CLI Reference

waf file-list

Use this command to configure a File List policy that allows FortiWeb to match uploaded files by MD5 or SHA256 hash. File List entries can be used to either trust or block specific files based on their cryptographic fingerprint. Enforcement actions are applied through the File Security module.

When a file is uploaded, FortiWeb computes both its MD5 and SHA256 digests and compares them to entries in the configured File List policy. Matching logic behaves as follows:

  • If a Block File match is found, FortiWeb sets the internal file_list_flag to BLOCK, and enforcement is delegated to the File Security module. The action defined in the File List policy is applied, such as deny, block-period, or client-ID block. An attack log entry is generated with the type Block File Using Hash.

  • If a Trust File match is found, FortiWeb sets the file_list_flag to TRUST, and the file bypasses checks from:

    • File Security

    • Web Shell Detection

    • Data Loss Prevention (DLP)

The File List module does not perform enforcement directly. To apply block actions, the File Security module must be enabled in the active Web Protection Profile. Trust File matches are honored across all three modules without additional configuration.

This module replaces the legacy File Exception feature, which only supported trusted MD5 hashes. File List introduces:

  • Support for SHA256

  • Support for Block File entries

  • A shared matching backend to reduce redundant processing across modules

Configuration is available through both GUI and CLI. Existing File Exception entries are automatically migrated to Trust File entries in the File List module.

Syntax

config waf file-list
  edit <policy_name>
    set action {alert | alert_deny | deny_no_log | block-period | client-id-block-period}
    set block-period <1–3600>
    set severity {High | Medium | Low | Info}
    set trigger-policy <policy>
    config members
      edit <entry_index>
        set type {trust-file | block-file}
        set hash-type {md5 | sha256}
        set hash-value <hex_string>
        set filename <filename>
        set comment <optional_comment>
      next
    end
  next
end

Variable: <policy_name>
Description: Creates or edits a File List policy identified by policy_name. Policy names can be up to 63 characters.
Default: No default.

Variable: action {alert | alert_deny | deny_no_log | block-period | client-id-block-period}
Description: Determines how FortiWeb responds to a Block File match:

  • alert — Accept the connection and generate an alert email and/or log message.

  • alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message.

  • deny_no_log — Block the request (or reset the connection) without logging.

  • block-period — Block subsequent requests from the client for a number of seconds.

  • client-id-block-period — Block the client's session or device fingerprint (if Client Identification is enabled).

Default: alert

Variable: block-period <1–3600>
Description: Required when action is block-period or client-id-block-period. Specify the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule. The valid range is from 1 to 3,600 seconds (1 hour).
Default: 600

Variable: severity {High | Medium | Low | Info}
Description: When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

  • High
  • Medium
  • Low
  • Info

Default: Low

Variable: trigger-policy <policy>
Description: Select which trigger, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule.
Default: No default.

config members

Variable: <entry_index>
Description: Creates or edits a hash entry by index.
Default: No default.

Variable: type {trust-file | block-file}
Description: Select the matching behavior:

  • trust-file — Files with matching hashes bypass inspection by the File Security, Web Shell Detection, and DLP modules.

  • block-file — Files with matching hashes trigger the configured action and are treated as threats.

Default: trust-file

Variable: hash-type {md5 | sha256}
Description: Select the hash algorithm used for matching:

  • md5 — 128-bit hash, entered as a 32-character hex string.

  • sha256 — 256-bit hash, entered as a 64-character hex string.

Choose based on the format used by your threat intelligence or file analysis tools.

Default: md5

Variable: hash-value <hex_string>
Description: Enter the full MD5 or SHA256 hash string. This field is required and must match the selected hash-type.
Default: No default.

Variable: filename <filename>
Description: Specify the name of the File List to import. This file should be a plain text file with one hash per line (no headers or metadata).
Default: No default.

Variable: comment <optional_comment>
Description: Optional notes for internal use, such as the source of the hash (e.g., "TI feed May 2025" or "manually reviewed").
Default: No default.
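The matching flow described at the top of this page and the import-file format described under hash-type, hash-value and filename, worked through as an added Python example (this is not FortiWeb code): it parses a one-hash-per-line list, validates each hash-value against its hash-type, computes both digests of an upload as FortiWeb does, and returns the resulting file_list_flag. Inferring the hash-type from digest length, checking block-file entries before trust-file entries, and the sample files are assumptions of this example, not statements from the page.

```python
import hashlib

HASH_HEX_LEN = {"md5": 32, "sha256": 64}  # hex length per hash-type, per the CLI reference
SAMPLE_TRUSTED = b"constructed approved build artifact\n"  # constructed sample upload
SAMPLE_BLOCKED = b"constructed disallowed upload\n"        # constructed sample upload

def validate_hash(hash_type: str, hash_value: str) -> str:
    # hash-value must match the selected hash-type; return it normalized to lowercase.
    expected = HASH_HEX_LEN[hash_type]
    is_hex = all(c in "0123456789abcdefABCDEF" for c in hash_value)
    if len(hash_value) != expected or not is_hex:
        raise ValueError(f"{hash_type} hash-value must be {expected} hex characters")
    return hash_value.lower()

def parse_hash_list(text: str, entry_type: str) -> list:
    # Import format from the page: plain text, one hash per line, no headers.
    # Inferring hash-type from digest length is this example's assumption.
    entries = []
    for line in text.splitlines():
        h = line.strip()
        if not h:
            continue  # tolerate blank lines
        hash_type = {32: "md5", 64: "sha256"}.get(len(h))
        if hash_type is None:
            raise ValueError(f"unrecognized hash length in line {h!r}")
        entries.append({"type": entry_type, "hash-type": hash_type,
                        "hash-value": validate_hash(hash_type, h)})
    return entries

def evaluate_upload(data: bytes, members: list) -> str:
    # Compute both digests, as FortiWeb does, and return the file_list_flag.
    # Checking block-file before trust-file is an assumption; the page does not
    # say which wins when both entry types match the same file.
    digests = {"md5": hashlib.md5(data).hexdigest(),
               "sha256": hashlib.sha256(data).hexdigest()}
    for wanted, flag in (("block-file", "BLOCK"), ("trust-file", "TRUST")):
        for m in members:
            if m["type"] == wanted and digests[m["hash-type"]] == m["hash-value"]:
                return flag
    return "NONE"

def demo() -> dict:
    # Build two import lists from the constructed samples, then classify uploads.
    trust_list = hashlib.sha256(SAMPLE_TRUSTED).hexdigest().upper() + "\n"
    block_list = hashlib.md5(SAMPLE_BLOCKED).hexdigest() + "\n\n"
    members = parse_hash_list(trust_list, "trust-file") + parse_hash_list(block_list, "block-file")
    uploads = {"trusted": SAMPLE_TRUSTED, "blocked": SAMPLE_BLOCKED, "unknown": b"constructed unlisted upload\n"}
    return {name: evaluate_upload(data, members) for name, data in uploads.items()}
```

A file that matches no entry returns NONE and goes on to the normal File Security, Web Shell Detection and DLP checks; only a BLOCK result needs File Security enabled in the Web Protection Profile to be enforced.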
