Fortinet white logo
Fortinet white logo

CLI Reference

waf bot-mitigation-exception

waf bot-mitigation-exception

You can use this command to create exception policy to omit bot mitigation attack scans when you know that some parameters or URLs may trigger positives during normal use. The exception policy can be applied in Bot Mitigation policy, Biometrics Based Detection, Threshold Based Detection, and Bot Deception.

Syntax

config waf bot-mitigate-exception

edit edit "<bot_excetpion_policy-name>"

config exception-element-list

edit <index>

set match-target CLIENT_IP

set operator {EQ |NE}

set ip-range <IP_range>

set concatenate-type {AND | OR}

next

edit <index>

set match-target host

set operator {STRING_MATCH | REGEXP_MATCH}

set value <string>

set concatenate-type {AND | OR}

next

edit <index>

set match-target URI

set operator {STRING_MATCH | REGEXP_MATCH}

set value <string>

set concatenate-type {AND | OR}

next

edit <index>

set match-target FULL_URL

set operator {STRING_MATCH | REGEXP_MATCH}

set value <string>

set concatenate-type {AND | OR}

next

edit <index>

set match-target PARAMETER

set operator {STRING_MATCH | REGEXP_MATCH}

set value-name <string>

set value-check {enable | disable}

set value <string>

set concatenate-type {AND | OR}

next

edit <index>

set match-target COOKIE

set operator {STRING_MATCH | REGEXP_MATCH}

set value-name <string>

set value-check {enable | disable}

set value <string>

set concatenate-type {AND | OR}

next

end

next

end

Variable Description Default

<bot_excetpion_policy-name>

Enter the name of the bot mitigation exception policy.

No default

<index>

Enter the index number of the exception element.

No default

match-target CLIENT_IP
operator {EQ |NE}
  • EQ—Equal. FortiWeb does not perform a bot mitigation attack scan for requests with a client IP address or IP range that matches the value of ip-range.
  • NE—Not Equal. FortiWeb only performs a bot mitigation attack scan for requests with a client IP address or IP range that matches the value of ip-range.
EQ
CLIENT_IP <ip> Specify the client IP addres that FortiWeb uses to determine whether or not to perform a bot mitigation attack scan for the request. No default

ip-range <IP_range>

Specify the client IP address or IP range that FortiWeb uses to determine whether or not to perform a bot mitigation attack scan for the request.

No default

match-target host

operator {STRING_MATCH | REGEXP_MATCH}
  • STRING_MATCHValue is a literal host name.
  • REGEXP_MATCHValue is a regular expression that matches all and only the host name that the exception applies to.

REGEXP_MATCH

value <string>

Specifies the Host: field value to match.

No default

match-target URI

operator {STRING_MATCH | REGEXP_MATCH}
  • STRING_MATCHValue is a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
  • REGEXP_MATCHValue is a regular expression that matches all and only the URIs that the exception applies to.

REGEXP_MATCH

value <string>

Specifies a URL value to match. You can use up to 2048 characters in regex configuration for signature. The value does not include parameters. For example, /testpage.php, which match requests for http://www.test.com/testpage.php?a=1&b=2.

If operator is STRING_MATCH, ensure the value starts with a forward slash ( / ) (for example, /causes-false-positives.php).

If operator is REGEXP_MATCH, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash.
When the URL value is a string, such as /causes-false-positives.php, the URL must begin with a slash ( / ).
Do not include a domain name or parameters. To match a domain name, use the Host element type. To match a URL that includes parameters, use the Full URL type.

No default

match-target FULL_URL

operator {STRING_MATCH | REGEXP_MATCH}
  • STRING_MATCHValue is a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
  • REGEXP_MATCHValue is a regular expression that matches all and only the URLs that the exception applies to.

REGEXP_MATCH

value <string>

Specifies a URL value that includes parameters to match. For example, /testpage.php?a=1&b=2, which match requests for http://www.test.com/testpage.php?a=1&b=2.

If operator is STRING_MATCH, ensure the value starts with a forward slash ( / ) (for example, /testpage.php?a=1&b=2).

If operator is REGEXP_MATCH, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash.

Do not include a domain name. To match a domain name, use the Host element type. To match a URL that does not include parameters, use the URI type.

No default

match-target PARAMETER

operator {STRING_MATCH | REGEXP_MATCH}

  • STRING_MATCHName is the literal name of a parameter.
  • REGEXP_MATCHName is a regular expression that matches all and only the name of the parameter that the exception applies to.

REGEXP_MATCH

value-name <string>

Specifies the name of the parameter to match.

No default

value-check {enable | disable}

Enable to specify a parameter value to match in addition to the parameter name.

disable

value <string>

Specifies the parameter value to match.

No default

match-target COOKIE

operator {STRING_MATCH | REGEXP_MATCH}

  • STRING_MATCHName is the literal name of a cookie.
  • REGEXP_MATCHName is a regular expression that matches all and only the name of the cookie that the exception applies to.

REGEXP_MATCH

value-name <string>

Specifies the name of the cookie to match.

No default

value-check {enable | disable}

Select to specify a cookie value to match in addition to the cookie name.

disable

value <string>

Specifies the cookie value to match.

No default

concatenate-type {and | or}

  • And—A matching request matches this entry in addition to other entries in the exemption list.
  • Or—A matching request matches this entry instead of other entries in the exemption list.

Later, you can use the exception list options to adjust the matching sequence for entries. The lower the index number, the earlier it will be processed.

and

Related topics

waf bot-mitigation-exception

waf bot-mitigation-exception

You can use this command to create exception policy to omit bot mitigation attack scans when you know that some parameters or URLs may trigger positives during normal use. The exception policy can be applied in Bot Mitigation policy, Biometrics Based Detection, Threshold Based Detection, and Bot Deception.

Syntax

config waf bot-mitigate-exception

edit edit "<bot_excetpion_policy-name>"

config exception-element-list

edit <index>

set match-target CLIENT_IP

set operator {EQ |NE}

set ip-range <IP_range>

set concatenate-type {AND | OR}

next

edit <index>

set match-target host

set operator {STRING_MATCH | REGEXP_MATCH}

set value <string>

set concatenate-type {AND | OR}

next

edit <index>

set match-target URI

set operator {STRING_MATCH | REGEXP_MATCH}

set value <string>

set concatenate-type {AND | OR}

next

edit <index>

set match-target FULL_URL

set operator {STRING_MATCH | REGEXP_MATCH}

set value <string>

set concatenate-type {AND | OR}

next

edit <index>

set match-target PARAMETER

set operator {STRING_MATCH | REGEXP_MATCH}

set value-name <string>

set value-check {enable | disable}

set value <string>

set concatenate-type {AND | OR}

next

edit <index>

set match-target COOKIE

set operator {STRING_MATCH | REGEXP_MATCH}

set value-name <string>

set value-check {enable | disable}

set value <string>

set concatenate-type {AND | OR}

next

end

next

end

Variable Description Default

<bot_excetpion_policy-name>

Enter the name of the bot mitigation exception policy.

No default

<index>

Enter the index number of the exception element.

No default

match-target CLIENT_IP
operator {EQ |NE}
  • EQ—Equal. FortiWeb does not perform a bot mitigation attack scan for requests with a client IP address or IP range that matches the value of ip-range.
  • NE—Not Equal. FortiWeb only performs a bot mitigation attack scan for requests with a client IP address or IP range that matches the value of ip-range.
EQ
CLIENT_IP <ip> Specify the client IP addres that FortiWeb uses to determine whether or not to perform a bot mitigation attack scan for the request. No default

ip-range <IP_range>

Specify the client IP address or IP range that FortiWeb uses to determine whether or not to perform a bot mitigation attack scan for the request.

No default

match-target host

operator {STRING_MATCH | REGEXP_MATCH}
  • STRING_MATCHValue is a literal host name.
  • REGEXP_MATCHValue is a regular expression that matches all and only the host name that the exception applies to.

REGEXP_MATCH

value <string>

Specifies the Host: field value to match.

No default

match-target URI

operator {STRING_MATCH | REGEXP_MATCH}
  • STRING_MATCHValue is a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
  • REGEXP_MATCHValue is a regular expression that matches all and only the URIs that the exception applies to.

REGEXP_MATCH

value <string>

Specifies a URL value to match. You can use up to 2048 characters in regex configuration for signature. The value does not include parameters. For example, /testpage.php, which match requests for http://www.test.com/testpage.php?a=1&b=2.

If operator is STRING_MATCH, ensure the value starts with a forward slash ( / ) (for example, /causes-false-positives.php).

If operator is REGEXP_MATCH, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash.
When the URL value is a string, such as /causes-false-positives.php, the URL must begin with a slash ( / ).
Do not include a domain name or parameters. To match a domain name, use the Host element type. To match a URL that includes parameters, use the Full URL type.

No default

match-target FULL_URL

operator {STRING_MATCH | REGEXP_MATCH}
  • STRING_MATCHValue is a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
  • REGEXP_MATCHValue is a regular expression that matches all and only the URLs that the exception applies to.

REGEXP_MATCH

value <string>

Specifies a URL value that includes parameters to match. For example, /testpage.php?a=1&b=2, which match requests for http://www.test.com/testpage.php?a=1&b=2.

If operator is STRING_MATCH, ensure the value starts with a forward slash ( / ) (for example, /testpage.php?a=1&b=2).

If operator is REGEXP_MATCH, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash.

Do not include a domain name. To match a domain name, use the Host element type. To match a URL that does not include parameters, use the URI type.

No default

match-target PARAMETER

operator {STRING_MATCH | REGEXP_MATCH}

  • STRING_MATCHName is the literal name of a parameter.
  • REGEXP_MATCHName is a regular expression that matches all and only the name of the parameter that the exception applies to.

REGEXP_MATCH

value-name <string>

Specifies the name of the parameter to match.

No default

value-check {enable | disable}

Enable to specify a parameter value to match in addition to the parameter name.

disable

value <string>

Specifies the parameter value to match.

No default

match-target COOKIE

operator {STRING_MATCH | REGEXP_MATCH}

  • STRING_MATCHName is the literal name of a cookie.
  • REGEXP_MATCHName is a regular expression that matches all and only the name of the cookie that the exception applies to.

REGEXP_MATCH

value-name <string>

Specifies the name of the cookie to match.

No default

value-check {enable | disable}

Select to specify a cookie value to match in addition to the cookie name.

disable

value <string>

Specifies the cookie value to match.

No default

concatenate-type {and | or}

  • And—A matching request matches this entry in addition to other entries in the exemption list.
  • Or—A matching request matches this entry instead of other entries in the exemption list.

Later, you can use the exception list options to adjust the matching sequence for entries. The lower the index number, the earlier it will be processed.

and

Related topics