Configuring the global object allow list
Go to Server Objects > Global > Global Allow List, the Predefined Global Allow List tab displays a predefined list of common Internet entities, such as:
- the FortiWeb session cookie named
cookiesession1
- Google Analytics cookies such as
__utma
- the URL icon
/favicon.ico
- AJAX parameters such as
__LASTFOCUS
that your FortiWeb appliance can ignore when it enforces your policies. FortiGuard FortiWeb Security Service updates the predefined global allow list. However, you can also allowlist your own custom URLs, header field, cookies, and parameters on the Custom Global Allow List tab in Server Objects > Global > Global Allow List.
When enabled, allow-listed items will skip the subsequent scans after Global Object allow list (See the scan sequence of Global Object allow list in Sequence of scans) . This feature reduces false positives and improves performance. Global allow list applies to all server policies.
To include allow list items during policy enforcement, you must first disable them in the global allow list.
To disable an item in the predefined global allow list
- Go to Server Objects > Global > Global Allow List and select the Predefined Global allow list tab.
- To see the items that each section contains and to expose those items’ Enable check box, click the plus (+) and minus (-) icons.
- In the row of the item that you want to disable, click the edit icon, then select Disable.
- Click Apply.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
The default status of Let's Encrypt is Disable. If you are using Let's Encrypt to generate a certificate, it is recommended to enable this allow list, otherwise it may result in certificate retrieval failures if requests from Let's Encrypt are blocked. For more information about Let's Encrypt certificate, see Let's Encrypt certificates. |
To configure a custom global allow list
- Go to Server Objects > Global > Global Allow List and select the Custom Global allow list tab.
- Click Create New.
- From Type, select the part of the HTTP request where you want to allow list an object. Available configuration fields vary by the type that you choose.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
- If Type is URL:
- The literal URL, such as
/robots.txt
, that the HTTP request must contain in order to match the rule. The URL must begin with a backslash ( / ). - A regular expression, such as
^/*.html
, matching all and only the URLs to which the rule should apply. The pattern does not require a slash ( / ); however, it must at match URLs that begin with a slash, such as/index.html
.
Request Type | Indicate whether the Request URL field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression). |
Request URL |
Depending on your selection in the Request Type field, enter either: Do not include the domain name, such as To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax. |
-
If Type is Parameter:
Indicate whether the Name field will contain a literal parameter name (Simple String), or a regular expression designed to match all parameter names (Regular Expression). Name Enter one of the following:
-
The name of the parameter as it appears in the URL or HTTP body if Name Type is Simple String.
For example, if the URL ends with the parameter substring
?userName=rowan
, you would typeuserName.
- A regular expression that matches the name attribute of the parameter if Name Type is Regular Expression.
Note: FortiWeb does not support regular expressions that begin with an exclamation point ( ! ). For information on language and regular expression matching, see Regular expression syntax.
Request Status
Enable to apply this rule only to HTTP requests for specific URLs. Configure Request URL if it is enabled.
Indicate whether the Request URL field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression). Depending on your selection in the Request Type field, enter either:
- The literal URL, such as
/robots.txt
, that the HTTP request must contain in order to match the rule. The URL must begin with a backslash ( / ). - A regular expression, such as
^/*.html
, matching all and only the URLs to which the rule should apply. The pattern does not require a slash ( / ); however, it must match URLs that begin with a slash, such as/index.html
.
Do not include the domain name, such as
www.example.com
.To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.
Domain Status
Enable to apply this rule only to HTTP requests for specific domains.
If enabled, also configure Domain.
Indicate whether the Domain field will contain a literal domain/IP address (Simple String), or a regular expression designed to match multiple domains/IP addresses (Regular Expression).
Domain Depending on your selection in the Domain Type field, enter either:
- The literal domain, such as
/robots.com
, that the HTTP request must contain in order to match the rule. The domain must begin with a backslash ( / ). - A regular expression, such as
^/*.com
, matching all and only the domains to which the rule should apply. The pattern does not require a slash ( / ); however, it must match domains that begin with a slash, such as/robots.com
.
To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.
Caution: Do not allowlist untrusted subdomains that use vulnerable cookies. It could compromise the security of that domain and its network.
-
- If Type is Cookie:
Name | Type the name of the cookie as it appears in the HTTP request, such as NID . |
Domain |
Type the partial or complete domain name or IP address as it appears in the cookie, such as:
If clients sometimes access the host via IP address instead of DNS, create allow list objects for both. Caution: Do not allowlist untrusted subdomains that use vulnerable cookies. It could compromise the security of that domain and its network. |
Path | Type the path as it appears in the cookie, such as / or /blog/folder . |
- If Type is Header Field:
- The literal name, such as
Accept-Encoding
, that the HTTP request must contain in order to match the rule. - A regular expression, such as
*/*\r\n
, matching the names to which the rule should apply. .
Header Name Type | Indicate whether the Name field will contain a literal name (Simple String), or a regular expression designed to match multiple names (Regular Expression). |
Name |
Depending on your selection in the Header Name Type field, enter either: To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax. |
Value Status |
Enable to also check the value of the HTTP header. Only the HTTP headers which match both the name and the value will be allowlisted. |
Header Value Type |
Indicate whether the Name field will contain a literal name (Simple String), or a regular expression designed to match multiple names (Regular Expression). |
Value |
The value of the HTTP header. Depending on your selection in the Header Value Type field, enter either a literal value or a regular expression. |
To verify that an item is now allowlisted, use the parameter or URL to attempt to trigger an attack signature that would normally block it; the item should now be allowed.