Fortinet white logo
Fortinet white logo

CLI Reference

config security waf exception

config security waf exception

Use this command to create exception configuration objects. WAF exceptions identify specific patterns that are not subject to processing by WAF rules. Use WAF exception rules to reduce false-positives triggered by legitimate HTTP requests that match an attack signature rule.

Before you begin:
  • You must have read-write permission for security settings.

FortiADC supports the following exception rule types.

Each exception rule type requires specific parameters to be applied. Use the links above to navigate to the CLI commands for each exception rule type.

After you have created an exception object, you can specify it in WAF profiles and individual WAF feature rules.

For optimal functionality, we recommend keeping the number of WAF exception rules configured to a minimum. If a large number of WAF exception rules are configured, none may work effectively due to limitations of the shared memory (maximum total is 256.0 MBs in the VM platform).

URL

Use this command to create a URL exception rule.

Syntax

config security waf exception

edit <name>

config exception-rule

edit <No.>

set type URL

set host-status {enable|disable}

set host-pattern <string>

set url-pattern <string>

next

end

next

end

host-status

Enable/disable the setting exceptions by host pattern.

host-pattern

The host-pattern option is configurable if host-status is enabled.

Specify the matching string. Regular expressions are supported. Maximum length is 128 characters.

For example, you can specify www.example.com, *.example.com, or www.example.* to match a literal host pattern or a wildcard host pattern.

url-pattern

Specify the matching string. Must begin with a URL path separator (/). Regular expressions are supported. Maximum length is 128 characters.

For example, you can specify path names and files with expressions like \/admin, .*\/data\/1.html, or \/data.*.

Example

config security waf exception

edit "url"

config exception-rule

edit 1

set type URL

set host-status disable

set url-pattern /url1

next

end

next

end

Source IP

Use this command to create a Source IP exception rule.

Syntax

config security waf exception

edit <name>

config exception-rule

edit <No.>

set type source-ip

set ip-netmask <ip&netmask>

next

end

next

end

ip-netmask

Specify the IPv4 address with netmask. For example: 192.0.2.5/24

Example

config security waf exception

edit "source-ip"

config exception-rule

edit 2

set type source-ip

set ip-netmask 192.0.2.0/24

next

end

next

end

Source IPv6

Use this command to create a Source IPv6 exception rule.

Syntax

config security waf exception

edit <name>

config exception-rule

edit <No.>

set type source-ipv6

set ipv6-netmask <ip&netmask>

next

end

next

end

ipv6-netmask

Specify the IPv6 address with netmask. For example: 2001:0db8:85a3::8a2e:0370:7334/64

Example

config security waf exception

edit "source-ipv6"

config exception-rule

edit 3

set type source-ipv6

set ipv6-netmask 2001:1::50:1:0:20/128

next

end

next

end

HTTP Method

Use this command to create an HTTP method exception rule.

Syntax

config security waf exception

edit <name>

config exception-rule

edit <No.>

set type http-method

set methods [GET|POST|HEAD|TRACE|CONNECT|DELETE|PUT|PATCH|OPTIONS|OTHERS]

next

end

next

end

methods

Select the HTTP method(s):

  • GET

  • POST

  • HEAD

  • TRACE

  • CONNECT

  • DELETE

  • PUT

  • PATCH

  • OPTIONS

  • OTHERS

Example

config security waf exception

edit "http-method"

config exception-rule

edit 4

set type http-method

set methods HEAD TRACE CONNECT DELETE PUT PATCH OPTIONS OTHERS

next

end

next

end

HTTP Header

Use this command to create an HTTP Header exception rule.

Syntax

config security waf exception

edit <name>

config exception-rule

edit <No.>

set type http-header

set value-check {enable|disable}

set name-pattern <string>

set value-pattern <string>

next

end

next

end

value-check

Enable/disable value checking for the specified element.

name-pattern

Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

For example: . Content*

Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.

value-pattern

The value-pattern option is required if value-check is enabled.

Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

For example: . Content*

Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.

Example

config security waf exception

edit "http-header"

config exception-rule

edit 5

set type http-header

set value-check enable

set name-pattern h_name1

set value-pattern h_value1

next

end

next

end

Cookie

Use this command to create a Cookie exception rule.

Syntax

config security waf exception

edit <name>

config exception-rule

edit <No.>

set type cookie

set value-check {enable|disable}

set name-pattern <string>

set value-pattern <string>

next

end

next

end

value-check

Enable/disable value checking for the specified element.

name-pattern

Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

For example: . Content*

Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.

value-pattern

The value-pattern option is required if value-check is enabled.

Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

For example: . Content*

Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.

Example

config security waf exception

edit "cookie"

config exception-rule

edit 6

set type cookie

set value-check enable

set name-pattern c_name1

set value-pattern c_value1

next

end

next

end

Parameter

Use this command to create a Parameter exception rule.

Syntax

config security waf exception

edit <name>

config exception-rule

edit <No.>

set type parameter

set value-check {enable|disable}

set name-pattern <string>

set value-pattern <string>

next

end

next

end

value-check

Enable/disable value checking for the specified element.

name-pattern

Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

For example: . Content*

Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.

value-pattern

The value-pattern option is required if value-check is enabled.

Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

For example: . Content*

Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.

Example

config security waf exception

edit "parameter"

config exception-rule

edit 7

set type parameter

set value-check enable

set name-pattern p_name1

set value-pattern p_value1

next

end

next

end

Limitations: Escaped Characters

All name-pattern and value-pattern support regular expression. However, some characters must be escaped to be a valid regular expression or be functional as an exception rule. If your expression contains characters that require escaping, an error message may be triggered to reject the invalid expression. However, it is also possible that an error may not be triggered by unescaped characters if it is considered syntactically correct — in which case these expressions would not function as exception rules since they will not match any user traffic.

This section lists the most commonly used special characters that need to be escaped to make an input valid or functional as an exception rule.

Brackets: []

Brackets ([]) require other characters between the brackets to be a valid exception rule regular expression.

For example:

Invalid: []

Valid: [123] — Valid

[] is an invalid exception rule regular expression because the input only contain brackets with no other characters in between. Whereas [123] is valid because there are number characters between the brackets.

Parentheses: ()

Parentheses (()) require a backslash (\) before each parenthesis to be a valid exception rule regular expression — ()\(\)

For example:

Invalid: http://x.x.x.x/login?link=mocha:alert('attack%20success')

Valid: http://x.x.x.x/login?link=mocha:alert\('attack success'\)

Focusing on the parameter value, mocha:alert('attack%20success') is invalid because there is no backslash before each parenthesis. Whereas mocha:alert\('attack success'\) is valid with the backslash inserted before each parenthesis.

Asterisk: *

Asterisks (*) require a backslash (\) before each asterisk to be a valid and functional exception rule — *\*

For example:

curl -vv -X POST --cookie "Cookie123=abcd"

"http://x.x.x.x/index.php?n123=v123&p_name1=p_value1"

Where the cookie name is "cookie" and the cookie value is "a*"

Invalid: a*

Valid: a\*"

In this case, both a* and a\* are both correct in syntax. However, a* would not be functional as an exception rule because it would not match any user traffic.

Space: %20

Spaces (%20) in URLs must be replaced with spaces to be a valid exception rule regular expression.

For example:

Invalid: http://x.x.x.x/login?link=mocha:alert('attack%20success')

Valid: http://x.x.x.x/login?link=mocha:alert(\'attack success'\)

Focusing on the parameter value, the invalid expression becomes valid when the %20 is replaced with the space: mocha:alert('attack%20success')mocha:alert(\'attack success'\)

Single Quotes: ''

When the name-pattern or value-pattern contain single quotes, it will be automatically escaped.

For example:

You may enter the parameter value-pattern as: alert\('attack%20success'\)

The value-pattern will appear as: alert\\(\'attack success\'\\)

config security waf exception

config security waf exception

Use this command to create exception configuration objects. WAF exceptions identify specific patterns that are not subject to processing by WAF rules. Use WAF exception rules to reduce false-positives triggered by legitimate HTTP requests that match an attack signature rule.

Before you begin:
  • You must have read-write permission for security settings.

FortiADC supports the following exception rule types.

Each exception rule type requires specific parameters to be applied. Use the links above to navigate to the CLI commands for each exception rule type.

After you have created an exception object, you can specify it in WAF profiles and individual WAF feature rules.

For optimal functionality, we recommend keeping the number of WAF exception rules configured to a minimum. If a large number of WAF exception rules are configured, none may work effectively due to limitations of the shared memory (maximum total is 256.0 MBs in the VM platform).

URL

Use this command to create a URL exception rule.

Syntax

config security waf exception

edit <name>

config exception-rule

edit <No.>

set type URL

set host-status {enable|disable}

set host-pattern <string>

set url-pattern <string>

next

end

next

end

host-status

Enable/disable the setting exceptions by host pattern.

host-pattern

The host-pattern option is configurable if host-status is enabled.

Specify the matching string. Regular expressions are supported. Maximum length is 128 characters.

For example, you can specify www.example.com, *.example.com, or www.example.* to match a literal host pattern or a wildcard host pattern.

url-pattern

Specify the matching string. Must begin with a URL path separator (/). Regular expressions are supported. Maximum length is 128 characters.

For example, you can specify path names and files with expressions like \/admin, .*\/data\/1.html, or \/data.*.

Example

config security waf exception

edit "url"

config exception-rule

edit 1

set type URL

set host-status disable

set url-pattern /url1

next

end

next

end

Source IP

Use this command to create a Source IP exception rule.

Syntax

config security waf exception

edit <name>

config exception-rule

edit <No.>

set type source-ip

set ip-netmask <ip&netmask>

next

end

next

end

ip-netmask

Specify the IPv4 address with netmask. For example: 192.0.2.5/24

Example

config security waf exception

edit "source-ip"

config exception-rule

edit 2

set type source-ip

set ip-netmask 192.0.2.0/24

next

end

next

end

Source IPv6

Use this command to create a Source IPv6 exception rule.

Syntax

config security waf exception

edit <name>

config exception-rule

edit <No.>

set type source-ipv6

set ipv6-netmask <ip&netmask>

next

end

next

end

ipv6-netmask

Specify the IPv6 address with netmask. For example: 2001:0db8:85a3::8a2e:0370:7334/64

Example

config security waf exception

edit "source-ipv6"

config exception-rule

edit 3

set type source-ipv6

set ipv6-netmask 2001:1::50:1:0:20/128

next

end

next

end

HTTP Method

Use this command to create an HTTP method exception rule.

Syntax

config security waf exception

edit <name>

config exception-rule

edit <No.>

set type http-method

set methods [GET|POST|HEAD|TRACE|CONNECT|DELETE|PUT|PATCH|OPTIONS|OTHERS]

next

end

next

end

methods

Select the HTTP method(s):

  • GET

  • POST

  • HEAD

  • TRACE

  • CONNECT

  • DELETE

  • PUT

  • PATCH

  • OPTIONS

  • OTHERS

Example

config security waf exception

edit "http-method"

config exception-rule

edit 4

set type http-method

set methods HEAD TRACE CONNECT DELETE PUT PATCH OPTIONS OTHERS

next

end

next

end

HTTP Header

Use this command to create an HTTP Header exception rule.

Syntax

config security waf exception

edit <name>

config exception-rule

edit <No.>

set type http-header

set value-check {enable|disable}

set name-pattern <string>

set value-pattern <string>

next

end

next

end

value-check

Enable/disable value checking for the specified element.

name-pattern

Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

For example: . Content*

Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.

value-pattern

The value-pattern option is required if value-check is enabled.

Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

For example: . Content*

Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.

Example

config security waf exception

edit "http-header"

config exception-rule

edit 5

set type http-header

set value-check enable

set name-pattern h_name1

set value-pattern h_value1

next

end

next

end

Cookie

Use this command to create a Cookie exception rule.

Syntax

config security waf exception

edit <name>

config exception-rule

edit <No.>

set type cookie

set value-check {enable|disable}

set name-pattern <string>

set value-pattern <string>

next

end

next

end

value-check

Enable/disable value checking for the specified element.

name-pattern

Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

For example: . Content*

Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.

value-pattern

The value-pattern option is required if value-check is enabled.

Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

For example: . Content*

Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.

Example

config security waf exception

edit "cookie"

config exception-rule

edit 6

set type cookie

set value-check enable

set name-pattern c_name1

set value-pattern c_value1

next

end

next

end

Parameter

Use this command to create a Parameter exception rule.

Syntax

config security waf exception

edit <name>

config exception-rule

edit <No.>

set type parameter

set value-check {enable|disable}

set name-pattern <string>

set value-pattern <string>

next

end

next

end

value-check

Enable/disable value checking for the specified element.

name-pattern

Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

For example: . Content*

Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.

value-pattern

The value-pattern option is required if value-check is enabled.

Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

For example: . Content*

Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.

Example

config security waf exception

edit "parameter"

config exception-rule

edit 7

set type parameter

set value-check enable

set name-pattern p_name1

set value-pattern p_value1

next

end

next

end

Limitations: Escaped Characters

All name-pattern and value-pattern support regular expression. However, some characters must be escaped to be a valid regular expression or be functional as an exception rule. If your expression contains characters that require escaping, an error message may be triggered to reject the invalid expression. However, it is also possible that an error may not be triggered by unescaped characters if it is considered syntactically correct — in which case these expressions would not function as exception rules since they will not match any user traffic.

This section lists the most commonly used special characters that need to be escaped to make an input valid or functional as an exception rule.

Brackets: []

Brackets ([]) require other characters between the brackets to be a valid exception rule regular expression.

For example:

Invalid: []

Valid: [123] — Valid

[] is an invalid exception rule regular expression because the input only contain brackets with no other characters in between. Whereas [123] is valid because there are number characters between the brackets.

Parentheses: ()

Parentheses (()) require a backslash (\) before each parenthesis to be a valid exception rule regular expression — ()\(\)

For example:

Invalid: http://x.x.x.x/login?link=mocha:alert('attack%20success')

Valid: http://x.x.x.x/login?link=mocha:alert\('attack success'\)

Focusing on the parameter value, mocha:alert('attack%20success') is invalid because there is no backslash before each parenthesis. Whereas mocha:alert\('attack success'\) is valid with the backslash inserted before each parenthesis.

Asterisk: *

Asterisks (*) require a backslash (\) before each asterisk to be a valid and functional exception rule — *\*

For example:

curl -vv -X POST --cookie "Cookie123=abcd"

"http://x.x.x.x/index.php?n123=v123&p_name1=p_value1"

Where the cookie name is "cookie" and the cookie value is "a*"

Invalid: a*

Valid: a\*"

In this case, both a* and a\* are both correct in syntax. However, a* would not be functional as an exception rule because it would not match any user traffic.

Space: %20

Spaces (%20) in URLs must be replaced with spaces to be a valid exception rule regular expression.

For example:

Invalid: http://x.x.x.x/login?link=mocha:alert('attack%20success')

Valid: http://x.x.x.x/login?link=mocha:alert(\'attack success'\)

Focusing on the parameter value, the invalid expression becomes valid when the %20 is replaced with the space: mocha:alert('attack%20success')mocha:alert(\'attack success'\)

Single Quotes: ''

When the name-pattern or value-pattern contain single quotes, it will be automatically escaped.

For example:

You may enter the parameter value-pattern as: alert\('attack%20success'\)

The value-pattern will appear as: alert\\(\'attack success\'\\)