Fortinet 5.0 Patch 6

Fortinet 38 FortiWeb 5.0 Patch 6 Administration Guide

How can FortiWeb know if a request is the client’s first HTTP request? If FortiWeb were to treat

each request independently, without knowledge of anything previous, it would not be able to

remember the authentication request, and therefore could not enforce page order.

To fill this need for context, enable Session Management. When enabled:

1. For the first HTTP/HTTPS request from a client, FortiWeb embeds a cookie in the response’s

Set-Cookie: field in the HTTP header. It is named cookiesession1. (FortiWeb does not

use source IP addresses and timestamps alone for sessions: NAT can cloak multiple clients;

clocks can be altered.)

If you have configured rules such as start page rules that are enforced when a page request

is the first in a session, FortiWeb can enforce them at this point.

2. Later requests from the same client must include this same cookie in the Cookie: field to

be regarded as part of the same session. (Otherwise, the request will be regarded as

session-initiating, and return to step 1.)

Figure 5: Attack blocked via a start page or page order rule with session management

Once a request’s session is identified by the session ID in this cookie (e.g.

K8BXT3TNYUM710UEGWC8IQBTPX9PRWHB), FortiWeb can perform any configured tracking

or enforcement actions that are based upon the requests that it remembers for that session

ID, such as rate limiting per session ID per URL, or based upon the order of page requests in

a session, such as page order rules. Violating traffic may be dropped or blocked, depending

on your configuration.

3. After some time, if the FortiWeb has not received any more requests, the session will time

out.

The next request from that client, even if it contains the old session cookie, will restart the

process at step 1.

Traffic logs include the HTTP/HTTPS session ID so you can locate all requests in each session.

Correlating requests by session ID can be useful for forensic purposes, such as when analyzing

an attack from a specific client, or when analyzing web application behavior that occurs during

a session so that you can design an appropriate policy to protect it. For details, see “Viewing

log messages” on page 557 and the FortiWeb Log Message Reference.

Exceptions to this process include network topologies and operation modes that do not

support FortiWeb session cookies: instead of adding its own cookie, which is not possible,

FortiWeb can instead cue its session states from your web application’s cookie. See Session

Key Word.