
Testing your installation

When the configuration is complete, test it by forming connections between legitimate clients and servers at various points within your network topology.

In offline protection mode and transparent inspection mode, if your web server applies SSL and you need to support Google Chrome browsers, you must disable Diffie-Hellman key exchanges on the web server. Sessions that use Diffie-Hellman key exchanges cannot be inspected.

Examine the HTTP Traffic Monitor section of the Policy Summary widget on System > Status > Status. If there is no traffic, you have a problem. See Connectivity issues.

Figure: HTTP Traffic Monitor section of the Policy Summary widget

If a connection fails, you can use tools included in the firmware to determine whether the problem is local to the appliance or elsewhere on the network. See Troubleshooting. Also revisit troubleshooting recommendations included with each feature’s instructions.

If you have another FortiWeb appliance, you can use its web vulnerability scanner to verify that your policies are blocking attacks as you expect. For details, see Vulnerability scans.

You may need to refine the configuration (see Expanding the initial configuration).

Once testing is complete, finish your basic setup with either Switching out of offline protection mode or Backups. Your FortiWeb appliance has many additional protection and maintenance features you can use. For details, see the other chapters in this guide.

Reducing false positives

If the dashboard indicates that you are getting dozens or hundreds of nearly identical attacks, they may actually be legitimate requests that were mistakenly identified as attacks (i.e. false positives). Many of the signatures, rules, and policies that make up protection profiles are based, at least in part, on regular expressions. If your web sites’ inputs and other values are hard for you to predict, the regular expression may match some values incorrectly. If the matches are not exact, many of your initial alerts may not be real attacks or violations. They will be false positives.

Fix false positives that appear in your attack logs so that you can focus on genuine attacks.
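The effect described above, as an added example (not FortiWeb code or a FortiWeb signature): a regex signature flags ordinary search phrases, and grouping the hits by URL and parameter surfaces the cluster of nearly identical alerts to review. The signature, the sample requests, the field layout, and the thresholds are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed stand-in for a regex-based signature (assumption, not a vendor rule).
SIGNATURE = re.compile(r"(?i)\bselect\b.*\bfrom\b|\bunion\b|--|'\s*or\b")

# Constructed sample requests: (source IP, URL, parameter, value).
REQUESTS = [
    ("10.0.0.11", "/search", "q", "select a gift from our catalogue"),
    ("10.0.0.12", "/search", "q", "credit union opening hours"),
    ("10.0.0.13", "/search", "q", "student union -- events"),
    ("10.0.0.14", "/search", "q", "select flights from Boston"),
    ("10.0.0.15", "/search", "q", "blue widgets"),
    ("203.0.113.9", "/login", "user", "admin' or 1=1 --"),
]

def attack_log(requests, signature=SIGNATURE):
    """Return the requests the signature would log as attacks."""
    return [r for r in requests if signature.search(r[3])]

def false_positive_candidates(log, min_hits=3, min_sources=3):
    """Group hits by (URL, parameter).

    Heuristic assumed for this example: many hits on one input, spread
    across many distinct clients, suggests the regex is matching values
    that legitimate users submit, so that group is reviewed first.
    """
    groups = defaultdict(list)
    for src, url, param, _value in log:
        groups[(url, param)].append(src)
    return {
        key: {"hits": len(srcs), "sources": len(set(srcs))}
        for key, srcs in groups.items()
        if len(srcs) >= min_hits and len(set(srcs)) >= min_sources
    }

if __name__ == "__main__":
    log = attack_log(REQUESTS)
    print(f"{len(log)} of {len(REQUESTS)} requests logged as attacks")
    for (url, param), stats in false_positive_candidates(log).items():
        print(f"review {url} parameter {param!r}: {stats}")
```

The single hit on `/login` stays below the thresholds and is left in the log as a probable genuine attack, while the `/search` cluster is the candidate for an exception or a narrower pattern.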

Here are some tips:

Testing for vulnerabilities & exposure

Even if you are not a merchant, hospital, or other agency that is required by law to demonstrate compliance with basic security diligence to a regulatory body, you still may want to verify your security.

To verify your configuration, start by running a vulnerability scan. See Vulnerability scans. You may also want to schedule a penetration test on a lab environment. Based upon results, you may decide to expand or harden your FortiWeb’s initial configuration (see Hardening security).

Expanding the initial configuration

After your FortiWeb appliance has operated for several days without significant problems, it is a good time to adjust profiles and policies to provide additional protection and to improve performance.

In particular, if you began in offline protection mode and later transitioned to another operation mode such as reverse proxy, features that were not supported in the previous operation mode may now be available.

Figure: Attack Event History section of the Policy Summary widget

You can create reports to track trends that may deserve further attention. See Data analytics, Vulnerability scans, and Reports.