CLI Reference

6.0.6

waf profile

Use this command to configure web application firewall options.

Command Description

set extended-log {enable | disable}

When extended UTM logging is enabled, additional HTTP header information is logged whenever a UTM event occurs.

Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.

config waf profile
    edit {name}
    # Web application firewall configuration.
        set name {string}   WAF Profile name. size[35]
        set external {disable | enable}   Disable/Enable external HTTP Inspection.
        set extended-log {enable | disable}   Enable/disable extended logging.
        config signature
            config main-class
                edit {id}
                # Main signature class.
                    set id {integer}   Main signature class ID. range[0-4294967295] - datasource(s): waf.main-class.id
                    set status {enable | disable}   Status.
                    set action {allow | block | erase}   Action.
                            allow  Allow.
                            block  Block.
                            erase  Erase credit card numbers.
                    set log {enable | disable}   Enable/disable logging.
                    set severity {high | medium | low}   Severity.
                            high    High severity.
                            medium  Medium severity.
                            low     Low severity.
                next
            config disabled-sub-class
                edit {id}
                # Disabled signature subclasses.
                    set id {integer}   Signature subclass ID. range[0-4294967295] - datasource(s): waf.sub-class.id
                next
            config disabled-signature
                edit {id}
                # Disabled signatures.
                    set id {integer}   Signature ID. range[0-4294967295] - datasource(s): waf.signature.id
                next
            set credit-card-detection-threshold {integer}   The minimum number of credit card numbers that must be detected to count as a violation. range[0-128]
            config custom-signature
                edit {name}
                # Custom signature.
                    set name {string}   Signature name. size[35]
                    set status {enable | disable}   Status.
                    set action {allow | block | erase}   Action.
                            allow  Allow.
                            block  Block.
                            erase  Erase credit card numbers.
                    set log {enable | disable}   Enable/disable logging.
                    set severity {high | medium | low}   Severity.
                            high    High severity.
                            medium  Medium severity.
                            low     Low severity.
                    set direction {request | response}   Traffic direction.
                            request   Match HTTP request.
                            response  Match HTTP response.
                    set case-sensitivity {disable | enable}   Case sensitivity in pattern.
                    set pattern {string}   Match pattern. size[511]
                    set target {option}   Match HTTP target.
                            arg              HTTP arguments.
                            arg-name         Names of HTTP arguments.
                            req-body         HTTP request body.
                            req-cookie       HTTP request cookies.
                            req-cookie-name  HTTP request cookie names.
                            req-filename     HTTP request file name.
                            req-header       HTTP request headers.
                            req-header-name  HTTP request header names.
                            req-raw-uri      Raw URI of HTTP request.
                            req-uri          URI of HTTP request.
                            resp-body        HTTP response body.
                            resp-hdr         HTTP response headers.
                            resp-status      HTTP response status.
                next
        config constraint
            config header-length
                set status {enable | disable}   Enable/disable the constraint.
                set length {integer}   Length of HTTP header in bytes (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config content-length
                set status {enable | disable}   Enable/disable the constraint.
                set length {integer}   Length of HTTP content in bytes (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config param-length
                set status {enable | disable}   Enable/disable the constraint.
                set length {integer}   Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config line-length
                set status {enable | disable}   Enable/disable the constraint.
                set length {integer}   Length of HTTP line in bytes (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config url-param-length
                set status {enable | disable}   Enable/disable the constraint.
                set length {integer}   Maximum length of URL parameter in bytes (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config version
                set status {enable | disable}   Enable/disable the constraint.
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config method
                set status {enable | disable}   Enable/disable the constraint.
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config hostname
                set status {enable | disable}   Enable/disable the constraint.
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config malformed
                set status {enable | disable}   Enable/disable the constraint.
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config max-cookie
                set status {enable | disable}   Enable/disable the constraint.
                set max-cookie {integer}   Maximum number of cookies in HTTP request (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config max-header-line
                set status {enable | disable}   Enable/disable the constraint.
                set max-header-line {integer}   Maximum number of HTTP header lines (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config max-url-param
                set status {enable | disable}   Enable/disable the constraint.
                set max-url-param {integer}   Maximum number of parameters in URL (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config max-range-segment
                set status {enable | disable}   Enable/disable the constraint.
                set max-range-segment {integer}   Maximum number of range segments in HTTP range line (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config exception
                edit {id}
                # HTTP constraint exception.
                    set id {integer}   Exception ID. range[0-4294967295]
                    set pattern {string}   URL pattern. size[511]
                    set regex {enable | disable}   Enable/disable regular expression based pattern match.
                    set address {string}   Host address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                    set header-length {enable | disable}   HTTP header length in request.
                    set content-length {enable | disable}   HTTP content length in request.
                    set param-length {enable | disable}   Maximum length of parameter in URL, HTTP POST request or HTTP body.
                    set line-length {enable | disable}   HTTP line length in request.
                    set url-param-length {enable | disable}   Maximum length of parameter in URL.
                    set version {enable | disable}   Enable/disable HTTP version check.
                    set method {enable | disable}   Enable/disable HTTP method check.
                    set hostname {enable | disable}   Enable/disable hostname check.
                    set malformed {enable | disable}   Enable/disable malformed HTTP request check.
                    set max-cookie {enable | disable}   Maximum number of cookies in HTTP request.
                    set max-header-line {enable | disable}   Maximum number of HTTP header lines.
                    set max-url-param {enable | disable}   Maximum number of parameters in URL.
                    set max-range-segment {enable | disable}   Maximum number of range segments in HTTP range line.
                next
        config method
            set status {enable | disable}   Status.
            set log {enable | disable}   Enable/disable logging.
            set severity {high | medium | low}   Severity.
                    high    High severity.
                    medium  Medium severity.
                    low     Low severity.
            set default-allowed-methods {option}   Methods.
                    get      HTTP GET method.
                    post     HTTP POST method.
                    put      HTTP PUT method.
                    head     HTTP HEAD method.
                    connect  HTTP CONNECT method.
                    trace    HTTP TRACE method.
                    options  HTTP OPTIONS method.
                    delete   HTTP DELETE method.
                    others   Other HTTP methods.
            config method-policy
                edit {id}
                # HTTP method policy.
                    set id {integer}   HTTP method policy ID. range[0-4294967295]
                    set pattern {string}   URL pattern. size[511]
                    set regex {enable | disable}   Enable/disable regular expression based pattern match.
                    set address {string}   Host address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                    set allowed-methods {option}   Allowed Methods.
                            get      HTTP GET method.
                            post     HTTP POST method.
                            put      HTTP PUT method.
                            head     HTTP HEAD method.
                            connect  HTTP CONNECT method.
                            trace    HTTP TRACE method.
                            options  HTTP OPTIONS method.
                            delete   HTTP DELETE method.
                            others   Other HTTP methods.
                next
        config address-list
            set status {enable | disable}   Status.
            set blocked-log {enable | disable}   Enable/disable logging on blocked addresses.
            set severity {high | medium | low}   Severity.
                    high    High severity.
                    medium  Medium severity.
                    low     Low severity.
            config trusted-address
                edit {name}
                # Trusted address.
                    set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
                next
            config blocked-address
                edit {name}
                # Blocked address.
                    set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
                next
        config url-access
            edit {id}
            # URL access list.
                set id {integer}   URL access ID. range[0-4294967295]
                set address {string}   Host address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                set action {bypass | permit | block}   Action.
                        bypass  Allow the HTTP request, also bypass further WAF scanning.
                        permit  Allow the HTTP request, and continue further WAF scanning.
                        block   Block HTTP request.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
                config access-pattern
                    edit {id}
                    # URL access pattern.
                        set id {integer}   URL access pattern ID. range[0-4294967295]
                        set srcaddr {string}   Source address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                        set pattern {string}   URL pattern. size[511]
                        set regex {enable | disable}   Enable/disable regular expression based pattern match.
                        set negate {enable | disable}   Enable/disable match negation.
                    next
            next
        set comment {string}   Comment. size[1023]
    next
end

waf profile

Use this command to configure web application firewall options.

Command Description

set extended-log {enable | disable}

When extended UTM logging is enabled, additional HTTP header information is logged whenever a UTM event occurs.

Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.

config waf profile
    edit {name}
    # Web application firewall configuration.
        set name {string}   WAF Profile name. size[35]
        set external {disable | enable}   Disable/Enable external HTTP Inspection.
        set extended-log {enable | disable}   Enable/disable extended logging.
        config signature
            config main-class
                edit {id}
                # Main signature class.
                    set id {integer}   Main signature class ID. range[0-4294967295] - datasource(s): waf.main-class.id
                    set status {enable | disable}   Status.
                    set action {allow | block | erase}   Action.
                            allow  Allow.
                            block  Block.
                            erase  Erase credit card numbers.
                    set log {enable | disable}   Enable/disable logging.
                    set severity {high | medium | low}   Severity.
                            high    High severity.
                            medium  Medium severity.
                            low     Low severity.
                next
            config disabled-sub-class
                edit {id}
                # Disabled signature subclasses.
                    set id {integer}   Signature subclass ID. range[0-4294967295] - datasource(s): waf.sub-class.id
                next
            config disabled-signature
                edit {id}
                # Disabled signatures.
                    set id {integer}   Signature ID. range[0-4294967295] - datasource(s): waf.signature.id
                next
            set credit-card-detection-threshold {integer}   The minimum number of credit card numbers that must be detected to count as a violation. range[0-128]
            config custom-signature
                edit {name}
                # Custom signature.
                    set name {string}   Signature name. size[35]
                    set status {enable | disable}   Status.
                    set action {allow | block | erase}   Action.
                            allow  Allow.
                            block  Block.
                            erase  Erase credit card numbers.
                    set log {enable | disable}   Enable/disable logging.
                    set severity {high | medium | low}   Severity.
                            high    High severity.
                            medium  Medium severity.
                            low     Low severity.
                    set direction {request | response}   Traffic direction.
                            request   Match HTTP request.
                            response  Match HTTP response.
                    set case-sensitivity {disable | enable}   Case sensitivity in pattern.
                    set pattern {string}   Match pattern. size[511]
                    set target {option}   Match HTTP target.
                            arg              HTTP arguments.
                            arg-name         Names of HTTP arguments.
                            req-body         HTTP request body.
                            req-cookie       HTTP request cookies.
                            req-cookie-name  HTTP request cookie names.
                            req-filename     HTTP request file name.
                            req-header       HTTP request headers.
                            req-header-name  HTTP request header names.
                            req-raw-uri      Raw URI of HTTP request.
                            req-uri          URI of HTTP request.
                            resp-body        HTTP response body.
                            resp-hdr         HTTP response headers.
                            resp-status      HTTP response status.
                next
        config constraint
            config header-length
                set status {enable | disable}   Enable/disable the constraint.
                set length {integer}   Length of HTTP header in bytes (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config content-length
                set status {enable | disable}   Enable/disable the constraint.
                set length {integer}   Length of HTTP content in bytes (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config param-length
                set status {enable | disable}   Enable/disable the constraint.
                set length {integer}   Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config line-length
                set status {enable | disable}   Enable/disable the constraint.
                set length {integer}   Length of HTTP line in bytes (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config url-param-length
                set status {enable | disable}   Enable/disable the constraint.
                set length {integer}   Maximum length of URL parameter in bytes (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config version
                set status {enable | disable}   Enable/disable the constraint.
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config method
                set status {enable | disable}   Enable/disable the constraint.
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config hostname
                set status {enable | disable}   Enable/disable the constraint.
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config malformed
                set status {enable | disable}   Enable/disable the constraint.
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config max-cookie
                set status {enable | disable}   Enable/disable the constraint.
                set max-cookie {integer}   Maximum number of cookies in HTTP request (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config max-header-line
                set status {enable | disable}   Enable/disable the constraint.
                set max-header-line {integer}   Maximum number of HTTP header lines (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config max-url-param
                set status {enable | disable}   Enable/disable the constraint.
                set max-url-param {integer}   Maximum number of parameters in URL (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config max-range-segment
                set status {enable | disable}   Enable/disable the constraint.
                set max-range-segment {integer}   Maximum number of range segments in HTTP range line (0 to 2147483647). range[0-2147483647]
                set action {allow | block}   Action.
                        allow  Allow.
                        block  Block.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
            config exception
                edit {id}
                # HTTP constraint exception.
                    set id {integer}   Exception ID. range[0-4294967295]
                    set pattern {string}   URL pattern. size[511]
                    set regex {enable | disable}   Enable/disable regular expression based pattern match.
                    set address {string}   Host address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                    set header-length {enable | disable}   HTTP header length in request.
                    set content-length {enable | disable}   HTTP content length in request.
                    set param-length {enable | disable}   Maximum length of parameter in URL, HTTP POST request or HTTP body.
                    set line-length {enable | disable}   HTTP line length in request.
                    set url-param-length {enable | disable}   Maximum length of parameter in URL.
                    set version {enable | disable}   Enable/disable HTTP version check.
                    set method {enable | disable}   Enable/disable HTTP method check.
                    set hostname {enable | disable}   Enable/disable hostname check.
                    set malformed {enable | disable}   Enable/disable malformed HTTP request check.
                    set max-cookie {enable | disable}   Maximum number of cookies in HTTP request.
                    set max-header-line {enable | disable}   Maximum number of HTTP header lines.
                    set max-url-param {enable | disable}   Maximum number of parameters in URL.
                    set max-range-segment {enable | disable}   Maximum number of range segments in HTTP range line.
                next
        config method
            set status {enable | disable}   Status.
            set log {enable | disable}   Enable/disable logging.
            set severity {high | medium | low}   Severity.
                    high    High severity.
                    medium  Medium severity.
                    low     Low severity.
            set default-allowed-methods {option}   Methods.
                    get      HTTP GET method.
                    post     HTTP POST method.
                    put      HTTP PUT method.
                    head     HTTP HEAD method.
                    connect  HTTP CONNECT method.
                    trace    HTTP TRACE method.
                    options  HTTP OPTIONS method.
                    delete   HTTP DELETE method.
                    others   Other HTTP methods.
            config method-policy
                edit {id}
                # HTTP method policy.
                    set id {integer}   HTTP method policy ID. range[0-4294967295]
                    set pattern {string}   URL pattern. size[511]
                    set regex {enable | disable}   Enable/disable regular expression based pattern match.
                    set address {string}   Host address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                    set allowed-methods {option}   Allowed Methods.
                            get      HTTP GET method.
                            post     HTTP POST method.
                            put      HTTP PUT method.
                            head     HTTP HEAD method.
                            connect  HTTP CONNECT method.
                            trace    HTTP TRACE method.
                            options  HTTP OPTIONS method.
                            delete   HTTP DELETE method.
                            others   Other HTTP methods.
                next
        config address-list
            set status {enable | disable}   Status.
            set blocked-log {enable | disable}   Enable/disable logging on blocked addresses.
            set severity {high | medium | low}   Severity.
                    high    High severity.
                    medium  Medium severity.
                    low     Low severity.
            config trusted-address
                edit {name}
                # Trusted address.
                    set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
                next
            config blocked-address
                edit {name}
                # Blocked address.
                    set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
                next
        config url-access
            edit {id}
            # URL access list.
                set id {integer}   URL access ID. range[0-4294967295]
                set address {string}   Host address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                set action {bypass | permit | block}   Action.
                        bypass  Allow the HTTP request and skip all further WAF scanning.
                        permit  Allow the HTTP request and continue further WAF scanning.
                        block   Block the HTTP request.
                set log {enable | disable}   Enable/disable logging.
                set severity {high | medium | low}   Severity.
                        high    High severity.
                        medium  Medium severity.
                        low     Low severity.
                config access-pattern
                    edit {id}
                    # URL access pattern.
                        set id {integer}   URL access pattern ID. range[0-4294967295]
                        set srcaddr {string}   Source address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                        set pattern {string}   URL pattern. size[511]
                        set regex {enable | disable}   Enable/disable regular expression based pattern match.
                        set negate {enable | disable}   Enable/disable match negation.
                    next
            next
        set comment {string}   Comment. size[1023]
    next
end