Restricting access to specific URLs
You can configure URL access rules that define which HTTP requests FortiWeb accepts or denies based on their Host: name and URL, as well as the origin of the request.
For example, access to administrative panels for your web application should only be allowed if the client’s source IP address is an administrator’s computer on your private management network. Unauthenticated access from unknown locations increases risk of compromise. Best practice dictates that such risk should be minimized.
URL access rules check the URL path and parameter, and do not support query string checks. In addition, they are evaluated after some other rules. As a result, permitted access can still be denied if it violates one of the rules that execute prior in the sequence. For details, see Sequence of scans.
You can use SNMP traps to notify you when a URL access rule is enforced. For details, see SNMP traps & queries.
To configure a URL access parameter
- Go to Web Protection > Access > URL Access and select the URL Access parameter tab.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
- Click Create New.
- Enter a name for the parameter rule.
- Click OK.
- Click Create New to add parameters.
- Configure these settings:
Name | Enter a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters. |
Name Type | Select whether the parameter name field must contain either: Simple String—The field is a string that the name must match exactly. Regular Expression—The field is a regular expression that defines a set of matching names. |
Name | Depending on your selection in Type, enter either: the literal name that the HTTP request must contain in order to match the rule, or a regular expression. To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax. |
Use Type Check | If Use Type Check is enabled, the parameter value must match the Data Type specified. |
Argument Type | Select the type of the parameter value. |
Data Type | If Data Type is selected in Argument Type, you need to select the specific data type. |
To configure a URL access rule
- Go to Web Protection > Access > URL Access and select the URL Access Rule tab.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
- Click Create New.
- Configure these settings:
Action options:
- Alert & Deny—Block the request (or reset the connection) and generate an alert email and/or log message.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).
- Deny (no log)—Block the request (or reset the connection).
- Pass—Allow the request. Do not generate an alert and/or log message.
- Continue—Continue by evaluating any subsequent rules defined in the web protection profile. For details, see Sequence of scans. If the request does not violate any other rules, FortiWeb allows the request. If the single request violates multiple rules, it generates multiple attack log messages.
Severity options:
- Informative
- Low
- Medium
- High
- Click OK.
- Click Create New to add a new URL access condition entry to the set.
- Configure these settings:
Source Address Type options:
- IPv4/IPv6 / IP Range—A single IP address or an address range. Also configure IPv4/IPv6 / IP Range.
- IP Resolved by Specified Domain—FortiWeb determines the source IP to match by performing a DNS lookup for the specified domain. Also configure Type and IP Resolved by Specified Domain.
- Source Domain—To determine a match, FortiWeb performs a reverse DNS lookup for the client source IP to determine its corresponding domain, and then compares the domain to the value of Source Domain. Also configure Source Domain Type and Source Domain.
IPv4/IPv6 / IP Range values:
- A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 192.0.2.109).
- A range of addresses (e.g., 192.0.2.1-192.0.2.256 or 10:200::10:1-10:200:10:100).
Source Domain values:
- The literal domain.
- A regular expression.
URL Pattern values:
- The literal URL, such as /folder1/index.htm, that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash (/).
- A regular expression.
- Click OK.
- Repeat the previous steps for each individual condition that you want to add to the URL access rule.
- Go to Web Protection > Access > URL Access.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
- Click Create New.
- In Name, type a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
- Click OK.
- Click Create New to add an entry to the set.
- From the Access Rule Name drop-down list, select the name of a URL access rule to include in the policy.
To view or change the information associated with the rule, select the Detail link. The URL Access Rule dialog appears. Use the browser Back button to return.
- Click OK.
- Repeat the previous steps for each individual rule that you want to add to the URL access policy.
Rules at the top of the list have priority over rules further down. Use Move to change the order of the rules. The ID value does not affect rule priority.
- To apply the URL access policy, select it in an inline or Offline Protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
Attack log messages contain URL Access Violation when this feature detects a suspicious HTTP request.
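The rule ordering and source/URL matching described in these steps, modelled for the administrative-panel case from the introduction. This is an added example, not FortiWeb code or configuration: the rule names, the /admin/ path, the 203.0.113.7 client and the first-match evaluation model are assumptions made for illustration.

```python
import ipaddress
import re

def in_range(ip, spec):
    """True if ip equals a single address or lies inside a 'start-end' range."""
    lo_text, _, hi_text = spec.partition("-")
    lo = ipaddress.ip_address(lo_text.strip())
    hi = ipaddress.ip_address(hi_text.strip()) if hi_text else lo
    addr = ipaddress.ip_address(ip)
    if not (addr.version == lo.version == hi.version):
        return False  # never compare IPv4 against IPv6
    return lo <= addr <= hi

def rule_matches(rule, src_ip, path):
    """Condition is met when the URL pattern and, if set, the source both match."""
    if not re.search(rule["url"], path):
        return False
    return rule["source"] is None or in_range(src_ip, rule["source"])

def evaluate(policy, src_ip, path):
    """Assumed model: the first matching rule from the top of the list decides."""
    for rule in policy:
        if rule_matches(rule, src_ip, path):
            return rule["name"], rule["action"]
    return None, "no match"  # assumption: the request goes on to later scans

# Constructed policy: the management host may reach /admin/, everyone else is denied.
ADMIN_POLICY = [
    {"name": "admin-from-mgmt", "url": r"^/admin/",
     "source": "192.0.2.109", "action": "Pass"},
    {"name": "admin-from-anywhere", "url": r"^/admin/",
     "source": None, "action": "Alert & Deny"},
]
# Same rules in the wrong order: the broad deny rule now shadows the pass rule.
REVERSED_POLICY = list(reversed(ADMIN_POLICY))

if __name__ == "__main__":
    for label, policy in (("intended", ADMIN_POLICY), ("reversed", REVERSED_POLICY)):
        for ip in ("192.0.2.109", "203.0.113.7"):
            print(label, ip, evaluate(policy, ip, "/admin/users"))
```

In the reversed order the management host is denied as well, which is the lockout that rule priority in the policy list is meant to prevent.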
Name | Enter a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters. |
Host Status | Enable to require that the Host: field of the HTTP request match a protected host names entry in order to match the URL access rule. Also configure Host. |
Host | Select which protected host names entry (either a web host name or IP address) that the This option is available only if Host Status is enabled. |
Action | Select the action that FortiWeb takes when it detects a violation of the rule. Supported options vary (available options are listed in the description for each specific rule), but may include: The default value is Pass. Caution: This setting will be ignored if Monitor Mode is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see Logging and Alert email. |
Severity | When rule violations are recorded in the attack log, each log message contains a Severity Level ( The default value is Low. |
Trigger Action | Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages. |
ID | Type the index number of the individual rule within the URL access rule, or keep the field’s default value of auto to let the FortiWeb appliance automatically assign the next available index number. |
Source Address | Enable to add the client’s source IP address as a criterion for matching the URL access rule. Also configure Source Address Type and Source Domain. |
Source Address Type | Select how FortiWeb determines matching client source IPs: |
IPv4/IPv6 / IP Range | Enter one of the following values: Available only if Source Address Type is IPv4/IPv6 / IP Range. |
Type | Select the type of IP address FortiWeb retrieves from the DNS lookup of the domain specified by IP Resolved by Specified Domain. Available only if Source Address Type is IP Resolved by Specified Domain. |
IP Resolved by Specified Domain | Enter the domain to match the client source IP after DNS lookup. Available only if Source Address Type is IP Resolved by Specified Domain. |
Source Domain Type | Specify whether the Source Domain field contains a literal domain (Simple String) or a regular expression designed to match multiple URLs (Regular Expression). When you finish typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax. Available only if Source Address Type is Source Domain. |
Source Domain | Specify the domain to match. Depending on the value of Source Domain Type, enter one of the following: Available only if Source Address Type is Source Domain. |
URL Type | Select whether the URL Pattern field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression). |
URL Pattern | Depending on your selection in URL Type, enter either: For example, if the URL is: /send/index1.html
To match the exact, full URL when the name is between index1.html and index9.html: ^/send/index[0-9]\.html
To match the root path regardless: ^/send/.*
The pattern does not require a slash ( / ). However, it must at least match URLs that begin with a slash, such as When you finish typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax. Do not include the domain name, such as Most of the web protection modules, including URL Access, do not detect RPC traffic, so if you set a URL in the URL Access policy that matches RPC traffic, it will not take effect. If you want to restrict RPC traffic, use HTTP Protocol Constraints. |
URL Access Parameter | Select the parameter rule you have created in the URL Access Parameter tab. |
Use HTTP Method Check | Enable so that only the requests with the specified HTTP methods will match. |
Only Method | Select the HTTP methods to match. |
Use HTTP Protocol Check | Enable so that only the requests with the specified HTTP protocols will match. |
Only Protocol | Select the HTTP protocols to match. |
Meet this condition if: | Select whether the access condition is met when the HTTP request matches both the regular expression (or text string) and source IP address of the client, or when it does not match the regular expression (or text string) and/or source IP address of the client. |
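A way to check candidate URL Pattern regular expressions offline against paths that should and should not match, using the two patterns from the URL Pattern row. This is an added example, not Fortinet tooling: it uses Python's re.search as a stand-in for the appliance's matcher, the sample paths and the tightened pattern are constructed, and the Regular Expression Validator remains the authoritative check.

```python
import re

# Patterns quoted in the URL Pattern row of this page.
PAGE_PATTERNS = {
    "index1-9": r"^/send/index[0-9]\.html",
    "send-root": r"^/send/.*",
}
# Constructed alternative (not from the page): digit class narrowed, end anchored.
TIGHTENED = r"^/send/index[1-9]\.html$"

# Constructed request paths: what the rule is meant to cover, and near misses.
WANTED = ["/send/index1.html", "/send/index9.html"]
UNWANTED = [
    "/send/index0.html",
    "/send/index10.html",
    "/send/index1.html.bak",
    "/send/other/page.html",
    "/sendmail/index1.html",
    "/other/send/index1.html",
]

def matched_urls(pattern, urls=None):
    """Return the sample paths that the pattern matches (unanchored search)."""
    rx = re.compile(pattern)
    candidates = urls if urls is not None else WANTED + UNWANTED
    return [u for u in candidates if rx.search(u)]

def audit(pattern, must_match=WANTED, must_not_match=UNWANTED):
    """Return (missed, overmatched): gaps and unintended hits for a pattern."""
    rx = re.compile(pattern)
    missed = [u for u in must_match if not rx.search(u)]
    overmatched = [u for u in must_not_match if rx.search(u)]
    return missed, overmatched

if __name__ == "__main__":
    for name, pat in {**PAGE_PATTERNS, "tightened": TIGHTENED}.items():
        missed, over = audit(pat)
        print(f"{name:10} {pat:28} missed={missed} overmatched={over}")
```

Under search semantics the first page pattern also accepts index0.html and any path that merely begins with a matching name, so a rule meant for exactly index1.html through index9.html needs the narrower class and an end anchor.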