config security waf hidden-field-rule

Use this command to define the Hidden Field rule for Input Validation to check hidden parameters from <input type="hidden"> HTML tags. These hidden parameters are often written into an HTML page by the web server when it serves that page to the client, and they are not visible on the rendered web page.

The Hidden Field rule function can do the following:

  • Check the HOST by simple string or regular expression matching.
  • Check the URL by simple string or regular expression matching.
  • Match the configuration of the fetched URL.

If the conditions are successfully matched, it will execute the specified action.

Syntax

config security waf hidden-field-rule
  edit <name>
    set host-status {enable|disable}
    set host <string>
    set request-url <regex>
    set action <datasource>
    set severity {high|medium|low}
    config post-url-table
      edit <no.>
        set url <regex>
      next
    end
    config hidden-field-table
      edit <no.>
        set name <string>
      next
    end
  next
end

host-status

Enable to require that the Host: field of the HTTP request match a protected host name's entry in order to match the URL access rule. Also configure host.

host

The host option is available if host-status is enabled.

Select which protected host name's entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the URL access rule.

request-url

The HTTP request URL must start with /, e.g. /login. This item must be set when configuring the rule. FortiADC matches the other items of the rule only after the request URL matches; if the request URL match fails, FortiADC does not attempt to match the others.

action

Select the action profile that you want to apply.

severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

  • low
  • medium
  • high

The default value is low.

config post-url-table

url

Specify the Post URL on which the hidden fields function can work.

config hidden-field-table

name

Enter a unique Hidden Fields name. It must match the value of the name attribute of the <input type="hidden"> tag in the HTML page.

Example

config security waf hidden-field-rule
  edit "hidden_policy"
    set host-status enable
    set host 118.TEST.com
    set request-url /test/product.html
    set action deny
    config post-url-table
      edit 1
        set url /test/price.jsp
      next
    end
    config hidden-field-table
      edit 1
        set name price
      next
    end
  next
end
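The following is an added example, not FortiADC code, that models the rule above as a small detector: hidden fields served on the request-url page are remembered per session, and a later POST to a post-url is denied when a protected field (here price) is missing or altered. The value comparison is an assumption about the check; the rule, session dict and sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed rule mirroring the page's example (not FortiADC's data structures).
RULE = {
    "host": "118.TEST.com",
    "request_url": r"^/test/product\.html$",
    "post_urls": [r"^/test/price\.jsp$"],
    "hidden_fields": ["price"],
    "action": "deny",
}

class _HiddenInputs(HTMLParser):
    """Collect name/value pairs of <input type="hidden"> tags from a served page."""
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value") or ""

def record_served_page(session, host, url, html, rule=RULE):
    """Remember protected hidden fields the server sent on a request-url match."""
    if host != rule["host"] or not re.search(rule["request_url"], url):
        return False  # rule does not apply to this page
    p = _HiddenInputs()
    p.feed(html)
    session.setdefault("hidden", {}).update(
        {k: v for k, v in p.fields.items() if k in rule["hidden_fields"]})
    return True

def check_post(session, host, url, form, rule=RULE):
    """Return 'pass', or the rule's action when a protected field was altered or dropped."""
    if host != rule["host"] or not any(re.search(p, url) for p in rule["post_urls"]):
        return "pass"  # not a post-url covered by this rule
    expected = session.get("hidden", {})
    for name in rule["hidden_fields"]:
        if name not in expected:
            continue  # the page never served this field; nothing to compare
        if form.get(name) != expected[name]:
            return rule["action"]
    return "pass"

# Constructed sample page as the server would serve /test/product.html.
PAGE = ('<form action="/test/price.jsp" method="post">'
        '<input type="hidden" name="price" value="49.99">'
        '<input type="hidden" name="csrf" value="abc"><input type="submit"></form>')
```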