waf web-cache-policy

Use this command to configure FortiWeb to cache responses from your servers.

Use web-cache-policy to cache only a few URLs. To cache all URLs except for a few, see waf web-cache-exception.

To apply this policy, include it in an inline protection profile. For details, see waf web-protection-profile inline-protection.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.


config waf web-cache-policy
  edit "<web-cache-policy_rule_name>"
    set cache-buffer-size <cache-size_int>
    set max-cached-page size <page-size_int>
    set default-cache-timeout <cache-timeout_int>
    set exception "<web-cache-exception_name>"
    config url-match-list
      edit <entry_index>
        set host-status {enable | disable}
        set host "<host_str>"
        set url-type {plain | regular}
        set url-pattern "<url-pattern_str>"
      next
    end
  next
end




Variable Description Default


"<web-cache-policy_rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing policies, enter:

edit ?

No default.

cache-buffer-size <cache-size_int>

Specify the maximum amount of RAM to allocate to caching content, in MB (megabytes).

You cannot store cached content on FortiWeb’s hard disk.

The FortiWeb model determines the valid range of values:

  • FortiWeb 400C, FortiWeb-VM (2-4 GB RAM): 1–100 MB
  • FortiWeb 1000C, FortiWeb-VM (4-8 GB RAM): 1–200 MB
  • FortiWeb 3000C, FortiWeb 3000C/CFsx, FortiWeb-VM (8–16 GB RAM): 1–400 MB
  • FortiWeb 4000C: 1–600 MB
  • FortiWeb 1000D: 1–800 MB
  • FortiWeb 1000E: 1–800 MB
  • FortiWeb-VM (16+ GB RAM): 1–1,024 MB
  • FortiWeb 3000D/DFsx: 1–1,200 MB
  • FortiWeb 4000D: 1–2,048 MB

If administrative domains (ADOMs) are enabled, the maximums apply to the total RAM allotted to all ADOMs. For example, a FortiWeb 1000D has two ADOMs. If the cache-buffer-size value for the first ADOM is 600, the valid range for cache-buffer-size for the second ADOM is 1–200.

Tip: For improved performance, adjust this setting until it is as small as possible yet FortiWeb can still fit most graphics and server processing-intensive pages into its cache. This allows FortiWeb to allocate more RAM to other features that also affect throughput, such as scanning for attacks.


max-cached-page size <page-size_int>

Specify the maximum size of each URL that FortiWeb caches, in kilobytes (KB). FortiWeb does not cache objects such as high-resolution images, movies, or music that are larger than this value.

The valid range is 1–10,240.

Tip: For improved performance, adjust this setting until FortiWeb can fit most graphics and server processing-intensive pages into its cache.


default-cache-timeout <cache-timeout_int>

Specify the time to live for each entry in the cache. FortiWeb removes expired entries.

Valid range is 0–7,200.

When FortiWeb receives a subsequent request for a URL whose cache entry has expired, it forwards the request to the server and refreshes the cached response. Any additional requests receive the new cached response until the URL’s cache timeout expires.


exception "<web-cache-exception_name>"

Specify the name of a list of exceptions.

For details, see waf web-cache-exception.

No default.


<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.

No default.

host-status {enable | disable}

Specify enable to require that the Host: field of the HTTP request match a protected host names entry in order to match the policy. Also specify a value for host "<host_str>".


host "<host_str>"

Specify the protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the policy.

This option is available only if the value of host-status {enable | disable} is enable.

No default.

url-type {plain | regular}

Specify the type of value that is used for url-pattern "<url-pattern_str>":

plain—A literal URL.

regular—A regular expression designed to match multiple URLs.


url-pattern "<url-pattern_str>"

If the value of url-type {plain | regular} is plain, specify the literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).

If the value of url-type is regular, specify a regular expression, such as ^/*.php, that matches all and only the URLs that the rule applies to. The pattern does not require a slash ( / ); however, it must match URLs that begin with a slash, such as /index.cfm.

Do not include the domain name, such as www.example.com, which is specified by host "<host_str>".

No default.
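
An added example, not part of the FortiWeb documentation: before deploying a regular url-pattern, run it against request paths that should and should not be cached, since an over-broad match puts responses in the cache that were never meant to be shared. The sample paths, their intended-cache labels, and the use of Python's re.search as a stand-in for FortiWeb's matcher are assumptions.

```python
import re

# Constructed request paths (no query strings); True = intended to be cached.
SAMPLES = {
    "/index.php": True,
    "/shop/cart.php": True,
    "/xphp-notes.txt": False,
    "/account.php/avatar.css": False,
    "/static/logo.png": False,
}


def audit_url_pattern(pattern, samples=SAMPLES):
    """Compare what a url-pattern regex matches with what was intended.

    Assumption: the expression is searched for anywhere in the request
    path (Python's re.search stands in for FortiWeb's matcher), so only
    explicit ^ and $ anchors pin it to the start or end of the path.
    """
    rx = re.compile(pattern)
    matched = {url for url in samples if rx.search(url)}
    intended = {url for url, want in samples.items() if want}
    return {
        "missed": sorted(intended - matched),      # wanted in cache, not matched
        "unexpected": sorted(matched - intended),  # matched, not wanted in cache
    }


def report(pattern):
    """Print a one-line verdict for a pattern and return the audit result."""
    result = audit_url_pattern(pattern)
    status = "REVIEW" if any(result.values()) else "OK"
    print(f"{status:6} {pattern!r}: missed={result['missed']} "
          f"unexpected={result['unexpected']}")
    return result


if __name__ == "__main__":
    report(r"^/*.php")      # sample expression from the text above
    report(r"^/.*\.php")    # dot escaped, but no end anchor
    report(r"^/.*\.php$")   # anchored at both ends
```

With these samples, ^/*.php misses /index.php and matches /xphp-notes.txt, because * repeats the slash and the unescaped . matches any single character. Only the expression anchored at both ends matches exactly the intended paths.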
