server-policy allow-hosts
Use this command to configure protected host groups.
A protected host group contains one or more IP addresses and/or fully qualified domain names (FQDNs). Each entry in the protected host group defines a virtual or real web host, according to the Host: field in the HTTP header of requests from clients, that you want the FortiWeb appliance to protect.
For example, if your web servers receive requests with HTTP headers such as:
GET /index.php HTTP/1.1
Host: www.example.com
you might define a protected host group with an entry of www.example.com and select it in the policy. This would reject requests that are not for that host.
 
A protected hosts group is usually not the same as a physical server.
Unlike a physical server, which is a single IP at the network layer, a protected host group should contain all network IPs, virtual IPs, and domain names that clients use to access the web server at the application (HTTP) layer.
For example, clients often access a web server via a public network such as the Internet. Therefore the protected host group contains domain names, public IP addresses, and public virtual IPs on a network edge router or firewall that are routable from that public network. But the physical server is only the IP address that the FortiWeb appliance uses to forward traffic to the server and, therefore, is often a private network address (unless the FortiWeb appliance operates in offline protection or either of the transparent modes).
Protected host groups can be used by:
policies
input rules
server protection exceptions
start page rules
page access rules
URL access rules
allowed method exceptions
HTTP authentication rules
hidden fields rules
many others
Rules can use protected host definitions to apply rules only to requests for a protected host. If you do not specify a protected host group in the rule, the rule will be applied based upon other criteria such as the URL, but regardless of the Host: field.
Policies can use protected host definitions to block connections that are not destined for a protected host. If you do not select a protected host group in a policy, connections will be accepted or blocked regardless of the Host: field.
To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For more information, see “Permissions”.
Syntax
config server-policy allow-hosts
  edit <protected-hosts_name>
    set default-action {allow | deny}
    config host-list
      edit <protected-host_index>
        set action {allow | deny}
        set host {<host_ipv4> | <host_fqdn> | <host_ipv6>}
      next
    end
  next
end
Variable / Description / Default

<protected-hosts_name>
    Description: Type the name of a new or existing group of protected hosts. The maximum length is 35 characters.
    To display the list of existing groups, type:
        edit ?
    Default: No default.

default-action {allow | deny}
    Description: Select whether to accept or deny HTTP requests whose Host: field does not match any of the host definitions that you will add to this protected hosts group.
    Default: allow

<protected-host_index>
    Description: Type the index number of a protected host within its group. The valid range is from 1 to 9,223,372,036,854,775,807. Each host-list can contain up to 64 IP addresses and/or fully qualified domain names (FQDNs).
    Default: No default.

action {allow | deny}
    Description: Select whether to accept or deny HTTP requests whose Host: field matches the host definition in host {<host_ipv4> | <host_fqdn> | <host_ipv6>}.
    Default: allow

host {<host_ipv4> | <host_fqdn> | <host_ipv6>}
    Description: Type the IP address or FQDN of a virtual or real web host, as it appears in the Host: field of HTTP headers, such as www.example.com. The maximum length is 255 characters.
    If clients connect to your web servers through the IP address of a virtual server on the FortiWeb appliance, this should be the IP address of that virtual server or any domain name to which it resolves, not the actual IP address of the web server.
    For example, if a virtual server 10.0.0.1/24 forwards traffic to the physical server 192.168.1.1, for protected hosts, you would enter:
        10.0.0.1, the address of the virtual server
        www.example.com, the domain name that resolves to the virtual server
    Default: No default.
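The decision logic described above (a Host: header matched against the host-list, the entry's action applied, default-action used when nothing matches, and rules scoped to the group only applying to matching hosts) can be made concrete with a small model. The following Python is an added example, not FortiWeb code or product output. Its matching rules are assumptions made for the illustration: the Host: value is compared case-insensitively after stripping an optional :port, the first matching entry wins, and a rule scoped to a group is in scope only for a Host: that matches an allow entry. The sample requests are constructed; the virtual server 10.0.0.1 and physical server 192.168.1.1 are the page's own values.

```python
"""Model of a FortiWeb protected host group deciding requests by their Host: header.
Added example, not FortiWeb code. Assumed comparison rules: Host: is lowercased and an
optional :port is dropped; first matching entry wins; rules apply only to allow entries."""
from typing import List, Optional


def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Return the Host: header value of a raw HTTP/1.x request, or None if absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", errors="replace")
    return None


def normalize_host(value: str) -> str:
    """Lowercase the host and drop a trailing :port (assumed comparison form)."""
    v = value.strip()
    if v.startswith("["):  # bracketed IPv6 literal such as [2001:db8::1]:8443
        end = v.find("]")
        return v[1:end].lower() if end != -1 else v.lower()
    if v.count(":") > 1:   # bare IPv6 literal: every colon belongs to the address
        return v.lower()
    host, sep, port = v.rpartition(":")
    return host.lower() if sep and port.isdigit() else v.lower()


class HostEntry:
    """One 'edit <protected-host_index>' entry: a host plus its action."""

    def __init__(self, host: str, action: str = "allow"):
        if action not in ("allow", "deny"):
            raise ValueError("action must be allow or deny")
        if not host or len(host) > 255:  # maximum length stated on the page
            raise ValueError("host must be 1 to 255 characters")
        self.host = normalize_host(host)
        self.action = action


class ProtectedHostGroup:
    """One 'config server-policy allow-hosts' entry: default-action plus host-list."""
    MAX_ENTRIES = 64  # per host-list, as stated on the page

    def __init__(self, name: str, default_action: str = "allow"):
        if not name or len(name) > 35:
            raise ValueError("name must be 1 to 35 characters")
        if default_action not in ("allow", "deny"):
            raise ValueError("default-action must be allow or deny")
        self.name = name
        self.default_action = default_action
        self.host_list: List[HostEntry] = []

    def add_host(self, host: str, action: str = "allow") -> None:
        if len(self.host_list) >= self.MAX_ENTRIES:
            raise ValueError("host-list already holds 64 entries")
        self.host_list.append(HostEntry(host, action))

    def match(self, host_header: Optional[str]) -> Optional[HostEntry]:
        """First host-list entry equal to the normalized Host: value, else None."""
        if host_header is None:
            return None
        wanted = normalize_host(host_header)
        return next((e for e in self.host_list if e.host == wanted), None)

    def policy_decision(self, raw_request: bytes) -> str:
        """A policy using this group: the matching entry's action, else default-action."""
        entry = self.match(parse_host_header(raw_request))
        return entry.action if entry else self.default_action

    def rule_applies(self, raw_request: bytes) -> bool:
        """A rule scoped to this group: in scope only when Host: matches an allow entry."""
        entry = self.match(parse_host_header(raw_request))
        return entry is not None and entry.action == "allow"

    def to_cli(self) -> str:
        """Render the group in the CLI syntax documented on this page."""
        lines = ["config server-policy allow-hosts", f"  edit {self.name}",
                 f"    set default-action {self.default_action}", "    config host-list"]
        for idx, e in enumerate(self.host_list, start=1):
            lines += [f"      edit {idx}", f"        set action {e.action}",
                      f"        set host {e.host}", "      next"]
        return "\n".join(lines + ["    end", "  next", "end"])


def example_group() -> ProtectedHostGroup:
    """The page's example_com_hosts group: domain names plus the virtual server's IP."""
    group = ProtectedHostGroup("example_com_hosts", default_action="deny")
    for host in ("example.com", "www.example.com", "10.0.0.1"):
        group.add_host(host)  # 10.0.0.1 is the virtual server, not the physical 192.168.1.1
    return group


# Constructed sample requests, not captured traffic.
REQ_WWW = b"GET /index.php HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_PORT = b"GET / HTTP/1.1\r\nHost: WWW.Example.COM:443\r\nUser-Agent: test\r\n\r\n"
REQ_VIP = b"GET / HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n"
REQ_BACKEND = b"GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"  # physical server address
REQ_NOHOST = b"GET / HTTP/1.0\r\n\r\n"                         # no Host: field at all

if __name__ == "__main__":
    g = example_group()
    print(g.to_cli())
    for req in (REQ_WWW, REQ_PORT, REQ_VIP, REQ_BACKEND, REQ_NOHOST):
        print(repr(parse_host_header(req)), "->", g.policy_decision(req))
```

The backend request for 192.168.1.1 and the request without a Host: field both fall through to default-action deny, which is the point of listing the virtual server address and domain names rather than the physical server address: a policy using this group only passes requests that name the host clients are meant to reach.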
Example
This example configures a protected hosts group named example_com_hosts that contains a web site’s domain names and its IP address in order to match HTTP requests regardless of which form they use to identify the host.
config server-policy allow-hosts
  edit example_com_hosts
    set default-action deny
    config host-list
      edit 0
        set host example.com
      next
      edit 1
        set host www.example.com
      next
      edit 2
        set host 10.0.0.1
      next
    end
  next
end
Related topics
config server-policy policy
config waf allow-method-exceptions
config waf allow-method-policy
config waf input-rule
config waf signature
config waf start-pages
config waf page-access-rule
config waf hidden-fields-rule