Fortinet 446 FortiWeb 5.0 Patch 6 Administration Guide
Setting name Description
Malformed Request Enable to inspect the request for:
•syntax errors
•exceeding the maximum buffer size allowed by FortiWeb’s HTTP parser
Errors and buffer overflows can cause problems in web servers that do not handle them gracefully. Such problems can lead to security vulnerabilities.
Attack log messages contain Too Many Parameters, Too Many Flash Parameters, or another message that indicates the specific cause when this feature detects a request with parser errors or a FortiWeb buffer overflow attempt.
Caution: Fortinet strongly recommends enabling this option unless the web application requires large requests or parameters. If part of a request is too large for its scan buffer, FortiWeb cannot scan that part for attacks, and it cannot perform rewrites on it. Unless you configure this feature to block, FortiWeb allows oversized requests to pass through without scanning or rewriting. An attacker can exploit this by padding a request so that the malicious part falls outside the scan buffer: the attack passes through unscanned, and rewriting is skipped as well.
If feasible, instead of disabling this option:
•Enlarge the scan buffer for each parameter (see http-cachesize in the FortiWeb CLI Reference). If the buffer is too small, legitimate requests larger than the buffer are flagged as potentially malformed by FortiWeb’s parser, causing FortiWeb to block normal requests (i.e. false positives). For more buffer specifications, see “Buffer hardening” on page 612.
•Disable this setting only for URLs that require oversized parameters (see “Configuring HTTP protocol constraint exceptions” on page 446).
Exception Name Select the HTTP constraints exception, if any, that you want to apply to this policy (see “Configuring HTTP protocol constraint exceptions” on page 446).
If you want to view or change the information associated with an exception, select the Detail link. The HTTP Constraints Exception dialog appears, where you can view and edit the exceptions.
5. Click OK.
6. To apply the HTTP protocol constraint profile, select it in an inline or offline protection profile (see “Configuring a protection profile for inline topologies” on page 468 or “Configuring a protection profile for an out-of-band topology or asynchronous mode of operation” on page 477).
See also
Sequence of scans
Configuring HTTP protocol constraint exceptions
You can configure exceptions for use with HTTP protocol constraints.
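The Malformed Request caution above warns that an oversized request which is allowed to pass is forwarded without scanning, and that an attacker can pad a request to push the malicious part past the scan buffer. The following Python model is added here as an illustration; it is not FortiWeb code and does not reproduce FortiWeb's parser. It shows how a fixed scan buffer lets a padded injection past a signature scan when oversized requests are set to pass, how the block action changes the verdict, and how a URL exception re-opens the gap for that URL only. The buffer size, parameter limit, attack signature, exception list and request strings are all constructed for the example and are not FortiWeb defaults.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Hypothetical limits chosen for this illustration. On FortiWeb the real
# per-parameter buffer is set with http-cachesize; these are not its defaults.
SCAN_BUFFER = 256        # bytes of the query that fit the scan buffer
MAX_PARAMETERS = 20      # parameter count that triggers "Too Many Parameters"
ATTACK_SIGNATURE = re.compile(r"(?i)union\s+select|<script")

# Hypothetical HTTP constraint exception: URLs where the Malformed Request
# check is disabled because the application legitimately sends large input.
EXCEPTION_URLS = {"/upload"}


def inspect_request(url, raw_query, oversize_action="pass"):
    """Return (verdict, reason) for one request.

    oversize_action is "pass" (forward an oversized request without scanning
    the part that did not fit the buffer, i.e. the feature is not set to
    block) or "block" (drop the oversized request as malformed).
    """
    malformed_check = url not in EXCEPTION_URLS
    params = parse_qsl(raw_query, keep_blank_values=True)

    if malformed_check and len(params) > MAX_PARAMETERS:
        return ("block", "Too Many Parameters")

    # Only the bytes that fit the buffer are decoded and signature-scanned.
    scanned = unquote_plus(raw_query[:SCAN_BUFFER])
    if ATTACK_SIGNATURE.search(scanned):
        return ("block", "attack signature in scanned region")

    if len(raw_query) > SCAN_BUFFER:
        if malformed_check and oversize_action == "block":
            return ("block", "request exceeds scan buffer")
        # The tail beyond SCAN_BUFFER is forwarded without inspection.
        return ("pass", "oversized request forwarded unscanned")

    return ("pass", "clean")


# Constructed sample requests (not captured traffic).
INJECTION = "q=1%27+UNION+SELECT+password+FROM+users"
PADDED_INJECTION = "pad=" + "A" * 300 + "&" + INJECTION
MANY_PARAMS = "&".join(f"p{i}=1" for i in range(MAX_PARAMETERS + 5))

SAMPLES = {
    "benign": ("/search", "q=fortiweb+guide", "pass"),
    "injection": ("/search", INJECTION, "pass"),
    "padded_pass": ("/search", PADDED_INJECTION, "pass"),
    "padded_block": ("/search", PADDED_INJECTION, "block"),
    "padded_exception": ("/upload", PADDED_INJECTION, "block"),
    "too_many": ("/search", MANY_PARAMS, "pass"),
}


def run_samples():
    """Inspect every sample and return {name: (verdict, reason)}."""
    return {name: inspect_request(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:18} {verdict:5} {reason}")
```

The padded_pass and padded_block samples are the same request; only the action differs, which is the point of the caution: with the action left at pass, the injection in the tail is never scanned. The padded_exception sample shows that a URL exception restores the pass-through even when block is configured, so exceptions should be limited to the URLs that genuinely need oversized parameters.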