Fortinet 441 FortiWeb 5.0 Patch 6 Administration Guide
Use protocol constraints to prevent attacks such as buffer overflows in web servers that do not
restrict elements of the HTTP protocol to acceptable lengths, or mishandle malformed requests.
Such errors can lead to security vulnerabilities.

To configure an HTTP protocol constraint

1. If you plan to add constraint exceptions to your HTTP protocol constraints, configure the
exceptions first. See “Configuring HTTP protocol constraint exceptions” on page 446. If you
want to use a trigger when the rule is violated, configure it also. See “Configuring triggers”
on page 557.
2. Go to Web Protection > Protocol > HTTP Protocol Constraints.
To access this part of the web UI, your administrator’s account access profile must have
Read and Write permission to items in the Web Protection Configuration category. For
details, see “Permissions” on page 47.
3. Click Create New.
A dialog appears.

You can also use protocol constraints to block requests that are too large for the memory
size of FortiWeb’s scan buffers. (Without a corresponding protocol constraint, items that are
too large to be buffered will pass without scanning or rewriting. See “Buffer hardening” on
page 612.)
For example, if your web applications require HTTP POST requests with unusually large
parameters, you would adjust the HTTP body buffer size (see http-cachesize in the
FortiWeb CLI Reference). Then, you would configure Malformed Request and other HTTP
protocol constraints to harden your configuration.
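
The interaction between scan-buffer size and protocol constraints described above, as an added illustrative model (not FortiWeb code and not Fortinet's implementation). The limit names, their default values, the verdict strings and the sample requests are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Constraints:
    # Hypothetical limits chosen for this example; not FortiWeb defaults.
    max_header_line: int = 8192        # bytes per header line
    max_headers: int = 50              # header lines per request
    max_body: Optional[int] = None     # None = no body-length constraint set
    scan_buffer: int = 64 * 1024       # bytes the inspector can buffer

def evaluate(raw: bytes, c: Constraints) -> Tuple[str, List[str]]:
    """Return (verdict, reasons): 'block', 'scan' or 'pass-unscanned'."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "block", ["malformed: header block not terminated"]
    request_line, *headers = head.split(b"\r\n")
    reasons = []
    if len(request_line.split(b" ")) != 3:
        reasons.append("malformed: bad request line")
    if len(headers) > c.max_headers:
        reasons.append("too many header lines")
    for h in headers:
        if b":" not in h:
            reasons.append("malformed: header without colon")
        elif len(h) > c.max_header_line:
            reasons.append("header line too long")
    if c.max_body is not None and len(body) > c.max_body:
        reasons.append("body exceeds configured limit")
    if reasons:
        return "block", reasons
    if len(body) > c.scan_buffer:
        # No constraint stopped it and it cannot be buffered: the gap the
        # guide warns about, where content passes without being scanned.
        return "pass-unscanned", ["body larger than scan buffer"]
    return "scan", []

def request(body: bytes) -> bytes:
    """Build a constructed sample POST request around the given body."""
    return (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body

if __name__ == "__main__":
    big = request(b"a" * 100_000)   # constructed oversized body
    print(evaluate(request(b"q=1"), Constraints()))        # fits the buffer
    print(evaluate(big, Constraints()))                    # unscanned gap
    print(evaluate(big, Constraints(max_body=64 * 1024)))  # constraint blocks
    print(evaluate(b"GET /\r\nHost: app.example\r\n\r\n", Constraints()))
```

The second call shows the configuration to look for when auditing: a buffer limit with no matching length constraint, so oversized content is forwarded without inspection.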

This scan is bypassed if the client’s source IP is a known search engine and you have enabled
Allow Known Search Engines.