CLI Reference

system certificate hpkp

Use this command to configure an HTTP Public Key Pinning (HPKP) rule.

HPKP is a security feature in which FortiWeb inserts a cryptographic public key in server responses that clients then use to access a server. HPKP prevents attackers from carrying out Man in the Middle (MITM) attacks with forged certificates.

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config system certificate hpkp
    edit <hpkp_name>
        set max-age <integer>
        set pin-sha256 <base64_pin>
        set report-only {enable | disable}
        set report-uri <report_url>
        set subdomains {enable | disable}
    next
end

Variable Description Default

<hpkp_name>

Enter a name for the HPKP profile. You will use this name to select the profile in other parts of the configuration. The maximum length is 63 characters.

No default.

max-age <integer>

Enter an interval in which the client will use the SPKI fingerprint to attempt to access the server. The valid range is 0–31536000; the default value is 1296000. If you enter a value of 0, the cached pinning policy information will be removed.

1296000

pin-sha256 <base64_pin>

Enter a Base64 encoded SPKI fingerprint. Enter at least two pins, and at most five pins. At least one pin serves as a backup and must not refer to an SPKI fingerprint in a current certificate chain.

No default.

report-only {enable | disable}

Enable so that FortiWeb will send reports to the specified report-uri, if any, and allow the client to connect to the server when there is a pin validation failure.

Disable so that FortiWeb will send reports to the specified report-uri, if any, and prevent the client from connecting to the server when there is a pin validation error.

enable

report-uri <report_url>

Enter a URL that FortiWeb will send pin validation failures to.

No default.

subdomains {enable | disable}

Enable to apply the public key pinning rule to all of the server's subdomains.

disable

Example

This example creates a public key pinning profile called hpkp_1 with two pins.

config system certificate hpkp
    edit hpkp_1
        set max-age 1296000
        set pin-sha256 cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs= M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=
        set report-only disable
        set report-uri https://www.example.org/hpkp-report
        set subdomains enable
    next
end
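The following Python script is an added illustration, not part of the FortiWeb documentation or product, of the constraints described in the variable table above and of the example profile: it computes a pin-sha256 value from a DER SubjectPublicKeyInfo, checks a profile against the documented limits (2 to 5 pins, max-age 0 to 31536000, a backup pin that is not in the served chain), renders the profile as the CLI block shown above, and renders the response header a client would receive. The header format and the seconds unit for max-age follow RFC 7469; the assumption that report-only enable corresponds to the RFC's Public-Key-Pins-Report-Only header, the HpkpProfile class and every function name are this example's own, and the "served chain" pin list and the SPKI bytes passed to spki_pin are constructed sample data.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_AGE_LIMIT = 31536000   # upper bound of the max-age range documented above (seconds, per RFC 7469)
DEFAULT_MAX_AGE = 1296000  # documented default (15 days in seconds)
MIN_PINS, MAX_PINS = 2, 5  # documented pin count limits


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value = base64(SHA-256(DER-encoded SubjectPublicKeyInfo)), per RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_pin_from_public_key_pem(pem: str) -> str:
    """A PEM 'PUBLIC KEY' body is the DER SPKI, so stripping the armor is enough."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    return spki_pin(base64.b64decode("".join(body.split()), validate=True))


@dataclass
class HpkpProfile:                     # hypothetical model of one 'system certificate hpkp' entry
    name: str
    pins: List[str]
    max_age: int = DEFAULT_MAX_AGE
    report_only: bool = True           # documented default: enable
    report_uri: Optional[str] = None
    subdomains: bool = False           # documented default: disable


def validate_profile(profile: HpkpProfile, served_chain_pins: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the profile passes every documented check."""
    problems: List[str] = []
    if not profile.name or len(profile.name) > 63:
        problems.append("name must be 1-63 characters")
    if not 0 <= profile.max_age <= MAX_AGE_LIMIT:
        problems.append(f"max-age must be in 0-{MAX_AGE_LIMIT}")
    if not MIN_PINS <= len(profile.pins) <= MAX_PINS:
        problems.append(f"need between {MIN_PINS} and {MAX_PINS} pins")
    for pin in profile.pins:
        try:
            raw = base64.b64decode(pin, validate=True)
        except ValueError:             # binascii.Error is a ValueError subclass
            raw = b""
        if len(raw) != 32:
            problems.append(f"pin is not a base64 SHA-256 digest: {pin}")
    served = set(served_chain_pins)
    # Backup rule: at least one pin must NOT be in the chain the server currently serves,
    # so the site stays reachable after a key rotation.
    if not any(p not in served for p in profile.pins):
        problems.append("no backup pin: every pin matches the served chain")
    # And at least one pin MUST match the served chain, or clients will not accept the policy.
    if not any(p in served for p in profile.pins):
        problems.append("no pin matches the served chain")
    return problems


def to_cli(profile: HpkpProfile) -> str:
    """Render the profile as the CLI block documented on this page."""
    lines = [
        "config system certificate hpkp",
        f"    edit {profile.name}",
        f"        set max-age {profile.max_age}",
        "        set pin-sha256 " + " ".join(profile.pins),
        f"        set report-only {'enable' if profile.report_only else 'disable'}",
    ]
    if profile.report_uri:
        lines.append(f"        set report-uri {profile.report_uri}")
    lines.append(f"        set subdomains {'enable' if profile.subdomains else 'disable'}")
    lines += ["    next", "end"]
    return "\n".join(lines)


def build_header(profile: HpkpProfile) -> str:
    """Render the RFC 7469 response header a client would receive for this profile.
    Assumption: report-only enable maps to Public-Key-Pins-Report-Only (report, never block)."""
    name = "Public-Key-Pins-Report-Only" if profile.report_only else "Public-Key-Pins"
    directives = [f'pin-sha256="{p}"' for p in profile.pins]
    directives.append(f"max-age={profile.max_age}")
    if profile.subdomains:
        directives.append("includeSubDomains")
    if profile.report_uri:
        directives.append(f'report-uri="{profile.report_uri}"')
    return f"{name}: " + "; ".join(directives)


# The hpkp_1 profile from the example above (pins taken from the page).
PAGE_EXAMPLE = HpkpProfile(
    name="hpkp_1",
    pins=["cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=",
          "M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="],
    max_age=1296000, report_only=False,
    report_uri="https://www.example.org/hpkp-report", subdomains=True,
)

if __name__ == "__main__":
    # Constructed assumption: the server currently serves the key behind the first pin only.
    print(validate_profile(PAGE_EXAMPLE, [PAGE_EXAMPLE.pins[0]]))   # []
    print(to_cli(PAGE_EXAMPLE))
    print(build_header(PAGE_EXAMPLE))
```

Run it to see the rendered CLI block and the header; pass the profile's full pin list as served_chain_pins to see the backup-pin check fail, which is the misconfiguration that leaves a site unreachable after its only pinned key is rotated.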

Related topics