To improve performance, block attackers using the earliest possible technique in the execution sequence and/or the least memory-consuming technique.
The blocking style varies by feature and configuration. For example, when detecting cookie poisoning, instead of resetting the TCP connection or blocking the HTTP request, you could log and remove the offending cookie. For details, see each specific feature.
| Scan/action | Involves |
| Request from client to server | |
| (TCP Flood Prevention) | Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers”) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:) |
| | Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers”) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:) |
| IP List * (individual client IP black list or white list) | Source IP address of the client in the IP layer |
| | Source IP address of the client in the HTTP layer |
| | Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers”) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:) |
| | Source IP address of the client in the IP layer |
| | Source IP address of the client in the IP layer |
| (allowed/protected host name) | Host: |
| | • Host: • URL in HTTP header • Request method in HTTP header |
| | • Cookie: • Session state • Responses from the JavaScript browser tests, if any |
| | • Cookie: • Session state |
| (Malicious IP) | Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers”) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:) |
| (HTTP Flood Prevention) | • Cookie: • Session state • URL in the HTTP header |
| or (HTTP Access Limit) | • ID field of the IP header • Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers”) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:) |
| | Authorization: |
| | • Cookie: cookiesession1 • URL if /favicon.ico, AJAX URL parameters such as __LASTFOCUS, and others as updated by the FortiGuard Security Service |
| | • Host: • URL in HTTP header • Source IP of the client in the IP header |
| | • Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers”) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:) • URL in the HTTP header |
| | • Content-Length: • Parameter length • Body length • Header length • Header line length • Count of Range: header lines • Count of cookies |
| | Cookie: |
| | • Host: • URL in HTTP header • Session state |
| (page order) | • Host: • URL in HTTP header • Session state |
| | • Content-Length: • Content-Type: in PUT and POST requests |
| | HTTP body |
| | User-Agent: |
| | • Host: • URL in the HTTP header • Name, data type, and length of <input> tags except <input type="hidden"> |
| (attack signatures) | • Cookie: • Parameters in the URL in the HTTP header, or in the HTTP body (depending on the HTTP method) for <input> tags except <input type="hidden"> • XML content in the HTTP body (if Enable XML Protocol Detection is enabled) |
| | • Host: • URL in the HTTP header • Name, data type, and length of <input type="hidden"> |
| | X-Forwarded-For: in HTTP header |
| (rewriting & redirects) | • Host: • Referer: • Location: • URL in HTTP header • HTTP body |
| | Any of the other features included by the auto-learning profile |
| | • Source IP address of the client • URL in the HTTP header • Results from other scans |
| | Client’s personal certificate, if any, supplied during the SSL/TLS handshake |
| Reply from server to client | |
| | Server-identifying custom HTTP headers such as Server: and X-Powered-By: |
| | Credit card number in the body, and, if configured, Credit Card Detection Threshold |
| | Content-Encoding: |
| (rewriting) | • Host: • Referer: • Location: • URL in HTTP header • HTTP body |
| | Accept-Encoding: |
* If a source IP is white listed, subsequent checks will be skipped.
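
Several scans above evaluate a client source IP that may come from the SRC field of the IP header or from an X-header. The following sketch is an added example, not the product's own code or configuration, showing one way such a derivation can be done so that a client cannot choose its own address. The trusted proxy network, the header order, and the right-to-left walk are assumptions made for illustration.

```python
import ipaddress

# Assumption: networks of your own proxies/load balancers (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
# X-headers consulted, in order of preference.
X_HEADERS = ("x-forwarded-for", "x-real-ip")


def is_trusted(ip):
    """True if ip belongs to one of the trusted proxy networks."""
    return any(ip in net for net in TRUSTED_PROXIES)


def parse_ip(token):
    """Return an ip_address object, or None if the token is malformed."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def client_ip(src_ip, headers):
    """Choose the address that source-IP scans should evaluate.

    src_ip  -- SRC field of the IP header (the directly connected peer)
    headers -- dict of HTTP request header names to values
    """
    peer = ipaddress.ip_address(src_ip)
    # Any client can send X-headers, so honour them only from a trusted proxy.
    if not is_trusted(peer):
        return str(peer)
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in X_HEADERS:
        if name not in lowered:
            continue
        # Proxies append on the right, so walk right to left and stop at the
        # first address that is not one of our own proxies.
        for token in reversed(lowered[name].split(",")):
            ip = parse_ip(token)
            if ip is None:
                return str(peer)  # malformed header: fall back to SRC
            if not is_trusted(ip):
                return str(ip)
    return str(peer)
```

An IP black list or white list keyed on the result of `client_ip` then applies to the real client when traffic arrives through a known proxy, and to the connecting peer otherwise.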