FortiWeb appliances apply protection rules and perform protection profile scans in the following order of execution, which varies by whether you have applied a web protection profile. To understand the scan sequence, read from the top of the table (the first scan/action) towards the bottom (the last scan/action). Disabled scans are skipped.
To improve performance, block attackers using the earliest possible technique in the execution sequence and/or the least memory-consuming technique.

The blocking style varies by feature and configuration. For example, when detecting cookie poisoning, instead of resetting the TCP connection or blocking the HTTP request, you could log and remove the offending cookie. For details, see each specific feature.
Scan/action | Involves
---|---
Request from client to server |
TCP Connection Number Limit (TCP Flood Prevention) | Source IP address of the client (depending on your configuration of X-header rules (see Defining your proxies, clients, & X-headers) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
Block Period | Source IP address of the client (depending on your configuration of X-header rules (see Defining your proxies, clients, & X-headers) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
IP List * (individual client IP black list or white list) | Source IP address of the client in the IP layer; source IP address of the client in the HTTP layer
IP Reputation | Source IP address of the client (depending on your configuration of X-header rules (see Defining your proxies, clients, & X-headers) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
Allow Known Search Engines | Source IP address of the client in the IP layer
Geo IP | Source IP address of the client in the IP layer
Host (allowed/protected host name) | Host:
Allow Method |
HTTP Request Limit/sec |
Session Management |
TCP Connection Number Limit (Malicious IP) | Source IP address of the client (depending on your configuration of X-header rules (see Defining your proxies, clients, & X-headers) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
HTTP Request Limit/sec (HTTP Flood Prevention) |
HTTP Request Limit/sec (Shared IP) or HTTP Request Limit/sec (Shared IP) (HTTP Access Limit) |
HTTP Authentication | Authorization:
Global White List |
URL Access |
Brute Force Login |
HTTP Protocol Constraints |
Cookie Poisoning | Cookie:
Start Pages |
Page Access (page order) |
File Upload Restriction | in PUT and POST requests
Trojans | HTTP body
Bad Robot | User-Agent:
Parameter Validation |
Cross Site Scripting, SQL Injection, Generic Attacks (attack signatures) |
Hidden Fields Protection |
X-Forwarded-For | X-Forwarded-For: in HTTP header
URL Rewriting (rewriting & redirects) |
Auto-learning | Any of the other features included by the auto-learning profile
Data Analytics |
Client Certificate Forwarding | Client’s personal certificate, if any, supplied during the SSL/TLS handshake
Reply from server to client |
Information Disclosure | Server-identifying custom HTTP headers such as Server: and X-Powered-By:
Credit Card Detection | Credit card number in the body, and, if configured, Credit Card Detection Threshold
File Uncompress | Content-Encoding:
URL Rewriting (rewriting) |
File Compress | Accept-Encoding:

* If a source IP is white listed, subsequent checks will be skipped.
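As an added illustrative model (not FortiWeb's own code; the configuration values and the subset of scans are constructed for the example), the following Python shows the execution-order semantics described above: scans run top to bottom, a disabled scan is skipped, a white-listed source IP ends the sequence, and the address the IP-based scans key on depends on whether X-header rules are configured.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    src_ip: str                      # SRC field of the IP header
    method: str = "GET"
    headers: dict = field(default_factory=dict)

# Constructed configuration for the model (not a FortiWeb config format).
CFG = {
    "trust_x_headers": True,         # X-header rules on: client IP comes from XFF / X-Real-IP
    "blocked_ips": {"203.0.113.9"},  # client currently inside a Block Period
    "white_list": {"198.51.100.5"},
    "black_list": {"203.0.113.10"},
    "geo_ip_enabled": False,         # a disabled scan is skipped entirely
    "geo": {"203.0.113.10": "XX"}, "blocked_countries": {"XX"},
    "protected_hosts": {"www.example.com"},
    "allowed_methods": {"GET", "POST"},
}

def client_ip(req, trust_x_headers):
    # With X-header rules on, key on the first X-Forwarded-For hop or X-Real-IP;
    # otherwise on the IP-layer source address.
    if trust_x_headers:
        xff = req.headers.get("X-Forwarded-For")
        if xff:
            return xff.split(",")[0].strip()
        if req.headers.get("X-Real-IP"):
            return req.headers["X-Real-IP"].strip()
    return req.src_ip

def scan(req, cfg=CFG):
    # Run a subset of the request-side scans in table order; returns (verdict, scans_run).
    ip = client_ip(req, cfg["trust_x_headers"])
    sequence = [  # (scan name, enabled, check returning "block" / "allow" / None)
        ("Block Period", True, lambda: "block" if ip in cfg["blocked_ips"] else None),
        ("IP List", True, lambda: "allow" if ip in cfg["white_list"]
                          else "block" if ip in cfg["black_list"] else None),
        ("Geo IP", cfg["geo_ip_enabled"],
         lambda: "block" if cfg["geo"].get(ip) in cfg["blocked_countries"] else None),
        ("Host", True, lambda: None if req.headers.get("Host") in cfg["protected_hosts"] else "block"),
        ("Allow Method", True, lambda: None if req.method in cfg["allowed_methods"] else "block"),
    ]
    ran = []
    for name, enabled, check in sequence:
        if not enabled:
            continue                 # disabled scans are skipped
        ran.append(name)
        verdict = check()
        if verdict is not None:
            return verdict, ran      # white list skips later checks; a block stops early
    return "pass", ran
```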