Sequence of scans

FortiWeb applies protection rules and performs protection profile scans in the order of execution according to the below table. To understand the scan sequence, read from the top of the table (the first scan/action) toward the bottom (the last scan/action). Disabled scans are skipped.

To improve performance, block attackers using the earliest possible technique in the execution sequence and/or the least memory-consuming technique. The blocking style varies by feature and configuration. For example, when detecting cookie poisoning, instead of resetting the TCP connection or blocking the HTTP request, you could log and remove the offending cookie. For details, see each specific feature.

Execution sequence (web protection profile)
Scan/action	Involves
Request from client to server
TCP Connection Number Limit (TCP Flood Prevention)	Source IP address of the client depending on your configuration of X-header rules (see Defining your proxies, clients, & X-headers). This could be derived from either the `SRC` field in the IP header, or the `X-Forwarded-For:` and `X-Real-IP:` HTTP headers.
Block Period	Source IP address of the client depending on your configuration of X-header rules (see Defining your proxies, clients, & X-headers). This could be derived from either the `SRC` field in the IP header, or the `X-Forwarded-For:` and `X-Real-IP:` HTTP headers.
IP List * (individual client IP black list or white list)	Source IP address of the client in the IP layer
Add X-Forwarded-For: Add X-Real-IP:	Source IP address of the client in the HTTP layer
IP Reputation	Source IP address of the client depending on your configuration of X-header rules (see Defining your proxies, clients, & X-headers). This could be derived from either the `SRC` field in the IP header, or the `X-Forwarded-For:` and `X-Real-IP:` HTTP headers.
Allow Known Search Engines	Source IP address of the client in the IP layer
Geo IP	Source IP address of the client in the IP layer
Add HSTS Header	`Strict-Transport-Security:` header
Defining your protected/allowed HTTP “Host:” header names (allowed/protected host name)	`Host:`
Allow Method	`Host:` URL in HTTP header Request method in HTTP header
Real Browser Enforcement	Tests whether the client is a web browser or automated tool.
Session Management	`Cookie:` Session state
HTTP Request Limit/sec (HTTP Flood Prevention)	`Cookie:` Session state URL in the HTTP header
TCP Connection Number Limit (Malicious IP)	Source IP address of the client depending on your configuration of X-header rules (see Defining your proxies, clients, & X-headers). This could be derived from either the `SRC` field in the IP header, or the `X-Forwarded-For:` and `X-Real-IP:` HTTP headers.
HTTP Request Limit/sec (Shared IP) or HTTP Request Limit/sec (Shared IP) (HTTP Access Limit)	`ID` field of the IP header Source IP address of the client depending on your configuration of X-header rules (see Defining your proxies, clients, & X-headers). This could be derived from either the `SRC` field in the IP header, or the `X-Forwarded-For:` and `X-Real-IP:` HTTP headers.
Brute Force Login	Source IP address of the client depending on your configuration of X-header rules (see Defining your proxies, clients, & X-headers). This could be derived from either the `SRC` field in the IP header, or the `X-Forwarded-For:` and `X-Real-IP:` HTTP headers. URL in the HTTP header
HTTP Authentication	`Authorization:`
Site Publish	`Host:` URL of the request for the web application
Configuring the global object white list	`Cookie: cookiesession1` URL if `/favicon.ico`, AJAX URL parameters such as `__LASTFOCUS`, and others as updated by the FortiGuard Security Service.
URL Access	`Host:` URL in HTTP header Source IP of the client in the IP header
Padding Oracle Protection	`Host:` URL in HTTP header Individually encrypted URL, cookie, or parameter
HTTP Protocol Constraints	`Content-Length:` Parameter length Body length Header length Header line length Count of `Range:` header lines Count of cookies
Cookie Security Policy	`Cookie:`
Start Pages	`Host:` URL in HTTP header Session state
Page Access (page order)	`Host:` URL in HTTP header Session state
File Security	`Content-Length:` `Content-Type:` in `PUT` and `POST` requests
Parameter Validation	`Host:` URL in the HTTP header Name, data type, and length
File Uncompress	`Content‑Type:`
Web Cache	`Host:` URL in the HTTP header Size in kilobytes (KB) of each URL to cache
Cross Site Scripting Cross Site Scripting Cross Site Scripting SQL Injection Generic Attacks (attack signatures)	`User-Agent:` (Bad Robot) `Cookie:` Parameters in the URL, or the HTTP header or body XML content in the HTTP body (if Enable XML Protocol Detection is enabled)
Hidden Fields Protection	`Host:` URL in the HTTP header Name, data type, and length of `<input type="hidden">`
Custom Policy	Source IP address of the client depending on your configuration of X-header rules (see Defining your proxies, clients, & X-headers). This could be derived from either the `SRC` field in the IP header, or the `X-Forwarded-For:` and `X-Real-IP:` HTTP headers. URL in the HTTP header HTTP header Parameter in the URL, or the HTTP header or body
X-Forwarded-For	`X-Forwarded-For:` in HTTP header
URL Rewriting (rewriting & redirects)	`Host:` `Referer:` `Location:` URL in HTTP header HTTP body
File Compress	`Content‑Type:`
Client Certificate Forwarding	Client’s personal certificate, if any, supplied during the SSL/TLS handshake
Auto-learning	Any of the other features included by the auto-learning profile
Data Analytics	Source IP address of the client URL in the HTTP header Results from other scans
Reply from server to client
File Uncompress	`Content-Encoding:`
Information Disclosure Credit Card Detection	Server-identifying custom HTTP headers such as `Server:` and `X-Powered-By:` Credit card number in the body, and, if configured, Credit Card Detection Threshold
Hidden Fields Protection	`Host:` URL in the HTTP header Name, data type, and length of `<input type="hidden">`
Custom Policy	HTTP response code `Content Type:`
URL Rewriting (rewriting)	`Host:` `Referer:` `Location:` URL in HTTP header HTTP body
File Compress	`Accept-Encoding:`
Auto-learning	Any of the other features included by the auto-learning profile
Data Analytics	Source IP address of the client URL in the HTTP header Results from other scans
* If a source IP is white listed, subsequent checks will be skipped.

Open topic with navigation