waf cookie-security
Use this command to configure FortiWeb features that prevent cookie-based attacks.
To use this command, your administrator account's access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.
Syntax
config waf cookie-security
  edit "<cookie-security_name>"
    set security-mode {no | encrypted | signed}
    set action {alert | alert_deny | block-period | remove_cookie | deny_no_log}
    set block-period <block-period_int>
    set severity {High | Medium | Low | Info}
    set trigger "<trigger-policy_name>"
    set cookie-replay-protection-type {no | IP}
    set secure-cookie {enable | disable}
    set http-only {enable | disable}
    set samesite {enable | disable}
    set samesite-value {strict | lax | none}
    set allow-suspicious-cookies {Never | Always | Custom}
    config cookie-security-exception-list
      edit <entry_index>
        set cookie-name "<cookie-name_str>"
        set cookie-domain "<cookie-domain_str>"
        set cookie-path "<cookie-path_str>"
      next
    end
  next
end
Variable | Description | Default |
"<cookie-security_name>" | Enter the cookie security policy name. The maximum length is 63 characters. | No default. |
security-mode {no | encrypted | signed} | Enter the security mode for the cookie security policy. | no |
action {alert | alert_deny | block-period | remove_cookie | deny_no_log} | Select one of the following actions that the FortiWeb appliance will perform when it detects cookie poisoning. Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. See config log disk and config log alertemail. Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile. | alert |
block-period <block-period_int> | Enter the number of seconds to block a connection when action {alert | alert_deny | block-period | remove_cookie | deny_no_log} is set to block-period. The valid range is from 1 to 3,600 seconds. | 600 |
severity {High | Medium | Low | Info} | Select the severity level to use in logs and reports generated when cookie poisoning is detected. | High |
trigger "<trigger-policy_name>" | Enter the name of the trigger to apply when cookie poisoning is detected. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing trigger policies, type: | No default. |
cookie-replay-protection-type {no | IP} | Select whether FortiWeb uses the IP address of a request to determine the owner of the cookie. Because the public IP of a client is not static in many environments, Fortinet recommends that you do not enable Cookie Replay. Available only when security-mode {no | encrypted | signed} is | no |
 | Set the cookie security attributes. Enter the maximum age, in minutes, permitted for cookies that do not have an "Expires" or "Max-Age" attribute. To configure no expiry age for cookies, enter 0. | 0 |
secure-cookie {enable | disable} | Set the cookie security attributes. Enable to add the Secure flag to cookies, which forces browsers to return the cookie only when the request is for an HTTPS page. | disable |
http-only {enable | disable} | Set the cookie security attributes. Enable to add the HttpOnly flag to cookies, which prevents client-side scripts from accessing the cookie. | enable |
samesite {enable | disable} | Enable to add the "SameSite" attribute so that you can declare that your cookie should be restricted to a first-party or same-site context. | |
samesite-value {strict | lax | none} | | |
allow-suspicious-cookies {Never | Always | Custom} | Select whether FortiWeb allows requests that contain cookies that it does not recognize or that are missing cookies. In many cases, when you first introduce the cookie security features, cookies that client browsers have cached earlier generate false positives. To avoid this problem, either select | Custom |
 | Set the date on which FortiWeb starts to take the specified action against suspicious cookies if allow-suspicious-cookies {Never | Always | Custom} is Custom. | No default. |
<entry_index> | Enter the index number of a new or existing entry in the exception list of the cookie security policy. | No default. |
cookie-name "<cookie-name_str>" | Set the exception cookie entry name. | No default. |
cookie-domain "<cookie-domain_str>" | Enter the partial or complete domain name or IP address as it appears in the cookie. For example: www.example.com, .google.com or 192.0.2.50. | No default. |
cookie-path "<cookie-path_str>" | Enter the path as it appears in the cookie, such as / or /blog/folder. | No default. |
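The following is an added example of a complete policy built from the syntax above; it is not taken from the Fortinet documentation, and the policy name "shop-cookie-policy", the trigger "soc-notify" and the exception cookie "_ga" are constructed values. It signs cookies so tampering is detected, adds the Secure, HttpOnly and SameSite=Lax attributes on the way out, blocks and logs on detection, and keeps allow-suspicious-cookies at Always during initial rollout so that cookies clients cached before the policy existed do not cause false positives. The exception entry excludes a cookie that is set by a third-party script rather than by the protected server, which FortiWeb would otherwise never have signed:

```text
config waf cookie-security
  edit "shop-cookie-policy"
    set security-mode signed
    set action alert_deny
    set severity High
    set trigger "soc-notify"
    set cookie-replay-protection-type no
    set secure-cookie enable
    set http-only enable
    set samesite enable
    set samesite-value lax
    set allow-suspicious-cookies Always
    config cookie-security-exception-list
      edit 1
        set cookie-name "_ga"
        set cookie-domain ".example.com"
        set cookie-path "/"
      next
    end
  next
end
```

Once clients have all been reissued signed cookies, change allow-suspicious-cookies to Never so that unrecognized or missing cookies are handled by the configured action; the policy takes effect only after it is referenced from a web protection profile.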