Fortinet 403 FortiWeb 5.0 Patch 6 Administration Guide
Expression
Depending on your selection in Direction, type a regular expression
that matches either:
• an attack from a client
• server information disclosure from the server
To prevent false positives, it should not match anything else. The
maximum length is 2,071 characters.
To create and test a regular expression, click the >> (test) icon. This
opens the Regular Expression Validator window where you can
fine-tune the expression (see “Regular expression syntax” on
page 673).
For an example signature and tips on how to prevent evasive
attacks, see “Example: Sanitizing poisoned HTML” on page 380.
Action
Select which action the FortiWeb appliance will take when it
detects a violation of the rule:
• Alert — Accept the request and generate an alert email and/or
  log message.
  Note: If Direction is Data Leakage, this action does not cloak,
  except for removing sensitive headers. (Sensitive information in
  the body remains unaltered.)
• Alert & Deny — Block the request (reset the connection) and
  generate an alert and/or log message. This option is applicable
  only if Direction is Signature Creation.
  You can customize the web page that will be returned to the
  client with the HTTP status code. See “Uploading a custom
  error page” on page 467 or Error Message.
• Alert & Erase — Hide replies with sensitive information
  (sometimes called “cloaking”). Block the reply (or reset the
  connection) or remove the sensitive information, and generate
  an alert email and/or log message. This option is applicable
  only if Direction is Data Leakage.
  If the sensitive information is a status code, you can customize
  the web page that will be returned to the client with the HTTP
  status code.
  Note: This option is not fully supported in offline protection
  mode. Effects will be identical to Alert; sensitive information will
  not be blocked or erased.
• Period Block — Block subsequent requests from the client for
  a number of seconds. Also configure Block Period.
  You can customize the web page that will be returned to the
  client with the HTTP status code. See “Uploading a custom
  error page” on page 467 or Error Message.
  Note: If FortiWeb is deployed behind a NAT load balancer, when
  using this option, you must also define an X-header that
  indicates the original client’s IP (see “Defining your proxies,
  clients, & X-headers” on page 266). Failure to do so may cause
  FortiWeb to block all connections when it detects a violation of
  this type.
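The Period Block note above, as an added example that is not from the FortiWeb guide and is not FortiWeb's implementation: a simplified model of a block table keyed first on the TCP source address and then on an X-header, replayed over constructed traffic that arrives through one NAT load balancer. The addresses, the header name, the stand-in expression and the 60-second period are all assumptions chosen for illustration.

```python
import re

# Constructed values for illustration; none come from the FortiWeb guide.
LOAD_BALANCER_IP = "10.0.0.5"   # NAT load balancer in front of the WAF
X_HEADER = "X-Forwarded-For"    # header the load balancer is assumed to set
SIGNATURE = re.compile(r"<script\b", re.IGNORECASE)  # stand-in custom expression
BLOCK_PERIOD = 60               # seconds


def client_key(peer_ip, headers, use_x_header):
    """Return the address the block table is keyed on."""
    # Honor the X-header only when the TCP peer is the known load balancer,
    # so a directly connected client cannot pick its own key by forging it.
    if use_x_header and peer_ip == LOAD_BALANCER_IP and X_HEADER in headers:
        # The rightmost entry is the one the load balancer itself appended.
        return headers[X_HEADER].split(",")[-1].strip()
    return peer_ip


def replay(requests, use_x_header):
    """Replay (time, peer_ip, headers, body) tuples; return one verdict each."""
    blocked_until = {}
    verdicts = []
    for now, peer_ip, headers, body in requests:
        key = client_key(peer_ip, headers, use_x_header)
        if blocked_until.get(key, 0) > now:
            verdicts.append("blocked")
        elif SIGNATURE.search(body):
            # Violation: later requests from this key are blocked for the period.
            blocked_until[key] = now + BLOCK_PERIOD
            verdicts.append("violation")
        else:
            verdicts.append("allowed")
    return verdicts


# Constructed traffic: every request reaches the WAF from the load balancer.
TRAFFIC = [
    (0, LOAD_BALANCER_IP, {X_HEADER: "198.51.100.7"}, "q=<script>alert(1)</script>"),
    (5, LOAD_BALANCER_IP, {X_HEADER: "203.0.113.20"}, "q=shoes"),
    (10, LOAD_BALANCER_IP, {X_HEADER: "198.51.100.7"}, "q=hats"),
    (70, LOAD_BALANCER_IP, {X_HEADER: "198.51.100.7"}, "q=hats"),
]

if __name__ == "__main__":
    print("keyed on TCP source:", replay(TRAFFIC, use_x_header=False))
    print("keyed on X-header:  ", replay(TRAFFIC, use_x_header=True))
```

Keyed on the TCP source, the unrelated client at second 5 is blocked along with the offender because both share the load balancer's address; keyed on the X-header, only the offending client is blocked until the period expires.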