Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiWeb 7.0.2 Administration Guide
    7.0.2
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Configuring the allow list at server policy level

    Configuring the allow list at server policy level

    You can configure an allow list and reference it in a server policy. For the traffic that arrives at this server policy, it will be screened only according to the server policy based allow list instead of the global one.

    The server policy level allow list is defined in Server Objects > Allow List. It has predefined allow list, but unlike the global one, here it's not allowed to disable items in the predefined allow list. You can create a custom allow list.

    To create a custom allow list
    1. Go to Server Objects > Allow List.

      2. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

    2. Click Create New.
    3. Enter a name for the allow list.
    4. Click OK.
    5. Click Create New.
    6. From Type, select the part of the HTTP request where you want to allow list an object. Available configuration fields vary by the type that you choose.
    • If Type is URL:
      • Request Type Indicate whether the Configuring the allow list at server policy level field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).
      Request URL

      Depending on your selection in the Configuring the allow list at server policy level field, enter either:

      • The literal URL, such as /robots.txt, that the HTTP request must contain in order to match the rule. The URL must begin with a backslash ( / ).
      • A regular expression, such as ^/*.html, matching all and only the URLs to which the rule should apply. The pattern does not require a slash ( / ); however, it must at match URLs that begin with a slash, such as /index.html.

      Do not include the domain name, such as www.example.com.

      To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

    • If Type is Parameter:

      Name Type

      		Indicate whether the Name field will contain a literal parameter name (Simple String), or a regular expression designed to match all parameter names (Regular Expression).
      Name

      Enter one of the following:

      • The name of the parameter as it appears in the URL or HTTP body if Name Type is Simple String.

        For example, if the URL ends with the parameter substring ?userName=rowan, you would type userName.

      • A regular expression that matches the name attribute of the parameter if Name Type is Regular Expression.

      Note: FortiWeb does not support regular expressions that begin with an exclamation point ( ! ). For information on language and regular expression matching, see Regular expression syntax.

      Request Status

      Enable to apply this rule only to HTTP requests for specific URLs. Configure Request URL if it is enabled.

      Request Type

      		 Indicate whether the Request URL field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).

      Request URL

      Depending on your selection in the Request Type field, enter either:

      • The literal URL, such as /robots.txt, that the HTTP request must contain in order to match the rule. The URL must begin with a backslash ( / ).
      • A regular expression, such as ^/*.html, matching all and only the URLs to which the rule should apply. The pattern does not require a slash ( / ); however, it must match URLs that begin with a slash, such as /index.html.

      Do not include the domain name, such as www.example.com.

      To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

      Domain Status

      Enable to apply this rule only to HTTP requests for specific domains.

      If enabled, also configure Domain.

      Domain Type

      Indicate whether the Domain field will contain a literal domain/IP address (Simple String), or a regular expression designed to match multiple domains/IP addresses (Regular Expression).
      Domain

      Depending on your selection in the Domain Type field, enter either:

      • The literal domain, such as /robots.com, that the HTTP request must contain in order to match the rule. The domain must begin with a backslash ( / ).
      • A regular expression, such as ^/*.com, matching all and only the domains to which the rule should apply. The pattern does not require a slash ( / ); however, it must match domains that begin with a slash, such as /robots.com.

      To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

      Caution: Do not allowlist untrusted subdomains that use vulnerable cookies. It could compromise the security of that domain and its network.

    • If Type is Cookie:
      • Name Type the name of the cookie as it appears in the HTTP request, such as NID.
      Domain

      Type the partial or complete domain name or IP address as it appears in the cookie, such as:

      www.example.com

      .google.com

      10.0.2.50

      If clients sometimes access the host via IP address instead of DNS, create allow list objects for both.

      Caution: Do not allowlist untrusted subdomains that use vulnerable cookies. It could compromise the security of that domain and its network.

      Path Type the path as it appears in the cookie, such as / or /blog/folder.
    • If Type is Header Field:
      • Header Name Type Indicate whether the Name field will contain a literal name (Simple String), or a regular expression designed to match multiple names (Regular Expression).
      Name

      Depending on your selection in the Header Name Type field, enter either:

      • The literal name, such as Accept-Encoding, that the HTTP request must contain in order to match the rule.
      • A regular expression, such as */*\r\n, matching the names to which the rule should apply. .

      To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

      Value Status

      Enable to also check the value of the HTTP header. Only the HTTP headers which match both the name and the value will be allowlisted.

      Header Value Type

      Indicate whether the Name field will contain a literal name (Simple String), or a regular expression designed to match multiple names (Regular Expression).

      Value

      The value of the HTTP header.

      Depending on your selection in the Header Value Type field, enter either a literal value or a regular expression.
  • Click OK.

    • For the allowlist to take effect, you need to reference it in a server policy.

    To verify that an item is now allowlisted, use the parameter or URL to attempt to trigger an attack signature that would normally block it; the item should now be allowed.

    See also
    Previous
    Next

    Configuring the allow list at server policy level

    Configuring the allow list at server policy level

    You can configure an allow list and reference it in a server policy. For the traffic that arrives at this server policy, it will be screened only according to the server policy based allow list instead of the global one.

    The server policy level allow list is defined in Server Objects > Allow List. It has predefined allow list, but unlike the global one, here it's not allowed to disable items in the predefined allow list. You can create a custom allow list.

    To create a custom allow list
    1. Go to Server Objects > Allow List.

      2. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

    2. Click Create New.
    3. Enter a name for the allow list.
    4. Click OK.
    5. Click Create New.
    6. From Type, select the part of the HTTP request where you want to allow list an object. Available configuration fields vary by the type that you choose.
    • If Type is URL:
      • Request Type Indicate whether the Configuring the allow list at server policy level field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).
      Request URL

      Depending on your selection in the Configuring the allow list at server policy level field, enter either:

      • The literal URL, such as /robots.txt, that the HTTP request must contain in order to match the rule. The URL must begin with a backslash ( / ).
      • A regular expression, such as ^/*.html, matching all and only the URLs to which the rule should apply. The pattern does not require a slash ( / ); however, it must at match URLs that begin with a slash, such as /index.html.

      Do not include the domain name, such as www.example.com.

      To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

    • If Type is Parameter:

      Name Type

      		Indicate whether the Name field will contain a literal parameter name (Simple String), or a regular expression designed to match all parameter names (Regular Expression).
      Name

      Enter one of the following:

      • The name of the parameter as it appears in the URL or HTTP body if Name Type is Simple String.

        For example, if the URL ends with the parameter substring ?userName=rowan, you would type userName.

      • A regular expression that matches the name attribute of the parameter if Name Type is Regular Expression.

      Note: FortiWeb does not support regular expressions that begin with an exclamation point ( ! ). For information on language and regular expression matching, see Regular expression syntax.

      Request Status

      Enable to apply this rule only to HTTP requests for specific URLs. Configure Request URL if it is enabled.

      Request Type

      		 Indicate whether the Request URL field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).

      Request URL

      Depending on your selection in the Request Type field, enter either:

      • The literal URL, such as /robots.txt, that the HTTP request must contain in order to match the rule. The URL must begin with a backslash ( / ).
      • A regular expression, such as ^/*.html, matching all and only the URLs to which the rule should apply. The pattern does not require a slash ( / ); however, it must match URLs that begin with a slash, such as /index.html.

      Do not include the domain name, such as www.example.com.

      To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

      Domain Status

      Enable to apply this rule only to HTTP requests for specific domains.

      If enabled, also configure Domain.

      Domain Type

      Indicate whether the Domain field will contain a literal domain/IP address (Simple String), or a regular expression designed to match multiple domains/IP addresses (Regular Expression).
      Domain

      Depending on your selection in the Domain Type field, enter either:

      • The literal domain, such as /robots.com, that the HTTP request must contain in order to match the rule. The domain must begin with a backslash ( / ).
      • A regular expression, such as ^/*.com, matching all and only the domains to which the rule should apply. The pattern does not require a slash ( / ); however, it must match domains that begin with a slash, such as /robots.com.

      To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

      Caution: Do not allowlist untrusted subdomains that use vulnerable cookies. It could compromise the security of that domain and its network.

    • If Type is Cookie:
      • Name Type the name of the cookie as it appears in the HTTP request, such as NID.
      Domain

      Type the partial or complete domain name or IP address as it appears in the cookie, such as:

      www.example.com

      .google.com

      10.0.2.50

      If clients sometimes access the host via IP address instead of DNS, create allow list objects for both.

      Caution: Do not allowlist untrusted subdomains that use vulnerable cookies. It could compromise the security of that domain and its network.

      Path Type the path as it appears in the cookie, such as / or /blog/folder.
    • If Type is Header Field:
      • Header Name Type Indicate whether the Name field will contain a literal name (Simple String), or a regular expression designed to match multiple names (Regular Expression).
      Name

      Depending on your selection in the Header Name Type field, enter either:

      • The literal name, such as Accept-Encoding, that the HTTP request must contain in order to match the rule.
      • A regular expression, such as */*\r\n, matching the names to which the rule should apply. .

      To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

      Value Status

      Enable to also check the value of the HTTP header. Only the HTTP headers which match both the name and the value will be allowlisted.

      Header Value Type

      Indicate whether the Name field will contain a literal name (Simple String), or a regular expression designed to match multiple names (Regular Expression).

      Value

      The value of the HTTP header.

      Depending on your selection in the Header Value Type field, enter either a literal value or a regular expression.
  • Click OK.

    • For the allowlist to take effect, you need to reference it in a server policy.

    To verify that an item is now allowlisted, use the parameter or URL to attempt to trigger an attack signature that would normally block it; the item should now be allowed.

    See also
    Previous
    Next