Fortinet 466 FortiWeb 5.0 Patch 6 Administration Guide
3. From Type , select the part of the HTTP request where you want to white list an object.
Available configuration fields vary by the type that you choose.
•If Type is URL:
•If Type is Parameter, in Name, type the name of the variable exactly as it appears in the
URL or HTTP body (varies by HTTP GET/POST method).
For example, if the URL ends with the parameter substring ?userName=rowan, you
would type userName (note the capital letter).
•If Type is Cookie:
4. Click OK.
5. To verify that an item is now whitelisted, you can enable auto-learning, then make a request
to a protected web site. The auto-learning report should include any items that you have
whitelisted. Alternatively, use the parameter or URL to attempt to trigger an attack signature
that would normally block it; the item should now be allowed.
Request Type Indicate whether the Request URL field will contain a literal URL
(Simple String), or a regular expression designed to match
multiple URLs (Regular Expression).
Request URL Depending on your selection in the Request Type field, enter
either:
• the literal URL, such as /robots.txt, that the HTTP request
must contain in order to match the rule. The URL must begin
with a backslash ( / ).
• a regular expression, such as ^/*.html, matching all and
only the URLs to which the rule should apply. The pattern does
not require a slash ( / ); however, it must at match URLs that
begin with a backslash, such as /index.html.
Do not include the domain name, such as www.example.com.
To create and test a regular expression, click the >> (test) icon.
This opens the Regular Expression Validator window where you
can fine-tune the expression (see “Regular expression syntax” on
page 673)
Name Type the name of the cookie as it appears in the HTTP request,
such as NID.
Domain Type the partial or complete domain name or IP address as it
appears in the cookie, such as:
•www.example.com
•.google.com
•10.0.2.50
If clients sometimes access the host via IP address instead of
DNS, create white list objects for both.
Caution: Do not whitelist untrusted subdomains that use
vulnerable cookies. It could compromise the security of that
domain and its network.
Path Type the path as it appears in the cookie, such as / or
/blog/folder.