system advanced
Use this command to configure several system-wide options that determine how FortiWeb scans traffic.
To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For more information, see “Permissions”.
Syntax
config system advanced
set circulate-url-decode {enable | disable}
set max-cache-size <cache_int>
set max-dlp-cache-size <percentage_int>
set max-dos-alert-interval <seconds_int>
set max-http-argbuf-length {8k-cache | 12k-cache | 32k-cache | 64k-cache}
set max-http-header-length {8k-cache | 12k-cache}
set share-ip {enable | disable}
set upfile-count {8 | 16}
end
Variables (each followed by its description and default value)
circulate-url-decode {enable | disable}
    Enable to detect URL-embedded attacks that are obfuscated using recursive URL encoding (that is, multiple levels’ worth of URL encoding).
    Encoded URLs can be legitimately used for non-English URLs, but can also be used to avoid detection of attacks that use special characters. Encoded URLs can now be decoded to scan for these types of attacks. Several encoding types are supported.
    For example, you could detect the character A that is encoded as either %41, %x41, %u0041, or \t41.
    Disable to decode only one level’s worth of the URL, if encoded.
    Default: disable
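To show why the single-level setting matters, here is an added illustration (not FortiWeb code) of a decoder that accepts the %HH, %xHH and %uHHHH forms named above and either decodes one level or keeps decoding until the string stops changing; the scan signature and inputs are constructed for the demonstration.

```python
import re

# One character may be written as %41, %x41 or %u0041 (forms listed on the page).
# Order matters: try the %u and %x prefixes before the plain %HH form.
_PCT = re.compile(r'%(?:u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2})|([0-9a-fA-F]{2}))')

def decode_once(s: str) -> str:
    """Decode exactly one level of URL encoding (the 'disable' behaviour)."""
    def repl(m: re.Match) -> str:
        hexval = m.group(1) or m.group(2) or m.group(3)
        return chr(int(hexval, 16))
    return _PCT.sub(repl, s)

def decode_recursive(s: str, max_levels: int = 8) -> tuple[str, int]:
    """Decode repeatedly until nothing changes (the 'enable' behaviour).

    Returns (decoded_text, levels_removed). max_levels bounds the work so a
    pathological input cannot keep the scanner busy indefinitely.
    """
    levels = 0
    while levels < max_levels:
        decoded = decode_once(s)
        if decoded == s:
            break
        s = decoded
        levels += 1
    return s, levels

# Constructed signature standing in for a real attack-detection rule.
SIGNATURE = re.compile(r"<script\b", re.IGNORECASE)

def matches(url_fragment: str, recursive: bool) -> bool:
    """Run the signature over the decoded fragment; True means 'would be detected'."""
    text = decode_recursive(url_fragment)[0] if recursive else decode_once(url_fragment)
    return SIGNATURE.search(text) is not None

if __name__ == "__main__":
    # Constructed sample: the same payload encoded twice. One-level decoding
    # only peels it back to "%3Cscript%3E", so the signature never fires.
    double_encoded = "%253Cscript%253E"
    print("one level  :", matches(double_encoded, recursive=False))   # False
    print("recursive  :", matches(double_encoded, recursive=True))    # True
    print("levels used:", decode_recursive(double_encoded)[1])        # 2
```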
max-cache-size <cache_int>
    Type the maximum size in kilobytes (KB) of the body of the HTTP response from the web server that FortiWeb will cache per URL.
    Responses are cached to improve performance on compression, decompression, and rewriting on often-requested URLs.
    Valid values range from 32 to 1,024. The default value is 64.
    Increasing the body cache may decrease performance.
    Default: 64
max-dlp-cache-size <percentage_int>
    Type the maximum percentage of max-cache-size <cache_int> (the body of the HTTP response from the web server) that FortiWeb buffers and scans.
    Responses are cached to improve performance on compression, decompression, and rewriting on often-requested URLs.
    Default: 12
max-dos-alert-interval <seconds_int>
    Type the maximum period, in seconds, during which FortiWeb merges repeated events from a DoS attack or padding oracle attack into a single log message.
    Default: 180
max-http-argbuf-length {8k-cache | 12k-cache | 32k-cache | 64k-cache}
    Select the maximum buffer size in kilobytes (KB) for each parameter in the HTTP request. The buffer applies regardless of HTTP method, and whether the parameters are in the URL or body.
    Caution: Fortinet strongly recommends that you configure FortiWeb to block requests larger than this buffer. Parameters exceeding this buffer size cannot be scanned. As a result, unless you configure FortiWeb to block oversized parameters using max-url-parameter-length {enable | disable} and max-url-parameter {enable | disable}, they will be passed. This could allow oversized attacks to pass through.
    Some web applications require very large requests or parameters, and will not work if oversized parameters are blocked. To be sure that hardening the configuration will not disrupt normal traffic, first configure <parameter_name>-action {alert | alert_deny | block-period} to be alert. If no problems occur, switch it to alert_deny.
    Tip: Increasing the buffer size increases memory consumption slightly, and may decrease performance. Only increase this value if necessary.
    Default: 8k-cache
max-http-header-length {8k-cache | 12k-cache}
    Select the maximum buffer size in kilobytes (KB) for the Cookie:, User-Agent:, Host:, Referer:, and other headers in the HTTP request.
    Caution: Fortinet strongly recommends that you configure FortiWeb to block requests if those headers are larger than this buffer. Headers exceeding this buffer size cannot be scanned. As a result, unless you configure FortiWeb to block oversized headers using max-http-header-line-length <limit_int>, they will be passed. This could allow oversized attacks to pass through.
    Some web applications require very large requests, cookies, or parameters, and will not work if oversized parameters or cookies are blocked. To be sure that hardening the configuration will not disrupt normal traffic, first configure <parameter_name>-action {alert | alert_deny | block-period} to be alert. If no problems occur, switch it to alert_deny.
    Tip: Increasing the buffer size increases memory consumption slightly, and may decrease performance. Only increase this value if necessary.
    Default: 8k-cache
share-ip {enable | disable}
    Enable to analyze the ID field of IP headers in order to attempt to detect when multiple clients share the same source IP address. To configure the difference between packets’ ID fields that FortiWeb will treat as a shared IP, use config system ip-detection.
    Enabling this option is required for features that have a separate threshold for shared IP addresses, such as brute force login prevention. If you disable the option, those features will behave as if there is only a single threshold, regardless of whether the source IP is shared by many clients.
    Default: disable
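The heuristic this option relies on, as an added illustration that is not FortiWeb's implementation: a single host usually advances the 16-bit IP ID field in small steps, while several hosts behind one NAT address interleave their own counters and produce large jumps. The packet sample and the gap threshold (standing in for the ip-detection setting) are constructed, and the final function shows how the shared-IP threshold is only consulted when share-ip is enabled.

```python
IP_ID_MODULUS = 1 << 16  # the IP header ID field is 16 bits and wraps around

def id_delta(prev: int, cur: int) -> int:
    """Forward distance between two IP ID values, allowing for wrap-around."""
    return (cur - prev) % IP_ID_MODULUS

def classify_sources(packets, max_gap: int) -> dict:
    """Return {src_ip: 'shared' | 'single'} from (src_ip, ip_id) tuples in arrival order.

    Any jump between consecutive packets from one address that exceeds
    max_gap marks that address as shared. Constructed heuristic; max_gap
    plays the role of the difference configured under config system ip-detection.
    """
    last_id: dict[str, int] = {}
    result: dict[str, str] = {}
    for src, ip_id in packets:
        result.setdefault(src, "single")
        if src in last_id and id_delta(last_id[src], ip_id) > max_gap:
            result[src] = "shared"
        last_id[src] = ip_id
    return result

def effective_limit(share_ip_enabled: bool, is_shared: bool,
                    single_limit: int, shared_limit: int) -> int:
    """Threshold a feature such as brute force login prevention would apply.

    With share-ip disabled the shared threshold is never used, which is the
    'single threshold' behaviour the description warns about.
    """
    return shared_limit if (share_ip_enabled and is_shared) else single_limit

# Constructed sample (documentation-range addresses): 198.51.100.7 is one host
# whose IDs climb by 1-2; 203.0.113.9 is a NAT address carrying two hosts whose
# counters sit near 100 and 40000.
SAMPLE = [
    ("198.51.100.7", 5001), ("203.0.113.9", 100),   ("198.51.100.7", 5002),
    ("203.0.113.9", 40000), ("198.51.100.7", 5004), ("203.0.113.9", 101),
    ("203.0.113.9", 40001),
]

if __name__ == "__main__":
    verdicts = classify_sources(SAMPLE, max_gap=1000)
    for src, verdict in verdicts.items():
        limit = effective_limit(True, verdict == "shared", single_limit=5, shared_limit=50)
        print(f"{src}: {verdict}, brute-force limit {limit}")
```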
upfile-count {8 | 16}
    Select the maximum number of uploaded files that FortiWeb antivirus will scan before deciding to pass or block the request.
    Default: 8
Related topics
config server-policy policy
config system certificate local
config system global
config system ip-detection
config waf brute-force-login
config waf application-layer-dos-prevention
config waf http-protocol-parameter-restriction