Fortinet 419 FortiWeb 5.0 Patch 6 Administration Guide
8. Click OK.
9. Repeat the previous steps for each start page that you want to add to the group of start
pages.
10. To apply a start page rule:
• select it in an inline protection profile (see “Configuring a protection profile for inline topologies” on page 468)
• enable Session Management
Attack log messages contain Start Page Violation when this feature detects a start
page violation. Additionally, if the start page rule was configured to redirect the attacker,
parameters will be appended to the redirect URL to indicate the reason. For example:
http://example.com/index.html?redirect491=1&reason747sha=Start%20Page%20Violation
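An added example, not part of the original guide: a Python script that counts, per client, the requests that arrived carrying the two redirect parameters shown above. It assumes the redirected request reaches a web server that logs in Common Log Format and that the parameter names are exactly those in the guide's example URL; the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Parameter names copied from the redirect URL shown above. That they are
# identical on every deployment is an assumption of this example.
FLAG_PARAM = "redirect491"
REASON_PARAM = "reason747sha"

# Common Log Format: client address first, request line in double quotes.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')

def redirect_reason(target):
    """Return the decoded reason if the URL carries both markers, else None."""
    query = parse_qs(urlsplit(target).query)  # parse_qs also percent-decodes
    if query.get(FLAG_PARAM) != ["1"]:
        return None
    reasons = query.get(REASON_PARAM)
    return reasons[0] if reasons else None

def summarize(lines):
    """Count redirected requests per (client, reason) in access-log lines."""
    counts = Counter()
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue  # not in the expected log format
        reason = redirect_reason(match.group("target"))
        if reason is not None:
            counts[(match.group("client"), reason)] += 1
    return counts

# Constructed sample lines using documentation address ranges, not real traffic.
HIT = "/index.html?redirect491=1&reason747sha=Start%20Page%20Violation"
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET {HIT} HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    f'192.0.2.10 - - [01/Jan/2024:10:03:00 +0000] "GET {HIT} HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:04:00 +0000] "GET /a?reason747sha=x HTTP/1.1" 200 90',
    f'198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET {HIT} HTTP/1.1" 200 512',
    "truncated line",
]

if __name__ == "__main__":
    for (client, reason), hits in summarize(SAMPLE_LOG).most_common():
        print(f"{client}\t{hits}\t{reason}")
```

Because the markers travel in a client-visible URL, treat the counts as a triage signal and confirm them against the FortiWeb attack log.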
Setting name    Description

Default
If Action is Redirect, for requests that either:
• do not specify any URL (such as requesting http://www.example.com/ instead of http://www.example.com/index.php), and therefore neither explicitly match nor violate the rule
• violate the start page rule (applies only if you have selected Redirect from Action)
select Yes if you want FortiWeb to redirect the client to this page, indicated in
URL Pattern. (That is, this URL will be treated as the web site’s default/home
page.) Otherwise, select No and configure the redirect URL separately from
this rule, in the protection profile’s Redirect URL.
To prevent the redirect from having more than one possible destination, only
one URL in the start page rule can be configured as the “default” at a given
time.

URL Pattern
Depending on your selection in Type, type either:
• the literal URL, such as /index.php, that the HTTP request must contain in order to match the start page rule. The URL must begin with a slash ( / ).
If Default is Yes, the literal URL also indicates the redirect URL and/or session initiation URL.
• a regular expression, such as ^/*.php, matching all and only the URLs to which the start page rule should apply. The pattern does not require a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.
Do not include the domain name, such as www.example.com, which is
configured separately in the Host drop-down list.
To create and test a regular expression, click the >> (test) icon. This opens
the Regular Expression Validator window where you can fine-tune the
expression (see “Regular expression syntax” on page 673).
After an HA failover, FortiWeb cannot apply this feature to existing sessions, because the
new active appliance does not know the previous session history. See “Sessions & FortiWeb
HA” on page 39.