Fortinet 522 FortiWeb 5.0 Patch 6 Administration Guide
Setting Name Description
Shared IP
Enable to analyze the identification (ID) field in IP packet headers in order to
distinguish source IP addresses that are actually Internet connections
shared by multiple clients, not single clients. For an example, see
“Example: Setting a separate rate limit for shared Internet connections” on
page 523.
You can configure the ID difference threshold that triggers shared IP
detection. For details, see config system ip-detection in the
FortiWeb CLI Reference.
Note: The shared IP address rate limit for some features (see “Preventing
brute force logins” on page 362 and “Limiting the total HTTP request rate
from an IP” on page 339) will be ignored unless you enable this option.
Tip: To improve performance and reduce memory consumption, if all
source IP addresses should receive the same rate limit regardless of the
number of clients sharing each connection, disable this option.
Recursive URL Decoding
Enable to detect URL-embedded attacks that are obfuscated using
recursive URL encoding (that is, multiple levels’ worth of URL encoding).
Encoded URLs can be legitimately used for non-English URLs, but can also
be used to avoid detection of attacks that use special characters. FortiWeb
can decode encoded URLs to scan for these types of attacks. Several
encoding types are supported, including IIS-specific Unicode encoding.
For example, you could detect the character A that is encoded as either
%41, %x41, %u0041, or \t41.
Disable to decode only one level, if the URL is encoded.
Maximum Body Cache Size
Type the maximum size in kilobytes (KB) of the body of the HTTP response
from the web server that FortiWeb will cache per URL.
Responses are cached to improve performance on compression,
decompression, and rewriting on often-requested URLs.
Valid values range from 32 to 1,024. The default value is 64.
Maximum DLP Cache Size
Type the maximum size in kilobytes (KB) of the body of the HTTP response
from the web server that FortiWeb will buffer and scan for data leak
protection (DLP).
Responses are cached to improve performance on compression,
decompression, and rewriting on often-requested URLs.
Valid values vary by Maximum Body Cache Size.
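
The difference between one-level and recursive decoding described under Recursive URL Decoding, shown as an added Python example. It is not Fortinet code and does not represent FortiWeb's implementation. The function names, the `max_depth` bound, the `SPECIAL` character set and the sample URLs are assumptions made for illustration, and only the `%XX` and `%uXXXX` forms are handled.

```python
import re

# %uXXXX (IIS-style Unicode) or %XX; other encodings are out of scope here.
_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

# Constructed stand-in for a signature check on special characters.
SPECIAL = set("<>'\"")


def decode_once(value: str) -> str:
    """Decode exactly one level of %XX / %uXXXX escapes."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), value)


def decode_recursive(value: str, max_depth: int = 8):
    """Decode until the value stops changing; return (decoded, levels).

    max_depth is an assumed safety bound so crafted input cannot force
    unbounded work; exceeding it raises ValueError so the caller can
    treat the request as suspicious.
    """
    for level in range(max_depth):
        decoded = decode_once(value)
        if decoded == value:
            return value, level
        value = decoded
    raise ValueError("encoding depth exceeds max_depth")


def flags_special(value: str) -> bool:
    """True if any character from SPECIAL is present."""
    return any(ch in SPECIAL for ch in value)


def compare(url: str) -> dict:
    """Scan result with one-level decoding versus recursive decoding."""
    full, levels = decode_recursive(url)
    return {
        "levels": levels,
        "one_level_hit": flags_special(decode_once(url)),
        "recursive_hit": flags_special(full),
    }


if __name__ == "__main__":
    # Constructed sample request URLs.
    for sample in ("/search?q=%41", "/search?q=%2541",
                   "/search?q=%253Cb%253E", "/search?q=%25u003Cb%25u003E"):
        print(sample, compare(sample))
```

The decoded value is for inspection only; the request forwarded to the web server should remain the original bytes.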