2: 0 XT-PIC-XT-PIC cascade
12: 6 IO-APIC-edge i8042
14: 0 IO-APIC-edge ide0
15: 0 IO-APIC-edge ide1
16: 151462 IO-APIC-fasteoi vmxnet ether
17: 1080446 IO-APIC-fasteoi ioc0, vmxnet ether
NMI: 0 Non-maskable interrupts
LOC: 103791489 Local timer interrupts
SPU: 0 Spurious interrupts
PMI: 0 Performance monitoring interrupts
IWI: 0 IRQ work interrupts

diagnose 595
RES: 0 Rescheduling interrupts

CAL: 0 Function call interrupts
TLB: 0 TLB shootdowns
MCE: 0 Machine check exceptions
MCP: 346 Machine check polls
ERR: 0
MIS: 0
Related topics
hardware logdisk info
Use this command to display the capacity, partitions, mount status, and RAID level (if any) of the hard disk FortiWeb
uses to store logs and other data. For FortiWeb-VM, information for virtual hardware (the vDisk) is displayed.
Syntax
diagnose hardware logdisk info
Example
This example shows normal output for a FortiWeb-VM installation: there is no RAID, and it has been allocated a 40 GB
vDisk. If the disk were mounted as read-only, this would indicate that the disk had failed to mount normally, and would
be the cause if no new log messages were being recorded.
diagnose hardware logdisk info
The CLI displays output that is similar to the following:

disk number: 1
disk[0] size: 31.46GB
raid level: no raid exists
partition number: 1
mount status: read-write
Related topics
l "hardware harddisk" on page 593

diagnose 596
hardware mem
Use this command to display the usage statistics of ephemeral memory (RAM), including swap pages and shared
memory (Shmem), on the FortiWeb appliance. In the case of FortiWeb-VM, this will instead be for virtual hardware—the
vRAM.
Syntax
diagnose hardware mem list
Example
diagnose hardware mem list

MemTotal: 1026808 kB
MemFree: 397056 kB
Buffers: 121248 kB
Cached: 86112 kB
SwapCached: 0 kB
Active: 324664 kB
Inactive: 66608 kB
Active(anon): 186544 kB
Inactive(anon): 8856 kB
Active(file): 138120 kB
Inactive(file): 57752 kB
Unevictable: 46008 kB
Mlocked: 46008 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 1564 kB
Writeback: 0 kB
AnonPages: 229920 kB
Mapped: 12632 kB
Shmem: 11488 kB
Slab: 36564 kB
SReclaimable: 6552 kB
SUnreclaim: 30012 kB
KernelStack: 640 kB
PageTables: 8820 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 513404 kB
Committed_AS: 1216900 kB
VmallocTotal: 34359738367 kB
VmallocUsed: 38960 kB
VmallocChunk: 34359682723 kB
DirectMap4k: 8192 kB
DirectMap2M: 1040384 kB

diagnose 597
Related topics
hardware nic
Use this command to display a list of hardware specifications for the network interface card (NIC) physical ports on the
FortiWeb appliance. (In the case of FortiWeb-VM, this will instead be for virtual hardware—the vNICs—and therefore
the driver will be a virtual driver such as vmxnet, and the interrupt will be a virtual IRQ address.)
If the FortiWeb’s network hardware has failed, this command can help to detect it. For example, if you know that the
network cable is good and the configuration is correct, but this command displays Link detected: no), the
physical network port may be broken.
Syntax
diagnose hardware nic list [<interface_name>]
list [<interface_name>] Optionally, enter the name of a physical network interface, No

such as port1, to display its link status, configuration, default.
hardware information, status, and connectivity statistics such
as collision errors.
If you omit the name of a NIC port, the CLI returns a list of all
physical network interfaces, as well as the loopback interface
(lo):
lo
port1
port2
port3
port4
Note: The detected physical link status from this command is

not the same as its configured administrative status.
For example, even though you have used config config
system interface (page 280) to configure port1 with set
status down, if the cable is physically plugged in,
diagnose hardware nic list port1 will indicate
correctly that the link is up (Link detected: yes).

diagnose 598
Example
diagnose hardware nic list

driver vmxnet
version 2.0.9.0
firmware-version N/A
bus-info 0000:00:11.0
Supported ports TP
Supported link modes 1000baseT/Full
Supports auto-negotiation: No
Advertised link modes: Not reported
Advertised auto-negotiation: No
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD 0
Transceiver: internal
Auto-negotiation off
Link detected yes
Link encap Ethernet

HWaddr 00:0C:29:FE:2B:47
INET addr 10.1.1.221
Bcast 10.1.1.221
Mask 255.255.255.255
FLAG UP BROADCAST RUNNING MULTICAST
MTU 1500
MEtric 1
Outfill 0
Keepalive 6846704
Interrupt 18
Base address 0x1400
RX packets 171487
RX errors 167784
RX dropped 0
RX overruns 0
RX frame 0
TX packets 202724
TX errors 0
TX dropped 0
TX overruns 0
TX carrier 0
TX collisions 0
TX queuelen 1000
RX bytes 72772373 (69.4 Mb)
TX bytes 32288070 (30.7 Mb)

diagnose 599
Related topics
l "hardware interrupts" on page 594
l "network tcp list" on page 611
l "network udp list" on page 613
l "system ha mac" on page 617
hardware raid list
Use this command to run a diagnostic test of each hard disk in the RAID array that FortiWeb has. It also displays the
capacity and RAID level. Because FortiWeb-VM has no RAID, this command is not applicable to it.
Syntax
diagnose hardware raid list
Example
diagnose hardware raid list
Output similar to the following (from a FortiWeb 3000D) appears in the CLI window:
disk-number size(M) level
0(OK),1(OK), 1877274 raid1
Related topics
l "system raid" on page 293
l "hardware harddisk" on page 593
l "create-raid level" on page 630

diagnose 600
index
Use this command to view (list) or clear logs, or to examine (show) or configure logs.
To use this command, your administrator account’s access control profile must have rw or w permission to the loggrp
Syntax
diagnose index all show
diagnose index all clear
diagnose index {alog | dlog | elog | tlog} clear
diagnose index {alog | dlog | elog | tlog} list <index_int>
diagnose index {alog | dlog | elog | tlog} set <queue_int>
diagnose index {alog | dlog | elog | tlog} show
index {alog | dlog | Select which log files to view or affect: No

elog | tlog} default.
l alog—Attack logs.
l dlog—Debug logs.
l elog—Event logs.
l tlog—Traffic logs.
No
list <index_int> Enter the number of most recent logs to display.
default.
set <queue_int> Enter the maximum length of the log before it is flushed and written No
to disk. The valid range is 0–32,768. default.
Example
This example displays a list of logs processed.
diagnose index all show
Related topics

diagnose 601
log
Use this command to view (list) or clear log messages, or to examine (show) or configure logging queues.
To use this command, your administrator account’s access control profile must have rw or w permission to the loggrp
Syntax
diagnose log {all | alog | dlog | elog | tlog} [show | start | stop]
log {all | alog | dlog | Select which log files to view: No

elog | tlog} default.
l all—All logs
l alog—Attack logs
l dlog—Debug logs
l elog—Event logs
l tlog—Traffic logs
Displays the log messages or specifies a time to start or stop

[show | start | stop]
logging.
Example
This example sets a time to start the display of log messages, displays log information starting at that time, and stops
the display of log messages. The appliance’s responses are displayed in bold.
FortiWeb # dia log all start
start tracking log
FortiWeb # dia log all show
time span starts from 2014-07-31 18:31:53.000000
Total time span is 10.754097 seconds
Time spent on waiting is 10.527346 seconds
Time spent on preprocessing is 0.000000 seconds
event log processed: 0
traffic log processed: 0
attack log processed: 0
FortiWeb # dia log all stop
stop tracking log
Related topics

diagnose 602
network arp
Use this command to add or delete an address resolution protocol (ARP) table entry, or to display the ARP table. The
ARP table is used to resolve the IP addresses that correspond to a network interface card’s physical MAC address,
thereby determining which IP addresses can be reached directly through a link.
To use this command, your administrator account’s access control profile must have rw or w permission to the sysgrp
Syntax
diagnose network arp add <interface_name><mac-address_hex>
diagnose network arp delete network arp
diagnose network arp list
diagnose network arp flush
<interface_name> Enter the name of the interface to add or delete from the ARP No
table. default.
{<interface_ipv4> | No
interface_ipv6>} Enter the IP address of the interface.
default.
<mac-address_hex> Enter the MAC address of the interface. No

default.
Example
This example displays a list of ARP table entries.
FortiWeb # diagnose network arp list
port_ha: 169.254.0.2 fc:aa:14:75:c0:e0 reachable
port1: 10.0.0.1 00:09:0f:77:11:1d stale
port2: 10.65.13.3 00:0c:29:02:f1:bb reachable
lo: 10::13:101 0: 0: 0: 0: 0: 0 noarp
port2: ff02::16 33:33: 0: 0: 0:16 noarp
vlan66: ff02::16 33:33: 0: 0: 0:16 noarp
port7: ff02::2 33:33: 0: 0: 0: 2 noarp
port_ha: ff02::2 33:33: 0: 0: 0: 2 noarp
port_tn: ff02::16 33:33: 0: 0: 0:16 noarp
port7: ff02::16 33:33: 0: 0: 0:16 noarp
port_ha: ff02::16 33:33: 0: 0: 0:16 noarp
gretap0: ff02::16 33:33: 0: 0: 0:16 noarp
Related topics

diagnose 603

network ip
Use these commands to add or delete a network interface, loopback interface, or virtual server (which functions
somewhat like a virtual network interface) IP address, or to list the table of network interface IPs.
Back up the configuration before deleting a network interface table entry. FortiWeb
presents no confirmation message, and in some cases such as the loopback
interface, provides no undelete mechanism.
Syntax
diagnose network ip add <interface_name> {<interface_ipv4> | interface_ipv6}
{<interface_ipv4mask> |<interface_v6mask>}
diagnose network ip delete <interface_name> {<interface_ipv4> | interface_ipv6}
diagnose network ip list
<interface_name> Enter the name of the interface to add or delete from the network No
interface table. default.
{<interface_ipv4> | No
interface_ipv6} Enter the IP address of the network interface.
default.
{<interface_ Enter the subnet mask. No

ipv4mask> |<interface_ default.
v6mask>}
Example
This example displays a list of enabled network interfaces, including the loopback (lo).
FortiWeb # diagnose network ip list
lo: 127.0.0.1/24
port1: 10.200.123.2/16
lo: ::1/128
port1: fe80::20c:29ff:fec3:34a6/64
port5: fe80::20c:29ff:fec3:34ce/64
port9: fe80::20c:29ff:fec3:34f6/64
port2: fe80::20c:29ff:fec3:34b0/64
port6: fe80::20c:29ff:fec3:34d8/64
port10: fe80::20c:29ff:fec3:3400/64
port3: fe80::20c:29ff:fec3:34ba/64
port7: fe80::20c:29ff:fec3:34e2/64

diagnose 604
port4: fe80::20c:29ff:fec3:34c4/64
port8: fe80::20c:29ff:fec3:34ec/64
port_tn: fe80::1854:64ff:fe68:fd55/64
Example
This example deletes the IP of a virtual server on port2.
diagnose network ip delete port1 192.0.2.221
Related topics
network route
Use this command to add or delete a route in the routing table, or to list the routing table.
This command displays all individual entries, including automatically configured routes for the loopback interface and
VLANs, and also displays each route’s priority. Unlike diagnose network rtcache (page 605), it displays all
known routes, regardless of whether they have been recently used.
Do not delete routes unless you are sure. FortiWeb does not ask you to confirm the
deletion, and there is no undelete mechanism. For example, if you accidentally delete a
loopback interface route, you must recreate it manually.
Syntax
diagnose network route add {<source_ipv4mask> | <source_ipv6mask>} <delay_int>
{<destination_ipv4mask> | <destination_ipv6mask>} <delay_int> <delay_
int><priority_int>
diagnose network route delete {<source_ipv4mask> | <source_ipv6mask>} <delay_int>
{<destination_ipv4mask> | <destination_ipv6mask>} <delay_int> <delay_int>
<priority_int>
diagnose network route list
{<source_ipv4mask> | Enter the IP address and network mask of the source, separated by No
<source_ipv6mask>} a space. default.
Enter the name of the interface to add or delete from the routing No
<interface_name>
table. default.
{<destination_ipv4mask> | Enter the IP address and network mask of the source, separated by No

diagnose 605
<destination_ipv6mask>} a space. default.
{<gateway_ipv4> | Enter the IP address of the next hop router (sometimes called a No
<gateway_ipv6>} gateway) to which this route sends packets. default.
<priority_int> Enter the priority of the route in the routing table. The lower the 0
number, the higher the priority. The valid range is 1–255.
Example
This example displays the routing table.
FortiWeb # diagnose network route list
0.0.0.0/0(none)->10.200.0.0/16(port1) via 0.0.0.0, pri 0 prot 2 scope 253
::/0(none)->fe80::/64(port1) via ::, pri 256 prot 2 scope 0
::/0(none)->fe80::/64(port_tn) via ::, pri 256 prot 2 scope 0
Example
This example adds a route to the routing table.
diagnose network route add 10::/64 port1 10:200::1/64 port1 10::1 0
Related topics
l "ping6" on page 640
l "network rtcache" on page 605
network rtcache
Use this command to display the routing cache.
Unlike diagnose network route (page 604), this command displays the cache of the most recently used routes,
not necessarily the entire configuration. (You may have configured many routes, and these configurations will be saved

diagnose 606
to disk and appear in diagnose network route (page 604), but rarely used ones will not usually appear in the
route cache, which keeps recently used routes in RAM for performance reasons.)
Syntax
diagnose network rtcache list
Example
This example displays the ARP cache.
172.20.120.52(port1)->255.255.255.255(lo) via 0.0.0.0, pri 0 prot 0 scope 0, ref 0 lastuse 3181
expires 0 error 0 used 855
172.20.120.100(port3)->172.20.120.255(lo) via 0.0.0.0, pri 0 prot 0 scope 0, ref 0 lastuse 434
expires 0 error 0 used 0
172.20.120.230(port1)->255.255.255.255(lo) via 0.0.0.0, pri 0 prot 0 scope 0, ref 0 lastuse
47386 expires 0 error 0 used 7
10.0.1.1(none)->10.0.1.1(lo) via 0.0.0.0, pri 0 prot 0 scope 0, ref 0 lastuse 223 expires 0
error 0 used 29551
0.0.0.0(none)->10.0.1.1(lo) via 0.0.0.0, pri 0 prot 0 scope 0, ref 0 lastuse 223 expires 0
error 0 used 7387
::(none)->::1(lo) via ::, pri 0 prot 0 scope 0 ref 1 lastuse 155845 expires 0 error 0 used 417
::(none)->2607:f0b0:f:420:20c:29ff:fe4d:3ad3(lo) via ::, pri 0 prot 0 scope 0 ref 1 lastuse
::(none)->2607:f0b0:f:420:20c:29ff:fe4d:3ae7(lo) via ::, pri 0 prot 0 scope 0 ref 1 lastuse
::(none)->2607:f0b0:f:420:20c:29ff:fe4d:3af1(lo) via ::, pri 0 prot 0 scope 0 ref 1 lastuse
::(none)->2607:f0b0:f:420::(port1) via ::, pri 256 prot 0 scope 0 ref 0 lastuse 2590616 expires
214715722 error 0 used 0
::(none)->ff00::(port4) via ::, pri 256 prot 0 scope 0 ref 0 lastuse 2590615 expires 0 error 0
used 0
::(none)->ff00::(lo) via ::, pri -1 prot 0 scope 0 ref 1 lastuse 449431651 expires 0 error -101
used 1
Example
This example adds a route to the routing table.
diagnose network route add vlan2 160.1.12.0 255.0.0.0 172.20.01.169 32 3 verify
Related topics

diagnose 607
network sniffer
Use this command to perform a packet trace on one or more network interfaces.
Packet capture, also known as sniffing or packet analysis, records some or all of the packets seen by a network interface
(that is, the network interface is used in promiscuous mode). By recording packets, you can trace connection states to
the exact point at which they fail, which may help you to diagnose some types of problems that are otherwise difficult to
detect.
FortiWeb appliances have a built-in sniffer. Packet capture on FortiWeb appliances is similar to that of FortiGate
appliances. Packet capture output appears on your CLI display until you stop it by pressing Ctrl+C, or until it reaches the
number of packets that you have specified to capture.
Packet capture can be very resource intensive. To minimize the performance impact on
your FortiWeb appliance, use packet capture only during periods of minimal traffic, with a
local console CLI connection rather than a Telnet or SSH CLI connection, and be sure to
stop the command when you are finished.
If your FortiWeb model uses Data Plane Development Kit (DPDK) for packet processing
(for example, models 3000E, 3010E and 4000E) and is operating in Offline Protection
mode, you cannot use this command with ports that are configured as data capture ports.
To use the command with this type of port, disable the corresponding server policy or
configure the policy with a different data capture port.
Syntax
diagnose network sniffer [{any | "<interface_name>"} [{none | "<filter_str>"} [{1 | 2 |
3} [<packets_int> ]]]]
{any | "<interface_ Enter the name of a network interface whose packets you No
name>"} want to capture, such as port1, or type any to capture default.
packets on all network interfaces.
If you omit this and the following parameters for the

command, the command captures all packets on all network
interfaces.
Enter either none to capture all packets, or type a filter that

specifies which protocols and port numbers that you do or do
not want to capture, such as "tcp port 25".
{none | "<filter_str>"} none
Filters use tcpdump (http://www.tcpdump.org) syntax:
"[[src|dst] host {<host1_fqdn> | <host1_
ipv4>}] [and|or] [[src|dst] host {<host2_

diagnose 608
fqdn> | <host2_ipv4>}] [and|or]

[[arp|ip|gre|esp|udp|tcp] port <port1_int>]
[and|or] [[arp|ip|gre|esp|udp|tcp] port
<port2_int>]"
To display only the traffic between two hosts, specify the IP

addresses of both hosts. To display only forward or reply
packets, indicate which host is the source, and which is the
destination.
For example, to display UDP port 1812 traffic between

1.example.com and either 2.example.com or
3.example.com, you would enter:
"udp and port 1812 and src host
1.example.com and dst $ 2.example.com or
2.example.com $"
{1 | 2 | 3} Type one of the following integers indicating the depth of 1

packet headers and payloads to capture:
l 1—Display the packet capture timestamp, plus basic fields

of the IP header: the source IP address, the destination IP
address, protocol name, and destination port number.
Does not display all fields of the IP header; it omits:
l IP version number bits

l Internet header length (ihl)
l type of service/differentiated services code point (tos)
l explicit congestion notification
l total packet or fragment length
l packet ID
l IP header checksum
l time to live (TTL)
l fragment offset
l options bits
l 2—All of the output from 1, plus the packet payload in both
hexadecimal and ASCII.
l 3—All of the output from 2, plus the link layer (Ethernet) header.
For troubleshooting purposes, Fortinet Technical Support
may request the most verbose level (3).
Enter the number of packets to capture before stopping. Packet

capture
<packets_int> If you do not specify a number, the command will continue to continues
capture packets until you press Ctrl+C. until you

diagnose 609
press
Ctrl + C.
Example
The following example captures three packets of traffic from any port number or protocol and between any source and
destination (a filter of none), which passes through the network interface named port1. The capture uses a low level
of verbosity (indicated by 1).
Commands that you would type are highlighted in bold; responses from the FortiWeb appliance are not bolded.
FortiWeb# diagnose network sniffer port1 none 1 3
filters=[none]
0.918957 192.168.0.1.36701 -> 192.168.0.2.22: ack 2598697710
0.919024 192.168.0.2.22 -> 192.168.0.1.36701: psh 2598697710 ack 2587945850
0.919061 192.168.0.2.22 -> 192.168.0.1.36701: psh 2598697826 ack 2587945850
If you are familiar with the TCP protocol, you may notice that the packets are from the middle of a TCP connection.
Because port 22 is used (highlighted above in bold), which is the standard port number for SSH, the packets might be
from an SSH session.
Example
The following example captures packets traffic on TCP port 80 (typically HTTP) between two hosts, 192.168.0.1
and 192.168.0.2. The capture uses a low level of verbosity (indicated by 1). Because the filter does not specify either
host as the source or destination in the IP header (src or dst), the sniffer captures both forward and reply traffic.
FortiWeb# diagnose network sniffer packet port1 'host 192.168.0.2 or host 192.168.0.1 and tcp
port 80' 1
A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator
presses Ctrl+C. The sniffer then confirms that five packets were seen by that network interface. Below is a sample
output.
192.168.0.2.3625 -> 192.168.0.1.80: syn 2057246590
192.168.0.1.80 -> 192.168.0.2.3625: syn 3291168205 ack 2057246591
192.168.0.2.3625 -> 192.168.0.1.80: ack 3291168206
192.168.0.2.3625 -> 192.168.0.1.80: psh 2057246591 ack 3291168206
192.168.0.1.80 -> 192.168.0.2.3625: ack 2057247265
5 packets received by filter
0 packets dropped by kernel
Example
The following example captures TCP port 443 (typically HTTPS) traffic occurring through port1, regardless of its
source or destination IP address. The capture uses a high level of verbosity (indicated by 3).
The number of packets to capture is not specified, so the packet capture continues until the administrator presses
Ctrl+C. The sniffer then states how many packets were seen by that network interface.

diagnose 610
Verbose output can be very long. As a result, output shown below is truncated after only one packet.
FortiWeb# diagnose network sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E.
0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W....
0x0020 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002 ...B..-f........
0x0030 16d0 4f72 0000 0204 05b4 0402 080a 03ab ..Or............
Instead of reading packet capture output directly in your CLI display, you usually should save the output to a plain text
file using your CLI client. Saving the output provides several advantages. Packets can arrive more rapidly than you may
be able to read them in the buffer of your CLI display, and many protocols transfer data using encodings other than US-
ASCII. It is often, but not always, preferable to analyze the output by loading it into in a network protocol analyzer
application such as Wireshark (http://www.wireshark.org/).
For example, you could use PuTTY or Microsoft HyperTerminal to save the sniffer output to a file. Methods may vary.
See the documentation for your CLI client.
Requirements

l A plain text editor such as Notepad
l A Perl interpreter
l Network protocol analyzer software such as Wireshark (http://www.wireshark.org)
To view packet capture output using PuTTY and Wireshark

2. Use PuTTY to connect to the FortiWeb appliance using either a local console, SSH, or Telnet connection. For
details, see "Connecting to the CLI" on page 39.
3. Type the packet capture command, such as:

diag network sniffer packet port1 'tcp port 443' 3 100
but do not press Enter yet.
4. In the upper left corner of the window, click the PuTTY icon to open its drop-down menu, then select
Change Settings.
5. In the Category tree on the left, go to Session > Logging.
6. Select Printable output.
7. In Log file name, click the Browse button, then choose a directory path and file name such as
C:\Users\MyAccount\packet_capture.txt to save the packet capture to a plain text file. You do not need
to save it with the .log file extension.
8. Click Apply.
9. Press Enter to send the CLI command to the FortiMail appliance, beginning packet capture.

diagnose 611
10. If you have not specified a number of packets to capture, when you have captured all packets that you want to
analyze, press Ctrl + C to stop the capture.
11. Close the PuTTY window.

12. Open the packet capture file using a plain text editor such as Notepad.
13. Delete the first and last lines, which look like this:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 4/29/2019.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=
FortiWeb-2000 #
These lines are a PuTTY timestamp and a command prompt, which are not part of the packet capture. If you do not
delete them, they could interfere with the script in the next step.
14. Convert the plain text file to a format recognizable by your network protocol analyzer application.
You can convert the plain text file to a format recognizable by Wireshark (.pcap) using the fgt2eth.pl Perl
script. To download fgt2eth.pl, see the Fortinet Knowledge Base article "Using the FortiOS built-in packet
sniffer:"
http://kb.fortinet.com/kb/documentLink.do?externalId=11186
The fgt2eth.pl script is provided as-is, without any implied warranty or technical support, and requires that you
first install a Perl module compatible with your operating system.
To use fgt2eth.pl, open a command prompt, then enter a command such as the following:
fgt2eth.pl -in packet_capture.txt -out packet_capture.pcap
where:
l fgt2eth.pl is the name of the conversion script; include the path relative to the current directory, which is indicated
by the command prompt
l packet_capture.txt is the name of the packet capture’s output file; include the directory path relative to your
current directory
l packet_capture.pcap is the name of the conversion script’s output file; include the directory path relative to your
current directory where you want the converted output to be saved
Methods to open a command prompt vary by operating system.

On Windows XP, go to Start > Run and enter cmd.
On Windows 7, click the Start (Windows logo) menu to open it, then enter cmd.
15. Open the converted file in your network protocol analyzer application. For further instructions, see the
documentation for that application.
network tcp list
Use this command to view a list of TCP raw socket details, including:
l sl—Kernel socket hash slot.

l local_address—IP address and port number pair of the local FortiWeb network interface in hexadecimal, such as
DD01010A:0050.

diagnose 612
l rem_address—Remote host’s network interface and port number pair. If not connected, this will contain
00000000:0000.
l st—TCP state code (e.g. OA for listening, 01 for established, or 06 for timeout wait)
l tx_queue—Kernel memory usage by the transmission queue.
l rx_queue—Kernel memory usage by the retransmission queues.
l tr, tm-> when, retrnsmt—Kernel socket state debugging information.
l uid—User ID of the socket’s creator (on FortiWeb, always 0).
l timeout—Connection timeout.
l inode—Pseudo-file system i-node of the process.
Syntax
diagnose network tcp list
Example
diagnose network tcp list
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: DD01010A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 333597 1
ffff88003b825880 299 0 0 2 -1
1: 2F7814AC:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 228018 1
ffff88003b824680 299 0 0 2 -1
2: 1B01A8C0:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2692 1
ffff88003b6ec6c0 299 0 0 2 -1
3: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2691 1
ffff88003b6eccc0 299 0 0 2 -1
4: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2433 1
ffff88003b489280 299 0 0 2 -1
5: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2400 1
ffff88003b489880 299 0 0 2 -1
6: 0100007F:22B8 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2687 1
ffff88003b488680 299 0 0 2 -1
7: DD01010A:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 333598 1
ffff88003bbf3940 299 0 0 2 -1
8: 2F7814AC:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 228017 1
ffff88003b824080 299 0 0 2 -1
9: 1B01A8C0:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2689 1
ffff88003b6ed8c0 299 0 0 2 -1
10: 0100007F:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2688 1
ffff88003b488080 299 0 0 2 -1
11: 00000000:208D 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2441 1
ffff88003b488c80 299 0 0 2 -1
12: 2F7814AC:0016 E17814AC:FEF2 01 00000000:00000000 02:000909FE 00000000 0 0 272209 4
ffff88003bbf2d40 20 3 1 5 -1
Related topics

diagnose 613
network udp list
Use this command to view a list of UDP raw socket details, including:
l sl—Kernel socket hash slot.

l local_address—IP address and port number pair of the local FortiWeb network interface in hexadecimal, such as
DD01010A:0050.
l rem_address—Remote host’s network interface and port number pair. If not connected, this will contain
00000000:0000.
l st—TCP state code in hexadecimal (e.g. 0A for listening, 01 for connection established, or 06 for waiting for data)
l tx_queue—Kernel memory usage by the transmission (Tx) queue.
l rx_queue—Kernel memory usage by the retransmission (Rx) queues. This is not used by UDP, since the protocol itself
does not support retransmission.
l tr, tm-> when, retrnsmt—Kernel socket state debugging information. These are not used by UDP, since the
protocol itself does not support retransmission.
l uid—User ID of the socket’s creator (on FortiWeb, always 0).
l timeout—Connection timeout.
l inode—Pseudo-file system inode of the process.
l ref, pointer—Pseudo-file system references.
Syntax
diagnose network udp list
Example
diagnose network udp list
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref
pointer drops
307: 00000000:00A1 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2498 2
ffff88003acba080 0
447: 00000000:3F2D 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2874 2
ffff88003acbac80 0
Related topics

diagnose 614
policy
Use this command to view the process ID, live sessions, and traffic statistics associated with a server policy.
Syntax
diagnose policy pserver [list "<policy_name>"]
diagnose policy session [list "<policy_name>"]
diagnose policy traffic [list "<policy_name>"]
diagnose policy period-blockip [list "<policy_name>"]
diagnose policy period-blockip [delete "<policy_name>"]{ipv4 | ipv6}
diagnose policy "<policy_name>"
pserver [list "<policy_ Displays the status of physical servers covered by the policy. No
name>"] default.
session [list "<policy_ No

name>"] Displays IP session information for TCP and UDP connections.
default.
traffic [list "<policy_ Displays traffic throughput (bandwidth usage) information. No

name>"] default.
Displays client IP addresses whose requests are temporarily

period-blockip [list No
"<policy_name>"]
blocked because the client violated a rule in the specified policy
default.
with an Action value of Period Block.
period-blockip [delete Unblocks the specified client IP address that FortiWeb has blocked No
"<policy_name>"]{ipv4 | because it violated a rule in the specified policy with an Action default.
ipv6}
value of Period Block. (FortiWeb can still block the address
because it violates a rule in a different policy.)
No
"<policy_name>" Enter the name of an existing server policy.
default.
Example
This example shows the output of the pserver list command. The alive value indicates the status of the server
health check:

diagnose 615
Health Check Status icon in Policy Status

Integer Health check status
dashboard
0 Failed Red
1 Passed Green
2 Disabled Grey
diagnose policy pserver list Policy1

policy(Policy1)
server-pool(FWB_server_pool):
total = 1
server[0]
id: 1
ip: 10.20.1.22
port: 80
alive: 2
session: 0
status: 1
Related topics
system flash
Use this command to change the currently active firmware partition or to display partition information stored on the flash
drive.
FortiWeb appliances have 2 partitions that each contain a firmware image: one is the primary and one is the backup. If
the FortiWeb appliance is unable to successfully boot using the primary firmware partition, it may boot using the
alternative firmware partition. The second partition can contain another version of the firmware.
Syntax
diagnose system flash default <partition_int>
diagnose system flash list
<partition_int> Enter the number of the partition that will be used as the primary No
firmware partition during the next reboot or startup. The other default.
partition will become the backup firmware partition.

diagnose 616
Example
This example lists the partition settings.
diagnose system flash list
Below is a sample output.

Image# Version TotalSize(KB) Used(KB) Use% Active
1 FV-1KB-4.30-FW-build0521-110120 38733 33125 86% No
2 FV-1KB-4.30-FW-build0522-110112 38733 33125 86% Yes
3 836612 16980 2 % No
Related topics
l "restore image" on page 648
system ha file-stat
Use this command to display the current status of FortiGuard subscription services files and the MD5 checksum for
system and configuration files.
Syntax
diagnose system ha file-stat
Example
FortiWeb Security Service:
2021-01-03
Last Update Time: 2017-02-17 Method: Scheduled
Signature Build Number-0.00177
FortiWeb Antivirus Service:
2021-01-03
Regular Virus Database Version-42.00885
Extended Virus Database Version-42.00814
FortiWeb IP Reputation Service:
2021-01-03
Signature Build Number-3.00315
System files MD5SUM: 5660BD9FA1F6C86E8A31B2A139045F17
CLI files MD5SUM: 71BF206315679018536D9E19B37CBEAE
Related topics

diagnose 617

system ha mac
Use this command to display the virtual MAC addresses and link statuses of each network interface of appliances in the
HA group.
Syntax
diagnose system ha mac
Example
This example indicates that the links are “up” (linkfail=0) for port1 and port3 on the currently active appliance in the
HA pair. While operating in HA, the network interfaces are using a Layer 1 data link (MAC) address that begins with the
hexadecimal string 00:09:0F:09:00:.
diagnose system ha mac

HA mac msg
name=port1, phyindex=0, 00:09:0F:09:00:01, linkfail=0
Related topics
l system ha
system ha status
Use this command to display the HA group ID, as well as the serial number, role (active or standby), and device priority
of each appliance belonging to the HA cluster.

diagnose 618
Syntax
diagnose system ha status
Example
This example lists the HA group ID, serial numbers, and device priorities.
diagnose system ha status

HA information
Model=FV-1KD-5.30-FW-build0431, Mode=a-p Group=2
HA group member information: is_manage_master=1.

FV-1KD3A13800012, Master, 4, 0, 196417
FV-1KD3A13800091, Slave, 6, 0, 185787
In this example, in the information for FV-1KD3A13800012, 4 is the priority of the appliance and 0 is the number of
ports that have been down.
If the value of the priority or ports down is 100, the parameter is “invalid.” For example, if the appliance has not yet
joined the HA cluster.
Related topics
system ha sync-stat
Use this command to display the status of the high availability (HA) synchronization process.
Syntax
diagnose system ha sync-stat
Status Description
INIT Initiation. Last synchronization completed and system is ready and

waiting for next synchronization.
SENDING Synchronization is in process; data is sending.

diagnose 619
Status Description
SUCCESS Success in data sending; synchronization is complete.
SEND_TIMEOUT Data sending timeout; synchronization is incomplete.
Example
This example lists the HA synchronization status.
diagnose system ha sync-stat
Image INIT
Config INIT
System INIT
CLI INIT
Signature SUCCESS
GeoDB SUCCESS
AV SUCCESS
IpReputation SUCCESS
HarvestCredentials SUCCESS
Related topics
l
system kill
Use this command to terminate a process currently running on FortiWeb, or send another signal from the FortiWeb OS
to the process.
Syntax
diagnose system kill <delay_int> <delay_int>
<signal_int> Enter the ID of the signal to send to the process. This in an No

integer between 1 and 32. Some common signals are: default.

diagnose 620
l 1—Varies by the process’s interpretation, such as re-read

configuration files or re-initialize (hang up; SIGHUP).
For example, the FortiWeb web UI verifies its configuration

files, then restarts gracefully.
l 2—Request termination by simulating the pressing of the

interrupt keys, such as Ctrl + C (interrupt; SIGINT).
l 3—Force termination immediately and do a core dump (quit;

SIGQUIT).
l 9—Force termination immediately (kill; SIGKILL).
l 15—Request termination by inter-process communication

(terminate; SIGTERM).
Enter the process ID where the signal is sent to.

No
<pid_int> To list all current process IDs, use diagnose system top default.
(page 621).
Related topics
l "hardware cpu" on page 592
system mount
Use this command to display a list of mounted file systems, including their available disk space, disk usage, and mount
locations.
Syntax
diagnose system mount list
Example
diagnose system mount list
Output from a FortiWeb 3000D:

Filesystem 1M-blocks Used Available Use% Mounted on
/dev/ram0 97 87 10 89% /

diagnose 621
none 4823 0 4823 0% /tmp

none 16077 0 16077 0% /dev/shm
/dev/sdb1 189 45 134 25% /data
/dev/sdb3 961 17 895 1% /home
/dev/sda1 1877275 271 1781644 0% /var/log
Related topics
system top
Use this command to view a list of the most system-intensive processes and to change the refresh rate.
Syntax
diagnose system top [<delay_int> [<delay_int> ]]
<delay_int> Enter the process list refresh interval in seconds. 5
<max-lines> Set the maximum number of top processes to display. All processes are shown.
Once you execute this command, it continues to run and display in the CLI window until you enter q (quit).
While the command is running, you can press Shift + P to sort the five columns of data by CPU usage (the default)
or Shift + M to sort by memory usage.
Example
This example displays a list of the top FortiWeb processes and sets the update interval at 10 seconds.
diagnose system top 10

Run Time: 0 days, 0 hours and 48 minutes
0U, 0S, 100I; 1002T, 496F
xmlproxy 152 S 1.3 4.7
updated 54 S 0.1 0.3
monitord 57 S 0.1 0.3
sys_monito 58 S 0.1 0.3
xmlproxy 56 S 0.0 8.2
alertmail 76 S 0.0 4.6
cli 396 S 0.0 1.2
cli 301 S 0.0 1.2
cmdbsvr 43 S 0.0 1.0

diagnose 622
httpsd 147 S 0.0 1.0

cli 403 R 0.0 0.9
data_analy 60 S 0.0 0.6
httpsd 308 S 0.0 0.6
cli 379 S 0.0 0.5
hasync 63 S 0.0 0.4
hatalk 62 S 0.0 0.4
synconf 64 S 0.0 0.4
al_daemon 59 S 0.0 0.3
miglogd 53 S 0.0 0.3
The first line indicates the up time. The second line lists the processor and memory usage, where the parameters from
left to right mean:
l U—Percent of user CPU usage (in this case 0%)

l S—Percent of system CPU usage (in this case 0%)
l I—Percentage of CPU idle (in this case 100%)
l T—Total memory in kilobytes (in this case 2008 KB)
l F—Available memory in kilobytes (in this case 445 KB)
The five columns of data provide the process name (such as updated), the process ID (pid), the running status, the
CPU usage, and the memory usage. The status values are:
l S—Sleeping (idle)
l R—Running
l Z—Zombie (crashed)
l <—High priority
l N—Low priority
Related topics
l "system kill" on page 619
system update info
Use this command to display recent error messages and the following information about FortiGuard signatures, IP lists,
and engine packages and the geography-to-IP mapping database:
l Current version
l Time of last update
l Next scheduled update time
l Previous version history
Syntax
diagnose system update info

diagnose 623
Example
FortiWeb signature
----------
Version: 0.00146
Expiry Date: Thu Jan 01 1970
Last Update Date: Sat Dec 05 11:00:46 2015
Next Update Date: Wed Jan 13 11:00:00 2016
Historical versions
----------
0.00146
0.00144
0.00144
0.00144
0.00139
FortiWeb GEODB
----------
Version: GEO-533LITE 20141104
Expiry Date: N/A
Last Update Date: Tue Dec 01 10:53:35 2015
Next Update Date: N/A
Historical versions
----------
GEO-533LITE 20141007
N/A
Regular Antivirus
----------
Version: 30.00946
Expiry Date: Thu Mar 13 2014
Historical versions
----------
30.00859
30.00785
30.00698
29.00326
29.00302
29.00279
29.00256
14.00922
Extended Antivirus
----------
Version: 30.00871
Expiry Date: Thu Mar 13 2014
Historical versions
----------
30.00708
30.00540

diagnose 624
29.00219
14.00922
IP Reputation
----------
Version: 2.00649
Expiry Date: Thu Jan 01 1970
Historical versions
----------
2.00642
2.00635
2.00628
2.00596
2.00594
2.00592
2.00590
1.00020
Latest errors
----------
Wed Jan 13 10:04:02 2016 Failed to establish connection with 192.168.100.205:443 when install anti-
virus packages.
Wed Jan 13 10:03:02 2016 Failed to establish connection with 192.168.100.205:443 when install
essential packages.
virus packages.
essential packages.
virus packages.
essential packages.
virus packages.
essential packages.
virus packages.
essential packages.

execute 625
execute
The execute command has an immediate and decisive effect on your FortiWeb appliance and, for that reason, should
be used with care. Unlike config commands, most execute commands do not result in any configuration change.
backup cert-config erase-disk reboot
backup cli-config factoryreset remove vmlicense
backup full-config factoryreset restore config
backup web- formatlogdisk restore image

protection-profile
ha disconnect restore secondary-
batch image
ha manage
certificate ca restore vmlicense
ha md5sum
certificate crl session-cleanup
ha synchronize
certificate inter-ca shutdown
ping
certificate local telnet
ping6
create-raid level telnettest
ping-options
create-raid rebuild time
ping6-options
date traceroute
db rebuild update-now
backup cert-config
Use this command to back up certificates of a FortiWeb appliance to a TFTP server.
Syntax
execute backup cer-config <filename_str> <tftp_ipv4> [<password_str>]
<filename_str> Enter the name of the file to be used for the backup file, such as No
FortiWeb_backup.zip. default.
No
<tftp_ipv4> Enter the IP address of the TFTP server.
default.

execute 626
[<password_str>] Enter a password to be used when decompressing the backup No

file. default.
Caution: Remember the password or keep it in a secure

location. You will be required to enter the same password
when restoring an encrypted backup file. If you forget or lose
the password, you won't be able to use that encrypted backup
file.
Example
This example backs up certificates of the FortiWeb appliance on a TFTP server at IP address 192.0.2.23. The file is
encrypted with the password P@ssword1.
execute backup cert-config tftp FortiWeb_backup.zip 192.0.2.23 P@ssword1
Related topics
l "backup full-config" on page 627
l "system backup" on page 215
backup cli-config
Use this command to manually back up the configuration file to a TFTP server.
This method does not include uploaded files such as:
l Error pages
l WSDL files
l W3C Schema
l Vulnerability scan settings
If your configuration has these files, use either a full TFTP or FTP/SFTP backup
instead. For details, see "backup full-config" on page 627 or "system backup" on page
215.
This command also does not include settings that remain at their default values for
the currently installed version of the firmware. If you require a backup that includes
those settings, instead use execute backup full-config (page 627).
Alternatively, you can back up the configuration to an FTP or SFTP server. For details, see "system backup" on page
215.

execute 627
Syntax
execute backup cli-config tftp <filename_str> <tftp_ipv4> [<password_str>]
FortiWeb_backup.conf. default.
No
default.
[<password_str>] Enter a password to be used when encrypting the backup file No

to a .zip extension file. default.
If you don't provide a password, the backup file will be stored

as a clear file with a .zip extension.

file.
Example
This example uploads the FortiWeb appliance’s system configuration to a file named fweb.zip on a TFTP server at IP
address 192.0.2.23. The file will not be password-encrypted.
execute backup cli-config tftp fweb.zip 192.0.2.23
Related topics
backup full-config
Use this command to manually back up the entire configuration file, including those settings that remain at their
default values, to a TFTP server.
We strongly recommend that you password-encrypt this backup and store it in a secure
location. This backup method includes sensitive data such as your HTTPS certificates’
private keys. Unauthorized access to private keys compromises the security of all HTTPS
requests using those certificates.

execute 628
Alternatively, you can back up the configuration to an FTP or SFTP server. For details, see "system backup" on page
215.
This backup includes settings that remain at their default values increases the file size of the backup, but may be useful
in some cases, such as when you want to compare the default settings with settings that you have configured.
Syntax
execute backup full-config tftp <filename_str> <tftp_ipv4> [<password_str>]
FortiWeb_backup.conf. default.
No
default.
[<password_str>] Enter a password to be used when encrypting the backup file No

to a .zip extension file. default.


the password, you will not be able to use that encrypted
backup file.
Example
This example uploads the FortiWeb appliance’s entire configuration, including uploaded error page and HTTPS
certificate files, to a file named fweb.zip on a TFTP server at IP address 192.0.2.23. The file is encrypted with the
password P@ssword1.
execute backup full-config tftp fweb.zip 192.0.2.23 P@ssword1
Related topics
backup web-protection-profile
Use this command to back up web protection profiles of a FortiWeb appliance to a TFTP server.

execute 629
Syntax
execute backup web-protection-profile <filename_str> <tftp_ipv4>[<password_str>]
<filename_str> Enter the name of the backup file, such as config.zip. No

default.
No
default.
[<password_str>] Enter a password to be used when encrypting the backup No

.zip extension file. This is optional. default.


file.
Example
This example backs up web protection profiles of the FortiWeb appliance on a TFTP server at IP address
192.0.2.23. The file is encrypted with the password P@ssword1.
execute backup web-protection-profile tftp config.zip 192.0.2.23 P@ssword1
Related topics
batch
Use this command to execute commands in a group. If a command in the group fails or an operation cannot be
completed, every command in the group can be rolled back, whether they were successful or not.
Syntax
execute batch start
execute batch status
execute batch lastlog

execute 630
execute batch recover

execute batch end
start Enter to initiate batch mode. Every subsequent command will No

be grouped until you enter the execute batch end default.
command.
Enter to determine whether batch mode is running. If batch

mode is running, you will see this message:
Batch mode is running... No
status
default.
If batch mode is not running, you will see this command:
Batch mode is stopped...
lastlog Enter to view the executed commands in the current batch mode. No
default.
Enter to rollback every command that has been executed in the No

recover
current batch mode. default.
end Enter to turn off batch mode. No

default.
create-raid level
Use the this command to initialize the RAID.
Currently, only RAID level 1 is supported, and only on FortiWeb 1000B/C/D/E, 2000E, 3000C/CFsx, 3000E, and 4000E
shipped with FortiWeb 4.0 MR1 or later.
On older appliances that have been upgraded to FortiWeb 4.0 MR1, RAID cannot be activated.
Back up any data before initializing the array.
Back up the data regularly. RAID is not a substitute for regular backups. RAID 1
(mirroring) is designed to improve hardware fault tolerance, but cannot negate all
risks.
Syntax
execute create-raid level {raid1}

execute 631
level {raid1} Enter the RAID level. Currently, only RAID level 1 is supported. raid1
Related topics
create-raid rebuild
Use the this command to rebuild the RAID.
Currently, only RAID level 1 is supported, and only on FortiWeb-1000B, 1000C, 3000C/CFsx, 3000E, and 4000E
shipped with FortiWeb 4.0 MR1 or later.
On older appliances that have been upgraded to FortiWeb 4.0 MR1, RAID cannot be activated.
Back up the data regularly. RAID is not a substitute for regular backups. RAID 1
(mirroring) is designed to improve hardware fault tolerance, but cannot negate all
risks.
Rebuilding the array due to disk failure may result in some loss of packet log data.
Syntax
execute create-raid rebuild
Example
This example rebuilds the RAID array.
execute create-raid rebuild
The CLI displays the following:

This operation will clear all data on disk :0!
Do you want to continue? (y/n)
After you enter y (yes), the CLI displays additional messages.
Related topics

execute 632
date
Use this command to display or set the system date.
Syntax
execute date <date_str>
date <date_str> Enter the current date for the FortiWeb appliance’s time zone, No
using the format yyyy-mm-dd, where: default.
l yyyy is the year. Valid years are 2001 to 2037.

l mm is the month. Valid months are 01 to 12.
l dd is the day of the month. Valid days are 01 to 31.
If you do not specify a date, the command returns the current
system date. Shortened values, such as 06 instead of 2006
for the year or 1 instead of 01 for the month or day, are not
valid.
Example
This example sets the date to September 23, 2017:
execute date 2017-09-23
Related topics
l "time" on page 654
db rebuild
Use this command to rebuild the FortiWeb appliance’s internal database that it uses to store log messages.
Syntax
execute db rebuild

execute 633
Related topics
l "formatlogdisk" on page 634
erase-disk
Use this command to erase the hard disk or flash memory.
This command requires a console connection to the appliance and is available only when Federal Information
Processing Standards (FIPS) and Common Criteria (CC) compliant mode is enabled. For details, see "system fips-cc"
on page 248.
Syntax
execute erase-disk { flash | disk } [<erase-times> ]
{ flash | disk } Specify whether to erase the flash memory or the hard disk. No
default.
Enter the number of times to overwrite the specified memory

<erase-times> with random data. 1
factoryreset
Use this command to reset the FortiWeb appliance to its default settings for the currently installed firmware version. If
you have not upgraded or downgraded the firmware, this restores factory default settings.
Back up your configuration first. This command resets all changes that you have made to
the FortiWeb appliance’s configuration file and reverts the system to the default values for
the firmware version. Depending on the firmware version, this could include factory default
settings for the IP addresses of network interfaces. For details about creating a backup,
see "backup cli-config" on page 626.
Syntax
execute factoryreset

execute 634
Related topics
formatlogdisk
Use this command to clear the logs from the FortiWeb appliance’s hard disk and reformat the disk.
This operation deletes all locally stored log files.
When you execute this command, the FortiWeb appliance displays the following message:
This operation will clear all data on the log disk and take a few minutes according to the
disk size!!
Syntax
execute formatlogdisk
Related topics
ha disconnect
Use this command to manually force a FortiWeb appliance to leave the HA group, without unplugging any cables. This
can be useful, for example, if you need to remove a standby appliance from the HA cluster in order to configure it for
standalone operation, and want to do so without disrupting traffic, and without unplugging cables.
Behavior varies by which appliance you eject:
l Active—Failover occurs. The standby remains as a member of the HA group, and will elect itself as the new active
appliance, assuming all of the HA cluster’s configured IP addresses and traffic processing duties.
l Standby—No failover occurs. The active appliance remains actively processing traffic.
To ensure that you can re-connect to the ejected appliance’s GUI or CLI via a remote network connection (not only via
its local console), this command requires that you specify an IP address and port name that will become its new
management interface. By default, it will be accessible via HTTP, HTTPS, SSH, and telnet.

execute 635
All other network interfaces on the ejected appliance will be brought down and reset to 0.0.0.0/0.0.0.0. To configure
them, you must connect to the ejected appliance’s GUI or CLI.
Syntax
execute ha disconnect <serial-number_str> <interface_name> <interface_
ipv4mask/ipv6mask>
disconnect <serial- Enter the serial number of the FortiWeb appliance that you No
number_str> want to disconnect from the cluster. default.
To display the serial number of each appliance in the HA

group, enter:
execute ha disconnect ?
Enter the name of the network interface, such as port1, that will No
<interface_name>
be configured as the ejected appliance’s management interface. default.
<interface_ Enter the IP address and netmask that will be configured as the No
ipv4mask/ipv6mask> ejected appliance’s management interface. default.
Example
This example ejects the standby appliance whose serial number is FV-1KC3R11111111, assigning its port1 to be the
web UI interface, reachable at 192.0.2.123.
execute ha disconnect FV-1KC3R11111111 port1 192.0.2.123/24 192::2:123/64
After the command completes, to reconfigure the ejected appliance, you could then use either a web browser or SSH
client to connect to 192.0.2.123 in order to reconfigure it for standalone operation.
Related topics
l "ha md5sum" on page 637

execute 636
ha manage
Use this command to log in to another appliance in the HA group via the HA link. In most cases, you log into a standby
appliance (also called the secondary, or slave) from the main (primary or master) appliance, but you can also use a
standby appliance to access the main appliance.
Syntax
execute ha manage <cluster-index>
<cluster-index> Enter an index value that the FortiWeb HA feature assigns to a No

cluster member based on its serial number. default.
The cluster member with the highest serial number has a

cluster index of 0, the one with the second-highest serial
number has a cluster index of 1, and so on.
To display the index numbers of the cluster members, enter:

execute ha manage ?
Example
In this example, you are logged in to the main appliance.
execute ha manage ?
<id> please input peer box index.
<2> Subsidary unit FV-1KD3A12345678
<3> Subsidary unit FV-1KD3A11345678
The cluster index and serial number of the appliance you are currently logged in to is not displayed.
Enter 3 to connect to the standby appliance with serial number FV-1KD3A11345678. The CLI prompt changes to the
host name of this unit and the login prompt is displayed.
To return to the primary unit, enter exit.
Related topics
l "ha synchronize" on page 637

execute 637
ha md5sum
Use this command to retrieve the CLI system configuration MD5 from the appliances in an HA cluster.
This information allows you to confirm whether the HA configuration is synchronized.
Syntax
execute ha md5sum
Example
FortiWeb # execute ha md5sum
FV-1KD3A15800048<Master>
SYS: A4BA318B0762E202B4CAE44173F08CB5
CLI: 408268C68309651DC4C9D8C094B1EF0F
FV-1KD3A14800059<Slave>
SYS: A4BA318B0762E202B4CAE44173F08CB5
CLI: 408268C68309651DC4C9D8C094B1EF0F
Related topics
ha synchronize
Use this command to manually control the synchronization of configuration files and FortiGuard service-related
packages from the active HA appliance to the standby appliance.
Typically, most HA synchronization happens automatically, whenever changes are made. However, in some cases, you
may want to use this command to manually initiate full or partial HA synchronization, including to
l Delay synchronization to a more convenient time if you are planning to make large batch changes, and therefore delayed
synchronization is preferable for network performance reasons
l Manually force synchronization of files that are not automatically synchronized
l Trigger automatic synchronization if it has been interrupted due to HA link failure, daemon crashes, etc.
Syntax
execute ha synchronize {all | avupd | cli | geodb | sys}

execute 638
synchronize {all | Select which part of the configuration and/or FortiGuard No

avupd | cli | geodb | service-related packages to synchronize. default.
sys}
l all—Entire configuration, including CLI
configuration, system files, and signature databases.
l avupd—Only the FortiGuard Antivirus service

package, including the virus signatures, scan engine,
and proxy.
l cli—Only the core CLI configuration file (fwb_

system.conf). You can use the show command to
view the contents of the configuration file.
l geodb—Only the geography-to-IP address mappings.

Similar to firmware, these can be downloaded from
the Fortinet Customer Service & Support website:
l sys—Only the IP Reputation Database (IRDB) and
system files such as X.509 certificates.
Note: This command has no effect if you use the command

execute ha synchronize stop to pause it manually.
Example
This example shows how to manually synchronize the virus signature and engine package to the standby appliance.
FortiWeb # execute ha synchronize avupd
starting synchronize with HA master...
Related topics
ping
Use this command to perform an ICMP ECHO request (also called a ping) to a host by specifying its fully qualified
domain name (FQDN) or IPv4 address, using the options configured by ping-options.
Pings are often used to test IP-layer connectivity during troubleshooting.

execute 639
Syntax
execute ping {<host_fqdn> | <host_ipv4>}
ping {<host_fqdn> | Type either the IPv4 address or fully qualified domain name No
<host_ipv4>} (FQDN) of the host. default.
Example
This example pings a host with the IP address 192.0.2.10.
execute ping 192.0.2.10

PING 192.0.2.10 (192.0.2.10): 56 data bytes
64 bytes from 192.0.2.10: icmp_seq=0 ttl=128 time=0.5 ms
--- 192.0.2.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
The results indicate that a route exists between the FortiWeb appliance and 192.0.2.10. It also indicates that during
the sample period, there was no packet loss, and the average response time was 0.2 milliseconds.
Example
This example pings a host with the IP address 192.0.2.78.
execute ping 192.0.2.78

PING 192.0.2.78 (192.0.2.78): 56 data bytes
After several seconds, no output appears. The administrator halts the ping by pressing Ctrl+C. The CLI displays the
following:
--- 192.0.2.78 ping statistics ---
The results indicate the host may be down, or there is no route between the FortiWeb appliance and 192.0.2.78. To
determine the point of failure along the route, further diagnostic tests are required, such as execute traceroute
(page 655).

execute 640
Related topics
l "ping-options" on page 641
l "telnettest" on page 653
ping6
Use this command to perform an ICMP ECHO request (also called a ping) to a host by specifying its IPv6 address, using
the options configured in execute ping-options (page 641).
Pings are often used to test IP-layer connectivity during troubleshooting.
Syntax
execute ping6 {<host_fqdn> | <host_ipv6>}
ping6 {<host_fqdn> | Enter either the IP address or fully qualified domain name (FQDN) No
<host_ipv6>} of the host. default.
Example
This example pings a host with the IP address 2001:0db8:85a3:::8a2e:0370:7334.
execute ping6 2607:f0b0:f:420::

PING 2607:f0b0:f:420:: (2607:f0b0:f:420::): 56 data bytes
After several seconds, no output appears. The administrator halts the ping by pressing Ctrl+C. The CLI displays the
following:
--- 2607:f0b0:f:420:: ping statistics ---

execute 641
The results indicate the host may be down, or there is no route between the FortiWeb appliance and
2607:f0b0:f:420::. To determine the point of failure along the route, further diagnostic tests are required, such as
execute traceroute (page 655).
Related topics
l "ping6-options" on page 643
ping-options
Use these commands to configure the behavior of the execute ping (page 638) command.
Syntax
execute ping-options data-size <bytes_int>
execute ping-options df-bit {yes | no}
execute ping-options pattern <bufferpattern_hex>
execute ping-options repeat-count <repeat_int>
execute ping-options source {auto | <interface_ipv4>}
execute ping-options timeout <seconds_int>
execute ping-options tos {<service_type>}
execute ping-options ttl <hops_int>
execute ping-options validate-reply {yes | no}
execute ping-options view-settings
data-size <bytes_int> Enter datagram size in bytes.This allows you to send out 56
packets of different sizes for testing the effect of packet size
on the connection. If you want to configure the pattern that
will be used to buffer small datagrams to reach this size, also
configure pattern <bufferpattern_hex> (page 642).
Enter either yes to set the DF bit in the IP header to prevent

df-bit {yes | no} the ICMP packet from being fragmented, or enter no to allow no
the ICMP packet to be fragmented.

execute 642
pattern <bufferpattern_ Enter a hexadecimal pattern, such as 00ffaabb, to fill the No

hex> optional data buffer at the end of the ICMP packet. The size default.
of the buffer is determined by data-size <bytes_int>
(page 641).
repeat-count <repeat_int> Enter the number of times to repeat the ping. 5
source {auto | Select the network interface from which the ping is sent. Enter auto
<interface_ipv4>} either auto or a FortiWeb network interface IP address.
timeout <seconds_int> Enter the ping response timeout in seconds. 2
tos {<service_type>} Enter the IP type-of-service option value, either: default
l default—Do not indicate. That is, set the TOS byte to 0.

l lowcost—Minimize cost.
l lowdelay—Minimize delay.
l reliability—Maximize reliability.
l throughput—Maximize throughput.
ttl <hops_int> Enter the time-to-live (TTL) value. 64
validate-reply {yes | no} Select whether or not to validate ping replies. no
No
view-settings Display the current ping option settings.
default.
Example
This example sets the number of pings to three and the source IP address to 192.0.2.1, then views the ping options
to verify their configuration.
execute ping-option repeat-count 3
execute ping-option source 192.0.2.1
execute ping-option view-settings
The CLI would display the following:

Ping Options:
Repeat Count: 3
Data Size: 56
Timeout: 2
TTL: 64
TOS: 0
DF bit: unset
Source Address: 192.0.2.1
Pattern:
Pattern Size in Bytes: 0
Validate Reply: no

execute 643
Related topics
ping6-options
Use these commands to configure the behavior of the execute ping6 (page 640) command.
Syntax
execute ping6-options data-size <bytes_int>
execute ping6-options pattern <bufferpattern_hex>
execute ping6-options repeat-count <repeat_int>
execute ping6-options source {auto | <interface_ipv6>}
execute ping6-options timeout <seconds_int>
execute ping6-options tos {<service_type>}
execute ping6-options ttl <hops_int>
execute ping6-options validate-reply {yes | no}
execute ping6-options view-settings
data-size <bytes_int> Enter datagram size in bytes. This allows you to send out 56
packets of different sizes for testing the effect of packet size
on the connection. If you want to configure the pattern that
will be used to buffer small datagrams to reach this size, also
configure pattern <bufferpattern_hex> (page 642).
Enter a hexadecimal pattern, such as 00ffaabb, to fill the

pattern <bufferpattern_ optional data buffer at the end of the ICMP packet. The size No
hex> of the buffer is determined by data-size <bytes_int> default.
(page 641).
repeat-count <repeat_int> Enter the number of times to repeat the ping. 5
source {auto | Select the network interface from which the ping is sent. Enter
auto
<interface_ipv6>} either auto or a FortiWeb network interface IP address.
timeout <seconds_int> Enter the ping response timeout in seconds. 2
Enter the IP type-of-service option value, either:

tos {<service_type>} l default—Do not indicate. That is, set the TOS byte to 0. default
l lowcost—Minimize cost.

execute 644
l lowdelay—Minimize delay.
l reliability—Maximize reliability.
l throughput—Maximize throughput.
ttl <hops_int> Enter the time-to-live (TTL) value. 64
validate-reply {yes | no} Select whether or not to validate ping replies. no
view-settings Display the current ping option settings. No

default.
Example
This example sets the number of pings to 3, then views the ping options to verify their configuration.
execute ping6-option repeat-count 3
execute ping6-option view-settings
The CLI would display the following:

IPV6 Ping Options:
Repeat Count: 3
Data Size: 56
Timeout: 2
Interval: 1
TTL: 64
TOS: 0
Source Address: auto
Pattern:
Pattern Size in Bytes: 0
Validate Reply: no
Related topics
reboot
Use this command to restart the FortiWeb appliance.
Syntax
execute reboot

execute 645
Example
This example shows the reboot command in action.
execute reboot

This operation will reboot the system !
After you enter y (yes), the CLI displays the following:

System is rebooting...
If you are connected to the CLI through a local console, the CLI displays messages while the reboot is occurring.
If you are connected to the CLI through the network, the CLI will not display any notification while the reboot is
occurring, as this occurs after the network interfaces have been shut down. Instead, you may notice that the connection
is terminated. Time required by the reboot varies by many factors, such as whether or not hard disk verification is
required, but may be several minutes.
Related topics
l "shutdown" on page 651
remove vmlicense
Use this command to remove a FortiWeb-VM license.
For more information on FortiWeb-VM licenses, see the FortiWeb-VM Install Guide:
Syntax
execute remove vmlicense
Example
This example shows the remove command in action.
execute remove vmlicense

This operation will remove existing license!

execute 646

removing license ......
Related Topics
l "restore vmlicense" on page 650
restore cert-config
Use this command to restore certificates of a FortiWeb appliance from a TFTP server.
Syntax
execute restore cer-config <filename_str> <tftp_ipv4>[<password_str>]
FortiWeb_backup.zip. default.
No
default.
[<password_str>] Enter a password to be used when decompressing the backup No

file. default.

file.
Example
This example restores certificates of the FortiWeb appliance on a TFTP server at IP address 192.0.2.23. The file is
encrypted with the password P@ssword1.
execute restore cert-config tftp FortiWeb_backup.zip 192.0.2.23 P@ssword1
Related topics

execute 647
restore config
Use this command to restore the configuration from a configuration backup file on an TFTP server, or to install primary
or backup firmware.
Back up the configuration before restoring the configuration. This command restores
configuration changes only, and does not affect settings that remain at their default values.
Default values may vary by firmware version. For backup commands, see "backup cli-
config" on page 626 and "backup full-config" on page 627.
Syntax
execute restore config tftp <filename_str> <tftp_ipv4> [<password_str>]
<filename_str> Enter the name of the backup or firmware image file. No

default.
No
default.
[<password_str>] Enter the password that was used to encrypt the backup file, if No
any. default.
If you do not provide a password, the backup file must have

been stored as a clear file with a .zip extension.
Example
This example downloads a configuration file named backup.zip from the TFTP server, 192.0.2.23, to the
FortiWeb appliance. The backup file was encrypted with the password P@ssword1.
execute restore config tftp backup.zip 192.0.2.23 P@ssword1
The FortiWeb appliance then applies the configuration backup and reboots.
Related topics
l "restore secondary-image" on page 649

execute 648
restore image
Use this command to install firmware on the primary partition and reboot.
Back up the configuration before installing new firmware. Installing new firmware can
change default settings and reset settings that are incompatible with the new version. For
backup commands, see "backup full-config" on page 627 and "backup cli-config" on page
626.
Unlike installing firmware via TFTP during a boot interrupt, installing firmware using this command will attempt to
preserve settings and files, and not necessarily restore the FortiWeb appliance to its firmware/factory default
configuration.
Syntax
execute restore image ftp <filename_str> <ftp_ipv4>
execute restore image tftp <filename_str> <tftp_ipv4>
<filename_str> Enter the name of the firmware image file. No

default.
No
<ftp_ipv4> Enter the IP address of the TFTP server.
default.
<tftp_ipv4> Enter the IP address of the FTP server. No

default.
Example
This example installs a firmware file named firmware.out from the TFTP server, 192.0.2.23, to the FortiWeb
appliance.
execute restore image tftp firmware.out 192.0.2.23
The FortiWeb appliance downloads the firmware file, installs it, and reboots.
Related topics
l "restore secondary-image" on page 649

execute 649

restore secondary-image
Use this command to install backup firmware on the secondary partition and reboot.
Back up the configuration before installing new firmware. Installing new firmware can
change default settings and reset settings that are incompatible with the new version. For
backup commands, see "backup full-config" on page 627 and "backup cli-config" on page
626.
Unlike installing firmware via TFTP during a boot interrupt, installing firmware using this command will attempt to
preserve settings and files, and not necessarily restore the FortiWeb appliance to its firmware/factory default
configuration.
Syntax
execute restore secondary-image ftp <filename_str> <ftp_ipv4>
execute restore secondary-image tftp <filename_str> <tftp_ipv4>
<filename_str> Enter the name of the firmware image file. No

default.
No
<ftp_ipv4> Enter the IP address of the FTP server.
default.
<tftp_ipv4> Enter the IP address of the TFTP server. No

default.
Example
This example installs a firmware file named firmware.out from the TFTP server, 192.0.2.23, to the FortiWeb
appliance.
execute restore secondary-image tftp firmware.out 192.0.2.23
The FortiWeb appliance downloads the firmware file, installs it, and reboots.
Related topics

execute 650

restore vmlicense
Use this command to upload a FortiWeb-VM license file from an FTP or TFTP server.
After you enter the command, FortiWeb prompts you to confirm the upload.
After the license is authenticated successfully, the following message is displayed:

“*ATTENTION*: license registration status changed to 'VALID', please logout and re-login”
For more information on FortiWeb-VM licenses, see the FortiWeb-VM Install Guide:
Syntax
execute restore vmlicense {ftp | tftp} "<license-file_str>" {"<ftp_ipv4>" | "<user_
str>" :"<password_str>" @"<ftp_ipv4>" | "<tftp_ipv4>" }
{ftp | tftp} Specify whether to connect to the server using file transfer No
protocol (FTP) or trivial file transfer protocol (TFTP). default.
No
"<license-file_str>" Enter the name of the license file.
default.
"<ftp_ipv4>" Enter the IP address of the FTP server. No

default.
Enter the user name that FortiWeb uses to authenticate with No

"<user_str>"
the server. default.
"<password_str>" Enter the password for the account specified by <user_str>. No

default.
No
"<tftp_ipv4>" Enter the IP address of the TFTP server.
default.

execute 651
Example
This example uploads the license file FVVM040000010871.lic from the TFTP server 192.0.2.23 to the FortiWeb
appliance.
execute restore vmlicense tftp FVVM040000010871.lic 192.0.2.23
The FortiWeb appliance uploads the file, and then prompts you to log out and log in again.
session-cleanup
Use this command to immediately clean up all sessions.
Syntax
execute session-cleanup
shutdown
Use this command to prepare the FortiWeb appliance to be powered down by halting the software, clearing all buffers,
and writing all cached data to disk.
Power off the FortiWeb appliance only after issuing this command. Unplugging or
switching off the FortiWeb appliance without issuing this command could result in data
loss.
Syntax
execute shutdown
Example
This example shows the reboot command in action.
execute shutdown

This operation will halt the system
(power-cycle needed to restart)!Do you want to continue? (y/n)

execute 652
System is shutting down...(power-cycle needed to restart)
If you are connected to the CLI through a local console, the CLI displays a message when the shutdown is complete.
If you are connected to the CLI through the network, the CLI will not display any notification when the shutdown is
complete, as this occurs after the network interfaces have been shut down. Instead, you may notice that the connection
times out.
Related topics
l "reboot" on page 644
telnet
Use this command to open a Telnet connection to a server using IPv4 to port 23.
Telnet connections are not secure. Eavesdroppers could easily obtain your administrator
password. Only use telnet over a trusted, physically secured network, such as a direct
connection between your computer and the appliance.
Syntax
execute telnet "<host_ipv4>"
telnet "<host_ipv4>" Enter the IP address of the host. No

default.
Example
This example Telnets to a host with the IP address 192.0.2.10.
execute telnet 192.0.2.10
login: admin
Password: *******
Related topics

execute 653
telnettest
Use this command to open a Telnet connection to a server using an IPv4 or IPv6 address or fully qualified domain name
(FQDN). This command can be useful for troubleshooting. For example, when the server does not support the HTTP
versions, methods, headers, and so on, that the client uses.
Telnet connections are not secure. Eavesdroppers could easily obtain your administrator
password. Only use Telnet over a trusted, physically secured network, such as a direct
connection between your computer and the appliance, and from the appliance to the
server.
Syntax
execute telnettest {"<host_ipv4>" | "<host_ipv6>" | "<host_fqdn>"}
telnettest {"<host_ Enter the IP address or fully qualified domain name (FQDN) of the No
ipv4>" | "<host_ipv6>" | host. default.
"<host_fqdn>"}
Example
This example Telnets to a host with the IPv4 address 192.0.2.10 on port 80, the IANA standard port for HTTP.
FortiWeb# exec telnettest 192.0.2.10:80
Connected
GET /
Entering interactive mode. Type CTRL-D to exit.

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>Get to /index.html not supported.<br />
</p>
<hr>
<address>Apache/2.2.22 (Unix) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8x Server at irene.local Port
80</address>
</body></html>
Connection closed.
Connection status to 192.0.2.10 port 80:

Connecting to remote host succeeded.

execute 654
Related topics
l "telnet" on page 652
time
Use this command to display or set the system time.
Syntax
execute time [<time_str>]
time [<time_str>] Enter the current date for the FortiWeb appliance’s time zone, No
using the format hh:mm:ss, where: default.
l hh is the hour. Valid hours are 00–23

l mm is the minute. Valid minutes are 00–59.
l ss is the second. Valid seconds are 00–59.
If you do not specify a time, the command returns the current
system time.
Shortened values, such as 1 instead of 01 for the hour, are

valid. For example, you could enter either 01:01:01 or
1:1:1.
Example
This example sets the system time to 15:31:03:
execute time 15:31:03
Related topics
l "date" on page 632

execute 655
traceroute
Use this command to use ICMP to test the connection between the FortiWeb appliance and another network device,
and display information about the time required for network hops between the device and the FortiWeb appliance.
Syntax
execute traceroute {"<host_fqdn>" | "<host_ipv4>"}
traceroute {"<host_ Enter either the IP address or fully qualified domain name (FQDN) No
fqdn>" | "<host_ipv4>"} of the host. default.
Example
This example tests connectivity between the FortiWeb appliance and docs.fortinet.com. In this example, the trace
times out after the first hop, indicating a possible connectivity problem at that point in the network.
FortiWeb# execute traceroute docs.fortinet.com
traceroute to docs.fortinet.com (65.39.139.196), 30 hops max, 38 byte packets
1 192.0.2.200 (192.0.2.200) 0.324 ms 0.427 ms 0.360 ms
2 * * *
Example
This example tests the availability of a network route to the server example.com.
execute traceroute example.com

traceroute to example.com (192.168.1.10), 32 hops max, 72 byte packets
1 172.16.1.2 0 ms 0 ms 0 ms
2 10.10.10.1 <static.isp.example.net> 2 ms 1 ms 2 ms
3 10.20.20.1 1 ms 5 ms 1 ms
4 10.10.10.2 <core.isp.example.net> 171 ms 186 ms 14 ms
5 10.30.30.1 <isp2.example.net> 10 ms 11 ms 10 ms
6 10.40.40.1 73 ms 74 ms 75 ms
7 192.168.1.1 79 ms 77 ms 79 ms
8 192.168.1.2 73 ms 73 ms 79 ms
9 192.168.1.10 73 ms 73 ms 79 ms
10 192.168.1.10 73 ms 73 ms 79 ms
Example
This example attempts to test connectivity between the FortiWeb appliance and example.com. However, the FortiWeb
appliance could not trace the route, because the primary or secondary DNS server that the FortiWeb appliance is

execute 656
configured to query could not resolve the FQDN example.com into an IP address, and it therefore did not know to
which IP address it should connect. As a result, an error message is displayed.
FortiWeb# execute traceroute example.com
traceroute: unknown host example.com
Command fail. Return code 1
To resolve the error message in order to perform connectivity testing, the administrator would first configure the
FortiWeb appliance with the IP addresses of DNS servers that can resolve the FQDN example.com. For details, see
"system dns" on page 242.
Related topics
l "ping-options" on page 641
update-now
Use this command to initiate an update of the predefined robots, data types, suspicious URLS, and attack signatures
used by your FortiWeb appliance.
FortiWeb appliances receive updates from the FortiGuard Distribution Network (FDN). The FDN is a world-wide network
of FortiGuard Distribution Servers (FDS). FortiWeb appliances connect to the FDN by connecting to the FDS nearest to
the FortiWeb appliance by its configured time zone.
The time required for the update varies with the availability of the updates, the size of the updates, and the speed of the
FortiWeb appliance’s network connection. If event logging is enabled, and the FortiWeb appliance cannot connect
successfully, it will log the message update failed, failed to connect any fds servers! or
FortiWeb is unauthorized
Syntax
execute update-now

get 657
get
The get command displays parts of your FortiWeb appliance’s configuration in the form of a list of settings and their
values.
Unlike show, get displays all settings, even if they are still in their default state.
For example, you might get the current DNS settings:

get system dns
primary : 192.0.2.19
secondary : 0.0.0.0
domain : example.com
Notice that the command displays the setting for the secondary DNS server, even though it has not been configured, or
has reverted to its default value.
Also unlike show, unless used from within an object or table, get requires that you specify the object or table whose
settings you want to display.
For example, at the root prompt, this command would be valid:

get system dns
and this command would not be valid:

get
Like show, depending on whether or not you have specified an object, get may display one of two different outputs,
either the configuration that you have just entered but not yet saved, or as it currently exists on the flash disk.
For example, immediately after configuring the secondary DNS server setting but before saving it, get displays two
different outputs (differences highlighted in bold):
FortiWeb# config system dns
FortiWeb (dns)# set secondary 192.0.2.10
FortiWeb (dns)# get
primary : 192.0.2.19
secondary : 192.0.2.10
FortiWeb (dns)# get system dns
primary : 192.0.2.19
secondary : 0.0.0.0
The first output from get indicates the value that you have configured but not yet saved; the second output from get
indicates the value that was last saved to disk.
If you were to now enter end, saving your setting to disk, get output for both syntactical forms would again match.
However, if you were to enter abort at this point and discard your recently entered secondary DNS setting instead of
saving it to disk, the FortiWeb appliance’s configuration would therefore match the second output, not the first.

get 658
If you have entered settings but cannot remember how they differ from the existing
configuration, the two different forms of get, with and without the object name, can be a
useful way to remind yourself.
Most get commands, such as get system dns, are used to display configured settings. You can find relevant
information about such commands in the corresponding config commands in the config chapter.
Other get commands, such as get system performance (page 659), are used to display system information that
is not configurable. This chapter describes this type of get command.
The get commands require at least read (r) permission to applicable administrator profile groups.
system fortisandbox- system status

system performance
statistics waf signature-rules
Although not explicitly shown in this section, for all config commands, there are
related get and show commands which display that part of the configuration. get
and show commands use the same syntax as their related config command,
unless otherwise mentioned. For syntax examples and descriptions of each
configuration object, field, and option, see "config " on page 65.
When ADOMs are enabled, if you log in as admin, the top level of the shell changes: the two top level items are get
global and get vdom:
l get global displays settings that only admin or other accounts with the prof_admin access profile can change.
l get vdom displays each ADOM and its respective settings.
This menu and CLI structure change is not visible to non-global accounts; ADOM administrators’ navigation menus continue
to appear similar to when ADOMs are disabled, except that global settings such as network interfaces, HA, and other global
settings do not appear.
system fortisandbox-statistics
Use this command to display a count of uploaded files that FortiSandbox has evaluated in the past seven days, by
evaluation result.
FortiWeb organizes the statistics using the following categories:
l Detected (total malicious files detected)

l Clean
l Risk-low (total low-risk malicious files detected)
l Risk-medium (total medium-risk malicious files detected)
l Risk-high (total high-risk malicious files detected)
Syntax
get system fortisandbox-statistics

get 659
Example
FortiWeb # get system fortisandbox-statistics
detected : 0
clean : 0
risk-low : 0
risk-medium : 0
risk-high : 0
Related topics
l "system fortisandbox" on page 257
system performance
Displays the FortiWeb appliance’s CPU usage, memory usage, average system load, and up time.
Normal idle load varies by hardware platform, firmware, and configured features. To determine your specific baseline
for idle, configure your system completely, reboot, then view the system load. After at least 1 week of uptime with
typical traffic volume, view the system load again to determine the normal non-idle baseline.
System load is the average of percentages relative to the maximum possible capability of this FortiWeb appliance’s
hardware. It includes:
l Average system load

l Number of HTTP daemon/proxy processes or children
l Memory usage
l Disk swap usage
Syntax
get system performance
Example
FortiWeb # get system performance
CPU states: 4% used, 96% idle
Memory states: 18% used
System Load: 1
Up: 28 days, 11 hours, 38 minutes
Related topics

get 660
l "system kill" on page 619

l "reboot" on page 644
system status
Use this command to display system status information, including:
l FortiWeb firmware version, build number and date

l FortiWeb appliance serial number and boot loader (“Bios”) version
l Log hard disk availability
l Host name
l Operation mode, such as Reverse Proxy or Transparent Inspection
l Current HA status for all appliances in the HA cluster (if HA is enabled)
Syntax
get system status
Example
get system status
International Version:FortiWeb-1000C 5.01,build0039,130726
Serial-Number:FV-1KC3R11700094
Bios version:04000002
Log hard disk:Available
Hostname:FortiWeb
Operation Mode:Reverse Proxy
Current HA mode=active-passive, Status=main
HA member :
Serial-Number Priority HA-Role
FV-1KC3R11700136 5 standby
FV-1KC3R11700094 1 main
Related topics
waf predefined-global-white-list
Use this command to get the global object white list. This feature reduces false positives and improves performance.

get 661
Syntax
get waf predefined-global-white-list
waf signature-rules
Use this command to list the IDs, names, and descriptions of signature rules.
You specify signatures in the config waf signature command using the signature ID only. This command allows
you to view the names and descriptions of the IDs.
Syntax
get waf signature-rules
Example
get waf signature-rules
This example output is the first four entries that the CLI displays when FortiWeb is configured with the default
signatures only.
rule id : 110000009
main class id : 110000000
main class name : Bad Robot
sub class id : 000000000
sub class name : Bad Robot
rule description : This signature prevents Google Skipfish scanner from exploiting a
vulnerability to include an arbitrary remote file with malicious PHP code and executing it
in the context of the webserver process.
This attack can be achieved in HTTP request arguments.
rule id : 110000010
rule description : This signature checks whether the request came from Google Skipfish Web
scanner.
The signature check region: user-agent field in http request header.
rule id : 110000011
rule description : This signature checks whether the request contains a string of a content
scraper, which could be a part of virus.
The signature check region: user-agent field in http request header.
rule id : 110000012

get 662

rule description : This signature checks whether the request came from Acunetix Web
Vulnerability Scanner.
The signature check region: http request url.
Related topics

show 663
show
The show command displays parts of your FortiWeb appliance’s configuration in the form of commands that are
required to achieve that configuration from the firmware’s default state.
The show commands require at least read (r) permission to applicable administrator profile groups.
Although not explicitly shown in this section, for all config commands, there are
related get and show commands which display that part of the configuration. get
and show commands use the same syntax as their related config command,
unless otherwise mentioned. For syntax examples and descriptions of each
configuration object, field, and option, see "config " on page 65.
Unlike get, show does not display settings that are assumed to remain in their default state.
For example, you might show the current DNS settings:

FortiWeb# show system dns
config system dns
set primary 172.16.1.10
end
Notice that the command does not display the setting for the secondary DNS server. This indicates that it has not been
configured, or has reverted to its default value.
Like get, depending on whether or not you have specified an object, show may display one of two different outputs,
either the configuration:
l that you have just entered but not yet saved, or

l as it currently exists on the flash disk, respectively.
For example, immediately after configuring the secondary DNS server setting but before saving it, show displays two
different outputs (differences highlighted in bold):
FortiWeb# config system dns
FortiWeb (dns)# set secondary 192.168.1.10
FortiWeb (dns)# show
config system dns
set secondary 192.168.1.10
end
FortiWeb (end)# show system dns
config system dns
end
The first output from show indicates the value that you have configured but not yet saved; the second output from
show indicates the value that was last saved to disk.

show 664
If you have entered settings but cannot remember how they differ from the existing
configuration, the two different forms of show, with and without the object name, can be a
useful way to remind yourself.
If you were to now enter end, saving your setting to disk, show output for both syntactical forms would again match.
However, if you were to enter abort at this point and discard your recently entered secondary DNS setting instead of
saving it to disk, the FortiWeb appliance’s configuration would therefore match the second output, not the first.
When ADOMs are enabled, and if you log in as admin, the top level of the shell changes: the two top level items are show
global and show vdom.
l show global displays settings that only admin or other accounts with the prof_admin access profile can change.
l show vdom displays each ADOM and its respective settings.
This menu and CLI structure change is not visible to non-global accounts; ADOM administrators’ navigation menus continue
to appear similar to when ADOMs are disabled, except that global settings such as network interfaces, HA, and other global
settings do not appear.

Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Fortiweb v6.0.2 Cli Reference

Uploaded by

Copyright:

Available Formats

Fortiweb v6.0.2 Cli Reference

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fortiweb v6.0.2 Cli Reference

Uploaded by

Copyright:

Available Formats

FortiWeb CLI Reference

END USER LICENSE AGREEMENT

January 31, 2019

FortiWeb 6.0.2 CLI Reference

11/23/2018 Initial release.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

l You have administrative access to the web UI and/or CLI.

l Update the FortiWeb appliance.

This document uses the conventions described in this section.

RFC 1918: Address Allocation for Private Internets

Cautions, notes, & tips

Highlight important, possibly unexpected but non-destructive, details about a feature’s

Present best practices, troubleshooting, performance tips, or alternative methods.

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

config system dns

CLI output FortiWeb# diagnose hardware logdisk info

File content <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>

Navigation Go to VPN > IPSEC > Auto Key (IKE).

Publication For details, see the FortiWeb Administration Guide:

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

config system global (page 258)

config system password-policy (page 291)

set status {enable | disable}

config system admin (page 201)

config system interface (page 280)

config system ha (page 1)

FortiWeb 6.0.2 CLI Reference Fortinet Inc.

config system v-zone (page 310)

set multicast-snooping {enable | New.

config system snmp sysinfo (page 304)

config system snmp community (page 299)

set events {cpu-high | intf-ip | log-