wmaier1
Staff
Article Id 335805
Description
This article describes how to block or allow URLs that contain a specific string with a Web Application Firewall (WAF).
Scope
FortiGate, Web Application Firewall.
Solution

    set pattern "<any_string>"

 

This article describes how to use WAF to allow or block any URL that contains the desired string. Open the CLI and create a WAF profile. Each profile should have its own name; then set a name for each use case.

 

Copy the following CLI commands into the CLI window of the FortiGate.

 

It is also possible to copy the following CLI commands and replace <profile_exception> with the desired name for the signature-exception profile. Then replace <test_string> with the string that should trigger the signature exception (regex is allowed), and set the action to allow or block the URL when <test_string> is present.

 

config waf profile
    edit <waf_profile_name>
        config signature-exception
            edit 0
                set name "<profile_exception>"
                set type url
                set pattern "<test_string>"
                set action allow
            next
        end
    next
end

 

It can also be configured using a constraint exception:

 

config waf profile
    edit "<Profile_Name>"
        config constraint
            config exception
                edit <ID>
                    set pattern "<pattern>"
                    set regex enable
                    set address "all"
                next
            end
        end
    next
end

 

To configure URL access rules, which define the HTTP requests that are allowed or denied based on their hostname and URL:

 

config waf profile
    edit "<Profile_Name>"
        config url-access
            edit <ID>
                set address "all"
                set log enable
                set severity "low"
            next
        end
    next
end

 

To check the WAF profile configuration:

 

show waf profile <Profile_Name> <-- To show only a specific WAF profile.

show waf profile <-- To show all WAF profiles.
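
An added example, not part of the original article and not Fortinet tooling: a Python check to run over a WAF profile block before pasting it into the CLI. It reports unbalanced config/edit/next/end nesting (the sample omits the `end` that closes `config constraint`) and lists exception entries whose pattern matches every probe URL. The profile name, patterns and probe URLs are constructed, and treating the pattern as an unanchored Python `re` search is an assumption about how FortiOS matches it.

```python
import re
import shlex

# Constructed sample: the constraint-exception layout with made-up values,
# and the 'end' that closes 'config constraint' left out.
SAMPLE = """\
config waf profile
    edit "waf-demo"
        config constraint
            config exception
                edit 1
                    set pattern "^/status/health$"
                    set regex enable
                next
                edit 2
                    set pattern ".*"
                    set regex enable
                next
            end
    next
end
"""
PROBES = ["/index.html", "/admin/login.php", "/api/v1/users?id=1"]  # constructed

def parse(text):
    """Return (entries, errors): every 'edit' with its settings, plus nesting faults."""
    stack, entries, errors = [], [], []
    for n, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw) or [""]
        cmd, args = tok[0], tok[1:]
        if cmd in ("config", "edit"):  # both open a block
            stack.append((cmd, " ".join(args), {}))
            if cmd == "edit":
                entries.append((" / ".join(s[1] for s in stack), stack[-1][2]))
        elif cmd in ("next", "end"):  # 'next' closes 'edit', 'end' closes 'config'
            if stack and stack[-1][0] == ("edit" if cmd == "next" else "config"):
                stack.pop()
            else:
                still_open = " ".join(stack[-1][:2]) if stack else "nothing"
                errors.append(f"line {n}: '{cmd}' while '{still_open}' is open")
        elif cmd == "set" and len(args) >= 2 and stack:
            stack[-1][2][args[0]] = " ".join(args[1:])
    errors += [f"never closed: '{kind} {name}'" for kind, name, _ in stack]
    return entries, errors

def overbroad(entries, probes):
    """Entries whose pattern, run as an unanchored regex, matches every probe URL."""
    return [path for path, cfg in entries
            if "pattern" in cfg and all(re.search(cfg["pattern"], u) for u in probes)]
```

Call `parse()` on the block to be pasted and `overbroad()` on the returned entries with URLs taken from the site's own traffic; an exception that matches all of them exempts far more than one string.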