Fortinet black logo

CLI Reference

config security waf allowed-origin

config security waf allowed-origin

Use this command to configure the Allowed Origin List for Cross-Origin Resource Sharing (CORS) Protection.

The Allowed Origin List specifies the allowed domains using the HTTP response header. The header can contain either a * to indicate that all domains are allowed OR a specified domain to indicate the specified allowed domain.

Allowed Origin can only take effect in the CORS Protection rule when the Apply to All CORS Traffic is disabled. In the CORS Protection Rule List configuration, the Apply to All CORS Traffic option is disabled by default, which then requires you to apply an Allowed Origin List for the CORS Protection rule. If the Allowed Origin List is not applied, the CORS Protection rule would not work as the empty list would not match the condition.

Enabling the Apply to All CORS Traffic option hides the Allowed Origin option, making it inapplicable to the CORS Protection rule.

Syntax

config security waf allowed-origin

edit <name>

config allowed-origin-list

edit <name>

set protocol {HTTP|HTTPS|ANY}

set origin-name <string>

set port <integer>

set include-sub-domains {enable|disable}

next

end

next

end

protocol

Specify which type of protocols are allowed for the connections between foreign applications and your application.

  • HTTP

  • HTTPS

  • ANY

The default is HTTP.

origin-name

Enter the foreign application's domain name or IP address.

Wildcards are supported. (Range: 1-128 characters).

port Specify the TCP port number for the CORS connections. (Range: 0-65535; default: 80).
include-sub-domains

Enable/disable to allow/disallow the Origin Value to match with the domains of its sub level.

This is disabled by default.

Example

config security waf allowed-origin

edit "1"

config allowed-origin-list

edit 1

set protocol ANY

set origin-name *

set port 0

set include-sub-domains enable

next

end

next

end

config security waf allowed-origin

config security waf allowed-origin

Use this command to configure the Allowed Origin List for Cross-Origin Resource Sharing (CORS) Protection.

The Allowed Origin List specifies the allowed domains using the HTTP response header. The header can contain either a * to indicate that all domains are allowed OR a specified domain to indicate the specified allowed domain.

Allowed Origin can only take effect in the CORS Protection rule when the Apply to All CORS Traffic is disabled. In the CORS Protection Rule List configuration, the Apply to All CORS Traffic option is disabled by default, which then requires you to apply an Allowed Origin List for the CORS Protection rule. If the Allowed Origin List is not applied, the CORS Protection rule would not work as the empty list would not match the condition.

Enabling the Apply to All CORS Traffic option hides the Allowed Origin option, making it inapplicable to the CORS Protection rule.

Syntax

config security waf allowed-origin

edit <name>

config allowed-origin-list

edit <name>

set protocol {HTTP|HTTPS|ANY}

set origin-name <string>

set port <integer>

set include-sub-domains {enable|disable}

next

end

next

end

protocol

Specify which type of protocols are allowed for the connections between foreign applications and your application.

  • HTTP

  • HTTPS

  • ANY

The default is HTTP.

origin-name

Enter the foreign application's domain name or IP address.

Wildcards are supported. (Range: 1-128 characters).

port Specify the TCP port number for the CORS connections. (Range: 0-65535; default: 80).
include-sub-domains

Enable/disable to allow/disallow the Origin Value to match with the domains of its sub level.

This is disabled by default.

Example

config security waf allowed-origin

edit "1"

config allowed-origin-list

edit 1

set protocol ANY

set origin-name *

set port 0

set include-sub-domains enable

next

end

next

end