Fortinet 25 FortiWeb 5.0 Patch 6 Administration Guide
Table 1: Execution sequence (web protection profile)

Scan/action | Involves

HTTP Request Limit/sec (Standalone IP) or HTTP Request Limit/sec (Shared IP) (HTTP Access Limit)
  • ID field of the IP header
  • Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers” on page 266) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)

HTTP Authentication
  • Authorization:

Global White List
  • Cookie: cookiesession1
  • URL if /favicon.ico, AJAX URL parameters such as __LASTFOCUS, and others as updated by the FortiGuard Security Service

URL Access
  • Host:
  • URL in HTTP header
  • Source IP of the client in the IP header

Brute Force Login
  • Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers” on page 266) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
  • URL in the HTTP header

HTTP Protocol Constraints
  • Content-Length:
  • Parameter length
  • Body length
  • Header length
  • Header line length
  • Count of Range: header lines
  • Count of cookies

Cookie Poisoning Detection
  • Cookie:

Start Pages
  • Host:
  • URL in HTTP header
  • Session state

Page Access (page order)
  • Host:
  • URL in HTTP header
  • Session state

File Upload Restriction
  • Content-Length:
  • Content-Type: in PUT and POST requests