Fortinet black logo

CLI Reference

system advanced

system advanced

Use this command to configure several system-wide options that determine how FortiWeb scans traffic.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system advanced

set circulate-url-decode {enable | disable}

set decoding-enhancement {enable | disable}

set max-cache-size <cache_int>

set max-dlp-cache-size <percentage_int>

set max-dos-alert-interval <seconds_int>

set share-ip {enable | disable}

set anypktstream {enable | disable}

set max-bot-alert-interval <interval_int>

end

Variable Description Default

circulate-url-decode {enable | disable}

Enable to detect URL-embedded attacks that are obfuscated using recursive URL encoding (that is, multiple levels’ worth of URL encoding).

Encoded URLs can be legitimately used for non-English URLs, but can also be used to avoid detection of attacks that use special characters. Encoded URLs can now be decoded to scan for these types of attacks. Several encoding types are supported.

For example, you could detect the character A that is encoded as either %41, %x41, %u0041, or \t41.

Disable to decode only one level’s worth of the URL, if encoded.

enable

decoding-enhancement {enable | disable}

Enable to decode cookies and parameters using base64 or CSS for specified URLs. To configure decoding enhancement, see system decoding enhancement.

disable

max-cache-size <cache_int>

Type the maximum size (in KB) of the body of the HTTP response from the web server that FortiWeb will cache per URL for body compression, decompression, rewriting, and XML detection.

Increasing the body cache may decrease performance.

Valid values range from 32 to 4096. The default value is 64.

Increasing the body cache may decrease performance.

512

max-dlp-cache-size <percentage_int>

Type the maximum percentage of max-cache-size <cache_int>—the body of the HTTP response from the web server—that FortiWeb buffers and scans.

Responses are cached to improve performance on compression, decompression, and rewriting on often-requested URLs.

12

max-dos-alert-interval <seconds_int>

Type the maximum amount of time that FortiWeb will converge into a single log message during a DoS attack or padding oracle attack. 180

share-ip {enable | disable}

Enable to analyze the ID field of IP headers in order to attempt to detect when multiple clients share the same source IP address. To configure the difference between packets’ ID fields that FortiWeb will treat as a shared IP, see system ip-detection.

Enabling this option is required for features that have a separate threshold for shared IP addresses, such as brute force login prevention. If you disable the option, those features will behave as if there is only a single threshold, regardless of whether the source IP is shared by many clients.

disable

anypktstream {enable | disable}

Enable to configure FortiWeb to scan partial TCP connections.
In some cases, FortiWeb is deployed after a client has already created a connection with a back-end server. If this option is disabled, FortiWeb ignores any traffic that is part of a pre-existing session.
disable

max-bot-alert-interval <interval_int>

Type the maximum amount of interval time that FortiWeb will send an attack log during a bot attack. The valid range is 0-300 seconds. 60

Related topics

system advanced

Use this command to configure several system-wide options that determine how FortiWeb scans traffic.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system advanced

set circulate-url-decode {enable | disable}

set decoding-enhancement {enable | disable}

set max-cache-size <cache_int>

set max-dlp-cache-size <percentage_int>

set max-dos-alert-interval <seconds_int>

set share-ip {enable | disable}

set anypktstream {enable | disable}

set max-bot-alert-interval <interval_int>

end

Variable Description Default

circulate-url-decode {enable | disable}

Enable to detect URL-embedded attacks that are obfuscated using recursive URL encoding (that is, multiple levels’ worth of URL encoding).

Encoded URLs can be legitimately used for non-English URLs, but can also be used to avoid detection of attacks that use special characters. Encoded URLs can now be decoded to scan for these types of attacks. Several encoding types are supported.

For example, you could detect the character A that is encoded as either %41, %x41, %u0041, or \t41.

Disable to decode only one level’s worth of the URL, if encoded.

enable

decoding-enhancement {enable | disable}

Enable to decode cookies and parameters using base64 or CSS for specified URLs. To configure decoding enhancement, see system decoding enhancement.

disable

max-cache-size <cache_int>

Type the maximum size (in KB) of the body of the HTTP response from the web server that FortiWeb will cache per URL for body compression, decompression, rewriting, and XML detection.

Increasing the body cache may decrease performance.

Valid values range from 32 to 4096. The default value is 64.

Increasing the body cache may decrease performance.

512

max-dlp-cache-size <percentage_int>

Type the maximum percentage of max-cache-size <cache_int>—the body of the HTTP response from the web server—that FortiWeb buffers and scans.

Responses are cached to improve performance on compression, decompression, and rewriting on often-requested URLs.

12

max-dos-alert-interval <seconds_int>

Type the maximum amount of time that FortiWeb will converge into a single log message during a DoS attack or padding oracle attack. 180

share-ip {enable | disable}

Enable to analyze the ID field of IP headers in order to attempt to detect when multiple clients share the same source IP address. To configure the difference between packets’ ID fields that FortiWeb will treat as a shared IP, see system ip-detection.

Enabling this option is required for features that have a separate threshold for shared IP addresses, such as brute force login prevention. If you disable the option, those features will behave as if there is only a single threshold, regardless of whether the source IP is shared by many clients.

disable

anypktstream {enable | disable}

Enable to configure FortiWeb to scan partial TCP connections.
In some cases, FortiWeb is deployed after a client has already created a connection with a back-end server. If this option is disabled, FortiWeb ignores any traffic that is part of a pre-existing session.
disable

max-bot-alert-interval <interval_int>

Type the maximum amount of interval time that FortiWeb will send an attack log during a bot attack. The valid range is 0-300 seconds. 60

Related topics