CLI Reference

system advanced

Use this command to configure several system-wide options that determine how FortiWeb scans traffic.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system advanced

set circulate-url-decode {enable | disable}

set decoding-enhancement {enable | disable}

set max-cache-size <cache_int>

set max-dlp-cache-size <percentage_int>

set max-dos-alert-interval <seconds_int>

set share-ip {enable | disable}

set anypktstream {enable | disable}

set max-bot-alert-interval <interval_int>

set ignore-undefined-query-param {enable | disable}

set key-attr {enable | disable}

set key-max-length <int>

set key-printable {enable | disable}

set owasp-top10-compliance {enable | disable}

end

Variable Description Default

circulate-url-decode {enable | disable}

Enable to detect URL-embedded attacks that are obfuscated using recursive URL encoding (that is, multiple levels’ worth of URL encoding).

Encoded URLs can be legitimately used for non-English URLs, but can also be used to avoid detection of attacks that use special characters. Encoded URLs can now be decoded to scan for these types of attacks. Several encoding types are supported.

For example, you could detect the character A that is encoded as either %41, %x41, %u0041, or \t41.

Disable to decode only one level’s worth of the URL, if encoded.

Default: enable
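To show why a single decoding pass is not enough, here is an added example (not FortiWeb's own code) of a decoder that understands the %41, %x41, %u0041 and \t41 forms listed above and, in circulate mode, repeats until the string stops changing; a constructed `<script` pattern stands in for a signature. Treating \t41 as a hex byte and the iteration cap are assumptions.

```python
import re

# One regex covering the encoding forms the page lists for the letter A.
# Order matters: %u and %x must be tried before the plain %hh form.
_ENCODED = re.compile(
    r"%u([0-9a-fA-F]{4})"     # %u0041 (IIS-style Unicode escape)
    r"|%x([0-9a-fA-F]{2})"    # %x41
    r"|%([0-9a-fA-F]{2})"     # %41 (standard percent encoding)
    r"|\\t([0-9a-fA-F]{2})"   # \t41 as given on the page (assumed hex byte)
)


def decode_once(s: str) -> str:
    """Decode exactly one level, as with circulate-url-decode disabled."""
    def repl(m):
        for g in m.groups():
            if g is not None:
                return chr(int(g, 16))
        return m.group(0)
    return _ENCODED.sub(repl, s)


def decode_recursive(s: str, max_levels: int = 8) -> tuple:
    """Decode until nothing changes, as with circulate-url-decode enabled.
    Returns (decoded, levels_applied); max_levels bounds the loop so a
    crafted input cannot keep the decoder spinning."""
    levels = 0
    while levels < max_levels:
        nxt = decode_once(s)
        if nxt == s:
            break
        s, levels = nxt, levels + 1
    return s, levels


# Constructed stand-in for a WAF signature.
SIGNATURE = re.compile(r"<script", re.IGNORECASE)


def is_detected(url: str, circulate: bool) -> bool:
    """Apply the signature after one-level or recursive decoding."""
    decoded = decode_recursive(url)[0] if circulate else decode_once(url)
    return SIGNATURE.search(decoded) is not None
```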

decoding-enhancement {enable | disable}

Enable to decode cookies and parameters using base64 or CSS for specified URLs. To configure decoding enhancement, see system decoding enhancement.

Default: disable

max-cache-size <cache_int>

Type the maximum size (in KB) of the body of the HTTP response from the web server that FortiWeb will cache per URL for body compression, decompression, rewriting, and XML detection.

Increasing the body cache may decrease performance.

Valid values range from 32 to 10240. The default value is 64.

Default: 512

max-dlp-cache-size <percentage_int>

Type the maximum percentage of max-cache-size <cache_int>—the body of the HTTP response from the web server—that FortiWeb buffers and scans.

Responses are cached to improve performance on compression, decompression, and rewriting on often-requested URLs.

Default: 12

max-dos-alert-interval <seconds_int>

Type the maximum period, in seconds, during which FortiWeb combines repeated events from a DoS attack or padding oracle attack into a single log message.

Default: 180

share-ip {enable | disable}

Enable to analyze the ID field of IP headers in order to attempt to detect when multiple clients share the same source IP address. To configure the difference between packets’ ID fields that FortiWeb will treat as a shared IP, see system ip-detection.

Enabling this option is required for features that have a separate threshold for shared IP addresses. If you disable the option, those features will behave as if there is only a single threshold, regardless of whether the source IP is shared by many clients.

Default: disable

anypktstream {enable | disable}

Enable to configure FortiWeb to scan partial TCP connections.

In some cases, FortiWeb is deployed after a client has already created a connection with a back-end server. If this option is disabled, FortiWeb ignores any traffic that is part of a pre-existing session.

Default: disable

max-bot-alert-interval <interval_int>

Type the interval, in seconds, at which FortiWeb sends an attack log during a bot attack. The valid range is 0-300 seconds.

Default: 60

ignore-undefined-query-param {enable | disable}

Enable to bypass undefined query parameters in policies.

Default: disable

key-attr {enable | disable}

Requests with certain content types, such as PDF, tend to have extremely long parameter names or non-printable characters. While these characteristics are legitimate, they are prone to triggering signatures, resulting in unnecessary resource consumption and numerous false positives.

To avoid such situations, you can enable key-attr. This feature allows requests with extremely long parameter names or non-printable characters to bypass scanning and be directly forwarded to the back-end server.

However, it's important to note that in certain content types listed below, an unusually long parameter name or non-printable characters can actually be an indicator of attacks. In these cases, FortiWeb will conduct a security scan on requests with these content types, regardless of the key-attr settings. Additionally, if the content-type header is absent, the request will be treated as high-risk, prompting a security scan as well.

  • multipart

  • soap+xml

  • text/xml, application/xml, application/vnd.syncml+xml, application/vnd.ms-sync.wbxml

  • multipart/form-data (boundary is required)

  • text/html

  • application/x-www-form-urlencoded

  • text/plain

  • text/css

  • application/x-javascript

  • multipart/x-mixed-replace

  • application/javascript

  • text/javascript

  • application/rss+xml

  • message/HTTP

  • application/json, text/json

  • all other application/...xml

Default: disable

key-max-length <int>

If the parameter name exceeds the max length value you have specified, FortiWeb will skip the security check and directly pass it on to the back-end server.

The valid range is 1-1,024.

Default: 1024

key-printable {enable | disable}

If this option is enabled, all characters in the parameter name must be printable; if any character is non-printable, FortiWeb skips the security check and passes the request directly to the back-end server.

If this option is disabled, the parameter name is sent for the security check regardless of whether its characters are printable.

Default: disable
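The scan-or-bypass decision described under key-attr, key-max-length and key-printable, written here as an added example for this page rather than taken from FortiWeb. How the Content-Type header is compared (bare media type with parameters stripped, case-folded, prefix match for multipart and for "all other application/...xml") is an assumption.

```python
# Content types the page lists as always scanned, whatever key-attr is set to.
# Comparing the bare media type (parameters stripped, case-folded) is an assumption.
ALWAYS_SCAN = {
    "text/xml", "application/xml", "application/vnd.syncml+xml",
    "application/vnd.ms-sync.wbxml", "text/html", "text/plain", "text/css",
    "application/x-www-form-urlencoded", "application/x-javascript",
    "multipart/x-mixed-replace", "application/javascript", "text/javascript",
    "application/rss+xml", "message/http", "application/json", "text/json",
}


def is_high_risk_content_type(content_type):
    """True when the request is scanned regardless of the key-attr setting."""
    if content_type is None:                    # absent header: treated as high-risk
        return True
    media = content_type.split(";", 1)[0].strip().lower()
    if media == "multipart/form-data":          # page: boundary is required
        return "boundary=" in content_type.lower()
    if media in ALWAYS_SCAN or media.startswith("multipart/"):
        return True
    if media.endswith("soap+xml"):              # "soap+xml" entry on the page
        return True
    # "all other application/...xml": assumed to mean any application/* ending in xml
    return media.startswith("application/") and media.endswith("xml")


def should_scan_param_name(name, content_type, key_attr,
                           key_max_length=1024, key_printable=False):
    """True if the parameter name goes through signature scanning,
    False if key-attr lets the request bypass straight to the back end."""
    if not key_attr or is_high_risk_content_type(content_type):
        return True
    if len(name) > key_max_length:              # key-max-length exceeded: bypass
        return False
    if key_printable and not name.isprintable():  # non-printable name: bypass
        return False
    return True
```

Note that with key-attr enabled, a request whose Content-Type is not in the high-risk set (application/pdf here) and whose parameter name is over key-max-length is forwarded without the signature check.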

owasp-top10-compliance {enable | disable}

Enable this option so that the OWASP Top10 Compliance dashboard will display as one of the monitors in Dashboard. It provides visibility into the level of security your applications have in terms of protection from OWASP (Open Web Application Security Project) vulnerabilities.

Default: disable

Related topics