Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 6.2.4 CLI Reference
    6.2.4
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    waf page-access-rule

    waf page-access-rule

    Use this command to configure page access rules.

    Page access rules define URLs that can be accessed only in a specific order, such as to enforce the business logic of a web application. Requests for other, non-ordered URLs may interleave ordered URLs during the client’s session. Page access rules may be specific to a web host.

    For example, an e-commerce application might be designed to work properly in this order:

    1. A client begins a session by adding an item to a shopping cart (/addToCart.do?*).
    2. The client either views and adds additional items to the shopping cart, or proceeds directly to the checkout.
    3. The client confirms the items that he or she wants to purchase (/checkout.do).
    4. The client provides shipping information (/shipment.do).
    5. The client pays for the items and shipment, completing the transaction (/payment.do).

    Sessions that begin at the shipping or payment stage should therefore be invalid. If the web application does not enforce this rule itself, it could be open to cross-site request forgery (CSRF) attacks on the payment feature. To prevent such abuse, the FortiWeb appliance could enforce the rule itself using a page access rule set with the following order:

    1. /addToCart.do?item=*
    2. /checkout.do?login=*
    3. /shipment.do
    4. /payment.do

    Attempts to request /payment.do before those other URLs during a session would be denied, and generate an alert and attack log message. For details, see log disk.

    To apply page access rules, select them within an inline protection profile. For details, see waf web-protection-profile inline-protection.

    Before you configure a page access rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.

    You can use SNMP traps to notify you when a page access rule is enforced. For details, see system snmp community.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    In order for page access rules to be enforced, you must also enable http-session-management {enable | disable} in the inline protection profile.

    Syntax

    config waf page-access-rule

    edit "<page-access-rule_name>"

    set page-severity {Low | Medium | High | Info}

    set page-trigger <page-trigger-policy_name>

    config page-access-list

    edit <entry_index>

    set host "<protected-hosts_name>"

    set host-status {enable | disable}

    set request-file "<url_str>"

    set request-type {plain | regular}

    next

    end

    next

    end

    Variable Description Default

    "<page-access-rule_name>"

    Enter the name of a new or existing rule. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    edit ?

    		No default.

    page-severity {Low | Medium | High | Info}

    		 When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:
    • Informative
    • Low
    • Medium
    • High
    The default value is Medium.

    page-trigger <page-trigger-policy_name>

    		 Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule.

    <entry_index>

    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.

    Page access rules should be added to the set in the order which clients will be permitted to access them.

    For example, if a client must access /login.asp before /account.asp, add the rule for /login.asp first.

    		 No default.

    host "<protected-hosts_name>"

    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the page access rule. The maximum length is 256 characters.

    This setting applies only if host-status {enable | disable} is enable.

    		 No default.

    host-status {enable | disable}

    Enable to apply this page access rule only to HTTP requests for specific web hosts. Also configure host "<protected-hosts_name>".

    Disable to match the page access rule based upon the other criteria, such as the URL, but regardless of the Host: field.

    		 disable

    request-file "<url_str>"

    Depending on your selection in request-type {plain | regular}, enter either:

    • The literal URL, such as /cart.php, that the HTTP request must contain in order to match the page access rule. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php, matching all and only the URLs to which the page access rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /cart.cfm.

    Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-hosts_name>". The maximum length is 256 characters.

    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/fortiweb/admin-guides

    		No default.

    request-type {plain | regular}

    		 Specify whether request-file "<url_str>" will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular). plain

    Example

    This example allows any request to www.example.com, as long as it follows the expected sequence within a session for the four key shopping cart URLs (/addToCart.do, /checkout.do, /shipment.do, then /payment.do).

    config waf page-access-rule

    edit "page-access-rule1"

    config page-access-list

    edit 1

    set host "www.example.com"

    set host-status enable

    set request-file "/addToCart.do?item=*"

    set request-type regular

    next

    edit 2

    set host "www.example.com"

    set host-status enable

    set request-file "/checkout.do?login=*"

    set request-type regular

    next

    edit 3

    set host "www.example.com"

    set host-status enable

    set request-file "/shipment.do"

    set request-type plain

    next

    edit 4

    set host "www.example.com"

    set host-status enable

    set request-file "/payment.do"

    set request-type plain

    next

    end

    next

    end

    Related topics

    Previous
    Next

    waf page-access-rule

    waf page-access-rule

    Use this command to configure page access rules.

    Page access rules define URLs that can be accessed only in a specific order, such as to enforce the business logic of a web application. Requests for other, non-ordered URLs may interleave ordered URLs during the client’s session. Page access rules may be specific to a web host.

    For example, an e-commerce application might be designed to work properly in this order:

    1. A client begins a session by adding an item to a shopping cart (/addToCart.do?*).
    2. The client either views and adds additional items to the shopping cart, or proceeds directly to the checkout.
    3. The client confirms the items that he or she wants to purchase (/checkout.do).
    4. The client provides shipping information (/shipment.do).
    5. The client pays for the items and shipment, completing the transaction (/payment.do).

    Sessions that begin at the shipping or payment stage should therefore be invalid. If the web application does not enforce this rule itself, it could be open to cross-site request forgery (CSRF) attacks on the payment feature. To prevent such abuse, the FortiWeb appliance could enforce the rule itself using a page access rule set with the following order:

    1. /addToCart.do?item=*
    2. /checkout.do?login=*
    3. /shipment.do
    4. /payment.do

    Attempts to request /payment.do before those other URLs during a session would be denied, and generate an alert and attack log message. For details, see log disk.

    To apply page access rules, select them within an inline protection profile. For details, see waf web-protection-profile inline-protection.

    Before you configure a page access rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.

    You can use SNMP traps to notify you when a page access rule is enforced. For details, see system snmp community.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    In order for page access rules to be enforced, you must also enable http-session-management {enable | disable} in the inline protection profile.

    Syntax

    config waf page-access-rule

    edit "<page-access-rule_name>"

    set page-severity {Low | Medium | High | Info}

    set page-trigger <page-trigger-policy_name>

    config page-access-list

    edit <entry_index>

    set host "<protected-hosts_name>"

    set host-status {enable | disable}

    set request-file "<url_str>"

    set request-type {plain | regular}

    next

    end

    next

    end

    Variable Description Default

    "<page-access-rule_name>"

    Enter the name of a new or existing rule. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    edit ?

    		No default.

    page-severity {Low | Medium | High | Info}

    		 When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:
    • Informative
    • Low
    • Medium
    • High
    The default value is Medium.

    page-trigger <page-trigger-policy_name>

    		 Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule.

    <entry_index>

    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.

    Page access rules should be added to the set in the order which clients will be permitted to access them.

    For example, if a client must access /login.asp before /account.asp, add the rule for /login.asp first.

    		 No default.

    host "<protected-hosts_name>"

    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the page access rule. The maximum length is 256 characters.

    This setting applies only if host-status {enable | disable} is enable.

    		 No default.

    host-status {enable | disable}

    Enable to apply this page access rule only to HTTP requests for specific web hosts. Also configure host "<protected-hosts_name>".

    Disable to match the page access rule based upon the other criteria, such as the URL, but regardless of the Host: field.

    		 disable

    request-file "<url_str>"

    Depending on your selection in request-type {plain | regular}, enter either:

    • The literal URL, such as /cart.php, that the HTTP request must contain in order to match the page access rule. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php, matching all and only the URLs to which the page access rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /cart.cfm.

    Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-hosts_name>". The maximum length is 256 characters.

    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/fortiweb/admin-guides

    		No default.

    request-type {plain | regular}

    		 Specify whether request-file "<url_str>" will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular). plain

    Example

    This example allows any request to www.example.com, as long as it follows the expected sequence within a session for the four key shopping cart URLs (/addToCart.do, /checkout.do, /shipment.do, then /payment.do).

    config waf page-access-rule

    edit "page-access-rule1"

    config page-access-list

    edit 1

    set host "www.example.com"

    set host-status enable

    set request-file "/addToCart.do?item=*"

    set request-type regular

    next

    edit 2

    set host "www.example.com"

    set host-status enable

    set request-file "/checkout.do?login=*"

    set request-type regular

    next

    edit 3

    set host "www.example.com"

    set host-status enable

    set request-file "/shipment.do"

    set request-type plain

    next

    edit 4

    set host "www.example.com"

    set host-status enable

    set request-file "/payment.do"

    set request-type plain

    next

    end

    next

    end

    Related topics

    Previous
    Next