Administration Guide

Specifying URLs allowed to initiate sessions

To prevent attackers from exploiting web applications that are vulnerable to state-based attacks, you may need to define legitimate entry points into your web applications.

When you configure a start page rule in the CLI and apply it in an inline protection profile, clients must begin from a valid start page in order to initiate a valid HTTP session. If they violate this rule, they will either be logged, blocked, or redirected to one of the valid entry pages, depending on the action configured in the rule.

All web pages in a start page rule must belong to the same website. Start page rules cannot redirect each violation to a different location, depending on which of the rules was violated. If you choose to redirect violations, all violations will be redirected to the same “default” URL.

For example, you may insist that HTTP clients of an e-commerce website begin their session from either the main page, an item view, or login. Clients are not allowed to begin a valid session from the third stage of the shopping cart checkout. If someone initiates a session from partway through the shopping cart checkout, it is likely to be an attack. But just in case it was due to a legitimate client clearing the browser’s cookies or clicking a link or bookmark, FortiWeb could redirect the request to one of the valid start pages.

Refer to FortiWeb CLI Reference for how to configure a start page rule and apply it in an inline protection profile.

In order for start page rules to be enforced, you must also set http-session-management {enable | disable} to enable in waf web-protection-profile inline-protection; without session management, FortiWeb cannot tell a new session from an existing one.

Attack log messages contain Start Page Violation when this feature detects a start page violation. Additionally, if the start page rule was configured to redirect the attacker, parameters are appended to the redirect URL to indicate the reason, for example:

http://example.com/index.html?redirect491=1&reason747sha=Start%20Page%20Violation

After an HA failover, FortiWeb cannot apply this feature to existing sessions, because the newly active appliance does not know their previous session history. It will apply the feature to new sessions as they are formed. For details, see Sessions & FortiWeb HA.
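The following is an added reference model of the behaviour described above, written for this page and not FortiWeb's own code: a request without a known session must land on one of the rule's start pages, every violation gets the rule's single action, and a redirect carries the reason parameters shown in the example URL. The rule fields and the session store are assumptions; an empty session store models the state of a newly active appliance after an HA failover.

```python
# Added example: a minimal reference model of start-page enforcement, written to
# illustrate this page. It is not FortiWeb code; the rule fields and the session
# store are assumptions, the redirect parameters are the ones the page shows.
from dataclasses import dataclass
from urllib.parse import quote, urlencode, urlsplit, urlunsplit

REASON = "Start Page Violation"  # the text that appears in attack log messages


@dataclass(frozen=True)
class StartPageRule:
    host: str                  # every page in a rule belongs to one website
    start_paths: frozenset     # valid entry points, e.g. main page, item view, login
    action: str                # "log", "block" or "redirect" (one action per rule)
    default_path: str          # every redirected violation goes to this one URL


def redirect_url(rule: StartPageRule) -> str:
    """Build the redirect target with the reason appended, as on this page."""
    query = urlencode({"redirect491": "1", "reason747sha": REASON}, quote_via=quote)
    return urlunsplit(("http", rule.host, rule.default_path, query, ""))


def enforce(rule: StartPageRule, url: str, session_id, known_sessions: set):
    """Return (allowed, action, detail) for one request.

    A request carrying a session the appliance knows is never a start-page
    violation. A request without one starts a new session and must land on a
    start path; otherwise the rule's action applies. known_sessions is the
    appliance's own memory, so an empty set models the state right after an HA
    failover: requests from existing sessions are then judged as if new."""
    path = urlsplit(url).path
    if session_id is not None and session_id in known_sessions:
        return True, "pass", "existing session"
    if path in rule.start_paths:
        return True, "pass", "new session from valid start page"
    if rule.action == "log":
        return True, "log", REASON
    if rule.action == "block":
        return False, "block", REASON
    return False, "redirect", redirect_url(rule)


if __name__ == "__main__":
    shop = StartPageRule("example.com", frozenset({"/index.html", "/item", "/login"}),
                         "redirect", "/index.html")
    # Constructed sample: a client lands on checkout step 3 with no session.
    print(enforce(shop, "http://example.com/checkout/step3", None, set()))
```

The last two assertions in a test of this model show the failover caveat: the same session id passes while it is in the store and is redirected once the store is empty.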