Fortinet 25 FortiWeb 5.0 Patch 6 Administration Guide
Table 1: Execution sequence (web protection profile)

Scan/action: HTTP Request Limit/sec (Standalone IP) or HTTP Request Limit/sec (Shared IP) (HTTP Access Limit)
Involves:
• ID field of the IP header
• Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers” on page 266) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)

Scan/action: HTTP Authentication
Involves:
Authorization:

Scan/action: Global White List
Involves:
• Cookie: cookiesession1
• URL if /favicon.ico, AJAX URL parameters such as __LASTFOCUS, and others as updated by the FortiGuard Security Service

Scan/action: URL Access
Involves:
• Host:
• URL in HTTP header
• Source IP of the client in the IP header

Scan/action: Brute Force Login
Involves:
• Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers” on page 266) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
• URL in the HTTP header

Scan/action: HTTP Protocol Constraints
Involves:
• Content-Length:
• Parameter length
• Body length
• Header length
• Header line length
• Count of Range: header lines
• Count of cookies

Scan/action: Cookie Poisoning Detection
Involves:
Cookie:

Scan/action: Start Pages
Involves:
• Host:
• URL in HTTP header
• Session state

Scan/action: Page Access (page order)
Involves:
• Host:
• URL in HTTP header
• Session state

Scan/action: File Upload Restriction
Involves:
• Content-Length:
• Content-Type: in PUT and POST requests
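
The HTTP Request Limit/sec and Brute Force Login rows both key on a client address that may come from the IP header or from X-Forwarded-For: / X-Real-IP:. The sketch below is an added example, not FortiWeb code or its documented algorithm: it shows why that choice matters for a per-client limit, honoring X-headers only when the TCP peer is a listed proxy. The proxy range, function names and class name are assumptions made for illustration, and header names are assumed to be already normalized to the spelling shown.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample value: range of load balancers allowed to set X-headers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer_ip, headers):
    """Pick the address that per-client limits should be keyed on."""
    peer = ipaddress.ip_address(peer_ip)
    if not _trusted(peer):
        return str(peer)  # direct client: its X-headers are self-declared
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    # Read right to left: entries appended by our own proxies come last,
    # anything further left was supplied by the client and is not reliable.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the SRC address
        if not _trusted(addr):
            return str(addr)
    try:
        return str(ipaddress.ip_address(headers.get("X-Real-IP", "").strip()))
    except ValueError:
        return str(peer)

class RequestLimiter:
    """Sliding one-second window of request timestamps per resolved client."""
    def __init__(self, limit_per_sec):
        self.limit = limit_per_sec
        self.seen = defaultdict(deque)

    def allow(self, peer_ip, headers, now):
        window = self.seen[client_ip(peer_ip, headers)]
        while window and now - window[0] >= 1.0:
            window.popleft()  # drop requests older than one second
        if len(window) >= self.limit:
            return False
        window.append(now)
        return True
```

With this keying, a client that connects directly and rotates its X-Forwarded-For: value on every request still lands in one counter, while clients behind the listed proxy are counted separately.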