Configuring a protection profile for inline topologies
Inline protection profiles combine previously configured rules, profiles, and policies into a comprehensive set that can be applied by a policy. Inline protection profiles contain only the features that are supported in inline topologies, which you use with operation modes Reverse Proxy, True Transparent Proxy, and WCCP.
When the operation mode is changed to Offline Protection or Transparent Inspection, the Inline Protection tab will be hidden.
Inline protection profiles include features that require an inline network topology. They can be configured at any time, but cannot be applied by a policy if the FortiWeb appliance is operating in a mode that does not support them. For details, see How operation mode affects server policy behavior. |
To configure an inline protection profile
- Before configuring an inline protection profile, first configure any of the following that you want to include in the profile:
- a client management policy (see Client management)
- a signature set (see Blocking known attacks )
- a HTTP protocol constraints profile (see HTTP/HTTPS protocol constraints)
- an
X-Forwarded-For:
or other X-header rule (see Defining your proxies, clients, & X-headers) - a cookie security policy (see Cookie security)
- a custom policy (see Custom Policy)
- an oracle padding protection rule (see Defeating cipher padding attacks on individually encrypted inputs)
- a cross-site request forgery (CSRF) protection rule (see Defeating cross-site request forgery (CSRF) attacks)
- an HTTP header security policy (see HTTP Security Headers)
- a Man in the Browser protection policy (see Protection against Man-in-the-Browser (MiTB) attacks)
- a URL encryption policy (see "URL encryption")
- a SQL/XSS syntax based detection policy (see Syntax-based SQL/XSS injection detection)
- a parameter validation policy (see Validating parameters (“input rules”))
- a hidden field protection rule (see Preventing tampering with hidden inputs)
- a file security policy (see Limiting file uploads)
- a web shell detection policy (see Web Shell Detection
- a WebSocket security policy (see WebSocket protocol)
- a URL access policy (see Restricting access based on specific URLs)
- an allowed method policy (see Specifying allowed HTTP methods)
- a CORS protection policy (see Cross-Origin Resource Sharing (CORS) protection)
- a bot mitigation policy (see Configuring bot mitigation policy)
- an XML protection policy (see Configuring XML protection)
- a JSON protection policy (see Configuring JSON protection)
- an OpenAPI validation policy (see OpenAPI Validation)
- an API gateway policy (see Configuring API gateway policy)
- a DoS protection policy (see Grouping DoS protection rules)
- a mobile API protection policy (see Configuring mobile API protection)
- a URL rewriting or redirection set (see Rewriting & redirecting)
- an authentication policy (see Offloading HTTP authentication & authorization)
- a site publishing policy (see Site Publishing (Single sign-on))
- a file compression rule (see Configuring compression offloading)
- an IP reputation policy (see "blocklisting source IPs with poor reputation" on page 1)
- an IP list policy (see "blocklisting & allowlisting clients using a source IP or source IP range" on page 1)
- a Geo IP policy (see "blocklisting & allowlisting countries & regions" on page 1)
- a user tracking policy (see Tracking)
- a trigger if you plan to use policy-wide log and alert settings (see Viewing log messages)
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
Alternatively, click the Clone icon to copy an existing profile as the basis for a new one. The predefined profiles supplied with your FortiWeb appliance cannot be edited, only viewed or cloned.
Name | Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters. |
Client Management | Enable to track a client by the inserted cookie, or source IP when cookie is prohibited. |
Threat Score Profile | Select the Threat Score Profile so that FortiWeb can take action on IPs or clients when their threat score accumulates to a certain value. If you leave it blank, the system will use the Global Configuration in Client Management. This option is available only when Client Management is enabled. |
Signatures | Select the name of the signature set you have configured in Web Protection > Known Attacks, if any, that will be applied to matching requests. To enable signature detection for API applications (XML, JSON, File Security, GraphQL, gRPC and WebSocket) make sure to enable signature detection in the relevant API Protection policy. Attack log messages for this feature vary by which type of attack was detected. For a list, see Blocking known attacks . |
HTTP Protocol Constraints | Select the name of an HTTP parameter constraint, if any, that will be applied to matching requests. For details, see HTTP/HTTPS protocol constraints. Attack log messages for this feature vary by which type of constraint was violated. |
X-Forwarded-For | Select the Note: Configuring this option is required if the true IP address of the client is hidden from FortiWeb because a load balancer or other web proxy is deployed in front. In that case, you must configure an X-header rule so that FortiWeb will block only requests related to the original client. Otherwise, it may block all requests whenever any attack occurs, since all requests will appear to originate from the proxy’s IP. |
Cookie Security Policy | Select the name of a cookie security policy to apply to matching requests. For details, see Cookie security. If the Security Mode option in the policy is Signed, ensure that Configuring a protection profile for inline topologies is On. |
Custom Policy | Select the name of a combination source IP, rate limit, HTTP header, and URL access policy, if any, that will be applied to matching requests. For details, see Custom Policy. Attack log messages contain |
Padding Oracle Protection | Select the name of padding oracle protection rule, if any, that will be applied to matching requests. For details, see Defeating cipher padding attacks on individually encrypted inputs. Attack log messages contain |
CSRF Protection | Select the name of cross-site request forgery protection rule, if any, to apply to matching requests. For details, see Defeating cross-site request forgery (CSRF) attacks. |
HTTP Header Security | Select the name of HTTP header security policy, if any, to apply to matching responses. For details, see HTTP Security Headers. |
Man in the Browser Protection | Select the name of an MiTB protection rule, if any, that will be applied to matching requests. For details, see Protection against Man-in-the-Browser (MiTB) attacks. |
URL Encryption Policy | Select the name of a URL encryption policy if any, that will be applied to matching requests. For details, see URL encryption. |
SQL/XSS Syntax Based Detection | Select the name of a SQL/XSS syntax based detection policy if any, that will be applied to matching requests. For details, see Syntax-based SQL/XSS injection detection. |
Link cloaking | Select the name of a SQL/XSS syntax based detection policy if any, that will be applied to matching requests. For details, see Link cloaking. |
Data Loss Prevention | Select the name of a SQL/XSS syntax based detection policy if any, that will be applied to matching requests. For details, see Data Loss Prevention. |
Parameter Validation | Select the name of the parameter validation rule, if any, that will be applied to matching requests. For details, see Validating parameters (“input rules”). Attack log messages contain |
Hidden Fields Protection | Select the name of the hidden fields protection rule, if any, to use to protect hidden fields on your website. For details, see Preventing tampering with hidden inputs. Attack log messages contain This option appears only when Client Management is enabled. |
File Security | Select an existing file security policy, if any, that will be applied to matching HTTP requests. For details, see Limiting file uploads. Attack log messages contain |
Enable AMF3 Protocol Detection | Enable to scan requests that use action message format 3.0 (AMF3) for:
and other attack signatures that you have enabled in Signatures. AMF3 is a binary format that can be used by Adobe Flash/Flex clients to send input to server-side software. Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will cause the FortiWeb appliance to be unable to scan AMF3 requests for attacks. |
WebSocket Security | Select the name of a WebSocket security rule, if any, that will be applied to matching requests. For details, see WebSocket protocol. |
gRPC Security | Select the name of a gRPC security rule, if any, that will be applied to matching requests. For details, see gRPC protocol. |
URL Access | Select the name of the URL access policy, if any, that will be applied to matching HTTP requests. For details, see Restricting access based on specific URLs. Attack log messages contain |
Allow Method | Select an existing allow method policy, if any, that will be applied to matching HTTP requests. For details, see Specifying allowed HTTP methods. Attack log messages contain |
CORS Protection | Select the name of an existing CORS Protection policy. For details, see Cross-Origin Resource Sharing (CORS) protection. |
Bot Mitigation Policy | Select the name of an existing bot mitigation policy. For details, see Configuring bot mitigation policy. |
XML Protection | Select the name of an existing XML protection policy. For details, see Configuring XML protection. |
JSON Protection | Select the name of an existing JSON protection policy. For details, see Configuring JSON protection. |
OpenAPI Protection | Select the name of an existing OpenAPI protection policy. For details, see OpenAPI Validation. |
GraphQL protection | Select the name of an existing OpenAPI protection policy. For details, see Configuring GraphQL protection. |
API Gateway | Select the name of an existing API gateway policy. For details, see Configuring API gateway policy. |
DoS Protection Policy | Select the name of an existing DoS prevention policy. For details, see Grouping DoS protection rules. |
Enable to configure the JWT token secret and token header to verify a request from a mobile application. Refer to Approov doc for how to get the token. Note: You need to enable Mobile Application Identification first from System > Config > Feature Visibility. | |
Token Secret | Enter the token secret that you have got from Approov. Available only when Mobile Application Identification is enabled. |
Token Header | Specify the header where the token is carried. Available only when Mobile Application Identification is enabled. |
Mobile API Protection | Select the name of an existing API protection policy. For details, see Configuring mobile API protection. |
URL Rewriting | Select the name of a URL rewriting rule set, if any, that will be applied to matching requests. For details, see Rewriting & redirecting. |
HTTP Authentication | Select the name of an authorization policy, if any, that will be applied to matching requests. For details, see Offloading HTTP authentication & authorization. If the client fails to authenticate, it will receive an HTTP |
Site Publish | Select the name of a site publishing policy, if any, that will be applied to matching requests. For details, see Site Publishing (Single sign-on). |
File Compress | Select the name of an compression policy, if any, that will be applied to matching requests. For details, see Configuring compression offloading. |
Waiting Room | Select the name of a Waiting Room policy, if any, that will be applied to matching requests. For details, see Waiting room. |
IP Reputation | Enable to apply IP reputation intelligence. For details, see "blocklisting source IPs with poor reputation" on page 1. |
FortiGate Quarantined IPs | Enable to detect source IP addresses that a FortiGate unit is currently preventing from interacting with the network and protected systems. Then, select the action that FortiWeb takes if it detects a quarantined IP address:
Note: If FortiWeb is deployed behind a NAT load balancer and this option is enabled, to prevent FortiWeb from blocking all connections when it detects a violation of this type, define an X-header that indicates the original client’s IP. For details, see Defining your proxies, clients, & X-headers. In addition, select a severity level and trigger policy. For information on configuring communication with the FortiGate that provides the list of quarantined IP addresses, see Receiving quarantined source IP addresses from FortiGate. |
IP List | Select the name of a client allow list or block list, if any, that will be applied to matching requests. For details, see "blocklisting & allowlisting clients using a source IP or source IP range" on page 1. |
Geo IP | Select the name of a geographically-based client block list, if any, that will be applied to matching requests. For details, see "blocklisting & allowlisting countries & regions" on page 1. |
User Tracking | Select the name of a user tracking policy, if any, to use for matching requests. For details, see Tracking. |
Redirect URL | Type a URL including the FQDN/IP and path, if any, to which a client will be redirected if:
For example, you could enter:
If you do not enter a URL, depending on the type of violation and the configuration, the FortiWeb appliance will log the violation, may attempt to remove the offending parts, and could either reset the connection or return an HTTP |
Redirect URL With Reason | Enable to include the reason for redirection as a parameter in the URL, such as By default, this option is disabled. Caution: If the FortiWeb appliance is protecting a redirect URL, enable this option to prevent infinite redirect loops. |
To view or modify a component without leaving the page, next to the drop-down menu where you have selected the component, click Detail.