DOCUMENT LIBRARY

CLI Reference

Introduction
Using the CLI
- Command syntax
- Subcommands
- Permissions
- Tips & tricks
config config
- config config sync-list
config firewall
- config firewall connlimit
- config firewall connlimit6
- config firewall nat-snat
- config firewall policy
- config firewall policy6
- config firewall qos-filter
- config firewall qos-filter6
- config firewall qos-queue
- config firewall vip
config global
- config log setting global_remote
config global-dns-server
- config global-dns-server address-group
- config global-dns-server dns64
- config global-dns-server dsset-info-list
- config global-dns-server general
- config global-dns-server policy
- config global-dns-server remote-dns-server
- config global-dns-server response-rate-limit
- config global-dns-server trust-anchor-key
- config global-dns-server zone
config global-load-balance
- config global load balance analytic
- config global-load-balance data-center
- config global-load-balance link
- config global-load-balance servers
- config global-load-balance setting
- config global-load-balance topology
- config global-load-balance virtual-server-pool
- config global-load-balance host
config link-load-balance
- config link-load-balance flow-policy
- config link-load-balance gateway
- config link-load-balance link-group
- config link-load-balance persistence
- config link-load-balance proximity-route
- config link-load-balance virtual-tunnel
config load-balance
- config load-balance auth-policy
- config load-balance caching
- config load-balance captcha-profile
- config load-balance certificate-caching
- config load-balance client-ssl-profile
- config load-balance clone-pool
- config load-balance compression
- config load-balance connection-pool
- config load-balance content-rewriting
- config load-balance content-routing
- config load-balance error-page
- config load-balance geoip-list
- config load-balance http2-profile
- config load-balance ippool
- config load-balance l2-exception-list
- config load-balance method
- config load-balance pagespeed
- config load-balance pagespeed-profile
- config load-balance persistence
- config load-balance pool
- config load-balance profile
- config load-balance real-server-ssl-profile
- config load-balance reputation
- config load-balance reputation-exception
- config load-balance reputation-black-list
- config load-balance schedule-pool
- config load-balance virtual-server
- config load-balance web-category
- config load-balance web-filter-profile
- config load-balance web-sub-category
- config load-balance whitelist
config log
- config log fast_report
- config log report
- config log report email
- config log report_queryset
- config log setting fast_stats
- config log setting highspeed
- config log setting local
- config log setting remote
config router
- config router isp
- config router md5-ospf
- config router ospf
- config router policy
- config router setting
- config router static
config security
- config security antivirus profile
- config security antivirus quarantine
- config security antivirus settings
- config security dos dos-protection-profile
- config security dos http-access-limit
- config security dos http-connection-flood-protection
- config security dos http-request-flood-protection
- config security dos ip-fragmentation-protection
- config security dos tcp-access-flood-protection
- config security dos tcp-slowdata-attack-protection
- config security dos tcp-synflood-protection
- config security ips profile
- config security wad profile
- config security waf api-gateway-policy
- config security waf api-gateway-rule
- config security waf api-gateway-user
- config security waf bot-detection
- config security waf exception
- config security waf heuristic-sql-xss-injection-detection
- config security waf http-protocol-constraint
- config security waf http-header-security
- config security waf action
- config security waf profile
- config security waf input-validation-policy
- config security waf parameter-validation-rule
- config security waf url-protection
- config security waf web-attack-signature
- config security waf json-validation-detection
- config security waf json-schema file
- config security waf xml-schema file
- config security waf xml-validation-detection
- config security waf openapi-schema-file
- config security waf openapi-validation-detection
- config security waf scanner
- config security waf brute-force-login
- config security waf advanced-protection
- config security waf cookie-security
- config security waf data-leak-protection
- config security waf csrf-protection
config system
- config system accprofile
- config system address
- config system address6
- config system addrgrp
- config system addrgrp6
- config system admin
- config system auto backup
- config system certificate ca
- config system certificate ca_group
- config system certificate certificate_verify
- config system certificate crl
- config system certificate intermediate_ca
- config system certificate intermediate_ca_group
- config system certificate local
- config system certificate local_cert_group
- config system certificate remote
- config system certificate ocsp
- config system certificate ocsp_stapling
- config system certificate remote
- config system dns
- config system fortiguard
- config system global
- config system ha
- config system health-check
- config system health-check-script
- config system interface
- config system isp-addr
- config system mailserver
- config system overlay-tunnel
- config system password-policy
- config system schedule-group
- config system scripting
- config system sdn-connector
- config system service
- config system servicegrp
- config system setting
- config system snmp community
- config system snmp sysinfo
- config system snmp user
- config system tcpdump
- config system time manual
- config system time ntp
- config system web-filter
- config system tunneling
- config system fortisandbox
- config system alert
- config system alert-policy
- config system alert-syslog
- config system alert-email
- config system alert-snmp-trap
- config system central-management
config user
- config user ldap
- config user local
- config user radius
- config user user-group
- config user authentication-relay
- config user saml-idp
- config user saml-sp
diagnose
- diagnose antivirus quarantine
- diagnose debug cmdb
- diagnose debug enable/disable
- diagnose debug flow
- diagnose debug info
- diagnose debug module
- diagnose debug module kernel
- diagnose debug module fnginx
- diagnose debug module httproxy ssl
- diagnose debug timestamp
- diagnose hardware deviceinfo
- diagnose hardware ioport
- diagnose hardware pciconfig
- diagnose hardware sysinfo
- diagnose llb policy list
- diagnose netlink backlog
- diagnose netlink device
- diagnose netlink interface
- diagnose netlink ip/ipv6
- diagnose netlink neighbor/neighbor6
- diagnose netlink route/route6
- diagnose netlink tcp
- diagnose netlink udp
- diagnose server load balance dns-clients
- diagnose server-load-balance persistence
- diagnose server-load-balance session
- diagnose server-load-balance slb_load
- diagnose sniffer packet
- diagnose system top
- diagnose system vm
- diagnose tech-report
execute
- execute backup
- execute caching
- execute certificate ca
- execute certificate crl
- execute certificate local
- execute certificate remote
- execute certificate config
- execute checklogdisk
- execute clean
- execute config-sync
- execute date
- execute discovery-glb-virtual-server
- execute dumpsystem
- execute dumpsystem-file
- execute factoryreset
- execute fixlogdisk
- execute formatlogdisk
- execute geolookup
- execute glb-dprox-lookup
- execute glb-persistence-lookup
- execute ha force sync-config
- execute ha manage
- execute health-check-verify
- execute isplookup
- execute log delete-file
- execute log delete-type
- execute log list-type
- execute log rebuild-db
- execute nslookup
- execute packet-capture/packet-capture6
- execute packet-capture-file
- execute ping-option/ping6-option
- execute ping/ping6
- execute reboot
- execute reload
- execute restore
- execute shutdown
- execute ssh
- execute statistics-db
- execute telnet
- execute traceroute
- execute vmware license
- execute web-category-test
- execute SSL client-side session statistics
- execute SSL handshake record statistics
- execute web vulnerability scan
- execute forticloud create-account
- execute forticloud login
- execute forticloud try
get
- get router info ospf
- get router info routing-table
- get security waf-signature-status
- get security scan-report
- get security scan-task
- get system ha-status
- get system performance
- get system status
- get system traffic-group
- get system traffic-group status
- get router info bgp all
- get router info bgp ip
- get router info bgp neighbors
- get router info bgp regexp
- get router info bgp summary
- get router info6 bgp all
- get router info6 bgp ip
- get router info6 bgp neighbors
- get router info6 bgp regexp
- get router info6 bgp summary
show
Appendix A: Virtual domains
Change Log

Home FortiADC 6.0.2 CLI Reference

6.0.2

config security waf csrf-protection

Use this command to configure waf csrf-protection.

Syntax

edit <csrf-protection-name> // csrf protection name

set action [alert | deny | block | silent-deny | <datasource> // default value: alert

set severity [low | medium | high] // default value: low

set status [enable | disable] // default value: disable

config csrf-page-list

edit 1

set url-pattern [url] // URL of page, it supports regular expression

set parameter-filter [ enable | disable] // default value: disable

set parameter-filter-name <name> // parameter name

set parameter-filter-pattern <value> // parameter value, it supports regular expression

end

config csrf-url-list

edit 1

set url-pattern [url]

set parameter-filter [ enable | disable] // default value: disable.

set parameter-name <name> // parameter name

set parameter-pattern <value> // parameter value, it supports regular expression

end

config security waf profile

edit "waf"

set csrf-protection <csrf-protection-name> // csrf protection name

end

csrf-protection-name	CSRF protection name.
action	Default value: alert.
severity	Default: low.
status	Default value: disable.
csrf-page-list	When FortiADC receives a request for a web page in the page list, it inserts a javascript in the web page. The script runs in the client's web browser and automatically appends a anti-csrf token.
url-pattern	Page URL, supports regular expression.
parameter-filter	Enable or disable. Default is disable. In some cases, a request for a web page and the requests generated by its links have the same URL. FortiADC cannot distinguish between requests to add javascript to and requests to check for the anti-CSRF parameter. To avoid this issue, you create unique Page List and URL List items by adding a parameter filter to them. The parameter filter allows you to add additional criteria to match in the URL or HTTP body of a request.
parameter-name	Parameter name.
parameter-pattern	Parameter value, supports regular expression.
csrf-url-list	The URL list contains all the URLs that you want to protect. FortiADC will verify the anti-csrf token when you access the URL.

Example

config security waf csrf-protection

edit "csrf"

set status enable

set action deny

config csrf-page-list

edit 1

set url-pattern /csrf/csrf-all-in-one.php

end

config csrf-url-list

edit 1

set url-pattern /csrf/csrf-all-in-one.php

set parameter-filter enable

set parameter-filter-name say

set parameter-filter-value .*

end