Fortinet 472 FortiWeb 5.0 Patch 6 Administration Guide
Setting name Description
Session
Management
Enable to add a cookie to the reply so that FortiWeb can track the state of
web applications across multiple requests (that is, implement HTTP
sessions). Also configure Session Timeout.
This feature adds FortiWeb's own session support; it neither duplicates
nor requires sessions in your web applications.
For details, see "HTTP sessions & security" on page 34.
Note: Enabling this option is required if:
- you select features that require session cookies, such as DoS
  Protection, Start Pages, Page Access, or Hidden Fields Protection, in
  any policy
- you will select an auto-learning profile together with this profile
- you want to include this profile's traffic in the traffic log
Note: This feature requires that the client support cookies. RPC
clients, and browsers in which the user has disabled cookies, do not
support FortiWeb HTTP sessions, and therefore also do not support
FortiWeb features that depend on them.
Session Timeout Type the HTTP session timeout in seconds.
If no further requests arrive within this period, FortiWeb regards the
next request as the start of a new HTTP session.
This option appears only if Session Management is enabled. The
default is 1200 (20 minutes).
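The following is an added illustration of the session semantics described above, not FortiWeb's own code: a cookie issued in the reply identifies the session, a request arriving after the idle timeout starts a new session, and a client that never returns the cookie (an RPC client, or a browser with cookies disabled) gets a fresh session on every request. The cookie name and the request timelines are constructed for the example; the timeout is the guide's default of 1200 seconds.

```python
import secrets
from dataclasses import dataclass, field

# Assumptions for this example: an illustrative cookie name and the guide's
# default idle timeout of 1200 s (20 minutes). Not FortiWeb's own code.
COOKIE_NAME = "FORTIWAFSID"
DEFAULT_TIMEOUT = 1200


@dataclass
class SessionTracker:
    """Tracks HTTP sessions the way the Session Management option describes:
    a cookie in the reply identifies the session, and a request that arrives
    after `timeout` idle seconds begins a new one."""
    timeout: int = DEFAULT_TIMEOUT
    last_seen: dict = field(default_factory=dict)  # session id -> last request time

    def handle(self, request_cookies: dict, now: float):
        """Process one request. Returns (session_id, is_new, cookies_to_set)."""
        sid = request_cookies.get(COOKIE_NAME)
        if sid in self.last_seen and now - self.last_seen[sid] <= self.timeout:
            self.last_seen[sid] = now
            return sid, False, {}
        # Missing, unknown, or idle-expired cookie: this request starts a new session.
        sid = secrets.token_hex(16)
        self.last_seen[sid] = now
        return sid, True, {COOKIE_NAME: sid}


def simulate(times, honors_cookies, timeout=DEFAULT_TIMEOUT):
    """Replay requests from one client at the given timestamps (seconds) and
    return the list of is_new flags. A client that ignores Set-Cookie never
    presents the cookie, so every one of its requests opens a new session,
    which is why cookie-dependent features cannot work for such clients."""
    tracker = SessionTracker(timeout=timeout)
    jar = {}      # the client's cookie jar
    flags = []
    for t in times:
        _, is_new, set_cookie = tracker.handle(jar, t)
        if honors_cookies:
            jar.update(set_cookie)
        flags.append(is_new)
    return flags


if __name__ == "__main__":
    # Constructed timeline: the 1300 s gap between the 2nd and 3rd request exceeds the timeout.
    print(simulate([0, 600, 1900, 2000], honors_cookies=True))
    print(simulate([0, 600, 1900, 2000], honors_cookies=False))
```

The `is_new` flags are what a per-session feature such as DoS Protection would key its counters on; for the cookie-less client every request is a separate session, so per-session limits never accumulate.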
X-Forwarded-For Select the X-Forwarded-For: and X-Real-IP: HTTP header
settings to use, if any. For details, see “Defining your proxies, clients,
& X-headers” on page 266.
Note: Configuring this option is required if the true IP address of the
client is hidden from FortiWeb because a load balancer or other web
proxy is deployed in front. In that case, you must configure an
X-header rule so that FortiWeb blocks only requests related to the
original client. Otherwise, it may block all requests whenever any
attack occurs, since all requests appear to originate from the
proxy's IP. The rule should trust these headers only in requests that
arrive from the configured proxy; a client connecting directly can
forge them.
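The following added example (not FortiWeb's code) shows what an X-header rule has to do to recover the original client address, and what goes wrong without one. The proxy address 10.0.0.5 and the request samples are constructed. Header values are trusted only when the TCP peer is a configured proxy; X-Forwarded-For is walked from the right so that entries a client forged before reaching the proxy are ignored.

```python
import ipaddress
from collections import Counter

# Constructed for this example: the load balancer deployed in front of the WAF.
# An X-header rule, in the guide's terms, amounts to "trust X-Forwarded-For /
# X-Real-IP only when the request arrives from this proxy".
TRUSTED_PROXIES = frozenset({"10.0.0.5"})


def client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """IP address to attribute the request to.

    peer_ip is the TCP source address; headers is a dict of HTTP headers;
    trusted is a set of proxy addresses (strings). With no trusted proxies
    (no X-header rule) the answer is always the peer, so everything behind a
    load balancer collapses onto the proxy's IP. When the peer is a trusted
    proxy, walk X-Forwarded-For from the right, skipping trusted hops; the
    first untrusted address is the original client. Entries further left were
    supplied by the client and are ignored.
    """
    trusted_addrs = {ipaddress.ip_address(t) for t in trusted}
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted_addrs:
        return str(peer)  # direct client: any X-headers it sent are untrusted
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop; nothing left of it can be trusted either
        if addr not in trusted_addrs:
            return str(addr)
    # No usable X-Forwarded-For: fall back to X-Real-IP if the proxy set it.
    real_ip = headers.get("X-Real-IP", "").strip()
    if real_ip:
        try:
            return str(ipaddress.ip_address(real_ip))
        except ValueError:
            pass
    return str(peer)  # only proxies in the chain, or no header at all


def attributed_sources(requests, trusted=TRUSTED_PROXIES):
    """Count requests per attributed client IP: the view a per-source block
    decision acts on. requests is an iterable of (peer_ip, headers)."""
    return Counter(client_ip(p, h, trusted) for p, h in requests)


if __name__ == "__main__":
    # Constructed sample: two different clients behind the same load balancer.
    reqs = [
        ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}),
        ("10.0.0.5", {"X-Forwarded-For": "203.0.113.8"}),
    ]
    print("no X-header rule:", attributed_sources(reqs, frozenset()))
    print("with rule:       ", attributed_sources(reqs))
```

Without the rule both requests are counted against 10.0.0.5, so a block triggered by one client's attack applies to everyone behind the proxy; with the rule each request is attributed to its own client.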