Fortinet 390 FortiWeb 5.0 Patch 6 Administration Guide
•Send 403 Forbidden — Reply to the client with an HTTP 403
Access Forbidden error message and generate an alert
email and/or log message.
•Pass — Allow the request. Do not generate an alert email
and/or log message.
•Continue — Generate an alert and/or log message, then
continue by evaluating any subsequent rules defined in the web
protection profile (see “Sequence of scans” on page 23). If no
other rules are violated, allow the request. If multiple rules are
violated, a single request will generate multiple attack log
messages and/or alert email.
•Alert & Erase — Hide sensitive information in replies from the
web server (sometimes called “cloaking”). Block the request or
remove the sensitive information, and generate an alert email
and/or log message.
Caution: This option is not fully supported in offline protection
mode. Only an alert and/or log message can be generated;
sensitive information cannot be blocked or erased.
•Erase, no Alert — Hide sensitive information in replies from the
web server (sometimes called “cloaking”). Block the request or
remove the sensitive information, but do not generate an alert
email and/or log message.
Caution: This option is not supported in offline protection
mode.
The default value is Alert. See also “Reducing false positives” on
page 624.
Caution: This setting will be ignored if Monitor Mode is enabled.
Note: Logging and/or alert email will occur only if enabled and
configured. See “Logging” on page 542 and “Alert email” on
page 576.
Note: If you will use this rule set with auto-learning, you should
select Alert. If Action is Alert & Deny, or any other option that
causes the FortiWeb appliance to terminate or modify the request
or reply when it detects an attack attempt, the interruption will
cause incomplete session information for auto-learning.
Block Period (column)
In each row, type the number of seconds that you want to block
subsequent requests from the client after the FortiWeb appliance
detects that the client has violated the rule.
This setting is available only if Action is set to Period Block. The
valid range is from 1 to 3,600 (1 hour). The default value is 1. See
also “Monitoring currently blocked IPs” on page 606.
Severity (column)
When rule violations are recorded in the attack log, each log
message contains a Severity Level (severity_level) field. In
each row, select which severity level the FortiWeb appliance will
use when it logs a violation of the rule:
•Low
•Medium
•High
The default value is High.
Setting name Description