
Configuring basic policies

As the last step in the setup sequence, you must configure at least one policy.

Until you configure a policy, by default, FortiWeb will:

Once traffic matches a policy, protection profile rules are applied using a negative security model — that is, traffic that matches a policy is allowed unless it is flagged as disallowed by any of the enabled scans.

Keep in mind:

This section contains examples to get you started:

Once completed, continue with Testing your installation.

Example 1: Configuring a policy for HTTP via auto-learning

In the simplest scenario, if you want to protect a single, basic web server (that is, it does not use HTTPS) while the FortiWeb is operating as a reverse proxy, you can save time configuring your policy by using the auto-learning feature.

To generate profiles and apply them in a policy

1.  Create a virtual server on the FortiWeb appliance (Server Objects > Server > Virtual Server). When used by a policy, it receives traffic from clients.

2.  Define your web server within a Single Server server pool using its IP address or domain name (Server Objects > Server > Server Pool). When used by a policy, a server pool defines the IP address of the web server that FortiWeb forwards accepted client traffic to.

3.  Create a new policy (Policy > Server Policy > Server Policy).

When you use an auto-learning profile, any inline protection profile that you use with it should have Session Management enabled.

Traffic should now pass through the FortiWeb appliance to your server. If it does not, see Troubleshooting. Auto-learning gathers data based upon the characteristics of requests and responses that it observes.

4.  Use the auto-learning report to determine whether auto-learning has observed enough URLs, parameters, and attacks (Auto Learn > Auto Learn Report > Auto Learn Report; see Auto-learning).

5.  Generate an initial configuration (Auto Learn > Auto Learn Report > Auto Learn Report then click Generate Config).

6.  If necessary, modify the generated profiles to suit your security policy.

7.  Modify the policy to select your generated profile in Web Protection Profile.

8.  Disable auto-learning by deselecting the auto-learning profile in WAF Auto Learn Profile.

Example 2: Configuring a policy for HTTPS

If you want to protect a single HTTPS web server, and the FortiWeb appliance is operating in reverse proxy mode, configuration is similar to Example 1: Configuring a policy for HTTP via auto-learning. (Optionally, you can configure a server policy that includes both an HTTP service and an HTTPS service.)

To be able to scan secure traffic, however, you must also configure FortiWeb to decrypt it, and therefore must provide it with the server’s certificate and private key.

To configure an HTTPS policy

1.  Upload a copy of the web server’s certificate (System > Certificates > Local).

2.  Configure a policy and profiles according to Example 1: Configuring a policy for HTTP via auto-learning, except for auto-learning, which you will postpone until these steps are complete.

3.  Modify the server policy (Policy > Server Policy > Server Policy).

Traffic should now pass through the FortiWeb appliance to your server. If it does not, see Troubleshooting.
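FortiWeb can only decrypt the HTTPS stream if the certificate and private key you upload in step 1 actually belong together. The following is an added check that is not part of the FortiWeb documentation: it compares the public key embedded in the certificate with the public key derived from the private key using the openssl CLI, and generates its own self-signed sample files (constructed, not any real server's credentials) to demonstrate both the matching and the mismatching case.

```shell
#!/bin/sh
# Verify that a server certificate and private key belong together before
# uploading them to FortiWeb (System > Certificates > Local).
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_key_match() {
  cert="$1"; key="$2"
  # Public key (SubjectPublicKeyInfo, PEM) taken from the certificate
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  # Public key derived from the private key, in the same PEM encoding
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  if [ "$cert_pub" = "$key_pub" ]; then
    echo "MATCH: $cert and $key share the same public key"
    return 0
  fi
  echo "MISMATCH: $cert was not issued for the key in $key"
  return 1
}

# Subject and expiry, the same details FortiWeb shows after the upload.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -enddate
}

# Constructed sample material (assumption: hypothetical hostnames). Two
# independent self-signed pairs so one key can be tested against a foreign cert.
make_sample() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/www.key" -out "$dir/www.crt" \
    -subj "/CN=www.example.com" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/other.key" -out "$dir/other.crt" \
    -subj "/CN=other.example.com" >/dev/null 2>&1
}

# Stand-alone demonstration: the right key matches, the foreign key does not.
demo() {
  d=$(mktemp -d)
  make_sample "$d"
  cert_summary "$d/www.crt"
  cert_key_match "$d/www.crt" "$d/www.key" || true
  cert_key_match "$d/www.crt" "$d/other.key" || true
  rm -rf "$d"
}
```

Run `demo` to see one MATCH and one MISMATCH line; for your own files call `cert_key_match server.crt server.key` and upload only when it returns 0.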

Example 3: Configuring a policy for load balancing

If you want to protect multiple web servers, configuration is similar to Example 1: Configuring a policy for HTTP via auto-learning.

To distribute load among multiple servers, however, instead of specifying a single physical server in the server pool, you specify a group of servers (server farm or server pool).

This example assumes a basic network topology. If there is another, external proxy or load balancer between clients and your FortiWeb, you may need to define it (see Defining your web servers & load balancers).

Similarly, if there is a proxy or load balancer between FortiWeb and your web servers, you may need to configure your server pool for a single web server (the proxy or load balancer), not a Server Balance pool.

To configure a load-balancing policy

1.  Define multiple web servers by either their IP address or domain name in a Server Balance server pool (Server Objects > Server > Server Pool). When used by a policy, it tells the FortiWeb appliance how to distribute incoming web connections to those destination IP addresses. In the server pool configuration, do the following:

2.  Configure a policy and profiles according to Example 1: Configuring a policy for HTTP via auto-learning, except for auto-learning, which you will postpone until these steps are complete.

Traffic should now pass through the FortiWeb appliance and be distributed among your servers. If it does not, see Troubleshooting.