
waf start-pages

Use this command to configure start page rules.

When a start page group is selected in the inline protection profile, HTTP clients must begin from a valid start page in order to initiate a valid session.

For example, you may wish to specify that HTTP clients of an e-commerce website must begin their session from either an item view or the first stage of the shopping cart checkout, and cannot begin a valid session from the third stage of the shopping cart checkout.

To apply start pages, select them within an inline protection profile. For details, see waf web-protection-profile inline-protection.

Before you configure a start page rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.

You can use SNMP traps to notify you when a start page rule is enforced. For details, see system snmp community.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf start-pages

edit "<start-page-rule_name>"

set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

set block-period <seconds_int>

set severity {Low | Medium | High | Info}

set trigger "<trigger-policy_name>"

config start-page-list

edit <entry_index>

set host "<protected-hosts_name>"

set host-status {enable | disable}

set request-file "<url_str>"

set request-type {plain | regular}

set default {yes | no}

next

end

next

end

Variable Description Default

"<start-page-rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

Select one of the following actions that the FortiWeb appliance will perform when an HTTP request that initiates a session does not begin with one of the allowed start pages.

  • alert—Accept the request and generate an alert email and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.

  • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.

  • deny_no_log—Deny a request. Do not generate a log message.

Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

No default.

block-period <seconds_int>

If action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log} is block-period, specify the number of seconds that the connection will be blocked. The valid range is 1–3,600.

1

severity {Low | Medium | High | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs.

Low

trigger "<trigger-policy_name>"

Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.

No default.

host "<protected-hosts_name>"

Enter the name of a protected host that the Host: field of an HTTP request must match in order for the request to match the start page rule. The maximum length is 256 characters.

This setting applies only if host-status {enable | disable} is enable.

No default.

host-status {enable | disable}

Enable to apply this start page rule only to HTTP requests for specific web hosts. Also configure host "<protected-hosts_name>".

Disable to match the start page rule based upon the other criteria, such as the URL, but regardless of the Host: field.

disable

request-file "<url_str>"

Depending on your selection in request-type {plain | regular}, enter either:

  • The literal URL, such as /index.php, that the HTTP request must contain in order to match the start page rule. The URL must begin with a slash ( / ).
  • A regular expression, such as ^/*.php, matching all and only the URLs to which the start page rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.

Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-hosts_name>". The maximum length is 256 characters.

Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

No default.

request-type {plain | regular}

Select whether request-file "<url_str>" will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular).

plain

default {yes | no}

Enter yes to use the page as the default for HTTP requests that either:

  • Do not specify a URL.
  • Do not specify the URL of a valid start page (only if you have selected redirect from action).

Otherwise, enter no.

no

Example

This example redirects clients to the default start page, /index.html, if clients request a page that is not one of the valid start pages (/index.html or /cart/login.jsp). Redirection will occur only if the request is destined for one of the virtual or real hosts defined in the protected hosts group named example_com_hosts.

config waf start-pages

edit "start-page-rule1"

set action redirect

config start-page-list

edit 1

set host "example_com_hosts"

set host-status enable

set request-file "/index.html"

set default yes

next

edit 2

set host "example_com_hosts"

set host-status enable

set request-file "/cart/login.jsp"

set default no

next

end

next

end
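The following Python model, added here and not FortiWeb code, shows how the start-page-list settings above combine when a session-initiating request is evaluated: host-status restricts an entry to a protected hosts group, request-type decides literal versus regular-expression matching, and the entry marked default becomes the redirect target. The PROTECTED_HOSTS map, the regular-expression entry and the exact-path comparison for plain entries are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a protected hosts group (server-policy allow-hosts):
# group name -> the Host: header values it covers.
PROTECTED_HOSTS = {"example_com_hosts": {"example.com", "www.example.com"}}


@dataclass
class StartPage:
    """One start-page-list entry: request-file, request-type, host, host-status, default."""
    request_file: str
    request_type: str = "plain"  # plain = literal URL, regular = regular expression
    host: str = ""               # protected hosts group name (host "<protected-hosts_name>")
    host_status: bool = False    # enable: entry applies only to hosts in that group
    default: bool = False        # yes: redirect target when no start page matches

    def __post_init__(self):
        # The reference notes that patterns beginning with '!' are not supported.
        if self.request_type == "regular" and self.request_file.startswith("!"):
            raise ValueError("regular expressions beginning with '!' are not supported")

    def matches(self, req_host: str, req_path: str) -> bool:
        if self.host_status and req_host not in PROTECTED_HOSTS.get(self.host, ()):
            return False
        if self.request_type == "plain":
            return req_path == self.request_file  # assumption: exact path comparison
        return re.search(self.request_file, req_path) is not None


@dataclass
class StartPageRule:
    action: str  # alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log
    pages: list

    def evaluate(self, req_host: str, req_path: str) -> str:
        """Disposition of a request that initiates a new session."""
        if any(p.matches(req_host, req_path) for p in self.pages):
            return "allow"
        if self.action == "redirect":
            default = next((p for p in self.pages if p.default), None)
            return f"redirect:{default.request_file}" if default else "redirect"
        return self.action


# The rule from the Example section, plus one constructed regular-expression entry.
RULE = StartPageRule("redirect", [
    StartPage("/index.html", host="example_com_hosts", host_status=True, default=True),
    StartPage("/cart/login.jsp", host="example_com_hosts", host_status=True),
    StartPage(r"^/catalog/item\d+\.html$", request_type="regular"),  # constructed, any host
])
```

A request for /cart/checkout/step3 on www.example.com matches no entry and is redirected to /index.html, while the same rule with action send_403_forbidden would return that action instead.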

Related topics