Fortinet 191 FortiWeb 5.0 Patch 6 Administration Guide
6. From each drop-down list in the Action column, select one of the following options:
•Alert — Accept the request and generate an alert email and/or log message.
•Alert & Deny — Block the request (or reset the connection) and generate an alert email
and/or log message.
You can customize the web page that will be returned to the client with the HTTP status
code. See “Uploading a custom error page” on page 467 or Error Message.
•Send 403 Forbidden — Reply to the client with an HTTP 403 Forbidden error message
and generate an alert and/or log message.
•Redirect — Redirect the request to the URL that you specify in the protection profile and
generate an alert email and/or log message. Also configure Redirect URL and Redirect
URL With Reason.
•Period Block — Block subsequent requests from the client for a number of seconds. Also
configure Block Period. See also “Monitoring currently blocked IPs” on page 606.
You can customize the web page that will be returned to the client with the HTTP status
code. See “Uploading a custom error page” on page 467 or Error Message.
About the attack count
Sometimes, auto-learning reports may contain fewer attacks than you see in the FortiWeb
appliance’s attack logs. Possible causes include:
• The attack was attempted, but was targeted towards a URL that did not actually exist on the
server (that is, it resulted in an HTTP 404 File Not Found reply code). Because the URL
did not exist, the auto-learning report does not include it in its tree of requested URLs. In
other words, the attack was not counted in the report because it did not result in an actual
page hit.
• The attack was attempted, and the URL existed, but the FortiWeb appliance was configured
to block the attack (Alert & Deny), resulting in an unsuccessful request attempt.
Unsuccessful requests do not result in an actual page hit and have incomplete session data,
and therefore are not included in auto-learning reports.
To ensure that auto-learning reports have complete session data, you should log but not block
or sanitize attack attempts while gathering auto-learning data (that is, either enable Monitor
Mode or select Alert as the Action for all attacks).
Visits tab
The Visits tab provides statistics in both tabular and graphical format on the HTTP request
methods used. The content of the tab and its display styles vary with the level of the item
selected in the navigation pane: some statistics are displayed as a pie chart, others a bar chart,
and others as both. When you select a policy in the navigation pane, this tab includes a set of
bar charts that give statistics about the most used and least used URLs, plus suspicious URLs.
When you select a host in the navigation pane, the report includes a set of tables that give
statistics on HTTP return codes in the 400 and 500 series.
The Visits tab includes several buttons that you can use to manually fine-tune the profile that
auto-learning will generate from its statistics. (Look for the buttons at the top, midpoint, and
bottom of the page, just above each chart.)
If FortiWeb is deployed behind a NAT load balancer, when using Period Block, you must also
define an X-header that indicates the original client’s IP (see “Defining your proxies, clients, &
X-headers” on page 266). Failure to do so may cause FortiWeb to block all connections when it
detects a violation of this type.