
CLI Reference

waf cookie-security

Use this command to configure FortiWeb features that prevent cookie-based attacks.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config waf cookie-security
  edit "<cookie-security_name>"
    set security-mode {no | encrypted | signed}
    set action {alert | alert_deny | block-period | remove_cookie | deny_no_log}
    set block-period <block-period_int>
    set severity {High | Medium | Low | Info}
    set trigger "<trigger-policy_name>"
    set cookie-replay-protection-type {no | IP}
    set max-age <max-age_int>
    set secure-cookie {enable | disable}
    set http-only {enable | disable}
    set samesite {enable | disable}
    set samesite-value {strict | lax | none}
    set allow-suspicious-cookies {Never | Always | Custom}
    set allow-time "<time_str>"
    config cookie-security-exception-list
      edit <entry_index>
        set cookie-name "<cookie-name_str>"
        set cookie-domain "<cookie-domain_str>"
        set cookie-path "<cookie-path_str>"
    end
  next
end

Variable Description Default

"<cookie-security_name>"

Enter the cookie security policy name. The maximum length is 63 characters. No default.

security-mode {no | encrypted | signed}

Enter the security mode for the cookie security policy:

  • no—FortiWeb does not apply cookie tampering protection or encrypt cookie values.

  • encrypted—Encrypts cookie values the back-end web server sends to clients. Clients see encrypted cookies only. FortiWeb decrypts cookies submitted by clients before it sends them to the back-end server.

  • signed—Prevents tampering (cookie poisoning) by tracking the cookie value. This option requires you to enable Session Management in the protection policy and the client to support cookies. For details, see waf web-protection-profile inline-protection.

    When FortiWeb receives the first HTTP or HTTPS request from a client, it uses a cookie to track the session. When you select this option, the session-tracking cookie includes a hash value that FortiWeb uses to detect tampering with the cookie from the back-end server response. If FortiWeb determines the cookie from the client has changed, it takes the specified action according to action {alert | alert_deny | block-period | remove_cookie | deny_no_log}.

Default: no

action {alert | alert_deny | block-period | remove_cookie | deny_no_log}

Select one of the following actions that the FortiWeb appliance will perform when it detects cookie poisoning:

  • alert—Accept the request and generate an alert email and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <block-period_int>.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. For details, see waf x-forwarded-for. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.

  • remove_cookie—Accept the request, but remove the poisoned cookie from the datagram before it reaches the web server, and generate an alert and/or log message.

  • deny_no_log—Deny a request. Do not generate a log message.

Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. See config log disk and config log alertemail.

Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

Default: alert

block-period <block-period_int>

Enter the number of seconds to block a connection when action {alert | alert_deny | block-period | remove_cookie | deny_no_log} is set to block-period. The valid range is from 1 to 3,600 seconds.

Default: 600

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when cookie poisoning is detected.

Default: High

trigger "<trigger-policy_name>"

Enter the name of the trigger to apply when cookie poisoning is detected. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing trigger policies, type:

set trigger ?

No default.

cookie-replay-protection-type {no | IP}

Select whether FortiWeb uses the IP address of a request to determine the owner of the cookie.

Because the public IP of a client is not static in many environments, Fortinet recommends that you do not enable Cookie Replay.

Available only when security-mode {no | encrypted | signed} is encrypted.

Default: no

max-age <max-age_int>

Set the cookie security attributes. Enter the maximum age, in minutes, permitted for cookies that do not have an “Expires” or “Max-Age” attribute. To configure no expiry age for cookies, enter 0.

Default: 0

secure-cookie {enable | disable}

Set the cookie security attributes. Enable to add the secure flag to cookies, which forces browsers to return the cookie only when the request is for an HTTPS page.

Default: disable

http-only {enable | disable}

Set the cookie security attributes. Enable to add the HttpOnly flag to cookies, which prevents client-side scripts from accessing the cookie.

Default: enable

samesite {enable | disable}

Enable to add the "SameSite" attribute so that you can declare that your cookie should be restricted to a first-party or same-site context.

Default: disable

samesite-value {strict | lax | none}

  • strict: Requests from third parties do not carry such cookies.
  • lax: Requests from third parties do not carry such cookies, except for GET requests that navigate to the destination URL.
  • none: Set the value to none if the cookie must be sent in cross-origin requests.

Default: lax

allow-suspicious-cookies {Never | Always | Custom}

Select whether FortiWeb allows requests that contain cookies that it does not recognize or that are missing cookies.

In many cases, when you first introduce the cookie security features, cookies that client browsers have cached earlier generate false positives. To avoid this problem, either select Never, or select Custom and enter an appropriate date on which to start taking the specified action against suspicious cookies.

  • Never: FortiWeb does not take the action specified by action against suspicious cookies.
  • Always: FortiWeb always takes the specified action against suspicious cookies.
  • Custom: FortiWeb takes the specified action against suspicious cookies starting on the date specified by allow-time "<time_str>". This feature is not available if security-mode {no | encrypted | signed} is signed.

Default: Custom

allow-time "<time_str>"

Set the date on which FortiWeb starts to take the specified action against suspicious cookies if allow-suspicious-cookies {Never | Always | Custom} is Custom. No default.

<entry_index>

Enter the index number of a new or existing entry in the exception list of the cookie security policy. No default.

cookie-name "<cookie-name_str>"

Set the exception cookie entry name. No default.

cookie-domain "<cookie-domain_str>"

Enter the partial or complete domain name or IP address as it appears in the cookie. For example: www.example.com, .google.com or 192.0.2.50. No default.

cookie-path "<cookie-path_str>"

Enter the path as it appears in the cookie, such as / or /blog/folder. No default.
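
To check from the client side that the secure-cookie, http-only, samesite, samesite-value and max-age settings take effect, the following added example (not Fortinet code) audits Set-Cookie response headers. The sample headers, cookie names and function names are constructed for illustration, and it assumes cookies named in cookie-security-exception-list are left unmodified. It also flags SameSite=None without Secure, which browsers enforcing the SameSite rules reject; this matters here because secure-cookie defaults to disable.

```python
# Added example: audit Set-Cookie headers seen by a client behind the policy.
# The sample headers and the cookie names in them are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def audit(header, secure=True, http_only=True, samesite="lax", expiry=True):
    """Return findings for one header; the arguments mirror the policy settings."""
    _, attrs = parse_set_cookie(header)
    findings = []
    if secure and "secure" not in attrs:          # secure-cookie enable
        findings.append("missing Secure")
    if http_only and "httponly" not in attrs:     # http-only enable
        findings.append("missing HttpOnly")
    seen = attrs.get("samesite", "").lower()
    if samesite and seen != samesite:             # samesite enable + samesite-value
        findings.append(f"SameSite is {seen or 'absent'}, expected {samesite}")
    if seen == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    if expiry and not {"expires", "max-age"} & attrs.keys():  # max-age above 0
        findings.append("no Expires or Max-Age")
    return findings

def audit_all(headers, exempt=(), **expected):
    """Map cookie name -> findings, skipping names on the exception list (assumption)."""
    report = {}
    for header in headers:
        name, _ = parse_set_cookie(header)
        found = [] if name in exempt else audit(header, **expected)
        if found:
            report[name] = found
    return report

SAMPLE_HEADERS = [  # constructed
    "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=1800",
    "prefs=dark; Path=/",
    "tracker=xyz; Path=/; SameSite=None; HttpOnly",
    "lb_route=node2; Path=/",
]

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_HEADERS, exempt={"lb_route"}).items():
        print(name, "->", "; ".join(found))
```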
