CLI Reference

What’s new

The tables below list commands newly added for FortiWeb 6.3.3.

Command Change

waf syntax-based-attack-detection

config waf syntax-based-attack-detection

edit "<policy_name>"

set sql-arithmetic-operation-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

config exception-element-list

edit "<list-id>"

set match-target {HOST | URI | FULL-URL | PARAMETER | COOKIE}

set operator {STRING_MATCH | REGEXP_MATCH}

set value-name <name_str>

set value-check {enable | disable}

set value <value_str>

set concatenate-type {AND | OR}

set attack-type {arithmetic_operation_based_boolean_injection | condition_based_boolean_injection | embeded_queries_sql_injection | html_attr_based_xss_injection | html_css_based_xss_injection | html_tag_based_xss_injection | js_func_based_xss_injection | js_var_based_xss_injection | line_comments | invalid | sql_function_based_boolean_injection | stacked_queries_sql_injection}

next

end

next

end

Configure these commands to detect SQL/XSS injection attacks.

waf known-bots

config waf known-bots

edit "known-bots_rule_name"

set crawler-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

config malicious-bot-disable-list

edit "<malicious-bot-disable-list_name>"

next

end

config known-good-bots-disable-list

edit "<known-good-bots-disable-list_name>"

next

end

next

end

Use these commands to configure known bots prevention.

server-policy pattern threat-weight

config server-policy pattern threat-weight

set allow-method-level {low | critical | informational | moderate | substantial | severe}

set allow-method-op {enable | disable}

...

set json-element-lengthexceeded-level {low | critical | informational | moderate | substantial | severe}

set json-element-lengthexceeded-op {enable | disable}

set known-bots-level {low | critical | informational | moderate | substantial | severe}

end

Use this command to configure the global threat weight of security violations.

system feature-visibility

config system feature-visibility

set support-ajax-requests {enable | disable}

end

Adds a switch to turn AJAX request support on or off.

system replacemsg

config system replacemsg

edit replacemsg name <name_str>

set ajax-block-support {enable | disable}

config page-list

edit page-list name <name_str>

set code <code_int>

set group {alert | site-publish | captcha | ajax-block}

set msg <msg_str>

next

end

next

end

Enable AJAX request support to respond to an AJAX request, and configure the AJAX block page message.

server-policy policy

set internal-cookie-samesite {enable | disable}

set internal-cookie-samesite-value {strict | lax | none}

Enable to assign a SameSite flag to internal cookies.

server-policy pattern custom-global-white-list-group

config server-policy pattern custom-global-white-list-group

edit <entry_index>

set status {enable | disable}

set domain-type {plain | regular}

set name-type {plain | regular}

set request-file-status {enable | disable}

set domain-status {enable | disable}

next

end

Add the URL and domain filters for parameter type.

waf web-protection-profile offline-protection

config waf web-protection-profile offline-protection

edit "<offline-protection-profile_name>"

set syntax-based-attack-detection <detection_name>

next

end

Add the syntax-based-attack-detection policy configuration.

waf web-protection-profile inline-protection

config waf web-protection-profile inline-protection

edit "<inline-protection-profile_name>"

set syntax-based-attack-detection <detection_name>

next

end

Add the syntax-based-attack-detection policy configuration.

waf custom-access policy

config waf custom-access policy

edit "<custom-policy_name>"

config rule

edit <entry_index>

set rule-name "<custom-rule_name>"

set threat-weight {low | critical | informational | moderate | substantial | severe}

next

end

next

end

Set the weight for the threat per the custom policy.

waf bot-mitigation-policy

config waf custom-access policy

edit "<custom-policy_name>"

config rule

edit <entry_index>

set rule-name "<custom-rule_name>"

set threat-weight {low | critical | informational | moderate | substantial | severe}

next

end

next

end

Set the weight for the threat per the custom policy.

waf http-protocol-parameter-restriction

set <parameter_name>-threat-weight {low | critical | informational | moderate | substantial | severe}

Change the threat weight levels.

waf signature

set scoring-grade {low | critical | informational | moderate | substantial | severe}

Change the scoring grade.

log attack-log

set packet-log {account-lockout-detection | anti-virus-detection | cookie-security | credential-db-detection | csrf-detection | custom-access | custom-protection-rule | fsa-detection | hidden-fields-failed | http-protocol-constraints | illegal-file-type | illegal-filesize | cors-protection | json-protection | ip-intelligence | padding-oracle | parameter-rule-failed | signature-detection | trojan-detection | user-tracking-detection | xml-protection | machine-learning | openapi-validation | websocket-security | mobile-api-protection | malicious-bots | known-good-bots | syntax-based-detection}

Add three packet log types.

waf machine-learning-policy

config waf machine-learning-policy

edit <machine-learning-policy_id>

set start-min-count <start-min-count_int>

set switch-min-count <switch-min-count_int>

set switch-percent <switch-percent_int>

set denoise-percent <denoise-percent_int>

set denoise-threshold <denoise-threshold_int>

set renovate-short-time <renovate-short-time_int>

set renovate-long-time <renovate-long-time_int>

set pattern-expire-days <pattern-expire-days_int>

set svm-type {standard | extended}

next

end

next

end

new commands

system ha

config system ha

set encryption {enable | disable}

end

new command

waf ip-list

config waf ip-list

edit What’s new

config members

edit What’s new

set What’s new

next

end

next

end

new command

system fabric-connectors

config system fabric-connectors

set server-region-type {commercial | government}

set server-region <region-id>

end

new command
