Fortinet 5.0 Patch 6

Fortinet 422 FortiWeb 5.0 Patch 6 Administration Guide

Figure 45:An HTML form with two inputs: Account ID‘s type attribute is text; Password’s

type attribute is password

For example, one web page might have an HTML form with multiple inputs:

• a user name

• a password

• a preference for whether or not to remember the login

Within the input rule for that web page, you could define separate rules for each parameter in

the request: one rule for the user name parameter, one rule for the password parameter, and

one rule for the preference parameter. The password rule could be used to enforce password

complexity by requiring that it match a Level 2 Password data type.

Unlike hidden field rules, input rules are for visible inputs only, such as buttons and text areas.

For information on constraining hidden inputs, see “Preventing tampering with hidden inputs”

on page 430.

Each input rule contains one or more individual rules. Collectively, individual rules define all

parameter restrictions that apply to requests matching that combination of URL and host name.

If an HTTP/HTTPS request contains repeated parameters, FortiWeb will enforce the input rules

for all instances of the parameter — not just the first time it occurs in the request.

To configure an input rule

1. Before you configure an input rule, if you want to apply it only to HTTP requests for a specific

real or virtual host, you must first define the web host in a protected hosts group (see

Form input

Enforcement cannot occur if the parameter is bigger than the memory size you have configured

for FortiWeb’s scan buffers. To configure the buffer size, see http-cachesize in the FortiWeb

CLI Reference. If your web applications do not require requests larger than the buffer, enable

Malformed Request to harden your configuration.