Fortinet 5.0 Patch 6

Fortinet 466 FortiWeb 5.0 Patch 6 Administration Guide

3. From Type , select the part of the HTTP request where you want to white list an object.

Available configuration fields vary by the type that you choose.

•If Type is URL:

•If Type is Parameter, in Name, type the name of the variable exactly as it appears in the

URL or HTTP body (varies by HTTP GET/POST method).

For example, if the URL ends with the parameter substring ?userName=rowan, you

would type userName (note the capital letter).

•If Type is Cookie:

4. Click OK.

5. To verify that an item is now whitelisted, you can enable auto-learning, then make a request

to a protected web site. The auto-learning report should include any items that you have

whitelisted. Alternatively, use the parameter or URL to attempt to trigger an attack signature

that would normally block it; the item should now be allowed.

Request Type Indicate whether the Request URL field will contain a literal URL

(Simple String), or a regular expression designed to match

multiple URLs (Regular Expression).

Request URL Depending on your selection in the Request Type field, enter

either:

• the literal URL, such as /robots.txt, that the HTTP request

must contain in order to match the rule. The URL must begin

with a backslash ( / ).

• a regular expression, such as ^/*.html, matching all and

only the URLs to which the rule should apply. The pattern does

not require a slash ( / ); however, it must at match URLs that

begin with a backslash, such as /index.html.

Do not include the domain name, such as www.example.com.

To create and test a regular expression, click the >> (test) icon.

This opens the Regular Expression Validator window where you

can fine-tune the expression (see “Regular expression syntax” on

page 673)

Name Type the name of the cookie as it appears in the HTTP request,

such as NID.

Domain Type the partial or complete domain name or IP address as it

appears in the cookie, such as:

•www.example.com

•.google.com

•10.0.2.50

If clients sometimes access the host via IP address instead of

DNS, create white list objects for both.

Caution: Do not whitelist untrusted subdomains that use

vulnerable cookies. It could compromise the security of that

domain and its network.

Path Type the path as it appears in the cookie, such as / or

/blog/folder.