What’s new
The tables below list commands newly added for FortiWeb 6.2.0.
Command | Change |
---|---|
system global | |
`config system global set cert-expire-check-time <cert-expire-check-time_int> end` | New. Set the notification time (in days) before a certificate expires. The valid range is 0-365. A value of 0 disables the certificate expiration check; a value of 100 sends the notification 100 days before the certificate expires. |
`config waf xml-validation rule edit "<xml_rule_name>" set data-format {xml \| soap} set soap-attachment {allow \| disallow} next end` | New. Specify whether a SOAP message may carry attachments. Available only when the data format is SOAP. |
`config waf machine-learning-policy edit <waf machine-learning-policy_id> set threat-model {enable \| disable} next end` | New. Enable to scan detected anomalies and verify whether they are real attacks. The check is performed by the trained Support Vector Machine model. |
`config log attack-log set http2-parse-error-output {enable \| disable} end` | New. Enable only while debugging, to log errors from the HTTP/2 protocol parser. |
`config waf http-constraints-exceptions edit "<http-exception_name>" config http_constraints-exception-list edit <entry_index> set Internal-resource-limits-check {enable \| disable} set rpc-protocol-check {enable \| disable} next end next end` | New. Enable Internal-resource-limits-check to omit the constraint on the maximum number of internal resource limits enforced by the HTTP parser. Enable rpc-protocol-check to omit detection for traffic that uses the RPC protocol. |
debug dnsproxy list | |
`diagnose debug dnsproxy list` | New. Adds the update time and update interval to the output. |
fdnserver show | |
`execute fdnserver show` | New. Use this command to show the list of all current FDS servers. |
fdnserver delete | |
`execute fdnserver delete` | New. Use this command to delete all FDS servers. FortiWeb updates the FDS servers during the next update. |
`config system advanced set max-bot-alert-interval <interval_int> end` | New. Set the maximum interval at which FortiWeb sends an attack log during a bot attack. The valid range is 0-300 seconds. |
`config server-policy policy edit <policy_name> set proxy-protocol {enable \| disable} set use-proxy-protocol-addr {enable \| disable} set replacemsg <replacemsg_name> next end` | New. Add proxy protocol and replacement message settings. |
`config server-policy server-pool edit <server-pool_name> set proxy-protocol {enable \| disable} set proxy-protocol-version {v1 \| v2} next end` | New. Add proxy protocol and proxy protocol version settings. |
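
The two proxy protocol rows above cover accepting a PROXY header on the policy side and emitting one (v1 or v2) towards pool members. The following is an added example, not FortiWeb code: it builds a v1 header as a proxy emits it, parses one strictly on the receiving side, and shows what use-proxy-protocol-addr decides. The addresses are constructed, and v2 handling is limited to recognising the binary signature.

```python
# Added example (not FortiWeb code): PROXY protocol v1 on the wire, strict
# receiver-side validation, and what "use-proxy-protocol-addr" implies for which
# address is treated as the client. Sample addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# A v2 header starts with this 12-byte binary signature; v1 is ASCII "PROXY ...".
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
V1_MAX_LEN = 107  # maximum v1 header length including CRLF, per the spec


@dataclass
class ProxyInfo:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def build_v1_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Header a proxy prepends to the upstream connection (what a pool member receives with v1)."""
    family = "TCP4" if ipaddress.ip_address(src_ip).version == 4 else "TCP6"
    return f"PROXY {family} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def parse_v1_header(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Strictly parse a v1 header at the start of a connection.

    Returns (ProxyInfo or None, remaining bytes). A connection with no header is
    returned unchanged; a malformed header raises ValueError so the caller can drop it.
    """
    if data.startswith(V2_SIGNATURE):
        raise ValueError("PROXY protocol v2 header; this parser handles v1 only")
    if not data.startswith(b"PROXY "):
        return None, data  # plain connection, no proxy header
    end = data.find(b"\r\n", 0, V1_MAX_LEN)
    if end == -1:
        raise ValueError("v1 header not terminated by CRLF within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None, rest  # the proxy did not know the original addresses
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed v1 header: {fields!r}")
    _, family, src, dst, sport, dport = fields
    want = 4 if family == "TCP4" else 6
    for ip in (src, dst):  # ipaddress raises ValueError on garbage
        if ipaddress.ip_address(ip).version != want:
            raise ValueError(f"address {ip} does not match {family}")
    if not (sport.isdigit() and dport.isdigit()):
        raise ValueError("ports must be decimal integers")
    sport_i, dport_i = int(sport), int(dport)
    if not (0 <= sport_i <= 65535 and 0 <= dport_i <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(src, sport_i, dst, dport_i), rest


def client_address(data: bytes, peer_ip: str, use_proxy_protocol_addr: bool) -> Tuple[str, bytes]:
    """Decide which address counts as the client.

    With use_proxy_protocol_addr True, the address carried in the header is used for
    logging and policy; otherwise the TCP peer (the load balancer) is used. The
    header is consumed from the stream either way.
    """
    info, rest = parse_v1_header(data)
    if info is not None and use_proxy_protocol_addr:
        return info.src_ip, rest
    return peer_ip, rest
```

Strict parsing matters because the header is plain text at the very start of the stream: a receiver that accepts it from any peer, or tolerates a malformed line, ends up logging and enforcing a client-supplied address as if the load balancer had vouched for it. With use-proxy-protocol-addr disabled the header is still consumed, but policies see the TCP peer.

Command | Change |
---|---|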
`config server-policy pattern threat-weight set bot-deception {off \| low \| med \| high \| crit} set biometrics-based-detection {off \| low \| med \| high \| crit} set threshold-bot-detection {off \| low \| med \| high \| crit} set bot-detection {off \| low \| med \| high \| crit} set mobile-api-protection {off \| low \| med \| high \| crit} set json-protection {off \| low \| med \| high \| crit} set openapi-validation {off \| low \| med \| high \| crit} set cors-protection {off \| low \| med \| high \| crit} set site-publish {off \| low \| med \| high \| crit} end` | New. Set the threat weight for the newly added modules. |
`config server-policy vserver edit "<virtual-server_name>" config vip-list edit "<vip-list_id>" set interface "<interface_name>" set status {enable \| disable} set vip "<vip_str>" set use-interface-ip {enable \| disable} next end next end` | Update. Multiple virtual IPs can be attached to one virtual server, so the same server policy can apply to more than one IP address. |
`config waf bot-detection-policy edit <bot-detection-policy_ID> set policy-id <server-policy-id> set verification-method {Disable \| Real-Browser-Enforcement \| Captcha-Enforcement} set mobile-verification-method {Disable \| Mobile-Token-Validation} next end` | New. Add a Disable option for the verification method, so that FortiWeb does not verify whether the sample is indeed a bot. Add the mobile verification method. |
`config waf machine-learning-policy edit <waf machine-learning-policy_id> set learning-time <the-number-of-weeks> set anomaly-detection-threshold <anomaly-detection-threshold_int> set parameters-limit-per-conn {enable \| disable} set sample-collecting-mode {normal \| fast} set threat-model {enable \| disable} next end` | New. Add new settings for the machine learning policy. |
waf web-protection-profile offline-protection | |
`config waf web-protection-profile offline-protection edit "<offline-protection-profile_name>" set mobile-app-identification {enable \| disable} set token-secret <token-secret_str> set token-header <token-header_str> set mobile-api-protection <mobile-api-protection_name> next end` | New. Add more supported profiles. |
`config waf web-protection-profile inline-protection edit "<inline-protection-profile_name>" set mobile-app-identification {enable \| disable} set token-secret <token-secret_str> set token-header <token-header_str> set mobile-api-protection <mobile-api-protection_name> set bot-mitigate-policy <bot-mitigate-policy_name> set api-management-policy <api-management-policy_name> next end` | New. Add more supported profiles. |
`config waf mobile-api-protection-rule edit <mobile-api-protection-rule_name> set host-status {enable \| disable} set host <host_str> set action {alert \| deny_no_log \| alert_deny \| block-period} set block-period <block-period_int> set severity {High \| Medium \| Low \| Info} set trigger <trigger_policy_name> config url-list edit <url-list_id> set url-type {plain \| regular} set url-pattern <url-pattern_str> next end next end`<br>`config waf mobile-api-protection-policy edit <mobile-api-protection-policy_name> config rule-list edit <rule-list_id> set rule <rule_name> next end next end` | New. Configure mobile API protection rules and policies. |
`config waf ftp-file security edit "<rule_name>" set icap-server-check {enable \| disable} next end` | New. Enable so that FortiWeb sends files that match the configured upload or download direction to the ICAP server. |
`config waf site-publish-helper policy edit "<site-publish-policy_name>" set limit-users {enable \| disable} set maximum-users <integer> set session-idle-timeout <integer> next end` | New. Add settings that limit concurrent access to a user account. |
`config system vip edit <vip_name> set vip <ip&netmask> set vip6 <ip&netmask> set interface <interface_name> set index <the_index_number> next end` | New. Use this command to create virtual IP addresses. |
`config server-policy vserver edit "<virtual-server_name>" set status {enable \| disable} set interface "<interface_name>" set vip "<virtual-ip_ipv4mask>" set vip6 "<virtual-ip_ipv6mask>" set use-interface-ip {enable \| disable} next end` | Update. Updated to include VIP settings. |
`config system ha set mode {active-passive \| active-active-standard \| active-active-high-volume \| standalone} end` | New. Add the active-active-high-volume mode. |
`config system ha-node edit <HA_node_number> set <HA_node_device_SN> next end` | New. Use this command to allocate nodes to the active-active-high-volume HA group. |
`config system ha-traffic-distribution edit <traffic-distribution_name> set node-order <the_index_of_node_with_highest_priority> set node-order <the_index_of_node_with_secondary_priority> set node-order <the_index_of_node_with_third_priority> ... set vip-list <vip_names> next end` | New. Use this command to attach VIPs to different nodes in the HA group. |
`config system snmp community edit <community_index> set status {enable \| disable} set name "<community_str>" set events {cpu-high \| intf-ip \| log-full \| mem-low \| netlink-down-status \| netlink-up-status \| policy-start \| policy-stop \| pserver-failed \| sys-ha-cluster-status-change \| sys-ha-member-join \| sys-ha-member-leave \| sys-mode-change \| waf-access-attack \| waf-amethod-attack \| waf-blogin-attack \| waf-hidden-fields \| waf-pvalid-attack \| waf-signature-detection \| waf-url-access-attack \| waf-spage-attack \| power-supply-failure} next end` | New. Add a new event. |
`config system snmp user edit "<user_str>" set trapevent {cpu-high \| intf-ip \| log-full \| mem-low \| netlink-down-status \| netlink-up-status \| policy-start \| policy-stop \| pserver-failed \| sys-ha-cluster-status-change \| sys-ha-member-join \| sys-ha-member-leave \| sys-mode-change \| waf-access-attack \| waf-amethod-attack \| waf-blogin-attack \| waf-hidden-fields \| waf-pvalid-attack \| waf-signature-detection \| waf-url-access-attack \| waf-spage-attack \| power-supply-failure} next end` | New. Add a new event. |
`config system icapserver set server "<server_ipv4>" set cache-timeout <timeout_int> set port <port_int> set elog {enable \| disable} set service-name <name_str> set ssl {enable \| disable} end` | New. Use this command to configure FortiWeb to submit all files that match your upload restriction rules to the ICAP server. |
`config system feature-visibility set mobile-app-identification {enable \| disable} end` | New. Enable to make the JWT token secret and token header settings available; these verify that a request comes from a mobile application. |
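
The feature-visibility switch above exposes the token-secret and token-header settings used by the inline and offline protection profiles and by the mobile-token-validation options in the rate-limiting rules. The following added example, not FortiWeb code, shows what such a verification does using only the Python standard library: it reads the configured header, pins the algorithm, checks an HMAC-SHA256 (HS256) JWT signature against the shared secret, and honours the `exp` claim. HS256 and the claim names are assumptions; the page states only that the token is a JWT.

```python
# Added example (not FortiWeb code): verifying a mobile app's JWT taken from a
# configurable request header with a shared secret. HS256 and the claim names
# are assumptions; only the standard library is used.
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(secret: str, claims: dict) -> str:
    """Mint an HS256 JWT; included so the verifier below can be exercised offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(secret: str, token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, HS256-signed with `secret`, and unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None  # not base64url / not JSON
    # Pin the algorithm: a header claiming "none" or another alg is rejected before
    # any signature check, so the alg field cannot downgrade verification.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        return None
    return claims


def identify_mobile_request(headers: Dict[str, str], token_header: str, token_secret: str,
                            now: Optional[float] = None) -> Optional[dict]:
    """Look up the configured header (case-insensitively) and verify the token it carries."""
    token = next((v for k, v in headers.items() if k.lower() == token_header.lower()), None)
    if token is None:
        return None
    return verify_token(token_secret, token.strip(), now)
```

The shared secret is the whole trust anchor here: anyone who holds it can mint tokens, so the token-secret configured on FortiWeb must be the one embedded in the app's release build and rotated like any other credential.

Command | Change |
---|---|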
`config user kerberos-user edit "<kdc_name>" set realm "<realm_str>" set shortname <shortname_str> set status {enable \| disable} config server-members edit "<entry_index>" set server <server_str> set port <port_int> next end next end` | New. Add support for multiple servers in one KDC realm. |
`config log attack-log set packet-log {account-lockout-detection \| anti-virus-detection \| cookie-security \| credential-db-detection \| csrf-detection \| custom-access \| custom-protection-rule \| fsa-detection \| hidden-fields-failed \| http-protocol-constraints \| illegal-file-type \| illegal-filesize \| cors-protection \| json-protection \| ip-intelligence \| padding-oracle \| parameter-rule-failed \| signature-detection \| trojan-detection \| user-tracking-detection \| xml-protection \| machine-learning \| openapi-validation \| websocket-security \| mobile-api-protection} end` | New. Add new packet log types. |
`config system certificate ocsp-stapling edit <ocsp_name> set certificate "<certificate_name>" set local-cert "<certificate_name>" set comment <comment_str> set ocsp_url <url> next end` | Update. OCSP stapling now works as a global setting, and all local certificates are supported by OCSP. |
`config waf http-request-flood-prevention-rule edit "<rule_name>" set mobile-app-identification {disabled \| mobile-token-validation} set bot-confirmation {enable \| disable} next end` | New. Add |
`config waf layer4-access-limit-rule edit "<rule_name>" set mobile-app-identification {disabled \| mobile-token-validation} set bot-confirmation {enable \| disable} next end` | New. Add |
`config waf xml-validation rule edit "<xml_rule_name>" set data-format {xml \| soap} set soap-attachment {allow \| disallow} set ws-i-basic-profile-assertion {WSI1001 \| WSI1002 \| WSI1003 \| WSI1004 \| WSI1006 \| WSI1007 \| WSI1032 \| WSI1033 \| WSI1109 \| WSI1110 \| WSI1111 \| WSI1201 \| WSI1202 \| WSI1204 \| WSI1208 \| WSI1301 \| WSI1307 \| WSI1308 \| WSI1309 \| WSI1318 \| WSI1601 \| WSI1701} set ws-i-basic-profile-wsdl-assertion {WSI1008 \| WSI1116 \| WSI1211} next end` | New. Select the WS-I assertions that SOAP messages must adhere to. |
`config waf http-constraints-exceptions edit "<http-exception_name>" config http_constraints-exception-list edit <entry_index> set rpc-protocol-check {enable \| disable} next end next end` | New. Enable to omit detection for traffic that uses the RPC protocol. |
`config waf bot-deception edit <bot-deception-policy-name_str> set action {alert \| alert_deny \| block-period \| deny_no_log} set block-period <block_period_int> set deception-url <url_str> set severity {high \| medium \| low \| Info} set trigger <trigger_policy> config url-list edit <url-list_id> set host <host_str> set host-status {enable \| disable} set type {simple-string \| regex-expression} set url <url_str> next end next end` | New. Use this command to configure a bot deception policy that inserts a link into HTML response pages. |
`config waf biometrics-based-detection edit <biometrics-based-detection-name_str> set mouse-movement {enable \| disable} set click {enable \| disable} set screen-touch {enable \| disable} set keyboard {enable \| disable} set scroll {enable \| disable} set event-collection-time <time_int> set bot-effective-time <time_int> set action {alert \| alert_deny \| deny_no_log} set severity {high \| medium \| low \| Info} set trigger <trigger_policy> config url-list edit <url-list_id> set host <host_str> set host-status {enable \| disable} set type {simple-string \| regex-expression} set url <url_str> next end next end` | New. Use this command to configure the biometrics-based detection rule, which defines the client events to collect, the collection period, the request URL, and so on. |
`config waf bot-mitigate-policy edit <bot-mitigate-policy_name> set bot-deception <bot-deception_str> set biometrics-based-detection <biometrics-based-detection_str> set threshold-based-detection <threshold-based-detection_str> next end` | New. Use this command to combine the bot deception policy, the biometrics-based detection rule, and the threshold-based detection rule into one policy, and then apply that policy in the web protection profile for bot mitigation. |
`config waf file-upload-restriction-policy edit <file-upload-restriction-policy_name> set ... next end` | New. Add the ICAP server settings. |
`config waf threshold-based-detection edit "<policy_name>" set bot-recognition {disabled \| real-browser-enforcement \| captcha-enforcement} set mobile-app-identification {disabled \| mobile-token-validation} set bot-confirmation {enable \| disable} set validation-timeout <validation-timeout_int> set max-attempt-times <max-attempt-times_int> set crawler-detection {enable \| disable} set crawler-action {alert \| deny_no_log \| alert_deny \| block-period} set crawler-severity {High \| Medium \| Low \| Info} set crawler-trigger <crawler-trigger-policy_name> set crawler-occurrence-num <crawler-occurrence-num_int> set crawler-within <crawler-within_int> set crawler-block-period <crawler-block-period_int> set scanner-detection {enable \| disable} set scanner-action {alert \| deny_no_log \| alert_deny \| block-period} set scanner-severity {High \| Medium \| Low \| Info} set scanner-trigger <scanner-trigger-policy_name> set scanner-occurrence-num <scanner-occurrence-num_int> set scanner-within <scanner-within_int> set scanner-block-period <scanner-block-period_int> set slow-attack-detection {enable \| disable} set slow-attack-action {alert \| deny_no_log \| alert_deny \| block-period} set slow-attack-severity {High \| Medium \| Low \| Info} set slow-attack-trigger <slow-attack-trigger-policy_name> set slow-attack-occurrence-num <slow-attack-occurrence-num_int> set slow-attack-within <slow-attack-within_int> set slow-attack-http-transaction-timeout <slow-attack-http-transaction-timeout_int> set slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int> set slow-attack-block-period <slow-attack-block-period_int> set content-scraping-detection {enable \| disable} set content-scraping-action {alert \| deny_no_log \| alert_deny \| block-period} set content-scraping-severity {High \| Medium \| Low \| Info} set content-scraping-trigger <content-scraping-trigger-policy_name> set content-scraping-occurrence-num <content-scraping-occurrence-num_int> set content-scraping-within <content-scraping-within_int> set content-scraping-block-period <content-scraping-block-period_int> set brute-login-detection {enable \| disable} set brute-login-action {alert \| deny_no_log \| alert_deny \| block-period} set brute-login-severity {High \| Medium \| Low \| Info} set brute-login-trigger <brute-login-trigger-policy_name> set brute-login-occurrence-num <brute-login-occurrence-num_int> set brute-login-within <brute-login-within_int> set brute-login-request-file <brute-login-request-file_str> set brute-login-block-period <brute-login-block-period_int> next end` | New. Use this command to configure threshold-based detection rules, which define the occurrence count, time period, severity, trigger policy, and so on for each suspicious behavior; from these, FortiWeb judges whether the request comes from a human or a bot. |
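
Every detection item in the threshold-based rule above follows the same pattern: count occurrences of a behaviour within a time window and, when occurrence-num is reached inside within seconds, take the configured action, optionally blocking the source for block-period seconds. The following added example, not FortiWeb code, models that pattern as a sliding-window counter per source IP and applies it to brute-login detection, where only requests for the login file (brute-login-request-file) count as events. The request tuples are constructed, and the exact order in which FortiWeb evaluates these settings is an assumption.

```python
# Added example (not FortiWeb code): the occurrence-num / within / block-period
# pattern shared by the crawler, scanner, content-scraping and brute-login items,
# modelled as a sliding-window counter per source. Sample requests are constructed.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

ACTIONS = ("alert", "deny_no_log", "alert_deny", "block-period")


class ThresholdDetector:
    def __init__(self, occurrence_num: int, within: int, block_period: int,
                 action: str = "block-period"):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.occurrence_num = occurrence_num
        self.within = within
        self.block_period = block_period
        self.action = action
        self.events: Dict[str, Deque[float]] = defaultdict(deque)  # source -> event times
        self.blocked_until: Dict[str, float] = {}

    def observe(self, source: str, ts: float, matches: bool = True) -> str:
        """Return the verdict for one request; count it as an event only if `matches`."""
        until = self.blocked_until.get(source)
        if until is not None:
            if ts < until:
                return "blocked"  # every request from the source is dropped meanwhile
            del self.blocked_until[source]  # block period elapsed
        if not matches:
            return "pass"
        window = self.events[source]
        window.append(ts)
        while window and window[0] <= ts - self.within:  # drop events outside the window
            window.popleft()
        if len(window) >= self.occurrence_num:
            window.clear()  # count afresh after a hit
            if self.action == "block-period":
                self.blocked_until[source] = ts + self.block_period
            return self.action
        return "pass"


def run_brute_login(requests: List[Tuple[float, str, str]], login_file: str,
                    detector: ThresholdDetector) -> List[str]:
    """Apply brute-login detection to (timestamp, source_ip, path) tuples."""
    return [detector.observe(src, ts, matches=(path == login_file))
            for ts, src, path in requests]


if __name__ == "__main__":
    det = ThresholdDetector(occurrence_num=5, within=10, block_period=60)
    sample = [(t, "203.0.113.9", "/login") for t in range(6)]
    sample += [(7, "203.0.113.9", "/index.html"), (70, "203.0.113.9", "/login")]
    print(run_brute_login(sample, "/login", det))
```

A sliding window is what makes occurrence-num/within meaningful: five login requests spread over an hour never trip a "5 within 10 seconds" rule, while a burst does, and once the block period expires the source starts from a clean count rather than being re-blocked on its first request.

Command | Change |
---|---|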
`config waf x-forwarded-for edit "<x-forwarded-for_name>" set ip-location {left \| right} set skip-private-original-ip {enable \| disable} config ip-list edit <entry_index> set ip "<load-balancer_ip>" next end next end` | New. Enable to skip a private original IP that identifies the service used in the client's original request. |
`config waf api-policy edit <api-policy_name> config api-rule-list edit <api-rule-list_id> set api-rule-name <api-rule-name_str> next end next end` | New. Use this command to create an API gateway policy. |
`config waf api-rules edit <api-rules_name> set api-key-verification {enable \| disable} set allow-user-group <allow-user-group_name> set api-key-location {http-parameter \| http-header} set header-field-name <header-field-name_str> set parameter-name <parameter-name_str> set rate-limit-period <rate-limit-period_int> set rate-limit-requests <rate-limit-requests_int> set action {alert \| deny_no_log \| alert_deny \| block-period} set block-period <block-period_int> set severity {High \| Medium \| Low \| Info} set trigger-policy <trigger-policy_str> set host <host_str> set host-status {enable \| disable} config attach-http-header edit <attach-http-header_id> set http-header-item <http-header-item_str> next end config match-url-prefixes edit <match-url-prefixes_id> set frontend-prefix <frontend-prefix_str> set backend-prefix <backend-prefix_str> next end config sub-url-setting edit <sub-url-setting_id> set http-method {get \| post \| head \| options \| trace \| connect \| delete \| put \| patch \| any} set type {plain \| regular} set url-expression <url-expression_str> set api-key-verification {enable \| disable} set api-key-location {http-parameter \| http-header} set header-field-name <header-field-name_str> set parameter-name <parameter-name_str> set rate-limit-period <rate-limit-period_int> set rate-limit-requests <rate-limit-requests_int> set allow-user-group <allow-user-group_name> set api-key-inherit {enable \| disable} next end next end` | New. To restrict API access, use this command to configure rules covering API key verification, API key carryover, API user groups, sub-URL settings, and the action FortiWeb takes on an API call violation. |
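
The following added example, not FortiWeb code, models the checks an API rule implies against constructed API users: key extraction from the configured header or query parameter, user lookup, the allowed user group, the user's IP access list and HTTP referer list, and a per-user rate limit of rate-limit-requests per rate-limit-period. Class, function and field names are assumptions, not FortiWeb's, and the keys and addresses are constructed.

```python
# Added example (not FortiWeb code): the checks behind an API rule, run against
# constructed users. Names and the fixed-window rate limit are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class ApiUser:
    name: str
    api_key: str
    ip_access_list: List[str] = field(default_factory=list)     # CIDRs; empty = any source
    http_referer_list: List[str] = field(default_factory=list)  # URL prefixes; empty = any


@dataclass
class ApiRule:
    api_key_location: str                 # "http-header" or "http-parameter"
    header_field_name: str = "X-API-Key"
    parameter_name: str = "apikey"
    allow_user_group: Set[str] = field(default_factory=set)  # user names in the group
    rate_limit_period: int = 60           # seconds
    rate_limit_requests: int = 100        # requests per period; 0 = unlimited
    action: str = "alert_deny"


class RateLimiter:
    """Fixed window per user: at most `requests` calls in any `period`-second bucket."""
    def __init__(self, period: int, requests: int):
        self.period, self.requests = period, requests
        self.counts: Dict[Tuple[str, int], int] = {}

    def allow(self, user: str, now: float) -> bool:
        if self.requests <= 0:
            return True
        bucket = (user, int(now // self.period))
        self.counts[bucket] = self.counts.get(bucket, 0) + 1
        return self.counts[bucket] <= self.requests


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def extract_api_key(rule: ApiRule, headers: Dict[str, str], url: str) -> Optional[str]:
    if rule.api_key_location == "http-header":
        return _header(headers, rule.header_field_name)
    values = parse_qs(urlsplit(url).query).get(rule.parameter_name)
    return values[0] if values else None


def check_api_call(rule: ApiRule, users: List[ApiUser], limiter: RateLimiter,
                   headers: Dict[str, str], url: str, client_ip: str, now: float) -> Tuple[str, str]:
    """Return ("allow", user name) or (rule.action, reason) for one API call."""
    key = extract_api_key(rule, headers, url)
    if key is None:
        return rule.action, "missing-key"
    user = next((u for u in users if u.api_key == key), None)
    if user is None:
        return rule.action, "unknown-key"
    if user.name not in rule.allow_user_group:
        return rule.action, "user-not-in-group"
    src = ipaddress.ip_address(client_ip)
    if user.ip_access_list and not any(src in ipaddress.ip_network(n) for n in user.ip_access_list):
        return rule.action, "ip-not-allowed"
    referer = _header(headers, "Referer")
    if user.http_referer_list and not (referer and any(referer.startswith(p) for p in user.http_referer_list)):
        return rule.action, "referer-not-allowed"
    if not limiter.allow(user.name, now):
        return rule.action, "rate-limited"
    return "allow", user.name
```

The order is deliberate: cheap identity checks run before the rate limiter is charged, so an unknown key cannot exhaust a legitimate user's quota, and the IP and referer lists narrow a leaked key's usefulness to the places it was issued for.

Command | Change |
---|---|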
`config waf api-user-group edit <api-user-group_name> config user-list edit <user-list_id> set api-user-name <api-user-name_str> next end next end` | New. Use this command to create an API user group, which defines the permissions of the users in the group. |
`config waf api-users edit <api-user_name> set email <email_str> set comments <comments_str> set uuid <uuid_str> set api-key <api-key_str> set create-time <create-time_str> config ip-access-list edit <ip-access-list_id> set ip <ip_str> next end config http-referer-list edit <http-referer-list_id> set http-referer <http-referer_str> next end next end` | New. Use this command to define API users, so that access to APIs is restricted based on API keys. |
`config system replacemsg-image edit "<image_name>" set image-type {gif \| jpg \| png \| tiff} set image-base64 <image_code> next end` | New. Use this command to add images that the FortiWeb HTML web pages can use. These are the pages FortiWeb serves for blocking, authentication, and unavailable servers. |