LFerreira
Staff
February 5, 2026

Technical Tip: FortiWeb - Troubleshooting back-references when using rewriting or redirecting

Description

This article describes a troubleshooting step that can be used to obtain more details about back-references in FortiWeb.

Scope

FortiWeb, FortiWeb VM, 7.4.x and above.

Solution

These back-references are associated with the Rewriting and Redirecting features. See back-references in the FortiWeb Administration Guide, available in the Fortinet Document Library.

Configuring this feature is not within the scope of this article; however, the logical steps are as follows:

  • Create a URL Rewriting Rule based on the given criteria.
  • Create a URL Rewriting Policy and apply the URL Rewriting Rules.
  • Apply the URL Rewriting Policy in a Web Protection Profile.
  • Apply the Protection Profile in a Server Policy or HTTP Content Routing Policy.
  • Generate traffic to the virtual server (VS).

In this example, the purpose of the configuration is to perform a 301 redirect under the following conditions:

Request:
HTTP Host: panel.domain.lab
HTTP URL: /system/logging

Redirect to:
HTTP Host: panel.domain.lab
HTTP URL: /system/logs

URL Rewrite rule in the FortiWeb CLI:

config waf url-rewrite url-rewrite-rule
    edit "redir301-PANEL-URL"
        set action redirect-301
        set location https://$0$1/logs
        config match-condition
            edit 1
                set reg-exp (panel.domain.lab)
            next
            edit 2
                set object http-url
                set reg-exp "(\/system)(\/logging)"
            next
        end
    next
end

Viewing the same rule in the GUI makes the configuration easier to understand.

[Image: FortiWeb-Backreference-Conf.png]

In the image above, each back-reference group is delimited by parentheses in the regular expressions. Some of these groups are then referenced with tokens ($) to rebuild the URL.

Run the following debug at the CLI and generate traffic:

diagnose debug flow filter module-detail url-rewriting 7
diagnose debug flow filter client-ip xx.xx.xx.xx
diagnose debug flow trace start
diagnose debug enable

Here, 'xx.xx.xx.xx' is the IP address of the client from which the request was generated.

The debug output contains lines from several modules; examine the lines from the [URL Rewriting] module specifically.

[URL Rewriting][Info]: (./waf_module/url_rewrite.c:2699): CLIENT -> SERVER.
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:2639): Request host: [panel.domain.lab].
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:2643): Request url: [/system/logging].
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1638): url rewrite policy name: [URL-RP-LAB].
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:576): url rewrite rule name: [redir301-PANEL-URL] ,check rule conds.
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:584): the matching host :panel.domain.lab
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:589): the matching url :/system/logging
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:712): all conditons matched!
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1684): matched...
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1687): the pcre capture $0 is : panel.domain.lab
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1687): the pcre capture $1 is : /system
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1687): the pcre capture $2 is : /logging
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1687): the pcre capture $3 is :
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1687): the pcre capture $4 is :
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1687): the pcre capture $5 is :
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1687): the pcre capture $6 is :
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1687): the pcre capture $7 is :
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1687): the pcre capture $8 is :
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1687): the pcre capture $9 is :
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1590): the action is :8
[URL Rewriting][Debug]: (./waf_module/url_rewrite.c:1602): -------- Do URL rewriting for URL "panel.domain.lab/system/logging" in request direction --------
Matched rule: "redir301-PANEL-URL"
Triggered action: "Redirect301"
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1360): make redirect response.
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1369): the new location is : https://panel.domain.lab/system/logs
[URL Rewriting][Debug]: (./waf_module/url_rewrite.c:1370): Location "https://panel.domain.lab/system/logs"
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:2734): The response custom redirect 301.
[URL Rewriting][Debug]: Module name:url_rewriting, Execution:4, Process error:1, Action:ACCEPT
[URL Rewriting][Debug]: (./waf_module/url_rewrite.c:2852): direction:0, exec_code:4, err_code:1, action:1

Note that the [URL Rewriting] module captured the request in segments and assigned a value to each token:

  • $0 = panel.domain.lab
  • $1 = /system
  • $2 = /logging

Once the information is captured correctly, replacement using tokens becomes possible.
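
The check described above can be automated. The following is an added example, not code from this article or from Fortinet: it parses the [URL Rewriting] trace, rebuilds the expected token map from the rule's match conditions, and confirms that the location template expands to the logged Location. The function names are hypothetical, Python's re module stands in for PCRE, and the numbering model (groups numbered $0, $1, ... across match conditions in order) is an assumption inferred from the trace shown.

```python
import re
# Constructed sample: a subset of the [URL Rewriting] debug lines shown above.
TRACE = """\
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:576): url rewrite rule name: [redir301-PANEL-URL] ,check rule conds.
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1687): the pcre capture $0 is : panel.domain.lab
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1687): the pcre capture $1 is : /system
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1687): the pcre capture $2 is : /logging
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1687): the pcre capture $3 is :
[URL Rewriting][Info]: (./waf_module/url_rewrite.c:1369): the new location is : https://panel.domain.lab/system/logs
"""
# The rule from the article: (reg-exp, request value) per match condition, in order.
CONDITIONS = [(r"(panel.domain.lab)", "panel.domain.lab"),
              (r"(\/system)(\/logging)", "/system/logging")]
TEMPLATE = "https://$0$1/logs"

RULE = re.compile(r"url rewrite rule name: \[([^\]]+)\]")
# Unused tokens are logged with an empty value; requiring \S skips those lines.
CAPTURE = re.compile(r"the pcre capture \$(\d) is : (\S.*?)\s*$")
LOCATION = re.compile(r"the new location is : (\S+)")

def parse_trace(text):
    """Pull the rule name, non-empty tokens and new Location out of a trace."""
    seen = {"rule": None, "tokens": {}, "location": None}
    for line in text.splitlines():
        if m := RULE.search(line):
            seen["rule"] = m.group(1)
        elif m := CAPTURE.search(line):
            seen["tokens"][int(m.group(1))] = m.group(2)
        elif m := LOCATION.search(line):
            seen["location"] = m.group(1)
    return seen

def collect_tokens(conditions):
    """Assumed model: groups are numbered $0, $1, ... across conditions in order."""
    groups = []
    for pattern, value in conditions:
        m = re.search(pattern, value)       # Python re standing in for PCRE
        if m is None:
            return None                     # one condition failed: rule not applied
        groups.extend(g or "" for g in m.groups())
    return dict(enumerate(groups))

def expand(template, tokens):
    """Substitute each $n in the location; tokens that were never set become ''."""
    return re.sub(r"\$(\d)", lambda m: tokens.get(int(m.group(1)), ""), template)

def check_rule(template, conditions, trace):
    """True when the trace logged the tokens and Location the rule should produce."""
    seen, want = parse_trace(trace), collect_tokens(conditions)
    return want is not None and (want, expand(template, want)) == (seen["tokens"], seen["location"])
```

A False result from check_rule means the logged tokens or Location differ from what the rule is expected to produce, which usually points to a group landing on a different token number than the location template assumes.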

 
