Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 7.0.5 CLI Reference
    7.0.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config security waf profile

    config security waf profile

    Use this command to configure web application firewall (WAF) profiles. A WAF profile references the WAF policies that are to be enforced.

    In many cases, you can use predefined profiles to get started. Table 16 describes the three predefined policies.

    Predefined WAF profiles
    Predefined Rules Description

    High-Level-Security

    HTTP protocol constraints policy: High-Level-Security

    SQL injection and XSS detection policy: High-Level-Security

    Medium-Level-Security

    HTTP protocol constraints policy: Medium-Level-Security

    SQL injection and XSS detection policy: Medium-Level-Security

    Alert-Only

    HTTP protocol constraints policy: Alert-Only

    SQL injection and XSS detection policy: Alert-Only

    The configurations for these profiles are shown in the examples that follow. If desired, you can create user-defined profiles.

    Before you begin:

    • You can use predefined WAF profiles, create profiles based on predefined feature options, or create profiles based on user-defined configuration objects. If you want to add user-defined configuration objects, you must create them before using this command to add them to a WAF profile.
    • You must have read-write permission for security settings.

    After you have created a WAF profile, you can specify it in a virtual server configuration.

    Syntax

    config security waf profile

    edit <name>

    set advanced-protection <datasource>

    set bot-detection <datasource>

    set brute-force-login <datasource>

    set cookie-security <datasource>

    set csrf-protection <datasource>

    set data-leak-prevention <datasource>

    set description <string>

    set exception <datasource>

    set heuristic-sql-xss-injection-detection <datasource>

    set http-header-cache {enable|disable}

    set http-protocol-constraint <datasource>

    set input-validation-policy <datasource>

    set cors-protection <datasource>

    set json-validation <datasource>

    set openapi-validation <datasource>

    set url-protection <datasource>

    set web-attack-signature <datasource>

    set xml-validation <datasource>

    set body-decode-length <integer>

    set multiple-decode-loop <integer>

    set body-decode-type {xml | html | json}

    next

    end

    exception

    		 Specify an exception configuration object.

    bot-detection

    		 Specify a user-defined configuration object.

    description

    A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use.

    heuristic-sql-xss-injection-detection

    Specify a predefined or user-defined configuration object.

    http-protocol-constraint

    Specify a predefined or user-defined configuration object.

    url-protection

    Specify a predefined or user-defined configuration object.

    web-attack-signature

    Specify a predefined or user-defined configuration object.

    http-header-cache

    Enable/disable caching HTTP headers. Enabled by default. If you experience performance issues, you can disable. However, the cached HTTP headers are used to populate fields in logs resulting from HTTP body scanning.

    Can only be set with the CLI.

    input-validation-policy

    Specify a predefined or user-defined configuration object.

    cors-protection

    Specify a predefined or user-defined configuration object.

    xml-validation

    		 Specify a predefined or user-defined configuration object.

    json-validation

    		 Specify a predefined or user-defined configuration object.

    openapi-validation

    Specify a predefined or user-defined configuration object.

    url-protection

    Specify a predefined or user-defined configuration object.

    web-attack-signature

    Specify a predefined or user-defined configuration object.

    body-decode-length

    Specify a body decode length in byte. (Range: 0 - 4194304 B, default: 1024 B).

    multiple-decode-loop

    Specify the number of times for the multiple decode loop. (Range: 0 - 16, default: 6).

    body-decode-type

    Specify the body decode type.

    Note: This only applies when the corresponding validation function is enabled.

    Example

    FortiADC-docs # get security waf profile High-Level-Security

    web-attack-signature : High-Level-Security

    url-protection :

    http-protocol-constraint : High-Level-Security

    heuristic-sql-xss-injection-detect: High-Level-Security

    description :

    http-header-cache : enable

    exception :

    FortiADC-docs # get security waf profile Medium-Level-Security

    web-attack-signature : Medium-Level-Security

    url-protection :

    http-protocol-constraint : Medium-Level-Security

    heuristic-sql-xss-injection-detect: Medium-Level-Security

    description :

    http-header-cache : enable

    exception :

    FortiADC-docs # get security waf profile Alert-Only

    web-attack-signature : Alert-Only

    url-protection :

    http-protocol-constraint : Alert-Only

    heuristic-sql-xss-injection-detect: Alert-Only

    description :

    http-header-cache : enable

    exception :

    FortiADC-docs # config security waf profile

    FortiADC-docs (profile) # edit eval

    Add new entry 'eval' for node 3000

    FortiADC-docs (eval) # get

    web-attack-signature :

    url-protection :

    http-protocol-constraint :

    heuristic-sql-xss-injection-detect:

    bot-detection:

    description :

    http-header-cache : enable

    exception :

    FortiADC-docs (eval) # set web-attack-signature Alert-Only

    FortiADC-docs (eval) # set http-protocol-constraint Alert-Only

    FortiADC-docs (eval) # set heuristic-sql-xss-injection-detect Alert-Only

    FortiADC-docs (eval) # set exception exception-group

    FortiADC-docs (eval) # set description "evaluate alert-only and exception list"

    FortiADC-docs (eval-alert-onl~-) # end

    Previous
    Next

    config security waf profile

    config security waf profile

    Use this command to configure web application firewall (WAF) profiles. A WAF profile references the WAF policies that are to be enforced.

    In many cases, you can use predefined profiles to get started. Table 16 describes the three predefined policies.

    Predefined WAF profiles
    Predefined Rules Description

    High-Level-Security

    HTTP protocol constraints policy: High-Level-Security

    SQL injection and XSS detection policy: High-Level-Security

    Medium-Level-Security

    HTTP protocol constraints policy: Medium-Level-Security

    SQL injection and XSS detection policy: Medium-Level-Security

    Alert-Only

    HTTP protocol constraints policy: Alert-Only

    SQL injection and XSS detection policy: Alert-Only

    The configurations for these profiles are shown in the examples that follow. If desired, you can create user-defined profiles.

    Before you begin:

    • You can use predefined WAF profiles, create profiles based on predefined feature options, or create profiles based on user-defined configuration objects. If you want to add user-defined configuration objects, you must create them before using this command to add them to a WAF profile.
    • You must have read-write permission for security settings.

    After you have created a WAF profile, you can specify it in a virtual server configuration.

    Syntax

    config security waf profile

    edit <name>

    set advanced-protection <datasource>

    set bot-detection <datasource>

    set brute-force-login <datasource>

    set cookie-security <datasource>

    set csrf-protection <datasource>

    set data-leak-prevention <datasource>

    set description <string>

    set exception <datasource>

    set heuristic-sql-xss-injection-detection <datasource>

    set http-header-cache {enable|disable}

    set http-protocol-constraint <datasource>

    set input-validation-policy <datasource>

    set cors-protection <datasource>

    set json-validation <datasource>

    set openapi-validation <datasource>

    set url-protection <datasource>

    set web-attack-signature <datasource>

    set xml-validation <datasource>

    set body-decode-length <integer>

    set multiple-decode-loop <integer>

    set body-decode-type {xml | html | json}

    next

    end

    exception

    		 Specify an exception configuration object.

    bot-detection

    		 Specify a user-defined configuration object.

    description

    A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use.

    heuristic-sql-xss-injection-detection

    Specify a predefined or user-defined configuration object.

    http-protocol-constraint

    Specify a predefined or user-defined configuration object.

    url-protection

    Specify a predefined or user-defined configuration object.

    web-attack-signature

    Specify a predefined or user-defined configuration object.

    http-header-cache

    Enable/disable caching HTTP headers. Enabled by default. If you experience performance issues, you can disable. However, the cached HTTP headers are used to populate fields in logs resulting from HTTP body scanning.

    Can only be set with the CLI.

    input-validation-policy

    Specify a predefined or user-defined configuration object.

    cors-protection

    Specify a predefined or user-defined configuration object.

    xml-validation

    		 Specify a predefined or user-defined configuration object.

    json-validation

    		 Specify a predefined or user-defined configuration object.

    openapi-validation

    Specify a predefined or user-defined configuration object.

    url-protection

    Specify a predefined or user-defined configuration object.

    web-attack-signature

    Specify a predefined or user-defined configuration object.

    body-decode-length

    Specify a body decode length in byte. (Range: 0 - 4194304 B, default: 1024 B).

    multiple-decode-loop

    Specify the number of times for the multiple decode loop. (Range: 0 - 16, default: 6).

    body-decode-type

    Specify the body decode type.

    Note: This only applies when the corresponding validation function is enabled.

    Example

    FortiADC-docs # get security waf profile High-Level-Security

    web-attack-signature : High-Level-Security

    url-protection :

    http-protocol-constraint : High-Level-Security

    heuristic-sql-xss-injection-detect: High-Level-Security

    description :

    http-header-cache : enable

    exception :

    FortiADC-docs # get security waf profile Medium-Level-Security

    web-attack-signature : Medium-Level-Security

    url-protection :

    http-protocol-constraint : Medium-Level-Security

    heuristic-sql-xss-injection-detect: Medium-Level-Security

    description :

    http-header-cache : enable

    exception :

    FortiADC-docs # get security waf profile Alert-Only

    web-attack-signature : Alert-Only

    url-protection :

    http-protocol-constraint : Alert-Only

    heuristic-sql-xss-injection-detect: Alert-Only

    description :

    http-header-cache : enable

    exception :

    FortiADC-docs # config security waf profile

    FortiADC-docs (profile) # edit eval

    Add new entry 'eval' for node 3000

    FortiADC-docs (eval) # get

    web-attack-signature :

    url-protection :

    http-protocol-constraint :

    heuristic-sql-xss-injection-detect:

    bot-detection:

    description :

    http-header-cache : enable

    exception :

    FortiADC-docs (eval) # set web-attack-signature Alert-Only

    FortiADC-docs (eval) # set http-protocol-constraint Alert-Only

    FortiADC-docs (eval) # set heuristic-sql-xss-injection-detect Alert-Only

    FortiADC-docs (eval) # set exception exception-group

    FortiADC-docs (eval) # set description "evaluate alert-only and exception list"

    FortiADC-docs (eval-alert-onl~-) # end

    Previous
    Next