Fortinet 437 FortiWeb 5.0 Patch 6 Administration Guide
To configure an HTTP request method policy
1. If you want to include method exceptions in a policy, create them first. For more information,
see “Configuring allowed method exceptions” on page 438.
2. Go to Web Protection > Access > Allow Method Policy.
To access this part of the web UI, your administrator’s account access profile must have
Read and Write permission to items in the Web Protection Configuration category. For
details, see “Permissions” on page 47.
3. Click Create New.
A dialog appears.
4. Configure these settings:
Setting name: Description

Name: Type a unique name that can be referenced in other parts of the
configuration. Do not use spaces or special characters. The maximum length
is 35 characters.

Allow Request: Mark the check boxes for all HTTP request methods that you want to allow
for this specific policy.
Methods that you do not select will be denied, unless specifically allowed for
a host and/or URL in the selected Allow Method Exceptions.
The OTHERS option includes methods not specifically named in the other
options. It is often required by WebDAV (RFC 4918) applications such
as Microsoft Exchange Server 2003 and Subversion, which may require
HTTP methods not commonly used by web browsers, such as PROPFIND
and BCOPY.
Note: If a WAF Auto Learning Profile is used in the server policy where the
HTTP request method is applied (via the Web Protection Profile), you must
enable the HTTP request methods that will be used by sessions that you
want the FortiWeb appliance to learn about. If a method is disabled, the
FortiWeb appliance will reset the connection, and therefore cannot learn
about the session.

Severity: When rule violations are recorded in the attack log, each log message
contains a Severity Level (severity_level) field. Select which severity
level the FortiWeb appliance will use when it logs a violation of the rule:
• Low
• Medium
• High
The default value is Medium.
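
The following Python model is an added example, not Fortinet code or configuration: it shows how the check boxes, the OTHERS catch-all, the method exceptions and the severity setting described above combine into an allow or deny decision. The list of individually named methods, the exception matching (exact host, URL prefix), the policy and host names, and every log field except severity_level are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumption: individually named check boxes; the page itself only names OTHERS.
NAMED = {"GET", "POST", "HEAD", "OPTIONS", "TRACE", "CONNECT", "DELETE", "PUT"}

@dataclass
class MethodException:
    """Hypothetical exception entry: extra methods allowed for a host and/or URL."""
    methods: set
    host: Optional[str] = None        # None = any host
    url_prefix: Optional[str] = None  # None = any URL (prefix match is an assumption)

    def matches(self, host, url):
        return ((self.host is None or self.host.lower() == host.lower())
                and (self.url_prefix is None or url.startswith(self.url_prefix)))

@dataclass
class AllowMethodPolicy:
    name: str
    allowed: set                      # checked boxes, may include "OTHERS"
    exceptions: list = field(default_factory=list)
    severity: str = "Medium"          # Low | Medium | High; Medium is the default

    def bucket(self, method):
        """Map a request method to the check box that governs it."""
        return method.upper() if method.upper() in NAMED else "OTHERS"

    def evaluate(self, method, host, url):
        """Return (allowed, log_record_or_None) for one request."""
        box = self.bucket(method)
        if box in self.allowed:
            return True, None
        if any(box in e.methods and e.matches(host, url) for e in self.exceptions):
            return True, None
        return False, {"policy": self.name, "method": method.upper(), "host": host,
                       "url": url, "severity_level": self.severity}

# Constructed sample: browsers get GET/POST/HEAD; only the WebDAV path on one
# host may use methods that fall under OTHERS (for example PROPFIND).
POLICY = AllowMethodPolicy(
    name="AllowWebMethods", allowed={"GET", "POST", "HEAD"},
    exceptions=[MethodException({"OTHERS"}, host="dav.example.com", url_prefix="/svn/")],
    severity="High")

if __name__ == "__main__":
    for m, h, u in [("GET", "www.example.com", "/"), ("PROPFIND", "dav.example.com", "/svn/r"),
                    ("PROPFIND", "www.example.com", "/"), ("TRACE", "dav.example.com", "/svn/r")]:
        print(m, h, u, POLICY.evaluate(m, h, u))
```

In this model TRACE stays denied even on the WebDAV path, because it has its own check box and is therefore not covered by an exception that only allows OTHERS.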