Administration Guide

Configuring exempted URLs

When you configure the schema location setting to forbid use of the location field to perform malicious requests, you can exempt specific URLs from XML protection.

To create an exempted URLs list
  1. Go to XML Protection > Exempted URLs.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  2. Click Create New.
  3. For Name, enter a name for the exempted URL list. You will use the Name to select the list in an XML protection rule.
  4. Click OK.
  5. Click Create New.
  6. Configure these settings:

    URL type

    Select whether the URL field must contain either:

    • Simple String—The field is a string that the request URL must match exactly.
    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    URL

    Depending on your selection in URL type, enter either:

    • Simple String—Enter a literal URL, such as /folder1/index.htm, that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.

  7. Click OK.
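
Because every exempted URL bypasses XML protection, it helps to check a Regular Expression entry against URLs that should and should not be exempt before saving it. The following is an added example, not Fortinet code: it assumes the appliance performs an unanchored search as Python's `re.search` does, and the sample URLs and the tighter pattern are constructed for illustration. The Regular Expression Validator in the web UI remains the authority on how a pattern matches.

```python
import re


def audit_exemption(pattern, should_exempt, must_protect):
    """Check one Regular Expression exemption entry against sample URLs.

    Assumption: matching is an unanchored search (Python re.search);
    confirm the result in the appliance's own validator.
    """
    rx = re.compile(pattern)
    findings = []
    # Without an unescaped trailing $, longer URLs can also be exempted.
    if not pattern.endswith("$") or pattern.endswith("\\$"):
        findings.append(("no-end-anchor", pattern))
    # URLs the list is meant to exempt but the pattern misses.
    for url in should_exempt:
        if not rx.search(url):
            findings.append(("not-exempted", url))
    # URLs that must keep XML protection but the pattern would exempt.
    for url in must_protect:
        if rx.search(url):
            findings.append(("over-exempted", url))
    return findings


# Constructed sample URLs, not taken from any real deployment.
SHOULD_EXEMPT = ["/index.php"]
MUST_PROTECT = ["/aphp/soap", "/index.php.bak"]

PAGE_PATTERN = r"^/*.php"          # the example pattern shown in the URL setting
TIGHT_PATTERN = r"^/[^/]+\.php$"   # constructed alternative: one path segment ending in .php

if __name__ == "__main__":
    for pattern in (PAGE_PATTERN, TIGHT_PATTERN):
        print(pattern, audit_exemption(pattern, SHOULD_EXEMPT, MUST_PROTECT))
```

Under these assumptions, an unescaped `.` and `*` behave as regex metacharacters rather than as a literal dot and a wildcard, which is why the two patterns give different results.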
