Fortinet black logo

Handbook

HTTP Profile

Copy Link
Copy Doc ID 369dfb00-033f-11ed-bb32-fa163e15d75b:162065
Download PDF

HTTP Profile

Note: HTTP Profile is not valid for HTTPS services. See SSL/TLS. However many HTTPS servers support HTTP if only to redirect to HTTPS. Use the HTTP Profile for any SPP where TCP connections can be made to TCP 80 or other TCP ports defined for HTTP.

As detailed below, some settings are recommended for expert use only.

HTTP Profile parameters can be used with symmetric or asymmetric traffic.

The same HTTP profile can be used by multiple SPPs but any SPP can only use one HTTP profile at a time.

All HTTP parameters can be used with symmetric or asymmetric traffic. You can create a maximum of 64 TCP Profiles.

Field/Selection

Description

Recommendation

Web Servers

(If HTTP is used)

Firewalls

(Optional)

DNS ServersIf (If HTTP is used)

Name 1-35 characters (a-Z, 0-9, "-", "_" only)

Known Method Anomaly

  • GET
  • HEAD
  • OPTIONS
  • TRACE
  • POST
  • PUT
  • DELETE
  • CONNECT

Drops any HTTP packet with the selected Method(s).

Dropped packets will be shown in the Monitor Graphs as well as in the Attack Log.

Expert use. All HTTP Methods have Thresholds set. Additionally, there is a Methods-per-Source Threshold. If you are unsure which Methods are used, allow the system to manage the Thresholds and do not use this feature.
Unknown Method Anomaly

While 8 Methods are defined above the HTTP Method field allows 16 entries (0-15). Drops undefined Methods.

Dropped packets will be shown in the Monitor Graphs as well as in the Attack Log.

Expert use
Version Anomaly

Drops HTTP traffic with an HTTP version other than one of the following: 0.9, 1.0, 1.1, 1.2 or 1.3.

Dropped packets will be shown in the Monitor Graphs as well as in the Attack Log.

Expert use. You can enable this feature while in DETECTION Mode. If you see many Version Anomalies OUTBOUND, disable this features before entering Prevention Mode.

Do Not Parse HTTP Version 0.9

Drops HTTP traffic with HTTP version 0.9. This version has been deprecated for security and should not be supported by web servers.

Expert use

Drop Range Header

Drops sessions when the HTTP request includes the HTTP Range header. The Range header can be abused by attackers to exhaust HTTP server resources. However some services expect to see Range Headers.

Dropped packets will be shown in the Monitor Graphs as well as in the Attack Log.

Expert use

Persistent Transaction

A simple HTTP transaction is one where the client makes a single request for HTTP content within a TCP session. Persistent connections allow the browser / HTTP client to utilize the same connection for different object requests to the same host name. If Persistent HTTP Transactions feature is enabled, FortiDDoS checks for application-level conformity in every packet of a TCP connection. If this feature is disabled (default), checks are limited to the first transaction of a TCP connection. It is recommended to use the disabled state to avoid HTTP anomalies, especially due to IP fragmentation and TCP segmentation.

Expert use

Incomplete Request Action

An incomplete HTTP message does not end with "/r/n/r/n"

Expert use. Many clients now have very large Cookies which result in segmentation of the HTTP GET message. This results in the "/r/n/r/n" characters being missing in one or more segmented packets and these packets will be dropped, preventing successful sessions.

  • None

No Action if incomplete message seen. (Default)

  • Drop

Drops packets where the HTTP message does not end with "/r/n/r/n".

  • Block Source With Incomplete Request

Blocks Source IP that sent the incomplete request.

Shown only when "Drop" Incomplete Request action is selected

  • Aggressive Aging

If an incomplete request is detected, sends a RST to the server to remove the session from the server connection table.

Aggressive Aging Flood

If an HTTP Method Flood is detected, sends a RST to the server to remove the session from the server connection table.

Recommended

GET Flood Mitigation (Validation) Direction

Uses redirect messaging to test that the sending Client is legitimate

  • Inbound

Enables Get Flood Validation inbound

Recommended

  • Outbound

Enables Get Flood Validation inbound

Expert use

POST Flood Mitigation Direction

Uses redirect messaging to test that the sending Client is legitimate

  • Inbound

Enables POST Flood Validation inbound

Recommended

  • Outbound

Enables POST Flood Validation inbound

Expert use

HTTP Parameter ACL

Used to create an ACL for any of the following HTTP Parameters. (Methods can be ACLed above)

Expert use

  • Name

1-35 characters (a-Z, 0-9, "-", "_" only)

  • Type

Select URL/Host/Referer/Cookie/User Agent

  • Regex

Enter Regex expression to describe the parameter selected above

Expert use

HTTP Profile

Note: HTTP Profile is not valid for HTTPS services. See SSL/TLS. However many HTTPS servers support HTTP if only to redirect to HTTPS. Use the HTTP Profile for any SPP where TCP connections can be made to TCP 80 or other TCP ports defined for HTTP.

As detailed below, some settings are recommended for expert use only.

HTTP Profile parameters can be used with symmetric or asymmetric traffic.

The same HTTP profile can be used by multiple SPPs but any SPP can only use one HTTP profile at a time.

All HTTP parameters can be used with symmetric or asymmetric traffic. You can create a maximum of 64 TCP Profiles.

Field/Selection

Description

Recommendation

Web Servers

(If HTTP is used)

Firewalls

(Optional)

DNS ServersIf (If HTTP is used)

Name 1-35 characters (a-Z, 0-9, "-", "_" only)

Known Method Anomaly

  • GET
  • HEAD
  • OPTIONS
  • TRACE
  • POST
  • PUT
  • DELETE
  • CONNECT

Drops any HTTP packet with the selected Method(s).

Dropped packets will be shown in the Monitor Graphs as well as in the Attack Log.

Expert use. All HTTP Methods have Thresholds set. Additionally, there is a Methods-per-Source Threshold. If you are unsure which Methods are used, allow the system to manage the Thresholds and do not use this feature.
Unknown Method Anomaly

While 8 Methods are defined above the HTTP Method field allows 16 entries (0-15). Drops undefined Methods.

Dropped packets will be shown in the Monitor Graphs as well as in the Attack Log.

Expert use
Version Anomaly

Drops HTTP traffic with an HTTP version other than one of the following: 0.9, 1.0, 1.1, 1.2 or 1.3.

Dropped packets will be shown in the Monitor Graphs as well as in the Attack Log.

Expert use. You can enable this feature while in DETECTION Mode. If you see many Version Anomalies OUTBOUND, disable this features before entering Prevention Mode.

Do Not Parse HTTP Version 0.9

Drops HTTP traffic with HTTP version 0.9. This version has been deprecated for security and should not be supported by web servers.

Expert use

Drop Range Header

Drops sessions when the HTTP request includes the HTTP Range header. The Range header can be abused by attackers to exhaust HTTP server resources. However some services expect to see Range Headers.

Dropped packets will be shown in the Monitor Graphs as well as in the Attack Log.

Expert use

Persistent Transaction

A simple HTTP transaction is one where the client makes a single request for HTTP content within a TCP session. Persistent connections allow the browser / HTTP client to utilize the same connection for different object requests to the same host name. If Persistent HTTP Transactions feature is enabled, FortiDDoS checks for application-level conformity in every packet of a TCP connection. If this feature is disabled (default), checks are limited to the first transaction of a TCP connection. It is recommended to use the disabled state to avoid HTTP anomalies, especially due to IP fragmentation and TCP segmentation.

Expert use

Incomplete Request Action

An incomplete HTTP message does not end with "/r/n/r/n"

Expert use. Many clients now have very large Cookies which result in segmentation of the HTTP GET message. This results in the "/r/n/r/n" characters being missing in one or more segmented packets and these packets will be dropped, preventing successful sessions.

  • None

No Action if incomplete message seen. (Default)

  • Drop

Drops packets where the HTTP message does not end with "/r/n/r/n".

  • Block Source With Incomplete Request

Blocks Source IP that sent the incomplete request.

Shown only when "Drop" Incomplete Request action is selected

  • Aggressive Aging

If an incomplete request is detected, sends a RST to the server to remove the session from the server connection table.

Aggressive Aging Flood

If an HTTP Method Flood is detected, sends a RST to the server to remove the session from the server connection table.

Recommended

GET Flood Mitigation (Validation) Direction

Uses redirect messaging to test that the sending Client is legitimate

  • Inbound

Enables Get Flood Validation inbound

Recommended

  • Outbound

Enables Get Flood Validation inbound

Expert use

POST Flood Mitigation Direction

Uses redirect messaging to test that the sending Client is legitimate

  • Inbound

Enables POST Flood Validation inbound

Recommended

  • Outbound

Enables POST Flood Validation inbound

Expert use

HTTP Parameter ACL

Used to create an ACL for any of the following HTTP Parameters. (Methods can be ACLed above)

Expert use

  • Name

1-35 characters (a-Z, 0-9, "-", "_" only)

  • Type

Select URL/Host/Referer/Cookie/User Agent

  • Regex

Enter Regex expression to describe the parameter selected above

Expert use