Administration Guide

Restricting access to specific URLs

You can configure URL access rules that define which HTTP requests FortiWeb accepts or denies based on their Host: name and URL, as well as the origin of the request.

For example, access to administrative panels for your web application should only be allowed if the client’s source IP address is an administrator’s computer on your private management network. Unauthenticated access from unknown locations increases risk of compromise. Best practice dictates that such risk should be minimized.

URL access rules check the URL path and parameter, and do not support query string checks. In addition, they are evaluated after some other rules. As a result, permitted access can still be denied if it violates one of the rules that execute prior in the sequence. For details, see Sequence of scans.

You can use SNMP traps to notify you when a URL access rule is enforced. For details, see SNMP traps & queries.

To configure a URL access parameter
  1. Go to Web Protection > Access > URL Access and select the URL Access Parameter tab.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  2. Click Create New.
  3. Enter a name for the parameter rule.
  4. Click OK.
  5. Click Create New to add parameters.
  6. Configure these settings:
    Name
    Enter a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

    Name Type
    Select whether the parameter name field must contain either:
    • Simple String—The field is a string that the name must match exactly.
    • Regular Expression—The field is a regular expression that defines a set of matching names.

    Name
    Depending on your selection in Name Type, enter either:
    • The literal name that the HTTP request must contain in order to match the rule.
    • A regular expression.
    To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

    Use Type Check
    If Use Type Check is enabled, the parameter value must match the specified Data Type.

    Argument Type
    Select the type of the parameter value.

    Data Type
    If Data Type is selected in Argument Type, select the specific data type.
To configure a URL access rule
  1. Go to Web Protection > Access > URL Access and select the URL Access Rule tab.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  2. Click Create New.
  3. Configure these settings:
    Name
    Enter a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

    Host Status
    Enable to require that the Host: field of the HTTP request match a protected host names entry in order to match the URL access rule. Also configure Host.

    Host
    Select the protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must match in order to match the URL access rule.
    This option is available only if Host Status is enabled.

    Action
    Select the action that FortiWeb takes when it detects a violation of the rule. Supported options vary (available options are listed in the description for each specific rule), but may include:
    • Deny (no log)—Block the request (or reset the connection).
    • Pass—Allow the request. Do not generate an alert and/or log message.
    • Continue—Continue by evaluating any subsequent rules defined in the web protection profile. For details, see Sequence of scans. If the request does not violate any other rules, FortiWeb allows the request. If a single request violates multiple rules, FortiWeb generates multiple attack log messages.
    The default value is Pass.
    Caution: This setting is ignored if Monitor Mode is enabled.
    Note: Logging and/or alert email occur only if enabled and configured. For details, see Logging and Alert email.

    Severity
    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select the severity level that the FortiWeb appliance uses when it logs a violation of the rule:
    • Informative
    • Low
    • Medium
    • High
    The default value is Low.

    Trigger Action
    Select which trigger, if any, the FortiWeb appliance uses when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
  4. Click OK.
  5. Click Create New to add a new URL access condition entry to the set.
  6. Configure these settings:
    ID
    Type the index number of the individual rule within the URL access rule, or keep the field’s default value of auto to let the FortiWeb appliance automatically assign the next available index number.

    Source Address
    Enable to add the client’s source IP address as a criterion for matching the URL access rule. Also configure Source Address Type and Source Domain.

    Source Address Type
    Select how FortiWeb determines matching client source IPs:
    • IPv4/IPv6 / IP Range—A single IP address or an address range. Also configure IPv4/IPv6 / IP Range.
    • IP Resolved by Specified Domain—FortiWeb determines the source IP to match by performing a DNS lookup for the specified domain. Also configure Type and IP Resolved by Specified Domain.
    • Source Domain—To determine a match, FortiWeb performs a reverse DNS lookup for the client source IP to determine its corresponding domain, and then compares that domain to the value of Source Domain. Also configure Source Domain Type and Source Domain.

    IPv4/IPv6 / IP Range
    Enter one of the following values:
    • A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 192.0.2.109).
    • A range of addresses (e.g., 192.0.2.1-192.0.2.256 or 10:200::10:1-10:200:10:100).
    Available only if Source Address Type is IPv4/IPv6 / IP Range.

    Type
    Select the type of IP address FortiWeb retrieves from the DNS lookup of the domain specified by IP Resolved by Specified Domain.
    Available only if Source Address Type is IP Resolved by Specified Domain.

    IP Resolved by Specified Domain
    Enter the domain to match the client source IP after DNS lookup.
    Available only if Source Address Type is IP Resolved by Specified Domain.

    Source Domain Type
    Specify whether the Source Domain field contains a literal domain (Simple String) or a regular expression designed to match multiple domains (Regular Expression).
    When you finish typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.
    Available only if Source Address Type is Source Domain.

    Source Domain
    Specify the domain to match. Depending on the value of Source Domain Type, enter one of the following:
    • the literal domain
    • a regular expression.
    Available only if Source Address Type is Source Domain.

    URL Type
    Select whether the URL Pattern field contains a literal URL (Simple String) or a regular expression designed to match multiple URLs (Regular Expression).

    URL Pattern
    Depending on your selection in URL Type, enter either:
    • The literal URL, such as /folder1/index.htm, that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • A regular expression.
    For example, if the URL is:
    /send/index1.html
    To match the exact, full URL when the name is between index1.html and index9.html:
    ^/send/index[0-9]\.html
    To match the root path regardless:
    ^/send/.*
    The pattern does not require a slash ( / ). However, it must at least match URLs that begin with a slash, such as /admin.cfm.
    When you finish typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.
    Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list for the URL access rule.
    Most web protection modules, including URL Access, do not detect RPC traffic, so a URL in the URL Access policy that matches RPC traffic has no effect. To restrict RPC traffic, use HTTP Protocol Constraints.

    URL Access Parameter
    Select the parameter rule you created in the URL Access Parameter tab.

    Use HTTP Method Check
    Enable so that only requests with the specified HTTP methods match.

    Only Method
    Select the HTTP methods to match.

    Use HTTP Protocol Check
    Enable so that only requests with the specified HTTP protocols match.

    Only Protocol
    Select the HTTP protocols to match.

    Meet this condition if
    Select whether the access condition is met when the HTTP request matches both the regular expression (or text string) and the source IP address of the client, or when it does not match the regular expression (or text string) and/or the source IP address of the client.
  7. Click OK.
  8. Repeat the previous steps for each individual condition that you want to add to the URL access rule.
  9. Go to Web Protection > Access > URL Access.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  10. Click Create New.
  11. In Name, type a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
  12. Click OK.
  13. Click Create New to add an entry to the set.
  14. From the Access Rule Name drop-down list, select the name of a URL access rule to include in the policy.
    To view or change the information associated with the rule, select the Detail link. The URL Access Rule dialog appears. Use the browser Back button to return.
  15. Click OK.
  16. Repeat the previous steps for each individual rule that you want to add to the URL access policy.
    Rules at the top of the list have priority over rules further down. Use Move to change the order of the rules. The ID value does not affect rule priority.
  17. To apply the URL access policy, select it in an inline or Offline Protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
    Attack log messages contain URL Access Violation when this feature detects a suspicious HTTP request.
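The condition settings and the top-down rule priority described in this procedure can be tried out in a small model. The following Python is an added example written for this page; it is not FortiWeb code and does not reproduce the appliance's matching engine. Its assumptions, which the guide does not state, are marked in comments: a Simple String `*` wildcard matches any run of characters including `/` and the literal must cover the whole path, a rule fires when any one of its conditions is met, and a request that no rule decides falls through to the other scans. The management range 192.0.2.1-192.0.2.50, the client addresses and the admin-panel policy are constructed sample data.

```python
"""Toy evaluator for FortiWeb-style URL access conditions and rule order.

Added as an illustration for this page; not FortiWeb code. Matching semantics
that the guide leaves open are ASSUMPTIONS (see comments). It mirrors these
settings: URL Type / URL Pattern, Source Address (IPv4/IPv6 / IP Range),
Only Method, "Meet this condition if", Action, and list priority.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Condition:
    url_pattern: str                                 # URL Pattern
    url_type: str = "simple"                         # URL Type: "simple" or "regex"
    source_ips: list = field(default_factory=list)   # "192.0.2.9" or "192.0.2.1-192.0.2.50"
    methods: Optional[set] = None                    # Only Method (None = no method check)
    meet_if: str = "match"                           # Meet this condition if: "match" / "not_match"


@dataclass
class Rule:
    name: str
    action: str                                      # "deny", "pass" or "continue"
    conditions: list


def _url_regex(cond: Condition) -> str:
    """Turn the URL Pattern into a regex; Regular Expression patterns are used as is."""
    if cond.url_type == "regex":
        return cond.url_pattern
    # Simple String: literal text, with '*' standing for any run of characters.
    # ASSUMPTION: '*' may cross '/' and the literal must cover the whole path.
    return "^" + ".*".join(re.escape(p) for p in cond.url_pattern.split("*")) + "$"


def url_matches(cond: Condition, path: str) -> bool:
    """URL access rules look at the path only; the query string is not inspected."""
    path = path.split("?", 1)[0]
    return re.search(_url_regex(cond), path) is not None


def ip_matches(cond: Condition, client_ip: str) -> bool:
    """Source Address check: single address or 'low-high' range, IPv4 or IPv6."""
    if not cond.source_ips:
        return True                                  # Source Address disabled: any client
    ip = ipaddress.ip_address(client_ip)
    for entry in cond.source_ips:
        low, _, high = entry.partition("-")
        low = ipaddress.ip_address(low.strip())
        high = ipaddress.ip_address(high.strip()) if high else low
        if low.version == ip.version and low <= ip <= high:
            return True
    return False


def condition_met(cond: Condition, method: str, path: str, client_ip: str) -> bool:
    """'match': met when URL and source IP both match. 'not_match': met when the
    request does NOT match URL and/or source IP, i.e. the negated conjunction."""
    if cond.methods is not None and method.upper() not in cond.methods:
        return False
    both = url_matches(cond, path) and ip_matches(cond, client_ip)
    return both if cond.meet_if == "match" else not both


def evaluate(policy: list, method: str, path: str, client_ip: str):
    """Walk the policy top-down; rules nearer the top have priority.

    ASSUMPTION: a rule fires when any one of its conditions is met. Continue
    consults the following rules; if no rule decides, the request goes on to the
    other scans, reported here as ('no-match', None)."""
    for rule in policy:
        if any(condition_met(c, method, path, client_ip) for c in rule.conditions):
            if rule.action == "continue":
                continue
            return rule.action, rule.name
    return "no-match", None


# Constructed sample data: a management range and an admin-panel policy.
MGMT_NET = ["192.0.2.1-192.0.2.50"]

ADMIN_POLICY = [
    # Administrators on the management range may use the panel; listed first so it wins.
    Rule("allow-admin-from-mgmt", "pass", [Condition("/admin/*", "simple", MGMT_NET)]),
    # Everyone else is blocked from it.
    Rule("deny-admin", "deny", [Condition(r"^/admin/.*", "regex")]),
]

if __name__ == "__main__":
    for ip, path in [("192.0.2.9", "/admin/"), ("203.0.113.5", "/admin/"),
                     ("203.0.113.5", "/index.html")]:
        print(ip, path, evaluate(ADMIN_POLICY, "GET", path, ip))
```

Two things worth checking with this model. Under ordinary regex search semantics (assumed here), the guide's pattern `^/send/index[0-9]\.html` also matches `/send/index1.html.bak`, so add a trailing `$` when the match must be exact. Reversing the two rules of ADMIN_POLICY turns the administrator's own request into a deny, which is why the order in the policy list, not the ID value, decides; and a condition set to "does not match" is met whenever the URL or the source IP fails to match, so a single deny rule built that way also blocks non-admin URLs from every client.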