
CLI Reference

waf url-encryption

URL encryption prevents forceful browsing: FortiWeb encrypts the URLs it returns to clients and decrypts them when the client requests them, so the internal directory structure of the web application is not revealed to users.

Use this command to create URL encryption rules and policies.

Syntax

config waf url-encryption url-encryption-rule

edit "<encryption-rule_name>"

set host-status {enable | disable}

set host <host_str>

set allow-unencrypted {enable | disable}

set action {alert | deny_no_log | alert_deny | block-period}

set block-period <block-period_int>

set severity {High | Medium | Low | Info}

set trigger <trigger_str>

config url-list

edit "<url-list_id>"

set url-type {plain | regular}

set url-pattern <url-pattern_str>

end

config exceptions

edit "<exceptions-item_id>"

set url-type {plain | regular}

set url-pattern <url-pattern_str>

end

next

end

config waf url-encryption url-encryption-policy

edit "<url-encryption-policy_name>"

set full-mode {enable | disable}

config rule-list

edit "<rule-list_id>"

set rule <rule_str>

end

next

end

Variable Description Default
"<encryption-rule_name>" Enter a name for the encryption rule. No default.
host-status {enable | disable} Enable to require that the Host: field of the HTTP request match a protected host names entry in order to match the URL encryption rule. Also configure host <host_str>. disable

host <host_str>

Select the protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must match in order to match the URL encryption rule.

No default.

allow-unencrypted {enable | disable}

When enabled, requests whose URL FortiWeb cannot decrypt (that is, requests that use a plain URL rather than one that FortiWeb encrypted) are allowed through.

When disabled, a request whose URL matches the rule but is not encrypted triggers the configured action.

Note that with the default (enable), forceful browsing is not actually blocked, because a client can still request any plain path directly. Disable it once you have confirmed, for example by first running the rule with action set to alert, that every legitimate plain-URL entry point is covered by an exceptions entry.

enable

action {alert | deny_no_log | alert_deny | block-period}

Select the action that FortiWeb takes when it detects a violation:
  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
  • deny_no_log—Block the request (or reset the connection) without generating a log message.
  • block-period—Block requests for the number of seconds set in block-period <block-period_int>.

alert
block-period <block-period_int>

Enter the number of seconds to block requests. The valid range is 1–3,600 seconds.

This option only takes effect when action is set to block-period.

60

severity {High | Medium | Low | Info}

When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb records when the rule is violated: High, Medium, Low, or Info.

High
trigger <trigger_str> Select the trigger policy, if any, that FortiWeb applies when it logs and/or sends an alert email about a rule violation. For details, see "Viewing log messages".

No default.

"<url-list_id>" Enter the ID for the URL list entry. No default.
url-type {plain | regular} Select whether the URL Pattern field will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular). plain
url-pattern <url-pattern_str>

Depending on the url-type, enter either:

  • plain—The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
  • regular—A regular expression, such as ^/.*\.php$, matching the URLs to which the rule should apply. The pattern itself does not have to contain a slash ( / ), but it must match URLs that begin with one, such as /index.cfm.
No default.
"<exceptions-item_id>" Enter the exception URL ID. No default.
url-type {plain | regular} Select whether the URL Pattern field will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular).

plain

url-pattern <url-pattern_str>

Depending on the url-type, enter either:

  • plain—The literal URL, such as /index.php, that the HTTP request must contain in order to be exempted from the rule. The URL must begin with a slash ( / ).
  • regular—A regular expression, such as ^/.*\.php$, matching the URLs that should be exempted from the rule. The pattern itself does not have to contain a slash ( / ), but it must match URLs that begin with one, such as /index.cfm.

No default.

"<url-encryption-policy_name>" Enter an encryption policy name.

No default.

full-mode {enable | disable} When enabled, URLs that match the rule are also encrypted where they appear in script events, in embedded non-HTML content such as scripts and .js files, and in embedded stylesheets. enable
"<rule-list_id>"

Enter the URL encryption rule ID.

No default.

rule <rule_str>

Select the URL encryption rule name.

No default.
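Example

The following is an added worked example, not configuration from the original page; it assembles the syntax above into one rule and one policy. The host name entry www.example.com, the rule and policy names, and the URL paths are assumptions chosen for illustration. The rule encrypts every URL under /app/ that ends in .php plus one literal admin URL, exempts a public subdirectory that must remain reachable by plain URL, and, unlike the default, refuses unencrypted requests so that forceful browsing is actually blocked rather than only decorated.

```text
# Rule: what to encrypt, what to exempt, and what to do on a violation
config waf url-encryption url-encryption-rule
    edit "app-url-enc"
        set host-status enable
        set host "www.example.com"
        # default is enable, which lets plain URLs through; disable to enforce
        set allow-unencrypted disable
        set action alert_deny
        set severity High
        config url-list
            edit 1
                set url-type regular
                set url-pattern "^/app/.*\.php$"
            next
            edit 2
                set url-type plain
                set url-pattern "/admin/console.php"
            next
        end
        config exceptions
            edit 1
                set url-type regular
                set url-pattern "^/app/public/.*"
            next
        end
    next
end

# Policy: groups rules and decides whether script/CSS-embedded URLs are covered
config waf url-encryption url-encryption-policy
    edit "app-url-enc-policy"
        set full-mode enable
        config rule-list
            edit 1
                set rule "app-url-enc"
            next
        end
    next
end
```

For a staged rollout, first deploy the same rule with allow-unencrypted enable and action alert, review the attack log for legitimate plain-URL requests (deep links, bookmarks, API clients), add any you find to exceptions, and only then switch to the values shown. The regular-expression patterns are anchored and escape the dot (\.php$) so that they match only the intended paths; an unanchored or unescaped pattern such as /*.php would match far more, or far less, than intended. The policy takes effect only once it is referenced from the web protection profile applied to the server policy, which is configured outside this command.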
