Preventing zero-day attacks : Specifying allowed HTTP methods : Configuring allowed method exceptions
 
Configuring allowed method exceptions
You can configure exceptions to allowed HTTP method policies.
While most URL and host name combinations controlled by a profile may require similar HTTP request methods, you may have some that require different methods. Instead of forming separate policies and profiles for those requests, you can configure allowed method exceptions. The exceptions define specific HTTP request methods that are allowed by specific URLs and hosts.
To configure an allowed method exception
1. Before you configure an allowed method exception, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected host names group. For details, see “Defining your protected/allowed HTTP “Host:” header names”.
2. Go to Web Protection > Access > Allow Method Exceptions.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions”.
3. Click Create New.
A dialog appears.
4. In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
5. Click OK.
6. Click Create New to add an entry to the set.
A dialog appears.
7. Configure these settings:
Setting name
Description
Host Status
Enable to require that the Host: field of the HTTP request match a protected host names entry in order to match the allowed method exception. Also configure Host.
Host
Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the allowed method exception.
This option is available only if Host Status is enabled.
Type
Select whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression.
URL Pattern
Depending on your selection in Type, enter either:
the literal URL, such as /index.php, that is an exception to the generally allowed HTTP request methods. The URL must begin with a slash ( / ).
a regular expression, such as ^/*.php, matching all and only the URLs which are exceptions to the generally allowed HTTP request methods. The pattern does not require a slash ( / ); however, it must at match URLs that begin with a slash, such as /index.cfm.
For example, if multiple URLs on a host have identical HTTP request method requirements, you would type a regular expression matching all of and only those URLs.
Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.
To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression (see “Regular expression syntax”).
Allow Method Exception
Mark the check boxes of all HTTP request methods that you want to allow.
Methods that you do not select will be denied.
The OTHERS option includes methods not specifically named in the other options. It often may be required by WebDAV (RFC 4918) applications such as Microsoft Exchange Server 2003 and Subversion, which may require HTTP methods not commonly used by web browsers, such as PROPFIND and BCOPY.
Note: If a WAF Auto Learning Profile will be selected in the policy with an offline protection profile that uses this allowed method exception, you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb appliance to learn about. If a method is disabled, the FortiWeb appliance will reset the connection, and therefore cannot learn about the session.
8. Click OK.
9. Repeat the previous steps for each exception that you want to add to the allowed method exceptions.
10. To apply the allowed method exception, select it in an allowed method policy. For details, see “Specifying allowed HTTP methods”.
See also
Configuring a protection profile for inline topologies
Configuring a protection profile for an out-of-band topology or asynchronous mode of operation