
How to configure URL Access policy to restrict domain website access and allow specific URLs to public

This article describes how to configure URL Access policy to restrict the domain website access and allow specific URLs to be public.

Scope

FortiWeb.

Solution

Prerequisite:

  • The server policy references a web protection profile that includes the URL Access policy.
  • The incoming request is not source-NATed, or the original client IP can be identified from the X-Forwarded-For header (FortiWeb must be configured to trust that header from the upstream proxy; otherwise the Source Address check in Step 6 is evaluated against the proxy address, or against a client-supplied value).

Adding an allowed IP in a URL Access rule does not exempt that IP from being blocked by other WAF modules in FortiWeb; the Pass action only ends URL Access evaluation for that request.

Review the FortiWeb sequence of scans to decide whether the allowed IP belongs in the URL Access policy or in the IP List (which is evaluated earlier and exempts the IP from subsequent scans): Sequence of scans

Step 1: Navigate to the URL Access page and create a URL Access Rule with the action 'Alert & Deny'. In this example the hostname 'restricted.ft-dev.site' is used.


Step 2: In the URL Access rule, create a URL match condition using the negate option 'Object does not match the URL Pattern and Parameters'. Use the Regular Expression URL matching type and enter the pattern for the URLs that are excluded from the restriction (the public URLs). Anchor the expression (for example, start it with '^/public/') rather than using a bare substring: an unanchored pattern also matches the public path when it appears deeper inside a restricted URL, which silently widens the exception.


Step 3: After creating the URL Access Rule, create a URL Access Policy and add the new rule to it.


Step 4: Select the URL Access policy in the Web Protection Profile that the server policy uses.


Step 5: Browse the site to verify that the restricted pages are blocked and the public pages are still reachable.


Step 6: Return to the URL Access page and create another URL Access rule that allows a specific IP address to access the restricted host. This rule uses the action 'Pass'. In its URL match condition, enable the Source Address option and enter the allowed IP address, and use a wildcard URL matching pattern so that every URL on the host matches.


Step 7: Add the new rule to the same URL Access Policy, then change the rule order so that the allowed-IP Pass rule sits above the restriction rule. Rules are evaluated in order, so if the 'Alert & Deny' rule came first it would block the allowed IP before the Pass rule was ever reached.


Step 8: Once saved, retest browsing from the different sources (the allowed IP and a non-allowed IP, against both a public and a restricted URL) to verify the access restriction.

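The following Python model is an added example, not FortiWeb code, that reproduces the decisions Steps 1 to 8 are meant to produce so the ordering and negation logic can be checked before touching the appliance. It assumes first-match-wins rule ordering (the reason Step 7 moves the Pass rule to the top), a single trusted reverse proxy that appends the client address to X-Forwarded-For, and constructed addresses (203.0.113.10 as the allowed IP, 10.0.0.2 as the proxy, 198.51.100.7 as an ordinary client) and a constructed public prefix '^/public/'; none of these values come from the article.

```python
"""Toy model of the URL Access evaluation described in Steps 1-8.

Added example; this is not FortiWeb code.  Assumptions: first matching rule
decides, and one trusted reverse proxy appends the real client IP to
X-Forwarded-For.  All addresses and patterns below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PASS = "Pass"
ALERT_DENY = "Alert & Deny"


@dataclass
class MatchCondition:
    pattern: str                   # Regular Expression URL matching type
    negate: bool = False           # 'Object does not match the URL Pattern and Parameters'
    source: Optional[str] = None   # Source Address option (IP or CIDR; notation assumed)

    def matches(self, path: str, client: str) -> bool:
        hit = re.search(self.pattern, path) is not None
        if self.negate:
            hit = not hit
        if not hit:
            return False
        if self.source is None:
            return True
        return ipaddress.ip_address(client) in ipaddress.ip_network(self.source, strict=False)


@dataclass
class UrlAccessRule:
    name: str
    action: str
    host: str
    conditions: List[MatchCondition] = field(default_factory=list)

    def matches(self, host: str, path: str, client: str) -> bool:
        return host == self.host and any(c.matches(path, client) for c in self.conditions)


def client_ip(conn_ip: str, xff: Optional[str], trusted_proxies: List[str]) -> str:
    """Address used for the Source Address check (prerequisite 2).

    Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and then
    take the right-most entry, which that proxy appended.  The left-most entry
    is attacker-controlled; keying the Pass rule on it would let any client
    claim the allowed address.
    """
    if xff and any(ipaddress.ip_address(conn_ip) in ipaddress.ip_network(p, strict=False)
                   for p in trusted_proxies):
        return xff.split(",")[-1].strip()
    return conn_ip


def evaluate(policy: List[UrlAccessRule], host: str, path: str, client: str) -> Tuple[str, str]:
    """First rule whose conditions match decides.  A request that matches no
    rule is not acted on by URL Access at all (other WAF modules still run)."""
    for rule in policy:
        if rule.matches(host, path, client):
            return rule.action, rule.name
    return PASS, "no-rule-matched"


# --- constructed policy mirroring Steps 1-7 --------------------------------
HOST = "restricted.ft-dev.site"
ALLOWED_IP = "203.0.113.10"          # constructed allowed IP for the Pass rule
TRUSTED_PROXIES = ["10.0.0.2/32"]    # constructed proxy that sets X-Forwarded-For

# Anchored pattern: '^/public/' frees only paths under /public/.  The unanchored
# '/public/' would also free '/admin/public/...' (see unanchored_gap below).
public_only = MatchCondition(r"^/public/", negate=True)
restrict_rule = UrlAccessRule("restrict-host", ALERT_DENY, HOST, [public_only])   # Step 1-2
allow_rule = UrlAccessRule("allow-admin-ip", PASS, HOST,                          # Step 6
                           [MatchCondition(r".*", source=ALLOWED_IP + "/32")])

CORRECT_ORDER = [allow_rule, restrict_rule]   # Step 7: Pass rule on top
WRONG_ORDER = [restrict_rule, allow_rule]     # deny rule first: Pass rule unreachable


def decide(policy: List[UrlAccessRule], path: str, conn_ip: str,
           xff: Optional[str] = None) -> Tuple[str, str]:
    return evaluate(policy, HOST, path, client_ip(conn_ip, xff, TRUSTED_PROXIES))


def unanchored_gap(path: str) -> Tuple[bool, bool]:
    """(anchored condition fires, unanchored condition fires) for a restricted path."""
    loose = MatchCondition(r"/public/", negate=True)
    return public_only.matches(path, "198.51.100.7"), loose.matches(path, "198.51.100.7")


if __name__ == "__main__":
    for label, policy in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label)
        print("  public URL, ordinary client :", decide(policy, "/public/index.html", "198.51.100.7"))
        print("  restricted, ordinary client :", decide(policy, "/admin/", "198.51.100.7"))
        print("  restricted, allowed IP/proxy:", decide(policy, "/admin/", "10.0.0.2", ALLOWED_IP))
        print("  restricted, spoofed XFF     :", decide(policy, "/admin/", "198.51.100.7", ALLOWED_IP))
    print("anchored vs unanchored on /admin/public/x:", unanchored_gap("/admin/public/x"))
```

The same four cases are what Step 8 checks on the real appliance: send the public and restricted URLs from the allowed source and from an ordinary one (for a proxied deployment, from the proxy with and without the X-Forwarded-For value) and confirm that only the allowed source reaches the restricted URL. The model also shows that the rule order in Step 7 is not cosmetic: with the deny rule first, the allowed IP is blocked on the restricted URL.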