
CLI Reference

server-policy pattern custom-global-white-list-group


Use this command to configure objects that will be exempt from scans.

This command applies to all server policies. If you want to define an allow list that applies only to a specific server policy, use config server-policy allow-list instead.

To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

    config server-policy pattern custom-global-white-list-group
      edit <entry_index>
        set status {enable | disable}
        set type {Cookie | Parameter | URL | Header_Field }
        set domain "<cookie_str>"
        set name "<name_str>"
        set path "<url_str>"
        set request-type {plain | regular}
        set domain-type {plain | regular}
        set name-type {plain | regular}
        set request-file-status {enable | disable}
        set domain-status {enable | disable}
        set request-file "<url_str>"
        set header-type {plain | regular}
        set value-status {enable | disable}
        set value-type {plain | regular}
        set value <header_value_string>
      next
    end

Variable Description Default

<entry_index>

Enter the index number of the individual rule in the table. The valid range is 1–9,223,372,036,854,775,807.

No default.

status {enable | disable}

Enable to exempt this object from all scans.

Default: enable

type {Cookie | Parameter | URL | Header_Field }

Indicate the type of the object. Depending on your selection, the remaining settings vary.

Default: URL

path "<url_str>"

Enter the path as it appears in the cookie, such as / or /blog/folder.

This setting is available if type {Cookie | Parameter | URL | Header_Field } is set to Cookie.

No default.

request-type {plain | regular}

Indicate whether the request-file "<url_str>" field contains a literal URL (plain), or a regular expression designed to match multiple URLs (regular).

This setting is available if type {Cookie | Parameter | URL | Header_Field } is set to URL.

Default: plain

domain-type {plain | regular}

Indicate whether the domain "<cookie_str>" field will contain a literal domain/IP address (plain), or a regular expression designed to match multiple domains/IP addresses (regular).

Default: plain

domain "<cookie_str>"

Enter the partial or complete domain name or IP address as it appears in the cookie, such as:

www.example.com

.google.com

192.0.2.50

If clients sometimes access the host via IP address instead of DNS, create allow list objects for both.

This setting is available if type {Cookie | Parameter | URL | Header_Field } is set to Cookie.

Caution: Do not allowlist untrusted subdomains that use vulnerable cookies. It could compromise the security of that domain and its network.

No default.

name-type {plain | regular}

Indicate whether the name "<name_str>" field will contain a literal parameter name (plain), or a regular expression designed to match all parameter names (regular).

Default: plain

name "<name_str>"

Depending on your selection in type {Cookie | Parameter | URL | Header_Field }, either:

  • Enter the name of the cookie as it appears in the HTTP request, such as NID.
  • Enter the name of the parameter as it appears in the HTTP URL or body, such as rememberme.

This setting is available if type {Cookie | Parameter | URL | Header_Field } is set to Cookie, Parameter, or Header_Field.

No default.

request-file-status {enable | disable}

Enable to apply this rule only to HTTP requests for specific URLs.

If enabled, also configure request-file "<url_str>".

Default: disable

domain-status {enable | disable}

Enable to apply this rule only to HTTP requests for specific domains.

If enabled, also configure domain "<cookie_str>".

Default: disable

request-file "<url_str>"

Depending on your selection in the request-type {plain | regular} field, enter either:

  • The literal URL, such as /robots.txt, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
  • A regular expression, such as ^/*.html, matching all and only the URLs to which the rule should apply. The pattern does not require a slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.html.

Do not include the domain name, such as www.example.com.

This setting is available if type {Cookie | Parameter | URL | Header_Field } is set to URL.

header-type {plain | regular}

Indicate whether the type field will contain a literal name (plain), or a regular expression designed to match multiple names (regular).

Default: plain

value-status {enable | disable}

Enable to also check the value of the HTTP header. Only the HTTP headers which match both the name and the value will be allowlisted.

Default: disable

value-type {plain | regular}

Indicate whether the value <header_value_string> field will contain a literal value (plain), or a regular expression designed to match multiple values (regular).

Default: plain

value <header_value_string>

The value of the HTTP header.

Depending on your selection in the value-type field, enter either a literal value or a regular expression.

No default.

Example

This example exempts requests for robots.txt from most scans.

    config server-policy pattern custom-global-white-list-group
      edit 1
        set request-file "/robots.txt"
      next
    end
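Because an entry in this table is exempt from scans under every server policy, a request-file pattern used with request-type regular is worth checking against the paths it is meant to cover, and the paths it is not, before it is committed. The following is an added example, not part of the Fortinet reference: it audits the sample pattern quoted under request-file and a tighter candidate. The paths, the STRICT_HTML pattern and the function names are constructed for illustration, and it assumes PCRE-style search semantics, which Python's re.search reproduces for these patterns.

```python
import re

# Constructed request paths (no host part, as request-file expects).
SAMPLE_PATHS = [
    "/index.html",
    "/docs/guide.html",
    "/xhtml",
    "/.html-old/page.php",
    "/index.html.bak",
    "/robots.txt",
]

# Candidate request-file values for request-type regular.
PAGE_SAMPLE = r"^/*.html"     # sample pattern quoted in the reference text
STRICT_HTML = r"^/.*\.html$"  # hypothetical tighter alternative (assumption)

def exempted(pattern, paths=SAMPLE_PATHS):
    """Return the paths an allow-list entry with this regex would exempt.

    Assumption: the appliance applies PCRE-style search semantics; confirm
    the result against the appliance's own behaviour before relying on it.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]

def audit(pattern, must_match, must_not_match):
    """Compare what a pattern exempts against the operator's intent."""
    rx = re.compile(pattern)
    missed = [p for p in must_match if not rx.search(p)]
    leaked = [p for p in must_not_match if rx.search(p)]
    return {"missed": missed, "leaked": leaked, "ok": not missed and not leaked}

# Operator intent for this constructed case: exempt only paths ending in .html.
INTENDED = ["/index.html", "/docs/guide.html"]
NOT_INTENDED = ["/xhtml", "/.html-old/page.php", "/index.html.bak", "/robots.txt"]

if __name__ == "__main__":
    for label, pat in (("page sample", PAGE_SAMPLE), ("strict", STRICT_HTML)):
        print(label, pat, audit(pat, INTENDED, NOT_INTENDED))
```

Under these semantics the unescaped dot and the `/*` quantifier make the quoted sample behave differently from a glob: it misses /index.html and exempts /xhtml, while the anchored, escaped form covers only paths ending in .html.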
