Fortinet 172 FortiWeb 5.0 Patch 6 Administration Guide
Web applications’ administrative URLs often should not be accessible by clients on the
Internet, and therefore any request for those URLs from source IP addresses on the Internet
may represent an attempt to scout your web servers in advance of an attack. (Exceptions
include hosting providers, whose clients may span the globe and often configure their own web
applications.) Administrative requests from the Internet are therefore suspicious: the host may
have been compromised by a rootkit, or its administrative login credentials may have been
stolen via spyware, phishing, or social engineering.
FortiWeb appliances can compare each request URL with regular expressions that define
known administrative URLs, and log and/or block these requests.
Regular expressions for suspicious requests by URL are categorized as:
Predefined — Regular expressions included with the firmware. These match common
administrative URLs, and URLs for back-end data such as caches. They cannot be modified
except via FortiGuard updates, but can be copied and used as the basis for custom
definitions of sensitive URLs.
Custom — A regular expression that you have configured to detect any suspicious access
attempts by URL that cannot be recognized by the predefined set. Can be modified.
Both types can be grouped into a set that can be used in auto-learning profiles.
See also
How often does Fortinet provide FortiGuard updates for FortiWeb?
Predefined suspicious request URLs
Predefined regular expressions can be used by auto-learning to detect requests that are
suspicious because they are for a URL that provides administrative access to the web server,
servlet, or web application, such as:
/admin.php
/conf/Catalina/localhost/admin.xml
or access to its back-end cache, data files, or Berkeley databases, such as:
/local/notesdata
Normally, requests for these URLs should only originate from a trusted network such as your
management computers, not from the Internet. (Exceptions include hosting providers, whose
clients around the globe configure their own web applications.) Therefore these requests are a
good candidate for URL access control rules.
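The following Python script is an added illustration of the matching described above (a request URL compared against predefined and custom regular expressions, then logged or blocked unless it comes from a trusted management network). It is not FortiWeb code and does not reproduce FortiGuard's signature set: the pattern list, the custom "inhouse-console" definition, the 10.0.5.0/24 management network, and the sample requests are all constructed for the example, and decoding percent-encoding before matching is this example's own choice rather than a description of how the appliance normalizes URLs.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample definitions. They follow the two categories the guide
# describes (predefined vs. custom) but are NOT FortiWeb's actual signatures.
PREDEFINED_PATTERNS: Dict[str, str] = {
    "admin-php": r"^/admin\.php$",
    "tomcat-admin-xml": r"^/conf/Catalina/localhost/admin\.xml$",
    "notes-data": r"^/local/notesdata(?:/|$)",
}
# A hypothetical custom definition an administrator might add for an in-house console.
CUSTOM_PATTERNS: Dict[str, str] = {
    "inhouse-console": r"^/ops-console(?:/|$)",
}

# Management network from which administrative requests are expected (constructed value).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]


@dataclass
class Verdict:
    source_ip: str
    url: str
    matched: Optional[str]  # name of the matching definition, or None
    action: str             # "allow", "log" or "block"


def compile_patterns(predefined: Dict[str, str],
                     custom: Dict[str, str]) -> List[Tuple[str, re.Pattern]]:
    """Compile both categories into one ordered list, predefined first."""
    compiled = []
    for name, expr in list(predefined.items()) + list(custom.items()):
        compiled.append((name, re.compile(expr)))
    return compiled


COMPILED = compile_patterns(PREDEFINED_PATTERNS, CUSTOM_PATTERNS)


def normalize_path(url: str) -> str:
    """Strip the query string and decode percent-encoding so that
    /admin%2Ephp?debug=1 is compared as /admin.php (example's own choice)."""
    path = url.split("?", 1)[0]
    return unquote(path)


def is_trusted(source_ip: str) -> bool:
    """True when the client address lies inside the management network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify(source_ip: str, url: str, compiled=COMPILED, block: bool = True) -> Verdict:
    """Verdict for one request: administrative URLs from the trusted network are
    allowed; the same URLs from anywhere else are logged, or blocked when block=True."""
    path = normalize_path(url)
    for name, rx in compiled:
        if rx.search(path):
            if is_trusted(source_ip):
                return Verdict(source_ip, url, name, "allow")
            return Verdict(source_ip, url, name, "block" if block else "log")
    return Verdict(source_ip, url, None, "allow")


def review_requests(requests, compiled=COMPILED, block: bool = True) -> List[Verdict]:
    """Run classify() over (source_ip, url) pairs and keep only the non-allowed ones."""
    verdicts = (classify(ip, u, compiled, block) for ip, u in requests)
    return [v for v in verdicts if v.action != "allow"]


# Constructed sample traffic: two management-network requests and three from the Internet.
SAMPLE_REQUESTS = [
    ("10.0.5.20", "/admin.php"),
    ("10.0.5.21", "/conf/Catalina/localhost/admin.xml"),
    ("203.0.113.7", "/admin%2Ephp?debug=1"),
    ("203.0.113.7", "/index.html"),
    ("198.51.100.9", "/ops-console/login"),
]

if __name__ == "__main__":
    for v in review_requests(SAMPLE_REQUESTS):
        print(f"{v.action.upper():5} {v.source_ip:14} {v.url}  ({v.matched})")
```

Running the script flags only the two Internet-sourced administrative requests; the same URLs from 10.0.5.0/24 pass, which is the behaviour the paragraph above describes for a trusted management network. Setting block=False turns the block verdicts into log-only ones, the monitoring mode you would use while confirming that a new custom definition does not catch legitimate traffic.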
Many signatures exist for popular web servers and applications such as Apache, nginx, IIS,
Tomcat, and Subversion. Known suspicious request URLs can be updated. See “Connecting to
FortiGuard services” on page 134.
To access this part of the web UI, your administrator’s account access profile must have Read
and Write permission to items in the Server Policy Configuration category. For details, see
“Permissions” on page 47.