Support User Manuals

Fortinet 5.0 Patch 6 Microscope & Magnifier User Manual

Open as PDF

of 705

Fortinet 249 FortiWeb 5.0 Patch 6 Administration Guide

Defining your protected/allowed HTTP “Host:” header names

A protected host group (also called “allowed hosts” or “protected hosts”, depending on how the

host name is used in each context) defines one or more IP addresses or fully qualified domain

names (FQDNs). Each entry in the group defines a virtual or real web host, according to the

Host: field in the HTTP header of requests. You can use these entries to determine which host

names:

• FortiWeb allows in requests, and/or

• will cause FortiW

eb to apply scans or other features

For example, if your FortiWeb receives requests with HTTP headers, such as:

GET /index.php HTTP/1.1

Host: w

ww.example.com

you

might define a protected host group with an entry of www.example.com and select it in

Protected Servers in the policy. This would block req

uests that are not for that host.

Used differently, you might select the www.example.com entry in Host when defining requests

where the parameters should be validated. This wo

uld apply protection only for that host.

Unlike a web server, which is a single IP at the netwo

rk layer, a protected host group should

contain all network IPs, virtual IPs, and domain names that clients use to access the web server

at the HTTP layer.

For example, clients often access a web server via a public network such as the Internet.

Ther

efore, the protected host group contains public domain names, IP addresses and virtual

IPs on a network edge router or firewall, such as:

• www.example.com and

• www.e

xample.co.uk and

•example.de

But in reverse proxy mode, the physical or domain server is the IP address or domain name that

th

e Fo

rtiWeb appliance uses to forward traffic to the back-end web server behind the NAT and,

therefore, is often a private network address:

• 192.168.1.10 or

•exa

mple.local

As another example, for entry level or virtualized web hosting, many Apache virtual hosts:

• business.example.cn

•

univ

ersity.example.cn

• province.example.cn

may exist on one or more back-end web servers which each have one or more network

a

dap

ters, each with one or more private network IP addresses that are hidden behind a reverse

proxy FortiWeb:

• 172.16.1.5

• 172.16.1.6

• 172.16.1.7

A protected hosts group is usually not the same as a back-end web server.

previous next