FortiWeb applies protection rules and performs protection profile scans in the order of execution according to the below table. To understand the scan sequence, read from the top of the table (the first scan/action) toward the bottom (the last scan/action). Disabled scans are skipped.
To improve performance, block attackers using the earliest possible technique in the execution sequence and/or the least memory-consuming technique. The blocking style varies by feature and configuration. For example, when detecting cookie poisoning, instead of resetting the TCP connection or blocking the HTTP request, you could log and remove the offending cookie. For details, see each specific feature.
| Scan/action | Involves |
|---|---|
| Request from client to server | |
| TCP Connection Number Limit (TCP Flood Prevention) | Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers. |
| Block Period | Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers. |
| IP List * (individual client IP black list or white list) | Source IP address of the client in the IP layer; source IP address of the client in the HTTP layer |
| IP Reputation | Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers. |
| Allow Known Search Engines | Source IP address of the client in the IP layer |
| Geo IP | Source IP address of the client in the IP layer |
| Add HSTS Header | Strict-Transport-Security: header |
| Defining your protected/allowed HTTP “Host:” header names (allowed/protected host name) | Host: |
| Allow Method | |
| Bot Recognition | Tests whether the client is a web browser or automated tool. |
| Session Management | |
| HTTP Request Limit/sec (HTTP Flood Prevention) | |
| TCP Connection Number Limit (Malicious IP) | Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers. |
| HTTP Request Limit/sec (Shared IP) or HTTP Request Limit/sec (Shared IP) (HTTP Access Limit) | |
| Brute Force Login | |
| HTTP Authentication | Authorization: |
| Site Publish | |
| Configuring the global object white list | |
| URL Access | |
| Padding Oracle Protection | |
| HTTP Protocol Constraints | |
| Cookie Security Policy | Cookie: |
| Start Pages | |
| Page Access (page order) | |
| File Security | in |
| Parameter Validation | |
| File Uncompress | Content-Type: |
| Web Cache | |
| Hidden Fields Protection | |
| Custom Policy | |
| X-Forwarded-For | X-Forwarded-For: in HTTP header |
| URL Rewriting (rewriting & redirects) | |
| File Compress | Content-Type: |
| Client Certificate Forwarding | Client’s personal certificate, if any, supplied during the SSL/TLS handshake |
| Auto-learning | Any of the other features included by the auto-learning profile |
| Data Analytics | |
| Reply from server to client | |
| File Uncompress | Content-Encoding: |
| Hidden Fields Protection | |
| Custom Policy | |
| URL Rewriting (rewriting) | |
| File Compress | Accept-Encoding: |
| Auto-learning | Any of the other features included by the auto-learning profile |
| Data Analytics | |

* If a source IP is white listed, subsequent checks will be skipped.
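The three rules the table encodes, ordered evaluation, skipping of disabled scans, and the whitelist short-circuit in the footnote, can be modelled in a few lines. The following is an added illustration written for this page; it is not FortiWeb code and does not reproduce FortiWeb's matching logic. It keeps only four of the request-side stages (IP List, Geo IP, allowed Host, Allow Method) in the table's order, and all addresses, the trusted-proxy range, the list contents and the country mapping are constructed placeholders. It also shows why the "depending on your configuration of X-header rules" caveat matters: the HTTP-layer client address taken from X-Forwarded-For or X-Real-IP is only believed when the packet itself came from a configured proxy.

```python
"""Toy model of an ordered scan sequence with whitelist short-circuit.

Added example, not FortiWeb code. Stage names follow the table above;
the matching logic and every address below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# Constructed configuration values (placeholders, not a real deployment).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]        # X-header rules: believed proxies
IP_BLACKLIST = {"203.0.113.9"}
IP_WHITELIST = {"192.0.2.1"}
GEO_MAP = {"198.51.100.0/24": "XX"}                 # constructed prefix -> country code
BLOCKED_COUNTRIES = {"XX"}
ALLOWED_HOSTS = {"www.example.com"}
ALLOWED_METHODS = {"GET", "POST"}


@dataclass
class Request:
    src_ip: str                                     # SRC field of the IP header
    headers: Dict[str, str] = field(default_factory=dict)
    method: str = "GET"
    host: str = "www.example.com"


def client_ip(req: Request, use_x_headers: bool) -> str:
    """HTTP-layer client address, as an X-header-aware check would see it.

    Forwarded headers are only trusted when the packet came from a known
    proxy; otherwise a client could spoof its way onto the whitelist.
    """
    src = ip_address(req.src_ip)
    if use_x_headers and any(src in net for net in TRUSTED_PROXIES):
        xff = req.headers.get("X-Forwarded-For")
        if xff:
            return xff.split(",")[0].strip()        # leftmost hop = original client
        xri = req.headers.get("X-Real-IP")
        if xri:
            return xri.strip()
    return req.src_ip


# Each stage returns "block", "allow" (whitelisted: skip later checks) or None.
Verdict = Optional[str]
Layers = Dict[str, str]                             # {"ip_layer": ..., "http_layer": ...}


def ip_list(req: Request, ips: Layers) -> Verdict:
    """IP List uses both the IP-layer and the HTTP-layer address."""
    candidates = (ips["ip_layer"], ips["http_layer"])
    if any(ip in IP_BLACKLIST for ip in candidates):
        return "block"
    if any(ip in IP_WHITELIST for ip in candidates):
        return "allow"
    return None


def geo_ip(req: Request, ips: Layers) -> Verdict:
    """Geo IP uses only the IP-layer address, as the table states."""
    addr = ip_address(ips["ip_layer"])
    country = next((c for net, c in GEO_MAP.items() if addr in ip_network(net)), None)
    return "block" if country in BLOCKED_COUNTRIES else None


def allowed_host(req: Request, ips: Layers) -> Verdict:
    return None if req.host in ALLOWED_HOSTS else "block"


def allow_method(req: Request, ips: Layers) -> Verdict:
    return None if req.method in ALLOWED_METHODS else "block"


# Order matters: cheap IP-layer checks run before anything that parses HTTP.
STAGES: List[Tuple[str, Callable[[Request, Layers], Verdict]]] = [
    ("IP List", ip_list),
    ("Geo IP", geo_ip),
    ("Allowed Host", allowed_host),
    ("Allow Method", allow_method),
]


def scan(req: Request, disabled=(), use_x_headers=True) -> Tuple[str, str, List[str]]:
    """Run the stages in order. Returns (verdict, deciding stage, stages run)."""
    ips = {"ip_layer": req.src_ip, "http_layer": client_ip(req, use_x_headers)}
    ran: List[str] = []
    for name, check in STAGES:
        if name in disabled:
            continue                                # disabled scans are skipped
        ran.append(name)
        verdict = check(req, ips)
        if verdict == "block":
            return "block", name, ran
        if verdict == "allow":
            return "allow", name, ran               # whitelisted: later checks skipped
    return "allow", "end of sequence", ran


if __name__ == "__main__":
    print(scan(Request("192.0.2.1", method="TRACE")))           # whitelist wins early
    print(scan(Request("10.0.0.5", headers={"X-Forwarded-For": "203.0.113.9, 10.0.0.5"})))
    print(scan(Request("198.51.100.7", headers={"X-Forwarded-For": "192.0.2.1"}, method="TRACE")))
```

The third request shows the spoofing case: the forwarded header claims the whitelisted address, but because the packet did not arrive from a trusted proxy the HTTP-layer address falls back to the real source, and the request is still stopped by Geo IP (or, with Geo IP disabled, by Allow Method further down the sequence). Disabling a stage is the only way to make a later stage take the decision, which is the point of choosing the earliest effective technique.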