Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 6.3.0 CLI Reference
    6.3.0
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    waf file-upload-restriction-policy

    waf file-upload-restriction-policy

    Use this command to set file security policies that FortiWeb will use to manage the types of files that can be uploaded to your web servers.

    The policies are composed of individual rules set using the server-policy custom-application application-policy command. Each rule identifies the host and/or URL to which the restriction applies and the types of files allowed. To apply a file security policy, select it within an inline or Offline Protection profile.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf file-upload-restriction-policy

    edit "<file-upload-restriction-policy_name>"

    set action {alert | alert_deny | block-period | deny_no_log}

    set block-period <seconds_int>

    set severity {High | Medium | Low | Info}

    set trigger <trigger-policy_name>

    set trojan-detection {enable | disable}

    set av-scan {enable | disable}

    set fortisandbox-check {enable | disable}

    set hold-session-while-scanning-file {enable | disable}

    set icap-server-check {enable | disable}

    set exchange-mail-detection {enable | disable}

    set owa-protocol {enable | disable}

    set activesync-protocol {enable | disable}

    set mapi-protocol {enable | disable}

    config rule

    edit <entry_index>

    set file-upload-restriction-rule <rule_name>

    next

    end

    next

    end

    Variable Description Default

    "<file-upload-restriction-policy_name>"

    Enter the name of an existing or new file security policy. The maximum length is 63 characters.

    To display the list of existing policies, enter:

    edit ?

    		No default.

    action {alert | alert_deny | block-period | deny_no_log}

    Enter the action you want FortiWeb to perform when the policy is violated:

    • alert—Accept the request and generate an alert and/or log message.

    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg and the FortiWeb Administration Guide:

      http://docs.fortinet.com/fortiweb/admin-guides

    • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

    • deny_no_log—Deny a request. Do not generate a log message.

      • Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

    Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

    Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, you should select alert. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

    		 alert

    block-period <seconds_int>

    		 If action {alert | alert_deny | block-period | deny_no_log} is block-period, type the number of seconds that violating requests will be blocked. The valid range is 1–3,600. 1

    severity {High | Medium | Low | Info}

    		 Select the severity level to use in logs and reports generated when a violation of the rule occurs. Low

    trigger <trigger-policy_name>

    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. The maximum length is 63 characters.

    To display the list of existing triggers, enter:

    set trigger ?

    		No default.

    trojan-detection {enable | disable}

    		 Enter enable to scan for Trojans.

    Attackers may attempt to upload Trojan horse code (written in scripting languages such as PHP and ASP) to the back-end web servers. The Trojan then infects clients who access an infected web page.    		 disable

    av-scan {enable | disable}

    Enter enable to scan for viruses, malware, and greyware.

    		 disable

    fortisandbox-check {enable | disable}

    		 Enter enable to send matching files to FortiSandbox for evaluation.

    Also specify the FortiSandbox settings for your FortiWeb. For details, see system fortisandbox.

    FortiSandbox evaluates the file and returns the results to FortiWeb.

    If trojan-detection {enable | disable} is enable and FortiWeb detects a virus, it does not send the file to FortiSandbox.    		 disable

    exchange-mail-detection {enable | disable}

    Enter enable so that FortiWeb will scan email attachments in applications using OWA or ActiveSync protocols. If enabled, FortiWeb will perform Trojan detection, an antivirus scan, and will send the attachments to FortiSandbox.

    Note: To perform Trojan detection, an antivirus scan, and send attachments to FortiSandbox, you must enable trojan-detection {enable | disable}, trojan-detection {enable | disable}, and fortisandbox-check {enable | disable}, respectively, in the file security policy.

    		 disable

    owa-protocol {enable | disable}

    		 Available only when exchange-mail-detection {enable | disable} is set to enable. If enabled, FortiWeb will scan attachments in Exchange Email sent and received via a web browser login. disable

    activesync-protocol {enable | disable}

    		 Available only when exchange-mail-detection {enable | disable} is set to enable. If enabled, FortiWeb will scan attachments in Exchange Email sent and received via a mobile phone login. disable

    <entry_index>

    		 Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    file-upload-restriction-rule <rule_name>

    Enter the name of an upload restriction rule to use with the policy, if any. For details, see server-policy custom-application application-policy. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    set file-upload-restriction-rule ?

    		No default.
    hold-session-while-scanning-file

    {enable | disable}

    		 Enable it, and FortiWeb waits for up to 30 minutes. If FortiWeb holds the session for over 30 minutes while FortiSandbox scans the file in the request, FortiWeb will forward the session without taking any other actions.
    This option is available only when you enable Send files to FortiSandbox.    		 disable
    mapi-protocol {enable | disable} FortiWeb will scan attachments in Email sent and received via the Messaging Application Programming Interface (MAPI), a new transport protocol implemented in Microsoft Exchange Server 2013 Service Pack 1 (SP1).
    Available only when Scan attachments in Email is enabled.    		 disable
    icap-server-check {enable | disable} Enable so that FortiWeb sends files to ICAP server that matches the uploading or downloading direction. disable

    Related topics

    Previous
    Next

    waf file-upload-restriction-policy

    waf file-upload-restriction-policy

    Use this command to set file security policies that FortiWeb will use to manage the types of files that can be uploaded to your web servers.

    The policies are composed of individual rules set using the server-policy custom-application application-policy command. Each rule identifies the host and/or URL to which the restriction applies and the types of files allowed. To apply a file security policy, select it within an inline or Offline Protection profile.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf file-upload-restriction-policy

    edit "<file-upload-restriction-policy_name>"

    set action {alert | alert_deny | block-period | deny_no_log}

    set block-period <seconds_int>

    set severity {High | Medium | Low | Info}

    set trigger <trigger-policy_name>

    set trojan-detection {enable | disable}

    set av-scan {enable | disable}

    set fortisandbox-check {enable | disable}

    set hold-session-while-scanning-file {enable | disable}

    set icap-server-check {enable | disable}

    set exchange-mail-detection {enable | disable}

    set owa-protocol {enable | disable}

    set activesync-protocol {enable | disable}

    set mapi-protocol {enable | disable}

    config rule

    edit <entry_index>

    set file-upload-restriction-rule <rule_name>

    next

    end

    next

    end

    Variable Description Default

    "<file-upload-restriction-policy_name>"

    Enter the name of an existing or new file security policy. The maximum length is 63 characters.

    To display the list of existing policies, enter:

    edit ?

    		No default.

    action {alert | alert_deny | block-period | deny_no_log}

    Enter the action you want FortiWeb to perform when the policy is violated:

    • alert—Accept the request and generate an alert and/or log message.

    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg and the FortiWeb Administration Guide:

      http://docs.fortinet.com/fortiweb/admin-guides

    • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

    • deny_no_log—Deny a request. Do not generate a log message.

      • Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

    Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

    Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, you should select alert. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

    		 alert

    block-period <seconds_int>

    		 If action {alert | alert_deny | block-period | deny_no_log} is block-period, type the number of seconds that violating requests will be blocked. The valid range is 1–3,600. 1

    severity {High | Medium | Low | Info}

    		 Select the severity level to use in logs and reports generated when a violation of the rule occurs. Low

    trigger <trigger-policy_name>

    Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. The maximum length is 63 characters.

    To display the list of existing triggers, enter:

    set trigger ?

    		No default.

    trojan-detection {enable | disable}

    		 Enter enable to scan for Trojans.

    Attackers may attempt to upload Trojan horse code (written in scripting languages such as PHP and ASP) to the back-end web servers. The Trojan then infects clients who access an infected web page.    		 disable

    av-scan {enable | disable}

    Enter enable to scan for viruses, malware, and greyware.

    		 disable

    fortisandbox-check {enable | disable}

    		 Enter enable to send matching files to FortiSandbox for evaluation.

    Also specify the FortiSandbox settings for your FortiWeb. For details, see system fortisandbox.

    FortiSandbox evaluates the file and returns the results to FortiWeb.

    If trojan-detection {enable | disable} is enable and FortiWeb detects a virus, it does not send the file to FortiSandbox.    		 disable

    exchange-mail-detection {enable | disable}

    Enter enable so that FortiWeb will scan email attachments in applications using OWA or ActiveSync protocols. If enabled, FortiWeb will perform Trojan detection, an antivirus scan, and will send the attachments to FortiSandbox.

    Note: To perform Trojan detection, an antivirus scan, and send attachments to FortiSandbox, you must enable trojan-detection {enable | disable}, trojan-detection {enable | disable}, and fortisandbox-check {enable | disable}, respectively, in the file security policy.

    		 disable

    owa-protocol {enable | disable}

    		 Available only when exchange-mail-detection {enable | disable} is set to enable. If enabled, FortiWeb will scan attachments in Exchange Email sent and received via a web browser login. disable

    activesync-protocol {enable | disable}

    		 Available only when exchange-mail-detection {enable | disable} is set to enable. If enabled, FortiWeb will scan attachments in Exchange Email sent and received via a mobile phone login. disable

    <entry_index>

    		 Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    file-upload-restriction-rule <rule_name>

    Enter the name of an upload restriction rule to use with the policy, if any. For details, see server-policy custom-application application-policy. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    set file-upload-restriction-rule ?

    		No default.
    hold-session-while-scanning-file

    {enable | disable}

    		 Enable it, and FortiWeb waits for up to 30 minutes. If FortiWeb holds the session for over 30 minutes while FortiSandbox scans the file in the request, FortiWeb will forward the session without taking any other actions.
    This option is available only when you enable Send files to FortiSandbox.    		 disable
    mapi-protocol {enable | disable} FortiWeb will scan attachments in Email sent and received via the Messaging Application Programming Interface (MAPI), a new transport protocol implemented in Microsoft Exchange Server 2013 Service Pack 1 (SP1).
    Available only when Scan attachments in Email is enabled.    		 disable
    icap-server-check {enable | disable} Enable so that FortiWeb sends files to ICAP server that matches the uploading or downloading direction. disable

    Related topics

    Previous
    Next