CLI Reference

What’s new

The tables below list commands newly added for FortiWeb 6.1.1.

Command Change
system hsm info

config system hsm info

set register-status {enable | disable}

end

New.
Update the command name.
server-policy server-pool

config server-policy server-pool

edit <server-pool_name>

config pserver-list

edit <entry_index>

set tls-v13 {enable | disable}

set tls13-custom-cipher

next

end

next

end

New.
Add two commands.
server-policy policy

config server-policy policy

edit <policy_name>

set tls-v13 {enable | disable}

set tls13-custom-cipher

next

end

New.
Add two commands.
server-policy setting

config server-policy setting

set tls13-early-data-mode {enable | disable}

set record-content-routing-error-log {enable | disable}

set server-invalid-no-reponse {enable | disable}

end

New.

Add three commands.

log attack-log

config log attack-log

set status {enable | disable}

set http-parse-error-output {enable | disable}

set packet-log {account-lockout-detection | anti-virus-detection | cookie-security | credential-db-detection | csrf-detection | custom-access | custom-protection-rule | fsa-detection | hidden-fields-failed | http-protocol-constraints | illegal-file-type | illegal-filesize | cors-protection | json-protection | ip-intelligence | padding-oracle | parameter-rule-failed | signature-detection | trojan-detection | user-tracking-detection | xml-protection | machine-learning | openapi-validation | websocket-security}

end

New.
Add two fields, cors-protection and json-protection, for the packet log.
waf xml-exempted-urls

config waf xml-exempted-urls

edit "<xml-exempted-urls_name>"

config exempted-url-list

edit exempted-url-list <exempted-url-list_str>

set url-type {plain | regular}

set exempted-url <exempted-url_str>

next

end

next

end

New.
When the schema location check is configured to forbid use of the location field for malicious requests, use this command to exempt specific URLs from XML protection.
waf xml-validation

config waf xml-validation rule

edit "<xml_rule_name>"

set x-include-check {enable | disable}

set schema-location-check {enable | disable}

set schema-location-exempted-urls <schema-location-exempted-urls_str>

next

end

config waf xml-validation policy

edit "<xml_policy_name>"

set enable-signature-detection {enable | disable}

next

end

New.
Add SSRF attack detections.

waf web-protection-profile inline-protection

config waf web-protection-profile inline-protection

edit "<inline-protection-profile_name>"

set json-validation-policy "<json-validation-policy_name>"

set cors-protection-policy "<cors-protection-policy>"

next

end

New.
Add the JSON and CORS protection policy configurations.
waf web-protection-profile offline-protection

config waf web-protection-profile offline-protection

edit "<offline-protection-profile_name>"

set json-validation-policy "<json-validation-policy_name>"

next

end

New.
Add the JSON protection policy configuration.
server-policy pattern custom-global-white-list-group

config server-policy pattern custom-global-white-list-group

edit <entry_index>

set status {enable | disable}

set type {Cookie | Parameter | URL | Header_Field}

set header-type {plain | regular}

next

end

New.
Add the HTTP header field configuration.
waf http-constraints-exceptions

config waf http-constraints-exceptions

edit "<http-exception_name>"

config http_constraints-exception-list

edit <entry_index>

set null-byte-in-url-check {enable | disable}

set Illegal-byte-in-url-check {enable | disable}

set web-socket-protocol-check {enable | disable}

set odd-and-even-space-attack-check {enable | disable}

next

end

next

end

New.
Add more exceptions to HTTP constraints.
waf json-schema

config waf json-schema file

edit "<json_schema_file_name>"

end

New.
Use this command to view JSON schema files that have already been uploaded to FortiWeb.
waf json-validation

config waf json-validation rule

edit "<json_rule_name>"

set host-status {enable | disable}

set host "<host_name_str>"

set request-type {plain | regular}

set request-file "<file_str>"

set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

set block-period <period_int>

set severity {High | Low | Medium | Info}

set trigger "<trigger_policy_name>"

set schema-file "<schema_file_name>"

set json-limits {enable | disable}

set json-data-size "<json-data-size_int>"

set key-size "<key-size_int>"

set key-number "<key-number_int>"

set value-size "<value-size_int>"

set value-number-in-array "<value-number-in-array_int>"

set object-depth "<object-depth_int>"

next

end

config waf json-validation policy

edit "<json_policy_name>"

set enable-signature-detection {enable | disable}

config input-rule-list

edit "<input-rule-list_id>"

set json_input_rule "<json_input_rule_str>"

next

end

next

end

New.
Use this command to create JSON protection rules and configure JSON protection policies.
waf allowed-origins

config waf allowed-origins

edit <allowed-origin-list-name>

config origin-list

edit <origin-id>

set protocol {HTTP | HTTPS | ANY}

set origin-name <the_foreign_application_domain_name>

set port <port_number>

set include-sub-domains {enable | disable}

next

end

next

end

New.
Use this command to configure a list of foreign applications that are allowed to access your application through CORS requests.
waf cors-protection-rule

config waf cors-protection-rule

edit <cors-protection-rule-name>

set host-status {enable | disable}

set host <string>

set request-type {plain | regular}

set request-file <string>

set block-cors-traffic {enable | disable}

set allowed-origins-list <datasource>

set allowed-methods {enable | disable}

set allowed-credentials {none | false | true}

set allowed-maximum-age <integer>

config allowed-methods-list

edit <allowed-methods-list-id>

set method {get | post | head | trace | connect | delete | put | patch}

next

end

set allowed-headers {enable | disable}

config allowed-headers-list

edit <allowed-headers-list-id>

set header <string>

next

end

set exposed-headers {enable | disable}

config exposed-headers-list

edit <exposed-headers-list-id>

set header <string>

next

end

set remove-other-headers {enable | disable}

next

end

New.
Use this command to add CORS protection rules that block CORS traffic or place restrictions on it.
waf cors-protection-policy

config waf cors-protection-policy

edit <cors-protection-policy-name>

config rule-list

edit <cors-protection-rule-id>

set cors-rule <cors-protection-rule-name>

next

end

next

end

New.
Use this command to include one or more CORS protection rules in a CORS protection policy so that they can take effect as a whole.
waf ws-security

config waf ws-security rule

edit "<ws-security_rule_name>"

set encryption-algorithm {3EDS | AES-128 | AES-256}

set encryption-part {Element Value | Element Markup}

set key-transport-algorithm {RSA-15 | RSA-OAEP}

set request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify}

set request-security-status {enable | disable}

set response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign}

set response-security-status {enable | disable}

set signature-algorithm {RSA-SHA-1 | HMAC-SHA-1}

set xml-client-certificate-group <xml-client-certificate_group_str>

set xml-server-certificate <xml-server-certificate_str>

config namespace-mapping

edit "<namespace-mapping_name>"

set prefix <prefix_str>

set namespace <namespace_str>

next

end

config element-list

edit "<element-list_name>"

set xpath <xpath_str>

set direction {request | response}

next

end

next

end

New.
Use this command to create WS-security rules.
system certificate xml-client-certificate

config system certificate xml-client-certificate

edit "<xml-client-certificate_name>"

set certificate <certificate_str>

set secret-key <secret-key_str>

next

end

New.
Use this command to show names of the uploaded XML client certificates that are stored locally on the FortiWeb appliance.
system certificate xml-server-certificate

config system certificate xml-server-certificate

edit "<xml-server-certificate_name>"

set certificate <certificate_str>

set private-key <private-key_str>

set passwd <passwd_str>

next

end

New.
Use this command to show names of the uploaded XML server certificates that are stored locally on the FortiWeb appliance.
system certificate xml-client-certificate-group

config system certificate xml-client-certificate-group

edit "<xml-client-certificate-group_name>"

config members

edit <entry_index>

set client-name <name_str>

next

end

next

end

New.
Use this command to group XML client certificates.

system feature-visibility

config system feature-visibility

set adfs-policy {enable | disable}

end

New.

Use this command to enable the ADFS feature.

system manager-mode

config system manager

set callback-interval <integer>

next

end

New.

Use this command to configure the callback interval.

system fabric-connectors

config system fabric-connectors

set name <string>

set type {oci | azure}

set tenant-ocid <string>

set user-ocid <string>

set compartment-ocid <string>

set loadbalancer-ocid <string>

set server-region {ca-toronto-server | eu-frankfurt-server | uk-london-server | us-ashburn-server | us-phoenix-server | ap-tokyo-server | ap-seoul-server}

set private-key <userdef>

set rg-name <string>

set sub-id <string>

set tenant-id <string>

set pass <passwd>

set app-id <string>

set nicFWBA <string>

set nicFWBB <string>

set public-ip <string>

end

New.

Use this command to notify the load balancer to distribute traffic to the new master node when a failover occurs.
