A FortiWeb can be configured to join a Security Fabric through the root or downstream FortiGate.
Article Id 192709



This article explains how to configure a protected host or an allowed host in FortiWeb.


FortiWeb - All versions.


A protected host group (also called 'allowed hosts' or 'protected host names', depending on how the hostname is used in each context) defines one or more IP addresses or fully qualified domain names (FQDNs). Each entry in the group defines a virtual or real web host, according to the host field in the HTTP header of requests. These entries can be used to determine which host names:


- FortiWeb allows in requests.

- Will cause FortiWeb to apply scans or other features.


Consider an example scenario where the FortiWeb instance receives requests with HTTP headers, such as:

GET /index.php HTTP/1.1


In this case, a protected host group might be defined with an entry of and selected under Protected Hostnames in the policy. This would block requests that are not for that host.

Note that a protected host names group is usually not the same as a back-end web server.


To configure a protected host group:

1) Go to Server Objects -> Protected Hostnames.

To access this part of the web UI, the administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

2) Select Create New.



A dialog appears.


3) Under Name, enter a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 63 characters.

4) Under Default Action, select whether to accept or deny HTTP requests that do not match any of the host definitions in this protected host group 
(in step 8, it is possible to override this default for specific hosts).
Consider an example where 10 web hosts are protected by FortiWeb and it is necessary to allow 8 and block 2.
To do this, first set the Default Action to Accept. Then, as explained later in step 8, create 2 entries for the host names to be blocked. Under the Action section for each, select Deny.

5) Select OK.

6) To treat one or more hosts differently than indicated under Default Action, select Create New. A dialog menu will appear.



7) Enter the IP address or FQDN of a real or virtual host according to the Host: field in the relevant HTTP requests.

If clients connect to the web servers through the IP address of a virtual server on the FortiWeb appliance, this should be the IP address of that virtual server or any domain name to which it resolves, not the IP address of the protected web server.

For example, if a virtual server forwards traffic to the physical server, for protected host names, enter '', the address of the virtual server, and the domain name that resolves to the virtual server. The 'Host' field in the configuration value must match the Host header value exactly.

Wild cards such as * are not supported. If wild card host name matches are required, use URL access rules instead.

8 ) Under Action, select whether to Accept or Deny HTTP requests where the Host: field matches this Host entry.

9) Select OK.

10) Repeat the previous steps for each host to add to the protected host group.

11) To apply a protected host group, select it in a server policy. Policies use protected host definitions to block connections that are not destined for a protected host. If a protected host group is not selected in a server policy and the URL access rule is not configured with an HTTP Host: condition either, FortiWeb accepts or blocks connections regardless of the Host: field.