Support User Manuals

Fortinet 5.0 Patch 6 Microscope & Magnifier User Manual

Open as PDF

of 705

Fortinet 440 FortiWeb 5.0 Patch 6 Administration Guide

8. Click OK.

9. Repeat the previous steps for each exception that you want to add to the allowed method

exceptions.

10.To apply the allowed method exception, select it in an allowed method policy. For details,

see “Specifying allowed HTTP methods” on page 436.

See also

• Configuring a protection profile for inline topologies

• Configuring a protection profile for an out-of-band topology or asynchronous mode of

operation

HTTP/HTTPS protocol constraints

Protocol constraints govern features such as the HTTP header fields in the protocol itself, as

well as the length of the HTML, XML, or other documents or encapsulated protocols carried in

the HTTP body payload.

URL Pattern De

pend

ing on your selection in Type, enter either:

• the literal URL, such as /index.php, that is an exception to the

generally allowed HTTP request methods. The URL must begin with a

slash ( / ).

• a regular expression, such as ^/*.php, matching all and only the URLs

which are exceptions to the generally allowed HTTP request methods.

The pattern does not require a slash ( / ); however, it must at match URLs

that begin with a slash, such as /index.cfm.

For example, if multiple URLs on a host have identical HTTP request

method requirements, you would type a regular expression matching all

of and only those URLs.

Do not include the domain name, such as www.example.com, which is

configured separately in the Host drop-down list.

To create and test a regular expression, click the >> (test) icon. This opens

the Regular Expression Validator window where you can fine-tune the

expression (see “Regular expression syntax” on page 673).

Allow

Method

Exception

Mark the check boxes of all HTTP request methods that you want to allow.

Methods that you do not select will be denied.

The OTHERS option includes methods not specifically named in the other

options. It often may be required by WebDAV (RFC 4918) applications such

as Microsoft Exchange Server 2003 and Subversion, which may require

HTTP methods not commonly used by web browsers, such as PROPFIND

and BCOPY.

Note: If a WAF Auto Learning Profile will be selected in the policy with an

offline protection profile that uses this allowed method exception, you must

enable the HTTP request methods that will be used by sessions that you

want the FortiWeb appliance to learn about. If a method is disabled, the

FortiWeb appliance will reset the connection, and therefore cannot learn

about the session.

Setting

name

Description

previous next