server-policy policy

Use this command to configure HTTP, FTP, and AD FS server policies.

FortiWeb applies only one server policy to each connection.

HTTP policy behavior varies by the operation mode. FTP and AD FS server policies are available only in Reverse Proxy mode. For details, see FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

When you switch the operation mode, FortiWeb deletes server policies from the configuration file if they are not applicable in the current operation mode.

To determine which type of server policy to create, configure protocol {HTTP | FTP | ADFSPIP}. If you're planning to configure an FTP server policy, you'll need to confirm that system feature-visibility is enabled. For details, see system feature-visibility.

Before you configure an HTTP server policy, you can configure several policies and profiles:

Configure a virtual server and server pool. For details, see server-policy vserver and server-policy server-pool.
To route traffic based on headers in the HTTP layer, configure one or more HTTP content routing policies. For details, see server-policy http-content-routing-policy.
To restrict traffic based upon which hosts you want to protect, configure a group of protected host names. For details, see server-policy allow-hosts.
If you plan to authenticate users, you need to configure users, user groups, and authentication rules and policy, and include the policy in an inline web protection profile. For details, see user ldap-user, user local-user, user ntlm-user, user user-group, waf http-authen http-authen-rule, and waf http-authen http-authen-policy.
To apply a web protection profile to a server policy, you must first configure them. For details, see waf web-protection-profile inline-protection (Reverse Proxy mode or either of the transparent modes), or waf web-protection-profile offline-protection (Offline Protection mode) .
If you want to use the FortiWeb appliance to apply SSL to connections instead of using physical servers, you must also import a server certificate or create a Server Name Indication (SNI) configuration. For details, see system certificate local, system certificate sni, and system certificate urlcert.
If you want the FortiWeb appliance to verify the certificate provided by an HTTP client to authenticate themselves, you must also define a certificate verification rule. If you want to specify whether a client is required to present a personal certificate or not based on the request URL, create a URL-based client certificate group. For details, see system certificate verify.

You can also use SNMP traps to notify you of policy status changes, or when a policy enforces your network usage policy. For details, see system snmp community.

Before you configure an FTP server policy, you need to:

Configure an FTP command restriction rule. For details, see waf ftp-command-restriction-rule.
Configure an FTP file check rule. For details, see waf ftp-file-security.
Enable IP reputation intelligence. For details, see waf ip-intelligence.
Create a geo IP rule. For details, see waf geo-block-list.
Create an IP list. For details, see waf ip-list.
Configure an FTP security inline profile. For details, see waf ftp-propredefined-global-white-listtection-profile .

Before you configure an AD FS server policy, you need to:

Configure a virtual server and server pool. For details, see server-policy vserver and server-policy server-pool.server-policy vserver
Import a certificate file and a CA file. For details, see system certificate local and system certificate ca.

To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

config server-policy policy

edit "<policy_name>"

set allow-hosts "<hosts_name>"

set block-port <port_int>

set case-sensitive {enable | disable}

set certificate "<certificate_name>"

set client-certificate-forwarding {enable | disable}

set server-policy policy

set client-certificate-forwarding-sub-header "<header_str>"

set client-real-ip {enable | disable}

set real-ip-addr <real-ip-addr_str>

set client-timeout <seconds_int>

set comment "<comment_str>"

set data-capture-port <port_int>

set deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers}

set ftp-protection-profile <profile_name>

set half-open-threshold <packets_int>

set hpkp-header "<hpkp_name>"

set hsts-header {enable | disable}

set hsts-max-age <timeout_int>

set hsts-header {enable | disable}

set http-header-timeout <seconds_int>

set http-pipeline {enable | disable}

set http-to-https {enable | disable}

set https-service "<service_name>"

set implicit_ssl {enable | disable}

set intermediate-certificate-group "<CA-group_name>"

set internal-cookie-httponly {enable | disable}

set internal-cookie-secure {enable | disable}

set monitor-mode {enable | disable}

set noparse {enable | disable}

set server-policy policy

set prefer-current-session {enable |disable}

set protocol {HTTP | FTP | ADFSPIP}

set server-pool "<server-pool_name>"

set service "<service_name>"

set proxy-protocol {enable | disable}

set use-proxy-protocol-addr {enable | disable}

set replacemsg <replacemsg_name>

set sessioncookie-enforce {enable | disable}

set sni {enable | disable}

set sni-certificate "<sni_name>"

set sni-strict {enable | disable}

set ssl {enable | disable}

set ssl-cipher {medium | high | custom}

set ssl-client-verify "<verifier_name>"

set ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}

set tls13-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}

set ssl-noreg {enable | disable}

set ssl-quiet-shutdown {enable | disable}

set ssl-session-timeout <ssl-session-timeout_int>

set status {enable | disable}

set syncookie {enable | disable}

set tcp-recv-timeout <seconds_int>

set tls-v10 {enable | disable}

set tls-v11 {enable | disable}

set tls-v12 {enable | disable}

set tls-v13 {enable | disable}

set urlcert {enable | disable}

set urlcert-group "<urlcert-group_name>"

set urlcert-hlen <len_int>

set vserver "<vserver_name>"

set v-zone "<bridge_name>"

set server-policy policy

set traffic-mirror {enable | disable}

set traffic-mirror-type {client-side | server-side| both-side}

set traffic-mirror-profile <traffic-mirror-profile_str>

set adfs-certificate-ssl-client-verify <adfs-certificate-ssl-client-verify_str>}

set adfs-certificate-service <adfs-certificate-service_str>}

set multi-certificate {enable | disable}

set certificate-group <certificate-group_str>}

set acceleration-policy <acceleration-policy_str>

set web-cache {enable | disable}

set retry-on {enable | disable}

set retry-on-cache-size <retry-on-cache-size_int>

set retry-on-connect-failure {enable | disable}

set retry-times-on-connect-failure <retry-times-on-connect-failure_int>

set retry-on-http-layer {enable | disable}

set retry-times-on-http-layer <retry-times-on-http-layer_int>

set retry-on-http-response-codes {404 | 408 | 500 | 501 | 502 | 503 | 504}

config http-content-routing-list

edit <entry_index>

set content-routing-policy-name "<content-routing_name>"

set is-default {yes | no}

set profile-inherit {enable | disable}

set server-policy policy

end

Variable	Description	Default
"<policy_name>"	Enter the name of the policy. The maximum length is 63 characters. To display the list of existing policies, enter: `edit ?`	No default.
allow-hosts "<hosts_name>"	Enter the name of a protected hosts group to allow or reject connections based upon whether the `Host:` field in the HTTP header is empty or does or does not match the protected hosts group. The maximum length is 63 characters. To display the list of existing groups, enter: `edit ?` If you do not select a protected hosts group, FortiWeb accepts pr blocks requests based upon other criteria in the policy or protection profile, but regardless of the `Host:` field in the HTTP header. Note: Unlike HTTP 1.1, HTTP 1.0 does not require the `Host:` field. The FortiWeb appliance does not block HTTP 1.0 requests because they do not have this field, regardless of whether or not you have selected a protected hosts group.	No default.
block-port <port_int>	Enter the number of the physical network interface port that FortiWeb uses to send TCP `RST` (reset) packets when a request violates the policy. The valid range varies by the number of physical ports on the NIC. For example, to send TCP `RST` from `port1`, enter: `set block-port port1` Available only when the operating mode is Offline Protection.	No default.
case-sensitive {enable \| disable}	Enable to differentiate uniform resource locators (URLs) according to upper case and lower case letters for features that act upon the URLs in the headers of HTTP requests, such as start page rules, black list rules, white list rules, and page access rules. For example, when enabled, an HTTP request involving `http://www.`E`xample.com/` would not match protection profile features that specify `http://www.`e`xample.com` (difference highlighted in bold).	No default.
certificate "<certificate_name>"	Enter the name of the certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections. The maximum length is 63 characters. To display the list of existing certificates, enter: `edit ?` If sni {enable \| disable} is `enable`, FortiWeb uses a Server Name Indication (SNI) configuration instead of or in addition to this server certificate. For details, see sni {enable \| disable}. This option is used only if https-service "<service_name>" is configured.	No default.
client-certificate-forwarding {enable \| disable}	Enable to include the X.509 personal certificate presented by the client during the SSL/TLS handshake, if any, in an `X-Client-Cert:` HTTP header when forwarding the traffic to the protected web server. FortiWeb still validates the client certificate itself, but this can be useful if the web server requires the client certificate for the purpose of server-side identity-based functionality.	`disable`
client-certificate-forwarding-cert-header "<header_str>"	Enter a custom certificate header that will include the Base64 certificate of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server.	x-client-cert
client-certificate-forwarding-sub-header "<header_str>"	Enter a custom subject header that will include the subject of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server.	x-client-dn
client-real-ip {enable \| disable}	Enter `enable` to configure FortiWeb to use the source IP address of the client that originated the request when it connects to a back-end server on behalf of that client. By default, when the operation mode is Reverse Proxy, the source IP for connections between FortiWeb and back-end servers is the address of a FortiWeb network interface. Note: To ensure FortiWeb receives the server's response, configure FortiWeb as the server’s gateway. Available only if the operating mode is Reverse Proxy.	`disable`
real-ip-addr <real-ip-addr_str>	Specify an IP address or address range to directly connect to the back-end server.	No default.
client-timeout <seconds_int>	Enter the amount of time (in seconds) that FortiWeb will keep open a connection with an idle client that isn't sending data. The valid range is 1–1200. A value of 0 means that there is no timeout.	0
comment "<comment_str>"	Enter a description or other comment. If the comment is more than one word or contains special characters, surround the comment with double quotes ( `"` ). The maximum length is 999 characters.	No default.
data-capture-port <port_int>	Enter the network interface of incoming traffic that the policy attempts to apply a profile to. The IP address is ignored. Available only if the operating mode is offline inspection.
deployment-mode {server-pool \| http-content-routing \| offline-protection \| transparent-servers \| wccp-servers}	Specify the distribution method that FortiWeb uses when it forwards connections accepted by this policy. `server-pool`—Forwards connections to a server pool. Depending on the pool configuration, FortiWeb either forwards connections to a single physical server or domain server or distributes the connection among the pool members. Also configure server-pool "<server-pool_name>". This option is available only if the operating mode is Reverse Proxy mode. http-content-routing—Use HTTP content routing to route HTTP requests to a specific server pool. This option is available only if the FortiWeb appliance is operating in Reverse Proxy mode. `offline-detection` — Allows connections to pass through the FortiWeb appliance and applies an Offline Protection profile. Also configure server-pool "<server-pool_name>". This is the only option available if operating mode is Offline Protection. `transparent-servers`—Allows connections to pass through the FortiWeb appliance and applies a protection profile. Also configure server-pool "<server-pool_name>". This is the only option available when the operating mode is either True Transparent Proxy or Transparent Inspection. `wccp-servers`—FortiWeb is a Web Cache Communication Protocol (WCCP) client that receives traffic from a FortiGate configured as a WCCP server. Also configure server-pool "<server-pool_name>". This is the only option available when the operation mode is WCCP.	No default.
ftp-protection-profile <profile_name>	Enter the FTP security profile to apply to connections that this policy monitors. If you haven't created a profile yet, see waf ftp-propredefined-global-white-listtection-profile or instructions about creating one.	No default.
half-open-threshold <packets_int>	Enter the maximum number of TCP `SYN` packets, including retransmission, that FortiWeb allows to be sent per second to a destination address. If this threshold is exceeded, the FortiWeb appliance treats the traffic as a DoS attack and ignores additional traffic from that source address. The valid range is 10–10,000. Available only when the operating mode is Reverse Proxy or True Transparent Proxy and syncookie {enable \| disable} is enabled.	`8192`
hpkp-header "<hpkp_name>"	Select an HPKP profile, if any, to use to verify certificates when clients attempt to access a server. HPKP prevents attackers from carrying out Man in the Middle (MITM) attacks with forged certificates. Available only when the operating mode is Reverse Proxy.	No default.
hsts-header {enable \| disable}	Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply, such as: `Strict-Transport-Security: max-age=31536000; includeSubDomains` This header forces the client to use HTTPS for subsequent visits to this domain. If the certificate does not validate, it also causes a fatal connection error: the client’s web browser does not display any dialog that allows the user to override the certificate mismatch error and continue. Available only if https-service "<service_name>" is configured.	`disable`
hsts-max-age <timeout_int>	Enter the time to live in seconds for the HSTS header. Available only if hsts-header {enable \| disable} is enabled. The valid range is 3,600–31,536,000.	`7776000`
http2 {enable \| disable}	FortiWeb's HTTP/2 security inspection is only supported for Revers Proxy mode and True Transparent Proxy mode. This option enables FortiWeb operating in Reverse Proxy mode (see opmode {offline-protection \| reverse-proxy \| transparent \| transparent-inspection \| wccp}) to negotiate HTTP/2 with clients via SSL ALPN (Application-Layer Protocol Negotiation) during the SSL handshake if the client's browser supports HTTP/2 protocol. With the HTTP/2 being enabled, FortiWebcan recognize HTTP/2 traffic and apply the security services to it. To enable HTTP/2 communication between the FortiWeb and back-end web servers for HTTP/2 inspections in Reverse Proxy mode, see http2 {enable \| disable}. Available only when `opmode` is set to `reverse-proxy`, deployment-mode {server-pool \| http-content-routing \| offline-protection \| transparent-servers \| wccp-servers} is set to `server-pool` and https-service "<service_name>" is set correctly. FortiWeb supports HTTP/2 only for HTTPS connections and HTTP Content Routing is not supported for HTTP/2. When `opmode` is set to `transparent` and `deployment-mode` is set to `transparent-servers`, this is not available. It only requires http2 {enable \| disable} to enable the HTTP/2 security inspections in True Transparent Proxy mode; this option here is not required. For more details about HTTP/2 support, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides	disable
http-header-timeout <seconds_int>	Enter the amount of time (in seconds) that FortiWeb will wait for the whole HTTP request header after a client sets up a TCP connection. The valid range is 0–1200. A value of 0 means that there is no timeout.	0
http-pipeline {enable \| disable}	Specify whether FortiWeb accelerates transactions by bundling them inside the same TCP connection, instead of waiting for a response before sending/receiving the next request. This can increase performance when pages containing many images, scripts, and other auxiliary files are all hosted on the same domain, and therefore logically could use the same connection. When FortiWeb is operating in Reverse Proxy or True Transparent Proxy mode, it can automatically use HTTP pipelining for requests with the following characteristics: HTTP version is 1.1 The Connection general-header field does not include the "close" option (for example, `Connection: close`) The HTTP method is `GET` or `HEAD`	`enable`
http-to-https {enable \| disable}	Specify enable to automatically redirect all HTTP requests to the HTTPS service with the same URL and parameters. Also configure https-service and ensure service uses port 443 (the default). FortiWeb does not apply the protection profile for this policy (specified by server-policy policy) to the redirected traffic. Available only when the operation mode is Reverse Proxy.	`disable`
https-service "<service_name>"	Enter the custom or predefined service that defines the port number on which the virtual server receives HTTPS traffic. The maximum length is 63 characters. To display the list of existing services, enter: `edit ?` Available only when the operating mode is Reverse Proxy. For other operation modes, use the server pool configuration to enable SSL inspection instead.	No default.
proxy-protocol {enable \| disable}	Enable this option when proxy servers or load balancers are installed before FortiWeb, for example, when a load balancer with proxy protocol enabled is deployed before FortiWeb-VM on AWS. When Proxy Protocol is enabled, FortiWeb can receive client connection information in the proxy protocol package passed through proxy servers and load balancers.	`disable`
use-proxy-protocol-addr {enable \| disable}	Enable to use the source address of the proxy protocol in server policy. If disabled, the source address of the connection will be used.	`enable`
replacemsg <replacemsg_name>	Select the replacement message to apply to the policy.	No default.
intermediate-certificate-group "<CA-group_name>"	Enter the name of an intermediate certificate authority (CA) group, if any, that FortiWeb uses to validate the CA signing chain in a client’s certificate. The maximum length is 63 characters. To display the list of existing groups, enter: `edit ?` Available only if https-service "<service_name>" is configured.	No default.
internal-cookie-httponly {enable \| disable}	Enable to assign an `httponly` flag to internal cookies. This feature is independent of the Cookie Security policy, if any, that you have in use.	enable
internal-cookie-secure {enable \| disable}	Enable to assign a `secure` flag to internal cookies. This flag can only be assigned if the connection is over SSL. This feature is independent of the Cookie Security policy, if any, that you have in use.	disable
monitor-mode {enable \| disable}	Enable to override deny and redirect actions defined in the server protection rules for the selected policy. This setting enables FortiWeb to log attacks without performing the deny or redirect action. Disable to allow FortiWeb to perform attack deny/redirect actions as defined by the server protection rules.	`disable`
noparse {enable \| disable}	Enable this option to apply the server policy as a pure proxy, without parsing the content. In this case, the policy allows all traffic to pass through the FortiWeb appliance without applying any protection rules. See also debug application http and debug flow trace. This option applies to server policy only when the FortiWeb appliance operates in Reverse Proxy or True Transparent Proxy mode. Caution: Use this only during debugging and for as brief a period as possible. This feature disables many protection features. See also http-parse-error-output {enable \| disable}.	`disable`
prefer-current-session {enable \|disable}	Enable to forward subsequent requests from an identified client connection to the same server pool as the initial connection from the client. This option allows FortiWeb to improve its performance by skipping the process of matching HTTP header content to content routing policies for connections it has already evaluated and routed. Available only when deployment-mode {server-pool \| http-content-routing \| offline-protection \| transparent-servers \| wccp-servers} is http-content-routing.	`disable`
protocol {HTTP \| FTP \| ADFSPIP}	Select one of the following: `HTTP`—Specifies that the server policy governs HTTP traffic. Specific options for configuring an HTTP server policy become available. `FTP`—Specifies that the server policy governs FTP traffic. Specific options for configuring an FTP server policy become available. `ADFSPIP`—Specifies that the server policy governs AD FS traffic. Specific options for configuring an AD FS server policy become available.	HTTP
server-pool "<server-pool_name>"	Enter the name of the server pool whose members receive the connections. To display the list of existing servers, enter: `edit ?` This field is applicable only if deployment-mode {server-pool \| http-content-routing \| offline-protection \| transparent-servers \| wccp-servers} is `server-pool`, offline-protection or transparent-servers. Caution: Multiple virtual servers/policies can forward traffic to the same server pool. If you do this, consider the total maximum load of connections that all virtual servers forward to your server pool. This configuration can multiply traffic forwarded to your server pool, which can overload it and cause dropped connections.	No default.
service "<service_name>"	Enter the custom or predefined service that defines the port number on which the virtual server receives HTTP traffic. The maximum length is 63 characters. To display the list of existing services, enter: `edit ?` Available only when the operating mode is Reverse Proxy.	No default.
sessioncookie-enforce {enable \| disable}	`enable`—When FortiWeb maintains session persistence using cookies, it inserts a cookie in subsequent transactions in a session if the transaction does not contain a control cookie. This option is useful if your environment uses TCP multiplexing, which combines HTTP requests from multiple clients in a single session for load balancing or other purposes. disable—When FortiWeb maintains session persistence using cookies, it tracks or inserts the cookie for the first transaction of a session only. It does not track or insert a cookie in subsequent transactions in the session, even if the transaction does not contain a control cookie. For details about configuring session persistence, see server-policy persistence-policy.	`disable`
sni {enable \| disable}	Enable to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by `certificate <certificate_name>`. The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. For details, see system certificate sni. If you specify both a SNI configuration and a certificate, FortiWeb uses the certificate specified by certificate "<certificate_name>" when the requested domain does not match a value in the SNI configuration. If you enable sni-strict {enable \| disable}, FortiWeb always ignores the value of certificate "<certificate_name>". Available only if https-service "<service_name>" is configured.	`disable`
sni-certificate "<sni_name>"	Enter the name of the Server Name Indication (SNI) configuration that specifies which certificate FortiWeb uses when encrypting or decrypting SSL-secured connections for a specified domain. The SNI configuration enables FortiWeb to present different certificates on behalf of the members of a pool according to the requested domain. If only one certificate is required to encrypt and decrypt traffic that this policy applies to, specify certificate "<certificate_name>" instead. Available only if https-service "<service_name>" is configured.	No default.
sni-strict {enable \| disable}	Select to configure FortiWeb to ignore the value of certificate "<certificate_name>" when it determines which certificate to present on behalf of server pool members, even if the domain in a client request does not match a value in the specified SNI configuration.	`disable`
ssl {enable \| disable}	Enable so that connections between clients and FortiWeb use SSL/TLS. Enabling `ssl` will allow you to configure additional SSL options and settings, including specifying supported SSL protocols and uploading certificates.	disable
ssl-cipher {medium \| high \| custom}	Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or custom configuration. If custom, also specify `ssl-custom-cipher`. This is not allowed to set to `custom` if `http2` is set to `enable`. For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides Available only if https-service "<service_name>" is configured.	`medium`
ssl-client-verify "<verifier_name>"	Enter the name of a certificate verifier, if any, to use when an HTTP client presents their personal certificate. If you do not select one, the client is not required to present a personal certificate. If the client presents an invalid certificate, the FortiWeb appliance does not allow the connection. To be valid, a client certificate must: Not be expired Not be revoked by either the certificate revocation list (CRL) (see system certificate verify) Be signed by a certificate authority (CA) whose certificate you have imported into the FortiWeb appliance; if the certificate has been signed by a chain of intermediate CAs, those certificates must be included in an intermediate CA group (see intermediate-certificate-group "<CA-group_name>") Contain a `CA` field whose value matches the CA certificate Contain an `Issuer` field whose value matches the `Subject` field in the CA certificate Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website. You can require that clients present a certificate alternatively or in addition to HTTP authentication. For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides The maximum length is 63 characters. To display the list of existing verifiers, type: `edit ?` This option is used only if https-service "<service_name>" is configured. The client must support TLS 1.0, TLS 1.1, or TLS 1.2.	No default.
ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}	Specify one or more cipher suites that FortiWeb allows. Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list. Valid values are: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-CCM8 ECDHE-ECDSA-AES128-CCM DHE-RSA-AES128-CCM8 DHE-RSA-AES128-CCM ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDHE-RSA-CAMELLIA256-SHA384 DHE-RSA-CAMELLIA256-SHA256 DHE-DSS-CAMELLIA256-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDHE-RSA-CAMELLIA128-SHA256 DHE-RSA-CAMELLIA128-SHA256 DHE-DSS-CAMELLIA128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA AES256-GCM-SHA384 AES256-CCM8 AES256-CCM AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES256-SHA256 CAMELLIA256-SHA256 AES128-SHA256 CAMELLIA128-SHA256 AES256-SHA CAMELLIA256-SHA AES128-SHA CAMELLIA128-SHA DHE-RSA-SEED-SHA ECDHE_RSA_DES_CBC3_SHA DES_CBC3_SHA	ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256
tls13-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}	Specify one or more TLS 1.3 cipher suites that FortiWeb allows. Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list. Valid values are: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256	TLS_AES_256_GCM_SHA384
ssl-noreg {enable \| disable}	Specify whether FortiWeb ignores requests from clients to renegotiate TLS or SSL. Protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server. Available only if https-service "<service_name>" is configured.	`enable`
ssl-session-timeout <ssl-session-timeout_int>	When FortiWeb is configured as an SSL server, you can set SSL session timeout intervals via the CLI. This is available only in Reverse Proxy and True Transparent Proxy modes.	No default.
status {enable \| disable}	Enable to allow the policy to be used when evaluating traffic for a matching policy. Note: You can use SNMP traps to notify you of changes to the policy’s status. For details, see system snmp community.	No default.
syncookie {enable \| disable}	Enable to detect TCP `SYN` flood attacks. For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides Available only when the operating mode is Reverse Proxy or True Transparent Proxy.	`disable`
tcp-recv-timeout <seconds_int>	Enter the amount of time (in seconds) that FortiWeb will wait for a client to send a request after the client sets up a TCP connection. The valid range is 0–300. A value of 0 means that there is no timeout.	0
tls-v10 {enable \| disable}	Specifies whether clients can connect securely to FortiWeb using the TLS 1.0 cryptographic protocol. This must be set to `disable` if http2 {enable \| disable} is set to `enable`. Available only if https-service "<service_name>" is configured.	`enable`
tls-v11 {enable \| disable}	Specifies whether clients can connect securely to FortiWeb using the TLS 1.1 cryptographic protocol. This must be set to `disable` if http2 {enable \| disable} is set to `enable`. Available only if https-service "<service_name>" is configured.	`enable`
tls-v12 {enable \| disable}	Specifies whether clients can connect securely to FortiWeb using the TLS 1.2 cryptographic protocol. Available only if https-service "<service_name>" is configured.	`enable`
tls-v13 {enable \| disable}	Specifies whether clients can connect securely to FortiWeb using the TLS 1.3 cryptographic protocol. Available only if https-service "<service_name>" is configured.	`enable`
urlcert {enable \| disable}	Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate. Available only if https-service "<service_name>" is configured.	disable
urlcert-group "<urlcert-group_name>"	Enter the URL-based client certificate group that determines whether a client is required to present a personal certificate. If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate. For details about creating a group, see system certificate urlcert.	No default.
urlcert-hlen <len_int>	Specify the maximum allowed length for an HTTP request with a URL that matches an entry in the URL-based client certificate group, in kilobytes. FortiWeb blocks any matching requests that exceed the specified size. This setting prevents a request from exceeding the maximum buffer size. The valid range is 16–10240.	No default.
vserver "<vserver_name>"	Enter the name of a virtual server that provides the IP address and network interface of incoming traffic that FortiWeb routes and to which the policy applies a protection profile. The maximum length is 63 characters. To display the list of existing virtual servers, enter: `edit ?` Available only if the operating mode is Reverse Proxy.	No default.
v-zone "<bridge_name>"	Enter the name of the bridge that specifies the network interface of the incoming traffic that the policy applies a protection profile to. The maximum length is 15 characters. To display the list of existing bridges, enter: `edit ?` Available only if the operating mode is True Transparent Proxy or Transparent Inspection.	No default.
	Note: If the connection fails when you have selected a certificate verifier, verify that the certificate meets the web browser’s requirements. Web browsers may have their own certificate validation requirements in addition to FortiWeb requirements. For example, personal certificates for client authentication may be required to either: Not be restricted in usage/purpose by the CA, or Contain a `Key Usage` field that contains `Digital Signature` or have a `ExtendedKeyUsage` or `EnhancedKeyUsage` field whose value contains `Client Authentication` If the certificate does not satisfy browser requirements, although it may be installed in the browser, when the FortiWeb appliance requests the client’s certificate, the browser may not display a certificate selection dialog to the user, or the dialog may not contain that certificate. In that case, verification fails. For browser requirements, see your web browser’s documentation.
<entry_index>	Enter the index number of the individual entry in the table.	No default.
content-routing-policy-name "<content-routing_name>"	Enter the name of a HTTP content routing policy that this server policy uses. To display the list of existing error pages, enter: `edit ?`	No default.
is-default {yes \| no}	Enter `yes` to specify that FortiWeb applies the protection profile to any traffic that does not match conditions specified in the HTTP content routing policies.	No default.
profile-inherit {enable \| disable}	Enter `enable` to specify that FortiWeb applies the web protection profile for the server policy to connections that match the routing policy.	`disable`
implicit_ssl {enable \| disable}	Enable so that FortiWeb will communicate with the pool member using implicit SSL.	No default.
ssl-quiet-shutdown {enable \| disable}	For HTTPS connection, when disabled, FortiWeb sends ssl alert message to the client or server pool first, and then FIN. When enabled, FortiWeb directly sends FIN message instead of sending ssl alert message.	`disable`
traffic-mirror {enable \| disable}	Enable to send traffic to third party IPS/IDS devices through network interfaces for traffic monitoring. Available only when protocol {HTTP \| FTP \| ADFSPIP} is `HTTP`.	`disable`
traffic-mirror-profile <traffic-mirror-profile_str>	Select the mirror policy created.	No default.
traffic-mirror-type {client-side \| server-side\| both-side}	Select the traffic mirror type. For True Transparent Proxy mode, only Client Side type is available, which only allows traffic from client side to be sent to IPS/IDS devices. For Reverse Proxy mode, you can select Client Side, Server Side, or Client and Server.	No default.
multi-certificate {enable \| disable}	Enable to allow FortiWeb to use multiple local certificates.	`disable`
adfs-certificate-service <adfs-certificate-service_str>}	Configure this option if the AD FS server requires client certificate for authentication. Select the pre-defined service TLSCLIENTPORT if FortiWeb uses service port 49443 to listen the certification authentication requests.	No default.
adfs-certificate-ssl-client-verify <adfs-certificate-ssl-client-verify_str>}	Select the certificate validation rule you have created.	No default.
certificate-group <certificate-group_str>}	Select the multi-certificate file you have created.	No default.
acceleration-policy <acceleration-policy_str>	Select the acceleration policy you have created.	No default.
web-cache {enable \| disable}	Enable to create a web cache policy to allow FortiWeb to cache responses from your servers.	`disable`
real-ip-addr <real-ip-addr_str>	Specify an IP address or address range to directly connect to the back-end server.	No default.
retry-on {enable \| disable}	Enable to configure whether to retry a failed TCP connection or HTTP request in Reverse Proxy mode. A TCP connection failure retry can help when pserver is unreachable unexpectedly, FortiWeb will reconnect the single server or switch to the other server when more than one pserver is available in the server pool. An HTTP layer retry can help when pserver can be connected but it returns certain failure response codes, such as 404, 408, 500, 501, 502, 503, and 504. FortiWeb will reconnect the single server or switch to the other server when more than one pserver is available in the server pool.	`disable`
retry-on-cache-size <retry-on-cache-size_int>	Enter a cache size limit for the HTTP request packet. HTTP failure retry will take effect once the request packet size is smaller than this defined size. TCP connection failure retry will take effect once the HTTP request packet size in TCP connection is smaller than this defined size.	512
retry-on-connect-failure {enable \| disable}	Enable to configure the retry times in case of any TCP connection failure.	`disable`
retry-times-on-connect-failure <retry-times-on-connect-failure_int>	Enter the retry times when FortiWeb reconnects the single server or switch to the other pserver. The valid range is 1-5.	3
retry-on-http-layer {enable \| disable}	Enable to configure the retry times and failure response code in case of any HTTP connection failure. Only GET and HEAD methods are supported now.	`enable`
retry-times-on-http-layer <retry-times-on-http-layer_int>	Enter the retry times when FortiWeb reconnects the single server or switch to the other pserver. The valid range is 1-5.	3
retry-on-http-response-codes {404 \| 408 \| 500 \| 501 \| 502 \| 503 \| 504}	Select the failure return code when pserver can be connected to determine enabling HTTP failure retry.	All values

Example

This example configures a web protection server policy. FortiWeb forwards HTTPS connections received by the virtual server named virtual_ip1 to a server pool named apache1, which contains a single physical server. FortiWeb uses the certificate named certificate1 during SSL negotiations with the client, then forwards traffic to the server pool.

config server-policy policy

edit "https-policy"

set deployment-mode server-pool

set vserver "virtual_ip1"

set server-pool "apache1"

set web-protection-profile "inline-protection1"

set https-service HTTPS

set certificate "certificate1"

set ssl-client-verify

set case-sensitive disable

set status enable

end