Fortinet 5.0 Patch 6

Fortinet 341 FortiWeb 5.0 Patch 6 Administration Guide

Setting name Description

Name Type a unique name that can be referenced in other parts of the

configuration. Do not use spaces or special characters. The

maximum length is 35 characters.

HTTP Request

Limit/sec

(Standalone IP)

Type a rate limit for the maximum number of HTTP requests per

second from each source IP address that is a single HTTP client.

For example, if loading a web page involves:

• 1 HTML file request

• 1 external JavaScript file request

• 3 image requests

the rate limit should be at least 5, but could be some multiple such

as 10 or 15 in order to allow 2 or 3 page loads per second from

each client.

For best results, this should be at least as many requests as

required to normally load the URL. When a client accesses a web

application, it normally requests many files, such as images and

style sheets, used by the web page itself. If you set limits too low, it

can cause false positive attack detections and block requests. In

extreme cases, this could prevent a single web page from fully

loading all of its components — images, CSS, and other external

files.

The valid range is from 0 to 65,536. The default value is 0. Fortinet

suggests an initial value of 500. See also “Reducing false

positives” on page 624.

HTTP Request

Limit/sec (Shared IP)

Type a rate limit for the maximum number of HTTP requests per

second from each source IP address that is shared by multiple

HTTP clients.

Typically, this limit should be greater than HTTP Request Limit/sec

(Standalone IP).

For example, let’s say a branch office with 10 employees is

accessing your web site. Some solitary telecommuters also access

your web site. Each telecommuter has her own IP address.

However, the 10 people at the branch office are behind a firewall

with NAT, and from the perspective of the Internet appear to have a

single source IP address. If the appropriate rate limit for solitary

telecommuters is 20 requests/sec., a fair rate limit for the branch

office might be 200 requests/sec.:

20 requests/sec/person x 10 persons =

200 requests/sec.

The valid range is from 0 to 65,536. The default value is 0. Fortinet

suggests an initial value of 1000. See also “Reducing false

positives” on page 624.

Note: If detection of shared IP addresses is disabled, this setting

will be ignored and all source IP addresses will be limited by HTTP

Request Limit/sec (Standalone IP) instead. See “Advanced

settings” on page 521.