Fortinet black logo

Administration Guide

URL encryption

URL encryption

To prevent users from forceful browsing, you can now encrypt the URLs, which can ensure that the internal directory structure of the web application is not revealed to users.

You can configure multiple URL encryption rules for a service, and add the rule to the URL encryption policy.

To configure a URL encryption rule
  1. Go to Web Protection > Advanced Protection > URL Encryption.
  2. Click URL Encryption Rule.
  3. Click Create New.
  4. Configure these settings:

    Name

    Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a URL encryption policy.

    Host status

    Enable to apply this rule only to HTTP requests for specific web hosts. If enabled, also configure Host.

    Host

    Select the name of a protected host that the Host: field of an HTTP request must be in to match the URL encryption rule.

    This option is available only if Host status is enabled.

    Allow Unencrypted

    When enabled, unencrypted URL requests will be allowed. Unencrypted URL requests are the valid requests from the client that FortiWeb failed to decrypt.

    When disabled, if the URL can match the rule, and FortiWeb detects unencrypted URLs, the action will be triggered.

    Action

    Select which action FortiWeb will take when it detects a violation of the rule:

    • Alert—Accept the connection and generate an alert email and/or log message.
    • Alert & Deny—Block the request and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

    • Deny (no log)—Block the request.
    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

    The default value is Alert. See also Reducing false positives.

    Note: Logging will occur only if enabled and configured. For details, see Logging and Alert email.

    Block Period

    Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when Action is set to Period Block.

    The valid range is 1–3,600 seconds (1 hour).

    For details about tracking blocked clients, see Monitoring currently blocked IPs.

    Severity

    When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is vioated:

    • Low
    • Medium
    • High
    • Informative

    The default value is High.

    Trigger Policy

    Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see Viewing log messages.

  5. Click OK.
  6. Click Create New in URL List Table to add the request URLs.
  7. Configure these settings:

    Type

    Select whether the Request URL field must contain either:

    • Simple String—The field is a string that the request URL must match exactly.
    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    Request URL

    Depending on your selection in Type, enter either:

    • Simple String—The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ).
    • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    Do not include the domain name, such as www.example.com, which is configured separately in Host.

    To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.

  8. Click OK.
    You can add multiple URLs in the table.
  9. Click Create New in Exception List Table to exclude any URL patterns from URL encryption validation.
  10. Configure these settings:

    Type

    Select whether the Request URL field must contain either:

    • Simple String—The field is a string that the request URL must match exactly.
    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    Request URL

    Depending on your selection in Type, enter either:

    • Simple String—The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ).
    • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    Do not include the domain name, such as www.example.com, which is configured separately in Host.

    To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.

  11. Click OK.
To configure a URL encryption policy

To avoid errors such as URL replacement, you can configure to disable full mode from CLI to not to encrypt some complex files such as Script Events, Embedded non-HTML content - scripts, js files, and Embedded non-HTML content - stylesheets on the page that match the URL encryption rule.

  1. Go to Web Protection > Advanced Protection > URL Encryption.
  2. Click URL Encryption Policy.
  3. Click Create New.
  4. For Name, enter a name for the URL encryption policy that can be referenced in Web Protection Policy.
  5. Click OK.
  6. Click Create New.
  7. Select the URL encryption rule created from the drop down list.
  8. Click OK.
To configure a URL encryption policy in a web protection profile
  1. Go to Policy > Web Protection Profile.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

  3. Select the Inline Protection Profile tab.
  4. Select an existing web protection profile to which you want to include the URL encryption policy.
  5. Click Edit.
  6. For Advanced Protection > URL Encryption Policy, select the URL encryption policy from the drop down list.

    To view details about a selected URL encryption policy, click the view icon next to the drop down list.

  7. Click OK.

URL encryption

To prevent users from forceful browsing, you can now encrypt the URLs, which can ensure that the internal directory structure of the web application is not revealed to users.

You can configure multiple URL encryption rules for a service, and add the rule to the URL encryption policy.

To configure a URL encryption rule
  1. Go to Web Protection > Advanced Protection > URL Encryption.
  2. Click URL Encryption Rule.
  3. Click Create New.
  4. Configure these settings:

    Name

    Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a URL encryption policy.

    Host status

    Enable to apply this rule only to HTTP requests for specific web hosts. If enabled, also configure Host.

    Host

    Select the name of a protected host that the Host: field of an HTTP request must be in to match the URL encryption rule.

    This option is available only if Host status is enabled.

    Allow Unencrypted

    When enabled, unencrypted URL requests will be allowed. Unencrypted URL requests are the valid requests from the client that FortiWeb failed to decrypt.

    When disabled, if the URL can match the rule, and FortiWeb detects unencrypted URLs, the action will be triggered.

    Action

    Select which action FortiWeb will take when it detects a violation of the rule:

    • Alert—Accept the connection and generate an alert email and/or log message.
    • Alert & Deny—Block the request and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

    • Deny (no log)—Block the request.
    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

    The default value is Alert. See also Reducing false positives.

    Note: Logging will occur only if enabled and configured. For details, see Logging and Alert email.

    Block Period

    Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when Action is set to Period Block.

    The valid range is 1–3,600 seconds (1 hour).

    For details about tracking blocked clients, see Monitoring currently blocked IPs.

    Severity

    When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is vioated:

    • Low
    • Medium
    • High
    • Informative

    The default value is High.

    Trigger Policy

    Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see Viewing log messages.

  5. Click OK.
  6. Click Create New in URL List Table to add the request URLs.
  7. Configure these settings:

    Type

    Select whether the Request URL field must contain either:

    • Simple String—The field is a string that the request URL must match exactly.
    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    Request URL

    Depending on your selection in Type, enter either:

    • Simple String—The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ).
    • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    Do not include the domain name, such as www.example.com, which is configured separately in Host.

    To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.

  8. Click OK.
    You can add multiple URLs in the table.
  9. Click Create New in Exception List Table to exclude any URL patterns from URL encryption validation.
  10. Configure these settings:

    Type

    Select whether the Request URL field must contain either:

    • Simple String—The field is a string that the request URL must match exactly.
    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    Request URL

    Depending on your selection in Type, enter either:

    • Simple String—The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ).
    • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    Do not include the domain name, such as www.example.com, which is configured separately in Host.

    To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.

  11. Click OK.
To configure a URL encryption policy

To avoid errors such as URL replacement, you can configure to disable full mode from CLI to not to encrypt some complex files such as Script Events, Embedded non-HTML content - scripts, js files, and Embedded non-HTML content - stylesheets on the page that match the URL encryption rule.

  1. Go to Web Protection > Advanced Protection > URL Encryption.
  2. Click URL Encryption Policy.
  3. Click Create New.
  4. For Name, enter a name for the URL encryption policy that can be referenced in Web Protection Policy.
  5. Click OK.
  6. Click Create New.
  7. Select the URL encryption rule created from the drop down list.
  8. Click OK.
To configure a URL encryption policy in a web protection profile
  1. Go to Policy > Web Protection Profile.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

  3. Select the Inline Protection Profile tab.
  4. Select an existing web protection profile to which you want to include the URL encryption policy.
  5. Click Edit.
  6. For Advanced Protection > URL Encryption Policy, select the URL encryption policy from the drop down list.

    To view details about a selected URL encryption policy, click the view icon next to the drop down list.

  7. Click OK.