Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 8.0.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    8.0.0
    8.0.0
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.0
    6.0.4
    6.0.3
    6.0.1
    6.0.0

    system web-service

    system web-service

    Use this command to configure web services on FortiMail, such as:

    • webmail or personal quarantines

    • Microsoft 365 or Google cloud connector API

    • administrative GUI

    • REST API

    including redirects, enabling the REST API, and rate limits to prevent abuse.

    If HTTPS or HTTP requests occur through a proxy or load balancer, for accurate logging, rate limits, and repeat offender control, consider client-ip-x-header-status {enable | disable}.

    Valid value ranges for certain commands vary by FortiMail model. See FortiMail Maximum Values.

    Syntax

    config system web-service

    set https-redirect-status {enable | disable}

    set https-redirect-host <fortimail_fqdn>

    set webmail-session-ttl <seconds_int>

    set rest-api-status {enable | disable}

    set client-ip-x-header-status {enable | disable}

    set client-ip-x-header-name <key_str>

    set max-concurrent-request-all <limit_int>

    set max-concurrent-request-per-ip <limit_int

    set max-concurrent-request-admin <limit_int>

    set max-concurrent-request-webmail <limit_int>

    set max-concurrent-request-ms365 <limit_int>

    set max-concurrent-request-restful <limit_int>

    config exempt-list

    edit <list_index>

    set <client_ipv4mask>

    next

    end

    set max-active-session-admin <limit_int>

    set max-active-session-restful <limit_int>

    set max-request-rate-admin <limit_int>

    set max-request-rate-webmail <limit_int>

    set max-request-rate-ms365 <limit_int>

    set max-request-rate-restful <limit_int>

    set repeat-offender-status {enable | disable}

    set repeat-offender-count <limit_int>

    set repeat-offender-period <minutes_int>

    config repeat-offender-exempt-list

    edit <list_index>

    set ip-address <client_ipv4>

    next

    end

    end

    Variable

    Description

    Default

    <client_ipv4mask>

    Enter an IP address and netmask that you want to exempt from concurrent request rate limits.

    <list_index>

    Enter a number to identify the entry in the table.

    client-ip-x-header-name <key_str>

    Enter the name of the HTTP X-header. Do not include the colon ( : ) after the name.

    This setting is used if client-ip-x-header-status {enable | disable} is enable.

    X-Real-IP

    client-ip-x-header-status {enable | disable}

    Enable to identify the IP addresses of clients behind a proxy or load balancer by using an HTTP X-header. Also configure client-ip-x-header-name <key_str>.

    In a network topology where web service clients connect through a proxy, load balancer, or web application firewall (for example, a FortiWeb that is not transparent), the source IP address in the IP packet header is changed to be the proxy itself instead of the original client. Therefore if any attacker or misconfigured agent exceeds the limits, then FortiMail would block the proxy — and therefore all innocent clients that connect through the proxy — not only the bad client. Log messages would also indicate that the problem is the proxy, instead of the real endpoint. To solve this:

    1. On the upstream proxy:

      1. Choose which X-header will identify the original client.

        To see whether an X-header is already being used in requests, you can use a packet capture tool.

      2. If the X-header does not exist in requests yet, insert it with the original client's public IP address.

        RFC 1918 private network addresses are not globally unique identifiers, and should not be used to avoid effecting other clients with the same private network address. Due to network address translation (NAT), however, multiple clients still could be behind the same public IP address. This is a known limitation of networks with NAT.

      3. If the X-header exists in requests already, but either it contains a list of multiple addresses, or it was not inserted by a trusted proxy that you control, then replace it with the original client's public IP address or, if that cannot be done, remove the header.

        Lists, if any, start with the original client IP address but may be in order of left-to-right, or right-to-left. Keep only the first public IP address, relative to that direction. For example, if this header is left-to-right:

        X-Forwarded-For: 10.0.0.1, 1.1.1.1, 2.2.2.2, 192.168.0.2

        then replace it with:

        X-Forwarded-For: 1.1.1.1

      4. On FortiMail, enable client-ip-x-header-status {enable | disable} and enter the name of the X-header.

        Caution

        Do not enable this setting unless you are sure that only a trusted proxy can insert the X-header. X-headers are not encrypted nor authenticated, and could be forgeries.

        If you enable the setting but the X-header does not exist or is empty, FortiMail will act as if the setting is disabled, and instead use the source IP address In the IP header.

    disable
    https-redirect-host <fortimail_fqdn>

    Enter the fully qualified domain name (FQDN) to use to use in HTTPS redirects for the FortiMail system.

    https-redirect-status {enable | disable}

    Enable to redirect insecure HTTP requests to secure access using HTTPS.

    This setting affects all FortiMail URLs: REST APIs, administrator GUI, FortiMail webmail, and personal quarantines.

    For this setting to take effect, you must also enable both HTTP and HTTPS access protocols on the network interface(s) that receive these connections. FortiMail cannot redirect HTTP if it is not listening for it. See allowaccess {ping http https snmp ssh telnet}.

    disable

    ip-address <client_ipv4>

    Enter an IP address that you want to exempt from the repeat offender list.

    This setting is used if repeat-offender-status {enable | disable} is enable.

    max-active-session-admin <limit_int>

    Enter the maximum number of active administrator sessions.

    100

    max-active-session-restful <limit_int>

    Enter the maximum number of active REST API sessions.

    50

    max-concurrent-request-admin <limit_int>

    Enter the maximum number of concurrent administrative GUI requests.

    50

    max-concurrent-request-all <limit_int>

    Enter the maximum number of concurrent HTTP requests from all clients.

    0

    max-concurrent-request-ms365 <limit_int>

    Enter the maximum number of concurrent Microsoft 365 or Google API requests permitted.

    50

    max-concurrent-request-per-ip <limit_int

    Enter the maximum number of concurrent HTTP requests for a single IP address.

    50

    max-concurrent-request-restful <limit_int>

    Enter the maximum number of concurrent REST API requests.

    50

    max-concurrent-request-webmail <limit_int>

    Enter the maximum number of concurrent webmail or personal quarantine requests.

    Valid ranges and default setting varies by platform. For details, see FortiMail Maximum Values.

    100

    max-request-rate-admin <limit_int>

    Enter the maximum request rate per second for administrators.

    0

    max-request-rate-ms365 <limit_int>

    Enter the maximum request rate (per second) for Microsoft 365 or Google cloud APIs.

    50

    max-request-rate-restful <limit_int>

    Enter the maximum request rate per second to the REST API.

    50

    max-request-rate-webmail <limit_int>

    Enter the maximum request rate per second for webmail or personal quarantines.

    0

    repeat-offender-count <limit_int>

    Enter the threshold for how many bad requests within the time period will trigger repeat offender control. Valid range is 1 to 50.

    This setting is used if repeat-offender-status {enable | disable} is enable.

    5

    repeat-offender-period <minutes_int>

    Enter the range of time in minutes during which to count the number of bad requests. Valid range is 1 to 120.

    This setting is used if repeat-offender-status {enable | disable} is enable.

    5

    repeat-offender-status {enable | disable}

    Enable to block the IP addresses that repeatedly send HTTP requests to FortiMail that result in HTTP 404 or 405 errors. Also configure repeat-offender-count <limit_int> and repeat-offender-period <minutes_int>.

    For example, if FortiMail receives 3 bad requests during a 5 minute interval, that IP address will be blocked for the remaining of the 5 minute interval. After the interval expires, the client IP address will be able to send requests again and the counter will restart for the next interval.

    disable
    rest-api-status {enable | disable}

    Enable or disable access to the FortiMail REST API.

    For this setting to take effect, you must also enable HTTPS access protocols on the network interface(s) that receive these connections. FortiMail cannot respond to an API requestif it is not listening for it. See allowaccess {ping http https snmp ssh telnet}.

    		 disable

    webmail-session-ttl <seconds_int>

    Enter the amount of time, in seconds, that an inactive FortiMail webmail session is still valid.

    Valid range is 0 to 600 seconds (10 minutes). To disable the session keepalive, enter 0.

    While a webmail user is logged in, their browser periodically sends a request to FortiMail. This GUI heartbeat keeps the session alive — even if the user is idle (they do not open any email, etc.). Heartbeats are not sent if the

    • user closes the browser tab or window

    • network connection is interrupted — even temporarily

    FortiMail waits for the heartbeat to reconnect. If it does not (the session time to live (TTL) elapses), then the session expires and the user is automatically logged out. Otherwise an idle session can continue until the idle timeout occurs (idle-timeout {enable | disable}).

    Note

    If your network connection is reliable, you can use a smaller session TTL for better security and performance.
    Tooltip

    Before the session TTL elapses, users may still need to log in again if they:

    • log out

    • clear cookies

    • open a new incognito/private browser tab or window

    180

    Related topics

    system interface

    Previous
    Next

    system web-service

    system web-service

    Use this command to configure web services on FortiMail, such as:

    • webmail or personal quarantines

    • Microsoft 365 or Google cloud connector API

    • administrative GUI

    • REST API

    including redirects, enabling the REST API, and rate limits to prevent abuse.

    If HTTPS or HTTP requests occur through a proxy or load balancer, for accurate logging, rate limits, and repeat offender control, consider client-ip-x-header-status {enable | disable}.

    Valid value ranges for certain commands vary by FortiMail model. See FortiMail Maximum Values.

    Syntax

    config system web-service

    set https-redirect-status {enable | disable}

    set https-redirect-host <fortimail_fqdn>

    set webmail-session-ttl <seconds_int>

    set rest-api-status {enable | disable}

    set client-ip-x-header-status {enable | disable}

    set client-ip-x-header-name <key_str>

    set max-concurrent-request-all <limit_int>

    set max-concurrent-request-per-ip <limit_int

    set max-concurrent-request-admin <limit_int>

    set max-concurrent-request-webmail <limit_int>

    set max-concurrent-request-ms365 <limit_int>

    set max-concurrent-request-restful <limit_int>

    config exempt-list

    edit <list_index>

    set <client_ipv4mask>

    next

    end

    set max-active-session-admin <limit_int>

    set max-active-session-restful <limit_int>

    set max-request-rate-admin <limit_int>

    set max-request-rate-webmail <limit_int>

    set max-request-rate-ms365 <limit_int>

    set max-request-rate-restful <limit_int>

    set repeat-offender-status {enable | disable}

    set repeat-offender-count <limit_int>

    set repeat-offender-period <minutes_int>

    config repeat-offender-exempt-list

    edit <list_index>

    set ip-address <client_ipv4>

    next

    end

    end

    Variable

    Description

    Default

    <client_ipv4mask>

    Enter an IP address and netmask that you want to exempt from concurrent request rate limits.

    <list_index>

    Enter a number to identify the entry in the table.

    client-ip-x-header-name <key_str>

    Enter the name of the HTTP X-header. Do not include the colon ( : ) after the name.

    This setting is used if client-ip-x-header-status {enable | disable} is enable.

    X-Real-IP

    client-ip-x-header-status {enable | disable}

    Enable to identify the IP addresses of clients behind a proxy or load balancer by using an HTTP X-header. Also configure client-ip-x-header-name <key_str>.

    In a network topology where web service clients connect through a proxy, load balancer, or web application firewall (for example, a FortiWeb that is not transparent), the source IP address in the IP packet header is changed to be the proxy itself instead of the original client. Therefore if any attacker or misconfigured agent exceeds the limits, then FortiMail would block the proxy — and therefore all innocent clients that connect through the proxy — not only the bad client. Log messages would also indicate that the problem is the proxy, instead of the real endpoint. To solve this:

    1. On the upstream proxy:

      1. Choose which X-header will identify the original client.

        To see whether an X-header is already being used in requests, you can use a packet capture tool.

      2. If the X-header does not exist in requests yet, insert it with the original client's public IP address.

        RFC 1918 private network addresses are not globally unique identifiers, and should not be used to avoid effecting other clients with the same private network address. Due to network address translation (NAT), however, multiple clients still could be behind the same public IP address. This is a known limitation of networks with NAT.

      3. If the X-header exists in requests already, but either it contains a list of multiple addresses, or it was not inserted by a trusted proxy that you control, then replace it with the original client's public IP address or, if that cannot be done, remove the header.

        Lists, if any, start with the original client IP address but may be in order of left-to-right, or right-to-left. Keep only the first public IP address, relative to that direction. For example, if this header is left-to-right:

        X-Forwarded-For: 10.0.0.1, 1.1.1.1, 2.2.2.2, 192.168.0.2

        then replace it with:

        X-Forwarded-For: 1.1.1.1

      4. On FortiMail, enable client-ip-x-header-status {enable | disable} and enter the name of the X-header.

        Caution

        Do not enable this setting unless you are sure that only a trusted proxy can insert the X-header. X-headers are not encrypted nor authenticated, and could be forgeries.

        If you enable the setting but the X-header does not exist or is empty, FortiMail will act as if the setting is disabled, and instead use the source IP address In the IP header.

    disable
    https-redirect-host <fortimail_fqdn>

    Enter the fully qualified domain name (FQDN) to use to use in HTTPS redirects for the FortiMail system.

    https-redirect-status {enable | disable}

    Enable to redirect insecure HTTP requests to secure access using HTTPS.

    This setting affects all FortiMail URLs: REST APIs, administrator GUI, FortiMail webmail, and personal quarantines.

    For this setting to take effect, you must also enable both HTTP and HTTPS access protocols on the network interface(s) that receive these connections. FortiMail cannot redirect HTTP if it is not listening for it. See allowaccess {ping http https snmp ssh telnet}.

    disable

    ip-address <client_ipv4>

    Enter an IP address that you want to exempt from the repeat offender list.

    This setting is used if repeat-offender-status {enable | disable} is enable.

    max-active-session-admin <limit_int>

    Enter the maximum number of active administrator sessions.

    100

    max-active-session-restful <limit_int>

    Enter the maximum number of active REST API sessions.

    50

    max-concurrent-request-admin <limit_int>

    Enter the maximum number of concurrent administrative GUI requests.

    50

    max-concurrent-request-all <limit_int>

    Enter the maximum number of concurrent HTTP requests from all clients.

    0

    max-concurrent-request-ms365 <limit_int>

    Enter the maximum number of concurrent Microsoft 365 or Google API requests permitted.

    50

    max-concurrent-request-per-ip <limit_int

    Enter the maximum number of concurrent HTTP requests for a single IP address.

    50

    max-concurrent-request-restful <limit_int>

    Enter the maximum number of concurrent REST API requests.

    50

    max-concurrent-request-webmail <limit_int>

    Enter the maximum number of concurrent webmail or personal quarantine requests.

    Valid ranges and default setting varies by platform. For details, see FortiMail Maximum Values.

    100

    max-request-rate-admin <limit_int>

    Enter the maximum request rate per second for administrators.

    0

    max-request-rate-ms365 <limit_int>

    Enter the maximum request rate (per second) for Microsoft 365 or Google cloud APIs.

    50

    max-request-rate-restful <limit_int>

    Enter the maximum request rate per second to the REST API.

    50

    max-request-rate-webmail <limit_int>

    Enter the maximum request rate per second for webmail or personal quarantines.

    0

    repeat-offender-count <limit_int>

    Enter the threshold for how many bad requests within the time period will trigger repeat offender control. Valid range is 1 to 50.

    This setting is used if repeat-offender-status {enable | disable} is enable.

    5

    repeat-offender-period <minutes_int>

    Enter the range of time in minutes during which to count the number of bad requests. Valid range is 1 to 120.

    This setting is used if repeat-offender-status {enable | disable} is enable.

    5

    repeat-offender-status {enable | disable}

    Enable to block the IP addresses that repeatedly send HTTP requests to FortiMail that result in HTTP 404 or 405 errors. Also configure repeat-offender-count <limit_int> and repeat-offender-period <minutes_int>.

    For example, if FortiMail receives 3 bad requests during a 5 minute interval, that IP address will be blocked for the remaining of the 5 minute interval. After the interval expires, the client IP address will be able to send requests again and the counter will restart for the next interval.

    disable
    rest-api-status {enable | disable}

    Enable or disable access to the FortiMail REST API.

    For this setting to take effect, you must also enable HTTPS access protocols on the network interface(s) that receive these connections. FortiMail cannot respond to an API requestif it is not listening for it. See allowaccess {ping http https snmp ssh telnet}.

    		 disable

    webmail-session-ttl <seconds_int>

    Enter the amount of time, in seconds, that an inactive FortiMail webmail session is still valid.

    Valid range is 0 to 600 seconds (10 minutes). To disable the session keepalive, enter 0.

    While a webmail user is logged in, their browser periodically sends a request to FortiMail. This GUI heartbeat keeps the session alive — even if the user is idle (they do not open any email, etc.). Heartbeats are not sent if the

    • user closes the browser tab or window

    • network connection is interrupted — even temporarily

    FortiMail waits for the heartbeat to reconnect. If it does not (the session time to live (TTL) elapses), then the session expires and the user is automatically logged out. Otherwise an idle session can continue until the idle timeout occurs (idle-timeout {enable | disable}).

    Note

    If your network connection is reliable, you can use a smaller session TTL for better security and performance.
    Tooltip

    Before the session TTL elapses, users may still need to log in again if they:

    • log out

    • clear cookies

    • open a new incognito/private browser tab or window

    180

    Related topics

    system interface

    Previous
    Next