Fortinet 341 FortiWeb 5.0 Patch 6 Administration Guide
Setting name Description
Name
Type a unique name that can be referenced in other parts of the
configuration. Do not use spaces or special characters. The
maximum length is 35 characters.
HTTP Request Limit/sec (Standalone IP)
Type a rate limit for the maximum number of HTTP requests per
second from each source IP address that is a single HTTP client.
For example, if loading a web page involves:
1 HTML file request
1 external JavaScript file request
3 image requests
the rate limit should be at least 5, but could be some multiple such
as 10 or 15 in order to allow 2 or 3 page loads per second from
each client.
For best results, this should be at least as many requests as
required to normally load the URL. When a client accesses a web
application, it normally requests many files, such as images and
style sheets, used by the web page itself. If you set limits too low, it
can cause false positive attack detections and block requests. In
extreme cases, this could prevent a single web page from fully
loading all of its components — images, CSS, and other external
files.
The valid range is from 0 to 65,536. The default value is 0. Fortinet
suggests an initial value of 500. See also “Reducing false
positives” on page 624.
HTTP Request Limit/sec (Shared IP)
Type a rate limit for the maximum number of HTTP requests per
second from each source IP address that is shared by multiple
HTTP clients.
Typically, this limit should be greater than HTTP Request Limit/sec
(Standalone IP).
For example, let’s say a branch office with 10 employees is
accessing your web site. Some solitary telecommuters also access
your web site. Each telecommuter has her own IP address.
However, the 10 people at the branch office are behind a firewall
with NAT, and from the perspective of the Internet appear to have a
single source IP address. If the appropriate rate limit for solitary
telecommuters is 20 requests/sec., a fair rate limit for the branch
office might be 200 requests/sec.:
20 requests/sec/person x 10 persons = 200 requests/sec.
The valid range is from 0 to 65,536. The default value is 0. Fortinet
suggests an initial value of 1000. See also “Reducing false
positives” on page 624.
Note: If detection of shared IP addresses is disabled, this setting
will be ignored and all source IP addresses will be limited by HTTP
Request Limit/sec (Standalone IP) instead. See “Advanced
settings” on page 521.
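
The following is an added example, not code from the guide or from FortiWeb. It models how the two limits and the shared-IP note interact, using the guide's own numbers. The fixed one-second counting window, the pre-classified set of shared addresses, the function name blocked_per_ip and the sample addresses are all assumptions made for illustration.

```python
from collections import Counter

def blocked_per_ip(requests, standalone_limit, shared_limit,
                   shared_ips=frozenset(), shared_detection=True):
    """Count requests over the per-second limit for each source IP.

    requests: iterable of (timestamp_seconds, source_ip) tuples.
    shared_ips: addresses assumed to be already classified as shared (NAT).
    """
    seen = Counter()      # (ip, whole second) -> requests so far in that second
    blocked = Counter()   # ip -> requests that exceeded the limit
    for ts, ip in requests:
        # With shared-IP detection disabled, every source falls back to
        # the standalone limit, as the note in the guide describes.
        if shared_detection and ip in shared_ips:
            limit = shared_limit
        else:
            limit = standalone_limit
        window = (ip, int(ts))
        seen[window] += 1
        if seen[window] > limit:
            blocked[ip] += 1
    return dict(blocked)

# Constructed traffic for one second, using documentation-range addresses:
# one telecommuter at 20 requests/sec, and a branch office of 10 people
# behind NAT at 20 requests/sec each (200 requests/sec from one address).
TELECOMMUTER = "198.51.100.7"
BRANCH_NAT = "203.0.113.10"
TRAFFIC = [(i / 20, TELECOMMUTER) for i in range(20)]
TRAFFIC += [(i / 200, BRANCH_NAT) for i in range(200)]

# One page load from the guide's example: 1 HTML + 1 JavaScript + 3 images.
PAGE_LOAD = [(0.0, TELECOMMUTER)] * 5

if __name__ == "__main__":
    # Limits of 20 and 200 with shared-IP detection on: nothing is blocked.
    print(blocked_per_ip(TRAFFIC, 20, 200, {BRANCH_NAT}))         # {}
    # Detection off: the branch office is held to the standalone limit.
    print(blocked_per_ip(TRAFFIC, 20, 200, {BRANCH_NAT}, False))  # {'203.0.113.10': 180}
    # A standalone limit below the page's 5 requests blocks one component.
    print(blocked_per_ip(PAGE_LOAD, 4, 200))                      # {'198.51.100.7': 1}
```

Replaying real access-log timestamps through the same function before enabling blocking shows which legitimate sources a candidate pair of limits would affect.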