Administration Guide

Configuring a protection profile for inline topologies

Inline protection profiles combine previously configured rules, profiles, and policies into a comprehensive set that can be applied by a policy. Inline protection profiles contain only the features that are supported in inline topologies, which you use with operation modes such as Reverse Proxy and True Transparent Proxy.

Inline protection profiles include features that require an inline network topology. They can be configured at any time, but cannot be applied by a policy if the FortiWeb appliance is operating in a mode that does not support them. For details, see How operation mode affects server policy behavior.
To configure an inline protection profile

  1. Before configuring an inline protection profile, first configure any of the following that you want to include in the profile:
  2. Go to Policy > Web Protection Profile and select the Inline Protection Profile tab.

     To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

  3. Click Create New.

     Alternatively, click the Clone icon to copy an existing profile as the basis for a new one. The predefined profiles supplied with your FortiWeb appliance cannot be edited, only viewed or cloned.

  4. Configure these settings:

    Name

    Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

    Session Management

    Enable to add a cookie to the reply in order for FortiWeb to be able to track the state of web applications across multiple requests (i.e., to implement HTTP sessions). Also configure Session Timeout.

    This feature adds FortiWeb’s own session support, and does not duplicate or require that your web applications have their own sessions. For details, see HTTP sessions & security.

    Note: Enabling this option is required if:

    Note: This feature requires that the client support cookies. RPC clients and browsers where the person has disabled cookies do not support FortiWeb HTTP sessions, and therefore also do not support FortiWeb features that are dependent upon them.

    Note: This option is not supported in an Active-Active HA deployment when the algorithm By connections or Round-robin is used for load-balancing.

    Session Timeout

    Type the HTTP session timeout in seconds.

    After this time elapses with no subsequent requests, the FortiWeb appliance will regard the next request as the start of a new HTTP session.

    This option appears only if Session Management is enabled. The default is 1200 (20 minutes). The valid range is from 20 to 3,600 seconds.

    X-Forwarded-For

    Select the X-Forwarded-For: and X-Real-IP: HTTP header settings to use, if any. For details, see Defining your proxies, clients, & X-headers.

    Note: Configuring this option is required if the true IP address of the client is hidden from FortiWeb because a load balancer or other web proxy is deployed in front. In that case, you must configure an X-header rule so that FortiWeb will block only requests related to the original client. Otherwise, it may block all requests whenever any attack occurs, since all requests will appear to originate from the proxy’s IP.

    Signatures

    Select the name of the signature set you have configured in Web Protection > Known Attacks, if any, that will be applied to matching requests.

    Enable AMF3, XML, or JSON Protocol Detection if applicable.

    Attack log messages for this feature vary by which type of attack was detected. For a list, see Blocking known attacks & data leaks.

    Enable AMF3 Protocol Detection

    Enable to scan requests that use action message format 3.0 (AMF3) for:

    • Cross-site scripting (XSS) attacks
    • SQL injection attacks
    • Common exploits

    and other attack signatures that you have enabled in Signatures.

    AMF3 is a binary format that can be used by Adobe Flash/Flex clients to send input to server-side software.

    Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will cause the FortiWeb appliance to be unable to scan AMF3 requests for attacks.

    Custom Policy

    Select the name of a combination source IP, rate limit, HTTP header, and URL access policy, if any, that will be applied to matching requests. For details, see Combination access control & rate limiting.

    Attack log messages contain Custom Access Violation when this feature detects a violation.

    Padding Oracle Protection

    Select the name of a padding oracle protection rule, if any, that will be applied to matching requests. For details, see Defeating cipher padding attacks on individually encrypted inputs.

    Attack log messages contain Padding Oracle Attack when this feature detects a violation.

    CSRF Protection

    Select the name of a cross-site request forgery protection rule, if any, to apply to matching requests. For details, see Defeating cross-site request forgery (CSRF) attacks.

    Available only when Session Management is selected.

    HTTP Header Security

    Select the name of an HTTP header security policy, if any, to apply to matching responses.

    For details, see Addressing security vulnerabilities by HTTP Security Headers.

    Man in the Browser Protection

    Select the name of an MiTB protection rule, if any, that will be applied to matching requests. For details, see Protection for Man-in-the-Browser (MiTB) attacks.

    Cookie Security Policy

    Select the name of a cookie security policy to apply to matching requests. For details, see Protecting against cookie poisoning and other cookie-based attacks.

    If the Security Mode option in the policy is Signed, ensure that Session Management is On.

    Parameter Validation

    Select the name of the parameter validation rule, if any, that will be applied to matching requests. For details, see Validating parameters (“input rules”).

    Attack log messages contain Parameter Validation Violation when this feature detects a parameter rule violation.

    Hidden Fields Protection

    Select the name of the hidden fields protection rule, if any, to use to protect hidden fields on your website. For details, see Preventing tampering with hidden inputs.

    Attack log messages contain Hidden Field Manipulation when this feature detects tampering.

    This option appears only when Session Management is enabled.

    File Security

    Select an existing file security policy, if any, that will be applied to matching HTTP requests. For details, see Limiting file uploads.

    Attack log messages contain Illegal File Size when this feature detects an excessively large upload.

    HTTP Protocol Constraints

    Select the name of an HTTP parameter constraint, if any, that will be applied to matching requests. For details, see HTTP/HTTPS protocol constraints.

    Attack log messages for this feature vary by which type of constraint was violated.

    WebSocket Security

    Select the name of a WebSocket security rule, if any, that will be applied to matching requests. For details, see WebSocket protocol.

    Brute Force Login

    Select the name of a brute force login attack profile, if any, that will be applied to matching requests. For details, see Preventing brute force logins.

    Attack log messages contain Brute Force Login Violation when this feature detects a brute force login attack.

    URL Access

    Select the name of the URL access policy, if any, that will be applied to matching HTTP requests. For details, see Restricting access to specific URLs.

    Attack log messages contain URL Access Violation when this feature detects a URL matched by this policy.

    Page Access

    Select the page access rule, if any, that defines the URLs that must be accessed in a specific order. See Enforcing page order that follows application logic.

    Attack log messages contain Page Access Violation when this feature detects an illegal request order.

    This option appears only when Session Management is enabled.

    Start Pages

    Select the start pages rule, if any, that represents legitimate entry points into your web pages and web services. For details, see Specifying URLs allowed to initiate sessions.

    Attack log messages contain Start Page Violation when this feature detects a session attempting to initiate illegally.

    This option appears only when Session Management is enabled.

    Allow Method

    Select an existing allow method policy, if any, that will be applied to matching HTTP requests. For details, see Specifying allowed HTTP methods.

    Attack log messages contain HTTP Method Violation when this feature detects a non-allowed HTTP request method.

    IP List

    Select the name of a client white list or black list, if any, that will be applied to matching requests. For details, see Blacklisting & whitelisting clients using a source IP or source IP range.

    Geo IP

    Select the name of a geographically-based client black list, if any, that will be applied to matching requests. For details, see Blacklisting & whitelisting countries & regions.

    XML Protection

    Select the name of an existing XML protection policy. For details, see Configuring XML protection.

    JSON Protection

    Select the name of an existing JSON protection policy. For details, see Configuring JSON protection.

    OpenAPI Protection

    Select the name of an existing OpenAPI protection policy. For details, see OpenAPI Validation.

    API Gateway

    Select the name of an existing API gateway policy. For details, see Configuring API gateway policy.

    CORS Protection

    Select the name of an existing CORS Protection policy. For details, see Cross-Origin Resource Sharing (CORS) protection.

    Bot Mitigation Policy

    Select the name of an existing bot mitigation policy. For details, see Configuring bot mitigation policy.

    DoS Protection Policy

    Select the name of an existing DoS prevention policy. For details, see Grouping DoS protection rules.

    IP Reputation

    Enable to apply IP reputation intelligence. For details, see Blacklisting source IPs with poor reputation.

    Mobile Application Identification

    Enable to configure the JWT token secret and token header to verify a request from a mobile application.

    Refer to the Approov documentation for how to get the token.

    For details, see Configuring mobile API protection.

    Note: You need to enable Mobile Application Identification first from System > Config > Feature Visibility.

    Token Secret

    Enter the token secret that you obtained from Approov.

    Available only when Mobile Application Identification is enabled.

    Token Header

    Specify the header where the token is carried.

    Available only when Mobile Application Identification is enabled.

    Mobile API Protection

    Select the name of an existing API protection policy. For details, see Configuring mobile API protection.

    FortiGate Quarantined IPs

    Enable to detect source IP addresses that a FortiGate unit is currently preventing from interacting with the network and protected systems. Then, select the action that FortiWeb takes if it detects a quarantined IP address:

    • Alert—Accept the request and generate an alert email, log message, or both.
    • Alert & Deny—Block the request and generate an alert, log message, or both.
    • Deny (no log)—Block the request (or reset the connection).

    Note: If FortiWeb is deployed behind a NAT load balancer and this option is enabled, to prevent FortiWeb from blocking all connections when it detects a violation of this type, define an X-header that indicates the original client’s IP. For details, see Defining your proxies, clients, & X-headers.

    In addition, select a severity level and trigger policy.

    For information on configuring communication with the FortiGate that provides the list of quarantined IP addresses, see Receiving quarantined source IP addresses from FortiGate.

    Allow Known Search Engines

    Enable to exempt popular search engines’ spiders from DoS sensors, brute force login sensors, HTTP protocol constraints, combination rate & access control (called “advanced protection” and “custom policies” in the web UI), and blocking by geographic location (Geo IP).

    This option improves access for search engines. Rapid access rates, unusual HTTP usage, and other characteristics that may be suspicious for web browsers are often normal with search engines. If you block them, your websites’ rankings and visibility may be affected.

    By default, this option allows all popular predefined search engines. Known search engine indexer source IPs are updated via FortiGuard Security Service. To specify which search engines are exempt, click the Details link. A new frame appears on the right side of the protection profile. Enable or disable each search engine, then click Apply. See also Blacklisting content scrapers, search engines, web crawlers, & other robots.

    URL Rewriting

    Select the name of a URL rewriting rule set, if any, that will be applied to matching requests.

    For details, see Rewriting & redirecting.

    HTTP Authentication

    Select the name of an authorization policy, if any, that will be applied to matching requests. For details, see Offloading HTTP authentication & authorization.

    If the client fails to authenticate, it will receive an HTTP 403 Access Forbidden error message.

    Site Publish

    Select the name of a site publishing policy, if any, that will be applied to matching requests. For details, see Single sign-on (SSO) (site publishing).

    File Compress

    Select the name of a compression policy, if any, that will be applied to matching requests. For details, see Configuring compression offloading.

    Web Cache

    Select the name of a content caching policy, if any, that will be used for matching requests. For details, see Caching.

    User Tracking

    Select the name of a user tracking policy, if any, to use for matching requests. For details, see Tracking users.

    Device Tracking

    Enable to begin tracking client devices. When this feature is enabled, each device is tracked regardless of its location or IP, and security violations can be defined according to the risk level of devices using device reputation security policies. For details, see Blocking client devices with poor reputation.

    Device Reputation Security Policy

    Select the name of a device reputation security policy, if any, so that FortiWeb can carry out violation actions according to the risk level of devices defined in a device reputation security policy.

    This option appears only if Device Tracking is enabled. If a device reputation security policy is not selected when Device Tracking is enabled, violation actions will be carried out as defined in the individual policy and rule selected in the protection profile. For details, see Blocking client devices with poor reputation.

    Redirect URL

    Type a URL including the FQDN/IP and path, if any, to which a client will be redirected if:

    • Its request violates any of the rules in this profile, and
    • The Action for the rule is set to Redirect.

    For example, you could enter:

    www.example.com/products/

    If you do not enter a URL, depending on the type of violation and the configuration, the FortiWeb appliance will log the violation, may attempt to remove the offending parts, and could either reset the connection or return an HTTP 403 Access Forbidden or 404 File Not Found error message.

    Redirect URL With Reason

    Enable to include the reason for redirection as a parameter in the URL, such as reason=Parameter%20Validation%20Violation, when traffic has been redirected using Redirect URL. The FortiWeb appliance also adds fortiwaf=1 to the URL to detect and cancel a redirect loop (if the redirect action would otherwise recursively trigger an attack event).

    By default, this option is disabled.

    Caution: If the FortiWeb appliance is protecting a redirect URL, enable this option to prevent infinite redirect loops.

    To view or modify a component without leaving the page, next to the drop-down menu where you have selected the component, click Detail.

  5. Click OK.
  6. To apply the inline protection profile, select it in a server policy. For details, see Configuring an HTTP server policy.
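
The notes under X-Forwarded-For and FortiGate Quarantined IPs describe the same failure: behind a load balancer, every request arrives from the proxy's address, so blocking by source IP blocks everyone. The Python sketch below is an added example, not part of the FortiWeb documentation and not FortiWeb's implementation; it shows the general technique of attributing a request to the first untrusted hop in X-Forwarded-For. The trusted proxy range, the addresses and the function names are constructed for illustration.

```python
import ipaddress

# Assumption: the load balancers in front of the WAF live in this range.
# All addresses below are constructed (documentation ranges).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True when addr belongs to one of the known proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def original_client(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address a violation should be attributed to.

    The header is honoured only when the TCP peer is a known proxy, and it is
    read right to left: the rightmost entries were appended by the proxies
    closest to us, while anything further left was supplied by the client and
    may be forged.
    """
    if not is_trusted(peer_ip, trusted):
        return peer_ip  # direct connection: ignore any client-sent header
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    last_good = peer_ip
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop at the last hop we could verify
        if not any(ip in net for net in trusted):
            return str(ip)  # first hop that is not one of our proxies
        last_good = str(ip)
    return last_good


def simulate(requests, key):
    """Block the source of any attack, then deny later requests from it."""
    blocked, outcomes = set(), []
    for peer, xff, is_attack in requests:
        src = key(peer, xff)
        if src in blocked:
            outcomes.append("deny")
        elif is_attack:
            blocked.add(src)
            outcomes.append("deny")
        else:
            outcomes.append("allow")
    return outcomes


# Constructed traffic: (TCP peer, X-Forwarded-For value, violates a rule?)
REQUESTS = [
    ("192.0.2.10", "198.51.100.7", False),
    ("192.0.2.10", "203.0.113.50", True),             # one client attacks
    ("192.0.2.10", "198.51.100.7", False),
    ("192.0.2.10", "198.51.100.23", False),
    ("192.0.2.10", "10.9.9.9, 203.0.113.50", False),  # forged leftmost hop
    ("198.51.100.99", "198.51.100.7", False),         # direct peer, forged header
]


def by_peer():
    """No X-header rule: every request is keyed on the proxy's address."""
    return simulate(REQUESTS, lambda peer, xff: peer)


def by_client():
    """With an X-header rule: requests are keyed on the original client."""
    return simulate(REQUESTS, original_client)


if __name__ == "__main__":
    print("keyed on TCP peer:       ", by_peer())
    print("keyed on original client:", by_client())
```

Keyed on the TCP peer, one attack causes every later request through the proxy to be denied; keyed on the resolved client, only the offending address is denied, and a forged leftmost hop does not let it escape the block.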
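
Mobile Application Identification pairs a token secret with a token header so that a request can be verified as coming from the mobile application. The Python sketch below is an added example, not code from FortiWeb or Approov; it shows what such a check involves for a JWT. It assumes the token is signed with HS256 and carries an exp claim; the header name X-App-Token, the secret and the helper names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

TOKEN_HEADER = "X-App-Token"                      # hypothetical header name
TOKEN_SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed secret


def _b64url_decode(part):
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims, secret=TOKEN_SECRET, alg="HS256"):
    """Build a sample token for the demonstration (constructed input)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_request(headers, secret=TOKEN_SECRET, now=None):
    """Return (ok, reason) for a request's header dictionary."""
    now = time.time() if now is None else now
    lookup = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    token = lookup.get(TOKEN_HEADER.lower())
    if not token:
        return False, "missing token header"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        sig = _b64url_decode(parts[2])
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm: never let the token choose how it is verified
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected algorithm"
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    # Claims are parsed only after the signature has been verified
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return False, "malformed token"
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired or missing exp"
    return True, "ok"


if __name__ == "__main__":
    good = make_token({"exp": int(time.time()) + 300})
    print(verify_request({TOKEN_HEADER: good}))
    print(verify_request({TOKEN_HEADER: make_token({"exp": 1})}))
    print(verify_request({}))
```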