CLI Reference

What’s new

The tables below list commands newly added for FortiWeb 6.2.0.

Command Change
system global  

config system global

set cert-expire-check-time <cert-expire-check-time_int>

end

New.

Set the notification time (in days) before the certificate expires. The valid range is 0-365. A value of 0 disables the certificate expiration check; a value of 100 sends the notification 100 days before the certificate expires.

waf xml-validation

 

config waf xml-validation rule

edit "<xml_rule_name>"

set data-format {xml | soap}

set soap-attachment {allow | disallow}

next

end

New.

Specify whether the SOAP message can carry attachments.

Available only when the data format is SOAP.

waf machine-learning-policy

 

config waf machine-learning-policy

edit <waf machine-learning-policy_id>

set threat-model {enable | disable}

end

New.

Enable to scan anomalies to verify whether they are attacks: the trained Support Vector Machine model provides a way to check whether an anomaly is a real attack.

log attack-log

 

config log attack-log

set http2-parse-error-output {enable | disable}

end

New.

Enable while debugging only, to log errors of the HTTP/2 protocol parser.

waf http-constraints-exceptions

 

config waf http-constraints-exceptions

edit "<http-exception_name>"

config http_constraints-exception-list

edit <entry_index>

set Internal-resource-limits-check {enable | disable}

set rpc-protocol-check {enable | disable}

next

end

next

end

New.

Enable to omit the internal resource limits check that constrains the maximum number of resources allowed by the HTTP parser.

Enable to omit detecting traffic that uses the RPC protocol.

waf http-protocol-parameter-restriction

New.

Enable to detect violations of the internal resource limits that constrain the maximum number of resources allowed by the HTTP parser.

Enable to detect traffic that uses the RPC protocol.

debug dnsproxy list

diagnose debug dnsproxy list

New.

Add the update time and update interval information to the output.

fdnserver show

execute fdnserver show

New.

Use this command to show the list of all current FDS servers.

fdnserver delete

execute fdnserver delete

New.

Use this command to delete all FDS servers. FortiWeb will update the FDS servers during the next update.

system advanced

 

config system advanced

set max-bot-alert-interval <interval_int>

end

New.

Type the maximum interval, in seconds, at which FortiWeb sends an attack log during a bot attack. The valid range is 0-300 seconds.

server-policy policy

 

config server-policy policy

edit <policy_name>

set proxy-protocol {enable | disable}

set use-proxy-protocol-addr {enable | disable}

set replacemsg <replacemsg_name>

next

end

New.

Add proxy protocol and replacement message configuration.

server-policy server-pool

 

config server-policy server-pool

edit <server-pool_name>

set proxy-protocol {enable | disable}

set proxy-protocol-version {v1 | v2}

next

end

New.

Add proxy protocol and proxy protocol version configuration.

server-policy pattern threat-weight

 

config server-policy pattern threat-weight

set bot-deception {off | low | med | high | crit}

set biometrics-based-detection {off | low | med | high | crit}

set threshold-bot-detection {off | low | med | high | crit}

set bot-detection {off | low | med | high | crit}

set mobile-api-protection {off | low | med | high | crit}

set json-protection {off | low | med | high | crit}

set openapi-validation {off | low | med | high | crit}

set cors-protection {off | low | med | high | crit}

set site-publish {off | low | med | high | crit}

end

New.

Set threat weight for more new modules.

server-policy vserver

 

config server-policy vserver

edit "<virtual-server_name>"

config vip-list

edit "<vip-list_id>"

set interface "<interface_name>"

set status {enable | disable}

set vip "<vip_str>"

set use-interface-ip {enable | disable}

next

end

next

end

Update.

Multiple virtual IPs can be attached to one virtual server so that you can apply the same server policy to more than one IP address.

 

waf bot-detection-policy

 

config waf bot-detection-policy

edit <bot-detection-policy_ID>

set policy-id <server-policy-id>

set verification-method {Disable | Real-Browser-Enforcement | Captcha-Enforcement}

set mobile-verification-method {Disable | Mobile-Token-Validation}

next

end

New.

Add a Disable option to the verification method so that the system does not verify whether the sample is indeed a bot.

Add a mobile verification method.

waf machine-learning-policy

 

config waf machine-learning-policy

edit <waf machine-learning-policy_id>

set learning-time <the-number-of-weeks>

set anomaly-detection-threshold <anomaly-detection-threshold_int>

set parameters-limit-per-conn {enable | disable}

set sample-collecting-mode {normal | fast}

set threat-model {enable | disable}

end

New.

Add new configurations for the machine learning policy.

waf web-protection-profile offline-protection

 

config waf web-protection-profile offline-protection

edit "<offline-protection-profile_name>"

set mobile-app-identification {enable | disable}

set token-secret <token-secret_str>

set token-header <token-header_str>

set mobile-api-protection <mobile-api-protection_name>

next

end

New.

Add more supported profiles.

waf web-protection-profile inline-protection

 

config waf web-protection-profile inline-protection

edit "<inline-protection-profile_name>"

set mobile-app-identification {enable | disable}

set token-secret <token-secret_str>

set token-header <token-header_str>

set mobile-api-protection <mobile-api-protection_name>

set bot-mitigate-policy <bot-mitigate-policy_name>

set api-management-policy <api-management-policy_name>

next

end

New.

Add more supported profiles.

 

waf mobile-api-protection

 

config waf mobile-api-protection-rule

edit <mobile-api-protection-rule_name>

set host-status {enable | disable}

set host <host_str>

set action {alert | deny_no_log | alert_deny | block-period}

set block-period <block-period_int>

set severity {High | Medium | Low | Info}

set trigger <trigger_policy_name>

config url-list

edit <url-list_id>

set url-type {plain | regular}

set url-pattern <url-pattern_str>

next

end

next

end

 

config waf mobile-api-protection-policy

edit <mobile-api-protection-policy_name>

config rule-list

edit <rule-list_id>

set rule <rule_name>

next

end

next

end

New.

Configure mobile API protection rules and policies.

 

waf ftp-file-security

 

config waf ftp-file-security

edit "<rule_name>"

set icap-server-check {enable | disable}

 

next

end

New.

Enable so that FortiWeb sends files that match the configured upload or download direction to the ICAP server.

waf site-publish-helper policy

 

config waf site-publish-helper policy

edit "<site-publish-policy_name>"

set limit-users {enable | disable}

set maximum-users <integer>

set session-idle-timeout <integer>

next

end

New.

Add settings that limit concurrent access to a single user account.

system vip

 

config system vip

edit <vip_name>

set vip <ip&netmask>

set vip6 <ip&netmask>

set interface <interface_name>

set index <the_index_number>

next

end

New.

Use this command to create Virtual IP addresses.

server-policy vserver

 

config server-policy vserver

edit "<virtual-server_name>"

set status {enable | disable}

set interface "<interface_name>"

set vip "<virtual-ip_ipv4mask>"

set vip6 "<virtual-ip_ipv6mask>"

set use-interface-ip {enable | disable}

next

end

Update.

Update this command to include VIP.

system ha

 

config system ha

set mode {active-passive | active-active-standard | active-active-high-volume | standalone}

end

New.

Add active-active-high-volume mode.

system ha-node

 

config system ha-node

edit <HA_node_number>

set <HA_node_device_SN>

next

end

New.

Use this command to allocate nodes to the active-active-high-volume HA group.

system ha-traffic-distribution

 

config system ha-traffic-distribution

edit <traffic-distribution_name>

set node-order <the_index_of_node_with_highest_priority>

set node-order <the_index_of_node_with_secondary_priority>

set node-order <the_index_of_node_with_third_priority>

...

set vip-list <vip_names>

next

end

New.

Use this command to attach VIP to different nodes in the HA group.

system snmp community

 

config system snmp community

edit <community_index>

set status {enable | disable}

set name "<community_str>"

set events {cpu-high | intf-ip | log-full | mem-low | netlink-down-status | netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-cluster-status-change | sys-ha-member-join | sys-ha-member-leave | sys-mode-change | waf-access-attack | waf-amethod-attack | waf-blogin-attack | waf-hidden-fields | waf-pvalid-attack | waf-signature-detection | waf-url-access-attack | waf-spage-attack | power-supply-failure}

next

end

New.

Add a new event power-supply-failure.

system snmp user

 

config system snmp user

edit name "<user_str>"

set trapevent {cpu-high | intf-ip | log-full | mem-low | netlink-down-status | netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-cluster-status-change | sys-ha-member-join | sys-ha-member-leave | sys-mode-change | waf-access-attack | waf-amethod-attack | waf-blogin-attack | waf-hidden-fields | waf-pvalid-attack | waf-signature-detection | waf-url-access-attack | waf-spage-attack | power-supply-failure}

next

end

New.

Add a new event power-supply-failure.

system icapserver

 

config system icapserver

set server "<server_ipv4>"

set cache-timeout <timeout_int>

set port <port_int>

set elog {enable | disable}

set service-name <name_str>

set ssl {enable | disable}

end

New.

Use this command to configure FortiWeb to submit all files that match your upload restriction rules to the ICAP server.

system feature-visibility

 

config system feature-visibility

set mobile-app-identification {enable | disable}

end

New.

Enable to configure the JWT token secret and token header to verify a request from a mobile application.
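The mobile-app-identification settings above (and the token-secret / token-header options in the inline and offline protection profiles) describe the check only in one sentence. The following is an added example, not FortiWeb code, showing what verifying such a request looks like: the value of the configured header is treated as an HS256 JWT, the signature is checked with the shared secret, the algorithm is pinned so an attacker-supplied "none" header is rejected, and a missing or past exp claim fails the check. The header name, secret and claims in the demo are constructed values; how FortiWeb actually validates the token is an assumption here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


def _b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, secret: str) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_token(token: str, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if `token` is a valid, unexpired HS256 JWT, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64url or JSON: not a token we accept
    # Pin the algorithm: the header is attacker-controlled, so "none" or any
    # algorithm other than the one configured must never be honoured.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        return None  # a missing or past expiry is a failure, not a pass
    return claims


def identify_mobile_app(headers: Dict[str, str], token_header: str, secret: str,
                        now: Optional[float] = None) -> Optional[dict]:
    """Look up the configured token header (HTTP header names are
    case-insensitive) and verify its value with the shared secret."""
    for name, value in headers.items():
        if name.lower() == token_header.lower():
            return verify_hs256_token(value.strip(), secret, now)
    return None  # no token header at all: the request is not identified


if __name__ == "__main__":
    # Constructed sample: a token a mobile app would attach to its request.
    demo_secret = "example-shared-secret"
    demo_token = make_hs256_token({"sub": "mobile-app-1", "exp": 2_000_000_000}, demo_secret)
    print(identify_mobile_app({"X-Mobile-Token": demo_token}, "X-Mobile-Token", demo_secret))
```

The two checks worth keeping in mind operationally are the algorithm pin and the expiry: a verifier that reads `alg` from the token, or that treats a missing `exp` as "never expires", accepts tokens it should reject.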

user kerberos-user

 

config user kerberos-user

edit "<kdc_name>"

set realm "<realm_str>"

set shortname <shortname _str>

set status {enable | disable}

config server-members

edit "<entry_index>"

set server <server_str>

set port <port_int>

next

end

next

end

New.

Add multiple servers support in one KDC realm.

log attack-log

 

config log attack-log

set packet-log {account-lockout-detection | anti-virus-detection | cookie-security | credential-db-detection | csrf-detection | custom-access | custom-protection-rule | fsa-detection | hidden-fields-failed | http-protocol-constraints | illegal-file-type | illegal-filesize | cors-protection | json-protection | ip-intelligence | padding-oracle | parameter-rule-failed | signature-detection | trojan-detection | user-tracking-detection | xml-protection | machine-learning | openapi-validation | websocket-security | mobile-api-protection}

end

Add new packet log mobile-api-protection.

 

system certificate ocsp-stapling

 

config system certificate ocsp-stapling

edit <ocsp_name>

set certificate "<certificate_name>"

set local-cert "<certificate_name>"

set comment <comment_str>

set ocsp_url <url>

next

end

Update.

OCSP stapling now works as a global setting, and all local certificates are supported by OCSP.

waf http-request-flood-prevention-rule

 

config waf http-request-flood-prevention-rule

edit "<rule_name>"

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

next

end

New.

Add mobile-app-identification and bot-confirmation settings.

 

waf layer4-access-limit-rule

 

config waf layer4-access-limit-rule

edit "<rule_name>"

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

next

end

New.

Add mobile-app-identification and bot-confirmation settings.

waf xml-validation

 

config waf xml-validation rule

edit "<xml_rule_name>"

set data-format {xml | soap}

set soap-attachment {allow | disallow}

set ws-i-basic-profile-assertion {WSI1001 | WSI1002 | WSI1003 | WSI1004 | WSI1006 | WSI1007 | WSI1032 | WSI1033 | WSI1109 | WSI1110 | WSI1111 | WSI1201 | WSI1202 | WSI1204 | WSI1208 | WSI1301 | WSI1307 | WSI1308 | WSI1309 | WSI1318 | WSI1601 | WSI1701}

set ws-i-basic-profile-wsdl-assertion {WSI1008 | WSI1116 | WSI1211}

next

end

New.

Select the WS-I Basic Profile assertions that SOAP messages must adhere to.

waf http-constraints-exceptions

 

config waf http-constraints-exceptions

edit "<http-exception_name>"

config http_constraints-exception-list

edit <entry_index>

set rpc-protocol-check {enable | disable}

next

end

next

end

New.

Enable to omit detecting traffic that uses the RPC protocol.

waf bot-deception

 

config waf bot-deception

edit <bot-deception-policy-name_str>

set action {alert | alert_deny | block-period | deny_no_log}

set block-period <block_period_int>

set deception-url <url_str>

set severity {high | medium | low | Info}

set trigger <trigger_policy>

config url-list

edit <url-list_id>

set host <host_str>

set host-status {enable | disable}

set type {simple-string | regex-expression}

set url <url_str>

next

end

next

end

New.

Use this command to configure a bot deception policy that inserts a link into HTML response pages.

waf biometrics-based-detection

 

config waf biometrics-based-detection

edit <biometrics-based-detection-name_str>

set mouse-movement {enable | disable}

set click {enable | disable}

set screen-touch {enable | disable}

set keyboard {enable | disable}

set scroll {enable | disable}

set event-collection-time <time_int>

set bot-effective-time <time_int>

set action {alert | alert_deny | deny_no_log}

set severity {high | medium | low | Info}

set trigger <trigger_policy>

config url-list

edit <url-list_id>

set host <host_str>

set host-status {enable | disable}

set type {simple-string | regex-expression}

set url <url_str>

next

end

next

end

New.

Use this command to configure the biometrics based detection rule, which defines the client events to collect, the collection period, the request URL, and so on.

waf bot-mitigation-policy

 

config waf bot-mitigate-policy

edit <bot-mitigate-policy_name>

set bot-deception <bot-deception_str>

set biometrics-based-detection <biometrics-based-detection_str>

set threshold-based-detection <threshold-based-detection_str>

next

end

New.

Use this command to combine a bot deception policy, a biometrics based detection rule, and a threshold based detection rule into one policy, and then apply that policy in the web protection profile for bot mitigation.

waf file-upload-restriction-policy

 

config waf file-upload-restriction-policy

edit <file-upload-restriction-policy_name>

...

next

end

New.

Add the ICAP server configurations.

waf threshold-based-detection

 

config waf threshold-based-detection

edit "<policy_name>"

set bot-recognition {disabled | real-browser-enforcement | captcha-enforcement}

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

set validation-timeout <validation-timeout_int>

set max-attempt-times <max-attempt-times_int>

set crawler-detection {enable | disable}

set crawler-action {alert | deny_no_log | alert_deny | block-period}

set crawler-severity {High | Medium | Low | Info}

set crawler-trigger <crawler-trigger-policy_name>

set crawler-occurrence-num <crawler-occurrence-num_int>

set crawler-within <crawler-within_int>

set crawler-block-period <crawler-block-period_int>

set scanner-detection {enable | disable}

set scanner-action {alert | deny_no_log | alert_deny | block-period}

set scanner-severity {High | Medium | Low | Info}

set scanner-trigger <scanner-trigger-policy_name>

set scanner-occurrence-num <scanner-occurrence-num_int>

set scanner-within <scanner-within_int>

set scanner-block-period <scanner-block-period_int>

set slow-attack-detection {enable | disable}

set slow-attack-action {alert | deny_no_log | alert_deny | block-period}

set slow-attack-severity {High | Medium | Low | Info}

set slow-attack-trigger <slow-attack-trigger-policy_name>

set slow-attack-occurrence-num <slow-attack-occurrence-num_int>

set slow-attack-within <slow-attack-within_int>

set slow-attack-http-transaction-timeout <slow-attack-http-transaction-timeout_int>

set slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int>

set slow-attack-block-period <slow-attack-block-period_int>

set content-scraping-detection {enable | disable}

set content-scraping-action {alert | deny_no_log | alert_deny | block-period}

set content-scraping-severity {High | Medium | Low | Info}

set content-scraping-trigger <content-scraping-trigger-policy_name>

set content-scraping-occurrence-num <content-scraping-occurrence-num_int>

set content-scraping-within <content-scraping-within_int>

set content-scraping-block-period <content-scraping-block-period_int>

set brute-login-detection {enable | disable}

set brute-login-action {alert | deny_no_log | alert_deny | block-period}

set brute-login-severity {High | Medium | Low | Info}

set brute-login-trigger <brute-login-trigger-policy_name>

set brute-login-occurrence-num <brute-login-occurrence-num_int>

set brute-login-within <brute-login-within_int>

set brute-login-request-file <brute-login-request-file_str>

set brute-login-block-period <brute-login-block-period_int>

next

end

New.

Use this command to configure threshold based detection rules, which define the occurrence count, time period, severity, trigger policy, and so on for each suspicious behavior; from these FortiWeb judges whether a request comes from a human or a bot.

waf x-forwarded-for

 

config waf x-forwarded-for

edit "<x-forwarded-for_name>"

set ip-location {left | right}

set skip-private-original-ip {enable | disable}

config ip-list

edit <entry_index>

set ip "<load-balancer_ip>"

next

end

next

end

New.

Enable to skip private IP addresses when determining the client's original IP from the X-Forwarded-For header.
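The ip-location, ip-list and skip-private-original-ip options above decide which X-Forwarded-For entry counts as the client. The block below is an added example, not FortiWeb code, of the same decision in Python: the header is only believed when the TCP peer is one of the listed load balancers (any client can send its own X-Forwarded-For), left/right selects the first or last entry, malformed entries are ignored rather than trusted, and the skip option drops RFC 1918, loopback and link-local addresses before choosing. The function and parameter names, the private-range list and the sample addresses are this example's own assumptions.

```python
import ipaddress
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Ranges this example treats as "private" (assumed; what the FortiWeb option
# covers exactly is not stated on the page).
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10",
)]


def is_private(addr: IPAddress) -> bool:
    """True if `addr` falls in one of the private ranges above."""
    return any(addr in net for net in _PRIVATE_NETS)


def parse_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For value into its comma-separated entries."""
    return [part.strip() for part in header.split(",") if part.strip()]


def original_client_ip(xff_header: Optional[str], peer_ip: str,
                       load_balancer_ips: List[str], ip_location: str = "left",
                       skip_private_original_ip: bool = False) -> str:
    """Return the IP to treat as the client's original address.

    peer_ip is the address the TCP connection actually came from; the header is
    trusted only when that peer is one of the configured load balancers.
    """
    if ip_location not in ("left", "right"):
        raise ValueError(f"ip_location must be 'left' or 'right', got {ip_location!r}")
    trusted = {ipaddress.ip_address(ip) for ip in load_balancer_ips}
    if xff_header is None or ipaddress.ip_address(peer_ip) not in trusted:
        return peer_ip  # unknown peer: its X-Forwarded-For is attacker-controlled
    candidates = []
    for entry in parse_xff(xff_header):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue  # malformed entry: ignore rather than trust
        if skip_private_original_ip and is_private(addr):
            continue  # an internal proxy's address, not the client
        candidates.append(str(addr))
    if not candidates:
        return peer_ip  # nothing usable in the header: fall back to the peer
    return candidates[0] if ip_location == "left" else candidates[-1]


if __name__ == "__main__":
    # Constructed sample: a load balancer at 10.0.0.5 forwards a request and
    # appends its own address to the header a client (1.2.3.4) originated.
    print(original_client_ip("1.2.3.4, 10.0.0.5", "10.0.0.5", ["10.0.0.5"], "right", True))
```

Which side to read from depends on the deployment: "left" gives the first proxy's view of the client but is whatever the first hop chose to write, while "right" with private addresses skipped gives the last non-internal hop, which is the entry written by the proxies you control.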

waf api-policy

 

config waf api-policy

edit <api-policy_name>

config api-rule-list

edit <api-rule-list_id>

set api-rule-name <api-rule-name_str>

next

end

next

end

New.

Use this command to create an API gateway policy.

waf api-rules

 

config waf api-rules

edit <api-rules_name>

set api-key-verification {enable | disable}

set allow-user-group <allow-user-group_name>

set api-key-location {http-parameter | http-header}

set header-field-name <header-field-name_str>

set parameter-name <parameter-name_str>

set rate-limit-period <rate-limit-period_int>

set rate-limit-requests <rate-limit-requests_int>

set action {alert | deny_no_log | alert_deny | block-period}

set block-period <block-period_int>

set severity {High | Medium | Low | Info}

set trigger-policy <trigger-policy_str>

set host <host_str>

set host-status {enable | disable}

config attach-http-header

edit <attach-http-header_id>

set http-header-item <http-header-item_str>

next

end

config match-url-prefixes

edit <match-url-prefixes_id>

set frontend-prefix <frontend-prefix_str>

set backend-prefix <backend-prefix_str>

next

end

config sub-url-setting

edit <sub-url-setting_id>

set http-method {get | post | head | options | trace | connect | delete | put | patch | any}

set type {plain | regular}

set url-expression <url-expression_str>

set api-key-verification {enable | disable}

set api-key-location {http-parameter | http-header}

set header-field-name <header-field-name_str>

set parameter-name <parameter-name_str>

set rate-limit-period <rate-limit-period_int>

set rate-limit-requests <rate-limit-requests_int>

set allow-user-group <allow-user-group_name>

set api-key-inherit {enable | disable}

next

end

next

end

New.

To restrict API access, you can use this command to configure certain rules involving API key verification, API key carryover, API user grouping, sub-URL setting, and specified actions FortiWeb will take in case of any API call violation.
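Both the threshold based detection rules above (an occurrence number within a time period per behavior, with an optional block period, and a request file for brute-login detection) and the rate-limit-requests / rate-limit-period options of the API rules are instances of one mechanism: a per-client sliding window that fires an action when a count is reached. The block below is an added example, not FortiWeb code, of that mechanism run over a constructed access log; the class, function and log format are this example's own, and how FortiWeb resets its counters after an action fires is an assumption.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

ACTIONS = ("alert", "alert_deny", "deny_no_log", "block-period")


class ThresholdDetector:
    """Per-client sliding window. When a client reaches `occurrence_num`
    matching requests within `within` seconds, the configured `action` is
    returned for that request; "block-period" additionally rejects the
    client for `block_period` seconds afterwards."""

    def __init__(self, occurrence_num: int, within: int,
                 action: str = "alert", block_period: int = 0) -> None:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if occurrence_num < 1 or within < 1:
            raise ValueError("occurrence_num and within must be positive")
        self.occurrence_num = occurrence_num
        self.within = within
        self.action = action
        self.block_period = block_period
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}

    def observe(self, client: str, ts: float) -> str:
        """Record one matching request at time `ts` and return the decision."""
        if ts < self._blocked_until.get(client, 0.0):
            return "blocked"
        window = self._hits[client]
        window.append(ts)
        while window and window[0] <= ts - self.within:
            window.popleft()  # drop hits older than the time period
        if len(window) < self.occurrence_num:
            return "allow"
        window.clear()  # threshold reached: fire once, then count afresh (assumed)
        if self.action == "block-period":
            self._blocked_until[client] = ts + self.block_period
        return self.action


# Constructed sample access log: "<unix-time> <client-ip> <path>".
SAMPLE_LOG = """\
1000 10.0.0.7 /login
1001 10.0.0.7 /login
1002 10.0.0.7 /login
1003 10.0.0.7 /login
1004 192.168.1.9 /login
1010 10.0.0.7 /index.html
1040 10.0.0.7 /login
"""


def run_brute_login_detection(log_text: str, request_file: str = "/login",
                              occurrence_num: int = 3, within: int = 10,
                              block_period: int = 30) -> List[Tuple[str, float, str]]:
    """Brute-login style detection: only requests for `request_file` count,
    and an offender is blocked for `block_period` seconds."""
    detector = ThresholdDetector(occurrence_num, within, "block-period", block_period)
    decisions = []
    for line in log_text.splitlines():
        ts, client, path = line.split()
        if path != request_file:
            continue  # other URLs do not count toward the login threshold
        decisions.append((client, float(ts), detector.observe(client, float(ts))))
    return decisions


def api_rate_limiter(rate_limit_requests: int, rate_limit_period: int) -> ThresholdDetector:
    """Rate limit expressed as a threshold: the request after
    `rate_limit_requests` within `rate_limit_period` seconds is logged and denied."""
    return ThresholdDetector(rate_limit_requests + 1, rate_limit_period, "alert_deny")


if __name__ == "__main__":
    for client, ts, decision in run_brute_login_detection(SAMPLE_LOG):
        print(f"{ts:.0f} {client:<12} {decision}")
```

In the sample, 10.0.0.7 reaches three login requests within ten seconds at t=1002, is blocked for the next thirty seconds, and is allowed again at t=1040 with a fresh window; the single request from 192.168.1.9 never reaches the threshold because the window is kept per client.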

waf api-user-group

 

config waf api-user-group

edit <api-user-group_name>

config user-list

edit <user-list_id>

set api-user-name <api-user-name_str>

next

end

next

end

New.

Use this command to create an API user group, which defines the permissions that its member users have.

waf api-users

 

config waf api-users

edit <api-user_name>

set email <email_str>

set comments <comments_str>

set uuid <uuid_str>

set api-key <api-key_str>

set create-time <create-time_str>

config ip-access-list

edit <ip-access-list_id>

set ip <ip_str>

next

end

config http-referer-list

edit <http-referer-list_id>

set http-referer <http-referer_str>

next

end

next

end

New.

Use this command to define API users to restrict access to APIs based on API keys.

system replacemsg-image

 

config system replacemsg-image

edit "<image_name>"

set image-type {gif | jpg | png | tiff}

set image-base64 <image_code>

next

end

New.

Use this command to add images that the FortiWeb HTML web pages can use. These pages are the ones that FortiWeb uses for blocking, authentication, and unavailable servers.

What’s new

The tables below list commands newly added for FortiWeb 6.2.0.

Command Change
system global  

config system global

set cert-expire-check-time <cert-expire-check-time _int>

end

New.
Set the notification time ( the days) before the certificate expires. The valid value range is 0-365. When the value is 0, it means no certificate expiration will be checked. When the value is 100, it means notification will be sent 100 days before the certificate expires.

waf xml-validation

 

config waf xml-validation rule

edit "<xml_rule_name>"

set data-format {xml | soap}

set soap-attachment {allow | disallow}

next

end

New.

Specify whether the SOAP message can carry attachments.

Available only when the data format is SOAP.

waf machine-learning-policy

 

config waf machine-learning-policy

edit waf machine-learning-policy

set threat-model {enable | disable}

end

New.

Enable to scan anomalies to verify whether they are attacks. It provides a method to check whether an anomaly is a real attack by the trained Support Vector Machine Model.

log attack-log

 

config log attack-log

set http2-parse-error-output {enable | disable}

end

New.

Enable while debugging only, to log errors of the HTTP/2 protocol parser.

waf http-constraints-exceptions

 

config waf http-constraints-exceptions

edit "<http-exception_name>"

config http_constraints-exception-list

edit <entry_index>

set Internal-resource-limits-check {enable | disable}

set rpc-protocol-check {enable | disable}

next

end

next

end

New.

Enable to omit the constraint on the maximum number of limits allowed by HTTP parser.

Enable to omit detecting traffic that uses the PRC protocol.

waf http-protocol-parameter-restriction

New.

Enable to detect the constraint on the maximum number of limits allowed by HTTP parser.

Enable to detect traffic that uses the PRC protocol.

debug dnsproxy list  

diagnose debug dnsproxy list

New.
Add the update time and update interval information in the output.
fdnserver show  

execute fdnserver show

New.
Use this command to show the list of all current FDS servers.
fdnserver delete  

execute fdnserver delete

New.
Use this command to delete all FDS servers. FortiWeb will update the FDS servers during the next update.

system advanced

 

config system advanced

set max-bot-alert-interval <interval_int>

end

New.

Type the maximum amount of interval time that FortiWeb will send an attack log during a bot attack. The valid range is 0-300 seconds.

server-policy policy

 

config server-policy policy

edit <policy_name>

set proxy-protocol {enable | disable}

set use-proxy-protocol-addr {enable | disable}

set replacemsg <replacemsg_name>

next

end

New.

Add proxy protocol and replacement message configuration.

server-policy server-pool

 

config server-policy server-pool

edit <server-pool_name>

set proxy-protocol {enable | disable}

set proxy-protocol-version {v1 | v2}

next

end

New.

Add proxy protocol and proxy protocol version configuration.

server-policy pattern threat-weight

 

config server-policy pattern threat-weight

set bot-deception {off | low | med | high | crit}

set biometrics-based-detection {off | low | med | high | crit}

set threshold-bot-detection {off | low | med | high | crit}

set bot-detection {off | low | med | high | crit}

set mobile-api-protection {off | low | med | high | crit}

set json-protection {off | low | med | high | crit}

set openapi-validation {off | low | med | high | crit}

set cors-protection {off | low | med | high | crit}

set site-publish {off | low | med | high | crit}

end

New.

Set threat weight for more new modules.

server-policy vserver

 

config server-policy vserver

edit "<virtual-server_name>"

config vip-list

edit "<vip-list_id>"

set interface "<interface_name>"

set status {enable | disable}

set vip "<vip_str>"

set use-interface-ip {enable | disable}

next

end

next

end

Update.

Multiple virtual IPs can be attached to one virtual server so that you can apply the same server policy to more than one IP addresses.

 

waf bot-detection-policy

 

config waf bot-detection-policy

edit <bot-detection-policy_ID>

set policy-id <server-policy-id>

set verification-method {Disable | Real-Browser-Enforcement | Captcha-Enforcement}

set mobile-verification-method {Disable | Mobile-Token-Validation}

next

end

New.

Add disable option for verification method to disable the system to verify whether the sample is indeed a bot.

Add mobile vertification method.

waf machine-learning-policy

 

config waf machine-learning-policy

edit <waf machine-learning-policy_id>

set learning-time <the-number-of-weeks>

set anomaly-detection-threshold <anomaly-detection-threshold_int>

set parameters-limit-per-conn {enable | disable}

set sample-collecting-mode {normal | fast}

set threat-model {enable | disable}

end

New.

Add new configurations for the machine learning policy.

waf web-protection-profile offline-protection

 

config waf web-protection-profile offline-protection

edit "<offline-protection-profile_name>"

set mobile-app-identification {enable | disable}

set token-secret <token-secret_str>

set token-header <token-header_str>

set mobile-api-protection <mobile-api-protection_name>

next

end

New.

Add more supported profiles.

waf web-protection-profile inline-protection

 

config waf web-protection-profile inline-protection

edit "<inline-protection-profile_name>"

set mobile-app-identification {enable | disable}

set token-secret <token-secret_str>

set token-header <token-header_str>

set mobile-api-protection <mobile-api-protection_name>

set bot-mitigate-policy <bot-mitigate-policy_name>

set api-management-policy <api-management-policy_name>

next

end

New.

Add more supported profiles.

 

waf mobile-api-protection

 

config waf mobile-api-protection-rule

edit <mobile-api-protection-rule_name>

set host-status {enable | disable}

set host <host_str>

set action {alert | deny_no_log | alert_deny | block-period}

set block-period <block-period_int>

set severity {High | Medium | Low | Info}

set trigger <trigger_policy_name>

config url-list

edit <url-list_id>

set url-type {plain | regular}

set url-pattern <url-pattern_str>

next

end

next

end

 

config waf mobile-api-protection-policy

edit <mobile-api-protection-policy_name>

config rule-list

edit <rule-list_id>

set rule <rule_name>

next

end

next

end

New.

Configure mobile API protection rules and policies.

 

waf ftp-file-security

 

config waf ftp-file security

edit "<rule_name>"

set icap-server-check {enable | disable}

 

next

end

New.

Enable so that FortiWeb sends files to ICAP server that matches the uploading or downloading directions.

waf site-publish-helper policy

 

config waf site-publish-helper policy

edit "<site-publish-policy_name>"

set limit-users {enable | disable}

set maximum-users <integer>

set session-idle-timeout <integer>

next

end

New.

Add configurations for concurrent access into a user account.

system vip

 

config system vip

edit <vip_name>

set vip <ip&netmask>

set vip6 <ip&netmask>

set interface <interface_name>

set index <the_index_number>

next

end

New.

Use this command to create Virtual IP addresses.

server-policy vserver

 

config server-policy vserver

edit "<virtual-server_name>"

set status {enable | disable}

set interface "<interface_name>"

set vip "<virtual-ip_ipv4mask>"

set vip6 "<virtual-ip_ipv6mask>"

set use-interface-ip {enable | disable}

next

end

Update.

Update this command to include VIP.

system ha

 

config system ha

set mode {active-passive | active-active-standard | active-active-high-volume |standalone}

next

end

New.

Add active-active-high-volume mode.

system ha-node

 

config system ha-node

edit <HA_node_number>

set <HA_node_device_SN>

next

end

New.

Use this command to allocate nodes to the active-active-high-volume HA group.

system ha-traffic-distribution

 

config system ha-traffic-distribution

edit <traffic-distribution_name>

set node-order <the_index_of_node_with_highest_priority>

set node-order <the_index_of_node_with_secondary_priority>

set node-order <the_index_of_node_with_third_priority>

...

set vip-list <vip_names>

next

end

New.

Use this command to attach VIP to different nodes in the HA group.

system snmp community

 

config system snmp community

edit <community_index>

set status {enable | disable}

set name "<community_str>"

set events {cpu-high | intf-ip | log-full | mem-low | netlink-down-status | netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-cluster-status-change | sys-ha-member-join | sys-ha-member-leave | sys-mode-change | waf-access-attack | waf-amethod-attack | waf-blogin-attack |waf-hidden-fields | waf-pvalid-attack | waf-signature-detection | waf-url-access-attack | waf-spage-attack | power-supply-failure}

next

end

New.

Add a new event power-supply-failure.

system snmp user

 

config system snmp user

edit name "<user_str>"

set trapevent {cpu-high | intf-ip | log-full | mem-low | netlink-down-status | netlink-up-status | policy-start | policy-stop | pserver-failed | sys-ha-cluster-status-change | sys-ha-member-join | sys-ha-member-leave | sys-mode-change | waf-access-attack | waf-amethod-attack | waf-blogin-attack |waf-hidden-fields | waf-pvalid-attack | waf-signature-detection | waf-url-access-attack | waf-spage-attack | power-supply-failure}

next

end

New.

Add a new event power-supply-failure.

system icapserver

 

config system icapserver

set server "<server_ipv4>"

set cache-timeout <timeout_int>

set port <port_int>

set elog {enable | disable}

set service-name <name_str>

set ssl {enable | disable}

end

New.

Use this command to configure FortiWeb to submit all files that match your upload restriction rules to ICAP server.

system feature-visibility

 

config system feature-visibility

set mobile-app-identification {enable | disable}

end

New.

Enable to configure the JWT token secret and token header to verify a request from a mobile application.

user kerberos-user

 

config user kerberos-user

edit "<kdc_name>"

set realm "<realm_str>"

set shortname <shortname _str>

set status {enable | disable}

config server-members

edit "<entry_index>"

set server <server_str>

set port <port_int>

next

end

next

end

New.

Add multiple servers support in one KDC realm.

log attack-log

 

config log attack-log

set packet-log {account-lockout-detection | anti-virus-detection | cookie-security | credential-db-detection | csrf-detection | custom-access | custom-protection-rule | fsa-detection | hidden-fields-failed | http-protocol-constraints | illegal-file-type | illegal-filesize | cors-protection | json-protection | ip-intelligence | padding-oracle | parameter-rule-failed | signature-detection | trojan-detection | user-tracking-detection | xml-protection | machine-learning | openapi-validation | websocket-security | mobile-api-protection}

end

Adds the new packet log type mobile-api-protection.

 

system certificate ocsp-stapling

 

config system certificate ocsp-stapling

edit <ocsp_name>

set certificate "<certificate_name>"

set local-cert "<certificate_name>"

set comment <comment_str>

set ocsp_url <url>

next

end

Update.

OCSP stapling now works as a global setting, and all local certificates are supported by OCSP.

waf http-request-flood-prevention-rule

 

config waf http-request-flood-prevention-rule

edit "<rule_name>"

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

next

end

New.

Add mobile-app-identification and bot-confirmation settings.

 

waf layer4-access-limit-rule

 

config waf layer4-access-limit-rule

edit "<rule_name>"

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

next

end

New.

Add mobile-app-identification and bot-confirmation settings.

waf xml-validation

 

config waf xml-validation rule

edit "<xml_rule_name>"

set data-format {xml | soap}

set soap-attachment {allow | disallow}

set ws-i-basic-profile-assertion {WSI1001 | WSI1002 | WSI1003 | WSI1004 | WSI1006 | WSI1007 | WSI1032 | WSI1033 | WSI1109 | WSI1110 | WSI1111 | WSI1201 | WSI1202 | WSI1204 | WSI1208 | WSI1301 | WSI1307 | WSI1308 | WSI1309 | WSI1318 | WSI1601 | WSI1701}

set ws-i-basic-profile-wsdl-assertion {WSI1008 | WSI1116 | WSI1211}

next

end

New.

Select the WS-I Basic Profile rules that SOAP messages must adhere to.

waf http-constraints-exceptions

 

config waf http-constraints-exceptions

edit "<http-exception_name>"

config http_constraints-exception-list

edit <entry_index>

set rpc-protocol-check {enable | disable}

next

end

next

end

New.

Enable to omit detecting traffic that uses the RPC protocol.

waf bot-deception

 

config waf bot-deception

edit <bot-deception-policy-name_str>

set action {alert | alert_deny | block-period | deny_no_log}

set block-period <block_period_int>

set deception-url <url_str>

set severity {high | medium | low | Info}

set trigger <trigger_policy>

config url-list

edit <url-list_id>

set host <host_str>

set host-status {enable | disable}

set type {simple-string | regex-expression}

set url <url_str>

next

end

next

end

New.

Use this command to configure a bot deception policy that inserts a link into HTML-type response pages.

waf biometrics-based-detection

 

config waf biometrics-based-detection

edit <biometrics-based-detection-name_str>

set mouse-movement {enable | disable}

set click {enable | disable}

set screen-touch {enable | disable}

set keyboard {enable | disable}

set scroll {enable | disable}

set event-collection-time <time_int>

set bot-effective-time <time_int>

set action {alert | alert_deny | deny_no_log}

set severity {high | medium | low | Info}

set trigger <trigger_policy>

config url-list

edit <url-list_id>

set host <host_str>

set host-status {enable | disable}

set type {simple-string | regex-expression}

set url <url_str>

next

end

next

end

New.

Use this command to configure the biometrics-based detection rule, which defines the client events to collect, the collection period, the request URLs, and so on.

waf bot-mitigation-policy

 

config waf bot-mitigate-policy

edit <bot-mitigate-policy-name_str>

set bot-deception <bot-deception_str>

set biometrics-based-detection <biometrics-based-detection_str>

set threshold-based-detection <threshold-based-detection_str>

next

end

New.

Use this command to combine the bot deception policy, the biometrics-based detection rule, and the threshold-based detection rule into one policy, which you then apply in the web protection profile for bot mitigation.

waf file-upload-restriction-policy

 

config waf file-upload-restriction-policy

edit <file-upload-restriction-policy_name>


next

end

New.

Add the ICAP server configurations.

waf threshold-based-detection

 

config waf threshold-based-detection

edit "<policy_name>"

set bot-recognition {disabled | real-browser-enforcement | captcha-enforcement}

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

set validation-timeout <validation-timeout_int>

set max-attempt-times <max-attempt-times_int>

set crawler-detection {enable | disable}

set crawler-action {alert | deny_no_log | alert_deny | block-period}

set crawler-severity {High | Medium | Low | Info}

set crawler-trigger <crawler-trigger-policy_name>

set crawler-occurrence-num <crawler-occurrence-num_int>

set crawler-within <crawler-within_int>

set crawler-block-period <crawler-block-period_int>

set scanner-detection {enable | disable}

set scanner-action {alert | deny_no_log | alert_deny | block-period}

set scanner-severity {High | Medium | Low | Info}

set scanner-trigger <scanner-trigger-policy_name>

set scanner-occurrence-num <scanner-occurrence-num_int>

set scanner-within <scanner-within_int>

set scanner-block-period <scanner-block-period_int>

set slow-attack-detection {enable | disable}

set slow-attack-action {alert | deny_no_log | alert_deny | block-period}

set slow-attack-severity {High | Medium | Low | Info}

set slow-attack-trigger <slow-attack-trigger-policy_name>

set slow-attack-occurrence-num <slow-attack-occurrence-num_int>

set slow-attack-within <slow-attack-within_int>

set slow-attack-http-transaction-timeout <slow-attack-http-transaction-timeout_int>

set slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int>

set slow-attack-block-period <slow-attack-block-period_int>

set content-scraping-detection {enable | disable}

set content-scraping-action {alert | deny_no_log | alert_deny | block-period}

set content-scraping-severity {High | Medium | Low | Info}

set content-scraping-trigger <content-scraping-trigger-policy_name>

set content-scraping-occurrence-num <content-scraping-occurrence-num_int>

set content-scraping-within <content-scraping-within_int>

set content-scraping-block-period <content-scraping-block-period_int>

set brute-login-detection {enable | disable}

set brute-login-action {alert | deny_no_log | alert_deny | block-period}

set brute-login-severity {High | Medium | Low | Info}

set brute-login-trigger <brute-login-trigger-policy_name>

set brute-login-occurrence-num <brute-login-occurrence-num_int>

set brute-login-within <brute-login-within_int>

set brute-login-request-file <brute-login-request-file_str>

set brute-login-block-period <brute-login-block-period_int>

next

end

New.

Use this command to configure threshold-based detection rules that define the occurrence count, time period, severity, trigger policy, and so on for suspicious behaviors; from these thresholds FortiWeb judges whether a request comes from a human or a bot.

waf x-forwarded-for

 

config waf x-forwarded-for

edit "<x-forwarded-for_name>"

set ip-location {left | right}

set skip-private-original-ip {enable | disable}

config ip-list

edit <entry_index>

set ip "<load-balancer_ip>"

next

end

next

end

New.

Enable to skip a private original IP, which indicates an internal service used in the client’s original request rather than the client itself.

waf api-policy

 

config waf api-policy

edit <api-policy_name>

config api-rule-list

edit <api-rule-list_id>

set api-rule-name <api-rule-name_str>

next

end

next

end

New.

Use this command to create an API gateway policy.

waf api-rules

 

config waf api-rules

edit <api-rules_name>

set api-key-verification {enable | disable}

set allow-user-group <allow-user-group_name>

set api-key-location {http-parameter | http-header}

set header-field-name <header-field-name_str>

set parameter-name <parameter-name_str>

set rate-limit-period <rate-limit-period_int>

set rate-limit-requests <rate-limit-requests_int>

set action {alert | deny_no_log | alert_deny | block-period}

set block-period <block-period_int>

set severity {High | Medium | Low | Info}

set trigger-policy <trigger-policy_str>

set host <host_str>

set host-status {enable | disable}

config attach-http-header

edit <attach-http-header_id>

set http-header-item <http-header-item_str>

next

end

config match-url-prefixes

edit <match-url-prefixes_id>

set frontend-prefix <frontend-prefix_str>

set backend-prefix <backend-prefix_str>

next

end

config sub-url-setting

edit <sub-url-setting_id>

set http-method {get | post | head | options | trace | connect | delete | put | patch | any}

set type {plain | regular}

set url-expression <url-expression_str>

set api-key-verification {enable | disable}

set api-key-location {http-parameter | http-header}

set header-field-name <header-field-name_str>

set parameter-name <parameter-name_str>

set rate-limit-period <rate-limit-period_int>

set rate-limit-requests <rate-limit-requests_int>

set allow-user-group <allow-user-group_name>

set api-key-inherit {enable | disable}

next

end

next

end

New.

To restrict API access, you can use this command to configure certain rules involving API key verification, API key carryover, API user grouping, sub-URL setting, and specified actions FortiWeb will take in case of any API call violation.

waf api-user-group

 

config waf api-user-group

edit <api-user-group_name>

config user-list

edit <user-list_id>

set api-user-name <api-user-name_str>

next

end

next

end

New.

Use this command to create an API user group, which defines the specific permissions that the group’s users have.

waf api-users

 

config waf api-users

edit <api-user_name>

set email <email_str>

set comments <comments_str>

set uuid <uuid_str>

set api-key <api-key_str>

set create-time <create-time_str>

config ip-access-list

edit <ip-access-list_id>

set ip <ip_str>

next

end

config http-referer-list

edit <http-referer-list_id>

set http-referer <http-referer_str>

next

end

next

end

New.

Use this command to define API users to restrict access to APIs based on API keys.

system replacemsg-image

 

config system replacemsg-image

edit "<image_name>"

set image-type {gif | jpg | png | tiff}

set image-base64 <image_code>

next

end

New.

Use this command to add images that the FortiWeb HTML web pages can use. These pages are the ones that FortiWeb uses for blocking, authentication, and unavailable servers.