Fortinet 5.0 Patch 6 Configuring the global object white list

Fortinet 464 FortiWeb 5.0 Patch 6 Administration Guide

When determining which policy to apply to a connection, FortiWeb matching behavior varies by

operation mode. The FortiWeb appliance will apply only one policy to each connection.

If a TCP connection does not match any of the policies, the FortiWeb appliance will either refuse

the connection (if operating in reverse proxy mode) or deny the connection (if operating in other

operation modes). Even if the TCP connection has a matching policy and is allowed,

subsequently, if the HTTP/HTTPS request is not allowed by the policy’s profiles, it is considered

to be in violation of the policy, and the client may be blocked at the application (request) level or

connection level, depending on the Action that you configure.

Policies are not applied while they are disabled. See “Enabling or disabling a policy” on

page 497.

Configuring the global object white list

Server Objects > Global > Predefined Global White List displays a predefined list of common

Internet entities, such as:

• the FortiWeb session cookie named cookiesession1

• Google Analytics cookies such as __utma

• the URL icon /favicon.ico

• AJAX parameters such as __LASTFOCUS

that your FortiWeb appliance can ignore when it enforces your policies. FortiGuard FortiWeb

Security Service service updates the predefined global white list. However, you can also

SSL Certificate used to

offload SSL from the

servers to FortiWeb; can

optionally re-encrypt

before forwarding to the

destination server.

Certificate used to

decrypt and scan only;

does not act as an SSL

origin or terminator.

Certificate used to

decrypt and scan

only; does not act

as an SSL origin or

terminator.

Certificate used to

decrypt and scan only;

does not act as an

SSL origin or

terminator.

Forwarding • Forwards to a single

web server or

member of a server

farm using the port

number where it

listens; similar to a

network address

translation (NAT)

policy on a

general-purpose

firewall.

• Can load balance or

route connections to

a specific server

based upon HTTP

content.

Lets the traffic pass

through to a member of

a server farm, but does

not load-balance.

Forwards to a

member of a

server farm (but

allowing to pass

through, without

actively

redistributing

connections) using

the port number

where it listens.

Lets the traffic pass

through to a member

of a server farm, but

does not load balance.

Table 42:Policy behavior by operation mode

Operation mode

Reverse Proxy Offline Protection True Transparent

Proxy

Transparent

Inspection