Inline protection profiles combine previously configured rules, profiles, and policies into a comprehensive set that can be applied by a policy. Inline protection profiles contain only the features that are supported in inline topologies, which you use with operation modes such as reverse proxy and true transparent.
Inline protection profiles’ primary purpose is to block attacks, especially for use in conjunction with auto-learning profiles. If used in conjunction with auto-learning profiles, you should configure the offline protection profile to log but not block attacks in order to gather complete session statistics for the auto-learning feature.
Inline protection profiles include features that require an inline network topology. They can be configured at any time, but cannot be applied by a policy if the FortiWeb appliance is operating in a mode that does not support them. For details, see How operation mode affects server policy behavior. |
1. Before configuring an inline protection profile, first configure any of the following that you want to include in the profile:
To save time, you may be able to use auto-learning to generate protection profiles and their components by observing your web servers’ traffic. For details, see Auto-learning. |
X-Forwarded-For:
or other X-header rule (see Defining your proxies, clients, & X-headers)2. Go to Policy > Web Protection Profile > Inline Protection Profile.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
3. Click Create New.
Alternatively, click the Clone icon to copy an existing profile as the basis for a new one. The predefined profiles supplied with your FortiWeb appliance cannot be edited, only viewed or cloned.
A dialog appears.
4. Configure these settings:
Setting name | Description |
---|---|
Session Management |
Enable to add a cookie to the reply in order for FortiWeb to be able to track the state of web applications across multiple requests (i.e., to implement HTTP sessions). Also configure Session Timeout. This feature adds the FortiWeb’s own session support, and does not duplicate or require that your web applications have its own sessions. For details, see HTTP sessions & security. Note: Enabling this option is required if:
Note: This feature requires that the client support cookies. RPC clients and browsers where the person has disabled cookies do not support FortiWeb HTTP sessions, and therefore also do not support FortiWeb features that are dependent upon them. |
Session Timeout |
Type the HTTP session timeout in seconds. After this time elapses during which there were no more subsequent requests, after which the FortiWeb appliance will regard the next request as the start of a new HTTP session. This option appears only if Session Management is enabled. The default is 1200 (20 minutes). The valid range is from 20 to 3,600 seconds. |
X-Forwarded-For |
Select the Note: Configuring this option is required if the true IP address of the client is hidden from FortiWeb because a load balancer or other web proxy is deployed in front. In that case, you must configure an X-header rule so that FortiWeb will block only requests related to the original client. Otherwise, it may block all requests whenever any attack occurs, since all requests will appear to originate from the proxy’s IP. |
Signatures |
Select the name of the signature set, if any, that will be applied to matching requests. Also configure Enable AMF3 Protocol Detection. Attack log messages for this feature vary by which type of attack was detected. For a list, see Blocking known attacks & data leaks. |
Enable AMF3 Protocol Detection |
Enable to scan requests that use action message format 3.0 (AMF3) for: and other attack signatures that you have enabled in Signatures. AMF3 is a binary format that can be used by Adobe Flash/Flex clients to send input to server-side software. Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will cause the FortiWeb appliance to be unable to scan AMF3 requests for attacks. |
Enable XML Protocol Detection | Enable to scan for matches with attack and data leak signatures in Web 2.0 (XML AJAX), SOAP, and other XML submitted by clients in the bodies of HTTP POST requests. |
Illegal XML Format |
Enable to validate that XML elements and attributes in the request’s body conform to the W3C XML 1.1 standard, the XML 2.0 standard, or both. Malformed XML, such as without the final > or with multiple >> in the closing tag, is often an attempt to exploit an unhandled error condition in a web application’s XHTML or XML parser. If the request fails the validation, FortiWeb takes the specified action. Attack log messages contain Caution: If your back-end web servers require extensive protection for a vulnerable XML parser, you should add 3rd-party XML protection to your security architecture. Unlike XML protection profiles in previous versions of FortiWeb, Illegal XML Format does not scan for conformity with the document object model (DOM)/DTD/W3C Schema, recursive payloads, Schema poisoning, or other advanced XML attacks. It also cannot encrypt or sign XML elements. Failure to provide adequate XML protection could allow attackers to penetrate your network.
In addition, select a severity level and trigger policy. Available only when Enable XML Protocol Detection is On. |
Enable JSON Protocol Detection | Enable to scan for matches with attack and data leak signatures in JSON data submitted by clients in HTTP requests with Content-Type: values application/json or text/json . |
Illegal JSON Format |
Enable to scan for illegal formatting in JSON data. If FortiWeb detects illegal formatting, it takes the specified action.
In addition, select a severity level and trigger policy. Available only when Enable JSON Protocol Detection is On. |
Custom Policy |
Select the name of a combination source IP, rate limit, HTTP header, and URL access policy, if any, that will be applied to matching requests. See Combination access control & rate limiting. Attack log messages contain |
Padding Oracle Protection |
Select the name of padding oracle protection rule, if any, that will be applied to matching requests. See Defeating cipher padding attacks on individually encrypted inputs. Attack log messages contain |
CSRF Protection |
Select the name of cross-site request forgery protection rule, if any, to apply to matching requests. See Defeating cross-site request forgery (CSRF) attacks. |
Cookie Security Policy | Select the name of a cookie security policy to apply to matching requests. See Protecting against cookie poisoning and other cookie-based attacks. If the Security Mode option in the policy is Signed, ensure that Session Management is On. |
Parameter Validation |
Select the name of the parameter validation rule, if any, that will be applied to matching requests. See Validating parameters (“input rules”).) Attack log messages contain |
Hidden Fields Protection |
Select the name of the hidden fields protection rule, if any, to use to protect hidden fields on your web site. See Preventing tampering with hidden inputs. Attack log messages contain This option appears only when Session Management is enabled. |
File Upload Restriction |
Select an existing file upload restriction policy, if any, that will be applied to matching HTTP requests. See Limiting file uploads. Attack log messages contain |
HTTP Protocol Constraints |
Select the name of an HTTP parameter constraint, if any, that will be applied to matching requests. See HTTP/HTTPS protocol constraints. Attack log messages for this feature vary by which type of constraint was violated. |
Brute Force Login |
Select the name of a brute force login attack profile, if any, that will be applied to matching requests. See Preventing brute force logins. Attack log messages contain |
URL Access |
Select the name of the URL access policy, if any, that will be applied to matching HTTP requests. See Restricting access to specific URLs. Attack log messages contain |
Page Access |
Select the page access rule, if any, that defines the URLs that must be accessed in a specific order. See Enforcing page order that follows application logic. Attack log messages contain This option appears only when Session Management is enabled. |
Start Pages |
Select the start pages rule, if any, that represent legitimate entry points into your web pages and web services. See Specifying URLs allowed to initiate sessions. Attack log messages contain This option appears only when Session Management is enabled. |
Allow Method |
Select an existing allow method policy, if any, that will be applied to matching HTTP requests. See Specifying allowed HTTP methods. Attack log messages contain |
IP List | Select the name of a client white list or black list, if any, that will be applied to matching requests. See Blacklisting & whitelisting clients using a source IP or source IP range. |
Geo IP | Select the name of a geographically-based client black list, if any, that will be applied to matching requests. See Blacklisting & whitelisting countries & regions. |
DoS Protection | Select the name of an existing DoS prevention policy. For details, see Grouping DoS protection rules. |
IP Reputation | Enable to apply IP reputation intelligence. See Blacklisting source IPs with poor reputation. |
FortiGate Quarantined IPs |
Enable to detect source IP addresses that a FortiGate unit is currently preventing from interacting with the network and protected systems. Then, select the action that FortiWeb takes if it detects a quarantined IP address:
In addition, select a severity level and trigger policy. For information on configuring communication with the FortiGate that provides the list of quarantined IP addresses, see Receive quarantined source IP addresses from FortiGate. |
Allow Known Search Engines |
Enable to exempt popular search engines’ spiders from DoS sensors, brute force login sensors, HTTP protocol constraints, combination rate & access control (called “advanced protection” and “custom policies” in the web UI), and blocking by geographic location (Geo IP). This option improves access for search engines. Rapid access rates, unusual HTTP usage, and other characteristics that may be suspicious for web browsers are often normal with search engines. If you block them, your web sites’ rankings and visibility may be affected. By default, this option allows all popular predefined search engines. Known search engine indexer source IPs are updated via FortiGuard Security Service. To specify which search engines are exempt, click the Details link. A new frame appears on the right side of the protection profile. Enable or disable each search engine, then click Apply. See also Blacklisting content scrapers, search engines, web crawlers, & other robots. Note: X-header-derived client source IPs (see Defining your proxies, clients, & X-headers) do not support this feature in this release. If FortiWeb is deployed behind a load balancer or other web proxy that applies source NAT, this feature will not work. |
URL Rewriting |
Select the name of a URL rewriting rule set, if any, that will be applied to matching requests. For details, see Rewriting & redirecting. |
HTTP Authentication |
Select the name of an authorization policy, if any, that will be applied to matching requests. For details, see Offloading HTTP authentication & authorization. If the client fails to authenticate, it will receive an HTTP |
Site Publish | Select the name of a site publishing policy, if any, that will be applied to matching requests. For details, see Single sign-on (SSO) (site publishing). |
File Compress | Select the name of an compression policy, if any, that will be applied to matching requests. For details, see Configuring compression offloading. |
File Uncompress | Select the name of a decompression policy, if any, that will be applied to matching requests. For details, see Configuring temporary decompression for scanning & rewriting. |
Web Cache | Select the name of a content caching policy, if any, that will be used for matching requests. See Caching. |
User Tracking | Select the name of a user tracking policy, if any, to use for matching requests. See Tracking users. |
Redirect URL |
Type a URL including the FQDN/IP and path, if any, to which a client will be redirected if:
For example, you could enter:
If you do not enter a URL, depending on the type of violation and the configuration, the FortiWeb appliance will log the violation, may attempt to remove the offending parts, and could either reset the connection or return an HTTP |
Redirect URL With Reason |
Enable to include the reason for redirection as a parameter in the URL, such as By default, this option is disabled. Caution: If the FortiWeb appliance is protecting a redirect URL, enable this option to prevent infinite redirect loops. |
Data Analytics |
Enable to gather hit, attack, and traffic volume statistics for each server policy that includes this profile. See Configuring policies to gather data and Viewing web site statistics. Note: This option cannot be enabled until you have uploaded a geography-to-IP mapping database. See Updating data analytics definitions. |
To view or modify a component without leaving the page, next to the drop-down menu where you have selected the component, click Detail.
5. Click OK.
6. If you intend to use this protection profile in conjunction with an auto-learning profile in order to indicate which attacks and other aspects should be discovered, also configure the auto-learning profile. For details, see Configuring an auto-learning profile.
7. To apply the inline protection profile, select it in a server policy. For details, see Configuring a server policy.