Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 6.4.3 CLI Reference
    6.4.3
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    waf user-tracking rule

    waf user-tracking rule

    Use this command to configure FortiWeb to track sessions by user and capture a username to reference in traffic and attack log messages.

    When FortiWeb detects users that match the criteria that you specify in a user tracking policy, it stores the session ID and username.

    To apply a user tracking rule, add it to a user tracking policy that you can select in an inline or Offline Protection profile. For details, see waf user-tracking policy.

    You can apply a user tracking policy using either an inline or Offline Protection profile. However, Session Fixation Protection, Session Timeout, Limit Concurrent Users per Account, and Credential Stuffing Defense are not supported in Offline Protection mode.

    You can also use the user tracking feature to create a filter in a custom rule that matches specific users. This type of custom rule requires you to create a user tracking policy and apply it to the protection profile that uses the custom rule. For details, see waf custom-access rule.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf user-tracking rule

    edit "<rule_name>"

    set hostname-ip "<hostname-ip_str>"

    set host-status { enable | disable}

    set authentication-url "<url_str>"

    set username-parameter "<username_str>"

    set password-parameter "<password_str>"

    set session-id-name "<session-id_str>"

    set logoff-path "<logoff_str>"

    set session-fixation-protection {enable | disable}

    set limit-users {enable | disable}

    set maximum-users <maximum-users_int>

    set session-idle-timeout <session-idle-timeout_int>

    set session-timeout-enable {enable | disable}

    set session-timeout-enforcement {enable | disable}

    set session-timeout <timeout_int>

    set session-frozen-time <frozen-time_int>

    set session-frozen-action {alert | alert_deny | redirect | block-period | deny_no_log}

    set session-frozen-block-period <block-period_int>

    set session-frozen-severity {High | Medium | Low | Info}

    set session-frozen-trigger "<trigger-policy_name>"

    set default-action {failed | success}

    set credential-stuffing-protection {enable | disable}

    config match-condition

    edit <entry_index>

    set authentication-result-type {failed | success}

    set HTTP-match-target {return-code | response-body | redirect-url}

    set value-type {plain | regular}

    set value "<value-str>"

    next

    end

    next

    end

    Variable Description Default

    "<rule_name>"

    Enter a name that identifies the rule. You will use this name to reference the rule in other parts of the configuration. The maximum length is 63 characters.

    		 No default.

    hostname-ip "<hostname-ip_str>"

    Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the rule.

    Available only when host-status { enable | disable} is enable.

    		 No default.

    host-status { enable | disable}

    Enable to require that the Host: field of the HTTP request match a protected host names entry in order to match the URL access rule.

    Also configure hostname-ip "<hostname-ip_str>".

    		 disable

    authentication-url "<url_str>"

    Enter the URL to match in authorization requests.

    Ensure that the value begins with a forward slash ( / ).

    		 No default.

    username-parameter "<username_str>"

    Enter the username field value to match in authorization requests.

    		 No default.

    password-parameter "<password_str>"

    Enter the password field value to match in authorization requests.

    		 No default.

    session-id-name "<session-id_str>"

    Enter the name of the session ID that is used to identify each session.

    Examples of session ID names are sid, PHPSESSID, and JSESSIONID

    		 No default.

    logoff-path "<logoff_str>"

    Optionally, enter the URL of the request that a client sends to log out of the application.

    When the client sends this URL, FortiWeb stops tracking the user session.

    Ensure that the value begins with a forward slash ( / ).

    		 No default.

    session-fixation-protection {enable | disable}

    Enter enable to configure FortiWeb to erase session IDs from the cookie and argument fields of a matching login request.

    FortiWeb erases the IDs for non-authenticated sessions only.

    For web applications that do not renew the session cookie when a user logs in, it is possible for an attacker to trick a user into authenticating with a session ID that the attacker acquired earlier. This feature prevents the attacker from accessing the web app in an authenticated session.

    When this feature removes session IDs, FortiWeb does not generate a log message because it is very common for a legitimate user to access a web application using an existing cookie. For example, a client who leaves his or her web browser open between sessions presents the cookie from an earlier session.

    Caution: This option is not supported in Offline Protection mode.

    		 disable

    limit-users {enable | disable}

    Enable to limit the number of concurrent logins per account.

    		disable

    maximum-users <maximum-users_int>

    Specify the maximum number of concurrent logins using the same account.

    1

    session-idle-timeout <session-idle-timeout_int>

    When a session is idled for the specified period of time, the Concurrent Users count will be renewed. The user who is timed-out needs to re-log in. The valid range is 1-1440.

    30

    session-timeout-enable {enable | disable}

    Enable to set the time in minutes that FortiWeb waits before it stops tracking an inactive user session.

    		 disable

    session-timeout-enforcement {enable | disable}

    Enter enable to configure FortiWeb to remove the session ID for user sessions that are idle for longer than the length of time specified by session-timeout. When a session is reset, the client has to log in again to access the back-end server.

    If a session exceeds the timeout threshold, instead of tracking subsequent matching sessions by user, FortiWeb takes the specified action, for a length of time specified by session-frozen-time.

    		 disable

    session-timeout <timeout_int>

    Enter the length of time in minutes that FortiWeb waits before it stops tracking an inactive user session.

    The valid range is 1–60.

    		 30

    session-frozen-time <frozen-time_int>

    Enter the length of time after a session exceeds the timeout threshold that FortiWeb takes the specified action against requests with the ID of the timed-out session.

    After the freeze time has elapsed, FortiWeb removes the session ID for idle sessions but no longer takes the specified action.

    Available only when session-timeout-enforcement {enable | disable} is enable.

    		 30

    session-frozen-action {alert | alert_deny | redirect | block-period | deny_no_log}

    When session-timeout-enforcement {enable | disable} is enable, enter the action that FortiWeb takes against requests with the ID of a timed-out session during the specified time period, or when credential-stuffing-protection {enable | disable} is enabled enter the action that FortiWeb takes against spilled username/password pairs:

    • alert—Accept the request and generate an alert email and/or log message.

    • alert_deny—Block the request and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

      Note: In Offline Protection mode, because the deny action is not supported, this option has the same effect as alert.

    • redirect — Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message. Also configure redirect-url <redirect_fqdn> and rdt-reason {enable | disable}.

      Caution: This option is not supported in Offline Protection mode

    • block-period—Block subsequent requests from the client for a specified number of seconds.

      deny_no_log—Deny a request. Do not generate a log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

      Caution: This option is not supported in Offline Protection mode

    When the action generates a log message, the message field value is Session Timeout Enforcement: triggered by user <username>.

    Available only when session-timeout-enforcement {enable | disable} or credential-stuffing-protection {enable | disable} is set to enable.

    		 alert

    session-frozen-block-period <block-period_int>

    Enter the number of seconds to block requests with the ID of a timed-out session or when credential-stuffing-protection {enable | disable} is enabled and detects spilled username/password pairs.

    This setting is available only if session-frozen-action {alert | alert_deny | redirect | block-period | deny_no_log} is block-period. The valid range is 1–3,600 seconds.

    		 600

    session-frozen-severity {High | Medium | Low | Info}

    When the session timeout settings generate an attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb uses when it takes the specified action:

    • Low
    • Medium
    • High

    Available only when session-timeout-enforcement {enable | disable} or credential-stuffing-protection {enable | disable} is set to enable.

    		 Low

    session-frozen-trigger "<trigger-policy_name>"

    Enter the name of the trigger, if any, to apply when FortiWeb detects requests with the ID of a timed-out session or when credential-stuffing-protection is enabled and FortiWeb detects spilled username/password pairs. The maximum length is 63 characters.

    For details, see log trigger-policy.

    To display the list of existing triggers, enter:

    set trigger ?

    		No default.

    default-action {failed | success}

    Enter the authentication result that FortiWeb associates with requests that match the criteria but do not match an entry in the Authentication Result Condition Table.

    When the login result is successful, FortiWeb tracks the session using the session ID and username values.

    		 failed

    credential-stuffing-protection {enable | disable}

    Enable to use FortiGuard's Credential Stuffing Defense database to prevent against Credential Stuffing attacks. For details, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/fortiweb/admin-guides

    		disable

    <entry_index>

    Enter the index number of the individual entry in the table.

    		 No default.

    authentication-result-type {failed | success}

    Specify the status FortiWeb assigns to user logins that match this table item: failed or successful.

    FortiWeb tracks sessions by user only when the status is successful.

    If the request does not match any rules in this table, FortiWeb uses the value specified by default-action {failed | success}.

    		 success

    HTTP-match-target {return-code | response-body | redirect-url}

    Select the location of the value to match with the string or regular expression specified in this table item: return-code, response-body, redirect-url.

    		 return-code

    value-type {plain | regular}

    Indicate whether value is a simple string (plain) or a regular expression (regular).

    		 plain

    value "<value-str>"

    Enter the value to match.

    		 No default.

    Example

    This example matches requests from clients using the URL /login2 with the parameters user and pass and a session ID specified by jsessionid. FortiWeb tracks matching sessions by user and stops tracking if the client logs out using the URL /logout2.

    FortiWeb tracks only requests with the return code 200, which it classifies as successful. It does not track requests with a response body that matches the regular expression deny. In addition, because the rule uses the default value for the default authentication result, it does not track requests that do not match an item in the list of match conditions.

    The rule enables both session fixation protection and session timeout enforcement for tracked sessions. If a session is idle longer than the default session timeout, FortiWeb blocks requests from clients that use the session ID that has timed out for the default period block time. It performs this action for 30 minutes after the session times out (the default session freeze time).

    config waf user-tracking

    edit "rule1"

    set authentication-url "/login2"

    set username-parameter user

    set password-parameter pass

    set session-id-name "jsessionid"

    set logoff-path "/logout2"

    set session-fixation-protection enable

    set timeout-enforcement enable

    set session-frozen-action period-block

    set session-frozen-severity High

    set session-frozen-trigger "trigger1"

    config match-condition

    edit 1

    set authentication-result-type success

    set HTTP-match-target return-code

    set value-type plain

    set value 200

    next

    edit 2

    set authentication-result-type failed

    set HTTP-match-target return

    set value-type regular

    set value deny

    next

    end

    next

    end

    Related topics

    Previous
    Next

    waf user-tracking rule

    waf user-tracking rule

    Use this command to configure FortiWeb to track sessions by user and capture a username to reference in traffic and attack log messages.

    When FortiWeb detects users that match the criteria that you specify in a user tracking policy, it stores the session ID and username.

    To apply a user tracking rule, add it to a user tracking policy that you can select in an inline or Offline Protection profile. For details, see waf user-tracking policy.

    You can apply a user tracking policy using either an inline or Offline Protection profile. However, Session Fixation Protection, Session Timeout, Limit Concurrent Users per Account, and Credential Stuffing Defense are not supported in Offline Protection mode.

    You can also use the user tracking feature to create a filter in a custom rule that matches specific users. This type of custom rule requires you to create a user tracking policy and apply it to the protection profile that uses the custom rule. For details, see waf custom-access rule.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf user-tracking rule

    edit "<rule_name>"

    set hostname-ip "<hostname-ip_str>"

    set host-status { enable | disable}

    set authentication-url "<url_str>"

    set username-parameter "<username_str>"

    set password-parameter "<password_str>"

    set session-id-name "<session-id_str>"

    set logoff-path "<logoff_str>"

    set session-fixation-protection {enable | disable}

    set limit-users {enable | disable}

    set maximum-users <maximum-users_int>

    set session-idle-timeout <session-idle-timeout_int>

    set session-timeout-enable {enable | disable}

    set session-timeout-enforcement {enable | disable}

    set session-timeout <timeout_int>

    set session-frozen-time <frozen-time_int>

    set session-frozen-action {alert | alert_deny | redirect | block-period | deny_no_log}

    set session-frozen-block-period <block-period_int>

    set session-frozen-severity {High | Medium | Low | Info}

    set session-frozen-trigger "<trigger-policy_name>"

    set default-action {failed | success}

    set credential-stuffing-protection {enable | disable}

    config match-condition

    edit <entry_index>

    set authentication-result-type {failed | success}

    set HTTP-match-target {return-code | response-body | redirect-url}

    set value-type {plain | regular}

    set value "<value-str>"

    next

    end

    next

    end

    Variable Description Default

    "<rule_name>"

    Enter a name that identifies the rule. You will use this name to reference the rule in other parts of the configuration. The maximum length is 63 characters.

    		 No default.

    hostname-ip "<hostname-ip_str>"

    Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the rule.

    Available only when host-status { enable | disable} is enable.

    		 No default.

    host-status { enable | disable}

    Enable to require that the Host: field of the HTTP request match a protected host names entry in order to match the URL access rule.

    Also configure hostname-ip "<hostname-ip_str>".

    		 disable

    authentication-url "<url_str>"

    Enter the URL to match in authorization requests.

    Ensure that the value begins with a forward slash ( / ).

    		 No default.

    username-parameter "<username_str>"

    Enter the username field value to match in authorization requests.

    		 No default.

    password-parameter "<password_str>"

    Enter the password field value to match in authorization requests.

    		 No default.

    session-id-name "<session-id_str>"

    Enter the name of the session ID that is used to identify each session.

    Examples of session ID names are sid, PHPSESSID, and JSESSIONID

    		 No default.

    logoff-path "<logoff_str>"

    Optionally, enter the URL of the request that a client sends to log out of the application.

    When the client sends this URL, FortiWeb stops tracking the user session.

    Ensure that the value begins with a forward slash ( / ).

    		 No default.

    session-fixation-protection {enable | disable}

    Enter enable to configure FortiWeb to erase session IDs from the cookie and argument fields of a matching login request.

    FortiWeb erases the IDs for non-authenticated sessions only.

    For web applications that do not renew the session cookie when a user logs in, it is possible for an attacker to trick a user into authenticating with a session ID that the attacker acquired earlier. This feature prevents the attacker from accessing the web app in an authenticated session.

    When this feature removes session IDs, FortiWeb does not generate a log message because it is very common for a legitimate user to access a web application using an existing cookie. For example, a client who leaves his or her web browser open between sessions presents the cookie from an earlier session.

    Caution: This option is not supported in Offline Protection mode.

    		 disable

    limit-users {enable | disable}

    Enable to limit the number of concurrent logins per account.

    		disable

    maximum-users <maximum-users_int>

    Specify the maximum number of concurrent logins using the same account.

    1

    session-idle-timeout <session-idle-timeout_int>

    When a session is idled for the specified period of time, the Concurrent Users count will be renewed. The user who is timed-out needs to re-log in. The valid range is 1-1440.

    30

    session-timeout-enable {enable | disable}

    Enable to set the time in minutes that FortiWeb waits before it stops tracking an inactive user session.

    		 disable

    session-timeout-enforcement {enable | disable}

    Enter enable to configure FortiWeb to remove the session ID for user sessions that are idle for longer than the length of time specified by session-timeout. When a session is reset, the client has to log in again to access the back-end server.

    If a session exceeds the timeout threshold, instead of tracking subsequent matching sessions by user, FortiWeb takes the specified action, for a length of time specified by session-frozen-time.

    		 disable

    session-timeout <timeout_int>

    Enter the length of time in minutes that FortiWeb waits before it stops tracking an inactive user session.

    The valid range is 1–60.

    		 30

    session-frozen-time <frozen-time_int>

    Enter the length of time after a session exceeds the timeout threshold that FortiWeb takes the specified action against requests with the ID of the timed-out session.

    After the freeze time has elapsed, FortiWeb removes the session ID for idle sessions but no longer takes the specified action.

    Available only when session-timeout-enforcement {enable | disable} is enable.

    		 30

    session-frozen-action {alert | alert_deny | redirect | block-period | deny_no_log}

    When session-timeout-enforcement {enable | disable} is enable, enter the action that FortiWeb takes against requests with the ID of a timed-out session during the specified time period, or when credential-stuffing-protection {enable | disable} is enabled enter the action that FortiWeb takes against spilled username/password pairs:

    • alert—Accept the request and generate an alert email and/or log message.

    • alert_deny—Block the request and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

      Note: In Offline Protection mode, because the deny action is not supported, this option has the same effect as alert.

    • redirect — Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message. Also configure redirect-url <redirect_fqdn> and rdt-reason {enable | disable}.

      Caution: This option is not supported in Offline Protection mode

    • block-period—Block subsequent requests from the client for a specified number of seconds.

      deny_no_log—Deny a request. Do not generate a log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

      Caution: This option is not supported in Offline Protection mode

    When the action generates a log message, the message field value is Session Timeout Enforcement: triggered by user <username>.

    Available only when session-timeout-enforcement {enable | disable} or credential-stuffing-protection {enable | disable} is set to enable.

    		 alert

    session-frozen-block-period <block-period_int>

    Enter the number of seconds to block requests with the ID of a timed-out session or when credential-stuffing-protection {enable | disable} is enabled and detects spilled username/password pairs.

    This setting is available only if session-frozen-action {alert | alert_deny | redirect | block-period | deny_no_log} is block-period. The valid range is 1–3,600 seconds.

    		 600

    session-frozen-severity {High | Medium | Low | Info}

    When the session timeout settings generate an attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb uses when it takes the specified action:

    • Low
    • Medium
    • High

    Available only when session-timeout-enforcement {enable | disable} or credential-stuffing-protection {enable | disable} is set to enable.

    		 Low

    session-frozen-trigger "<trigger-policy_name>"

    Enter the name of the trigger, if any, to apply when FortiWeb detects requests with the ID of a timed-out session or when credential-stuffing-protection is enabled and FortiWeb detects spilled username/password pairs. The maximum length is 63 characters.

    For details, see log trigger-policy.

    To display the list of existing triggers, enter:

    set trigger ?

    		No default.

    default-action {failed | success}

    Enter the authentication result that FortiWeb associates with requests that match the criteria but do not match an entry in the Authentication Result Condition Table.

    When the login result is successful, FortiWeb tracks the session using the session ID and username values.

    		 failed

    credential-stuffing-protection {enable | disable}

    Enable to use FortiGuard's Credential Stuffing Defense database to prevent against Credential Stuffing attacks. For details, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/fortiweb/admin-guides

    		disable

    <entry_index>

    Enter the index number of the individual entry in the table.

    		 No default.

    authentication-result-type {failed | success}

    Specify the status FortiWeb assigns to user logins that match this table item: failed or successful.

    FortiWeb tracks sessions by user only when the status is successful.

    If the request does not match any rules in this table, FortiWeb uses the value specified by default-action {failed | success}.

    		 success

    HTTP-match-target {return-code | response-body | redirect-url}

    Select the location of the value to match with the string or regular expression specified in this table item: return-code, response-body, redirect-url.

    		 return-code

    value-type {plain | regular}

    Indicate whether value is a simple string (plain) or a regular expression (regular).

    		 plain

    value "<value-str>"

    Enter the value to match.

    		 No default.

    Example

    This example matches requests from clients using the URL /login2 with the parameters user and pass and a session ID specified by jsessionid. FortiWeb tracks matching sessions by user and stops tracking if the client logs out using the URL /logout2.

    FortiWeb tracks only requests with the return code 200, which it classifies as successful. It does not track requests with a response body that matches the regular expression deny. In addition, because the rule uses the default value for the default authentication result, it does not track requests that do not match an item in the list of match conditions.

    The rule enables both session fixation protection and session timeout enforcement for tracked sessions. If a session is idle longer than the default session timeout, FortiWeb blocks requests from clients that use the session ID that has timed out for the default period block time. It performs this action for 30 minutes after the session times out (the default session freeze time).

    config waf user-tracking

    edit "rule1"

    set authentication-url "/login2"

    set username-parameter user

    set password-parameter pass

    set session-id-name "jsessionid"

    set logoff-path "/logout2"

    set session-fixation-protection enable

    set timeout-enforcement enable

    set session-frozen-action period-block

    set session-frozen-severity High

    set session-frozen-trigger "trigger1"

    config match-condition

    edit 1

    set authentication-result-type success

    set HTTP-match-target return-code

    set value-type plain

    set value 200

    next

    edit 2

    set authentication-result-type failed

    set HTTP-match-target return

    set value-type regular

    set value deny

    next

    end

    next

    end

    Related topics

    Previous
    Next