server-policy policy
Use this command to configure HTTP, FTP, and AD FS server policies.
FortiWeb applies only one server policy to each connection.
HTTP policy behavior varies by the operation mode. FTP and AD FS server policies are available only in Reverse Proxy mode. For details, see FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
When you switch the operation mode, FortiWeb deletes server policies from the configuration file if they are not applicable in the current operation mode. |
To determine which type of server policy to create, configure protocol {HTTP | FTP | ADFSPIP}. If you're planning to configure an FTP server policy, you'll need to confirm that system feature-visibility is enabled. For details, see system feature-visibility.
Before you configure an HTTP server policy, you can configure several policies and profiles:
- Configure a virtual server and server pool. For details, see server-policy vserver and server-policy server-pool.
- To route traffic based on headers in the HTTP layer, configure one or more HTTP content routing policies. For details, see server-policy http-content-routing-policy.
- To restrict traffic based upon which hosts you want to protect, configure a group of protected host names. For details, see server-policy allow-hosts.
- If you want the FortiWeb appliance to gather auto-learning data, generate or configure an auto-learning profile and its required components. For details, see waf web-protection-profile autolearning-profile and server-policy custom-application application-policy.
- If you plan to authenticate users, you need to configure users, user groups, and authentication rules and policy, and include the policy in an inline web protection profile. For details, see user ldap-user, user local-user, user ntlm-user, user user-group, waf http-authen http-authen-rule, and waf http-authen http-authen-policy.
- To apply a web protection profile to a server policy, you must first configure them. For details, see waf web-protection-profile inline-protection (Reverse Proxy mode or either of the transparent modes), or waf web-protection-profile offline-protection (Offline Protection mode) .
- If you want to use the FortiWeb appliance to apply SSL to connections instead of using physical servers, you must also import a server certificate or create a Server Name Indication (SNI) configuration. For details, see system certificate local, system certificate sni. , and system certificate urlcert.
- If you want the FortiWeb appliance to verify the certificate provided by an HTTP client to authenticate themselves, you must also define a certificate verification rule. If you want to specify whether a client is required to present a personal certificate or not based on the request URL, create a URL-based client certificate group. For details, see system certificate verify.
You can also use SNMP traps to notify you of policy status changes, or when a policy enforces your network usage policy. For details, see system snmp community.
Before you configure an FTP server policy, you need to:
- Configure an FTP command restriction rule. For details, see waf ftp-command-restriction-rule.
- Configure an FTP file check rule. For details, see waf ftp-file-security.
- Enable IP reputation intelligence. For details, see waf ip-intelligence.
- Create a geo IP rule. For details, see waf geo-block-list.
- Create an IP list. For details, see waf ip-list.
- Configure an FTP security inline profile. For details, see waf ftp-propredefined-global-white-listtection-profile.
Before you configure an AD FS server policy, you need to:
- Configure a virtual server and server pool. For details, see server-policy vserver and server-policy server-pool.server-policy vserver
- Import a certificate file and a CA file. For details, see system certificate local and system certificate ca.
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the traroutegrp
area. For details, see Permissions.
Syntax
edit "<policy_name>"
set allow-hosts "<hosts_name>"
set case-sensitive {enable | disable}
set certificate "<certificate_name>"
set client-certificate-forwarding {enable | disable}
set client-certificate-forwarding-sub-header "<header_str>"
set client-real-ip {enable | disable}
set client-timeout <seconds_int>
set data-capture-port <port_int>
set ftp-protection-profile <profile_name>
set half-open-threshold <packets_int>
set hsts-header {enable | disable}
set hsts-max-age <timeout_int>
set hsts-header {enable | disable}
set http-header-timeout <seconds_int>
set http-pipeline {enable | disable}
set http-to-https {enable | disable}
set https-service "<service_name>"
set implicit_ssl {enable | disable}
set intermediate-certificate-group "<CA-group_name>"
set internal-cookie-httponly {enable | disable}
set internal-cookie-secure {enable | disable}
set monitor-mode {enable | disable}
set noparse {enable | disable}
set ocspstapling {enable | disable}
set ocspstapling-group "<group_name>"
set policy-id
set prefer-current-session {enable |disable}
set protocol {HTTP | FTP | ADFSPIP}
set server-pool "<server-pool_name>"
set sessioncookie-enforce {enable | disable}
set sni-certificate "<sni_name>"
set sni-strict {enable | disable}
set ssl-cipher {medium | high | custom}
set ssl-client-verify "<verifier_name>"
set ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}
set ssl-noreg {enable | disable}
set ssl-quiet-shutdown {enable | disable}
set ssl-session-timeout <ssl-session-timeout_int>
set syncookie {enable | disable}
set tcp-recv-timeout <seconds_int>
set tls-v10 {enable | disable}
set tls-v11 {enable | disable}
set tls-v12 {enable | disable}
set tls-v13 {enable | disable}
set urlcert {enable | disable}
set urlcert-group "<urlcert-group_name>"
set waf-autolearning-profile "<profile_name>"
set web-protection-profile "<profile_name>"
set traffic-mirror {enable | disable}
set traffic-mirror-type {client-side | server-side| both-side}
set traffic-mirror-profile <traffic-mirror-profile_str>
set adfs-certificate-ssl-client-verify <adfs-certificate-ssl-client-verify_str>}
set adfs-certificate-service <adfs-certificate-service_str>}
set multi-certificate {enable | disable}
set certificate-group <certificate-group_str>}
config http-content-routing-list
edit <entry_index>
set content-routing-policy-name "<content-routing_name>"
set profile-inherit {enable | disable}
set web-protection-profile "<profile_name>"
next
end
next
end
Variable | Description | Default |
Enter the name of the policy. The maximum length is 63 characters. To display the list of existing policies, enter:
|
No default. | |
Enter the name of a protected hosts group to allow or reject connections based upon whether the To display the list of existing groups, enter:
If you do not select a protected hosts group, FortiWeb accepts pr blocks requests based upon other criteria in the policy or protection profile, but regardless of the Note: Unlike HTTP 1.1, HTTP 1.0 does not require the |
No default. | |
Enter the number of the physical network interface port that FortiWeb uses to send TCP For example, to send TCP
Available only when the operating mode is Offline Protection. |
No default. | |
Enable to differentiate uniform resource locators (URLs) according to upper case and lower case letters for features that act upon the URLs in the headers of HTTP requests, such as start page rules, black list rules, white list rules, and page access rules. For example, when enabled, an HTTP request involving |
No default. | |
Enter the name of the certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections. The maximum length is 63 characters. To display the list of existing certificates, enter:
If sni {enable | disable} is This option is used only if https-service "<service_name>" is configured. |
No default. | |
Enable to include the X.509 personal certificate presented by the client during the SSL/TLS handshake, if any, in an FortiWeb still validates the client certificate itself, but this can be useful if the web server requires the client certificate for the purpose of server-side identity-based functionality. |
disable
|
|
Enter a custom certificate header that will include the Base64 certificate of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server. |
x-client-cert |
|
Enter a custom subject header that will include the subject of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server. |
x-client-dn |
|
Enter By default, when the operation mode is Reverse Proxy, the source IP for connections between FortiWeb and back-end servers is the address of a FortiWeb network interface.
Note: To ensure FortiWeb receives the server's response, configure FortiWeb as the server’s gateway. Available only if the operating mode is Reverse Proxy. |
disable
|
|
Enter the amount of time (in seconds) that FortiWeb will keep open a connection with an idle client that isn't sending data. The valid range is 1–1200. A value of 0 means that there is no timeout. |
0 |
|
Enter a description or other comment. If the comment is more than one word or contains special characters, surround the comment with double quotes ( " ). The maximum length is 999 characters. |
No default. | |
Enter the network interface of incoming traffic that the policy attempts to apply a profile to. The IP address is ignored. Available only if the operating mode is offline inspection. |
||
deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} |
Specify the distribution method that FortiWeb uses when it forwards connections accepted by this policy.
|
No default. |
Enter the FTP security profile to apply to connections that this policy monitors. If you haven't created a profile yet, see waf ftp-propredefined-global-white-listtection-profile or instructions about creating one. |
No default. |
|
Enter the maximum number of TCP The valid range is 10–10,000. Available only when the operating mode is Reverse Proxy or True Transparent Proxy and syncookie {enable | disable} is enabled. |
8192
|
|
Select an HPKP profile, if any, to use to verify certificates when clients attempt to access a server. HPKP prevents attackers from carrying out Man in the Middle (MITM) attacks with forged certificates. Available only when the operating mode is Reverse Proxy. |
No default. | |
Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply, such as:
This header forces the client to use HTTPS for subsequent visits to this domain. If the certificate does not validate, it also causes a fatal connection error: the client’s web browser does not display any dialog that allows the user to override the certificate mismatch error and continue. Available only if https-service "<service_name>" is configured. |
disable
|
|
Enter the time to live in seconds for the HSTS header. Available only if hsts-header {enable | disable} is enabled. The valid range is 3,600–31,536,000. |
7776000
|
|
FortiWeb's HTTP/2 security inspection is only supported for Revers Proxy mode and True Transparent Proxy mode. This option enables FortiWeb operating in Reverse Proxy mode (see opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}) to negotiate HTTP/2 with clients via SSL ALPN (Application-Layer Protocol Negotiation) during the SSL handshake if the client's browser supports HTTP/2 protocol. With the HTTP/2 being enabled, FortiWebcan recognize HTTP/2 traffic and apply the security services to it. To enable HTTP/2 communication between the FortiWeb and back-end web servers for HTTP/2 inspections in Reverse Proxy mode, see http2 {enable | disable}. Available only when
When |
disable | |
Enter the amount of time (in seconds) that FortiWeb will wait for the whole HTTP request header after a client sets up a TCP connection. The valid range is 0–1200. A value of 0 means that there is no timeout. |
0 |
|
Specify whether FortiWeb accelerates transactions by bundling them inside the same TCP connection, instead of waiting for a response before sending/receiving the next request. This can increase performance when pages containing many images, scripts, and other auxiliary files are all hosted on the same domain, and therefore logically could use the same connection. When FortiWeb is operating in Reverse Proxy or True Transparent Proxy mode, it can automatically use HTTP pipelining for requests with the following characteristics:
|
enable |
|
Specify enable to automatically redirect all HTTP requests to the HTTPS service with the same URL and parameters. Also configure https-service and ensure service uses port 443 (the default). FortiWeb does not apply the protection profile for this policy (specified by web-protection-profile "<profile_name>") to the redirected traffic. Available only when the operation mode is Reverse Proxy. |
disable
|
|
Enter the custom or predefined service that defines the port number on which the virtual server receives HTTPS traffic. The maximum length is 63 characters. To display the list of existing services, enter:
Available only when the operating mode is Reverse Proxy. For other operation modes, use the server pool configuration to enable SSL inspection instead. |
No default. | |
Enter the name of an intermediate certificate authority (CA) group, if any, that FortiWeb uses to validate the CA signing chain in a client’s certificate. The maximum length is 63 characters. To display the list of existing groups, enter:
Available only if https-service "<service_name>" is configured. |
No default. | |
Enable to assign an |
enable |
|
Enable to assign a |
disable |
|
Enable to override deny and redirect actions defined in the server protection rules for the selected policy. This setting enables FortiWeb to log attacks without performing the deny or redirect action. Disable to allow FortiWeb to perform attack deny/redirect actions as defined by the server protection rules. |
disable
|
|
Enable this option to apply the server policy as a pure proxy, without parsing the content. In this case, the policy allows all traffic to pass through the FortiWeb appliance without applying any protection rules. See also debug application http and debug flow trace. This option applies to server policy only when the FortiWeb appliance operates in Reverse Proxy or True Transparent Proxy mode. Caution: Use this only during debugging and for as brief a period as possible. This feature disables many protection features. See also http-parse-error-output {enable | disable}. |
disable
|
|
Enable OCSP stapling for the certificate you specified in certificate "<certificate_name>". This option is available only if https-service "<service_name>" is configured. |
disable
|
|
Enter the custom OCSP group that defines the CA certificate and URL of the OCSP server corresponding to the certificate specified in certificate "<certificate_name>". For details, see system certificate remote. This option is available only if ocspstapling {enable | disable} is set to |
No default. | |
A 64-bit random integer assigned to each server policy. The When administrative domains (ADOMs) are enabled, ADOMs can create unique server policies with policy names that are identical to other server policies created by different ADOMs, so the |
No default. |
|
Enable to forward subsequent requests from an identified client connection to the same server pool as the initial connection from the client. This option allows FortiWeb to improve its performance by skipping the process of matching HTTP header content to content routing policies for connections it has already evaluated and routed. Available only when deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} is http-content-routing. |
disable
|
|
Select one of the following:
|
HTTP |
|
Enter the name of the server pool whose members receive the connections. To display the list of existing servers, enter:
This field is applicable only if deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} is Caution: Multiple virtual servers/policies can forward traffic to the same server pool. If you do this, consider the total maximum load of connections that all virtual servers forward to your server pool. This configuration can multiply traffic forwarded to your server pool, which can overload it and cause dropped connections. |
No default. | |
Enter the custom or predefined service that defines the port number on which the virtual server receives HTTP traffic. The maximum length is 63 characters. To display the list of existing services, enter:
Available only when the operating mode is Reverse Proxy. |
No default. | |
This option is useful if your environment uses TCP multiplexing, which combines HTTP requests from multiple clients in a single session for load balancing or other purposes.
For details about configuring session persistence, see server-policy persistence-policy. |
disable
|
|
Enable to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. For details, see system certificate sni. If you specify both a SNI configuration and a certificate, FortiWeb uses the certificate specified by certificate "<certificate_name>" when the requested domain does not match a value in the SNI configuration. If you enable sni-strict {enable | disable}, FortiWeb always ignores the value of certificate "<certificate_name>". Available only if https-service "<service_name>" is configured. |
disable
|
|
Enter the name of the Server Name Indication (SNI) configuration that specifies which certificate FortiWeb uses when encrypting or decrypting SSL-secured connections for a specified domain. The SNI configuration enables FortiWeb to present different certificates on behalf of the members of a pool according to the requested domain. If only one certificate is required to encrypt and decrypt traffic that this policy applies to, specify certificate "<certificate_name>" instead. Available only if https-service "<service_name>" is configured. |
No default. | |
Select to configure FortiWeb to ignore the value of certificate "<certificate_name>" when it determines which certificate to present on behalf of server pool members, even if the domain in a client request does not match a value in the specified SNI configuration. |
disable
|
|
Enable so that connections between clients and FortiWeb use SSL/TLS. Enabling |
disable |
|
Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or custom configuration. If custom, also specify This is not allowed to set to For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides Available only if https-service "<service_name>" is configured. |
medium
|
|
Enter the name of a certificate verifier, if any, to use when an HTTP client presents their personal certificate. If you do not select one, the client is not required to present a personal certificate. If the client presents an invalid certificate, the FortiWeb appliance does not allow the connection. To be valid, a client certificate must:
Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website. You can require that clients present a certificate alternatively or in addition to HTTP authentication. For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides The maximum length is 63 characters. To display the list of existing verifiers, type:
This option is used only if https-service "<service_name>" is configured. The client must support TLS 1.0, TLS 1.1, or TLS 1.2. |
No default. | |
Specify one or more cipher suites that FortiWeb allows. Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list. Valid values are: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-CCM8 ECDHE-ECDSA-AES128-CCM DHE-RSA-AES128-CCM8 DHE-RSA-AES128-CCM ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDHE-RSA-CAMELLIA256-SHA384 DHE-RSA-CAMELLIA256-SHA256 DHE-DSS-CAMELLIA256-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDHE-RSA-CAMELLIA128-SHA256 DHE-RSA-CAMELLIA128-SHA256 DHE-DSS-CAMELLIA128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA AES256-GCM-SHA384 AES256-CCM8 AES256-CCM AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES256-SHA256 CAMELLIA256-SHA256 AES128-SHA256 CAMELLIA128-SHA256 AES256-SHA CAMELLIA256-SHA AES128-SHA CAMELLIA128-SHA DHE-RSA-SEED-SHA ECDHE_RSA_DES_CBC3_SHA DES_CBC3_SHA |
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 |
|
Specify one or more TLS 1.3 cipher suites that FortiWeb allows. Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list. Valid values are: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256 |
TLS_AES_256_GCM_SHA384 |
|
Specify whether FortiWeb ignores requests from clients to renegotiate TLS or SSL. Protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server. Available only if https-service "<service_name>" is configured. |
enable
|
|
ssl-session-timeout <ssl-session-timeout_int>
|
When FortiWeb is configured as an SSL server, you can set SSL session timeout intervals via the CLI. This is available only in Reverse Proxy and True Transparent Proxy modes. | No default. |
Enable to allow the policy to be used when evaluating traffic for a matching policy. Note: You can use SNMP traps to notify you of changes to the policy’s status. For details, see system snmp community. |
No default. | |
Enable to detect TCP For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides Available only when the operating mode is Reverse Proxy or True Transparent Proxy. |
disable
|
|
Enter the amount of time (in seconds) that FortiWeb will wait for a client to send a request after the client sets up a TCP connection. The valid range is 0–300. A value of 0 means that there is no timeout. |
0 |
|
Specifies whether clients can connect securely to FortiWeb using the TLS 1.0 cryptographic protocol. This must be set to Available only if https-service "<service_name>" is configured. |
enable
|
|
Specifies whether clients can connect securely to FortiWeb using the TLS 1.1 cryptographic protocol. This must be set to Available only if https-service "<service_name>" is configured. |
enable
|
|
Specifies whether clients can connect securely to FortiWeb using the TLS 1.2 cryptographic protocol. Available only if https-service "<service_name>" is configured. |
enable
|
|
Specifies whether clients can connect securely to FortiWeb using the TLS 1.3 cryptographic protocol. Available only if https-service "<service_name>" is configured. |
enable
|
|
Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate. Available only if https-service "<service_name>" is configured. |
disable | |
Enter the URL-based client certificate group that determines whether a client is required to present a personal certificate. If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate. For details about creating a group, see system certificate urlcert. |
No default. | |
Specifies the maximum allowed length for an HTTP request with a URL that matches an entry in the URL-based client certificate group, in kilobytes. FortiWeb blocks any matching requests that exceed the specified size. This setting prevents a request from exceeding the maximum buffer size. The valid range is 16–128. |
No default. | |
Enter the name of a virtual server that provides the IP address and network interface of incoming traffic that FortiWeb routes and to which the policy applies a protection profile. The maximum length is 63 characters. To display the list of existing virtual servers, enter:
Available only if the operating mode is Reverse Proxy. |
No default. | |
Enter the name of the bridge that specifies the network interface of the incoming traffic that the policy applies a protection profile to. The maximum length is 15 characters. To display the list of existing bridges, enter:
Available only if the operating mode is True Transparent Proxy or Transparent Inspection. |
No default. | |
Enter the name of the auto-learning profile, if any, to use to discover attacks, URLs, and parameters in your web servers’ HTTP sessions. The maximum length is 63 characters. To display the list of existing profiles, enter:
You can view data gathered using an auto-learning profile in an auto-learning report and use it to generate inline or Offline Protection profiles. For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides This option appears only if deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} is |
No default. | |
Enter the name of the web protection or detection profile to apply to connections that this policy accepts. The maximum length is 63 characters. To display the list of existing profiles, enter:
|
No default. | |
Note: If the connection fails when you have selected a certificate verifier, verify that the certificate meets the web browser’s requirements. Web browsers may have their own certificate validation requirements in addition to FortiWeb requirements. For example, personal certificates for client authentication may be required to either:
If the certificate does not satisfy browser requirements, although it may be installed in the browser, when the FortiWeb appliance requests the client’s certificate, the browser may not display a certificate selection dialog to the user, or the dialog may not contain that certificate. In that case, verification fails. For browser requirements, see your web browser’s documentation. |
||
Enter the index number of the individual entry in the table. | No default. | |
Enter the name of a HTTP content routing policy that this server policy uses. To display the list of existing error pages, enter:
|
No default. | |
Enter yes to specify that FortiWeb applies the protection profile to any traffic that does not match conditions specified in the HTTP content routing policies. |
No default. | |
Enter enable to specify that FortiWeb applies the web protection profile for the server policy to connections that match the routing policy. |
disable
|
|
implicit_ssl {enable | disable}
|
Enable so that FortiWeb will communicate with the pool member using implicit SSL. | No default. |
ssl-quiet-shutdown {enable | disable}
|
For HTTPS connection, when disabled, FortiWeb sends ssl alert message to the client or server pool first, and then FIN. When enabled, FortiWeb directly sends FIN message instead of sending ssl alert message. |
disable
|
traffic-mirror {enable | disable}
|
Enable to send traffic to third party IPS/IDS
devices through network interfaces for traffic monitoring. Available only when protocol {HTTP | FTP | ADFSPIP} is HTTP . |
disable
|
traffic-mirror-profile <traffic-mirror-profile_str>
|
Select the mirror policy created. | No default. |
traffic-mirror-type {client-side | server-side| both-side}
|
Select the traffic mirror type. For True Transparent Proxy mode, only Client Side type is available, which only allows traffic from client side to be sent to IPS/IDS devices. For Reverse Proxy mode, you can select Client Side, Server Side, or Client and Server. |
No default. |
multi-certificate {enable | disable}
|
Enable to allow FortiWeb to use multiple local certificates. |
disable
|
adfs-certificate-service <adfs-certificate-service_str>}
|
Configure this option if the AD FS server requires client certificate for
authentication. Select the pre-defined service TLSCLIENTPORT if FortiWeb uses service port 49443 to listen the certification authentication requests. |
No default. |
adfs-certificate-ssl-client-verify <adfs-certificate-ssl-client-verify_str>}
|
Select the certificate validation rule you have created. | No default. |
certificate-group <certificate-group_str>}
|
Select the multi-certificate file you have created. |
No default. |
Example
This example configures a web protection server policy. FortiWeb forwards HTTPS connections received by the virtual server named virtual_ip1
to a server pool named apache1
, which contains a single physical server. FortiWeb uses the certificate named certificate1
during SSL negotiations with the client, then forwards traffic to the server pool.
config server-policy policy
edit "https-policy"
set deployment-mode server-pool
set vserver "virtual_ip1"
set server-pool "apache1"
set web-protection-profile "inline-protection1"
set https-service HTTPS
set certificate "certificate1"
set ssl-client-verify
set case-sensitive disable
set status enable
next
end
Related topics
- server-policy allow-hosts
- system certificate local
- system certificate remote
- server-policy http-content-routing-policy
- server-policy server-pool
- server-policy service custom
- server-policy vserver
- system snmp community
- system settings
- system v-zone
- waf web-protection-profile inline-protection
- waf web-protection-profile offline-protection
- debug application dssl
- debug application http
- debug application ssl
- debug application ustack
- debug flow filter
- policy