Fortinet black logo

CLI Reference

waf site-publish-helper policy

waf site-publish-helper policy

Use this command to group together web applications that you want to publish.

Before you configure site publishing policies, you must first define the individual sites that will be a part of the group. For details, see waf site-publish-helper rule.

To apply this policy, include it in an inline web protection profile. For details, see waf web-protection-profile inline-protection.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf site-publish-helper policy

edit "<site-publish-policy_name>"

set account-lockout {enable | disable}

set max-login-failures <failures_int>

set account-block-period <account-block-period_int>

set within <within_int>

set limit-users {enable | disable}

set maximum-users <integer>

set session-idle-timeout <integer>

set credential-stuffing-protection {enable | disable}

set action {alert | alert_deny | block-period | deny_no_log}

set block-period <block_period_int>

set severity {high | medium | low | Info}

set trigger "<trigger_policy>"

config rule

edit <entry_index>

set rule-name "<site-publish-rule_name>"

next

end

next

end

Variable Description Default

"<site-publish-policy_name>"

Enter the name of a new or existing policy. The maximum length is 63 characters.

To display the list of existing policies, enter:

edit ?

No default.

account-lockout {enable | disable}

Enable to prevent account cracking by locking an account out after several failures logging into FortiWeb. disable

max-login-failures <failures_int>

Set the threshold of login failure. FortiWeb will trigger lockout to the account if number of login failure exceeds the threshold during the specified time period (within <within_int>). 5

account-block-period <account-block-period_int>

Set the time period (in minutes) that FortiWeb locks out an account for. No more login is accepted for the locked account during the period. 60

within <within_int>

Set the time period (in minutes) for FortiWeb counting the login failures and judging lockout to accounts. Count of login failure of an account will be reset when the time period is up. 3

limit-users {enable | disable}

Enable to limit the number of concurrent logins per account.

disable

maximum-users <integer>

Specify the maximum number of concurrent logins using the same account.

1

session-idle-timeout <integer>

When a session is idle for the specified period of time, the Concurrent Users count will be renewed. The user who is timed-out needs to re-log in.

30

credential-stuffing-protection {enable | disable}

Enable to use FortiGuard's Credential Stuffing Defense database to prevent against credential stuffing attacks. disable

action {alert | alert_deny | block-period | deny_no_log}

Set the action. The options are:

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message
  • block-period—Block subsequent requests from the client for a number of seconds.
  • deny_no_log—Deny a request. Do not generate a log message.

You can customize the web page that returns to the client with the HTTP status code.

No default.

block-period <block_period_int>

If the action {alert | alert_deny | block-period | deny_no_log} is block-period, set amount of time (in seconds) FortiWeb will block subsequent requests from the client. The valid range is 1–3600 seconds.

600

severity {high | medium | low | Info}

Set the severity of credential stuffing attacks. No default.

trigger "<trigger_policy>"

Select the trigger policy, if any, to apply in the Site Publish policy. For details, see log trigger-policy. No default.

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

rule-name "<site-publish-rule_name>"

Enter the name of an existing rule. No default.

Example

For an example, see waf site-publish-helper rule.

Related topics

waf site-publish-helper policy

waf site-publish-helper policy

Use this command to group together web applications that you want to publish.

Before you configure site publishing policies, you must first define the individual sites that will be a part of the group. For details, see waf site-publish-helper rule.

To apply this policy, include it in an inline web protection profile. For details, see waf web-protection-profile inline-protection.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf site-publish-helper policy

edit "<site-publish-policy_name>"

set account-lockout {enable | disable}

set max-login-failures <failures_int>

set account-block-period <account-block-period_int>

set within <within_int>

set limit-users {enable | disable}

set maximum-users <integer>

set session-idle-timeout <integer>

set credential-stuffing-protection {enable | disable}

set action {alert | alert_deny | block-period | deny_no_log}

set block-period <block_period_int>

set severity {high | medium | low | Info}

set trigger "<trigger_policy>"

config rule

edit <entry_index>

set rule-name "<site-publish-rule_name>"

next

end

next

end

Variable Description Default

"<site-publish-policy_name>"

Enter the name of a new or existing policy. The maximum length is 63 characters.

To display the list of existing policies, enter:

edit ?

No default.

account-lockout {enable | disable}

Enable to prevent account cracking by locking an account out after several failures logging into FortiWeb. disable

max-login-failures <failures_int>

Set the threshold of login failure. FortiWeb will trigger lockout to the account if number of login failure exceeds the threshold during the specified time period (within <within_int>). 5

account-block-period <account-block-period_int>

Set the time period (in minutes) that FortiWeb locks out an account for. No more login is accepted for the locked account during the period. 60

within <within_int>

Set the time period (in minutes) for FortiWeb counting the login failures and judging lockout to accounts. Count of login failure of an account will be reset when the time period is up. 3

limit-users {enable | disable}

Enable to limit the number of concurrent logins per account.

disable

maximum-users <integer>

Specify the maximum number of concurrent logins using the same account.

1

session-idle-timeout <integer>

When a session is idle for the specified period of time, the Concurrent Users count will be renewed. The user who is timed-out needs to re-log in.

30

credential-stuffing-protection {enable | disable}

Enable to use FortiGuard's Credential Stuffing Defense database to prevent against credential stuffing attacks. disable

action {alert | alert_deny | block-period | deny_no_log}

Set the action. The options are:

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message
  • block-period—Block subsequent requests from the client for a number of seconds.
  • deny_no_log—Deny a request. Do not generate a log message.

You can customize the web page that returns to the client with the HTTP status code.

No default.

block-period <block_period_int>

If the action {alert | alert_deny | block-period | deny_no_log} is block-period, set amount of time (in seconds) FortiWeb will block subsequent requests from the client. The valid range is 1–3600 seconds.

600

severity {high | medium | low | Info}

Set the severity of credential stuffing attacks. No default.

trigger "<trigger_policy>"

Select the trigger policy, if any, to apply in the Site Publish policy. For details, see log trigger-policy. No default.

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

rule-name "<site-publish-rule_name>"

Enter the name of an existing rule. No default.

Example

For an example, see waf site-publish-helper rule.

Related topics