CLI Reference

config security waf profile

Use this command to configure web application firewall (WAF) profiles. A WAF profile references the WAF policies that are to be enforced.

In many cases, you can use predefined profiles to get started. Table 16 describes the three predefined profiles and the policies each one references (the web attack signature reference is visible in the get output in the examples).

Predefined WAF profiles

Predefined profile       Policies referenced
High-Level-Security      HTTP protocol constraints policy: High-Level-Security
                         SQL injection and XSS detection policy: High-Level-Security
                         Web attack signature policy: High-Level-Security
Medium-Level-Security    HTTP protocol constraints policy: Medium-Level-Security
                         SQL injection and XSS detection policy: Medium-Level-Security
                         Web attack signature policy: Medium-Level-Security
Alert-Only               HTTP protocol constraints policy: Alert-Only
                         SQL injection and XSS detection policy: Alert-Only
                         Web attack signature policy: Alert-Only

The configurations for these profiles are shown in the examples that follow. The Alert-Only profile references policies that log matching requests without blocking them, so it is the one to use when evaluating a policy against live traffic before switching to an enforcing profile. If desired, you can create user-defined profiles.

Before you begin:
  • You can use a predefined WAF profile, create a profile from predefined feature options, or create a profile from user-defined configuration objects. A user-defined configuration object must already exist before you can reference it from a WAF profile with this command.
  • You must have read-write permission for security settings.

After you have created a WAF profile, you can specify it in a virtual server configuration.

Syntax

config security waf profile

edit <name>

set adaptive-learning <datasource>

set advanced-bot-protection <datasource>

set advanced-protection <datasource>

set api-discovery <datasource>

set api-gateway <datasource>

set biometrics-based-detection <datasource>

set body-decode-length <integer>

set body-decode-type {xml|html|json}

set bot-detection <datasource>

set brute-force-login <datasource>

set cookie-security <datasource>

set cors-protection <datasource>

set csrf-protection <datasource>

set data-leak-prevention <datasource>

set description <string>

set exception <datasource>

set fingerprint-based-detection <datasource>

set heuristic-sql-xss-injection-detection <datasource>

set http-header-cache {enable|disable}

set http-protocol-constraint <datasource>

set input-validation-policy <datasource>

set json-validation <datasource>

set multiple-decode-loop <integer>

set openapi-validation <datasource>

set rule-match-record {enable|disable}

set threshold-based-detection <datasource>

set url-protection <datasource>

set use-original-ip {enable|disable}

set web-attack-signature <datasource>

set xml-validation <datasource>

next

end

adaptive-learning

Specify a predefined or user-defined configuration object.

advanced-bot-protection

Specify a user-defined configuration object.

advanced-protection

Specify a user-defined configuration object.

api-discovery

Specify a user-defined configuration object.

api-gateway

Specify a user-defined configuration object.

biometrics-based-detection

Specify a user-defined configuration object.

body-decode-length

Specify the maximum number of bytes of the request body that are decoded. (Range: 0 - 4194304 B, default: 1024 B.) Body content beyond this length is not decoded, so a payload placed after the limit is inspected only in its raw form.

body-decode-type

Specify the body decode type.

Note: This setting takes effect only when the corresponding validation function is enabled in the profile (for example, xml-validation for xml or json-validation for json).

bot-detection

Specify a user-defined configuration object.

brute-force-login

Specify a user-defined configuration object.

cookie-security

Specify a user-defined configuration object.

cors-protection

Specify a predefined or user-defined configuration object.

csrf-protection

Specify a user-defined configuration object.

data-leak-prevention

Specify a user-defined configuration object.

description

A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use.

exception

Specify an exception configuration object.

fingerprint-based-detection

Specify a user-defined configuration object.

heuristic-sql-xss-injection-detection

Specify a predefined or user-defined configuration object.

Note: The get output in the examples on this page shows this option as heuristic-sql-xss-injection-detect. Check the name that get displays on your firmware version before using it in scripts.

http-protocol-constraint

Specify a predefined or user-defined configuration object.

http-header-cache

Enable or disable caching of HTTP headers. Enabled by default. You can disable it if you experience performance issues, but the cached headers are what populate the header-related fields in log messages generated by HTTP body scanning, so those log fields are incomplete when caching is disabled.

Can only be set with the CLI.

input-validation-policy

Specify a predefined or user-defined configuration object.

json-validation

Specify a predefined or user-defined configuration object.

multiple-decode-loop

Specify the maximum number of passes of the multiple decode loop, that is, how many times the WAF repeatedly decodes request data (for example, nested percent-encoding) before inspecting it. (Range: 0 - 16, default: 6.) Attackers nest encodings so that a single-pass decoder never sees the real payload; a higher value unwraps deeper nesting at the cost of more processing per request, and a lower value leaves deeply nested payloads inspected in their still-encoded form.
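The following is an added illustration of the behaviour that the multiple-decode-loop setting controls; it is not FortiADC code. Request data is decoded repeatedly, at most max_loops times, and only the result is matched against a signature. The decoders used here (percent-encoding, then HTML entities), the SQLI_SIGNATURE pattern and the sample payloads are all constructed for this example.

```python
"""Bounded multiple-decode loop, as a WAF applies it before signature matching.

Added illustration, not FortiADC code. Models the effect of the multiple-decode-loop
setting: data is decoded at most max_loops times, then inspected. The decoder chain,
the signature and the payloads are constructed for this example.
"""
import html
import re
from typing import Tuple
from urllib.parse import quote, unquote

# Constructed signature: a quote followed by an OR/UNION keyword. Real WAF
# signatures are far more elaborate; this one only needs to show the decode effect.
SQLI_SIGNATURE = re.compile(r"'\s*(?:or|union)\b", re.IGNORECASE)


def decode_once(data: str) -> str:
    """One pass of the decoders a WAF would chain: percent-decoding, then HTML entities."""
    return html.unescape(unquote(data))


def multi_decode(data: str, max_loops: int) -> Tuple[str, int]:
    """Decode at most max_loops times, stopping early once a pass changes nothing.

    Returns the final form and the number of passes that changed the data.
    max_loops=0 means the data is inspected exactly as received.
    """
    passes = 0
    for _ in range(max_loops):
        decoded = decode_once(data)
        if decoded == data:
            break
        data = decoded
        passes += 1
    return data, passes


def inspect(data: str, max_loops: int) -> bool:
    """True if the signature matches the decoded form reached within max_loops passes."""
    decoded, _ = multi_decode(data, max_loops)
    return SQLI_SIGNATURE.search(decoded) is not None


def nest_encode(payload: str, depth: int) -> str:
    """Percent-encode a payload depth times: the evasion a decode loop is meant to defeat."""
    for _ in range(depth):
        payload = quote(payload, safe="")
    return payload


if __name__ == "__main__":
    payload = "' OR 1=1"
    for depth in (0, 1, 2, 7):
        encoded = nest_encode(payload, depth)
        for loops in (0, 1, 6, 16):
            print(f"depth={depth} loops={loops:2d} detected={inspect(encoded, loops)}")
```

A payload nested twice is missed with one pass and caught with the default of six; a payload nested ten deep is still missed at six and needs the loop raised. The loop also stops as soon as a pass changes nothing, so raising the limit costs extra work only on inputs that are actually nested.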

openapi-validation

Specify a predefined or user-defined configuration object.

rule-match-record

Enable to have the Security Log show the part of the rule that matched when a security event is logged. Disabled by default. The matched fragment is useful when tuning a policy or writing an exception for a false positive, because it shows exactly which rule element the request triggered.

threshold-based-detection

Specify a predefined or user-defined configuration object.

url-protection

Specify a predefined or user-defined configuration object.

use-original-ip

Enable to use the client's original IP address, taken from the X-Forwarded-For header, instead of the connection's source IP for attack identification. Disabled by default.

When enabled, the original client address from the X-Forwarded-For header replaces the connection source IP in the WAF functions that key on a client address: WAF Blocked IP matching, Known Good Bots in Bot Detection, and source IP-based rules in the Exception feature. Log records for detected attacks carry the original client IP.

This setting applies to both HTTP and HTTPS traffic and supports IPv4 and IPv6 addresses.

Note: If the request has no X-Forwarded-For header, or the header contains invalid data, the HTTP source IP address is used instead.

Caution: X-Forwarded-For is set by whatever sends the request, so it is only trustworthy when the FortiADC receives traffic exclusively from proxies or load balancers that you control and that set or overwrite the header. If clients can reach the virtual server directly, enabling this setting lets an attacker place an arbitrary address in the header to evade a Blocked IP entry, to pose as a Known Good Bot address, or to match a source IP-based exception, and the attack logs will then record the forged address.
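The following is an added example of client-IP attribution behind a proxy; it is not FortiADC code. client_ip() models the behaviour described for use-original-ip: when the setting is on, the address comes from X-Forwarded-For, and the connection's source IP is used when the header is absent or invalid. client_ip_hardened() adds the guard a practitioner should pair with that setting: the header is honoured only on connections from known proxies, and the client is taken as the right-most header entry that is not one of those proxies, so entries forged by the client are ignored. The page does not say which header entry FortiADC uses; the naive form here takes the left-most one. TRUSTED_PROXIES and the sample requests are constructed for this example.

```python
"""Client-IP attribution behind a proxy, with and without a trusted-proxy check.

Added example, not FortiADC code. client_ip() follows the use-original-ip description
(X-Forwarded-For when present and valid, else the source IP); client_ip_hardened()
adds the trusted-proxy guard. TRUSTED_PROXIES and the requests are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed: address ranges of the proxies/load balancers that sit in front of the WAF.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


@dataclass
class Request:
    source_ip: str                                        # peer address of the TCP connection
    headers: Dict[str, str] = field(default_factory=dict)


def is_trusted(addr: IPAddr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def parse_address(text: str) -> Optional[IPAddr]:
    """Parse one IPv4 or IPv6 address; None when it is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(req: Request, use_original_ip: bool) -> str:
    """Address used for blocked-IP matching, exception rules and attack logs (naive form).

    use_original_ip=False: always the connection source IP (the default).
    use_original_ip=True: the left-most X-Forwarded-For entry when present and valid,
    else the source IP. Anyone who can reach the WAF directly can choose that entry.
    """
    if not use_original_ip:
        return req.source_ip
    xff = req.headers.get("X-Forwarded-For")
    if xff is None:
        return req.source_ip
    first = parse_address(xff.split(",")[0])
    return str(first) if first is not None else req.source_ip


def client_ip_hardened(req: Request, use_original_ip: bool) -> str:
    """As client_ip, but the header is trusted only on connections from our own proxies.

    Walks X-Forwarded-For from right (the hop nearest us) to left, skipping our proxies'
    addresses; the first address that is not ours is the client. A malformed entry met
    on that walk invalidates the header and falls back to the source IP.
    """
    if not use_original_ip:
        return req.source_ip
    peer = parse_address(req.source_ip)
    if peer is None or not is_trusted(peer):
        return req.source_ip          # direct client: the header could say anything
    hops = [h for h in req.headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        addr = parse_address(hop)
        if addr is None:
            return req.source_ip      # invalid data: fall back, as the note above describes
        if not is_trusted(addr):
            return str(addr)
    return req.source_ip              # header absent, or made up only of our own proxies
```

With a direct connection from 203.0.113.5 carrying "X-Forwarded-For: 198.51.100.7", the naive form attributes the request to 198.51.100.7 while the hardened form keeps 203.0.113.5. With a request relayed by proxy 10.1.2.3 carrying "192.0.2.9, 198.51.100.7, 10.0.0.4", where the client supplied the first entry itself, the naive form returns the forged 192.0.2.9 and the hardened form returns 198.51.100.7.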

web-attack-signature

Specify a predefined or user-defined configuration object.

xml-validation

Specify a predefined or user-defined configuration object.

Example

FortiADC-docs # get security waf profile High-Level-Security

web-attack-signature : High-Level-Security

url-protection :

http-protocol-constraint : High-Level-Security

heuristic-sql-xss-injection-detect : High-Level-Security

description :

http-header-cache : enable

exception :

FortiADC-docs # get security waf profile Medium-Level-Security

web-attack-signature : Medium-Level-Security

url-protection :

http-protocol-constraint : Medium-Level-Security

heuristic-sql-xss-injection-detect : Medium-Level-Security

description :

http-header-cache : enable

exception :

FortiADC-docs # get security waf profile Alert-Only

web-attack-signature : Alert-Only

threshold-based-detection :

url-protection :

http-protocol-constraint : Alert-Only

heuristic-sql-xss-injection-detect : Alert-Only

description :

http-header-cache : enable

exception :

FortiADC-docs # config security waf profile

FortiADC-docs (profile) # edit eval

Add new entry 'eval' for node 3000

FortiADC-docs (eval) # get

web-attack-signature :

url-protection :

http-protocol-constraint :

heuristic-sql-xss-injection-detect :

bot-detection :

biometrics-based-detection :

fingerprint-based-detection :

advanced-bot-protection :

description :

http-header-cache : enable

exception :

FortiADC-docs (eval) # set web-attack-signature Alert-Only

FortiADC-docs (eval) # set http-protocol-constraint Alert-Only

FortiADC-docs (eval) # set heuristic-sql-xss-injection-detect Alert-Only

FortiADC-docs (eval) # set exception exception-group

FortiADC-docs (eval) # set description "evaluate alert-only and exception list"

FortiADC-docs (eval) # end
