Fortinet black logo

CLI Reference

config security waf csrf-protection

config security waf csrf-protection

Use this command to configure waf csrf-protection.

Syntax

config security waf csrf-protection

edit <csrf-protection-name> // csrf protection name

set action [alert | deny | block | silent-deny | <datasource> // default value: alert

set severity [low | medium | high] // default value: low

set status [enable | disable] // default value: disable

config csrf-page-list

edit 1

set url-pattern [url] // URL of page, it supports regular expression

set parameter-filter [ enable | disable] // default value: disable

set parameter-filter-name <name> // parameter name

set parameter-filter-pattern <value> // parameter value, it supports regular expression

next

end

config csrf-url-list

edit 1

set url-pattern [url]

set parameter-filter [ enable | disable] // default value: disable.

set parameter-name <name> // parameter name

set parameter-pattern <value> // parameter value, it supports regular expression

next

end

end

end

config security waf profile

edit "waf"

set csrf-protection <csrf-protection-name> // csrf protection name

next

end

csrf-protection-name CSRF protection name.
action Default value: alert.
severity Default: low.
status Default value: disable.
csrf-page-list When FortiADC receives a request for a web page in the page list, it inserts a javascript in the web page. The script runs in the client's web browser and automatically appends a anti-csrf token.
url-pattern Page URL, supports regular expression.
parameter-filter

Enable or disable. Default is disable.

In some cases, a request for a web page and the requests generated by its links have the same URL. FortiADC cannot distinguish between requests to add javascript to and requests to check for the anti-CSRF parameter.

To avoid this issue, you create unique Page List and URL List items by adding a parameter filter to them. The parameter filter allows you to add additional criteria to match in the URL or HTTP body of a request.

parameter-name Parameter name.
parameter-pattern Parameter value, supports regular expression.
csrf-url-list The URL list contains all the URLs that you want to protect. FortiADC will verify the anti-csrf token when you access the URL.

Example

config security waf csrf-protection

edit "csrf"

set status enable

set action deny

config csrf-page-list

edit 1

set url-pattern /csrf/csrf-all-in-one.php

next

end

config csrf-url-list

edit 1

set url-pattern /csrf/csrf-all-in-one.php

set parameter-filter enable

set parameter-filter-name say

set parameter-filter-value .*

next

end

next

end

config security waf csrf-protection

Use this command to configure waf csrf-protection.

Syntax

config security waf csrf-protection

edit <csrf-protection-name> // csrf protection name

set action [alert | deny | block | silent-deny | <datasource> // default value: alert

set severity [low | medium | high] // default value: low

set status [enable | disable] // default value: disable

config csrf-page-list

edit 1

set url-pattern [url] // URL of page, it supports regular expression

set parameter-filter [ enable | disable] // default value: disable

set parameter-filter-name <name> // parameter name

set parameter-filter-pattern <value> // parameter value, it supports regular expression

next

end

config csrf-url-list

edit 1

set url-pattern [url]

set parameter-filter [ enable | disable] // default value: disable.

set parameter-name <name> // parameter name

set parameter-pattern <value> // parameter value, it supports regular expression

next

end

end

end

config security waf profile

edit "waf"

set csrf-protection <csrf-protection-name> // csrf protection name

next

end

csrf-protection-name CSRF protection name.
action Default value: alert.
severity Default: low.
status Default value: disable.
csrf-page-list When FortiADC receives a request for a web page in the page list, it inserts a javascript in the web page. The script runs in the client's web browser and automatically appends a anti-csrf token.
url-pattern Page URL, supports regular expression.
parameter-filter

Enable or disable. Default is disable.

In some cases, a request for a web page and the requests generated by its links have the same URL. FortiADC cannot distinguish between requests to add javascript to and requests to check for the anti-CSRF parameter.

To avoid this issue, you create unique Page List and URL List items by adding a parameter filter to them. The parameter filter allows you to add additional criteria to match in the URL or HTTP body of a request.

parameter-name Parameter name.
parameter-pattern Parameter value, supports regular expression.
csrf-url-list The URL list contains all the URLs that you want to protect. FortiADC will verify the anti-csrf token when you access the URL.

Example

config security waf csrf-protection

edit "csrf"

set status enable

set action deny

config csrf-page-list

edit 1

set url-pattern /csrf/csrf-all-in-one.php

next

end

config csrf-url-list

edit 1

set url-pattern /csrf/csrf-all-in-one.php

set parameter-filter enable

set parameter-filter-name say

set parameter-filter-value .*

next

end

next

end