Fortinet black logo

CLI Reference

waf web-protection-profile offline-protection

waf web-protection-profile offline-protection

Use this command to configure Offline Protection profiles.

Detection profiles are useful when you want to preview the effects of some web protection features without affecting traffic, or without affecting your network topology.

Unlike protection profiles, a detection profile is designed for use in Offline Protection mode. Detection profiles cannot be guaranteed to block attacks. They attempt to reset the connection, but due to variable speeds of different routing paths, the reset request may arrive after the attack has been completed. Their primary purpose is to detect attacks, especially for use in conjunction with auto-learning profiles. In fact, if used in conjunction with auto-learning profiles, you should configure the detection profile to log only and not block attacks in order to gather complete session statistics for the auto-learning feature. As a result, detection profiles can only be selected in policies whose deployment-mode is offline-detection, and those policies will only be used by the FortiWeb appliance when its operation mode is offline-detection.

Unlike inline protection profiles, Offline Protection profiles do not support HTTP conversion, or cookie poisoning detection.

To apply detection profiles, select them within a server policy. For details, see server-policy policy.

Before configuring an Offline Protection profile, first configure any of the following that you want to include in the profile:

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf web-protection-profile offline-protection

edit "<offline-protection-profile_name>"

set client-management {enable | disable}

set http-session-timeout <seconds_int>

set x-forwarded-for-rule "<x-forwarded-for_name>"

set http-session-keyword "<key_str>"

set signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | "<signature-set_name>"}

set amf3-protocol-detection {enable | disable}

set custom-access-policy "<combo-access_name>"

set padding-oracle "<rule_name>"

set parameter-validation-rule "<rule_name>"

set hidden-fields-protection "<group_name>"

set file-upload-policy "<policy_name>"

set http-protocol-parameter-restriction "<constraint_name>"

set url-access-policy "<policy_name>"

set allow-method-policy "<policy_name>"

set ip-list-policy "<policy_name>"

set geo-block-list-policy "<policy_name>"

set ip-intelligence {enable | disable}

set csrf-protection "<rule_name>"

set user-tracking-policy "<user-tracking-policy_name>"

set data-analysis {enable | disable}

set comment "<comment_str>"

set openapi-validation-policy "<openapi-validation-policy_name>"

set json-validation-policy "<json-validation-policy_name>"

set mobile-app-identification {enable | disable}

set token-secret <token-secret_str>

set token-header <token-header_str>

set mobile-api-protection <mobile-api-protection_name>

set syntax-based-attack-detection <detection_name>

next

end

Variable Description Default

"<offline-protection-profile_name>"

Enter the name of the Offline Protection profile. The maximum length is 63 characters.

To display the list of existing profiles, enter:

edit ?

No default.

client-management {enable | disable}

Enable to track the states of HTTP sessions. Also configure http-session-timeout <seconds_int>.

Although HTTP has no inherent support for sessions, a notion of individual HTTP client sessions, rather than simply the source IP address and/or timestamp, is required by some features.

For example, you might want to require that a client’s first HTTP request always be a login page: the rest of the web pages should be inaccessible if they have not authenticated. Out-of-order requests could represent an attempt to bypass the web application’s native authentication mechanism. How can FortiWeb know if a request is the client’s first HTTP request? If FortiWeb were to treat each request independently, without knowledge of anything previous, it could not, by definition, enforce page order. Therefore FortiWeb must keep some record of the first request from that client (the session initiation). It also must record their previous HTTP request(s), until a span of time (the session timeout) has elapsed during which there were no more subsequent requests, after which it would require that the session be initiated again.

The session management feature provides such FortiWeb session support.

Note: This feature requires that the client support cookies.

Note: You must enable this option if you want to

include this profile’s traffic in the traffic log, in addition to enabling traffic logs in general. For details, see log attack-log.

disable

http-session-timeout <seconds_int>

Enter the HTTP session timeout in seconds. The valid range is 20–3,600.

This setting is available only if waf web-protection-profile offline-protection is enabled.

1200

x-forwarded-for-rule "<x-forwarded-for_name>"

Specify the name of a rule that configures FortiWeb’s use of X-Forwarded-For: and X-Real-IP. For details, see waf x-forwarded-for.

To display a list of existing rules, enter:

set forwarded-for-rule ?

No default.

http-session-keyword "<key_str>"

If you want to use an HTTP header other than Session-Id: to track separate HTTP sessions, enter the key portion of the HTTP header that you want to use, such as Session-Num.

The maximum length is 63 characters.

No default.

signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | "<signature-set_name>"}

Specify a signature policy to include in the profile. The maximum length is 63 characters. For details, see waf signature.

To display the list of existing rules, enter:

set server-protection-rule ?

The type of attack that FortiWeb detects determines the attack log messages for this feature. For a list, see waf signature.

No default.

amf3-protocol-detection {enable | disable}

Enable to scan requests that use the action message format 3.0 (AMF3) for these attacks if you have enabled those in the set of signatures specified by signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | "<signature-set_name>"}:

  • Cross-site scripting (XSS) attacks
  • SQL injection attacks
  • Common exploits

AMF3 is a binary format that can be used by Adobe Flash clients to send input to server-side software.

Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option makes the FortiWeb appliance unable to scan AMF3 requests for attacks.

disable

custom-access-policy "<combo-access_name>"

Enter the name of a custom access policy. The maximum length is 63 characters. For details, see waf custom-access policy.

To display the list of existing policies, enter:

set custom-access-policy ?

No default.

padding-oracle "<rule_name>"

Enter the name of a padding oracle protection rule. The maximum length is 63 characters. For details, see waf padding-oracle.

To display the list of existing rules, enter:

set padding-oracle ?

No default.

parameter-validation-rule "<rule_name>"

Enter the name of a parameter validation rule. The maximum length is 63 characters. For details, see waf parameter-validation-rule.

To display the list of existing rules, enter:

set parameter-validation-rule ?

No default.

hidden-fields-protection "<group_name>"

Enter the name of a hidden field rule group that you want to apply, if any. The maximum length is 63 characters. For details, see waf hidden-fields-protection.

To display the list of existing groups, enter:

set hidden-fields-protection ?

No default.

file-upload-policy "<policy_name>"

Enter the name of a file security policy. The maximum length is 63 characters. For details, see server-policy custom-application application-policy.

To display the list of existing policies, enter:

set file-upload-policy ?

No default.

http-protocol-parameter-restriction "<constraint_name>"

Enter the name of an HTTP protocol constraint that you want to apply, if any. The maximum length is 63 characters. For details, see waf http-protocol-parameter-restriction.

To display the list of existing constraints, enter:

set http-protocol-parameter-restriction ?

No default.

url-access-policy "<policy_name>"

Enter the name of a URL access policy. The maximum length is 63 characters. For details, see waf url-access url-access-policy.

To display the list of existing policies, enter:

set url-access-policy ?

No default.

allow-method-policy "<policy_name>"

Enter the name of an allowed method policy. The maximum length is 63 characters. For details, see server-policy custom-application application-policy.

To display the list of existing policies, enter:

set allow-method-policy ?

No default.

ip-list-policy "<policy_name>"

Enter the name of a trusted IP or blacklisted IP policy. The maximum length is 63 characters. For details, see server-policy custom-application application-policy.

To display the list of existing policies, enter:

set ip-list-policy ?

No default.

geo-block-list-policy "<policy_name>"

Enter the name of a geographically-based client IP black list that you want to apply, if any. The maximum length is 63 characters. For details, see waf geo-block-list.

To display the list of existing policies, enter:

set geo-block-list-policy ?

No default.

ip-intelligence {enable | disable}

Enable to apply intelligence about the reputation of the client’s source IP. Blocking and logging behavior is configured in waf ip-intelligence.

disable

csrf-protection "<rule_name>"

Select the name of cross-site request forgery protection rule, if any, to apply to matching requests. See waf csrf-protection.

To display the list of existing rules, enter:

set csrf-protection ?

Available only when client-management {enable | disable} is enabled.

user-tracking-policy "<user-tracking-policy_name>"

Select the name of a user tracking policy. The maximum length is 63 characters. For details, see waf user-tracking policy.

To display the list of existing policies, enter:

set user-tracking-policy ?

No default.

data-analysis {enable | disable}

Enable this to collect data for servers covered by this profile. To view the statistics for collected data, in the web UI, go to Log&Report > Monitor > Data Analytics.

disable

comment "<comment_str>"

Enter a description or other comment. If the comment contains more than one word or contains an apostrophe, surround the comment in double quotes ( " ). The maximum length is 199 characters.

No default.
openapi-validation-policy "<openapi-validation-policy_name>" Select the openapi validation policy name. No default.
json-validation-policy "<json-validation-policy_name>" Select the JSON protection policy name. No default.

mobile-app-identification {enable | disable}

Enable to configure the JWT token secret and token header to verify a request from a mobile application.

Refer to Approov doc for how to get the token.

disable

token-secret <token-secret_str>

Enter the token secret that you have got from Approov.

Available only when mobile-app-identification {enable | disable} is enable.

No default

token-header <token-header_str>

Specify the header where the token is carried.

Available only when mobile-app-identification {enable | disable} is enable.

No default

mobile-api-protection <mobile-api-protection_name>

Select the name of an existing API protection policy. For details, see waf mobile-api-protection.

Available only when mobile-app-identification {enable | disable} is enable.

No default

syntax-based-attack-detection <detection_name>

Select the name of an existing SQL/XSS syntax based detection policy. For details, see waf syntax-based-attack-detection.

No default

Related topics

waf web-protection-profile offline-protection

Use this command to configure Offline Protection profiles.

Detection profiles are useful when you want to preview the effects of some web protection features without affecting traffic, or without affecting your network topology.

Unlike protection profiles, a detection profile is designed for use in Offline Protection mode. Detection profiles cannot be guaranteed to block attacks. They attempt to reset the connection, but due to variable speeds of different routing paths, the reset request may arrive after the attack has been completed. Their primary purpose is to detect attacks, especially for use in conjunction with auto-learning profiles. In fact, if used in conjunction with auto-learning profiles, you should configure the detection profile to log only and not block attacks in order to gather complete session statistics for the auto-learning feature. As a result, detection profiles can only be selected in policies whose deployment-mode is offline-detection, and those policies will only be used by the FortiWeb appliance when its operation mode is offline-detection.

Unlike inline protection profiles, Offline Protection profiles do not support HTTP conversion, or cookie poisoning detection.

To apply detection profiles, select them within a server policy. For details, see server-policy policy.

Before configuring an Offline Protection profile, first configure any of the following that you want to include in the profile:

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf web-protection-profile offline-protection

edit "<offline-protection-profile_name>"

set client-management {enable | disable}

set http-session-timeout <seconds_int>

set x-forwarded-for-rule "<x-forwarded-for_name>"

set http-session-keyword "<key_str>"

set signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | "<signature-set_name>"}

set amf3-protocol-detection {enable | disable}

set custom-access-policy "<combo-access_name>"

set padding-oracle "<rule_name>"

set parameter-validation-rule "<rule_name>"

set hidden-fields-protection "<group_name>"

set file-upload-policy "<policy_name>"

set http-protocol-parameter-restriction "<constraint_name>"

set url-access-policy "<policy_name>"

set allow-method-policy "<policy_name>"

set ip-list-policy "<policy_name>"

set geo-block-list-policy "<policy_name>"

set ip-intelligence {enable | disable}

set csrf-protection "<rule_name>"

set user-tracking-policy "<user-tracking-policy_name>"

set data-analysis {enable | disable}

set comment "<comment_str>"

set openapi-validation-policy "<openapi-validation-policy_name>"

set json-validation-policy "<json-validation-policy_name>"

set mobile-app-identification {enable | disable}

set token-secret <token-secret_str>

set token-header <token-header_str>

set mobile-api-protection <mobile-api-protection_name>

set syntax-based-attack-detection <detection_name>

next

end

Variable Description Default

"<offline-protection-profile_name>"

Enter the name of the Offline Protection profile. The maximum length is 63 characters.

To display the list of existing profiles, enter:

edit ?

No default.

client-management {enable | disable}

Enable to track the states of HTTP sessions. Also configure http-session-timeout <seconds_int>.

Although HTTP has no inherent support for sessions, a notion of individual HTTP client sessions, rather than simply the source IP address and/or timestamp, is required by some features.

For example, you might want to require that a client’s first HTTP request always be a login page: the rest of the web pages should be inaccessible if they have not authenticated. Out-of-order requests could represent an attempt to bypass the web application’s native authentication mechanism. How can FortiWeb know if a request is the client’s first HTTP request? If FortiWeb were to treat each request independently, without knowledge of anything previous, it could not, by definition, enforce page order. Therefore FortiWeb must keep some record of the first request from that client (the session initiation). It also must record their previous HTTP request(s), until a span of time (the session timeout) has elapsed during which there were no more subsequent requests, after which it would require that the session be initiated again.

The session management feature provides such FortiWeb session support.

Note: This feature requires that the client support cookies.

Note: You must enable this option if you want to

include this profile’s traffic in the traffic log, in addition to enabling traffic logs in general. For details, see log attack-log.

disable

http-session-timeout <seconds_int>

Enter the HTTP session timeout in seconds. The valid range is 20–3,600.

This setting is available only if waf web-protection-profile offline-protection is enabled.

1200

x-forwarded-for-rule "<x-forwarded-for_name>"

Specify the name of a rule that configures FortiWeb’s use of X-Forwarded-For: and X-Real-IP. For details, see waf x-forwarded-for.

To display a list of existing rules, enter:

set forwarded-for-rule ?

No default.

http-session-keyword "<key_str>"

If you want to use an HTTP header other than Session-Id: to track separate HTTP sessions, enter the key portion of the HTTP header that you want to use, such as Session-Num.

The maximum length is 63 characters.

No default.

signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | "<signature-set_name>"}

Specify a signature policy to include in the profile. The maximum length is 63 characters. For details, see waf signature.

To display the list of existing rules, enter:

set server-protection-rule ?

The type of attack that FortiWeb detects determines the attack log messages for this feature. For a list, see waf signature.

No default.

amf3-protocol-detection {enable | disable}

Enable to scan requests that use the action message format 3.0 (AMF3) for these attacks if you have enabled those in the set of signatures specified by signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | "<signature-set_name>"}:

  • Cross-site scripting (XSS) attacks
  • SQL injection attacks
  • Common exploits

AMF3 is a binary format that can be used by Adobe Flash clients to send input to server-side software.

Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option makes the FortiWeb appliance unable to scan AMF3 requests for attacks.

disable

custom-access-policy "<combo-access_name>"

Enter the name of a custom access policy. The maximum length is 63 characters. For details, see waf custom-access policy.

To display the list of existing policies, enter:

set custom-access-policy ?

No default.

padding-oracle "<rule_name>"

Enter the name of a padding oracle protection rule. The maximum length is 63 characters. For details, see waf padding-oracle.

To display the list of existing rules, enter:

set padding-oracle ?

No default.

parameter-validation-rule "<rule_name>"

Enter the name of a parameter validation rule. The maximum length is 63 characters. For details, see waf parameter-validation-rule.

To display the list of existing rules, enter:

set parameter-validation-rule ?

No default.

hidden-fields-protection "<group_name>"

Enter the name of a hidden field rule group that you want to apply, if any. The maximum length is 63 characters. For details, see waf hidden-fields-protection.

To display the list of existing groups, enter:

set hidden-fields-protection ?

No default.

file-upload-policy "<policy_name>"

Enter the name of a file security policy. The maximum length is 63 characters. For details, see server-policy custom-application application-policy.

To display the list of existing policies, enter:

set file-upload-policy ?

No default.

http-protocol-parameter-restriction "<constraint_name>"

Enter the name of an HTTP protocol constraint that you want to apply, if any. The maximum length is 63 characters. For details, see waf http-protocol-parameter-restriction.

To display the list of existing constraints, enter:

set http-protocol-parameter-restriction ?

No default.

url-access-policy "<policy_name>"

Enter the name of a URL access policy. The maximum length is 63 characters. For details, see waf url-access url-access-policy.

To display the list of existing policies, enter:

set url-access-policy ?

No default.

allow-method-policy "<policy_name>"

Enter the name of an allowed method policy. The maximum length is 63 characters. For details, see server-policy custom-application application-policy.

To display the list of existing policies, enter:

set allow-method-policy ?

No default.

ip-list-policy "<policy_name>"

Enter the name of a trusted IP or blacklisted IP policy. The maximum length is 63 characters. For details, see server-policy custom-application application-policy.

To display the list of existing policies, enter:

set ip-list-policy ?

No default.

geo-block-list-policy "<policy_name>"

Enter the name of a geographically-based client IP black list that you want to apply, if any. The maximum length is 63 characters. For details, see waf geo-block-list.

To display the list of existing policies, enter:

set geo-block-list-policy ?

No default.

ip-intelligence {enable | disable}

Enable to apply intelligence about the reputation of the client’s source IP. Blocking and logging behavior is configured in waf ip-intelligence.

disable

csrf-protection "<rule_name>"

Select the name of cross-site request forgery protection rule, if any, to apply to matching requests. See waf csrf-protection.

To display the list of existing rules, enter:

set csrf-protection ?

Available only when client-management {enable | disable} is enabled.

user-tracking-policy "<user-tracking-policy_name>"

Select the name of a user tracking policy. The maximum length is 63 characters. For details, see waf user-tracking policy.

To display the list of existing policies, enter:

set user-tracking-policy ?

No default.

data-analysis {enable | disable}

Enable this to collect data for servers covered by this profile. To view the statistics for collected data, in the web UI, go to Log&Report > Monitor > Data Analytics.

disable

comment "<comment_str>"

Enter a description or other comment. If the comment contains more than one word or contains an apostrophe, surround the comment in double quotes ( " ). The maximum length is 199 characters.

No default.
openapi-validation-policy "<openapi-validation-policy_name>" Select the openapi validation policy name. No default.
json-validation-policy "<json-validation-policy_name>" Select the JSON protection policy name. No default.

mobile-app-identification {enable | disable}

Enable to configure the JWT token secret and token header to verify a request from a mobile application.

Refer to Approov doc for how to get the token.

disable

token-secret <token-secret_str>

Enter the token secret that you have got from Approov.

Available only when mobile-app-identification {enable | disable} is enable.

No default

token-header <token-header_str>

Specify the header where the token is carried.

Available only when mobile-app-identification {enable | disable} is enable.

No default

mobile-api-protection <mobile-api-protection_name>

Select the name of an existing API protection policy. For details, see waf mobile-api-protection.

Available only when mobile-app-identification {enable | disable} is enable.

No default

syntax-based-attack-detection <detection_name>

Select the name of an existing SQL/XSS syntax based detection policy. For details, see waf syntax-based-attack-detection.

No default

Related topics