Deny IP based host header requests on FortiWeb


A quick post about how you can deny service when one of your FortiWeb Virtual Servers is requested by its IP address (no FQDN used).

In order to reply with an error message whenever someone attempts to initiate an HTTP(S) connection toward a given Server Policy using its public IP address, you can create what is referred to as a "Custom Policy". You can create these within Web Protection > Advanced Protection > Custom Policy:

Here we create a Custom Rule first (part of our Custom Policy later). That rule matches on the value of the Host HTTP header and triggers when an IP address is found within the request.

We use here the RegEx matching string \d+\.\d+\.\d+\.\d+ which matches the use of an IP address within the Host header.

Once your rule is made, simply embed it within a new Custom Policy (in my example below coupled with a few other default policies present on FWB).

After that, our last step is to add our new Custom Policy to the Web Protection Profile bound to our Server Policy:

Once this is set up, a quick test of reaching your Web Application through its public IP should get you a nice HTTP status code of 500... (custom replacement messages are used here)
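To sanity-check the Host header rule from the steps above before relying on it, here is an added Python example (not FortiWeb code nor the author's) that runs the page's regex against constructed Host header values next to a stricter IP-literal check. It assumes the custom rule's regex behaves like Python `re`, and shows that the unanchored pattern also fires on an FQDN that merely contains a dotted quad, while missing IPv6 literals and bracketed hosts with a port.

```python
import ipaddress
import re

# The pattern from the post, unanchored, exactly as entered in the Custom Rule.
PAGE_PATTERN = re.compile(r"\d+\.\d+\.\d+\.\d+")


def split_host_port(host_header: str):
    """Return (host, port) for a Host header value; handles [IPv6]:port."""
    h = host_header.strip()
    if h.startswith("["):                      # bracketed IPv6 literal
        end = h.find("]")
        if end == -1:
            return h, None
        port = h[end + 2:] if h[end + 1:end + 2] == ":" else None
        return h[1:end], port
    if h.count(":") == 1:                      # host:port (IPv4 or name)
        host, port = h.split(":")
        return host, port
    return h, None                             # bare name or bare IPv6


def host_is_ip_literal(host_header: str) -> bool:
    """Stricter check: True only when the host part is a valid IPv4/IPv6 address."""
    host, _ = split_host_port(host_header)
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def page_rule_matches(host_header: str) -> bool:
    """What the post's regex would flag on this Host header value."""
    return PAGE_PATTERN.search(host_header) is not None


def response_for(host_header: str) -> int:
    """Mimic the post's outcome: 500 for IP-literal hosts, 200 otherwise."""
    return 500 if host_is_ip_literal(host_header) else 200


# Constructed sample Host header values (not from the post).
SAMPLE_HOSTS = [
    "203.0.113.10",            # IP only: both checks deny
    "203.0.113.10:8443",       # IP with port: both checks deny
    "www.example.com",         # FQDN: both checks allow
    "v1.2.3.4.example.com",    # FQDN containing a dotted quad: page regex misfires
    "[2001:db8::1]:443",       # IPv6 literal: page regex misses it
]
```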

And the Attack Logs will show such attempts, obviously:

That's it for this post.
Have fun,
Obruno

Image Credits: Larry Southberg - https://www.artstation.com/larrysouthberg
