Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 6.3.16 CLI Reference
    6.3.16
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    waf url-access url-access-rule

    waf url-access url-access-rule

    Use this command to configure URL access rules that define the HTTP requests that are allowed or denied based on their host name and URL.

    Typically, for example, access to administrative panels for your web application should only be allowed if the client’s source IP address is an administrator’s computer on your private management network. Unauthenticated access from unknown locations increases risk of compromise. Best practice dictates that such risk should be minimized.

    To apply URL access rules, first group them within a URL access policy. For details see, waf url-access url-access-policy.

    You can use SNMP traps to notify you when a URL access rule is enforced. For details, see system snmp community.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf url-access url-access-rule

    edit "<url-access-rule_name>"

    set action {alert_deny | continue | pass | deny_no_log}

    set host "<protected-hosts_name>"

    set host-status {enable | disable}

    set severity {Informative | Low | Medium | High | Info}

    set trigger "<trigger-policy_name>"

    config match-condition

    edit <entry_index>

    set sip-address-check {enable | disable}

    set sip-address-type {sip | sdomain | source-domain}

    set sip-address-value "<client_ip>"

    set sdomain-type {"<ipv4>" | "<ipv6>"}

    set sip-address-domain "<fqdn_str>"

    set source-domain-type {simple-string | regex-expression}

    set source-domain "<source-domain_str>"

    set type {regex-expression | simple-string}

    set reg-exp "<object_pattern>"

    set reverse-match {yes | no}

    next

    end

    next

    end

    Variable Description Default

    "<url-access-rule_name>"

    Enter the name of a new or existing rule. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    edit ?

    		No default.

    action {alert_deny | continue | pass | deny_no_log}

    Select which action the FortiWeb appliance will take when a request matches the URL access rule.

    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

    • continue—Generate an alert and/or log message, then continue by evaluating any subsequent rules defined in the web protection profile. If no other rules are violated, allow the request. If multiple rules are violated, a single request will generate multiple attack log messages. For details, see debug flow trace.

    • pass—Allow the request. Do not generate an alert and/or log message.

    • deny_no_log—Deny a request. Do not generate a log message.

    Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

    Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, you should select pass. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

    		 pass

    host "<protected-hosts_name>"

    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 256 characters.

    This setting is used only if host-status {enable | disable} is enable.

    		 No default.

    host-status {enable | disable}

    		 Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the rule. Also configure host "<protected-hosts_name>". disable

    severity {Informative | Low | Medium | High | Info}

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when a blacklisted IP address attempts to connect to your web servers:

    • Informative
    • Low
    • Medium
    • High
    • Info

    Low

    trigger "<trigger-policy_name>"

    Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers. The maximum length is 63 characters. For details, see log trigger-policy.

    To display the list of existing trigger policies, enter:

    set trigger ?

    		No default.

    <entry_index>

    		 Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    sip-address-check {enable | disable}

    		 Enable to add the client’s source IP address as a criteria for matching the URL access rule. Also configure sip-address-type {sip | sdomain | source-domain} and the specific settings for each source address type. disable

    sip-address-type {sip | sdomain | source-domain}

    		 sip

    sip-address-value "<client_ip>"

    Enter one of the following values:

    • A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 172.16.1.20).
    • A range or addresses (e.g., 172.22.14.1-172.22.14.256 or 10:200::10:1-10:200:10:100).

    Available only if sip-address-type {sip | sdomain | source-domain} is sip.

    		 0.0.0.0

    sdomain-type {"<ipv4>" | "<ipv6>"}

    Specifies the type of IP address FortiWeb retrieves from the DNS lookup of the domain specified by sip-address-domain "<fqdn_str>".

    Available only if sip-address-type {sip | sdomain | source-domain} is sdomain.

    		 No default.

    sip-address-domain "<fqdn_str>"

    Specifies the domain to match the client source IP after DNS lookup.

    Available only if sip-address-type {sip | sdomain | source-domain} is sdomain.

    		 No default.

    source-domain-type {simple-string | regex-expression}
    • simple-stringsource-domain specifies a literal domain.
    • regex-expressionsource-domain specifies a regular expression that is designed to match multiple URLs.

    Available only if sip-address-type {sip | sdomain | source-domain} is source-domain.

    		 simple-string

    source-domain "<source-domain_str>"

    Enter a literal domain or a regular expression that is designed to match multiple URLs.

    Available only if sip-address-type {sip | sdomain | source-domain} is sdomain.

    		 No default.

    type {regex-expression | simple-string}

    Select how to use the text in reg-exp "<object_pattern>" to determine whether or not a request URL meets the conditions for this rule.

    • simple-string—The text is a string that request URLs must match exactly.
    • regular-expression—The text is a regular expression that defines a set of matching URLs.
    		 No default.

    reg-exp "<object_pattern>"

    Depending on your selection in type {regex-expression | simple-string} and reverse-match {yes | no}, type a regular expression that defines either all matching or all non-matching URLs. Then, also configure reverse-match {yes | no}.

    For example, for the URL access rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, for reverse-match, enter no.

    The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters.

    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}.

    		 No default.

    reverse-match {yes | no}

    Indicate how to use reg-exp "<object_pattern>" when determining whether or not this rule’s condition has been met.

    • no—If the simple string or regular expression does match the request URL, the condition is met.
    • yes—If the simple string or regular expression does not match the request URL, the condition is met.
      The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).
    		 no

    Example

    This example defines two sets of URL access rules.

    The first set, Blocked URL, defines two URL match conditions: one uses a simple string to match an administrative page, and the other uses a regular expression to match a set of dynamic URLs for statistics pages.

    The second set, Allowed URL, defines a single match condition that uses a regular expression to match all dynamic forms of the index page.

    Actual blocking or allowing of the URLs, however, would not occur until a policy applies these URL access rules, and sets an action that the FortiWeb appliance will perform when an HTTP request matches either rule set.

    config waf url-access url-access-rule

    edit "Blocked URL"

    config match-condition

    edit 1

    set type simple-string

    set reg-exp "/admin.php"

    next

    edit 2

    set type regular-expression

    set reverse-match no

    set reg-exp "statistics.php*"

    next

    end

    next

    edit "Allowed URL"

    config match-condition

    edit 1

    set type regular-expression

    set reverse-match no

    set reg-exp "index.php*"

    next

    end

    next

    end

    Related topics

    Previous
    Next

    waf url-access url-access-rule

    waf url-access url-access-rule

    Use this command to configure URL access rules that define the HTTP requests that are allowed or denied based on their host name and URL.

    Typically, for example, access to administrative panels for your web application should only be allowed if the client’s source IP address is an administrator’s computer on your private management network. Unauthenticated access from unknown locations increases risk of compromise. Best practice dictates that such risk should be minimized.

    To apply URL access rules, first group them within a URL access policy. For details see, waf url-access url-access-policy.

    You can use SNMP traps to notify you when a URL access rule is enforced. For details, see system snmp community.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf url-access url-access-rule

    edit "<url-access-rule_name>"

    set action {alert_deny | continue | pass | deny_no_log}

    set host "<protected-hosts_name>"

    set host-status {enable | disable}

    set severity {Informative | Low | Medium | High | Info}

    set trigger "<trigger-policy_name>"

    config match-condition

    edit <entry_index>

    set sip-address-check {enable | disable}

    set sip-address-type {sip | sdomain | source-domain}

    set sip-address-value "<client_ip>"

    set sdomain-type {"<ipv4>" | "<ipv6>"}

    set sip-address-domain "<fqdn_str>"

    set source-domain-type {simple-string | regex-expression}

    set source-domain "<source-domain_str>"

    set type {regex-expression | simple-string}

    set reg-exp "<object_pattern>"

    set reverse-match {yes | no}

    next

    end

    next

    end

    Variable Description Default

    "<url-access-rule_name>"

    Enter the name of a new or existing rule. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    edit ?

    		No default.

    action {alert_deny | continue | pass | deny_no_log}

    Select which action the FortiWeb appliance will take when a request matches the URL access rule.

    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

    • continue—Generate an alert and/or log message, then continue by evaluating any subsequent rules defined in the web protection profile. If no other rules are violated, allow the request. If multiple rules are violated, a single request will generate multiple attack log messages. For details, see debug flow trace.

    • pass—Allow the request. Do not generate an alert and/or log message.

    • deny_no_log—Deny a request. Do not generate a log message.

    Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

    Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, you should select pass. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

    		 pass

    host "<protected-hosts_name>"

    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 256 characters.

    This setting is used only if host-status {enable | disable} is enable.

    		 No default.

    host-status {enable | disable}

    		 Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the rule. Also configure host "<protected-hosts_name>". disable

    severity {Informative | Low | Medium | High | Info}

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when a blacklisted IP address attempts to connect to your web servers:

    • Informative
    • Low
    • Medium
    • High
    • Info

    Low

    trigger "<trigger-policy_name>"

    Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers. The maximum length is 63 characters. For details, see log trigger-policy.

    To display the list of existing trigger policies, enter:

    set trigger ?

    		No default.

    <entry_index>

    		 Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    sip-address-check {enable | disable}

    		 Enable to add the client’s source IP address as a criteria for matching the URL access rule. Also configure sip-address-type {sip | sdomain | source-domain} and the specific settings for each source address type. disable

    sip-address-type {sip | sdomain | source-domain}

    		 sip

    sip-address-value "<client_ip>"

    Enter one of the following values:

    • A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 172.16.1.20).
    • A range or addresses (e.g., 172.22.14.1-172.22.14.256 or 10:200::10:1-10:200:10:100).

    Available only if sip-address-type {sip | sdomain | source-domain} is sip.

    		 0.0.0.0

    sdomain-type {"<ipv4>" | "<ipv6>"}

    Specifies the type of IP address FortiWeb retrieves from the DNS lookup of the domain specified by sip-address-domain "<fqdn_str>".

    Available only if sip-address-type {sip | sdomain | source-domain} is sdomain.

    		 No default.

    sip-address-domain "<fqdn_str>"

    Specifies the domain to match the client source IP after DNS lookup.

    Available only if sip-address-type {sip | sdomain | source-domain} is sdomain.

    		 No default.

    source-domain-type {simple-string | regex-expression}
    • simple-stringsource-domain specifies a literal domain.
    • regex-expressionsource-domain specifies a regular expression that is designed to match multiple URLs.

    Available only if sip-address-type {sip | sdomain | source-domain} is source-domain.

    		 simple-string

    source-domain "<source-domain_str>"

    Enter a literal domain or a regular expression that is designed to match multiple URLs.

    Available only if sip-address-type {sip | sdomain | source-domain} is sdomain.

    		 No default.

    type {regex-expression | simple-string}

    Select how to use the text in reg-exp "<object_pattern>" to determine whether or not a request URL meets the conditions for this rule.

    • simple-string—The text is a string that request URLs must match exactly.
    • regular-expression—The text is a regular expression that defines a set of matching URLs.
    		 No default.

    reg-exp "<object_pattern>"

    Depending on your selection in type {regex-expression | simple-string} and reverse-match {yes | no}, type a regular expression that defines either all matching or all non-matching URLs. Then, also configure reverse-match {yes | no}.

    For example, for the URL access rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, for reverse-match, enter no.

    The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters.

    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}.

    		 No default.

    reverse-match {yes | no}

    Indicate how to use reg-exp "<object_pattern>" when determining whether or not this rule’s condition has been met.

    • no—If the simple string or regular expression does match the request URL, the condition is met.
    • yes—If the simple string or regular expression does not match the request URL, the condition is met.
      The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).
    		 no

    Example

    This example defines two sets of URL access rules.

    The first set, Blocked URL, defines two URL match conditions: one uses a simple string to match an administrative page, and the other uses a regular expression to match a set of dynamic URLs for statistics pages.

    The second set, Allowed URL, defines a single match condition that uses a regular expression to match all dynamic forms of the index page.

    Actual blocking or allowing of the URLs, however, would not occur until a policy applies these URL access rules, and sets an action that the FortiWeb appliance will perform when an HTTP request matches either rule set.

    config waf url-access url-access-rule

    edit "Blocked URL"

    config match-condition

    edit 1

    set type simple-string

    set reg-exp "/admin.php"

    next

    edit 2

    set type regular-expression

    set reverse-match no

    set reg-exp "statistics.php*"

    next

    end

    next

    edit "Allowed URL"

    config match-condition

    edit 1

    set type regular-expression

    set reverse-match no

    set reg-exp "index.php*"

    next

    end

    next

    end

    Related topics

    Previous
    Next