Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 6.3.23 CLI Reference
    6.3.23
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    waf ip-list

    waf ip-list

    Use this command to define which source IP addresses are trusted clients, undetermined, or distrusted.

    • Trusted IPs—Almost always allowed to access to your protected web servers. Trusted IPs are exempt from many (but not all) of the restrictions that would otherwise be applied by a server policy. To determine skipped scans, see debug flow trace.
    • Neither—If a source IP address is neither explicitly blacklisted or trusted by an IP list policy, the client can access your web servers, unless it is blocked by any of your other configured, subsequent web protection scan techniques. For details, see debug flow trace.
    • Blacklisted IPs—Blocked and prevented from accessing your protected web servers. Requests from blacklisted IP addresses receive a warning message in response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blacklisted IPs.
    Because FortiWeb evaluates trusted and blacklisted IP policies before many other techniques, defining these IP addresses can improve performance.

    Alternatively, you can block sets of many clients based upon their reputation (see waf ip-intelligence) or geographical origin (see waf geo-block-list).

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf ip-list

    edit "<ip-list_name>"

    set severity {Low | Medium | High | Info}

    set action { alert_deny | block-period | deny_no_log}

    set block-period <block_period_int>

    set ignore-x-forwarded-for {enable | disable}

    set trigger-policy "<trigger-policy_name>"

    config members

    edit waf ip-list

    set ip "<client_ip>"

    set type {trust-ip | black-ip | allow-only-ip }

    next

    end

    next

    end

    Variable Description Default

    "<ip-list_name>"

    Enter the name of a new or existing rule. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    edit ?

    		No default.

    action { alert_deny | block-period | deny_no_log}

    Select which action FortiWeb will take when it detects a violation of the rule:

    • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.

    • deny_no_log—Block the request (or reset the connection).

    • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period.

    Note: This setting will be ignored if monitor-mode {enable | disable} is enabled in a server policy.

    alert_deny

    block-period <block_period_int>

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the rule. The valid range is 1–3,600 seconds.

    This setting is available only if Action is set to block-period.

    600

    severity {Low | Medium | High | Info}

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when a blacklisted IP address attempts to connect to your web servers:

    • Low
    • Medium
    • High
    • info
    		low

    trigger-policy "<trigger-policy_name>"

    Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers. The maximum length is 63 characters. For details, see log trigger-policy.

    To display the list of existing trigger policies, enter:

    set trigger ?

    		No default.

    ignore-x-forwarded-for {enable | disable}

    By default, FortiWeb scans the IP addresses in the X-Forwarded-For header at the HTTP layer. This causes high resource consumption. To enhance the performance, you can enable Ignore X-Forwarded-For so that the IP addresses can be scanned at the TCP layer instead. This avoids HTTP packets being processed unnecessarily.

    disable

    <entry_index>

    		 Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    ip "<client_ip>"

    Enter one of the following values:

    • A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 172.16.1.20).
    • A range or addresses (for example, 172.22.14.1-172.22.14.256 or 10:200::10:1-10:200:10:100).
    		 No default.

    type {trust-ip | black-ip | allow-only-ip }

    Select either:

    • black-ip—The source IP address that is distrusted, and is permanently blocked (blacklisted) from accessing your web servers, even if it would normally pass all other scans.
      Note: If multiple clients share the same source IP address, such as when a group of clients is behind a firewall or router performing network address translation (NAT), blacklisting the source IP address could block innocent clients that share the same source IP address with an offending client.
    • trust-ip—The source IP address is trusted and allowed to access your web servers, unless it fails a previous scan. For details, see Sequence of scans.

    By default, if the IP address of a request is neither in the Block IP nor Trust IP list, FortiWeb will pass this request to other scans to decide whether it is allowed to access your web servers. However, you can define the allow-only-ip IP addresses so that such requests can be screened against the Allow Only IPs before they are passed to other scans.

    • allow-only-ip—If the source IP address is a allow-only-ip, it will be passed to other scans to decide whether it's allowed to access your web servers. If not, FortiWeb will take actions according to the trigger policy.
      If the Allow Only range is empty, then the source IP addresses which are not in the Block IP and Trust IP list will be passed directly to other scans.

    Requests that are blocked according to the IP Lists will receive a warning message as the HTTP response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blocked IPs.

    		trust-ip

    Example

    The following shows the configuration for a trusted host of 192.0.2.0 followed by a blacklisted client of 192.0.2.1.

    config waf ip-list

    edit "IP-List-Policy1"

    config members

    edit 1

    set ip "192.0.2.0"

    next

    edit 2

    set type black-ip

    set ip "192.0.2.1"

    set severity Medium

    set trigger-policy "TriggerActionPolicy1"

    next

    end

    next

    end

    Related topics

    Previous
    Next

    waf ip-list

    waf ip-list

    Use this command to define which source IP addresses are trusted clients, undetermined, or distrusted.

    • Trusted IPs—Almost always allowed to access to your protected web servers. Trusted IPs are exempt from many (but not all) of the restrictions that would otherwise be applied by a server policy. To determine skipped scans, see debug flow trace.
    • Neither—If a source IP address is neither explicitly blacklisted or trusted by an IP list policy, the client can access your web servers, unless it is blocked by any of your other configured, subsequent web protection scan techniques. For details, see debug flow trace.
    • Blacklisted IPs—Blocked and prevented from accessing your protected web servers. Requests from blacklisted IP addresses receive a warning message in response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blacklisted IPs.
    Because FortiWeb evaluates trusted and blacklisted IP policies before many other techniques, defining these IP addresses can improve performance.

    Alternatively, you can block sets of many clients based upon their reputation (see waf ip-intelligence) or geographical origin (see waf geo-block-list).

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf ip-list

    edit "<ip-list_name>"

    set severity {Low | Medium | High | Info}

    set action { alert_deny | block-period | deny_no_log}

    set block-period <block_period_int>

    set ignore-x-forwarded-for {enable | disable}

    set trigger-policy "<trigger-policy_name>"

    config members

    edit waf ip-list

    set ip "<client_ip>"

    set type {trust-ip | black-ip | allow-only-ip }

    next

    end

    next

    end

    Variable Description Default

    "<ip-list_name>"

    Enter the name of a new or existing rule. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    edit ?

    		No default.

    action { alert_deny | block-period | deny_no_log}

    Select which action FortiWeb will take when it detects a violation of the rule:

    • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.

    • deny_no_log—Block the request (or reset the connection).

    • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period.

    Note: This setting will be ignored if monitor-mode {enable | disable} is enabled in a server policy.

    alert_deny

    block-period <block_period_int>

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the rule. The valid range is 1–3,600 seconds.

    This setting is available only if Action is set to block-period.

    600

    severity {Low | Medium | High | Info}

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when a blacklisted IP address attempts to connect to your web servers:

    • Low
    • Medium
    • High
    • info
    		low

    trigger-policy "<trigger-policy_name>"

    Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers. The maximum length is 63 characters. For details, see log trigger-policy.

    To display the list of existing trigger policies, enter:

    set trigger ?

    		No default.

    ignore-x-forwarded-for {enable | disable}

    By default, FortiWeb scans the IP addresses in the X-Forwarded-For header at the HTTP layer. This causes high resource consumption. To enhance the performance, you can enable Ignore X-Forwarded-For so that the IP addresses can be scanned at the TCP layer instead. This avoids HTTP packets being processed unnecessarily.

    disable

    <entry_index>

    		 Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    ip "<client_ip>"

    Enter one of the following values:

    • A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 172.16.1.20).
    • A range or addresses (for example, 172.22.14.1-172.22.14.256 or 10:200::10:1-10:200:10:100).
    		 No default.

    type {trust-ip | black-ip | allow-only-ip }

    Select either:

    • black-ip—The source IP address that is distrusted, and is permanently blocked (blacklisted) from accessing your web servers, even if it would normally pass all other scans.
      Note: If multiple clients share the same source IP address, such as when a group of clients is behind a firewall or router performing network address translation (NAT), blacklisting the source IP address could block innocent clients that share the same source IP address with an offending client.
    • trust-ip—The source IP address is trusted and allowed to access your web servers, unless it fails a previous scan. For details, see Sequence of scans.

    By default, if the IP address of a request is neither in the Block IP nor Trust IP list, FortiWeb will pass this request to other scans to decide whether it is allowed to access your web servers. However, you can define the allow-only-ip IP addresses so that such requests can be screened against the Allow Only IPs before they are passed to other scans.

    • allow-only-ip—If the source IP address is a allow-only-ip, it will be passed to other scans to decide whether it's allowed to access your web servers. If not, FortiWeb will take actions according to the trigger policy.
      If the Allow Only range is empty, then the source IP addresses which are not in the Block IP and Trust IP list will be passed directly to other scans.

    Requests that are blocked according to the IP Lists will receive a warning message as the HTTP response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blocked IPs.

    		trust-ip

    Example

    The following shows the configuration for a trusted host of 192.0.2.0 followed by a blacklisted client of 192.0.2.1.

    config waf ip-list

    edit "IP-List-Policy1"

    config members

    edit 1

    set ip "192.0.2.0"

    next

    edit 2

    set type black-ip

    set ip "192.0.2.1"

    set severity Medium

    set trigger-policy "TriggerActionPolicy1"

    next

    end

    next

    end

    Related topics

    Previous
    Next