FortiWebCloud
Pwalia
Staff
Article Id 278958
Description This article describes how to enable HTTP/2 Max Requests in HTTP Protocol Constraints for protection against the HTTP/2 Rapid Reset attack.
Scope FortiWeb, FortiWeb Cloud
Solution

 

  1. In FortiWeb -> Web Protection -> Protocol -> HTTP, select Create New or Edit an existing entry. (The example in this article is made with Create New.)

  2. In the new window, input a name. Enable HTTP/2 Max Requests and set an action as needed (the default action is Alert), then select OK.

  3. Check that the new HTTP Protocol Constraints entry was created successfully. The name used here is http2_test.

  4. Under FortiWeb -> Policy -> Web Protection Profile, edit the corresponding profile.

  5. Select the newly added entry (http2_test in this example) in HTTP Protocol Constraints and select OK.

 

To apply it to FortiWeb Cloud models:

  • Navigate to the desired Application.
  • Navigate to Application Name -> Access Rules -> Request Limits, then set 'HTTP/2 Max Requests' to 'ON' and 'Number of HTTP/2 Max Requests' to '1000'.
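
Why a per-connection request cap matters for Rapid Reset, as an added example that is not Fortinet code: the sketch below parses the HTTP/2 frames of one connection and shows that a reset-heavy connection never exceeds one concurrent stream yet far exceeds 1000 requests. The counting model (first HEADERS frame on an odd stream ID counts as one request, and the limit is exceeded when the count is greater than the configured value) and all names in the code are assumptions; the two sample connections are constructed.

```python
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # client connection preface (RFC 9113)
HEADERS, RST_STREAM = 0x1, 0x3                   # frame type codes (RFC 9113)
MAX_REQUESTS = 1000                              # value this article sets on FortiWeb Cloud

def frame(ftype, stream_id, payload=b"", flags=0):
    """Build one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def parse_frames(data):
    """Yield (type, stream_id) per complete frame; stop at a truncated frame."""
    pos = len(PREFACE) if data.startswith(PREFACE) else 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        if pos + 9 + length > len(data):
            break
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        yield data[pos + 3], stream_id
        pos += 9 + length

def assess(data, limit=MAX_REQUESTS):
    """Count requests on one connection (assumed model, not FortiWeb's code)."""
    seen, open_now, peak, resets = set(), set(), 0, 0
    for ftype, sid in parse_frames(data):
        if ftype == HEADERS and sid % 2 == 1 and sid not in seen:
            seen.add(sid)                  # first HEADERS on an odd stream = new request
            open_now.add(sid)
            peak = max(peak, len(open_now))
        elif ftype == RST_STREAM and sid in open_now:
            open_now.discard(sid)          # reset frees the concurrency slot at once
            resets += 1
    return {"requests": len(seen), "resets": resets,
            "peak_concurrent": peak, "over_limit": len(seen) > limit}

# Constructed sample connections (header blocks left empty; only framing matters here).
CANCEL = (8).to_bytes(4, "big")            # RST_STREAM error code CANCEL
reset_heavy = PREFACE + b"".join(
    frame(HEADERS, sid, flags=0x4) + frame(RST_STREAM, sid, CANCEL)
    for sid in range(1, 3001, 2))          # 1500 streams, each reset right away
ordinary = PREFACE + b"".join(frame(HEADERS, sid, flags=0x5) for sid in (1, 3, 5))

if __name__ == "__main__":
    print("reset-heavy:", assess(reset_heavy))
    print("ordinary:   ", assess(ordinary))
```

A concurrent-stream limit alone does not flag the reset-heavy sample, because its peak concurrency stays at 1; the total request count per connection is what crosses the limit.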