Fortinet white logo
Fortinet white logo

CLI Reference

server-policy policy

server-policy policy

Use this command to configure HTTP, FTP, and AD FS server policies.

FortiWeb applies only one server policy to each connection.

HTTP policy behavior varies by the operation mode. FTP and AD FS server policies are available only in Reverse Proxy mode. For details, see FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

When you switch the operation mode, FortiWeb deletes server policies from the configuration file if they are not applicable in the current operation mode.

To determine which type of server policy to create, configure protocol {HTTP | FTP | ADFSPIP}.

Before you configure an HTTP server policy, you can configure several policies and profiles:

You can also use SNMP traps to notify you of policy status changes, or when a policy enforces your network usage policy. For details, see system snmp community.

Before you configure an FTP server policy, you need to:

Before you configure an AD FS server policy, you need to:

To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

config server-policy policy

edit "<policy_name>"

set allow-hosts "<hosts_name>"

set block-port <port_int>

set case-sensitive {enable | disable}

set certificate "<certificate_name>"

set chunk-decode-enabled {enable | disable}

set client-certificate-forwarding {enable | disable}

set server-policy policy

set client-certificate-forwarding-sub-header "<header_str>"

set client-real-ip {enable | disable}

set real-ip-addr <real-ip-addr_str>

set client-timeout <seconds_int>

set comment "<comment_str>"

set data-capture-port <port_int>

set deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers}

set ftp-protection-profile <profile_name>

set half-open-threshold <packets_int>

set hpkp-header "<hpkp_name>"

set hsts-header {enable | disable}

set hsts-max-age <timeout_int>

set http2 {enable | disable}

set http-header-timeout <seconds_int>

set http-pipeline {enable | disable}

set http-to-https {enable | disable}

set https-service "<service_name>"

set implicit_ssl {enable | disable}

set intermediate-certificate-group "<CA-group_name>"

set internal-cookie-httponly {enable | disable}

set internal-cookie-secure {enable | disable}

set internal-cookie-samesite {enable | disable}

set internal-cookie-samesite-value {strict | lax | none}

set monitor-mode {enable | disable}

set noparse {enable | disable}

set prefer-current-session {enable |disable}

set protocol {HTTP | FTP | ADFSPIP}

set server-pool "<server-pool_name>"

set service "<service_name>"

set proxy-protocol {enable | disable}

set use-proxy-protocol-addr {enable | disable}

set replacemsg <replacemsg_name>

set sessioncookie-enforce {enable | disable}

set sni {enable | disable}

set sni-certificate "<sni_name>"

set sni-strict {enable | disable}

set certificate-type {enable | disable}

set lets-certificate <name>

set ssl {enable | disable}

set ssl-cipher {medium | high | custom}

set ssl-client-verify "<verifier_name>"

set ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}

set tls13-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}

set ssl-noreg {enable | disable}

set ssl-quiet-shutdown {enable | disable}

set ssl-session-timeout <ssl-session-timeout_int>

set status {enable | disable}

set syncookie {enable | disable}

set tcp-recv-timeout <seconds_int>

set tls-v10 {enable | disable}

set tls-v11 {enable | disable}

set tls-v12 {enable | disable}

set tls-v13 {enable | disable}

set urlcert {enable | disable}

set urlcert-group "<urlcert-group_name>"

set urlcert-hlen <len_int>

set vserver "<vserver_name>"

set v-zone "<bridge_name>"

set server-policy policy

set traffic-mirror {enable | disable}

set traffic-mirror-type {client-side | server-side| both-side}

set traffic-mirror-profile <traffic-mirror-profile_str>

set adfs-certificate-ssl-client-verify <adfs-certificate-ssl-client-verify_str>}

set adfs-certificate-service <adfs-certificate-service_str>}

set multi-certificate {enable | disable}

set certificate-group <certificate-group_str>}

set acceleration-policy <acceleration-policy_str>

set web-cache {enable | disable}

set retry-on {enable | disable}

set retry-on-cache-size <retry-on-cache-size_int>

set retry-on-connect-failure {enable | disable}

set retry-times-on-connect-failure <retry-times-on-connect-failure_int>

set retry-on-http-layer {enable | disable}

set retry-times-on-http-layer <retry-times-on-http-layer_int>

set retry-on-http-response-codes {404 | 408 | 500 | 501 | 502 | 503 | 504}

set replacemsg-on-connect-failure {disable | enable}

set tcp-conn-timeout <integer>

config http-content-routing-list

edit <entry_index>

set content-routing-policy-name "<content-routing_name>"

set is-default {yes | no}

set profile-inherit {enable | disable}

set server-policy policy

next

end

next

end

Variable Description Default

"<policy_name>"

Enter the name of the policy. The maximum length is 63 characters.

To display the list of existing policies, enter:

edit ?

No default.

allow-hosts "<hosts_name>"

Enter the name of a protected hosts group to allow or reject connections based upon whether the Host: field in the HTTP header is empty or does or does not match the protected hosts group. The maximum length is 63 characters.

To display the list of existing groups, enter:

edit ?

If you do not select a protected hosts group, FortiWeb accepts pr blocks requests based upon other criteria in the policy or protection profile, but regardless of the Host: field in the HTTP header.

Note: Unlike HTTP 1.1, HTTP 1.0 does not require the Host: field. The FortiWeb appliance does not block HTTP 1.0 requests because they do not have this field, regardless of whether or not you have selected a protected hosts group.

No default.

block-port <port_int>

Enter the number of the physical network interface port that FortiWeb uses to send TCP RST (reset) packets when a request violates the policy. The valid range varies by the number of physical ports on the NIC.

For example, to send TCP RST from port1, enter:

set block-port port1

Available only when the operating mode is Offline Protection.

No default.

case-sensitive {enable | disable}

Enable to differentiate uniform resource locators (URLs) according to upper case and lower case letters for features that act upon the URLs in the headers of HTTP requests, such as block list rules, and allow list rules.

For example, when enabled, an HTTP request involving http://www.Example.com/ would not match protection profile features that specify http://www.example.com (difference highlighted in bold).

No default.

certificate "<certificate_name>"

Enter the name of the certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections. The maximum length is 63 characters.

To display the list of existing certificates, enter:

edit ?

If sni {enable | disable} is enable, FortiWeb uses a Server Name Indication (SNI) configuration instead of or in addition to this server certificate. For details, see sni {enable | disable}.

This option is used only if https-service "<service_name>" is configured.

No default.

chunk-decode-enabled {enable | disable}

Enable or disable chunk decoding in the response packets.

enable

client-certificate-forwarding {enable | disable}

Enable to include the X.509 personal certificate presented by the client during the SSL/TLS handshake, if any, in an X-Client-Cert: HTTP header when forwarding the traffic to the protected web server.

FortiWeb still validates the client certificate itself, but this can be useful if the web server requires the client certificate for the purpose of server-side identity-based functionality.

disable

client-certificate-forwarding-cert-header "<header_str>"

Enter a custom certificate header that will include the Base64 certificate of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server.

x-client-cert

client-certificate-forwarding-sub-header "<header_str>"

Enter a custom subject header that will include the subject of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server.

x-client-dn

client-real-ip {enable | disable}

Enter enable to configure FortiWeb to use the source IP address of the client that originated the request when it connects to a back-end server on behalf of that client.

By default, when the operation mode is Reverse Proxy, the source IP for connections between FortiWeb and back-end servers is the address of a FortiWeb network interface.

Note: To ensure FortiWeb receives the server's response, configure FortiWeb as the server’s gateway.

Available only if the operating mode is Reverse Proxy.

disable

real-ip-addr <real-ip-addr_str>

Specify an IP address or address range to directly connect to the back-end server.

No default.

client-timeout <seconds_int>

Enter the amount of time (in seconds) that FortiWeb will keep open a connection with an idle client that isn't sending data. The valid range is 1–1200. A value of 0 means that there is no timeout.

0

comment "<comment_str>"

Enter a description or other comment. If the comment is more than one word or contains special characters, surround the comment with double quotes ( " ). The maximum length is 999 characters. No default.

data-capture-port <port_int>

Enter the network interface of incoming traffic that the policy attempts to apply a profile to. The IP address is ignored.

Available only if the operating mode is offline inspection.

deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers}

Specify the distribution method that FortiWeb uses when it forwards connections accepted by this policy.

  • server-pool—Forwards connections to a server pool. Depending on the pool configuration, FortiWeb either forwards connections to a single physical server or domain server or distributes the connection among the pool members. Also configure server-pool "<server-pool_name>". This option is available only if the operating mode is Reverse Proxy mode.
  • http-content-routing—Use HTTP content routing to route HTTP requests to a specific server pool. This option is available only if the FortiWeb appliance is operating in Reverse Proxy mode.
  • offline-detection — Allows connections to pass through the FortiWeb appliance and applies an Offline Protection profile. Also configure server-pool "<server-pool_name>". This is the only option available if operating mode is Offline Protection.
  • transparent-servers—Allows connections to pass through the FortiWeb appliance and applies a protection profile. Also configure server-pool "<server-pool_name>". This is the only option available when the operating mode is either True Transparent Proxy or Transparent Inspection.
  • wccp-servers—FortiWeb is a Web Cache Communication Protocol (WCCP) client that receives traffic from a FortiGate configured as a WCCP server. Also configure server-pool "<server-pool_name>". This is the only option available when the operation mode is WCCP.
No default.

ftp-protection-profile <profile_name>

Enter the FTP security profile to apply to connections that this policy monitors. If you haven't created a profile yet, see waf ftp-protection-profile or instructions about creating one.

No default.

half-open-threshold <packets_int>

Enter the maximum number of TCP SYN packets, including retransmission, that FortiWeb allows to be sent per second to a destination address. If this threshold is exceeded, the FortiWeb appliance treats the traffic as a DoS attack and ignores additional traffic from that source address.

The valid range is 10–10,000.

Available only when the operating mode is Reverse Proxy or True Transparent Proxy and syncookie {enable | disable} is enabled.

8192

hpkp-header "<hpkp_name>"

Select an HPKP profile, if any, to use to verify certificates when clients attempt to access a server.

HPKP prevents attackers from carrying out Man in the Middle (MITM) attacks with forged certificates.

Available only when the operating mode is Reverse Proxy.

No default.

hsts-header {enable | disable}

Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply, such as:

Strict-Transport-Security: max-age=31536000;

This header forces the client to use HTTPS for subsequent visits to this domain. If the certificate does not validate, it also causes a fatal connection error: the client’s web browser does not display any dialog that allows the user to override the certificate mismatch error and continue.

Available only if https-service "<service_name>" is configured.

disable

hsts-max-age <timeout_int>

Enter the time to live in seconds for the HSTS header.

Available only if hsts-header {enable | disable} is enabled.

The valid range is 3,600–31,536,000.

7776000

http2 {enable | disable}

FortiWeb's HTTP/2 security inspection is only supported for Revers Proxy mode and True Transparent Proxy mode. This option enables FortiWeb operating in Reverse Proxy mode (see opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}) to negotiate HTTP/2 with clients via SSL ALPN (Application-Layer Protocol Negotiation) during the SSL handshake if the client's browser supports HTTP/2 protocol. With the HTTP/2 being enabled, FortiWebcan recognize HTTP/2 traffic and apply the security services to it. To enable HTTP/2 communication between the FortiWeb and back-end web servers for HTTP/2 inspections in Reverse Proxy mode, see http2 {enable | disable}.

Available only when opmode is set to reverse-proxy, deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} is set to server-pool and https-service "<service_name>" is set correctly. FortiWeb supports HTTP/2 only for HTTPS connections and HTTP Content Routing is not supported for HTTP/2.

When opmode is set to transparent and deployment-mode is set to transparent-servers, this is not available. It only requires http2 {enable | disable} to enable the HTTP/2 security inspections in True Transparent Proxy mode; this option here is not required. For more details about HTTP/2 support, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

disable

http-header-timeout <seconds_int>

Enter the amount of time (in seconds) that FortiWeb will wait for the whole HTTP request header after a client sets up a TCP connection. The valid range is 0–1200. A value of 0 means that there is no timeout.

0

http-pipeline {enable | disable}

Specify whether FortiWeb accelerates transactions by bundling them inside the same TCP connection, instead of waiting for a response before sending/receiving the next request. This can increase performance when pages containing many images, scripts, and other auxiliary files are all hosted on the same domain, and therefore logically could use the same connection.

When FortiWeb is operating in Reverse Proxy or True Transparent Proxy mode, it can automatically use HTTP pipelining for requests with the following characteristics:

  • HTTP version is 1.1
  • The Connection general-header field does not include the "close" option (for example, Connection: close)
  • The HTTP method is GET or HEAD
enable

http-to-https {enable | disable}

Specify enable to automatically redirect all HTTP requests to the HTTPS service with the same URL and parameters.

Also configure https-service and ensure service uses port 443 (the default).

FortiWeb does not apply the protection profile for this policy (specified by server-policy policy) to the redirected traffic.

Available only when the operation mode is Reverse Proxy.

disable

https-service "<service_name>"

Enter the custom or predefined service that defines the port number on which the virtual server receives HTTPS traffic. The maximum length is 63 characters.

To display the list of existing services, enter:

edit ?

Available only when the operating mode is Reverse Proxy. For other operation modes, use the server pool configuration to enable SSL inspection instead.

No default.

proxy-protocol {enable | disable}

Enable this option when proxy servers or load balancers are installed before FortiWeb, for example, when a load balancer with proxy protocol enabled is deployed before FortiWeb-VM on AWS.

When Proxy Protocol is enabled, FortiWeb can receive client connection

information in the proxy protocol package passed through proxy servers and load balancers.

disable

use-proxy-protocol-addr {enable | disable}

Enable to use the source address of the proxy protocol in server policy.

If disabled, the source address of the connection will be used.

enable

replacemsg <replacemsg_name>

Select the replacement message to apply to the policy.

No default.

intermediate-certificate-group "<CA-group_name>"

Enter the name of an intermediate certificate authority (CA) group, if any, that FortiWeb uses to validate the CA signing chain in a client’s certificate. The maximum length is 63 characters.

To display the list of existing groups, enter:

edit ?

Available only if https-service "<service_name>" is configured.

No default.

internal-cookie-httponly {enable | disable}

Enable to assign an httponly flag to internal cookies. This feature is independent of the Cookie Security policy, if any, that you have in use.

enable

internal-cookie-secure {enable | disable}

Enable to assign a secure flag to internal cookies. This flag can only be assigned if the connection is over SSL. This feature is independent of the Cookie Security policy, if any, that you have in use.

disable

internal-cookie-samesite {enable | disable}

Enable to assign a SameSite flag to internal cookies. This feature is independent of the Cookie Security policy, if any, that you have in use.

If enabled, it applies to User Tracking, Anomaly Detection, Site Publish, and Client Management.

disable

internal-cookie-samesite-value {strict | lax | none}

  • strict: any request from the third parties will not carry such cookies;
  • lax: any request from the third parties will not carry such cookies except for GET requests that navigate to the destination URL.
  • none: set the value as none if a cookie is required to be sent by cross origin.

lax

monitor-mode {enable | disable}

Enable to override deny and redirect actions defined in the server protection rules for the selected policy. This setting enables FortiWeb to log attacks without performing the deny or redirect action.

Disable to allow FortiWeb to perform attack deny/redirect actions as defined by the server protection rules.

disable

noparse {enable | disable}

Enable this option to apply the server policy as a pure proxy, without parsing the content. In this case, the policy allows all traffic to pass through the FortiWeb appliance without applying any protection rules. See also "debug application http" on page 1 and debug flow trace.

This option applies to server policy only when the FortiWeb appliance operates in Reverse Proxy or True Transparent Proxy mode.

Caution: Use this only during debugging and for as brief a period as possible. This feature disables many protection features. See also http-parse-error-output {enable | disable}.

disable

prefer-current-session {enable |disable}

Enable to forward subsequent requests from an identified client connection to the same server pool as the initial connection from the client.

This option allows FortiWeb to improve its performance by skipping the process of matching HTTP header content to content routing policies for connections it has already evaluated and routed.

Available only when deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} is http-content-routing.

disable

protocol {HTTP | FTP | ADFSPIP}

Select one of the following:

  • HTTP—Specifies that the server policy governs HTTP traffic. Specific options for configuring an HTTP server policy become available.
  • FTP—Specifies that the server policy governs FTP traffic. Specific options for configuring an FTP server policy become available.
  • ADFSPIP—Specifies that the server policy governs AD FS traffic. Specific options for configuring an AD FS server policy become available.

HTTP

server-pool "<server-pool_name>"

Enter the name of the server pool whose members receive the connections.

To display the list of existing servers, enter:

edit ?

This field is applicable only if deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} is server-pool, offline-protection or transparent-servers.

Caution: Multiple virtual servers/policies can forward traffic to the same server pool. If you do this, consider the total maximum load of connections that all virtual servers forward to your server pool. This configuration can multiply traffic forwarded to your server pool, which can overload it and cause dropped connections.

No default.

service "<service_name>"

Enter the custom or predefined service that defines the port number on which the virtual server receives HTTP traffic. The maximum length is 63 characters.

To display the list of existing services, enter:

edit ?

Available only when the operating mode is Reverse Proxy.

No default.

sessioncookie-enforce {enable | disable}

  • enable—When FortiWeb maintains session persistence using cookies, it inserts a cookie in subsequent transactions in a session if the transaction does not contain a control cookie.

This option is useful if your environment uses TCP multiplexing, which combines HTTP requests from multiple clients in a single session for load balancing or other purposes.

  • disable—When FortiWeb maintains session persistence using cookies, it tracks or inserts the cookie for the first transaction of a session only. It does not track or insert a cookie in subsequent transactions in the session, even if the transaction does not contain a control cookie.

For details about configuring session persistence, see server-policy persistence-policy.

disable

sni {enable | disable}

Enable to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by certificate <certificate_name>.

The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. For details, see system certificate sni.

If you specify both a SNI configuration and a certificate, FortiWeb uses the certificate specified by certificate "<certificate_name>" when the requested domain does not match a value in the SNI configuration.

If you enable sni-strict {enable | disable}, FortiWeb always ignores the value of certificate "<certificate_name>".

Available only if https-service "<service_name>" is configured.

disable

sni-certificate "<sni_name>"

Enter the name of the Server Name Indication (SNI) configuration that specifies which certificate FortiWeb uses when encrypting or decrypting SSL-secured connections for a specified domain.

The SNI configuration enables FortiWeb to present different certificates on behalf of the members of a pool according to the requested domain.

If only one certificate is required to encrypt and decrypt traffic that this policy applies to, specify certificate "<certificate_name>" instead.

Available only if https-service "<service_name>" is configured.

No default.

sni-strict {enable | disable}

Select to configure FortiWeb to ignore the value of certificate "<certificate_name>" when it determines which certificate to present on behalf of server pool members, even if the domain in a client request does not match a value in the specified SNI configuration. disable

certificate-type {enable | disable}

Enable allow FortiWeb to automatically retrieve CA certificates from Let's Encrypt.

disable

lets-certificate <name>

Select the Letsencrypt certificate you have created. See system certificate letsencrypt.

No default.

ssl {enable | disable}

Enable so that connections between clients and FortiWeb use SSL/TLS. Enabling ssl will allow you to configure additional SSL options and settings, including specifying supported SSL protocols and uploading certificates.

disable

ssl-cipher {medium | high | custom}

Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or custom configuration.

If custom, also specify ssl-custom-cipher.

This is not allowed to set to custom if http2 is set to enable.

For details, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

Available only if https-service "<service_name>" is configured.

medium

ssl-client-verify "<verifier_name>"

Enter the name of a certificate verifier, if any, to use when an HTTP client presents their personal certificate. If you do not select one, the client is not required to present a personal certificate.

If the client presents an invalid certificate, the FortiWeb appliance does not allow the connection.

To be valid, a client certificate must:

  • Not be expired
  • Not be revoked by either the certificate revocation list (CRL) (see system certificate verify)
  • Be signed by a certificate authority (CA) whose certificate you have imported into the FortiWeb appliance; if the certificate has been signed by a chain of intermediate CAs, those certificates must be included in an intermediate CA group (see intermediate-certificate-group "<CA-group_name>")
  • Contain a CA field whose value matches the CA certificate
  • Contain an Issuer field whose value matches the Subject field in the CA certificate

Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website.

You can require that clients present a certificate alternatively or in addition to HTTP authentication. For details, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

The maximum length is 63 characters.

To display the list of existing verifiers, type:

edit ?

This option is used only if https-service "<service_name>" is configured.

The client must support TLS 1.0, TLS 1.1, or TLS 1.2.

No default.

ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}

Specify one or more cipher suites that FortiWeb allows.

Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list.

Valid values are:

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-GCM-SHA384

DHE-DSS-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

ECDHE-ECDSA-CHACHA20-POLY1305

ECDHE-RSA-CHACHA20-POLY1305

DHE-RSA-CHACHA20-POLY1305

ECDHE-ECDSA-AES256-CCM8

ECDHE-ECDSA-AES256-CCM

DHE-RSA-AES256-CCM8

DHE-RSA-AES256-CCM

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-GCM-SHA256

DHE-DSS-AES128-GCM-SHA256

DHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES128-CCM8

ECDHE-ECDSA-AES128-CCM

DHE-RSA-AES128-CCM8

DHE-RSA-AES128-CCM

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES256-SHA384

DHE-RSA-AES256-SHA256

DHE-DSS-AES256-SHA256

ECDHE-ECDSA-CAMELLIA256-SHA384

ECDHE-RSA-CAMELLIA256-SHA384

DHE-RSA-CAMELLIA256-SHA256

DHE-DSS-CAMELLIA256-SHA256

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES128-SHA256

DHE-RSA-AES128-SHA256

DHE-DSS-AES128-SHA256

ECDHE-ECDSA-CAMELLIA128-SHA256

ECDHE-RSA-CAMELLIA128-SHA256

DHE-RSA-CAMELLIA128-SHA256

DHE-DSS-CAMELLIA128-SHA256

ECDHE-ECDSA-AES256-SHA

ECDHE-RSA-AES256-SHA

DHE-RSA-AES256-SHA

DHE-DSS-AES256-SHA

DHE-RSA-CAMELLIA256-SHA

DHE-DSS-CAMELLIA256-SHA

ECDHE-ECDSA-AES128-SHA

ECDHE-RSA-AES128-SHA

DHE-RSA-AES128-SHA

DHE-DSS-AES128-SHA

DHE-RSA-CAMELLIA128-SHA

DHE-DSS-CAMELLIA128-SHA

AES256-GCM-SHA384

AES256-CCM8

AES256-CCM

AES128-GCM-SHA256

AES128-CCM8

AES128-CCM

AES256-SHA256

CAMELLIA256-SHA256

AES128-SHA256

CAMELLIA128-SHA256

AES256-SHA

CAMELLIA256-SHA

AES128-SHA

CAMELLIA128-SHA

DHE-RSA-SEED-SHA

ECDHE_RSA_DES_CBC3_SHA

DES_CBC3_SHA

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-ECDSA-CHACHA20-POLY1305

ECDHE-RSA-CHACHA20-POLY1305

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES256-SHA384

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES128-SHA256

ECDHE-ECDSA-AES256-SHA

ECDHE-RSA-AES256-SHA

ECDHE-ECDSA-AES128-SHA

ECDHE-RSA-AES128-SHA

AES256-GCM-SHA384

AES128-GCM-SHA256

AES256-SHA256

AES128-SHA256

tls13-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}

Specify one or more TLS 1.3 cipher suites that FortiWeb allows.

Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list.

Valid values are:

TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS_AES_128_GCM_SHA256

TLS_AES_128_CCM_SHA256

TLS_AES_128_CCM_8_SHA256

TLS_AES_256_GCM_SHA384

ssl-noreg {enable | disable}

Specify whether FortiWeb ignores requests from clients to renegotiate TLS or SSL.

Protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server.

Available only if https-service "<service_name>" is configured.

enable
ssl-session-timeout <ssl-session-timeout_int> When FortiWeb is configured as an SSL server, you can set SSL session timeout intervals via the CLI. This is available only in Reverse Proxy and True Transparent Proxy modes. No default.

status {enable | disable}

Enable to allow the policy to be used when evaluating traffic for a matching policy.

Note: You can use SNMP traps to notify you of changes to the policy’s status. For details, see system snmp community.

No default.

syncookie {enable | disable}

Enable to detect TCP SYN flood attacks.

For details, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

Available only when the operating mode is Reverse Proxy or True Transparent Proxy.

disable

tcp-recv-timeout <seconds_int>

Enter the amount of time (in seconds) that FortiWeb will wait for a client to send a request after the client sets up a TCP connection. The valid range is 0–300. A value of 0 means that there is no timeout.

0

tls-v10 {enable | disable}

Specifies whether clients can connect securely to FortiWeb using the TLS 1.0 cryptographic protocol.

This must be set to disable if http2 {enable | disable} is set to enable.

Available only if https-service "<service_name>" is configured.

enable

tls-v11 {enable | disable}

Specifies whether clients can connect securely to FortiWeb using the TLS 1.1 cryptographic protocol.

This must be set to disable if http2 {enable | disable} is set to enable.

Available only if https-service "<service_name>" is configured.

enable

tls-v12 {enable | disable}

Specifies whether clients can connect securely to FortiWeb using the TLS 1.2 cryptographic protocol.

Available only if https-service "<service_name>" is configured.

enable

tls-v13 {enable | disable}

Specifies whether clients can connect securely to FortiWeb using the TLS 1.3 cryptographic protocol.

Available only if https-service "<service_name>" is configured.

disable

urlcert {enable | disable}

Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate.

Available only if https-service "<service_name>" is configured.

disable

urlcert-group "<urlcert-group_name>"

Enter the URL-based client certificate group that determines whether a client is required to present a personal certificate.

If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate.

For details about creating a group, see system certificate urlcert.

No default.

urlcert-hlen <len_int>

Specify the maximum allowed length for an HTTP request with a URL that matches an entry in the URL-based client certificate group, in kilobytes.

FortiWeb blocks any matching requests that exceed the specified size.

This setting prevents a request from exceeding the maximum buffer size.

The valid range is 16–10240.

No default.

vserver "<vserver_name>"

Enter the name of a virtual server that provides the IP address and network interface of incoming traffic that FortiWeb routes and to which the policy applies a protection profile. The maximum length is 63 characters.

To display the list of existing virtual servers, enter:

edit ?

Available only if the operating mode is Reverse Proxy.

No default.

v-zone "<bridge_name>"

Enter the name of the bridge that specifies the network interface of the incoming traffic that the policy applies a protection profile to. The maximum length is 15 characters.

To display the list of existing bridges, enter:

edit ?

Available only if the operating mode is True Transparent Proxy or Transparent Inspection.

No default.

Note: If the connection fails when you have selected a certificate verifier, verify that the certificate meets the web browser’s requirements. Web browsers may have their own certificate validation requirements in addition to FortiWeb requirements. For example, personal certificates for client authentication may be required to either:

  • Not be restricted in usage/purpose by the CA, or
  • Contain a Key Usage field that contains Digital Signature or have a ExtendedKeyUsage or EnhancedKeyUsage field whose value contains Client Authentication

If the certificate does not satisfy browser requirements, although it may be installed in the browser, when the FortiWeb appliance requests the client’s certificate, the browser may not display a certificate selection dialog to the user, or the dialog may not contain that certificate. In that case, verification fails. For browser requirements, see your web browser’s documentation.

<entry_index>

Enter the index number of the individual entry in the table. No default.

content-routing-policy-name "<content-routing_name>"

Enter the name of a HTTP content routing policy that this server policy uses.

To display the list of existing error pages, enter:

edit ?

No default.

is-default {yes | no}

Enter yes to specify that FortiWeb applies the protection profile to any traffic that does not match conditions specified in the HTTP content routing policies. No default.

profile-inherit {enable | disable}

Enter enable to specify that FortiWeb applies the web protection profile for the server policy to connections that match the routing policy. disable
implicit_ssl {enable | disable} Enable so that FortiWeb will communicate with the pool member using implicit SSL. No default.
ssl-quiet-shutdown {enable | disable} For HTTPS connection, when disabled, FortiWeb sends ssl alert message to the client or server pool first, and then FIN.
When enabled, FortiWeb directly sends FIN message instead of sending ssl alert message.
disable
traffic-mirror {enable | disable} Enable to send traffic to third party IPS/IDS devices through network interfaces for traffic monitoring.
Available only when protocol {HTTP | FTP | ADFSPIP} is HTTP.
disable
traffic-mirror-profile <traffic-mirror-profile_str> Select the mirror policy created. No default.
traffic-mirror-type {client-side | server-side| both-side} Select the traffic mirror type.
For True Transparent Proxy mode, only Client Side type is available, which only allows traffic from client side to be sent to IPS/IDS devices.

For Reverse Proxy mode, you can select Client Side, Server Side, or Client and Server.
No default.
multi-certificate {enable | disable} Enable to allow FortiWeb to use multiple local certificates. disable
adfs-certificate-service <adfs-certificate-service_str>} Configure this option if the AD FS server requires client certificate for authentication.
Select the pre-defined service TLSCLIENTPORT if FortiWeb uses service port 49443 to listen the certification authentication requests.
No default.
adfs-certificate-ssl-client-verify <adfs-certificate-ssl-client-verify_str>} Select the certificate validation rule you have created. No default.
certificate-group <certificate-group_str>} Select the multi-certificate file you have created.
No default.

acceleration-policy <acceleration-policy_str>

Select the acceleration policy you have created.

No default.

web-cache {enable | disable}

Enable to create a web cache policy to allow FortiWeb to cache responses from your servers.

disable

real-ip-addr <real-ip-addr_str>

Specify an IP address or address range to directly connect to the back-end server.

No default.

retry-on {enable | disable}

Enable to configure whether to retry a failed TCP connection or HTTP request in Reverse Proxy mode.

A TCP connection failure retry can help when pserver is unreachable unexpectedly, FortiWeb will reconnect the single server or switch to the other

server when more than one pserver is available in the server pool.

An HTTP layer retry can help when pserver can be connected but it returns

certain failure response codes, such as 404, 408, 500, 501, 502, 503, and 504. FortiWeb will reconnect the single server or switch to the other server when more than one pserver is available in the server pool.

disable

retry-on-cache-size <retry-on-cache-size_int>

Enter a cache size limit for the HTTP request packet.

HTTP failure retry will take effect once the request packet size is smaller than this defined size.

TCP connection failure retry will take effect once the HTTP request packet

size in TCP connection is smaller than this defined size.

512

retry-on-connect-failure {enable | disable}

Enable to configure the retry times in case of any TCP connection failure.

disable

retry-times-on-connect-failure <retry-times-on-connect-failure_int>

Enter the retry times when FortiWeb reconnects the single server or switch to the other pserver. The valid range is 1-5.

3

retry-on-http-layer {enable | disable}

Enable to configure the retry times and failure response code in case of any HTTP connection failure.

Only GET and HEAD methods are supported now.

enable

retry-times-on-http-layer <retry-times-on-http-layer_int>

Enter the retry times when FortiWeb reconnects the single server or switch to the other pserver. The valid range is 1-5.

3

retry-on-http-response-codes {404 | 408 | 500 | 501 | 502 | 503 | 504}

Select the failure return code when pserver can be connected to determine enabling HTTP failure retry.

All values

replacemsg-on-connect-failure {disable | enable}

If this option is enabled, when the health check is disabled and the back-end server is not responsive, FortiWeb will send the 503 error code to the client.

When enabled, you should also configure tcp-conn-timeout to specify the timeout value.

disable

tcp-conn-timeout <integer>

When the health check is disabled and the back-end server is not responsive, FortiWeb will wait for the specified time until it sends the 503 error code. It's recommended to set a value smaller than 20 (seconds). This is to avoid too many times of retry being accumulated during the waiting time, which may cause the connection to be closed before FortiWeb has the chance to send the error code.

This option is at the server policy level. You can also set the tcp-usertimeout under system network-option which affects all server policies on FortiWeb appliance. If the timeout is configured both at the policy and the appliance level, FortiWeb will take the value whichever is smaller.

Sometimes when there is a third device, such as a gateway, deployed between FortiWeb and the back-end server, FortiWeb will directly get the status code from the third device instead of waiting along the timeout period.

The valid range for this option is 0-600 (seconds).

0 means FortiWeb will send 503 error code as soon as it detects the back-end server is not responsive.

120

Example

This example configures a web protection server policy. FortiWeb forwards HTTPS connections received by the virtual server named virtual_ip1 to a server pool named apache1, which contains a single physical server. FortiWeb uses the certificate named certificate1 during SSL negotiations with the client, then forwards traffic to the server pool.

config server-policy policy

edit "https-policy"

set deployment-mode server-pool

set vserver "virtual_ip1"

set server-pool "apache1"

set web-protection-profile "inline-protection1"

set https-service HTTPS

set certificate "certificate1"

set ssl-client-verify

set case-sensitive disable

set status enable

next

end

Related topics

server-policy policy

server-policy policy

Use this command to configure HTTP, FTP, and AD FS server policies.

FortiWeb applies only one server policy to each connection.

HTTP policy behavior varies by the operation mode. FTP and AD FS server policies are available only in Reverse Proxy mode. For details, see FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

When you switch the operation mode, FortiWeb deletes server policies from the configuration file if they are not applicable in the current operation mode.

To determine which type of server policy to create, configure protocol {HTTP | FTP | ADFSPIP}.

Before you configure an HTTP server policy, you can configure several policies and profiles:

You can also use SNMP traps to notify you of policy status changes, or when a policy enforces your network usage policy. For details, see system snmp community.

Before you configure an FTP server policy, you need to:

Before you configure an AD FS server policy, you need to:

To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

config server-policy policy

edit "<policy_name>"

set allow-hosts "<hosts_name>"

set block-port <port_int>

set case-sensitive {enable | disable}

set certificate "<certificate_name>"

set chunk-decode-enabled {enable | disable}

set client-certificate-forwarding {enable | disable}

set server-policy policy

set client-certificate-forwarding-sub-header "<header_str>"

set client-real-ip {enable | disable}

set real-ip-addr <real-ip-addr_str>

set client-timeout <seconds_int>

set comment "<comment_str>"

set data-capture-port <port_int>

set deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers}

set ftp-protection-profile <profile_name>

set half-open-threshold <packets_int>

set hpkp-header "<hpkp_name>"

set hsts-header {enable | disable}

set hsts-max-age <timeout_int>

set http2 {enable | disable}

set http-header-timeout <seconds_int>

set http-pipeline {enable | disable}

set http-to-https {enable | disable}

set https-service "<service_name>"

set implicit_ssl {enable | disable}

set intermediate-certificate-group "<CA-group_name>"

set internal-cookie-httponly {enable | disable}

set internal-cookie-secure {enable | disable}

set internal-cookie-samesite {enable | disable}

set internal-cookie-samesite-value {strict | lax | none}

set monitor-mode {enable | disable}

set noparse {enable | disable}

set prefer-current-session {enable |disable}

set protocol {HTTP | FTP | ADFSPIP}

set server-pool "<server-pool_name>"

set service "<service_name>"

set proxy-protocol {enable | disable}

set use-proxy-protocol-addr {enable | disable}

set replacemsg <replacemsg_name>

set sessioncookie-enforce {enable | disable}

set sni {enable | disable}

set sni-certificate "<sni_name>"

set sni-strict {enable | disable}

set certificate-type {enable | disable}

set lets-certificate <name>

set ssl {enable | disable}

set ssl-cipher {medium | high | custom}

set ssl-client-verify "<verifier_name>"

set ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}

set tls13-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}

set ssl-noreg {enable | disable}

set ssl-quiet-shutdown {enable | disable}

set ssl-session-timeout <ssl-session-timeout_int>

set status {enable | disable}

set syncookie {enable | disable}

set tcp-recv-timeout <seconds_int>

set tls-v10 {enable | disable}

set tls-v11 {enable | disable}

set tls-v12 {enable | disable}

set tls-v13 {enable | disable}

set urlcert {enable | disable}

set urlcert-group "<urlcert-group_name>"

set urlcert-hlen <len_int>

set vserver "<vserver_name>"

set v-zone "<bridge_name>"

set server-policy policy

set traffic-mirror {enable | disable}

set traffic-mirror-type {client-side | server-side| both-side}

set traffic-mirror-profile <traffic-mirror-profile_str>

set adfs-certificate-ssl-client-verify <adfs-certificate-ssl-client-verify_str>}

set adfs-certificate-service <adfs-certificate-service_str>}

set multi-certificate {enable | disable}

set certificate-group <certificate-group_str>}

set acceleration-policy <acceleration-policy_str>

set web-cache {enable | disable}

set retry-on {enable | disable}

set retry-on-cache-size <retry-on-cache-size_int>

set retry-on-connect-failure {enable | disable}

set retry-times-on-connect-failure <retry-times-on-connect-failure_int>

set retry-on-http-layer {enable | disable}

set retry-times-on-http-layer <retry-times-on-http-layer_int>

set retry-on-http-response-codes {404 | 408 | 500 | 501 | 502 | 503 | 504}

set replacemsg-on-connect-failure {disable | enable}

set tcp-conn-timeout <integer>

config http-content-routing-list

edit <entry_index>

set content-routing-policy-name "<content-routing_name>"

set is-default {yes | no}

set profile-inherit {enable | disable}

set server-policy policy

next

end

next

end

Variable Description Default

"<policy_name>"

Enter the name of the policy. The maximum length is 63 characters.

To display the list of existing policies, enter:

edit ?

No default.

allow-hosts "<hosts_name>"

Enter the name of a protected hosts group to allow or reject connections based upon whether the Host: field in the HTTP header is empty or does or does not match the protected hosts group. The maximum length is 63 characters.

To display the list of existing groups, enter:

edit ?

If you do not select a protected hosts group, FortiWeb accepts pr blocks requests based upon other criteria in the policy or protection profile, but regardless of the Host: field in the HTTP header.

Note: Unlike HTTP 1.1, HTTP 1.0 does not require the Host: field. The FortiWeb appliance does not block HTTP 1.0 requests because they do not have this field, regardless of whether or not you have selected a protected hosts group.

No default.

block-port <port_int>

Enter the number of the physical network interface port that FortiWeb uses to send TCP RST (reset) packets when a request violates the policy. The valid range varies by the number of physical ports on the NIC.

For example, to send TCP RST from port1, enter:

set block-port port1

Available only when the operating mode is Offline Protection.

No default.

case-sensitive {enable | disable}

Enable to differentiate uniform resource locators (URLs) according to upper case and lower case letters for features that act upon the URLs in the headers of HTTP requests, such as block list rules, and allow list rules.

For example, when enabled, an HTTP request involving http://www.Example.com/ would not match protection profile features that specify http://www.example.com (difference highlighted in bold).

No default.

certificate "<certificate_name>"

Enter the name of the certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections. The maximum length is 63 characters.

To display the list of existing certificates, enter:

edit ?

If sni {enable | disable} is enable, FortiWeb uses a Server Name Indication (SNI) configuration instead of or in addition to this server certificate. For details, see sni {enable | disable}.

This option is used only if https-service "<service_name>" is configured.

No default.

chunk-decode-enabled {enable | disable}

Enable or disable chunk decoding in the response packets.

enable

client-certificate-forwarding {enable | disable}

Enable to include the X.509 personal certificate presented by the client during the SSL/TLS handshake, if any, in an X-Client-Cert: HTTP header when forwarding the traffic to the protected web server.

FortiWeb still validates the client certificate itself, but this can be useful if the web server requires the client certificate for the purpose of server-side identity-based functionality.

disable

client-certificate-forwarding-cert-header "<header_str>"

Enter a custom certificate header that will include the Base64 certificate of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server.

x-client-cert

client-certificate-forwarding-sub-header "<header_str>"

Enter a custom subject header that will include the subject of the X.509 personal certificate presented by the client during the SSL/TLS handshake when it forwards the traffic to the protected web server.

x-client-dn

client-real-ip {enable | disable}

Enter enable to configure FortiWeb to use the source IP address of the client that originated the request when it connects to a back-end server on behalf of that client.

By default, when the operation mode is Reverse Proxy, the source IP for connections between FortiWeb and back-end servers is the address of a FortiWeb network interface.

Note: To ensure FortiWeb receives the server's response, configure FortiWeb as the server’s gateway.

Available only if the operating mode is Reverse Proxy.

disable

real-ip-addr <real-ip-addr_str>

Specify an IP address or address range to directly connect to the back-end server.

No default.

client-timeout <seconds_int>

Enter the amount of time (in seconds) that FortiWeb will keep open a connection with an idle client that isn't sending data. The valid range is 1–1200. A value of 0 means that there is no timeout.

0

comment "<comment_str>"

Enter a description or other comment. If the comment is more than one word or contains special characters, surround the comment with double quotes ( " ). The maximum length is 999 characters. No default.

data-capture-port <port_int>

Enter the network interface of incoming traffic that the policy attempts to apply a profile to. The IP address is ignored.

Available only if the operating mode is offline inspection.

deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers}

Specify the distribution method that FortiWeb uses when it forwards connections accepted by this policy.

  • server-pool—Forwards connections to a server pool. Depending on the pool configuration, FortiWeb either forwards connections to a single physical server or domain server or distributes the connection among the pool members. Also configure server-pool "<server-pool_name>". This option is available only if the operating mode is Reverse Proxy mode.
  • http-content-routing—Use HTTP content routing to route HTTP requests to a specific server pool. This option is available only if the FortiWeb appliance is operating in Reverse Proxy mode.
  • offline-detection — Allows connections to pass through the FortiWeb appliance and applies an Offline Protection profile. Also configure server-pool "<server-pool_name>". This is the only option available if operating mode is Offline Protection.
  • transparent-servers—Allows connections to pass through the FortiWeb appliance and applies a protection profile. Also configure server-pool "<server-pool_name>". This is the only option available when the operating mode is either True Transparent Proxy or Transparent Inspection.
  • wccp-servers—FortiWeb is a Web Cache Communication Protocol (WCCP) client that receives traffic from a FortiGate configured as a WCCP server. Also configure server-pool "<server-pool_name>". This is the only option available when the operation mode is WCCP.
No default.

ftp-protection-profile <profile_name>

Enter the FTP security profile to apply to connections that this policy monitors. If you haven't created a profile yet, see waf ftp-protection-profile or instructions about creating one.

No default.

half-open-threshold <packets_int>

Enter the maximum number of TCP SYN packets, including retransmission, that FortiWeb allows to be sent per second to a destination address. If this threshold is exceeded, the FortiWeb appliance treats the traffic as a DoS attack and ignores additional traffic from that source address.

The valid range is 10–10,000.

Available only when the operating mode is Reverse Proxy or True Transparent Proxy and syncookie {enable | disable} is enabled.

8192

hpkp-header "<hpkp_name>"

Select an HPKP profile, if any, to use to verify certificates when clients attempt to access a server.

HPKP prevents attackers from carrying out Man in the Middle (MITM) attacks with forged certificates.

Available only when the operating mode is Reverse Proxy.

No default.

hsts-header {enable | disable}

Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply, such as:

Strict-Transport-Security: max-age=31536000;

This header forces the client to use HTTPS for subsequent visits to this domain. If the certificate does not validate, it also causes a fatal connection error: the client’s web browser does not display any dialog that allows the user to override the certificate mismatch error and continue.

Available only if https-service "<service_name>" is configured.

disable

hsts-max-age <timeout_int>

Enter the time to live in seconds for the HSTS header.

Available only if hsts-header {enable | disable} is enabled.

The valid range is 3,600–31,536,000.

7776000

http2 {enable | disable}

FortiWeb's HTTP/2 security inspection is only supported for Revers Proxy mode and True Transparent Proxy mode. This option enables FortiWeb operating in Reverse Proxy mode (see opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}) to negotiate HTTP/2 with clients via SSL ALPN (Application-Layer Protocol Negotiation) during the SSL handshake if the client's browser supports HTTP/2 protocol. With the HTTP/2 being enabled, FortiWebcan recognize HTTP/2 traffic and apply the security services to it. To enable HTTP/2 communication between the FortiWeb and back-end web servers for HTTP/2 inspections in Reverse Proxy mode, see http2 {enable | disable}.

Available only when opmode is set to reverse-proxy, deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} is set to server-pool and https-service "<service_name>" is set correctly. FortiWeb supports HTTP/2 only for HTTPS connections and HTTP Content Routing is not supported for HTTP/2.

When opmode is set to transparent and deployment-mode is set to transparent-servers, this is not available. It only requires http2 {enable | disable} to enable the HTTP/2 security inspections in True Transparent Proxy mode; this option here is not required. For more details about HTTP/2 support, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

disable

http-header-timeout <seconds_int>

Enter the amount of time (in seconds) that FortiWeb will wait for the whole HTTP request header after a client sets up a TCP connection. The valid range is 0–1200. A value of 0 means that there is no timeout.

0

http-pipeline {enable | disable}

Specify whether FortiWeb accelerates transactions by bundling them inside the same TCP connection, instead of waiting for a response before sending/receiving the next request. This can increase performance when pages containing many images, scripts, and other auxiliary files are all hosted on the same domain, and therefore logically could use the same connection.

When FortiWeb is operating in Reverse Proxy or True Transparent Proxy mode, it can automatically use HTTP pipelining for requests with the following characteristics:

  • HTTP version is 1.1
  • The Connection general-header field does not include the "close" option (for example, Connection: close)
  • The HTTP method is GET or HEAD
enable

http-to-https {enable | disable}

Specify enable to automatically redirect all HTTP requests to the HTTPS service with the same URL and parameters.

Also configure https-service and ensure service uses port 443 (the default).

FortiWeb does not apply the protection profile for this policy (specified by server-policy policy) to the redirected traffic.

Available only when the operation mode is Reverse Proxy.

disable

https-service "<service_name>"

Enter the custom or predefined service that defines the port number on which the virtual server receives HTTPS traffic. The maximum length is 63 characters.

To display the list of existing services, enter:

edit ?

Available only when the operating mode is Reverse Proxy. For other operation modes, use the server pool configuration to enable SSL inspection instead.

No default.

proxy-protocol {enable | disable}

Enable this option when proxy servers or load balancers are installed before FortiWeb, for example, when a load balancer with proxy protocol enabled is deployed before FortiWeb-VM on AWS.

When Proxy Protocol is enabled, FortiWeb can receive client connection

information in the proxy protocol package passed through proxy servers and load balancers.

disable

use-proxy-protocol-addr {enable | disable}

Enable to use the source address of the proxy protocol in server policy.

If disabled, the source address of the connection will be used.

enable

replacemsg <replacemsg_name>

Select the replacement message to apply to the policy.

No default.

intermediate-certificate-group "<CA-group_name>"

Enter the name of an intermediate certificate authority (CA) group, if any, that FortiWeb uses to validate the CA signing chain in a client’s certificate. The maximum length is 63 characters.

To display the list of existing groups, enter:

edit ?

Available only if https-service "<service_name>" is configured.

No default.

internal-cookie-httponly {enable | disable}

Enable to assign an httponly flag to internal cookies. This feature is independent of the Cookie Security policy, if any, that you have in use.

enable

internal-cookie-secure {enable | disable}

Enable to assign a secure flag to internal cookies. This flag can only be assigned if the connection is over SSL. This feature is independent of the Cookie Security policy, if any, that you have in use.

disable

internal-cookie-samesite {enable | disable}

Enable to assign a SameSite flag to internal cookies. This feature is independent of the Cookie Security policy, if any, that you have in use.

If enabled, it applies to User Tracking, Anomaly Detection, Site Publish, and Client Management.

disable

internal-cookie-samesite-value {strict | lax | none}

  • strict: any request from the third parties will not carry such cookies;
  • lax: any request from the third parties will not carry such cookies except for GET requests that navigate to the destination URL.
  • none: set the value as none if a cookie is required to be sent by cross origin.

lax

monitor-mode {enable | disable}

Enable to override deny and redirect actions defined in the server protection rules for the selected policy. This setting enables FortiWeb to log attacks without performing the deny or redirect action.

Disable to allow FortiWeb to perform attack deny/redirect actions as defined by the server protection rules.

disable

noparse {enable | disable}

Enable this option to apply the server policy as a pure proxy, without parsing the content. In this case, the policy allows all traffic to pass through the FortiWeb appliance without applying any protection rules. See also "debug application http" on page 1 and debug flow trace.

This option applies to server policy only when the FortiWeb appliance operates in Reverse Proxy or True Transparent Proxy mode.

Caution: Use this only during debugging and for as brief a period as possible. This feature disables many protection features. See also http-parse-error-output {enable | disable}.

disable

prefer-current-session {enable |disable}

Enable to forward subsequent requests from an identified client connection to the same server pool as the initial connection from the client.

This option allows FortiWeb to improve its performance by skipping the process of matching HTTP header content to content routing policies for connections it has already evaluated and routed.

Available only when deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} is http-content-routing.

disable

protocol {HTTP | FTP | ADFSPIP}

Select one of the following:

  • HTTP—Specifies that the server policy governs HTTP traffic. Specific options for configuring an HTTP server policy become available.
  • FTP—Specifies that the server policy governs FTP traffic. Specific options for configuring an FTP server policy become available.
  • ADFSPIP—Specifies that the server policy governs AD FS traffic. Specific options for configuring an AD FS server policy become available.

HTTP

server-pool "<server-pool_name>"

Enter the name of the server pool whose members receive the connections.

To display the list of existing servers, enter:

edit ?

This field is applicable only if deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} is server-pool, offline-protection or transparent-servers.

Caution: Multiple virtual servers/policies can forward traffic to the same server pool. If you do this, consider the total maximum load of connections that all virtual servers forward to your server pool. This configuration can multiply traffic forwarded to your server pool, which can overload it and cause dropped connections.

No default.

service "<service_name>"

Enter the custom or predefined service that defines the port number on which the virtual server receives HTTP traffic. The maximum length is 63 characters.

To display the list of existing services, enter:

edit ?

Available only when the operating mode is Reverse Proxy.

No default.

sessioncookie-enforce {enable | disable}

  • enable—When FortiWeb maintains session persistence using cookies, it inserts a cookie in subsequent transactions in a session if the transaction does not contain a control cookie.

This option is useful if your environment uses TCP multiplexing, which combines HTTP requests from multiple clients in a single session for load balancing or other purposes.

  • disable—When FortiWeb maintains session persistence using cookies, it tracks or inserts the cookie for the first transaction of a session only. It does not track or insert a cookie in subsequent transactions in the session, even if the transaction does not contain a control cookie.

For details about configuring session persistence, see server-policy persistence-policy.

disable

sni {enable | disable}

Enable to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by certificate <certificate_name>.

The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. For details, see system certificate sni.

If you specify both a SNI configuration and a certificate, FortiWeb uses the certificate specified by certificate "<certificate_name>" when the requested domain does not match a value in the SNI configuration.

If you enable sni-strict {enable | disable}, FortiWeb always ignores the value of certificate "<certificate_name>".

Available only if https-service "<service_name>" is configured.

disable

sni-certificate "<sni_name>"

Enter the name of the Server Name Indication (SNI) configuration that specifies which certificate FortiWeb uses when encrypting or decrypting SSL-secured connections for a specified domain.

The SNI configuration enables FortiWeb to present different certificates on behalf of the members of a pool according to the requested domain.

If only one certificate is required to encrypt and decrypt traffic that this policy applies to, specify certificate "<certificate_name>" instead.

Available only if https-service "<service_name>" is configured.

No default.

sni-strict {enable | disable}

Select to configure FortiWeb to ignore the value of certificate "<certificate_name>" when it determines which certificate to present on behalf of server pool members, even if the domain in a client request does not match a value in the specified SNI configuration. disable

certificate-type {enable | disable}

Enable allow FortiWeb to automatically retrieve CA certificates from Let's Encrypt.

disable

lets-certificate <name>

Select the Letsencrypt certificate you have created. See system certificate letsencrypt.

No default.

ssl {enable | disable}

Enable so that connections between clients and FortiWeb use SSL/TLS. Enabling ssl will allow you to configure additional SSL options and settings, including specifying supported SSL protocols and uploading certificates.

disable

ssl-cipher {medium | high | custom}

Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or custom configuration.

If custom, also specify ssl-custom-cipher.

This is not allowed to set to custom if http2 is set to enable.

For details, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

Available only if https-service "<service_name>" is configured.

medium

ssl-client-verify "<verifier_name>"

Enter the name of a certificate verifier, if any, to use when an HTTP client presents their personal certificate. If you do not select one, the client is not required to present a personal certificate.

If the client presents an invalid certificate, the FortiWeb appliance does not allow the connection.

To be valid, a client certificate must:

  • Not be expired
  • Not be revoked by either the certificate revocation list (CRL) (see system certificate verify)
  • Be signed by a certificate authority (CA) whose certificate you have imported into the FortiWeb appliance; if the certificate has been signed by a chain of intermediate CAs, those certificates must be included in an intermediate CA group (see intermediate-certificate-group "<CA-group_name>")
  • Contain a CA field whose value matches the CA certificate
  • Contain an Issuer field whose value matches the Subject field in the CA certificate

Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website.

You can require that clients present a certificate alternatively or in addition to HTTP authentication. For details, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

The maximum length is 63 characters.

To display the list of existing verifiers, type:

edit ?

This option is used only if https-service "<service_name>" is configured.

The client must support TLS 1.0, TLS 1.1, or TLS 1.2.

No default.

ssl-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}

Specify one or more cipher suites that FortiWeb allows.

Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list.

Valid values are:

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-GCM-SHA384

DHE-DSS-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

ECDHE-ECDSA-CHACHA20-POLY1305

ECDHE-RSA-CHACHA20-POLY1305

DHE-RSA-CHACHA20-POLY1305

ECDHE-ECDSA-AES256-CCM8

ECDHE-ECDSA-AES256-CCM

DHE-RSA-AES256-CCM8

DHE-RSA-AES256-CCM

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-GCM-SHA256

DHE-DSS-AES128-GCM-SHA256

DHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES128-CCM8

ECDHE-ECDSA-AES128-CCM

DHE-RSA-AES128-CCM8

DHE-RSA-AES128-CCM

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES256-SHA384

DHE-RSA-AES256-SHA256

DHE-DSS-AES256-SHA256

ECDHE-ECDSA-CAMELLIA256-SHA384

ECDHE-RSA-CAMELLIA256-SHA384

DHE-RSA-CAMELLIA256-SHA256

DHE-DSS-CAMELLIA256-SHA256

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES128-SHA256

DHE-RSA-AES128-SHA256

DHE-DSS-AES128-SHA256

ECDHE-ECDSA-CAMELLIA128-SHA256

ECDHE-RSA-CAMELLIA128-SHA256

DHE-RSA-CAMELLIA128-SHA256

DHE-DSS-CAMELLIA128-SHA256

ECDHE-ECDSA-AES256-SHA

ECDHE-RSA-AES256-SHA

DHE-RSA-AES256-SHA

DHE-DSS-AES256-SHA

DHE-RSA-CAMELLIA256-SHA

DHE-DSS-CAMELLIA256-SHA

ECDHE-ECDSA-AES128-SHA

ECDHE-RSA-AES128-SHA

DHE-RSA-AES128-SHA

DHE-DSS-AES128-SHA

DHE-RSA-CAMELLIA128-SHA

DHE-DSS-CAMELLIA128-SHA

AES256-GCM-SHA384

AES256-CCM8

AES256-CCM

AES128-GCM-SHA256

AES128-CCM8

AES128-CCM

AES256-SHA256

CAMELLIA256-SHA256

AES128-SHA256

CAMELLIA128-SHA256

AES256-SHA

CAMELLIA256-SHA

AES128-SHA

CAMELLIA128-SHA

DHE-RSA-SEED-SHA

ECDHE_RSA_DES_CBC3_SHA

DES_CBC3_SHA

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-ECDSA-CHACHA20-POLY1305

ECDHE-RSA-CHACHA20-POLY1305

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES256-SHA384

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES128-SHA256

ECDHE-ECDSA-AES256-SHA

ECDHE-RSA-AES256-SHA

ECDHE-ECDSA-AES128-SHA

ECDHE-RSA-AES128-SHA

AES256-GCM-SHA384

AES128-GCM-SHA256

AES256-SHA256

AES128-SHA256

tls13-custom-cipher {<cipher_1> <cipher2> <cipher3> ...}

Specify one or more TLS 1.3 cipher suites that FortiWeb allows.

Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list.

Valid values are:

TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS_AES_128_GCM_SHA256

TLS_AES_128_CCM_SHA256

TLS_AES_128_CCM_8_SHA256

TLS_AES_256_GCM_SHA384

ssl-noreg {enable | disable}

Specify whether FortiWeb ignores requests from clients to renegotiate TLS or SSL.

Protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server.

Available only if https-service "<service_name>" is configured.

enable
ssl-session-timeout <ssl-session-timeout_int> When FortiWeb is configured as an SSL server, you can set SSL session timeout intervals via the CLI. This is available only in Reverse Proxy and True Transparent Proxy modes. No default.

status {enable | disable}

Enable to allow the policy to be used when evaluating traffic for a matching policy.

Note: You can use SNMP traps to notify you of changes to the policy’s status. For details, see system snmp community.

No default.

syncookie {enable | disable}

Enable to detect TCP SYN flood attacks.

For details, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

Available only when the operating mode is Reverse Proxy or True Transparent Proxy.

disable

tcp-recv-timeout <seconds_int>

Enter the amount of time (in seconds) that FortiWeb will wait for a client to send a request after the client sets up a TCP connection. The valid range is 0–300. A value of 0 means that there is no timeout.

0

tls-v10 {enable | disable}

Specifies whether clients can connect securely to FortiWeb using the TLS 1.0 cryptographic protocol.

This must be set to disable if http2 {enable | disable} is set to enable.

Available only if https-service "<service_name>" is configured.

enable

tls-v11 {enable | disable}

Specifies whether clients can connect securely to FortiWeb using the TLS 1.1 cryptographic protocol.

This must be set to disable if http2 {enable | disable} is set to enable.

Available only if https-service "<service_name>" is configured.

enable

tls-v12 {enable | disable}

Specifies whether clients can connect securely to FortiWeb using the TLS 1.2 cryptographic protocol.

Available only if https-service "<service_name>" is configured.

enable

tls-v13 {enable | disable}

Specifies whether clients can connect securely to FortiWeb using the TLS 1.3 cryptographic protocol.

Available only if https-service "<service_name>" is configured.

disable

urlcert {enable | disable}

Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate.

Available only if https-service "<service_name>" is configured.

disable

urlcert-group "<urlcert-group_name>"

Enter the URL-based client certificate group that determines whether a client is required to present a personal certificate.

If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate.

For details about creating a group, see system certificate urlcert.

No default.

urlcert-hlen <len_int>

Specify the maximum allowed length for an HTTP request with a URL that matches an entry in the URL-based client certificate group, in kilobytes.

FortiWeb blocks any matching requests that exceed the specified size.

This setting prevents a request from exceeding the maximum buffer size.

The valid range is 16–10240.

No default.

vserver "<vserver_name>"

Enter the name of a virtual server that provides the IP address and network interface of incoming traffic that FortiWeb routes and to which the policy applies a protection profile. The maximum length is 63 characters.

To display the list of existing virtual servers, enter:

edit ?

Available only if the operating mode is Reverse Proxy.

No default.

v-zone "<bridge_name>"

Enter the name of the bridge that specifies the network interface of the incoming traffic that the policy applies a protection profile to. The maximum length is 15 characters.

To display the list of existing bridges, enter:

edit ?

Available only if the operating mode is True Transparent Proxy or Transparent Inspection.

No default.

Note: If the connection fails when you have selected a certificate verifier, verify that the certificate meets the web browser’s requirements. Web browsers may have their own certificate validation requirements in addition to FortiWeb requirements. For example, personal certificates for client authentication may be required to either:

  • Not be restricted in usage/purpose by the CA, or
  • Contain a Key Usage field that contains Digital Signature or have a ExtendedKeyUsage or EnhancedKeyUsage field whose value contains Client Authentication

If the certificate does not satisfy browser requirements, although it may be installed in the browser, when the FortiWeb appliance requests the client’s certificate, the browser may not display a certificate selection dialog to the user, or the dialog may not contain that certificate. In that case, verification fails. For browser requirements, see your web browser’s documentation.

<entry_index>

Enter the index number of the individual entry in the table. No default.

content-routing-policy-name "<content-routing_name>"

Enter the name of a HTTP content routing policy that this server policy uses.

To display the list of existing error pages, enter:

edit ?

No default.

is-default {yes | no}

Enter yes to specify that FortiWeb applies the protection profile to any traffic that does not match conditions specified in the HTTP content routing policies. No default.

profile-inherit {enable | disable}

Enter enable to specify that FortiWeb applies the web protection profile for the server policy to connections that match the routing policy. disable
implicit_ssl {enable | disable} Enable so that FortiWeb will communicate with the pool member using implicit SSL. No default.
ssl-quiet-shutdown {enable | disable} For HTTPS connection, when disabled, FortiWeb sends ssl alert message to the client or server pool first, and then FIN.
When enabled, FortiWeb directly sends FIN message instead of sending ssl alert message.
disable
traffic-mirror {enable | disable} Enable to send traffic to third party IPS/IDS devices through network interfaces for traffic monitoring.
Available only when protocol {HTTP | FTP | ADFSPIP} is HTTP.
disable
traffic-mirror-profile <traffic-mirror-profile_str> Select the mirror policy created. No default.
traffic-mirror-type {client-side | server-side| both-side} Select the traffic mirror type.
For True Transparent Proxy mode, only Client Side type is available, which only allows traffic from client side to be sent to IPS/IDS devices.

For Reverse Proxy mode, you can select Client Side, Server Side, or Client and Server.
No default.
multi-certificate {enable | disable} Enable to allow FortiWeb to use multiple local certificates. disable
adfs-certificate-service <adfs-certificate-service_str>} Configure this option if the AD FS server requires client certificate for authentication.
Select the pre-defined service TLSCLIENTPORT if FortiWeb uses service port 49443 to listen the certification authentication requests.
No default.
adfs-certificate-ssl-client-verify <adfs-certificate-ssl-client-verify_str>} Select the certificate validation rule you have created. No default.
certificate-group <certificate-group_str>} Select the multi-certificate file you have created.
No default.

acceleration-policy <acceleration-policy_str>

Select the acceleration policy you have created.

No default.

web-cache {enable | disable}

Enable to create a web cache policy to allow FortiWeb to cache responses from your servers.

disable

real-ip-addr <real-ip-addr_str>

Specify an IP address or address range to directly connect to the back-end server.

No default.

retry-on {enable | disable}

Enable to configure whether to retry a failed TCP connection or HTTP request in Reverse Proxy mode.

A TCP connection failure retry can help when pserver is unreachable unexpectedly, FortiWeb will reconnect the single server or switch to the other

server when more than one pserver is available in the server pool.

An HTTP layer retry can help when pserver can be connected but it returns

certain failure response codes, such as 404, 408, 500, 501, 502, 503, and 504. FortiWeb will reconnect the single server or switch to the other server when more than one pserver is available in the server pool.

disable

retry-on-cache-size <retry-on-cache-size_int>

Enter a cache size limit for the HTTP request packet.

HTTP failure retry will take effect once the request packet size is smaller than this defined size.

TCP connection failure retry will take effect once the HTTP request packet

size in TCP connection is smaller than this defined size.

512

retry-on-connect-failure {enable | disable}

Enable to configure the retry times in case of any TCP connection failure.

disable

retry-times-on-connect-failure <retry-times-on-connect-failure_int>

Enter the retry times when FortiWeb reconnects the single server or switch to the other pserver. The valid range is 1-5.

3

retry-on-http-layer {enable | disable}

Enable to configure the retry times and failure response code in case of any HTTP connection failure.

Only GET and HEAD methods are supported now.

enable

retry-times-on-http-layer <retry-times-on-http-layer_int>

Enter the retry times when FortiWeb reconnects the single server or switch to the other pserver. The valid range is 1-5.

3

retry-on-http-response-codes {404 | 408 | 500 | 501 | 502 | 503 | 504}

Select the failure return code when pserver can be connected to determine enabling HTTP failure retry.

All values

replacemsg-on-connect-failure {disable | enable}

If this option is enabled, when the health check is disabled and the back-end server is not responsive, FortiWeb will send the 503 error code to the client.

When enabled, you should also configure tcp-conn-timeout to specify the timeout value.

disable

tcp-conn-timeout <integer>

When the health check is disabled and the back-end server is not responsive, FortiWeb will wait for the specified time until it sends the 503 error code. It's recommended to set a value smaller than 20 (seconds). This is to avoid too many times of retry being accumulated during the waiting time, which may cause the connection to be closed before FortiWeb has the chance to send the error code.

This option is at the server policy level. You can also set the tcp-usertimeout under system network-option which affects all server policies on FortiWeb appliance. If the timeout is configured both at the policy and the appliance level, FortiWeb will take the value whichever is smaller.

Sometimes when there is a third device, such as a gateway, deployed between FortiWeb and the back-end server, FortiWeb will directly get the status code from the third device instead of waiting along the timeout period.

The valid range for this option is 0-600 (seconds).

0 means FortiWeb will send 503 error code as soon as it detects the back-end server is not responsive.

120

Example

This example configures a web protection server policy. FortiWeb forwards HTTPS connections received by the virtual server named virtual_ip1 to a server pool named apache1, which contains a single physical server. FortiWeb uses the certificate named certificate1 during SSL negotiations with the client, then forwards traffic to the server pool.

config server-policy policy

edit "https-policy"

set deployment-mode server-pool

set vserver "virtual_ip1"

set server-pool "apache1"

set web-protection-profile "inline-protection1"

set https-service HTTPS

set certificate "certificate1"

set ssl-client-verify

set case-sensitive disable

set status enable

next

end

Related topics