Fortinet 23 FortiWeb 5.0 Patch 6 Administration Guide
Except for features independent of policies such as anti-defacement, most features are configured before policies. Policies link protection components together and apply them. As such, policies usually should be configured last, not first.
Sequence of scans
FortiWeb appliances apply protection rules and perform protection profile scans in the following
order of execution, which varies by whether you have applied a web protection profile. To
understand the scan sequence, read from the top of the table (the first scan/action) towards the
bottom (the last scan/action). Disabled scans are skipped.
To improve performance, block attackers using the earliest possible technique in the execution
sequence and/or the least memory-consuming technique.
The blocking style varies by feature and configuration. For example, when detecting cookie
poisoning, instead of resetting the TCP connection or blocking the HTTP request, you could log
and remove the offending cookie. For details, see each specific feature.
Table 1: Execution sequence (web protection profile)

Scan/action | Involves

Request from client to server

TCP Connection Number Limit (TCP Flood Prevention) | Source IP address of the client (depending on your configuration of X-header rules (see "Defining your proxies, clients, & X-headers" on page 266), this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
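The following is an added example, not code from the FortiWeb guide: it shows why the X-header rules matter for the TCP Connection Number Limit, which is keyed on the client source IP. The trusted-proxy list, the limit of 3 connections, and the sample connections are all constructed assumptions; a forwarded-for header is honoured only when the TCP peer is a trusted proxy, so a direct client cannot spoof its way to a different bucket.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed trusted-proxy list (FortiWeb's own X-header rule syntax is not reproduced).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
# Hypothetical per-source limit for the TCP Connection Number Limit check.
MAX_CONNECTIONS_PER_SOURCE = 3


def is_trusted_proxy(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_source_ip(tcp_src: str, headers: dict, use_x_headers: bool) -> str:
    """Return the address the connection limit is keyed on.

    X-header rules off: only the SRC field of the IP header is used.
    X-header rules on: X-Forwarded-For / X-Real-IP are honoured only when the
    TCP peer is a trusted proxy; otherwise the header is client-controlled
    and is ignored.
    """
    if not use_x_headers or not is_trusted_proxy(tcp_src):
        return tcp_src
    xff = headers.get("X-Forwarded-For")
    if xff:
        # Walk from the right: the first hop that is not a trusted proxy is
        # the client that the trusted chain forwarded for.
        for hop in reversed([h.strip() for h in xff.split(",")]):
            if not is_trusted_proxy(hop):
                return hop
    real_ip = headers.get("X-Real-IP")
    return real_ip.strip() if real_ip else tcp_src


def evaluate_connections(conns, use_x_headers: bool) -> dict:
    """Apply the per-source limit to (tcp_src, headers) tuples in arrival order.
    Returns {source_ip: "allow" | "block"} with the latest decision per source."""
    seen = Counter()
    decisions = {}
    for tcp_src, headers in conns:
        src = client_source_ip(tcp_src, headers, use_x_headers)
        seen[src] += 1
        decisions[src] = "block" if seen[src] > MAX_CONNECTIONS_PER_SOURCE else "allow"
    return decisions


# Constructed sample: four connections via the trusted proxy 10.1.1.5 for four
# different clients, plus one direct client carrying a spoofed X-Forwarded-For.
SAMPLE_CONNECTIONS = [
    ("10.1.1.5", {"X-Forwarded-For": "203.0.113.7, 10.1.1.5"}),
    ("10.1.1.5", {"X-Forwarded-For": "203.0.113.8"}),
    ("10.1.1.5", {"X-Forwarded-For": "203.0.113.9"}),
    ("10.1.1.5", {"X-Real-IP": "203.0.113.10"}),
    ("198.51.100.9", {"X-Forwarded-For": "203.0.113.7"}),
]
```

With X-header rules enabled, the four proxied connections are counted against four distinct clients and all are allowed; with them disabled they all count against the proxy address, which trips the limit on the fourth connection.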