Variable | Description | Default |
<http-exception_name> | Type the name of a new or existing HTTP protocol constraint exception. The maximum length is 35 characters. To display the list of existing exceptions, type: edit ? | No default. |
<entry_index> | Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999. | No default. |
request-file <url_pattern> | Type either: • the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ). • a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm. Do not include the name of the web host, such as www.example.com, which is configured separately in host. The maximum length is 255 characters. | No default. |
request-type {plain | regular} | Type either plain or regular (for a regular expression) to match the string entered in request-file. | No default. |
host <protected-hosts_name> | Type the name of a protected host that the Host: field of an HTTP request must be in order to match the exception. The maximum length is 255 characters. This setting applies only if host-status is enable. | No default. |
host-status {enable | disable} | Enable to apply this exception only to HTTP requests for specific web hosts. Also configure host <protected-hosts_name>. Disable to match the exception based upon the other criteria, such as the URL, but regardless of the Host: field. | disable |
block-malformed-request {enable | disable} | Enable to omit the constraint on syntax and FortiWeb parsing errors. Caution: Some web applications require abnormal or very large HTTP POST requests. Since allowing such errors and excesses is generally bad practice and can lead to vulnerabilities, use this option to omit the malformed request scan only if absolutely necessary. | |
Illegal-host-name-check {enable | disable} | Enable to omit the constraint on host names with illegal characters. | disable |
Illegal-http-request-method-check {enable | disable} | Enable to omit the constraint on illegal HTTP request methods. | disable |
max-cookie-in-request {enable | disable} | Enable to omit the constraint on the maximum number of cookies per request. | disable |
max-header-line-request {enable | disable} | Enable to omit the constraint on the maximum number of HTTP header lines. | disable |
max-http-body-length {enable | disable} | Enable to omit the constraint on the maximum HTTP body length. | disable |
max-http-content-length {enable | disable} | Enable to omit the constraint on the maximum HTTP content length. | disable |
max-http-header-length {enable | disable} | Enable to omit the constraint on the maximum HTTP header length. | disable |
max-http-header-line-length {enable | disable} | Enable to omit the constraint on the maximum HTTP header line length. | disable |
max-http-parameter-length {enable | disable} | Enable to omit the constraint on the maximum HTTP parameter length. | disable |
max-http-request-length {enable | disable} | Enable to omit the constraint on the maximum HTTP request length. | disable |
max-url-parameter {enable | disable} | Enable to omit the constraint on the maximum number of parameters in the URL. | disable |
max-url-parameter-length {enable | disable} | Enable to omit the constraint on the maximum length of parameters in the URL. | disable |
number-of-ranges-in-range-header {enable | disable} | Enable to omit the constraint on the maximum acceptable number of Range: fields of an HTTP header. | disable |