Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

What’s new

The tables below list commands newly added for FortiWeb 6.3.0.

Command Change
backup full-config-with-ML-data  

execute backup full-config-with-ML-data

Use this command to back up full configurations with machine learning data.
debug proxy log  
diagnose debug proxy log {1 | 2 |3} Use this command to print the logs generated by proxyd.
system firewall fwmark-policy  

config system firewall fwmark-policy

edit "<fwmark-policy-name>"

set from <firewall_source-address_name>

set to <firewall_destination-address_name>

set in-interface <incoming_interface_name>

set service <firewall-service_name>"

set mark <mark_int>

end

New command.
router policy  

config router policy

edit <policy_index>

set action {forward-traffic | stop-policy-routing}

set fwmark <fwmark_int>

next

end

New commands.
system firewall dnat policy  

config system firewall dnat-policy

edit "<policy_name>"

set external-start <external_ipv4>

set mapped-start <mapped_ipv4>

set mapped-end <mapped_ipv4>

set ingress-interface <ingress_port>

set protocol {tcp | udp | icmp}

set port-forwarding {enable | disable}

set external-port-start <external_port>

set external-port-end <external_port>

set mapped-port-start <mapped_port>

set mapped-port-end <mapped_port>

next

end

New commands.
system firewall snat-policy  

config system firewall snat-policy

edit "<policy_name>"

set source-start <source_ipv4>

set source-end <source_ipv4>

set destination-start <destination_ipv4>

set destination-end <destination_ipv4>

set trans-to-type {ip | pool | no-nat}

next

end

New commands.
server-policy setting  

config server-policy setting

set using-dns-proxy {enable | disable}

end

Enable to use getaddrinfo to resolve the domain name.

system global  

config system global

set fortiguard-anycast {enable | disable}

set ipv6-dad-ha {enable | disable}

end

New commands.
system network-option  

config system network-option

set ipfrag-high-thresh <ipfrag-high-thresh_int>

set ipfrag-low-thresh <ipfrag-low-thresh_int>

set ipfrag-timeout <ipfrag-timeout_int>

set ip6frag-high-thresh <ip6frag-high-thresh_int>

set ip6frag-low-thresh <ip6frag-low-thresh_int>

set ip6frag-timeout <ip6frag-timeout_int>

end

Configure the IP fragmentation protection feature.

system feature-visibility

 

config system feature-visibility

set acceleration-policy {enable | disable}

set web-cache {enable | disable}

end

Add acceleration and web cache switch on/off.

server-policy setting

 

config server-policy setting

set df-flag {enable | disable}

end

Enable to allow FortiWeb to send non DF-flag packet to pass the device with low MTU.
waf user-tracking rule  

config waf user-tracking rule

edit <rule_name>

set hostname-ip "<hostname-ip_str>"

set host-status { enable | disable}

set limit-users {enable | disable}

set maximum-users <maximum-users_int>

set session-idle-timeout <session-idle-timeout_int>

set session-timeout-enable {enable | disable}

next

end

You can now configure FortiWeb to limit the concurrent number of users accessing the same account in User Tracking
waf file-upload-restriction-rule  

config waf file-upload-restriction-rule

edit "<file-upload-restriction-rule_name>"

set host-status {enable | disable}

set host "<protected-host_name>"

set request-file "<url_pattern>"

set request-type {regular | plain}

set file-uncompress {enable | disable}

next

end

Enable file unzip in CLI to verify file type and size in the compressed files.
waf x-forwarded-for  

config waf x-forwarded-for

edit "<x-forwarded-for_name>"

set x-forwarded-for-support {enable | disable}

set add-source-port {enable | disable}

set x-forwarded-port {enable | disable}

next

end

Configure to add the X-Forwarded-Port and Source Port in X-Forwarded-For Rule to record the source IP of TCP connection.
waf application-layer-dos-prevention  

config waf application-layer-dos-prevention

edit "<app-dos-policy_name>"

set enable-http-session-based-prevention {enable | disable}

set layer3-fragment-protection {enable | disable}

next

end

Enable to prevent attacks of fragmented packets.
waf web-protection-profile inline-protection  

config waf web-protection-profile inline-protection

edit "<inline-protection-profile_name>"

set url-encryption-policy <url-encryption-policy_str>

next

end

Select the URL encryption policy name.
server-policy server-pool  

config server-policy server-pool

edit <server-pool_name>

set adfs-server-name <adfs-server-name_str>

next

end

Enter the ADFS server name.

server-policy http-content-routing-policy

 

set ip-list <ip-list_str>

Add these two fields to configur multiple IPs or IP range.
server-policy policy  

config server-policy policy

edit <policy_name>

set acceleration-policy <acceleration-policy_str>

set web-cache {enable | disable}

set real-ip-addr <real-ip-addr_str>

set retry-on {enable | disable}

set retry-on-cache-size <retry-on-cache-size_int>

set retry-on-connect-failure {enable | disable}

set retry-times-on-connect-failure <retry-times-on-connect-failure_int>

set retry-on-http-layer {enable | disable}

set retry-times-on-http-layer <retry-times-on-http-layer_int>

set retry-on-http-response-codes {404 | 408 | 500 | 501 | 502 | 503 | 504}

next

end

Add acceleration policy, web cache, and retry on related commands.

server-policy acceleration

 

config server-policy acceleration exception

edit "<exception_name>"

config list

edit "<exception-item_id>"

set host-status {enable | disable}

set host <host_int>

set url-type {plain | regular}

set url-pattern <url-pattern_str>

next

end

next

end

config server-policy acceleration policy

edit "<policy_name>"

set exception <exception_str>

set html-minify {enable | disable}

set html-combine-heads {enable | disable}

set html-css2head {enable | disable}

set js-minify {enable | disable}

set css-minify {enable | disable}

next

end

Configure the acceleration module to speed up web application response and optimize web pages and resources in real time.
waf web-cache  

config waf web-cache-rule

edit "<web-cache-rule_name>"

set host-status {enable | disable}

set host <host_str>

set path <path_str>

set http-method {get-head | get-head-options | all-methods}

set request-file-type {text | picture | media | binary | other}

set allow-return-code {allow-200 | allow-200-206 | allow-200-206-301-302}

set cache-inactive-time <cache-inactive-time_int>

set inactive-time-type {minutes | hours}

set client-cache-expire <client-cache-expire_int>

set client-cache-expire-type {minutes | hours}

set key-factor {method | protocol | host | url | arguments | cookies}

set enable-client-expire {enable | disable}

set policy-id <entry_index>

config cookie-name-list

edit <cookie-name-list_name>

set cookie-name "<cookie-name_str>"

end

config bypass-sub-url

edit <bypass-sub-url_id>

set http-method {get | post | head | options | trace | connect | delete | put | patch | any}

set type {plain | regular}

set url-expression <url-expression_str>

set enable-bypass-args {enable | disable}

set bypass-args <bypass-args_str>

set enable-bypass-cookies {enable | disable}

set bypass-cookies <bypass-cookies_str>

end

next

end

config waf web-cache-policy

edit "<web-cache-policy_name>"

next

end

Configure web cache rules and policies.
waf url-encryption  

config waf url-encryption url-encryption-rule

edit "<encryption-rule_name>"

set host-status {enable | disable}

set host <host_str>

set allow-unencrypted {enable | disable}

set action {alert | deny_no_log | alert_deny | block-period}

set block-period <block-period_int>

set severity {High | Medium | Low | Info}

set trigger <trigger_str>

config url-list

edit "<url-list_id>"

set url-type {plain | regular}

set url-pattern <url-pattern_str>

end

config exceptions

edit "<exceptions-item_id>"

set url-type {plain | regular}

set url-pattern <url-pattern_str>

end

next

end

 

config waf url-encryption url-encryption-policy

edit "<url-encryption-policy_name>"

set full-mode {enable | disable}

config rule-list

edit "<rule-list_id>"

set rule <rule_str>

end

next

end

Configure the URL encryption rules and policies.

What’s new

The tables below list commands newly added for FortiWeb 6.3.0.

Command Change
backup full-config-with-ML-data  

execute backup full-config-with-ML-data

Use this command to back up full configurations with machine learning data.
debug proxy log  
diagnose debug proxy log {1 | 2 |3} Use this command to print the logs generated by proxyd.
system firewall fwmark-policy  

config system firewall fwmark-policy

edit "<fwmark-policy-name>"

set from <firewall_source-address_name>

set to <firewall_destination-address_name>

set in-interface <incoming_interface_name>

set service <firewall-service_name>"

set mark <mark_int>

end

New command.
router policy  

config router policy

edit <policy_index>

set action {forward-traffic | stop-policy-routing}

set fwmark <fwmark_int>

next

end

New commands.
system firewall dnat policy  

config system firewall dnat-policy

edit "<policy_name>"

set external-start <external_ipv4>

set mapped-start <mapped_ipv4>

set mapped-end <mapped_ipv4>

set ingress-interface <ingress_port>

set protocol {tcp | udp | icmp}

set port-forwarding {enable | disable}

set external-port-start <external_port>

set external-port-end <external_port>

set mapped-port-start <mapped_port>

set mapped-port-end <mapped_port>

next

end

New commands.
system firewall snat-policy  

config system firewall snat-policy

edit "<policy_name>"

set source-start <source_ipv4>

set source-end <source_ipv4>

set destination-start <destination_ipv4>

set destination-end <destination_ipv4>

set trans-to-type {ip | pool | no-nat}

next

end

New commands.
server-policy setting  

config server-policy setting

set using-dns-proxy {enable | disable}

end

Enable to use getaddrinfo to resolve the domain name.

system global  

config system global

set fortiguard-anycast {enable | disable}

set ipv6-dad-ha {enable | disable}

end

New commands.
system network-option  

config system network-option

set ipfrag-high-thresh <ipfrag-high-thresh_int>

set ipfrag-low-thresh <ipfrag-low-thresh_int>

set ipfrag-timeout <ipfrag-timeout_int>

set ip6frag-high-thresh <ip6frag-high-thresh_int>

set ip6frag-low-thresh <ip6frag-low-thresh_int>

set ip6frag-timeout <ip6frag-timeout_int>

end

Configure the IP fragmentation protection feature.

system feature-visibility

 

config system feature-visibility

set acceleration-policy {enable | disable}

set web-cache {enable | disable}

end

Add acceleration and web cache switch on/off.

server-policy setting

 

config server-policy setting

set df-flag {enable | disable}

end

Enable to allow FortiWeb to send non DF-flag packet to pass the device with low MTU.
waf user-tracking rule  

config waf user-tracking rule

edit <rule_name>

set hostname-ip "<hostname-ip_str>"

set host-status { enable | disable}

set limit-users {enable | disable}

set maximum-users <maximum-users_int>

set session-idle-timeout <session-idle-timeout_int>

set session-timeout-enable {enable | disable}

next

end

You can now configure FortiWeb to limit the concurrent number of users accessing the same account in User Tracking
waf file-upload-restriction-rule  

config waf file-upload-restriction-rule

edit "<file-upload-restriction-rule_name>"

set host-status {enable | disable}

set host "<protected-host_name>"

set request-file "<url_pattern>"

set request-type {regular | plain}

set file-uncompress {enable | disable}

next

end

Enable file unzip in CLI to verify file type and size in the compressed files.
waf x-forwarded-for  

config waf x-forwarded-for

edit "<x-forwarded-for_name>"

set x-forwarded-for-support {enable | disable}

set add-source-port {enable | disable}

set x-forwarded-port {enable | disable}

next

end

Configure to add the X-Forwarded-Port and Source Port in X-Forwarded-For Rule to record the source IP of TCP connection.
waf application-layer-dos-prevention  

config waf application-layer-dos-prevention

edit "<app-dos-policy_name>"

set enable-http-session-based-prevention {enable | disable}

set layer3-fragment-protection {enable | disable}

next

end

Enable to prevent attacks of fragmented packets.
waf web-protection-profile inline-protection  

config waf web-protection-profile inline-protection

edit "<inline-protection-profile_name>"

set url-encryption-policy <url-encryption-policy_str>

next

end

Select the URL encryption policy name.
server-policy server-pool  

config server-policy server-pool

edit <server-pool_name>

set adfs-server-name <adfs-server-name_str>

next

end

Enter the ADFS server name.

server-policy http-content-routing-policy

 

set ip-list <ip-list_str>

Add these two fields to configur multiple IPs or IP range.
server-policy policy  

config server-policy policy

edit <policy_name>

set acceleration-policy <acceleration-policy_str>

set web-cache {enable | disable}

set real-ip-addr <real-ip-addr_str>

set retry-on {enable | disable}

set retry-on-cache-size <retry-on-cache-size_int>

set retry-on-connect-failure {enable | disable}

set retry-times-on-connect-failure <retry-times-on-connect-failure_int>

set retry-on-http-layer {enable | disable}

set retry-times-on-http-layer <retry-times-on-http-layer_int>

set retry-on-http-response-codes {404 | 408 | 500 | 501 | 502 | 503 | 504}

next

end

Add acceleration policy, web cache, and retry on related commands.

server-policy acceleration

 

config server-policy acceleration exception

edit "<exception_name>"

config list

edit "<exception-item_id>"

set host-status {enable | disable}

set host <host_int>

set url-type {plain | regular}

set url-pattern <url-pattern_str>

next

end

next

end

config server-policy acceleration policy

edit "<policy_name>"

set exception <exception_str>

set html-minify {enable | disable}

set html-combine-heads {enable | disable}

set html-css2head {enable | disable}

set js-minify {enable | disable}

set css-minify {enable | disable}

next

end

Configure the acceleration module to speed up web application response and optimize web pages and resources in real time.
waf web-cache  

config waf web-cache-rule

edit "<web-cache-rule_name>"

set host-status {enable | disable}

set host <host_str>

set path <path_str>

set http-method {get-head | get-head-options | all-methods}

set request-file-type {text | picture | media | binary | other}

set allow-return-code {allow-200 | allow-200-206 | allow-200-206-301-302}

set cache-inactive-time <cache-inactive-time_int>

set inactive-time-type {minutes | hours}

set client-cache-expire <client-cache-expire_int>

set client-cache-expire-type {minutes | hours}

set key-factor {method | protocol | host | url | arguments | cookies}

set enable-client-expire {enable | disable}

set policy-id <entry_index>

config cookie-name-list

edit <cookie-name-list_name>

set cookie-name "<cookie-name_str>"

end

config bypass-sub-url

edit <bypass-sub-url_id>

set http-method {get | post | head | options | trace | connect | delete | put | patch | any}

set type {plain | regular}

set url-expression <url-expression_str>

set enable-bypass-args {enable | disable}

set bypass-args <bypass-args_str>

set enable-bypass-cookies {enable | disable}

set bypass-cookies <bypass-cookies_str>

end

next

end

config waf web-cache-policy

edit "<web-cache-policy_name>"

next

end

Configure web cache rules and policies.
waf url-encryption  

config waf url-encryption url-encryption-rule

edit "<encryption-rule_name>"

set host-status {enable | disable}

set host <host_str>

set allow-unencrypted {enable | disable}

set action {alert | deny_no_log | alert_deny | block-period}

set block-period <block-period_int>

set severity {High | Medium | Low | Info}

set trigger <trigger_str>

config url-list

edit "<url-list_id>"

set url-type {plain | regular}

set url-pattern <url-pattern_str>

end

config exceptions

edit "<exceptions-item_id>"

set url-type {plain | regular}

set url-pattern <url-pattern_str>

end

next

end

 

config waf url-encryption url-encryption-policy

edit "<url-encryption-policy_name>"

set full-mode {enable | disable}

config rule-list

edit "<rule-list_id>"

set rule <rule_str>

end

next

end

Configure the URL encryption rules and policies.