Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    Home FortiWeb 8.0.3 CLI Reference
    8.0.3
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0

    waf custom-tracking policy

    waf custom-tracking policy

    Use this command to create and manage Custom Tracking policies. These policies facilitate high-fidelity session identification by extracting and hashing specific attributes from HTTP requests and responses.

    Tracking IDs generated by these policies are stored in an in-memory hash table rather than a persistent Redis server. Consequently, IDs are transient; they are cleared upon a system restart or when the tracking-timeout is reached. The maximum number of IDs the system can track is platform-dependent; for example, VM platforms support up to 200,000 IDs per ADOM and 1,000,000 per device.

    A maximum of 8 match conditions can be created per policy. Once configured, apply the policy to a Web Protection Profile to enable custom session correlation in your traffic and attack logs.

    Syntax

    config waf custom-tracking policy

    edit <policy_name>

    set tracking-timeout <integer>

    set waf custom-tracking policy

    set bypass-when-none-matched {enable|disable}

    config match-condition

    edit waf custom-tracking policy

    set match-target {source-ip|url|request-url-parameter|request-body-parameter|request-cookie|request-header|response-header|response-code}

    set target-name <string>

    set target-value-type {plain|regular}

    set target-value-regex <string>

    set response-code-min <integer>

    set response-code-max <integer>

    next

    end

    next

    end

    Variable Description Default
    <policy_name> Enter a name for the Custom Tracking policy. No default.
    tracking-timeout <integer> Enter the duration (in minutes) an ID remains in memory without new activity. Valid range is 1–1440. 30
    track-only-when-all-matched {enable|disable}

    Controls the strictness of the matching logic required to associate a request with a tracking ID.

    • enabled — FortiWeb requires a Full Match. A tracking ID is generated or updated only if every attribute defined in the policy is present. If even one attribute is missing, tracking is bypassed (regardless of the bypass-when-none-matched setting).

    • disabled — FortiWeb allows a Partial Match. A tracking ID is generated if at least one attribute matches, or potentially even with zero matches depending on the bypass-when-none-matched setting.

    		 enable
    bypass-when-none-matched {enable|disable}

    Controls the exception logic for requests that fail to meet the tracking criteria.

    • enabled — If a request contains none of the attributes specified in the policy, FortiWeb skips the ID creation process entirely for that request. This prevents the tracking table from being filled with "empty" or anonymous entries that provide no useful metadata.

    • disabled — FortiWeb generates a tracking ID even if zero attributes are detected. When combined with track-only-when-all-matched disable, this creates a "catch-all" tracking state where every request is assigned an ID. This ensures that every request is assigned an ID, ensuring every client is indexed even without identifiable fingerprints beyond the connection itself.

    		 enable
    config match-condition
    <id> Enter the index number of the individual entry in the table. No default.
    match-target {source-ip|url|request-url-parameter|request-body-parameter|request-cookie|request-header|response-header|response-code}

    Select the HTTP attribute to extract. FortiWeb normalizes these in a fixed sequence to ensure hash stability:

    Source IP > URL Path > Request URL Parameter > Request Cookie > Request Header > Request Body > Response Header > Response Code

    • source-ip (Source IP) — Uses the client IP address to help identify the requester. Can appear only once. No name or pattern required.

    • url (URL Path) — Matches or extracts portions of the request path. Supports plain or regex matching. Regex cannot be empty.

    • request-url-parameter (Request URL Parameter) — Extracts a value from the query string. Requires a non-empty parameter name. Name cannot be reused. Supports plain or regex.

    • request-body-parameter (Request Body) — Extracts a value from the request body. Requires a non-empty parameter name. Name cannot be reused. Supports plain or regex.

    • request-cookie (Request Cookie) — Uses a cookie value supplied by the application. Requires a non-empty cookie name. Name cannot be reused. Supports plain or regex.

    • request-header (Request Header) — Uses a request header such as X-User-ID or Authorization. Requires a non-empty header name. Name cannot be reused. Supports plain or regex.

    • response-header (Response Header) — Extracts a value from response headers. Requires a non-empty header name. Supports plain or regex.

    • response-code (Response Code) — Matches the HTTP response status returned to the client. Can appear only once. Requires a min and max code range. No regex or name.

    Note: You cannot create multiple conditions within one policy for source-ip, response-code, or url when its target-value-type is plain.

    		 source-ip

    target-name <string>

    Specify the attribute name (e.g., cookie or header name). This is required for all targets except source-ip, response-code, and url when its target-value-type is plain.

    Note: You cannot reuse the same target-name for the same match-target within one policy.

    No default.

    target-value-type {plain|regular}

    Specify the target value type:

    • plain — Use the attribute value exactly as the key.

    • regular — Use a regular expression to extract a specific portion of the value.

    plain

    target-value-regex <string>

    Enter the regular expression for value extraction. This cannot be empty if target-value-type is set to regular.

    No default.

    response-code-min <integer>

    The minimum HTTP status code in a range.

    100

    response-code-max <integer>

    The maximum HTTP status code in a range. This must be greater than or equal to the minimum.

    599
    Previous
    Next

    waf custom-tracking policy

    waf custom-tracking policy

    Use this command to create and manage Custom Tracking policies. These policies facilitate high-fidelity session identification by extracting and hashing specific attributes from HTTP requests and responses.

    Tracking IDs generated by these policies are stored in an in-memory hash table rather than a persistent Redis server. Consequently, IDs are transient; they are cleared upon a system restart or when the tracking-timeout is reached. The maximum number of IDs the system can track is platform-dependent; for example, VM platforms support up to 200,000 IDs per ADOM and 1,000,000 per device.

    A maximum of 8 match conditions can be created per policy. Once configured, apply the policy to a Web Protection Profile to enable custom session correlation in your traffic and attack logs.

    Syntax

    config waf custom-tracking policy

    edit <policy_name>

    set tracking-timeout <integer>

    set waf custom-tracking policy

    set bypass-when-none-matched {enable|disable}

    config match-condition

    edit waf custom-tracking policy

    set match-target {source-ip|url|request-url-parameter|request-body-parameter|request-cookie|request-header|response-header|response-code}

    set target-name <string>

    set target-value-type {plain|regular}

    set target-value-regex <string>

    set response-code-min <integer>

    set response-code-max <integer>

    next

    end

    next

    end

    Variable Description Default
    <policy_name> Enter a name for the Custom Tracking policy. No default.
    tracking-timeout <integer> Enter the duration (in minutes) an ID remains in memory without new activity. Valid range is 1–1440. 30
    track-only-when-all-matched {enable|disable}

    Controls the strictness of the matching logic required to associate a request with a tracking ID.

    • enabled — FortiWeb requires a Full Match. A tracking ID is generated or updated only if every attribute defined in the policy is present. If even one attribute is missing, tracking is bypassed (regardless of the bypass-when-none-matched setting).

    • disabled — FortiWeb allows a Partial Match. A tracking ID is generated if at least one attribute matches, or potentially even with zero matches depending on the bypass-when-none-matched setting.

    		 enable
    bypass-when-none-matched {enable|disable}

    Controls the exception logic for requests that fail to meet the tracking criteria.

    • enabled — If a request contains none of the attributes specified in the policy, FortiWeb skips the ID creation process entirely for that request. This prevents the tracking table from being filled with "empty" or anonymous entries that provide no useful metadata.

    • disabled — FortiWeb generates a tracking ID even if zero attributes are detected. When combined with track-only-when-all-matched disable, this creates a "catch-all" tracking state where every request is assigned an ID. This ensures that every request is assigned an ID, ensuring every client is indexed even without identifiable fingerprints beyond the connection itself.

    		 enable
    config match-condition
    <id> Enter the index number of the individual entry in the table. No default.
    match-target {source-ip|url|request-url-parameter|request-body-parameter|request-cookie|request-header|response-header|response-code}

    Select the HTTP attribute to extract. FortiWeb normalizes these in a fixed sequence to ensure hash stability:

    Source IP > URL Path > Request URL Parameter > Request Cookie > Request Header > Request Body > Response Header > Response Code

    • source-ip (Source IP) — Uses the client IP address to help identify the requester. Can appear only once. No name or pattern required.

    • url (URL Path) — Matches or extracts portions of the request path. Supports plain or regex matching. Regex cannot be empty.

    • request-url-parameter (Request URL Parameter) — Extracts a value from the query string. Requires a non-empty parameter name. Name cannot be reused. Supports plain or regex.

    • request-body-parameter (Request Body) — Extracts a value from the request body. Requires a non-empty parameter name. Name cannot be reused. Supports plain or regex.

    • request-cookie (Request Cookie) — Uses a cookie value supplied by the application. Requires a non-empty cookie name. Name cannot be reused. Supports plain or regex.

    • request-header (Request Header) — Uses a request header such as X-User-ID or Authorization. Requires a non-empty header name. Name cannot be reused. Supports plain or regex.

    • response-header (Response Header) — Extracts a value from response headers. Requires a non-empty header name. Supports plain or regex.

    • response-code (Response Code) — Matches the HTTP response status returned to the client. Can appear only once. Requires a min and max code range. No regex or name.

    Note: You cannot create multiple conditions within one policy for source-ip, response-code, or url when its target-value-type is plain.

    		 source-ip

    target-name <string>

    Specify the attribute name (e.g., cookie or header name). This is required for all targets except source-ip, response-code, and url when its target-value-type is plain.

    Note: You cannot reuse the same target-name for the same match-target within one policy.

    No default.

    target-value-type {plain|regular}

    Specify the target value type:

    • plain — Use the attribute value exactly as the key.

    • regular — Use a regular expression to extract a specific portion of the value.

    plain

    target-value-regex <string>

    Enter the regular expression for value extraction. This cannot be empty if target-value-type is set to regular.

    No default.

    response-code-min <integer>

    The minimum HTTP status code in a range.

    100

    response-code-max <integer>

    The maximum HTTP status code in a range. This must be greater than or equal to the minimum.

    599
    Previous
    Next