Fortinet 5.0 Patch 6 Specifying URLs allowed to initiate sessions

Fortinet 415 FortiWeb 5.0 Patch 6 Administration Guide

10.To apply an access rule:

• select it in an inline protection profile (see “Configuring a protection profile for inline

topologies” on page 468)

•enable Session Management

Attack log messages contain Page Access Rule Violation when this feature detects a

request for a URL that violates the required sequence of URLs within a session.

See also

•Configuring a protection profile for inline topologies

Specifying URLs allowed to initiate sessions

To prevent attackers from exploiting web applications that are vulnerable to state-based

attacks, you may need to define legitimate entry points into your web applications.

When you select a start page group in the inline protection profile, clients must begin from a

valid start page in order to initiate a valid HTTP session. If they violate this rule, they will wither

be logged, blocked, or redirected to one of the valid entry pages (in the web UI, this is called the

“default” page).

For example, you may insist that HTTP clients of an e-commerce web site begin their session

from either the main page, an item view, or login. Clients are not allowed to begin a valid session

from the third stage of the shopping cart checkout. If someone initiates a session from partway

Because the new active appliance does not know previous session history, after an HA failover,

for existing sessions, FortiWeb will not be able to apply this feature. See “Sessions & FortiWeb

HA” on page 39.

All web pages in a start page rule must belong to the same web site. Start page rules cannot

redirect each violation to a different location, depending on which of the rules was violated. If

you choose to redirect violations, all violations will be redirected to the same “default” URL.