Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config security waf cookie-security

Use this command to configure waf cookie-security.

Syntax

config security waf cookie-security

edit "test"

set security-mode <no / encrypted / signed>

set encrypted_cookie_type <all / list>

config cookie_list // if the encrypted cookie type is a list

edit 1

set cookie_name <name>

next

set cookie-replay <enable/disable> // if security mode is encrypted

set allow-suspicous-cookies < always/ never / custom > //if security mode is encrypted

set dont_block_until <date> // if allow-suspicous-cookies is custom

set action <action profile>

set remove-cookie <enable/disable>

set severity < high / medium / low >

set httponly <enable/disable>

set secure <enable/disable>

set max_age <integer> //default value is 0, range 0-2147483647

set exception <waf exception object>

next

end

config security waf cookie-security

WAF cookie security policy allows the user to configure features that prevent cookie-based attacks, features such as cookie poisoning detection.

security-mode < no/ encrypted/ signed >

No—does not apply cookie tampering protection or encrypted cookie.

Signed—Prevents tampering by tracking the cookie. This option requires that the client supports cookies.

When the virtual server receives the first HTTP(S) request from a client, it uses cookie to track the session. After receiving the first response from the back-end server, Forti ADC will append ADC_SIGNED_COOKIE in Set-Cookie and record it into session table. Since the session tracking cookie includes a hash value that FortiADC uses to detect tampering cookie, if FortiADC determines the cookie from the client has changed, it will takes the specified action.

Encrypted—FortiADC encrypts set-cookie values which have been sent from back-end web server to clients. Clients can only see the encrypted cookies. FortiADC also decrypts cookies which have been submitted by clients before sending them to the back-end server to determine if a cookie attack has been placed.

encrpyted_cookie_type <all / list>

Note: only for security-mode encrypted

All—will encrypt all the cookies.

List—will encrypt the cookie that match with the cookie-list.

config cookie_list

Note: only for security-mode encrypted and if encrypted_cookie_type is list.

The cookie to be encrypted.

cookie-replay <enable/disable>

Note: only for security-mode encrypted; optional.

Determines whether FortiADC uses the IP address of a request to determine the owner of the cookie.

Enable—If cookie replay is enabled, the client IP address will be appended to the set-cookie value before encryption. If X-forward header exists, FortiADC will use its IP. Otherwise src IP will become the client IP. Once FortiADC receives it, the cookie will be decrypted and FortiADC will check if the IP address matches with the client IP.

Since the public IP of a client is not static in many environments, we recommend that you do not enable cookie-replay.

allow-suspicous-cookies < always/ never/custom >

Note: only for security-mode encrypted.

Determines whether FortiADC allows requests that contain cookies which FortiADC does not recognize by encrypted cookie function or with missing cookies.

When cookie-replay is enabled, the suspicious cookie is a missing cookie that tracks the client IP address.

In many cases, when you first introduce the cookie security features, cookies that client browsers have cached earlier generate false positives. To avoid this problem, either select Never, or select Custom and enter an appropriate date on which to start taking the specified action against suspicious cookies.

Never—never allow suspicious cookies.

Always—always allow suspicious cookies.

Custom—Don't Block suspicious cookies Until dont_block_until specified date.

dont_block_until <date> // allow-suspicous-cookies is custom

Note: only for security-mode encrypted.

action <datasource>

WAF action.

severity < high / medium / low >

Log severity.

remove-cookie <enable/disable>

Note: for security-mode encrypted/signed.

Accepts the request, but removes the cookie before sending it to the backend web server.

httponly <enable/disable>

Note: cookie attribute.

Enable—add "HTTPOnly" flag to cookies. The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via "non-HTTP" APIs (such as a web browser API that exposes cookies to scripts).

Secure-cookie <enable/disable>

Note: cookie attribute.

Enable—adds the secure flag to cookies. The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel, typically HTTP over Transport Layer Security (TLS).

max_age <integer>

Note: cookie attribute.

Default value is 0 (do nothing), range 0- 65535.

Add the maximum age (in minutes) if the response from backend server does not have an “Expires” or “Max-Age” attribute.

exception <waf exception object>

Exception list for no/encrypted/ signed.

Example

Security-mode no

config security waf cookie-security

edit "security-no"

set security-mode no

set action <action waf profile>

set severity < high /medium / low >

set httponly <enable/disable>

set secure <enable/disable>

set max_age <integer> //default value is 0, range 0- 65535

set exception <waf exception object>

next

end

Security-mode signed

config security waf cookie-security

edit "security-signed"

set security-mode signed

set action <action waf profile>

set remove-cookie <enable/disable>

set severity < high /medium / low >

set httponly <enable/disable>

set secure <enable/disable>

set max_age <integer>//default value is 0, range 0- 65535

set exception <waf exception object>

next

Security-mode encrypted

config security waf cookie-security

edit "security-enc-list"

set security-mode encrypted

set encrpyted_cookie_type list (<all/list>)

config cookie_list //if the encrypted cookie type is list

edit 1

set cookie_name <name>

next

end

set cookie-replay <enable/disable>

set allow-suspicous-cookies <always/never/ custom>

set dont_block_until <date> // if allow-suspicous-cookies is custom

set action <action profile>

set remove-cookie <enable/disable>

set severity < high / medium / low >

set httponly <enable/disable>

set secure <enable/disable>

set max_age <integer>//default value is 0, range 0- 65535

set exception <waf exception object>

next

end

config security waf cookie-security

Use this command to configure waf cookie-security.

Syntax

config security waf cookie-security

edit "test"

set security-mode <no / encrypted / signed>

set encrypted_cookie_type <all / list>

config cookie_list // if the encrypted cookie type is a list

edit 1

set cookie_name <name>

next

set cookie-replay <enable/disable> // if security mode is encrypted

set allow-suspicous-cookies < always/ never / custom > //if security mode is encrypted

set dont_block_until <date> // if allow-suspicous-cookies is custom

set action <action profile>

set remove-cookie <enable/disable>

set severity < high / medium / low >

set httponly <enable/disable>

set secure <enable/disable>

set max_age <integer> //default value is 0, range 0-2147483647

set exception <waf exception object>

next

end

config security waf cookie-security

WAF cookie security policy allows the user to configure features that prevent cookie-based attacks, features such as cookie poisoning detection.

security-mode < no/ encrypted/ signed >

No—does not apply cookie tampering protection or encrypted cookie.

Signed—Prevents tampering by tracking the cookie. This option requires that the client supports cookies.

When the virtual server receives the first HTTP(S) request from a client, it uses cookie to track the session. After receiving the first response from the back-end server, Forti ADC will append ADC_SIGNED_COOKIE in Set-Cookie and record it into session table. Since the session tracking cookie includes a hash value that FortiADC uses to detect tampering cookie, if FortiADC determines the cookie from the client has changed, it will takes the specified action.

Encrypted—FortiADC encrypts set-cookie values which have been sent from back-end web server to clients. Clients can only see the encrypted cookies. FortiADC also decrypts cookies which have been submitted by clients before sending them to the back-end server to determine if a cookie attack has been placed.

encrpyted_cookie_type <all / list>

Note: only for security-mode encrypted

All—will encrypt all the cookies.

List—will encrypt the cookie that match with the cookie-list.

config cookie_list

Note: only for security-mode encrypted and if encrypted_cookie_type is list.

The cookie to be encrypted.

cookie-replay <enable/disable>

Note: only for security-mode encrypted; optional.

Determines whether FortiADC uses the IP address of a request to determine the owner of the cookie.

Enable—If cookie replay is enabled, the client IP address will be appended to the set-cookie value before encryption. If X-forward header exists, FortiADC will use its IP. Otherwise src IP will become the client IP. Once FortiADC receives it, the cookie will be decrypted and FortiADC will check if the IP address matches with the client IP.

Since the public IP of a client is not static in many environments, we recommend that you do not enable cookie-replay.

allow-suspicous-cookies < always/ never/custom >

Note: only for security-mode encrypted.

Determines whether FortiADC allows requests that contain cookies which FortiADC does not recognize by encrypted cookie function or with missing cookies.

When cookie-replay is enabled, the suspicious cookie is a missing cookie that tracks the client IP address.

In many cases, when you first introduce the cookie security features, cookies that client browsers have cached earlier generate false positives. To avoid this problem, either select Never, or select Custom and enter an appropriate date on which to start taking the specified action against suspicious cookies.

Never—never allow suspicious cookies.

Always—always allow suspicious cookies.

Custom—Don't Block suspicious cookies Until dont_block_until specified date.

dont_block_until <date> // allow-suspicous-cookies is custom

Note: only for security-mode encrypted.

action <datasource>

WAF action.

severity < high / medium / low >

Log severity.

remove-cookie <enable/disable>

Note: for security-mode encrypted/signed.

Accepts the request, but removes the cookie before sending it to the backend web server.

httponly <enable/disable>

Note: cookie attribute.

Enable—add "HTTPOnly" flag to cookies. The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via "non-HTTP" APIs (such as a web browser API that exposes cookies to scripts).

Secure-cookie <enable/disable>

Note: cookie attribute.

Enable—adds the secure flag to cookies. The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel, typically HTTP over Transport Layer Security (TLS).

max_age <integer>

Note: cookie attribute.

Default value is 0 (do nothing), range 0- 65535.

Add the maximum age (in minutes) if the response from backend server does not have an “Expires” or “Max-Age” attribute.

exception <waf exception object>

Exception list for no/encrypted/ signed.

Example

Security-mode no

config security waf cookie-security

edit "security-no"

set security-mode no

set action <action waf profile>

set severity < high /medium / low >

set httponly <enable/disable>

set secure <enable/disable>

set max_age <integer> //default value is 0, range 0- 65535

set exception <waf exception object>

next

end

Security-mode signed

config security waf cookie-security

edit "security-signed"

set security-mode signed

set action <action waf profile>

set remove-cookie <enable/disable>

set severity < high /medium / low >

set httponly <enable/disable>

set secure <enable/disable>

set max_age <integer>//default value is 0, range 0- 65535

set exception <waf exception object>

next

Security-mode encrypted

config security waf cookie-security

edit "security-enc-list"

set security-mode encrypted

set encrpyted_cookie_type list (<all/list>)

config cookie_list //if the encrypted cookie type is list

edit 1

set cookie_name <name>

next

end

set cookie-replay <enable/disable>

set allow-suspicous-cookies <always/never/ custom>

set dont_block_until <date> // if allow-suspicous-cookies is custom

set action <action profile>

set remove-cookie <enable/disable>

set severity < high / medium / low >

set httponly <enable/disable>

set secure <enable/disable>

set max_age <integer>//default value is 0, range 0- 65535

set exception <waf exception object>

next

end