Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 7.2.7 CLI Reference
    7.2.7
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    waf allow-method-exceptions

    waf allow-method-exceptions

    Use this command to configure the FortiWeb appliance with combinations of URLs and host names, which are exceptions to HTTP request methods that are generally allowed or denied according to the inline or Offline Protection profile.

    While most URL and host name combinations controlled by a profile may require similar HTTP request methods, you may have some that require different methods. Instead of forming separate policies and profiles for those requests, you can configure allowed method exceptions. The exceptions define specific HTTP request methods that are allowed by specific URLs and hosts.

    To apply allowed method exceptions, select them within an inline or Offline Protection profile. For details, see waf web-protection-profile inline-protection or waf web-protection-profile offline-protection.

    Before you configure an allowed method exception, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf allow-method-exceptions

    edit "<method-exception_name>"

    config allow-method-exception-list

    edit <entry_index>

    set allow-request {get post head options trace connect delete put patch webdav rpc others}

    set host "<protected-hosts_name>"

    set host-status {enable | disable}

    set request-file "<url_str>"

    set request-type {plain | regular}

    next

    end

    next

    end

    Variable Description Default

    "<method-exception_name>"

    Enter the name of the allowed methods exception. The maximum length is 63 characters.

    To display a list of the existing exceptions, enter:

    edit ?

    		No default.

    <entry_index>

    		 Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    allow-request {get post head options trace connect delete put patch webdav rpc others}

    Select one or more of the allowed HTTP request methods that are an exception for that combination of URL and host.

    Methods that you do not select will be denied.

    The OTHERS option includes methods not specifically named in the other options. It often may be required by WebDAV applications such as Microsoft Exchange Server and Subversion, which may require HTTP methods not commonly used by web browsers, such as PROPFIND and BCOPY. For details, see RFC 4918 (http://tools.ietf.org/html/rfc4918).

    Note: If a WAF Auto Learning Profile will be selected in the policy with an Offline Protection profile that uses this allowed method exception, you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb appliance to learn about. If a method is disabled, the FortiWeb appliance will reset the connection, and therefore cannot learn about the session.

    		 No default.

    host "<protected-hosts_name>"

    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the exception. The maximum length is 256 characters.

    This setting is used only if host-status {enable | disable} is enable.

    		 No default.

    host-status {enable | disable}

    		 Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the allowed method exception. Also configure host "<protected-hosts_name>". disable

    request-file "<url_str>"

    Depending on your selection in request-type {plain | regular}, either:

    • Enter the literal URL, such as /index.php, that is an exception to the generally allowed HTTP request methods. The URL must begin with a slash ( / ).

    • Enter a regular expression, such as ^/*.php, matching all and only the URLs which are exceptions to the generally allowed HTTP request methods. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.

      For example, if multiple URLs on a host have identical HTTP request method requirements, you would type a regular expression matching all of and only those URLs.

    Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-hosts_name>". The maximum length is 256 characters.

    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

    HTTPS://docs.fortinet.com/fortiweb/admin-guides

    		No default.

    request-type {plain | regular}

    		 Indicate whether request-file "<url_str>" is a literal URL (plain) or a regular expression (regular). plain

    Example

    This example adds an exception to the list of allowed methods (post) that can be used in HTTP requests. In addition to the allowed methods already specified in protection profiles that use this exception, web hosts included in the protected hosts group named example_com_hosts (such as example.com, www.example.com, and 192.0.2.10) are allowed to receive POST requests to the Perl file that handles the guestbook.

    config waf allow-method-exceptions

    edit "auto-learn-profile2"

    config allow-method-exception-list

    edit 1

    set allow-request post

    set host "example_com_hosts"

    set host-status enable

    set request-file "/perl/guesbook.pl"

    set request-type plain

    next

    end

    next

    end

    Related topics

    Previous
    Next

    waf allow-method-exceptions

    waf allow-method-exceptions

    Use this command to configure the FortiWeb appliance with combinations of URLs and host names, which are exceptions to HTTP request methods that are generally allowed or denied according to the inline or Offline Protection profile.

    While most URL and host name combinations controlled by a profile may require similar HTTP request methods, you may have some that require different methods. Instead of forming separate policies and profiles for those requests, you can configure allowed method exceptions. The exceptions define specific HTTP request methods that are allowed by specific URLs and hosts.

    To apply allowed method exceptions, select them within an inline or Offline Protection profile. For details, see waf web-protection-profile inline-protection or waf web-protection-profile offline-protection.

    Before you configure an allowed method exception, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf allow-method-exceptions

    edit "<method-exception_name>"

    config allow-method-exception-list

    edit <entry_index>

    set allow-request {get post head options trace connect delete put patch webdav rpc others}

    set host "<protected-hosts_name>"

    set host-status {enable | disable}

    set request-file "<url_str>"

    set request-type {plain | regular}

    next

    end

    next

    end

    Variable Description Default

    "<method-exception_name>"

    Enter the name of the allowed methods exception. The maximum length is 63 characters.

    To display a list of the existing exceptions, enter:

    edit ?

    		No default.

    <entry_index>

    		 Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    allow-request {get post head options trace connect delete put patch webdav rpc others}

    Select one or more of the allowed HTTP request methods that are an exception for that combination of URL and host.

    Methods that you do not select will be denied.

    The OTHERS option includes methods not specifically named in the other options. It often may be required by WebDAV applications such as Microsoft Exchange Server and Subversion, which may require HTTP methods not commonly used by web browsers, such as PROPFIND and BCOPY. For details, see RFC 4918 (http://tools.ietf.org/html/rfc4918).

    Note: If a WAF Auto Learning Profile will be selected in the policy with an Offline Protection profile that uses this allowed method exception, you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb appliance to learn about. If a method is disabled, the FortiWeb appliance will reset the connection, and therefore cannot learn about the session.

    		 No default.

    host "<protected-hosts_name>"

    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the exception. The maximum length is 256 characters.

    This setting is used only if host-status {enable | disable} is enable.

    		 No default.

    host-status {enable | disable}

    		 Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the allowed method exception. Also configure host "<protected-hosts_name>". disable

    request-file "<url_str>"

    Depending on your selection in request-type {plain | regular}, either:

    • Enter the literal URL, such as /index.php, that is an exception to the generally allowed HTTP request methods. The URL must begin with a slash ( / ).

    • Enter a regular expression, such as ^/*.php, matching all and only the URLs which are exceptions to the generally allowed HTTP request methods. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.

      For example, if multiple URLs on a host have identical HTTP request method requirements, you would type a regular expression matching all of and only those URLs.

    Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-hosts_name>". The maximum length is 256 characters.

    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

    HTTPS://docs.fortinet.com/fortiweb/admin-guides

    		No default.

    request-type {plain | regular}

    		 Indicate whether request-file "<url_str>" is a literal URL (plain) or a regular expression (regular). plain

    Example

    This example adds an exception to the list of allowed methods (post) that can be used in HTTP requests. In addition to the allowed methods already specified in protection profiles that use this exception, web hosts included in the protected hosts group named example_com_hosts (such as example.com, www.example.com, and 192.0.2.10) are allowed to receive POST requests to the Perl file that handles the guestbook.

    config waf allow-method-exceptions

    edit "auto-learn-profile2"

    config allow-method-exception-list

    edit 1

    set allow-request post

    set host "example_com_hosts"

    set host-status enable

    set request-file "/perl/guesbook.pl"

    set request-type plain

    next

    end

    next

    end

    Related topics

    Previous
    Next