• Begin monitoring the third-party cookies FortiWeb observes in traffic to your web servers. When cookies are found, an icon appears on Policy > Server Policy > Server Policy for each affected server. If cookies are threats, such as if they are used for state tracking or database input, consider enabling the Cookie Poisoning option on the inline protection profiles for those servers.

• Add any missing rules and policies to your protection profiles, such as:

• page access rules (see “Enforcing page order that follows application logic”)

• start page rules (see “Specifying URLs allowed to initiate sessions”)

• brute force login profiles (see “Preventing brute force logins”)

• rewriting policies (see “Rewriting & redirecting”)

• denial-of-service protection (see “DoS prevention”)

• Examine the Attack Event History in the Policy Summary widget on System > Status > Status. If you have zero attacks, but you have reasonable levels of traffic, it may mean the protection profile used by your server policy is incomplete and not detecting some attack attempts.

• Examine the Attack Log widget on System > Status > Status. If the list includes many identical entries, it likely indicates false positives. If there are many entries of a different nature, it likely indicates real attacks. If there are no attack log entries but the Attack Event History shows attacks, it likely means you have not correctly configured logging. See “Configuring logging”.