
Restricting access to specific URLs

You can configure rules that define which HTTP requests FortiWeb accepts or denies based on their Host: name and URL, as well as the origin of the request.

Typically, for example, access to administrative panels for your web application should only be allowed if the client’s source IP address is an administrator’s computer on your private management network. Unauthenticated access from unknown locations increases risk of compromise. Best practice dictates that such risk should be minimized.

X-header-derived client source IPs (see Defining your proxies, clients, & X-headers) do not support this feature in this release. If FortiWeb is deployed behind a load balancer or other web proxy that applies source NAT, this feature does not work.

URL access rules are evaluated after some other rules. As a result, permitted access can still be denied if it violates one of the rules that execute prior in the sequence. For details, see Sequence of scans.

You can use SNMP traps to notify you when a URL access rule is enforced. For details, see SNMP traps & queries.

To configure a URL access rule

1.  Go to Web Protection > Access > URL Access Rule.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

2.  Click Create New.

A dialog appears.

3.  Configure these settings:

Setting name / Description

Name

Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

Host Status

Enable to require that the Host: field of the HTTP request match a protected host names entry in order to match the URL access rule. Also configure Host.
Host

Select the protected host names entry (a web host name or IP address) that the Host: field of the HTTP request must match in order to match the URL access rule.

This option is available only if Host Status is enabled.

Action

Select the action that FortiWeb takes when it detects a violation of the rule. Supported options vary (available options are listed in the description for each specific rule), but may include:

  • Alert & Deny — Block the request (reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. See Customizing error and authentication pages (replacement messages).

  • Pass — Allow the request. Do not generate an alert and/or log message.
  • Continue — Continue by evaluating any subsequent rules defined in the web protection profile (see Sequence of scans). If the request does not violate any other rules, FortiWeb allows the request. If the single request violates multiple rules, it generates multiple attack log messages.

The default value is Alert.

Caution: This setting will be ignored if Monitor Mode is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. See Logging and Alert email.

Note: If you will use this rule set with auto-learning, you should select Pass or Continue. If Action is Alert & Deny, or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the interruption will cause incomplete session information for auto-learning.

Severity

When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

  • Low
  • Medium
  • High

The default value is High.

Trigger Action Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See Viewing log messages.

4.  Click OK.

5.  Click Create New to add an entry to the set.

A dialog appears.

6.  Configure these settings:

Setting name / Description

ID

Type the index number of the individual rule within the URL access rule, or keep the field’s default value of auto to let the FortiWeb appliance automatically assign the next available index number.

Source Address

Enable to add the client’s source IP address as a criterion for matching the URL access rule. Also configure Source Address Type and Source Domain.
Source Address Type

Select how FortiWeb determines matching client source IPs:

  • IPv4/IPv6 / IP Range — A single IP address or an address range. Also configure IPv4/IPv6 / IP Range.
  • IP Resolved by Specified Domain — FortiWeb determines the source IP to match by performing a DNS lookup for the specified domain. Also configure Type and IP Resolved by Specified Domain.
  • Source Domain — To determine a match, FortiWeb performs a reverse DNS lookup for the client source IP to determine its corresponding domain, and then compares the domain to the value of Source Domain. Also configure Source Domain Type and Source Domain.
IPv4/IPv6 / IP Range

Enter one of the following values:

  • A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 172.16.1.20).
  • A range of addresses (e.g., 172.22.14.1-172.22.14.255 or 10:200::10:1-10:200:10:100).

Available only if Source Address Type is IPv4/IPv6 / IP Range.

Type

Select the type of IP address FortiWeb retrieves from the DNS lookup of the domain specified by IP Resolved by Specified Domain.

Available only if Source Address Type is IP Resolved by Specified Domain.

IP Resolved by Specified Domain

Enter the domain to match the client source IP after DNS lookup.

Available only if Source Address Type is IP Resolved by Specified Domain.

Source Domain Type

Specify whether the Source Domain field contains a literal domain (Simple String) or a regular expression designed to match multiple domains (Regular Expression).

When you finish typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression (see Regular expression syntax).

Available only if Source Address Type is Source Domain.

Source Domain

Specify the domain to match.

Depending on the value of Source Domain Type, enter one of the following:

  • the literal domain
  • a regular expression.

Available only if Source Address Type is Source Domain.

URL Type

Select whether the URL Pattern field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).

URL Pattern

Depending on your selection in URL Type, enter either:

  • the literal URL, such as /admin.php. The URL must begin with a slash ( / ).
  • a regular expression.

For example, the URL is:

/send/?packet=1&token=41

Use the following expression to match the exact, full URL, with both parameters set to any number:

^\/send\/\?packet=[0-9]+\&token=[0-9]+

To match the exact, full URL when the values of the parameters are between 0 and 999,999:

^\/send\/\?packet=[0-9]{1,6}\&token=[0-9]{1,6}

To match the root path regardless of appended parameters and without regard to order:

^\/send\/

The pattern does not require a slash ( / ). However, it must at least match URLs that begin with a slash, such as /admin.cfm.

When you finish typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression (see Regular expression syntax).

Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list for the URL access rule.

Meet this condition if

Select whether the access condition is met when the HTTP request matches both the regular expression (or text string) and source IP address of the client, or when it does not match the regular expression (or text string) and/or source IP address of the client.

7.  Click OK.

8.  Repeat the previous steps for each individual condition that you want to add to the URL access rule.

9.  Go to Web Protection > Access > URL Access Policy.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

10.  Click Create New.

A dialog appears.

11.  In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

12.  Click OK.

13.  Click Create New to add an entry to the set.

A dialog appears.

14.  From the Access Rule Name drop-down list, select the name of a URL access rule to include in the policy.

To view or change the information associated with the rule, select the Detail link. The URL Access Rule dialog appears. Use the browser Back button to return.

15.  Click OK.

16.  Repeat the previous steps for each individual rule that you want to add to the URL access policy.

Rules at the top of the list have priority over rules further down. Use Move to change the order of the rules. (The ID value does not affect rule priority.)

17.  To apply the URL access policy, select it in an inline or offline protection profile (see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation).

Attack log messages contain URL Access Violation when this feature detects a suspicious HTTP request.
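The following is an added example, not FortiWeb code: a simplified Python model of how the rule criteria above (Host, IPv4/IPv6 / IP Range, URL Pattern with URL Type, Meet this condition if) combine into an ordered URL access policy with the Alert & Deny, Pass and Continue actions. It assumes unanchored PCRE-style regex search, that all enabled criteria are ANDed, and top-down first-match evaluation in which only Continue lets later rules run; the sample policy and request values are constructed, not taken from the page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class UrlAccessRule:
    name: str
    url_pattern: str                       # URL Pattern (must target URLs starting with "/")
    url_type: str = "Regular Expression"   # URL Type: "Regular Expression" or "Simple String"
    source_range: Optional[str] = None     # IPv4/IPv6 / IP Range: "low-high" or a single address
    host: Optional[str] = None             # Host (None models Host Status disabled)
    match_if: bool = True                  # "Meet this condition if": True = matches, False = does not
    action: str = "Alert & Deny"           # "Alert & Deny", "Pass" or "Continue"

def ip_in_range(ip: str, rng: str) -> bool:  # single address or inclusive "low-high" range
    low, _, high = rng.partition("-")
    addr, lo = ipaddress.ip_address(ip), ipaddress.ip_address(low)
    hi = ipaddress.ip_address(high) if high else lo
    return addr.version == lo.version and lo <= addr <= hi

def url_matches(rule: UrlAccessRule, url: str) -> bool:
    if rule.url_type == "Simple String":
        return url == rule.url_pattern
    return re.search(rule.url_pattern, url) is not None  # unanchored search (assumption)

def condition_met(rule: UrlAccessRule, host: str, src_ip: str, url: str) -> bool:
    hit = url_matches(rule, url)
    if rule.host is not None:
        hit = hit and host == rule.host              # Host Status enabled: Host: must match
    if rule.source_range is not None:
        hit = hit and ip_in_range(src_ip, rule.source_range)
    return hit if rule.match_if else not hit         # "Meet this condition if" negation

def evaluate_policy(policy, host: str, src_ip: str, url: str):
    """Rules are checked top-down; the first met rule decides unless its action is Continue."""
    logged = []
    for rule in policy:
        if condition_met(rule, host, src_ip, url):
            logged.append(rule.name)          # every met rule produces an attack log entry
            if rule.action != "Continue":
                return rule.action, logged
    return "Pass", logged                     # no rule met: request is allowed

# Constructed sample policy: admin panel only from the management network, in priority order.
POLICY = [
    UrlAccessRule("admin_from_mgmt", r"^/admin", source_range="172.16.1.1-172.16.1.254", action="Pass"),
    UrlAccessRule("admin_deny_others", r"^/admin", host="www.example.com"),
    UrlAccessRule("send_params", r"^\/send\/\?packet=[0-9]{1,6}\&token=[0-9]{1,6}", action="Continue"),
]
```

Because the page's patterns have no end anchor, `/send/?packet=1&token=41&extra=1` still matches the send_params rule under this model; add `$` if the intent is to match the exact full URL only.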
