Technical Tip: Excluding specific URLs from Site Publish in FortiWeb

shafiq23 · ‎09-17-2025

Description

This article describes how to exclude a specific URL from the authentication page(Site Publish) in FortiWeb using HTTP content routing. The goal is to allow certain URLs to bypass the Site Publish login page while still requiring authentication for other URLs.

Scope

FortiWeb.

Solution

Application behavior:
All URLs start with a common name, such as /app.

Require authentication:

/app/user/post

Bypass authentication:

/app/api/path

Since Site Publish has no regular expression support to exclude certain URLs from authentication offloading, use HTTP Content Routing to match traffic and bypass certain URLs from Site Publish.

Configuration:

Go to Policy -> Server Policy and select the server policy to modify or create a new policy.
Select Deployment Mode - HTTP Content Routing and then select OK to save the configuration.
Pre-configure two Web Protection Profiles. One with Site Publish defined and the other without Site Publish.
In the Server Policy page, edit, modify, or create a policy.
Configure two HTTP content routing rules to match the bypass URL and authentication-required URLs.
Assign Web Protection Profile in the HTTP content routing rule according to the match condition of NoAuth and Auth.

For more information on configuring HTTP content routing in FortiWeb and its Match Object for granular match conditions, refer to this document: Routing based on HTTP content.

Technical Tip: Excluding specific URLs from Site Publish in FortiWeb

You are leaving our website