Variable | Description | Default |
<method-exception_name> | Type the name of the allowed methods exception. The maximum length is 35 characters. To display a list of the existing exceptions, type: edit ? | No default. |
<entry_index> | Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999. | No default. |
allow-request {connect delete get head options others post put trace} | Select one or more of the allowed HTTP request methods that are an exception for that combination of URL and host. Methods that you do not select will be denied. The OTHERS option includes methods not specifically named in the other options. It often may be required by WebDAV (RFC 2518) applications such as Microsoft Exchange Server 2003 and Subversion, which may require HTTP methods not commonly used by web browsers, such as PROPFIND and BCOPY. Note: If a WAF Auto Learning Profile will be selected in the policy with an offline protection profile that uses this allowed method exception, you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb appliance to learn about. If a method is disabled, the FortiWeb appliance will reset the connection, and therefore cannot learn about the session. | No default. |
host <protected-hosts_name> | Type the name of a protected host that the Host: field of an HTTP request must be in order to match the exception. The maximum length is 255 characters. This setting is used only if host-status is enable. | No default. |
host-status {enable | disable} | Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the allowed method exception. Also configure host <protected-hosts_name>. | disable |
request-file <url_str> | Depending on your selection in request-type {plain | regular}, either: • Type the literal URL, such as /index.php, that is an exception to the generally allowed HTTP request methods. The URL must begin with a slash ( / ). • Type a regular expression, such as ^/*.php, matching all and only the URLs which are exceptions to the generally allowed HTTP request methods. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm. For example, if multiple URLs on a host have identical HTTP request method requirements, you would type a regular expression matching all of and only those URLs. Do not include the name of the web host, such as www.example.com, which is configured separately in host <protected-hosts_name>. The maximum length is 255 characters. Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide. | No default. |
request-type {plain | regular} | plain |