Fortinet black logo

Administration Guide

Creating an MiTB protection rule

Creating an MiTB protection rule

To create an MiTB protection rule:

  1. Go to Web Protection > Advanced Protection > Man in the Browser Protection.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. Select the Man in the Browser Protection Rule tab, then click Create New.
  4. Configure these settings:

    Name

    Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in an Man in the Browser Protection policy. The maximum length is 63 characters.

    Host status

    Enable to compare the MiTB rule to the Host: field in the HTTP header. If enabled, also configure Host.

    Host

    Select the IP address or FQDN of a protected host. For details, see Defining your protected/allowed HTTP “Host:” header names.

    URL type

    Select whether the Request URL and POST URL fields must contain either:

    • Simple String—The field is a string that the request URL must match exactly.
    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    Request URL

    The URL which hosts the web page containing the user input fields you want to protect.

    Depending on your selection in URL type , enter either:

    • Simple String—The literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    Do not include the domain name, such as www.example.com, which is configured separately in Host.

    To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.

    POST URL When the user inputs (e.g. password) are posted to the web server, a new URL will open. This is the POST URL.
    The format of the POST URL field is similar to that of the Request URL field. It supports both Simple String and Regular Expression.
    Note: The AJAX request rule only checks the Request URL, and it doesn't involve POST URLs, so the POST URL of the AJAX request rule should be set as "*" to match any URLs.

    Action

    Select which action FortiWeb will take when it detects a violation of the rule. This options is only required if you are setting a rule for the AJAX request.

    • Alert—Accept the connection and generate an alert email and/or log message.
    • Alert & Deny—Block the request (or reset the connection) and generate an alert and /or log message.

    The default value is Alert. See also Reducing false positives.

    Caution: This setting will be ignored if Monitor Mode is enabled.

    Note: Logging will occur only if enabled and configured. For details, see Logging and Alert email.

    Severity

    When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is violated. This options is only required if you are setting a rule for the AJAX request.

    • Informative
    • Low
    • Medium
    • High

    The default value is Low.

    Trigger Policy

    Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see Viewing log messages. This options is only required if you are setting a rule for the AJAX request.

  5. Click OK.

Creating an MiTB protection rule

To create an MiTB protection rule:

  1. Go to Web Protection > Advanced Protection > Man in the Browser Protection.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. Select the Man in the Browser Protection Rule tab, then click Create New.
  4. Configure these settings:

    Name

    Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in an Man in the Browser Protection policy. The maximum length is 63 characters.

    Host status

    Enable to compare the MiTB rule to the Host: field in the HTTP header. If enabled, also configure Host.

    Host

    Select the IP address or FQDN of a protected host. For details, see Defining your protected/allowed HTTP “Host:” header names.

    URL type

    Select whether the Request URL and POST URL fields must contain either:

    • Simple String—The field is a string that the request URL must match exactly.
    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    Request URL

    The URL which hosts the web page containing the user input fields you want to protect.

    Depending on your selection in URL type , enter either:

    • Simple String—The literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    Do not include the domain name, such as www.example.com, which is configured separately in Host.

    To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.

    POST URL When the user inputs (e.g. password) are posted to the web server, a new URL will open. This is the POST URL.
    The format of the POST URL field is similar to that of the Request URL field. It supports both Simple String and Regular Expression.
    Note: The AJAX request rule only checks the Request URL, and it doesn't involve POST URLs, so the POST URL of the AJAX request rule should be set as "*" to match any URLs.

    Action

    Select which action FortiWeb will take when it detects a violation of the rule. This options is only required if you are setting a rule for the AJAX request.

    • Alert—Accept the connection and generate an alert email and/or log message.
    • Alert & Deny—Block the request (or reset the connection) and generate an alert and /or log message.

    The default value is Alert. See also Reducing false positives.

    Caution: This setting will be ignored if Monitor Mode is enabled.

    Note: Logging will occur only if enabled and configured. For details, see Logging and Alert email.

    Severity

    When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is violated. This options is only required if you are setting a rule for the AJAX request.

    • Informative
    • Low
    • Medium
    • High

    The default value is Low.

    Trigger Policy

    Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see Viewing log messages. This options is only required if you are setting a rule for the AJAX request.

  5. Click OK.