Fortinet Document Library

Administration Guide


Request Processing Rules

The FortiNAC application is divided into two primary components: the Administrative components and the End User components. The main portion of the End User side of the application is the Portal. The Portal is a series of customizable web pages that guide end users (members of the customer’s organization) through the process of authenticating, scanning, and registering their devices on the network.

Because the Portal is a web application, clients connect with a browser, which sends HTTP requests. However, clients other than web browsers also send HTTP requests to the Portal. These requests need to be routed through the workflow differently based on their purpose. Request Processing Rules control this routing by blocking, allowing, forwarding, or returning a specific file for any request, based on information available in the HTTP request.

Tools

| Tool | Description |
| --- | --- |
| Create New | The administrator may define a new Request Processing Rule, which is added to the end of the list. Request Processing Rules are ordered automatically by the system when they are written to the HTTP server, so that they produce the correct result. The changes from adding a rule do not immediately go into effect for the web server, as applying them requires restarting a process. |
| Edit | Functionally similar to the Create New action, this modifies the existing rule in place. The changes from editing a rule do not immediately go into effect for the web server, as applying them requires restarting a process. |
| Delete | Following confirmation from the administrator, this action removes one or more selected rules. The changes from deleting a rule do not immediately go into effect for the web server, as applying them requires restarting a process. |
| Auto Configure | This action brings up an overlay where the user may Enable or Disable detection for the Mac OS X and iOS Captive Network Assistants. The Captive Network Assistant (CNA) is a limited-functionality web view that appears on these operating systems when they detect a captive network. When the user clicks Enable or Disable, the system attempts to locate the rules that influence the CNA and modify them so that the CNA either appears or does not appear when a device is placed in isolation. These changes do not immediately go into effect for the web server, as applying them requires restarting a process, but the administrator is immediately presented with the overlay from the Publish action after clicking either button. |
| Publish | This action brings up an overlay where the user can write the existing set of Request Processing Rules to the web server and restart the process. This only restarts the HTTP server for the Portal and is generally very quick. Changes are automatically published whenever the FortiNAC process is started, such as after a system reboot or an upgrade. The Publish task automatically defines and orders all rules to produce a correct chain of conditionals. The result is written to the Application server at `/etc/httpd/conf.d/000_web_servces.conf`. |

Add or Edit a Rule

  1. Navigate to Portal > Request Processing Rules
  2. Click Create New or select an existing entry and click Edit
  3. Fill out the available settings found below in the table

Settings

| Field | Description |
| --- | --- |
| Field | The field in the HTTP request whose value is read to determine whether the Action should be taken. Currently supported fields are Request URI and HTTP User Agent. If the value in the Field matches the Matcher, the Action is taken. |
| Matcher | A regular expression used to match the value read from the Field. Because this is a regular expression, certain characters have a special meaning, such as dot (`.`) meaning any character, star (`*`) meaning 0 or more instances of the preceding element, and backslash (`\`) being the escape character. See documentation about regular expressions for more information. |
| Action | The action to take if the Matcher successfully matches the value in the Field. There are four possible actions: Allow, Block, Forward, and File. When selecting Forward or File, the Target value is also required. |
| Target | Related to the Action, this value contains either the target URL for the Forward action or the target file path for the File action. For the File action, entering only an exclamation point (`!`) means loading the file at the same path as the Request URI in the HTTP request. |
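
Because the Matcher is a regular expression, an unescaped dot or a missing anchor can make a rule apply to more requests than intended. The following added example (not FortiNAC code) checks a rule against sample values before it is published. It assumes the Matcher is applied as a search anywhere in the field value and that Python's `re` approximates the Portal's regex engine; `check_rule`, `resolve_file_target`, and the sample URIs are hypothetical and constructed for illustration.

```python
import re

# Field and Action names are taken from the Settings table above.
FIELDS = ("Request URI", "HTTP User Agent")
ACTIONS = ("Allow", "Block", "Forward", "File")

def check_rule(field, matcher, action, target=None,
               must_match=(), must_not_match=()):
    """Return a list of problems found in a rule before it is published."""
    problems = []
    if field not in FIELDS:
        problems.append(f"unsupported field: {field}")
    if action not in ACTIONS:
        problems.append(f"unknown action: {action}")
    if action in ("Forward", "File") and not target:
        problems.append(f"{action} requires a Target")
    try:
        rx = re.compile(matcher)
    except re.error as exc:
        return problems + [f"invalid regular expression: {exc}"]
    # Assumption: the Matcher may match anywhere in the value (unanchored).
    for value in must_match:
        if not rx.search(value):
            problems.append(f"does not match expected value: {value}")
    for value in must_not_match:
        if rx.search(value):
            problems.append(f"also matches unintended value: {value}")
    return problems

def resolve_file_target(target, request_uri):
    """File action: '!' alone means the file at the Request URI's own path."""
    return request_uri if target == "!" else target

# Constructed sample values for a captive-portal probe page.
WANTED = ["/hotspot-detect.html"]
UNWANTED = ["/hotspot-detect-html-backup",
            "/registration/hotspot-detect.html.bak"]

# Unescaped dot, no anchors: matches both unintended URIs.
loose = check_rule("Request URI", "/hotspot-detect.html", "File", "!",
                   WANTED, UNWANTED)
# Escaped dot, anchored at both ends: matches only the intended URI.
strict = check_rule("Request URI", r"^/hotspot-detect\.html$", "File", "!",
                    WANTED, UNWANTED)

if __name__ == "__main__":
    print("loose :", loose)
    print("strict:", strict)
```
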

Additional Rule Descriptors

| Field | Description |
| --- | --- |
| Last Modified By | The user ID of the last Administrator to modify this entry. If the entry was last modified by an automated process within FortiNAC, the ID listed here is SYSTEM. |
| Last Modified Date | The date and time that the most recent modification took place. This is a UTC timestamp, so it should appear relative to the end user’s timezone as defined in their browser. |
