Configuring compression/decompression exemptions
If necessary, you can exempt HTTP Host: names and URLs from compression or decompression by FortiWeb. Generally, if a specific web server already applies compression, and if a specific response never needs to be scanned, compressed, or rewritten, it should be exempt from compression/decompression by FortiWeb.
 
FortiWeb usually cannot scan, rewrite, or otherwise modify a request or response while it is compressed. If you exempt vulnerable URLs, this will compromise the security of your network.
To configure an exclusion rule
1. Go to Application Delivery > Compression > Exclusion Rule.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions”.
2. Click Create New.
A dialog appears.
3. In Name, type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
4. Click OK.
5. Click Create New.
A dialog appears.
6. Enable Host Status to require that the Host: field of the HTTP request match an entry in the protected host names in order to match the exclusion.
Also configure Host.
7. From the Host drop-down list, select the protected host entry that the Host: field of the HTTP request must match for the exclusion to apply.
This option is available only if Host Status is enabled.
8. In Request URL, type the exact URL of the page to use in the exclusion.
The URL must begin with a slash ( / ). The URL must not include the domain or IP address.
9. Click OK.
10. Include the exception in a compression or decompression policy (see “Configuring compression offloading” or “Configuring temporary decompression for scanning & rewriting”).
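Before entering exclusions in the web UI, it helps to check a planned list against the constraints in steps 3, 6 and 8 and to see which requests would end up exempt. The following is an added example, not Fortinet code; the allowed name characters, the single host name standing in for a protected host names entry, and the exact, case-sensitive match model are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Assumption: "no spaces or special characters" means letters, digits, "_" and "-".
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,35}")

@dataclass
class Exclusion:
    request_url: str
    host_status: bool = False
    host: Optional[str] = None  # one host name standing in for a protected host names entry

def validate(rule_name: str, entries: List[Exclusion]) -> List[str]:
    """Return the problems found in a planned exclusion rule (empty list = clean)."""
    problems = []
    if not NAME_RE.fullmatch(rule_name):
        problems.append("name: 1-35 characters, no spaces or special characters")
    for i, e in enumerate(entries, 1):
        parts = urlsplit(e.request_url)
        if not e.request_url.startswith("/"):
            problems.append(f"entry {i}: Request URL must begin with a slash")
        if parts.scheme or parts.netloc:
            problems.append(f"entry {i}: Request URL must not include the domain or IP address")
        if e.host_status and not e.host:
            problems.append(f"entry {i}: Host Status is enabled but no Host is selected")
        if not e.host_status:
            problems.append(f"entry {i}: review: no Host requirement, matches on URL alone")
    return problems

def is_excluded(entries: List[Exclusion], host_header: str, path: str) -> bool:
    """Assumed match model: exact, case-sensitive path; Host: compared only if Host Status is on."""
    for e in entries:
        if e.request_url != path:
            continue
        if e.host_status and (e.host or "").lower() != host_header.lower():
            continue
        return True
    return False

# Constructed sample plan, not taken from a real configuration.
PLAN = [
    Exclusion("/downloads/archive.zip", host_status=True, host="www.example.com"),
    Exclusion("//cdn.example.com/app.js", host_status=True, host="www.example.com"),
    Exclusion("/img/logo.png"),
]

if __name__ == "__main__":
    for line in validate("static_exempt", PLAN):
        print(line)
```

Entries flagged "review" are the ones to compare against the list of URLs that still need scanning or rewriting, since they are exempt regardless of the Host: field.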