waf client-side-protection-policy

Use this command to configure a Client-Side Protection policy.

Client-Side Protection enables browser-level threat detection by monitoring JavaScript execution and DOM activity in real time. Unlike traditional WAF features that inspect only HTTP traffic, this feature inserts a JavaScript collector or performs passive HTML analysis to detect in-browser threats such as script injection, credential theft, and DOM manipulation.

Client-Side Protection is designed to mitigate risks highlighted in the OWASP Top 10 for client-side security and works in conjunction with static mechanisms like HTTP security headers and Subresource Integrity.

After defining the policy, you must assign it to an inline Web Protection Profile and apply that profile to a Server Policy. To activate enforcement, the Web Protection Profile must also include an HTTP Header Security policy and a Subresource Integrity Check policy.

Before You Begin:
  • A valid license for the Client-Side Protection service is required. Without it, the feature is unavailable in both the CLI and GUI.

  • Ensure that HTTP Header Security and Subresource Integrity Check policies are configured, as they are required for this feature to operate when applied in a Web Protection Profile.

Syntax

config waf client-side-protection-policy
    edit <name>
        set host-status {enable|disable}
        set host <string>
        set js-collector {enable|disable}
        set collect-ip-range <ip_range>
        set passive-assessment {enable|disable}
        set security-header-modification-detection {enable|disable}
        set trigger-policy-for-pci <datasource>
        set trigger <datasource>
        config page-list
            edit <entry_index>
                set url-type {plain|regular}
                set url-pattern <string>
                set for-payment {yes|no}
            next
        end
    next
end

Variable / Description / Default

<name>
    Enter a name for the policy.
    Default: No default

host-status {enable|disable}
    Enable to apply the policy only to requests for a specific host. Useful in multi-tenant or multi-site deployments.
    Default: disable

host <string>
    Define the hostname to match when host-status is enabled.
    Default: No default

js-collector {enable|disable}
    Enables or disables injection of the JavaScript collector into eligible HTTP responses.
    This option is available only through the CLI; in the GUI, the collector is always enabled and cannot be turned off.
    The JavaScript collector captures detailed browser-side telemetry, including:
      • Script execution
      • DOM changes
      • Access to cookies or local storage
    If disabled, FortiWeb no longer collects this dynamic behavioral data, and the Client-Side Protection dashboard displays only static attributes, such as known file hashes, sizes, or CVE references. This option is intended for specialized environments where script injection must be avoided. Use it with caution, as disabling the collector significantly reduces visibility and enforcement capabilities.
    Default: enable

collect-ip-range <ip_range>
    Define a set of client IP addresses from which JavaScript activity will be collected. In Monitor mode, only clients in this range will trigger data collection and enforcement logic.
    Default: No default

passive-assessment {enable|disable}
    Enable passive HTML analysis of script and resource elements (e.g., <script>, <iframe>, <form>) to identify unauthorized or modified third-party content without relying on JavaScript injection.
    Default: disable

security-header-modification-detection {enable|disable}
    Enable this to monitor and log instances where browser security headers (such as Content-Security-Policy or Strict-Transport-Security) are modified or stripped by client-side scripts or browser extensions.
    Default: disable

trigger-policy-for-pci <datasource>
    Select a specific PCI Trigger Policy to handle violations detected on pages defined within the PCI Scope. This allows stricter logging or blocking actions specifically for payment-related pages.
    Default: No default

trigger <datasource>
    Select a Trigger Policy to define the logging and notification actions taken when a general client-side violation (e.g., a suspicious domain or an unauthorized script) is detected.
    Default: No default

config page-list

<entry_index>
    Enter the index number of the individual entry in the table. The valid range is 1–9,223,372,036,854,775,807.
    Default: No default

url-type {plain|regular}
    Specify the URL matching method:
      • plain — use a simple string for an exact match with a static path.
      • regular — use a regular expression pattern to match with regex syntax.
    Default: plain

url-pattern <string>
    Enter the URL or pattern to target for monitoring.
    Default: No default

for-payment {yes|no}
    Enable to explicitly mark the URL as a payment page. This is a critical requirement for PCI DSS 4.0 (Requirements 6.4.3 and 11.6.1), as it instructs FortiWeb to:
      • Apply the stricter PCI Trigger Policy to any script activity on this page.
      • Inventory all JavaScript executing on the page for compliance audits.
      • Generate alerts for unauthorized script modifications specifically on cardholder data entry points.
    Default: no
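A complete policy that scopes Client-Side Protection to one host, pilots collection on an internal client range, and marks the checkout page as in PCI scope, as an added example using only the commands documented above (not a configuration from the original reference). The policy name cspol-shop, the host shop.example.com, the trigger policy names pci-trigger and csp-trigger (assumed to exist already), the IP range notation and the URL patterns are assumed placeholders, and the lines starting with # are reader annotations rather than FortiWeb CLI syntax.

```text
config waf client-side-protection-policy
    edit "cspol-shop"
        # Apply only to this site in a multi-site deployment.
        set host-status enable
        set host "shop.example.com"
        # Keep the collector on so dynamic telemetry (script execution,
        # DOM changes, cookie/local storage access) is gathered.
        set js-collector enable
        # Pilot range: in Monitor mode only these clients are collected.
        set collect-ip-range 10.20.0.0-10.20.255.255
        # Also inventory <script>/<iframe>/<form> elements without injection.
        set passive-assessment enable
        # Log when CSP or HSTS headers are altered by scripts or extensions.
        set security-header-modification-detection enable
        # Stricter trigger for pages marked for-payment yes; general trigger
        # for every other client-side violation.
        set trigger-policy-for-pci "pci-trigger"
        set trigger "csp-trigger"
        config page-list
            # Exact-match payment page, inside the PCI scope.
            edit 1
                set url-type plain
                set url-pattern "/checkout/payment"
                set for-payment yes
            next
            # Regex-matched account pages, monitored but outside PCI scope.
            edit 2
                set url-type regular
                set url-pattern "^/account/.*"
                set for-payment no
            next
        end
    next
end
```

As the introduction states, the policy only takes effect once it is assigned to an inline Web Protection Profile that also carries an HTTP Header Security policy and a Subresource Integrity Check policy, and that profile is applied to a Server Policy.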
