Fortinet black logo

CLI Reference

waf ws security

waf ws security

Use this command to create WS-security rules.

You can use WS-Security rules to do the following:

  • Encrypt and decrypt parts of SOAP messages
  • Digitally sign parts of SOAP messages
  • Verify parts of SOAP messages using digital signatures

Syntax

config waf ws-security rule

edit "<ws-security_rule_name>"

set encryption-algorithm {3EDS | AES-128 | AES-256}

set encryption-part {Element Value | Element Markup}

set key-transport-algorithm {RSA-15 | RSA-OAEP}

set request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify}

set request-security-status {enable | disable}

set response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign}

set response-security-status {enable | disable}

set signature-algorithm {RSA-SHA-1 | HMAC-SHA-1}

set xml-client-certificate-group <xml-client-certificate_group_str>

set xml-server-certificate <xml-server-certificate_str>

config namespace-mapping

edit waf ws security

set prefix <prefix _str>

set namespace <namespace_str>

next

end

config element-list

edit waf ws security

set xpath <xpath_str>

set direction {request | response}

next

end

next

end

Variable Description Default

"<ws-security_rule_name>"

Enter a name that can be referenced by other parts of the configuration. No default.

encryption-algorithm {3EDS | AES-128 | AES-256}

Select the encryption algorithm.

  • 3EDS
  • AES-128
  • AES-256

Available only when response-security-status {enable | disable} is

enable, and response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign} is Encrypt, Sign & Encrypt, or Encrypt & Sign.

3EDS

encryption-part {Element Value | Element Markup}

Select which part of the SOAP messages to encrypt.

  • Element Value
  • Element Markup

Element Value

key-transport-algorithm {RSA-15 | RSA-OAEP}

Select the key transport algorithm.

  • RSA-15
  • RSA-OAEP

RSA-15

request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify}

Select the operation that FortiWeb performs for the encryped SOAP messages from the client.

  • Sign Verify & Decrypt
  • Decrypt
  • Sign Verify

Sign Verify

request-security-status {enable | disable}

Enable to configure FortiWeb to decrypt, sign and verify the encryped SOAP messages from the client.

disable

response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign}

Select the operation that FortiWeb performs for the SOAP messages returned from the server.

  • Sign
  • Encrypt
  • Sign & Encrypt
  • Encrypt & Sign

Sign

response-security-status {enable | disable}

Enable to configure FortiWeb to encrypt , and sign the SOAP messages returned from the server.

disable

signature-algorithm {RSA-SHA-1 | HMAC-SHA-1}

Select the signature algorithm.

  • RSA-SHA-1
  • HMAC-SHA-1

RSA-SHA-1

xml-client-certificate-group <xml-client-certificate_group_str>

Select the XML client certificate group created from XML Certificate > Client Certifcate Group.

Available only when request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify} is enable, and the request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify} is Sign Verify & Decrypt or Sign Verify.

Or

Available only when response-security-status {enable | disable} is enable, and the response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign} is Encrypt, Sign & Encrypt or Encrypt & Sign.

No default.

xml-server-certificate <xml-server-certificate_str>

Select the XML server certificate uploaded from XML Certificate>

Server Certifcate.

Available only when request-security-status {enable | disable} is

enable, and the request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify} is Sign Verify & Decrypt or Decrypt .

Or

Available only when response-security-status {enable | disable} is enable, and the response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign} is Sign, Sign & Encrypt, or Encrypt & Sign.

No default.

"<namespace-mapping_name_id>"

Enter the index number of an entry to create a namespace mapping.

No default.

namespace <namespace_str>

Enter the namespace.

No default.

prefix <prefix _str>

Enter a prefix for the namaspace.

No default.

"<element-list_name_id>"

Enter the index number of an entry to create an element list.

No default.

xpath <xpath_str>

Enter an XPath to specify which part of the XML file to process.

No default.

direction {request | response}

Select either Request or Response to define in which direction the XPath applies to.

request

Related topics

waf ws security

waf ws security

Use this command to create WS-security rules.

You can use WS-Security rules to do the following:

  • Encrypt and decrypt parts of SOAP messages
  • Digitally sign parts of SOAP messages
  • Verify parts of SOAP messages using digital signatures

Syntax

config waf ws-security rule

edit "<ws-security_rule_name>"

set encryption-algorithm {3EDS | AES-128 | AES-256}

set encryption-part {Element Value | Element Markup}

set key-transport-algorithm {RSA-15 | RSA-OAEP}

set request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify}

set request-security-status {enable | disable}

set response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign}

set response-security-status {enable | disable}

set signature-algorithm {RSA-SHA-1 | HMAC-SHA-1}

set xml-client-certificate-group <xml-client-certificate_group_str>

set xml-server-certificate <xml-server-certificate_str>

config namespace-mapping

edit waf ws security

set prefix <prefix _str>

set namespace <namespace_str>

next

end

config element-list

edit waf ws security

set xpath <xpath_str>

set direction {request | response}

next

end

next

end

Variable Description Default

"<ws-security_rule_name>"

Enter a name that can be referenced by other parts of the configuration. No default.

encryption-algorithm {3EDS | AES-128 | AES-256}

Select the encryption algorithm.

  • 3EDS
  • AES-128
  • AES-256

Available only when response-security-status {enable | disable} is

enable, and response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign} is Encrypt, Sign & Encrypt, or Encrypt & Sign.

3EDS

encryption-part {Element Value | Element Markup}

Select which part of the SOAP messages to encrypt.

  • Element Value
  • Element Markup

Element Value

key-transport-algorithm {RSA-15 | RSA-OAEP}

Select the key transport algorithm.

  • RSA-15
  • RSA-OAEP

RSA-15

request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify}

Select the operation that FortiWeb performs for the encryped SOAP messages from the client.

  • Sign Verify & Decrypt
  • Decrypt
  • Sign Verify

Sign Verify

request-security-status {enable | disable}

Enable to configure FortiWeb to decrypt, sign and verify the encryped SOAP messages from the client.

disable

response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign}

Select the operation that FortiWeb performs for the SOAP messages returned from the server.

  • Sign
  • Encrypt
  • Sign & Encrypt
  • Encrypt & Sign

Sign

response-security-status {enable | disable}

Enable to configure FortiWeb to encrypt , and sign the SOAP messages returned from the server.

disable

signature-algorithm {RSA-SHA-1 | HMAC-SHA-1}

Select the signature algorithm.

  • RSA-SHA-1
  • HMAC-SHA-1

RSA-SHA-1

xml-client-certificate-group <xml-client-certificate_group_str>

Select the XML client certificate group created from XML Certificate > Client Certifcate Group.

Available only when request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify} is enable, and the request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify} is Sign Verify & Decrypt or Sign Verify.

Or

Available only when response-security-status {enable | disable} is enable, and the response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign} is Encrypt, Sign & Encrypt or Encrypt & Sign.

No default.

xml-server-certificate <xml-server-certificate_str>

Select the XML server certificate uploaded from XML Certificate>

Server Certifcate.

Available only when request-security-status {enable | disable} is

enable, and the request-operation {Sign Verify & Decrypt | Decrypt | Sign Verify} is Sign Verify & Decrypt or Decrypt .

Or

Available only when response-security-status {enable | disable} is enable, and the response-operation {Sign | Encrypt | Sign & Encrypt | Encrypt & Sign} is Sign, Sign & Encrypt, or Encrypt & Sign.

No default.

"<namespace-mapping_name_id>"

Enter the index number of an entry to create a namespace mapping.

No default.

namespace <namespace_str>

Enter the namespace.

No default.

prefix <prefix _str>

Enter a prefix for the namaspace.

No default.

"<element-list_name_id>"

Enter the index number of an entry to create an element list.

No default.

xpath <xpath_str>

Enter an XPath to specify which part of the XML file to process.

No default.

direction {request | response}

Select either Request or Response to define in which direction the XPath applies to.

request

Related topics