
Administration Guide

Configuring a protection profile for inline topologies

Inline protection profiles combine previously configured rules, profiles, and policies into a comprehensive set that can be applied by a policy. Inline protection profiles contain only the features that are supported in inline topologies, which you use with operation modes Reverse Proxy, True Transparent Proxy, and WCCP.

When the operation mode is changed to Offline Protection or Transparent Inspection, the Inline Protection tab will be hidden.

Inline protection profiles include features that require an inline network topology. They can be configured at any time, but cannot be applied by a policy if the FortiWeb appliance is operating in a mode that does not support them. For details, see How operation mode affects server policy behavior.
To configure an inline protection profile
  1. Before configuring an inline protection profile, first configure any of the rules, policies, and profiles that you want to include in it (each is listed among the settings in step 4).
  2. Go to Policy > Web Protection Profile and select the Inline Protection Profile tab.
     To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. Click Create New.
     Alternatively, click the Clone icon to copy an existing profile as the basis for a new one. The predefined profiles supplied with your FortiWeb appliance cannot be edited, only viewed or cloned.
  4. Configure these Inline Protection Profile settings:

    Setting

    Description

    Name

    Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

    Standard Protection
    Signatures

    Select the name of the signature set you have configured in Web Protection > Known Attacks, if any, that will be applied to matching requests.

    To enable signature detection for API applications (XML, JSON, File Security, GraphQL, gRPC and WebSocket) make sure to enable signature detection in the relevant API Protection policy.

    Attack log messages for this feature vary by which type of attack was detected. For a list, see Known Attacks.

    HTTP Protocol Constraints

    Select the name of an HTTP parameter constraint, if any, that will be applied to matching requests. For details, see HTTP/HTTPS protocol constraints.

    Attack log messages for this feature vary by which type of constraint was violated.

    X-Forwarded-For

    Select the X-Forwarded-For: and X-Real-IP: HTTP header settings to use, if any. For details, see Defining your proxies, clients, & X-headers.

    Note: Configuring this option is required if the true IP address of the client is hidden from FortiWeb because a load balancer or other web proxy is deployed in front. In that case, you must configure an X-header rule so that FortiWeb will block only requests related to the original client. Otherwise, it may block all requests whenever any attack occurs, since all requests will appear to originate from the proxy’s IP.

    Client Side Security
    Client Management

    Enable to track a client by the cookie FortiWeb inserts, or by source IP address when cookies are prohibited.
    For details, see Client management.

    Client-Side Protection

    This field appears only when a valid Client-Side Protection license is present.

    Select the name of a Client-Side Protection policy. For details, see Client-Side Protection.

    Note: To activate this policy, both an HTTP Header Security policy and a Subresource Integrity Policy must also be configured in the same Web Protection Profile.

    HTTP Header Security

    Select the name of an HTTP Header Security policy, if any, to apply to matching responses.

    For details, see HTTP Security Headers.

    CORS Protection

    Select the name of an existing CORS Protection policy. For details, see Cross-Origin Resource Sharing (CORS) protection.

    Subresource Integrity Policy

    Select the name of an SRI policy to enforce integrity on external resources. For details, see Subresource Integrity (SRI) Check.

    Man in the Browser Protection

    Select the name of an MiTB protection rule, if any, that will be applied to matching requests. For details, see Man in the Browser (MitB) Protection.

    Cookie Security Policy

    Select the name of a cookie security policy to apply to matching requests. For details, see Cookie Security.

    If the Security Mode option in the policy is Signed, ensure that Configuring a protection profile for inline topologies is On.

    Advanced Protection

    Custom Policy

    Select the name of a combination source IP, rate limit, HTTP header, and URL access policy, if any, that will be applied to matching requests. For details, see Custom Policy.

    Attack log messages contain Custom Access Violation when this feature detects a violation.

    CSRF Protection

    Select the name of a cross-site request forgery protection rule, if any, to apply to matching requests. For details, see Defeating cross-site request forgery (CSRF) attacks.

    Available only when Client Management is selected.

    URL Encryption Policy

    Select the name of a URL encryption policy, if any, that will be applied to matching requests. For details, see URL encryption.

    Link Cloaking Policy

    Select the name of a Link Cloaking policy, if any, that will be applied to matching requests. For details, see Link cloaking.

    Syntax Based Detection

    Select the name of a SQL/XSS syntax based detection policy, if any, that will be applied to matching requests. For details, see Syntax Based Detection.

    Data Loss Prevention

    Data Loss Prevention

    Select the name of a Data Loss Prevention policy, if any, that will be applied to matching requests. For details, see Data Loss Prevention.

    Input Validation

    Parameter Validation

    Select the name of the parameter validation rule, if any, that will be applied to matching requests. For details, see Validating parameters (“input rules”).

    Attack log messages contain Parameter Validation Violation when this feature detects a parameter rule violation.

    Hidden Fields Protection

    Select the name of the hidden fields protection rule, if any, to use to protect hidden fields on your website. For details, see Preventing tampering with hidden inputs.

    Attack log messages contain Hidden Field Manipulation when this feature detects tampering.

    This option appears only when Client Management is enabled.

    File Security

    Select an existing file security policy, if any, that will be applied to matching HTTP requests. For details, see Limiting file uploads.

    Attack log messages contain Illegal File Size when this feature detects an excessively large upload.

    Web Shell Detection

    Select the name of a Web Shell Detection policy, if any, that will be applied to matching requests. For details, see Web Shell Detection.

    File List

    Select a File List configuration, if any, that will be applied to matching requests for Data Loss Prevention, File Security, and Web Shell Detection. For details, see Configuring a File List Policy.

    Protocol

    WebSocket Security

    Select the name of a WebSocket Security rule, if any, that will be applied to matching requests. For details, see WebSocket protocol.

    gRPC Security

    Select the name of a gRPC security rule, if any, that will be applied to matching requests. For details, see gRPC protocol.

    Access

    URL Access

    Select the name of the URL access policy, if any, that will be applied to matching HTTP requests. For details, see Restricting access based on specific URLs.

    Attack log messages contain URL Access Violation when this feature detects a URL matched by this policy.

    Allow Method

    Select an existing allow method policy, if any, that will be applied to matching HTTP requests. For details, see Specifying allowed HTTP methods.

    Attack log messages contain HTTP Method Violation when this feature detects a non-allowed HTTP request method.

    Bot Mitigation

    Bot Mitigation Policy

    Select the name of an existing Bot Mitigation policy. For details, see Configuring bot mitigation policy.

    API Protection

    XML Protection

    Select the name of an existing XML protection policy. For details, see Configuring XML protection.

    JSON Protection

    Select the name of an existing JSON protection policy. For details, see Configuring JSON protection.

    GraphQL protection

    Select the name of an existing GraphQL protection policy. For details, see Configuring GraphQL protection.

    OpenAPI Protection

    Select the name of an existing OpenAPI protection policy. For details, see OpenAPI Validation.

    Mobile API Protection

    Select the name of an existing Mobile API Protection policy. For details, see Configuring mobile API protection.

    Mobile Application Identification

    Select the JWT verification method FortiWeb uses to authenticate mobile application requests. This setting determines how FortiWeb validates the authenticity of JWTs (JSON Web Tokens) provided by mobile clients, typically in the HTTP request headers.

    Available options:

    • jwt-token-secret: Verifies the token signature using a symmetric key (HMAC). You must specify a shared secret (JWT Secret) known to both the token issuer and FortiWeb.

    • jwt-public-key: Verifies the token signature using an RSA public key. You must provide the public key in PEM format (JWT Public Key) for asymmetric verification.

    • jwks-endpoint: Retrieves public keys dynamically from a remote JWKS (JSON Web Key Set) endpoint. You must configure the URI (JWKS Endpoint) pointing to the JWKS source. FortiWeb will periodically cache and refresh these keys for validation.

    For all methods, you must also specify the Token Header, which indicates the HTTP header field (default: Jwt-Token) from which FortiWeb extracts the JWT for verification.

    This setting is essential for enabling secure, token-based client identification in mobile API workflows.

    DoS Protection

    DoS Protection Policy

    Select the name of an existing DoS prevention policy. For details, see Grouping DoS protection rules.

    Application Delivery

    URL Rewriting

    Select the name of a URL rewriting rule set, if any, that will be applied to matching requests.

    For details, see Rewriting & redirecting.

    Site Publish

    Select the name of a site publishing policy, if any, that will be applied to matching requests. For details, see Site Publishing (Single sign-on).

    File Compress

    Select the name of a compression policy, if any, that will be applied to matching requests. For details, see Configuring compression offloading.

    Waiting Room

    Select the name of a Waiting Room policy, if any, that will be applied to matching requests. For details, see Waiting room.

    IP Protection

    IP Reputation

    Enable to apply IP reputation intelligence. For details, see IP Protection.

    FortiGate Quarantined IPs

    Enable to detect source IP addresses that a FortiGate unit is currently preventing from interacting with the network and protected systems. Then, select the action that FortiWeb takes if it detects a quarantined IP address:

    • Alert—Accept the request and generate an alert email, log message, or both.
    • Alert & Deny—Block the request and generate an alert, log message, or both.
    • Deny (no log)—Block the request (or reset the connection).

    Note: If FortiWeb is deployed behind a NAT load balancer and this option is enabled, to prevent FortiWeb from blocking all connections when it detects a violation of this type, define an X-header that indicates the original client’s IP. For details, see Defining your proxies, clients, & X-headers.

    In addition, select a severity level and trigger policy.

    For information on configuring communication with the FortiGate that provides the list of quarantined IP addresses, see Receiving quarantined source IP addresses from FortiGate.

    IP List

    Select the name of a client allow list or block list, if any, that will be applied to matching requests. For details, see IP Protection.

    Geo IP

    Select the name of a geographically-based client block list, if any, that will be applied to matching requests. For details, see IP Protection.

    Tracking

    User Tracking

    Select the name of a user tracking policy, if any, to use for matching requests. For details, see Tracking.

    Redirect

    Redirect URL

    Type a URL including the FQDN/IP and path, if any, to which a client will be redirected if:

    • Its request violates any of the rules in this profile, and
    • The Action for the rule is set to Redirect.

    For example, you could enter:

    www.example.com/products/

    If you do not enter a URL, depending on the type of violation and the configuration, the FortiWeb appliance will log the violation, may attempt to remove the offending parts, and could either reset the connection or return an HTTP 403 Access Forbidden or 404 File Not Found error message.

    Redirect URL With Reason

    Enable to include the reason for redirection as a parameter in the URL, such as reason747sha=Parameter%20Validation%20Violation, when traffic has been redirected using Redirect URL. The FortiWeb appliance also adds redirect491=1 to the URL to detect and cancel a redirect loop (if the redirect action would otherwise recursively trigger an attack event). FortiWeb strips these two parameters before it forwards the processed traffic to the back-end servers.

    By default, this option is disabled.

    Caution: If the FortiWeb appliance is protecting a redirect URL, enable this option to prevent infinite redirect loops.

    Comments

    Optional text describing the purpose or notes for this profile.
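The X-Forwarded-For note above says that without an X-header rule a block action lands on the proxy's address and therefore on every client behind it. The following Python, an added illustration that is not FortiWeb code, shows the attribution logic such a rule performs: the chain is walked from the nearest proxy back towards the client, hops belonging to trusted proxies are skipped, and the first untrusted hop is the client. The addresses, the trusted network and the three sample requests are constructed for this example; with an empty trusted-proxy list every request collapses to the load balancer's address, which is the failure mode the note describes.

```python
# Added example (not FortiWeb code): attributing a request to a client when a
# load balancer or proxy sits in front of the WAF.  The WAF only sees the
# proxy as its TCP peer; the real client is recoverable only from
# X-Forwarded-For, and only the hops appended by proxies you trust can be
# believed, because the client controls the leftmost part of that header.
# All addresses and requests below are constructed for illustration.
import ipaddress


def _is_trusted(addr, trusted_nets):
    """True if addr parses as an IP address inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def client_ip(remote_addr, xff_header, trusted_proxies):
    """Return the address a block action should apply to.

    Walk X-Forwarded-For from right (nearest proxy) to left (client), skipping
    every hop that belongs to a trusted proxy; the first untrusted hop is the
    client.  If remote_addr itself is not a trusted proxy the header is ignored,
    so a directly connected client cannot spoof another address.
    """
    trusted_nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    if not _is_trusted(remote_addr, trusted_nets):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted_nets):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # unparsable hop: fall back to the peer address
        return hop
    return remote_addr  # every hop was a trusted proxy; nothing left to attribute


# Constructed traffic: two clients behind one load balancer (10.0.0.2).  The
# third request carries a forged leftmost entry that must not be honoured.
SAMPLE_REQUESTS = [
    {"remote_addr": "10.0.0.2", "xff": "203.0.113.5"},
    {"remote_addr": "10.0.0.2", "xff": "198.51.100.7"},
    {"remote_addr": "10.0.0.2", "xff": "1.2.3.4, 203.0.113.5"},
]


def attributed_clients(requests, trusted_proxies):
    """Distinct client addresses that a block action would apply to."""
    return {client_ip(r["remote_addr"], r["xff"], trusted_proxies) for r in requests}


if __name__ == "__main__":
    # Load balancer declared as a trusted proxy: the two clients are distinguishable.
    print(attributed_clients(SAMPLE_REQUESTS, ["10.0.0.0/8"]))
    # No X-header rule: everything is attributed to 10.0.0.2, so one attack blocks everyone.
    print(attributed_clients(SAMPLE_REQUESTS, []))
```

The right-to-left walk is the part worth copying: trusting the leftmost entry would let any client choose the address that gets blocked or allowed.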
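The Mobile Application Identification setting describes three ways of verifying the JWT taken from the Token Header. The following Python, an added example that is not FortiWeb's code, shows the verification path a gateway runs for the jwt-token-secret (shared HMAC secret) and jwks-endpoint (keys looked up by kid from a cached key set) methods, including the checks a verifier must not skip: the configured header is absent, the token is malformed, the algorithm is not the one configured (so alg "none" is rejected), the kid is unknown, the signature does not match, or the token has expired. It uses only the standard library, so the JWKS keys are symmetric "oct" keys and the RSA path of jwt-public-key is not implemented; that path would differ only in the signature check. The secret, key material, kid value, claims and the fetch_jwks function standing in for an HTTPS fetch are all constructed for this example.

```python
# Added example (not FortiWeb code): verifying a JWT pulled from a
# configurable request header with either a shared HMAC secret or a cached
# JWKS document.  Standard library only: HS256 is the only algorithm here.
# Every key, kid, claim and header value below is constructed for illustration.
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256(claims, key, kid=None):
    """Issuer side: create a signed HS256 token (used only to build sample input)."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


# Constructed key material; JWKS_DOC stands in for the document served by the endpoint.
SECRET = b"constructed-shared-secret"
JWKS_KEY = b"constructed-jwks-key-material"
JWKS_DOC = {"keys": [{"kty": "oct", "kid": "mobile-2024", "k": b64url_encode(JWKS_KEY)}]}


def fetch_jwks():
    """Stand-in for fetching the JWKS endpoint over HTTPS."""
    return JWKS_DOC


class JwksCache:
    """Mimics the jwks-endpoint method: keys are fetched, cached, and refreshed
    after ttl seconds or when an unknown kid is seen (key rotation)."""

    def __init__(self, fetch, ttl=300):
        self.fetch, self.ttl, self.keys, self.fetched_at = fetch, ttl, {}, 0.0

    def key_for(self, kid, now=None):
        now = time.time() if now is None else now
        if now - self.fetched_at > self.ttl or kid not in self.keys:
            doc = self.fetch()
            self.keys = {k["kid"]: b64url_decode(k["k"])
                         for k in doc.get("keys", []) if k.get("kty") == "oct" and "kid" in k}
            self.fetched_at = now
        return self.keys.get(kid)


def _header(headers, name):
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def verify_request(headers, token_header="Jwt-Token", secret=None, jwks=None, now=None):
    """Return (True, claims) on success or (False, reason) on failure."""
    now = time.time() if now is None else now
    token = _header(headers, token_header)
    if not token:
        return False, "missing token header"
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # covers bad split, bad base64 and bad JSON
        return False, "malformed token"
    if header.get("alg") != "HS256":  # never honour "none" or an algorithm you did not configure
        return False, "unsupported alg"
    if secret is not None:
        key = secret
    elif jwks is not None:
        key = jwks.key_for(header.get("kid"), now)
        if key is None:
            return False, "unknown kid"
    else:
        return False, "no verification key configured"
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if "exp" in claims and claims["exp"] <= now:
        return False, "expired"
    return True, claims
```

Pinning the algorithm to the configured method, rather than reading it from the token, is what keeps a verifier from accepting an unsigned token; the constant-time comparison and the expiry check are the other two checks a token-based client identification step depends on.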
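The Redirect URL and Redirect URL With Reason settings describe a small protocol: append the reason and a loop marker to the redirect target, recognise the marker when the redirected request comes back through the appliance, and strip both parameters before the request reaches the back end. The Python below, an added example and not FortiWeb code, carries that protocol through using the parameter names given on this page (reason747sha and redirect491); the redirect URL, reason text and sample request URLs are taken from or constructed for this example, the URL is used exactly as typed (no scheme is added), and handle_violation is a hypothetical decision function that shows why the Caution applies: with the option off, a protected redirect target is redirected to itself without end.

```python
# Added example (not FortiWeb code): building the reason-bearing redirect,
# detecting the redirect-loop marker, and stripping both parameters before
# forwarding.  Parameter names are the ones documented for this setting;
# the URLs and reason text are sample values for illustration.
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

REASON_PARAM = "reason747sha"
LOOP_PARAM = "redirect491"


def build_redirect(redirect_url, reason, with_reason=True):
    """Location the client is sent to; the marker parameters are added only
    when Redirect URL With Reason is enabled.  quote (not quote_plus) gives
    the %20 encoding shown in the documentation."""
    if not with_reason:
        return redirect_url
    parts = urlsplit(redirect_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [(REASON_PARAM, reason), (LOOP_PARAM, "1")]
    return urlunsplit(parts._replace(query=urlencode(query, quote_via=quote)))


def is_redirect_loop(request_url):
    """True if this request is itself the result of an earlier redirect."""
    query = dict(parse_qsl(urlsplit(request_url).query, keep_blank_values=True))
    return query.get(LOOP_PARAM) == "1"


def strip_markers(request_url):
    """URL as forwarded to the back-end server: both markers removed, other parameters kept."""
    parts = urlsplit(request_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in (REASON_PARAM, LOOP_PARAM)]
    return urlunsplit(parts._replace(query=urlencode(query, quote_via=quote)))


def handle_violation(request_url, redirect_url, reason, with_reason):
    """Hypothetical decision for a rule whose Action is Redirect.

    Returns ("block", None) when the redirect target itself produced the
    violation and the loop marker is present, otherwise ("redirect", location).
    With with_reason=False there is no marker to detect, so a protected
    redirect target keeps being redirected to itself.
    """
    if with_reason and is_redirect_loop(request_url):
        return "block", None
    return "redirect", build_redirect(redirect_url, reason, with_reason)


if __name__ == "__main__":
    location = build_redirect("www.example.com/products/", "Parameter Validation Violation")
    print(location)
    print(strip_markers(location))
    print(handle_violation(location, "www.example.com/products/", "Parameter Validation Violation", True))
```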

  5. To view or modify a component without leaving the page, next to the drop-down menu where you have selected the component, click Detail.
  6. Click OK.
  7. To apply the inline protection profile, select it in a server policy. For details, see Configuring an HTTP server policy.