Configuring basic policies
As the last step in the setup sequence, you must configure at least one policy.
Until you configure a policy, by default, FortiWeb will:
• while in reverse proxy mode, deny all traffic (positive security model)
• while in other operation modes, allow all traffic (negative security model)
Once traffic matches a policy, protection profile rules are applied using a negative security model — that is, traffic that matches a policy is allowed unless it is flagged as disallowed by any of the enabled scans.
Keep in mind:
• Change policy settings with care. Changes take effect immediately after you click OK.
• When you change any server policy, you should retest it.
• FortiWeb appliances apply policies, rules, and scans in a specific order, and that order decides each outcome. (See “Sequence of scans”.) Review the logic of your server policies to make sure they deliver the web protection and features you expect.
This section contains examples to get you started:
• Example 1: Configuring a policy for HTTP via auto-learning
• Example 2: Configuring a policy for HTTPS
• Example 3: Configuring a policy for load balancing
Once completed, continue with “Testing your installation”.