Fortinet white logo
Fortinet white logo

CLI Reference

waf web-protection-profile inline-protection

waf web-protection-profile inline-protection

Use this command to configure inline protection profiles.

Inline protection profiles are a set of attack protection settings. The FortiWeb appliance applies the profile when a connection matches a server policy that includes the protection profile. You can use inline protection profiles in server policies for any mode except Offline Protection.

To apply protection profiles, select them within a server policy. For details, see server-policy policy.

Before configuring an inline protection profile, first configure any of the following that you want to include in the profile:

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf web-protection-profile inline-protection

edit "<inline-protection-profile_name>"

set client-management {enable | disable}

set threat-score-profile <name>

set http-session-cookie {enable | disable}

set HTTP-session-timeout <seconds_int>

set x-forwarded-for-rule "<x-forwarded-for_name>"

set signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>}

set amf3-protocol-detection {enable | disable}

set custom-access-policy "<combo-access_name>"

set padding-oracle "<rule_name>"

set csrf-protection "<rule_name>"

set cookie-security-policy "<cookie-security_name>"

set parameter-validation-rule "<rule_name>"

set hidden-fields-protection "<group_name>"

set file-upload-policy "<policy_name>"

set HTTP-protocol-parameter-restriction "<constraint_name>"

set url-access-policy "<policy_name>"

set allow-method-policy "<policy_name>"

set ip-list-policy "<policy_name>"

set geo-block-list-policy "<policy_name>"

set application-layer-dos-prevention "<policy_name>"

set ip-intelligence {enable | disable}

set fortigate-quarantined-ips {enable | disable}

set quarantined-ip-action {alert | alert_deny}

set quarantined-ip-severity {High | Medium | Low}

set quarantined-ip-trigger "<trigger-policy_name>"

set url-rewrite-policy "<group_name>"

set HTTP-authen-policy "<policy_name>"

set HTTP-header-security "<policy_name>"

set site-publisher-helper "<policy_name>"

set file-compress-rule "<rule_name>"

set user-tracking-policy "<user-tracking-policy_name>"

set redirect-url "<redirect_fqdn>"

set rdt-reason {enable | disable}

set data-analysis {enable | disable}

set comment "<comment_str>"

set profile-id "<profile-id_str>"

set mitb-protection "<mitb-protection_name>"

set openapi-validation-policy "<openapi-validation-policy_name>"

set websocket-security-policy "<websocket-security-policy_name>"

set json-validation-policy "<json-validation-policy_name>"

set cors-protection-policy "<cors-protection-policy>"

set mobile-app-identification {enable | disable}

set token-secret <token-secret_str>

set token-header <token-header_str>

set mobile-api-protection <mobile-api-protection_name>

set bot-mitigate-policy <bot-mitigate-policy_name>

set api-management-policy <api-management-policy_name>

set url-encryption-policy <url-encryption-policy_str>

set syntax-based-attack-detection <detection_name>

set owasp_api_top10_log_field {enable/disable}

next

end

Variable Description Default

"<inline-protection-profile_name>"

Enter the name of the inline protection profile. The maximum length is 63 characters.

To display the list of existing profiles, enter:

edit ?

No default.

client-management {enable | disable}

Enable to add an implementation of HTTP sessions, and track their states, using a cookie such as cookiesession1. Also configure HTTP-session-timeout <seconds_int>.

Although HTTP has no inherent support for sessions, a notion of individual HTTP client sessions, rather than simply the source IP address and/or timestamp, is required by some features.

For example, you might want to require that a client’s first HTTP request always be a login page: the rest of the web pages should be inaccessible if they have not authenticated. Out-of-order requests could represent an attempt to bypass the web application’s native authentication mechanism. How can FortiWeb know if a request is the client’s first HTTP request?

Therefore FortiWeb must keep some record of the first request from that client (the session initiation). It also must record their previous HTTP request(s), until a span of time (the session timeout) has elapsed during which there were no more subsequent requests, after which it would require that the session be initiated again.

The session management feature provides such FortiWeb session support.

This feature requires that the client support cookies.

Note: You must enable this option:

  • If you want to include this profile’s traffic in the traffic log, in addition to enabling traffic logs in general. For details, see log attack-log.
enable

threat-score-profile <name>

Select the Threat Score Profile so that FortiWeb can take action on IPs or clients when their threat score accumulates to a certain value. The threat score profile is configured in config server-policy pattern threat-score-profile.

If you have enabled client-management, but does not configure threat-score-profile, the system will by default applies the configurations in config server-policy pattern threat-weight.

This option is available only when client-management is enabled.

http-session-cookie {enable | disable}

In Client Management we use cookiesession1 to track users.

  • If disabled, the cookiesession1 will not expire when the session is ended or timeout (the timeout value is defined by HTTP-session-timeout <seconds_int>); instead, it will have a 1-year expiry time unless it's cleared from the client's side. This means that even if a user closes the browser multiple times within one year, they will still be identified as the same user throughout that period.

  • If enabled, the cookiesession1 will expire when the session is ended or the HTTP-session-timeout is reached.

For more information, see this FAQ in Troubleshooting part: Why is the cookiesession1 generated by Client Management persistent cookie?

disabled

HTTP-session-timeout <seconds_int>

Enter the HTTP session timeout in seconds. The valid range is 20–3,600.

This setting is available only if client-management {enable | disable} is enabled.

1200

x-forwarded-for-rule "<x-forwarded-for_name>"

Specify the name of a rule that configures FortiWeb’s use of X-Forwarded-For: and X-Real-IP. The maximum length is 63 characters. For details, see waf x-forwarded-for.

To display the list of existing rules, enter:

set x-forwarded-for-rule ?

No default.

signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>}

Specify a signature policy to include in the profile. The maximum length is 63 characters. For details, see waf signature.

To display the list of existing rules, enter:

set server-protection-rule ?

The type of attack that FortiWeb detects determines the attack log messages for this feature. For a list, see waf signature.

No default.

amf3-protocol-detection {enable | disable}

Enable to scan requests that use action message format 3.0 (AMF3) for these attacks if you have enabled those in the signature set specified by signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>}:

  • Cross-site scripting (XSS) attacks
  • SQL injection attacks
  • Common exploits

AMF3 is a binary format that Adobe Flash clients can use to send input to server-side software.

Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will make the FortiWeb appliance unable to scan AMF3 requests for attacks.

disable

json-validation-policy "<json-validation-policy_name>"

Enter the JSON protection policy name. No default.

cors-protection-policy "<cors-protection-policy>"

Enter the CORS protection policy name. No default.

mobile-app-identification {enable | disable}

Enable to configure the JWT token secret and token header to verify a request from a mobile application.

Refer to Approov doc for how to get the token.

disable

token-secret <token-secret_str>

Enter the token secret that you have got from Approov.

Available only when mobile-app-identification {enable | disable} is enable.

No default

token-header <token-header_str>

Specify the header where the token is carried.

Available only when mobile-app-identification {enable | disable} is enable.

No default

mobile-api-protection <mobile-api-protection_name>

Select the name of an existing API protection policy. For details, see waf mobile-api-protection.

No default

bot-mitigate-policy <bot-mitigate-policy_name>

Select the name of a bot mitigation policy. For details, see waf mobile-api-protection.

No default.

api-management-policy <api-management-policy_name>

Select the name of an API gateway policy. For details, see waf api-rules.

No default.

custom-access-policy "<combo-access_name>"

Select the name of a custom access policy. The maximum length is 63 characters. For details, see waf custom-access policy.

To display the list of existing policies, enter:

set custom-access-policy ?

No default.

padding-oracle "<rule_name>"

Select the name of a padding oracle protection rule. The maximum length is 63 characters. For details, see waf padding-oracle.

To display the list of existing rules, enter:

set padding-oracle ?

No default.

csrf-protection "<rule_name>"

Select the name of cross-site request forgery protection rule, if any, to apply to matching requests. For details, see waf csrf-protection.

Available only when client-management {enable | disable} is enabled.
No default.

cookie-security-policy "<cookie-security_name>"

Select the name of a cookie security policy. For details, see waf cookie-security.

To display the list of existing policies, enter:

set cookie-security-policy ?

parameter-validation-rule "<rule_name>"

Select the name of a parameter validation rule. The maximum length is 63 characters. For details, see waf parameter-validation-rule.

To display the list of existing rules, enter:

set parameter-validation-rule ?

No default.

hidden-fields-protection "<group_name>"

Select the name of a hidden field rule group that you want to apply, if any. The maximum length is 63 characters. For details, see waf hidden-fields-protection.

To display the list of existing groups, enter:

set hidden-fields-protection ?

No default.

file-upload-policy "<policy_name>"

Select the name of a file upload security policy to use, if any. The maximum length is 63 characters. For details, see server-policy custom-application application-policy.

To display the list of existing policies, enter:

set file-upload-policy ?

No default.

HTTP-protocol-parameter-restriction "<constraint_name>"

Select the name of an HTTP protocol constraint that you want to apply, if any. The maximum length is 63 characters. For details, see waf HTTP-protocol-parameter-restriction.

To display the list of existing profiles, enter:

set HTTP-protocol-parameter-restriction ?

No default.

url-access-policy "<policy_name>"

Select the name of a URL access policy. The maximum length is 63 characters. For details, see waf url-access url-access-policy.

To display the list of existing policies, enter:

set url-access-policy ?

No default.

allow-method-policy "<policy_name>"

Select the name of an allowed method policy. The maximum length is 63 characters. For details, see server-policy custom-application application-policy.

To display the list of existing policies, enter:

set allow-method-policy ?

No default.

ip-list-policy "<policy_name>"

Select the name of a trusted IP or blocklisted IP policy. The maximum length is 63 characters. For details, see server-policy custom-application application-policy.

To display the list of existing policies, enter:

set ip-list-policy ?

No default.

geo-block-list-policy "<policy_name>"

Select the name of a geographically-based client IP block list that you want to apply, if any. The maximum length is 63 characters. For details, see waf geo-block-list.

To display the list of existing groups, enter:

set geo-block-list-policy ?

No default.

application-layer-dos-prevention "<policy_name>"

Select the name of an existing DoS protection policy to use with this profile, if any. The maximum length is 63 characters. For details, see waf application-layer-dos-prevention.

To display the list of existing profiles, enter:

set application-layer-dos-prevention ?

No default.

ip-intelligence {enable | disable}

Enable to apply intelligence about the reputation of the client’s source IP. Blocking and logging behavior is configured in waf ip-intelligence.

disable

fortigate-quarantined-ips {enable | disable}

Enable to detect source IP addresses that a FortiGate unit is currently preventing from interacting with the network and protected systems.

To configure communication between the FortiOS and FortiWeb, see system fortigate-integration.

disable

quarantined-ip-action {alert | alert_deny}

Specify the action that FortiWeb takes if it detects a quarantined IP address:

  • alert—Accept the request and generate an alert email, log message, or both.
  • alert_deny—Block the request and generate an alert, log message, or both.
alert

quarantined-ip-severity {High | Medium | Low}

Specify the severity that FortiWeb assigns to quarantined IP log messages.

High

quarantined-ip-trigger "<trigger-policy_name>"

Select the name of the trigger to apply when FortiWeb detects a quarantined IP. For deails, see log trigger-policy.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

url-rewrite-policy "<group_name>"

Select the name of a URL rewriting rule set, if any, that will be applied to matching HTTP requests. The maximum length is 63 characters.

To display the list of existing policies, enter:

set url-rewrite-policy ?

For details, see waf url-access url-access-policy.

No default.

HTTP-authen-policy "<policy_name>"

Select the name of an HTTP authentication policy, if any, that will be applied to matching HTTP requests. The maximum length is 63 characters. For details, see waf HTTP-authen HTTP-authen-policy.

To display the list of existing profiles, enter:

set HTTP-authen-policy ?

If the HTTP client fails to authenticate, it will receive an HTTP 403 (Access Forbidden) error message.

No default.

HTTP-header-security "<policy_name>"

Select the name of an HTTP Header Security Policy, if any. For details, see waf HTTP-header-security.

To display the list of existing policies, enter:

set HTTP-header-security ?

No default.

site-publisher-helper "<policy_name>"

Select the name of a site publishing policy, if any, that will be applied to matching HTTP requests. The maximum length is 63 characters. For details, see waf site-publish-helper policy.

To display the list of existing profiles, enter:

set site-publisher-policy ?

If the HTTP client fails to authenticate, it will receive an HTTP 403 (Access Forbidden) error message.

No default.

file-compress-rule "<rule_name>"

Select the name of an existing file compression rule to use with this profile, if any. The maximum length is 63 characters. For details, see waf file-compress-rule.

To display the list of existing rules, enter:

set file-compress-rule ?

No default.

user-tracking-policy "<user-tracking-policy_name>"

Select the name of a user tracking policy. The maximum length is 63 characters. For details, see waf user-tracking policy.

To display the list of existing policies, enter:

set user-tracking-policy ?

No default.

redirect-url "<redirect_fqdn>"

Enter a URL, including the FQDN/IP and path, if any, to which an HTTP client will be redirected if their HTTP request violates any of the rules in this profile.

For example, you could enter www.example.com/products/.

If you do not enter a URL, depending on the type of violation and the configuration, the FortiWeb appliance will log the violation, may attempt to remove the offending parts, and could either reset the connection or return an HTTP 403 (Access Forbidden) or 404 (File Not Found) error message.

The maximum length is 256 characters.

No default.

rdt-reason {enable | disable}

Enable to include the reason for URL redirection as a parameter in the URL, such as reason=DETECT_PARAM_RULE_FAILED, when traffic has been redirected using redirect-url "<redirect_fqdn>".

The FortiWeb appliance also adds fortiwaf=1 to the URL to detect and cancel a redirect loop when the redirect action recursively triggers an attack event.

Caution: If you specify a redirect URL that is protected by the FortiWeb appliance, you should enable this option to prevent infinite redirect loops.

No default.

data-analysis {enable | disable}

Enable this to collect data for servers covered by this profile.

disable

comment "<comment_str>"

Enter a description or other comment. If the comment contains more than one word or contains an apostrophe, surround the comment in double quotes ( " ). The maximum length is 199 characters.

No default.

xml-validation-policy "<xml_policy_name>"

Select the name of an XML protection policy, if any. The maximum length is 63 characters. For details, see waf xml-validation.

To display the list of existing policies, enter:

set xml-validation-policy ?

No default.

profile-id "<profile-id_str>"

Enter the inline profile ID. No default.

mitb-protection "<mitb-protection_name>"

Select the MiTB protection policy name.

For details, see waf mitb-policy.

No default.

openapi-validation-policy "<openapi-validation-policy_name>"

Select the openapi validation policy name.

For details, see waf openapi-validation-policy.

No default.

websocket-security-policy "<websocket-security-policy_name>"

Select the websocket security policy name.

For details, see waf websocket-security policy.

No default.

url-encryption-policy <url-encryption-policy_str>

Select the URL encryption policy name.

For details, see waf url-encryption.

No default.

syntax-based-attack-detection <detection_name>

Select the name of an existing SQL/XSS syntax based detection policy. For details, see waf syntax-based-attack-detection.

No default.

owasp_api_top10_log_field {enable/disable}

Enable to record the OWASP API Top10 attack categories in attack logs so that you can filter the attack logs by OWASP API Top10.

enable

Related topics

waf web-protection-profile inline-protection

waf web-protection-profile inline-protection

Use this command to configure inline protection profiles.

Inline protection profiles are a set of attack protection settings. The FortiWeb appliance applies the profile when a connection matches a server policy that includes the protection profile. You can use inline protection profiles in server policies for any mode except Offline Protection.

To apply protection profiles, select them within a server policy. For details, see server-policy policy.

Before configuring an inline protection profile, first configure any of the following that you want to include in the profile:

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf web-protection-profile inline-protection

edit "<inline-protection-profile_name>"

set client-management {enable | disable}

set threat-score-profile <name>

set http-session-cookie {enable | disable}

set HTTP-session-timeout <seconds_int>

set x-forwarded-for-rule "<x-forwarded-for_name>"

set signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>}

set amf3-protocol-detection {enable | disable}

set custom-access-policy "<combo-access_name>"

set padding-oracle "<rule_name>"

set csrf-protection "<rule_name>"

set cookie-security-policy "<cookie-security_name>"

set parameter-validation-rule "<rule_name>"

set hidden-fields-protection "<group_name>"

set file-upload-policy "<policy_name>"

set HTTP-protocol-parameter-restriction "<constraint_name>"

set url-access-policy "<policy_name>"

set allow-method-policy "<policy_name>"

set ip-list-policy "<policy_name>"

set geo-block-list-policy "<policy_name>"

set application-layer-dos-prevention "<policy_name>"

set ip-intelligence {enable | disable}

set fortigate-quarantined-ips {enable | disable}

set quarantined-ip-action {alert | alert_deny}

set quarantined-ip-severity {High | Medium | Low}

set quarantined-ip-trigger "<trigger-policy_name>"

set url-rewrite-policy "<group_name>"

set HTTP-authen-policy "<policy_name>"

set HTTP-header-security "<policy_name>"

set site-publisher-helper "<policy_name>"

set file-compress-rule "<rule_name>"

set user-tracking-policy "<user-tracking-policy_name>"

set redirect-url "<redirect_fqdn>"

set rdt-reason {enable | disable}

set data-analysis {enable | disable}

set comment "<comment_str>"

set profile-id "<profile-id_str>"

set mitb-protection "<mitb-protection_name>"

set openapi-validation-policy "<openapi-validation-policy_name>"

set websocket-security-policy "<websocket-security-policy_name>"

set json-validation-policy "<json-validation-policy_name>"

set cors-protection-policy "<cors-protection-policy>"

set mobile-app-identification {enable | disable}

set token-secret <token-secret_str>

set token-header <token-header_str>

set mobile-api-protection <mobile-api-protection_name>

set bot-mitigate-policy <bot-mitigate-policy_name>

set api-management-policy <api-management-policy_name>

set url-encryption-policy <url-encryption-policy_str>

set syntax-based-attack-detection <detection_name>

set owasp_api_top10_log_field {enable/disable}

next

end

Variable Description Default

"<inline-protection-profile_name>"

Enter the name of the inline protection profile. The maximum length is 63 characters.

To display the list of existing profiles, enter:

edit ?

No default.

client-management {enable | disable}

Enable to add an implementation of HTTP sessions, and track their states, using a cookie such as cookiesession1. Also configure HTTP-session-timeout <seconds_int>.

Although HTTP has no inherent support for sessions, a notion of individual HTTP client sessions, rather than simply the source IP address and/or timestamp, is required by some features.

For example, you might want to require that a client’s first HTTP request always be a login page: the rest of the web pages should be inaccessible if they have not authenticated. Out-of-order requests could represent an attempt to bypass the web application’s native authentication mechanism. How can FortiWeb know if a request is the client’s first HTTP request?

Therefore FortiWeb must keep some record of the first request from that client (the session initiation). It also must record their previous HTTP request(s), until a span of time (the session timeout) has elapsed during which there were no more subsequent requests, after which it would require that the session be initiated again.

The session management feature provides such FortiWeb session support.

This feature requires that the client support cookies.

Note: You must enable this option:

  • If you want to include this profile’s traffic in the traffic log, in addition to enabling traffic logs in general. For details, see log attack-log.
enable

threat-score-profile <name>

Select the Threat Score Profile so that FortiWeb can take action on IPs or clients when their threat score accumulates to a certain value. The threat score profile is configured in config server-policy pattern threat-score-profile.

If you have enabled client-management, but does not configure threat-score-profile, the system will by default applies the configurations in config server-policy pattern threat-weight.

This option is available only when client-management is enabled.

http-session-cookie {enable | disable}

In Client Management we use cookiesession1 to track users.

  • If disabled, the cookiesession1 will not expire when the session is ended or timeout (the timeout value is defined by HTTP-session-timeout <seconds_int>); instead, it will have a 1-year expiry time unless it's cleared from the client's side. This means that even if a user closes the browser multiple times within one year, they will still be identified as the same user throughout that period.

  • If enabled, the cookiesession1 will expire when the session is ended or the HTTP-session-timeout is reached.

For more information, see this FAQ in Troubleshooting part: Why is the cookiesession1 generated by Client Management persistent cookie?

disabled

HTTP-session-timeout <seconds_int>

Enter the HTTP session timeout in seconds. The valid range is 20–3,600.

This setting is available only if client-management {enable | disable} is enabled.

1200

x-forwarded-for-rule "<x-forwarded-for_name>"

Specify the name of a rule that configures FortiWeb’s use of X-Forwarded-For: and X-Real-IP. The maximum length is 63 characters. For details, see waf x-forwarded-for.

To display the list of existing rules, enter:

set x-forwarded-for-rule ?

No default.

signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>}

Specify a signature policy to include in the profile. The maximum length is 63 characters. For details, see waf signature.

To display the list of existing rules, enter:

set server-protection-rule ?

The type of attack that FortiWeb detects determines the attack log messages for this feature. For a list, see waf signature.

No default.

amf3-protocol-detection {enable | disable}

Enable to scan requests that use action message format 3.0 (AMF3) for these attacks if you have enabled those in the signature set specified by signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>}:

  • Cross-site scripting (XSS) attacks
  • SQL injection attacks
  • Common exploits

AMF3 is a binary format that Adobe Flash clients can use to send input to server-side software.

Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will make the FortiWeb appliance unable to scan AMF3 requests for attacks.

disable

json-validation-policy "<json-validation-policy_name>"

Enter the JSON protection policy name. No default.

cors-protection-policy "<cors-protection-policy>"

Enter the CORS protection policy name. No default.

mobile-app-identification {enable | disable}

Enable to configure the JWT token secret and token header to verify a request from a mobile application.

Refer to Approov doc for how to get the token.

disable

token-secret <token-secret_str>

Enter the token secret that you have got from Approov.

Available only when mobile-app-identification {enable | disable} is enable.

No default

token-header <token-header_str>

Specify the header where the token is carried.

Available only when mobile-app-identification {enable | disable} is enable.

No default

mobile-api-protection <mobile-api-protection_name>

Select the name of an existing API protection policy. For details, see waf mobile-api-protection.

No default

bot-mitigate-policy <bot-mitigate-policy_name>

Select the name of a bot mitigation policy. For details, see waf mobile-api-protection.

No default.

api-management-policy <api-management-policy_name>

Select the name of an API gateway policy. For details, see waf api-rules.

No default.

custom-access-policy "<combo-access_name>"

Select the name of a custom access policy. The maximum length is 63 characters. For details, see waf custom-access policy.

To display the list of existing policies, enter:

set custom-access-policy ?

No default.

padding-oracle "<rule_name>"

Select the name of a padding oracle protection rule. The maximum length is 63 characters. For details, see waf padding-oracle.

To display the list of existing rules, enter:

set padding-oracle ?

No default.

csrf-protection "<rule_name>"

Select the name of cross-site request forgery protection rule, if any, to apply to matching requests. For details, see waf csrf-protection.

Available only when client-management {enable | disable} is enabled.
No default.

cookie-security-policy "<cookie-security_name>"

Select the name of a cookie security policy. For details, see waf cookie-security.

To display the list of existing policies, enter:

set cookie-security-policy ?

parameter-validation-rule "<rule_name>"

Select the name of a parameter validation rule. The maximum length is 63 characters. For details, see waf parameter-validation-rule.

To display the list of existing rules, enter:

set parameter-validation-rule ?

No default.

hidden-fields-protection "<group_name>"

Select the name of a hidden field rule group that you want to apply, if any. The maximum length is 63 characters. For details, see waf hidden-fields-protection.

To display the list of existing groups, enter:

set hidden-fields-protection ?

No default.

file-upload-policy "<policy_name>"

Select the name of a file upload security policy to use, if any. The maximum length is 63 characters. For details, see server-policy custom-application application-policy.

To display the list of existing policies, enter:

set file-upload-policy ?

No default.

HTTP-protocol-parameter-restriction "<constraint_name>"

Select the name of an HTTP protocol constraint that you want to apply, if any. The maximum length is 63 characters. For details, see waf HTTP-protocol-parameter-restriction.

To display the list of existing profiles, enter:

set HTTP-protocol-parameter-restriction ?

No default.

url-access-policy "<policy_name>"

Select the name of a URL access policy. The maximum length is 63 characters. For details, see waf url-access url-access-policy.

To display the list of existing policies, enter:

set url-access-policy ?

No default.

allow-method-policy "<policy_name>"

Select the name of an allowed method policy. The maximum length is 63 characters. For details, see server-policy custom-application application-policy.

To display the list of existing policies, enter:

set allow-method-policy ?

No default.

ip-list-policy "<policy_name>"

Select the name of a trusted IP or blocklisted IP policy. The maximum length is 63 characters. For details, see server-policy custom-application application-policy.

To display the list of existing policies, enter:

set ip-list-policy ?

No default.

geo-block-list-policy "<policy_name>"

Select the name of a geographically-based client IP block list that you want to apply, if any. The maximum length is 63 characters. For details, see waf geo-block-list.

To display the list of existing groups, enter:

set geo-block-list-policy ?

No default.

application-layer-dos-prevention "<policy_name>"

Select the name of an existing DoS protection policy to use with this profile, if any. The maximum length is 63 characters. For details, see waf application-layer-dos-prevention.

To display the list of existing profiles, enter:

set application-layer-dos-prevention ?

No default.

ip-intelligence {enable | disable}

Enable to apply intelligence about the reputation of the client’s source IP. Blocking and logging behavior is configured in waf ip-intelligence.

disable

fortigate-quarantined-ips {enable | disable}

Enable to detect source IP addresses that a FortiGate unit is currently preventing from interacting with the network and protected systems.

To configure communication between the FortiOS and FortiWeb, see system fortigate-integration.

disable

quarantined-ip-action {alert | alert_deny}

Specify the action that FortiWeb takes if it detects a quarantined IP address:

  • alert—Accept the request and generate an alert email, log message, or both.
  • alert_deny—Block the request and generate an alert, log message, or both.
alert

quarantined-ip-severity {High | Medium | Low}

Specify the severity that FortiWeb assigns to quarantined IP log messages.

High

quarantined-ip-trigger "<trigger-policy_name>"

Select the name of the trigger to apply when FortiWeb detects a quarantined IP. For deails, see log trigger-policy.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

url-rewrite-policy "<group_name>"

Select the name of a URL rewriting rule set, if any, that will be applied to matching HTTP requests. The maximum length is 63 characters.

To display the list of existing policies, enter:

set url-rewrite-policy ?

For details, see waf url-access url-access-policy.

No default.

HTTP-authen-policy "<policy_name>"

Select the name of an HTTP authentication policy, if any, that will be applied to matching HTTP requests. The maximum length is 63 characters. For details, see waf HTTP-authen HTTP-authen-policy.

To display the list of existing profiles, enter:

set HTTP-authen-policy ?

If the HTTP client fails to authenticate, it will receive an HTTP 403 (Access Forbidden) error message.

No default.

HTTP-header-security "<policy_name>"

Select the name of an HTTP Header Security Policy, if any. For details, see waf HTTP-header-security.

To display the list of existing policies, enter:

set HTTP-header-security ?

No default.

site-publisher-helper "<policy_name>"

Select the name of a site publishing policy, if any, that will be applied to matching HTTP requests. The maximum length is 63 characters. For details, see waf site-publish-helper policy.

To display the list of existing profiles, enter:

set site-publisher-policy ?

If the HTTP client fails to authenticate, it will receive an HTTP 403 (Access Forbidden) error message.

No default.

file-compress-rule "<rule_name>"

Select the name of an existing file compression rule to use with this profile, if any. The maximum length is 63 characters. For details, see waf file-compress-rule.

To display the list of existing rules, enter:

set file-compress-rule ?

No default.

user-tracking-policy "<user-tracking-policy_name>"

Select the name of a user tracking policy. The maximum length is 63 characters. For details, see waf user-tracking policy.

To display the list of existing policies, enter:

set user-tracking-policy ?

No default.

redirect-url "<redirect_fqdn>"

Enter a URL, including the FQDN/IP and path, if any, to which an HTTP client will be redirected if their HTTP request violates any of the rules in this profile.

For example, you could enter www.example.com/products/.

If you do not enter a URL, depending on the type of violation and the configuration, the FortiWeb appliance will log the violation, may attempt to remove the offending parts, and could either reset the connection or return an HTTP 403 (Access Forbidden) or 404 (File Not Found) error message.

The maximum length is 256 characters.

No default.

rdt-reason {enable | disable}

Enable to include the reason for URL redirection as a parameter in the URL, such as reason=DETECT_PARAM_RULE_FAILED, when traffic has been redirected using redirect-url "<redirect_fqdn>".

The FortiWeb appliance also adds fortiwaf=1 to the URL to detect and cancel a redirect loop when the redirect action recursively triggers an attack event.

Caution: If you specify a redirect URL that is protected by the FortiWeb appliance, you should enable this option to prevent infinite redirect loops.

No default.

data-analysis {enable | disable}

Enable this to collect data for servers covered by this profile.

disable

comment "<comment_str>"

Enter a description or other comment. If the comment contains more than one word or contains an apostrophe, surround the comment in double quotes ( " ). The maximum length is 199 characters.

No default.

xml-validation-policy "<xml_policy_name>"

Select the name of an XML protection policy, if any. The maximum length is 63 characters. For details, see waf xml-validation.

To display the list of existing policies, enter:

set xml-validation-policy ?

No default.

profile-id "<profile-id_str>"

Enter the inline profile ID. No default.

mitb-protection "<mitb-protection_name>"

Select the MiTB protection policy name.

For details, see waf mitb-policy.

No default.

openapi-validation-policy "<openapi-validation-policy_name>"

Select the openapi validation policy name.

For details, see waf openapi-validation-policy.

No default.

websocket-security-policy "<websocket-security-policy_name>"

Select the websocket security policy name.

For details, see waf websocket-security policy.

No default.

url-encryption-policy <url-encryption-policy_str>

Select the URL encryption policy name.

For details, see waf url-encryption.

No default.

syntax-based-attack-detection <detection_name>

Select the name of an existing SQL/XSS syntax based detection policy. For details, see waf syntax-based-attack-detection.

No default.

owasp_api_top10_log_field {enable/disable}

Enable to record the OWASP API Top10 attack categories in attack logs so that you can filter the attack logs by OWASP API Top10.

enable

Related topics