server-policy custom-application url-replacer
When web applications have dynamic URLs or unusual parameter styles, you must adapt auto-learning to recognize them.
By default, auto-learning assumes that your web applications use the most common URL structure:
All parameters follow after a question mark ( ? ). They do not follow a hash ( # ) or other separator character.
If there are multiple name-value pairs, each pair is separated by an ampersand ( & ). They are not separated by a semi-colon ( ; ) or other separator character.
All paths before the question mark ( ? ) are static — they do not change based upon input, blending the path with parameters (sometimes called a dynamic URL).
For example, the page at:
/app/main
always has that same path. After a person logs in, the page’s URL doesn’t become:
/app/marco/main
or
/app#deepa
For another example, the URL does not dynamically reflect inventory, such as:
/app/sprockets/widget1024894
Some web applications, however, embed parameters within the path structure of the URL, or use unusual or non-uniform parameter separator characters. If you do not configure URL replacers for such applications, it can cause your FortiWeb appliance to gather auto-learning data incorrectly. This can cause the following symptoms:
Auto-learning reports do not contain a correct URL structure.
URL or parameter learning is endless.
When you generate a protection profile from auto-learning, it contains many more URLs than actually exist, because auto-learning cannot predict that the URL is actually dynamic.
Parameter data is not complete, despite the fact that the FortiWeb appliance has seen traffic containing the parameter.
For example, with Microsoft Outlook Web App (OWA), the user’s login name could be embedded within the path structure of the URL, such as:
/owa/tom/index.html
/owa/mary/index.html
instead of suffixed as a parameter, such as:
/owa/index.html?username=tom
/owa/index.html?username=mary
Auto-learning would continue to create new URLs as new users are added to OWA. Auto-learning would also expend extra resources learning about URLs and parameters that are actually the same. Additionally, auto-learning may not be able to fully learn the application structure, as each user may not request the same URLs.
To solve this, you would use this command and config server-policy custom-application application-policy to apply a URL replacer that recognizes the user name within the OWA URL as if it were a standard, suffixed parameter value so that auto-learning can function properly.
For example, if the URL is:
/application/value
and the URL replacer settings are:
Setting name    Value
type            custom-defined
url             (/application/)([^/]+\\.[^/]+)
new-url         $0
param           $1
new-param       setting
then the URL will be interpreted by auto-learning as:
/application?setting=value
To interpret non-standard URLs:
1 Create the custom URL replacer.
2 Add the URL replacer to a custom application policy (see “config server-policy custom-application application-policy”).
3 Apply the custom application policy in an auto-learning profile (see “config waf web-protection-profile autolearning-profile”).
4 Finally, apply the auto-learning profiles in a server policy (see “config server-policy policy”).
To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For more information, see “Permissions”.
Syntax
config server-policy custom-application url-replacer
edit <interpreter_name>
set type {pre-defined | custom-defined}
set app-type {jsp | owa-2003}
set url "<original-url_str>"
set new-url <new-url_str>
set param <value_str>
set new-param <replaced-param_name>
next
end
Variable / Description / Default

<interpreter_name>
Type the name of a new or existing URL interpreter. The maximum length is 35 characters.
To display the list of existing URL interpreters, type:
edit ?
Default: No default.

type {pre-defined | custom-defined}
Select either:
pre-defined — Use one of the predefined URL replacers for well-known web applications, which you select in app-type {jsp | owa-2003}.
custom-defined — Define your own URL replacer by configuring url "<original-url_str>", new-url <new-url_str>, param <value_str>, and new-param <replaced-param_name>.
Default: pre-defined

app-type {jsp | owa-2003}
If type is pre-defined, select which predefined URL interpreter to use, either:
jsp — Use the URL replacer designed for Java server pages (JSP) web applications, where parameters are often separated by semi-colons ( ; ).
owa-2003 — Use the URL replacer designed for Microsoft Outlook Web App (OWA) 2003, where user name and directory parameters are often embedded in the URL.
Default: jsp

url "<original-url_str>"
Type a regular expression, such as ^/(.*)/(.*)$, matching all and only the URLs to which the URL replacer should apply.
The pattern does not require a leading slash ( / ). However, it must at least match URLs that begin with a slash as they appear in the HTTP header, such as /index.html. Do not include the domain name, such as www.example.com.
This setting is used only if type is custom-defined. The maximum length is 255 characters.
Note: Auto-learning considers URLs up to approximately 180 characters long (assuming single-byte character encoding, after FortiWeb has decoded any nested hexadecimal or other URL encoding — therefore, the limit is somewhat dynamic). If the URL is greater than that buffer size, auto-learning will not be able to learn it, and so will ignore it. No event log will be created in this case.
Note: If this URL replacer will be used sequentially in its set of URL replacers, instead of being mutually exclusive, this regular expression should match the URL produced by the previous interpreter, not the original URL from the request.
Default: No default.

new-url <new-url_str>
Type either a literal URL, such as /index.html, or a regular expression with a back-reference (such as /$1) defining how the URL will be interpreted.
This setting is used only if type is custom-defined. The maximum length is 255 characters.
Note: Back-references can only refer to capture groups (parts of the expression surrounded with parentheses) within the same URL replacer. Back-references cannot refer to capture groups in other URL replacers.
Default: No default.

param <value_str>
Type either the parameter’s literal value, such as user1, or a back-reference (such as /$0) defining how the value will be interpreted.
This setting is used only if type is custom-defined. The maximum length is 255 characters.
Default: No default.

new-param <replaced-param_name>
Type either the parameter’s literal name, such as username, or a back-reference (such as $2) defining how the parameter’s name will be interpreted in the auto-learning report.
This setting is used only if type is custom-defined. The maximum length is 255 characters.
Note: Back-references can only refer to capture groups (parts of the expression surrounded with parentheses) within the same URL replacer. Back-references cannot refer to capture groups in other URL replacers.
Default: No default.
Example
This example assumes the HTTP request URL from a client is /mary/login.asp. The URL replacer interprets the URL to be /login.asp?username=mary.
config server-policy custom-application url-replacer
edit url-replacer1
set type custom-defined
set url ^/(.*)/(.*)$
set new-url /$1
set param $0
set new-param username
next
end
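The following Python script is an added simulation of how a custom-defined URL replacer rewrites a request path for auto-learning; it covers both the /application/value walkthrough above and the /mary/login.asp example in this section. It is not FortiWeb code and makes three assumptions drawn from this page: back-reference $N names the (N+1)-th capture group (the page's own example turns $0 into "mary" for ^/(.*)/(.*)$); when replacers run sequentially, each regex is matched against the path produced by the previous one while extracted parameters accumulate; and the roughly 180-character learnable URL size is treated as a hard cutoff. The sample paths and replacers are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Approximate limit quoted on the page; longer URLs are ignored with no event log.
MAX_LEARNABLE_URL = 180


@dataclass(frozen=True)
class UrlReplacer:
    """One custom-defined URL replacer, mirroring the CLI fields on the page."""
    url: str        # set url       -- regex the request path must match
    new_url: str    # set new-url   -- literal or $N back-reference
    param: str      # set param     -- literal value or $N back-reference
    new_param: str  # set new-param -- literal name or $N back-reference


_BACKREF = re.compile(r"\$(\d+)")


def expand(template: str, groups: Tuple[str, ...]) -> str:
    """Replace each $N in template with capture group N+1.

    Assumption: the page's example (url ^/(.*)/(.*)$ with param $0 yielding
    "mary" for /mary/login.asp) implies $0 is the first group, $1 the second.
    """
    def sub(m) -> str:
        idx = int(m.group(1))
        if idx >= len(groups):
            raise ValueError(f"${idx} refers to a capture group the regex lacks")
        return groups[idx]
    return _BACKREF.sub(sub, template)


def apply_replacer(path: str, r: UrlReplacer) -> Optional[Tuple[str, str, str]]:
    """Return (new_path, param_name, param_value), or None if the regex does not match."""
    m = re.search(r.url, path)
    if m is None:
        return None
    g = m.groups()
    return expand(r.new_url, g), expand(r.new_param, g), expand(r.param, g)


def interpret(path: str, replacers: List[UrlReplacer]) -> Optional[str]:
    """Simulate the URL auto-learning would record for a request path.

    Replacers run in order; each regex is matched against the path produced by
    the previous one (assumption taken from the page's note on sequential
    replacers) and the extracted parameters accumulate in the query string.
    Returns None when the URL exceeds the learnable size.
    """
    if len(path) > MAX_LEARNABLE_URL:
        return None  # per the page: not learned, and no event log is written
    current = path
    params: List[Tuple[str, str]] = []
    for r in replacers:
        result = apply_replacer(current, r)
        if result is None:
            continue  # this replacer does not apply; the URL passes through unchanged
        current, name, value = result
        params.append((name, value))
    if not params:
        return current
    return current + "?" + "&".join(f"{n}={v}" for n, v in params)


# Constructed sample replacers (illustrative, not a product configuration).
OWA_REPLACER = UrlReplacer(url=r"^/owa/([^/]+)/(.*)$", new_url="/owa/$1",
                           param="$0", new_param="username")
PAGE_EXAMPLE = UrlReplacer(url=r"^/(.*)/(.*)$", new_url="/$1",
                           param="$0", new_param="username")
# Two-stage chain for /app/sprockets/widget1024894: the second regex matches the
# path the first stage produced (/app/sprockets), not the original request.
SKU_STAGE = UrlReplacer(url=r"^(/app/sprockets)/(widget\d+)$", new_url="$0",
                        param="$1", new_param="sku")
CATEGORY_STAGE = UrlReplacer(url=r"^(/app)/([^/]+)$", new_url="$0",
                             param="$1", new_param="category")
# The same second stage written against the original URL instead: it never
# matches after the first stage ran, so it silently does nothing.
WRONG_CATEGORY_STAGE = UrlReplacer(url=r"^(/app)/([^/]+)/widget\d+$", new_url="$0",
                                   param="$1", new_param="category")

if __name__ == "__main__":
    for p in ("/owa/tom/index.html", "/owa/mary/index.html"):
        print(p, "->", interpret(p, [OWA_REPLACER]))
    print("/mary/login.asp ->", interpret("/mary/login.asp", [PAGE_EXAMPLE]))
    print(interpret("/app/sprockets/widget1024894", [SKU_STAGE, CATEGORY_STAGE]))
    print(interpret("/app/sprockets/widget1024894", [SKU_STAGE, WRONG_CATEGORY_STAGE]))
```

Running candidate regexes through a simulation like this against a sample of real request paths before committing them to the appliance is the check worth doing: a replacer whose regex does not match passes the URL through silently, and auto-learning then goes on learning one URL per user or per inventory item exactly as described above. The WRONG_CATEGORY_STAGE case shows the sequential-replacer pitfall from the url note, and the length cutoff shows why very long URLs never appear in the auto-learning report.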
Related topics
config server-policy custom-application application-policy