Fortinet 440 FortiWeb 5.0 Patch 6 Administration Guide
8. Click OK.
9. Repeat the previous steps for each exception that you want to add to the allowed method
exceptions.
10. To apply the allowed method exception, select it in an allowed method policy. For details,
see “Specifying allowed HTTP methods” on page 436.
See also
• Configuring a protection profile for inline topologies
• Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
HTTP/HTTPS protocol constraints
Protocol constraints govern features such as the HTTP header fields in the protocol itself, as
well as the length of the HTML, XML, or other documents or encapsulated protocols carried in
the HTTP body payload.
Setting name: Description

URL Pattern: Depending on your selection in Type, enter either:
• the literal URL, such as /index.php, that is an exception to the generally allowed HTTP request methods. The URL must begin with a slash ( / ).
• a regular expression, such as ^/*.php, matching all and only the URLs which are exceptions to the generally allowed HTTP request methods. The pattern does not require a slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.cfm.
For example, if multiple URLs on a host have identical HTTP request method requirements, you would type a regular expression matching all of and only those URLs.
Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.
To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression (see “Regular expression syntax” on page 673).

Allow Method Exception: Mark the check boxes of all HTTP request methods that you want to allow. Methods that you do not select will be denied.
The OTHERS option includes methods not specifically named in the other options. It often may be required by WebDAV (RFC 4918) applications such as Microsoft Exchange Server 2003 and Subversion, which may require HTTP methods not commonly used by web browsers, such as PROPFIND and BCOPY.
Note: If a WAF Auto Learning Profile will be selected in the policy with an offline protection profile that uses this allowed method exception, you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb appliance to learn about. If a method is disabled, the FortiWeb appliance will reset the connection, and therefore cannot learn about the session.
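An offline pre-check for the "all and only" requirement on a URL Pattern regular expression, added here as an example and not taken from the Fortinet guide: it runs candidate expressions against lists of URLs that should and should not be method exceptions and reports what each one misses or over-matches. It assumes standard regular expression semantics with unanchored search (Python's re module), which is an assumption about how the appliance applies the pattern; the function names and sample URLs are constructed for illustration, and the Regular Expression Validator remains the final check.

```python
import re

def check_pattern(pattern, must_match, must_not_match):
    """Return (missed, overmatched) for a candidate URL Pattern regex.

    missed:      URLs that should be exceptions but are not matched.
    overmatched: URLs that should not be exceptions but are matched.
    """
    rx = re.compile(pattern)
    missed = [u for u in must_match if not rx.search(u)]
    overmatched = [u for u in must_not_match if rx.search(u)]
    return missed, overmatched

# Constructed sample URLs (paths only; the host is configured separately).
EXCEPTIONS = ["/index.php", "/admin/login.php", "/a.php"]
NOT_EXCEPTIONS = [
    "/index.cfm",
    "/xphp",            # no dot before "php"
    "/index.php.bak",   # backup copy, different extension
    "/phpinfo.txt",
    "/images/php.png",
]

# Candidate expressions to compare.
CANDIDATES = {
    # Glob-style habit: "/*" is "zero or more slashes", "." is "any character".
    "glob_style": r"^/*.php",
    # Escaped dot but no anchors: matches ".php" anywhere in the URL.
    "unanchored": r"\.php",
    # Anchored at both ends, literal dot: any path ending in ".php".
    "anchored": r"^/.*\.php$",
}

def report():
    """Evaluate every candidate against the sample URL lists."""
    return {
        name: check_pattern(pattern, EXCEPTIONS, NOT_EXCEPTIONS)
        for name, pattern in CANDIDATES.items()
    }

if __name__ == "__main__":
    for name, (missed, overmatched) in report().items():
        verdict = "OK" if not missed and not overmatched else "REVIEW"
        print(f"{name:11} {verdict:6} missed={missed} overmatched={overmatched}")
```

A pattern that over-matches extends the method exception to URLs it was never meant to cover, so an empty `overmatched` list matters as much as an empty `missed` list.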