Introduction
Benefits
Architecture
Scope
What’s new
Documentation enhancements
Key concepts
Workflow
Sequence of scans
IPv6 support
Solutions for specific web attacks
HTTP/HTTPS threats
DoS attacks
HTTP sessions & security
FortiWeb sessions vs. web application sessions
Sessions & FortiWeb HA
Example: Magento & FortiWeb sessions during failover
HA heartbeat & synchronization
Data that is not synchronized by HA
Configuration settings that are not synchronized by HA
How HA chooses the active appliance
Administrative domains (ADOMs)
Defining ADOMs
Assigning administrators to an ADOM
How to use the web UI
System requirements
URL for access
Workflow
Permissions
Trusted hosts
Maximum concurrent administrator sessions
Global web UI & CLI settings
Buttons, menus, & the displays
Deleting entries
Renaming entries
Shutdown
How to set up your FortiWeb
Appliance vs. VMware
Registering your FortiWeb
Planning the network topology
External load balancers: before or after?
How to choose the operation mode
Supported features in each operation mode
Matching topology with operation mode & HA mode
Topology for reverse proxy mode
Topology for either of the transparent modes
Topology for offline protection mode
Topologies for high availability (HA) clustering
Connecting to the web UI or CLI
Connecting to the web UI
Connecting to the CLI
Updating the firmware
Testing new firmware before installing it
Installing firmware
Updating firmware on an HA pair
Installing alternate firmware
Booting from the alternate partition
Changing the “admin” account password
Setting the system time & date
Setting the operation mode
Configuring a high availability (HA) FortiWeb cluster
Replicating the configuration without FortiWeb HA (external HA)
Configuring the network settings
Network interface or bridge?
Configuring the network interfaces
Adding VLAN subinterfaces
Link aggregation
Configuring a bridge (V-zone)
Adding a gateway
Creating a policy route
Fixing asymmetric routing problems with policy-based routing
Configuring DNS settings
Connecting to FortiGuard services
Choosing the virus signature database & decompression buffer
Accessing FortiGuard via a web proxy
How often does Fortinet provide FortiGuard updates for FortiWeb?
Scheduling automatic signature updates
Manually initiating update requests
Uploading signature & geography-to-IP updates
Configuring basic policies
Example 1: Configuring a policy for HTTP via auto-learning
Example 2: Configuring a policy for HTTPS
Example 3: Configuring a policy for load balancing
Auto-learning
How to adapt auto-learning to dynamic URLs & unusual parameters
Configuring URL interpreters
Example: URL interpreter for a JSP application
Example: URL interpreter for Microsoft Outlook Web App 2007
Example: URL interpreter for WordPress
Grouping URL interpreters
Recognizing data types
Predefined data types
Grouping predefined data types
Recognizing suspicious requests
Predefined suspicious request URLs
Configuring custom suspicious request URLs
Grouping custom suspicious request URLs
Grouping all suspicious request URLs
Configuring an auto-learning profile
Running auto-learning
Pausing auto-learning for a URL
Viewing auto-learning reports
Using the report navigation pane
Using the report display pane
Overview tab
Attacks tab
About the attack count
Visits tab
Most hit IP table and web scraping detection
Parameters tab
Cookies tab
Generating a profile from auto-learning data
Transitioning out of the auto-learning phase
Removing old auto-learning data
Testing your installation
Reducing false positives
Testing for vulnerabilities & exposure
Expanding the initial configuration
Switching out of offline protection mode
Backups
Restoring a previous configuration
Administrators
Configuring access profiles
Grouping remote authentication queries for administrators
Changing an administrator’s password
Users
Authentication styles
Via the “Authorization:” header in the HTTP/HTTPS protocol
Via forms embedded in the HTML
Via a personal certificate
Offloading HTTP authentication & authorization
Configuring local end-user accounts
Configuring queries for remote end-user accounts
Configuring LDAP queries
Example for a configuration for AD
Configuring RADIUS queries
Configuring NTLM queries
Configuring a Kerberos Key Distribution Center (KDC)
Grouping users
Applying user groups to an authorization realm
Grouping authorization rules
Single sign-on (SSO) (site publishing)
Two-factor authentication
RSA SecurID authentication
Using Kerberos authentication delegation
Types of Kerberos authentication delegation
Configuring Windows Authentication for Kerberos authentication delegation
Offloaded authentication and optional SSO configuration
To create an Active Directory (AD) user for FortiWeb
Example: Enforcing complex passwords
Defining your web servers & load balancers
Protected web servers vs. allowed/protected host names
Defining your protected/allowed HTTP “Host:” header names
Defining your web servers
Configuring server up/down checks
Configuring session persistence
Configuring session persistence per transaction
Creating a server pool
Routing based on HTTP header content, source IP, or cookie
Example: Routing according to URL/path
Example: Routing according to the HTTP “Host:” field
Example: HTTP routing with full URL & host name rewriting
Defining your proxies, clients, & X-headers
Indicating the original client’s IP to back-end web servers
Indicating to back-end web servers that the client’s request was HTTPS
Blocking the attacker’s IP, not your load balancer
Configuring virtual servers on your FortiWeb
Defining your network services
Defining custom services
Predefined services
Enabling or disabling traffic forwarding to your servers
Secure connections (SSL/TLS)
Offloading vs. inspection
Supported cipher suites & protocol versions
SSL offloading cipher suites and protocols (reverse proxy and true transparent proxy)
SSL inspection cipher suites and protocols (offline and transparent inspection)
Uploading trusted CAs’ certificates
Grouping trusted CAs’ certificates
How to offload or inspect HTTPS
Generating a certificate signing request
Uploading a server certificate
Supplementing a server certificate with its signing chain
Allowing FortiWeb to support multiple server certificates
How to force clients to use HTTPS
How to apply PKI client authentication (personal certificates)
Example: Generating & downloading a personal certificate from Microsoft Windows 2003 Server
Example: Downloading the CA’s certificate from Microsoft Windows 2003 Server
Example: Importing the personal certificate & private key to a client’s trust store on Microsoft Windows 7
Uploading the CA’s certificate to FortiWeb’s trusted CA store
Configuring FortiWeb to validate client certificates
Use URLs to determine whether a client is required to present a certificate
Revoking certificates
How to export/back up certificates & private keys
Access control
Restricting access to specific URLs
Combination access control & rate limiting
Blacklisting & whitelisting clients
Blacklisting source IPs with poor reputation
Blacklisting & whitelisting countries & regions
Blacklisting & whitelisting clients using a source IP or source IP range
Blacklisting content scrapers, search engines, web crawlers, & other robots
Rate limiting
DoS prevention
Configuring application-layer DoS protection
Limiting the total HTTP request rate from an IP
Example: HTTP request rate limit per IP
Limiting TCP connections per IP address by session cookie
Example: TCP connection per session limit
Preventing an HTTP request flood
Example: HTTP request flood prevention
Configuring network-layer DoS protection
Limiting TCP connections per IP address
Example: TCP flood prevention
Preventing a TCP SYN flood
Grouping DoS protection rules
Preventing brute force logins
Rewriting & redirecting
Example: HTTP-to-HTTPS redirect
Example: Full host name/URL translation
Example: Sanitizing poisoned HTML
Example: Inserting & deleting body text
Example: Rewriting URLs using regular expressions
Example: Rewriting URLs using variables
Caching
What can be cached?
Blocking known attacks & data leaks
Configuring action overrides or exceptions to data leak & attack detection signatures
Finding signatures that are disabled or “Alert Only”
Defining custom data leak & attack signatures
Example: ASP .Net version & other multiple server detail leaks
Example: Zero-day XSS
Example: Local file inclusion fingerprinting via Joomla
Defeating cipher padding attacks on individually encrypted inputs
Enforcing page order that follows application logic
Specifying URLs allowed to initiate sessions
Preventing zero-day attacks
Validating parameters (“input rules”)
Bulk changes to input validation rules
Defining custom data types
Preventing tampering with hidden inputs
Specifying allowed HTTP methods
Configuring allowed method exceptions
HTTP/HTTPS protocol constraints
Configuring HTTP protocol constraint exceptions
Limiting file uploads
Compression & decompression
Configuring compression/decompression exemptions
Configuring compression offloading
Configuring temporary decompression for scanning & rewriting
Policies
How operation mode affects server policy behavior
Configuring the global object white list
Configuring a protection profile for inline topologies
Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
Configuring a server policy
HTTP pipelining
Enabling or disabling a policy
Anti-defacement
Specifying files that anti-defacement does not monitor
Reverting a defaced web site
Compliance
Database security
Authorization
Preventing data leaks
Vulnerability scans
Preparing for the vulnerability scan
Live web sites
Network accessibility
Traffic load & scheduling
Scheduling web vulnerability scans
Configuring vulnerability scan settings
Running vulnerability scans
Manually starting & stopping a vulnerability scan
Viewing vulnerability scan reports
Scan report contents
Downloading vulnerability scan reports
Advanced/optional system settings
Changing the FortiWeb appliance’s host name
Fail-to-wire for power loss/reboots
Customizing error and authentication pages (replacement messages)
Attack block page HTTP response codes
Macros in custom error and authentication pages
Label macros
Image macros
Advanced settings
Example: Setting a separate rate limit for shared Internet connections
Monitoring your system
Status dashboard
System Information widget
FortiGuard Information widget
CLI Console widget
System Resources widget
Attack Log Console widget
Real Time Monitor widget
Event Log Console widget
Policy Sessions widget
Operation widget
Policy Status dashboard
Health Check Status
Session Count
RAID level & disk statuses
Logging
About logs & logging
Log types
Log severity levels
Log rate limits
Configuring logging
Enabling log types, packet payload retention, & resource shortage alerts
Configuring log destinations
Obscuring sensitive data in the logs
Configuring Syslog settings
Configuring FortiAnalyzer policies
Configuring SIEM policies
Configuring triggers
Viewing log messages
Viewing a single log message as a table
Viewing packet payloads
Switching between Raw & Formatted log views
Displaying & arranging log columns
Filtering log messages
Downloading log messages
Deleting log files
Searching attack logs
Coalescing similar attack log messages
Alert email
Configuring email settings
Configuring alert email for event logs
SNMP traps & queries
Configuring an SNMP community
MIB support
Reports
Customizing the report’s headers, footers, & logo
Restricting the report’s scope
Choosing the type & format of a report profile
Scheduling reports
Selecting the report’s file type & email delivery
Viewing & downloading generated reports
Data analytics
Configuring policies to gather data
Updating data analytics definitions
Viewing web site statistics
Filtering the data analytics report
Bot analysis
Monitoring currently blocked IPs
FortiGuard updates
Vulnerability scans
Fine-tuning & best practices
Hardening security
Topology
Administrator access
User access
Signatures & patches
Buffer hardening
Enforcing valid, applicable HTTP
Sanitizing HTML application inputs
Improving performance
System performance
Antivirus performance
Regular expression performance tips
Logging performance
Report performance
Auto-learning performance
Vulnerability scan performance
Packet capture performance
Improving fault tolerance
Alerting the SNMP manager when HA switches the primary appliance
Reducing false positives
Regular backups
Downloading logs in RAM before shutdown or reboot
Troubleshooting
Frequently asked questions
Administration
FortiGuard
Access control and rewriting
Logging and packet capture
Security
Performance
How do I recover the password of the admin account?
What is the maximum number of ADOMs I can create?
How do I upload and validate a license for FortiWeb-VM?
How do I troubleshoot a high availability (HA) problem?
How do I upload a file to or download a file from FortiWeb?
Why did the FortiGuard service update fail?
Why is URL rewriting not working?
How do I create a custom signature that erases response packet content?
How do I reduce false positives and false negatives?
Why is FortiWeb not forwarding non-HTTP traffic (for example, RDP, FTP) to back-end servers even though set ip-forward is enabled?
How do I prevent cross-site request forgery (CSRF or XSRF) with a custom rule?
Why is the Signature Violation filter I added to my Advanced Protection custom rule not working?
Why do I not see HTTP traffic in the logs?
Why do I see HTTP traffic in the logs but not HTTPS traffic?
How do I store traffic log messages on the appliance hard disk?
Why is the most recent log message not displayed in the Aggregated Attack log?
How can I sniff FortiWeb packets (packet capture)?
How do I trace packet flow in FortiWeb?
Why is the number of cookies reported in my attack log message different from the number of cookies that message detail displays?
How do I detect which cipher suite is used for HTTPS connections?
How do I use performance tests to determine maximum performance?
How can I measure the memory usage of individual processes?
Tools
Ping & traceroute
Log messages
Diff
Packet capture
Diagnostic commands in the CLI
Retrieving kernel or daemon logs
How to troubleshoot
Establishing a system baseline
Determining the source of the problem
Planning & access privileges
Solutions by issue type
Connectivity issues
Checking hardware connections
Examining the ARP table
Checking routing
Testing for connectivity with ping
Testing routes & latency with traceroute
Examining the routing table
Checking port assignments
Performing a packet trace
Debugging the packet processing flow
Checking the SSL/TLS handshake & encryption
Resource issues
Killing system-intensive processes
Monitoring traffic load
Preparing for attacks
Login issues
Checking user authentication policies
When an administrator account cannot log in from a specific IP
Remote authentication query failures
Resetting passwords
Data storage issues
Bootup issues
Hard disk corruption or failure
Power supply failure
Issues forwarding non-HTTP/HTTPS traffic
Resetting the configuration
Restoring firmware (“clean install”)
Appendix A: Port numbers
Appendix B: Maximum configuration values
Maximum values on FortiWeb-VM
Data analytics maximums
Appendix D: Regular expressions
Regular expression syntax
What are back-references?
Cookbook regular expressions
Language support
Appendix C: Supported RFCs, W3C, & IEEE standards
RFCs
W3C standards
IEEE standards