Fortinet 616 FortiWeb 5.0 Patch 6 Administration Guide
complex, involving many more computations, and the most difficult addresses to verify
might be complex enough to impact traffic throughput.
Avoid backtracking (i.e. revisiting the match string after failing to match part of the pattern).
Backtracking occurs when regular expression features use recursion (definite or indefinite).
This can increase execution time exponentially. Examples include the following:
Avoid nested parentheses with indefinite repeats such as:
^((a+)b+)*
This can take a very long time to evaluate, especially if a long string does not match
but this cannot be determined until the very last character is evaluated.
In the above example, both the + and * indicate matches that repeat potentially infinitely,
forcing the regular expression engine to continue until it finds the longest possible match
(or runs out of RAM; see “Killing system-intensive processes” on page 654). Using both
in a nested set of parentheses compounds the problem.
Minimize capture groups and back-references such as:
(/a)(/b)/(c)
$0$1\?user=$2
To use back-references, FortiWeb must keep the text that matched the capture groups in
memory, which increases RAM consumption.
Order matters if using alternate match patterns (i.e. multiple patterns are concatenated
with a pipe ( | )). Put rare patterns last. If you put less likely patterns first, most times
If missed matches are an acceptable performance trade-off (for example, if matching 99%
of cases is efficient, but matching 100% of cases would require deep recursion), or if you do
not need to match the whole text, remove the unnecessary part of the regular expression.
For example, if a phone number always resembles 555-5555, your regular expression would
not have to accommodate cases where a space separates the numbers, or it is prefixed by a
country code. This is less comprehensive, but also less CPU-intensive.
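The following is an added example, not part of the FortiWeb guide: a static pre-deployment check, written in Python, that flags the two constructs discussed above. It reports whether an indefinite repeat is applied to a group that itself contains an indefinite repeat, and how many capture groups the expression holds in memory. The name `audit` and the simplified syntax handling are assumptions of this example: only unnamed capture groups are counted, and the check inspects the pattern text without measuring match time.

```python
import re

# Indefinite repeats: *, + and {n,} (no upper bound).
UNBOUNDED = re.compile(r"[*+]|\{\d*,\}")

def audit(pattern):
    """Return (nested_indefinite_repeat, capture_group_count) for a regex string."""
    stack = []                # one flag per open group: contains an indefinite repeat?
    nested, captures = False, 0
    i, in_class, closed_unbounded = 0, False, False
    while i < len(pattern):
        ch = pattern[i]
        # Remember whether the previous token closed a group holding a repeat.
        prev_closed, closed_unbounded = closed_unbounded, False
        step = 1
        if ch == "\\":        # escaped character is a literal: skip both bytes
            step = 2
        elif in_class:        # inside [...] nothing is a group or a quantifier
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            stack.append(False)
            captures += not pattern.startswith("(?", i)   # "(?..." is not an unnamed capture
        elif ch == ")" and stack:
            closed_unbounded = stack.pop()
            if closed_unbounded and stack:
                stack[-1] = True          # the parent group contains the repeat too
        else:
            m = UNBOUNDED.match(pattern, i)
            if m:
                nested = nested or prev_closed   # repeat applied to a repeating group
                if stack:
                    stack[-1] = True
                step = m.end() - i
        i += step
    return nested, captures

if __name__ == "__main__":
    # The first two patterns are from the text above; the third is a constructed
    # pattern for the fixed 555-5555 phone number format.
    for p in ["^((a+)b+)*", "(/a)(/b)/(c)", r"^\d{3}-\d{4}$"]:
        nested, captures = audit(p)
        print(f"{p!r}: nested indefinite repeat={nested}, capture groups={captures}")
```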