Fortinet Document Library

Administration Guide

Restricting access to specific URLs

You can configure URL access rules that define which HTTP requests FortiWeb accepts or denies based on their Host: name and URL, as well as the origin of the request.

For example, access to administrative panels for your web application should only be allowed if the client’s source IP address is an administrator’s computer on your private management network. Unauthenticated access from unknown locations increases risk of compromise. Best practice dictates that such risk should be minimized.

URL access rules check only the URL path, and do not support query string checks. In addition, they are evaluated after some other rules. As a result, permitted access can still be denied if it violates one of the rules that execute prior in the sequence. For details, see Sequence of scans.

You can use SNMP traps to notify you when a URL access rule is enforced. For details, see SNMP traps & queries.

To configure a URL access rule
  1. Go to Web Protection > Access > URL Access and select the URL Access Rule tab.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  2. Click Create New.
  3. Configure these settings:
  4. Name

    Enter a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

    Host Status

    Enable to require that the Host: field of the HTTP request match a protected host names entry in order for the request to match the URL access rule. Also configure Host.

    Host

    Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the URL access rule.

    This option is available only if Host Status is enabled.

    Action

    Select the action that FortiWeb takes when it detects a violation of the rule. Supported options vary (available options are listed in the description for each specific rule), but may include:

    • Deny (no log)—Block the request (or reset the connection).

    • Pass—Allow the request. Do not generate an alert and/or log message.

    • Continue—Continue by evaluating any subsequent rules defined in the web protection profile. For details, see Sequence of scans. If the request does not violate any other rules, FortiWeb allows the request. If the single request violates multiple rules, it generates multiple attack log messages.

    The default value is Pass.

    Caution: This setting will be ignored if Monitor Mode is enabled.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see Logging and Alert email.

    Severity

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

    • Informative
    • Low
    • Medium
    • High

    The default value is Low.

    Trigger Action

    Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
  5. Click OK.
  6. Click Create New to add a new URL access condition entry to the set.
  7. Configure these settings:
  8. ID

    Type the index number of the individual condition within the URL access rule, or keep the field’s default value of auto to let the FortiWeb appliance automatically assign the next available index number.

    Source Address

    Enable to add the client’s source IP address as a criterion for matching the URL access rule. Also configure Source Address Type and the fields that apply to the selected type.

    Source Address Type

    Select how FortiWeb determines matching client source IPs:

    • IPv4/IPv6 / IP Range—A single IP address or an address range. Also configure IPv4/IPv6 / IP Range.
    • IP Resolved by Specified Domain—FortiWeb determines the source IP to match by performing a DNS lookup for the specified domain. Also configure Type and IP Resolved by Specified Domain.
    • Source Domain—To determine a match, FortiWeb performs a reverse DNS lookup for the client source IP to determine its corresponding domain, and then compares the domain to the value of Source Domain. Also configure Source Domain Type and Source Domain.
    IPv4/IPv6 / IP Range

    Enter one of the following values:

    • A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 192.0.2.109).
    • A range of addresses (e.g., 192.0.2.1-192.0.2.256 or 10:200::10:1-10:200:10:100).

    Available only if Source Address Type is IPv4/IPv6 / IP Range.

    Type

    Select the type of IP address FortiWeb retrieves from the DNS lookup of the domain specified by IP Resolved by Specified Domain.

    Available only if Source Address Type is IP Resolved by Specified Domain.

    IP Resolved by Specified Domain

    Enter the domain to match the client source IP after DNS lookup.

    Available only if Source Address Type is IP Resolved by Specified Domain.

    Source Domain Type

    Specify whether the Source Domain field contains a literal domain (Simple String) or a regular expression designed to match multiple domains (Regular Expression).

    When you finish typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

    Available only if Source Address Type is Source Domain.

    Source Domain

    Specify the domain to match.

    Depending on the value of Source Domain Type, enter one of the following:

    • the literal domain
    • a regular expression.

    Available only if Source Address Type is Source Domain.

    URL Type

    Select whether the URL Pattern field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).

    URL Pattern

    Depending on your selection in URL Type, enter either:

    • The literal URL, such as /admin.php. The URL must begin with a slash ( / ).
    • A regular expression.

    For example, if the URL is:

    /send/index1.html

    To match the exact, full URL when the file name is anywhere between index1.html and index9.html:

    ^\/send\/index[0-9]\.html

    To match every URL under the /send/ path, regardless of the file name:

    ^\/send\/.*

    The pattern itself does not require a leading slash ( / ). However, it must at least match URLs that begin with a slash, such as /admin.cfm.

    When you finish typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

    Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list for the URL access rule.

    Meet this condition if

    Select whether the access condition is met when the HTTP request matches both the regular expression (or text string) and the source IP address of the client, or when it does not match the regular expression (or text string) and/or the source IP address of the client.
  9. Click OK.
  10. Repeat the previous steps for each individual condition that you want to add to the URL access rule.
  11. Go to Web Protection > Access > URL Access.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  12. Click Create New.
  13. In Name, type a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
  14. Click OK.
  15. Click Create New to add an entry to the set.
  16. From the Access Rule Name drop-down list, select the name of a URL access rule to include in the policy.
    To view or change the information associated with the rule, select the Detail link. The URL Access Rule dialog appears. Use the browser Back button to return.
  17. Click OK.
  18. Repeat the previous steps for each individual rule that you want to add to the URL access policy.
    Rules at the top of the list have priority over rules further down. Use Move to change the order of the rules. The ID value does not affect rule priority.
  19. To apply the URL access policy, select it in an inline or Offline Protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
    Attack log messages contain URL Access Violation when this feature detects a suspicious HTTP request.
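The evaluation described in the steps above, as an added Python model that is not FortiWeb code: it discards the query string before matching (URL access rules check only the path), compares the Host: header against the rule's protected host name, applies the Source Address range and the URL Pattern (Simple String or Regular Expression), honours Meet this condition if, and walks the policy's rules top-down, where Deny (no log) blocks, Pass allows, and Continue writes a URL Access Violation log line and moves on. The two regular expressions are the ones from the URL Pattern description; the rule names, the 192.0.2.1-192.0.2.50 management range, the exact-match behaviour of Simple String and the rule that a violated Pass rule stops evaluation are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Added model of URL access rule evaluation (not FortiWeb code). Field names
# follow the web UI labels on this page; behaviour the page does not state
# (e.g. that a violated Pass rule stops evaluation) is an assumption.


@dataclass
class Condition:
    url_pattern: str                     # URL Pattern: literal path or regex
    url_type: str = "Simple String"      # URL Type: or "Regular Expression"
    source: Optional[str] = None         # IPv4/IPv6 / IP Range; None = Source Address disabled
    meet_if: str = "match"               # Meet this condition if: "match" or "not match"

    def url_matches(self, path: str) -> bool:
        if self.url_type == "Regular Expression":
            return re.search(self.url_pattern, path) is not None
        return path == self.url_pattern  # Simple String as an exact path match (assumption)

    def source_matches(self, client_ip: str) -> bool:
        if self.source is None:
            return True
        ip = ipaddress.ip_address(client_ip)
        if "-" in self.source:           # "low-high" range in the same address family
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.source.split("-", 1))
            return lo.version == ip.version and lo <= ip <= hi
        return ip == ipaddress.ip_address(self.source)

    def met(self, path: str, client_ip: str) -> bool:
        both = self.url_matches(path) and self.source_matches(client_ip)
        return both if self.meet_if == "match" else not both


@dataclass
class Rule:
    name: str
    action: str                          # "Deny (no log)", "Pass" or "Continue"
    host: Optional[str] = None           # protected host name; None = Host Status disabled
    conditions: List[Condition] = field(default_factory=list)

    def violated(self, host: str, path: str, client_ip: str) -> bool:
        if self.host is not None and host.lower() != self.host.lower():
            return False
        return any(c.met(path, client_ip) for c in self.conditions)


def evaluate_policy(rules: List[Rule], target: str, host: str,
                    client_ip: str) -> Tuple[str, List[str]]:
    """Walk the policy top-down; return (verdict, attack log lines)."""
    # URL access rules check only the path: the query string is discarded.
    path = urlsplit(target).path
    log: List[str] = []
    for rule in rules:
        if not rule.violated(host, path, client_ip):
            continue
        if rule.action == "Continue":
            log.append(f"URL Access Violation rule={rule.name} path={path}")
            continue                     # later rules still decide the verdict
        if rule.action == "Deny (no log)":
            return "deny", log
        return "pass", log               # Pass: allow, no log, stop here (assumption)
    return "pass", log                   # nothing violated, or only Continue rules


# Constructed sample policy: admins on the management range may reach /admin,
# everyone else is denied there, and /send/index[0-9].html requests are logged only.
ADMIN_NET = "192.0.2.1-192.0.2.50"
RULES = [
    Rule("allow-admin-from-mgmt", "Pass", host="www.example.com",
         conditions=[Condition("^/admin", "Regular Expression", source=ADMIN_NET)]),
    Rule("deny-admin-elsewhere", "Deny (no log)", host="www.example.com",
         conditions=[Condition("^/admin", "Regular Expression")]),
    Rule("log-send-index-pages", "Continue",
         conditions=[Condition(r"^\/send\/index[0-9]\.html", "Regular Expression")]),
]


if __name__ == "__main__":
    samples = [("/admin.php?x=1", "192.0.2.10"), ("/admin.php", "203.0.113.7"),
               ("/send/index3.html?id=9", "203.0.113.7"), ("/public?p=/admin.php", "203.0.113.7")]
    for target, ip in samples:
        print(target, ip, evaluate_policy(RULES, target, "www.example.com", ip))
```

The last sample request shows why the path-only check matters: /public?p=/admin.php never reaches the admin rules because only /public is compared, so a pattern meant to cover query parameters has to be enforced by a rule that runs earlier in the sequence of scans.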