Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

Fortiweb URL Access Rule REGEX

I have implemented a Web Protection Access policy, so it matches a URL format.

The format is /somedirectory/012345678910? after the "/"  it has to start with a zero "[0]" then exactly 12 digits [0-9] followed by a question mark,


The REGEX when testing works fine, and the URL rule is set to "Pass" and in live testing if the URL is in the correct format, we get a positive response. however if it doesnt match, it still passes? I added another REGEX to deny anything else ".*"  this now denies everything?


so the REGEX matches, but just drops to the next rule and denies. surely if it doesnt match the first rule, it should then deny by default?


I don't think so. Logically talking on a website usually all pub folder is accessible except few exceptions.

It's because your case (allowing only URL starting with zero) is an exception that you are thinking opposite :)


I dont really understand your response? it has nothing to do with public folders? the Fortiweb has a URL access list, if it doesnt match, its supposed to DENY and Alert. this is on host behind the VIP, what do you mean thinking opposite? opposite what?

New Contributor

It is possible that your backend has a redirect too. Probably FortiWeb is receiving the request for the client in https and passing it to the backend in http, which return a 301 to https site.

In that case, I would disable it in the backend .

Why are you not using the flag Redirect Http-to-Https on Server Policy?


The Fortiweb should block it before it even sends to the backend, and send a 500 error, it does if the first characer is not a Zero after the "/"  the character length is just sending a 400 error.. this is a very old system that we are using the Fortiweb for, so its not straight cut! the regex works, but it just drops to the next rule, even if it has an alert and deny

Top Kudoed Authors