
config security waf profile

Use this command to configure web application firewall (WAF) profiles. A WAF profile references the WAF policies that are to be enforced.

In many cases, you can use predefined profiles to get started. Table 16 describes the three predefined profiles.

Table 16: Predefined WAF profiles

Predefined Rules        Description
---------------------   ---------------------------------------------------------------
High-Level-Security     HTTP protocol constraints policy: High-Level-Security
                        SQL injection and XSS detection policy: High-Level-Security
Medium-Level-Security   HTTP protocol constraints policy: Medium-Level-Security
                        SQL injection and XSS detection policy: Medium-Level-Security
Alert-Only              HTTP protocol constraints policy: Alert-Only
                        SQL injection and XSS detection policy: Alert-Only

The configurations for these profiles are shown in the examples that follow. If desired, you can create user-defined profiles.

Before you begin:

  • You can use predefined WAF profiles, create profiles based on predefined feature options, or create profiles based on user-defined configuration objects. If you want to add user-defined configuration objects, you must create them before using this command to add them to a WAF profile.
  • You must have read-write permission for security settings.

After you have created a WAF profile, you can specify it in a virtual server configuration.

Syntax

config security waf profile
  edit <name>
    set advanced-protection <datasource>
    set bot-detection <datasource>
    set brute-force-login <datasource>
    set cookie-security <datasource>
    set csrf-protection <datasource>
    set data-leak-prevention <datasource>
    set description <string>
    set exception <datasource>
    set heuristic-sql-xss-injection-detection <datasource>
    set http-header-cache {enable|disable}
    set http-protocol-constraint <datasource>
    set input-validation-policy <datasource>
    set cors-protection <datasource>
    set json-validation <datasource>
    set openapi-validation <datasource>
    set url-protection <datasource>
    set web-attack-signature <datasource>
    set xml-validation <datasource>
    set body-decode-length <integer>
    set multiple-decode-loop <integer>
    set body-decode-type {xml | html | json}
  next
end

exception

Specify an exception configuration object.

bot-detection

Specify a user-defined configuration object.

description

A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use.

heuristic-sql-xss-injection-detection

Specify a predefined or user-defined configuration object.

http-protocol-constraint

Specify a predefined or user-defined configuration object.

url-protection

Specify a predefined or user-defined configuration object.

web-attack-signature

Specify a predefined or user-defined configuration object.

http-header-cache

Enable/disable caching of HTTP headers. Enabled by default. If you experience performance issues, you can disable it. Note, however, that the cached HTTP headers are used to populate fields in the logs generated by HTTP body scanning, so those log entries lose header detail when caching is disabled.

Can only be set with the CLI.

input-validation-policy

Specify a predefined or user-defined configuration object.

cors-protection

Specify a predefined or user-defined configuration object.

xml-validation

Specify a predefined or user-defined configuration object.

json-validation

Specify a predefined or user-defined configuration object.

openapi-validation

Specify a predefined or user-defined configuration object.

body-decode-length

Specify the body decode length in bytes (range: 0 - 4194304 B; default: 1024 B).

multiple-decode-loop

Specify how many times the multiple decode loop runs (range: 0 - 16; default: 6).

body-decode-type

Specify the body decode type.

Note: This only applies when the corresponding validation function is enabled.

Example

FortiADC-docs # get security waf profile High-Level-Security
web-attack-signature : High-Level-Security
url-protection :
http-protocol-constraint : High-Level-Security
heuristic-sql-xss-injection-detect: High-Level-Security
description :
http-header-cache : enable
exception :

FortiADC-docs # get security waf profile Medium-Level-Security
web-attack-signature : Medium-Level-Security
url-protection :
http-protocol-constraint : Medium-Level-Security
heuristic-sql-xss-injection-detect: Medium-Level-Security
description :
http-header-cache : enable
exception :

FortiADC-docs # get security waf profile Alert-Only
web-attack-signature : Alert-Only
url-protection :
http-protocol-constraint : Alert-Only
heuristic-sql-xss-injection-detect: Alert-Only
description :
http-header-cache : enable
exception :

FortiADC-docs # config security waf profile
FortiADC-docs (profile) # edit eval
Add new entry 'eval' for node 3000
FortiADC-docs (eval) # get
web-attack-signature :
url-protection :
http-protocol-constraint :
heuristic-sql-xss-injection-detect:
bot-detection:
description :
http-header-cache : enable
exception :
FortiADC-docs (eval) # set web-attack-signature Alert-Only
FortiADC-docs (eval) # set http-protocol-constraint Alert-Only
FortiADC-docs (eval) # set heuristic-sql-xss-injection-detect Alert-Only
FortiADC-docs (eval) # set exception exception-group
FortiADC-docs (eval) # set description "evaluate alert-only and exception list"
FortiADC-docs (eval-alert-onl~-) # end
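The output of get security waf profile is plain "name : value" text, which makes it easy to audit offline. The following Python script is an added example, not Fortinet code: it parses a transcript of that output in the layout shown above into per-profile settings, flags policy fields that are empty (the protection is not applied) or that reference the Alert-Only policy (alerting rather than enforcing), flags a disabled http-header-cache, and checks body-decode-length and multiple-decode-loop against the ranges stated in the parameter descriptions. The transcript in SAMPLE_OUTPUT is constructed for this example; the eval profile's disabled header cache and oversized body-decode-length are invented values and do not come from the reference page.

```python
import re

# Integer settings and the ranges the CLI reference gives for them.
INT_RANGES = {
    "body-decode-length": (0, 4194304),
    "multiple-decode-loop": (0, 16),
}

# Fields that reference a WAF policy object. An empty value means the
# profile applies no policy of that kind at all.
POLICY_FIELDS = (
    "web-attack-signature",
    "url-protection",
    "http-protocol-constraint",
    "heuristic-sql-xss-injection-detect",
    "bot-detection",
)

# Prompt line that starts one profile's output in a 'get' transcript.
GET_RE = re.compile(r"^\S+ # get security waf profile (\S+)\s*$")
# One 'name : value' output line; the value may be empty.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*:\s*(.*?)\s*$")


def parse_transcript(text):
    """Split a CLI transcript into {profile_name: {field: value}}."""
    profiles = {}
    current = None
    for line in text.splitlines():
        m = GET_RE.match(line)
        if m:
            current = profiles.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return profiles


def audit_profile(settings):
    """Return (field, message) findings for settings that weaken enforcement
    or fall outside the documented ranges. Fields absent from the output are
    skipped, since not every release prints every field."""
    findings = []
    for f in POLICY_FIELDS:
        if f not in settings:
            continue
        if settings[f] == "":
            findings.append((f, "no policy referenced; this protection is not applied"))
        elif settings[f] == "Alert-Only":
            findings.append((f, "Alert-Only policy: detections are alerted, not enforced"))
    if settings.get("http-header-cache") == "disable":
        findings.append(("http-header-cache",
                         "disabled: body-scan log entries lose their header fields"))
    for key, (lo, hi) in INT_RANGES.items():
        raw = settings.get(key, "")
        if raw == "":
            continue
        if not raw.isdigit() or not lo <= int(raw) <= hi:
            findings.append((key, f"value {raw!r} outside documented range {lo}-{hi}"))
    return findings


def audit_transcript(text):
    """Audit every profile found in a transcript; returns {name: findings}."""
    return {name: audit_profile(s) for name, s in parse_transcript(text).items()}


# Constructed sample transcript in the layout the CLI prints (not real output).
SAMPLE_OUTPUT = """\
FortiADC-docs # get security waf profile High-Level-Security
web-attack-signature : High-Level-Security
url-protection :
http-protocol-constraint : High-Level-Security
heuristic-sql-xss-injection-detect: High-Level-Security
description :
http-header-cache : enable
exception :
FortiADC-docs # get security waf profile eval
web-attack-signature : Alert-Only
url-protection :
http-protocol-constraint : Alert-Only
heuristic-sql-xss-injection-detect: Alert-Only
bot-detection:
description : evaluate alert-only and exception list
http-header-cache : disable
exception : exception-group
body-decode-length : 8388608
"""

if __name__ == "__main__":
    for name, findings in audit_transcript(SAMPLE_OUTPUT).items():
        print(f"{name}: {len(findings)} finding(s)")
        for field, msg in findings:
            print(f"  {field}: {msg}")
```

Run it against a saved transcript of your own profiles to see which ones only alert, which leave a policy slot empty, and which carry decode settings outside the documented range before you bind them to a virtual server.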