Description
Use of the ‘Protected Server’ configuration within the FortiWeb Web Security Appliance.
Server Policy -> Protected Server
Server Policy -> Policy | Protected Servers
A protected servers group contains one or more IP addresses and/or fully qualified domain names (FQDNs). Each of those entries in the protected servers group defines a virtual or real web host, according to the Host: field in the HTTP header of requests, that you want the FortiWeb unit to protect.
For example, if your web servers receive requests with HTTP headers such as:
GET /index.php HTTP/1.1
Host: www.example.com
You might define a protected server group with an entry of www.example.com and select it in the policy. This would reject requests that are not for that host.
Protected server groups can be used by:
• Policies
• Input Rules
• Start Page Rules
• Page Access Rules
• Black List Rules
• White List Rules
Policies can use protected server definitions to block connections that are not destined for a protected server. If you do not select a protected servers group in a policy, connections will be accepted or blocked regardless of the Host: field.
Input rules, start page rules, page access rules, black list rules, and white list rules can use protected server definitions to apply rules only to requests for a protected server. If you do not specify a protected servers group in the rule, the rule will be applied based upon other criteria such as the URL, but regardless of the Host: field.
To view the list of protected server groups, go to
Server Policy -> Protected Servers | Protected Servers.
Scope
FortiWeb Release 3.2
Solution
The common mistake seen is that administrators tend to specify "physical server" IP as the "protected server". Indeed, you should use "virtual server" IP or any domain names which can be mapped to that IP by DNS.
