Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 7.4.1 CLI Reference
    7.4.1
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    waf bot-mitigation-exception

    waf bot-mitigation-exception

    You can use this command to create exception policy to omit bot mitigation attack scans when you know that some parameters or URLs may trigger positives during normal use. The exception policy can be applied in Bot Mitigation policy, Biometrics Based Detection, Threshold Based Detection, and Bot Deception.

    Syntax

    config waf bot-mitigate-exception

    edit edit "<bot_excetpion_policy-name>"

    config exception-element-list

    edit <index>

    set match-target CLIENT_IP

    set operator {EQ |NE}

    set ip-range <IP_range>

    set concatenate-type {AND | OR}

    next

    edit <index>

    set match-target host

    set operator {STRING_MATCH | REGEXP_MATCH}

    set value <string>

    set concatenate-type {AND | OR}

    next

    edit <index>

    set match-target URI

    set operator {STRING_MATCH | REGEXP_MATCH}

    set value <string>

    set concatenate-type {AND | OR}

    next

    edit <index>

    set match-target FULL_URL

    set operator {STRING_MATCH | REGEXP_MATCH}

    set value <string>

    set concatenate-type {AND | OR}

    next

    edit <index>

    set match-target PARAMETER

    set operator {STRING_MATCH | REGEXP_MATCH}

    set value-name <string>

    set value-check {enable | disable}

    set value <string>

    set concatenate-type {AND | OR}

    next

    edit <index>

    set match-target COOKIE

    set operator {STRING_MATCH | REGEXP_MATCH}

    set value-name <string>

    set value-check {enable | disable}

    set value <string>

    set concatenate-type {AND | OR}

    next

    end

    next

    end

    Variable Description Default

    <bot_excetpion_policy-name>

    Enter the name of the bot mitigation exception policy.

    No default

    <index>

    Enter the index number of the exception element.

    No default
    match-target CLIENT_IP
    operator {EQ |NE}
    • EQ—Equal. FortiWeb does not perform a bot mitigation attack scan for requests with a client IP address or IP range that matches the value of ip-range.
    • NE—Not Equal. FortiWeb only performs a bot mitigation attack scan for requests with a client IP address or IP range that matches the value of ip-range.
    		 EQ
    CLIENT_IP <ip> Specify the client IP addres that FortiWeb uses to determine whether or not to perform a bot mitigation attack scan for the request. No default

    ip-range <IP_range>

    Specify the client IP address or IP range that FortiWeb uses to determine whether or not to perform a bot mitigation attack scan for the request.

    No default

    match-target host
    operator {STRING_MATCH | REGEXP_MATCH}
    • STRING_MATCHValue is a literal host name.
    • REGEXP_MATCHValue is a regular expression that matches all and only the host name that the exception applies to.

    REGEXP_MATCH

    value <string>

    Specifies the Host: field value to match.

    No default

    match-target URI
    operator {STRING_MATCH | REGEXP_MATCH}
    • STRING_MATCHValue is a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
    • REGEXP_MATCHValue is a regular expression that matches all and only the URIs that the exception applies to.

    REGEXP_MATCH

    value <string>

    Specifies a URL value to match. You can use up to 2048 characters in regex configuration for signature. The value does not include parameters. For example, /testpage.php, which match requests for http://www.test.com/testpage.php?a=1&b=2.

    If operator is STRING_MATCH, ensure the value starts with a forward slash ( / ) (for example, /causes-false-positives.php).

    If operator is REGEXP_MATCH, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash.
    When the URL value is a string, such as /causes-false-positives.php, the URL must begin with a slash ( / ).
    Do not include a domain name or parameters. To match a domain name, use the Host element type. To match a URL that includes parameters, use the Full URL type.

    No default

    match-target FULL_URL
    operator {STRING_MATCH | REGEXP_MATCH}
    • STRING_MATCHValue is a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
    • REGEXP_MATCHValue is a regular expression that matches all and only the URLs that the exception applies to.

    REGEXP_MATCH

    value <string>

    Specifies a URL value that includes parameters to match. For example, /testpage.php?a=1&b=2, which match requests for http://www.test.com/testpage.php?a=1&b=2.

    If operator is STRING_MATCH, ensure the value starts with a forward slash ( / ) (for example, /testpage.php?a=1&b=2).

    If operator is REGEXP_MATCH, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash.

    Do not include a domain name. To match a domain name, use the Host element type. To match a URL that does not include parameters, use the URI type.

    No default

    match-target PARAMETER

    operator {STRING_MATCH | REGEXP_MATCH}

    • STRING_MATCHName is the literal name of a parameter.
    • REGEXP_MATCHName is a regular expression that matches all and only the name of the parameter that the exception applies to.

    REGEXP_MATCH

    value-name <string>

    		Specifies the name of the parameter to match.

    No default

    value-check {enable | disable}

    		Enable to specify a parameter value to match in addition to the parameter name.

    disable

    value <string>

    		Specifies the parameter value to match.

    No default

    match-target COOKIE

    operator {STRING_MATCH | REGEXP_MATCH}

    • STRING_MATCHName is the literal name of a cookie.
    • REGEXP_MATCHName is a regular expression that matches all and only the name of the cookie that the exception applies to.

    REGEXP_MATCH

    value-name <string>

    		Specifies the name of the cookie to match.

    No default

    value-check {enable | disable}

    		Select to specify a cookie value to match in addition to the cookie name.

    disable

    value <string>

    		Specifies the cookie value to match.

    No default

    concatenate-type {and | or}

    • And—A matching request matches this entry in addition to other entries in the exemption list.
    • Or—A matching request matches this entry instead of other entries in the exemption list.

    Later, you can use the exception list options to adjust the matching sequence for entries. The lower the index number, the earlier it will be processed.

    and

    Related topics

    Previous
    Next

    waf bot-mitigation-exception

    waf bot-mitigation-exception

    You can use this command to create exception policy to omit bot mitigation attack scans when you know that some parameters or URLs may trigger positives during normal use. The exception policy can be applied in Bot Mitigation policy, Biometrics Based Detection, Threshold Based Detection, and Bot Deception.

    Syntax

    config waf bot-mitigate-exception

    edit edit "<bot_excetpion_policy-name>"

    config exception-element-list

    edit <index>

    set match-target CLIENT_IP

    set operator {EQ |NE}

    set ip-range <IP_range>

    set concatenate-type {AND | OR}

    next

    edit <index>

    set match-target host

    set operator {STRING_MATCH | REGEXP_MATCH}

    set value <string>

    set concatenate-type {AND | OR}

    next

    edit <index>

    set match-target URI

    set operator {STRING_MATCH | REGEXP_MATCH}

    set value <string>

    set concatenate-type {AND | OR}

    next

    edit <index>

    set match-target FULL_URL

    set operator {STRING_MATCH | REGEXP_MATCH}

    set value <string>

    set concatenate-type {AND | OR}

    next

    edit <index>

    set match-target PARAMETER

    set operator {STRING_MATCH | REGEXP_MATCH}

    set value-name <string>

    set value-check {enable | disable}

    set value <string>

    set concatenate-type {AND | OR}

    next

    edit <index>

    set match-target COOKIE

    set operator {STRING_MATCH | REGEXP_MATCH}

    set value-name <string>

    set value-check {enable | disable}

    set value <string>

    set concatenate-type {AND | OR}

    next

    end

    next

    end

    Variable Description Default

    <bot_excetpion_policy-name>

    Enter the name of the bot mitigation exception policy.

    No default

    <index>

    Enter the index number of the exception element.

    No default
    match-target CLIENT_IP
    operator {EQ |NE}
    • EQ—Equal. FortiWeb does not perform a bot mitigation attack scan for requests with a client IP address or IP range that matches the value of ip-range.
    • NE—Not Equal. FortiWeb only performs a bot mitigation attack scan for requests with a client IP address or IP range that matches the value of ip-range.
    		 EQ
    CLIENT_IP <ip> Specify the client IP addres that FortiWeb uses to determine whether or not to perform a bot mitigation attack scan for the request. No default

    ip-range <IP_range>

    Specify the client IP address or IP range that FortiWeb uses to determine whether or not to perform a bot mitigation attack scan for the request.

    No default

    match-target host
    operator {STRING_MATCH | REGEXP_MATCH}
    • STRING_MATCHValue is a literal host name.
    • REGEXP_MATCHValue is a regular expression that matches all and only the host name that the exception applies to.

    REGEXP_MATCH

    value <string>

    Specifies the Host: field value to match.

    No default

    match-target URI
    operator {STRING_MATCH | REGEXP_MATCH}
    • STRING_MATCHValue is a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
    • REGEXP_MATCHValue is a regular expression that matches all and only the URIs that the exception applies to.

    REGEXP_MATCH

    value <string>

    Specifies a URL value to match. You can use up to 2048 characters in regex configuration for signature. The value does not include parameters. For example, /testpage.php, which match requests for http://www.test.com/testpage.php?a=1&b=2.

    If operator is STRING_MATCH, ensure the value starts with a forward slash ( / ) (for example, /causes-false-positives.php).

    If operator is REGEXP_MATCH, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash.
    When the URL value is a string, such as /causes-false-positives.php, the URL must begin with a slash ( / ).
    Do not include a domain name or parameters. To match a domain name, use the Host element type. To match a URL that includes parameters, use the Full URL type.

    No default

    match-target FULL_URL
    operator {STRING_MATCH | REGEXP_MATCH}
    • STRING_MATCHValue is a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
    • REGEXP_MATCHValue is a regular expression that matches all and only the URLs that the exception applies to.

    REGEXP_MATCH

    value <string>

    Specifies a URL value that includes parameters to match. For example, /testpage.php?a=1&b=2, which match requests for http://www.test.com/testpage.php?a=1&b=2.

    If operator is STRING_MATCH, ensure the value starts with a forward slash ( / ) (for example, /testpage.php?a=1&b=2).

    If operator is REGEXP_MATCH, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash.

    Do not include a domain name. To match a domain name, use the Host element type. To match a URL that does not include parameters, use the URI type.

    No default

    match-target PARAMETER

    operator {STRING_MATCH | REGEXP_MATCH}

    • STRING_MATCHName is the literal name of a parameter.
    • REGEXP_MATCHName is a regular expression that matches all and only the name of the parameter that the exception applies to.

    REGEXP_MATCH

    value-name <string>

    		Specifies the name of the parameter to match.

    No default

    value-check {enable | disable}

    		Enable to specify a parameter value to match in addition to the parameter name.

    disable

    value <string>

    		Specifies the parameter value to match.

    No default

    match-target COOKIE

    operator {STRING_MATCH | REGEXP_MATCH}

    • STRING_MATCHName is the literal name of a cookie.
    • REGEXP_MATCHName is a regular expression that matches all and only the name of the cookie that the exception applies to.

    REGEXP_MATCH

    value-name <string>

    		Specifies the name of the cookie to match.

    No default

    value-check {enable | disable}

    		Select to specify a cookie value to match in addition to the cookie name.

    disable

    value <string>

    		Specifies the cookie value to match.

    No default

    concatenate-type {and | or}

    • And—A matching request matches this entry in addition to other entries in the exemption list.
    • Or—A matching request matches this entry instead of other entries in the exemption list.

    Later, you can use the exception list options to adjust the matching sequence for entries. The lower the index number, the earlier it will be processed.

    and

    Related topics

    Previous
    Next