Fortinet 249 FortiWeb 5.0 Patch 6 Administration Guide
Defining your protected/allowed HTTP “Host:” header names
A protected host group (also called “allowed hosts” or “protected hosts”, depending on how the
host name is used in each context) defines one or more IP addresses or fully qualified domain
names (FQDNs). Each entry in the group defines a virtual or real web host, according to the
Host: field in the HTTP header of requests. You can use these entries to determine which host
names:
• FortiWeb allows in requests, and/or
• will cause FortiWeb to apply scans or other features
For example, if your FortiWeb receives requests with HTTP headers, such as:
GET /index.php HTTP/1.1
Host: www.example.com
you might define a protected host group with an entry of www.example.com and select it in
Protected Servers in the policy. This would block requests that are not for that host.
Used differently, you might select the www.example.com entry in Host when defining requests
where the parameters should be validated. This would apply protection only for that host.
Unlike a web server, which is a single IP at the network layer, a protected host group should
contain all network IPs, virtual IPs, and domain names that clients use to access the web server
at the HTTP layer.
For example, clients often access a web server via a public network such as the Internet.
Therefore, the protected host group contains public domain names, IP addresses and virtual
IPs on a network edge router or firewall, such as:
• www.example.com and
• www.example.co.uk and
• example.de
But in reverse proxy mode, the physical or domain server is the IP address or domain name that
the FortiWeb appliance uses to forward traffic to the back-end web server behind the NAT and,
therefore, is often a private network address:
• 192.168.1.10 or
• example.local
As another example, for entry level or virtualized web hosting, many Apache virtual hosts:
• business.example.cn
• university.example.cn
• province.example.cn
may exist on one or more back-end web servers which each have one or more network
adapters, each with one or more private network IP addresses that are hidden behind a reverse
proxy FortiWeb:
• 172.16.1.5
• 172.16.1.6
• 172.16.1.7
A protected hosts group is usually not the same as a back-end web server.
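The following is an added illustration, not FortiWeb code, of the two ways the guide says a protected host group is used: as Protected Servers in a policy (requests whose Host: is not an entry are blocked) and as the Host selection of a rule (the rule applies only to that host). The class and function names (ProtectedHostGroup, enforce_protected_servers, applicable_rules), the host-normalization behaviour (case, :port, trailing dot, bracketed IPv6) and all host names, addresses and rule names are constructed assumptions for the example. It also shows why the back-end address 192.168.1.10 must not be confused with a protected host: a request carrying that address in Host: is blocked because clients never use it at the HTTP layer.

```python
"""Illustrative model of protected host group matching (constructed example)."""
from dataclasses import dataclass


def normalize_host(value: str) -> str:
    """Canonicalize a Host: value so 'WWW.Example.com:443' matches 'www.example.com'.

    Lowercases, drops an optional :port and a trailing dot. Bracketed IPv6
    literals keep their brackets ('[2001:db8::1]:8443' -> '[2001:db8::1]').
    (Assumed normalization rules for this example.)
    """
    h = value.strip().lower()
    if h.startswith("["):
        close = h.find("]")
        return h[: close + 1] if close != -1 else h
    if h.count(":") == 1:          # name:port or IPv4:port
        h = h.split(":", 1)[0]
    return h.rstrip(".")


@dataclass(frozen=True)
class ProtectedHostGroup:
    """Names and addresses clients use at the HTTP layer (not back-end IPs)."""
    name: str
    entries: frozenset

    @classmethod
    def of(cls, name, *entries):
        return cls(name, frozenset(normalize_host(e) for e in entries))

    def contains(self, host_header):
        return host_header is not None and normalize_host(host_header) in self.entries


def parse_request_head(raw: bytes):
    """Return (request_line, {lowercased header name: value}) from an HTTP/1.1 head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, val = line.split(":", 1)
            headers[name.strip().lower()] = val.strip()
    return lines[0], headers


def enforce_protected_servers(raw: bytes, group: ProtectedHostGroup) -> str:
    """Use 1: the group is selected as Protected Servers in a policy.

    A request whose Host: is not an entry is blocked; a missing Host: cannot
    match any entry, so it is blocked as well.
    """
    _, headers = parse_request_head(raw)
    return "allow" if group.contains(headers.get("host")) else "block"


def applicable_rules(raw: bytes, rules):
    """Use 2: each rule carries the host entry it is scoped to (None = any host).

    Returns the names of rules whose Host selection matches this request.
    """
    _, headers = parse_request_head(raw)
    host = headers.get("host")
    matched = []
    for rule_name, host_entry in rules:
        if host_entry is None or (
            host is not None and normalize_host(host) == normalize_host(host_entry)
        ):
            matched.append(rule_name)
    return matched


# Constructed data: the public names and an edge VIP that clients actually use.
PUBLIC_HOSTS = ProtectedHostGroup.of(
    "public-sites", "www.example.com", "www.example.co.uk", "example.de", "203.0.113.10"
)
# The address FortiWeb forwards to in reverse proxy mode is deliberately NOT an entry.
BACKEND_SERVER_IP = "192.168.1.10"

# Constructed parameter-validation rules, each scoped by its Host selection.
PARAM_RULES = [
    ("validate-login-params", "www.example.com"),
    ("validate-search-params", "www.example.co.uk"),
    ("validate-common-params", None),
]


def request(host_value):
    """Build a minimal constructed request; host_value=None omits the Host: header."""
    lines = [b"GET /index.php HTTP/1.1"]
    if host_value is not None:
        lines.append(b"Host: " + host_value.encode())
    return b"\r\n".join(lines) + b"\r\n\r\n"


if __name__ == "__main__":
    for h in ["www.example.com", "WWW.Example.com:443", BACKEND_SERVER_IP, "other.example.net", None]:
        print(h, "->", enforce_protected_servers(request(h), PUBLIC_HOSTS))
    print(applicable_rules(request("www.example.com"), PARAM_RULES))
```

Running the block prints an allow decision only for the two forms of www.example.com; the back-end address, an unlisted name and a request with no Host: header are all blocked, and the host-scoped rule list for www.example.com contains the login rule plus the unscoped common rule.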