Fortinet 446 FortiWeb 5.0 Patch 6 Administration Guide
5. Click OK.
6. To apply the HTTP protocol constraint profile, select it in an inline or offline protection profile
(see “Configuring a protection profile for inline topologies” on page 468 or “Configuring a
protection profile for an out-of-band topology or asynchronous mode of operation” on
page 477).
See also
•Sequence of scans
Configuring HTTP protocol constraint exceptionsYou can configure exceptions for use with HTTP protocol constraints.
Malformed Request Enable to inspect the request for:
•syntax errors
• exceeding the maximum buffer size allowed by FortiWeb’s HTTP
parser
Errors and buffer overflows can cause problems in web servers that
do not handle them gracefully. Such problems can lead to security
vulnerabilities.
Attack log messages contain Too Many Parameters or Too
Many Flash Parameters or another message that indicates the
specific cause when this feature detects a request with parser
errors or a FortiWeb buffer overflow attempt.
Caution: Fortinet strongly recommends to enable this option
unless large requests/parameters are required by the web
application. If part of a request is too large for its scan buffer,
FortiWeb cannot scan it for attacks. It also cannot perform rewrites.
Unless you configure it to block, FortiWeb will allow oversized
requests to pass through without scanning or rewriting. This
could allow padded attacks to pass through, and rewriting to be
skipped.
If feasible, instead of disabling this option:
• Enlarge the scan buffer for each parameter (see
http-cachesize in the FortiWeb CLI Reference). Requests
larger than the buffer will be flagged as potentially malformed by
FortiWeb’s parser, causing FortiWeb to block normal requests
(i.e. false positives). For more buffer specifications, see “Buffer
hardening” on page 612.
• Disable this setting only for URLs that require oversized
parameters (see “Configuring HTTP protocol constraint
exceptions” on page 446)
Exception Name Select the HTTP constraints exception, if any, that you want to
apply to this policy (see “Configuring HTTP protocol constraint
exceptions” on page 446).
If you want to view or change the information associated with a
exception, select the Detail link. The HTTP Constraints Exception
dialog appears, where you can view and edit the exceptions.
Setting name Description