CLI Reference

server-policy allow-hosts

Use this command to configure protected host groups.

A protected host group contains one or more IP addresses and/or fully qualified domain names (FQDNs). Each entry in the protected host group defines a virtual or real web host, identified by the Host: field in the HTTP header of requests from clients, that you want the FortiWeb appliance to protect.

For example, if your web servers receive requests with HTTP headers such as:

    GET /index.php HTTP/1.1
    Host: www.example.com

you might define a protected host group with an entry of www.example.com and select it in the policy. This would reject requests that are not for that host.

A protected host group is usually not the same as a physical server.

Unlike a physical server, which is a single IP at the network layer, a protected host group should contain all network IPs, virtual IPs, and domain names that clients use to access the web server at the application (HTTP) layer.

For example, clients often access a web server via a public network such as the Internet. Therefore the protected host group contains domain names, public IP addresses, and public virtual IPs on a network edge router or firewall that are routable from that public network. But the physical server is only the IP address that the FortiWeb appliance uses to forward traffic to the server and, therefore, is often a private network address (unless the FortiWeb appliance operates in Offline Protection or either of the transparent modes).

Protected host groups can be used by:

  • Policies
  • Input rules
  • Server protection exceptions
  • URL access rules
  • Allowed method exceptions
  • HTTP authentication rules
  • Hidden fields rules
  • Many others

Rules can use protected host definitions to apply only to requests for a protected host. If you do not specify a protected host group in the rule, the rule is applied based on its other criteria, such as the URL, regardless of the Host: field.

Policies can use protected host definitions to block connections that are not destined for a protected host. If you do not select a protected host group in a policy, connections are accepted or blocked regardless of the Host: field.

To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

    config server-policy allow-hosts
        edit "<protected-hosts_name>"
            set default-action {allow | deny | deny_no_log}
            config host-list
                edit <protected-host_index>
                    set action {allow | deny | deny_no_log}
                    set host {"<host_ipv4>" | "<host_fqdn>" | "<host_ipv6>"}
                    set ignore-port {enable | disable}
                    set include-subdomains {enable | disable}
                    set override-headers {enable | disable}
                next
            end
        next
    end

Variables

"<protected-hosts_name>"
    Enter the name of a new or existing group of protected hosts. The maximum length is 63 characters.
    To display the list of existing groups, enter:
        edit ?
    No default.

default-action {allow | deny | deny_no_log}
    Select whether to accept or deny HTTP requests whose Host: field does not match any of the host definitions that you add to this protected host group.
    Default: allow

<protected-host_index>
    Enter the index number of a protected host within its group. Each host-list can contain up to 64 IP addresses and/or fully qualified domain names (FQDNs).
    The valid range is 1–9,223,372,036,854,775,807.
    No default.

action {allow | deny | deny_no_log}
    Select whether to accept or deny HTTP requests whose Host: field matches the host definition in host {"<host_ipv4>" | "<host_fqdn>" | "<host_ipv6>"}.
    Default: allow

host {"<host_ipv4>" | "<host_fqdn>" | "<host_ipv6>"}
    Enter the IP address or FQDN of a virtual or real web host, as it appears in the Host: field of HTTP headers, such as www.example.com. The maximum length is 256 characters.
    If clients connect to your web servers through the IP address of a virtual server on the FortiWeb appliance, this should be the IP address of that virtual server or any domain name that resolves to it, not the actual IP address of the web server.
    For example, if a virtual server 192.0.2.1/24 forwards traffic to the physical server 192.0.2.155, for protected hosts you would enter:
      • 192.0.2.1, the address of the virtual server
      • www.example.com, the domain name that resolves to the virtual server
    No default.

ignore-port {enable | disable}
    Enable ignore-port so that FortiWeb ignores any port number that follows the host name and treats the host name as a match regardless of the port.
    For example, if you configure the host name as example.com and enable ignore-port, then example.com with any port number (for example, example.com:443 or example.com:80) is considered a match. Note that if the port number is outside the range 0 to 65535, or is a string rather than a number, FortiWeb identifies the request as abnormal and takes the Alert and Deny action.
    If you do not enable ignore-port but want to match specific ports such as example.com:443 and example.com:80, add a separate host entry for each: one for example.com:443 and one for example.com:80.
    Default: disable

include-subdomains {enable | disable}
    Enable include-subdomains so that subdomains of the host (for example, abc.myhost.com) are also protected.
    Default: disable

override-headers {enable | disable}
    Enable override-headers so that the host can still be identified even when the Host: header is overridden by one of the following headers:
      • X-Forwarded-Host
      • X-Host
      • X-Forwarded-Server
      • X-HTTP-Host-Override
      • Forwarded
    Default: disable

Example

This example configures a protected host group named example_com_hosts that contains a website’s domain names and its IP address, so that HTTP requests match regardless of which form they use to identify the host. Requests whose Host: field matches none of the entries are denied.

    config server-policy allow-hosts
        edit "example_com_hosts"
            set default-action deny
            config host-list
                edit 1
                    set host "example.com"
                next
                edit 2
                    set host "www.example.com"
                next
                edit 3
                    set host "10.0.0.1"
                next
            end
        next
    end
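The matching semantics described above for action, default-action, ignore-port, include-subdomains and override-headers, modelled as an added Python example that is not FortiWeb code: it evaluates a request's headers (a dict with lowercased header names) against a host-list and returns the resulting action. The HostEntry class, the helper names, the first-match ordering of entries and the treatment of an override header's value as an alternative Host: value are this example's own assumptions.

```python
from dataclasses import dataclass
OVERRIDE_HEADERS = ("x-forwarded-host", "x-host", "x-forwarded-server",
                    "x-http-host-override", "forwarded")   # from the page, lowercased

@dataclass
class HostEntry:                 # one `edit <protected-host_index>` entry
    host: str                    # value of `set host`, e.g. "example.com"
    action: str = "allow"        # allow | deny | deny_no_log
    ignore_port: bool = False
    include_subdomains: bool = False
    override_headers: bool = False

def split_host_port(value):      # "host[:port]" -> (host, port or None)
    value = value.strip().lower()
    if value.startswith("["):    # bracketed IPv6 literal; brackets are dropped
        host, _, port = value[1:].partition("]")
        return host, (port[1:] if port.startswith(":") else None)
    host, sep, port = value.rpartition(":")
    return (host, port) if sep else (value, None)

def host_from_forwarded(value):  # host= parameter of an RFC 7239 Forwarded header
    for part in value.replace(";", ",").split(","):
        key, _, val = part.strip().partition("=")
        if key.lower() == "host":
            return val.strip('"')
    return ""

def entry_matches(entry, header_value):  # True, False or "abnormal"
    host, port = split_host_port(header_value)
    if port is not None:
        if not entry.ignore_port:
            host = f"{host}:{port}"  # must match e.g. example.com:443 literally
        elif not port.isdigit() or int(port) > 65535:
            return "abnormal"        # non-numeric or outside 0-65535
    pattern = entry.host.lower()
    return host == pattern or entry.include_subdomains and host.endswith("." + pattern)

def evaluate(host_list, default_action, headers):  # first matching entry wins (assumption)
    for entry in host_list:
        candidates = [headers.get("host", "")]
        if entry.override_headers:   # also consider the override headers
            candidates += [host_from_forwarded(v) if h == "forwarded" else v
                           for h, v in headers.items() if h in OVERRIDE_HEADERS]
        for value in candidates:
            result = entry_matches(entry, value)
            if result == "abnormal":
                return "deny"        # the page's Alert and Deny action
            if result:
                return entry.action
    return default_action            # no entry matched: the group's default-action
```

Because ignore-port is per entry, a request for 10.0.0.1:8443 falls through to the group's default-action unless the 10.0.0.1 entry has ignore-port enabled or a separate 10.0.0.1:8443 entry exists, which is the behaviour the ignore-port description calls for.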
