Variable | Description | Default |
<allowed-methods_name> | Type the name of a new or existing allowed methods policy. This field cannot be modified if you are editing an existing allowed method exception. To modify the name, delete the entry, then recreate it using the new name. The maximum length is 35 characters. To display a list of the existing policies, type: edit ? | No default. |
allow-method {connect delete get head options others post put trace} | Select one or more HTTP request methods that you want to allow for this specific policy. Methods that you do not select will be denied, unless specifically allowed for a host and/or URL in [allow-method-exception <method-exception_name>]. The OTHERS option includes methods not specifically named in the other options. It often may be required by WebDAV (RFC 2518) applications such as Microsoft Exchange Server 2003 and Subversion, which may require HTTP methods not commonly used by web browsers, such as PROPFIND and BCOPY. Note: If a WAF Auto Learning Profile is used in the server policy where the HTTP request method is applied (via the Web Protection Profile), you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb appliance to learn about. If a method is disabled, the FortiWeb appliance will reset the connection, and therefore cannot learn about the session. | No default. |
severity {High | Medium | Low} | Select the severity level to use in logs and reports generated when a violation of the policy occurs. | High |
triggered-action <trigger-policy_name> | Type the name of the trigger policy you want FortiWeb to apply when a violation of the HTTP request method policy occurs. Trigger policies determine who will be notified by email when the policy violation occurs, and whether the log message associated with the violation are recorded. The maximum length is 35 characters. To display a list of the existing policies, type: set triggered-action ? | No default. |
[allow-method-exception <method-exception_name>] | Type the name of an existing HTTP request method exception, if any, to apply to it. The maximum length is 35 characters. To display a list of the existing policy, type: set allow-method-exception ? | No default. |