Article Id 252489
Description This article describes how to limit access to specific URLs from specific User Agents.
It may be necessary to preconfigure other application settings first. Refer to the documentation at the end of this article for more information on onboarding the application.
Scope FortiWeb Cloud WAF-as-a-Service.

It is necessary to limit access to specific URLs from specific User Agents.


For example:

There is a requirement to allow access from mobile devices (for example Android, iPhone, and iPad) to access


The Custom Rule feature may be used for the requirement.


1) Go to ADVANCED APPLICATIONS -> Custom Rule.

It may be necessary to enable this module first in the '+ ADD MODULES' menu, under ADVANCED APPLICATIONS -> Custom Rule.

2) Select the '+ Create Rule' button on the right.

3) Under Create Custom Rule, enter the respective information. For Name, specify a name to identify the rule, and for Operation, select Alert & Deny.

4) Select the 'ADD FILTER' button on the right. For Filter Type, select HTTP Header and set HTTP Header to ON. Under Header Name, select User-Agent.

For Value Pattern, enter 'Mobile|iP(hone|ad)|Android' (without the quotes).
Enable the Reverse Matching option so that the filter matches requests whose User-Agent does not match the pattern. Select SAVE FILTER.



5) Select the 'ADD FILTER' button again. For Filter Type, select URL, and for URL Pattern, enter the respective URL to which access needs to be allowed. Select SAVE FILTER.




6) Select 'OK'.

7) Select 'SAVE' on the Custom Rule page to apply the Custom Rule.
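
The resulting rule logic can be checked offline before it is saved. The following is an added example, not part of the original article or of FortiWeb Cloud: it assumes that all filters in a rule must match for Alert & Deny to apply and that the pattern is matched case-sensitively anywhere in the header. The URL pattern '/mobile-only/' and the sample requests are constructed.

```python
import re

# Value Pattern from step 4 of the article.
UA_PATTERN = re.compile(r"Mobile|iP(hone|ad)|Android")
# Hypothetical URL Pattern for step 5; the article leaves the URL to the reader.
URL_PATTERN = re.compile(r"^/mobile-only/")


def rule_action(user_agent, url):
    """Return 'deny' if the request matches every filter, else 'pass'.

    Assumptions: filters in one rule are ANDed, and the pattern is matched
    case-sensitively anywhere in the header value.
    """
    # Filter 1: User-Agent header with Reverse Matching enabled, so the
    # filter matches when the pattern is NOT found (or the header is absent).
    ua_filter = UA_PATTERN.search(user_agent or "") is None
    # Filter 2: the request URL matches the protected URL pattern.
    url_filter = URL_PATTERN.search(url) is not None
    return "deny" if ua_filter and url_filter else "pass"


DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0 Safari/537.36"

# Constructed sample requests: (label, User-Agent, URL).
SAMPLES = [
    ("iphone", "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Mobile/15E148",
     "/mobile-only/app"),
    ("ipad", "Mozilla/5.0 (iPad; CPU OS 16_0 like Mac OS X) Safari/604.1",
     "/mobile-only/app"),
    ("android", "Mozilla/5.0 (Linux; Android 13; Pixel 7) Chrome/116.0 Mobile Safari/537.36",
     "/mobile-only/app"),
    ("desktop", DESKTOP_UA, "/mobile-only/app"),
    ("no_header", None, "/mobile-only/app"),
    ("lowercase_android", "android-client/1.0", "/mobile-only/app"),
    ("desktop_other_url", DESKTOP_UA, "/index.html"),
]


def evaluate(samples=SAMPLES):
    """Map each sample label to the action the rule would take."""
    return {label: rule_action(ua, url) for label, ua, url in samples}


if __name__ == "__main__":
    for label, action in evaluate().items():
        print(f"{label:18} {action}")
```

Because the User-Agent header is supplied by the client, the rule restricts access by reported client type and does not authenticate the device.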



Related document on Onboarding applications:


Related document on Custom Rule: