Vulnerability scans
You can scan your web servers and web applications for known vulnerabilities. The results help you design protection profiles that make effective and efficient use of processing resources.
Vulnerability reports from a certified vendor can help you comply with regulations and certifications that require periodic vulnerability scans, such as Payment Card Industry Data Security Standard (PCI DSS).
Run vulnerability scans during initial FortiWeb deployment (see “How to set up your FortiWeb”) and any time you are staging a new version of your web applications. You may also be required by your compliance regime to provide reports on a periodic basis, such as quarterly.
Each vulnerability scan starts from an initial URL, authenticates if set up to do so, then scans for vulnerabilities in web pages that it crawls to from links on the initial page. After performing the scan, the FortiWeb appliance generates a report from the scan results.
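The crawl phase described above, modelled as an added stand-alone example (this is not FortiWeb code and does not use any FortiWeb API): it starts from an initial URL, performs a hypothetical login step when a login URL is given, follows anchor links found on each page, stays on the initial host and stops at a depth limit. The pages are a constructed in-memory sample site so the example runs offline; `fetch`, `authenticate`, `crawl` and the `SITE` dictionary are all assumptions introduced here.

```python
"""Added example (not FortiWeb code): a minimal model of the crawl phase.

A scan starts from an initial URL, optionally authenticates, then visits the
pages it reaches through links on each page. This model walks a constructed
set of pages offline, stays on the initial host and stops at a depth limit,
so a misconfigured starting point cannot send the crawl across the network.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urldefrag

# Constructed sample site (hypothetical): a few pages with internal and
# external links. Keys are absolute URLs, values are the HTML bodies.
SITE = {
    "https://staging.example.test/":
        '<a href="/login">Login</a> <a href="/docs/">Docs</a>',
    "https://staging.example.test/login":
        '<form action="/login" method="post"></form><a href="/">Home</a>',
    "https://staging.example.test/docs/":
        '<a href="page1.html">P1</a> <a href="https://other.example.test/x">Ext</a>',
    "https://staging.example.test/docs/page1.html":
        '<a href="#top">Top</a> <a href="/docs/deep/1">Deep</a>',
    "https://staging.example.test/docs/deep/1":
        '<a href="/docs/deep/2">Deeper</a>',
    "https://staging.example.test/docs/deep/2":
        '<a href="/">Home</a>',
}


class LinkExtractor(HTMLParser):
    """Collects href values from <a> tags, the links a crawl would follow."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def fetch(url, session):
    """Stand-in for an HTTP client; a real one would send session cookies."""
    return SITE.get(url)


def authenticate(session, login_url):
    """Hypothetical login step: the scan 'authenticates if set up to do so'.
    Here it only marks the session as logged in against the given URL."""
    session["authenticated"] = True
    session["login_url"] = login_url
    return session


def crawl(start_url, max_depth=2, login_url=None):
    """Breadth-first crawl from start_url.

    Returns (visited, skipped_external): the pages reached within max_depth
    link hops on the starting host, and off-host links that were not followed.
    """
    session = {}
    if login_url:
        authenticate(session, login_url)
    origin = urlparse(start_url).netloc
    seen = {start_url}
    queue = deque([(start_url, 0)])
    visited, skipped_external = [], []
    while queue:
        url, depth = queue.popleft()
        body = fetch(url, session)
        if body is None:
            continue  # unreachable page: record nothing, keep crawling
        visited.append(url)
        if depth >= max_depth:
            continue  # depth limit reached: do not expand this page's links
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.hrefs:
            absolute, _fragment = urldefrag(urljoin(url, href))
            if urlparse(absolute).netloc != origin:
                skipped_external.append(absolute)  # stay on the scanned host
                continue
            if absolute not in seen:
                seen.add(absolute)
                queue.append((absolute, depth + 1))
    return visited, skipped_external


if __name__ == "__main__":
    pages, external = crawl("https://staging.example.test/", max_depth=2,
                            login_url="https://staging.example.test/login")
    print("visited:", pages)
    print("skipped off-host:", external)
```

The depth limit and the same-host check are the two controls worth noting: together they keep a scan pointed at the staging server it was prepared for, which is the reason the procedure below has you stage a server before scanning rather than crawl production.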
 
Create and run web vulnerability scans early in the configuration of your FortiWeb appliance. Use the reports to locate vulnerabilities and fine-tune your protection settings.
 
If you have many web servers, you may want a FortiScan appliance to:
deepen vulnerability scans
integrate patch deployment
prioritize and track fixes via ticketing
offload and distribute scans to improve performance and remove bottlenecks
To run a web vulnerability scan
1. Optionally, configure email settings. Email settings included in vulnerability scan profiles cause FortiWeb to email scan reports (see “Configuring email settings”).
2. Prepare the staging or development web server for the scan (see “Preparing for the vulnerability scan”).
3. Create a scan schedule, unless you plan to execute the scan manually. The schedule defines how often the scan runs (see “Scheduling web vulnerability scans”).
4. Create a scan profile. The profile defines which vulnerabilities to scan for (see “Configuring vulnerability scan settings”).
5. Create a scan policy. The policy integrates a scan profile and schedule (see “Running vulnerability scans”).
6. Either start the vulnerability scan manually (see “Manually starting & stopping a vulnerability scan”), or wait for it to run automatically according to its schedule.
7. Examine the vulnerability scan report. The report provides details and analysis of the scan results (see “Viewing vulnerability scan reports”).
See also
Preparing for the vulnerability scan
Running vulnerability scans
Configuring vulnerability scan settings
Scheduling web vulnerability scans
Viewing vulnerability scan reports