Configuring HTTP protocol constraint exceptions
You can configure exceptions for use with HTTP protocol constraints.
Exceptions define which HTTP protocol constraints will not be enforced for the requests they match. Exceptions are useful when you know that some HTTP protocol constraints, during normal use, will cause false positives because legitimate requests match an attack signature.
For example, if no exceptions are defined, FortiWeb executes the HTTP protocol constraint as defined in “HTTP/HTTPS protocol constraints”. But, if you mark the check box for Header Length in an HTTP protocol constraint exception for a specific host, FortiWeb will skip the HTTP header length check when executing the web protection profile for that host.
As another example, some web applications require very large HTTP POST requests. You can use Malformed Request to create an exception from the constraint for those requests.
 
Like any software, FortiWeb’s buffers are not endless. If an HTTP request overall or its individual components such as parameters are too long to fit the scan buffer, they will you do not want to
To configure an HTTP constraint exception
1. Go to Web Protection > Protocol > HTTP Constraints Exception.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions”.
2. Click Create New.
A dialog appears.
3. In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
4. Click OK.
5. Click Create New to add an entry to the set.
A dialog appears.
6. Configure these settings:
Setting name
Description
Host Status
Enable to apply this HTTP constraint exception only to HTTP requests for specific web hosts. Also configure Host.
Disable to apply the exceptions to all web hosts.
Host
Select the IP address or fully qualified domain name (FQDN) of the protected host to which this exception applies.
This setting is available only if Host Status is enabled.
Request Type
Select whether the URL Pattern field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).
URL Pattern
Depending on your selection in the Request Type field, enter either:
the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ); however, it must match URLs that begin with a slash, such as /index.cfm.
Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.
To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression (see “Regular expression syntax”).
Header Length
Enable to omit the constraint on the maximum acceptable size in bytes of the HTTP header.
Content Length
Enable to omit the constraint on the maximum acceptable size in bytes of the request body.
Body Length
Enable to omit the constraint on the maximum acceptable size in bytes of the HTTP body.
Parameter Length
Enable to omit the constraint on the maximum acceptable size in bytes of parameters, whether in the URL or in HTTP POST requests.
Header Line Length
Enable to omit the constraint on the maximum acceptable size in bytes of each line in the HTTP header.
HTTP Request Length
Enable to omit the constraint on the maximum acceptable length in bytes of the HTTP request.
URL Parameter Length
Enable to omit the constraint on the maximum acceptable size of a URL parameter (including the name and value).
Number of Cookies In Request
Enable to omit the constraint on the maximum acceptable number of cookies in an HTTP request.
Number of Header Lines In Request
Enable to omit the constraint on the maximum acceptable number of lines in the HTTP header.
Illegal HTTP Request Method
Enable to omit the check for invalid HTTP version numbers.
Number of URL Parameters
Enable to omit the constraint on the maximum number of parameters in the URL.
Illegal Host Name
Enable to omit the constraint on invalid characters in the Host: line of the HTTP header, such as null characters or encoded characters.
Number of ranges in Range Header
Enable to omit the constraint on the maximum acceptable number of Range: lines in an HTTP header.
Tip: Some versions of Apache are vulnerable to a denial of service (DoS) attack on this header, where a malicious client floods the server with many Range: headers. If your web servers do not run Apache and are not vulnerable to this attack, mark this check box to omit it from the scan and improve performance.
Malformed Request
Enable to omit the constraint on syntax and FortiWeb parsing errors.
Caution: Some web applications require abnormal or very large HTTP POST requests. Since allowing such errors and excesses is generally bad practice and can lead to vulnerabilities, use this option to omit the malformed request scan only if absolutely necessary.
7. Click OK.
8. Repeat the previous steps for each rule you want to add to the exception.
9. Group the HTTP protocol constraint exception in an HTTP protocol constraint profile (see “HTTP/HTTPS protocol constraints”).
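To make the matching and skipping logic of the steps above concrete, the following Python simulation is added for this page and is not FortiWeb code: it models an exception set with a host-specific Simple String entry and a host-independent Regular Expression entry, matches a request's host and URL the way the Host, Request Type and URL Pattern fields describe, and then checks a few of the constraints from the table, skipping those that a matching exception omits. The limits, hostnames, URLs and header values are constructed, and a Simple String is treated as an exact path match (an assumption).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constraint limits for this simulation (constructed values, not FortiWeb defaults).
LIMITS = {
    "Header Length": 512,
    "Content Length": 1024,
    "Number of Cookies In Request": 4,
    "Number of ranges in Range Header": 2,
}

@dataclass(frozen=True)
class ConstraintException:
    host: Optional[str]   # None models Host Status = Disable (applies to every host)
    request_type: str     # "Simple String" or "Regular Expression"
    url_pattern: str
    omitted: frozenset    # constraints the scanner skips when this entry matches

    def matches(self, host: str, url: str) -> bool:
        if self.host is not None and self.host.lower() != host.lower():
            return False
        if self.request_type == "Simple String":
            return url == self.url_pattern   # exact path match (assumption)
        return re.search(self.url_pattern, url) is not None

@dataclass
class Request:
    host: str
    url: str        # path only; the host is matched separately, as in the UI
    headers: list   # (name, value) pairs in order
    body: bytes

def measure(req: Request) -> dict:
    """Compute the request properties that the constraints in LIMITS inspect."""
    header_bytes = sum(len(n) + len(v) + 4 for n, v in req.headers)  # "Name: value\r\n"
    cookies = sum(len(v.split(";")) for n, v in req.headers if n.lower() == "cookie")
    range_lines = sum(1 for n, _ in req.headers if n.lower() == "range")
    return {"Header Length": header_bytes, "Content Length": len(req.body),
            "Number of Cookies In Request": cookies,
            "Number of ranges in Range Header": range_lines}

def evaluate(req: Request, exceptions: list) -> tuple:
    """Return (violations, skipped) after applying every exception that matches."""
    skipped = set()
    for exc in exceptions:
        if exc.matches(req.host, req.url):
            skipped |= exc.omitted
    observed = measure(req)
    violations = {name: observed[name] for name, limit in LIMITS.items()
                  if name not in skipped and observed[name] > limit}
    return violations, skipped

# Constructed exception set: one literal URL bound to a host, one host-independent regex.
EXCEPTIONS = [
    ConstraintException("www.example.com", "Simple String", "/upload.php",
                        frozenset({"Content Length"})),
    ConstraintException(None, "Regular Expression", r"^/api/.*\.json$",
                        frozenset({"Number of Cookies In Request"})),
]
```

Because the first entry is bound to www.example.com, the same oversized POST to /upload.php on another host is still reported, which is the narrowing effect of enabling Host Status.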
See also
Configuring a protection profile for inline topologies
Configuring a protection profile for an out-of-band topology or asynchronous mode of operation