Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 7.0.9 CLI Reference
    7.0.9
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    waf url-encryption

    waf url-encryption

    To prevent users from forceful browsing, you can now encrypt the URLs, which can ensure that the internal directory

    structure of the web application is not revealed to users.

    Use this command to create URL encryption rules and policies.

    Syntax

    config waf url-encryption url-encryption-rule

    edit "<encryption-rule_name>"

    set host-status {enable | disable}

    set host <host_str>

    set allow-unencrypted {enable | disable}

    set action {alert | deny_no_log | alert_deny | block-period}

    set block-period <block-period_int>

    set severity {High | Medium | Low | Info}

    set trigger <trigger_str>

    config url-list

    edit "<url-list_id>"

    set url-type {plain | regular}

    set url-pattern <url-pattern_str>

    end

    config exceptions

    edit "<exceptions-item_id>"

    set url-type {plain | regular}

    set url-pattern <url-pattern_str>

    end

    next

    end

    config waf url-encryption url-encryption-policy

    edit "<url-encryption-policy_name>"

    set full-mode {enable | disable}

    config rule-list

    edit "<rule-list_id>"

    set rule <rule_str>

    end

    next

    end

    Variable Description Default
    "<encryption-rule_name>" Enter a name for the encryption rule. No default.
    host-status {enable | disable} Enable to require that the Host: field of the HTTP request match a protected host names entry in order to match the URL acceleration rule. Also configure host <host_str>. disable

    host <host_str>

    		 Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the URL acceleration rule.

    No default.
    allow-unencrypted {enable | disable}

    When enabled, unencrypted URL requests will be allowed.

    Unencrypted URL requests are the valid requests from the client that FortiWeb failed to decrypt.

    When disabled, if the URL can match the rule, and FortiWeb detects unencrypted URLs, the action will be triggered.

    enable

    action {alert | deny_no_log | alert_deny | block-period}

    Select which action the FortiWeb appliance will take when it detects a violation.
    alert—Accept the connection and generate an alert email and/or log message.
    alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
    deny_no_log—Block the request (or reset the connection).

    block-period—Blocks the request for a certain period of time.

    		 Alert
    block-period <block-period_int>

    Enter the number of seconds that you want to block the requests. The valid range is 1–3,600 seconds.

    This option only takes effect when you choose Period Block in action {alert | deny_no_log | alert_deny | block-period}.

    60
    severity {High | Medium | Low | Info}

    When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is violated:

    • Low
    • Medium
    • High
    • Informative

    The default value is High.

    		 High
    trigger <trigger_str> Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see "Viewing log messages" on page 1.

    No default.
    "<url-list_id>" Enter the ID for the URL request. No default.
    url-type {plain | regular} Select whether the URL Pattern field will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular). plain
    url-pattern <url-pattern_str>

    Depending on the url-type, enter either:

    • plain—The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
    • regular—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.
    		 No default.
    "<exceptions-item_id>" Enter the exception URL ID. No default.
    url-type {plain | regular} Select whether the URL Pattern field will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular).

    plain

    url-pattern <url-pattern_str>

    Depending on the url-type, enter either:

    • plain—The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
    • regular—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    No default.
    "<url-encryption-policy_name>" Enter an encryption policy name.

    No default.
    full-mode {enable | disable} When enabled, Script Events,Embedded non-HTML content - scripts, js files, and Embedded non-HTML content - stylesheets that match the rule will be encrypted. enable
    "<rule-list_id>"

    Enter the URL encryption rule ID.

    No default.
    rule <rule_str>

    Select the URL encryption rule name.

    		 No default.

    Related topics


    Previous
    Next

    waf url-encryption

    waf url-encryption

    To prevent users from forceful browsing, you can now encrypt the URLs, which can ensure that the internal directory

    structure of the web application is not revealed to users.

    Use this command to create URL encryption rules and policies.

    Syntax

    config waf url-encryption url-encryption-rule

    edit "<encryption-rule_name>"

    set host-status {enable | disable}

    set host <host_str>

    set allow-unencrypted {enable | disable}

    set action {alert | deny_no_log | alert_deny | block-period}

    set block-period <block-period_int>

    set severity {High | Medium | Low | Info}

    set trigger <trigger_str>

    config url-list

    edit "<url-list_id>"

    set url-type {plain | regular}

    set url-pattern <url-pattern_str>

    end

    config exceptions

    edit "<exceptions-item_id>"

    set url-type {plain | regular}

    set url-pattern <url-pattern_str>

    end

    next

    end

    config waf url-encryption url-encryption-policy

    edit "<url-encryption-policy_name>"

    set full-mode {enable | disable}

    config rule-list

    edit "<rule-list_id>"

    set rule <rule_str>

    end

    next

    end

    Variable Description Default
    "<encryption-rule_name>" Enter a name for the encryption rule. No default.
    host-status {enable | disable} Enable to require that the Host: field of the HTTP request match a protected host names entry in order to match the URL acceleration rule. Also configure host <host_str>. disable

    host <host_str>

    		 Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the URL acceleration rule.

    No default.
    allow-unencrypted {enable | disable}

    When enabled, unencrypted URL requests will be allowed.

    Unencrypted URL requests are the valid requests from the client that FortiWeb failed to decrypt.

    When disabled, if the URL can match the rule, and FortiWeb detects unencrypted URLs, the action will be triggered.

    enable

    action {alert | deny_no_log | alert_deny | block-period}

    Select which action the FortiWeb appliance will take when it detects a violation.
    alert—Accept the connection and generate an alert email and/or log message.
    alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
    deny_no_log—Block the request (or reset the connection).

    block-period—Blocks the request for a certain period of time.

    		 Alert
    block-period <block-period_int>

    Enter the number of seconds that you want to block the requests. The valid range is 1–3,600 seconds.

    This option only takes effect when you choose Period Block in action {alert | deny_no_log | alert_deny | block-period}.

    60
    severity {High | Medium | Low | Info}

    When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is violated:

    • Low
    • Medium
    • High
    • Informative

    The default value is High.

    		 High
    trigger <trigger_str> Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see "Viewing log messages" on page 1.

    No default.
    "<url-list_id>" Enter the ID for the URL request. No default.
    url-type {plain | regular} Select whether the URL Pattern field will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular). plain
    url-pattern <url-pattern_str>

    Depending on the url-type, enter either:

    • plain—The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
    • regular—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.
    		 No default.
    "<exceptions-item_id>" Enter the exception URL ID. No default.
    url-type {plain | regular} Select whether the URL Pattern field will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular).

    plain

    url-pattern <url-pattern_str>

    Depending on the url-type, enter either:

    • plain—The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
    • regular—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    No default.
    "<url-encryption-policy_name>" Enter an encryption policy name.

    No default.
    full-mode {enable | disable} When enabled, Script Events,Embedded non-HTML content - scripts, js files, and Embedded non-HTML content - stylesheets that match the rule will be encrypted. enable
    "<rule-list_id>"

    Enter the URL encryption rule ID.

    No default.
    rule <rule_str>

    Select the URL encryption rule name.

    		 No default.

    Related topics


    Previous
    Next