You can configure rules that define which HTTP requests FortiWeb accepts or denies based on their Host: name and URL, as well as the origin of the request.
Typically, for example, access to administrative panels for your web application should only be allowed if the client’s source IP address is an administrator’s computer on your private management network. Unauthenticated access from unknown locations increases risk of compromise. Best practice dictates that such risk should be minimized.
X-header-derived client source IPs (see Defining your proxies, clients, & X-headers) do not support this feature in this release. If FortiWeb is deployed behind a load balancer or other web proxy that applies source NAT, this feature does not work.
URL access rules are evaluated after some other rules. As a result, permitted access can still be denied if it violates one of the rules that execute prior in the sequence. For details, see Sequence of scans.
You can use SNMP traps to notify you when a URL access rule is enforced. For details, see SNMP traps & queries.
1. Go to Web Protection > Access > URL Access Rule.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
2. Click Create New.
A dialog appears.
3. Configure these settings:
Setting name | Description |
---|---|
Name | Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. |
Host Status | Enable to require that the Host: field of the HTTP request match a protected host names entry in order to match the URL access rule. Also configure Host. |
Host | Select which protected host names entry (either a web host name or IP address) the Host: field of the HTTP request must match in order to match the URL access rule. This option is available only if Host Status is enabled. |
Action | Select the action that FortiWeb takes when it detects a violation of the rule. Supported options vary (available options are listed in the description for each specific rule), but may include: The default value is Alert. Caution: This setting will be ignored if Monitor Mode is enabled. Note: Logging and/or alert email will occur only if enabled and configured. See Logging and Alert email. Note: If you will use this rule set with auto-learning, you should select Pass or Continue. If Action is Alert & Deny, or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the interruption will cause incomplete session information for auto-learning. |
Severity | When rule violations are recorded in the attack log, each log message contains a Severity Level ( The default value is High. |
Trigger Action | Select which trigger, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See Viewing log messages. |
4. Click OK.
5. Click Create New to add an entry to the set.
A dialog appears.
6. Configure these settings:
Setting name | Description |
---|---|
ID | Type the index number of the individual rule within the URL access rule, or keep the field’s default value of auto to let the FortiWeb appliance automatically assign the next available index number. |
Source Address | Enable to add the client’s source IP address as a criterion for matching the URL access rule. Also configure Source Address Type and the field it enables (IPv4/IPv6 / IP Range, IP Resolved by Specified Domain, or Source Domain). |
Source Address Type | Select how FortiWeb determines matching client source IPs: IPv4/IPv6 / IP Range, IP Resolved by Specified Domain, or Source Domain. |
IPv4/IPv6 / IP Range | Enter one of the following values: Available only if Source Address Type is IPv4/IPv6 / IP Range. |
Type | Select the type of IP address FortiWeb retrieves from the DNS lookup of the domain specified by IP Resolved by Specified Domain. Available only if Source Address Type is IP Resolved by Specified Domain. |
IP Resolved by Specified Domain | Enter the domain to match the client source IP after DNS lookup. Available only if Source Address Type is IP Resolved by Specified Domain. |
Source Domain Type | Specify whether the Source Domain field contains a literal domain (Simple String) or a regular expression designed to match multiple domains (Regular Expression). When you finish typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window, where you can fine-tune the expression (see Regular expression syntax). Available only if Source Address Type is Source Domain. |
Source Domain | Specify the domain to match. Depending on the value of Source Domain Type, enter one of the following: Available only if Source Address Type is Source Domain. |
URL Type | Select whether the URL Pattern field will contain a literal URL (Simple String) or a regular expression designed to match multiple URLs (Regular Expression). |
URL Pattern | Depending on your selection in URL Type, enter either: For example, suppose the URL is /send/?packet=1&token=41. Use the following expression to match the exact, full URL, with both parameters set to any number: ^\/send\/\?packet=[0-9]+\&token=[0-9]+ To match the exact, full URL when the values of the parameters are between 0 and 999,999: ^\/send\/\?packet=[0-9]{1,6}\&token=[0-9]{1,6} To match the root path regardless of appended parameters and without regard to their order: ^\/send\/ The pattern does not require a slash ( / ). However, it must at least match URLs that begin with a slash, such as Do not include the domain name, such as |
Meet this condition if: | Select whether the access condition is met when the HTTP request matches both the regular expression (or text string) and the source IP address of the client, or when it does not match the regular expression (or text string) and/or the source IP address of the client. |
7. Click OK.
8. Repeat the previous steps for each individual condition that you want to add to the URL access rule.
9. Go to Web Protection > Access > URL Access Policy.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
10. Click Create New.
A dialog appears.
11. In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
12. Click OK.
13. Click Create New to add an entry to the set.
A dialog appears.
14. From the Access Rule Name drop-down list, select the name of a URL access rule to include in the policy.
To view or change the information associated with the rule, select the Detail link. The URL Access Rule dialog appears. Use the browser Back button to return.
15. Click OK.
16. Repeat the previous steps for each individual rule that you want to add to the URL access policy.
Rules at the top of the list have priority over rules further down. Use Move to change the order of the rules. (The ID value does not affect rule priority.)
17. To apply the URL access policy, select it in an inline or offline protection profile (see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation).
Attack log messages contain URL Access Violation when this feature detects a suspicious HTTP request.
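As an added example, not FortiWeb code: a small Python model of how the condition fields in the tables above combine (Host is omitted), used to check the three URL Pattern regexes against constructed requests and to show why rule order in the policy matters for the admin-panel scenario in the introduction. Rule names, the 10.0.100.0/24 management network and the client IPs are constructed, and it is an assumption that the first rule in the list with a met condition decides the action.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Condition:
    """One entry of a URL access rule (step 6). Field names mirror the table above."""
    url_pattern: str
    url_type: str = "Regular Expression"  # or "Simple String"
    source_cidrs: tuple = ()              # () = Source Address disabled (constructed CIDRs below)
    meet_if_match: bool = True            # "Meet this condition if": True = match, False = does not match

    def is_met(self, url: str, client_ip: str) -> bool:
        if self.url_type == "Regular Expression":
            url_ok = re.search(self.url_pattern, url) is not None
        else:
            url_ok = url == self.url_pattern
        ip_ok = True
        if self.source_cidrs:
            ip = ipaddress.ip_address(client_ip)
            ip_ok = any(ip in ipaddress.ip_network(c) for c in self.source_cidrs)
        both = url_ok and ip_ok
        # As documented: "does not match" is met when the URL and/or the source IP fails to match.
        return both if self.meet_if_match else not both


@dataclass
class Rule:
    name: str
    action: str                                   # e.g. "Pass" or "Alert & Deny"
    conditions: list = field(default_factory=list)


def evaluate_policy(policy, url, client_ip):
    """Top of the list wins (ID is irrelevant); assumed: the first rule with a met condition decides."""
    for rule in policy:
        if any(c.is_met(url, client_ip) for c in rule.conditions):
            return rule.name, rule.action
    return None, "Pass"  # no rule matched: the request continues to the later scans


MGMT_NET = ("10.0.100.0/24",)  # constructed: the administrators' private management network
POLICY = [
    Rule("admin-from-mgmt", "Pass", [Condition(r"^/admin/", source_cidrs=MGMT_NET)]),
    Rule("admin-from-anywhere", "Alert & Deny", [Condition(r"^/admin/")]),
    Rule("send-any-number", "Alert", [Condition(r"^\/send\/\?packet=[0-9]+\&token=[0-9]+")]),
]
# The other two patterns from the URL Pattern row, for /send/?packet=1&token=41:
SEND_EXACT = Condition(r"^\/send\/\?packet=[0-9]{1,6}\&token=[0-9]{1,6}")
SEND_ROOT = Condition(r"^\/send\/")
```

Swapping the first two rules would deny administrators too, which is the ordering pitfall step 16 warns about.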