server-policy policy
Use this command to configure HTTP, FTP, and AD FS server policies.
FortiWeb applies only one server policy to each connection.
HTTP policy behavior varies by the operation mode. FTP and AD FS server policies are available only in Reverse Proxy mode. For details, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
When you switch the operation mode, FortiWeb deletes server policies from the configuration file if they are not applicable in the current operation mode.
To determine which type of server policy to create, configure protocol {HTTP | FTP | ADFSPIP}.
Before you configure an HTTP server policy, you can configure several policies and profiles:
- Configure a virtual server and server pool. For details, see server-policy vserver and server-policy server-pool.
- To route traffic based on headers in the HTTP layer, configure one or more HTTP content routing policies. For details, see server-policy http-content-routing-policy.
- To restrict traffic based upon which hosts you want to protect, configure a group of protected host names. For details, see server-policy allow-hosts.
- If you plan to authenticate users, you need to configure users, user groups, and authentication rules and policy, and include the policy in an inline web protection profile. For details, see user ldap-user, user local-user, user ntlm-user, user user-group, waf http-authen http-authen-rule, and waf http-authen http-authen-policy.
- To apply a web protection profile to a server policy, you must first configure it. For details, see waf web-protection-profile inline-protection (Reverse Proxy mode or either of the transparent modes), or waf web-protection-profile offline-protection (Offline Protection mode).
- If you want to use the FortiWeb appliance to apply SSL to connections instead of using physical servers, you must also import a server certificate or create a Server Name Indication (SNI) configuration. For details, see system certificate local, system certificate sni, and system certificate urlcert.
- If you want the FortiWeb appliance to verify the certificate provided by an HTTP client to authenticate themselves, you must also define a certificate verification rule. If you want to specify whether a client is required to present a personal certificate or not based on the request URL, create a URL-based client certificate group. For details, see system certificate verify.
You can also use SNMP traps to notify you of policy status changes, or when a policy enforces your network usage policy. For details, see system snmp community.
Before you configure an FTP server policy, you need to:
- Configure an FTP command restriction rule. For details, see waf ftp-command-restriction-rule.
- Configure an FTP file check rule. For details, see waf ftp-file-security.
- Enable IP reputation intelligence. For details, see waf ip-intelligence.
- Create a geo IP rule. For details, see waf geo-block-list.
- Create an IP list. For details, see waf ip-list.
- Configure an FTP security inline profile. For details, see waf ftp-protection-profile.
Before you configure an AD FS server policy, you need to:
- Configure a virtual server and server pool. For details, see server-policy vserver and server-policy server-pool.
- Import a certificate file and a CA file. For details, see system certificate local and system certificate ca.
To use this command, your administrator account's access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.
Syntax
config server-policy policy
    edit "<policy_name>"
        set allow-hosts "<hosts_name>"
        set case-sensitive {enable | disable}
        set certificate "<certificate_name>"
        set chunk-decode-enabled {enable | disable}
        set client-certificate-forwarding {enable | disable}
        set client-certificate-forwarding-sub-header "<header_str>"
        set client-real-ip {enable | disable}
        set real-ip-addr <real-ip-addr_str>
        set client-timeout <seconds_int>
        set data-capture-port <port_int>
        set ftp-protection-profile <profile_name>
        set half-open-threshold <packets_int>
        set hsts-header {enable | disable}
        set hsts-max-age <timeout_int>
        set http-header-timeout <seconds_int>
        set http-pipeline {enable | disable}
        set http-to-https {enable | disable}
        set https-service "<service_name>"
        set implicit_ssl {enable | disable}
        set intermediate-certificate-group "<CA-group_name>"
        set internal-cookie-httponly {enable | disable}
        set internal-cookie-secure {enable | disable}
        set internal-cookie-samesite {enable | disable}
        set internal-cookie-samesite-value {strict | lax | none}
        set monitor-mode {enable | disable}
        set noparse {enable | disable}
        set prefer-current-session {enable | disable}
        set protocol {HTTP | FTP | ADFSPIP}
        set server-pool "<server-pool_name>"
        set proxy-protocol {enable | disable}
        set use-proxy-protocol-addr {enable | disable}
        set replacemsg <replacemsg_name>
        set sessioncookie-enforce {enable | disable}
        set sni-certificate "<sni_name>"
        set sni-strict {enable | disable}
        set certificate-type {enable | disable}
        set ssl-cipher {medium | high | custom}
        set ssl-client-verify "<verifier_name>"
        set ssl-custom-cipher {<cipher_1> <cipher_2> <cipher_3> ...}
        set tls13-custom-cipher {<cipher_1> <cipher_2> <cipher_3> ...}
        set ssl-noreg {enable | disable}
        set ssl-quiet-shutdown {enable | disable}
        set ssl-session-timeout <ssl-session-timeout_int>
        set syncookie {enable | disable}
        set tcp-recv-timeout <seconds_int>
        set tls-v10 {enable | disable}
        set tls-v11 {enable | disable}
        set tls-v12 {enable | disable}
        set tls-v13 {enable | disable}
        set urlcert {enable | disable}
        set urlcert-group "<urlcert-group_name>"
        set traffic-mirror {enable | disable}
        set traffic-mirror-type {client-side | server-side | both-side}
        set traffic-mirror-profile <traffic-mirror-profile_str>
        set adfs-certificate-ssl-client-verify <adfs-certificate-ssl-client-verify_str>
        set adfs-certificate-service <adfs-certificate-service_str>
        set multi-certificate {enable | disable}
        set certificate-group <certificate-group_str>
        set acceleration-policy <acceleration-policy_str>
        set web-cache {enable | disable}
        set retry-on {enable | disable}
        set retry-on-cache-size <retry-on-cache-size_int>
        set retry-on-connect-failure {enable | disable}
        set retry-times-on-connect-failure <retry-times-on-connect-failure_int>
        set retry-on-http-layer {enable | disable}
        set retry-times-on-http-layer <retry-times-on-http-layer_int>
        set retry-on-http-response-codes {404 | 408 | 500 | 501 | 502 | 503 | 504}
        set replacemsg-on-connect-failure {disable | enable}
        set tcp-conn-timeout <integer>
        config http-content-routing-list
            edit <entry_index>
                set content-routing-policy-name "<content-routing_name>"
                set profile-inherit {enable | disable}
            next
        end
    next
end
Variable | Description | Default |
Enter the name of the policy. The maximum length is 63 characters. To display the list of existing policies, enter: | No default. |
Enter the name of a protected hosts group to allow or reject connections based upon whether the To display the list of existing groups, enter:
If you do not select a protected hosts group, FortiWeb accepts or blocks requests based upon other criteria in the policy or protection profile, but regardless of the Note: Unlike HTTP 1.1, HTTP 1.0 does not require the | No default. |
Enter the number of the physical network interface port that FortiWeb uses to send TCP For example, to send TCP
Available only when the operating mode is Offline Protection. | No default. |
Enable to differentiate uniform resource locators (URLs) according to upper case and lower case letters for features that act upon the URLs in the headers of HTTP requests, such as block list rules and allow list rules. For example, when enabled, an HTTP request involving | No default. |
Enter the name of the certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections. The maximum length is 63 characters. To display the list of existing certificates, enter:
If sni {enable | disable} is This option is used only if https-service "<service_name>" is configured. | No default. |
Enable or disable chunk decoding in the response packets. | |
Enable to encode the response packets. | |
Enable to include the X.509 personal certificate presented by the client during the SSL/TLS handshake, if any, in an FortiWeb still validates the client certificate itself, but this can be useful if the web server requires the client certificate for the purpose of server-side identity-based functionality. | disable |
Enter a custom certificate header that will carry the Base64-encoded X.509 personal certificate presented by the client during the SSL/TLS handshake when FortiWeb forwards the traffic to the protected web server. | x-client-cert |
Enter a custom subject header that will carry the subject of the X.509 personal certificate presented by the client during the SSL/TLS handshake when FortiWeb forwards the traffic to the protected web server. | x-client-dn |
Enter By default, when the operation mode is Reverse Proxy, the source IP for connections between FortiWeb and back-end servers is the address of a FortiWeb network interface.
Note: To ensure FortiWeb receives the server's response, configure FortiWeb as the server's gateway. Available only if the operating mode is Reverse Proxy. | disable |
Specify an IP address or address range to directly connect to the back-end server. | No default. |
Enter the amount of time (in seconds) that FortiWeb keeps open a connection with an idle client that is not sending data. The valid range is 1–1200. A value of 0 means that there is no timeout. | 0 |
Enter a description or other comment. If the comment is more than one word or contains special characters, surround the comment with double quotes ( " ). The maximum length is 999 characters. | No default. |
Enter the network interface of incoming traffic that the policy attempts to apply a profile to. The IP address is ignored. Available only if the operating mode is offline inspection. | |
deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} | Specify the distribution method that FortiWeb uses when it forwards connections accepted by this policy. | No default. |
Enter the FTP security profile to apply to connections that this policy monitors. If you have not created a profile yet, see waf ftp-protection-profile for instructions about creating one. | No default. |
Enter the maximum number of TCP The valid range is 10–10,000. Available only when the operating mode is Reverse Proxy or True Transparent Proxy and syncookie {enable | disable} is enabled. | 8192 |
Select an HPKP profile, if any, to use to verify certificates when clients attempt to access a server. HPKP prevents attackers from carrying out man-in-the-middle (MITM) attacks with forged certificates. Available only when the operating mode is Reverse Proxy. | No default. |
Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply, such as:
This header forces the client to use HTTPS for subsequent visits to this domain. If the certificate does not validate, it also causes a fatal connection error: the client's web browser does not display any dialog that allows the user to override the certificate mismatch error and continue. Available only if https-service "<service_name>" is configured. | disable |
Enter the time to live in seconds for the HSTS header. Available only if hsts-header {enable | disable} is enabled. The valid range is 3,600–31,536,000. | 7776000 |
FortiWeb's HTTP/2 security inspection is supported only in Reverse Proxy mode and True Transparent Proxy mode. This option enables FortiWeb operating in Reverse Proxy mode (see opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}) to negotiate HTTP/2 with clients via SSL ALPN (Application-Layer Protocol Negotiation) during the SSL handshake if the client's browser supports the HTTP/2 protocol. With HTTP/2 enabled, FortiWeb can recognize HTTP/2 traffic and apply the security services to it. To enable HTTP/2 communication between FortiWeb and back-end web servers for HTTP/2 inspection in Reverse Proxy mode, see http2 {enable | disable}. Available only when
When | disable |
Enter the amount of time (in seconds) that FortiWeb waits for the whole HTTP request header after a client sets up a TCP connection. The valid range is 0–1200. A value of 0 means that there is no timeout. | 0 |
Specify whether FortiWeb accelerates transactions by bundling them inside the same TCP connection, instead of waiting for a response before sending or receiving the next request. This can increase performance when pages containing many images, scripts, and other auxiliary files are all hosted on the same domain, and therefore logically could use the same connection. When FortiWeb is operating in Reverse Proxy or True Transparent Proxy mode, it can automatically use HTTP pipelining for requests with the following characteristics: | enable |
Specify enable to automatically redirect all HTTP requests to the HTTPS service with the same URL and parameters. Also configure https-service and ensure that the service uses port 443 (the default). FortiWeb does not apply the protection profile for this policy (specified by server-policy policy) to the redirected traffic. Available only when the operation mode is Reverse Proxy. | disable |
Enter the custom or predefined service that defines the port number on which the virtual server receives HTTPS traffic. The maximum length is 63 characters. To display the list of existing services, enter:
Available only when the operating mode is Reverse Proxy. For other operation modes, use the server pool configuration to enable SSL inspection instead. | No default. |
Enable this option when proxy servers or load balancers are installed in front of FortiWeb, for example, when a load balancer with proxy protocol enabled is deployed in front of FortiWeb-VM on AWS. When Proxy Protocol is enabled, FortiWeb can receive client connection information in the proxy protocol header passed through proxy servers and load balancers. | |
Enable to use the source address from the proxy protocol header in the server policy. If disabled, the source address of the connection is used. | |
Select the replacement message to apply to the policy. | No default. |
Enter the name of an intermediate certificate authority (CA) group, if any, that FortiWeb uses to validate the CA signing chain in a client's certificate. The maximum length is 63 characters. To display the list of existing groups, enter:
Available only if https-service "<service_name>" is configured. | No default. |
Enable to assign an | |
Enable to assign a | |
Enable to assign a If enabled, it applies to User Tracking, Anomaly Detection, Site Publish, and Client Management. | |
Enable to override deny and redirect actions defined in the server protection rules for the selected policy. This setting enables FortiWeb to log attacks without performing the deny or redirect action. Disable to allow FortiWeb to perform attack deny/redirect actions as defined by the server protection rules. | disable |
Enable this option to apply the server policy as a pure proxy, without parsing the content. In this case, the policy allows all traffic to pass through the FortiWeb appliance without applying any protection rules. See also debug application http and debug flow trace. This option applies to a server policy only when the FortiWeb appliance operates in Reverse Proxy or True Transparent Proxy mode. Caution: Use this only during debugging and for as brief a period as possible. This feature disables many protection features. See also http-parse-error-output {enable | disable}. | disable |
Enable to forward subsequent requests from an identified client connection to the same server pool as the initial connection from the client. This option allows FortiWeb to improve its performance by skipping the process of matching HTTP header content to content routing policies for connections it has already evaluated and routed. Available only when deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} is http-content-routing. | disable |
Select one of the following: | HTTP |
Enter the name of the server pool whose members receive the connections. To display the list of existing server pools, enter:
This field is applicable only if deployment-mode {server-pool | http-content-routing | offline-protection | transparent-servers | wccp-servers} is Caution: Multiple virtual servers/policies can forward traffic to the same server pool. If you do this, consider the total maximum load of connections that all virtual servers forward to your server pool. This configuration can multiply the traffic forwarded to your server pool, which can overload it and cause dropped connections. | No default. |
Enter the custom or predefined service that defines the port number on which the virtual server receives HTTP traffic. The maximum length is 63 characters. To display the list of existing services, enter:
Available only when the operating mode is Reverse Proxy. | No default. |
This option is useful if your environment uses TCP multiplexing, which combines HTTP requests from multiple clients in a single session for load balancing or other purposes.
For details about configuring session persistence, see server-policy persistence-policy. | disable |
Enable to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. For details, see system certificate sni. If you specify both an SNI configuration and a certificate, FortiWeb uses the certificate specified by certificate "<certificate_name>" when the requested domain does not match a value in the SNI configuration. If you enable sni-strict {enable | disable}, FortiWeb always ignores the value of certificate "<certificate_name>". Available only if https-service "<service_name>" is configured. | disable |
Enter the name of the Server Name Indication (SNI) configuration that specifies which certificate FortiWeb uses when encrypting or decrypting SSL-secured connections for a specified domain. The SNI configuration enables FortiWeb to present different certificates on behalf of the members of a pool according to the requested domain. If only one certificate is required to encrypt and decrypt traffic that this policy applies to, specify certificate "<certificate_name>" instead. Available only if https-service "<service_name>" is configured. | No default. |
Select to configure FortiWeb to ignore the value of certificate "<certificate_name>" when it determines which certificate to present on behalf of server pool members, even if the domain in a client request does not match a value in the specified SNI configuration. | disable |
Enable to allow FortiWeb to automatically retrieve CA certificates from Let's Encrypt. | disable |
Select the Let's Encrypt certificate you have created. See system certificate letsencrypt. | No default. |
Enable so that connections between clients and FortiWeb use SSL/TLS. Enabling | disable |
Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or custom configuration. If custom, also specify This is not allowed to set to For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides Available only if https-service "<service_name>" is configured. | medium |
Enter the name of a certificate verifier, if any, to use when an HTTP client presents their personal certificate. If you do not select one, the client is not required to present a personal certificate. If the client presents an invalid certificate, the FortiWeb appliance does not allow the connection. To be valid, a client certificate must:
Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website. You can require that clients present a certificate alternatively or in addition to HTTP authentication. For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides The maximum length is 63 characters. To display the list of existing verifiers, type:
This option is used only if https-service "<service_name>" is configured. The client must support TLS 1.0, TLS 1.1, or TLS 1.2. | No default. |
Specify one or more cipher suites that FortiWeb allows. Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list. Valid values are: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-CCM8 ECDHE-ECDSA-AES128-CCM DHE-RSA-AES128-CCM8 DHE-RSA-AES128-CCM ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDHE-RSA-CAMELLIA256-SHA384 DHE-RSA-CAMELLIA256-SHA256 DHE-DSS-CAMELLIA256-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDHE-RSA-CAMELLIA128-SHA256 DHE-RSA-CAMELLIA128-SHA256 DHE-DSS-CAMELLIA128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA AES256-GCM-SHA384 AES256-CCM8 AES256-CCM AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES256-SHA256 CAMELLIA256-SHA256 AES128-SHA256 CAMELLIA128-SHA256 AES256-SHA CAMELLIA256-SHA AES128-SHA CAMELLIA128-SHA DHE-RSA-SEED-SHA ECDHE_RSA_DES_CBC3_SHA DES_CBC3_SHA |
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 |
Specify one or more TLS 1.3 cipher suites that FortiWeb allows. Separate the name of each cipher with a space. To remove from or add to the list of ciphers, retype the entire list. Valid values are: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256 |
TLS_AES_256_GCM_SHA384 |
Specify whether FortiWeb ignores requests from clients to renegotiate TLS or SSL. This protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server. Available only if https-service "<service_name>" is configured. | enable |
ssl-session-timeout <ssl-session-timeout_int> | When FortiWeb is configured as an SSL server, you can set SSL session timeout intervals via the CLI. This is available only in Reverse Proxy and True Transparent Proxy modes. | No default. |
Enable to allow the policy to be used when evaluating traffic for a matching policy. Note: You can use SNMP traps to notify you of changes to the policy's status. For details, see system snmp community. | No default. |
Enable to detect TCP For details, see the FortiWeb Administration Guide: http://docs.fortinet.com/fortiweb/admin-guides Available only when the operating mode is Reverse Proxy or True Transparent Proxy. | disable |
Enter the amount of time (in seconds) that FortiWeb waits for a client to send a request after the client sets up a TCP connection. The valid range is 0–300. A value of 0 means that there is no timeout. | 0 |
Specifies whether clients can connect securely to FortiWeb using the TLS 1.0 cryptographic protocol. This must be set to Available only if https-service "<service_name>" is configured. | enable |
Specifies whether clients can connect securely to FortiWeb using the TLS 1.1 cryptographic protocol. This must be set to Available only if https-service "<service_name>" is configured. | enable |
Specifies whether clients can connect securely to FortiWeb using the TLS 1.2 cryptographic protocol. Available only if https-service "<service_name>" is configured. | enable |
Specifies whether clients can connect securely to FortiWeb using the TLS 1.3 cryptographic protocol. Available only if https-service "<service_name>" is configured. | enable |
Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate. Available only if https-service "<service_name>" is configured. | disable |
Enter the URL-based client certificate group that determines whether a client is required to present a personal certificate. If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate. For details about creating a group, see system certificate urlcert. | No default. |
Specify the maximum allowed length, in kilobytes, for an HTTP request with a URL that matches an entry in the URL-based client certificate group. FortiWeb blocks any matching request that exceeds the specified size. This setting prevents a request from exceeding the maximum buffer size. The valid range is 16–10240. | No default. |
Enter the name of a virtual server that provides the IP address and network interface of incoming traffic that FortiWeb routes and to which the policy applies a protection profile. The maximum length is 63 characters. To display the list of existing virtual servers, enter:
Available only if the operating mode is Reverse Proxy. | No default. |
Enter the name of the bridge that specifies the network interface of the incoming traffic that the policy applies a protection profile to. The maximum length is 15 characters. To display the list of existing bridges, enter:
Available only if the operating mode is True Transparent Proxy or Transparent Inspection. | No default. |
Note: If the connection fails when you have selected a certificate verifier, verify that the certificate meets the web browser's requirements. Web browsers may have their own certificate validation requirements in addition to FortiWeb requirements. For example, personal certificates for client authentication may be required to either:
If the certificate does not satisfy browser requirements, although it may be installed in the browser, when the FortiWeb appliance requests the client's certificate, the browser may not display a certificate selection dialog to the user, or the dialog may not contain that certificate. In that case, verification fails. For browser requirements, see your web browser's documentation. | |
Enter the index number of the individual entry in the table. | No default. |
Enter the name of an HTTP content routing policy that this server policy uses. To display the list of existing content routing policies, enter: | No default. |
Enter yes to specify that FortiWeb applies the protection profile to any traffic that does not match the conditions specified in the HTTP content routing policies. | No default. |
Enter enable to specify that FortiWeb applies the web protection profile for the server policy to connections that match the routing policy. | disable |
implicit_ssl {enable | disable} | Enable so that FortiWeb communicates with the pool member using implicit SSL. | No default. |
ssl-quiet-shutdown {enable | disable} | For HTTPS connections, when disabled, FortiWeb sends an SSL alert message to the client or server pool first, and then a FIN. When enabled, FortiWeb directly sends the FIN instead of the SSL alert message. | disable |
traffic-mirror {enable | disable} | Enable to send traffic to third-party IPS/IDS devices through network interfaces for traffic monitoring. Available only when protocol {HTTP | FTP | ADFSPIP} is HTTP. | disable |
traffic-mirror-profile <traffic-mirror-profile_str> | Select the mirror policy created. | No default. |
traffic-mirror-type {client-side | server-side | both-side} | Select the traffic mirror type. For True Transparent Proxy mode, only Client Side is available, which sends only traffic from the client side to the IPS/IDS devices. For Reverse Proxy mode, you can select Client Side, Server Side, or Client and Server. | No default. |
multi-certificate {enable | disable} | Enable to allow FortiWeb to use multiple local certificates. | disable |
adfs-certificate-service <adfs-certificate-service_str> | Configure this option if the AD FS server requires a client certificate for authentication. Select the pre-defined service TLSCLIENTPORT if FortiWeb uses service port 49443 to listen for certificate authentication requests. | No default. |
adfs-certificate-ssl-client-verify <adfs-certificate-ssl-client-verify_str> | Select the certificate validation rule you have created. | No default. |
certificate-group <certificate-group_str> | Select the multi-certificate file you have created. | No default. |
Select the acceleration policy you have created. | No default. |
Enable to create a web cache policy that allows FortiWeb to cache responses from your servers. | disable |
Enable to retry a failed TCP connection or HTTP request in Reverse Proxy mode. A TCP connection failure retry helps when a pserver becomes unreachable unexpectedly: FortiWeb reconnects to the single server, or switches to another server when more than one pserver is available in the server pool. An HTTP layer retry helps when the pserver can be connected to but returns certain failure response codes, such as 404, 408, 500, 501, 502, 503, and 504; again, FortiWeb reconnects to the single server or switches to another server when more than one pserver is available in the server pool. | disable |
Enter a cache size limit for the HTTP request packet. HTTP failure retry takes effect only when the request packet size is smaller than this defined size. TCP connection failure retry takes effect only when the HTTP request packet size in the TCP connection is smaller than this defined size. | 512 |
Enable to configure the retry count in case of a TCP connection failure. | disable |
retry-times-on-connect-failure <retry-times-on-connect-failure_int> | Enter the number of times FortiWeb reconnects to the single server or switches to another pserver. The valid range is 1–5. | 3 |
Enable to configure the retry count and failure response codes in case of an HTTP connection failure. Only the GET and HEAD methods are supported now. | enable |
Enter the number of times FortiWeb reconnects to the single server or switches to another pserver. The valid range is 1–5. | 3 |
retry-on-http-response-codes {404 | 408 | 500 | 501 | 502 | 503 | 504} | Select the failure return codes that trigger an HTTP failure retry when the pserver can be connected to. | All values |
If this option is enabled, when the health check is disabled and the back-end server is not responsive, FortiWeb sends the 503 error code to the client. When enabled, you should also configure | disable |
When the health check is disabled and the back-end server is not responsive, FortiWeb waits for the specified time before it sends the 503 error code. It is recommended to set a value smaller than 20 (seconds). This avoids too many retries accumulating during the waiting time, which may cause the connection to be closed before FortiWeb has the chance to send the error code. This option is at the server policy level. You can also set the Sometimes when there is a third device, such as a gateway, deployed between FortiWeb and the back-end server, FortiWeb directly gets the status code from the third device instead of waiting for the whole timeout period.
The valid range for this option is 0–600 (seconds). 0 means FortiWeb sends the 503 error code as soon as it detects that the back-end server is not responsive. | 120 |
Enable to log traffic events such as HTTP requests and responses, and the expiration of HTTP sessions. To avoid unnecessary resource consumption, the system does not generate traffic logs for all server policies unless specified. After enabling this option, you also need to enable the traffic log setting in Log&Report.
Tip: Because resources for this feature increase as your traffic increases, if you do not need traffic data, disable this feature to improve performance and extend hardware life. | disable |
Enable the LDAP server's health check. | disable |
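The retry rows above (retry-on, retry-on-cache-size, retry-on-connect-failure, retry-times-on-connect-failure, retry-on-http-layer, retry-times-on-http-layer and retry-on-http-response-codes) each describe one condition, but it is their combination that decides whether a failed request is replayed. The Python model below, added here as an example and not part of Fortinet's documentation or the FortiWeb product, folds those conditions into one decision function and a small simulator so that constructed attempt sequences can be checked against the stated behaviour. The class, function and field names are the example's own, and the unit of retry-on-cache-size is assumed to be kilobytes.

```python
"""Model of FortiWeb's server-policy retry settings (added example; names and
the cache-size unit are assumptions of the example, not FortiWeb CLI)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple, Union

# Response codes the reference lists for retry-on-http-response-codes
# ("All values" is the default).
ALL_RETRY_CODES: FrozenSet[int] = frozenset({404, 408, 500, 501, 502, 503, 504})


@dataclass
class RetryPolicy:
    """One policy's retry-* settings, initialised to the reference's defaults."""
    retry_on: bool = False
    retry_on_connect_failure: bool = False
    retry_times_on_connect_failure: int = 3
    retry_on_http_layer: bool = True
    retry_times_on_http_layer: int = 3
    retry_on_http_response_codes: FrozenSet[int] = ALL_RETRY_CODES
    retry_on_cache_size: int = 512  # assumed to be kilobytes


def retry_decision(policy: RetryPolicy, method: str, request_size: int,
                   attempts_made: int, failure: str,
                   response_code: Optional[int] = None,
                   pool_size: int = 1) -> Tuple[bool, str]:
    """Decide whether another attempt follows a failed one.

    failure is 'connect' (TCP connection failed) or 'http' (the pserver
    answered with response_code). attempts_made counts attempts so far,
    including the first; retry-times-* limits the retries after it.
    Returns (retry, reason); on True the reason names the action taken.
    """
    if not policy.retry_on:
        return False, "retry-on is disabled"
    # Both retry kinds take effect only while the request fits in the cache.
    if request_size >= policy.retry_on_cache_size:
        return False, "request not smaller than retry-on-cache-size, cannot be replayed"
    if failure == "connect":
        if not policy.retry_on_connect_failure:
            return False, "retry-on-connect-failure is disabled"
        limit = policy.retry_times_on_connect_failure
    elif failure == "http":
        if not policy.retry_on_http_layer:
            return False, "retry-on-http-layer is disabled"
        if method.upper() not in ("GET", "HEAD"):
            return False, "HTTP-layer retry supports only GET and HEAD"
        if response_code not in policy.retry_on_http_response_codes:
            return False, f"response code {response_code} is not a configured failure code"
        limit = policy.retry_times_on_http_layer
    else:
        raise ValueError(f"unknown failure kind {failure!r}")
    if attempts_made > limit:
        return False, f"retry limit of {limit} reached"
    if pool_size > 1:
        return True, "switch to another pool member"
    return True, "reconnect the single server"


def simulate(policy: RetryPolicy, method: str, request_size: int,
             outcomes: List[Union[str, int]], pool_size: int = 1) -> Tuple[int, str]:
    """Walk a constructed per-attempt outcome list ('connect' for a connection
    failure, or the HTTP status the pserver returned) and report how many
    attempts were used and what the client ends up receiving."""
    attempts = 0
    for outcome in outcomes:
        attempts += 1
        if outcome == "connect":
            retry, _ = retry_decision(policy, method, request_size, attempts,
                                      "connect", pool_size=pool_size)
            if not retry:
                return attempts, "connection failure returned to client"
        else:
            retry, _ = retry_decision(policy, method, request_size, attempts,
                                      "http", response_code=outcome, pool_size=pool_size)
            if not retry:
                return attempts, f"client receives {outcome}"
    return attempts, "outcomes exhausted while still retrying"


if __name__ == "__main__":
    p = RetryPolicy(retry_on=True, retry_on_connect_failure=True)
    print(simulate(p, "GET", 10, ["connect", "connect", 200], pool_size=2))
    print(simulate(p, "POST", 10, [503, 200]))
    print(simulate(p, "GET", 10, ["connect"] * 6))
```

A 200 (or any code outside the configured set) ends the sequence because the decision function treats it as "not a failure code", so the same path models both success and a non-retried error such as 403.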
Example
This example configures a web protection server policy. FortiWeb forwards HTTPS connections received by the virtual server named virtual_ip1 to a server pool named apache1, which contains a single physical server. FortiWeb uses the certificate named certificate1 during SSL negotiations with the client, then forwards traffic to the server pool.
config server-policy policy
    edit "https-policy"
        set deployment-mode server-pool
        set vserver "virtual_ip1"
        set server-pool "apache1"
        set web-protection-profile "inline-protection1"
        set https-service HTTPS
        set certificate "certificate1"
        set ssl-client-verify
        set case-sensitive disable
        set status enable
    next
end
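The syntax block and the variable table above state each setting's constraints one row at a time: integer ranges, settings that only take effect when https-service is configured, and ssl-cipher custom requiring a cipher list. The Python script below, added here as an example and not part of Fortinet's documentation or the FortiWeb product, parses a config server-policy policy block in the form the CLI shows and audits it against those constraints; it also adds two checks of the editor's own (TLS 1.0/1.1 enabled, and custom cipher suites that use 3DES or lack forward secrecy), which the reference does not state. The sample configuration reuses the page's example policy with extra settings added for illustration, and parse_policies and audit_policy are the example's own names.

```python
"""Parse a FortiWeb 'config server-policy policy' block and audit it against
the constraints in the CLI reference. Added example; the functions and the
sample configuration are the example's own, not Fortinet code."""
import re
from typing import Dict, List

# Constructed sample: the page's example policy plus settings added so that
# the audit has something to report (illustrative values, not recommendations).
SAMPLE_CONFIG = """\
config server-policy policy
    edit "https-policy"
        set deployment-mode server-pool
        set vserver "virtual_ip1"
        set server-pool "apache1"
        set web-protection-profile "inline-protection1"
        set https-service HTTPS
        set certificate "certificate1"
        set hsts-header enable
        set hsts-max-age 600
        set tls-v10 enable
        set tls-v11 enable
        set ssl-cipher custom
        set ssl-custom-cipher AES128-SHA DES_CBC3_SHA ECDHE-RSA-AES128-GCM-SHA256
        set noparse enable
    next
end
"""
SET_RE = re.compile(r"^set\s+(\S+)\s*(.*)$")
# Integer ranges the reference states: setting -> (min, max).
RANGES = {
    "hsts-max-age": (3600, 31536000), "half-open-threshold": (10, 10000),
    "http-header-timeout": (0, 1200), "client-timeout": (0, 1200),
    "tcp-recv-timeout": (0, 300), "tcp-conn-timeout": (0, 600),
    "retry-times-on-connect-failure": (1, 5), "retry-times-on-http-layer": (1, 5),
}
# Settings the reference marks "available only if https-service is configured".
NEEDS_HTTPS_SERVICE = ("certificate", "sni-certificate", "intermediate-certificate-group",
                       "hsts-header", "ssl-client-verify", "http-to-https")


def parse_policies(text: str) -> Dict[str, Dict[str, str]]:
    """Return {policy_name: {setting: value}} for each edit ... next block.
    Nested sub-tables (config http-content-routing-list ... end) are skipped."""
    policies: Dict[str, Dict[str, str]] = {}
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth:                                   # inside a nested sub-table
            depth += line.startswith("config ") - (line == "end")
            continue
        if current is not None and line.startswith("config "):
            depth = 1
            continue
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            policies[current] = {}
        elif line == "next":
            current = None
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                policies[current][m.group(1)] = m.group(2).strip().strip('"')
    return policies


def audit_policy(settings: Dict[str, str]) -> List[str]:
    """Return findings for one policy's settings, in a fixed order."""
    findings: List[str] = []
    for key, (lo, hi) in RANGES.items():
        if key in settings:
            try:
                value = int(settings[key])
            except ValueError:
                findings.append(f"{key}: non-integer value {settings[key]!r}")
                continue
            if not lo <= value <= hi:
                findings.append(f"{key}={value} outside valid range {lo}-{hi}")
    if "https-service" not in settings:
        for key in NEEDS_HTTPS_SERVICE:
            if settings.get(key) not in (None, "", "disable"):
                findings.append(f"{key} has no effect: https-service is not configured")
    if settings.get("ssl-cipher") == "custom":
        suites = settings.get("ssl-custom-cipher", "").split()
        if not suites:
            findings.append("ssl-cipher custom requires ssl-custom-cipher")
        for suite in suites:                        # editor's checks, not from the reference
            if "DES_CBC3" in suite or "DES-CBC3" in suite:
                findings.append(f"{suite}: 3DES suite with a 64-bit block cipher")
            elif not suite.startswith(("ECDHE-", "DHE-")):
                findings.append(f"{suite}: no forward secrecy (static RSA key exchange)")
    for key in ("tls-v10", "tls-v11"):             # editor's check, not from the reference
        if settings.get(key) == "enable":
            findings.append(f"{key} enabled: legacy TLS version")
    if settings.get("noparse") == "enable":
        findings.append("noparse enabled: pure proxy, no protection rules are applied")
    return findings


if __name__ == "__main__":
    for name, settings in parse_policies(SAMPLE_CONFIG).items():
        print(f"policy {name}:")
        for finding in audit_policy(settings):
            print("  -", finding)
```

Run against a configuration exported from the CLI, the script reports the same kind of findings for every policy in the file; the nested http-content-routing-list table is skipped rather than misread as a policy of its own.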
Related topics
- server-policy allow-hosts
- system certificate local
- system certificate ocsp-stapling
- server-policy http-content-routing-policy
- server-policy server-pool
- server-policy service custom
- server-policy vserver
- system snmp community
- system settings
- system v-zone
- waf web-protection-profile inline-protection
- waf web-protection-profile offline-protection
- debug application dssl
- debug application http
- debug application ssl
- debug application ustack
- debug flow filter
- policy