Fortinet 321 FortiWeb 5.0 Patch 6 Administration Guide
Access controlYou can control clients’ access to your web applications and limit the rate of requests. There are
multiple ways to do this, depending on whether your goal is to act based upon the URL, the
client’s source IP, or something more complex.
See also
•Sequence of scans
•Preventing brute force logins
•Enforcing page order that follows application logic
•Specifying URLs allowed to initiate sessions
•Specifying allowed HTTP methods
Restricting access to specific URLs
You can configure rules to define which HTTP requests will be accepted or denied based upon
their Host: name and URL, as well as the origin of the request.
Typically, for example, access to administrative panels for your web application should only be
allowed if the client’s source IP address is an administrator’s computer on your private
management network. Unauthenticated access from unknown locations increases risk of
compromise. Best practice dictates that such risk should be minimized.
You can use SNMP traps to notify you when a URL access rule is enforced. For details, see
“SNMP traps & queries” on page 580.
To configure an URL access rule
1. Go to Web Protection > Access > URL Access Rule.
To access this part of the web UI, your administrator’s account access profile must have
Read and Write permission to items in the Web Protection Configuration category. For
details, see “Permissions” on page 47.
2. Click Create New.
A dialog appears.
X-header-derived client source IPs (see “Defining your proxies, clients, & X-headers” on
page 266) do not support this feature in this release. If FortiWeb is deployed behind a load
balancer or other web proxy that applies source NAT, this feature will not work.
URL access rules are evaluated after some other rules. As a result, permitted access still could
be denied if it violates one of the rules that execute prior in the sequence. For details, see
“Sequence of scans” on page 23.