Support User Manuals

Fortinet 5.0 Patch 6 Microscope & Magnifier User Manual

Open as PDF

of 705

Fortinet 353 FortiWeb 5.0 Patch 6 Administration Guide

4. Click OK.

Action Select which action the FortiWeb appliance will take when it

detects a violation of the rule:

• Alert — Accept the request and generate an alert email and/or

log message.

• Alert & Deny — Block the request (or reset the connection) and

generate an alert email and/or log message. 

You can customize the web page that will be returned to the

client with the HTTP status code. See “Uploading a custom

error page” on page 467 or Error Message.

• Period Block — Block subsequent requests from the client for

a number of seconds. Also configure Block Period.

You can customize the web page that will be returned to the

client with the HTTP status code. See “Uploading a custom

error page” on page 467 or Error Message.

Tip: For improved performance during a confirmed DDoS,

select this option. Attackers participating in the DoS will then

be blocked at the IP layer, conserving FortiWeb resources that

would otherwise be consumed by scanning each attacker’s

request at the HTTP layer, compounding the effects of the

DDoS.

The default value is Alert.

Caution: This setting will be ignored if Monitor Mode is enabled.

Note: Logging and/or alert email will occur only if enabled and

configured. See “Logging” on page 542 and “Alert email” on

page 576.

Note: If you will use this rule set with auto-learning, you should

select Alert. If Action is Alert & Deny, or any other option that

causes the FortiWeb appliance to terminate or modify the request

or reply when it detects an attack attempt, the interruption will

cause incomplete session information for auto-learning.

Block Period Type the number of seconds that you want to block subsequent

requests from the client after the FortiWeb appliance detects that

the client has violated the rule.

This setting is available only if Action is set to Period Block. The

valid range is from 1 to 3,600 (1 hour). The default value is 0. See

also “Monitoring currently blocked IPs” on page 606.

Severity When rule violations are recorded in the attack log, each log

message contains a Severity Level (severity_level) field.

Select which severity level the FortiWeb appliance will use when it

logs a violation of the rule:

•Low

•Medium

•High

The default value is Me

di

um.

Trigger Action Select which trigger, if any, that the FortiWeb appliance will use

when it logs and/or sends an alert email about a violation of the

rule. See “Configuring triggers” on page 557.

Setting name Description

previous next