Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 6.2.3 CLI Reference
    6.2.3
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    waf start-pages

    waf start-pages

    Use this command to configure start page rules.

    When a start page group is selected in the inline protection profile, HTTP clients must begin from a valid start page in order to initiate a valid session.

    For example, you may wish to specify that HTTP clients of an e-commerce website must begin their session from either an item view or the first stage of the shopping cart checkout, and cannot begin a valid session from the third stage of the shopping cart checkout.

    To apply start pages, select them within an inline protection profile. For details, see waf web-protection-profile inline-protection.

    Before you configure a start page rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.

    You can use SNMP traps to notify you when a start page rule is enforced. For details, see system snmp community.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf start-pages

    edit "<start-page-rule_name>"

    set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

    set block-period <seconds_int>

    set severity {Low | Medium | High | Info}

    set trigger "<trigger-policy_name>"

    config start-page-list

    edit <entry_index>

    set host "<protected-hosts_name>"

    set host-status {enable | disable}

    set request-file "<url_str>"

    set request-type {plain | regular}

    set default {yes | no}

    next

    end

    next

    end

    Variable Description Default

    "<start-page-rule_name>"

    Enter the name of a new or existing rule. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    edit ?

    		No default.

    action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

    Select one of the following actions that the FortiWeb appliance will perform when an HTTP request that initiates a session does not begin with one of the allowed start pages.

    • alert—Accept the request and generate an alert email and/or log message.

    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

    • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.

    • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.

    • deny_no_log—Deny a request. Do not generate a log message.

    Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

    Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

    		 No default.

    block-period <seconds_int>

    If action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log} is block-period, type, specify the number of seconds that the connection will be blocked. The valid range is 1–3,600.

    		 1

    severity {Low | Medium | High | Info}

    		 Select the severity level to use in logs and reports generated when a violation of the rule occurs. Low

    trigger "<trigger-policy_name>"

    Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

    To display the list of existing trigger policies, enter:

    set trigger ?

    		No default.

    <entry_index>

    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.

    		 No default.

    host "<protected-hosts_name>"

    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the start page rule. The maximum length is 256 characters.

    This setting applies only if host-status {enable | disable} is enable.

    		 No default.

    host-status {enable | disable}

    Enable to apply this start page rule only to HTTP requests for specific web hosts. Also configure host "<protected-hosts_name>".

    Disable to match the start page rule based upon the other criteria, such as the URL, but regardless of the Host: field.

    		 disable

    request-file "<url_str>"

    Depending on your selection in request-type {plain | regular}, enter either:

    • The literal URL, such as /index.php, that the HTTP request must contain in order to match the start page rule. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php, matching all and only the URLs to which the start page rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.

    Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-hosts_name>". The maximum length is 256 characters.

    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/fortiweb/admin-guides

    		No default.

    request-type {plain | regular}

    Select whether request-file "<url_str>" will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular).

    		 plain

    default {yes | no}

    Enter yes to use the page as the default for HTTP requests that either:

    • Do not specify a URL.
    • Do not specify the URL of a valid start page (only if you have selected redirect from action).

    Otherwise, enter no.

    		 no

    Example

    This example redirects clients to the default start page, /index.html, if clients request a page that is not one of the valid start pages (/index.html or /cart/login.jsp). Redirection will occur only if the request is destined for one of the virtual or real hosts defined in the protected hosts group named example_com_hosts.

    config waf start-pages

    edit "start-page-rule1"

    edit 1

    set host "example_com"

    set host-status enable

    set request-file "/index.html"

    set default yes

    next

    edit 2

    set host "example_com_hosts"

    set host-status enable

    set request-file "/cart/login.jsp"

    set default no

    next

    next

    end

    Related topics

    Previous
    Next

    waf start-pages

    waf start-pages

    Use this command to configure start page rules.

    When a start page group is selected in the inline protection profile, HTTP clients must begin from a valid start page in order to initiate a valid session.

    For example, you may wish to specify that HTTP clients of an e-commerce website must begin their session from either an item view or the first stage of the shopping cart checkout, and cannot begin a valid session from the third stage of the shopping cart checkout.

    To apply start pages, select them within an inline protection profile. For details, see waf web-protection-profile inline-protection.

    Before you configure a start page rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.

    You can use SNMP traps to notify you when a start page rule is enforced. For details, see system snmp community.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf start-pages

    edit "<start-page-rule_name>"

    set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

    set block-period <seconds_int>

    set severity {Low | Medium | High | Info}

    set trigger "<trigger-policy_name>"

    config start-page-list

    edit <entry_index>

    set host "<protected-hosts_name>"

    set host-status {enable | disable}

    set request-file "<url_str>"

    set request-type {plain | regular}

    set default {yes | no}

    next

    end

    next

    end

    Variable Description Default

    "<start-page-rule_name>"

    Enter the name of a new or existing rule. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    edit ?

    		No default.

    action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

    Select one of the following actions that the FortiWeb appliance will perform when an HTTP request that initiates a session does not begin with one of the allowed start pages.

    • alert—Accept the request and generate an alert email and/or log message.

    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

    • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.

    • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.

    • deny_no_log—Deny a request. Do not generate a log message.

    Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

    Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

    		 No default.

    block-period <seconds_int>

    If action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log} is block-period, type, specify the number of seconds that the connection will be blocked. The valid range is 1–3,600.

    		 1

    severity {Low | Medium | High | Info}

    		 Select the severity level to use in logs and reports generated when a violation of the rule occurs. Low

    trigger "<trigger-policy_name>"

    Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

    To display the list of existing trigger policies, enter:

    set trigger ?

    		No default.

    <entry_index>

    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.

    		 No default.

    host "<protected-hosts_name>"

    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the start page rule. The maximum length is 256 characters.

    This setting applies only if host-status {enable | disable} is enable.

    		 No default.

    host-status {enable | disable}

    Enable to apply this start page rule only to HTTP requests for specific web hosts. Also configure host "<protected-hosts_name>".

    Disable to match the start page rule based upon the other criteria, such as the URL, but regardless of the Host: field.

    		 disable

    request-file "<url_str>"

    Depending on your selection in request-type {plain | regular}, enter either:

    • The literal URL, such as /index.php, that the HTTP request must contain in order to match the start page rule. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php, matching all and only the URLs to which the start page rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.

    Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-hosts_name>". The maximum length is 256 characters.

    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/fortiweb/admin-guides

    		No default.

    request-type {plain | regular}

    Select whether request-file "<url_str>" will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular).

    		 plain

    default {yes | no}

    Enter yes to use the page as the default for HTTP requests that either:

    • Do not specify a URL.
    • Do not specify the URL of a valid start page (only if you have selected redirect from action).

    Otherwise, enter no.

    		 no

    Example

    This example redirects clients to the default start page, /index.html, if clients request a page that is not one of the valid start pages (/index.html or /cart/login.jsp). Redirection will occur only if the request is destined for one of the virtual or real hosts defined in the protected hosts group named example_com_hosts.

    config waf start-pages

    edit "start-page-rule1"

    edit 1

    set host "example_com"

    set host-status enable

    set request-file "/index.html"

    set default yes

    next

    edit 2

    set host "example_com_hosts"

    set host-status enable

    set request-file "/cart/login.jsp"

    set default no

    next

    next

    end

    Related topics

    Previous
    Next