Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 7.4.5 Handbook
    7.4.5
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Configuring an Allowed Origin List

    Configuring an Allowed Origin List

    The Allowed Origin List specifies the allowed domains using the HTTP response header. The header can contain either a * to indicate that all domains are allowed OR a specified domain to indicate the specified allowed domain.

    You can create and configure the Allowed Origin List from the Allowed Origin tab or as part of the CORS Protection Rule List.

    Allowed Origin can only take effect in the CORS Protection rule when the Apply to All CORS Traffic is disabled. In the CORS Protection Rule List configuration, the Apply to All CORS Traffic option is disabled by default, which then requires you to apply an Allowed Origin List for the CORS Protection rule. If the Allowed Origin List is not applied, the CORS Protection rule would not work as the empty list would not match the condition.

    Enabling the Apply to All CORS Traffic option hides the Allowed Origin option, making it inapplicable to the CORS Protection rule.

    To create and configure the Allowed Origin List from Allowed Origin tab:
    1. Go to Web Application Firewall > CORS Protection.
    2. Click the Allowed Origin tab.
    3. Click Create New to display the configuration editor.
      Configure the following:

      Parameter

      Description

      Name

      Enter a unique Allowed Origin name. Valid characters should match regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed.

      Note: Once saved, the name of an Allowed Origin cannot be changed.

    4. Click Save.
    5. Under Allowed Origin List, click Create New to display the configuration editor.
      Configure the following:

      Parameter

      Description

      Protocol

      Select which type of protocols are allowed for the connections between foreign applications and your application.

      • HTTP

      • HTTPS

      • ANY

      The default is HTTP.

      Origin Name

      Enter the foreign application's domain name or IP address.

      Wildcards are supported. (Range: 1-128 characters).

      PortSpecify the TCP port number for the CORS connections. (Range: 0-65535; default: 80).
      Include Sub Domains

      Enable/disable to allow/disallow the Origin Value to match with the domains of its sub level.

      This is disabled by default.

    6. Click Save.
    To create and configure the Allowed Origin List as part of the CORS Protection Rule List:
    1. Go to Web Application Firewall > CORS Protection.
    2. Click the CORS Protection tab.
    3. Click Create New to display the configuration editor.
      Configure the following:

      Parameter

      Description

      Name

      Enter a unique CORS Protection name. Valid characters should match regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed.

      Note: Once saved, the name of an CORS Protection cannot be changed.

      Status

      Enable/disable CORS protection. This is disabled by default.

      Note: The CORS Protection Rule List cannot be configured until CORS protection is enabled.

    4. Click Save.
      The newly created CORS Protection is listed under the CORS Protection tab.
    5. Locate the newly created CORS Protection on the list and double-click the row or click the (Edit icon).
    6. Under CORS Protection Rule List, click Create New to display the configuration editor.
    7. In the Allow Origin field, select Create New from the drop-down.
      The Allowed Origin configuration editor is displayed.
    8. Configure the following:

      Parameter

      Description

      Name

      Enter a unique Allowed Origin name. Valid characters should match regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed.

      Note: Once saved, the name of an Allowed Origin cannot be changed.

    9. Click Save.
    10. Under Allowed Origin List, click Create New to display the configuration editor.
      Configure the following:

      Parameter

      Description

      Protocol

      Select which type of protocols are allowed for the connections between foreign applications and your application.

      • HTTP

      • HTTPS

      • ANY

      The default is HTTP.

      Origin Name

      Enter the foreign application's domain name or IP address.

      Wildcards are supported. (Range: 1-128 characters).

      PortSpecify the TCP port number for the CORS connections. (Range: 0-65535; default: 80).
      Include Sub Domains

      Enable/disable to allow/disallow the Origin Value to match with the domains of its sub level.

      This is disabled by default.

    11. Click Save.
    Previous
    Next

    Configuring an Allowed Origin List

    Configuring an Allowed Origin List

    The Allowed Origin List specifies the allowed domains using the HTTP response header. The header can contain either a * to indicate that all domains are allowed OR a specified domain to indicate the specified allowed domain.

    You can create and configure the Allowed Origin List from the Allowed Origin tab or as part of the CORS Protection Rule List.

    Allowed Origin can only take effect in the CORS Protection rule when the Apply to All CORS Traffic is disabled. In the CORS Protection Rule List configuration, the Apply to All CORS Traffic option is disabled by default, which then requires you to apply an Allowed Origin List for the CORS Protection rule. If the Allowed Origin List is not applied, the CORS Protection rule would not work as the empty list would not match the condition.

    Enabling the Apply to All CORS Traffic option hides the Allowed Origin option, making it inapplicable to the CORS Protection rule.

    To create and configure the Allowed Origin List from Allowed Origin tab:
    1. Go to Web Application Firewall > CORS Protection.
    2. Click the Allowed Origin tab.
    3. Click Create New to display the configuration editor.
      Configure the following:

      Parameter

      Description

      Name

      Enter a unique Allowed Origin name. Valid characters should match regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed.

      Note: Once saved, the name of an Allowed Origin cannot be changed.

    4. Click Save.
    5. Under Allowed Origin List, click Create New to display the configuration editor.
      Configure the following:

      Parameter

      Description

      Protocol

      Select which type of protocols are allowed for the connections between foreign applications and your application.

      • HTTP

      • HTTPS

      • ANY

      The default is HTTP.

      Origin Name

      Enter the foreign application's domain name or IP address.

      Wildcards are supported. (Range: 1-128 characters).

      PortSpecify the TCP port number for the CORS connections. (Range: 0-65535; default: 80).
      Include Sub Domains

      Enable/disable to allow/disallow the Origin Value to match with the domains of its sub level.

      This is disabled by default.

    6. Click Save.
    To create and configure the Allowed Origin List as part of the CORS Protection Rule List:
    1. Go to Web Application Firewall > CORS Protection.
    2. Click the CORS Protection tab.
    3. Click Create New to display the configuration editor.
      Configure the following:

      Parameter

      Description

      Name

      Enter a unique CORS Protection name. Valid characters should match regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed.

      Note: Once saved, the name of an CORS Protection cannot be changed.

      Status

      Enable/disable CORS protection. This is disabled by default.

      Note: The CORS Protection Rule List cannot be configured until CORS protection is enabled.

    4. Click Save.
      The newly created CORS Protection is listed under the CORS Protection tab.
    5. Locate the newly created CORS Protection on the list and double-click the row or click the (Edit icon).
    6. Under CORS Protection Rule List, click Create New to display the configuration editor.
    7. In the Allow Origin field, select Create New from the drop-down.
      The Allowed Origin configuration editor is displayed.
    8. Configure the following:

      Parameter

      Description

      Name

      Enter a unique Allowed Origin name. Valid characters should match regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed.

      Note: Once saved, the name of an Allowed Origin cannot be changed.

    9. Click Save.
    10. Under Allowed Origin List, click Create New to display the configuration editor.
      Configure the following:

      Parameter

      Description

      Protocol

      Select which type of protocols are allowed for the connections between foreign applications and your application.

      • HTTP

      • HTTPS

      • ANY

      The default is HTTP.

      Origin Name

      Enter the foreign application's domain name or IP address.

      Wildcards are supported. (Range: 1-128 characters).

      PortSpecify the TCP port number for the CORS connections. (Range: 0-65535; default: 80).
      Include Sub Domains

      Enable/disable to allow/disallow the Origin Value to match with the domains of its sub level.

      This is disabled by default.

    11. Click Save.
    Previous
    Next