Key concepts : Sequence of scans
 
Sequence of scans
FortiWeb appliances apply protection rules and perform protection profile scans in the following order of execution, which varies by whether you have applied a web protection profile. To understand the scan sequence, read from the top of the table (the first scan/action) towards the bottom (the last scan/action). Disabled scans are skipped.
 
To improve performance, block attackers using the earliest possible technique in the execution sequence and/or the least memory-consuming technique.
 
The blocking style varies by feature and configuration. For example, when detecting cookie poisoning, instead of resetting the TCP connection or blocking the HTTP request, you could log and remove the offending cookie. For details, see each specific feature.
Table 1: Execution sequence (web protection profile)
Scan/action
Involves
Request from client to server
TCP Connection Number Limit
(TCP Flood Prevention)
Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers”) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
Block Period
Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers”) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
IP List *
(individual client IP black list or white list)
Source IP address of the client in the IP layer
Add X-Forwarded-For:
Add X-Real-IP:
Source IP address of the client in the HTTP layer
IP Reputation
Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers”) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
Allow Known Search Engines
Source IP address of the client in the IP layer
Geo IP
Source IP address of the client in the IP layer
Host
(allowed/protected host name)
Host:
Allow Method
Host:
URL in HTTP header
Request method in HTTP header
HTTP Request Limit/sec
Cookie:
Session state
Responses from the JavaScript browser tests, if any
Session Management
Cookie:
Session state
TCP Connection Number Limit
(Malicious IP)
Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers”) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
HTTP Request Limit/sec
(HTTP Flood Prevention)
Cookie:
Session state
URL in the HTTP header
HTTP Request Limit/sec (Standalone IP)
or
HTTP Request Limit/sec (Shared IP)
(HTTP Access Limit)
ID field of the IP header
Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers”) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
HTTP Authentication
Authorization:
Global White List
Cookie: cookiesession1
URL if /favicon.ico, AJAX URL parameters such as __LASTFOCUS, and others as updated by the FortiGuard Security Service
URL Access
Host:
URL in HTTP header
Source IP of the client in the IP header
Brute Force Login
Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers”) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
URL in the HTTP header
HTTP Protocol Constraints
Content-Length:
Parameter length
Body length
Header length
Header line length
Count of Range: header lines
Count of cookies
Cookie Poisoning
Cookie:
Start Pages
Host:
URL in HTTP header
Session state
Page Access
(page order)
Host:
URL in HTTP header
Session state
File Upload Restriction
Content-Length:
Content-Type:
in PUT and POST requests
Trojans
HTTP body
Bad Robot
User-Agent:
Parameter Validation
Host:
URL in the HTTP header
Name, data type, and length of <input> tags except <input type="hidden">
Cross Site Scripting, SQL Injection, Generic Attacks
(attack signatures)
Cookie:
Parameters in the URL in the HTTP header, or in the HTTP body (depending on the HTTP method) for <input> tags except <input type="hidden">
XML content in the HTTP body (if Enable XML Protocol Detection is enabled)
Hidden Fields Protection
Host:
URL in the HTTP header
Name, data type, and length of <input type="hidden">
X-Forwarded-For
X-Forwarded-For: in HTTP header
URL Rewriting
(rewriting & redirects)
Host:
Referer:
Location:
URL in HTTP header
HTTP body
Auto-learning
Any of the other features included by the auto-learning profile
Data Analytics
Source IP address of the client
URL in the HTTP header
Results from other scans
Client Certificate Forwarding
Client’s personal certificate, if any, supplied during the SSL/TLS handshake
Reply from server to client
Information Disclosure
Server-identifying custom HTTP headers such as Server: and X-Powered-By:
Credit Card Detection
Credit card number in the body, and, if configured, Credit Card Detection Threshold
File Uncompress
Content-Encoding:
URL Rewriting
(rewriting)
Host:
Referer:
Location:
URL in HTTP header
HTTP body
File Compress
Accept-Encoding:
* If a source IP is white listed, subsequent checks will be skipped.