Add a protection policy

  1. Go to Web server > Protection policies and click Add.
  2. Type a name.
  3. Specify protection settings.
    Option: Description
    Pass Outlook anywhere: Allow external Microsoft Outlook clients to bypass web server protection to access the Microsoft Exchange Server.
    Mode: Behavior to use for HTTP requests. (The firewall logs monitored requests.)
    Cookie signing: Protect against cookie tampering.
    Static URL hardening: Protect against rewriting of the specified URLs.
      Note: This setting is not effective for dynamic URLs created by the client, for example, using JavaScript.
    Form hardening: Protect against form rewriting.
    Anti-virus: Protect against viruses. If you turn on this setting, you can specify additional behaviors.
    Block clients with bad reputation: Block clients that have a bad reputation according to real-time blackhole lists (RBLs) and GeoIP information.
      Tip: Skipping remote lookups for clients with a bad reputation may result in improved performance.
    Common threat filter: Specify common threat protection against, for example, protocol violations and cross-site scripting (XSS) attacks. Depending on the results, a notice or a warning will be shown in the live log or the request will be blocked directly.
      You can use rigid filtering to tighten the enforcement of rules associated with the selected threat types.
      Note: Turning on rigid filtering may lead to false positives.
      To avoid false positives induced by a specific rule, add the rule number that you want to skip.

    Note: Static URL hardening and form hardening affect all files with a content type of HTML or XML. Binary files and other files may be corrupted by this type of protection if they are specified as HTML or XML. To exclude files, change your web server's settings to deliver the affected files with a different content type, for example, application/octet-stream.
  4. (Optional) If you turned on anti-virus protection, specify additional behaviors.
    Option: Description
    Mode: Anti-virus engine or dual scan.
    Direction: Uploads, downloads, or both.
    Block unscannable content: Block files that cannot be scanned, for example, if they are encrypted or corrupt.
    Limit scan size: Do not scan files larger than the size specified. You can specify 0 or leave this value blank to scan every file.
      Note: The scan size limit refers to the entire upload volume, not to a single file. If, for example, you limit the scan size to 50 MB and make an upload containing files of 45, 5, and 10 MB, the last file will not be scanned. In this scenario, a virus in the last file would not be detected.
  5. Click Save.
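
The note in step 3 says that static URL hardening and form hardening may corrupt binary files that the web server delivers as HTML or XML. The following Python check for finding such files is an added example, not part of the product documentation; the set of media types treated as HTML or XML, the byte signatures, and the sample responses are assumptions constructed for illustration.

```python
# Added example: find responses the hardening features would treat as
# HTML/XML although the body is really binary.

# Assumption: which media types count as "HTML or XML" for the firewall.
REWRITTEN_TYPES = {"text/html", "application/xhtml+xml", "text/xml", "application/xml"}

# Leading bytes of some common binary formats.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x1f\x8b": "gzip",
}

def media_type(header):
    """Return the bare, lowercased media type from a Content-Type value."""
    return header.split(";", 1)[0].strip().lower()

def looks_binary(body):
    """Return a format name or 'nul-bytes' if the body looks binary, else None."""
    for magic, name in MAGIC.items():
        if body.startswith(magic):
            return name
    # Heuristic: NUL bytes are not expected in UTF-8 HTML or XML.
    return "nul-bytes" if b"\x00" in body[:512] else None

def audit(responses):
    """Return (path, reason) for binary bodies served as HTML or XML."""
    findings = []
    for path, content_type, body in responses:
        if media_type(content_type) not in REWRITTEN_TYPES:
            continue  # not a type the note says is affected
        reason = looks_binary(body)
        if reason:
            findings.append((path, reason))
    return findings

# Constructed sample responses: (path, Content-Type header, first bytes of body).
SAMPLE = [
    ("/index.html", "text/html; charset=utf-8", b"<!doctype html><html>"),
    ("/docs/manual.pdf", "text/html", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("/feed.xml", "application/xml", b"<?xml version='1.0'?><rss/>"),
    ("/dl/tool.zip", "Text/XML; charset=utf-8", b"PK\x03\x04\x14\x00"),
    ("/dl/setup.bin", "application/octet-stream", b"\x7fELF\x02\x01\x01\x00"),
    ("/img/logo", "text/html", b"\x00\x00\x01\x00\x01\x00"),
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: served as HTML/XML but looks like {reason}")
```

Files it reports are candidates for delivery with a different content type, for example application/octet-stream, as the note describes.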