FortiWeb applies protection rules and performs protection profile scans in the order of execution given in the table below. To understand the scan sequence, read from the top of the table (the first scan/action) toward the bottom (the last scan/action). Disabled scans are skipped.

To improve performance, block attackers using the earliest possible technique in the execution sequence and/or the least memory-consuming technique. The blocking style varies by feature and configuration. For example, when detecting cookie poisoning, instead of resetting the TCP connection or blocking the HTTP request, you could log and remove the offending cookie. For details, see each specific feature.

Some of the scans involve the whole request or response. In this case, the scan is postponed until FortiWeb has received all the data in the request or response, so the actual scan sequence shown in the log may differ from the order in this table. For example, File Security involves scanning the
| Scan/action | Involves |
|---|---|
| **Request from client to server** | |
| Add X-Forwarded-For: | |
| IP List * (individual client IP black list or white list) | Source IP address of the client in the IP layer. |
| IP Reputation | Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the |
| Quarantined source IP addresses | Source IP address of the client in the IP layer. |
| Allow Known Search Engines | Source IP address of the client in the IP layer. |
| Geo IP | Source IP address of the client in the IP layer. |
| Add HSTS Header | |
| Protected Server Check | |
| Allow Method | |
| Session Management | |
| HTTP Request Limit/sec (HTTP Flood Prevention) | |
| TCP Connection Number Limit (Malicious IP) | |
| HTTP Request Limit/sec (Shared IP) (HTTP Access Limit) | |
| TCP Connection Number Limit (TCP Flood Prevention) | |
| Brute Force Login | |
| HTTP Authentication | |
| Configuring the global object white list | |
| ADFS Proxy | |
| Site Publish | |
| URL Access | |
| Padding Oracle Protection | |
| HTTP Protocol Constraints | |
| Start Pages | |
| Page Access (page order) | |
| File Security | |
| Parameter Validation | |
| File Uncompress | Content-Type: |
| Defeating cross-site request forgery (CSRF) attacks | |
| Web Cache | |
| Signatures | |
| Device Reputation | |
| Hidden Fields Protection | |
| Custom Policy | |
| User Tracking | |
| XML Validation | |
| URL Rewriting (rewriting & redirects) | |
| Machine Learning | |
| File Compress | Accept-Encoding: |
| Cookie Security Policy | Cookie: |
| Auto-learning | Any of the other features included by the auto-learning profile |
| **Reply from server to client** | |
| File Uncompress | Content-Encoding: |
| Hidden Fields Protection | |
| Custom Policy | |
| URL Rewriting (rewriting) | |
| Chunk Decoding | |
| Signatures | |
| Device Reputation | |
| User Tracking | |
| HTTP Header Security | |
| Auto-learning | Any of the other features included by the auto-learning profile |

\* If a source IP is white listed, subsequent checks are skipped.
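The three rules the page states about the sequence (disabled scans are skipped, a white-listed source IP skips every later check, and whole-request scans are postponed until the body has arrived so the log order can differ from the table order) are easier to reason about with a small executable model. The following is an added, constructed illustration and is not FortiWeb code or its data model: the `Request` and `Scan` classes, the `PIPELINE` list (a five-entry subset of the table), the white/black list addresses, and each `check` function are assumptions made for the example.

```python
"""Toy model of an ordered WAF scan pipeline (constructed illustration, not FortiWeb code)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Request:
    src_ip: str
    method: str
    url: str
    headers: dict
    body: bytes = b""          # filled in later as body chunks arrive


@dataclass
class Scan:
    name: str
    check: Callable[[Request], Optional[str]]   # returns "allow", "block" or None (pass)
    enabled: bool = True
    whole_request: bool = False                 # needs the complete body before it can run


# Constructed sample addresses (RFC 5737 / RFC 1918 ranges), not real IoCs.
WHITELIST = {"10.0.0.5"}
BLACKLIST = {"203.0.113.9"}


def ip_list(req: Request) -> Optional[str]:
    """IP List: a white-list hit short-circuits the whole pipeline (see the table footnote)."""
    if req.src_ip in WHITELIST:
        return "allow"
    if req.src_ip in BLACKLIST:
        return "block"
    return None


def allow_method(req: Request) -> Optional[str]:
    return None if req.method in {"GET", "POST"} else "block"


def file_security(req: Request) -> Optional[str]:
    """Constructed whole-request check: reject an upload whose body starts with an MZ (PE) header."""
    return "block" if req.body.startswith(b"MZ") else None


def signatures(req: Request) -> Optional[str]:
    """Constructed header-time check on the URL only, so it can run before the body arrives."""
    return "block" if "<script" in req.url.lower() else None


# Order follows the page's table; Geo IP is present but disabled to show it being skipped.
PIPELINE = [
    Scan("IP List", ip_list),
    Scan("Allow Method", allow_method),
    Scan("Geo IP", lambda r: None, enabled=False),
    Scan("File Security", file_security, whole_request=True),
    Scan("Signatures", signatures),
]


def run_pipeline(scans, req: Request, body_chunks=()):
    """Walk the table top to bottom. Returns (final verdict, log of (scan, result) in run order)."""
    log = []
    deferred = []

    def apply(scan: Scan) -> Optional[str]:
        verdict = scan.check(req)
        log.append((scan.name, verdict or "pass"))
        return verdict

    # Phase 1: headers are available; anything needing the whole body is postponed.
    for scan in scans:
        if not scan.enabled:
            continue
        if scan.whole_request:
            deferred.append(scan)
            continue
        if apply(scan) in ("allow", "block"):
            return apply_result(log)        # white-list allow or early block: stop here
    # Phase 2: the body has now been received; run the postponed scans in table order.
    for chunk in body_chunks:
        req.body += chunk
    for scan in deferred:
        if apply(scan) == "block":
            return "block", log
    return "allow", log


def apply_result(log):
    """Final verdict is the result of the last scan that ran."""
    return log[-1][1], log


if __name__ == "__main__":
    upload = Request("198.51.100.7", "POST", "/upload", {})
    verdict, log = run_pipeline(PIPELINE, upload, body_chunks=[b"MZ", b"\x90\x00"])
    print(verdict, [name for name, _ in log])
```

Running the `__main__` block prints `block` with the run order `['IP List', 'Allow Method', 'Signatures', 'File Security']`: Geo IP is absent because it is disabled, and File Security appears after Signatures even though the table lists it earlier, which is exactly the log-versus-table discrepancy the page warns about. A request from the white-listed address stops at IP List regardless of what follows.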