Fortinet 324 FortiWeb 5.0 Patch 6 Administration Guide
7. Click OK.
8. Repeat the previous steps for each individual condition that you want to add to the URL
access rule.
9. Group the URL access rule in a URL access policy (see “Grouping access rules per
combination of URL & “Host:”” on page 324).
Attack log messages contain URL Access Violation when this feature detects a
suspicious HTTP request.
See also
Configuring a protection profile for inline topologies
Configuring a protection profile for an out-of-band topology or asynchronous mode of
operation
Grouping access rules per combination of URL & “Host:”
Before you can apply them in a policy via a protection profile, you must first combine access
rules into an access policy. URL access policies define a set of access rules, and their order of
evaluation.
To configure a URL access policy
1. Before you can configure an effective URL access policy, you must configure one or more
URL access rules. See “Restricting access to specific URLs” on page 321.
2. Go to Web Protection > Access > URL Access Policy.
To access this part of the web UI, your administrator’s account access profile must have
Read and Write permission to items in the Web Protection Configuration category. For
details, see “Permissions” on page 47.
Domain
    Type the fully qualified domain name (FQDN) that a client source IP must
    reverse resolve to in order to match.
    This option appears only if Source Address Type is Domain.

URL Type
    Select whether the URL Pattern field will contain a literal URL (Simple
    String), or a regular expression designed to match multiple URLs (Regular
    Expression).

URL Pattern
    Depending on your selection in URL Type, enter either:
    • the literal URL, such as /admin.php. The URL must begin with a slash
      ( / ).
    • a regular expression, such as ^/admin*.php, matching all and only the
      desired URLs. The pattern does not require a slash ( / ). However, it
      must at least match URLs that begin with a slash, such as /admin.cfm.
    When you finish typing the regular expression, click the >> (test) icon.
    This opens the Regular Expression Validator window where you can
    fine-tune the expression (see “Regular expression syntax” on page 673).
    Do not include the domain name, such as www.example.com, which is
    configured separately in the Host drop-down list for the URL access rule.

Meet this condition if:
    Select whether the access condition is met when the HTTP request matches
    both the regular expression (or text string) and source IP address of the
    client, or when it does not match the regular expression (or text string)
    and/or source IP address of the client.
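Added example (not from the Fortinet guide): a Python check of whether a candidate URL Pattern regular expression matches "all and only the desired URLs" before it is entered in a rule. It assumes unanchored search semantics and uses Python's re module as a stand-in for the appliance's regex engine; the function name audit_pattern, the tightened pattern and the sample URLs are constructed for illustration.

```python
import re

def audit_pattern(pattern, desired, undesired):
    """Return (missed, overmatched) for a candidate URL Pattern regex.

    missed      -- desired URLs the pattern fails to match (rule gaps)
    overmatched -- undesired URLs the pattern matches (collateral hits)

    Assumption: unanchored search semantics (re.search). Confirm the real
    behaviour in the appliance's Regular Expression Validator.
    """
    rx = re.compile(pattern)
    missed = [u for u in desired if not rx.search(u)]
    overmatched = [u for u in undesired if rx.search(u)]
    return missed, overmatched

# Constructed sample URLs: the rule is meant to cover PHP pages under /admin.
DESIRED = ["/admin.php", "/admin/login.php", "/admin/users/edit.php"]
UNDESIRED = ["/index.php", "/adminphp", "/admin.php.bak"]

# The guide's sample pattern: "n*" repeats only the letter n, "." matches
# any single character, and nothing anchors the end of the URL.
LOOSE = r"^/admin*.php"

# A tightened variant (constructed here): optional sub-path, escaped dot,
# and an end anchor.
TIGHT = r"^/admin(/.*)?\.php$"

if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("tight", TIGHT)):
        missed, over = audit_pattern(pat, DESIRED, UNDESIRED)
        print(f"{name:5} {pat!r}: missed={missed} overmatched={over}")
```

Keep the desired and undesired URL lists alongside the rule's change record so the same check can be repeated whenever the pattern is edited.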