FortiWeb
AACastillo
Staff
Article Id 403452
Description This article describes how to block user access to specific resources on a web server published through FortiWeb when those resources are requested with URLs that carry query strings.
Scope FortiWeb.
Solution

Some resources on a published web site are reached through URLs whose query string carries additional parameters. This kind of URL can be blocked with a URL access policy that matches on the query parameter rather than on the path alone.

 

For example, to block the URL https://www.usbwebcosas1.com/?q=user, the following configuration blocks requests whose URI is '/?q=user' (the query parameter q with the value user) and allows all other traffic to this site.

 

  1. Go to Web Protection -> Access -> URL Access. Under 'URL Access Parameter', select 'Create New':

 

01a.png

 

  2. Enter a name for the new URL Access Parameter and select OK. Then select 'Create New' to add a parameter rule:

 

02a.png

 

  3. In the New Parameter Rule, based on the URL https://www.usbwebcosas1.com/?q=user, configure the following parameters:

 

  • Name Type: Simple String
  • Name: q
  • Use Type Check: Enable
  • Argument Type: Regular Expression
  • Regular Expression: user

 

03a.png

 

After configuring these settings, select 'OK'. Then, under 'Edit URL Access Parameter', select 'OK'. Note that the regular expression user is unanchored, so it also matches any value that merely contains that string (for example users or superuser). To match only the exact value, use ^user$ instead.

 

  4. Go to URL Access Rule and select 'Create New':

 

04a.png

 

  5. Enter a name for the new URL Access Rule and configure the following settings:

 

  • Action: Alert & Deny.
  • Severity: High.

 

05a.png

 

After configuring these settings, select 'OK'. Then, select 'Create New' to create a new URL Access Condition.

 

  6. In the new URL Access Condition, configure the following settings:
  • URL Type: Simple String.
  • URL Pattern: /*
  • URL Access Parameter: Select the URL Access Parameter created in steps 2 and 3.
  • Meet this condition if: Object matches the URL Pattern and Parameters.

 

06a.png

 

Leave all other options disabled and select OK. Then, under 'Edit URL Access Rule', select OK.

 

  7. Go to URL Access Policy and select 'Create New':

 

07a.png

 

  8. Enter a name for the new URL Access Policy and select OK. Then select 'Create New' to add a URL Access Item:

 

08a.png

 

  9. In the New URL Access Item, under 'Access Rule Name', select the Access Rule created in steps 5 and 6, then select OK:

 

09a.png

 

  10. For this configuration to take effect, the URL Access policy must be referenced by a web protection profile. Go to Policy -> Web Protection Profile and open the web protection profile used by the server policy that publishes the web service.

 

10a.png

 

If the policy does not have a web protection profile, create a new one.

 

  11. In the Web Protection Profile, go to Access -> URL Access, select the URL Access policy created in steps 8 and 9, then select OK:

 

11a.png

 

  12. Go to Policy -> Server Policy, select the server policy or HTTP content routing policy that publishes the web service and confirm the web protection profile is applied.

 

12a.png

 

After that, requests for the configured URL are blocked. For example, when a user opens the URL in a browser, FortiWeb returns its block page:

 

13a.png
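Before testing against the live site, it helps to see which requests the rule above will and will not catch. The following script is an added example, not FortiWeb code and not part of the original article: it models the rule built in steps 3 and 6 (URL Pattern '/*', parameter q, value checked with a regular expression) over a set of constructed sample URLs, and compares the unanchored pattern used in the article with the stricter ^user$. The function names, the sample URLs and the assumption that '/*' matches any path are the author of this example's, not FortiWeb's.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical model of the URL Access rule configured in the article.
# It is NOT FortiWeb's matching engine; it reproduces the rule's logic so the
# effect of the regular expression can be checked offline.
BLOCKED_PARAM = "q"
UNANCHORED_PATTERN = re.compile("user")    # as configured in step 3
ANCHORED_PATTERN = re.compile(r"^user$")   # stricter alternative: exact value only


def request_is_blocked(url: str, pattern: re.Pattern = UNANCHORED_PATTERN) -> bool:
    """Return True if the request would match the rule: any path under '/',
    parameter 'q' present, and its URL-decoded value matching the pattern."""
    parts = urlsplit(url)
    # URL Pattern '/*' is modelled as "any path" (assumption of this example).
    if not parts.path.startswith("/"):
        return False
    # parse_qsl percent-decodes names and values, mirroring the decoding a WAF
    # performs before parameter inspection; keep_blank_values keeps '?q='.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == BLOCKED_PARAM and pattern.search(value):
            return True
    return False


def evaluate(urls, pattern):
    """Map each URL to the rule's verdict under the given pattern."""
    return {u: request_is_blocked(u, pattern) for u in urls}


# Constructed sample requests to the published site (not taken from the article).
SAMPLE_URLS = [
    "https://www.usbwebcosas1.com/?q=user",            # the URL the article blocks
    "https://www.usbwebcosas1.com/?q=admin",           # different value: allowed
    "https://www.usbwebcosas1.com/",                   # no parameter: allowed
    "https://www.usbwebcosas1.com/?q=users",           # contains 'user': unanchored regex blocks it
    "https://www.usbwebcosas1.com/?q=superuser",       # same
    "https://www.usbwebcosas1.com/?q=us%65r",          # percent-encoded 'user': decoded before matching
    "https://www.usbwebcosas1.com/search?x=1&q=user",  # other path, q anywhere in the query string
]

if __name__ == "__main__":
    for label, pat in (("unanchored 'user'", UNANCHORED_PATTERN),
                       ("anchored '^user$'", ANCHORED_PATTERN)):
        print(f"--- {label}")
        for url, blocked in evaluate(SAMPLE_URLS, pat).items():
            print(f"{'BLOCK' if blocked else 'allow':5}  {url}")
```

Running the script shows that the unanchored pattern also blocks ?q=users and ?q=superuser, while ^user$ blocks only the exact value; both block the percent-encoded form, because the value is decoded before it is compared. Once the policy is applied, the same URLs can be tried against the real site with a browser or curl and the verdicts compared with the attack log.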

 

The blocked request is recorded in the attack log, which can be viewed under Log & Report -> Log Access -> Attack:

 

14a.png

 

Related document:
Restricting access based on specific URLs