Fortinet black logo

User Guide

Home FortiWeb Cloud User Guide

Sequence of scans

Copy Link
Copy Doc ID a9687b55-f2f2-11ee-8c42-fa163e15d75b:234292
Download PDF

Sequence of scans

FortiWeb Cloud applies protection rules and performs scans according to orders in the table below (from the top to the bottom).

You may find that the actual scan sequence sometimes is different from that listed in the following scan sequence table. Various reasons may explain this, for example, for the scans involving the whole request or response packet, its sequence may vary depending on when the packet is fully transferred to FortiWeb Cloud. File Protection is one of the scan items that involve scanning the whole packet. FortiWeb Cloud scans Content-Type: and the body of the file for File Protection. While the Content-Type: is scanned instantly, the body of the file may be postponed after the subsequent scans until the whole body of the file is done uploading to FortiWeb Cloud.

Please also note that the scan sequence refers to the sequence within the same packet. For example, TCP Connection Number Limit precedes HTTP Request Limit in the scan sequence table. However, if there are two packets containing HTTP traffic and TCP traffic respectively, and the HTTP packet arrives first, FortiWeb Cloud thus checks the HTTP Connection Number Limit first.

To improve performance, block attackers using the earliest possible technique in the execution sequence and/or the least memory-consuming technique. The blocking style varies by feature and configuration. For example, when detecting Syntax-based SQL injection, instead of blocking the SQL injection by its syntax, you could log and block the injection by the blocklist defined in IP List. For details, see each specific feature.

Scan/action Involves
TCP Connection Number Limit (TCP Flood Prevention)
  • Source IP address of the client in the IP layer.
  • Source port of the client in the TCP layer.
Add X-Forwarded-For:
  • X-Forwarded-For:
  • X-Real-IP:
  • X-Forwarded-Proto:
IP List
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers.
    For details, see Rewriting Requests.
  • Source IP address of the client in the IP layer.

Note: If a source IP is in allowlist, subsequent checks will be skipped.
IP Reputation

Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers.
For details, see Rewriting Requests.

Geo IP
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers.
    For details, see Rewriting Requests.
  • Source IP address of the client in the IP layer.
WebSocket security
  • Host:
  • URL in HTTP header
  • Origin:
  • Upgrade:
  • Frame Size/Message Size
  • sec-websocket-extenstions

HTTP Allow Method

  • Host:
  • URL in HTTP header
  • Request method in HTTP header
HTTP Request Limit (HTTP Flood Prevention)
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • Cookie:
  • Session state
  • URL in the HTTP header
  • HTTP request body
TCP Connection Number Limit (Malicious IP)
  • Cookie:
  • Session state
  • Source IP address of the client in the IP layer
  • Source port of the client in the TCP layer

HTTP Request Limit (HTTP Access Limit)

  • ID field of the IP header
  • Source IP address of the client depending on your configuration of X-header rules.
    This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests. .
  • HTTP request body
URL Access
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • Host:
  • URL in HTTP header
  • Source IP of the client in the IP header
Mobile API Protection
  • Host:
  • URL in HTTP header
  • Token header
Protocol Limits
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • Content-Length:
  • Parameter length
  • Body length
  • Header length
  • Header line length
  • Count of Range: header lines
  • Count of cookies
File Protection
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • Content-Type: in PUT and POST requests
  • URL in HTTP header
  • The body of the file

Bot Deception

  • Host:
  • URL in the HTTP header
Cross-site request forgery (CSRF) attacks
  • <a href>
  • <form>
Protection for Man-in-the-Browser (MITB) attacks
  • Host:
  • URL in HTTP header
  • Request method in HTTP header
  • Parameters in URL
  • Content-Type:

Biometrics Based Detection

  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • URL
  • Host:
  • X-Forwarded-For:

XML Protection

  • URL
  • HTTP header
  • Body

JSON Protection

  • URL
  • HTTP header
  • Body
Signature Based Detection
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • HTTP headers
  • HTML Body
  • URL in HTTP header
  • Parameters in URL and request body

SQL Syntax Based Detection

  • Host:
  • Cookie:
  • URL in HTTP header
  • Parameters in URL and request body
Custom Rule
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • URL in the HTTP header
  • HTTP header
  • Parameter in the URL

Threshold Based Detection

  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • URL
  • Host:
  • X-Forwarded-For:
Account Takeover
  • Host:
  • Cookie:
  • Parameters in the URL
  • URL in HTTP header
  • HTTP body
  • Client's certificate

API Gateway

  • Host:
  • URL in HTTP header
  • API Key as HTTP parameter in URL
  • API Key as HTTP header
  • Source IP address of the client depending on your configuration of API user

  • Request methods in HTTP header

  • HTTP Referer depending on your configuration of API user
OpenAPI Validation
  • Host:
  • HTTP headers, especially the content-type: headers
  • URL in HTTP header
  • Request method in HTTP header
  • Parameters in URL
  • Multipart filename
URL Rewriting (rewriting & redirection)
  • Host:
  • Referer:
  • Location:
  • URL in HTTP header
  • HTML body
Machine Learning - Anomaly Detection
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 1.
  • URL in the HTTP header
  • Request method in HTTP header
  • Parameter in the URL, or the HTTP header or body
  • Content-Type:
Compression Accept-Encoding:
Cookie Security
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Request Limits
  • Cookie:
Reply from server to client
Web Socket Protocol
  • Upgrade:
Caching
  • Host:
  • HTTP method
  • Return code
  • URL in the HTTP header
  • Content-Type:
  • HTTP headers
  • Size in kilobytes (KB) of each URL to cache

Bot Deception

  • Host:
  • URL in the HTTP header
Protection for Man-in-the-Browser (MiTB) attacks
  • Status code
  • Response body

Biometrics Based Detection

  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Request Limits
  • URL
  • Host:
  • X-Forwarded-For:
  • HTTP header

  • Custom signature

  • Body
  • The latest HTTP transaction time
  • The response content type

  • Status code
Signature Based Detection (Information Leakage)
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Request Limits
  • HTTP headers
  • HTML Body
  • URL in HTTP header
  • Parameters in URL and body
  • XML in the body of HTTP POST requests
  • Cookies
  • Headers
  • JSON Protocol Detection
  • Uploaded filename (MULTIPART_FORM_DATA_FILENAME)
Custom Rule
  • HTTP response code
  • Content-Type:
Account Takeover
  • Status code
  • HTTP headers
  • HTML body
URL Rewriting (rewriting)
  • Host:
  • Referer:
  • Location:
  • URL in HTTP header
  • HTML body
HTTP Header Security
  • HTTP headers
Previous
Next

Sequence of scans

FortiWeb Cloud applies protection rules and performs scans according to orders in the table below (from the top to the bottom).

You may find that the actual scan sequence sometimes is different from that listed in the following scan sequence table. Various reasons may explain this, for example, for the scans involving the whole request or response packet, its sequence may vary depending on when the packet is fully transferred to FortiWeb Cloud. File Protection is one of the scan items that involve scanning the whole packet. FortiWeb Cloud scans Content-Type: and the body of the file for File Protection. While the Content-Type: is scanned instantly, the body of the file may be postponed after the subsequent scans until the whole body of the file is done uploading to FortiWeb Cloud.

Please also note that the scan sequence refers to the sequence within the same packet. For example, TCP Connection Number Limit precedes HTTP Request Limit in the scan sequence table. However, if there are two packets containing HTTP traffic and TCP traffic respectively, and the HTTP packet arrives first, FortiWeb Cloud thus checks the HTTP Connection Number Limit first.

To improve performance, block attackers using the earliest possible technique in the execution sequence and/or the least memory-consuming technique. The blocking style varies by feature and configuration. For example, when detecting Syntax-based SQL injection, instead of blocking the SQL injection by its syntax, you could log and block the injection by the blocklist defined in IP List. For details, see each specific feature.

Scan/action Involves
TCP Connection Number Limit (TCP Flood Prevention)
  • Source IP address of the client in the IP layer.
  • Source port of the client in the TCP layer.
Add X-Forwarded-For:
  • X-Forwarded-For:
  • X-Real-IP:
  • X-Forwarded-Proto:
IP List
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers.
    For details, see Rewriting Requests.
  • Source IP address of the client in the IP layer.

Note: If a source IP is in allowlist, subsequent checks will be skipped.
IP Reputation

Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers.
For details, see Rewriting Requests.

Geo IP
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers.
    For details, see Rewriting Requests.
  • Source IP address of the client in the IP layer.
WebSocket security
  • Host:
  • URL in HTTP header
  • Origin:
  • Upgrade:
  • Frame Size/Message Size
  • sec-websocket-extenstions

HTTP Allow Method

  • Host:
  • URL in HTTP header
  • Request method in HTTP header
HTTP Request Limit (HTTP Flood Prevention)
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • Cookie:
  • Session state
  • URL in the HTTP header
  • HTTP request body
TCP Connection Number Limit (Malicious IP)
  • Cookie:
  • Session state
  • Source IP address of the client in the IP layer
  • Source port of the client in the TCP layer

HTTP Request Limit (HTTP Access Limit)

  • ID field of the IP header
  • Source IP address of the client depending on your configuration of X-header rules.
    This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests. .
  • HTTP request body
URL Access
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • Host:
  • URL in HTTP header
  • Source IP of the client in the IP header
Mobile API Protection
  • Host:
  • URL in HTTP header
  • Token header
Protocol Limits
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • Content-Length:
  • Parameter length
  • Body length
  • Header length
  • Header line length
  • Count of Range: header lines
  • Count of cookies
File Protection
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • Content-Type: in PUT and POST requests
  • URL in HTTP header
  • The body of the file

Bot Deception

  • Host:
  • URL in the HTTP header
Cross-site request forgery (CSRF) attacks
  • <a href>
  • <form>
Protection for Man-in-the-Browser (MITB) attacks
  • Host:
  • URL in HTTP header
  • Request method in HTTP header
  • Parameters in URL
  • Content-Type:

Biometrics Based Detection

  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • URL
  • Host:
  • X-Forwarded-For:

XML Protection

  • URL
  • HTTP header
  • Body

JSON Protection

  • URL
  • HTTP header
  • Body
Signature Based Detection
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • HTTP headers
  • HTML Body
  • URL in HTTP header
  • Parameters in URL and request body

SQL Syntax Based Detection

  • Host:
  • Cookie:
  • URL in HTTP header
  • Parameters in URL and request body
Custom Rule
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • URL in the HTTP header
  • HTTP header
  • Parameter in the URL

Threshold Based Detection

  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Rewriting Requests.
  • URL
  • Host:
  • X-Forwarded-For:
Account Takeover
  • Host:
  • Cookie:
  • Parameters in the URL
  • URL in HTTP header
  • HTTP body
  • Client's certificate

API Gateway

  • Host:
  • URL in HTTP header
  • API Key as HTTP parameter in URL
  • API Key as HTTP header
  • Source IP address of the client depending on your configuration of API user

  • Request methods in HTTP header

  • HTTP Referer depending on your configuration of API user
OpenAPI Validation
  • Host:
  • HTTP headers, especially the content-type: headers
  • URL in HTTP header
  • Request method in HTTP header
  • Parameters in URL
  • Multipart filename
URL Rewriting (rewriting & redirection)
  • Host:
  • Referer:
  • Location:
  • URL in HTTP header
  • HTML body
Machine Learning - Anomaly Detection
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 1.
  • URL in the HTTP header
  • Request method in HTTP header
  • Parameter in the URL, or the HTTP header or body
  • Content-Type:
Compression Accept-Encoding:
Cookie Security
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Request Limits
  • Cookie:
Reply from server to client
Web Socket Protocol
  • Upgrade:
Caching
  • Host:
  • HTTP method
  • Return code
  • URL in the HTTP header
  • Content-Type:
  • HTTP headers
  • Size in kilobytes (KB) of each URL to cache

Bot Deception

  • Host:
  • URL in the HTTP header
Protection for Man-in-the-Browser (MiTB) attacks
  • Status code
  • Response body

Biometrics Based Detection

  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Request Limits
  • URL
  • Host:
  • X-Forwarded-For:
  • HTTP header

  • Custom signature

  • Body
  • The latest HTTP transaction time
  • The response content type

  • Status code
Signature Based Detection (Information Leakage)
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Request Limits
  • HTTP headers
  • HTML Body
  • URL in HTTP header
  • Parameters in URL and body
  • XML in the body of HTTP POST requests
  • Cookies
  • Headers
  • JSON Protocol Detection
  • Uploaded filename (MULTIPART_FORM_DATA_FILENAME)
Custom Rule
  • HTTP response code
  • Content-Type:
Account Takeover
  • Status code
  • HTTP headers
  • HTML body
URL Rewriting (rewriting)
  • Host:
  • Referer:
  • Location:
  • URL in HTTP header
  • HTML body
HTTP Header Security
  • HTTP headers
Previous
Next