Fortinet 415 FortiWeb 5.0 Patch 6 Administration Guide
10.To apply an access rule:
• select it in an inline protection profile (see “Configuring a protection profile for inline
topologies” on page 468)
•enable Session Management
Attack log messages contain Page Access Rule Violation when this feature detects a
request for a URL that violates the required sequence of URLs within a session.
See also
•Configuring a protection profile for inline topologies
Specifying URLs allowed to initiate sessionsTo prevent attackers from exploiting web applications that are vulnerable to state-based
attacks, you may need to define legitimate entry points into your web applications.
When you select a start page group in the inline protection profile, clients must begin from a
valid start page in order to initiate a valid HTTP session. If they violate this rule, they will wither
be logged, blocked, or redirected to one of the valid entry pages (in the web UI, this is called the
“default” page).
For example, you may insist that HTTP clients of an e-commerce web site begin their session
from either the main page, an item view, or login. Clients are not allowed to begin a valid session
from the third stage of the shopping cart checkout. If someone initiates a session from partway
Because the new active appliance does not know previous session history, after an HA failover,
for existing sessions, FortiWeb will not be able to apply this feature. See “Sessions & FortiWeb
HA” on page 39.
All web pages in a start page rule must belong to the same web site. Start page rules cannot
redirect each violation to a different location, depending on which of the rules was violated. If
you choose to redirect violations, all violations will be redirected to the same “default” URL.