Sequence of scans

FortiWeb applies protection rules and performs protection profile scans in the order of execution shown in the table below. To understand the scan sequence, read the table from the top (the first scan/action) to the bottom (the last scan/action). Disabled scans are skipped.

To improve performance, block attackers using the earliest possible technique in the execution sequence and/or the technique that consumes the least memory. The blocking style varies by feature and configuration. For example, when detecting cookie poisoning, instead of resetting the TCP connection or blocking the HTTP request, you could log and remove the offending cookie. For details, see each specific feature.

Some scans involve the whole request or response. In that case the scan is postponed until FortiWeb has received all the data in the request or response, so the actual scan sequence shown in the log may differ from the one in this table. For example, File Security involves scanning both the Content-Type: header and the body of the file. The Content-Type: header is scanned immediately, but scanning of the file body may be postponed until after subsequent scans, depending on when the whole body finishes uploading to FortiWeb.


Execution sequence (web protection profile)

Each scan/action below is followed by the request or response elements it involves.

Request from client to server

Add X-Forwarded-For:
  • X-Forwarded-For:
  • X-Real-IP:
  • X-Forwarded-Proto:
IP List * (individual client IP black list or white list)
  • Source IP address of the client in the IP layer
IP Reputation
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
Quarantined source IP addresses
  • Source IP address of the client in the IP layer
Allow Known Search Engines
  • Source IP address of the client in the IP layer
Geo IP
  • Source IP address of the client in the IP layer
Add HSTS Header
  • Strict-Transport-Security:
Protected Server Check
  • Host:
Allow Method
  • Host:
  • URL in HTTP header
  • Request method in HTTP header
Session Management
  • Cookie:
  • Session state
HTTP Request Limit/sec (HTTP Flood Prevention)
  • Cookie:
  • Session state
  • URL in the HTTP header
  • HTTP request body
TCP Connection Number Limit (Malicious IP)
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • Cookie:
  • Session state
  • Source IP address of the client in the IP layer
  • Source port of the client in the TCP layer
HTTP Request Limit/sec (Shared IP) (HTTP Access Limit)
  • ID field of the IP header
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • HTTP request body
TCP Connection Number Limit (TCP Flood Prevention)
  • Source IP address of the client in the IP layer
  • Source port of the client in the TCP layer
Brute Force Login
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • URL in the HTTP header
  • Source port of the client in the TCP layer
  • ID field of the IP header
  • Host:
HTTP Authentication
  • Authorization:
Configuring the global object white list
  • Cookie: cookiesession1
  • URL if /favicon.ico, AJAX URL parameters such as __LASTFOCUS, and others as updated by the FortiGuard Security Service.
ADFS Proxy
  • Host:
  • URL in HTTP header
  • Request method in HTTP header
  • Other request headers, especially the X-MS-* headers
  • Parameters in the URL
  • Cookies
Site Publish
  • Host:
  • Cookie:
  • URL of the request for the web application
URL Access
  • Host:
  • URL in HTTP header
  • Source IP of the client in the IP header
Padding Oracle Protection
  • Host:
  • URL in HTTP header
  • Individually encrypted URL, cookie, or parameter
HTTP Protocol Constraints
  • Content-Length:
  • Parameter length
  • Body length
  • Header length
  • Header line length
  • Count of Range: header lines
  • Count of cookies
Start Pages
  • Host:
  • URL in HTTP header
  • Session state
Page Access (page order)
  • Host:
  • URL in HTTP header
  • Session state
File Security
  • Content-Type: in PUT and POST requests
  • URL in HTTP header
  • The body of the file
Parameter Validation
  • Host:
  • URL in the HTTP header
  • Name, data type, and length
File Uncompress
  • Content-Type:
Defeating cross-site request forgery (CSRF) attacks
  • <a href>
  • <form>
Web Cache
  • Host:
  • URL in the HTTP header
  • Size in kilobytes (KB) of each URL to cache
Signatures
  • HTTP headers
  • HTML Body
  • URL in HTTP header
  • Parameters in URL and request body
Device Reputation
  • Cookies and other headers
  • URL in HTTP header
  • Request method in HTTP header
  • Parameters in URL
  • Multipart filename
Hidden Fields Protection
  • Host:
  • URL in the HTTP header
  • Name, data type, and length of <input type="hidden">
Custom Policy
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers
  • URL in the HTTP header
  • HTTP header
  • Parameter in the URL, or the HTTP header or body
User Tracking
  • Host:
  • Cookie:
  • Parameters in the URL
  • URL in HTTP header
  • HTTP body
  • Client's certificate
XML Validation
  • Host:
  • URL in HTTP header
  • HTTP request headers & body
URL Rewriting (rewriting & redirects)
  • Host:
  • Referer:
  • Location:
  • URL in HTTP header
  • HTML body
Machine Learning
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers
  • URL in the HTTP header
  • Request method in HTTP header
  • Parameter in the URL, or the HTTP header or body
  • Content-Type:
File Compress
  • Accept-Encoding:
Cookie Security Policy
  • Cookie:
Auto-learning
  • Any of the other features included by the auto-learning profile

Reply from server to client

File Uncompress
  • Content-Encoding:
Hidden Fields Protection
  • Host:
  • URL in the HTTP header
  • Name, data type, and length of <input type="hidden">
Custom Policy
  • HTTP response code
  • Content Type
URL Rewriting (rewriting)
  • Host:
  • Referer:
  • Location:
  • URL in HTTP header
  • HTML body
Chunk Decoding
  • Transfer-Encoding
  • Raw body
Signatures
  • HTTP headers
  • HTML Body
  • URL in HTTP header
  • Parameters in URL and body
  • XML in the body of HTTP POST requests
  • Cookies
  • Headers
  • JSON Protocol Detection
  • Uploaded filename (MULTIPART_FORM_DATA_FILENAME)
Device Reputation
  • Status code
  • Content-Type:
  • HTML body
User Tracking
  • Status code
  • HTTP headers
  • HTML body
HTTP Header Security
  • HTTP headers
Auto-learning
  • Any of the other features included by the auto-learning profile

* If a source IP is white listed, subsequent checks will be skipped.
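The following is an added illustrative model, not FortiWeb code, of the ordering rules described in the introduction and in the table footnote: scans run in table order, disabled scans are skipped, a white-listed source IP skips every later check, and a scan that needs the whole body is postponed until the body has fully arrived, so the logged order can differ from the table order. The scan list is an abridged copy of the request half of the table, the chunk-timing model and the IP addresses are constructed for the demonstration.

```python
"""Model of the FortiWeb scan-sequence rules (added example, not FortiWeb code)."""
from dataclasses import dataclass


@dataclass
class Scan:
    name: str
    needs_full_body: bool = False   # e.g. File Security body inspection
    enabled: bool = True            # disabled scans are skipped entirely


# Abridged request-side order, following the table above.
REQUEST_SEQUENCE = [
    Scan("IP List"),
    Scan("IP Reputation"),
    Scan("Geo IP"),
    Scan("Protected Server Check"),
    Scan("Allow Method"),
    Scan("HTTP Protocol Constraints"),
    Scan("File Security (Content-Type)"),
    Scan("File Security (body)", needs_full_body=True),
    Scan("Parameter Validation"),
    Scan("Signatures", needs_full_body=True),
]


def run_request_scans(sequence, src_ip, chunks_outstanding, ip_white_list=()):
    """Simulate one request and return scan names in execution (log) order.

    chunks_outstanding is a constructed timing model: one body chunk arrives
    for each scan executed, and the body is complete when it reaches zero."""
    if src_ip in ip_white_list:            # footnote: white list short-circuits
        return ["IP List (white listed: subsequent checks skipped)"]
    log, deferred = [], []
    for scan in sequence:
        if not scan.enabled:               # disabled scans are skipped
            continue
        if scan.needs_full_body and chunks_outstanding > 0:
            deferred.append(scan)          # whole body not yet received: postpone
            continue
        log.append(scan.name)
        if chunks_outstanding > 0:         # another body chunk arrived meanwhile
            chunks_outstanding -= 1
            if chunks_outstanding == 0:    # body now complete: run postponed scans
                log.extend(d.name for d in deferred)
                deferred.clear()
    log.extend(d.name for d in deferred)   # body finished after the last scan
    return log
```

With eight outstanding chunks, Parameter Validation is logged before File Security (body), even though the table lists it later; with the body already complete, the log matches the table order exactly.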