Fortinet 447 FortiWeb 5.0 Patch 6 Administration Guide
Exceptions define HTTP constraints that will not be subject to HTTP protocol constraint.
Exceptions are useful when you know that some HTTP protocol constraints, during normal use,
will cause false positives by matching an attack signature.
For example, if no exceptions are defined, FortiWeb executes the HTTP protocol constraint as
defined in “HTTP/HTTPS protocol constraints” on page 440. But, if you mark the check box for
Header Length in a HTTP protocol constraint exception for a specific host, FortiWeb will skip
the HTTP header length check when executing the web protection profile for that host.
As another example, some web applications require very large HTTP POST requests. You can
use Malformed Request to create an exception from the constraint for those requests.
To configure an HTTP constraint exception
1. Go to Web Protection > Protocol > HTTP Constraints Exception.
To access this part of the web UI, your administrator’s account access profile must have
Read and Write permission to items in the Web Protection Configuration category. For
details, see “Permissions” on page 47.
2. Click Create New.
A dialog appears.
3. In Name, type a unique name that can be referenced by other parts of the configuration. Do
not use spaces or special characters. The maximum length is 35 characters.
4. Click OK.
5. Click Create New to add an entry to the set.
A dialog appears.
Like any software, FortiWeb’s buffers are not endless. If an HTTP request overall or its individual
components such as parameters are too long to fit the scan buffer, they will you do not want to