Panel timeout


System > Admin > Settings

Idle Timeout: 5 mins # Default: 5


Check Rules Exception


Web Protection > Known Attacks > Signatures > "YOUR_POLICY_NAME" > "Signature Details" BTN


FortiWeb Signatures Exception Rule



Specifies the Host: field value to match.


  • String Match
  • Regular Expression Match

String Match: ensure the value starts with a forward slash ( / )

for example, /causes-false-positives.php

Full URL

Specifies a URL value that includes parameters to match.

URI vs. Full URL



which match requests for

Full URL


which match requests for

  1. Do not include a domain name.
  2. To match a domain name, use the Host element type.
  3. To match a URL that does not include parameters, use the URI type.


Name: Specifies the name of the parameter to match.

Check Value of Specified Element: Select to specify a parameter value to match in addition to the parameter name.

HTTP header

  • Name: Specifies the name of the HTTP header to match.
  • Value: Specifies the HTTP header value to match.



SQL Injection


False Positive Mitigation

Click to enable or disable additional SQL syntax validation.

e.g. Signature ID 040000182 has this option


Signature ID: 040000182
This signature prevents attackers from adding attack info through "NOT" SQL statement.
This attack can be achieved in HTTP request URL, arguments and headers.

To verify whether the request is a SQL instruction, FortiWeb uses lexical analysis, which converts the statement characters in the request into a sequence of tokens.

It then runs the tokens through different built-in SQL templates and, using a SQL parser, validates whether this is a true SQL structure.

If it is, then this event is not a false positive and FortiWeb triggers the signature violation action.

When this option is enabled and the validation is successful, FortiWeb takes the specified action.

If it fails, FortiWeb takes no action.
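
The flow described above (signature hit, then tokens, then templates, then action or no action), as an added sketch that is not FortiWeb's code. The keyword signature, the token classes and the four templates are simplified assumptions, and the sample values are constructed.

```python
import re

# Constructed stand-in for a keyword signature: fires on the bare word NOT.
SIGNATURE = re.compile(r"\bnot\b", re.IGNORECASE)

# Lexer: turn the raw request value into typed tokens.
TOKEN_RE = re.compile(r"""
    (?P<STR>'[^']*')
  | (?P<NUM>\d+)
  | (?P<KW>\b(?:or|and|not|in|like|between|is|null|where)\b)
  | (?P<ID>[A-Za-z_]\w*)
  | (?P<OP>[=<>!]+)
  | (?P<PUNC>[(),])
""", re.VERBOSE | re.IGNORECASE)

# Hypothetical templates over the token sequence (not FortiWeb's built-in ones).
TEMPLATES = [re.compile(t) for t in (
    r"\b(OR|AND|WHERE) NOT VAL OP VAL\b",
    r"\bVAL NOT IN \( VAL\b",
    r"\bVAL NOT (LIKE|BETWEEN) VAL\b",
    r"\bVAL IS NOT NULL\b",
)]

def tokenize(value):
    """Keywords keep their name; literals and identifiers collapse to VAL."""
    out = []
    for m in TOKEN_RE.finditer(value):
        kind, text = m.lastgroup, m.group()
        if kind == "KW":
            out.append(text.upper())
        elif kind in ("STR", "NUM", "ID"):
            out.append("VAL")
        else:
            out.append("OP" if kind == "OP" else text)
    return out

def evaluate(value, mitigation=True):
    """Return 'action' or 'pass' for one request value."""
    if not SIGNATURE.search(value):
        return "pass"                  # signature did not fire
    if not mitigation:
        return "action"                # keyword match alone triggers the action
    shape = " ".join(tokenize(value))
    valid_sql = any(t.search(shape) for t in TEMPLATES)
    return "action" if valid_sql else "pass"

# Constructed sample values: plain text vs. values with real SQL structure.
for sample in ("Please do not reply to this message",
               "name='a' AND NOT id=3",
               "status NOT IN (1, 2)"):
    print(f"{sample!r:40} off={evaluate(sample, False)} on={evaluate(sample)}")
```

With the option off, all three samples trigger the action; with it on, only the two that parse as SQL do.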




\S    Matches a character that is not white space, such as A or 9

\d    Matches a decimal digit such as 9.
\D    Matches a character that is not a digit, such as A or b or É.

\w    Matches a word character: [a-zA-Z0-9_]


? Makes the preceding character or capture group optional


Regular expression: (www\.)?


|        # Or

{}      # Repetition count, e.g. \d{3}


