
FortiWeb™ Web Application Firewall
Version 4.0 MR2
Administration Guide
Revision 10
16 June 2011

© Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory compliance
FCC Class A Part 15 CSA/CUS
Contents
Introduction ............................................................................................ 13
Scope ............................................................................................................................. 14
Workflow ........................................................................................................................ 14
Deleting entries ............................................................................................................. 15
Characteristics of XML threats .................................................................................... 15
Characteristics of HTTP threats .................................................................................. 16
Customer service & technical support ....................................................................... 18
Documentation Conventions ....................................................................................... 19
IP addresses............................................................................................................. 19
Cautions, Notes, & Tips ............................................................................................ 19
Typographical conventions ....................................................................................... 19
Command syntax conventions.................................................................................. 20

What’s new ............................................................................................. 23


About the web-based manager............................................................. 25
Deployment guidelines.......................................................................... 27
Deployment prerequisites ......................................................................................... 27
Server policy ...................................................................................................... 27
Deployment workflow................................................................................................ 27
Phase 1: Examine the initial configuration ................................................................. 28
Do a visual check...................................................................................................... 28
Check dynamic data on the dashboard .................................................................... 28
Check your auto-learning data.................................................................................. 29
Phase 2: Monitor and tune the configuration ............................................................. 30
Stay diligent .............................................................................................................. 30
Tune up alerts........................................................................................................... 30
Define logs, reports and email alerts ........................................................................ 32
Phase 3: Test for vulnerabilities .................................................................................. 33
Stay diligent .............................................................................................................. 33
Aggregate attack types ............................................................................................. 34
Search for vulnerabilities .......................................................................................... 34
Phase 4: Switch from offline protection mode (if applicable)................................... 35
Prepare to switch operation mode ............................................................................ 36
Change operation mode ........................................................................................... 36
Reconfigure your system .......................................................................................... 36
Retest your system ................................................................................................... 37
Remain diligent ......................................................................................................... 37

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide


Revision 10 3
http://docs.fortinet.com/ • Feedback

Phase 5: Prepare for full operation ............................................................. 37
Extend your server configuration .............................................................................. 37
Remain diligent ......................................................................................................... 38
Make final deployment settings ................................................................................ 38
What else can you do? ................................................................................................. 39

System .................................................................................................... 41
Viewing system status.................................................................................................. 41
System Information widget ....................................................................................... 43
Changing the FortiWeb unit’s host name ........................................................... 45
CLI Console widget................................................................................................... 45
System Resources widget ........................................................................................ 47
Policy Summary widget ............................................................................................ 47
Attack Log Console widget ....................................................................................... 48
Event Log Console widget ........................................................................................ 48
Service Status widget ............................................................................................... 49
Policy Sessions widget ............................................................................................. 50
Configuring the network and VLAN interfaces .......................................................... 50
Adding a VLAN subinterface..................................................................................... 53
Configuring v-zones (bridges)................................................................................... 55
Configuring fail-open................................................................................................. 58
Configuring the DNS settings ...................................................................................... 58
Synchronizing configurations ..................................................................................... 59
Configuring high availability (HA) ............................................................................... 61
About the heartbeat and synchronization ................................................................. 65
Configuring the SNMP agent ....................................................................................... 66
Configuring an SNMP community............................................................................. 68
Configuring DoS protection ......................................................................................... 70
Configuring the operation mode ................................................................................. 71
Viewing RAID status ..................................................................................................... 74
Configuring administrator accounts ........................................................................... 75
Configuring trusted hosts.......................................................................................... 78
Configuring access profiles....................................................................................... 78
About permissions .................................................................................................... 80
Configuring the web-based manager’s global settings ............................................ 82
Managing certificates ................................................................................................... 84
Managing local and server certificates ..................................................................... 84
Generating a certificate signing request............................................................. 86
Submitting a certificate signing request.............................................................. 88
Uploading a certificate........................................................................................ 88
Managing OCSP server certificates.......................................................................... 90
Managing CA certificates.......................................................................................... 90


Grouping CA certificates .................................................................... 91
Managing certificates for intermediate CAs........................................................ 92
Grouping certificates for intermediate CAs......................................................... 94
Managing the certificate revocation list..................................................................... 95
Configuring certificate verification rules .................................................................... 95
Backing up and restoring configurations ................................................................... 96
Configuring an FTP backup and schedule ................................................................. 98
Restoring an FTP backup ....................................................................................... 100
Configuring system time ............................................................................................ 100
Uploading signature updates..................................................................................... 101
Scheduling signature updates................................................................................... 102
Accessing the Setup Wizard ...................................................................................... 104

Router.................................................................................................... 105
Configuring static routes ........................................................................................... 105

Users and user groups ........................................................ 107
User creation workflow ........................................................................................... 107
Configuring local users .............................................................................................. 108
Configuring LDAP user queries................................................................................. 109
Configuring RADIUS user queries............................................................................. 111
Configuring NTLM user queries ................................................................................ 113
Grouping users ........................................................................................................... 114

Server policy......................................................................... 117
Server policy workflow requirements ...................................................................... 117
Configuring server policies........................................................................................ 118
Enabling or disabling a policy ................................................................................. 128
Configuring servers .................................................................................................... 129
Configuring virtual servers ...................................................................................... 129
Enabling or disabling a virtual server ............................................................... 130
Configuring physical servers................................................................................... 131
Enabling or disabling a physical server ............................................................ 133
Configuring domain servers.................................................................................... 133
Enabling or disabling a domain server ............................................................. 135
Grouping physical and domain servers into server farms....................................... 135
Configuring HTTP content routing policy ................................................................ 139
Configuring HTTP conversion policy ...................................................................... 141
Configuring server health checks ............................................................................. 143
Configuring services .................................................................................................. 145
Viewing the list of custom services ......................................................................... 145
Viewing the list of predefined services.................................................................... 146


Configuring protected servers................................................................... 147
Configuring predefined patterns ............................................................................... 150
Grouping predefined data types ............................................................................. 150
Viewing the list of predefined data types ................................................................ 152
Grouping suspicious URLs ..................................................................................... 154
Viewing predefined URL rules ................................................................................ 155
Configuring custom patterns ..................................................................................... 156
Creating custom data types .................................................................................... 156
Creating custom suspicious URLs.......................................................................... 157
Creating custom suspicious URL rules................................................................... 158
Configuring custom application policies.................................................................. 160
Custom application workflow .................................................................................. 160
Configuring URL replacers ..................................................................................... 160
Configuring application policies .............................................................................. 161

XML protection ..................................................................... 163
XML protection profile workflow.............................................................................. 163
Configuring protection schedules............................................................................. 163
Configuring one-time schedules ............................................................................. 164
Configuring recurring schedules ............................................................................. 165
Configuring content filter rules ................................................................................. 166
How priority affects content filter rule matching ...................................................... 169
Enabling or disabling a content filter rule................................................................ 169
Configuring intrusion prevention rules .................................................................... 170
Enabling or disabling an intrusion prevention rule .................................................. 172
Configuring WSDL content routing groups.............................................................. 173
Managing XML signature and encryption keys ........................................................ 175
Uploading a key ...................................................................................................... 175
Grouping keys into key management groups ......................................................... 176
Managing schema files............................................................................................... 178
Enabling or disabling a schema file ........................................................................ 180
Managing WSDL files.................................................................................................. 181
Enabling and disabling operations in a WSDL file .................................................. 182
Grouping WSDL files .............................................................................................. 183
Configuring XML protection profiles......................................................................... 184

Web protection ..................................................................... 189
Web protection profile workflow.............................................................................. 189
Order of execution ...................................................................................................... 190
Responding to web protection rule violations ......................................................... 191
Configuring HTTP parameter validation rules.......................................................... 192
Configuring parameter validation input rules .......................................................... 194


Configuring page access rules.................................................................. 198
Configuring server protection rules .......................................................................... 201
Configuring server protection exceptions ............................................................... 207
Configuring custom protection groups .................................................................... 209
Configuring custom protection rules ....................................................................... 211
Configuring start page rules ...................................................................................... 213
Configuring URL access policy ................................................................................. 216
Configuring URL access rules ................................................................................ 218
Configuring an IP list policy....................................................................................... 220
Viewing the top 10 IP blacklist candidates.............................................................. 223
Configuring brute force login profiles ...................................................................... 224
Configuring robot control profiles ............................................................................ 227
Configuring predefined robot groups ...................................................................... 230
Configuring custom robot groups............................................................................ 232
Viewing the list of predefined robots....................................................................... 234
Configuring allowed request method policy ............................................................ 235
Configuring allowed method exceptions ................................................................. 237
Configuring hidden field protection profiles ............................................................ 239
Configuring hidden field rules ................................................................................. 241
Configuring URL rewriting policy .............................................................................. 244
Configuring URL rewriting rules.............................................................................. 246
URL rewriting examples.......................................................................................... 250
Rewriting URLs using regular expressions ...................................................... 251
Rewriting URLs using variables ....................................................................... 251
Configuring HTTP protocol constraint profiles........................................................ 252
Configuring HTTP protocol constraint exceptions .................................................. 254
Configuring authentication policy ............................................................................. 257
HTTP authentication policy workflow...................................................................... 259
Configuring authentication policy............................................................................ 259
Configuring authentication rules ............................................................................. 261
Configuring file upload restriction policy ................................................................. 263
Configuring file upload restriction rules................................................................... 265
Configuring inline protection profiles ....................................................................... 268
Inline protection profile workflow............................................................................. 268
Configuring an inline protection profile ................................................................... 269
Configuring offline protection profiles ..................................................................... 274
Offline protection profile workflow........................................................................... 274
Configuring an offline protection profile .................................................................. 275
Applying auto-learning profiles ................................................................................. 278
Auto-learning profile workflow................................................................................. 278
Configuring auto-learning profiles........................................................................... 279


Auto learn ............................................................................. 281
Generating an auto-learning profile and its components ....................................... 281
Viewing auto-learning reports ................................................................................... 282
Using the navigation pane ...................................................................................... 284
Using the report display pane ................................................................................. 285
Overview tab .................................................................................................... 286
Attacks tab ....................................................................................................... 287
Visits tab........................................................................................................... 288
Parameters tab................................................................................................. 288
Cookies tab ...................................................................................................... 288
About the attack count ............................................................................................ 289
Generating a profile from auto-learning data ........................................................... 289

Web anti-defacement ........................................................... 293
Configuring anti-defacement ..................................................................................... 293
About web site backups.......................................................................................... 297
Reverting a web site to a backup revision................................................................ 297

Web vulnerability scans ...................................................... 299
Web vulnerability scan workflow............................................................................. 299
Preparing for the vulnerability scan.......................................................................... 300
Configuring web vulnerability scan policies ............................................................ 300
Starting and stopping a web vulnerability scan....................................................... 302
Configuring web vulnerability scan profiles ............................................................ 303
Configuring web vulnerability scan schedules ........................................................ 308
Viewing scan history and reports.............................................................................. 309
About web vulnerability scan reports ...................................................................... 310

Logs and reports.................................................................. 313
Log configuration workflow ..................................................................................... 313
About logging.............................................................................................................. 313
Log types ................................................................................................................ 314
Log priority levels.................................................................................................... 314
Log message field descriptions ................................................................................ 314
Configuring log alert policies .................................................................................... 316
Configuring email policies....................................................................................... 317
Configuring Syslog policies..................................................................................... 319
Configuring FortiAnalyzer policies .......................................................................... 321
Configuring trigger policies ..................................................................................... 322
Configuring and enabling logging............................................................................. 323
Configuring global log settings................................................................................ 324
Enabling logging ..................................................................................................... 327
Obscuring sensitive data in the logs ....................................................................... 329


Viewing log messages................................................................................ 331
Selecting a log type to view .................................................................................... 332
Viewing log message details .................................................................................. 335
Viewing packet log details ...................................................................................... 336
Customizing the log view ........................................................................................ 337
Displaying and arranging log columns ............................................................. 338
Filtering log messages ..................................................................................... 339
Grouping similar attack log messages ............................................................. 340
Searching attack logs ............................................................................................. 341
Downloading log messages....................................................................................... 343
Configuring and generating reports.......................................................................... 344
Configuring a report profile ..................................................................................... 346
Configuring the headers, footers, and logo of a report profile .......................... 347
Configuring the time period and log filter of a report profile ............................. 348
Configuring the query selection of a report profile............................................ 349
Configuring the advanced options of a report profile........................................ 350
Configuring the schedule of a report profile ..................................................... 351
Configuring the output of a report profile.......................................................... 352
Viewing and downloading reports............................................................................. 353

Fine tuning and best practices ........................................... 355
Avoiding problems...................................................................................................... 355
Tuning security ........................................................................................................... 357
Tuning high availability (HA)...................................................................................... 361
Set an SNMP HA heartbeat alert............................................................................ 362
Tuning policy............................................................................................................... 362
Tuning performance ................................................................................................... 363
Troubleshooting tip ................................................................................................. 368

Troubleshooting................................................................................... 369
Establish a system baseline ...................................................................................... 369
Check traffic flow ........................................................................................................ 369
Define the problem...................................................................................................... 370
Search for a known solution ...................................................................................... 371
Technical documentation........................................................................................ 371
Knowledge Base..................................................................................................... 371
Fortinet technical discussion forums....................................................................... 371
Fortinet training services online campus ................................................................ 371
Create a troubleshooting plan ................................................................................... 371
Check your access ................................................................................................. 372
Gather system information ........................................................................................ 372
Check port assignments ......................................................................................... 373

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide


Revision 10 9
http://docs.fortinet.com/ • Feedback
Contents

Troubleshoot connectivity issues ............................................................................. 373


Check hardware connections ................................................................................. 374
Run ping and traceroute ......................................................................................... 374
Check connections with ping............................................................................ 375
Check routes with traceroute ........................................................................... 376
Verify the contents of the routing table ................................................................... 377
Verify the contents of the ARP table....................................................................... 377
Perform a sniffer trace ............................................................................................ 377
What can sniffing packets tell you .................................................................... 378
Debug the packet flow ............................................................................................ 378
Troubleshoot resource issues................................................................................... 378
Look for system-intensive processes...................................................................... 378
Monitor traffic .......................................................................................................... 379
Prepare for attacks ................................................................................................. 379
Troubleshoot user and admin login issues .............................................................. 379
Use correct user name and password combination for user .................................. 379
Check user authentication policies ......................................................................... 379
Change an administrator's password ..................................................................... 380
Trusted hosts for admin account will not allow current IP....................................... 380
Troubleshoot bootup issues ...................................................................................... 381
A. Do you see the boot options menu..................................................................... 381
B. Do you have problems with the console text...................................................... 381
C. Do you have visible power problems ................................................................. 382
D. You have a suspected defective FortiWeb unit.................................................. 382
Contact Fortinet customer support for assistance.................................................. 382

Installing new firmware ....................................................................... 385


Testing new firmware before installing it ................................................................. 385
Installing firmware ...................................................................................................... 387
Installing backup firmware......................................................................................... 389
Restoring firmware ..................................................................................................... 391

Appendix A: Supported RFCs, W3C and IEEE standards................ 395


Appendix B: Maximum values ............................................................ 397
FortiWeb-VM........................................................................................................... 397
Interpreting maximum values .................................................................................... 397
Persistent server sessions...................................................................................... 398
Network and VLAN interfaces................................................................................. 398


Appendix C: SNMP MIB support......................................................... 399


Appendix D: Language support & regular expressions................... 401
Appendix E: Ports used by FortiWeb................................................. 403
Index...................................................................................................... 405

Introduction
Welcome and thank you for selecting Fortinet products for your network protection.
FortiWeb units are designed specifically to protect web servers.
Note: Any reference to a FortiWeb unit also applies to FortiWeb-VM, unless specifically
noted otherwise. Both versions perform the same tasks and you configure them the same
way. Only their installation differs.

The FortiWeb family of web application firewalls provides specialized, layered application
threat protection. FortiWeb’s integrated web application and XML firewalls protect your
web-based applications and internet-facing data from attack and data loss. Using
advanced techniques to provide bidirectional protection against sophisticated threats like
SQL injection and cross-site scripting, FortiWeb helps you prevent identity theft, financial
fraud and corporate espionage. FortiWeb delivers the technology you need to monitor and
enforce government regulations, industry best practices, and internal policies.
FortiWeb significantly reduces deployment costs by consolidating a web application
firewall, XML filtering, web traffic acceleration, and application traffic balancing into a
single device. It drastically reduces the time required to protect your internet-facing data
and eases the challenges associated with policy enforcement and regulatory compliance.
Its intelligent, application-aware, load-balancing engine:
• increases application performance
• improves resource utilization
• improves application stability
• reduces server response times.
In addition to providing application content-based routing and in-depth protection for many
HTTP/HTTPS- and XML-specific attacks, FortiWeb units contain specialized hardware to
accelerate SSL processing, and can thereby enhance both the security and the
performance of connections to your web servers.
This chapter introduces you to the following topics:
• Registering your Fortinet product
• Scope
• Workflow
• Deleting entries
• Characteristics of XML threats
• Characteristics of HTTP threats
• Customer service & technical support
• Documentation
• Documentation Conventions

Registering your Fortinet product


Before you begin, take a moment to register your Fortinet product at the Fortinet Technical
Support web site, https://support.fortinet.com.


Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Fortinet Knowledge Base article Registration Frequently
Asked Questions.

Scope
This document describes how to use the web-based manager of the FortiWeb unit. It
assumes you have already successfully installed the FortiWeb unit by following the
instructions in the FortiWeb Install and Setup Guide.
At this stage:
• The FortiWeb unit is integrated into your network and is powered on.
• You have completed firmware updates, if applicable.
• You configured a port on the FortiWeb unit during installation. You must configure at
least one port to access the web-based manager or CLI. If not, consult the FortiWeb
Install and Setup Guide.
• You have administrative access to the web-based manager through a browser, and
you can log in successfully. If not, consult the FortiWeb Install and Setup Guide.
• You have given the default administrator a password. If not, consult the FortiWeb
Install and Setup Guide or refer to “Configuring administrator accounts” on page 75.
• You have set the operation mode. If not, consult the FortiWeb Install and Setup Guide
or refer to “Configuring the operation mode” on page 71.
• You have configured additional network interfaces. If not, consult the FortiWeb Install
and Setup Guide or refer to “Configuring the network and VLAN interfaces” on
page 50.
• You have configured the system time. If not, consult the FortiWeb Install and Setup
Guide or refer to “Configuring system time” on page 100.
• You have configured the DNS. If not, consult the FortiWeb Install and Setup Guide or
refer to “Configuring the DNS settings” on page 58.
• You have configured a default gateway. If not, consult the FortiWeb Install and Setup
Guide or refer to “Configuring static routes” on page 105.
• You have configured basic logging. If not, consult the FortiWeb Install and Setup Guide
or refer to “Configuring log alert policies” on page 316.
• You have created at least one server policy. If not, consult the FortiWeb Install and
Setup Guide or refer to “Server policy workflow requirements” on page 117.
This document does not cover commands for the command line interface (CLI). For
information on the CLI, see the FortiWeb CLI Reference.

Workflow
There is a logical order to follow during the setup and configuration of your FortiWeb unit.
Make sure you have followed the workflow steps documented in the FortiWeb Install and
Setup Guide. That workflow guides you through installation, setup, and the creation of a
basic system.
This document explains how to develop more comprehensive server policies and other
protection features for your web sites and web servers.


For a first-time FortiWeb user, read the chapter on deployment guidelines before going
further. See “Deployment guidelines” on page 27.
You can find targeted workflow information throughout this guide:
• Look for a workflow topic on the opening page of several chapters.
• Within some chapters, complicated topics also have a workflow section.
• Within feature descriptions, look for a brief tip on recommended workflow.
Server policies provide most of FortiWeb's protection features. When you begin to
expand existing server policies or create new ones, review “Server policy workflow
requirements” on page 117. This topic gives the highest level workflow. Creating a
server policy involves multiple steps, and you can drill down into workflow topics in other
chapters.

Deleting entries
As you configure your FortiWeb unit, you create entries in the tables on tabs accessed by
the menu. The ability to delete entries on any table is limited—you cannot delete or
remove an item that is a component of something else. A few examples are:
• You cannot delete a user on one of the user tabs if that user is a member of a group,
unless you first remove the user from the group.
• You cannot delete a group if that group is used by an authentication rule, unless you
first remove the group from the rule.
• You cannot remove an XML protection schedule item if it is used in the Period option of
a content filter rule, unless you first remove the schedule reference from the rule.
• You cannot delete a web protection parameter validation rule if it is used in an inline
or offline protection profile, unless you first remove the rule reference from the profile.
The Delete icon does not appear next to a table item if the delete operation is not allowed.

Characteristics of XML threats


XML messages can be relatively large: many megabytes and thousands of packets.
Unstructured matching of elements in those messages is both CPU and memory-
intensive. Because of the complexity of XML content, it is often not practical to develop
signatures for XML-specific attacks on a traditional firewall or UTM. This leads to “zero
day” vulnerabilities before attacks can be characterized and signatures developed.
FortiWeb units understand the XML protocol and only allow XML operations that you
specifically allow. Table 1 lists several XML-related threats and describes how FortiWeb
units protect against them.

Table 1: XML-related threats

Attack: Schema Poisoning
Description: Manipulating the XML schema to alter processing information.
Protection technique: Protect against schema poisoning by relying on trusted WSDL documents and XML schemas.
FortiWeb solution: The Schema Poisoning option in the protection profile prevents external schema references from being used.

Attack: XML Parameter Tampering
Description: Injection of malicious scripts or content into request parameters.
Protection technique: Validation of parameter values to ensure they are consistent with WSDL and XML schema specifications.
FortiWeb solution: Schema validation in the protection profile.

Attack: Inadvertent XML DoS
Description: Poorly encoded SOAP messages causing the application to fail.
Protection technique: Content inspection ensures SOAP messages are constructed properly according to WSDL, XML schema and intrusion prevention rules.
FortiWeb solution: Schema validation, WSDL verification and the intrusion prevention rule in the protection profile.

Attack: WSDL Scanning
Description: Scanning the WSDL interface can reveal sensitive information about invocation patterns, underlying technology and associated vulnerabilities.
Protection technique: Web services cloaking hides the web service's true location from consumers.
FortiWeb solution: WSDL scanning option and the ability to filter services from the WSDL on a per-IP / time basis.

Attack: Oversized Payload
Description: Sending oversized messages to create an XDoS attack.
Protection technique: Inspect the payload and enforce element, document, and other maximum payload thresholds.
FortiWeb solution: XML documents are checked with the schema and the intrusion prevention rule.

Attack: Recursive Payload
Description: Sending mass amounts of nested data to create an XDoS attack against the XML parser.
Protection technique: Content inspection ensures SOAP messages are constructed properly according to WSDL, XML schema, and other security specifications.
FortiWeb solution: Intrusion prevention definition.

Attack: SQL Injection
Description: SQL injection allows commands to be executed directly against the database for unauthorized disclosure and modification of data.
Protection technique: Rely on dirty word searches, restrictive context-sensitive filtering and data validation techniques.
FortiWeb solution: XML Profile option to filter SQL transactions from XML documents.

Attack: External Entity Attack
Description: An attack on an application that parses XML input from untrusted sources (DTD internal subset).
Protection technique: Suppress external URI references to protect against malicious data sources and instructions; rely on well-known and certified URIs.
FortiWeb solution: Similar to schema poisoning.
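Four of the rows in Table 1 (oversized payload, recursive payload, external entity references and malformed SOAP) reduce to checks that can be applied before a document ever reaches the XML parser of the back-end application. The inspector below is an added example written for this guide, not FortiWeb code: the size, depth and element-count limits are constructed values, the sample messages are constructed, and the substring test for DTD declarations is a deliberately blunt policy rather than an XML-aware one.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

# Policy limits. Constructed for this example; not FortiWeb defaults, and in
# practice tuned per application.
DEFAULT_LIMITS = {
    "max_bytes": 64 * 1024,  # oversized payload
    "max_depth": 32,         # recursive payload (nesting depth)
    "max_elements": 2000,    # element-count flood
}


class XmlPolicyViolation(Exception):
    """Raised when a document breaks one of the policy limits."""


def inspect_xml(data: bytes, limits: dict = DEFAULT_LIMITS) -> dict:
    """Check an XML document against size, DTD/entity and nesting limits.

    Returns a summary dict on success and raises XmlPolicyViolation otherwise.
    Cheap byte-level checks run first; the nesting check uses a streaming
    parse so a recursive payload is rejected before a full tree is built.
    """
    if len(data) > limits["max_bytes"]:
        raise XmlPolicyViolation(f"oversized payload: {len(data)} bytes")

    # External entity / schema-poisoning guard: refuse any DTD or entity
    # declaration outright. Deliberately conservative: the substring test also
    # fires on a DOCTYPE that only appears inside a comment or CDATA section.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise XmlPolicyViolation("DTD or entity declaration not allowed")

    depth = max_depth = elements = 0
    try:
        for event, elem in ET.iterparse(BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                max_depth = max(max_depth, depth)
                if depth > limits["max_depth"]:
                    raise XmlPolicyViolation(
                        f"nesting depth exceeds {limits['max_depth']}")
                if elements > limits["max_elements"]:
                    raise XmlPolicyViolation(
                        f"element count exceeds {limits['max_elements']}")
            else:
                depth -= 1
                elem.clear()  # release finished subtrees to keep memory flat
    except ET.ParseError as exc:
        # Inadvertent XML DoS: a malformed message is refused here rather than
        # handed to the back-end application.
        raise XmlPolicyViolation(f"malformed XML: {exc}") from None

    return {"bytes": len(data), "max_depth": max_depth, "elements": elements}


def verdict(data: bytes, limits: dict = DEFAULT_LIMITS) -> str:
    """Gateway-style decision string: 'allow' or 'block: <reason>'."""
    try:
        inspect_xml(data, limits)
        return "allow"
    except XmlPolicyViolation as exc:
        return f"block: {exc}"


# Constructed sample messages.
SOAP_SAMPLE = (
    b'<?xml version="1.0"?>\n'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">\n'
    b"  <soap:Body><getOrder><orderId>42</orderId></getOrder></soap:Body>\n"
    b"</soap:Envelope>"
)
RECURSIVE_SAMPLE = b"<a>" * 200 + b"<leaf/>" + b"</a>" * 200  # nesting depth 201
DTD_SAMPLE = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "hi">]><x>&e;</x>'
MALFORMED_SAMPLE = b"<a><b></a>"
OVERSIZED_SAMPLE = b"<a>" + b"x" * (70 * 1024) + b"</a>"

if __name__ == "__main__":
    for label, doc in [("soap", SOAP_SAMPLE), ("recursive", RECURSIVE_SAMPLE),
                       ("dtd", DTD_SAMPLE), ("malformed", MALFORMED_SAMPLE),
                       ("oversized", OVERSIZED_SAMPLE)]:
        print(f"{label:10s} {verdict(doc)}")
```

The DTD sample is rejected even though its entity is a harmless internal one: a policy that cannot distinguish safe from unsafe external references (the "suppress external URI references" row above) has to refuse the whole declaration class, which is why a gateway, not the application, is the right place to enforce it.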

Characteristics of HTTP threats


Web applications are increasingly being targeted by exploits such as SQL injection and
cross-site scripting attacks. These attacks aim to compromise the target web server, either
to steal information or to post malicious files on a trusted site to further exploit visitors to
the site. The types of attacks that web servers are vulnerable to are numerous and varied.
FortiWeb units offer several options for preventing web-related attacks. Table 2 lists
several Web-related threats and describes how FortiWeb units protect against them.

Table 2: Web-related threats

Attack: Cross-site request forgery (CSRF)
Description: A script causes a browser to access a web site on which the browser has already been authenticated, giving a third party access to a user’s session on that site.
Protection technique: Enforce web application business logic to prevent random access to URLs.
FortiWeb solution: Apply page access rules.

Attack: Cross-site scripting (XSS)
Description: Attackers cause a browser to execute a client-side script, allowing them to bypass security.
Protection technique: Content filtering, cookie security, disable client-side scripts.
FortiWeb solution: Apply XSS signature scanning in server protection rules.

Attack: SQL injection
Description: SQL injection allows commands to be executed directly against the database for unauthorized disclosure and modification of data.
Protection technique: Rely on dirty word searches, restrictive context-sensitive filtering and data validation techniques.
FortiWeb solution: Apply parameter validation rules, hidden fields protection features, and SQL injection signature scanning.

Attack: Attacks via Flash AMF binary protocol
Description: Attackers attempt XSS, SQL injection or other common exploits through a Flash client.
Protection technique: Actively scan Flash action message format binary data for known exploits.
FortiWeb solution: Apply AMF3 protocol scanning for known exploits.

Attack: Information leakage
Description: A web server reveals details (such as its OS, server software and installed modules) in responses or error messages. An attacker can leverage this information to craft exploits for a specific system or configuration.
Protection technique: Configure server software to minimize information leakage.
FortiWeb solution: Information disclosure detection in server protection rules can alert when leakage happens, or block it altogether. URL rewriting can hide underlying implementation details.

Attack: Credit card theft
Description: Attackers use exploits to obtain users’ credit card information from a secure server.
Protection technique: Detect and block credit card disclosure.
FortiWeb solution: Credit card detection in server protection rules can detect and block disclosure of credit card numbers on web pages.

Attack: SYN flood DoS attack
Description: An attacker sends multiple SYN messages to a host without responding to an ACK reply, leaving connections half open and consuming resources on the server. This may cause the server to ignore SYN messages from legitimate users and reduce service.
Protection technique: Detect increased SYN activity, close half open connections before resources are exhausted.
FortiWeb solution: Use a configurable threshold to detect a flood of SYN messages.

Attack: Brute force login attack
Description: An attacker attempts to gain authorization by repeatedly trying ID and password combinations until one works.
Protection technique: Require strong passwords for users, and throttle login attempts.
FortiWeb solution: Brute force login policies can throttle the number of login attempts per standalone or shared IP for specific resources.

Attack: Bad robots
Description: Misbehaving web crawlers ignore the robots.txt file, and consume server resources and bandwidth on a site.
Protection technique: Ban bad robots by source IP or User Agent field.
FortiWeb solution: Robot control can throttle requests per IP, and block robots identified by the User Agent field.

Attack: HTTP protocol attack
Description: Attackers use specially crafted HTTP requests to target web server vulnerabilities (such as a buffer overflow) to execute malicious code.
Protection technique: Limit the length of HTTP protocol fields.
FortiWeb solution: HTTP protocol constraint policies enforce configurable limits on the length of HTTP headers, bodies, and parameters.
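Two rows of Table 2 map directly to inspection logic: HTTP protocol constraints (length limits on headers, body and parameters of a request) and credit card detection on a response. The Python below is an added example for this guide, not FortiWeb code. The limits, the sample request and the response text are constructed; masking all but the last four digits is this example's own choice for the "block" action, since the page only says disclosed numbers are detected and blocked.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed limits; FortiWeb's own defaults are not given on this page.
LIMITS = {
    "header_line": 1024,  # bytes, per header line
    "body": 8192,         # bytes
    "param_name": 64,     # characters
    "param_value": 512,   # characters
}


def check_request_constraints(raw: bytes, limits: dict = LIMITS) -> list:
    """Return the HTTP protocol constraint violations found in a raw HTTP/1.x
    request. An empty list means the request passed every limit."""
    violations = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no end-of-headers marker"]
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.decode("latin-1").split(" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, _version = parts

    content_type = b""
    for line in header_lines:
        name, _, value = line.partition(b":")
        if len(line) > limits["header_line"]:
            violations.append(f"header too long: {name.decode('latin-1')}")
        if name.strip().lower() == b"content-type":
            content_type = value.strip().lower()
    if len(body) > limits["body"]:
        violations.append("body too long")

    # Parameters come from the query string and, for form posts, the body.
    # Every instance of a repeated parameter name is checked, not only the first.
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method == "POST" and content_type.startswith(b"application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    for name, value in params:
        if len(name) > limits["param_name"]:
            violations.append("parameter name too long")
        if len(value) > limits["param_value"]:
            violations.append(f"parameter value too long: {name}")
    return violations


# Credit card detection on responses: a run of 13 to 19 digits with optional
# space or dash separators that also passes the Luhn check digit test.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _is_card(candidate: str) -> bool:
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_card_numbers(text: str) -> list:
    """Detect: card-number-looking strings in a response body that pass Luhn."""
    return [m.group() for m in CARD_CANDIDATE.finditer(text) if _is_card(m.group())]


def mask_card_numbers(text: str) -> str:
    """Block: keep only the last four digits of each detected card number."""
    def mask(m):
        s = m.group()
        if not _is_card(s):
            return s
        n_digits = sum(ch.isdigit() for ch in s)
        out, seen = [], 0
        for ch in s:
            if ch.isdigit():
                seen += 1
                out.append(ch if seen > n_digits - 4 else "X")
            else:
                out.append(ch)
        return "".join(out)
    return CARD_CANDIDATE.sub(mask, text)


# Constructed samples: one request with an overlong header and an overlong
# form value, one clean request, and a response body with one real-looking
# card number and one digit run that fails Luhn.
OVERLONG_REQUEST = (
    b"POST /login?next=%2Faccount HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"X-Padding: " + b"A" * 1500 + b"\r\n"
    b"\r\n"
    b"user=alice&password=" + b"B" * 600
)
CLEAN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RESPONSE_BODY = ("Card on file: 4111 1111 1111 1111 (exp 12/29). "
                 "Reference 1234 5678 9012 3456 is not a card.")
```

The Luhn test is what keeps the second digit run in the sample response from being reported: a 16-digit order reference is a common false positive for a bare regex, and in a real deployment the alert-or-block decision would be made per URL so that pages which legitimately echo the last four digits are not blocked.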

Customer service & technical support


Fortinet Technical Support provides services designed to make sure that you can install
your Fortinet products quickly, configure them easily, and operate them reliably in your
network.
To learn about the technical support services that Fortinet provides, visit the Fortinet
Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket
by providing your configuration file, a network diagram, and other specific information. For
a list of required information, see the Fortinet Knowledge Base article Technical Support
Requirements.

Training
Fortinet Training Services provides classes that orient you quickly to your new equipment,
and certifications to verify your knowledge level. Fortinet provides a variety of training
programs to serve the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Fortinet Training
Services web site at http://training.fortinet.com, or email them at training@fortinet.com.

Fortinet Knowledge Base


The Fortinet Knowledge Base provides additional Fortinet technical documentation, such
as troubleshooting and how-to articles, examples, FAQs, technical notes, and more. Visit
the Fortinet Knowledge Base at http://kb.fortinet.com.

Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Base.

Fortinet Tools and Documentation CD


Many Fortinet publications are available on the Fortinet Tools and Documentation CD
shipped with your Fortinet product. The documents on this CD are current at shipping
time. For current versions of Fortinet documentation, visit the Fortinet Technical
Documentation web site, http://docs.fortinet.com.

Comments on Fortinet technical documentation


Please send information about any errors or omissions in this technical document to
techdoc@fortinet.com.

Documentation Conventions
Fortinet technical documentation uses the conventions described in this section.
• IP addresses
• Cautions, Notes, & Tips
• Typographical conventions
• Command syntax conventions

IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.

Cautions, Notes, & Tips


Fortinet technical documentation uses the following guidance and styles for cautions,
notes and tips.

Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.

Note: Presents useful information, usually focused on an alternative, optional method, such
as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions
Fortinet documentation uses the following typographical conventions:

Table 3: Typographical conventions in Fortinet technical documentation

Convention: Button, menu, text box, field, or check box label
Example: From Minimum log level, select Notification.

Convention: CLI input
Example:
    config system dns
        set primary <address_ipv4>
    end

Convention: CLI output
Example:
    FGT-602803030703 # get system settings
    comments : (null)
    opmode : nat

Convention: Emphasis
Example: HTTP connections are not secure and can be intercepted by a third party.

Convention: File content
Example:
    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
    <BODY><H4>You must authenticate to use this service.</H4>

Convention: Hyperlink
Example: Visit the Fortinet Technical Support web site, https://support.fortinet.com.

Convention: Keyboard entry
Example: Type a name for the remote VPN peer or client, such as Central_Office_1.

Convention: Navigation
Example: Go to VPN > IPSEC > Auto Key (IKE).

Convention: Publication
Example: For details, see the FortiGate Administration Guide.

Command syntax conventions


The command line interface (CLI) requires that you use valid syntax, and conform to
expected input constraints. It will reject invalid commands.
Brackets, braces, and pipes are used to denote valid permutations of the syntax.
Constraint notations, such as <address_ipv4>, indicate which data types or string
patterns are acceptable value input.
Table 4: Command syntax notation

Convention: Square brackets [ ]
Description: A non-required word or series of words. For example:
    [verbose {1 | 2 | 3}]
indicates that you may either omit or type both the verbose word and
its accompanying option, such as:
    verbose 3

Convention: Angle brackets < >
Description: A word constrained by data type.
To define acceptable input, the angled brackets contain a descriptive
name followed by an underscore ( _ ) and suffix that indicates the
valid data type. For example:
    <retries_int>
indicates that you should enter a number of retries, such as 5.
Data types include:
• <xxx_name>: A name referring to another part of the
configuration, such as policy_A.
• <xxx_index>: An index number referring to another part of the
configuration, such as 0 for the first static route.
• <xxx_pattern>: A regular expression or word with wild cards
that matches possible variations, such as *@example.com to
match all email addresses ending in @example.com.
• <xxx_fqdn>: A fully qualified domain name (FQDN), such as
mail.example.com.
• <xxx_email>: An email address, such as
admin@mail.example.com.
• <xxx_url>: A uniform resource locator (URL) and its associated
protocol and host name prefix, which together form a uniform
resource identifier (URI), such as
http://www.fortinet.com/.
• <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
• <xxx_v4mask>: A dotted decimal IPv4 netmask, such as
255.255.255.0.
• <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask
separated by a space, such as
192.168.1.99 255.255.255.0.
• <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask
separated by a slash, such as 192.168.1.99/24.
• <xxx_ipv6>: A colon ( : )-delimited hexadecimal IPv6 address,
such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
• <xxx_v6mask>: An IPv6 netmask, such as /96.
• <xxx_ipv6mask>: An IPv6 address and netmask separated by a
space.
• <xxx_str>: A string of characters that is not another data type,
such as P@ssw0rd. Strings containing spaces or special
characters must be surrounded in quotes or use escape
sequences. See the FortiWeb CLI Reference.
• <xxx_int>: An integer number that is not another data type,
such as 15 for the number of minutes.
Convention: Curly braces { }
Description: A word or series of words that is constrained to a set of options
delimited by either vertical bars or spaces.
You must enter at least one of the options, unless the set of options is
surrounded by square brackets [ ].

Convention: Options delimited by vertical bars |
Description: Mutually exclusive options. For example:
    {enable | disable}
indicates that you must enter either enable or disable, but must
not enter both.

Convention: Options delimited by spaces
Description: Non-mutually exclusive options. For example:
    {http https ping snmp ssh telnet}
indicates that you may enter all or a subset of those options, in any
order, in a space-delimited list, such as:
    ping https ssh
Note: To change the options, you must re-type the entire list. For
example, to add snmp to the previous example, you would type:
    ping https snmp ssh
If the option adds to or subtracts from the existing list of options,
instead of replacing it, or if the list is comma-delimited, the exception
will be noted.
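A script that assembles CLI commands for the unit can check each value against the data type named by its constraint suffix before the command is sent, so that a typo is caught locally rather than rejected by the CLI. The Python below is an added example for this guide, not Fortinet code: it parses a constraint token such as <retries_int> into its name and data-type suffix and validates a candidate value for that suffix. The rules used for <xxx_name>, <xxx_index>, <xxx_pattern> and <xxx_str> are this example's assumptions, since the page gives only illustrative values for them, and the FQDN check is a generic hostname-label rule rather than anything Fortinet-specific.

```python
import ipaddress
import re
from urllib.parse import urlsplit

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")  # at least one dot


def parse_constraint(token: str) -> tuple:
    """Split '<retries_int>' into ('retries', 'int'): the suffix after the
    last underscore names the data type (so '<xxx_ipv4/mask>' -> 'ipv4/mask')."""
    m = re.fullmatch(r"<([^<>]+)>", token)
    if not m:
        raise ValueError(f"not a constraint token: {token}")
    name, sep, kind = m.group(1).rpartition("_")
    if not sep:
        raise ValueError(f"no data type suffix in {token}")
    return name, kind


# Each checker raises ValueError on unacceptable input. The name, index,
# pattern and str rules are assumptions of this example.
def _name(v):
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,63}", v):
        raise ValueError("name")

def _index(v):
    if int(v) < 0:
        raise ValueError("index")

def _pattern(v):
    if not v:
        raise ValueError("pattern")

def _fqdn(v):
    if not FQDN_RE.fullmatch(v):
        raise ValueError("fqdn")

def _email(v):
    local, at, host = v.rpartition("@")
    if not at or not local or any(c in local for c in "@ \t"):
        raise ValueError("email")
    _fqdn(host)

def _url(v):
    p = urlsplit(v)
    if p.scheme not in ("http", "https") or not p.netloc:
        raise ValueError("url")

def _ipv4(v):
    ipaddress.IPv4Address(v)

def _v4mask(v):
    ipaddress.IPv4Address(v)                 # must be dotted decimal ...
    ipaddress.IPv4Network(("0.0.0.0", v))    # ... and a contiguous mask

def _ipv4mask(v):
    addr, mask = v.split(" ")
    _ipv4(addr)
    _v4mask(mask)

def _ipv4_cidr(v):
    if "/" not in v:
        raise ValueError("cidr")
    ipaddress.IPv4Interface(v)

def _ipv6(v):
    ipaddress.IPv6Address(v)

def _v6mask(v):
    if not v.startswith("/") or not 0 <= int(v[1:]) <= 128:
        raise ValueError("v6mask")

def _ipv6mask(v):
    addr, mask = v.split(" ")
    _ipv6(addr)
    _v6mask(mask)

def _str(v):
    if v == "":
        raise ValueError("str")

def _int(v):
    int(v)

CHECKERS = {
    "name": _name, "index": _index, "pattern": _pattern, "fqdn": _fqdn,
    "email": _email, "url": _url, "ipv4": _ipv4, "v4mask": _v4mask,
    "ipv4mask": _ipv4mask, "ipv4/mask": _ipv4_cidr, "ipv6": _ipv6,
    "v6mask": _v6mask, "ipv6mask": _ipv6mask, "str": _str, "int": _int,
}


def validate(constraint: str, value: str) -> bool:
    """True if value is acceptable for the constraint token, for example
    validate('<address_ipv4>', '192.168.1.99')."""
    _, kind = parse_constraint(constraint)
    checker = CHECKERS.get(kind)
    if checker is None:
        raise KeyError(f"unknown data type suffix: {kind}")
    try:
        checker(value)
        return True
    except ValueError:
        return False
```

The ipaddress module does the real work for the address types: it rejects out-of-range octets for <xxx_ipv4> and non-contiguous masks such as 255.0.255.0 for <xxx_v4mask>, two mistakes that are easy to miss by eye in a generated configuration.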

What’s new
The list below contains the new features or major changes in the current v4.2 FortiWeb
release.
IP List Policy - A new method to define source IPs that are trusted (trust IP) and not
trusted (black IP) was added to the Web protection IP List Policy. See “Configuring an IP
list policy” on page 220.
File Upload Restriction - Provides a new web protection technique to specify the exact
file types that are permitted to be uploaded to selected hosts or URLs. See “Configuring
file upload restriction policy” on page 263.
FortiAnalyzer support - FortiWeb now supports storage of log messages remotely on a
FortiAnalyzer unit. See “Configuring FortiAnalyzer policies” on page 321.
Event and Attack Log Console - The system status display now includes an Event Log
console widget and an Attack Log console widget. The Alert console widget was removed.
See “Attack Log Console widget” on page 48 and “Event Log Console widget” on page 48.
Rewrite URLs in HTTP body - URLs in the body of HTTP responses can now be
rewritten, similar to rewriting URLs in HTTP headers. See “Configuring URL rewriting
policy” on page 244.
Allow Request Method - The Allow Method Exceptions feature was changed to the Allow
Request Method. It includes Allow Method Policy and Allow Method Exceptions. See
“Configuring allowed request method policy” on page 235.
HTTP Protocol Constraints Exceptions - HTTP protocol exception settings were added
to HTTP protocol constraints. See “Configuring HTTP protocol constraint profiles” on
page 252.
Severity and trigger policy - Settings for severity level and trigger policy are now
available in all web protection rules, where appropriate. For example, see “Configuring
page access rules” on page 198.
Policy item details link - The ability to view a read-only version of the details for a
specific rule associated with a policy is available, where appropriate, without leaving the
policy view. For example, see Detail link in “Configuring URL access policy” on page 216.
Support for HTTP and HTTPS in same policy - HTTPS service is now configurable in
the same policy as HTTP. See “Configuring server policies” on page 118.
Persistent server session values - The values for persistent server settings in server
policy were updated. See “Configuring server policies” on page 118 and “Appendix B:
Maximum values” on page 397.
Extended signature set granularity - The granularity of extended signature sets is now
selectable, with a range of none (disable), basic, enhanced or full. See “Configuring server
protection rules” on page 201.
Validation of multiple identical parameters in a single request - HTTP validation rules
now validate all instances of multiple identical parameters in a single request. See
“Configuring HTTP parameter validation rules” on page 192.
Cloning custom protection profiles - You can now clone custom protection profiles
and use them as a base for new profiles. See “Configuring inline protection profiles” on
page 268 and “Configuring offline protection profiles” on page 274.

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide


Revision 10 23
http://docs.fortinet.com/ • Feedback
Persistent Server Session Threshold - You can now define a threshold that triggers a
persistent server session event log. See “Enabling logging” on page 327.
Log message download - You can now download a specific range of event, attack or
traffic logs from the FortiWeb hard disk to your local computer. See “Downloading log
messages” on page 343.
Back up and Restore Web Protection Profile - In addition to system configuration files,
you can now back up and restore web protection profiles. See “Backing up and restoring
configurations” on page 96.
FTP configuration backup and schedule - You can now back up configurations to an
FTP server. See “Configuring an FTP backup and schedule” on page 98.
Severity information in log message - A severity level (high, medium, low) was added
to log messages. See “Responding to web protection rule violations” on page 191.
Configuration synchronization - You can synchronize configuration information on the
local FortiWeb unit to a peer (remote) FortiWeb unit, even if the unit is not part of a high-
availability (HA) pair. See “Synchronizing configurations” on page 59.
Signature update without restart - FortiWeb no longer requires a restart and login after a
signature update. See “Uploading signature updates” on page 101.
Brute force login - The GUI has been reorganized and PCRE regular expression
checking was added. See “Configuring brute force login profiles” on page 224.
Custom Application Policy - You can now create application policy plug-ins that
recognize non-standard, customized applications, and modify the URL information so that
an auto-learning profile can work more effectively. See “Configuring custom application
policies” on page 160.


About the web-based manager


This chapter describes aspects that are general to the use of the web-based manager, a
graphical user interface (GUI) that provides access to the FortiWeb unit from within a web
browser.
This chapter includes the following topics:
• System requirements
• URL for access
• Settings

System requirements
The management computer that you use to access the web-based manager must have:
• a compatible web browser, such as Microsoft Internet Explorer 6.0 or greater, or
Mozilla Firefox 3.0 or greater
• Adobe Flash Player 10 or greater plug-in
To minimize scrolling, the computer’s screen should have a resolution that is a minimum of
1280 x 1024 pixels.

URL for access


You access the web-based manager by URL using a network interface on the FortiWeb
unit that you have configured for administrative access.
The default URL to access the web-based manager through the network interface on
port1 is https://192.168.1.99/.
If the network interfaces were configured during installation of the FortiWeb unit (see the
FortiWeb Install and Setup Guide), the URL and/or permitted administrative access
protocols may no longer be in their default state. In that case, use either a DNS-resolvable
domain name for the FortiWeb unit as the URL, or the IP address that was assigned to the
network interface during the installation process.
For example, you might have configured port2 with the IP address 10.0.0.1 and enabled
HTTPS. You might have also configured a private DNS server on your network to resolve
fortiweb.example.com to 10.0.0.1. In this case, to access the web-based manager through
port2, you could enter either https://fortiweb.example.com/ or
https://10.0.0.1/.
For information on enabling administrative access protocols and configuring IP addresses
for the FortiWeb unit, see “Configuring the network and VLAN interfaces” on page 50.

Note: If the URL is correct and you still cannot access the web-based manager, you may
also need to configure from which hosts the FortiWeb unit will accept login attempts for your
administrator account (that is, trusted hosts), and/or static routes. For details, see
“Configuring administrator accounts” on page 75 and “Configuring static routes” on
page 105.


Settings
Some settings for the web-based manager apply regardless of which administrator
account you use to log in. Global settings include the idle timeout, TCP port number on
which the web-based manager listens for connection attempts, the network interfaces on
which it listens, the language of its display, and whether or not more than one
administrator can log in simultaneously.
For details, see “Configuring the web-based manager’s global settings” on page 82.

Single administrator mode


If single administrator mode is enabled, when you log in to the web-based manager, you
may be required to disconnect other administrators' sessions before you can continue.

Figure 1: Single administrator mode disconnection prompt

For details, see “Security Settings” on page 84.


Deployment guidelines
Integrating FortiWeb into your network and configuring it to protect your web assets is not
an overnight process. Nor is it a linear process. Be prepared to roll out FortiWeb in phases
over several weeks with tests and configuration edits part of each stage.
These deployment guidelines apply to each web application you choose to protect with
FortiWeb. That is, for each server you protect with a server policy, go through these
phases. You can deploy multiple applications in sequence or in parallel.

Deployment prerequisites
This chapter assumes you have completed the following steps:
• You have installed and partly configured FortiWeb as described in the FortiWeb Install
and Setup Guide or the FortiWeb-VM Install Guide.
• A basic auto-learning profile is in place. (If not, see “Generating an auto-learning profile
and its components” on page 281).
• You have chosen your final operation mode, one of reverse proxy, true transparent
proxy, or transparent inspection. If you chose offline protection, that is fine for now. You
can switch to your final operation mode later.
• You can access the web-based manager and your administrator account profile has
read and write access to all relevant features. For details, see “About permissions” on
page 80.

Server policy
To begin deployment, you must have at least one active server policy monitoring at least
one real web server. If not, see “Configuring policies” in the FortiWeb Install and Setup
Guide for instructions on creating a basic server policy that you can start with.
The backbone of a FortiWeb unit's web site protection is the server policies that apply to
your web sites and web applications. Here are a few tips to remember as you deploy:
• Change policy settings with care. Any changes take effect immediately.
• When you change a server policy that has already been tested, you should retest it.
• The FortiWeb unit applies rules, policies and data scans in a set order. (See “Order of
execution” on page 190.) Review the logic of your server policies to make sure they
deliver the web protection you expect.
• By the end of your FortiWeb deployment, make sure that all physical web servers are
covered by a policy.
If a server has no associated policy or all policies for it are disabled, FortiWeb will not
monitor traffic to that web server. In reverse proxy mode, FortiWeb will block traffic to
servers without an enabled policy.

Deployment workflow
This chapter takes you through four or five phases, depending on your initial operation
mode. Those phases progress from a bare-bones, untested web server protection
configuration to the end of the deployment period several weeks later.
This chapter includes the following sections:

• Phase 1: Examine the initial configuration
• Phase 2: Monitor and tune the configuration
• Phase 3: Test for vulnerabilities
• Phase 4: Switch from offline protection mode (if applicable)
• Phase 5: Prepare for full operation

Phase 1: Examine the initial configuration


This phase covers activities for the first day of the first week. Spend the time confirming
that you have a working configuration.

Do a visual check
Access the FortiWeb web-based manager (see “URL for access” on page 25) and look for
obvious problems.
• If you cannot access the web-based manager or access seems incomplete, your
installation may not be correct. Review the FortiWeb Install and Setup Guide to make
sure you installed the unit correctly. If there is still a problem, see “Troubleshoot
connectivity issues” on page 373.
• Does the web-based manager’s URL, or the text or data on the dashboard, contain odd
characters? If so, you may be using the wrong character set. See “Appendix D:
Language support & regular expressions” on page 401.
• Examine the Service Status widget on the dashboard (go to System > Status > Status),
as shown in Figure 2. Does it list at least one policy and a real server? If not, you have
not created a valid server policy yet and FortiWeb has nothing to work with. Create at
least one server policy before going further. See “Configuring policies” in the FortiWeb
Install and Setup Guide. (Do not be concerned that nothing appears in the Server
Status column at this point. That column applies to servers in server farms.)
• Also examine the Policy Sessions widget on the dashboard. Are there active sessions
related to your policies? If not, it may mean that the policy is not being applied to an
active web resource.

Figure 2: Service Status and Policy Sessions widgets

Check dynamic data on the dashboard


The FortiWeb dashboard is the first place to start, not just during deployment, but any time
you want to know the health of your system. Go to System > Status > Status and examine
the Policy Summary widget, as shown in Figure 3 on page 29.
• Examine the HTTP Traffic Monitor. If there is no traffic, you have a problem. Check to
see if your gateway setting is correct (go to Router > Static > Static Route). Also see
the troubleshooting topic “Check traffic flow” on page 369.


Figure 3: Policy Summary widget

• Examine the Attack Event History. If you have a large number of attacks, it may mean
some aspect of your policy configuration is generating false positives. If you have no
attacks, but you have reasonable levels of traffic, it may mean the protection profile
used by your server policy is incomplete.
• Examine the Attack Log widget. If the list includes many identical entries, it likely
indicates false positives (unless it is a DoS assault). If there are many entries of a
different nature, it likely indicates real attacks. If there are no attack log entries but the
Attack Event History shows attacks, it likely means you have not correctly configured
logging. See “Configuring and enabling logging” on page 323.

Figure 4: Attack Log Console widget

Check your auto-learning data


An auto-learning profile can teach you a great deal about the threats your web assets
face. A profile also helps you understand the application structure and how real users use
it.
• Check that each server policy includes an auto-learning profile. Go to Server >
Server Policy > Policy. Click the Edit icon for your policy. Look in the WAF Auto Learn
Profile field or the Web Protection Profile field to make sure at least one of those fields
references an auto-learn profile. If there is no profile, create one and use it. See
“Generating an auto-learning profile and its components” on page 281.


• If your server policy includes an auto-learning profile, check that it is gathering data. Go
to Auto Learn > Auto Learn Report and click the Detail icon to see the report. If the
report shows few or zero hits, the profile is not gathering data. (No data could also be a
result of no traffic.)

Figure 5: Auto Learn Report Overview tab

Phase 2: Monitor and tune the configuration


Once you confirm you have a working configuration in phase 1, move to this phase.
Phase 2 covers the remaining days of the first week. Spend the time eliminating false
positives and refining log reports.

Stay diligent
Each day, check the dashboard for obvious problems.
Examine the auto-learn report for each server in your system (see “Check your auto-
learning data” on page 29). If an auto-learning profile is returning many URLs that do not
make sense, such as URLs with complex session IDs like this
/app/login.asp;jsessionid=xxx;p1=111;p2=123?p3=5555&p4=66aaaaa
you need to configure a custom application policy and a URL replacer; otherwise such
URLs reduce the value of the auto-learning profile. See “Configuring custom application
policies” on page 160.
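As an added illustration of what a URL replacer accomplishes for auto-learning (this is example code written for this section, not FortiWeb's own URL replacer or custom application policy), the following Python applies two assumed rewrite rules to constructed sample URLs and counts how many raw URLs collapse onto each normalized path. The rule patterns, the sample URLs and the {id} placeholder are assumptions for the example:

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample URLs of the kind an auto-learning report may show when an
# application embeds session IDs and other parameters in the path.
# (Constructed for this example; not taken from any real report.)
SAMPLE_URLS = [
    "/app/login.asp;jsessionid=xxx;p1=111;p2=123?p3=5555&p4=66aaaaa",
    "/app/login.asp;jsessionid=yyy;p1=222;p2=456?p3=7777&p4=bbbbbbb",
    "/app/login.asp;jsessionid=zzz?p3=1",
    "/app/account/98765/view",
    "/app/account/12345/view?tab=history",
]

# Assumed rewrite rules in the spirit of a URL replacer: each entry is a
# pattern (Python re syntax, restricted to constructs PCRE also supports)
# and its replacement, applied in order to the path part of the URL only.
REPLACER_RULES = [
    # Drop ';key=value' path (matrix) parameters such as ;jsessionid=...
    (r";[^/;?]*", ""),
    # Collapse purely numeric path segments (record IDs) into a placeholder.
    (r"/\d+(?=/|$)", "/{id}"),
]


def normalize_path(url, rules=REPLACER_RULES):
    """Return the URL path with the replacer rules applied.

    The query string is discarded here: parameters are learned separately,
    and their values are what make every request look unique.
    """
    path = urlsplit(url).path
    for pattern, replacement in rules:
        path = re.sub(pattern, replacement, path)
    return path


def url_structure(urls, rules=REPLACER_RULES):
    """Count how many observed URLs map onto each normalized path."""
    return Counter(normalize_path(u, rules) for u in urls)


if __name__ == "__main__":
    print("raw distinct URLs:", len(set(SAMPLE_URLS)))
    for path, hits in url_structure(SAMPLE_URLS).items():
        print(f"{hits:3d}  {path}")
```

With the rules above, five distinct raw URLs reduce to two application paths, which is the shape of information an auto-learning profile needs; without normalization each session ID would have produced a separate, never-repeating URL.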

Tune up alerts
When you configure protection profiles, many of their components include an action option
that sets the response to a detected violation. Actions also combine with severity levels
and trigger responses, as shown in Figure 6 on page 31.


Figure 6: Dialog showing actions, severity and triggers

The available actions vary with the protection feature. See “Responding to web protection
rule violations” on page 191 for a list of all actions and their uses.
When you select certain actions, such as Alert & Deny or Redirect, the auto-learning
feature stops gathering auto-learning data for the affected connection, resulting in
incomplete session information for the auto-learning profile. During the deployment phase,
you want each connection processed completely.
To get complete connection processing, without having to change all your actions, enable
the Monitor Mode option on each server policy. Go to Server Policy > Server Policy. Edit
each policy and select Monitor Mode. When enabled, this mode treats all actions as if they
were the Alert action.
Alerts show up on the dashboard and may generate email if you configured email policy
for use in triggers. (If you are not getting email, see “Define logs, reports and email alerts”
on page 32.)
Since many of the rules and policies that make up protection profiles are based, at least in
part, on regular expressions or data ranges whose values are hard to predict, many of
your initial alerts will not be real attacks or violations. They will be false positives.
If the dashboard indicates you are getting dozens or hundreds of nearly identical alerts,
you need to search for and fix false positives. Here are some tips:
• Examine your web protection profile (go to Web Protection > Web Protection Profile
and view the settings in the applicable offline or inline protection profile). Does it
include a server protection rule that seems to be causing alerts for valid URLs? If so,
create and use exceptions to reduce false positives. See “Configuring server protection
exceptions” on page 207.
• If your web protection profile includes a server protection rule where the Extended
Signature Set option is set to Full, reduce it to Basic to see if that reduces false
positives. See “Configuring server protection rules” on page 201.

Figure 7: Extended signature set option

• If your web protection profile includes HTTP protocol constraints that seem to be
causing alerts for legitimate HTTP requests, create and use exceptions to reduce false
positives. See “Configuring HTTP protocol constraint exceptions” on page 254.
• Most dialog boxes that accept regular expressions include the >> (test) icon. This
opens the Regular Expression Validator window, as shown in Figure 8 on page 32,
where you can fine-tune the expression to eliminate false positives.


Figure 8: Regular expression validator dialog

• To learn more about the behavior of regular expressions that generate alerts, enable
the Retain Packet Payload options in the logging configuration. Packet payloads
provide the actual data that triggered the alert, which may help you to fine tune your
regular expressions to reduce false positives. See “Enabling logging” on page 327 and
“Viewing log message details” on page 335.
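To judge an expression before deploying it, the following added Python harness (example code for this section, not part of FortiWeb or of the Regular Expression Validator) evaluates a URL-matching regular expression against a constructed, labelled set of URLs and reports true positives, false positives and misses. The sample URLs and the two patterns are assumptions for the example; only regex constructs common to PCRE and Python's re module are used, so the same patterns behave the same in the validator dialog:

```python
import re

# Constructed sample of URLs seen in traffic, each labelled with whether a
# rule meant to cover the /admin area should match it. The labels encode the
# intended behaviour so the harness can count false positives and misses.
LABELLED_URLS = [
    ("/admin/users", True),
    ("/admin", True),
    ("/admin/settings?tab=auth", True),
    ("/administration-help.html", False),   # public help page
    ("/help/admin-faq", False),              # public FAQ
    ("/blog/sysadmin-tips", False),          # public article
    ("/login", False),
]

# An over-broad pattern (matches the substring anywhere) beside a tightened
# one anchored to the start of the path; both are assumptions for the example.
BROAD_PATTERN = r"admin"
TIGHT_PATTERN = r"^/admin(?:/|\?|$)"


def evaluate_pattern(pattern, labelled=LABELLED_URLS):
    """Apply a regex to each labelled URL and tally the outcome.

    false_positives are the alerts an administrator would see as noise;
    misses are URLs the rule was meant to cover but does not.
    """
    regex = re.compile(pattern)
    result = {"true_positives": 0, "false_positives": 0, "misses": 0}
    for url, should_match in labelled:
        matched = regex.search(url) is not None
        if matched and should_match:
            result["true_positives"] += 1
        elif matched and not should_match:
            result["false_positives"] += 1
        elif not matched and should_match:
            result["misses"] += 1
    return result


def false_positive_urls(pattern, labelled=LABELLED_URLS):
    """List the URLs the pattern matches but should not, to guide tightening."""
    regex = re.compile(pattern)
    return [url for url, should in labelled if not should and regex.search(url)]


if __name__ == "__main__":
    for name, pattern in (("broad", BROAD_PATTERN), ("tight", TIGHT_PATTERN)):
        print(name, pattern, evaluate_pattern(pattern), false_positive_urls(pattern))
```

Keeping a labelled sample like this alongside each hand-written expression makes later tuning repeatable: every time an alert turns out to be a false positive, add that URL to the sample with a False label and re-run before changing the rule on the unit.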

Define logs, reports and email alerts


Log messages, log reports and email alerts will provide you with valuable information
about problems with your system. It is time to review and augment your log settings.
• Go to Log&Report > Log Policy > Email Policy. Make sure an email policy exists that
directs email to you or other FortiWeb administrators. Set the Log Level option to
Critical. That way any problem rated as critical, alert or emergency generates an email.
See “Configuring email policies” on page 317.
• Go to Log&Report > Log Policy > Trigger Policy. Make sure a trigger policy exists that
references the email policy described above. Triggers can be added to many rules and
policies. See “Configuring trigger policies” on page 322.
• Go to Log&Report > Log Config > Global Log Settings. Enable the Alert Mail option
and set it to reference the email policy described above. See “Configuring global log
settings” on page 324.
• Go to Log&Report > Report Config. Either create a new report or edit an existing one.
(See Figure 9 on page 33.) Use the data filter options under Report Scope (click the
blue arrow to see options) to tailor the report’s contents. Use the options under
Schedule to create a report schedule. Under Output, pick a report format and select
the email policy described above. See “Configuring and generating reports” on
page 344.


Figure 9: New log report dialog

• Consider directing reports to your web developers to get their feedback.


On a daily basis, review the attack log to find vulnerabilities in your system. Go to
Log&Report > Log Access > Attack.

Figure 10: Part of an attack log

Phase 3: Test for vulnerabilities


Once you have tuned your alerts and eliminated the most obvious false positives in
phase 2, move to this phase.
Phase 3 covers the second week. Use this time to search for attack vulnerabilities and to
further tune alerts.

Stay diligent
Continue your regular daily checks and expand them.
• Each day, check the dashboard for obvious problems (see “Check dynamic data on the
dashboard” on page 28).
• Continue to examine the auto-learn report for each server in your system (see “Check
your auto-learning data” on page 29).
• Review the attack log.
• Review alerts and fix those that represent false positives.


• Begin monitoring the third-party cookies FortiWeb observes in traffic to your web
servers. When cookies are found, an icon appears on the Server Policy > Policy >
Policy tab for each affected server. If the cookies could be a threat, for example if they
are used for state tracking or as database input, consider enabling the Cookie Poison
option on the inline protection profiles for those servers. See “Cookie Poison” on page 272.

Aggregate attack types


Use the Log Message aggregation feature to group similar attack types. This makes it
easier to quickly see all significant threats. See “Grouping similar attack log messages” on
page 340.
For example, a web worm let loose on the Internet can create hundreds if not thousands
of alerts. This could swamp FortiWeb's attack log with alerts and obscure other dangerous
problems. By aggregating similar alerts (grouping them under the Sub Type column of the
attack log), you will not miss other problem alerts.
Another tactic is to aggregate attacks under the Source IP column. This lets you closely
track an attacker and all of its attacking methods.
To view the contents of an aggregated group, click the blue arrow, as shown in Figure 11.

Figure 11: Part of an attack aggregation report
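The two groupings described above (by Sub Type, so a flood of worm alerts collapses into one row, and by Source IP, so one attacker's methods are seen together), as an added Python illustration that is not FortiWeb's own implementation. The log records are constructed for this example in a generic key=value layout, not FortiWeb's actual attack log format, and the sub type names and addresses are placeholders:

```python
import re
from collections import Counter, defaultdict

# Constructed attack-log records (generic key=value layout, not FortiWeb's
# real format). A simulated worm from one source produces 100 identical
# entries that would bury the three other alerts in a flat listing.
_WORM = ('date=2011-06-01 time=10:{:02d}:{:02d} src=203.0.113.7 dst=10.0.0.5 '
         'sub_type="Worm" url="/index.php"')
SAMPLE_LOG = "\n".join(
    [_WORM.format(m, s) for m in range(5) for s in range(0, 60, 3)]
    + [
        'date=2011-06-01 time=10:02:11 src=198.51.100.23 dst=10.0.0.5 '
        'sub_type="Cross Site Scripting" url="/search"',
        'date=2011-06-01 time=10:03:40 src=198.51.100.23 dst=10.0.0.5 '
        'sub_type="HTTP Protocol Constraint" url="/upload"',
        'date=2011-06-01 time=10:04:02 src=203.0.113.7 dst=10.0.0.5 '
        'sub_type="Cross Site Scripting" url="/search"',
    ]
)

# key=value or key="value with spaces"
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_records(text):
    """Turn key=value lines into dicts, unquoting quoted values."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for key, raw, inner in _FIELD.findall(line):
            fields[key] = inner if raw.startswith('"') else raw
        records.append(fields)
    return records


def aggregate(records, field):
    """Count records per distinct value of a field, e.g. sub_type or src."""
    return Counter(r.get(field, "?") for r in records)


def methods_by_source(records):
    """Map each source address to the sorted list of sub types seen from it."""
    by_src = defaultdict(set)
    for r in records:
        by_src[r["src"]].add(r["sub_type"])
    return {src: sorted(types) for src, types in by_src.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("by sub type:", aggregate(recs, "sub_type").most_common())
    print("by source:  ", aggregate(recs, "src").most_common())
    print("methods:    ", methods_by_source(recs))
```

Grouped by sub type, the 103 records become three rows, and the two non-worm alerts are no longer hidden; grouped by source, the same data shows that the worm's source also attempted a second kind of attack, which is the "all of its attacking methods" view the text describes.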

Search for vulnerabilities


Use FortiWeb’s web vulnerability scan feature to detect known vulnerabilities on your web
servers and web applications.
• Create a web vulnerability scan profile and enable all threat options. You can reduce
options later that do not apply. Go to Web Vulnerability Scan > Web Vulnerability Scan
> Web Vulnerability Scan Profile. See “Configuring web vulnerability scan profiles” on
page 303.
• Create a web vulnerability scan policy that includes the email alerts you created the
first week. Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability
Scan Policy. See “Configuring web vulnerability scan policies” on page 300.
• Start with a schedule that scans your site daily in off peak hours. Go to Web
Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Schedule. See
“Configuring web vulnerability scan schedules” on page 308.
Caution: Fortinet strongly recommends that you do not scan for vulnerabilities on live web
sites during peak hours. Either run the scans in off-peak hours or duplicate the web site
and its database in a test environment and perform the scan there.

• Go to Web Vulnerability Scan > Web Vulnerability Scan > Scan History to locate
vulnerabilities. Click the View scan report icon next to a report. It opens an HTML
report that lists vulnerabilities, as shown in Figure 12 on page 35. If you find a false
positive in the report, click the False Positive button to remove it from the current and
subsequent reports.


Figure 12: Web vulnerabilities scan report

• Create XML protection rules and policies to protect against the discovered
vulnerabilities. See “XML protection profile workflow” on page 163.
• Create web protection rules and policies to protect against the discovered
vulnerabilities. See “Web protection profile workflow” on page 189.
Once you have tested for vulnerabilities and set policies to guard against the threats,
move to the next phase.

Phase 4: Switch from offline protection mode (if applicable)


This section applies only if you chose offline protection mode when you first set up your
FortiWeb unit. If you chose another mode, skip to “Phase 5: Prepare for full operation” on
page 37.
This phase covers about one week.
In this period, you will switch from offline protection mode to one of the other three modes:
reverse proxy, true transparent proxy, or transparent inspection. Following the switch, you
must reconfigure some of your network settings and protection profiles, and then test the
new configuration.
Caution: Switching modes is not a trivial matter. Back up your system before changing the
operation mode. Changing modes deletes the following: any policies not applicable to the
new mode, all static routes and all VLAN settings. You may also need to re-cable your
network topology to suit the operation mode.

If you plan to deploy multiple web applications, you can change the operation mode once
you deploy and test all servers and applications in offline protection mode, or change
modes after you deploy just the first one. In that case, the subsequent applications must
be deployed in the new mode.


Prepare to switch operation mode


Before you switch from offline protection mode, take note of the following:
• Go to Router > Static > Static Route and take note of the configuration settings (such
as the gateway IP and port) for each static route.
• Go to System > Network > Interface and take note of the configuration settings for any
VLANs.
• Go to Web Protection > Web Protection Policy > Offline Protection Profile. View each
offline protection profile and take note of the policies and rules it references.

Change operation mode


When you switch operation mode, follow these steps:
1 Determine which operation mode to use. See “Configuring the operation mode” on
page 71 for an explanation of modes.
2 Review the topic “Matching topology with operation mode” in the FortiWeb Install and
Setup Guide to determine if you need to re-cable your FortiWeb unit for the new mode.
3 If re-cabling is needed, power off your unit, change the cables, and power on the unit.
Access the web-based manager again.
4 Change the operation mode in one of two ways:
• In the Operation Mode row of the System Information widget on the dashboard, click
Change. Select a new operation mode from the Mode dialog and click Apply.
• Go to System > Config > Operation. Select a new operation mode from the Mode
dialog and click Apply.

Figure 13: Changing modes

The fields presented in the dialog vary with the operation mode you select.

Reconfigure your system


Switching between vastly different operation modes results in a loss of some configuration
data. Check the following items:
• Go to Router > Static > Static Route. If your static routes were erased, recreate them.
See “Configuring static routes” on page 105.
• Go to System > Network > Interface. If your VLAN configurations were removed,
recreate them. If you chose one of the transparent modes, consider creating a v-zone
bridge instead of VLANs. See “Configuring v-zones (bridges)” on page 55.
• Go to Web Protection > Web Protection Policy > Inline Protection Profile. Create new
inline protection profiles that reference the rules and policies in each of your previous
offline protection profiles. See “Configuring inline protection profiles” on page 268 for
information on creating a profile.


• Go to Server Policy > Policy > Policy. Edit your existing server policies to reference the
new inline protection profiles instead of the offline protection profiles. See “Configuring
server policies” on page 118.
Before going any further, let your reconfigured FortiWeb unit run and gather data. Watch
the monitors on the dashboard to make sure traffic is flowing through your unit in the new
mode.

Retest your system


A new operation mode means a new round of testing and alert tuning.
• Delete your existing auto-learning profiles and create new ones. Make sure your server
policies reference the new auto-learning profiles. See “Configuring server policies” on
page 118.
• Make sure the new auto-learning profiles are gathering data. See “Check your auto-
learning data” on page 29.
• Continue running web vulnerability scans and adjust your policies and rules to reflect
any vulnerabilities found. See “Search for vulnerabilities” on page 34.

Remain diligent
Each day, check the dashboard for obvious problems (see “Check dynamic data on the
dashboard” on page 28) and examine the auto-learn report for each server in your system
(see “Check your auto-learning data” on page 29).
Review the attack log (go to Log&Report > Log Access > Attack tab) daily to find
vulnerabilities in your system.
Review alerts and fix those that represent false positives.

Phase 5: Prepare for full operation


This phase covers a week or more, depending on what new features you configure.

Extend your server configuration


After your FortiWeb unit has operated for several days without significant problems, it is a
good time to adjust profiles and policies to provide additional protection and to improve
performance. Here is a list of some enhancements:
• If your operation mode is reverse proxy or true transparent proxy mode (without
HTTPS), you can configure the FortiWeb unit to authenticate users. These can be local
users, LDAP users, RADIUS users, NTLM users, or a combination of these. See “Users
and user groups” on page 107.
• If your operation mode is reverse proxy, you can group physical servers and domain
servers into a server farm. See “Grouping physical and domain servers into server
farms” on page 135. Once you have a server farm, you can apply load-balancing (see
“Deployment Mode” on page 123) and server health checks (see “Configuring server
health checks” on page 143).
Once you create server farms and server health checks, indicators appear in the
Service Status widget on the dashboard, as shown in Figure 14 on page 38.


Figure 14: Service status showing health-check indicators

• If your operation mode is reverse proxy, you can enable SSL to encrypt connections
from the FortiWeb unit to protected web servers. To do so, first download a certificate
(see “Uploading a certificate” on page 88) and then enable the SSL Server and
Certificate options on the server policy.
• Depending on your chosen operation mode, you can add other rules and policies to
your inline protection profiles, such as:
• page access rules (see “Configuring page access rules” on page 198)
• start page rules (see “Configuring start page rules” on page 213)
• brute force login profiles (see “Configuring brute force login profiles” on page 224)
• URL rewriting policy (see “Configuring URL rewriting policy” on page 244)
• Review the list of top candidates for your IP blacklist and add them, as applicable. See
“Viewing the top 10 IP blacklist candidates” on page 223.

Remain diligent
Make sure you locate and solve any problems created by new configuration settings made
in this phase.
Each day, check the dashboard for obvious problems (see “Check dynamic data on the
dashboard” on page 28) and examine the auto-learn report for each server in your system
(see “Check your auto-learning data” on page 29).
Review the attack log (go to Log&Report > Log Access > Attack tab) daily to find
vulnerabilities in your system.
Review alerts and fix those that represent false positives.

Make final deployment settings


Once your FortiWeb unit has operated for several days without significant problems after
new configuration settings, it is time to make the final changes to prepare your FortiWeb
unit for normal operation.
• If you enabled the Monitor Mode server policy option, as suggested in phase 2, disable
it now. Go to Server Policy > Policy and edit each server policy to clear the option.
Clearing it instructs the FortiWeb unit to apply the specified action for each violation.
For example, if the action is Alert & Deny, monitor mode enforced just the Alert portion.
With monitor mode disabled, the Deny portion is now enforced too.
• Review each action related to rules and policies. For more serious violations, change a
simple Alert action to a blocking action, such as Alert & Deny, Deny or Redirect, as
applicable. See “Responding to web protection rule violations” on page 191 for a list of
actions and their uses.
• By this point, you have collected enough auto-learning data to generate protection
profiles. Consider turning off the auto-learning function to save resources. To do so,
deselect the auto-learning profile in applicable server policies.


What else can you do?


Your FortiWeb unit has additional protection and maintenance features you can use:
• Configure DoS protection and synchronization with a remote FortiWeb unit. For details,
see “Configuring DoS protection” on page 70 and “Synchronizing configurations” on
page 59.
• Configure HTTP content routing and conversion policy. For details, see “Configuring
HTTP content routing policy” on page 139 and “Configuring HTTP conversion policy”
on page 141.
• Consider invoking the web anti-defacement feature to protect your web sites from
hackers. See “Configuring anti-defacement” on page 293.
• If you have configured and deployed two FortiWeb units, you can set them up for high
availability. See “Configuring high availability (HA)” on page 61.
• Configure backups, firmware updates, and similar maintenance features. For details,
see “Backing up and restoring configurations” on page 96, “Configuring an FTP backup
and schedule” on page 98, “Uploading signature updates” on page 101, and
“Scheduling signature updates” on page 102.
• Make sure you are getting the most out of your configuration. See the chapter “Fine
tuning and best practices” on page 355.


System
This chapter describes the System menu. Using its options you can view and configure a
wide variety of system settings.
This chapter includes:
• Viewing system status
• Configuring the network and VLAN interfaces
• Configuring the DNS settings
• Synchronizing configurations
• Configuring high availability (HA)
• Configuring the SNMP agent
• Configuring DoS protection
• Configuring the operation mode
• Viewing RAID status
• Configuring administrator accounts
• Configuring the web-based manager’s global settings
• Managing certificates
• Backing up and restoring configurations
• Configuring an FTP backup and schedule
• Configuring system time
• Uploading signature updates
• Scheduling signature updates
• Accessing the Setup Wizard

Viewing system status


System > Status > Status appears when you log in to the web-based manager. It contains
a dashboard with widgets that each indicate performance level or other status values.
The following widgets are available in the system status dashboard:
• System Information widget
• CLI Console widget
• System Resources widget
• Policy Summary widget
• Attack Log Console widget
• Event Log Console widget
• Service Status widget
• Policy Sessions widget


To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the System Configuration category. For
details, see “About permissions” on page 80.

Figure 15: Viewing the dashboard

In the default dashboard setup, widgets display the serial number and current system
status of the FortiWeb unit, including uptime, system resource usage, event log
messages, host name, firmware version, system time, and status of connected web
servers and policy sessions. The dashboard also contains a CLI widget that enables you
to use the command line interface through the web-based manager.
To customize the dashboard, select which widgets to display, where they are located on
the tab, and whether they are minimized or maximized.
To move a widget, position your mouse cursor on the widget’s title bar, then click and drag
the widget to its new location.
To display any of the widgets not currently shown on the Status tab, click Add Content.
Widgets already displayed on the Status tab are grayed out in the Add Content menu,
because each widget can appear only once on the Status tab.

Figure 16: Adding a widget


To display the default set of widgets on the dashboard, select Back to Default.
To see the available options for a widget, position your mouse cursor over the icons in the
widget’s title bar. Options vary slightly from widget to widget, but always include options to
close, minimize or maximize the widget.

Table 5: A minimized widget (title bar with disclosure arrow, Refresh and Close icons)

GUI item Description


Widget Title The name of the widget.
Disclosure arrow Click to maximize or minimize the widget.
This arrow replaces the widget’s icon when you place your mouse cursor
over the title bar.
Edit Click to change settings for the widget.
This option appears only on the CLI Console widget.
Refresh Click to update the displayed information.
This option does not appear on the CLI Console widget.
Close Click to close the widget on the dashboard. You will be prompted to confirm
the action. To show the widget again, click Add Content near the top of the
tab.

System Information widget


The System Information widget on the dashboard displays the serial number and the
status of basic system attributes, such as the firmware version, system time, uptime,
host name, and high availability (HA) status.
In addition to displaying system information, the System Information widget enables you to
configure some basic attributes such as the host name, operation mode, and high
availability (HA) mode, and to change the firmware.
FortiWeb administrators whose access profiles permit Write access to items in the
System Configuration category can change the system time, host name, firmware,
operation mode, and high availability (HA) mode.

Table 6: System Information widget


GUI item Description


HA Status Displays the status of high availability (HA) for this unit, either:
• Standalone: The FortiWeb unit is not operating in HA mode. It is operating
as a single, independent FortiWeb unit.
• Master: The FortiWeb unit is operating as the primary unit in an HA pair.
• Backup: The FortiWeb unit is operating as the backup unit in an HA pair.
The default value is Standalone.
Click Configure to configure the HA status for this unit. See “Configuring high
availability (HA)” on page 61.
Host Name Displays the host name of the FortiWeb unit.
Click Change to change the host name. See “Changing the FortiWeb unit’s
host name” on page 45.
Firmware Version Displays the version of the firmware currently installed on the FortiWeb unit.
Click Update to install a new version of firmware. See “Installing new firmware”
on page 385.
Serial Number Displays the serial number of the FortiWeb unit. The serial number is specific
to the FortiWeb unit’s hardware and does not change with firmware upgrades.
Use this number when registering the hardware with Fortinet Technical
Support.
System Uptime Displays the time in days, hours, and minutes since the FortiWeb unit last
started.
System Time Displays the current date and time according to the FortiWeb unit’s internal
clock.
Click Change to change the time or configure the FortiWeb unit to get the time
from an NTP server. See “Configuring system time” on page 100.
Operation Mode Displays the current operation mode of the FortiWeb unit, either:
• Reverse proxy: Traffic is destined for a virtual server’s network interface and IP
address. The FortiWeb unit applies the first applicable policy and forwards the
traffic to a physical/domain server, logging, blocking, or modifying it according
to the matching policy and its protection profile.
• Offline protection: The FortiWeb unit monitors traffic received on the virtual
server’s network interface (regardless of the IP address) and applies the first
applicable policy. It logs or blocks traffic according to the matching policy and
its protection profile, but does not otherwise modify it. (It does not, for
example, apply SSL or load-balance connections.)
Caution: Unlike in reverse proxy mode, actions other than Alert cannot be
guaranteed to succeed in offline protection mode. Because the FortiWeb unit is
not in the forwarding path, it blocks a violating connection by sending a
connection reset while mimicking the client or server. The client or server may
receive that reset only after it has already received the offending traffic, for
example because the two take different routing paths.
• True transparent proxy: Traffic is destined for a physical/domain server; the
FortiWeb unit proxies it and applies the first applicable policy. Traffic is
received on a network port that belongs to a Layer 2 v-zone (bridge), so no
changes to the IP address scheme of the network are required.
• Transparent inspection: Traffic is destined for a physical/domain server. The
FortiWeb unit captures it asynchronously and applies the first applicable policy.
It logs or blocks traffic according to the matching policy and its protection
profile, but does not otherwise modify it. (It does not, for example, apply SSL
or load-balance connections.) As in offline protection mode, actions other than
Alert cannot be guaranteed to succeed. You can switch between transparent
inspection and true transparent proxy without changing your network topology.
The default operation mode is reverse proxy mode.
Click Change to switch the operation mode.
Caution: Back up the configuration before changing the operation mode.
Changing modes deletes any policies not applicable to the new mode, all static
routes, all v-zone IPs and all VLAN settings. For instructions on backing up the
configuration, see “Backing up and restoring configurations” on page 96.
Reboot Click to halt and restart the operating system of the FortiWeb unit.


ShutDown Click to halt the operating system of the FortiWeb unit, preparing its hardware
to be powered off.
Reset Click to revert the configuration of the FortiWeb unit to the default values for its
currently installed firmware version.
Caution: Back up the configuration before selecting Reset. This operation
cannot be undone. Configuration changes made since the last backup will be
lost. For instructions on backing up the configuration, see “Backing up and
restoring configurations” on page 96.

Changing the FortiWeb unit’s host name


The host name of the FortiWeb unit is used in several places.
• It appears in the System Information widget on the Status tab. For more information
about the System Information widget, see “System Information widget” on page 43.
• It is used in the command prompt of the CLI.
• It is used as the SNMP system name. For information about SNMP, see “Configuring
the SNMP agent” on page 66.
The System Information widget and the get system status CLI command will display
the full host name. If the host name is longer than 16 characters, the host name may
appear in a truncated form ending with a tilde ( ~ ) to indicate that additional characters
exist, but are not displayed.
For example, if the host name is FortiWeb1234567890, the CLI prompt would be
FortiWeb123456789~#.
Administrators whose access profiles permit Write access to items in the System
Configuration category can change the host name.

Note: You can also configure the local domain name of the FortiWeb unit. For details, see
“Configuring the DNS settings” on page 58.

To change the host name of the FortiWeb unit


1 Go to System > Status > Status.
2 In the System Information widget, in the Host Name row, click Change.
3 In the New Name field, type a new host name.
The host name can be up to 35 characters in length. It can include US-ASCII letters,
numbers, hyphens, and underscores, but not spaces and special characters.
4 Click OK.

CLI Console widget


The CLI Console widget on the dashboard enables you to enter CLI commands through
the web-based manager, without making a separate Telnet, SSH, or local console
connection to access the CLI.

Note: The CLI Console widget requires that your web browser support JavaScript.

To use the console, first click within the console area. Doing so automatically logs you in
using the same administrator account you used to access the web-based manager. You
can then type commands into the CLI Console widget. Alternatively, you can copy and
paste commands from or into the console.


Note: The prompt, by default the model number such as FortiWeb-1000B #, contains
the host name of the FortiWeb unit. To change the host name, see “Changing the FortiWeb
unit’s host name” on page 45.

For information on available commands, see the FortiWeb CLI Reference.

Table 7: CLI Console widget (title bar with Edit and Close icons)

GUI item Description


Close Click to hide the widget. It no longer appears on the dashboard unless you
add it again by clicking Add Content.
Edit Click to open the Console Preferences pop-up window, where you can
change the buffer length and input method, as well as the appearance of the
console by defining fonts and colors for the text and background.

Table 8: CLI Console Preferences window

GUI item Description


Preview Shows a preview of your changes to the CLI Console widget’s appearance.
Text Click the current color swatch to the left of this label, then click a color from
the color palette to the right to change the color of the text in the CLI
Console.
Background Click the current color swatch to the left of this label, then click a color from
the color palette to the right to change the color of the background in the
CLI Console.


Use external command input box Select to display a command input field below the
normal console emulation area. When this option is enabled, you can enter
commands by typing them into either the console emulation area or the external
command input field.
Console buffer length Enter the number of lines the console buffer keeps in memory. The valid
range is from 20 to 9999.
Font Select a font from the list to change the display font of the CLI Console.
Size Select the size in points of the font. The default size is 10 points.

System Resources widget


The System Resources widget on the dashboard displays CPU and memory usage.

Table 9: System Resources widget

GUI item Description


CPU Usage The current CPU usage displayed as a dial gauge and as a percentage.
The web-based manager displays CPU usage for core processes only. CPU
usage for management processes (for example, for HTTPS connections to
the web-based manager) is excluded.
Memory Usage The current memory (RAM) usage displayed as a dial gauge and as a
percentage.
The web-based manager displays memory usage for core processes only.
Memory usage for management processes (for example, for HTTPS
connections to the web-based manager) is excluded.

Policy Summary widget


The Policy Summary widget on the dashboard displays three graphs:
• HTTP Traffic Monitor: Displays the traffic volume throughput during each time period.
• Attack Event History: Displays the number of each type of common exploit, SQL
injection, cross-site scripting (XSS), or information disclosure attacks that were
prevented.
• HTTP Hit History: Displays the total number of requests.
For each graph, you can select which policy’s statistics to view and the size of the interval
(Rate threshold or Time interval) represented by each unit on the graph.
By positioning your cursor over a point in the graph, you can display information for that
point in time, such as (for HTTP Traffic Monitor) the traffic volume at that point in time.


Figure 17: Policy Summary widget

Attack Log Console widget


The Attack Log Console widget on the dashboard displays the latest attack log messages.
Attack logs are recorded when the FortiWeb unit detects an attack or intrusion attempt
against the web servers it protects.
Attack logs help you track violations that are defined by the web protection and server
policies configured on the FortiWeb unit. Each attack log message in the console shows
the type of attack and the date and time of the attack. The attack type includes a link to a
log detail. Select the link to open a separate attack log details window with additional
information about the attack. For more information, see “Viewing log message details” on
page 335.

Figure 18: Attack Log Console widget

Event Log Console widget


The Event Log Console widget on the dashboard displays the latest event log messages.


Event logs help you track system events on your FortiWeb unit, such as firmware changes,
and configuration events, such as changes to policies. Each message shows the date and
time that the event occurred. For more information, see “Viewing log messages” on page 331.

Tip: Event log messages can also be delivered by email, Syslog, FortiAnalyzer or SNMP.
For more information, see “Enabling logging” on page 327, “Configuring and enabling
logging” on page 323, and “Configuring the SNMP agent” on page 66.

Figure 19: Event Log Console widget (title bar with Refresh and Close icons)

Service Status widget


The Service Status widget on the dashboard lists configured policies, the real servers
(physical and domain servers) associated with the policy, and the connectivity status of
the servers associated with the policy.

Table 10: Service Status widget (title bar with Refresh and Close icons)

GUI item Description


# Shows the index number of the policy.
Policy Name Shows the name of the policy.
For information on policies, see “Configuring server policies” on page 118.
Real Server Lists the real servers that the policies protect.


Server Status For servers that are part of a server farm, shows the connectivity status.
There may be multiple icons in this column. To determine which real server is
associated with an icon, hover your mouse cursor over the icon. The name of
the real server then appears in a tool tip.
• Green icon: The server health check is currently detecting that the real
server is responsive to connections.
• Flashing yellow-to-red icon: The server health check is currently
detecting that the real server is not responsive to connections. The
method that the FortiWeb unit will use to reroute connections to an
available server varies by your configuration of Deployment Mode.
For information on server health checks, see “Configuring server health
checks” on page 143.
Note: For a single server, there is no associated server health check, and
therefore no icon in this column. To make server health checks for a single
server, instead of configuring the policy with a Deployment Mode of Single
Server, create a server farm and add that real server as the sole member,
then select that server farm in the policy.
Close Click to hide the widget. It no longer appears on the dashboard unless you
add it again by clicking Add Content.
Refresh Click to refresh the information displayed on the widget.
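The states the widget shows, as an added example that is not part of this guide or of the FortiWeb product: a small Python health tracker moves a farm member between up and down on consecutive probe results, and a round-robin picker skips members marked down, which is what “reroute connections to an available server” amounts to. The fall/rise thresholds, the round-robin method, and the probe results are assumptions constructed for illustration; the real thresholds live in the server health check described on page 143 and are not reproduced here.

```python
"""Health-check state tracking of the kind the Service Status widget reports.

Added example, not FortiWeb code. A member stays green while its probes
succeed and goes to the flashing (failed) state when they do not; connections
are then rerouted to members that are still available. The consecutive-probe
thresholds and round-robin rerouting used here are illustrative assumptions,
not documented FortiWeb parameters. Probe results are constructed inline.
"""


class HealthTracker:
    """Marks a server 'down' after `fall` consecutive failed probes and 'up'
    again after `rise` consecutive successes, so a single lost probe does not
    flap the server (and the load balancer) between states."""

    def __init__(self, servers, fall=3, rise=2):
        self.fall, self.rise = fall, rise
        self.state = {s: "up" for s in servers}
        self.streak = {s: 0 for s in servers}   # >0 consecutive OK, <0 consecutive failed

    def record(self, server, ok):
        sign = 1 if ok else -1
        prev = self.streak[server]
        # Extend the streak if it runs in the same direction, otherwise restart it.
        self.streak[server] = prev + sign if prev * sign > 0 else sign
        if self.state[server] == "up" and self.streak[server] <= -self.fall:
            self.state[server] = "down"
        elif self.state[server] == "down" and self.streak[server] >= self.rise:
            self.state[server] = "up"
        return self.state[server]

    def available(self):
        return [s for s, st in self.state.items() if st == "up"]


class ServerFarm:
    """Round-robin over farm members, skipping any the tracker has marked down."""

    def __init__(self, servers, tracker):
        self.servers = list(servers)
        self.tracker = tracker
        self._next = 0

    def pick(self):
        up = set(self.tracker.available())
        for _ in range(len(self.servers)):
            candidate = self.servers[self._next % len(self.servers)]
            self._next += 1
            if candidate in up:
                return candidate
        raise RuntimeError("no available server in farm")


def simulate(probes, servers=("10.0.0.11", "10.0.0.12")):
    """Feed a constructed sequence of (server, ok) probe results through the
    tracker and return the state after each one, comparable to the widget's
    icons over time."""
    tracker = HealthTracker(servers)
    return [(s, tracker.record(s, ok)) for s, ok in probes]


if __name__ == "__main__":
    # Constructed probe log: .12 fails three times in a row, then recovers.
    PROBES = [("10.0.0.12", False), ("10.0.0.12", False), ("10.0.0.12", False),
              ("10.0.0.12", True), ("10.0.0.12", True)]
    for server, state in simulate(PROBES):
        print(server, state)
```

The asymmetry between `fall` and `rise` is deliberate: taking a server out of rotation quickly limits the number of client requests sent to a dead back end, while requiring several successes before reinstating it avoids bouncing traffic onto a server that is still recovering.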

Policy Sessions widget


The Policy Sessions widget on the dashboard displays the number of server sessions that
are currently governed by each policy.

Table 11: Policy Sessions widget (title bar with Refresh and Close icons)

GUI item Description


# Shows the index number of the policy.
Policy Shows the name of the policy.
For information on policies, see “Configuring server policies” on page 118.
Session Shows the total number of sessions currently being governed by the policy.
Close Click to hide the widget. It no longer appears on the dashboard unless you
add it again by clicking Add Content.
Refresh Click to refresh the information displayed on the widget.

Configuring the network and VLAN interfaces


System > Network > Interface displays two interface types: the network interfaces that are
associated with the physical ports on a FortiWeb unit, and if configured, the VLAN
subinterfaces. For more information about VLAN subinterfaces, see “Adding a VLAN
subinterface” on page 53.
At least one IP address must be configured on at least one FortiWeb network interface
so that you can connect your management computer to the FortiWeb unit’s CLI or
web-based manager.

Note: When the FortiWeb unit operates in true transparent proxy or transparent inspection
mode and you configured a v-zone (bridge), do not configure any physical network
interfaces other than port1. For details, see “Configuring v-zones (bridges)” on page 55.


Depending on your network topology and other considerations, you may need to configure
one or more of the FortiWeb unit’s other network interfaces to enable the FortiWeb unit to
connect to your network and to the web servers it protects. You can configure each
network interface separately, with its own IP address, netmask, and accepted
administrative access protocols.

Caution: Enable administrative access only on network interfaces connected to trusted
private networks or directly to your management computer. If possible, enable only secure
administrative access protocols such as HTTPS or SSH. Failure to restrict administrative
access could compromise the security of your FortiWeb unit.

Note: You can restrict which IP addresses are permitted to log in as a FortiWeb
administrator through the network interfaces. For details, see “Configuring administrator
accounts” on page 75.

To change settings in this part of the web-based manager, your administrator's account
access profile must have Write permission to items in the Network Configuration category.
For details, see “About permissions” on page 80.

Table 12: System > Network > Interface tab (columns with description icon and Edit icon)

GUI item Description


Create New Click to create a new VLAN subinterface. For more information, see “Adding a
VLAN subinterface” on page 53.
Note: You cannot create a new network interface, only a VLAN subinterface. To
view or modify an existing network interface, click the Edit icon.
(No column Shows an icon indicating that a description is available for the network
heading.) interface. To view the description, hover your cursor over the icon.
Name Shows the name of the network interface, usually directly associated with one
physical link as indicated by its name, such as port1.
Note: A pointer beside the name indicates there is a VLAN subinterface
associated with the port. For more information, see “Adding a VLAN
subinterface” on page 53.
IP/Netmask Displays the IP address and netmask of the network interface, separated by a
slash ( / ).
Access Displays the administrative access services that are enabled on the network
interface, such as HTTPS for the web-based manager.
Note: Administrative access is not available for VLAN subinterfaces.
Status Indicates the “up” (available) or “down” (unavailable) administrative status of
the network interface.
• Green up arrow: The network interface is up and permitted to receive or
transmit traffic. To disable the network interface, click Bring Down.
• Red down arrow: The network interface is down and not permitted to
receive or transmit traffic. To enable the network interface, click Bring Up.
(No column Click the Edit icon to view or modify the settings of the network interface or
heading.) VLAN subinterface.
Click the Delete icon to remove a VLAN subinterface.
Note: Network interfaces associated with a physical port cannot be deleted.


To edit a network interface


1 Go to System > Network > Interface.
2 In the row corresponding to a network interface, click the Edit icon.
3 Configure the following:

GUI item Description


Name Displays the name (such as port2) and media access control (MAC)
address of this network interface.
IP/Netmask Type the IP address/subnet mask. The IP address must be on the
same subnet as the network to which the interface connects. Two
network interfaces cannot have IP addresses on the same subnet.
Warning: If you are changing the interface’s IP address and you
have configured a static route for the interface, the new IP address
of the interface must be in the same subnet as the default gateway.
Otherwise, all the static routes and the default gateway information
will be lost.
Administrative Access Enable the types of administrative access that you want to permit
on this interface.
Note: Administrative access is not available for VLAN
subinterfaces.
HTTPS Enable to allow secure HTTPS connections to the web-based
manager through this network interface.
For information on configuring the port number where the FortiWeb
unit listens for these connections, see “Configuring the web-based
manager’s global settings” on page 82.
PING Enable to allow ICMP ping responses from this network interface.
HTTP Enable to allow HTTP connections to the web-based manager
through this network interface.
For information on configuring the port number where the FortiWeb
listens for these connections, see “Configuring the web-based
manager’s global settings” on page 82.
Caution: HTTP connections are not secure, and can be
intercepted by a third party. If possible, enable this option only for
network interfaces connected to a trusted private network, or
directly to your management computer. Failure to restrict
administrative access through this protocol could compromise the
security of your FortiWeb unit.
SSH Enable to allow SSH connections to the CLI through this network
interface.
SNMP Enable to allow SNMP connections to this network interface.
Note: This setting only configures which network interface will
receive SNMP queries. To configure which network interface will
send traffic, see “Configuring the SNMP agent” on page 66.


TELNET Enable to allow Telnet connections to the CLI through this network
interface.
Caution: Telnet connections are not secure, and can be
intercepted by a third party. If possible, enable this option only for
network interfaces connected to a trusted private network, or
directly to your management computer. Failure to restrict
administrative access through this protocol could compromise the
security of your FortiWeb unit.
Description Type a comment. The comment may be up to 63 characters long.
This field is optional.
4 Click OK.
If you were connected to the web-based manager through this network interface and
you changed the IP, you are now disconnected from it.
5 To access the web-based manager again, in your web browser, modify the URL to
match the new IP address of the network interface. For example, if you configured the
network interface with the IP address 10.10.10.5, you would browse to
https://10.10.10.5.
If the new IP address is on a different subnet than the previous IP address, and your
computer is directly connected to the FortiWeb unit, you may also need to modify the
IP address and subnet of your computer to match the FortiWeb unit’s new IP address.
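Before clicking OK in step 4, it is worth checking the change against the constraints the procedure and the caution above state: two interfaces may not share a subnet, the gateway-facing interface must keep the default gateway on its subnet or static routes are lost, and the cleartext HTTP and Telnet protocols should not be enabled. The following Python script is an added example, not FortiWeb code or its CLI; the interface inventory, the gateway address, and the assumption that port1 is the only management interface are constructed for illustration.

```python
"""Pre-change checks for the interface-editing procedure above.

Added example, not FortiWeb code or its CLI. It encodes the constraints the
procedure states so they can be checked before clicking OK: two interfaces
may not share a subnet, an interface that carries the default gateway must
keep the gateway on its subnet (otherwise static routes are lost), and the
cleartext HTTP/Telnet administrative protocols should be off. The interface
inventory and gateway below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

CLEARTEXT_ADMIN = {"http", "telnet"}   # credentials cross the wire unencrypted


@dataclass
class Interface:
    name: str
    cidr: str                                   # "10.10.10.5/24" as shown in IP/Netmask
    access: set = field(default_factory=set)    # enabled Administrative Access services

    @property
    def network(self):
        return ipaddress.ip_interface(self.cidr).network


def check_interface_change(interfaces, name, new_cidr, default_gateway):
    """Return the problems that assigning new_cidr to interface `name` would cause.
    An empty list means the change is consistent with the rules in the procedure."""
    problems = []
    new_if = ipaddress.ip_interface(new_cidr)
    net = new_if.network
    target = next(i for i in interfaces if i.name == name)

    # A host address is required: the network or broadcast address is not usable.
    if net.prefixlen < 31 and new_if.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{new_if.ip} is the network or broadcast address of {net}")

    # Two network interfaces cannot have IP addresses on the same subnet.
    for other in interfaces:
        if other.name != name and other.network.overlaps(net):
            problems.append(f"{net} on {name} overlaps {other.network} on {other.name}")

    # Re-addressing the gateway-facing interface away from the gateway's subnet
    # drops the default route and every static route that used this interface.
    gw = ipaddress.ip_address(default_gateway)
    if gw in target.network and gw not in net:
        problems.append(f"default gateway {gw} would no longer be on {name} ({net}); "
                        "static routes and the default gateway would be lost")
    return problems


def audit_admin_access(interfaces, management=("port1",)):
    """Flag cleartext admin protocols anywhere, and any admin access other than
    ping on interfaces that are not the dedicated management port(s)."""
    findings = []
    for i in interfaces:
        cleartext = sorted(i.access & CLEARTEXT_ADMIN)
        if cleartext:
            findings.append(f"{i.name}: disable {', '.join(cleartext)}; use HTTPS/SSH instead")
        admin = sorted(i.access - {"ping"})
        if admin and i.name not in management:
            findings.append(f"{i.name}: administrative access {admin} enabled on a "
                            "non-management interface")
    return findings


# Constructed sample inventory (documentation address ranges).
SAMPLE_INTERFACES = [
    Interface("port1", "10.10.10.5/24", {"https", "ssh", "ping"}),   # management
    Interface("port2", "192.0.2.1/24", {"http", "ping"}),            # client side
    Interface("port3", "198.51.100.1/24", set()),                    # server side
]
SAMPLE_GATEWAY = "10.10.10.1"

if __name__ == "__main__":
    for p in check_interface_change(SAMPLE_INTERFACES, "port1", "10.10.20.5/24", SAMPLE_GATEWAY):
        print("PROBLEM:", p)
    for f in audit_admin_access(SAMPLE_INTERFACES):
        print("FINDING:", f)
```

Run against the sample inventory, the script reports that moving port1 to 10.10.20.5/24 would strand the default gateway, that port2 has HTTP enabled, and that port2 permits administrative access at all even though it faces clients.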

Adding a VLAN subinterface


This section describes how a virtual local area network (VLAN) works with FortiWeb and
how to add a VLAN subinterface to a network interface on the FortiWeb unit.
Like a physical local area network (LAN), an IEEE 802.1Q VLAN limits the size of a
broadcast domain and thereby the amount of broadcast traffic received by network
hosts, improving network performance.
Unlike physical LANs, VLANs do not require you to install separate hardware switches
and routers to achieve this effect. Instead, VLAN-compliant switches, such as FortiWeb
units, restrict broadcast traffic based upon whether its VLAN ID matches that of the
destination network. As such, VLAN trunks can be used to join physically distant
broadcast domains as if they were close.
The VLAN ID is part of the tag that is inserted into each Ethernet frame in order to identify
traffic for a specific VLAN. VLAN header addition is handled automatically by FortiWeb
units, and does not require that you adjust the maximum transmission unit (MTU).
Depending on whether the device receiving a packet operates at Layer 2 or Layer 3 of the
network, this tag may be added, removed, or rewritten before forwarding to other nodes on
the network.
For example, a Layer 2 switch or FortiWeb unit operating in true transparent proxy mode
would typically add or remove a tag when forwarding traffic among members of the VLAN,
but would not route tagged traffic to a different VLAN ID. In contrast, a FortiWeb unit
operating in reverse proxy mode, inspecting the traffic to make routing decisions based
upon higher-level layers/protocols, might route traffic between different VLAN IDs (also
known as inter-VLAN routing) if indicated by its policy, such as if it has been configured to
do WSDL-based routing.
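What the tag actually is, as an added example that is not from this guide or from FortiWeb: the following Python script builds an Ethernet II frame, inserts the 4-byte 802.1Q tag (TPID 0x8100 followed by priority, DEI and VLAN ID), strips it as a Layer 2 device does when forwarding to an untagged member, and rewrites the VID as a Layer 3 device doing inter-VLAN routing does. The MAC addresses and payload are constructed.

```python
"""IEEE 802.1Q tag handling, as an added illustration of the VLAN paragraph
above. Constructed example, not FortiWeb code: it builds a minimal Ethernet II
frame, then inserts, parses, strips and rewrites the 4-byte VLAN tag to show
what a Layer 2 forwarder does (add/remove the tag, keep the VID) versus what a
Layer 3 device doing inter-VLAN routing does (rewrite the VID). The sample
MACs and payload are constructed.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value announcing that a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet II frame: dst(6) src(6) EtherType(2) payload (no FCS)."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return (pcp, dei, vid) from the tag control information, or None if untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def add_tag(frame, vid, pcp=0, dei=0):
    """Insert the tag between the source MAC and the EtherType (trunk egress).
    The payload is untouched, which is why the MTU does not need adjusting:
    the frame grows by 4 bytes but the IP packet inside it does not."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if parse_tag(frame) is not None:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Remove the tag (access-port egress, or a Layer 2 hop to an untagged member)."""
    return frame[:12] + frame[16:] if parse_tag(frame) is not None else frame


def rewrite_vid(frame, new_vid):
    """Inter-VLAN routing by a Layer 3 device: same priority bits and payload,
    but the frame leaves on a different VLAN ID."""
    tag = parse_tag(frame)
    if tag is None:
        raise ValueError("cannot rewrite the VID of an untagged frame")
    pcp, dei, _ = tag
    return add_tag(strip_tag(frame), new_vid, pcp, dei)


def payload_of(frame):
    """Bytes after the EtherType, whether or not a tag precedes it."""
    return frame[18:] if parse_tag(frame) is not None else frame[14:]


if __name__ == "__main__":
    dst = bytes.fromhex("ffffffffffff")          # broadcast (constructed)
    src = bytes.fromhex("001122334455")          # constructed source MAC
    untagged = build_frame(dst, src, ETHERTYPE_IPV4, b"\x45" + bytes(39))
    tagged = add_tag(untagged, vid=100, pcp=5)
    print(len(untagged), len(tagged), parse_tag(tagged))       # 54 58 (5, 0, 100)
    print(parse_tag(rewrite_vid(tagged, 200)))                 # (5, 0, 200)
```

The 12-bit VID field is why VLAN IDs stop at 4094, and the reserved values 0 and 4095 are rejected before a frame is built; a device that accepts a frame whose TPID says "tagged" must also read the original EtherType from offset 16 rather than 12, which is the check `payload_of` makes.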
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Network Configuration category. For
details, see “About permissions” on page 80.


Table 13: Interface tab with VLAN subinterface (VLAN indicator, subinterface name, description icon and Edit icon)

GUI item Description


Create New Click to create a new VLAN subinterface.
(No column heading.) Displays an icon indicating that a description is available for the network interface. To view the description, hover your cursor over the icon.
Note: VLAN subinterfaces do not provide a description.
Name If a VLAN subinterface exists, a pointer appears beside the name of the
network interface. Click the pointer to expand the list of VLANs associated with
the network interface.
IP/Netmask Displays the IP address and netmask of the VLAN subinterface, separated by a
slash ( / ).
Access Displays the administrative access services that are enabled on the network
interface.
Note: VLAN subinterfaces do not permit administrative access.
Status Indicates the “up” (available) or “down” (unavailable) administrative status of
the network interface.
• Green up arrow: The network interface is up and permitted to receive or
transmit traffic. To disable the network interface, click Bring Down.
• Red down arrow: The network interface is down and not permitted to
receive or transmit traffic. To enable the network interface, click Bring Up.
(No column heading.) Click the Edit icon to view or modify the settings of the VLAN subinterface. Click the Delete icon to remove a VLAN subinterface.

To add a VLAN subinterface

Note: When the FortiWeb unit operates in either of the transparent modes, VLAN
subinterfaces do not support Cisco discovery protocol (CDP).

1 Go to System > Network > Interface.


2 Click Create New.
3 Configure the following:


GUI item Description


Name Type the name (such as vlan_100) of this VLAN subinterface.
You cannot modify this field if you are editing an existing entry. To
modify the name, delete the entry, then recreate it using the new
name.
Type Indicates whether the interface is directly associated with a physical
network port, or is instead a VLAN subinterface.
This option is set by the system automatically and cannot be
changed.
Interface Select the name of the network interface with which the VLAN
subinterface will be associated.
VLAN ID Type the VLAN ID of packets that belong to this VLAN subinterface.
• If one physical network port (that is, a VLAN trunk) will handle
multiple VLANs, create multiple VLAN subinterfaces on that
port, one for each VLAN ID that will be received.
• If multiple different physical network ports will handle the same
VLANs, on each of the ports, create VLAN subinterfaces that
have the same VLAN IDs.
The valid range is between 1 and 4094 and must match the VLAN
ID added by the IEEE 802.1q-compliant router or switch connected
to the VLAN subinterface.
For the maximum number of interfaces for your FortiWeb model,
including VLAN subinterfaces, see “Appendix B: Maximum values”
on page 397.
Note: Inter-VLAN routing is not supported if the FortiWeb unit is
operating in true transparent proxy mode. In that case, you must
configure the same VLAN IDs on each physical network port.
IP/Netmask Type the IP address/subnet mask associated with the VLAN, if any.
The IP address must be on the same subnet as the network to
which the interface connects. Two network interfaces cannot have
IP addresses on the same subnet.

4 Click OK.

Configuring v-zones (bridges)


System > Network > V-zone lists any network ports configured as bridges.
Bridges allow network connections to travel through the FortiWeb unit’s physical network
ports without explicitly connecting to one of its IP addresses.
Use bridges only when:
• the FortiWeb unit operates in true transparent proxy or transparent inspection mode,
and


• you want to deploy FortiWeb between incoming connections and the web server it is
protecting, without changing your IP address scheme or performing routing or network
address translation (NAT)
In that case, do not assign IP addresses to the ports that you will connect to either the
web server or to the overall network. Instead, group the two physical network ports by
adding their associated network interfaces to a bridge.
Bridges on the FortiWeb unit support the IEEE 802.1d spanning tree protocol (STP) and
therefore do not require that you manually test the bridged network for Layer 2 loops.
Bridges can also elect a root switch on their own and build a tree that uses the
minimum-cost path to the root switch, although you may prefer to do so manually for
design and performance reasons.

Note: If you prefer to disable STP, see the config system v-zone command in the
FortiWeb CLI Reference.

True bridges typically have no IP address of their own. They use only media access
control (MAC) addresses to describe the location of physical ports within their network
and switch traffic at Layer 2 of the OSI model. However, if you need an IP address so that
you can test connectivity to the physical ports comprising the bridge with ICMP ECHO
requests (ping), you can assign an IP address to the bridge, which creates a virtual
network interface that will respond.
To configure a bridge in the web-based manager, your administrator's account access
profile must have Read and Write permission to items in the Network Configuration
category. For details, see “About permissions” on page 80.

Table 14: System > Network > V-zone tab


GUI item Description


Name Displays the name of the v-zone (bridge).


Interface name Displays the name and current status (in parentheses) of each network port
that belongs to the bridge, such as port4 (forwarding). Possible states include:
• listening: The port is up and, by using the spanning tree protocol (STP), has
determined that it will participate in forwarding frames. It is receiving bridge
protocol data units (BPDUs) that tell it about its distance from the root
switch, but it is not yet transmitting BPDUs about itself or forwarding frames,
and is not yet learning.
• learning: The port is building a database of media access control (MAC)
addresses of the network nodes that are connected on the Ethernet
network in order to discover which links in the tree are functional. It
continues to receive BPDUs, but now it is also transmitting BPDUs to allow
the spanning tree to learn about its existence in preparation for forwarding.
The time required to learn the spanning tree varies by the size of the
network, but can be many seconds.
• forwarding: Learning is sufficient for the port to be capable of forwarding
frames. It continues to receive and forward BPDUs and update its database
of MAC addresses, and, therefore, may leave this state if STP detects a
topology change that requires this port to, for example, block instead of
forward frames in order to maintain a valid, non-looping tree. This is the
usual state during normal operation.
• disabled: The port was automatically disabled. Its network cable may be
disconnected or the link is otherwise broken. The cause must be corrected
before the port can function in the bridge.
• blocked: The port was automatically disabled in order to prevent a Layer 2
loop in the spanning tree, because its link is redundant with another part of
the tree. It is on standby and could be automatically enabled in failover
scenarios, if the redundant part of the tree fails. If you do not want this port
to remain disabled, you must remove the redundant part of the tree that
causes this port to be blocked.
(No column heading.) Click the Edit icon to view or modify the settings of the bridge. For details, see “Configuring the network and VLAN interfaces” on page 50.

To configure a v-zone (bridge)


1 Go to System > Network > V-zone.
2 Click Create New, or, in the row corresponding to an existing bridge, click the Edit icon.
3 Configure the following:

GUI item Description


Name Type the name of the v-zone (bridge).


IP/Netmask The FortiWeb unit is set to a default IP/Netmask of 0.0.0.0/0.0.0.0. To create a true bridge without its own IP address, enter a unique IP/Netmask for your location.
Note: When operating in either of the transparent modes, failure to change the IP/Netmask for your location will result in an Invalid IP Address error message.
To create a virtual network interface that can respond to ICMP ECHO (ping) requests, enter an IP address/subnet mask for the virtual network interface.
Interface name Displays a list of network interfaces that currently have no IP
address of their own, are not members of another bridge, and which
therefore could be members of this bridge.
To add a pair of network interfaces to the bridge, select them and
click the right arrow.
Note: In either of the transparent modes, port1 cannot be included
in a bridge. It is configured with an IP address to allow CLI and web-
based manager connections.
Member Displays a list of network interfaces that belong to this bridge.
4 Click OK.
In the interface name column, each network interface’s status is in parentheses next to
the name of the port, such as port4 (forwarding). Depending on the status, each port in
the bridge may or may not be immediately functional. For details, see “Interface
name” on page 57.
5 Connect one of the physical ports in the bridge to your protected servers, and the other
port to your overall network.

Configuring fail-open
If your unit supports fail-open, selecting System > Network > Fail-open enables you to
configure fail-to-wire behavior in the event that the FortiWeb unit is shut down, rebooted,
or unexpectedly loses power.

Note: Fail-open is supported only when the FortiWeb unit operates in true transparent
proxy (TTP) mode or transparent inspection (TI) mode, and only for models with a CP7
processor, such as the FortiWeb-1000C and FortiWeb-3000C.
Fail-open is disabled if the FortiWeb unit is configured as a high availability master or
backup.

For FortiWeb units and operation modes that support fail-open, this feature allows
connections to pass through unfiltered when powered off. This may be useful if you are
required by contract to provide uninterrupted connectivity, or if you consider connectivity
interruption to be a greater risk than being open to attack during the power interruption.
Select either:
• PowerOff-Bypass: Behave as a wire when powered off, allowing connections to pass
through, bypassing policy and profile filtering.
• PowerOff-Cutoff: Interrupt connectivity when powered off.

Configuring the DNS settings


System > Network > DNS enables you to configure the FortiWeb unit with its local domain
name, and the IP addresses of the domain name system (DNS) servers that the FortiWeb
unit will query to resolve domain names such as www.example.com into IP addresses.
FortiWeb units require connectivity to DNS servers for DNS lookups. Your Internet service
provider (ISP) may supply IP addresses of DNS servers, or you may want to use the IP
addresses of your own DNS servers.


Note: For improved performance, use DNS servers on your local network.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Network Configuration category. For
details, see “About permissions” on page 80.

Table 15: System > Network > DNS tab

GUI item Description


Primary DNS Server Type the IP address of the primary DNS server.
Secondary DNS Server Type the IP address of the secondary DNS server.
Local Domain Name Type the name of the local domain to which the FortiWeb unit belongs,
if any.
This field is optional. It will not appear in the Host: field of HTTP
headers for client connections to protected web servers.

Synchronizing configurations
System > Config > Config-Synchronization enables you to synchronize the configuration
information on the local FortiWeb unit with a peer (remote) FortiWeb unit. As a result, the
configuration information on the peer FortiWeb unit is updated with that of the local
FortiWeb unit.
This type of configuration synchronization is useful in the following scenario:
• two FortiWeb units are used in an environment where high availability (HA) or load-
balancing is performed by the gateway or the router
• the two FortiWeb units are not part of a high availability (HA) pair, but the units are
required to have the same security policies
Essentially, synchronization relieves you of the need to update policies on two FortiWeb
units whenever policies or settings change. The second unit updates its settings
automatically from the other.


Figure 20: Example scenario for configuration synchronization

There are two levels of configuration synchronization: full and partial.

Note: The full synchronization option is not available in the reverse proxy operation mode.

Full synchronization updates all configuration files on the peer FortiWeb unit, except for
the following:
• Network interfaces define the physical connection of the FortiWeb unit to the network
(management IP) and must remain unchanged. For more information, see “Configuring
the network and VLAN interfaces” on page 50.
• Configuration data for administrator accounts, access profiles and administrator
settings must remain unchanged. For more information, see “Configuring administrator
accounts” on page 75.
Partial synchronization updates all configuration files on the peer FortiWeb unit, with the
exception of:
• All configurations on the System menu. For more information, see “System” on
page 41.
• Router > Static configurations. For more information, see “Router” on page 105.
• Server Policy > Policy configurations. For more information, see “Configuring server
policies” on page 118.
• Server Policy > Server configurations. For more information, see “Configuring
servers” on page 129.
• Server Policy > Server Health Check configurations. For more information, see
“Configuring server health checks” on page 143.
• Server Policy > Service configurations. For more information, see “Configuring
services” on page 145.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Network Configuration category. For
details, see “About permissions” on page 80.


Table 16: System > Config > Config-Synchronization tab

GUI item Description


Peer FortiWeb IP Type the IP address of the remote FortiWeb unit that you want to
synchronize with the local FortiWeb unit.
Test Select to test the connection between the local FortiWeb unit and the
remote FortiWeb unit.
Peer FortiWeb Port Type the port number of the remote FortiWeb unit that is used for
config synchronization. The default port is 8333.
For more information about how to set the port number for
configuration synchronization, see “Configuring the web-based
manager’s global settings” on page 82.
Peer FortiWeb Password Enter the administrator password for the remote FortiWeb unit.
Synchronization Type Select either Partial or Full (note that Full configuration sync is not
available in the reverse proxy operation mode). For details, see the
previous descriptions in this topic.
Synchronize Click to initiate the synchronization of configuration information from
the local FortiWeb unit to the peer FortiWeb unit.

Configuring high availability (HA)


System > Config > HA-Config enables you to configure a FortiWeb unit to operate as one
of two units in an active-passive high availability (HA) pair.
FortiWeb units that are joined as an HA pair enhance availability. To distinguish the units in
an HA pair, each unit is configured with a unique HA operating mode. The HA mode
determines whether the unit operates as a master HA unit or a backup HA unit.
Functionally, there is no difference between the master and backup.
Before configuring HA, verify that your FortiWeb units meet the HA requirements:
• You have two FortiWeb units.
• The units are the same hardware model (for example, both FortiWeb-1000C).
• The units have identical firmware versions installed.
• There is a redundant network topology in place: if the master fails, physical network
cabling and routes must redirect web traffic to the backup.
• To carry heartbeat and synchronization traffic between the HA pair, the heartbeat
interface on both HA units must be connected through Ethernet crossover cables or
through switches.

Note: If a switch is used to connect the heartbeat interfaces, the heartbeat interfaces must
be reachable by Layer 2 multicast.


For more information on heartbeat and synchronization, see “About the heartbeat and
synchronization” on page 65.
You can have more than one HA pair on the same network as long as each pair has a
different group ID.
Each unit in the HA pair also has an Effective HA mode attribute. This mode defines
whether the HA unit is the main working unit or a backup unit. The main working unit is
responsible for scanning web traffic. The backup unit does not scan web traffic but is
ready to take over if a failure occurs in the main working unit.
The main and backup units synchronize and detect failures by communicating through a
heartbeat interface that connects the two units in the HA pair. Failure is assumed when the
main unit is unresponsive to a heartbeat signal from the backup unit for a configured
amount of time (Detection interval x Heartbeat lost threshold).
If the main working unit fails, the two units in the HA pair switch their effective HA modes:
standby becomes main, and main becomes a standby. The IP address carrying web traffic
is transferred automatically to the unit whose effective HA mode is the main working unit.
The master and backup HA modes do not change.
In a failure situation, the amount of time that it takes the backup unit to take over from the
main unit varies by your network’s responsiveness to changeover notification and by your
configuration (ARP packet numbers x ARP packet interval).
Figure 21 shows an example HA network topology with IP address transfer from the main
unit to the backup unit upon failover. In this example, the heartbeat interfaces are
connected with crossover Ethernet cables.

Figure 21: HA topology and failover - Ethernet cable connection for heartbeat

[Figure: a client on the Internet reaches, through a firewall and a switch, a FortiWeb HA pair. The Master (main) unit has port1 10.0.0.1 and port2 192.168.1.1; the Backup (standby) unit's port1 and port2 take over these IP addresses upon failover. Primary and secondary heartbeat interfaces connect the two units directly. Web Server 1 is 192.168.1.2/24 and Web Server 2 is 192.168.1.3/24.]

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the System Configuration category. For
details, see “About permissions” on page 80.


Table 17: System > Config > HA-Config tab

GUI item Description


Configured HA mode Select one of the following as the HA operating mode:
• MASTER: A FortiWeb unit configured with a master HA mode will form an HA pair with another FortiWeb unit whose HA synchronize group ID matches that defined on the master, and whose Heartbeat Interface is connected to the master by Ethernet crossover cables or through switches.
The master initially acts as the main working unit in the HA pair and scans web traffic.
• BACKUP: A FortiWeb unit configured with a backup HA mode will form an HA pair with another FortiWeb unit whose HA synchronize group ID matches that defined on the backup, and whose Heartbeat Interface is connected to the backup by Ethernet crossover cables or through switches.
The backup unit initially acts as the backup unit in the HA pair and does not scan web traffic.
If the backup detects through the heartbeat interface that the master has failed, the backup automatically begins acting as the main working unit in the HA pair and broadcasts ARP packets to notify the network of the changeover. The network interface IP address is transferred to the backup, and the backup takes over scanning web traffic. The master becomes a standby working unit.
The backup does not revert to a standby role if it detects that the master is once again available. Instead, another failover must occur in order to cause the master to become the main unit once again. Or you can manually switch the roles of the master and backup units.
• STANDALONE: Do not operate as a member of an HA pair. Instead, operate as a single, independent FortiWeb unit. No other dialog options appear when this option is in effect.
The default value is STANDALONE.
Effective HA mode The effective HA mode defines whether the HA unit is the main working unit or a backup unit. The main working unit is responsible for scanning web traffic. The backup unit does not scan web traffic but is ready to take over if a failure occurs in the main working unit.


HA synchronize group ID Enter a number that identifies the HA pair. Both members of the HA pair must have the same group ID. If you have more than one HA pair on the same network, each HA pair must have a different group ID.
Changing the group ID changes the cluster’s virtual MAC address.
The default value is 0. The valid range is 0 to 63.
Detection interval Enter the number of 100-millisecond intervals between each heartbeat packet that the FortiWeb unit sends to the other FortiWeb unit in the HA pair. This is also
the amount of time that a FortiWeb unit waits before expecting to receive a
heartbeat packet from the other unit.
This part of the configuration is synchronized between the main unit and backup
unit.
The default value is 1 (that is, 100 milliseconds). The valid range is 1 to 20 (that
is, between 100 and 2 000 milliseconds).
Note: Although this setting is synchronized between the main unit and the
backup unit, you should initially configure both units with the same Detection
interval to prevent inadvertent failover from occurring before the initial
synchronization.
Heartbeat lost threshold Enter the number of heartbeat intervals that one of the HA units retries the heartbeat and waits to receive HA heartbeat packets from the other HA unit
before assuming that the other unit has failed.
This part of the configuration is synchronized between the main unit and backup
unit.
Normally, you do not need to change this setting. Exceptions include:
• Increase the failure detection threshold if a failure is detected when none has
actually occurred. For example, during peak traffic times, if the main unit is
very busy, it might not respond to heartbeat packets in time, and the backup
unit may assume that the main unit has failed.
• Reduce the failure detection threshold or detection interval if administrators
and HTTP clients have to wait too long before being able to connect through
the main unit, resulting in noticeable down time.
The default value is 1. The valid range is from 1 to 60.
Note: Although this setting is synchronized between the main unit and the
backup unit, you should initially configure both units with the same Heartbeat lost
threshold to prevent inadvertent failover from occurring before the initial
synchronization.
ARP packet numbers Enter the number of times that the FortiWeb unit will broadcast address resolution protocol (ARP) packets when it takes on the main role in order to notify
the network that a new physical port has become associated with the HA pair IP
address and virtual MAC. This is sometimes called “using gratuitous ARP
packets to train the network,” and can occur when the main unit is starting up, or
during a failover. Also configure ARP packet interval.
Normally, you do not need to change this setting. Exceptions include:
• Increase the number of times the main unit sends gratuitous ARP packets if
your HA pair takes a long time to fail over or to train the network. Sending
more gratuitous ARP packets may help the failover to happen faster.
• Decrease the number of times the main unit sends gratuitous ARP packets if
your HA pair has a large number of VLAN interfaces and virtual domains.
Because gratuitous ARP packets are broadcast, sending gratuitous ARP
packets may generate a large amount of network traffic. As long as the HA
pair still fails over successfully, you could reduce the number of times
gratuitous ARP packets are sent to reduce the amount of traffic produced by a
failover.
The default value is 3. The valid range is 1 to 16.


ARP packet interval Enter the number of seconds to wait between each time that the FortiWeb unit broadcasts ARP packets.
Normally, you do not need to change this setting. Exceptions include:
• Decrease the interval if your HA pair takes a long time to fail over or to train
the network. Sending ARP packets more frequently may help the failover to
happen faster.
• Increase the interval if your HA pair has a large number of VLAN interfaces
and virtual domains. Because gratuitous ARP packets are broadcast, sending
gratuitous ARP packets may generate a large amount of network traffic. As
long as the HA pair still fails over successfully, you could increase the interval
between when gratuitous ARP packets are sent to reduce the rate of traffic
produced by a failover.
The default value is 1. The valid range is from 1 to 20.
Port Monitor Enable to monitor for link failure the network interfaces that correlate directly to a
physical port.
Port monitoring (also called interface monitoring) monitors physical network ports
to verify that they are functioning properly and connected to their networks. If the
physical port fails or becomes disconnected, a failover will occur.
Note: To prevent unintentional failover, do not configure port monitoring until you
have configured HA on both units in the HA pair, and connected the physical
network ports that will be monitored.
Heartbeat Interface Select the ports on the FortiWeb unit that the main unit and backup unit will use to send heartbeat signals between each other. The heartbeat interface must be
defined on each unit in the HA pair. Port matching is not necessary.
If enough ports are available, you can select a primary heartbeat interface and a
secondary heartbeat interface on each unit in the HA pair for redundancy.
You cannot use the same port for both the primary and secondary heartbeat
interface on the same unit. Ports that currently have an IP address assigned for
other purposes (that is, virtual servers or bridges) are disabled.
Note: Heartbeat interfaces can be connected through Ethernet crossover cables
or through switches. If a switch is used to connect the heartbeat interfaces, the
heartbeat interfaces must be reachable by Layer2 Multicast.

About the heartbeat and synchronization


To keep the configurations concurrent so the backup unit in an HA pair will be ready in
case of failover, HA pairs synchronize their configuration every 30 seconds.
Synchronization includes WSDL files, certificates, and schema files. (HTTP sessions,
state data related to protection profile features, and log messages, however, are not
synchronized. Upon failover, sessions must be re-formed with the new main unit.)

Note: If an HA pair is not configured, you can still synchronize the configuration between
the local FortiWeb unit and its peers. For more information, see “Synchronizing
configurations” on page 59.

Only the FortiWeb unit currently acting as the main unit (scanning web traffic) is
configured with IP addresses on its network interfaces. The backup unit uses the
configured IP addresses only if a failover occurs and it must therefore assume the role of
the main unit.

Note: Since backup units do not have IP addresses, the backup unit can only be accessed
through the local console. For more information on using the local console’s CLI, see the
FortiWeb CLI Reference.

Heartbeat and synchronization traffic occur over the network interface ports that you have
configured in Heartbeat Interface. Heartbeat and synchronization are performed through
multicast UDP on port numbers 5055 (heartbeat) and 5056 (synchronization). The
multicast IP address 224.0.0.1 is hard-coded, and cannot be configured.


Note: If switches are used to connect heartbeat interfaces between an HA pair, the
heartbeat interfaces must be reachable by Layer 2 multicast.

Failover is triggered when an interruption to either the heartbeat or a port-monitored
network interface lasts longer than your configured limit (Detection interval x
Heartbeat lost threshold). While the main unit is unresponsive, the backup unit does the
following:
1 broadcasts ARP packets to notify the network that the IP addresses are now associated
with its virtual MAC address
2 performs the role of the main unit and scans network traffic
The HA units will not change roles when the failed unit resumes responsiveness to the
heartbeat. Instead, a second failover must occur to cause the HA units to change roles
again. You can manually switch over the roles if desired.
Because log messages are not synchronized, after a failover, you may notice that there is
a gap in the master log files that corresponds to the period of its down time. Log files are
stored on the backup during the time when the backup is acting as the main unit
subsequent to a failover.
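To make the HA timers concrete, the following Python (an added example, not FortiWeb code) models the two formulas the HA-Config table and the failover description above give, Detection interval x Heartbeat lost threshold for declaring the main unit failed and ARP packet numbers x ARP packet interval for training the network, checks proposed settings against the table's valid ranges, and flags the Detection interval / Heartbeat lost threshold mismatch the notes warn about before the first synchronization. The heartbeat arrival timestamps are constructed.

```python
"""Model the FortiWeb HA failure-detection and ARP network-training timers.

Added example, not FortiWeb code. Field names, defaults, valid ranges and the
formulas (Detection interval x Heartbeat lost threshold; ARP packet numbers x
ARP packet interval) follow the HA-Config table; the heartbeat timestamps used
in the demonstration are constructed.
"""
from dataclasses import dataclass
from typing import List, Sequence

DETECTION_UNIT_MS = 100   # Detection interval is counted in 100 ms steps

# Valid ranges from the HA-Config table: (min, max, unit)
RANGES = {
    "detection_interval":       (1, 20, "x100 ms"),
    "heartbeat_lost_threshold": (1, 60, "intervals"),
    "arp_packet_numbers":       (1, 16, "packets"),
    "arp_packet_interval":      (1, 20, "s"),
}


@dataclass(frozen=True)
class HaTimers:
    detection_interval: int = 1        # default 1 (100 ms)
    heartbeat_lost_threshold: int = 1  # default 1
    arp_packet_numbers: int = 3        # default 3
    arp_packet_interval: int = 1       # default 1 s


def validate(t: HaTimers) -> List[str]:
    """Return range violations for the settings (empty list when all are valid)."""
    problems = []
    for name, (lo, hi, unit) in RANGES.items():
        value = getattr(t, name)
        if not lo <= value <= hi:
            problems.append(f"{name}={value} is outside {lo}..{hi} {unit}")
    return problems


def failure_detection_ms(t: HaTimers) -> int:
    """How long the peer may stay silent before it is declared failed."""
    return t.detection_interval * DETECTION_UNIT_MS * t.heartbeat_lost_threshold


def arp_training_s(t: HaTimers) -> int:
    """Duration of the gratuitous-ARP burst sent by the unit taking the main role."""
    return t.arp_packet_numbers * t.arp_packet_interval


def failover_window_ms(t: HaTimers) -> int:
    """Upper bound from the two formulas: detect the failure, then train the network."""
    return failure_detection_ms(t) + arp_training_s(t) * 1000


def peer_failed(heartbeats_ms: Sequence[int], now_ms: int, t: HaTimers) -> bool:
    """Decide, at time now_ms, whether the peer's silence exceeds the limit.

    heartbeats_ms are arrival timestamps of heartbeats received from the peer;
    no heartbeat at all is treated as a failed peer.
    """
    if not heartbeats_ms:
        return True
    return now_ms - max(heartbeats_ms) > failure_detection_ms(t)


def pre_sync_mismatch(master: HaTimers, backup: HaTimers) -> List[str]:
    """Settings the guide says to configure identically on both units before the
    first synchronization, so that a mismatch cannot cause an inadvertent failover."""
    return [
        name for name in ("detection_interval", "heartbeat_lost_threshold")
        if getattr(master, name) != getattr(backup, name)
    ]


if __name__ == "__main__":
    t = HaTimers(detection_interval=5, heartbeat_lost_threshold=4)
    print(validate(t) or "settings within valid ranges")
    print("failure declared after", failure_detection_ms(t), "ms of silence")
    print("ARP training lasts", arp_training_s(t), "s")
    # Constructed heartbeat arrivals every 500 ms, then silence from 1500 ms on.
    beats = [0, 500, 1000, 1500]
    print("peer failed at 3500 ms?", peer_failed(beats, 3500, t))
    print("peer failed at 3600 ms?", peer_failed(beats, 3600, t))
    print("pre-sync mismatch vs. defaults:", pre_sync_mismatch(t, HaTimers()))
```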

Configuring the SNMP agent


System > Config > SNMP enables you to configure the FortiWeb unit’s simple network
management protocol (SNMP) agent to allow queries for system information and to send
traps (alarms or event messages) to the computer that you designate as its SNMP
manager. In this way you can use an SNMP manager to monitor the FortiWeb unit.
Before you can use SNMP, you must activate the FortiWeb unit’s SNMP agent and add it
as a member of at least one community. You must also enable SNMP access on the
network interface through which the SNMP manager connects. (See “Configuring the
network and VLAN interfaces” on page 50.)
On the SNMP manager, you must also verify that the SNMP manager is a member of the
community to which the FortiWeb unit belongs, and compile the necessary Fortinet-
proprietary management information blocks (MIBs) and Fortinet-supported standard MIBs.
For information on MIBs, see “Appendix C: SNMP MIB support” on page 399.

Caution: Failure to configure the SNMP manager as a host in a community to which the
FortiWeb unit belongs, or to supply it with required MIBs, will make the SNMP monitor
unable to query or receive traps from the FortiWeb unit.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the System Configuration category. For
details, see “About permissions” on page 80.

To configure the SNMP agent


1 Go to System > Config > SNMP .
2 Configure the following and click OK.

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide


66 Revision 10
http://docs.fortinet.com/ • Feedback
System Configuring the SNMP agent

Table 18: Configuring an SNMP Agent

GUI item        Description

SNMP Agent
    Select to activate the SNMP agent, so that the FortiWeb unit can send traps and
    receive queries for the communities in which you have enabled queries and traps.
    For more information on communities, see “Configuring an SNMP community” on
    page 68.
Description
    Enter a comment about the FortiWeb unit. The description can be up to 35
    characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - )
    and underscores ( _ ).
Location
    Enter the physical location of the FortiWeb unit. The location can be up to 35
    characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - )
    and underscores ( _ ).
Contact
    Enter the contact information for the administrator or other person responsible
    for this FortiWeb unit, such as a phone number or name. The contact information
    can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers,
    hyphens ( - ) and underscores ( _ ).
Apply
    Click to save changes made to the description, location, and contact information.
Create New
    Click Create New to add a new SNMP community. You can add up to three communities.
    You must add at least one community for SNMP to be functional.
    For more information, see “Configuring an SNMP community” on page 68.
Communities
    The list of SNMP communities to which the FortiWeb unit belongs.
    Name
        The name of the SNMP community.
    Queries
        Whether or not the SNMP manager of the community is permitted to query the
        FortiWeb unit.
    Traps
        Whether or not the FortiWeb unit will send traps to the SNMP manager of the
        community.
    Enable
        Select to activate the SNMP community.
    (No column heading.)
        Click the Delete icon to remove an SNMP community.
        Click the Edit icon to view or modify an SNMP community. For more information,
        see “Configuring an SNMP community” on page 68.


Configuring an SNMP community


An SNMP community is a grouping of equipment for network administration purposes. You
must configure your FortiWeb unit to belong to at least one SNMP community so that the
community’s SNMP managers can query the FortiWeb unit’s system information and
receive SNMP traps from the FortiWeb unit.
You can add up to three SNMP communities. Each community can have a different
configuration for queries and traps, and the set of events that trigger a trap. You can also
add the IP addresses of up to eight SNMP managers to each community to designate the
destination of traps and which IP addresses are permitted to query the FortiWeb unit.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the System Configuration category. For
details, see “About permissions” on page 80.

To add an SNMP community to the FortiWeb unit’s SNMP agent


1 Go to System > Config > SNMP.
2 Click Create New.
3 Configure the following, then click OK:
Table 19: Configuring an SNMP Community

GUI item        Description

Community Name
    Enter the name of the SNMP community to which the FortiWeb unit and at least one
    SNMP manager belongs.
    The FortiWeb unit will not respond to SNMP managers whose query packets do not
    contain a matching community name. Similarly, trap packets from the FortiWeb unit
    will include the community name, and an SNMP manager may not accept the trap if
    its community name does not match.
Hosts
    IP Address
        Enter the IP address of the SNMP manager that, if traps or queries are enabled
        in this community:
        • will receive traps from the FortiWeb unit
        • will be permitted to query the FortiWeb unit
        SNMP managers have read-only access.
        To allow any IP address using this SNMP community name to query the FortiWeb
        unit, enter 0.0.0.0.
        Note: Entering 0.0.0.0 effectively disables traps if there are no other host IP
        entries, because there is no specific destination for trap packets. If you do
        not want to disable traps, you must add at least one other entry that specifies
        the IP address of an SNMP manager.
    Interface
        Select either ANY or the name of the network interface from which the FortiWeb
        unit will send traps and reply to queries.
        Note: You must select a specific network interface if the SNMP manager is not
        on the same subnet as the FortiWeb unit. This can occur if the SNMP manager is
        on the Internet or behind a router.
        Note: This option only configures which network interface will send SNMP
        traffic. To configure which network interface will receive queries, see
        “Configuring the network and VLAN interfaces” on page 50.
    Delete
        Click to remove an SNMP manager from the SNMP community configuration.
    Add
        Click to add an SNMP manager entry. You can add up to eight SNMP managers to
        each community.
Queries
    Enter the port number (161 by default) on which the FortiWeb unit listens for SNMP
    queries from the SNMP managers in this community, then enable queries for either
    or both SNMP v1 and SNMP v2c.
Traps
    Enter the port number (162 by default) that will be the source (Local) port number
    and destination (Remote) port number for trap packets sent to SNMP managers in
    this community, then enable traps for either or both SNMP v1 and SNMP v2c.
SNMP Event
    Enable the types of SNMP traps that you want the FortiWeb unit to send to the SNMP
    managers in this community. (See Figure 22 on page 70.)
    While most trap events are described by their names, the following events occur
    when a threshold has been exceeded:
    • CPU Overusage: CPU usage has exceeded 80%.
    • Memory Low: Memory (RAM) usage has exceeded 80%.
    For more information on supported traps and queries, see “Appendix C: SNMP MIB
    support” on page 399.


Figure 22: SNMP Events
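The community rules from Table 19 (matching community name, per-version enablement, host allowlist with 0.0.0.0 meaning "any source may query" but never "a trap destination") expressed as a check an agent would run on an incoming SNMPv1/v2c packet. This is an added example, not FortiWeb code: the COMMUNITY dictionary, the sample addresses and the short-form BER encoder/decoder are constructed here, and only the message header (version and community string) is parsed, which is all the rules need.

```python
import ipaddress

ANY_HOST = "0.0.0.0"

# Constructed community, shaped after the Table 19 fields; not FortiWeb code.
COMMUNITY = {
    "name": "fortiweb-ro",
    "hosts": ["192.0.2.10", ANY_HOST],   # 0.0.0.0 lets any source query
    "query_versions": {"v2c"},           # SNMP v1 queries left disabled
    "trap_versions": {"v1", "v2c"},
}

def ber_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one short-form BER TLV (payload shorter than 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(payload)]) + payload

def build_get_request(version: int, community: str, request_id: int = 1) -> bytes:
    """Constructed SNMPv1/v2c GetRequest: SEQUENCE { version, community, PDU }."""
    pdu_body = (ber_tlv(0x02, bytes([request_id]))   # request-id
                + ber_tlv(0x02, b"\x00")             # error-status
                + ber_tlv(0x02, b"\x00")             # error-index
                + ber_tlv(0x30, b""))                # empty variable-bindings
    pdu = ber_tlv(0xA0, pdu_body)                    # GetRequest-PDU tag
    return ber_tlv(0x30, ber_tlv(0x02, bytes([version]))
                   + ber_tlv(0x04, community.encode("ascii")) + pdu)

def _tlv(buf: bytes, pos: int, tag: int):
    """Read one short-form TLV with the expected tag; None if absent or malformed."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        return None
    length = buf[pos + 1]
    if length >= 128 or pos + 2 + length > len(buf):
        return None
    return buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_header(msg: bytes):
    """Return (version name, community string) or None for anything malformed."""
    outer = _tlv(msg, 0, 0x30)
    if outer is None:
        return None
    body, _ = outer
    ver = _tlv(body, 0, 0x02)
    if ver is None or not ver[0]:
        return None
    ver_bytes, pos = ver
    com = _tlv(body, pos, 0x04)
    if com is None:
        return None
    version = {0: "v1", 1: "v2c"}.get(int.from_bytes(ver_bytes, "big"))
    if version is None:
        return None
    try:
        return version, com[0].decode("ascii")
    except UnicodeDecodeError:
        return None

def query_permitted(community: dict, src_ip: str, msg: bytes) -> bool:
    """Apply the Table 19 rules to an incoming query: the community name must match,
    that SNMP version must be enabled for queries, and the source must be one of the
    community's hosts (or the community must list 0.0.0.0)."""
    header = parse_header(msg)
    if header is None:
        return False
    version, name = header
    if name != community["name"] or version not in community["query_versions"]:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(h == ANY_HOST or ipaddress.ip_address(h) == src
               for h in community["hosts"])

def trap_destinations(community: dict) -> list:
    """Hosts that will actually receive traps: 0.0.0.0 is not a destination, which is
    why a community whose only host entry is 0.0.0.0 sends no traps."""
    return [h for h in community["hosts"] if h != ANY_HOST]
```

Because the community string travels in clear text and is the only credential in SNMP v1/v2c, the host list is what limits who can query the unit; a community that lists 0.0.0.0 accepts the read-only query from any source that knows the name, so keep the name unguessable and restrict SNMP access on the network interface as the text recommends.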

Configuring DoS protection


Go to System > Config > DOS Protection to configure protection from TCP SYN flood-
style denial of service (DoS) attacks. Once you configure DoS protection, the FortiWeb
unit automatically applies it to connections matching any server policy.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the System Configuration category. For
details, see “About permissions” on page 80.

To configure DoS protection


1 Go to System > Config > DOS Protection.


Figure 23: DoS prevention dialog

2 Configure the following and click Apply.

GUI item        Description

Syn Cookie
    Enable to detect TCP SYN flood attacks. Also configure Half Open Threshold.
Half Open Threshold
    Enter the maximum number of TCP SYN packets, including retransmissions, that may
    be sent per second to a destination address. If this threshold is exceeded, the
    FortiWeb unit determines that a DoS attack is occurring and ignores additional
    traffic from that source address.
Severity
    Select the severity level you want FortiWeb to use in the records and reports
    generated when a DoS violation occurs. You can configure the violation as Low,
    Medium, or High severity.
Trigger Policy
    Select the trigger policy you want FortiWeb to apply when a DoS violation occurs.
    Trigger policies determine who will be notified by email when the violation
    occurs, and whether the log messages associated with the violation are recorded.
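The Half Open Threshold semantics above (SYNs counted per destination address per second; once the count is exceeded, further traffic from the offending source is ignored) as detection logic run over constructed traffic. This is an added example, not FortiWeb's implementation: the class, the fixed one-second buckets, the verdict strings and the sample addresses are assumptions, and the page does not say how the unit itself accounts for retransmissions or windows.

```python
from collections import defaultdict

class SynFloodDetector:
    """Per-destination SYN rate check modelled on the Half Open Threshold setting
    (constructed illustration, not FortiWeb's implementation).  SYN packets are
    counted per destination address per one-second interval; once the count in an
    interval exceeds the threshold, the source that pushed it over is ignored from
    then on, which matches the description in the table above."""

    def __init__(self, half_open_threshold: int):
        self.threshold = half_open_threshold
        self.syn_counts = defaultdict(int)   # (dst, whole second) -> SYN count
        self.ignored_sources = set()
        self.violations = []                 # (second, src, dst) for logging/alerting

    def process(self, ts: float, src: str, dst: str, syn: bool) -> str:
        """Classify one packet: 'allowed', 'blocked' (the packet that crossed the
        threshold) or 'ignored' (any later packet from an ignored source)."""
        if src in self.ignored_sources:
            return "ignored"
        if not syn:
            return "allowed"          # only SYNs count toward the half-open limit
        bucket = (dst, int(ts))
        self.syn_counts[bucket] += 1
        if self.syn_counts[bucket] > self.threshold:
            self.ignored_sources.add(src)
            self.violations.append((int(ts), src, dst))
            return "blocked"
        return "allowed"


def run_sample(half_open_threshold: int = 100):
    """Constructed traffic: two SYNs from a legitimate client, then 1000 SYNs from one
    source to the same server within a single second, then one more non-SYN packet
    from that source.  Returns (verdict counts, ignored sources, violations)."""
    det = SynFloodDetector(half_open_threshold)
    counts = defaultdict(int)
    for ts in (10.000, 10.500):
        counts[det.process(ts, "198.51.100.7", "192.0.2.80", True)] += 1
    for i in range(1000):
        counts[det.process(10.0 + i / 1000.0, "203.0.113.9", "192.0.2.80", True)] += 1
    counts[det.process(11.2, "203.0.113.9", "192.0.2.80", False)] += 1
    return dict(counts), sorted(det.ignored_sources), det.violations


if __name__ == "__main__":
    print(run_sample())
```

Note the limits of a per-source verdict: the threshold is measured per destination, so the two legitimate SYNs count toward the same bucket as the flood, and a flood that spoofs its source addresses would not be stopped by ignoring one source. That is why the table pairs the threshold with Syn Cookie, which lets the unit validate a handshake without keeping half-open state per SYN.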

Configuring the operation mode


System > Config > Operation enables you to configure the operation mode of the
FortiWeb unit.
You will usually set the operation mode once, during installation. One exception is
installing the FortiWeb unit in offline protection mode for evaluation purposes, before
deciding to switch to reverse proxy mode and actively begin filtering traffic. You can
switch between the two types of transparent mode without encountering problems.
The operation mode depends on network topology (see the FortiWeb Install and Setup
Guide for more information). FortiWeb units can operate in one of the following modes:
• Reverse proxy: Reverse proxy traffic is destined for a virtual server’s network interface
and IP address. The FortiWeb unit forwards it to a real server and applies the first
applicable policy. The FortiWeb unit logs, blocks, or modifies traffic according to the
matching policy and its protection profile. This mode supports user authentication.
• Offline protection: The FortiWeb unit monitors traffic received on the virtual server’s
network interface (regardless of the IP address) and applies the first applicable policy.
The FortiWeb unit logs or blocks traffic according to the matching policy and its
protection profile. In this mode, if FortiWeb detects a malicious request, it attempts to
reset the connection. It does not otherwise modify traffic. (It does not, for example,
apply SSL or load-balance connections.) This mode does not support user
authentication.


Caution: Unlike in reverse proxy mode, actions other than Alert cannot be guaranteed to
be successful in offline protection mode. The FortiWeb unit will attempt to block traffic that
violates the policy by mimicking the client or server and requesting to reset the connection.
However, the client or server may receive the reset request after it receives the other traffic
due to possible differences in routing paths.

• True transparent proxy: This proxy traffic is destined for a real server. The FortiWeb
unit applies the first applicable policy. Traffic is received on a network port that belongs
to a Layer 2 bridge, and no changes to the IP address scheme of the network are
required. This mode supports user authentication via HTTP but not HTTPS. This mode
supports a v-zone bridge.
• Transparent inspection: This traffic is destined for a real server. The FortiWeb unit
asynchronously inspects traffic and applies the first applicable policy. The FortiWeb
unit logs or blocks traffic according to the matching policy and its protection profile, but
does not otherwise modify it. (It does not, for example, apply SSL or load-balance
connections.) Similar to offline protection mode, actions other than Alert cannot be
guaranteed to be successful. It is easy to switch between transparent inspection and
true transparent proxy without changing your network topology. This mode does not
support user authentication. This mode supports a v-zone bridge.
The default operation mode is reverse proxy.

Table 20: Supported features in different operation modes

Feature                      Reverse   Offline      True transparent proxy  Transparent
                             proxy     protection   HTTP       HTTPS        inspection
Allow Method                 Yes       Yes          Yes        Yes          Yes
AMF3 Support                 Yes       Yes          Yes        Yes          Yes
Authentication Policy        Yes       No           Yes        No           No
Auto-learning                Yes       Yes          Yes        Yes          Yes
Brute Force Login            Yes       No           Yes        Yes          No
Client Certificate Verify    Yes       No           No         No           No
Cookie Poisoning             Yes       No           Yes        No           No
Custom Packet Log Filter     Yes       Yes          Yes        Yes          Yes
Hidden Field                 Yes       Yes          Yes        Yes          Yes
HTTP Conversion              Yes       No           Yes        No           No
HTTP Protocol Constraints    Yes       Yes          Yes        Yes          Yes
Information Disclosure       Yes       Yes          Yes        Yes          Yes
                             (alert only) (alert only) (alert only)
IP List                      Yes       No           Yes        Yes          No
Page Access Rule             Yes       No           Yes        No           No
Parameter Validation         Yes       Yes          Yes        Yes          Yes
Robot Control                Yes       No           Yes        Yes          No
Server Protection Rules      Yes       Yes          Yes        Yes          Yes
Session Management           Yes       Yes          Yes        Yes          Yes
SSLv2 Support                Yes       No           N/A        No           No
Start Pages                  Yes       No           Yes        No           No
URL Access Rule              Yes       Yes          Yes        Yes          Yes
URL Rewriting                Yes       No           Yes        No           No
V-zone Bridge                No        No           Yes        Yes          Yes
Web Anti-Defacement          Yes       Yes          Yes        Yes          Yes
Web Vulnerability Scan       Yes       Yes          Yes        Yes          Yes
X-Forwarded-For              Yes       No           Yes        No           No
XML Protection               Yes       No           No         No           No
Note: The physical topology must match the operation mode. For details, see the FortiWeb
Install and Setup Guide.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the System Configuration category. For
details, see “About permissions” on page 80.
Caution: Back up your system before changing the operation mode. Changing modes
deletes the following: any policies not applicable to the new mode, all static routes, all v-
zone IPs, and all VLAN settings. You may also need to re-cable your network topology to
suit the operation mode.

To configure the operation mode


1 Go to System > Config > Operation.
Alternatively, go to System > Status > Status. In the Operation Mode row of the System
Information widget, click Change.


Figure 24: Configuring the operation mode

Figure 25: Configuring the operation mode (true transparent proxy mode)

2 From Operation Mode, select Reverse Proxy, Offline Protection, True Transparent
Proxy or Transparent Inspection.
If you are changing to true transparent proxy or transparent inspection mode, also
enter the gateway and the IP address of port1 (Management IP).
3 Click Apply.
If you have not yet adjusted the physical topology to suit the new operation mode, see
the FortiWeb Install and Setup Guide. You may also need to reconfigure IP addresses,
static routes, bridges, and virtual servers, and enable or disable SSL on your web
servers.

Viewing RAID status


System > Config > RAID enables you to view the RAID status of the FortiWeb unit.
Currently, only RAID level 1 is supported, and only on FortiWeb models 1000B, 1000C,
and 3000C shipped with version 4.1 or later. On older units that have been upgraded to
version 4.1, the RAID status is visible on the UI, but RAID is not activated. On these older
units, disk status is displayed as 'Not Present'.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the System Configuration category. For
details, see “About permissions” on page 80.

To view the RAID status


1 Go to System > Config > RAID.


Figure 26: Viewing RAID

Note: Rebuilding RAID after a disk failure will result in some loss of data in packet logs.

Configuring administrator accounts


System > Admin displays a list of FortiWeb administrator accounts.
In its factory default configuration, a FortiWeb unit has one administrator account, named
admin. This administrator has permissions that grant full access to the FortiWeb
configuration and firmware. After connecting to the web-based manager or the CLI using
the admin administrator account, you can configure additional administrator accounts with
various levels of access to different parts of the FortiWeb configuration.
Administrators may access the web-based manager and the CLI through the network,
depending on the administrator account’s trusted hosts and the administrative access
protocols enabled for each of the FortiWeb unit’s network interfaces. For details, see
“Configuring the network and VLAN interfaces” on page 50 and “Configuring trusted
hosts” on page 78.
To determine which administrators are currently logged in, use the CLI command
get system logged-users. For details, see the FortiWeb CLI Reference.

Tip: To prevent multiple administrators from logging in simultaneously, which could allow
them to inadvertently overwrite each other’s changes, enable Security Settings. For details,
see “Configuring the web-based manager’s global settings” on page 82.

If you have not yet created an access profile and are relying on the default profile,
consider first creating one or more access profiles tailored to the responsibilities of the
new administrator accounts. See “Configuring access profiles” on page 78.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.


Table 21: System > Admin > Administrators tab

GUI item        Description

Create New
    Click to add an administrator account.
Name
    Displays the name of the administrator account.
Trusted Hosts
    Displays the IP addresses and netmasks of hosts from which the administrator is
    permitted to log in.
Profile
    Displays the access profile assigned to the administrator account. Access profiles
    determine which parts of the configuration an administrator has permission to
    access. For more information on access profiles, see “Configuring access profiles”
    on page 78.
Type
    Displays the type of authentication for this administrator.
    This version currently supports only authentication using a locally stored
    password.
(No column heading.)
    Click the Delete icon to remove the administrator account. You cannot delete the
    admin administrator account.
    Click the Edit icon to view or modify the administrator account.
    Click Change Password to change the password for the administrator account.

To change an administrator account’s password


1 If an administrator forgot their password or if you need to change an administrator
account’s password and you do not know its current password, log in as the admin
administrator. Otherwise, you may log in with any administrator account whose access
profile permits Read and Write access to items in the Admin Users category.
If you have forgotten the password of the admin administrator, you can restore the
firmware to reset the FortiWeb unit to its default state, including the default
administrator account and password. For details, see “Restoring firmware” on
page 391.
2 Go to System > Admin > Administrators.
3 In the row corresponding to the administrator account, click Change Password.

4 In the Old Password field, enter the current password for the account. (The admin
account does not have an old password initially.)
This field does not appear for other administrator accounts if you are logged in as the
admin administrator.


5 In the New Password and Confirm Password fields, enter the new password.
6 Click OK.
If you change the password for the admin administrator account, the FortiWeb unit logs
you out. To continue using the web-based manager, you must log in. The new
password takes effect the next time that administrator account logs in.

To configure an administrator account


1 Go to System > Admin > Administrators.
2 Click Create New to add an administrator account, or click the Edit icon to change an
existing administrator account.
3 Configure the following and click OK:

GUI item        Description

Administrator
    Enter the name of the administrator account, such as admin1.
Password
    Enter a password for the administrator account. For improved security, the
    password should be at least six characters long, be sufficiently complex, and be
    changed regularly.
Confirm Password
    Re-enter the password to confirm its spelling.
Trusted Host #1
Trusted Host #2
Trusted Host #3
    Enter the IP address and netmask from which the administrator is allowed to log in
    to the FortiWeb unit. You can specify up to three trusted hosts.
    To allow login attempts from any IP address, enter 0.0.0.0/0.0.0.0.
    If you allow login from any IP address, consider choosing a longer and more
    complex password, and limiting administrative access to secure protocols to
    minimize the security risk. For information on administrative access protocols,
    see “Configuring the network and VLAN interfaces” on page 50.
    For improved security, restrict all three trusted host addresses to the IP
    addresses of computers from which only this administrator will log in. For more
    information, see “Configuring trusted hosts” on page 78.
Access Profile
    Select either an existing access profile that indicates the permissions for this
    administrator account, or select Create New to create a new access profile in a
    pop-up window, without leaving the current page. For more information on access
    profiles, see “Configuring access profiles” on page 78.
    You can select prof_admin, a special access profile used by the admin
    administrator account. However, selecting this access profile will not confer all
    permissions of the admin administrator. For example, the new administrator could
    not reset lost administrator passwords.


Configuring trusted hosts


Configuring the trusted hosts of your administrator accounts increases the security of your
FortiWeb unit by further restricting administrative access. In addition to knowing the
password, an administrator must connect only from the subnet or subnets you specify. You
can even restrict an administrator to a single IP address if you enter only one trusted host
IP address in each of the three trusted host fields, each with a netmask of
255.255.255.255.
When you configure trusted hosts for all administrator accounts, the FortiWeb unit does
not respond to administrative access attempts from any other hosts. This provides the
greatest degree of security. If you leave even one administrator account unrestricted, the
FortiWeb unit accepts administrative access attempts for that account on any interface
that has administrative access enabled, potentially exposing the unit to attempts to gain
unauthorized access.
Trusted host definitions apply both to the web-based manager, and to the CLI when
accessed through Telnet or SSH. Local console access to the CLI is not affected by
trusted hosts, as local console access does not occur through the network.
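The trusted host check described above, as an added example that is not FortiWeb code: three ip/netmask fields per account, 0.0.0.0/0.0.0.0 meaning any address and a 255.255.255.255 netmask pinning the account to one host, plus an audit helper that finds the accounts left unrestricted. The account names, addresses and the treatment of an account with no entries as unrestricted are assumptions made for the sample.

```python
import ipaddress

ANY_ADDRESS = "0.0.0.0/0.0.0.0"   # the value the text gives for "log in from anywhere"

def parse_trusted_host(entry: str) -> ipaddress.IPv4Network:
    """Parse a Trusted Host field value of the form ip/netmask, for example
    10.0.1.5/255.255.255.255 (one host) or 10.0.0.0/255.255.0.0 (one subnet)."""
    ip, mask = entry.split("/", 1)
    return ipaddress.IPv4Network((ip, mask), strict=False)

def login_permitted(trusted_hosts, src_ip: str) -> bool:
    """True if the login source falls inside any of the account's (up to three)
    trusted host entries.  Empty fields are ignored; an account with no entries at
    all is treated here as unrestricted (assumption), the condition the text warns
    about."""
    networks = [parse_trusted_host(e) for e in trusted_hosts if e]
    if not networks:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in networks)   # IPv6 sources never match an IPv4 net

def unrestricted_accounts(accounts: dict) -> list:
    """Audit helper: names of accounts that accept administrative logins from any
    address, either because no trusted host is set or because one entry is
    0.0.0.0/0.0.0.0 (a /0 network)."""
    flagged = []
    for name, hosts in accounts.items():
        networks = [parse_trusted_host(e) for e in hosts if e]
        if not networks or any(net.prefixlen == 0 for net in networks):
            flagged.append(name)
    return sorted(flagged)

# Constructed sample accounts (three trusted host fields each, as in the GUI).
ACCOUNTS = {
    "admin":      ["10.0.1.5/255.255.255.255", "", ""],   # a single workstation
    "netops":     ["10.0.0.0/255.255.0.0", "", ""],       # the operations subnet
    "contractor": [ANY_ADDRESS, "", ""],                  # unrestricted
    "auditor":    ["", "", ""],                           # nothing configured
}

if __name__ == "__main__":
    for name, hosts in ACCOUNTS.items():
        print(name, "from 10.0.200.1:", login_permitted(hosts, "10.0.200.1"))
    print("unrestricted:", unrestricted_accounts(ACCOUNTS))
```

Run the audit helper against every account, not only the ones you created: as the text notes, a single unrestricted account is enough for the unit to answer login attempts from anywhere on every interface that has administrative access enabled.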

Configuring access profiles


System > Admin > Access Profile displays the list of administrator access profiles.
Access profiles determine which parts of the configuration an administrator has
permission to access, and whether the administrator is permitted to view (Read), modify
(Write), or both.
When an administrator has only read access to a feature, the administrator can access
the web-based manager tab for that feature, and can use the get and show CLI
commands for that feature, but cannot make changes to the configuration. There are no
Create or Apply buttons, or config CLI commands. Lists display only the View icon
instead of icons for Edit, Delete or other modification commands. Write access is required
for modification of any kind.
The prof_admin access profile, a special access profile assigned to the admin
administrator account and required by it, does not appear in the list of access profiles. It
exists by default and cannot be changed or deleted. If you create other administrator
accounts, you may want to create other access profiles with different degrees and areas
of access.
For example, for an administrator whose only role is to audit the log messages, you might
make an access profile named log_access_only.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.

Table 22: System > Admin > Access Profile tab

GUI item        Description

Create New
    Click to add a new access profile.
Profile Name
    Displays the name of the access profile.
(No column heading.)
    Click the Delete icon to remove the access profile.
    This option does not appear if this access profile is currently assigned to an
    administrator account.
    Click the Edit icon to modify the access profile.

To configure an access profile

1 Go to System > Admin > Access Profile.
2 Click Create New to add an access profile, or click the Edit icon to modify an existing
profile.
3 Configure the following by selecting or clearing the allow options:

GUI item        Description

Profile Name
    Enter the name of the access profile.
Access Control (Maintenance, Admin Users, and so on.)
    For each row associated with an area of the configuration, mark either or both of
    the Read and Write check boxes to grant that type of permission.
    Unlike the other rows, whose scope is an area of the configuration, the
    Maintenance row does not affect the configuration. Instead, it indicates whether
    the administrator can do special system operations such as changing the firmware.
Allow Read All
    Click to mark the Read check box in all Access Control categories.
Allow Write All
    Click to mark the Write check box in all Access Control categories.

4 Click OK.


About permissions
Depending on the account that you use to log in to the FortiWeb unit, you may not have
complete access to all areas of the web-based manager.
Access profiles control which commands and areas an administrator account can access.
Access profiles assign either read, write, or no access to each area of the FortiWeb
software. To view configurations, you must have read access. To make changes, you must
have write access. For more information on configuring the access profile that an
administrator account uses, see “Configuring access profiles” on page 78.
Table 23, “Administrator access control,” on page 81 identifies the specific commands and
areas of the web-based manager that each type of administrator account can access.
For complete access to all commands and abilities, you must log in with the administrator
account named admin.
Unlike other administrator accounts, the administrator account named admin exists by
default. The admin account cannot be deleted and its name and permissions cannot be
changed. The admin account always has full permission to view and change all FortiWeb
configuration options, including viewing and changing all other administrator accounts. It
is the only administrator account that can reset another administrator’s password without
being required to enter that administrator’s existing password.

Caution: Set a strong password for the admin administrator account, and change the
password regularly. By default, this administrator account has no password. Failure to
maintain the password of the admin administrator account could compromise the security
of your FortiWeb unit.

For a description of the access profiles related to CLI commands, see the FortiWeb CLI
Reference.


Table 23: Administrator access control
(Check-mark grid. Columns, the administrator account access profile areas: admin
(default), System Configuration, Network Configuration, Router Configuration, Auth
Users Configuration, Server Policy Configuration, XML Protection Configuration, Web
Protection Configuration, Autolearn Configuration, Web Anti-Defacement Configuration,
Web Vulnerability Scan Configuration, Log & Report, Maintenance, Admin Users. Rows,
the menus, submenus and tabs of the web-based manager: System, Status, Network,
Interface, V-zone, DNS, Config, Admin, Administrators, Access Profile, Settings,
Certificates, Maintenance, Wizard, Router, User, Server Policy, XML Protection, Web
Protection, Web Protection Profile, Inline Protection Profile, Offline Protection
Profile, Auto Learning Profile, Auto Learn, Web Anti-Defacement, Web Vulnerability
Scan, Log&Report.)
In Table 23 (above), a black check mark on a white background indicates that the account
can access an individual command. A white check mark on a black background indicates
that the account can access all commands associated with the specified area.


Configuring the web-based manager’s global settings


System > Admin > Settings enables you to view and configure settings for the web-based
manager that apply regardless of which administrator account you use to log in.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the System Configuration category. For
details, see “About permissions” on page 80.

Table 24: System > Admin > Settings tab

GUI item Description


Web Administration Ports
HTTP Enter the TCP port number on which the FortiWeb unit will listen
for HTTP administrative access. The default is 80.
This setting has an effect only if HTTP is enabled as an
administrative access protocol on at least one network interface.
For details, see “Configuring the network and VLAN interfaces” on
page 50.
HTTPS Enter the TCP port number on which the FortiWeb unit will listen
for HTTPS administrative access. The default is 443.
This setting has an effect only if HTTPS is enabled as an
administrative access protocol on at least one network interface.
For details, see “Configuring the network and VLAN interfaces” on
page 50.

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide


82 Revision 10
http://docs.fortinet.com/ • Feedback
System Configuring the web-based manager’s global settings

Config-Sync If necessary, change the TCP port number on which the FortiWeb
unit will listen for configuration synchronization requests from the
peer/remote FortiWeb unit. The default is 8333.
For details, see “Synchronizing configurations” on page 59.
Timeout Settings
Idle Timeout Enter the number of minutes that a web-based manager
connection can be idle before the administrator must log in again.
The maximum is 480 minutes (8 hours). To maintain security, keep
the idle timeout at the default value of 5 minutes.
Language
Web Administration Select which language to use when displaying the web-based
manager.
Languages currently supported by the web-based manager are:
• English
• simplified Chinese
• traditional Chinese
• Japanese
The display’s web pages will use UTF-8 encoding, regardless of
which language you choose. UTF-8 supports multiple languages,
and allows them to display correctly, even when multiple
languages are used on the same web page.
For example, your organization could have web sites in both
English and simplified Chinese. Your FortiWeb administrators
prefer to work in the English version of the web-based manager.
They could use the web-based manager in English while writing
rules to match content in both English and simplified Chinese
without changing this setting. Both the rules and the web-based
manager will display correctly, as long as all rules were input using
UTF-8.
Usually, your text input method or your management computer’s
operating system should match the display by also using UTF-8. If
they do not, your input and the web-based manager may not
display correctly at the same time.
For example, your web browser’s or operating system’s default
encoding for simplified Chinese input may be GB2312. You usually
should switch it to UTF-8 when using the web-based manager,
unless you are writing regular expressions that must match HTTP
clients’ requests and those requests use GB2312 encoding.
For more information on language support in the web-based
manager and CLI, see “Appendix D: Language support & regular
expressions” on page 401.
Note: This setting does not affect the display of the CLI.
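The encoding caveat above, shown as an added example that is not part of this guide or of the FortiWeb product: the same simplified-Chinese phrase arrives as different bytes from a UTF-8 client and from a GB2312 client, so a rule typed in UTF-8 and compared byte-for-byte against the request only matches one of them. The phrase, the request bodies and the Content-Type values are constructed sample data; the helper names are this example’s own.

```python
import re

# Constructed sample data: one simplified-Chinese phrase ("administrator") as it
# would arrive in a request body from a UTF-8 client and from a GB2312 client.
PHRASE = "管理员"
BODY_UTF8 = PHRASE.encode("utf-8")
BODY_GB2312 = PHRASE.encode("gb2312")


def charset_of(content_type: str, default: str = "utf-8") -> str:
    """Return the charset parameter of a Content-Type value, or the default if absent."""
    m = re.search(r';\s*charset\s*=\s*"?([\w.-]+)"?', content_type, re.I)
    return m.group(1).lower() if m else default


def raw_bytes_match(rule: str, body: bytes, rule_encoding: str = "utf-8") -> bool:
    """Apply a regular expression to the raw request bytes.

    The rule text is encoded with rule_encoding first, which is what a byte-for-byte
    comparison amounts to: a rule written in UTF-8 and a GB2312 request contain the
    same characters but not the same bytes, so the match fails unless the rule was
    written in the request's encoding.
    """
    return re.search(rule.encode(rule_encoding), body) is not None


def decoded_match(rule: str, body: bytes, content_type: str) -> bool:
    """Decode the body with the charset the client declared, then match text against text."""
    text = body.decode(charset_of(content_type), errors="replace")
    return re.search(rule, text) is not None


if __name__ == "__main__":
    print("UTF-8 rule vs UTF-8 body:   ", raw_bytes_match(PHRASE, BODY_UTF8))
    print("UTF-8 rule vs GB2312 body:  ", raw_bytes_match(PHRASE, BODY_GB2312))
    print("GB2312 rule vs GB2312 body: ", raw_bytes_match(PHRASE, BODY_GB2312, "gb2312"))
    print("decoded per Content-Type:   ",
          decoded_match(PHRASE, BODY_GB2312, "text/plain; charset=GB2312"))
```

Decoding by the declared charset only works when the client declares it; a request without a charset parameter falls back to UTF-8 here, so a GB2312 body then fails to match either way.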


Security Settings
Enable Single Admin User login Enable to allow only one administrator account to be logged in at
any given time, to prevent conflicts. If a second administrator
attempts to begin a session when another administrator is already
logged in, after the second administrator logs in but before they
can access the web-based manager, they must either cancel their
new session or disconnect the other currently logged-in
administrator.
This option may be useful to prevent administrators from
inadvertently overwriting each other’s changes.
When multiple administrators simultaneously modify the same part
of the configuration, they each edit a copy of the current, saved
state of the configuration. As each administrator makes changes,
FortiWeb does not update the other administrators’ working
copies. Each administrator may therefore make conflicting
changes without being aware of the other. The FortiWeb unit will
only use whichever administrator’s configuration is saved last.
If only one administrator can log in, this problem cannot occur.
Disable to allow multiple administrators to be logged in. In this
case, administrators should communicate with each other to avoid
overwriting each other’s changes.
Enable Strong Passwords Enable to enforce strong password rules for administrator
accounts. If the password entered is not strong enough when a
new administrator account is created, an error message appears
and you are prompted to re-enter a stronger password.
Strong passwords have the following characteristics:
• are between 8 and 16 characters in length
• contain at least one upper case and one lower case letter
• contain at least one numeric character
• contain at least one non-alphanumeric character
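The four rules above, implemented as an added example that is not FortiWeb code: a checker that reports every rule a candidate password violates, rather than only the first, so an administrator choosing a password sees all of the problems at once. It assumes the letters and digits in the rules are ASCII, so any other character counts as non-alphanumeric; the function names are this example’s own.

```python
import string
from typing import List

# Strong password rules as listed in the table above. Letters and digits are
# taken to mean ASCII (an assumption of this example), so accented letters,
# symbols and punctuation all count as non-alphanumeric characters.
MIN_LEN, MAX_LEN = 8, 16
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
ALNUM = UPPER | LOWER | DIGITS


def password_problems(password: str) -> List[str]:
    """Return the list of rules the password violates; an empty list means it is strong."""
    chars = set(password)
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if not chars & UPPER:
        problems.append("must contain at least one upper case letter")
    if not chars & LOWER:
        problems.append("must contain at least one lower case letter")
    if not chars & DIGITS:
        problems.append("must contain at least one numeric character")
    if not chars - ALNUM:
        problems.append("must contain at least one non-alphanumeric character")
    return problems


def is_strong(password: str) -> bool:
    """True when the password satisfies every rule."""
    return not password_problems(password)


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ("Secur3!pass", "password", "Ab1!", "Abcdefg1!"):
        verdict = password_problems(candidate) or ["strong"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```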

Managing certificates
The Certificates submenu enables you to generate, import, revoke, and manage other
aspects of certificates used by the FortiWeb unit.
This topic includes:
• Managing local and server certificates
• Managing OCSP server certificates
• Managing CA certificates
• Managing the certificate revocation list
• Configuring certificate verification rules

Managing local and server certificates


System > Certificates > Local displays the list of server certificates that are stored locally
on the FortiWeb unit.
FortiWeb units present these certificates when clients request secure connections,
including when:
• administrators connect to the web-based manager (HTTPS connections only)
• web clients use SSL or TLS to connect to a virtual server, if you have enabled SSL
offloading in the policy (HTTPS connections and reverse proxy mode only)
FortiWeb units also require certificates in order to decrypt and scan HTTPS connections
travelling through them when operating in any mode except reverse proxy.
Which certificate will be used, and how, depends on the purpose.


• For connections to the web-based manager, the FortiWeb unit presents its default
certificate.

Note: The FortiWeb unit’s default certificate does not appear in the list of local certificates.
It is used only for connections to the web-based manager and cannot be removed.

• For SSL offloading or SSL decryption, upload certificates that do not belong to the
FortiWeb unit, but instead belong to the protected servers. Then, select which one the
FortiWeb unit will use when configuring the SSL option in a policy or server farm. For
details, see “Uploading a certificate” on page 88.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.

Table 25: System > Certificates > Local tab

(Screenshot callouts: View Certificate Detail, Delete, Download and Edit Comments icons.)

GUI item Description


Generate Click to generate a certificate signing request. For details, see “Generating
a certificate signing request” on page 86.
Import Click to upload a certificate. For details, see “Uploading a certificate” on
page 88.
Name Displays the name of the certificate.
Subject Displays the distinguished name (DN) located in the Subject field of the
certificate.
If the row contains a certificate request which has not yet been signed, this
field is empty.
Comments Displays the description of the certificate, if any. Click the Edit Comments
icon to add or modify the comment associated with the certificate or
certificate signing request.
Status Displays the status of the local certificate.
• OK: Indicates that the certificate was successfully imported. To use the
certificate, select it in a policy or server farm.
• PENDING: Indicates that the certificate request has been generated,
but must be downloaded, signed, and imported before it can be used as
a local certificate.
(No column heading.) Click the View Certificate Detail icon to view the certificate’s subject, range
of dates within which the certificate is valid, version number, serial number,
and extensions.
Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a policy or server farm.
Click the Download icon to download the entry in certificate (.cer) or
certificate signing request (.csr) file format.
Click the Edit Comments icon to add or modify the comment associated
with the certificate.


Generating a certificate signing request


You can generate a certificate request file based on the information you enter to identify
the FortiWeb unit. Certificate request files can then be submitted for verification and
signing by a certificate authority (CA).

To generate a certificate request


1 Go to System > Certificates > Local.
2 Click Generate.
3 Configure the certificate signing request:

Table 26: Generate Local Certificate Request


GUI item Description
Certification Name Enter a unique name for the certificate request, such as
fwlocal.
Subject Information Includes information that the certificate is required to contain in
order to uniquely identify the FortiWeb unit.


ID Type Select the type of identifier to use in the certificate to identify the
FortiWeb unit:
• Host IP
• Domain Name
• E-Mail
The type you should select varies by whether or not your
FortiWeb unit has a static IP address, a fully-qualified domain
name (FQDN), and by the primary intended use of the certificate.
For example, if your FortiWeb unit has both a static IP address
and a domain name, but you will primarily use the local certificate
for HTTPS connections to the web-based manager by the domain
name of the FortiWeb unit, you might prefer to generate a
certificate based upon the domain name of the FortiWeb unit,
rather than its IP address.
• Host IP requires that the FortiWeb unit have a static, public IP
address. It may be preferable if clients will be accessing the
FortiWeb unit primarily by its IP address.
• Domain Name requires that the FortiWeb unit have a FQDN. It
may be preferable if clients will be accessing the FortiWeb unit
primarily by its domain name.
• E-Mail does not require either a static IP address or a domain
name. It may be preferable if the FortiWeb unit does not have
a domain name or public IP address.
Depending on your choice, related options appear.
IP Enter the static IP address of the FortiWeb unit.
This option appears only if ID Type is Host IP.
Domain Name Type the FQDN of the FortiWeb unit.
The domain name must resolve to the static IP address of the
FortiWeb unit or protected server. For more information, see
“Configuring the network and VLAN interfaces” on page 50.
This option appears only if ID Type is Domain Name.
e-mail Type the email address of the owner of the FortiWeb unit.
This option appears only if ID Type is E-Mail.
Optional Information Includes information that you may include in the certificate, but
which is not required.
Organization Unit Type the name of your organizational unit, such as the name of
your department. This is optional.
To enter more than one organizational unit name, click the + icon,
and enter each organizational unit separately in each field.
Organization Type the legal name of your organization. This is optional.
Locality(City) Type the name of the city or town where the FortiWeb unit is
located. This is optional.
State/Province Type the name of the state or province where the FortiWeb unit is
located. This is optional.
Country Select the name of the country where the FortiWeb unit is located.
This is optional.
e-mail Type an email address that may be used for contact purposes.
This is optional.
Key Type Displays the type of algorithm used to generate the key.
This option cannot be changed, but appears in order to indicate
that only RSA is currently supported.


Key Size Select a security key size of 512 Bit, 1024 Bit, 1536 Bit or
2048 Bit. Larger keys are slower to generate, but provide better
security.
Enrollment Method Select either:
• File Based: You must manually download and submit the
resulting certificate request file to a certificate authority (CA)
for signing. Once signed, upload the local certificate.
• Online SCEP: The FortiWeb unit will automatically use HTTP
to submit the request to the simple certificate enrollment
protocol (SCEP) server of a CA, which will validate and sign
the certificate. For this selection, two options appear. Enter the
CA Server URL and the Challenge Password.

4 Click OK.
The certificate is generated. If you selected file-based enrollment, you must now
download and manually submit the resulting CSR to a CA. For details, see “Submitting
a certificate signing request” on page 88.

Submitting a certificate signing request


After you have generated a certificate request, you can download the request file to your
management computer in order to submit the request file to a certificate authority (CA) for
signing.

To download and submit a certificate request


1 Go to System > Certificates > Local.
2 Click the row that corresponds to the certificate request.
3 Click the Download icon, then select Open or Download on the window that appears.
Your web browser downloads the certificate request (.csr) file.
4 Submit the certificate request to your CA.
• Using the web browser on the management computer, browse to the web site for
your CA.
• Follow your CA’s instructions to submit a Base64-encoded PKCS #10 certificate
request, uploading the certificate request file you downloaded.
• Follow your CA’s instructions to download their root certificate and Certificate
Revocation List (CRL), and then install the root certificate and CRL.
5 When you receive the signed certificate from the CA, install the certificate on the
FortiWeb unit. For more information, see “Uploading a certificate” on page 88.

Uploading a certificate
You can upload Base64-encoded server-type X.509 certificates or PKCS #12 RSA-encrypted
certificates and keys to the FortiWeb unit.

Note: DSA-encrypted certificates are not supported if the FortiWeb unit is operating in a
mode other than reverse proxy.

If a local certificate is signed by an intermediate certificate authority (CA) rather than a root
CA, before clients will trust the local certificate, you must demonstrate a link with trusted
root CAs, thereby proving that the local certificate is genuine. You can demonstrate this
chain of trust either by:
• installing each intermediate CA’s certificate in the client’s list of trusted CAs, or


• including a signing chain in the local certificate


To include a signing chain, before importing the local certificate to the FortiWeb unit:
• open the local certificate file in a plain text editor
• append the certificate of each intermediate CA in order from the intermediate CA who
signed the local certificate to the intermediate CA whose certificate was signed directly
by a trusted root CA
• save the certificate
For example, a local certificate that includes a signing chain might use the following
structure:
-----BEGIN CERTIFICATE-----
<FortiWeb unit’s local server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the FortiWeb
certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the certificate of
intermediate CA 1 and whose certificate was signed by a
trusted root CA>
-----END CERTIFICATE-----

Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded
files may not exceed 12 MB.

To upload a certificate
1 Go to System > Certificates > Local.
2 Click Import.
3 Configure the following:

Table 27: Importing a Certificate


GUI item Description
Name Enter the name of the certificate.
Type Select the type of certificate file to upload, either Local Certificate,
Certificate (an unencrypted X.509 certificate) or PKCS12 Certificate (a
PKCS #12 encrypted certificate with key).
Certificate file Click Choose File to locate the X.509 certificate file that you want to
upload.
This option is available only if Type is Certificate or Local Certificate.


Key file Click Choose File to locate the key file that you want to upload with the
certificate.
This option is available only if Type is Certificate.
Certificate with key file Click Choose File to locate the PKCS #12 certificate-with-key file that
you want to upload.
This option is available only if Type is PKCS12 Certificate.
Password Enter the password that was used to encrypt the file, enabling the
FortiWeb unit to decrypt and install the certificate.
This option is available only if Type is Certificate or PKCS12 Certificate.

4 Click OK.
To use a certificate, you must select it in a policy or server farm. For details, see
“Configuring server policies” on page 118 or “Grouping physical and domain servers
into server farms” on page 135.

Managing OCSP server certificates


System > Certificates > Remote displays and imports the certificates of the online
certificate status protocol (OCSP) or HTTP CRL servers of your certificate authority (CA).
OCSP enables you to revoke or validate certificates by query, rather than by importing
certificate revocation lists (CRL). For information about importing CRLs, see “Managing
the certificate revocation list” on page 95.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.

Table 28: System > Certificates > Remote tab

(Screenshot callouts: View Certificate Detail and Download icons.)

GUI item Description


Import Click to import an OCSP server certificate.
Name Displays the name of the OCSP server certificate.
Subject Displays the distinguished name (DN) located in the Subject field of
the certificate.
OCSP Displays the URL of the OCSP server.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if
the entry is currently selected for use in a certificate verification
configuration.
Click the View Certificate Detail icon to view the certificate’s subject,
range of dates within which the certificate is valid, version number,
serial number, and extensions.
Click the Download icon to download the entry in certificate (.cer) file
format.

Managing CA certificates
System > Certificates > CA displays and enables you to import certificates for certificate
authorities (CA).


Certificate authorities validate and sign other certificates in order to indicate to third parties
that those other certificates are authentic.
CA certificates are required by connections that use SSL or transport layer security (TLS).
Tip: The FortiWeb unit does not use CA certificates directly. First, you must group them and
then add the group to a certificate verification rule. For details, see “Grouping CA
certificates” on page 91.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.

Table 29: System > Certificates > CA tab

(Screenshot callouts: View Certificate Detail and Download icons.)

GUI item Description


Import Click to import a CA certificate, then select whether you want to upload it
(Local PC), or provide the URL of a certificate on a simple certificate
enrollment protocol server (SCEP).
Name Displays the name of the CA certificate.
Subject Displays the distinguished name (DN) located in the Subject field of the
certificate.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a certificate verification configuration.
Click the View Certificate Detail icon to view the certificate’s subject, range of
dates within which the certificate is valid, version number, serial number, and
extensions.
Click the Download icon to download the entry in certificate (.cer) file format.

Grouping CA certificates
System > Certificates > CA Group enables you to group certificate authorities (CA).
CAs must belong to a group in order to be selected in a certificate verification rule. For
details, see “Configuring certificate verification rules” on page 95.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.

Table 30: System > Certificates > CA Group tab

(Screenshot callouts: Delete and Edit icons.)


GUI item Description


# Displays the index number of the entry in the list.
Name Displays the name of the certificate authority (CA) group.
Count Displays the number of certificate authorities in the group.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a certificate verification configuration.
Click the Edit icon to modify the entry.

Before you can create a CA group, you must upload at least one of the certificate authority
(CA) certificates that you want to add to the group. For details, see “Managing CA
certificates” on page 90.

To add a CA group
1 Go to System > Certificates > CA Group.
2 Click Create New.
3 In Name, type a name for the certificate authority group.
4 Click OK.
5 Click Create New.
6 In ID, enter the index number of the host entry within the group, or keep the field’s
default value of auto to let the FortiWeb unit automatically assign the next available
index number.
7 In CA, select the name of a certificate authority’s certificate that you have previously
uploaded and want to add to the group.
8 Click OK.
9 Repeat the previous 3 steps for each CA that you want to add to the group.
To apply a CA group, select it in a certificate verification rule. For details, see
“Configuring certificate verification rules” on page 95.

Managing certificates for intermediate CAs


System > Certificates > Intermediate CA enables you to upload certificates belonging to
intermediate (non-root) certificate authorities.
If a server certificate is signed by an intermediate certificate authority rather than a root
CA, before the client will trust the server’s certificate, you must demonstrate a link with
trusted root CAs, thereby proving that the server’s certificate is genuine. Otherwise, the
server certificate may cause the client or browser to display certificate warnings.
You can demonstrate this chain of trust by doing one of the following:
• install each intermediate CA’s certificate in the client’s list of trusted CAs
• include a signing chain in the server’s certificate
• configure the FortiWeb unit to also provide the certificates of intermediate CAs when it
presents the server certificate
To include a signing chain:
• open the server’s certificate file in a plain text editor
• append the certificate of each intermediate CA in order from the intermediate CA who
signed the server’s certificate to the intermediate CA whose certificate was signed
directly by a trusted root CA
• save the certificate


For example, a server’s certificate that includes a signing chain might use the following
structure:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the server
certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the certificate of
intermediate CA 1 and whose certificate was signed by a
trusted root CA>
-----END CERTIFICATE-----

Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded
files may not exceed 12 MB.
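The chain layout shown above (and the identical layout described earlier for local certificates), checked by an added example that is not FortiWeb code and not part of this guide: a small Python checker that splits a PEM bundle into its blocks and confirms that each block was issued by the block that follows it, which is the order the guide asks for. It reads the issuer and subject Name fields directly from the DER structure using only the fixed field order of an X.509 TBSCertificate, so it needs no third-party library; it compares names only and does not verify signatures. The certificates it is run on are constructed DER skeletons with placeholder names (www.example.com, Intermediate CA 1, Intermediate CA 2, Trusted Root CA), not real certificates; the function names are this example’s own.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out


def issuer_and_subject(der: bytes):
    """Return the DER bodies of a certificate's issuer and subject Name fields."""
    _, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    fields = children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def name_to_text(name_body: bytes) -> str:
    """Render a Name as its attribute values joined by '/', enough to identify a block."""
    values = []
    for _, rdn in children(name_body):                  # RelativeDistinguishedName ::= SET
        for _, atv in children(rdn):                    # AttributeTypeAndValue ::= SEQUENCE
            values.append(children(atv)[1][1].decode("utf-8", "replace"))
    return "/".join(values)


def pem_to_der(pem_text: str):
    return [base64.b64decode("".join(m.split())) for m in PEM_BLOCK.findall(pem_text)]


def chain_order_problems(pem_text: str):
    """Return ordering problems in the bundle; an empty list means block i+1 issued block i."""
    certs = pem_to_der(pem_text)
    if not certs:
        return ["no certificate blocks found"]
    names = [issuer_and_subject(c) for c in certs]
    problems = []
    for i in range(len(certs) - 1):
        issuer_i, subject_next = names[i][0], names[i + 1][1]
        if issuer_i != subject_next:
            problems.append(f"block {i + 1} was issued by {name_to_text(issuer_i)!r} but "
                            f"block {i + 2} is {name_to_text(subject_next)!r}; the issuer's "
                            f"certificate must come next")
    return problems


# --- Constructed test data (not real certificates): minimal DER skeletons with the
# same field layout as a real TBSCertificate, so the checker parses them like real ones.
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        k = (n.bit_length() + 7) // 8
        length = bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body


def _name(cn: str) -> bytes:               # Name with a single CN (OID 2.5.4.3) attribute
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert_pem(subject_cn: str, issuer_cn: str) -> str:
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + _name(issuer_cn) + _tlv(0x30, b"") + _name(subject_cn) + _tlv(0x30, b""))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SERVER = fake_cert_pem("www.example.com", "Intermediate CA 1")
CA1 = fake_cert_pem("Intermediate CA 1", "Intermediate CA 2")
CA2 = fake_cert_pem("Intermediate CA 2", "Trusted Root CA")
GOOD_BUNDLE = SERVER + CA1 + CA2           # the order described in the guide
BAD_BUNDLE = SERVER + CA2 + CA1            # intermediates appended in the wrong order

if __name__ == "__main__":
    print("good bundle:", chain_order_problems(GOOD_BUNDLE) or "order OK")
    print("bad bundle: ", chain_order_problems(BAD_BUNDLE))
```

Run it against the concatenated file before importing it; an empty result means every block is followed by the certificate of the CA that signed it. The check stops at name matching, so the signed certificate should still be validated against the CA’s own chain after upload.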

To configure the FortiWeb unit to provide the certificates of intermediate CAs when it
presents the server certificate:
1 Install the certificates of the intermediate CAs on the FortiWeb unit.
2 Group them to match the signing chain (see “Grouping certificates for intermediate
CAs” on page 94).
3 Select that group along with the server certificate in the policy (“Configuring server
policies” on page 118).
The FortiWeb unit will present both the server’s certificate and those of the intermediate
CAs when establishing a secure connection with the client.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.

Table 31: System > Certificates > Intermediate CA tab

(Screenshot callouts: Delete, View Certificate Detail and Download icons.)

GUI item Description


Import Click to import an intermediate CA certificate, then select whether you want
to upload it (Local PC), or provide the URL of a certificate on a simple
certificate enrollment protocol server (SCEP).
Name Displays the name of the CA certificate.


Subject Displays the distinguished name (DN) located in the Subject field of the
certificate.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in an intermediate CA certificate group.
Click the View Certificate Detail icon to view the certificate’s subject, range of
dates within which the certificate is valid, version number, serial number, and
extensions.
Click the Download icon to download the entry in certificate (.cer) file format.

Grouping certificates for intermediate CAs


System > Certificates > Intermediate CA Group enables you to group certificates of
intermediate (non-root) certificate authorities (CA).
Tip: To use intermediate CAs in FortiWeb, first include them in an intermediate CA group
and then include the group in a server policy that uses an HTTPS service.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.

Table 32: System > Certificates > Intermediate CA Group tab

(Screenshot callouts: Delete and Edit icons.)

GUI item Description


# Displays the index number of the entry in the list.
Name Displays the name of the intermediate certificate authority (CA) certificate
group.
Count Displays the number of intermediate CA certificates in the group.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a policy.
Click the Edit icon to modify the entry.

To add an intermediate CA group


Before you can create an intermediate CA certificate group, you must upload at least one
of the intermediate certificate authority certificates that you want to add to the group. For
details, see “Managing certificates for intermediate CAs” on page 92.
1 Go to System > Certificates > Intermediate CA Group.
2 Click Create New.
3 In Name, type a name for the intermediate CA certificate group.
4 Click OK.
5 Click Create New.
6 In ID, enter the index number of the host entry within the group, or keep the field’s
default value of auto to let the FortiWeb unit automatically assign the next available
index number.


7 In CA, select the name of an intermediate CA’s certificate that you have previously
uploaded and want to add to the group.
8 Click OK.
9 Repeat the previous 3 steps for each intermediate CA certificate that you want to add
to the group.
To apply an intermediate CA certificate group, select it in a policy with a server
certificate. For details, see “Configuring server policies” on page 118.

Managing the certificate revocation list


System > Certificates > CRL displays and enables you to import certificate revocation lists
(CRL).
To ensure that your FortiWeb unit validates only certificates that have not been revoked,
you should periodically upload a current certificate revocation list, which may be provided
by certificate authorities (CA). Alternatively, you can use HTTP or online certificate status
protocol (OCSP) to query for certificate status. For more information, see “Managing
OCSP server certificates” on page 90.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.

Table 33: System > Certificates > CRL tab

(Screenshot callouts: View Certificate Detail and Download icons.)

GUI item Description


Import Click to import a certificate revocation list.
Name Displays the name of the certificate revocation list.
Subject Displays the distinguished name (DN) located in the Subject field of the certificate
revocation list.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is
currently selected for use in a certificate verification configuration.
Click the Edit icon to update the CRL by connecting to the URL of a new CRL on
either a simple certificate enrollment protocol (SCEP) or an HTTP server.
Click the View Certificate Detail icon to view the certificate’s subject, range of dates
within which the certificate is valid, version number, serial number, and extensions.
Click the Download icon to download the entry in certificate revocation list (.crl) file
format.

Configuring certificate verification rules


System > Certificates > Certificate Verify enables you to configure how the FortiWeb unit
will verify certificates presented by HTTP clients.
Tip: To use CA certificates in FortiWeb: include them in a CA group; add the group to a
certificate verification rule; and, then include the rule in a server policy that uses an HTTPS
service.


To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.

Table 34: System > Certificates > Certificate Verify tab

(Screenshot callouts: Delete and Edit icons.)

GUI item Description


# Displays the index number of the entry in the list.
Name Displays the name of the certificate revocation list.
CA Group Displays the name of the certificate authority (CA) group selected in the entry.
OCSP Displays the name of the remote certificate selected to use with online certificate
status protocol (OCSP) by this entry.
CRL Displays the name of the certificate revocation list selected in the entry.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is
currently selected for use in a policy.
Click the Edit icon to modify the entry.

To add a certificate verification rule


1 Go to System > Certificates > Certificate Verify.
2 Click Create New.
3 In Name, type a name for the certificate verification rule.
4 From CA Group, select the name of a CA group, if any, that you want to use to
authenticate client certificates.
5 From OCSP, select the name of an OCSP or HTTP (remote) server certificate, if any,
that you want to use to verify the revocation status of client certificates.
6 From CRL, select the name of a certificate revocation list, if any, to use to verify the
revocation status of client certificates.
7 Click OK.
To apply a certificate verification rule, select it in a server policy that includes an HTTPS
service. For details, see “Configuring server policies” on page 118.

Backing up and restoring configurations


System > Maintenance > Backup & Restore enables you to create backup files of the
system configuration and web protection profiles. You can restore the system
configuration or web protection profile from a previous backup, if necessary.
Backup & Restore also lets you change the firmware version used on the FortiWeb unit.

Note: Firmware can be installed, upgraded, changed and rebooted in multiple ways.
Firmware can also be tested before installing it. For information related to firmware
changes, see “Installing new firmware” on page 385.


Back up the FortiWeb unit's configuration regularly. If you accidentally change something,
the backup can help you restore normal operation quickly and easily. Backups can also
aid in troubleshooting.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Maintenance category. For details,
see “About permissions” on page 80.

Table 35: System > Maintenance > Backup & Restore tab

GUI item Description

System Configuration

Last Backup: Displays the date and time of the last backup. If the configuration has not yet been backed up, or you have restored the firmware and therefore the time of any preceding backup is not known, this field contains a hyphen ( - ).

Backup (option): Select to back up a FortiWeb configuration. You can choose to back up the whole configuration or only the web protection profiles:
• Backup entire configuration - Select if you want to back up all FortiWeb configuration files currently in use. Backups should be made on a regular basis, especially when making significant configuration additions or changes. A backup should also be done just prior to changing the firmware to prevent loss of configuration information after the firmware change.
• Backup Web Protection Profile related configuration - Select if you want to back up only the web protection profiles currently in use. For more information, see “Web protection” on page 189.

Backup (button): Appears only if the Backup option is selected. Click to start a backup of the selected configuration. If a File Download dialog appears, select Save and choose a location for the backup file.

Restore (option): Select to restore a previously backed up configuration. You can choose the specific configuration file you want to restore:
Browse: Click to locate and select the configuration file that you want to restore.
From File: Locate the full directory path and file name of the selected configuration file.
You can use this feature to restore a CLI config FTP backup.


Restore (button): Appears only if the Restore option is selected. Click to start restoring the selected configuration file. Your web browser uploads the configuration file and the FortiWeb unit restarts with the new configuration. The amount of time required to restore varies by the size of the file and the speed of your network connection. After the FortiWeb unit restarts, you must log in to continue using the web-based manager.

Firmware

Caution: Back up the whole configuration before making any changes to the firmware. The configuration can be restored after the firmware change is complete. Failure to make a backup can result in loss of configuration for features that change between firmware versions. For information related to the firmware changes, see “Installing new firmware” on page 385.

Partition: Displays the index number of the partition. A partition can contain only one version of the firmware and the system configuration. One partition is active and the others are backups.
Active: Indicates which partition the FortiWeb unit is currently configured to use.
• Green check mark: The partition contains the configuration and firmware that the FortiWeb unit will use when starting or rebooting.
• Gray X mark: The partition contains a backup configuration and firmware, which is not currently being used.
Last Upgrade: Displays the date and time of the last update to this partition.
Firmware Version: Displays the version and build number of the FortiWeb firmware. On backup partitions, you can click Upload and Reboot to replace the firmware on a partition and make the partition active. For more information on changing firmware, see “Installing new firmware” on page 385.
Caution: Back up the whole configuration before making any changes to the firmware. You can restore the configuration after the firmware change is complete. Failure to make a backup can result in loss of configuration for features that change between firmware versions.
Boot alternate firmware: If your upgrade is successful, this button enables you to have two firmware images available for downgrading or upgrading.

Configuring an FTP backup and schedule


System > Maintenance > FTP Backup enables you to create a backup of the system
configuration and web protection profiles on an FTP server. You can create an FTP
backup immediately or schedule it for later.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Maintenance category. For details,
see “About permissions” on page 80.

Table 36: System > Maintenance > FTP Backup tab

GUI item Description

Name: Displays the name of the FTP backup.


Backup Type: Indicates whether the FTP backup is a full configuration backup (full config) or a CLI configuration backup (CLI config). A full config backup includes the CLI configuration file and other uploaded files, such as certificates, XML schema, and XML WSDL files.
Note: You cannot restore a full config FTP backup using the web-based manager. Use the execute restore command in the CLI interface.
A CLI config backup only includes the CLI configuration file.
Schedule Type: Indicates whether the FTP backup is an immediate backup (Now) or a scheduled backup (Daily).
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use. Click the Edit icon to modify the entry.

To configure the FTP backup


1 Go to System > Maintenance > FTP Backup.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
3 In Name, type the name of the FTP backup.
You cannot modify this field if you are editing an existing FTP backup. To modify the
name, delete the entry, then recreate it using the new name.
4 Configure the following:

GUI item Description

Name: Type the name of the FTP backup.
FTP Server: Type the IP address of the FTP server where the configuration is to be backed up.
FTP Directory: Type the directory on the FTP server used to store the configuration backup files.
FTP Authentication: Select if you want to enforce user name and password authentication on the FTP server.


FTP User: Enter your FTP user name to identify yourself as a registered user of the FTP server. This field is visible only if you enable FTP Authentication.
FTP Password: Enter your FTP password to authenticate yourself on the FTP server. This field is visible only if you enable FTP Authentication.
Backup Type: Select the type of FTP backup you want to perform. A full config backup includes the CLI configuration file and other uploaded files, such as certificates, XML schema, and XML WSDL files.
Note: You cannot restore a full config FTP backup using the web-based manager. Use the execute restore command in the CLI interface.
A CLI config backup only includes the CLI configuration file.
Schedule Type: Select Now to initiate the FTP backup immediately. Select Daily to schedule a recurring FTP backup for a specific day and time of the week.
Days: Select the specific days when you want the FTP backup to occur. This field is visible only if you select Daily.
Time: Select the specific hour and minute of the day when you want the FTP backup to occur. This field is visible only if you select Daily.
5 Click OK.

Restoring an FTP backup


You can only restore a full config FTP backup using the execute restore command in
the CLI interface. See the FortiWeb CLI Reference.
For a CLI config FTP backup, you can use either the execute restore command in
the CLI interface or the Restore feature at System > Maintenance > Backup & Restore.
See “Backing up and restoring configurations” on page 96.

Configuring system time


System > Maintenance > System Time enables you to configure the FortiWeb unit’s
system time.
You can either manually set the FortiWeb system time or configure the FortiWeb unit to
automatically keep its system time correct by synchronizing with a Network Time Protocol
(NTP) server.

Note: For many features to work, including scheduling, logging, and SSL-dependent
features, the FortiWeb system time must be accurate.

Note: FortiWeb units support daylight savings time (DST), including recent changes in the
USA, Canada and Western Australia.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Maintenance category. For details,
see “About permissions” on page 80.

To configure the date and time


1 Go to System > Maintenance > System Time.
Alternatively, go to System > Status > Status. In the System Information widget, in the
System Time row, click Change.


2 From Time Zone, select the time zone where the FortiWeb unit is located.
3 Configure the following to either manually configure the system time, or automatically
synchronize the FortiWeb unit’s clock with an NTP server:

Table 37: Setting System Time

GUI item Description

System Time: Displays the date and time according to the FortiWeb unit’s clock at the time that this tab was loaded, or when you last clicked the Refresh button.
Refresh: Click to update the System Time field with the current time according to the FortiWeb unit’s clock.
Time Zone: Select the time zone where the FortiWeb unit is located.
Automatically adjust clock for daylight saving changes: Select the check box to have the system time adjusted twice annually to reflect changes between standard time and daylight saving time for your location. (Not all jurisdictions recognize daylight saving time.)
Set Time: Select this option to manually set the date and time of the FortiWeb unit’s clock, then select the Hour, Minute, Second, Year, Month and Day fields before you click OK.
Synchronize with NTP Server: Select this option to automatically synchronize the date and time of the FortiWeb unit’s clock with an NTP server, then configure the Server and Sync Interval fields before you click OK.
Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, go to http://www.ntp.org.
Sync Interval: Enter how often in minutes the FortiWeb unit should synchronize its time with the NTP server. For example, entering 1440 causes the FortiWeb unit to synchronize its time once a day.

4 Click OK.

Uploading signature updates


System > Maintenance > Update Signature enables you to update the predefined robots,
data types, suspicious URLs, and attack signatures that your FortiWeb unit uses to detect
attacks such as:
• cross-site scripting (XSS)


• SQL injection
• common exploits
Updating signatures ensures that your FortiWeb unit can detect recently discovered
variations of these attacks.

Tip: Alternatively, you can schedule automatic updates. For details, see “Scheduling
signature updates” on page 102.

After restoring the firmware of the FortiWeb unit, you should upload the most currently
available attack signatures. Restoring firmware installs the attack signatures that were
current at the time that the firmware image file was made: they may no longer be up-to-
date.
Before you can download signature update files to your management computer, you must
first register your FortiWeb unit with the Fortinet Technical Support web site,
https://support.fortinet.com/, and obtain a valid support contract. Signature update files will
then be available for download when you log in to the Fortinet Technical Support web site.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Maintenance category. For details,
see “About permissions” on page 80.

Note: Once the attack signature update is complete, you can continue using FortiWeb
without restarting the FortiWeb unit.

Figure 27: Update Signature tab

Scheduling signature updates


System > Maintenance > Auto Update enables you to configure how the FortiWeb unit will
retrieve predefined robots, data types, suspicious URLs, and attack signature updates
that your FortiWeb unit uses to detect attacks such as:
• cross-site scripting (XSS)
• SQL injection
• common exploits

Tip: Alternatively, you can manually upload update packages. For details, see “Uploading
signature updates” on page 101.

FortiWeb units receive updates from the FortiGuard Distribution Network (FDN). The FDN
is a world-wide network of FortiGuard Distribution Servers (FDS). Unless you override the
setting with a specific FDS address, FortiWeb units connect to the FDN by connecting to
the FDS nearest to the FortiWeb unit by its configured time zone.


Note: If required, the FortiWeb unit can be configured to connect through a web proxy. For
details, see the FortiWeb CLI Reference.

In addition to manual update requests, FortiWeb units support automatic, scheduled
updates, where the FortiWeb unit periodically polls the FDN to determine if there are any
available updates.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Maintenance category. For details,
see “About permissions” on page 80.

Table 38: System > Maintenance > Auto Update tab

Registration: Displays the registration status of the FortiWeb unit with the FortiGuard Distribution Network (FDN). If it is unregistered, you must click Register and complete the form on the Fortinet Technical Support web site in order for the FortiWeb unit to retrieve updates.
FortiWeb Update Service: Displays the current update license status, as well as the date, time, and method of the previous update attempt. If the FortiWeb unit’s attack signature update license has expired, click Renew to purchase a new license.
Use override server address: Enable to override the default FortiGuard Distribution Server (FDS) to which the FortiWeb unit connects for updates, then enter the IP address of the override public or private FDS.
Scheduled Update: Enable to perform updates according to a schedule, then select one of the following as the frequency of update requests.
• Every: Select to request to update once every 1 to 23 hours, then select the number of hours between each update request.
• Daily: Select to request to update once a day, then select the hour of the day to check for updates.
• Weekly: Select to request to update once a week, then select the day of the week, the hour, and the minute of the day to check for updates.
If you select 00 minutes, the update request occurs at a randomly determined time within the selected hour.
When the FortiWeb unit requests an update at the scheduled time, results appear in FortiWeb Update Service in the FortiGuard Information widget. If event logging is enabled, and the FortiWeb unit cannot successfully connect, it will record a log with the message update failed, failed to connect any fds servers!


Apply: Click to save configuration changes on this tab.
Update Now: Click to manually initiate an update request. Results will appear in FortiWeb Update Service in the FortiGuard Information widget. The time required varies by the availability of updates, size of the updates, and speed of the FortiWeb unit’s network connection. If event logging is enabled, and the FortiWeb unit cannot successfully connect, it will record a log with the message update failed, failed to connect any fds servers!
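When checking event logs against the expected run time, it helps to have the two schedules in this chapter computed the same way: an FTP backup (Schedule Type Daily) runs at a set hour and minute on each selected day, and an Auto Update runs every N hours, daily at an hour, or weekly at a day, hour and minute, with a random minute when 00 is selected. The following Python is an added example, not FortiWeb code; the function names and the parse_local helper are mine, the dates are constructed, and treating a Daily auto-update (which has no minute field) as a 00-minute schedule that gets a random minute is an assumption.

```python
"""Next-run calculation for the two schedules in this chapter.
Added example, not FortiWeb code. Assumption: a Daily auto-update has no
minute field and is treated as a 00-minute schedule, so it gets a random
minute within the selected hour, as the guide states for 00 minutes."""
import random
from datetime import datetime, timedelta
from typing import Callable, Iterable, Optional, Tuple

# Index matches datetime.weekday(): Monday == 0.
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday",
            "Saturday", "Sunday"]


def parse_local(text: str) -> datetime:
    """Parses 'YYYY-MM-DD HH:MM' in the unit's local time (constructed sample input)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def _at(day: datetime, hour: int, minute: int) -> datetime:
    return day.replace(hour=hour, minute=minute, second=0, microsecond=0)


def next_ftp_backup(now: datetime, days: Iterable[str], hour: int,
                    minute: int) -> Optional[datetime]:
    """FTP Backup, Schedule Type 'Daily': hour:minute on each selected day.
    Returns the first such time strictly after `now`; None if no day is selected."""
    wanted = {WEEKDAYS.index(d) for d in days}
    if not wanted:
        return None
    for offset in range(8):                      # today plus one full week
        candidate = _at(now + timedelta(days=offset), hour, minute)
        if candidate.weekday() in wanted and candidate > now:
            return candidate
    return None


def next_auto_update(now: datetime, schedule: Tuple,
                     choose_minute: Callable[[], int] = lambda: random.randint(0, 59)
                     ) -> datetime:
    """Auto Update: ('Every', hours) | ('Daily', hour) | ('Weekly', day, hour, minute).
    A minute of 00 means a random minute within that hour; `choose_minute`
    supplies it so that callers (and tests) can make the result deterministic."""
    kind = schedule[0]
    if kind == "Every":
        hours = schedule[1]
        if not 1 <= hours <= 23:
            raise ValueError("Every accepts 1 to 23 hours")
        return now + timedelta(hours=hours)
    if kind == "Daily":
        wanted, hour, minute = set(range(7)), schedule[1], 0   # assumption: no minute field
    elif kind == "Weekly":
        wanted, hour, minute = {WEEKDAYS.index(schedule[1])}, schedule[2], schedule[3]
    else:
        raise ValueError(f"unknown schedule type {kind!r}")
    if not 0 <= hour <= 23 or not 0 <= minute <= 59:
        raise ValueError("hour must be 0-23 and minute 0-59")
    for offset in range(8):
        day = now + timedelta(days=offset)
        if day.weekday() not in wanted:
            continue
        actual_minute = choose_minute() if minute == 0 else minute
        candidate = _at(day, hour, actual_minute)
        if candidate > now:
            return candidate
    raise RuntimeError("no run time within a week")   # unreachable: wanted is non-empty
```

Because the jitter is drawn per candidate day, a 00-minute schedule whose hour has partly passed can still land later in the current hour; when the drawn minute has already gone by, the run moves to the next selected day, which is what you should expect when reading the FortiWeb Update Service timestamp.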

Accessing the Setup Wizard


The System menu includes the Wizard option.
The Setup Wizard steps you through actions required for basic system configuration, web
protection, and log setup. Typically, you use the Setup Wizard just once when you initially
configure your FortiWeb unit for web protection after you install the FortiWeb unit
hardware.
See the FortiWeb Install and Setup Guide for instructions on using the Setup Wizard.


Router
This chapter describes the Router menu.
Static routes direct traffic that exits the FortiWeb unit—you can specify through which
network interface a packet will leave, and the IP address of a next-hop router that is
reachable from that network interface. The router is aware of which IP addresses are
reachable through various network pathways, and can forward those packets along
pathways capable of reaching the packets’ ultimate destinations.
A default route is a special type of static route. A default route matches all packets, and
defines a gateway router that can receive and route packets if no other, more specific
static route is defined for the packet’s destination IP address.

Configuring static routes


Router > Static > Static Route displays the list of static routes, including the default route.
You should configure at least one static route, a default route, that points to your gateway.
However, you may configure multiple static routes if you have multiple gateway routers,
each of which should receive packets destined for a different subset of IP addresses.
For example, if a web server is directly attached to one of the network interfaces, but all
other destinations, such as connecting clients, are located on distant networks such as the
Internet, you might need to add only one route: a default route for the gateway router
through which the FortiWeb unit connects to the Internet.
The FortiWeb unit examines the packet’s destination IP address and compares it to those
of the static routes. If more than one route matches the packet, the FortiWeb unit will apply
the route with the smallest index number. For this reason, you should give more specific
routes a smaller index number than the default route.
When you add a static route through the web-based manager, the FortiWeb unit evaluates
the route to determine if it represents a different route compared to any other route already
present in the list of static routes. If no route having the same destination exists in the list
of static routes, the FortiWeb unit adds the static route, using the next unassigned route
index number.

Note: By default, the FortiWeb unit will forward only HTTP/HTTPS traffic to your protected
real servers. (That is, IP-based forwarding is disabled.) For information on enabling
forwarding of other protocols such as FTP, see the config router setting command
in the FortiWeb CLI Reference.

To access this part of the web-based manager, you must have Read and Write permission
in your administrator's account access profile to items in the Router Configuration
category. For details, see “About permissions” on page 80.


Table 39: Router > Static > Static Route tab

GUI item Description

Create New: Click to add a static route.
#: Displays the index number of the entry in the list.
IP: Displays the destination IP addresses of packets subject to the static route, where 0.0.0.0 indicates that the route matches all destination IP addresses.
Mask: Displays the network mask associated with the IP address, where 0.0.0.0 indicates that the route matches all subnet masks.
Gateway: Displays the IP address of the next-hop router where packets subject to the static route will be forwarded.
Device: Displays the name of the network interface through which packets subject to the static route will egress.
(No column heading.): Click the Delete icon to remove an entry. Click the Edit icon to modify an entry.

To configure a static route


1 Go to Router > Static > Static Route.
2 Click Create New.
3 Configure the following, then click OK:

GUI item Description

Destination IP/Mask: Type the destination IP address and network mask of packets that will be subject to this static route, separated by a slash ( / ). The value 0.0.0.0/0.0.0.0 is reserved for the default route, which matches all packets.
Gateway: Type the IP address of the next-hop router where the FortiWeb unit will forward packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/Mask. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
Warning: The gateway IP address must be in the same subnet as the interface’s IP address. When you change the interface’s IP address later on, the new IP address must also be in the same subnet as the interface’s default gateway address; otherwise, all the static routes and the default gateway information will be lost.
Interface: Select the name of the network interface through which the packets subject to the static route will egress towards the next-hop router.
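The selection rule in this chapter (smallest index number wins, not longest prefix) means a default route that was added first silently captures traffic meant for a more specific route added later. The following Python models that selection, the duplicate-destination check the web-based manager performs when a route is added, and the gateway-in-interface-subnet warning from the table above; the shadowed_routes lint goes one step beyond the text and reports routes that can never be selected. It is an added example, not FortiWeb code; the StaticRoute fields, function names and addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Static-route selection as this chapter describes it: a packet's destination is
compared against each route's Destination IP/Mask; when several routes match, the
route with the smallest index number wins, and 0.0.0.0/0.0.0.0 is the default
route. Added example, not FortiWeb code; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    index: int
    destination: str      # "IP/mask" exactly as typed in Destination IP/Mask
    gateway: str          # next-hop router
    interface: str        # egress interface name
    interface_ip: str     # the egress interface's own address/mask (assumed input)


def _network(destination: str) -> ipaddress.IPv4Network:
    # ipaddress accepts dotted masks, so "0.0.0.0/0.0.0.0" becomes 0.0.0.0/0.
    return ipaddress.IPv4Network(destination, strict=False)


def gateway_in_interface_subnet(gateway: str, interface_ip: str) -> bool:
    """The Gateway warning: the next hop must lie in the interface's subnet."""
    return ipaddress.IPv4Address(gateway) in ipaddress.IPv4Interface(interface_ip).network


def add_route(table: List[StaticRoute], destination: str, gateway: str,
              interface: str, interface_ip: str) -> StaticRoute:
    """Mirrors the web-based manager: refuse a duplicate destination, otherwise
    append the route with the next unassigned index number."""
    if not gateway_in_interface_subnet(gateway, interface_ip):
        raise ValueError(f"gateway {gateway} is not in the subnet of {interface_ip}")
    net = _network(destination)
    if any(_network(r.destination) == net for r in table):
        raise ValueError(f"a route to {net} already exists")
    route = StaticRoute(max((r.index for r in table), default=0) + 1,
                        destination, gateway, interface, interface_ip)
    table.append(route)
    return route


def select_route(table: List[StaticRoute], dst_ip: str) -> Optional[StaticRoute]:
    """Smallest index among the matching routes (not the longest prefix)."""
    addr = ipaddress.IPv4Address(dst_ip)
    matches = [r for r in table if addr in _network(r.destination)]
    return min(matches, key=lambda r: r.index) if matches else None


def shadowed_routes(table: List[StaticRoute]) -> List[StaticRoute]:
    """Routes that can never win because a broader route with a smaller index
    also matches everything they match: the misordering the chapter warns about."""
    shadowed = []
    for r in table:
        r_net = _network(r.destination)
        for other in table:
            o_net = _network(other.destination)
            if (other is not r and other.index < r.index
                    and r_net != o_net and r_net.subnet_of(o_net)):
                shadowed.append(r)
                break
    return shadowed


def example_table(default_first: bool) -> List[StaticRoute]:
    """Constructed table: a default route via 192.0.2.1 on port1 and a route to
    10.0.0.0/8 via 198.51.100.1 on port2, added in either order."""
    table: List[StaticRoute] = []
    if default_first:
        add_route(table, "0.0.0.0/0.0.0.0", "192.0.2.1", "port1", "192.0.2.10/24")
        add_route(table, "10.0.0.0/255.0.0.0", "198.51.100.1", "port2", "198.51.100.2/24")
    else:
        add_route(table, "10.0.0.0/255.0.0.0", "198.51.100.1", "port2", "198.51.100.2/24")
        add_route(table, "0.0.0.0/0.0.0.0", "192.0.2.1", "port1", "192.0.2.10/24")
    return table
```

With the default route added first, a packet to 10.1.2.3 is sent to the Internet gateway even though a route for 10.0.0.0/8 exists; adding the specific route first gives it the smaller index and the expected result. Running shadowed_routes over an exported route list is a quick way to catch that ordering before traffic to a protected server leaves through the wrong interface.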


Users and user groups


This chapter describes the User menu.
You need to define users and user groups if you want the FortiWeb unit to protect web
sites that require user authentication, such as a shopping cart application. If the FortiWeb
unit's role is to protect a corporate information portal, where no user authentication is
required, there is no need to configure user access.
The FortiWeb authentication feature uses local users, LDAP queries, RADIUS queries,
and NTLM queries to authorize HTTP requests. For details, see “Configuring
authentication policy” on page 257.

Note: User authentication applies only when the FortiWeb unit is operating in reverse proxy
mode, or in true transparent proxy mode that does not use HTTPS.

You can create user groups for each user type or combine several user types in one group
for easy management of user authentication.
This chapter includes the following topics:
• Configuring local users
• Configuring LDAP user queries
• Configuring RADIUS user queries
• Configuring NTLM user queries
• Grouping users

User creation workflow


The following lists the steps to configure user authentication for your FortiWeb unit.
1 Define your FortiWeb users in one or more of the following ways:
• For local users, create a record for each user. See “Configuring local users” on
page 108.
• For user credentials stored on an LDAP server, configure access to that server. See
“Configuring LDAP user queries” on page 109.
• For user credentials stored on a RADIUS server, configure access to that server.
See “Configuring RADIUS user queries” on page 111.
• For user credentials accessed through an NT LAN Manager, configure NTLM
access. See “Configuring NTLM user queries” on page 113.
2 Optionally, if you want to use secure connections, you must upload the applicable
certificates, define a certificate verification rule, and possibly also an intermediate CA
certificate group. For example, to configure a secure connection to an LDAP server,
you must upload the certificate of the CA that signed the LDAP server’s certificate. See
“Managing certificates” on page 84.
3 Create one or more user groups and add users to the groups. See “Grouping users” on
page 114.
4 Add the user groups to an authentication rule. See “Configuring authentication rules”
on page 261.


5 Add authentication rules to an authentication policy. See “Configuring authentication
rules” on page 261.
6 Select the authentication policy in an inline protection profile. See “Configuring an
inline protection profile” on page 269.
7 Select the inline protection profile as the web protection profile in a server policy. See
“Configuring server policies” on page 118.

Configuring local users


User > Local User > Local User displays the list of locally defined user accounts.
The FortiWeb authentication feature uses local user entries to authorize HTTP requests.
For more information, see “Configuring authentication policy” on page 257.
Local user accounts are activated indirectly by selecting them in a user group that is
selected within an authentication rule. Then, select the rule within an authentication policy,
and ultimately select the policy within an inline protection profile. For details, see “User
creation workflow” on page 107.
Note: User passwords are not encrypted when downloading a FortiWeb configuration
backup file. If you configure local user accounts, be sure to store configuration backup files
in a safe location.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Auth Users category. For details,
see “About permissions” on page 80.

Table 40: User > Local User > Local User tab

GUI item Description

Create New: Click to add a user.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
User Name: Displays the user name that the client must provide when authenticating.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a user group. Click the Edit icon to modify the entry.

To configure a local user


1 Go to User > Local User > Local User.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
3 In Name, type the name of the local user entry.
This field cannot be modified if you are editing an existing entry. To modify the name,
delete the entry, then recreate it using the new name. (You cannot delete a user if any
user group has it as a member.)


4 Configure the following:

GUI item Description

Name: Type a display name for the user.
User Name: Type the user name that the client must provide when authenticating.
Password: Type the password for the local user account. The maximum length is 63 characters.

5 Click OK.

Configuring LDAP user queries


User > LDAP User > LDAP User displays the list of LDAP queries that can authenticate
users.
The FortiWeb authentication feature uses LDAP user queries to authorize HTTP requests.
For more information, see “Configuring authentication policy” on page 257.
LDAP user accounts are activated indirectly by selecting them in a user group that is
selected within an authentication rule. Then, select the rule within an authentication policy,
and ultimately select the policy within an inline protection profile. For details, see “User
creation workflow” on page 107.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Auth Users category. For details,
see “About permissions” on page 80.

Table 41: User > LDAP User > LDAP User tab


GUI item Description

Create New: Click to add an LDAP user account query. Only one LDAP user query can exist at any given time. If a query is already configured, this button is grayed out.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Server IP: Displays the IP address of the LDAP server that will be queried to authenticate users.
Port: Displays the TCP port number where the LDAP server listens for queries.


Common Name Identifier: Displays the common name (CN) attribute, often cn, whose value is the user name.
Distinguished Name: Displays the distinguished name (DN) that, when prefixed with the common name, forms the full path in the directory to the user account object.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently a member of a user group. Click the Edit icon to modify the entry.
Before configuring the query, if you will configure a secure connection, you must upload
the certificate of the CA that signed the LDAP server’s certificate. For details, see
“Managing CA certificates” on page 90.

To configure the LDAP user query


1 Go to User > LDAP User > LDAP User.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
3 In Name, type the name of the LDAP user query entry.
This field cannot be modified if you are editing an existing entry. To modify the name,
delete the entry, then recreate it using the new name.
4 Configure the following:

GUI item Description

Server IP: Type the IP address of the LDAP server.
Server Port: Type the port number where the LDAP server listens. The default port number varies by your selection in Secure Connection: port 389 is typically used for non-secure connections or for STARTTLS-secured connections, and port 636 is typically used for SSL-secured (LDAPS) connections.
Common Name Identifier: Type the identifier, often cn, for the common name (CN) attribute whose value is the user name. Identifiers may vary by your LDAP directory’s schema.
Distinguished Name: Type the distinguished name (DN) that, when prefixed with the common name, forms the full path in the directory to the user account objects.


Bind Type: Select one of the following LDAP query binding styles:
• Simple: Bind using the client-supplied password and a bind DN assembled from the Common Name Identifier, Distinguished Name, and the client-supplied user name.
• Regular: Bind using a bind DN and password that you configure in User DN and Password.
• Anonymous: Do not provide a bind DN or password. Instead, perform the query without authenticating. Select this option only if the LDAP directory supports anonymous queries.
User DN: Type the bind DN, such as cn=FortiWebA,dc=example,dc=com, of an LDAP user account with permissions to query the Distinguished Name. This field may be optional if your LDAP server does not require the FortiWeb unit to authenticate when performing queries, and does not appear if Bind Type is Anonymous or Simple.
Password: Type the password of the User DN. This field may be optional if your LDAP server does not require the FortiWeb unit to authenticate when performing queries, and does not appear if Bind Type is Anonymous or Simple.
Secure Connection: Enable to connect to the LDAP servers using an encrypted connection, then select the style of the encryption in Protocol.
Protocol: Select whether the LDAP query will be secured using LDAPS or STARTTLS. You may need to reconfigure Server Port to correspond to the change in protocol. This option appears only if Secure Connection is enabled.
Test LDAP: Click to test that the current settings are correct, and that the FortiWeb unit can communicate with the LDAP server.
5 Click OK.
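For Bind Type Simple, the bind DN is assembled from Common Name Identifier, the client-supplied user name and Distinguished Name. Because the user name arrives from an untrusted HTTP client, a safe implementation escapes it before placing it in the DN (RFC 4514) and refuses an empty password, which would otherwise turn the simple bind into an unauthenticated one that many directories accept (RFC 4513 section 5.1.2). The following Python is an added example of those two checks, the three Bind Type cases, and the Server Port default from the table; it is not FortiWeb code, and the function names and sample DNs are constructed.

```python
"""Bind parameters for the three Bind Type options in the table above.
Added example, not FortiWeb code; DNs and names are constructed."""
from typing import Optional, Tuple

# RFC 4514 section 2.4: characters that must be escaped inside an attribute value.
_RFC4514_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape a user-supplied string so it cannot change the DN's structure."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RFC4514_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def simple_bind_dn(cn_identifier: str, distinguished_name: str, username: str) -> str:
    """Bind Type 'Simple': <Common Name Identifier>=<user name>,<Distinguished Name>."""
    return f"{cn_identifier}={escape_rdn_value(username)},{distinguished_name}"


def default_server_port(secure_connection: bool, protocol: Optional[str]) -> int:
    """Server Port note: 389 for plain or STARTTLS, 636 for LDAPS."""
    if secure_connection and protocol is not None and protocol.upper() == "LDAPS":
        return 636
    return 389


def bind_parameters(bind_type: str, cn_identifier: str, distinguished_name: str,
                    username: str, client_password: str,
                    user_dn: Optional[str] = None,
                    bind_password: Optional[str] = None
                    ) -> Tuple[Optional[str], Optional[str]]:
    """(bind DN, bind password) that would be presented to the LDAP server."""
    if bind_type == "Simple":
        if not username:
            raise ValueError("Simple bind needs a non-empty user name")
        if not client_password:
            # RFC 4513 5.1.2: a DN with an empty password is an unauthenticated
            # bind, which must never count as a successful login.
            raise ValueError("Simple bind needs a non-empty client password")
        return simple_bind_dn(cn_identifier, distinguished_name, username), client_password
    if bind_type == "Regular":
        if not user_dn or bind_password is None:
            raise ValueError("Regular bind needs User DN and Password")
        return user_dn, bind_password
    if bind_type == "Anonymous":
        return None, None
    raise ValueError(f"unknown Bind Type {bind_type!r}")
```

The escaping matters because a user name such as alice,ou=Admins would otherwise bind as a DN under a different container; after escaping it is just a single RDN value that the directory will fail to find. The port helper is the same lookup the Server Port note describes, and it is worth re-checking whenever Protocol is switched between STARTTLS and LDAPS.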

Configuring RADIUS user queries


User > RADIUS User > RADIUS User displays the list of RADIUS queries that can
authenticate users.
Remote Authentication Dial-In User Service (RADIUS) servers provide authentication,
authorization, and accounting functions. The FortiWeb authentication feature uses
RADIUS user queries to authorize HTTP requests.
If you have configured RADIUS support and a user is required to authenticate using a
RADIUS server, the unit sends the user’s credentials to the RADIUS server for
authentication. If the RADIUS server can authenticate the user, the user is successfully
authenticated with the FortiWeb unit. If the RADIUS server cannot authenticate the user,
the FortiWeb unit refuses the connection. You can override the default authentication
scheme by selecting a specific authentication protocol or changing the default port for
RADIUS traffic. For details, see “Configuring authentication policy” on page 257.
RADIUS user accounts are activated indirectly, by selecting them in a user group that is
selected within an authentication rule. Then, select the rule within an authentication policy,
and ultimately select the policy within an inline protection profile. For details, see “User
creation workflow” on page 107.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Auth Users category. For details,
see “About permissions” on page 80.

Table 42: User > RADIUS User > RADIUS User tab

GUI item Description


Create New Click to add a RADIUS user account query.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Server IP Displays the IP address of the RADIUS server that will be queried to
authenticate users.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a user group.
Click the Edit icon to modify the entry.

To configure the RADIUS user query


Before configuring the query, if you will configure a secure connection, you must upload
the certificate of the CA that signed the RADIUS server’s certificate. For details, see
“Managing CA certificates” on page 90.
1 Go to User > RADIUS User > RADIUS User.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
3 In Name, type the name of the RADIUS user query entry.
This field cannot be modified if you are editing an existing entry. To modify the name,
delete the entry, then recreate it using the new name.
4 Configure the following:

GUI item Description


Name Enter a name for this RADIUS user query.
Server IP Type the IP address of the primary RADIUS server.

Server Port Type the port number where the RADIUS server listens.
The default port number is 1812.
Server Secret Type the shared secret for the primary RADIUS server (maximum 16
characters). The secret is the only key material that protects the
User-Password attribute and authenticates the server's replies, so use
the full length and a random value.
Secondary Server IP Type the IP address of the secondary RADIUS server, if applicable.
Secondary Server Port Type the port number where the secondary RADIUS server listens.
The default port number is 1812.
Secondary Server Secret Type the shared secret for the secondary RADIUS server (maximum
16 characters).
Authentication Scheme Select Default to authenticate with the default method. The default
authentication scheme tries PAP, MS-CHAP-V2, and CHAP, in that
order.
Select Specify Authentication Protocol to override the default
authentication method, and choose the protocol from the list: MS-
CHAP-V2, CHAP, MS-CHAP, or PAP, depending on what your
RADIUS server needs. With PAP the user's password travels in the
User-Password attribute, obfuscated only with the shared secret; the
CHAP variants send a response to a challenge instead of the password.
NAS IP Type the IP address to send in the NAS-IP-Address attribute (RADIUS
attribute 4, defined in RFC 2865) of each request. If you do not enter an
IP address, the IP address that the FortiWeb unit uses to communicate
with the RADIUS server is sent.
Test Radius Click to test that the current settings are correct, and that the FortiWeb
unit can communicate with the RADIUS server.
5 Click OK.
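The Server Secret, Authentication Scheme and NAS IP settings above all end up as fields of the RADIUS Access-Request. The following added example (not FortiWeb or Fortinet code) builds such a request for the PAP scheme as RFC 2865 specifies it, hides the password with the shared secret and the Request Authenticator the way any NAS does, and verifies the Response Authenticator on the reply, which is the check that stops a spoofed Access-Accept from a host that does not hold the secret. The secret, user name, password and addresses are constructed test values, and nothing is sent on the network.

```python
"""RADIUS Access-Request with PAP, and reply verification (RFC 2865).
Added example, not FortiWeb or Fortinet code. The secret, user, password and
addresses are constructed test values; nothing is sent on the network."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types, RFC 2865 5


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; the length counts the two header octets too."""
    return struct.pack('!BB', atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    The shared secret is the only key material, which is why a short or
    guessable secret exposes every PAP password that crosses the wire."""
    padded = password + b'\x00' * (-len(password) % 16)
    out, prev = b'', request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b'', request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b'\x00')


def build_access_request(ident: int, secret: bytes, user: str, password: str,
                         nas_ip: str, request_auth: bytes = b'') -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split('.'))))
    return struct.pack('!BBH', ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack('!BBH', code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code: int, ident: int, request_auth: bytes, secret: bytes,
                attrs: bytes = b'') -> bytes:
    """What the RADIUS server returns; included here to exercise the client check."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack('!BBH', code, ident, 20 + len(attrs)) + auth + attrs


def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """A NAS must verify this before honouring an Access-Accept: without the
    secret, a host spoofing the server's address cannot produce this value."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack('!BBH', reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == '__main__':
    SECRET = b'0123456789abcdef'           # constructed; 16 characters, the maximum
    ra = os.urandom(16)
    req = build_access_request(7, SECRET, 'alice', 'correct horse', '10.0.0.5', ra)
    ok = build_reply(ACCESS_ACCEPT, 7, ra, SECRET)
    print('hidden User-Password:', req[29:45].hex())
    print('accept authentic:', reply_is_authentic(ok, ra, SECRET))
    print('accept with wrong secret:', reply_is_authentic(ok, ra, b'guess'))
```

The User-Password attribute starts at offset 27 of the request (after the 20-octet header and the 7-octet User-Name attribute), so a capture plus a guessed secret and the visible Request Authenticator is all that is needed to run reveal_password offline; that is the threat the maximum-length random secret mitigates.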

Configuring NTLM user queries


User > NTLM User > NTLM User displays the list of NT LAN Manager (NTLM) user
account queries.
NTLM queries can be made to a Microsoft Windows or Active Directory server that is
configured for NTLM authentication. FortiWeb supports both NTLM v1 and NTLM v2.
The FortiWeb authentication feature uses NTLM user queries to authorize HTTP requests.
For more information, see “Configuring authentication policy” on page 257.
NTLM user account queries are used indirectly by selecting them in a user group that is
selected within an authentication rule. Then, select the rule within an authentication policy,
and ultimately select the policy within an inline protection profile. For details, see “User
creation workflow” on page 107.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Auth Users category. For details,
see “About permissions” on page 80.

Table 43: User > NTLM User > NTLM User tab

GUI item Description


Create New Click to add an NTLM user account query.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Server IP Displays the IP address of the NTLM server that will be queried.
Port Displays the TCP port number where the NTLM server listens for queries.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a user group.
Click the Edit icon to modify the entry.

To configure an NTLM user query


1 Go to User > NTLM User > NTLM User.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
3 In Name, type the name of the NTLM user entry.
This field cannot be modified if you are editing an existing entry. To modify the name,
delete the entry, then recreate it using the new name.
4 Configure the following:

GUI item Description


Name Type the name of this NTLM user query entry.
Server IP Type the IP address of the NTLM server that will be queried.
Port Type the TCP port number where the NTLM server listens for queries.

5 Click OK.

Grouping users
User > User Group > User Group displays the list of user groups.
The FortiWeb authentication feature uses user groups to authorize HTTP requests. A
group can include local user accounts, LDAP user queries, RADIUS user queries, and
NTLM user queries, subject to the group’s Auth Type (see Table 44).
User groups are used indirectly, by selecting them within an authentication rule. Then,
select the rule within an authentication policy, and ultimately select the policy within an
inline protection profile. For details, see “User creation workflow” on page 107.

Tip: Before you can configure a user group, you must first configure one or more users.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Auth Users category. For details,
see “About permissions” on page 80.

Table 44: User > User Group > User Group tab

GUI item Description


Create New Click to add a user group.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Auth Type Displays one of the following:
Basic: Basic authentication is the original and most compatible
authentication scheme for HTTP. However, it is also the least secure: the
user name and password are sent Base64-encoded, not encrypted, so it is
only acceptable over HTTPS. Groups with this authentication type can
include local users, LDAP queries, and RADIUS queries.
Digest: Digest authentication sends a hash computed from the password
and a server-supplied nonce instead of the password itself, and thus is
more secure than basic authentication. Groups with this authentication type
can include local users only.
NTLM: NTLM is a proprietary Microsoft challenge-response protocol in which
the password itself is never sent; it is generally regarded as more secure
than Basic. Groups with this authentication type can include NTLM users
only.
Count Displays the number of individual user accounts and/or user queries
contained in the entry.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in an authentication rule.
Click the Edit icon to modify the entry.

To configure a user group


1 Go to User > User Group > User Group.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
3 In Name, type the name of the user group.
This field cannot be modified if you are editing an existing entry. To modify the name,
delete the entry, then recreate it using the new name.

4 Select an authentication type:


• Basic: This is the original and most compatible authentication scheme for HTTP.
However, it is also the least secure: the user name and password are sent
Base64-encoded, not encrypted, so select it only for HTTPS services.
• Digest: Authentication sends a hash computed from the password and a server
nonce instead of the password itself, and thus is more secure than basic
authentication.
• NTLM: Authentication uses Microsoft’s proprietary challenge-response protocol,
in which the password itself is never sent.
5 Click OK.
6 Click Create New, then configure the following:

GUI item Description


ID Type the index number of the individual rule within the group of users, or keep
the field’s default value of auto to let the FortiWeb unit automatically assign the
next available index number.
User Type Select the type of user or user query you want to add to the group. The options
presented vary with the setting for the group’s Auth Type option.
Note: You can mix user types in the group. However, if the group’s Auth Type
does not support a given user type, all user accounts of that type will be
ignored, effectively disabling them.
User Name Select the name of user or user query. The list contents varies with your
selection User Type.

7 Repeat the previous step for each individual rule that you want to add to the group of
users.
8 If you need to modify an individual rule, click its Edit icon. To remove an individual user
or user query from the group of users, click its Delete icon. To remove all individual
users or user queries from the group of users, click the Clear icon.
9 Click OK.
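To make the difference between the Basic and Digest authentication types concrete (see the Auth Type descriptions in Table 44 and step 4 above), the following added example, which is not FortiWeb code, decodes a Basic Authorization header back to the plaintext credentials and computes the Digest response a client sends under RFC 2617, using the realm, nonce and credentials from that RFC's own worked example. The server-side verifier and its nonce bookkeeping are an assumed design added for illustration, not a description of how the FortiWeb unit validates Digest credentials.

```python
"""Basic versus Digest on the wire (added example, not FortiWeb code).
Basic is Base64 encoding, reversible by anyone who sees the header.
Digest sends an MD5 over the credentials and a server nonce (RFC 2617),
so the password itself never crosses the wire; a captured response is
still usable for offline guessing, and for replay if the nonce is reused."""
import base64
import hashlib
import hmac


def basic_header(user: str, password: str) -> str:
    return 'Basic ' + base64.b64encode(f'{user}:{password}'.encode()).decode()


def recover_basic(header: str) -> tuple:
    """What an on-path observer (or a proxy log) gets from a Basic header."""
    scheme, _, token = header.partition(' ')
    if scheme != 'Basic':
        raise ValueError('not a Basic credential')
    user, _, password = base64.b64decode(token).decode().partition(':')
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop='auth'):
    """Client-side response for qop=auth, algorithm MD5 (RFC 2617 3.2.2.1)."""
    h = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = h(f'{user}:{realm}:{password}')
    ha2 = h(f'{method}:{uri}')
    return h(f'{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}')


class DigestVerifier:
    """Server side (assumed design): recomputes the response from the stored
    password and rejects any (nonce, nc) pair it has already accepted, so a
    captured Authorization header cannot simply be replayed."""

    def __init__(self, realm: str, passwords: dict):
        self.realm, self.passwords, self.seen = realm, passwords, set()

    def verify(self, user, method, uri, nonce, nc, cnonce, response) -> bool:
        password = self.passwords.get(user)
        if password is None or (nonce, nc) in self.seen:
            return False
        expected = digest_response(user, self.realm, password, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.seen.add((nonce, nc))
        return True


if __name__ == '__main__':
    hdr = basic_header('alice', 's3cret')              # constructed credentials
    print(hdr, '->', recover_basic(hdr))
    print(digest_response('Mufasa', 'testrealm@host.com', 'Circle Of Life', 'GET',
                          '/dir/index.html', 'dcd98b7102dd2f0e8b11d0f600bfb0c093',
                          '00000001', '0a4f113b'))
```

The Digest inputs above are the RFC 2617 section 3.5 example, so the response it prints can be checked against the RFC. Note that the server must hold either the password or HA1 (the MD5 of user:realm:password), which is why groups with the Digest type can only contain local users, whose credentials the FortiWeb unit stores itself.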

Server policy
This chapter describes the Server Policy menu and how to use all the features of a server
policy.
This chapter includes the following topics:
• Configuring server policies
• Configuring servers
• Configuring server health checks
• Configuring services
• Configuring protected servers
• Configuring predefined patterns
• Configuring custom patterns
• Configuring custom application policies

Server policy workflow requirements


The creation of server policy involves multiple steps. The number and sequence of steps
depends on what you wish to achieve. Some steps may be bypassed depending on your
requirements.
1 Optionally, if you want to use secure connections, you must upload the applicable
certificates, define a certificate verification rule, and possibly also an intermediate CA
certificate group. See “Managing certificates” on page 84.
2 Configure one or more virtual servers, physical servers, or domain servers. See
“Configuring virtual servers” on page 129, “Configuring physical servers” on page 131
and “Configuring domain servers” on page 133.
3 Configure one or more protected servers. See “Configuring protected servers” on
page 147.
4 Optionally, add two or more servers to a server farm. See “Grouping physical and
domain servers into server farms” on page 135.
5 Configure logging and trigger policy if you plan to include triggers in a web protection
profile used by the server policy. See “Log configuration workflow” on page 313.
6 Configure one or more XML, inline, or offline protection profiles. See:
• “XML protection profile workflow” on page 163 (reverse proxy mode only)
• “Inline protection profile workflow” on page 268 (any mode except offline protection)
• “Offline protection profile workflow” on page 274 (offline protection mode only)
7 If you want the FortiWeb unit to gather auto-learning data, configure an auto-learning
profile and its required components. See “Auto-learning profile workflow” on page 278.
8 If the policy is to include user authentication, you must configure users, user groups,
and an authentication policy, and include that policy as part of an inline protection
profile. See “HTTP authentication policy workflow” on page 259.
9 After you complete the applicable previous steps, you can configure or complete server
policies. See “Configuring server policies” on page 118.

Configuring server policies


Server Policy > Policy > Policy displays the list of policies.
Use FortiWeb policies to:
• determine which connections FortiWeb will allow or block
• apply a profile that specifies how FortiWeb will process the connections that it allows
• route traffic to specific destination real servers (if supported by the operation mode)
• use an auto-learning profile to gather additional information about your HTTP traffic for
use as guidance when modifying the policy or profiles
Note: There is a limit to the number of server policies you can create. The limit varies with
the model of your FortiWeb unit. For details, see “Appendix B: Maximum values” on
page 397.

When determining the policy to apply to a connection, FortiWeb units will consider the
operation mode:
• Reverse Proxy: Apply the policy whose virtual server and service match the
connection.
• Offline Protection: Apply the policy whose network interface in the virtual server
matches the connection. Do not consider the service or the IP address of the virtual
server.
• True Transparent Proxy: Apply the policy whose v-zone (bridge) matches the
connection. Do not consider the IP address of the bridge.
• Transparent Inspection: Apply the policy whose v-zone bridge matches the
connection. Do not consider the IP address of the bridge.
The FortiWeb unit will apply only one policy to each connection. If an HTTP connection
does not match any of the policies, the FortiWeb unit will block the connection.
Policies are not used while they are disabled, as indicated by “Status” on page 121.
Policy behavior varies with the operation mode.

Table 45: Policy behavior by operation mode

Reverse Proxy
Matches by: service and virtual server.
Violations: blocked or modified, according to profile.
Profile support: inline protection profiles, auto-learning profiles, and XML
protection profiles.
SSL: certificate used to offload SSL from the servers to FortiWeb; can
optionally re-encrypt before forwarding to the destination server.
Forwarding: forwards to a single real server or member of a server farm
using the port number where it listens, similar to a network address
translation (NAT) policy on a general-purpose firewall; can load-balance or
route connections to a specific server based upon XML content.

Offline Protection
Matches by: the virtual server’s network interface, but not its IP address.
Violations: attempts to block by mimicking the client or server and requesting
to reset the connection; does not modify otherwise.
Profile support: offline protection profiles and auto-learning profiles.
SSL: certificate used to decrypt and scan only; does not act as an SSL origin
or terminator.
Forwarding: lets the traffic pass through to a member of a server farm, but
does not load-balance.

True Transparent Proxy
Matches by: v-zone (bridge), but not its IP address.
Violations: blocked or modified, according to profile.
Profile support: inline protection profiles and auto-learning profiles.
SSL: certificate used to decrypt and scan only; does not act as an SSL origin
or terminator.
Forwarding: forwards to a member of a server farm using the port number
where it listens, but allows traffic to pass through without actively
redistributing connections.

Transparent Inspection
Matches by: v-zone (bridge), but not its IP address.
Violations: attempts to block by mimicking the client or server and requesting
to reset the connection; does not modify otherwise.
Profile support: offline protection profiles and auto-learning profiles.
SSL: certificate used to decrypt and scan only; does not act as an SSL origin
or terminator.
Forwarding: lets the traffic pass through to a member of a server farm, but
does not load-balance.

Note: When you switch the operation mode, policies will be deleted from the configuration
file if they are not applicable in the current operation mode.

Policies can be configured to detect URL-embedded attacks that are obfuscated using
recursive URL encoding (that is, multiple levels of URL encoding). For more information,
see the circulate-url-decode option of the config server-policy policy
command in the FortiWeb CLI Reference.
To access this part of the web-based manager, your administrator's account access profile
must have Read permission to items in the Server Policy Configuration category. For
details, see “About permissions” on page 80.

Table 46: Server Policy > Policy > Policy tab

GUI item Description


Create New Click to add a policy.
# Displays the index number of the entry in the list.
On FortiWeb units, the index number of a policy indicates its alphabetical
order only. It does not indicate order of evaluation for matches with
connections. Instead, the FortiWeb unit will apply the one policy that
matches the connection, if any exists.
Policy Name Displays the name of the entry.
Policy Type Indicates whether the policy applies a web protection profile (either inline or
offline protection profile) or an XML protection profile.
Virtual Server or V-zone Displays the virtual server or v-zone (bridge) to which the policy applies a
protection profile and, in reverse proxy mode, from which it routes traffic to
one or more real servers.
HTTP Service Displays the service that defines the TCP port number where the virtual
server receives HTTP traffic.
HTTPS Service Displays the service that defines the TCP port number where the virtual
server receives HTTPS traffic.
Deployment Mode Displays the method of distribution that the FortiWeb unit will use when
forwarding connections accepted by this policy.
• Single Server: Forward connections to a single real server.
• Server Balance: Use a load-balancing algorithm when distributing
connections amongst the real servers in a server farm. If a real server is
unresponsive to the server health check, the FortiWeb unit forwards
subsequent connections to another real server in the server farm.
• HTTP Content Routing: Use HTTP Content Routing to route HTTP
requests to a specific real server in a server farm by specifying the host
or URL and the request file.
• XPath Content Routing: Use content routing rules defined as XPath
expressions in the server farm configuration when distributing
connections amongst the real servers in a server farm. If a real server is
unresponsive to the server health check, or if a request does not match
the XPath expression, the FortiWeb unit forwards connections to the
first real server in the server farm.
• WSDL Content Routing: Use WSDL content routing rules defined in the
server farm configuration when distributing connections amongst the
real servers in a server farm. If a real server is unresponsive to the
server health check, or if a request does not match the WSDL content
routing rules, the FortiWeb unit forwards connections to the first real
server in the server farm.
• Offline Protection: Allow connections to pass through the FortiWeb unit,
but instead of applying an inline protection profile, apply an offline
protection profile.
• Transparent Servers: Allow connections to pass through the FortiWeb
unit, and apply a protection profile.
You can use the Service Status widget to determine whether or not a real
server is currently responding to the server health check. For details, see
“Service Status widget” on page 49.
Enable Mark this check box to allow the policy to be used when evaluating traffic for
a matching policy.
For details, see “Enabling or disabling a policy” on page 128.
Note: You can use SNMP traps to notify you of changes to the policy’s
status. For details, see “Configuring an SNMP community” on page 68.

Status Indicates whether or not a policy will be used when evaluating traffic for a
matching policy.
• Green icon: The policy will be used when evaluating traffic for a
matching policy.
• Flashing yellow-to-red icon: The policy will not be used when evaluating
traffic for a matching policy.
To be used, a policy’s Enable option must be marked.
(No column heading.) Click the Edit icon to modify the entry. For details, see “Configuring server
policies” on page 118.
Click the Delete icon to remove the entry. Policies may be automatically
deleted if you switch the Operation Mode and the policy’s type is not
supported by the new mode.
Caution: Deleting a policy also removes any auto-learning data it has
gathered using an auto-learning profile. To retain this data, instead either
deselect the auto-learning profile in the policy, or disable the policy. For
details, see “Enabling or disabling a policy” on page 128.
When available, click the View Cookies icon to display cookies that have
been observed in reply traffic from the server managed by this policy.
This icon appears only after cookies have been observed in the
Set-Cookie: HTTP header, and does not appear for cookies that may
have been set using client-side JavaScript.
Based upon whether or not the content of the cookies is sensitive, such as if
they are used for state tracking or database input, you may want to enable
Cookie Poison in the policy’s inline protection profile. For details, see
“Cookie Poison” on page 269.

To add or edit a policy


1 Go to Server Policy > Policy > Policy.
2 For a new policy, click Create New. Or, for an existing policy, click the Edit icon in the
applicable row.
A dialog appears.

Note: Available options vary by the operation mode and the deployment mode of the
FortiWeb unit.

3 Configure the following, then click OK:

Table 47: Editing a policy

GUI item Description


Policy Name Type a name for the policy.
Policy Type Select whether you will apply an XML protection profile or a web
protection profile, then select the name of the protection profile from
Web Protection Profile or XML Protection Profile.
Depending on the types of profiles that the current operation mode
supports, not all policy types may be available. For details, see Table 45
on page 119.

Virtual Server, Data Capture Port or V-zone Select the name of a virtual server, data capture port or v-zone (bridge).
The name and use of this option varies by operating mode:
• Reverse proxy mode: Virtual Server identifies the IP address and
network interface of incoming traffic that will be routed and to which
the policy will apply a profile.
• Offline protection mode: Data Capture Port identifies the network
interface on which incoming traffic is captured and to which the policy
will attempt to apply a profile. The IP address of the virtual server will
be ignored.
• Either of the transparent modes: V-zone (bridge) indicates the
incoming traffic to which the policy will apply a profile.
Alternatively, you can select the Create New menu option to add a
virtual server in a pop-up window, without leaving the current page. For
details, see “Configuring virtual servers” on page 129 or “Configuring v-
zones (bridges)” on page 55.
Deployment Mode Select the method of distribution that the FortiWeb unit will use when
forwarding connections accepted by this policy.
• Single Server: Forward connections to a single physical server or
domain server. This option is available only if the FortiWeb unit is
operating in reverse proxy mode.
• Server Balance: Use a load-balancing algorithm when distributing
connections amongst the real servers in a server farm. If a real
server is unresponsive to the server health check, the FortiWeb unit
forwards subsequent connections to another real server in the
server farm. Also configure Load Balancing Algorithm, Persistence
Timeout, Server Health Check, and Server Farm. This option is
available only if the FortiWeb unit is operating in reverse proxy
mode.
• HTTP Content Routing: Use HTTP content routing to route HTTP
requests to a specific real server in a server farm by specifying the
host or URL and the request file. Also configure Server Farm.
• XPath Content Routing: Use content routing rules defined as XPath
expressions in the server farm configuration when distributing
connections amongst the real servers in a server farm. If a real
server is unresponsive to the server health check, or if a request
does not match the XPath expression, the FortiWeb unit forwards
connections to the first real server in the server farm. Also configure
Server Health Check and Server Farm. This option is available only
if the FortiWeb unit is operating in reverse proxy mode and Policy
Type is XML Protection.
• WSDL Content Routing: Use WSDL content routing rules defined in
the server farm configuration when distributing connections amongst
the real servers in a server farm. If a real server is unresponsive to
the server health check, or if a request does not match the WSDL
content routing rules, the FortiWeb unit forwards connections to the
first real server in the server farm. Also configure Server Health
Check and Server Farm. This option is available only if the FortiWeb
unit is operating in reverse proxy mode and Policy Type is XML
Protection.
• Offline Protection: Allow connections to pass through the FortiWeb
unit, and apply an offline protection profile. Also configure Server
Health Check and Server Farm. This option is available only if the
FortiWeb unit is operating in offline protection mode.
• Transparent Servers: Allow connections to pass through the
FortiWeb unit, and apply a protection profile. Also configure Server
Farm. This option is available only if the FortiWeb unit is operating in
either of the transparent modes.
Depending on the types of network topologies that the current operation
mode supports, not all deployment modes may be available. For details,
see Table 45 on page 119.
Server Type If you select Single Server as the deployment mode, you must select
either a Physical Server or Domain Server. For details, see “Configuring
physical servers” on page 131 and “Configuring domain servers” on
page 133.

Physical Server Select the physical server to which to forward connections, or select
Create New to configure a new physical server in a pop-up window,
without leaving the current page. This option appears only when
selected as a server type. For details, see “Configuring physical
servers” on page 131.
Domain Server Select the domain server to which to forward connections, or select
Create New to configure a new domain server in a pop-up window,
without leaving the current page. This option appears only when
selected as a server type. For details, see “Configuring domain servers”
on page 133.
Server's Port Type the TCP port number where the physical/domain server listens for
web or web services connections, depending on whether you have
selected a web protection profile or an XML protection profile,
respectively. This option appears only if Deployment Mode is Single
Server.
Load Balancing Select the load-balancing algorithm to use when distributing new
Algorithm connections amongst real servers in the server farm. This option
appears only if Deployment Mode is Server Balance.
• Round Robin: Distributes new connections to the next real server in
the server farm, regardless of weight, response time, traffic load, or
number of existing connections. Unresponsive servers are avoided.
• Weighted Round Robin: Distributes new connections using the
round robin method, except that real servers with a higher weight
value will receive a larger percentage of connections.
• Least Connection: Distributes new connections to the real server
with the fewest number of existing, fully-formed connections.
• HTTP session based Round Robin: Distributes new connections, if
they are not associated with an existing HTTP session, to the next
real server in the server farm, regardless of weight, response time,
traffic load, or number of existing connections. Unresponsive servers
are avoided. Session management is enabled automatically when
you enable this feature, and it therefore does not require that you
enable Session Management in the web protection profile. This
option is available only if Policy Type is Web Protection.
Persistence Timeout Enter the timeout for inactive TCP sessions.
This option appears only if Deployment Mode is Server Balance or
Transparent Servers.
Server Health Check Select the server health check to use when determining responsiveness
of real servers in the server farm, or select Create New to add a server
health check in a pop-up window, without leaving the current page. For
details, see “Configuring server health checks” on page 143.
This option appears only if Deployment Mode is Server Balance, HTTP
Content Routing, XPath Content Routing, WSDL Content Routing, or
Offline Protection.
Note: If a real server is unresponsive, wait until the server becomes
responsive again before disabling its server health check. Server health
checks record the up or down status of the server. If you deactivate the
server health check while the server is unresponsive, the server health
check will be unable to update the recorded status, and FortiWeb unit
will continue to regard the real server as if it were unresponsive. You
can determine the real server’s connectivity status using the Service
Status widget or an SNMP trap. For details, see “Service Status widget”
on page 49 or “Configuring an SNMP community” on page 68.
Server Farm Select the server farm whose real servers will receive the connections.
For details, see “Grouping physical and domain servers into server
farms” on page 135.
This option appears only if Deployment Mode is Server Balance, HTTP
Content Routing, XPath Content Routing, WSDL Content Routing, Offline
Protection, or Transparent Servers.
Note: If Deployment Mode is Offline Protection or Transparent Servers,
you must select a server farm, even though the FortiWeb unit will allow
connections to pass through instead of actively distributing connections.
Therefore, if you want to govern connections for only a single real
server, rather than a group of servers, you must configure a server farm
with that single real server as its only member in order to select it in the
policy.


Protected Servers Select a protected servers group to allow or reject connections based
upon whether the Host: field in the HTTP header is empty, matches, or
does not match the protected hosts group. For details, see “Configuring
protected servers” on page 147.
If you do not select a protected servers group, connections will be
accepted or blocked based upon other criteria in the policy or protection
profile, but regardless of the Host: field in the HTTP header.
Attack log messages contain DETECT_ALLOW_HOST_FAILED when
this feature does not detect an allowed protected host name.
Note: Unlike HTTP 1.1, HTTP 1.0 does not require the Host: field.
The FortiWeb unit will not block HTTP 1.0 requests for lacking this field,
regardless of whether or not you have selected a protected servers
group.
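The decision the Protected Servers option makes on each request, as an added example (not FortiWeb code): it parses a raw request head, treats a missing Host: in HTTP/1.0 as allowed, and blocks an empty, missing or unlisted Host: with the DETECT_ALLOW_HOST_FAILED message named above. The protected hosts group, the sample requests and the case-insensitive host comparison are this example's own assumptions.

```python
"""Host: header check as the Protected Servers option describes it.

Added example, not FortiWeb code: it models the documented decisions
(no protected hosts group selected, empty or missing Host:, the HTTP/1.0
exemption) over constructed raw requests.
"""

ATTACK_LOG_ID = "DETECT_ALLOW_HOST_FAILED"  # attack log message named in the guide

# Constructed protected hosts group: the names, public IPs and VIPs that
# clients legitimately put in Host: (the private real-server IP is not here).
PROTECTED_HOSTS = {"www.example.com", "example.com", "203.0.113.10"}


def parse_request_head(raw: bytes):
    """Return (http_version, host_value) from the request head.

    host_value is None when no Host: line exists and "" when it is empty.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    version = parts[2] if len(parts) == 3 else "HTTP/0.9"
    host = None
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    return version, host


def normalize_host(host: str) -> str:
    """Strip an explicit :port and lower-case the name.

    Assumption of this example: the comparison is case-insensitive, as DNS
    names are; the guide does not state how FortiWeb compares Host: values.
    """
    host = host.strip()
    if host.startswith("[") and "]" in host:  # IPv6 literal, e.g. [2001:db8::1]:443
        return host[: host.index("]") + 1].lower()
    if host.count(":") == 1:                   # name:port or IPv4:port
        return host.rsplit(":", 1)[0].lower()
    return host.lower()


def check_protected_host(raw: bytes, protected_hosts=None):
    """Decide allow/block for one request and return (verdict, log_message).

    protected_hosts=None models a policy with no protected servers group
    selected: the Host: field is then ignored entirely.
    """
    version, host = parse_request_head(raw)
    if protected_hosts is None:
        return "allow", None
    if host is None and version == "HTTP/1.0":
        # HTTP/1.0 does not require Host:, so its absence is not blocked.
        return "allow", None
    if host is None or host == "":
        return "block", ATTACK_LOG_ID
    if normalize_host(host) in {h.lower() for h in protected_hosts}:
        return "allow", None
    return "block", ATTACK_LOG_ID


# Constructed sample requests.
REQ_OK = b"GET / HTTP/1.1\r\nHost: www.example.com:80\r\n\r\n"
REQ_WRONG_HOST = b"GET / HTTP/1.1\r\nHost: 10.0.0.2\r\n\r\n"   # a private real-server IP
REQ_NO_HOST_11 = b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n"
REQ_NO_HOST_10 = b"GET / HTTP/1.0\r\n\r\n"
REQ_EMPTY_HOST = b"GET / HTTP/1.1\r\nHost:\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_OK, REQ_WRONG_HOST, REQ_NO_HOST_11, REQ_NO_HOST_10, REQ_EMPTY_HOST):
        print(req.split(b"\r\n")[0].decode(), check_protected_host(req, PROTECTED_HOSTS))
```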
Web Protection Profile / XML Protection Profile The name of this drop-down list varies
by your selection in Policy Type. Select the profile to apply to the
connections accepted by this policy, or select Create New to add a new
profile in a pop-up window, without leaving the current page.
If you want to view the details of a profile, select the profile from the list
and click View Profile Details. A protection profile details window opens.
To return to the policy settings, click Back to Policy Settings.
For details on specific protection profiles, see “Configuring XML
protection profiles” on page 184, “Configuring inline protection profiles”
on page 268 or “Configuring offline protection profiles” on page 274.
Note: Depending on the profile types that the current operation mode
supports, not all profiles may be available. For details, see Table 45 on
page 119.
• XML protection profiles apply to reverse proxy mode only.
• Offline protection profiles apply to offline protection mode only.
• Inline protection profiles apply to any mode except offline protection.
Note: Clients with source IP addresses designated as a trusted IP are
exempt from being blocked by the protection profile. For details, see
“Configuring an IP list policy” on page 220.
WAF Auto Learning Profile Select the auto-learning profile, if any, to use in order to
discover attacks, URLs, and parameters in your web servers’ HTTP sessions,
or select Create New to add a new auto-learning profile in a pop-up
window, without leaving the current page. For details, see “Applying
auto-learning profiles” on page 278.
Data gathered using an auto-learning profile can be viewed in an auto-
learning report, and used to generate profiles. For details, see “Auto
learn” on page 281.
HTTP Service Select the custom or predefined service that defines the TCP port
number where the virtual server or bridge receives traffic, or select
Create New to create a new service in a pop-up window, without leaving the
current page. For details, see “Configuring services” on page 145.
This option does not apply to true transparent proxy or transparent
inspection modes.
Note: This option only defines the port number. It does not specify
SSL/TLS. For example, it is possible to configure a web server to listen
on the well-known port number for HTTP (port 80), yet use SSL
(HTTPS). To specify SSL/TLS, see HTTPS Service.


HTTPS Service Select the custom or predefined service that defines the TCP port
number where the virtual server or bridge receives traffic, or select
Create New to create a new service in a pop-up window, without leaving
the current page. For details, see “Configuring services” on page 145.
Enable if connections from HTTP clients to the FortiWeb unit or
protected hosts use SSL. Also configure Certificate.
FortiWeb units contain specialized hardware to accelerate SSL
processing. Offloading SSL processing may improve the performance of
secure HTTP (HTTPS) connections.
SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
The FortiWeb unit handles SSL negotiations and encryption and
decryption, instead of the real servers, also known as offloading.
Connections between the client and the FortiWeb unit will be encrypted.
Connections between the FortiWeb unit and each web server will be
clear text or encrypted, depending on SSL Server.
This option appears only if the FortiWeb unit is operating in reverse
proxy mode.
Note: If the FortiWeb unit is operating in offline protection mode or
either of the transparent modes, you must enable SSL in the server
farm instead.
Caution: If the connection uses SSL, you must enable either this option or
the server farm’s SSL option. Failure to enable an SSL option and provide a
certificate for HTTPS connections will result in the FortiWeb unit being
unable to decrypt connections, and therefore unable to scan HTML or XML
content.
Blocking Port Choose the specific network interface (that is, port1, port2, and so
on) from which TCP reset packets are sent.
This option appears only if the FortiWeb unit is operating in offline
protection mode.
Certificate Select the server certificate the FortiWeb unit will use when encrypting
or decrypting SSL-secured connections, or select Create New to upload
a new certificate in a pop-up window, without leaving the current page.
For more information, see “Uploading a certificate” on page 88.
This option appears only if HTTPS Service is enabled.


Certificate Verification Select the name of a certificate verifier, if any, to use when an
HTTP client presents a personal certificate. (If you do not select one, the
client is not required to present a personal certificate.)
If the client presents an invalid certificate, the FortiWeb unit will not
allow the connection.
To be valid, a client certificate must:
• not be expired
• not be revoked by either certificate revocation list (CRL) or, if
enabled, online certificate status protocol (OCSP) (see “Configuring
certificate verification rules” on page 95)
• be signed by a certificate authority (CA) whose certificate you have
imported into the FortiWeb unit (see “Managing CA certificates” on
page 90); if the certificate has been signed by a chain of
intermediate CAs, those certificates must be included in an
intermediate CA group (see Certificate Intermediate Group)
• contain a CA field whose value matches the CA certificate
• contain an Issuer field whose value matches the Subject field in
the CA certificate
Personal certificates, sometimes also called user certificates, establish
the identity of the person connecting to the web site.
You can require that clients present a certificate instead of or in
addition to HTTP authentication. For more information, see “Configuring
authentication policy” on page 257.
This option appears only if HTTPS Service is enabled, and only applies
if the FortiWeb unit is operating in reverse proxy mode. SSL 3.0 or TLS
1.0 is required.
Note: If the connection fails when you have selected a certificate
verifier, verify that the certificate meets the web browser’s requirements.
Web browsers may have their own certificate validation requirements in
addition to FortiWeb's requirements. For example, personal certificates
for client authentication may be required to either:
• not be restricted in usage/purpose by the CA, or
• contain a Key Usage field that contains Digital Signature, or
have an ExtendedKeyUsage or EnhancedKeyUsage field whose
value contains Client Authentication
If the certificate does not satisfy browser requirements, although it may
be installed in the browser, when the FortiWeb unit requests the client’s
certificate, the browser may not present a certificate selection dialog to
the user, or the dialog may not contain that certificate. In that case,
verification will fail.
For browser requirements, see your web browser’s documentation.
Certificate Intermediate Group Select the name of a group of intermediate certificate
authority (CA) certificates, if any, that will be presented to clients in order
for them to validate the server certificate’s CA signature.
This can prevent clients from getting certificate warnings when the
server certificate configured in Certificate has been signed by an
intermediate CA, rather than directly by a root CA or other CA currently
trusted by the client.
Alternatively, you can include the entire signing chain in the server
certificate itself before uploading it to the FortiWeb unit, thereby
completing the chain of trust with a CA already known to the client.
This option appears only if HTTPS Service is enabled and the FortiWeb
unit is operating in reverse proxy mode.
SSL Server Enable to use SSL to encrypt connections from the FortiWeb unit to
protected web servers. Also configure Certificate.
Disable to pass traffic to protected web servers in clear text.
To test whether the web server supports SSL connections, click SSL
Support Test.
This option appears only in reverse proxy mode. (The FortiWeb unit
cannot act as an SSL terminator or initiator in offline protection mode or
either of the transparent modes.)
Note: Enable only if the protected host supports SSL.


Persistent Server Sessions Enter the maximum number of concurrent TCP client
connections that can be accepted by this policy.
The maximum number of HTTP sessions established with each server
depends on this field, and whether you have selected a single real
server or a server farm and the Load Balancing Algorithm.
For example, if you set the value of Persistent Server Sessions to
10 000 and there are 4 real servers in a server farm that uses Round
Robin-style load-balancing, up to 10 000 client connections would be
accepted, resulting in up to 2 500 HTTP sessions evenly distributed to
each of the 4 real servers.
Each model of FortiWeb units has a maximum allowed number of
persistent sessions. The Edit Policy dialog lists the minimum and
maximum for your FortiWeb model next to this field. For more
specifications, see “Appendix B: Maximum values” on page 397.
Monitor Mode When enabled, this mode treats all blocking actions (deny, redirect, and
so on) as if they were the Alert action. This enables FortiWeb to log
attacks and complete processing of the connection. This is needed to let
the auto-learning feature collect more information to build profiles of
attacks. If auto-learning is not enabled, clear this option. See “Tune up
alerts” on page 30.
URL Case Sensitivity Enable to differentiate uniform resource locators (URLs) according to
upper case and lower case letters for features that act upon the URLs in
the headers of HTTP requests, such as start page rules, IP list rules,
and page access rules.
For example, when this option is enabled, an HTTP request involving
http://www.Example.com/ would not match profile features that
specify http://www.example.com (the difference is the lower case "e").
Comments Enter a description or other comment. The description may be up to 35
characters long.

Enabling or disabling a policy


You can individually enable and disable policies.

Caution: When the operation mode is reverse proxy, disabling a policy could block all
traffic if no remaining active policies match that traffic. That is, if no policies exist or none
are enabled, the FortiWeb unit will deny HTTP/HTTPS traffic.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

To enable or disable a policy


1 Go to Server Policy > Policy > Policy.

2 In the row corresponding to the policy that you want to enable, mark the check box in
the Enable column.
3 In the row corresponding to the policy that you want to disable, clear the check box in
the Enable column.
To determine whether the policy is applicable, see the column “Status” on page 121.


Configuring servers
Server Policy > Server enables you to configure the various types of servers in your
network.
This section includes the following topics:
• Configuring virtual servers
• Configuring physical servers
• Configuring domain servers
• Grouping physical and domain servers into server farms
• Configuring HTTP content routing policy
• Configuring HTTP conversion policy

Configuring virtual servers


Server Policy > Server > Virtual Server displays the list of virtual servers.
Before you can create a policy, you must first configure a virtual server that defines the
network interface or bridge and IP address where traffic destined for an individual real
server or server farm will arrive.
When the FortiWeb unit receives traffic destined for a virtual server, it can then forward the
traffic to a real server or a server farm. The FortiWeb unit identifies traffic as being
destined for a specific virtual server if:
• the traffic arrives on the network interface or bridge associated with the virtual server
• for reverse proxy mode, the destination address is the IP address of a virtual server
(the destination IP address is ignored in other operation modes, except that it must
not be identical with the real server’s IP address)

Caution: Virtual servers can be on the same subnet as real servers. This configuration
creates a one-arm HTTP proxy. For example, the virtual server 10.0.0.1/24 could forward to
the real server 10.0.0.2.
However, this is not recommended. Unless your network’s routing configuration prevents it,
it could allow clients that are aware of the real server’s IP address to bypass the FortiWeb
unit by accessing the real server directly.

Virtual servers are applied by selecting them within a policy. For details, see “Configuring
server policies” on page 118.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 48: Server Policy > Server > Virtual Server tab



GUI item Description


Create New Click to add a virtual server.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
IP Address Displays the IP address and subnet of the virtual server.
Interface Displays the network interface or bridge where traffic destined for the virtual
server will arrive.
Enable Mark the check box to enable use of the virtual server. For details, see
“Enabling or disabling a virtual server” on page 130.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a policy.
Click the Edit icon to modify the entry.

To add a virtual server


1 Go to Server Policy > Server > Virtual Server.
2 Click Create New.
A dialog appears.

3 Configure the following:

GUI item Description


Name Type the name of the virtual server.
IP Address Type the IP address and subnet of the virtual server.
If the FortiWeb unit is operating in offline protection mode or either of
the transparent modes, this IP address will be ignored when deciding
whether or not to apply a policy to the connection, and can therefore be
any IP address, except that it must not be identical to the real server. If
the virtual server’s IP is identical to the real server, the configuration will
not function.
Interface Select the network interface or bridge to which the virtual server is
bound, and where traffic destined for the virtual server will arrive.

4 Click OK.
To define the listening port of the virtual server, create a custom service and select it in
the policy where the virtual server is also selected. For details, see “Configuring
services” on page 145.
To apply the virtual server, you must select it in a policy. For details, see “Configuring
server policies” on page 118.

Enabling or disabling a virtual server


You can individually enable and disable virtual servers. Disabled virtual servers can be
selected in a policy, but will result in a policy that is unable to forward traffic until the virtual
server is enabled.


By default, virtual servers are enabled, and the FortiWeb unit can forward traffic from
them.

Caution: Disabling a virtual server could block traffic matching policies in which you have
selected the virtual server. For details, see “Configuring server policies” on page 118.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

To enable or disable a virtual server


1 Go to Server Policy > Server > Virtual Server.

2 In the row corresponding to the virtual server that you want to enable, in the Enable
column, mark the check box.
3 In the row corresponding to the virtual server that you want to disable, in the Enable
column, clear the check box.

Configuring physical servers


Server Policy > Server > Physical Server displays the list of physical servers.
Before you can create a policy, you must first configure one or more domain servers or
physical servers. Domain servers use domain names while physical servers use IP
addresses.
A physical server defines the IP address of an individual real server or a member of a
server farm that is the ultimate destination of traffic received by the FortiWeb unit at a
virtual server address, and where the FortiWeb unit will forward traffic after applying the
protection profile and other policy settings. You can also use domain names of the
protected real servers. For details, see “Configuring domain servers” on page 133.

Note: A physical server is usually not the same as a protected hosts group.

Physical servers versus protected hosts


Unlike a physical server, which is a single network IP, a protected hosts group should
contain all network IPs, virtual IPs, and domain names that clients use in the Host: field
of the HTTP header to access the web server.
For example, clients often access a web server via a public network such as the Internet.
Therefore the protected hosts group contains domain names, public IP addresses and
public virtual IPs on a network edge router or firewall that are routable from that public
network. But the physical server is only the IP address that the FortiWeb unit uses to
forward traffic to the server and, therefore, is often a private network address, unless the
FortiWeb unit is operating in a mode other than reverse proxy.
Physical servers are applied either by selecting them within a policy, or grouping them into
a server farm that is selected in a policy.


Note: Server health checks cannot be used with an individual physical server. If you want
to monitor a server for responsiveness, you must group one or more physical servers into a
server farm.

For details, see “Configuring server policies” on page 118 or “Grouping physical and
domain servers into server farms” on page 135.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 49: Server Policy > Server > Physical Server tab


GUI item Description


Create New Click to add a physical server.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
IP Address Displays the IP address of the physical server.
Enable Mark the check box to enable use of the physical server. For details, see
“Enabling or disabling a physical server” on page 133.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a policy.
Click the Edit icon to modify the entry.

To add a physical server


1 Go to Server Policy > Server > Physical Server.
2 Click Create New.
A dialog appears.

3 Configure the following:

GUI item Description


Name Enter the name of the physical server.
IP Address Enter the IP address of the physical server.


4 Click OK.
To forward traffic from a virtual server to multiple physical servers, you must group the
physical servers into a server farm. For more information, see “Grouping physical and
domain servers into server farms” on page 135.
To apply the physical server, you must select it in a policy, or group it into a server farm
that is selected in a policy. For details, see “Configuring server policies” on page 118.

Enabling or disabling a physical server


You can individually enable and disable physical servers. You can select disabled physical
servers for a server farm, but they will not be used when forwarding traffic.
By default, physical servers are enabled and the FortiWeb unit can forward traffic to them.
To prevent traffic from being forwarded to a physical server, such as when the server will
be unavailable for a long time due to repairs, you can disable it. If the disabled physical
server is a member of a load-balanced server farm, the FortiWeb unit will automatically
forward connections to other enabled physical servers in the server farm. For XPath or
WSDL content routed server farms, the FortiWeb unit will forward connections to the first
physical server in the server farm.

Note: If the physical server is a member of a server farm and will be unavailable only
temporarily, you can alternatively configure a server health check to automatically prevent
the FortiWeb unit from forwarding traffic to that physical server when it is unresponsive. For
details, see “Configuring server health checks” on page 143.
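How a server farm hands out connections under the rules described on this page and in the policy table above (round robin over enabled members, the first-member fallback for XPath/WSDL content-routed farms, the Persistent Server Sessions figure of 10 000 sessions over 4 servers, and a health check that stops updating a member's recorded status once it is disabled), as an added simulation that is not FortiWeb code. Member names, the farm_type values and the Member/ServerFarm classes are this example's own.

```python
"""Model of how a FortiWeb server farm hands out connections.

Added example, not FortiWeb code. It models: round-robin distribution in
member ID order, disabled members and members recorded as down being
skipped, XPath/WSDL content-routed farms falling back to the first usable
member, and the health check only updating a member's recorded status
while the health check itself is enabled.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Member:
    id: int                     # index within the farm; also the round-robin order
    name: str
    enabled: bool = True        # the Enable check box on the physical/domain server
    responsive: bool = True     # the real server's actual state (simulation input)
    recorded_up: bool = True    # what the server health check last recorded


class ServerFarm:
    def __init__(self, farm_type, members, health_check_enabled=True):
        if farm_type not in ("round_robin", "content_routing"):
            raise ValueError(f"unknown farm type {farm_type!r}")
        self.farm_type = farm_type
        self.members = sorted(members, key=lambda m: m.id)
        self.health_check_enabled = health_check_enabled
        self._next = 0

    def run_health_check(self):
        """Record each member's up/down status, but only while the check is enabled."""
        if not self.health_check_enabled:
            return
        for m in self.members:
            m.recorded_up = m.responsive

    def usable_members(self):
        """Members that are enabled and not recorded as down, in ID order."""
        return [m for m in self.members if m.enabled and m.recorded_up]

    def select(self):
        """Pick the member for the next connection, or None if none is usable."""
        usable = self.usable_members()
        if not usable:
            return None
        if self.farm_type == "content_routing":
            # XPath/WSDL routed farms forward to the first server when the
            # intended member is unavailable (simplified here to "always first").
            return usable[0]
        m = usable[self._next % len(usable)]
        self._next += 1
        return m


def distribute(farm, connections):
    """Return how many of `connections` each member would receive."""
    counts = Counter()
    for _ in range(connections):
        m = farm.select()
        counts[m.name if m else "dropped"] += 1
    return dict(counts)


def four_server_example():
    """The guide's figure: 10 000 sessions over 4 round-robin servers."""
    farm = ServerFarm("round_robin", [Member(i, f"srv{i}") for i in range(1, 5)])
    return distribute(farm, 10_000)


def stuck_status_example():
    """Disable the health check while a member is down: it stays recorded down."""
    farm = ServerFarm("round_robin", [Member(1, "srv1"), Member(2, "srv2")])
    farm.members[1].responsive = False
    farm.run_health_check()             # srv2 is recorded as down
    farm.health_check_enabled = False   # operator disables the check now ...
    farm.members[1].responsive = True   # ... and the server recovers afterwards
    farm.run_health_check()             # nothing updates the recorded status
    return [m.name for m in farm.usable_members()]


if __name__ == "__main__":
    print(four_server_example())
    print(stuck_status_example())
```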

Caution: Disabling a physical server could block traffic matching policies in which you have
selected the physical server, or selected a server farm in which the physical server is a
member. For details, see “Configuring server policies” on page 118.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

To enable or disable a physical server


1 Go to Server Policy > Server > Physical Server.

2 In the row corresponding to the physical server that you want to enable, mark the
check box in the Enable column.
3 In the row corresponding to the physical server that you want to disable, clear the
check box in the Enable column.

Configuring domain servers


Server Policy > Server > Domain Server displays the list of domain servers.
Before you can create a policy, you must first configure one or more domain servers or
physical servers. Domain servers use domain names while physical servers use IP
addresses.


Domain servers define an individual server or a member of a server farm that is the
ultimate destination of traffic received by the FortiWeb unit at a virtual server address, and
where the FortiWeb unit will forward traffic after applying the protection profile and other
policy settings.
Domain servers are applied either by selecting them within a policy, or grouping them into
a server farm that is selected in a policy.

Note: Server health checks cannot be used with an individual domain server. If you want to
monitor a server for responsiveness, you must group one or more domain servers into a
server farm.

For details, see “Configuring server policies” on page 118 or “Grouping physical and
domain servers into server farms” on page 135.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 50: Server Policy > Server > Domain Server tab

GUI item Description


Create New Click to add a domain server.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Domain Displays the domain name of the domain server.
Enable Mark the check box to enable use of the domain server. For details, see
“Enabling or disabling a domain server” on page 135.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a policy.
Click the Edit icon to modify the entry.

To add a domain server


1 Go to Server Policy > Server > Domain Server.
2 Click Create New.
A dialog appears.

3 Configure the following:


GUI item Description


Name Enter the name of the domain server.
Domain Enter the domain name of the domain server.

4 Click OK.
To forward traffic from a virtual server to multiple domain servers, you must group the
domain servers into a server farm. For more information, see “Grouping physical and
domain servers into server farms” on page 135.
To apply the domain server, you must select it in a policy, or group it into a server farm
that is selected in a policy. For details, see “Configuring server policies” on page 118.

Enabling or disabling a domain server


You can individually enable and disable domain servers. Disabled domain servers can be
selected in a server farm, but will not be used when forwarding traffic.
By default, domain servers are enabled and the FortiWeb unit can forward traffic to them.
To prevent traffic from being forwarded to a domain server, such as when the server will be
unavailable for a long time due to repairs, you can disable the domain server. If the
disabled domain server is a member of a load-balanced server farm, the FortiWeb unit will
automatically forward connections to other enabled domain servers in the server farm. For
XPath or WSDL content routed server farms, the FortiWeb unit will forward connections to
the first domain server in the server farm.

Note: If the domain server is a member of a server farm and will be unavailable only
temporarily, you can alternatively configure a server health check to automatically prevent
the FortiWeb unit from forwarding traffic to that domain server when it is unresponsive. For
details, see “Configuring server health checks” on page 143.

Caution: Disabling a domain server could block traffic matching policies in which you have
selected the domain server, or selected a server farm in which the domain server is a
member. For details, see “Configuring server policies” on page 118.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

To enable or disable a domain server


1 Go to Server Policy > Server > Domain Server.
2 In the row corresponding to the domain server that you want to enable, mark the check
box in the Enable column.
3 In the row corresponding to the domain server that you want to disable, clear the
check box in the Enable column.

Grouping physical and domain servers into server farms


Server Policy > Server > Server Farm displays the list of server farms. You need to create
physical or domain servers before you can create a working server farm.
Server farms define a group of physical and domain servers (real servers) among which
the FortiWeb unit will distribute connections, or where the connections will pass through
to, depending on the FortiWeb unit’s operating mode. (Reverse proxy mode actively
distributes connections; offline protection and both transparent modes do not.)


• Reverse Proxy mode: When the FortiWeb unit receives traffic destined for a virtual
server, it can forward the traffic to a physical or domain server or a server farm. If you
have configured the policy to forward traffic to a server farm, the connection is routed
to one of the physical or domain servers in the server farm. Which of the physical or
domain servers receives the connection depends on your configuration of load-
balancing algorithm, weight, server health checking, or content routing by either XPath
expressions, HTTP content or WSDL content routing.
To prevent traffic from being forwarded to unavailable real servers, the availability of
physical and domain servers in a server farm can be verified using a server health
check. Whether the FortiWeb unit will redistribute or drop the connection when a
physical or domain server in a server farm is unavailable varies by the availability of
other members and by your configuration of the Deployment Mode option in the policy.
For details, see “Deployment Mode” on page 123.
• Offline protection/transparent modes: When the FortiWeb unit receives traffic
destined for a virtual server or passing through a bridge, it allows the traffic to pass
through to members of the server farm.
Server farms are applied by selecting them within a policy. For details, see “Configuring
server policies” on page 118.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 51: Server Policy > Server > Server Farm tab


GUI item Description


Create New Click to add a server farm.
# Displays the index number of the entry in the list.
Server Farm Name Displays the name of the entry.
Physical Server Count Displays the number of physical and domain servers that are
members of the server farm.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a policy.
Click the Edit icon to modify the entry.

Note: Before configuring a server farm, you must first configure the real servers that will be
members of the server farm. For details, see “Configuring physical servers” on page 131.

To configure a server farm


1 Go to Server Policy > Server > Server Farm.


2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
3 Configure the following:

4 In Server Farm Name, type a name for the server farm.


This field cannot be modified if you are editing an existing server farm. To modify the
name, delete the entry, then recreate it using the new name.
5 In Comments, type a description for the server farm.
6 From the Type list, select the method of distribution that the FortiWeb unit will use
when forwarding connections to the real servers in this server farm.
If you select HTTP Content Routing from the Type list, continue with the next step.
Otherwise, go to step 8.
7 In some cases, HTTP host names and URLs must be converted before HTTP content
can be routed to a specific real server. For more information, see “Configuring HTTP
conversion policy” on page 141.
8 Click OK.
9 Click Create New.
A dialog appears.

10 Configure the following:

GUI item Description


ID Enter the index number of the real server entry within the server farm,
or keep the field’s default value of auto to let the FortiWeb unit
automatically assign the next available index number.
The first real server will receive connections if you have configured
XPath or WSDL content routing and the other server is unavailable. For
round robin-style load-balancing, the index number indicates the order
in which connections will be distributed.
Server Type Select either Physical Server or Domain Server. For details, see
“Configuring physical servers” on page 131 and “Configuring domain
servers” on page 133.
Physical Server If the server type is physical, select the name of a physical server that
will be a member of the server farm.
Domain Server If the server type is domain, select the name of a domain server that will
be a member of the server farm.
Port Type the TCP port number where the real server listens for
connections.
Note: The remainder of the GUI items depend on the Type selected when initially creating the
server farm.
Weight If the server farm will be used with the weighted round-robin load-
balancing algorithm, type the numerical weight of the real server.
Real servers with a greater weight will receive a greater proportion of
connections.
XPATH Expression Click the icon to display a pop-up window that enables you to enter an
XPath expression. HTTP requests with content matching this
expression will be routed to this real server.
Note: For web service connections, you can alternatively or additionally
configure the WSDL Content Routing option.
WSDL Content Routing Select the name of the WSDL content routing group, if any, that defines
web services that will be routed to this real server. For information on
configuring a WSDL content routing group, see “Configuring WSDL
content routing groups” on page 173.
Note: You can alternatively or additionally configure the XPATH
Expression option.
HTTP Content Routing Select the HTTP content routing policy to use to route HTTP requests to
a specific real server in a server farm. For more information, see
“Configuring HTTP content routing policy” on page 139.

SSL Enable if connections to the server use SSL, and if the FortiWeb unit is
operating in a mode other than reverse proxy. Also configure
Certificate File.
Unlike HTTPS Service in policies, when you enable this option, the
FortiWeb unit will not apply SSL. Instead, it will use the certificate to
decrypt and scan connections before passing the encrypted traffic
through to the web servers or clients.
SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
Caution: You must enable either this option or HTTPS Service if the
connection uses SSL. Failure to enable an SSL option and provide a
certificate will result in the FortiWeb unit being unable to decrypt
connections, and therefore unable to scan HTML or XML content.
Note: When this option is enabled, the web server must be configured
to apply SSL. The FortiWeb unit will use the certificate to decrypt and
scan traffic only. It will not apply SSL to the connections.
Note: Ephemeral (temporary key) Diffie-Hellman exchanges are not
supported if the FortiWeb unit is operating in offline protection mode.
Certificate File Select the real server’s certificate that the FortiWeb unit will use when
decrypting SSL-secured connections, or select Create New to upload a
new certificate in a pop-up window, without leaving the current page.
For more information, see “Uploading a certificate” on page 88.
This option appears only if SSL is enabled.
If the server farm will be used with a policy whose Deployment Mode is Content
Routing or WSDL Content Routing, place the real server that you want to be the
failover first in the list of real servers in the server farm. In content routing or WSDL
content routing, each server in the server farm may not host identical web services. If a
real server is unresponsive to the server health check, the FortiWeb unit will forward
subsequent connections to the first real server in the server farm, which will be
considered to be the failover. Make sure the first real server can act as a backup for
all other servers in the server farm.
11 Repeat the previous step for each real server that you want to add to the server farm.
12 If you need to modify a real server, click its Edit icon. To remove a single real server
from the server farm, click its Delete icon. To remove all real servers from the server
farm, click the Clear icon.
13 Click OK.
To monitor members of the server farm for responsiveness, configure a server health
check that will be used with the server farm. For details, see “Configuring server health
checks” on page 143.
To use a server farm as the destination for web or web services connections, select it
when configuring a policy. For details, see “Configuring server policies” on page 118.
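The member-selection behaviour described above (weighted round robin, where a greater weight receives a greater proportion of connections, and the fallback to the first real server when a content-routed member fails its health check) as an added Python illustration. This is not FortiWeb code: the addresses, weights and health values are constructed sample data, and the matches predicate is a hypothetical stand-in for an XPath or WSDL content routing rule.

```python
"""Server farm member selection: weighted round robin and content-routing failover.

Added illustration, not FortiWeb code. Addresses, weights and health
values are constructed sample data; `matches` is a hypothetical stand-in
for an XPath or WSDL content routing rule.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class RealServer:
    index: int                # position in the farm; the lowest index is the failover
    address: str
    port: int = 80
    weight: int = 1           # used only by weighted round robin
    healthy: bool = True      # result of the most recent server health check
    matches: Optional[Callable[[Dict[str, str]], bool]] = None  # content rule


class ServerFarm:
    def __init__(self, members: List[RealServer]) -> None:
        # Keep members ordered by index: the first member is the failover.
        self.members = sorted(members, key=lambda m: m.index)
        self._queue: List[RealServer] = []

    def _rebuild_queue(self) -> None:
        # Each healthy member appears `weight` times per cycle, so a member
        # with weight 2 receives twice as many connections as one with weight 1.
        self._queue = [m for m in self.members if m.healthy for _ in range(m.weight)]

    def next_weighted_round_robin(self) -> Optional[RealServer]:
        """Return the next member under weighted round robin, or None if all are down."""
        while True:
            if not self._queue:
                self._rebuild_queue()
                if not self._queue:
                    return None
            member = self._queue.pop(0)
            if member.healthy:        # skip members that failed since the cycle began
                return member

    def route_by_content(self, request: Dict[str, str]) -> Optional[RealServer]:
        """Return the member whose content rule matches the request.

        If the matching member is unresponsive (or no rule matches, an
        assumption of this example), fall back to the first member in the
        farm, which must therefore be able to serve every other member's content."""
        for member in self.members:
            if member.matches is not None and member.matches(request):
                if member.healthy:
                    return member
                break
        failover = self.members[0]
        return failover if failover.healthy else None
```

The weighted round-robin queue is rebuilt from the current health status each cycle, so a server that the health check has marked unresponsive drops out of the rotation until it recovers, and the content-routing path returns None only when the designated failover itself is down.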

Configuring HTTP content routing policy


Server Policy > Server > HTTP Content Routing Policy displays the HTTP Content
Routing Policy window.
An HTTP content routing policy protects the identity of internal host names or URLs used
in a server farm by routing connections to the appropriate real servers.
HTTP content routing is beneficial in cases where one virtual server provides the interface
for many physical web servers. With content routing enabled, you can route web traffic
according to URL or host.
In some cases, HTTP requests must be converted before HTTP content routing can occur.
For more information, see “Configuring HTTP conversion policy” on page 141.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 52: Server Policy > Server > HTTP Content Routing Policy tab

GUI item Description


Create New Click to add an HTTP content routing policy.
# Displays the index number of the entry in the list.
Policy Name Displays the name of the policy.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a server farm or policy.
Click the Edit icon to modify the entry.

To configure an HTTP content routing policy


1 Go to Server Policy > Server > HTTP Content Routing Policy.
2 Click Create New.
A dialog appears.

3 In Name, type the name of the HTTP content routing policy.


4 Configure the following:

GUI item Description


Host status Select to enable the Host field.
Host Choose whether routing will be done based on a specific IP or Host.
Enter the IP address or host of the real server used to route HTTP
requests to. Leave this field empty if routing is to be done based only on
the URL.
Type Select the method used to match the URL upon which routing will take
place. If matching is done according to Host, choose Regular
Expression and add "\/" (a backslash and a forward slash with no space
between) in the URL pattern, such as \/example.
URL pattern Enter the specific request file to be routed.

5 Click OK.

Below are two examples of how to use HTTP content routing.

Example 1 - HTTP content routing according to URL


Your network has one virtual server (front end) with three physical web servers (back end).
The front-end server has the URL www.example.com. Its back-end applications are
differentiated by directories, such as: /games, /school and /work.
The back-end servers were configured with the following IP addresses:
10.5.5.11 – games application
10.5.5.12 – school application
10.5.5.13 – work application
When HTTP content routing is enabled, HTTP requests to www.example.com/school are
automatically routed to the appropriate back-end web server, 10.5.5.12. Similarly,
requests for /games go to 10.5.5.11 and /work go to 10.5.5.13.

Example 2 - HTTP content routing according to Host


Your network has three different hosts (back end) that all terminate on the same virtual
server IP address (front end). Requests need to be routed to different hosts at the back
end.
The back-end hosts are configured as:
www.example1.com
www.example2.com
www.example3.com
When HTTP content routing is enabled, HTTP requests to www.example1.com are
automatically routed to the appropriate back-end host.
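Both examples above, routing by URL directory and routing by Host, as an added Python illustration of the matching a content routing policy performs. This is not FortiWeb code: the raw request text is constructed, the 10.5.5.x addresses are those of Example 1, and the 192.0.2.x back-end addresses for the Host example are constructed placeholders. The Host example uses the regular expression \/ as its URL pattern, as step 4 describes, so that any request path qualifies and only the Host: header decides the route.

```python
"""HTTP content routing by URL and by Host, as in the two examples above.

Added illustration, not FortiWeb code. The request text and the back-end
addresses used for the Host example (192.0.2.x) are constructed; the
10.5.5.x addresses come from Example 1.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ContentRoute:
    real_server: str               # address of the back-end server
    host: Optional[str] = None     # None: route on the URL only
    url_type: str = "simple"       # "simple" (directory prefix) or "regex"
    url_pattern: str = "/"

    def matches(self, host: str, path: str) -> bool:
        if self.host is not None and host.lower() != self.host.lower():
            return False
        if self.url_type == "regex":
            return re.search(self.url_pattern, path) is not None
        # Simple match: the pattern is a directory such as /games, which must
        # match the whole first segment (so /gamesx does not qualify).
        prefix = self.url_pattern.rstrip("/") or "/"
        return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def parse_request(raw: str) -> Tuple[str, str]:
    """Return (Host header without any :port suffix, request path) from a raw request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().split(":", 1)[0]
    return host, target.split("?", 1)[0]


def select_real_server(routes: List[ContentRoute], raw_request: str) -> Optional[str]:
    """First matching route wins; None means no back end was selected."""
    host, path = parse_request(raw_request)
    for route in routes:
        if route.matches(host, path):
            return route.real_server
    return None


# Example 1: one front-end name, back ends distinguished by directory.
URL_ROUTES = [
    ContentRoute("10.5.5.11", url_pattern="/games"),
    ContentRoute("10.5.5.12", url_pattern="/school"),
    ContentRoute("10.5.5.13", url_pattern="/work"),
]

# Example 2: three host names on one virtual server IP. The URL pattern is the
# regular expression \/ so that any path qualifies and only the Host decides.
HOST_ROUTES = [
    ContentRoute("192.0.2.1", host="www.example1.com", url_type="regex", url_pattern=r"\/"),
    ContentRoute("192.0.2.2", host="www.example2.com", url_type="regex", url_pattern=r"\/"),
    ContentRoute("192.0.2.3", host="www.example3.com", url_type="regex", url_pattern=r"\/"),
]
```

A request whose Host or path matches no route yields None here; on the FortiWeb unit, which real server (if any) receives such a request depends on the server farm's failover configuration described under "Grouping physical and domain servers into server farms".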

Configuring HTTP conversion policy


Server Policy > Server > HTTP Content Conversion Policy displays existing conversion
policies.
An HTTP conversion policy is used only in situations where HTTP requests received by
the FortiWeb unit include a host name or URL that needs to be converted before the
request is routed to a real server (forward conversion), or where the "Location" field in an
HTTP response needs to be converted to a host name or URL (reverse conversion).
This enables bidirectional conversion of URLs and host names for HTTP content routing.
For more information, see “Configuring HTTP content routing policy” on page 139.
The HTTP conversion policy is used as part of configuring a server farm, which is in turn
used as part of an overall server policy. For more information on server farm configuration,
see “Grouping physical and domain servers into server farms” on page 135.

Caution: When configuring HTTP conversion policy, check to see whether there are any
URL rewriting policies in use that might conflict with the HTTP conversion policy. If conflicts
occur, the URL rewriting policy takes priority over the HTTP conversion policy. For more
information on URL rewriting policy, see “Configuring URL rewriting policy” on page 244.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 53: Server Policy > Server > HTTP Content Conversion Policy tab

GUI item Description


Create New Click to add an HTTP content conversion policy.
# Displays the index number of the entry in the list.
Policy Name Displays the name of the policy.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a server farm or policy.
Click the Edit icon to modify the entry.

To add an HTTP Content Conversion Policy


1 Go to Server Policy > Server > HTTP Content Conversion Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type a name for the HTTP conversion policy.


This field cannot be modified if you are editing an existing HTTP conversion policy. To
modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

6 Configure the following:

GUI item Description


ID Enter the index number of the conversion policy, or keep the default
value of auto to let the FortiWeb unit automatically assign the next
available index number.
Conversion Method Select the HTTP conversion method.
The conversion method modifies the HTTP packet header information,
depending on whether the packet is an HTTP request or an HTTP
response.
• With Forward Conversion, the FortiWeb unit converts the original
URL in the HTTP request packet to a specific destination URL on a
destination host.
• With Reverse Conversion, the FortiWeb unit modifies the HTTP
response packet to the original URL.
Original URL Enter the URL from the original HTTP request packet.
The original URL is part of the HTTP request packet. Depending on the
HTTP conversion method, the Original URL is converted to a
destination URL (forward conversion), or inserted as the location for
HTTP response packets (reverse conversion).
Destination URL Enter the URL to be used as the destination URL.
The FortiWeb unit converts the Original URL value to the Destination
URL.
Original Host Enter the host name from the original HTTP request packet.
The host name is contained in the Host: field in the HTTP request
packet.
Destination Host Enter the name of the destination host.
The FortiWeb unit converts the Original Host value to the Destination
Host.

7 Click OK.
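The two conversion directions in the table above, forward conversion of the request's host name and URL and reverse conversion of the Location header in the response, as an added Python illustration. This is not FortiWeb code; the rule values, host names and headers are constructed sample data, and a rule is modelled as holding all four fields (Original URL, Destination URL, Original Host, Destination Host) at once.

```python
"""Forward and reverse HTTP conversion for content routing.

Added illustration, not FortiWeb code. The rule values and the request
and response headers below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class ConversionRule:
    original_url: str       # URL prefix as the client sends it
    destination_url: str    # URL prefix the real server expects
    original_host: str      # Host: value as the client sends it
    destination_host: str   # host name the real server expects


def forward_convert(rule: ConversionRule, host: str, path: str) -> Tuple[str, str]:
    """Request direction: rewrite the original host/URL to the destination host/URL.

    Requests that do not match the rule pass through unchanged."""
    if host.lower() != rule.original_host.lower() or not path.startswith(rule.original_url):
        return host, path
    return rule.destination_host, rule.destination_url + path[len(rule.original_url):]


def reverse_convert(rule: ConversionRule, location: str) -> str:
    """Response direction: rewrite a Location value that names the destination
    host/URL back to the original, so the internal name is not revealed."""
    parts = urlsplit(location)
    if parts.hostname is None or parts.hostname.lower() != rule.destination_host.lower():
        return location
    if not parts.path.startswith(rule.destination_url):
        return location
    new_path = rule.original_url + parts.path[len(rule.destination_url):]
    netloc = rule.original_host + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, new_path, parts.query, parts.fragment))


def convert_response_headers(rule: ConversionRule, headers: Dict[str, str]) -> Dict[str, str]:
    """Apply reverse conversion to the Location header of a response, if present."""
    converted = dict(headers)
    for name in converted:
        if name.lower() == "location":
            converted[name] = reverse_convert(rule, converted[name])
    return converted
```

Without the reverse direction, a redirect issued by the real server would carry its internal host name and path to the client; the forward direction alone is therefore not sufficient to keep the internal naming private.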

Configuring server health checks


Server Policy > Server Health Check > Server Health Check displays the list of server
health checks.
To create a policy that will include a server farm whose servers are monitored for
responsiveness, you must first create a server health check to do the monitoring.

Server health checks poll real servers that are members of the server farm to determine
their availability (that is, whether or not the server is responsive) before forwarding traffic.
Server health check configurations can specify TCP, HTTP, or ICMP ECHO (ping). A
health check occurs once every interval, measured in seconds. If a reply is not received
within the timeout period and you have configured the health check to retry, it will attempt
the health check again; otherwise, the server is deemed unresponsive. The FortiWeb unit
will compensate by disabling traffic to that server until it becomes responsive again.

Note: If a real server will be unavailable for a long period, such as when a server is
undergoing hardware repair or when you have removed a server from the server farm, you
may improve the performance of your FortiWeb unit by disabling the real server, rather than
allowing the server health check to continue to check for responsiveness. For details, see
“Configuring physical servers” on page 131.

Server health checks are applied by selecting them in a policy, for use with the entire
server farm. For details, see “Configuring server policies” on page 118.
To view the status currently being detected by server health checks, use the Service
Status widget on the dashboard. For details, see “Service Status widget” on page 49.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 54: Server Policy > Server Health Check > Server Health Check tab

GUI item Description


Create New Click to add a server health check.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Type Displays the protocol that the server health check will use to contact the
real server.
• Disabled (the server health check is currently disabled)
• Ping
• TCP
• HTTP
Details Displays the URL that will be used in the HTTP GET request if the server
health check Type is HTTP. If the real server successfully returns this
content, it is considered to be responsive.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a server policy.
Click the Edit icon to modify the entry.

To add a server health check


1 Go to Server Policy > Server Health Check > Server Health Check.
2 Click Create New.
A dialog appears.

Figure 28: Adding a server health check

3 In Name, type the name of the server health check.


4 From Protocol Type, select the protocol that the server health check will use to contact
the real server, one of: Ping, TCP, or HTTP.
5 Configure the following:

GUI item Description


URL Path Enter the portion of the URL, such as /index.html, that follows the
URL’s domain name or IP address portion. This path will be used in the
HTTP GET request to verify the responsiveness of the server. If the real
server successfully returns this content, it is considered to be
responsive.
This option appears only if Protocol Type is HTTP.
Timeout Enter the number of seconds that the FortiWeb unit waits for a reply to a
health check before it considers that check to have failed.
Retry Times Enter the number of times, if any, a failed health check will be retried
before the server is considered unresponsive.
Interval Enter the number of seconds between each server health check.

6 Click OK.
To apply a server health check, select it when configuring a policy that uses a server farm.
For details, see “Configuring server policies” on page 118.
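The interval, timeout and retry logic of a server health check, as an added Python illustration of how a monitor decides that a real server is unresponsive and later that it has recovered. This is not FortiWeb code. The TCP and HTTP probes use the Python standard library; treating the retries as immediate re-attempts within the same scheduled check is an assumption of this example, as the guide does not state when retries occur. The scripted probe results in the test are constructed.

```python
"""Server health check state tracking: interval, timeout and retries.

Added illustration, not FortiWeb code. The TCP and HTTP probes use the
standard library; the MemberMonitor accepts any zero-argument probe so the
logic can be exercised offline. Treating retries as immediate re-attempts
within the same check is an assumption of this example.
"""
import http.client
import socket
from dataclasses import dataclass
from typing import Callable


@dataclass
class HealthCheck:
    protocol: str            # "ping", "tcp" or "http"
    url_path: str = "/"      # used only when protocol is "http"
    timeout: float = 3.0     # seconds to wait for a reply
    retry_times: int = 3     # re-attempts after a failed check
    interval: float = 10.0   # seconds between checks


def tcp_probe(address: str, port: int, timeout: float) -> bool:
    """TCP check: the server is responsive if the connection completes in time."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_probe(address: str, port: int, path: str, timeout: float) -> bool:
    """HTTP check: GET the path and require a non-error status."""
    try:
        conn = http.client.HTTPConnection(address, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": address})
        status = conn.getresponse().status
        conn.close()
        return 200 <= status < 400
    except (OSError, http.client.HTTPException):
        return False


class MemberMonitor:
    """Tracks one real server's responsiveness using a HealthCheck."""

    def __init__(self, check: HealthCheck, probe: Callable[[], bool]) -> None:
        self.check = check
        self.probe = probe          # zero-argument function: True if the server replied
        self.responsive = True      # traffic is forwarded while True
        self.next_due = 0.0

    def tick(self, now: float) -> bool:
        """Run a check if the interval has elapsed; return the current status."""
        if now < self.next_due:
            return self.responsive
        self.next_due = now + self.check.interval
        # One attempt plus retry_times re-attempts; any reply keeps the member up.
        for _ in range(1 + self.check.retry_times):
            if self.probe():
                self.responsive = True
                return True
        # Every attempt failed: disable traffic until a later check succeeds.
        self.responsive = False
        return False
```

To monitor a live server, pass a probe such as `lambda: http_probe("192.0.2.10", 80, "/index.html", 3.0)` and call `tick()` from a scheduler; the retry count bounds how many consecutive failures are tolerated before the member is taken out of rotation, while the interval bounds how quickly a recovered server is noticed.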

Configuring services
Server Policy > Service displays predefined and custom services.
Services define protocols and TCP port numbers and can be selected in a policy to define
the traffic that the policy will match.
While some predefined services are available (see “Viewing the list of predefined services”
on page 146), you may need to configure your own custom services if your virtual servers
will receive traffic on non-standard TCP port numbers.
Before or during creating a policy, you must configure a service that defines the TCP port
number where traffic destined for a virtual server will arrive. (Exceptions include policies
whose Deployment Mode is Offline Protection, which do not require that you define a TCP
port number using a service.) For details, see “Configuring server policies” on page 118.

Viewing the list of custom services


Server Policy > Service > Custom displays the list of custom services.

Custom services can be selected in a policy in order to define the protocol and listening
port of a virtual server.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 55: Server Policy > Service > Custom tab

GUI item Description


Create New Click to add a custom service.
Service Name Displays the name of the entry.
Detail Displays the protocol and TCP port number of the service.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a policy.
Click the Edit icon to modify the entry.

To add a custom service


1 Go to Server Policy > Service > Custom.
2 Click Create New.
A dialog appears.
3 Configure the following:

GUI item Description


Name Enter the name of the service.
Protocol Only TCP is available.
Port Enter the TCP port number of the service.

4 Click OK.
To use a custom service as the listening port of a virtual server, you must select it in a
policy. For details, see “Configuring server policies” on page 118.

Viewing the list of predefined services


Server Policy > Service > Predefined displays the list of predefined services.

Predefined services can be selected in a policy in order to define the protocol and listening
port of a virtual server. For details, see “Configuring server policies” on page 118.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 56: Server Policy > Service > Predefined tab

GUI item Description


Name Displays the name of the entry.
Detail Displays the protocol and TCP port number of the service.

Configuring protected servers


Server Policy > Protected Servers > Protected Servers displays the list of protected
server groups (also called a protected host group).
A protected server group contains one or more IP addresses or fully qualified domain
names (FQDNs). Each entry in the protected server group defines a virtual or real web
host, according to the Host: field in the HTTP header of requests from clients that you
want the FortiWeb unit to protect.
For example, if your web servers receive requests with HTTP headers, such as
GET /index.php HTTP/1.1
Host: www.example.com
you might define a protected server group with an entry of www.example.com and select
it in the policy. This would reject requests that are not for that host.

Note: A protected hosts group is usually not the same as a real server.

Unlike a real server, which is a single IP at the network layer, a protected server group
should contain all network IPs, virtual IPs, and domain names that clients use to access
the web server at the application (HTTP) layer.
For example, clients often access a web server via a public network such as the Internet.
Therefore, the protected server group contains domain names, public IP addresses and
public virtual IPs on a network edge router or firewall that are routable from that public
network. But the physical server is only the IP address that the FortiWeb unit uses to
forward traffic to the server and, therefore, is often a private network address (unless the
FortiWeb unit is operating in offline protection or either of the transparent modes).
Protected server groups can be used by:
• policies
• input rules
• server protection exceptions
• start page rules
• page access rules
• IP list rules
• allowed method exceptions
• HTTP authentication rules
• hidden fields rules
These rules can use protected host definitions to apply rules only to requests for a
protected host. If you do not specify a protected server group in the rule, the rule will be
applied based upon other criteria such as the URL, but regardless of the Host: field.
Policies can use protected host definitions to block connections that are not destined for a
protected host. If you do not select a protected server group in a policy, connections will be
accepted or blocked regardless of the Host: field.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 57: Server Policy > Protected Servers > Protected Servers tab

Delete
Edit

GUI item Description


Create New Click to add a protected server group.
# Displays the index number of the protected server group.
Name Displays the name of the entry.
Protected Server Count Displays the number of hosts contained in the protected server group.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a policy or other item.
Click the Edit icon to modify the entry.

To add a protected server group


1 Go to Server Policy > Protected Servers > Protected Servers.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.

3 In Name, type the name of the protected server group.


This field cannot be modified if you are editing an existing protected server group. To
modify the name, delete the entry, then recreate it using the new name.
4 From Default Action, select whether to Accept or Deny HTTP requests that do not
match any of the host definitions that you will add to this protected server group.
5 Click OK.
6 Click Create New.
A dialog appears.
7 Configure the following:

GUI item Description


ID Enter the index number of the host entry within the protected server group, or
keep the field’s default value of auto to let the FortiWeb unit automatically
assign the next available index number.
Host Enter the IP address or FQDN of a real or virtual web host, according to the
Host: field in HTTP requests, that you want the FortiWeb unit to protect.
If clients connect to your web servers through the IP address of a virtual server
on the FortiWeb unit, this should be the IP address of that virtual server or any
domain name to which it resolves, not the actual IP address of the web server.
For example, if a virtual server 10.0.0.1/24 forwards traffic to the physical server
192.168.1.1, for protected hosts, you would enter:
• 10.0.0.1, the address of the virtual server
• www.example.com, the domain name that resolves to the virtual server
Action Select whether to Accept or Deny HTTP requests whose Host: field matches
this host entry.

8 Repeat the previous step for each host that you want to add to the protected server
group.
9 If you need to modify a host, click its Edit icon. To remove a single host from the
protected server group, click its Delete icon. To remove all hosts from the protected
server group, click the Clear icon.
10 Click OK.
To use a protected server group, you must select it in a policy, input rule, start page rule,
page access rule, trusted IP rule, or hidden field rule. For details, see:
• “Configuring server policies” on page 118
• “Configuring parameter validation input rules” on page 194
• “Configuring page access rules” on page 198
• “Configuring start page rules” on page 213
• “Configuring URL access rules” on page 218
• “Configuring URL access policy” on page 216
• “Configuring allowed method exceptions” on page 237
• “Configuring hidden field rules” on page 241
Attack log messages contain DETECT_ALLOW_HOST_FAILED when this feature does not
detect an allowed protected host name.
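The Host: header check that a protected server group performs, with per-entry Accept/Deny actions, the group's Default Action for unmatched hosts, and the DETECT_ALLOW_HOST_FAILED log message named above, as an added Python illustration. This is not FortiWeb code: the group, its entries and the sample requests are constructed (the 10.0.0.1 and www.example.com entries follow the virtual-server example in step 7), and stripping a :port suffix from the Host value before matching is an assumption of this example.

```python
"""Protected server group: accept or deny requests by their Host: header.

Added illustration, not FortiWeb code. The group, its entries and the
sample requests are constructed. Stripping a :port suffix from the Host
value before matching is an assumption of this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ProtectedHost:
    host: str               # IP address or FQDN as clients send it in Host:
    action: str = "Accept"  # "Accept" or "Deny"


@dataclass
class ProtectedServerGroup:
    name: str
    hosts: List[ProtectedHost] = field(default_factory=list)
    default_action: str = "Deny"   # applied when no entry matches

    def decide(self, host_header: Optional[str]) -> str:
        """Return the action for a Host: value; the first matching entry wins.

        A request without a Host: header (HTTP/1.0) gets the default action."""
        if host_header is None:
            return self.default_action
        host = host_header.strip().lower()
        if host.startswith("["):          # IPv6 literal such as [::1]:80
            host = host[: host.index("]") + 1] if "]" in host else host
        else:
            host = host.split(":", 1)[0]  # drop a :port suffix (assumption)
        for entry in self.hosts:
            if entry.host.lower() == host:
                return entry.action
        return self.default_action


def host_header_of(raw_request: str) -> Optional[str]:
    """Extract the Host: header value from a raw HTTP request, or None if absent."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None


def check_request(group: ProtectedServerGroup, raw_request: str) -> Tuple[str, Optional[str]]:
    """Return (action, attack-log message). Denied requests produce the
    DETECT_ALLOW_HOST_FAILED message the guide describes."""
    host = host_header_of(raw_request)
    action = group.decide(host)
    if action == "Deny":
        return action, f"DETECT_ALLOW_HOST_FAILED host={host!r} group={group.name}"
    return action, None


# Constructed group: the virtual server address and the name that resolves to it.
EXAMPLE_GROUP = ProtectedServerGroup(
    "public-web",
    [ProtectedHost("10.0.0.1"), ProtectedHost("www.example.com")],
    default_action="Deny",
)
```

Because the entries name what clients put in Host:, the group lists the virtual server's address and public names rather than the physical server's private address, which is why the guide says a protected server group is usually not the same as a real server.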

Configuring predefined patterns


Predefined patterns are data types and rules that are used by input rules to define the data
type of an input, and by auto-learning profiles to detect valid input parameters.
This section includes the following topics:
• Grouping predefined data types
• Viewing the list of predefined data types
• Grouping suspicious URLs
• Viewing predefined URL rules

Grouping predefined data types


Server Policy > Predefined Pattern > Data Type Group displays the list of data type
groups.
A data type group defines which predefined data types (see “Viewing the list of predefined
data types” on page 152) the FortiWeb unit will attempt to detect and track in input
parameters when gathering data for an auto-learning report.
For example, if you include the Email data type in the data type group, auto-learning
profiles that use the data type group might discover that your web applications use a
parameter named username whose value is an email address.

Tip: If you know that your network’s HTTP sessions do not include a specific data type,
omit it from the data type group to improve performance. The FortiWeb unit will not expend
resources scanning traffic for that data type.

Data type groups are used by auto-learning profiles. For details, see “Applying auto-
learning profiles” on page 278.

Note: Alternatively, you can automatically configure a data type group that includes all
types by generating a default auto-learning profile. For details, see “Generating an auto-
learning profile and its components” on page 281.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 58: Server Policy > Predefined Pattern > Data Type Group tab

GUI item Description


Create New Click to add a data type group.
# Displays the index number of the data type group.
Name Displays the name of the entry.
Count Displays the number of predefined data types included in this data type
group.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in an auto-learning profile.
Click the Edit icon to modify the entry.

To add a data type group


1 Go to Server Policy > Predefined Pattern > Data Type Group.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type a name for the data type group.


This field cannot be modified if you are editing an existing data type group. To modify
the name, delete the entry, then recreate it using the new name.
4 For Type, enable the predefined data types that you want to include in the group.
To view the regular expressions for the types of patterns that each data type will detect,
see “Viewing the list of predefined data types” on page 152.
5 Click OK.

To use a data type group, select it when configuring an auto-learning profile. For details,
see “Applying auto-learning profiles” on page 278.
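How a data type group drives detection of parameter data types during auto-learning, as an added Python illustration. This is not FortiWeb code: the regular expressions are this example's own approximations of five of the predefined data types the guide names (Email, Canadian Post Code, CA Social Insurance Number, Level 1 Password, Level 2 Password), not the patterns the FortiWeb unit ships with, and the sample parameter values are constructed. It also shows the effect of the Tip above: a type omitted from the group is never tested for.

```python
"""Data type group detection for auto-learning.

Added illustration, not FortiWeb code. The regular expressions are this
example's own approximations of the predefined data types named in the
guide, not the patterns the FortiWeb unit ships with. Sample parameter
values are constructed.
"""
import re
from typing import Dict, Iterable, List, Pattern, Set

# Approximate patterns; anchored so a value must match as a whole.
PREDEFINED_DATA_TYPES: Dict[str, Pattern[str]] = {
    "Email": re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"),
    "Canadian Post Code": re.compile(r"^[A-Za-z]\d[A-Za-z] ?\d[A-Za-z]\d$"),
    "CA Social Insurance Number": re.compile(r"^\d{3}-\d{3}-\d{3}$"),
    # At least 6 characters with a lower-case letter, an upper-case letter and a digit.
    "Level 1 Password": re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{6,}$"),
    # At least 8 characters, additionally requiring a special character.
    "Level 2 Password": re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$"),
}


def make_data_type_group(enabled: Iterable[str]) -> Dict[str, Pattern[str]]:
    """Build a data type group from the enabled type names; unknown names are rejected."""
    group: Dict[str, Pattern[str]] = {}
    for name in enabled:
        if name not in PREDEFINED_DATA_TYPES:
            raise ValueError(f"unknown predefined data type: {name}")
        group[name] = PREDEFINED_DATA_TYPES[name]
    return group


def detect_types(value: str, group: Dict[str, Pattern[str]]) -> Set[str]:
    """Return the names of every type in the group that the value matches.

    Only the types in the group are tested, so omitting a type from the
    group means no work is spent looking for it."""
    return {name for name, pattern in group.items() if pattern.match(value)}


def learn_parameter_types(samples: List[str], group: Dict[str, Pattern[str]]) -> Set[str]:
    """Return the types that every observed value of a parameter matches.

    This is how an auto-learning pass would conclude, for example, that a
    parameter named username carries email addresses. An empty sample list
    yields no conclusion."""
    if not samples:
        return set()
    learned = detect_types(samples[0], group)
    for value in samples[1:]:
        learned &= detect_types(value, group)
    return learned
```

A value that satisfies Level 2 Password also satisfies Level 1 Password, so both names are reported for such a value; a consumer that wants a single classification should prefer the stricter type.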

Viewing the list of predefined data types


Server Policy > Predefined Pattern > Predefined Data Type displays the list of predefined
data types.
You select predefined data types in data type groups, which are used by input rules to
define the data type of an input, and by auto-learning profiles to detect valid input
parameters. For details, see “Grouping predefined data types” on page 150.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 59: Server Policy > Predefined Pattern > Predefined Data Type tab


GUI item Description


Name Displays the name of the data type. Select the blue arrow beside a pattern to
expand the entry and display the individual rules contained in the entry.
• Address: Canadian postal codes and United States ZIP code and
ZIP + 4 codes.
• Canadian Post Code: Canadian postal codes such as K2H 7B8.
• CA Province Name and Abbrev: Modern and older names and
abbreviations of Canadian provinces in English, as well as some
abbreviations in French, such as Quebec, IPE, Sask, and Nunavut.
Does not detect province names in French.
• CA Social Insurance Number: Canadian Social Insurance Numbers
(SIN) such as 123-456-789.
• China Post Code: Chinese postal codes such as 610000.
• Country Name and Abbrev: Country names, codes, and abbreviations
in English characters, such as CA, Cote d’Ivoire, Brazil, Russian
Federation, and Brunei.
• Credit Card Number: American Express, Carte Blanche, Diners Club,
enRoute, Japan Credit Bureau (JCB), Master Card, Novus, and Visa
credit card numbers.
• Date/Time: Dates and times in various formats such as +13:45 for time
zone offsets, 1:01 AM, 1am, 23:01:01, and 01.01.30 AM for times, and
31.01.2009, 31/01/2009, 01/31/2000, 2009-01-3, 31-01-2009, 1-31-
2009, 01 Jan 2009, 01 JAN 2009, 20-Jan-2009 and February 29, 2009
for dates.
• Email: Email addresses such as admin@example.com.
• Level 1 Password: A string of at least 6 characters, with one or more
each of lower-case characters, upper-case characters, and digits, such
as aBc123. Level 1 passwords are “weak” passwords, generally easier
to crack than level 2 passwords.
• Level 2 Password: A string of at least 8 characters, with one or more
each of lower-case characters, upper-case characters, digits, and
special characters, such as aBc123$%.
• Markup/Code: HTML comments, wiki code, hexadecimal HTML color
codes, quoted strings in VBScript and ANSI SQL, SQL statements, and
RTF bookmarks such as:
• #00ccff, <!--A comment.-->
• [link url="http://example.com/url?var=A&var2=B"]
• SELECT * FROM TABLE
• {\*\bkmkstart TagAmountText}
Does not match ANSI escape codes, which are instead detected as
strings.
• Numbers: Numbers in various monetary, decimal, comma-separated
value (CSV) and other formats such as 123, +1.23, $1,234,567.89,
1'235.140, and -123.45e-6. Does not detect hexadecimal numbers,
which are instead detected as strings or code, and social security
numbers, which are instead detected as strings.
• Phone: Australian, United States, and Indian phone numbers in
various formats such as (123)456-7890, 1.123.456.7890,
0732105432, and +919847444225.
• Strings: Character strings such as alphanumeric words, credit card
numbers, United States social security numbers (SSN), UK vehicle
registration numbers, ANSI escape codes, and hexadecimal
numbers in formats such as user1, 123-45-6789, ABC 123 A,
4125632152365, [32mHello, and 8ECCA04F.
• URI: Uniform resource identifiers (URI) such as
http://www.example.com, ftp://ftp.example.com, and
mailto:admin@example.com.
• US Social Security Number: United States social security numbers
(SSN) such as 123-45-6789.
• US State Name and Abbrev: United States state names and modern
postal abbreviations such as HI and Wyoming. Does not detect older
postal abbreviations such as Fl. or Wyo.
• US Zip Code: United States ZIP code and ZIP + 4 codes such as
34285-3210.


Pattern Displays the regular expression that is used to detect the presence of the
data type when you select the blue arrow beside a pattern. Parameter
values must match the regular expression in order for an auto-learning
profile to successfully detect the data type, or for an input rule to permit the
input.
Description Displays a description when you select the blue arrow beside a pattern that
may include examples of values that match the regular expression.

Grouping suspicious URLs


Server Policy > Predefined Pattern > Suspicious URL Rule displays the list of suspicious
URL groups.
A suspicious URL group selects a subset of one or more of the predefined suspicious
URLs (see “Viewing predefined URL rules” on page 155). It can also include existing
custom suspicious rules (see “Creating custom suspicious URLs” on page 157).
Each of those entries in the suspicious URL group defines a type of URL. The FortiWeb
unit considers HTTP requests for these administratively sensitive URLs to be possibly
malicious when gathering data for an auto-learning profile.
HTTP requests for URLs typically associated with administrative access to your web
applications or web server, for example, may be malicious if they originate from the
Internet instead of your management LAN. You may want to discover such requests for
the purpose of designing blacklist rules to protect your web server.
If you know that your network’s web servers are not vulnerable to a specific type of
suspicious URL, such as if the URL is associated with attacks on Microsoft IIS web
servers but all of your web servers are Apache web servers, omit it from the suspicious
URL group to improve performance. The FortiWeb unit will not expend resources
scanning traffic for that type of suspicious URL.
Suspicious URL groups are used by auto-learning profiles. For details, see “Applying auto-
learning profiles” on page 278.
Before creating an auto-learning profile for web protection, you must configure a
suspicious URL group that defines which suspicious URL types the FortiWeb unit will
attempt to detect.

Note: Alternatively, you can automatically configure a suspicious URL group that includes
all suspicious URL rules by generating a default auto-learning profile. For details, see
“Generating an auto-learning profile and its components” on page 281.

To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 60: Server Policy > Predefined Pattern > Suspicious URL Rule tab


GUI item Description


Create New Click to add a suspicious URL group.
# Displays the index number of the suspicious URL group.


Name Displays the name of the entry.


Count Displays the number of predefined suspicious URL types included in this
suspicious URL group. For details, see “Viewing predefined URL rules” on
page 155.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in an auto-learning profile.
Click the Edit icon to modify the entry.

To add a suspicious URL group


1 Go to Server Policy > Predefined Pattern > Suspicious URL Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type a name for the suspicious URL group.


This field cannot be modified if you are editing an existing suspicious URL group. To
modify the name, delete the entry, then recreate it using the new name.
4 Enable the predefined suspicious URL types that you want to detect:
• Apache
• IIS (Microsoft IIS)
• Tomcat (Apache Tomcat)
To view detailed descriptions of the types of patterns that each suspicious URL type
will detect, see “Viewing predefined URL rules” on page 155.
For better performance, clear the Server Type options that do not apply.
5 Optionally, from Custom Suspicious Rule, select an existing custom suspicious URL
rule.
For more information on creating custom suspicious URL rules, see “Creating custom
suspicious URL rules” on page 158.
6 Click OK.
To use a suspicious URL group, select it when configuring an auto-learning profile. For
details, see “Applying auto-learning profiles” on page 278.

Viewing predefined URL rules


Server Policy > Predefined Pattern > Predefined URL Rule displays the list of predefined
suspicious URL types.


Predefined suspicious URL types are selected in suspicious URL groups, which are used
by auto-learning profiles to detect malicious HTTP requests by URL. For details, see
“Grouping suspicious URLs” on page 154.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 61: Server Policy > Predefined Pattern > Predefined URL Rule tab

GUI item Description


Name Displays the name of the suspicious URL type.
Select the blue arrow beside a pattern to expand the entry and display the
individual rules contained in the entry.
Pattern Displays the regular expression that is used to detect the presence of the
suspicious URL. The requested URL must match the regular expression in
order for an auto-learning profile to successfully detect the suspicious URL.
Description Displays a description that may include examples of values that match the
regular expression.

Configuring custom patterns


Go to Server Policy > Custom Pattern to configure the custom data types and custom
suspicious URL rules.
This section contains the following topics:
• Creating custom data types
• Creating custom suspicious URLs
• Creating custom suspicious URL rules

Creating custom data types


Server Policy > Custom Pattern > Custom Data Type displays defined custom data types.


You can add custom data types to input rules to define the data type of an input, and to
auto-learning profiles to detect valid input parameters. You can use both custom data
types and predefined data types. For details about predefined data types, see “Viewing
the list of predefined data types” on page 152.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 62: Server Policy > Custom Pattern > Custom Data Type tab

GUI item Description


Create New Click to add a custom data type.
# Displays the index number of the custom data type.
Name Displays the name of the entry.

To create a custom data type


1 Go to Server Policy > Custom Pattern > Custom Data Type.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type a name for the custom data type.


This field cannot be modified if you are editing an existing custom data type. To modify
the name, delete the entry, then recreate it using the new name.
4 In Expression, enter a regular expression that defines this data type.
To test the regular expression against sample text, click the >> (test) icon. This opens
the Regular Expression Validator window where you can fine-tune the expression.
5 Click OK.
To use a custom data type, select it when configuring an input rule. For details, see
“Configuring parameter validation input rules” on page 194.
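The following Python script is an added example, not part of this guide or of FortiWeb; it emulates an input rule that permits a parameter value only if the value matches a custom data type's regular expression (see the Pattern description in Table 59). The data type names, expressions and request parameters are constructed for the example, and whether FortiWeb itself anchors a custom expression is not stated on this page, so the script shows what happens both with and without ^ and $ anchors.

```python
"""Added example (not part of the FortiWeb guide): emulating an input rule that
permits a parameter value only if it matches a data type's regular expression.

Assumptions (not stated on the page): the data type names, expressions and
request parameters below are constructed for this example.  Whether FortiWeb
anchors a custom data type's expression is not specified here, so both an
anchored and an unanchored variant are shown."""
import re

# Constructed custom data types.  The unanchored ORDER_ID variant is the one an
# administrator might type first.
CUSTOM_DATA_TYPES = {
    "order_id_unanchored": r"[0-9]{6}",           # matches a 6-digit run anywhere
    "order_id":            r"^[0-9]{6}$",         # the whole value must be 6 digits
    "iso_date":            r"^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$",
    "username":            r"^[A-Za-z][A-Za-z0-9_.-]{2,31}$",
}

def permitted(data_type, value):
    """Return True if an input rule bound to data_type would permit value.

    The parameter value must match the data type's regular expression
    (Table 59, Pattern).  re.search() is used so that an expression without
    ^...$ anchors behaves as unanchored expressions do in most regex engines:
    a match anywhere inside the value counts."""
    return re.search(CUSTOM_DATA_TYPES[data_type], value) is not None

def validate_request(params, rules):
    """Apply {param_name: data_type} rules to a dict of request parameters.

    Returns a list of (param, value, data_type) tuples for every parameter
    that fails its input rule; an empty list means the request passes."""
    violations = []
    for name, data_type in rules.items():
        value = params.get(name, "")
        if not permitted(data_type, value):
            violations.append((name, value, data_type))
    return violations

# Constructed request parameters: a benign request, and an injection attempt
# that carries a valid-looking order number as its prefix.
BENIGN = {"order": "123456", "since": "2011-06-16", "user": "tom"}
ATTACK = {"order": "123456' OR '1'='1", "since": "2011-06-16", "user": "tom"}

def demo():
    """Validate both requests under an unanchored and an anchored order_id."""
    weak   = {"order": "order_id_unanchored", "since": "iso_date", "user": "username"}
    strict = {"order": "order_id",            "since": "iso_date", "user": "username"}
    return {
        "benign_weak":   validate_request(BENIGN, weak),
        "attack_weak":   validate_request(ATTACK, weak),    # slips through
        "attack_strict": validate_request(ATTACK, strict),  # caught
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "PASS" if not result else "BLOCK %r" % result)
```

Run it directly to print PASS or BLOCK for each case. The case that matters is attack_weak: an unanchored expression such as [0-9]{6} is satisfied by any value that merely contains six digits, so an injection payload prefixed with a plausible order number passes the input rule. When you fine-tune an expression in the Regular Expression Validator, confirm that it rejects a whole malicious value, not only that it accepts good ones.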

Creating custom suspicious URLs


Server Policy > Custom Pattern > Custom Suspicious URL displays the list of custom
suspicious URL types.
Configure custom suspicious URLs to augment the list of predefined suspicious URLs. A
custom suspicious URL is a regular expression that matches request URLs you consider
administratively sensitive or otherwise suspect. You add custom suspicious URLs to a
custom suspicious URL rule, then select that rule in a suspicious URL group, which auto-
learning profiles use to flag possibly malicious requests by URL. For details, see
“Grouping suspicious URLs” on page 154.


To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

Table 63: Server Policy > Custom Pattern > Custom Suspicious URL tab

GUI item Description


Create New Click to add a custom suspicious URL.
# Displays the index number of the suspicious URL.
Name Displays the name of the entry.

To create a custom suspicious URL


1 Go to Server Policy > Custom Pattern > Custom Suspicious URL.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type a name for the custom suspicious URL.


This field cannot be modified if you are editing an existing custom suspicious URL. To
modify the name, delete the entry, then recreate it using the new name.
4 In Expression, enter a regular expression that defines this suspicious URL.
To test the regular expression against sample text, click the >> (test) icon. This opens
the Regular Expression Validator window where you can fine-tune the expression.
5 Click OK.
To use a custom suspicious URL, add it to a custom suspicious URL rule, add that rule to a
suspicious URL group, and then select the group when configuring an auto-learning profile.
For details, see “Applying auto-learning profiles” on page 278.

Creating custom suspicious URL rules


Server Policy > Custom Pattern > Custom Suspicious URL Rule displays the list of
custom suspicious URL rules.
Custom suspicious URL rules are selected in suspicious URL groups, which are used by
auto-learning profiles to detect malicious HTTP requests by URL. For details, see
“Grouping suspicious URLs” on page 154.


To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
Tip: Before you can create a custom suspicious URL rule, you must first define one or more
custom suspicious URLs. See “Creating custom suspicious URLs” on page 157.

Table 64: Server Policy > Custom Pattern > Custom Suspicious URL Rule tab

GUI item Description


Create New Click to add a custom suspicious URL rule.
# Displays the index number of the suspicious URL rule.
Name Displays the name of the entry.

To create a custom suspicious URL rule


1 Go to Server Policy > Custom Pattern > Custom Suspicious URL Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type a name for the custom suspicious URL rule.


This field cannot be modified if you are editing an existing custom suspicious URL rule.
To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New to add a custom suspicious URL to the rule, or, in the row
corresponding to an existing entry, click the Edit icon to change it.
A dialog appears.

6 Select an existing suspicious URL name from the drop-down list.


7 Click OK.
To use a custom suspicious URL rule, add the rule to a suspicious URL group, then select
that group when configuring an auto-learning profile. For details, see “Applying auto-
learning profiles” on page 278.

Configuring custom application policies


Some web applications build URLs differently than expected by FortiWeb, which can
cause FortiWeb to create incorrect auto-learning profiles. These “non-standard” URLs will
cause several issues:
• You cannot generate security rules based on the auto-learning profile as it does not
represent the application's structure.
• Endless URL/parameter learning consumes unnecessary resources.
• Auto-learning profiles are presented incorrectly.
For example, with Outlook Web App (OWA), every user has their user name as part of the
URL. Thus FortiWeb auto-learning will continue to create new URLs as new users are
being added to the system. For this reason, auto-learning cannot create a true application
structure as these URLs will not produce enough hits. Example URLs:
www.example.com/owa/tom/index.html
www.example.com/owa/mark/index.html
To solve this kind of problem, FortiWeb lets you create application policy plug-ins that
recognize the non-standard, customized applications and modify the URL information so
that an auto-learning profile can work properly. In the above OWA case, you can extract
the user directory and add it as a parameter value.

Custom application workflow


1 Create the custom application plug-ins (URL replacers). See “Configuring URL
replacers” on page 160.
2 Add the application plug-ins to an application policy. See “Configuring application
policies” on page 161.
3 Include the application policy in one or more auto-learning profiles. See “Applying auto-
learning profiles” on page 278.
4 Include the auto-learning profiles in server policies. See “Configuring server policies”
on page 118.

Configuring URL replacers


A URL replacer defines how to modify the non-standard request URLs. Use the replacer in
the custom application policies. See “Custom application workflow” on page 160.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

To create a URL replacer


1 Go to Server Policy > Custom Application > URL Replacer.


2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, enter a name for the plug-in.


4 Select one of the two types. For Predefined, only JSP is supported in the current
release. For Custom-Defined, enter the following information:
• In URL Path, enter the regular expression used to match the request URL in the
HTTP header. To test the regular expression against sample text, click the >> (test)
icon. This opens the Regular Expression Validator window where you can fine-tune
the expression.
• In New URL, enter the new URL string to be sent to the auto-learning module that
uses the plug-in.
• In Param Change, enter the new parameter’s value string.
• In New Param, enter the new parameter’s name string.
5 Click OK.
Two examples follow.

Example one
The HTTP request URL from a client is
/app/login.asp;jsessionid=xxx;p1=111;p2=123?p3=5555&p4=66aaaaa,
which is a JSP application type. When you create the URL replacer, if you select JSP as
the predefined application type, the JSP plug-in will change the URL to
/app/login.asp?p4=66aaaaa with 3 extra parameters: p1=111,p2=123 and
p3=5555.

Example two
If the HTTP request URL from a client is /tom/login.asp and you created the following
URL replacer:
Type: Custom-Defined
URL Path: ^/(.*)/(.*)$
New URL: /$1
Param Change: $0
New Param: username
Then the URL will be changed to /login.asp with an extra parameter: username=tom.
Note that in the New URL, Param Change, and New Param fields, back-references count
capture groups from $0: in this example $0 is the first group (tom) and $1 is the second
group (login.asp). Writing $1 for the first group, as many other regular expression tools
expect, will not produce the intended result.

Configuring application policies


After you create a URL replacer (see “Configuring URL replacers” on page 160), you can
create an application policy that uses the replacer. In turn, include it in an auto-learning
profile. See “Custom application workflow” on page 160.


To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.

To create a custom application policy


1 Go to Server Policy > Custom Application > Application Policy.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
3 Enter a name for the policy and click OK.
A dialog appears.

4 Click Create New to create an application rule.

5 Enter an ID for the rule or leave auto as default.


6 Set the priority level of the rule. Type the order of evaluation for this rule in the group,
starting from 0. To create an entry with the highest match priority, enter 0. For lower-
priority matches, enter higher numbers.
Note: Rule order affects URL replacer plug-in matching and behavior. The search
begins with the smallest priority number (greatest priority) rule in the list and
progresses in order towards the largest number in the list. Matching rules are
determined by comparing the rule and the connection’s content. If no rule matches, the
connection remains unchanged.
When the FortiWeb unit finds a matching rule, it applies the matching rule's specified
actions to the connection.
7 Select the rule type. Currently, you can only select URL Replacer.
8 Select a plug-in/URL replacer from the drop-down list. If there is no URL replacer in the
list, you must create one first.
9 Click OK.
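The following Python code is an added example, not part of this guide or of FortiWeb's implementation; it emulates a custom-defined URL replacer (Example two under “Configuring URL replacers”) together with the first-match, ascending-priority evaluation of application policy rules described in step 6 above. It assumes, as Example two implies, that back-references are numbered from $0 for the first capture group. The OWA replacer, the sample paths and the policy order are constructed for the example; the predefined JSP plug-in (Example one) is not emulated.

```python
"""Added example (not part of the FortiWeb guide): a pure-Python emulation of a
custom-defined URL replacer and of first-match rule ordering in an application
policy.

Assumptions (constructed for this example, not from the page): the replacer is
modelled as a regular expression on the request path in which $0, $1, ... refer
to the first, second, ... capture group, as the guide's Example two implies
($1 -> /login.asp, $0 -> tom).  The OWA replacer, sample paths and policy order
are made up; FortiWeb's real substitution syntax may differ in details."""
import re

def _expand(template, groups):
    """Replace each $N in template with capture group N, numbered from $0."""
    def sub(m):
        idx = int(m.group(1))
        return groups[idx] if idx < len(groups) else ""
    return re.sub(r"\$(\d+)", sub, template)

class UrlReplacer:
    """One custom-defined URL replacer: URL Path, New URL, Param Change, New Param."""
    def __init__(self, name, url_path, new_url, param_change, new_param):
        self.name = name
        self.url_path = re.compile(url_path)
        self.new_url = new_url
        self.param_change = param_change
        self.new_param = new_param

    def apply(self, path):
        """Return (new_path, {new_param: value}), or None if URL Path does not match."""
        m = self.url_path.match(path)
        if not m:
            return None
        groups = m.groups()
        return (_expand(self.new_url, groups),
                {_expand(self.new_param, groups): _expand(self.param_change, groups)})

def apply_policy(rules, path):
    """Evaluate (priority, replacer) rules in ascending priority order.

    The first replacer whose URL Path matches wins and later rules are not
    consulted.  If nothing matches, the path is returned unchanged with no
    added parameter, which is what the guide describes for an unmatched
    connection."""
    for _priority, replacer in sorted(rules, key=lambda r: r[0]):
        result = replacer.apply(path)
        if result is not None:
            return result[0], result[1], replacer.name
    return path, {}, None

# The guide's Example two replacer, plus a constructed OWA replacer that strips
# the per-user directory and reports it as a parameter instead.
EXAMPLE_TWO = UrlReplacer("example-two", r"^/(.*)/(.*)$", "/$1", "$0", "username")
OWA = UrlReplacer("owa-user-dir", r"^/owa/([^/]+)/(.*)$", "/owa/$1", "$0", "username")

# Priority 0 is evaluated first.  The OWA rule is more specific, so it must
# sit in front of the catch-all Example-two rule.
POLICY = [(0, OWA), (1, EXAMPLE_TWO)]

def demo():
    """Run the constructed policy over a few request paths."""
    return {p: apply_policy(POLICY, p) for p in
            ["/tom/login.asp", "/owa/tom/index.html",
             "/owa/mark/index.html", "/index.html"]}

if __name__ == "__main__":
    for path, (new_path, params, rule) in demo().items():
        print("%-24s -> %-18s %-20r via %s" % (path, new_path, params, rule))
```

With the constructed policy, the OWA-specific replacer has priority 0, so /owa/tom/index.html becomes /owa/index.html with username=tom, and every user's mailbox collapses onto one learned URL. Reversing the two priorities lets the catch-all ^/(.*)/(.*)$ rule match first; its greedy first group then swallows owa/tom and the learned URL becomes /index.html, which is exactly the kind of wrong application structure this feature exists to avoid. When one rule is meant as an exception to a broader one, give the exception the smaller priority number.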


XML protection
This chapter describes the XML protection menu. It contains features that act upon HTTP
requests with XML content, such as AJAX (JavaScript that uses the XMLHttpRequest
object), RSS, and SOAP connections.
This chapter includes the following topics:
• Configuring protection schedules
• Configuring content filter rules
• Configuring intrusion prevention rules
• Configuring WSDL content routing groups
• Managing XML signature and encryption keys
• Managing schema files
• Managing WSDL files
• Configuring XML protection profiles

Note: For information on the IETF RFC, W3C standards and IEEE standards supported by
this version of FortiWeb, see “Appendix A: Supported RFCs, W3C and IEEE standards” on
page 395.

XML protection profile workflow


The creation of an XML protection profile involves multiple activities. The number and
sequence of steps depends on what you wish to achieve. All steps are optional, though
some steps have dependencies on others.
• Create one or more schedules if you intend to include content filters in your profile. See
“Configuring protection schedules” on page 163.
• Create one or more content filters. See “Configuring content filter rules” on page 166.
• Create one or more intrusion filters. See “Configuring intrusion prevention rules” on
page 170.
• Load one or more schema files. See “Managing schema files” on page 178.
• Load one or more web service definition language (WSDL) files (see “Managing WSDL
files” on page 181). To configure protection for a web service, you also must configure
an XML web service group (see “Grouping WSDL files” on page 183). You can also
route the web service to a specific server in a server farm (see “Configuring WSDL
content routing groups” on page 173).
• Import a key file and then create a key management profile to add XML signature
validation, XML encryption, or XML decryption to your profile. See “Managing XML
signature and encryption keys” on page 175.
• After you complete the applicable previous activities, configure one or more XML
protection profiles. See “Configuring XML protection profiles” on page 184.

Configuring protection schedules


XML Protection > Schedule menu enables you to view and configure protection schedules
for one-time or recurring use.


Configure a schedule to define when a content filter rule will apply. For example, a
FortiWeb unit might be configured with a content filter rule that uses a one-time schedule
to block access to the web service during an emergency maintenance period.
For details, see “Configuring content filter rules” on page 166.
This section includes the following topics:
• Configuring one-time schedules
• Configuring recurring schedules

Configuring one-time schedules


XML Protection > Schedule > One Time displays the list of schedules that run once for a
specified period of time.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.

Table 65: XML Protection > Schedule > One Time tab


GUI item Description


Create New Click to add a one-time schedule.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Start Displays the time and date that the schedule will begin.
End Displays the time and date that the schedule will stop.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a content filter rule.
Click the Edit icon to modify the entry.

To create a one-time schedule


1 Go to XML Protection > Schedule > One Time.
2 Click Create New.
A dialog appears that enables you to specify the time and duration of the schedule.

3 In Name, type the name of the schedule.


4 In the Start row, select the date and time that the schedule will begin.
5 In the End row, select the date and time that the schedule will end.
6 Click OK.
To apply a schedule, select it as the period when configuring a content filter rule. For more
information, see “Configuring content filter rules” on page 166.

Configuring recurring schedules


XML Protection > Schedule > Recurring displays the list of schedules that run repeatedly
at the specified times and days of the week.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.

Table 66: XML Protection > Schedule > Recurring tab


GUI item Description


Create New Click to add a recurring schedule.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Start Displays the time that the schedule will begin.
End Displays the time that the schedule will stop.
Day Displays the days of the week when the schedule runs.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a content filter rule.
Click the Edit icon to modify the entry.

To create a recurring schedule


1 Go to XML Protection > Schedule > Recurring.
2 Click Create New.
A dialog appears that enables you to specify the time and duration of the schedule, and
the days of the week during which the schedule will apply.


3 In Name, type the name of the schedule.


4 In the Start row, select the time that the schedule will begin.

Note: A recurring schedule with a stop time that occurs before the start time starts at the
start time and finishes at the stop time on the next day. You can use this technique to create
recurring schedules that run from one day to the next. To create a recurring schedule that
runs for 24 hours, set the start and stop times to the same time.

5 In the End row, select the time that the schedule will end.
6 In the Day row, select the days of the week when the schedule runs.
7 Click OK.
To apply a schedule, select it as the period when configuring a content filter rule. For more
information, see “Configuring content filter rules” on page 166.

Configuring content filter rules


XML Protection > Content Filter > Content Filter displays the list of filter rules that can be
applied to XML traffic.
Content filter rules contain one or more individual rules that each accept or block and/or
log specific XML content that matches their XPath expression and time schedule.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: Before you can create an effective content filter, you must first define a schedule. See
“Configuring protection schedules” on page 163.

Table 67: XML Protection > Content Filter > Content Filter tab


GUI item Description


Create New Click to add a content filter rule.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Select the blue arrow to expand the entry, displaying the individual rules
contained in the entry.
ID Displays the index number of the content filter. For details, see “How priority
affects content filter rule matching” on page 169.
Period Displays the schedule that defines when this content filter will apply. For
details, see “Configuring protection schedules” on page 163.
IP Range Lists the client IP address or IP address range that apply, if specified.


XPATH Expression Displays the XPath expression that matches web service content to which
the action is applied.
Action Displays the action that the FortiWeb unit will take when content matches
XPATH Expression. For details on how the action interacts with ID to
determine which content filter rules will be applied, see “How priority affects
content filter rule matching” on page 169.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log message.
For more information on logging and alerts, see “Configuring and
enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log
message. For more information on logging and alerts, see “Configuring
and enabling logging” on page 323.
Enable Mark the check box to enable use of the content filter rule. For details, see
“Enabling or disabling a content filter rule” on page 169.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a protection profile.
Click the Edit icon to modify the entry.
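The following Python code is an added example, not part of this guide or of FortiWeb; it emulates how the individual content filters of a content filter rule (the rows described in Table 67) are evaluated against an XML request in ascending priority order, and it implements the recurring-schedule behaviour from the note under “Configuring recurring schedules” (an End time earlier than Start ends on the next day; equal times mean 24 hours). The SOAP messages, namespace, IP ranges, schedule and filter set are constructed for the example, and XPath matching uses the limited subset supported by Python's xml.etree.ElementTree rather than FortiWeb's own XPath engine.

```python
"""Added example (not part of the FortiWeb guide): emulating the evaluation of
a content filter rule's individual filters against an XML request.

Assumptions (constructed for this example, not from the page): the SOAP
messages, the namespace, the IP ranges, the schedule and the filter set.
XPath matching uses the limited XPath subset of xml.etree.ElementTree; the
behaviour of FortiWeb's own engine is not described here."""
import datetime
import ipaddress
import xml.etree.ElementTree as ET

NS = "urn:example:bank"   # constructed namespace for the sample web service

class RecurringSchedule:
    """Start/End are datetime.time values; days are weekday numbers (0=Monday)."""
    def __init__(self, start, end, days):
        self.start, self.end, self.days = start, end, set(days)

    def active(self, now):
        t = now.time()
        if self.end > self.start:                       # ordinary same-day window
            return now.weekday() in self.days and self.start <= t < self.end
        # End <= Start: the window runs from Start on a scheduled day to End on
        # the following day; identical times therefore give a full 24 hours.
        yesterday = (now - datetime.timedelta(days=1)).weekday()
        return ((now.weekday() in self.days and t >= self.start) or
                (yesterday in self.days and t < self.end))

class ContentFilter:
    """One filter of a content filter rule: priority, period, IP range, XPath, action."""
    def __init__(self, priority, xpath, action, period=None, ip_range=None):
        self.priority, self.xpath, self.action = priority, xpath, action
        self.period = period
        self.ip_range = ipaddress.ip_network(ip_range) if ip_range else None

    def matches(self, root, client_ip, now):
        if self.period and not self.period.active(now):
            return False
        if self.ip_range and ipaddress.ip_address(client_ip) not in self.ip_range:
            return False
        return root.find(self.xpath) is not None

def evaluate(filters, xml_text, client_ip, now):
    """Return the action of the first matching filter in ascending priority
    order, or "Accept" when no filter matches (the request passes through)."""
    root = ET.fromstring(xml_text)
    for f in sorted(filters, key=lambda f: f.priority):
        if f.matches(root, client_ip, now):
            return f.action
    return "Accept"

# Constructed policy: deny AdminReset from anywhere, except from the management
# LAN during the nightly maintenance window (22:00 to 02:00 next day).
MAINTENANCE = RecurringSchedule(datetime.time(22, 0), datetime.time(2, 0), days=range(7))
FILTERS = [
    ContentFilter(0, ".//{%s}AdminReset" % NS, "Accept",
                  period=MAINTENANCE, ip_range="10.0.0.0/24"),
    ContentFilter(1, ".//{%s}AdminReset" % NS, "Alert & Deny"),
    ContentFilter(2, ".//{%s}Transfer" % NS, "Alert"),
]

# Constructed SOAP bodies.
SOAP = '<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"><Body>%s</Body></Envelope>'
RESET = SOAP % ('<AdminReset xmlns="%s"><Account>42</Account></AdminReset>' % NS)
TRANSFER = SOAP % ('<Transfer xmlns="%s"><Amount>100</Amount></Transfer>' % NS)

def demo():
    """Evaluate the two messages from inside and outside the LAN, day and night."""
    night = datetime.datetime(2011, 6, 16, 1, 30)   # Thursday 01:30, inside the wrapped window
    day = datetime.datetime(2011, 6, 16, 9, 0)
    return {
        "reset_lan_night": evaluate(FILTERS, RESET, "10.0.0.5", night),
        "reset_lan_day": evaluate(FILTERS, RESET, "10.0.0.5", day),
        "reset_internet_night": evaluate(FILTERS, RESET, "203.0.113.9", night),
        "transfer": evaluate(FILTERS, TRANSFER, "203.0.113.9", day),
    }

def full_day_demo():
    """Start equal to End on Mondays only: active until the same time on Tuesday."""
    s = RecurringSchedule(datetime.time(9, 0), datetime.time(9, 0), days=[0])
    return (s.active(datetime.datetime(2011, 6, 14, 8, 59)),   # Tuesday 08:59
            s.active(datetime.datetime(2011, 6, 14, 9, 0)))    # Tuesday 09:00

if __name__ == "__main__":
    for case, action in demo().items():
        print("%-22s %s" % (case, action))
```

The Accept filter at priority 0 is deliberately narrower (management LAN, maintenance window) than the Alert & Deny filter at priority 1 for the same XPath expression. If the two priorities were swapped, the deny filter would match first and the maintenance exception would never take effect. When you rely on priority to carve an exception out of a broader filter, give the exception the smaller number, and verify the schedule boundary with a time just after midnight, as demo() does, since that is where the next-day wrap is easy to get wrong.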

To create a content filter rule


1 Go to XML Protection > Content Filter > Content Filter.
2 Click Create New.
A dialog appears that enables you to specify the content filter rule.

3 In Name, type the name of the content filter rule.
This field cannot be modified if you are editing an existing content filter rule. To modify
the name, delete the entry, then recreate it using the new name.
4 In Comments, type a description for the content filter rule.
5 Click OK.


6 Click Create New.


A dialog appears.


7 Configure the following:

GUI item Description


ID Enter the index number of the content filter, or keep the field’s default
value of auto to let the FortiWeb unit automatically assign the next
available index number.
The number must be between 1 and 99,999 and must be unique for
each content filter.
Priority Enter the order of evaluation for this content filter, starting from 0.
To enter a content filter with the highest match priority, enter 0. For
lower-priority matches, enter higher numbers.
Note: Content filter rule order affects content filter rule matching and
behavior. For details, see “How priority affects content filter rule
matching” on page 169.
Period Select the existing schedule that defines when this content filter will be
applicable. For details, see “Configuring protection schedules” on
page 163.
IP Range If this content filter should not apply to all IP addresses, enter a client IP
address or IP address range.
XPATH Expression Click the Edit icon. A dialog appears. Enter an XPath expression that
matches web service content to which the action will be applied, or
enter the expression directly into this field.
The maximum length of the expression is 1000 characters.
Action Select the action that the FortiWeb unit will take when content matches
XPATH Expression. For details on how the action interacts with Priority to
determine which content filter rules will be applied, see “How priority
affects content filter rule matching” on page 169.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log
message. For more information on logging and alerts, see
“Configuring and enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log
message. For more information on logging and alerts, see
“Configuring and enabling logging” on page 323.

8 Repeat the previous steps for each content filter that you want to add to the content
filter rule.
9 If you need to modify a content filter, click its Edit icon. To remove a single content filter
from the content filter rule, click its Delete icon. To remove all content filters from the
content filter rule, click the Clear icon.


10 Click OK.
To apply the content filter rule, select it in an XML protection profile that is selected in a
policy. For more information, see “Configuring XML protection profiles” on page 184.

How priority affects content filter rule matching


Each time a connection matches a policy that uses an XML protection profile, the
FortiWeb unit searches the content filter rules selected in that profile for a rule whose
XPath expression matches the connection’s web service content.
The search begins with the content filter that has the lowest priority number (greatest
priority) and progresses in order towards the highest number in the list. If no content
filter rule matches, the connection is dropped.
Note: Because match evaluation continues until either the content filter rule list is
exhausted or the connection is accepted or denied, multiple content filter rules can be
applied.

When the FortiWeb unit finds a matching content filter rule, it applies that rule’s action
to the connection. If the action is:
• Alert: The FortiWeb unit generates the alert and/or log message, then evaluates the
next content filter rule for a match.
• Accept, Deny or Alert & Deny: The FortiWeb unit applies the action and disregards all
lower priority rules.
As a general rule, arrange content filter rules from most specific to most general,
because the first matching rule whose action is Accept, Deny or Alert & Deny ends
evaluation: once the connection is accepted or denied, lower priority rules are neither
considered nor applied. Ordering content filter rules from most specific to most
general prevents a rule that matches a wide range of traffic and whose action is Accept
or Deny from superseding, and effectively masking, more specific rules whose action is
Alert, or that match exceptions.
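The evaluation order described above, as an added example in Python that is not FortiWeb's own code: rules are sorted by Priority, an Alert action records the match and continues, Accept, Deny and Alert & Deny end evaluation, and a request matched by no rule is dropped. The SOAP requests, rule names and the urn:example:bank namespace are constructed for this example, and Python's ElementTree supports only a subset of XPath 1.0, so real content filters can use expressions this simulation cannot. The BAD_ORDER list shows the masking problem the paragraph warns about: the same rules with the broad Accept at priority 0 let an adminReset request through.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# Namespace prefixes used by the XPath expressions (constructed for this example).
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "m": "urn:example:bank"}


@dataclass
class ContentFilter:
    name: str
    priority: int        # as in the Priority field: 0 is evaluated first
    xpath: str           # ElementTree XPath subset; FortiWeb accepts full XPath expressions
    action: str          # "accept", "alert", "deny" or "alert_deny"


@dataclass
class Verdict:
    decision: str                                # "accept", "deny", or "drop" (no rule matched)
    matched_by: Optional[str] = None             # rule whose action ended evaluation
    alerts: list = field(default_factory=list)   # rules whose Alert fired along the way


def evaluate(filters, body: bytes) -> Verdict:
    """Walk the rule list in ascending priority order and return the verdict."""
    root = ET.fromstring(body)
    alerts = []
    for f in sorted(filters, key=lambda f: f.priority):
        if not root.findall(f.xpath, NS):        # XPath selects nothing: rule does not match
            continue
        if f.action in ("alert", "alert_deny"):
            alerts.append(f.name)
        if f.action == "accept":
            return Verdict("accept", f.name, alerts)
        if f.action in ("deny", "alert_deny"):
            return Verdict("deny", f.name, alerts)
        # plain "alert": evaluation continues with the next rule
    return Verdict("drop", None, alerts)


# Constructed sample requests (not captured traffic).
TRANSFER = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><m:transfer xmlns:m="urn:example:bank">
    <m:from>123</m:from><m:to>456</m:to><m:amount>50</m:amount>
  </m:transfer></soap:Body></soap:Envelope>"""
ADMIN_RESET = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><m:adminReset xmlns:m="urn:example:bank"><m:account>456</m:account>
  </m:adminReset></soap:Body></soap:Envelope>"""

# Specific rules first, broad rule last (most specific to most general).
DENY_ADMIN = ContentFilter("deny-admin-reset", 0, ".//m:adminReset", "deny")
AUDIT_TRANSFER = ContentFilter("audit-transfer", 1, ".//m:transfer[m:amount]", "alert")
ALLOW_SOAP = ContentFilter("allow-soap-body", 10, ".//soap:Body", "accept")
GOOD_ORDER = [DENY_ADMIN, AUDIT_TRANSFER, ALLOW_SOAP]

# Same rules, but the broad Accept now has the greatest priority and masks the Deny.
BAD_ORDER = [ContentFilter("allow-soap-body", 0, ".//soap:Body", "accept"),
             ContentFilter("deny-admin-reset", 5, ".//m:adminReset", "deny"),
             AUDIT_TRANSFER]

if __name__ == "__main__":
    print(evaluate(GOOD_ORDER, TRANSFER))      # accept, after audit-transfer alerted
    print(evaluate(GOOD_ORDER, ADMIN_RESET))   # deny by deny-admin-reset
    print(evaluate(BAD_ORDER, ADMIN_RESET))    # accept: the Deny rule never runs
    print(evaluate([DENY_ADMIN], TRANSFER))    # drop: no rule matched
```

The transfer request under GOOD_ORDER is accepted with one alert recorded; the adminReset request is denied. Under BAD_ORDER the adminReset request is accepted because the broad allow-soap-body rule ends evaluation before deny-admin-reset is reached.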

Enabling or disabling a content filter rule


You can individually enable and disable content filter rules. Disabled content filter rules
can be selected in an XML protection profile, but will not be used when applying the
protection profile.

Caution: Disabling a content filter rule could allow traffic that the rule would otherwise
deny, for every policy in whose XML protection profile you have selected the rule. For
details, see “Configuring XML protection profiles” on page 184.

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.


To enable or disable a content filter rule


1 Go to XML Protection > Content Filter > Content Filter.

2 In the row corresponding to the content filter rule that you want to enable, mark the
check box in the Enable column.
3 In the row corresponding to the content filter rule that you want to disable, clear the
check box in the Enable column.

Configuring intrusion prevention rules


XML Protection > Intrusion Filters > Intrusion Filters displays the list of intrusion
prevention rules.
Intrusion prevention rules define data constraints for XML elements, enabling you to
prevent use of element depths, data types, and lengths that could be used to execute
attacks such as oversized payloads, recursive payloads, and buffer overflows.
Intrusion prevention rules are applied by selecting them in an XML protection profile. For
details, see “Configuring XML protection profiles” on page 184.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.

Table 68: XML Protection > Intrusion Filters > Intrusion Filters tab


GUI item Description


Create New Click to add an intrusion prevention rule.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Max Elements Displays the maximum number of XML elements to allow in a single
request.
Max Element Depth Displays the maximum depth of XML elements to allow in the tree of a
single request.
Max Name Length Displays the maximum name length to allow for any XML element, attribute or
namespace prefix.
Max Attributions Displays the maximum number of attributes to allow in a single request.


Max Attributions Per Element Displays the maximum number of attributes to allow for any XML
element.
Max Attribution Value Length Displays the maximum length of the value to allow for any attribute
of any XML element.
Allow DTDs Indicates whether or not use of document type definitions (DTDs) is
allowed.
Enable Mark the check box to enable use of the intrusion prevention rule. For
details, see “Enabling or disabling an intrusion prevention rule” on
page 172.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a protection profile.
Click the Edit icon to modify the entry.

To create an intrusion prevention rule


1 Go to XML Protection > Intrusion Filters > Intrusion Filters.
2 Click Create New.
A dialog appears that enables you to enter constraints on the types and lengths of
allowed data.

3 Configure the following:

GUI item Description


Name Enter a name for the intrusion prevention rule.


Max Elements Enter the maximum number of XML elements to allow in a single
request.
Max Element Depth Enter the maximum depth of XML elements to allow in the tree of a
single request.
Max Name Length Enter the maximum name length to allow for any XML element, attribute
or namespace prefix.
Max Attributions Enter the maximum number of attributes to allow in a single request.
Max Attributions Per Element Enter the maximum number of attributes to allow for any
XML element.
Max Attribution Value Length Enter the maximum length of the allowed value of any
attribute of any XML element.
Max Namespace Declarations Enter the maximum number of XML namespace (XMLNS)
declarations to allow in a single request.
Max Namespace Declarations per Element Enter the maximum number of XML namespace
(XMLNS) declarations to allow for any XML element.
Max Text Nodes Enter the maximum number of text nodes to allow in a single request.
Max Text Node Length Enter the maximum length to allow for any text node.
Max Text Node Ratio Enter the maximum size ratio to allow for any text node, where the
size ratio is:
T / (D - T)
where D is the total size of the request and T is the size of the text node.
Max CData Enter the maximum number of character data (CDATA) sections to allow
in a single request.
Max CData Length Enter the maximum length of the value to allow for any character data
(CDATA) section in a single request.
Max Character Reference Enter the maximum number of character entity references to
allow in a single request.
Max PIs Enter the maximum number of processing instructions (PIs) to allow in a
single request.
Max Gen Entity Reference Enter the maximum number of general entity references to
allow in a single request.
Allow DTDs Enable to allow use of document type definitions (DTDs).
Unlike W3C XML schema scanning, DTD scanning is currently not
supported, and therefore inclusion of DTDs can only be allowed or
denied as a whole. Because DTDs are the mechanism behind entity
expansion and external entity (XXE) attacks, leave this option disabled
unless a protected web service actually requires DTDs.
Comments Enter a description for the intrusion prevention rule.
4 Click OK.
To apply the intrusion protection rule, select it in an XML protection profile that is
selected in a policy. For more information, see “Configuring XML protection profiles” on
page 184.
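As an added example of what these constraints enforce (Python, not FortiWeb code), the following function checks a request against the structural limits above using the standard library's expat parser and reports the first violation, so an oversized, recursive or entity-expansion payload is rejected without being fully parsed. The limit values in DEFAULT_LIMITS are hypothetical and the sample requests are constructed; the text node ratio and the character and general entity reference counts from the table are not implemented here. A DOCTYPE is rejected before its internal subset is read, so an entity expansion payload is never expanded, and no external entity resolver is registered.

```python
import xml.parsers.expat as expat
from types import SimpleNamespace

# Limits of one intrusion prevention rule; values are hypothetical, not FortiWeb defaults.
DEFAULT_LIMITS = dict(
    max_elements=1000, max_element_depth=32, max_name_length=64,
    max_attributes=500, max_attributes_per_element=20, max_attribute_value_length=1024,
    max_ns_declarations=50, max_ns_declarations_per_element=5,
    max_text_nodes=1000, max_text_node_length=4096, max_cdata=20, max_cdata_length=4096,
    max_pis=0, allow_dtds=False)


class LimitExceeded(Exception):
    pass   # raised inside a handler; expat stops parsing and Parse() re-raises it


def check_xml(data: bytes, **overrides) -> list:
    """Return [] if every limit holds, else a one-item list naming the first violation.
    Keyword arguments override entries of DEFAULT_LIMITS for this call."""
    lim = SimpleNamespace(**{**DEFAULT_LIMITS, **overrides})
    counts = {"elements": 0, "attrs": 0, "ns": 0, "text": 0, "cdata": 0, "pis": 0}
    state = {"depth": 0, "in_cdata": False}

    def fail(msg):
        raise LimitExceeded(msg)

    def bump(counter, limit, what):
        counts[counter] += 1
        if counts[counter] > limit:
            fail(f"more than {limit} {what} in the request")

    def check_name(kind, name):
        if len(name) > lim.max_name_length:
            fail(f"{kind} name longer than {lim.max_name_length} characters")

    def start_element(name, attrs):
        bump("elements", lim.max_elements, "elements")
        state["depth"] += 1
        if state["depth"] > lim.max_element_depth:
            fail(f"element depth exceeds {lim.max_element_depth}")
        check_name("element", name)
        ns_here = attrs_here = 0
        for aname, avalue in attrs.items():
            if aname == "xmlns" or aname.startswith("xmlns:"):   # namespace declaration
                ns_here += 1
                check_name("namespace prefix", aname.partition(":")[2])
                bump("ns", lim.max_ns_declarations, "namespace declarations")
            else:                                                # ordinary attribute
                attrs_here += 1
                check_name("attribute", aname)
                bump("attrs", lim.max_attributes, "attributes")
                if len(avalue) > lim.max_attribute_value_length:
                    fail(f"attribute {aname} value longer than {lim.max_attribute_value_length}")
        if ns_here > lim.max_ns_declarations_per_element:
            fail(f"element {name} declares more than {lim.max_ns_declarations_per_element} namespaces")
        if attrs_here > lim.max_attributes_per_element:
            fail(f"element {name} has more than {lim.max_attributes_per_element} attributes")

    def char_data(text):
        if state["in_cdata"]:
            if len(text) > lim.max_cdata_length:
                fail(f"CDATA section longer than {lim.max_cdata_length}")
        elif text.strip():      # whitespace between tags is not counted as a text node
            bump("text", lim.max_text_nodes, "text nodes")
            if len(text) > lim.max_text_node_length:
                fail(f"text node longer than {lim.max_text_node_length}")

    def start_cdata():
        state["in_cdata"] = True
        bump("cdata", lim.max_cdata, "CDATA sections")

    p = expat.ParserCreate()
    p.buffer_size = 1 << 20      # so each contiguous text run arrives in one callback
    p.buffer_text = True
    # The DOCTYPE handler fires before the internal subset is read, so nothing is expanded.
    p.StartDoctypeDeclHandler = lambda *decl: lim.allow_dtds or fail("DOCTYPE present but DTDs are not allowed")
    p.StartElementHandler = start_element
    p.EndElementHandler = lambda name: state.update(depth=state["depth"] - 1)
    p.CharacterDataHandler = char_data
    p.StartCdataSectionHandler = start_cdata
    p.EndCdataSectionHandler = lambda: state.update(in_cdata=False)
    p.ProcessingInstructionHandler = lambda target, text: bump("pis", lim.max_pis, "processing instructions")
    try:
        p.Parse(data, True)
    except LimitExceeded as e:
        return [str(e)]
    except expat.ExpatError as e:
        return [f"not well-formed XML: {e}"]
    return []


# Constructed sample requests, not captured traffic.
BENIGN = (b'<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<soap:Body><getQuote symbol="FTNT"><currency>USD</currency></getQuote></soap:Body></soap:Envelope>')
BOMB = (b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;">'
        b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]><a>&lol3;</a>')   # entity expansion
DEEP = b"<r>" + b"<n>" * 40 + b"x" + b"</n>" * 40 + b"</r>"                          # recursive payload
FAT = b'<r><n id="' + b"A" * 5000 + b'"/></r>'                                      # oversized attribute value
```

With the hypothetical defaults, BENIGN passes, BOMB is rejected at its DOCTYPE, DEEP fails the depth limit at the 33rd nested element, and FAT fails the attribute value length limit; raising max_element_depth to 64 lets DEEP through, which is the kind of per-service tuning the Max Element Depth field exists for.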

Enabling or disabling an intrusion prevention rule


You can individually enable and disable intrusion prevention rules. Disabled intrusion
prevention rules can be selected in an XML protection profile, but will not be used when
applying the protection profile.

Caution: Disabling an intrusion prevention rule could allow traffic that the rule would
otherwise block, for every policy in whose XML protection profile you have selected the
rule. For details, see “Configuring XML protection profiles” on page 184.


To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.

To enable or disable an intrusion prevention rule


1 Go to XML Protection > Intrusion Filters > Intrusion Filters.

2 In the row corresponding to the intrusion prevention rule that you want to enable, mark
the check box in the Enable column.
3 In the row corresponding to the intrusion prevention rule that you want to disable, clear
the check box in the Enable column.

Configuring WSDL content routing groups


XML Protection > WSDL Routing > WSDL Routing displays the list of WSDL content
routing groups.
WSDL content routing groups select a set of web service operations from WSDL files that
you can then route to a specific real server when configuring a server farm.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: Before you can create an effective WSDL content routing group, you must first import a
web service definition file. See “Managing WSDL files” on page 181.

Table 69: XML Protection > WSDL Routing > WSDL Routing tab


GUI item Description


Create New Click to add a WSDL content routing group.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Routing Table Count Displays the names of the WSDL files that are used by the WSDL content
routing group.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a server farm.
Click the Edit icon to modify the entry.


To create a WSDL content routing group


1 Go to XML Protection > WSDL Routing > WSDL Routing.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type the name of the content routing group.
This field cannot be modified if you are editing an existing content routing group. To
modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.

6 Configure the following:

GUI item Description


ID Enter the index number of the WSDL operation within the content routing group,
or keep the field’s default value of auto to let the FortiWeb unit automatically
assign the next available index number.
Web Service Select the name of a WSDL file that you uploaded.
Operation Select the name of an operation within the WSDL file you selected. HTTP
requests containing this WSDL operation will be routed to a real server in the
server farm using this WSDL content routing group.

7 Repeat the previous steps for each WSDL operation that you want to add to the
content routing group.
8 If you need to modify a WSDL operation, click its Edit icon. To remove a single WSDL
operation from the content routing group, click its Delete icon. To remove all WSDL
operations from the content routing group, click the Clear icon.
9 Click OK.


To apply a content routing group, select it as the content that will be destined for a specific
real server when configuring a server farm. For more information, see “Grouping physical
and domain servers into server farms” on page 135.

Managing XML signature and encryption keys


Key files contain a key: seed data that an algorithm uses to apply and verify XML
signatures and/or to encrypt or decrypt XML elements. Keys are not used directly; you
must first add a key to a key management group, then select that group in an XML
protection profile. For details, see “Grouping keys into key management groups” on
page 176.

Uploading a key
XML Protection > XML Sig/Enc > Key File displays keys already uploaded to the FortiWeb
unit, and that may be used in a key management group.
If you want to configure XML protection profiles that will apply or validate XML signatures,
or apply XML encryption or decryption, you must first upload a key file.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.

Table 70: XML Protection > XML Sig/Enc > Key File tab


GUI item Description


Import Click to upload a key file. For details, see “Uploading a key” on page 175.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Comments Displays the description of the entry.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a key management group.

Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded
files may not exceed 12 MB.

To upload a key file


1 Go to XML Protection > XML Sig/Enc > Key File.


2 Click Import.
A dialog appears.

3 In Name, enter a descriptive name.


4 In Key File, select the field or click Browse to locate and select the key file that you
want to upload.
5 In Comments, type a description for the key file.
6 Click OK.
The file is uploaded from your management computer. The time required varies by the
size of the file and the speed of your network connection.
7 After uploading key files, before you can use a key in a protection profile, you must first
add the key to a key management group. For details, see “Grouping keys into key
management groups” on page 176.

Grouping keys into key management groups


XML Protection > XML Sig/Enc > Key Management displays the list of key management
groups.
Key management groups pair cryptographic algorithms with keys, and may be selected
when configuring the FortiWeb unit to apply XML signatures, XML encryption or XML
decryption in an XML protection profile.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: Before you can create a key management group, you must first upload one or more
key files. For details, see “Uploading a key” on page 175.

Table 71: XML Protection > XML Sig/Enc > Key Management tab


GUI item Description


Create New Click to add a key management group.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.


Key File Count Displays the number of keys used by the key management group.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a protection profile.
Click the Edit icon to modify the entry.

To create a key management group


1 Go to XML Protection > XML Sig/Enc > Key Management.
2 Click Create New.
A dialog appears that enables you to add members to the key management group.

3 In Name, type the name of the key management group.
This field cannot be modified if you are editing an existing key management group. To
modify the name, delete the entry, then recreate it using the new name.
4 In Comments, type a description for the key management group.
5 Click OK.
6 Click Create New.
A dialog appears.

7 Configure the following:

GUI item Description


ID Enter the index number of the key file and algorithm combination within the key
management group, or keep the field’s default value of auto to let the FortiWeb
unit automatically assign the next available index number.
Key File Select the name of a key file that you uploaded.
Algo Select the name of an encryption algorithm that you want to use with that key.
For algorithms that include the bit strength (for example, 128, 192, or 256), a
higher number indicates stronger security, but may increase load on the
FortiWeb unit.


8 Repeat the previous steps for each key file and algorithm combination that you want to
add to the key management group.
9 If you need to modify an entry, click its Edit icon. To remove a single entry from the
group, click its Delete icon. To remove all entries from the group, click the Clear icon.
10 Click OK.
To apply a key management group, select it when configuring XML signatures, XML
encryption or XML decryption in an XML protection profile. For more information, see
“Configuring XML protection profiles” on page 184.

Managing schema files


XML Protection > Load Schema > Load Schema displays the list of XML schema files
already uploaded to the FortiWeb unit.
Schema files are used by the Schema Validation option in XML protection profiles. For
details, see “Schema Validation” on page 187.

Note: If you enable the Schema Validation option in an XML protection profile but have not
uploaded a schema file, the FortiWeb unit may be unable to perform schema validation, and
traffic matching policies that use that profile could be blocked. For details, see “Schema
Validation” on page 187.

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.

Table 72: XML Protection > Load Schema > Load Schema tab


GUI item Description


Load New Click to upload an uncompressed XML schema file. For details, see
“Managing schema files” on page 178.
Load ZIP Click to upload a ZIP-compressed XML schema file. For details, see
“Managing schema files” on page 178.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Validated Indicates whether or not the schema file has been successfully validated. If
the schema has been uploaded but not yet been validated, you can click
the Edit icon in the right-most column to validate it.
Comments Displays the description of the entry.


Enable Mark the check box to enable use of the schema file if you have enabled
Schema Validation. For details, see “Enabling or disabling a schema file” on
page 180.
(No column heading.) Click the Delete icon to remove the schema. This option does not appear
for the default schemas (RSS 2.0, UBL 1.0, and UBL 2.0).
Click the Edit icon to validate the schema. For details, see “Managing
schema files” on page 178. This option does not appear for the default
schemas.
Click the View icon to display the contents of the schema file in a pop-up
window.

To upload a schema file

Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded
files may not exceed 12 MB.

1 Go to XML Protection > Load Schema > Load Schema.


2 Click either Load New to upload an uncompressed schema file, or Load ZIP to upload
a schema file that is compressed within a ZIP file.
An upload dialog appears whose appearance varies slightly by whether you are
uploading a compressed or uncompressed schema.

Figure 29: Uploading an uncompressed schema

Figure 30: Uploading a compressed schema

3 In Name, type the name of the schema.


4 In Schema File or Schema ZIP File, enter a file name in the field or click Browse to
locate and select the schema file that you want to upload.
5 In Comments, type a description for the schema.
6 Click OK.
The file is uploaded from your management computer. The time required varies by the
size of the file and the speed of your network connection.


7 If you uploaded a compressed schema file, select the root file of the schema from the
Schema File List area, and click the right arrow.

8 Click OK.
The FortiWeb unit validates the root schema file and all child schema files. If a schema is
not successfully validated, such as if a compressed schema is too large, an error
message appears. You may select a different root schema file and attempt the validation
again immediately, or you may validate the schema at another time by clicking its Edit icon
in the list of schema files. However, the FortiWeb unit will not use the schema until it is
validated.
To use the schema to validate requests, you must enable the Schema Validation option in
an XML protection profile used by a policy. For details, see “Schema Validation” on
page 187.

Enabling or disabling a schema file


You can individually enable and disable schema files that you uploaded to the FortiWeb
unit. Disabled schema files will not be used when performing schema validation.

Note: Disabling a schema file could block traffic matching policies in whose XML protection
profile you have enabled the Schema Validation option, because the FortiWeb unit may no
longer be able to perform schema validation. For details, see “Schema Validation” on page 187.

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.

To enable or disable a schema file


1 Go to XML Protection > Load Schema > Load Schema.

2 In the row corresponding to the schema file that you want to enable, mark the check
box in the Enable column.


3 In the row corresponding to the schema file that you want to disable, clear the check
box in the Enable column.

Managing WSDL files


XML Protection > Load WSDL > Load WSDL displays the list of Web Services Description
Language (WSDL) files that have been uploaded to the FortiWeb unit.
If you want to configure protection profiles that will prevent WSDL scans and/or validate
web service operations, you should first upload the WSDL file that defines the acceptable
operations for your web services.
WSDL files cannot be used directly. Instead, a WSDL file must be added to an XML web
service group in order to be selected for use with the WSDL Verify option in an XML
protection profile, or added to a WSDL content routing group in order to be selected for
routing to a specific server in a server farm. For details, see “Grouping WSDL files” on
page 183 and “Configuring WSDL content routing groups” on page 173.

Caution: If you enable the WSDL Verify option in an XML protection profile but have not
uploaded a WSDL file, the FortiWeb unit will not be able to perform WSDL verification, and
traffic matching policies that use that profile could be allowed through. For details, see
“WSDL Verify” on page 187.

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.

Table 73: XML Protection > Load WSDL > Load WSDL tab


GUI item Description


Import Click to upload a WSDL file.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Operations Displays the web service operations defined in the WSDL file.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in an XML web service group.
Click the Edit icon to view details of the entry, or to individually enable or
disable web service operations defined in the WSDL file. For details, see
“Enabling and disabling operations in a WSDL file” on page 182.

To upload a WSDL file

Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded
files may not exceed 12 MB.

1 Go to XML Protection > Load WSDL > Load WSDL.


2 Click Import.
A dialog appears.

3 In Name, type the name of the WSDL file.


4 In WSDL File, enter a WSDL file name in the field or click Browse to locate and select
the WSDL file that you want to upload.
5 Click OK.
The FortiWeb unit validates the WSDL file. If valid, the file is uploaded from your
management computer. The time required varies by the size of the file and the speed
of your network connection.
After uploading WSDL files, you can use them in either:
• a WSDL content routing group (see “Configuring WSDL content routing groups” on
page 173)
• an XML protection profile
In order to use WSDL files in an XML protection profile, you must first create an XML web
service group. For more information, see “Grouping WSDL files” on page 183.
You can also individually enable or disable web service operations within each WSDL file.
For more information, see “Enabling and disabling operations in a WSDL file” on
page 182.

Enabling and disabling operations in a WSDL file


In addition to individually enabling or disabling WSDL files, you can individually enable or
disable web service operations that are defined within each WSDL file.

Caution: Disabling a web service operation could allow traffic matching policies in whose
XML protection profile you enabled the WSDL Verify option, because the FortiWeb unit will
no longer be able to perform full WSDL verification. For details, see “WSDL Verify” on page 187.

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.

To enable or disable a web service operation


1 Go to XML Protection > Load WSDL > Load WSDL.


2 In the row corresponding to the WSDL file that contains the web service operation that
you want to enable or disable, click the Edit icon.
A dialog appears that displays information about the schema namespace URL, web
service URL, and each web service operation that is defined in the WSDL file.

3 In each row corresponding to a web service operation that you want to enable, mark
the check box in the Enable column.
4 In each row corresponding to a web service operation that you want to disable, clear
the check box in the Enable column.
5 Click OK.

Grouping WSDL files


XML Protection > Load WSDL > XML Web Service Group displays the list of groups of
Web Services Description Language (WSDL) files already uploaded to the FortiWeb unit.
XML web service groups are used by the WSDL Verify option in XML protection profiles.
For details, see “WSDL Verify” on page 187.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: Before you can create a web service group, you must first import one or more WSDL
files. See “Managing WSDL files” on page 181.

Table 74: XML Protection > Load WSDL > XML Web Service Group tab


GUI item Description


Create New Click to add an XML web service group.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.


Web Services Displays the WSDL files that are members of the group.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in an XML protection profile.
Click the Edit icon to modify the entry.

To create an XML web service group


1 Go to XML Protection > Load WSDL > XML Web Service Group.
2 Click Create New.
A dialog appears that enables you to select WSDL files to be members of the XML web
service group.

3 In Name, type the name of the XML web service group.


4 In Comments, type a description for the XML web service group.
5 In the Web Services area, click Add.
6 From the Web Service drop-down list, select the name of a WSDL file that you want to
be a member of this group.
7 Repeat the previous two steps for each additional member.
8 Click OK.
To use the XML web service group to validate requests, you must enable the WSDL Verify
option when editing an XML protection profile, then select the web service group from the
drop-down list. Lastly, you must configure a server policy to include the profile. For details,
see “WSDL Verify” on page 187 and “Web Service” on page 187.

Configuring XML protection profiles


XML Protection > XML Protection Profile > XML Protection Profile displays a list of XML
protection profiles.
Protection profiles are a set of attack protection settings. When a connection matches a
policy, the FortiWeb unit applies the protection profile selected for that policy.
Protection profiles are applied by selecting them within a server policy. For details, see
“Configuring server policies” on page 118.

Note: XML protection profiles can be configured at any time, but can be selected in a policy
only while the FortiWeb unit is operating in a mode that supports them. For details, see
Table 45, “Policy behavior by operation mode,” on page 119.

Use SNMP traps to notify you when an XML protection profile has been enforced. For
details, see “Configuring an SNMP community” on page 68.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: Before you can create an effective profile, you need to configure one or more XML
protection features. See “XML protection profile workflow” on page 163.

Table 75: XML Protection > XML Protection Profile > XML Protection Profile tab

GUI item: Description
Create New: Click to add an XML protection profile.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Intrusion Prevention Rule: Displays the name of the intrusion prevention rule used by this XML protection profile.
Filter Rule: Displays the name of the content filter rule used by this XML protection profile.
Schema Validation: Indicates whether or not schema validation is enabled for traffic matching the policy.
If you have disabled the schema file or have not uploaded it to the FortiWeb unit, results of schema validation vary by whether you have also enabled WSDL Verify.
• If this option is enabled, WSDL Verify is enabled, and the schema file does not exist or is disabled, the schema validator will allow the connection.
• If this option is enabled, WSDL Verify is disabled, and the schema file does not exist or is disabled, the schema validator will block the connection.
Schema Poisoning: Indicates whether or not external schema reference prevention is enabled, thereby preventing schema poisoning attacks for traffic matching the policy.
WSDL Scanning Prevention: Indicates whether or not WSDL scanning prevention is enabled for traffic matching the policy.
External Entity Attack Prevention: Indicates whether or not external entity attack prevention is enabled for traffic matching the policy.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server policy. Click the Edit icon to modify the entry.

To create an XML protection profile


1 Go to XML Protection > XML Protection Profile > XML Protection Profile.

2 Click Create New.


A dialog appears that enables you to configure the XML protection profile.

3 Configure the following:

GUI item: Description
Name: Enter the name of the XML protection profile.
Intrusion Prevention Rule: Select an existing intrusion prevention rule. For details, see “Configuring intrusion prevention rules” on page 170.
Filter Rule: Select an existing content filter rule. For details, see “Configuring content filter rules” on page 166.

Schema Validation: Enable to validate the schema for traffic matching the policy.
This option may require that you first upload a schema file to the FortiWeb unit, and enable it.
• If this option is enabled, and WSDL Verify is enabled, and the schema file does not exist or is disabled, the schema validator will allow the connection.
• If this option is enabled, and WSDL Verify is disabled, and the schema file does not exist or is disabled, the schema validator will block the connection.
For details on uploading a schema file, see “Managing schema files” on page 178.
Schema Poisoning: Enable to prevent external schema references, and thereby prevent schema poisoning attacks, for traffic matching the policy.
This option does not permit schema referencing by URL for security reasons, and requires that you upload a schema. For details, see “Managing schema files” on page 178.
External Entity Attack Prevention: Enable to prevent external entity attacks for traffic matching the policy.
WSDL Scanning Prevention: Enable to prevent WSDL scanning for traffic matching the policy.
WSDL Verify: Enable to verify that, for traffic matching the policy, the connection uses web service operations that are valid for that web service according to the WSDL file.
This option requires that you first upload a WSDL file to the FortiWeb unit. See “Managing WSDL files” on page 181.
WSDL verify action: This option appears only if WSDL Verify is enabled. Select which action the FortiWeb unit will take if the connection fails WSDL verification.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
Web Service: This option appears only if WSDL Verify is enabled. Select the XML web service group to use for verification of the request, or select Create New to create a new XML web service group in a pop-up window, without leaving the current page. For details, see “Grouping WSDL files” on page 183. To create a group, you first need to upload a WSDL file. See “Managing WSDL files” on page 181.
XML SIG: Enable to validate XML signatures for forward traffic. Also configure XML SIG action and Key Info. For the XML signature specification, see http://www.w3.org/TR/xmldsig-core/.
XML SIG action: This option appears only if XML SIG is enabled. Select the action that the FortiWeb unit will take if the forward traffic fails XML signature verification.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
XML ENC: Enable to decrypt XML for forward traffic. Also configure XML ENC action and Key Info.
For the XML encryption/decryption specification, see http://www.w3.org/TR/xmlenc-core/.
XML ENC action: This option appears only if XML ENC is enabled. Select which action the FortiWeb unit will take if the forward traffic fails XML decryption.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
Key Info: This option appears only if XML SIG is enabled. Select an existing key management group to use for XML signature verification and/or decryption of forward traffic. For details, see “Grouping keys into key management groups” on page 176.
XML reverse SIG: Enable to sign reply traffic with XML signatures. Also configure XML reverse SIG key and XML reverse SIG XPATH. For the XML signature specification, see http://www.w3.org/TR/xmldsig-core/.
XML reverse SIG key: Select which key management group will be used for XML signing of reply traffic, or select Create New to upload a new key management group in a pop-up window, without leaving the current page. For details, see “Grouping keys into key management groups” on page 176.
This option appears only if XML reverse SIG is enabled.
XML reverse SIG XPATH: Click the Edit icon and enter an XPath expression that matches XML elements in reply traffic to which you want to apply XML signatures.
This option appears only if XML reverse SIG is enabled.
XML reverse ENC: Enable to encrypt XML reply traffic. Also configure XML reverse ENC key and XML reverse ENC XPATH.
For the XML encryption/decryption specification, see http://www.w3.org/TR/xmlenc-core/.
XML reverse ENC key: Select which key management group will be used for XML encryption of reply traffic, or select Create New to upload a new key management group in a pop-up window, without leaving the current page. For details, see “Grouping keys into key management groups” on page 176.
This option appears only if XML reverse ENC is enabled.
XML reverse ENC XPATH: Click the Edit icon and enter an XPath expression that matches XML elements in reply traffic to which you want to apply XML encryption.
This option appears only if XML reverse ENC is enabled.
SQL Injection Prevention: Enable to prevent SQL injection attacks by blocking requests that contain SQL statements.
SQL Injection Prevention Action: Select which action the FortiWeb unit will take if the connection contains SQL statements.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
This option appears only if SQL Injection Prevention is enabled.
Non-XML traffic: Enable to accept HTTP requests that do not contain Content-Type: text/xml in the HTTP header. This may be required if the web service uses representational state transfer (REST) instead of SOAP. Disable to reject non-XML HTTP requests.
Comments: Enter a description for the XML protection profile.
4 Click OK.
To apply an XML protection profile, you must select it in a policy. For details, see
“Configuring server policies” on page 118.
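The following is an added example, not FortiWeb code, that models three of the profile checks described above on a SOAP request: the Non-XML traffic setting, External Entity Attack Prevention, and WSDL Verify with its action applied against the operations enabled in an uploaded WSDL. The WSDL, the requests, the profile dictionary and its key names are all constructed for the example.

```python
"""Added example, not FortiWeb code: a minimal model of three checks an XML
protection profile applies to a request: the Non-XML traffic setting,
External Entity Attack Prevention, and WSDL Verify with its action.
The WSDL, the requests and the profile dict are constructed here."""
import xml.etree.ElementTree as ET
import xml.parsers.expat

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed WSDL with two operations, as an uploaded WSDL file would define them.
SAMPLE_WSDL = f"""<definitions xmlns="{WSDL_NS}" name="Quotes">
  <portType name="QuotePort">
    <operation name="GetQuote"/>
    <operation name="DeleteQuote"/>
  </portType>
</definitions>"""


class DoctypeFound(Exception):
    """Raised inside the expat handler to abort parsing at the DOCTYPE."""


def wsdl_operations(wsdl_text: str) -> set:
    """Operation names defined in a WSDL: the rows the Managing WSDL files
    dialog lets you enable or disable one by one."""
    root = ET.fromstring(wsdl_text)
    return {op.get("name") for op in root.iter(f"{{{WSDL_NS}}}operation")}


def contains_doctype(body: bytes) -> bool:
    """Model of External Entity Attack Prevention: entity declarations can
    only live in a DOCTYPE, so parsing is aborted the moment one is seen,
    before any entity could be expanded or fetched."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeFound(name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(body, True)
    except DoctypeFound:
        return True
    except xml.parsers.expat.ExpatError:
        return False  # not well-formed; soap_operation() rejects it below
    return False


def soap_operation(body: bytes) -> str:
    """Local name of the first child of the SOAP Body, i.e. the operation
    the request invokes. Returns '' when there is none."""
    try:
        env = ET.fromstring(body)
    except ET.ParseError:
        return ""
    soap_body = env.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return ""
    return soap_body[0].tag.split("}")[-1]


def check_request(headers: dict, body: bytes, profile: dict) -> str:
    """Verdict for one request, using the profile's own action names:
    'Accept', 'Alert', 'Deny' or 'Alert & Deny'."""
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type != "text/xml":
        # Non-XML traffic: accept if enabled (e.g. a REST service), else reject.
        return "Accept" if profile["non_xml_traffic"] else "Deny"
    if profile["external_entity_attack_prevention"] and contains_doctype(body):
        return "Deny"
    if profile["wsdl_verify"]:
        if soap_operation(body) not in profile["enabled_operations"]:
            return profile["wsdl_verify_action"]
    return "Accept"


# Constructed profile: WSDL Verify on, DeleteQuote disabled in the WSDL dialog.
PROFILE = {
    "non_xml_traffic": False,
    "external_entity_attack_prevention": True,
    "wsdl_verify": True,
    "wsdl_verify_action": "Alert & Deny",
    "enabled_operations": wsdl_operations(SAMPLE_WSDL) - {"DeleteQuote"},
}
XML_HEADERS = {"Content-Type": "text/xml; charset=utf-8"}
# Constructed prolog declaring an external entity (placeholder URL).
XXE_PROLOG = '<!DOCTYPE q [<!ENTITY ext SYSTEM "http://example.invalid/x">]>'


def soap(operation: str, prolog: str = "") -> bytes:
    """Build a constructed SOAP 1.1 request invoking 'operation'."""
    return (prolog + f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
            f'<{operation} xmlns="urn:quotes"/></soapenv:Body></soapenv:Envelope>').encode()


if __name__ == "__main__":
    for label, hdrs, body in [("enabled op", XML_HEADERS, soap("GetQuote")),
                              ("disabled op", XML_HEADERS, soap("DeleteQuote")),
                              ("DOCTYPE", XML_HEADERS, soap("GetQuote", XXE_PROLOG)),
                              ("non-XML", {"Content-Type": "application/json"}, b"{}")]:
        print(f"{label:12s} -> {check_request(hdrs, body, PROFILE)}")
```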

Web protection
This chapter describes the Web Protection menu. It contains features that act upon HTTP
requests, HTTP headers, HTML documents, and cookies.
This chapter includes the following topics:
• Order of execution
• Responding to web protection rule violations
• Configuring HTTP parameter validation rules
• Configuring page access rules
• Configuring server protection rules
• Configuring start page rules
• Configuring URL access policy
• Configuring an IP list policy
• Configuring brute force login profiles
• Configuring robot control profiles
• Configuring allowed request method policy
• Configuring hidden field protection profiles
• Configuring URL rewriting policy
• Configuring HTTP protocol constraint profiles
• Configuring authentication policy
• Configuring file upload restriction policy
• Configuring inline protection profiles
• Configuring offline protection profiles
• Applying auto-learning profiles

Web protection profile workflow


Web protection profiles fall into two categories: inline and offline. (A related profile, auto-learning, has a distinctly different workflow. See “Auto-learning profile workflow” on page 278.)
Creating a web protection profile involves multiple activities. The number and sequence of
steps depends on what you wish to achieve. All steps are optional, though some steps
have dependencies on others.
• Several web protection features include an option to include a trigger policy. To use this
option, first create one or more logging policies and trigger policies. See “Log
configuration workflow” on page 313.
• Configure one or more file upload restriction rules followed by one or more file upload
restriction policies for use in inline or offline protection profiles. See “Configuring file
upload restriction policy” on page 263.
• Configure one or more allow request method policies for use in inline or offline
protection profiles. See “Configuring allowed request method policy” on page 235.

• Configure one or more URL access rules followed by one or more URL access policies
for use in inline or offline protection profiles. See “Configuring URL access policy” on
page 216.
• Configure one or more server protection rules for use in inline or offline protection
profiles. See “Configuring server protection rules” on page 201.
• Configure one or more page access rules for use in an inline protection profile. See
“Configuring page access rules” on page 198.
• Configure one or more input rules followed by one or more parameter validation rules
for use in inline or offline protection profiles. See “Configuring HTTP parameter
validation rules” on page 192.
• Configure one or more hidden fields rules followed by one or more hidden fields
protection policies for use in inline or offline protection profiles. See “Configuring
hidden field protection profiles” on page 239.
• Configure one or more start page policies for use in an inline protection profile. See
“Configuring start page rules” on page 213.
• Configure one or more brute force login policies for use in an inline protection profile.
See “Configuring brute force login profiles” on page 224.
• Configure one or more robot control policies for use in inline or offline protection
profiles. See “Configuring robot control profiles” on page 227. Optionally, configure a
custom robot control to include in the policy. See “Configuring custom protection
groups” on page 209.
• Configure one or more IP list policies for use in inline or offline protection profiles. See
“Configuring an IP list policy” on page 220.
• Configure one or more URL rewriting rules followed by one or more URL rewriting
policies for use in an inline protection profile. See “Configuring URL rewriting policy” on
page 244.
• Configure one or more authentication rules followed by one or more authentication
policies for use in an inline protection profile. See “HTTP authentication policy
workflow” on page 259. Before you can create effective authentication rules, you must
first configure users and user groups. See “User creation workflow” on page 107.
• After you complete the applicable previous activities, configure one or more inline
protection profiles (see “Inline protection profile workflow” on page 268) or offline
protection profiles (see “Offline protection profile workflow” on page 274).

Order of execution
FortiWeb units perform each of the web protection profile scans and other actions in the
following sequence, from the top of the table towards the bottom. Disabled scans are
skipped.

Note: The blocking style varies by feature and configuration. For example, when detecting
cookie poisoning, instead of resetting the HTTP connection, you could log and remove the
offending cookie. For details, see each specific feature.

Table 76: Execution sequence of web protection techniques

Scan/action: Involves
Request from client to server
IP (client IP list policy): Source IP address of the client

Brute Force Login: Source IP address of the client and URL in the HTTP header
Standalone IP Access Limit / Share IP Access Limit (malicious robot/client rate limiting): Source IP address of the client
HTTP Authentication Policy: Authorization:
HTTP Protocol Constraints: Content-Length:, parameter length, body length, header length, and header line length
Host (protected real or virtual host): Host:
Cookie Poison: Cookie:
Start Pages: Host:, URL in HTTP header, and session state
Page Access Rule: Host:, URL in HTTP header, and session state
URL Access Policy: Host:, URL in HTTP header
Allow Request Method: Host:, URL in HTTP header, and request method in HTTP header
Robot Control: User-Agent:
Parameter Validation Rule: Host:, URL in the HTTP header, and visible inputs’ name, data type, and length
Hidden Fields Protection Rule: Host:, URL in the HTTP header, and invisible inputs’ name, data type, and length
Cross-Site Scripting, SQL Injection, Common Exploits: Inputs
URL Rewriting Policy: Host: and URL in HTTP header
Reply from server to client
Information Disclosure: Server-identifying custom HTTP headers and error messages such as Server:
Credit Card Detection: Credit card number in the body, and, if configured, Credit Card Detection Threshold

Responding to web protection rule violations


The FortiWeb unit responds to web protection rule violations according to predefined violation controls. The violation controls are associated with web protection rules using the Action, Severity, and Trigger Policy or Trigger Action fields associated with each rule type. See Table 77 on page 192 for a description.
While every violation is recorded by the FortiWeb unit in a log message, you can control the specific response on a per-violation basis.

Table 77: Rule violation controls

Action
Description: Defines the action FortiWeb takes when a violation of the rule occurs. The specific actions associated with a violation depend on the type of violation. The Action drop-down menu for each rule includes only the actions that apply to that particular rule. Select the specific action you want FortiWeb to perform when the associated violation occurs. The default action for each type of violation is Alert. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
Options:
• Alert: Accept the connection and generate an alert and/or log message.
• Alert & Deny: Block the connection and generate an alert and/or log message.
• Redirect: Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message. For details, see “Redirect URL” on page 273.
• Send 403 Forbidden: Reply with an HTTP 403 (Access Forbidden) error message and generate an alert and/or log message.
• Pass: Allow the request. Similar to alert but does not generate an alert and/or log message.
• Continue: Allow the request, applying any subsequent rules defined in the web protection profile. See “Order of execution” on page 190.
• Alert: Do not cloak, except for removing sensitive headers. (Sensitive information in the body remains unaltered.) Accept the connection and generate an alert and/or log message.
• Alert & Erase: Hide replies with sensitive information (sometimes called “cloaking”). Block the connection or remove the sensitive information, and generate an alert and/or log message.
Note: This option is not fully supported in offline protection mode. Only an alert and/or log message can be generated; sensitive information will not be blocked or erased.

Severity
Description: Defines the severity level associated with the rule violation. Select the severity level you want to assign to the violation.
Options: Each violation type has a configurable severity. You can configure each violation type to be recorded and reported as either Low, Medium or High severity. The severity of the violation is recorded in the log message associated with the violation.

Trigger Policy or Trigger Action
Description: Defines who gets notified when a violation of the rule occurs. Select the trigger policy you want FortiWeb to perform when the associated rule violation occurs. There is no default trigger action.
Options: Trigger Action or Trigger Policy lists predefined trigger policies, if any exist. Select the appropriate policy. Trigger policies contain email policies that determine who will receive an alert email when the violation occurs, and/or whether the log message is recorded in a Syslog server or by FortiAnalyzer. For more information, see “Configuring trigger policies” on page 322.

Configuring HTTP parameter validation rules


Web Protection > Parameter Validation Rule > Parameter Validation Rule displays the list
of parameter validation rules.
The parameter validation rules are composed of individual HTTP input rules. The HTTP input rules define whether or not certain parameters are required in HTTP requests, and if so, the maximum allowed length of the parameter. Each HTTP input rule can be associated with a specific URL and/or host name.
If a single HTTP request includes multiple identical parameters, the HTTP parameter validation rules are enforced for all instances of the parameter within the HTTP request.

Parameter validation rules are applied by selecting them within an inline or offline
protection profile. For details, see “Configuring inline protection profiles” on page 268 or
“Configuring offline protection profiles” on page 274.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: Before you can configure an effective parameter validation rule, you must configure
one or more input rules. See “Configuring parameter validation input rules” on page 194.

Table 78: Web Protection > Parameter Validation Rule > Parameter Validation Rule tab

GUI item: Description
Create New: Click to add a parameter validation rule.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Rule Count: Displays the number of individual rules contained in the entry.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile. Click the Edit icon to modify the entry.

To configure a parameter validation rule


1 Go to Web Protection > Parameter Validation Rule > Parameter Validation Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type the name of the parameter validation rule.
This field cannot be modified if you are editing an existing parameter validation rule. To
modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.

6 Configure the following:

GUI item: Description
ID: Enter the index number of the input rule within the parameter validation rule, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.
Input Rule: Select the name of an input rule. For information on input rules, see “Configuring parameter validation input rules” on page 194.
Note: If you want to view the information associated with the input rule used by this parameter validation rule, select the Detail link beside the Input Rule list. A read-only version of the Edit Input Rule window opens.

7 Repeat the previous steps for each input rule that you want to add to the parameter
validation rule.
8 To modify an input rule, click its Edit icon. To remove a single input rule from the
parameter validation rule, click its Delete icon. To remove all input rules from the
parameter validation rule, click the Clear icon.
9 Click OK.
To apply the parameter validation rule, select it in an inline or offline protection profile.
For details, see “Configuring inline protection profiles” on page 268 or “Configuring
offline protection profiles” on page 274.
Attack log messages contain DETECT_PARAM_RULE_FAILED when this feature
detects a parameter rule violation.

Tip: If you do not want sensitive inputs such as passwords to appear in the attack logs’
packet payloads, you can obscure them. For details, see “Obscuring sensitive data in the
logs” on page 329.
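The following is an added example, not FortiWeb code, that models how one input rule inside a parameter validation rule is matched (Host, Request URL and its type) and enforced per parameter (Name, Max Length, Required, type check), including the point made above that every instance of a repeated parameter is checked and that a violation is logged as DETECT_PARAM_RULE_FAILED. The rule, the host name www.example.com, the dictionary key names and the sample requests are all constructed for the example.

```python
"""Added example, not FortiWeb code: a model of how an input rule inside a
parameter validation rule is matched and enforced. The rule, the host name
and the sample requests are constructed here."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed input rule for a login page. pattern=None means no type check;
# max_length=0 disables the length limit, as in the Max Length field.
LOGIN_RULE = {
    "host_status": True,
    "host": "www.example.com",
    "request_url": "/login.php",
    "request_url_type": "Simple String",  # or "Regular Expression"
    "action": "Alert & Deny",
    "rules": [
        {"name": "username", "max_length": 32, "required": True,
         "pattern": r"^[A-Za-z0-9_.-]+$"},
        {"name": "password", "max_length": 128, "required": True, "pattern": None},
        {"name": "remember", "max_length": 0, "required": False, "pattern": r"^[01]$"},
    ],
}


def rule_matches(rule: dict, host: str, path: str) -> bool:
    """Host Status limits the rule to one protected host; the URL is compared
    literally or as a regular expression depending on Request URL Type."""
    if rule["host_status"] and host.lower() != rule["host"].lower():
        return False
    if rule["request_url_type"] == "Regular Expression":
        return re.search(rule["request_url"], path) is not None
    return path == rule["request_url"]


def request_params(query: str, body: str) -> list:
    """All (name, value) pairs of a request. Repeated names are kept because
    every instance of a parameter is validated, not just the first."""
    return parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)


def evaluate(rule: dict, method: str, url: str, host: str, body: str = "") -> list:
    """Return the violations as (parameter, reason) pairs; [] means the request
    passed this rule. Parameters the rule does not name are not checked."""
    parts = urlsplit(url)
    if not rule_matches(rule, host, parts.path):
        return []  # rule does not apply to this request
    params = request_params(parts.query, body if method == "POST" else "")
    present = {name for name, _ in params}
    violations = []
    for pr in rule["rules"]:
        if pr["required"] and pr["name"] not in present:
            violations.append((pr["name"], "missing required parameter"))
        for name, value in params:
            if name != pr["name"]:
                continue
            if pr["max_length"] and len(value) > pr["max_length"]:
                violations.append((name, f"length {len(value)} > {pr['max_length']}"))
            if pr["pattern"] and not re.search(pr["pattern"], value):
                violations.append((name, "value fails type check"))
    return violations


def decide(rule: dict, violations: list) -> tuple:
    """Map the outcome to the rule's Action and the attack log message ID."""
    if not violations:
        return ("Allow", None)
    return (rule["action"], "DETECT_PARAM_RULE_FAILED")


if __name__ == "__main__":
    samples = [
        "username=alice&password=s3cret&remember=1",            # clean
        "username=alice&username=" + "x" * 40 + "&password=p",  # repeated parameter
        "password=p&remember=yes",                              # missing + bad type
    ]
    for body in samples:
        v = evaluate(LOGIN_RULE, "POST", "/login.php", "www.example.com", body)
        print(decide(LOGIN_RULE, v), v)
```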

Configuring parameter validation input rules


Web Protection > Parameter Validation Rule > Input Rule displays the list of parameter
validation input rules.
Input rules define whether or not parameters are required, and their maximum allowed
length, for HTTP requests matching the Host: in the HTTP header and URL defined in
the input rule.
Unlike hidden field groups, input rules are for visible inputs only. For information on
constraining hidden inputs, see “Configuring hidden field rules” on page 241.
Each input rule contains one or more individual rules. This enables you to define, within
one input rule, all parameter restrictions that apply to HTTP requests matching that URL
and host name.

For example, one web page might have multiple inputs: a user name, password, and a
preference for whether or not to remember the login. Within the input rule for that web
page, you could define separate rules for each parameter in the HTTP request: one rule
for the user name parameter, one rule for the password parameter, and one rule for the
preference parameter.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 79: Web Protection > Parameter Validation Rule > Input Rule tab

GUI item: Description
Create New: Click to add an input rule.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Host: Displays the IP address or fully qualified domain name (FQDN) of the real or virtual host as it appears in the Host: field of the HTTP header of requests to which the entry applies.
Request URL: Displays the URL, such as /index.php, as it appears in the HTTP request to which the entry applies.
Action: Displays the action taken by FortiWeb when a violation of the input rule occurs. For information, see “Responding to web protection rule violations” on page 191.
Rule Count: Displays the number of individual rules contained in the entry.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a parameter validation rule. Click the Edit icon to modify the entry.

Before you configure an input rule, if you want to apply it only to HTTP requests for a
specific real or virtual host, you must first define the web host in a protected hosts group.
For details, see “Configuring protected servers” on page 147.

To configure an input rule


1 Go to Web Protection > Parameter Validation Rule > Input Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type the name of the input rule.


This field cannot be modified if you are editing an existing input rule. To modify the
name, delete the entry, then recreate it using the new name.


4 Configure the following:

GUI item: Description
Host Status: Enable to apply this input rule only to HTTP requests for specific web hosts. Also configure Host.
Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.
Host: Select the IP address or FQDN of a protected host.
Request URL: Depending on your selection in Request URL Type, type either:
• the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
• a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.
Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list.
To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
Request URL Type: Select whether the Request URL field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).

Action, Severity and Trigger Policy: The Action, Severity and Trigger Policy drop-down menus allow you to control what the FortiWeb unit will do when it detects a specific violation such as an attack, suspicious request or other threat. Each violation can be uniquely configured.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
Note: If a WAF Auto Learning Profile will be selected in the policy with profiles that use this rule, you should select Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.
For information on Action, Severity and Trigger Policy settings, see “Responding to web protection rule violations” on page 191.
5 Click OK.
6 Click Create New.
A dialog appears.
7 Configure the following:

GUI item Description


ID Enter the index number of the individual rule within the group of input rules, or
keep the field’s default value of auto to let the FortiWeb unit automatically
assign the next available index number.
Name Type the name of the input as it appears in the HTTP content, such as
username.
Max Length Type the maximum allowed length of the parameter value.
To disable the length limit, type 0.
Required Enable if the parameter is required for HTTP requests to this combination of
Host: field and URL.
Use Type Enable to display Argument Type and Data Type settings.
Check
Argument When Use Type Check is enabled, select one of:
Type • Data Type - use one of the predefined data types.
• Regular Expression - define a regular expression.
• Custom Data Type - use one of the custom data types.


Data Type Select a predefined data type. For information on data types, see “Viewing the
list of predefined data types” on page 152.
This option is only available when the Argument Type is Data Type.
Regular Type a regular expression that matches all valid values, and no invalid values,
Expression for this input.
To create and test a regular expression, click the >> (test) icon. This opens the
Regular Expression Validator window where you can fine-tune the expression.
This option is only available when the Argument Type is Regular Expression.
Custom Data Select a custom data type. For information on custom data types, see “Creating
Type custom data types” on page 156.
This option is only available when the Argument Type is Custom Data Type.
8 Repeat the previous steps for each individual rule that you want to add to the group of
input rules.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the
group of input rules, click its Delete icon. To remove all individual rules from the group
of input rules, click the Clear icon.
10 Click OK.
To apply the input rule, select it in a parameter validation rule. For details, see
“Configuring HTTP parameter validation rules” on page 192.
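The checks an input rule expresses (Request URL as literal or regular expression, an optional Host restriction, and per-parameter Name, Max Length, Required and type check) can be seen end to end in the following Python model. It is an added illustration written for this edit, not FortiWeb code; the InputRule and InputRuleGroup classes, the validate() function, the LOGIN_RULES example and its sample requests are assumptions made for the example, and the matching semantics mirror the GUI descriptions above rather than FortiWeb's engine.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of one group of input rules. Field names follow the
# GUI items described in the text; the matching logic is an illustration.

@dataclass
class InputRule:
    name: str                      # parameter name as it appears in the request
    max_length: int = 0            # 0 disables the length limit
    required: bool = False         # parameter must be present for matching URLs
    pattern: Optional[str] = None  # regex the whole value must match (Use Type Check)

@dataclass
class InputRuleGroup:
    request_url: str               # Request URL (literal or regex)
    url_is_regex: bool = False     # Request URL Type
    host: Optional[str] = None     # None applies regardless of the Host: header
    rules: list = field(default_factory=list)

    def matches(self, host: str, path: str) -> bool:
        """Does this group apply to the request's Host: header and URL path?"""
        if self.host is not None and host.lower() != self.host.lower():
            return False
        if self.url_is_regex:
            return re.search(self.request_url, path) is not None
        return path == self.request_url

def validate(group: InputRuleGroup, host: str, path: str, params: dict) -> list:
    """Return a list of violation strings; empty if the request passes every rule
    (or if the group does not apply to this host/URL at all)."""
    if not group.matches(host, path):
        return []
    violations = []
    for rule in group.rules:
        value = params.get(rule.name)
        if value is None:
            if rule.required:
                violations.append(f"{rule.name}: required parameter missing")
            continue
        if rule.max_length and len(value) > rule.max_length:
            violations.append(f"{rule.name}: length {len(value)} exceeds {rule.max_length}")
        # Type check: the whole value must match, so a quote or space in a
        # username that only allows [A-Za-z0-9_.-] is rejected.
        if rule.pattern and re.fullmatch(rule.pattern, value) is None:
            violations.append(f"{rule.name}: value fails type check")
    return violations

# Constructed example group: every .php URL on www.example.com.
LOGIN_RULES = InputRuleGroup(
    request_url=r"^/.*\.php$", url_is_regex=True, host="www.example.com",
    rules=[
        InputRule("username", max_length=32, required=True, pattern=r"[A-Za-z0-9_.-]+"),
        InputRule("password", max_length=128, required=True),
        InputRule("remember", pattern=r"0|1"),
    ],
)
```

A request for /index.html, or for the same path on a different Host:, returns no violations because the group simply does not apply; only requests the group matches are checked against its rules.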

Configuring page access rules


Web Protection > Page Access Rule > Page Access Rule displays the list of page access
rules.
Page access rules define URLs that must be accessed in a specific order, such as to
enforce the business logic of a web application. Requests for other, non-ordered URLs
may interleave ordered URLs during the client’s session. Page access rules may be
specific to a web host.
For example, an e-commerce application might be designed to work properly in this order:
1 A client begins a session by adding an item to a shopping cart. (/addToCart.do?*)
2 The client either views and adds additional items to the shopping cart, or proceeds
directly to the checkout.
3 The client confirms the items to purchase. (/checkout.do)
4 The client provides shipping information. (/shipment.do)
5 The client pays for the items and shipment, completing the transaction.
(/payment.do)
Sessions that begin at the shipping or payment stage should therefore be invalid. If the
web application does not enforce this rule itself, it could be open to cross-site request
forgery (CSRF) attacks on the payment feature. To prevent such abuse, the FortiWeb unit
could enforce the rule itself using a page access rule set with the following order:
1 /addToCart.do?item=*
2 /checkout.do?login=*
3 /shipment.do
4 /payment.do
Attempts to request /payment.do before those other URLs during a session would be
denied, and generate an alert and/or attack log message (see “Configuring and enabling
logging” on page 323).


Use SNMP traps to notify you when a page access rule has been enforced. For details,
see “Configuring an SNMP community” on page 68.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 80: Web Protection > Page Access Rule > Page Access Rule tab


GUI item Description


Create New Click to add a page access rule.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Rule Count Displays the number of individual rules contained in the entry.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in an inline protection profile.
Click the Edit icon to modify the entry.

To configure a page access rule


Before you configure a page access rule, if you want to apply it only to HTTP requests for
a specific real or virtual host, you must first define the web host in a protected hosts group.
For details, see “Configuring protected servers” on page 147.
1 Go to Web Protection > Page Access Rule > Page Access Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.


3 In Name, type the name of the page access rule.


This field cannot be modified if you are editing an existing page access rule. To modify
the name, delete the entry, then recreate it using the new name.


4 Configure the following:


GUI item Description
Severity Select the severity level you want FortiWeb to use in the records and
reports generated when a page access rule is violated.
You can configure the severity to be either Low, Medium or High.
Trigger Policy Select the trigger policy you want FortiWeb to apply when a page
access rule is violated.
Trigger policies determine who will be notified by email when the
violation occurs, and whether a log message associated with the
violation is recorded in Syslog or FortiAnalyzer.
For more information, see “Configuring trigger policies” on page 322.

5 Click OK.
6 Click Create New.
A dialog appears.

7 Configure the following:

GUI item Description


ID Type the index number of the individual rule within the page access rule, or
keep the field’s default value of auto to let the FortiWeb unit automatically
assign the next available index number.
Page access rules should be added to the set in the order which clients will be
permitted to access them.
For example, if a client must access /login.asp before /account.asp, add
the rule for /login.asp first.
Host Select the name of a protected host that the Host: field of an HTTP request
must be in order to match the page access rule.
This option is available only if Host Status is enabled.
Host Status Enable if you want the page access rule to apply only to HTTP requests for a
specific web host. Also configure Host.
URL Pattern Depending on your selection in Type, enter either:
• the literal URL, such as /cart.php, that the HTTP request must contain in
order to match the page access rule. The URL must begin with a slash ( / ).
• a regular expression, such as ^/.*\.php$, matching all and only the URLs to
which the page access rule should apply (escape the dot; an unescaped .
matches any character). The pattern is not required to begin with a slash ( / ).
However, it must at least match URLs that begin with a slash, such as /cart.cfm.
Do not include the name of the web host, such as www.example.com, which is
configured separately in the Host drop-down list.
To create and test a regular expression, click the >> (test) icon. This opens the
Regular Expression Validator window where you can fine-tune the expression.
Type Select whether URL Pattern is a Simple String (that is, a literal URL) or a
Regular Expression.


8 Repeat the previous steps for each individual rule that you want to add to the page
access rule.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the
page access rule, click its Delete icon. To remove all individual rules from the page
access rule, click the Clear icon.
10 Click OK.
To apply the page access rule, select it in an inline protection profile. For details, see
“Configuring inline protection profiles” on page 268.

Note: In order for page access rules to be enforced, you must also enable “Session
Management” on page 271 in the inline protection profile.

Attack log messages contain DETECT_PAGE_RULE_FAILED when this feature detects
a request for a URL that violates the required sequence of URLs within a session.
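The ordering semantics described above (ordered URLs must be reached in sequence, non-ordered URLs may interleave, earlier steps may be revisited, and progress is tracked per session) can be modelled as a small state machine. The following Python is an added illustration written for this edit, not FortiWeb code. The rule entries, the SessionTracker class and the log line format are assumptions made for the example; the session identifier is taken as given, since in the product it comes from Session Management, and the "?item=*" notation from the text is treated as "any query string".

```python
import re
from typing import Dict, List, Tuple

# Hypothetical page access rule mirroring the e-commerce example in the text.
# Each entry is (pattern, is_regex); only the path is compared, so any query
# string is accepted (the "?item=*" / "?login=*" entries of the example).
PAGE_ACCESS_RULE: List[Tuple[str, bool]] = [
    (r"^/addToCart\.do$", True),
    (r"^/checkout\.do$", True),
    ("/shipment.do", False),
    ("/payment.do", False),
]

def _step_for(path: str) -> int:
    """Index of the ordered step a path belongs to, or -1 if the URL is not ordered."""
    for i, (pattern, is_regex) in enumerate(PAGE_ACCESS_RULE):
        if re.search(pattern, path) if is_regex else path == pattern:
            return i
    return -1

class SessionTracker:
    """Tracks, per session, the furthest ordered step a client has legitimately reached."""

    def __init__(self) -> None:
        self.progress: Dict[str, int] = {}   # session id -> highest step reached
        self.log: List[str] = []             # constructed attack-log lines

    def request(self, session_id: str, url: str) -> bool:
        """Return True if the request is allowed, False if it breaks the sequence."""
        path = url.split("?", 1)[0]
        step = _step_for(path)
        if step < 0:
            return True                      # non-ordered URLs may interleave freely
        reached = self.progress.get(session_id, -1)
        # Allowed: any step already reached (revisiting the cart) or the next one.
        if step <= reached + 1:
            self.progress[session_id] = max(reached, step)
            return True
        self.log.append(f"DETECT_PAGE_RULE_FAILED session={session_id} url={path}")
        return False
```

A session whose first ordered request is /payment.do is denied immediately, which is exactly the CSRF-style jump the text describes; the same client can still fetch images, stylesheets or help pages at any point without affecting its position in the sequence.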

Configuring server protection rules


Web Protection > Server Protection Rule > Server Protection Rule displays the list of
server protection rules.
Server protection rules enable and configure actions for several security features
specifically designed to protect web servers, such as:
• cross-site scripting (XSS) attack prevention
• SQL injection prevention
• sensitive information disclosure prevention
• prevention of other injection attacks
• prevention of credit card data leaks
In addition to scanning standard requests, server protection rules can also scan action
message format 3.0 (AMF3) binary inputs used by Adobe Flash clients to communicate
with server-side software. For more information, see “Enable AMF3 Protocol Detection” on
page 274 (for inline protection profiles) or “Enable AMF3 Protocol Detection” on page 278
(for offline protection profiles).
Attack definitions can be updated. For information on uploading a new set of attack
definitions, see “Uploading signature updates” on page 101.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: To extend the scope and versatility of a server protection rule, you can create and
incorporate exceptions (see “Configuring server protection exceptions” on page 207) and
custom protection groups (see “Configuring custom protection groups” on page 209).


Table 81: Web Protection > Server Protection Rule > Server Protection Rule tab


GUI item Description


Create New Click to add a server protection rule.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Extended Signature Indicates whether or not to use an extended set of attack definitions, which
Set contains more attack definitions on top of the default set of attack
definitions.
• Basic: a basic set of signatures
• Enhanced: an enhanced set of signatures, which also includes the basic
set
• Full: a full set of signatures, which also includes the basic set and
enhanced set
• Disable: the extended signature set is not used
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in an inline or offline protection profile.
Click the Edit icon to modify the entry.
Click the View icon to view a predefined entry.
Click Clone to create a new entry based on a predefined entry.

Before you configure a server protection rule, if you want to apply any exceptions, you
must first define the server protection exception. For details, see “Configuring server
protection exceptions” on page 207.

Tip: Alternatively, you can automatically configure a server protection rule that detects all
attack types by generating a default auto-learning profile. For details, see “Generating an
auto-learning profile and its components” on page 281.

To configure a server protection rule


1 Go to Web Protection > Server Protection Rule > Server Protection Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A new dialog appears.


Alternatively, click the Clone icon to create a new entry based on a predefined entry. In
this case, a dialog appears with just the Name field.

3 Configure the following:

Tip: A blue pointer in front of an attack type means there are additional attack subtypes
associated with the main attack type. You must enable the main attack type in order to
select the subtypes. Once the main attack type is enabled, click the pointer to expand the
attack subtype list. You can then enable or disable individual attack subtypes, or select
All/None to enable or disable all subtypes associated with the main attack type. Disabling
the main attack type automatically disables all associated attack subtypes.

GUI item Description


Name Type the name of the server protection rule. This field cannot be
modified if you are editing an existing server protection rule. To
modify the name, delete the entry, then recreate it using the new
name.
Action, Severity and The Action, Severity and Trigger Action drop-down menus allow you
Trigger Action to control what the FortiWeb unit will do when it detects a specific
violation such as an attack, suspicious request or other threat. Each
violation can be uniquely configured.
Note: If a WAF Auto Learning Profile will be selected in the policy
with profiles that use this rule, you should select the Alert action. If
you select Alert & Deny instead, the FortiWeb unit will reset the
connection when it detects an attack, resulting in incomplete session
information for the auto-learning feature.
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.


Cross-Site Scripting Enable to prevent cross-site scripting (XSS) attacks. Once enabled,
you can expand the list to see the individual subtypes associated
with this main type of attack, such as CSRF (cross-site request
forgery).
Attack log messages contain DETECT_XSS_ATTACK when this
feature detects a possible cross-site scripting attack.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.
SQL Injection Enable to prevent SQL injection attacks. Once enabled, you can
expand the list to see the individual subtypes associated with this
main type of attack, such as blind SQL injection.
Attack log messages contain DETECT_SQL_INJECTION when this
feature detects a possible SQL injection attack.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.
Common Exploits Enable to prevent common exploits. Once enabled, you can expand
the list to select individual subtypes of this type of attack, such as an
injection attack in a language other than SQL.
Attack log messages contain Common Exploits and the subtype
(for example, Common Exploits: Command Injection) when
this feature detects a possible common exploit attack.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.


Information Disclosure Enable to detect server errors and other sensitive messages in the
requested document and HTTP headers. Once enabled, you can
expand the list to select individual subtypes of this type of attack,
such as enabling CF Information Leakage (Adobe ColdFusion server
information).
Error messages, HTTP headers such as
Server: Microsoft-IIS/6.0, and other messages could inform
attackers of the vendor, product, and version numbers of software
running on your web servers, thereby advertising their specific
vulnerabilities.
Sensitive information is predefined according to fixed signatures.
Attack log messages contain DETECT RESPONSE INFORMATION
DISCLOSURE when this feature detects sensitive information.
The following actions are available for this type of attack:
• Alert
• Alert & Erase
Note: This option is not fully supported in offline protection mode.
Only an alert and/or log message can be generated; sensitive
information will not be blocked or erased.
• Redirect
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.
Note: Because this feature can potentially require the FortiWeb unit
to inspect, and with Alert & Erase rewrite, the headers and body of
every response from a server, it can reduce performance. To minimize
the impact, Fortinet recommends enabling this feature only to help
you identify information disclosure through logging, and only until
you can reconfigure the server to omit such sensitive information.
Note: Some attackers use 4XX HTTP status codes to learn about a site
(whether a page exists, whether a login failed, and so on). Normally,
the FortiWeb unit raises attack logs for this type of probing, but a
large volume of 4XX status events can drown out other information
disclosure logs. You can turn off these logs by disabling the HTTP
Return Code 4XX option.
Note: Some attackers use 5XX HTTP status codes to learn about the
HTTP server (Not Implemented, Service Unavailable, and so on).
Normally, the FortiWeb unit raises attack logs for this type of
probing, but a large volume of 5XX status events can drown out other
information disclosure logs. You can turn off these logs by disabling
the HTTP Return Code 5XX option.
Remote File Inclusion Enable to prevent remote file inclusion. Once enabled, you can
expand the list to enable or disable detection of the individual
remote file inclusion signatures.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.
Custom Protection Select a custom protection group to use, if any. For details, see
Group “Configuring custom protection groups” on page 209.
Note: If you want to view the information associated with the custom
protection group used by this server protection rule, select the Detail
link beside the Custom Protection Group list. A read-only version of
the Edit Custom Protection Group window opens.


Credit Card Detection Enable to detect credit card numbers in the response from the
server. Also configure Credit Card Detection Threshold.
Credit card numbers being sent from the server to the client could
constitute a violation of PCI DSS. In most cases, the client should
receive only a mostly-obscured version of their credit card number,
and only if they need it to confirm which card was used. This
prevents bystanders from reading the number and reduces the number
of times the full number could be observed by attackers on the
network. For example, a web page might confirm a transaction by
displaying a credit card number as:
XXXX XXXX XXXX 1234
This mostly-obscured version protects the credit card number from
unnecessary exposure and disclosure. It would not trigger the credit
card number detection feature.
However, if a web application does not obscure displays of credit
card numbers, or if an attacker has found a way to bypass the
application’s protection mechanisms and gain a list of customers’
credit card numbers, a web page might contain a list with many credit
card numbers in clear text. Such a web page would be considered a
data leak, and trigger credit card number disclosure detection.
Attack log messages contain DETECT RESPONSE INFORMATION
disclosure: credit card leakage when this feature detects
credit card number disclosure.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Alert & Erase
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.
Credit Card Detection Enter 0 to report any credit card number disclosure, or enter a
Threshold threshold so that the feature triggers only when the number of credit
card numbers in the web page equals or exceeds the threshold.
For example, to ignore web pages containing a single credit card
number, but to detect web pages containing two or more, enter 2.
Extended Signature Set Clear Disable to enable the level of additional attack definitions you
want to use. The extended set of attack definitions contains more
attack definitions on top of the default set of attack definitions.
You can select checking against:
• Basic: a basic set of signatures
• Enhanced: an enhanced set of signatures, which also includes
the basic set
• Full: a full set of signatures, which also includes the basic set and
enhanced set
You can also disable checking against extended signature sets.
While the Full signature set can detect more attacks, it might also
cause false positives. Select a lower level of checking to reduce false
positives.
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.
Exception Name Select which server protection exception to use, if any.
Note: If you want to view the information associated with the
Exception used by this server protection rule, select the Detail link
beside the Exception Name list. A read-only version of the Edit
Server Protection Exception window opens.
4 Click OK.
To apply the server protection rule, select it in an inline protection profile or an offline
protection profile. For details, see “Configuring inline protection profiles” on page 268
or “Configuring offline protection profiles” on page 274.
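The two response-side checks described above, Information Disclosure (a Server: banner revealing vendor and version) and Credit Card Detection with its threshold and Alert & Erase action, are shown working together on constructed responses in the following Python. It is an added illustration written for this edit, not FortiWeb code: the banner and card-number patterns are hand-written stand-ins rather than Fortinet's signatures, the luhn_ok(), find_card_numbers() and inspect_response() functions and the log dictionary are assumptions made for the example, and the sample headers and bodies are constructed. The Luhn check is what keeps a masked number such as XXXX XXXX XXXX 1234, or an order number that merely looks like a card, from triggering.

```python
import re
from typing import Dict, List, Tuple

# Stand-in signatures for the example (not FortiWeb's signature set).
SERVER_BANNER = re.compile(r"^Server:\s*(\S+/\d[\w.]*)", re.I | re.M)
# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run.
CANDIDATE_PAN = re.compile(r"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(body: str) -> List[str]:
    """Return each digit run in the body that passes the Luhn check, as written.
    Masked numbers (XXXX XXXX XXXX 1234) never match: too few digits."""
    found = []
    for m in CANDIDATE_PAN.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(m.group(0))
    return found

def inspect_response(headers: str, body: str, cc_threshold: int,
                     action: str) -> Tuple[Dict[str, str], str]:
    """Inspect a server response. Returns (log entries, body to forward).
    cc_threshold follows the GUI: 0 reports any disclosure, n reports when the
    page holds n or more card numbers. action is 'alert' or 'alert_erase'."""
    logs: Dict[str, str] = {}
    m = SERVER_BANNER.search(headers)
    if m:
        logs["information_disclosure"] = f"Server header reveals {m.group(1)}"
    cards = find_card_numbers(body)
    if cards and len(cards) >= max(cc_threshold, 1):
        logs["credit_card_leakage"] = f"{len(cards)} card number(s) in response"
        if action == "alert_erase":
            # Replace each leaked number with the mostly-obscured form the
            # text recommends, keeping only the last four digits.
            for c in cards:
                last4 = re.sub(r"[ -]", "", c)[-4:]
                body = body.replace(c, "XXXX XXXX XXXX " + last4)
    return logs, body

# Constructed sample responses.
SAMPLE_HEADERS = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nContent-Type: text/html\r\n"
SAFE_BODY = "Paid with card XXXX XXXX XXXX 1234"
LEAKY_BODY = ("Customers:\n4111 1111 1111 1111\n5500 0000 0000 0004\n"
              "Order 1234 5678 9012 3456\n")
```

With Alert only, the body is forwarded unchanged and the leak is merely logged; with Alert & Erase the numbers are masked in transit. As the text notes, erasure is only possible inline; an offline deployment can log but cannot rewrite the response.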


Configuring server protection exceptions


Web Protection > Server Protection Rule > Server Protection Exception displays the list of
server protection exceptions.
Exceptions may be useful if you know that some URLs, during normal use, will cause false
positives by matching an attack signature. Server protection exceptions define request
URLs that will not be subject to server protection rules.
For example, if the HTTP POST URL /pageupload should accept input that is PHP code,
but it is the only URL on the host that should do so, you would create an exception with
PHP Injection, then use that exception in the server protection rule that normally would
block all injection attacks.
Individual exception rules can also be created directly from the detail view of an attack
log entry; the server protection exception that will contain them must already exist.
Server protection exceptions are applied by selecting them within a server protection rule.
For details, see “Configuring server protection rules” on page 201.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 82: Web Protection > Server Protection Rule > Server Protection Exception tab


GUI item Description


Create New Click to add a server protection exception.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Rule Count Displays the number of individual exceptions contained in the entry.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a server protection rule.
Click the Edit icon to modify the entry.

To configure a server protection exception


1 Go to Web Protection > Server Protection Rule > Server Protection Exception.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.


3 In Name, type the name of the server protection exception.
This field cannot be modified if you are editing an existing server protection exception.
To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
A dialog appears.

5 Configure the following:

Tip: A pointer in front of an attack type means there are additional attack subtypes
associated with the main attack type. You must enable the main attack type in order to
select the subtypes. Once the main attack type is enabled, click the pointer to expand the
attack subtype list. You can then enable or disable individual attack subtypes, or select
All/None to enable or disable all subtypes associated with the main attack type. Disabling
the main attack type automatically disables all associated attack subtypes.

GUI item Description


ID Enter the index number of the individual entry within the server
protection exception, or keep the field’s default value of auto to let
the FortiWeb unit automatically assign the next available index
number.
Host Select which protected hosts entry (either a web host name or IP
address) that the Host: field of the HTTP request must be in order
to match the server protection exception.
This option is available only if Host Status is enabled.


Host Status Enable to require that the Host: field of the HTTP request match a
protected hosts entry in order to match the server protection
exception. Also configure Host.
Type Select whether URL Pattern is a Simple String (that is, a literal URL)
or a Regular Expression.
URL Pattern Depending on your selection in Type, type either:
• the literal URL, such as /causes-false-positives.php,
that the HTTP request must contain in order to match the server
protection exception. The URL must begin with a slash ( / ).
• a regular expression, such as ^/.*\.php$, matching all and only
the URLs to which the server protection exception should apply
(escape the dot; an unescaped . matches any character). The
pattern is not required to begin with a slash ( / ). However, it
must at least match URLs that begin with a slash, such as
/bbcode.cfm.
Do not include the name of the web host, such as
www.example.com, which is configured separately in the Host
drop-down list.
To create and test a regular expression, click the >> (test) icon. This
opens the Regular Expression Validator window where you can fine-
tune the expression.
Note: For each of the attack types, select the blue arrow to expand
the entry and select or clear the individual rules contained in the
entry.
Cross-Site Scripting Enable to omit detection of cross-site scripting (XSS) attacks, then
disable individual attack subclasses that you do not want to omit, if
any.
SQL Injection Enable to omit detection of SQL injection attacks, then disable
individual attack subclasses that you do not want to omit, if any.
Common Exploits Enable to omit detection of common exploits, such as an injection
attack in a language other than SQL, then disable individual attack
subclasses that you do not want to omit, if any.
Information Disclosure Enable to omit detection of server errors and other sensitive
messages in the requested document and HTTP headers, then
disable individual information subclasses that you do not want to
omit, if any, from the Information Disclosure drop-down list.
Remote File Inclusion Enable to omit detection of remote file inclusion, then disable
individual remote file inclusion signatures that you do not want to
omit, if any.
Credit Card Detection Enable to omit detection of credit card numbers in the response from
the server.
6 Repeat the previous steps for each entry that you want to add to the server protection
exception.
7 To create exception rules from individual attack log entries, open the detail view for the
log entry, and click New Protection Exception. Select the name of an existing
protection exception to add the rule to. For more information on viewing attack log
details, see “Viewing log messages” on page 331.
8 To modify a server protection exception, click its Edit icon. To remove a single entry
from the exception, click its Delete icon. To remove all entries from the exception, click
the Clear icon.
9 Click OK.
To apply the server protection exception, select it in a server protection rule. For
details, see “Configuring server protection rules” on page 201.
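The /pageupload case from the start of this section, a single URL that legitimately accepts PHP code while every other URL on the host is still scanned for injection, is worked through in the following Python. It is an added illustration written for this edit, not FortiWeb code: the SIGNATURES table holds hand-written stand-in patterns rather than Fortinet's attack definitions, and the ProtectionException class, scan_request() function and PAGEUPLOAD_EXCEPTION object are assumptions made for the example. The point it demonstrates is scope: an exception lifts only the attack types or subtypes it names, only for the URLs (and optionally the Host:) it matches.

```python
import re
from typing import Dict, List, Optional, Tuple

# Stand-in signatures grouped by attack type and subtype (not FortiWeb's set).
SIGNATURES: Dict[str, Dict[str, "re.Pattern[str]"]] = {
    "SQL Injection": {
        "tautology": re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I),
        "comment_tail": re.compile(r"(--|#|/\*)\s*$"),
    },
    "Common Exploits": {
        "PHP Injection": re.compile(r"<\?php|\beval\s*\(", re.I),
        "Command Injection": re.compile(r";\s*(cat|ls|id|wget|curl)\b", re.I),
    },
}

class ProtectionException:
    """One entry of a server protection exception: for requests whose URL (and
    optionally Host:) match, omit the listed attack types or subtypes."""

    def __init__(self, url_pattern: str, is_regex: bool = False,
                 host: Optional[str] = None,
                 omit: Optional[Dict[str, Optional[set]]] = None) -> None:
        self.url_pattern, self.is_regex, self.host = url_pattern, is_regex, host
        # attack type -> set of subtypes to omit, or None to omit the whole type
        self.omit: Dict[str, Optional[set]] = omit or {}

    def applies(self, host: str, path: str) -> bool:
        if self.host and host.lower() != self.host.lower():
            return False
        if self.is_regex:
            return re.search(self.url_pattern, path) is not None
        return path == self.url_pattern

    def suppressed(self, host: str, path: str, attack_type: str, subtype: str) -> bool:
        if not self.applies(host, path) or attack_type not in self.omit:
            return False
        subtypes = self.omit[attack_type]
        return subtypes is None or subtype in subtypes

def scan_request(host: str, path: str, params: Dict[str, str],
                 exceptions: Tuple[ProtectionException, ...] = ()) -> List[Tuple[str, str, str]]:
    """Return (attack type, subtype, parameter) hits not covered by an exception."""
    hits = []
    for name, value in params.items():
        for attack_type, subs in SIGNATURES.items():
            for subtype, rx in subs.items():
                if not rx.search(value):
                    continue
                if any(e.suppressed(host, path, attack_type, subtype) for e in exceptions):
                    continue
                hits.append((attack_type, subtype, name))
    return hits

# The exception from the text: /pageupload may receive PHP code, nothing else changes.
PAGEUPLOAD_EXCEPTION = ProtectionException(
    "/pageupload", omit={"Common Exploits": {"PHP Injection"}})
```

Because the exception names only the PHP Injection subtype, an SQL injection attempt posted to /pageupload is still reported, and the same PHP payload sent to any other URL is reported as well. Adding a host to the exception narrows it further, so the same path on another protected host stays fully scanned.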

Configuring custom protection groups


Web Protection > Server Protection Rule > Custom Protection Group displays the list of
custom protection groups.


Custom protection groups enable you to assemble individual custom protection rules into
groups.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 83: Web Protection > Server Protection Rule > Custom Protection Group tab


GUI item Description


Create New Click to add a custom protection group.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Rule Count Displays the number of individual custom protection rules contained in the
group.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a server protection rule.
Click the Edit icon to modify the entry.

Tip: Before you can configure a custom protection group, you must first configure one or
more custom protection rules. For details, see “Configuring custom protection rules” on
page 211.

To configure a custom protection group


1 Go to Web Protection > Server Protection Rule > Custom Protection Group.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.



3 In Name, type the name of the custom protection group.


This field cannot be modified if you are editing an existing custom protection group. To
modify the name, delete the entry, then recreate it using the new name.
4 To modify the custom protection rules associated with a protection group, click its Edit
icon. To remove a single entry, click its Delete icon. To remove all entries, click the
Clear icon.
5 Click OK.
6 To associate specific custom protection rules with the custom protection group, click
Create New.
A dialog appears.

7 Configure the following:

GUI item Description


ID Number automatically assigned to the new protection group.
Custom Protection Rule Select the specific custom protection rule to be applied to the
protection group. For information on custom protection rules, see
“Configuring custom protection rules” on page 211.
Note: If you want to view the information associated with the custom
protection rule used by this custom protection group, select the
Detail link beside the custom protection rule list. A read-only version
of the Edit Custom Protection Rule window opens.

8 Click OK.
To apply the custom protection group, select it in a server protection rule. For details,
see “Configuring server protection rules” on page 201.

Configuring custom protection rules


Web Protection > Server Protection Rule > Custom Protection Rule displays the list of
custom protection rules that have been created.
Custom protection rules enable creation of custom signatures and custom data leakage
expressions, which can then be associated with custom protection groups and server
protection rules.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.


Table 84: Web Protection > Server Protection Rule > Custom Protection Rule tab


GUI item Description


Create New Click to add a custom protection rule.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a server protection rule.
Click the Edit icon to modify the entry.

To configure a custom protection rule


1 Go to Web Protection > Server Protection Rule > Custom Protection Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
3 In Name, type the name of the custom protection rule.
This field cannot be modified if you are editing an existing custom protection rule. To
modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

GUI item Description


Type Select the type of data that the rule applies to, Signature Creation or
Data Leakage.
Check Count Enter the threshold for the number of data leakage reports before
triggering the action specified for this rule. Appears only if Data
Leakage is selected.
Case Sensitive Select to specify that case sensitivity is used for rule checking.


Expression Enter the string of text that defines the type of data the rule will
check.
To create and test a regular expression, click the >> (test) icon. This
opens the Regular Expression Validator window where you can fine-
tune the expression.
Action, Severity and Trigger Policy The Action, Severity and Trigger Policy drop-down menus
allow you to control what the FortiWeb unit will do when it detects a specific violation
such as an attack, suspicious request or other threat. Each violation can be uniquely
configured.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden (only if Type is Signature Creation)
• Alert & Erase (only if Type is Data Leakage)
Note: If a WAF Auto Learning Profile will be selected in the policy
with profiles that use this rule, you should select Alert. If the Action is
Alert & Deny, the FortiWeb unit will reset the connection when it
detects an attack, resulting in incomplete session information for the
auto-learning feature.
For information on Action, Severity and Trigger Policy settings, see
“Responding to web protection rule violations” on page 191.
5 Click OK.
6 Repeat this procedure for each individual rule that you want to add to a custom
protection group.
To apply the custom protection rule, select it in a custom protection group. For details,
see “Configuring custom protection groups” on page 209.

Configuring start page rules


Web Protection > Start Pages > Start Pages displays the list of main web pages.
When you select a start page group in the inline protection profile, HTTP clients must
begin from a valid start page in order to initiate a valid session.
For example, you may wish to specify that HTTP clients of an e-commerce web site must
begin their session from either an item view or the first stage of the shopping cart
checkout, and cannot begin a valid session from the third stage of the shopping cart
checkout.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 85: Web Protection > Start Pages > Start Pages tab

GUI item Description


Create New Click to add a group of start pages.
# Displays the index number of the entry in the list.

Name Displays the name of the entry.


Page Count Displays the number of individual URLs contained in the entry.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in an inline protection profile.
Click the Edit icon to modify the entry.

To configure a start page group


Before you configure a start page rule, if you want to apply it only to HTTP requests for a
specific real or virtual host, you must first define the web host in a protected hosts group.
For details, see “Configuring protected servers” on page 147.
1 Go to Web Protection > Start Pages > Start Pages.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
3 In Name, type the name of the start page rule.
This field cannot be modified if you are editing an existing start page rule. To modify the
name, delete the entry, then recreate it using the new name.

4 Configure the following:

GUI item Description


Action, Severity and Trigger Policy The Action, Severity and Trigger Policy drop-down menus
allow you to control what the FortiWeb unit will do when it detects a specific violation
such as an attack, suspicious request or other threat. Each violation can be uniquely
configured.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
Note: If a WAF Auto Learning Profile will be selected in the policy
with profiles that use this rule, you should select Alert. If the Action is
Alert & Deny, the FortiWeb unit will reset the connection when it
detects an attack, resulting in incomplete session information for the
auto-learning feature.
For information on Action, Severity and Trigger Policy settings, see
“Responding to web protection rule violations” on page 191.

5 Click OK.


6 Click Create New.
A dialog appears.

7 Configure the following:

GUI item Description


ID Enter the index number of the start page within the group of start pages, or keep
the field’s default value of auto to let the FortiWeb unit automatically assign the
next available index number.
Host Select which protected hosts entry (either a web host name or IP address) the
Host: field of the HTTP request must match in order to match a valid start page.
This option is available only if Host Status is enabled.
Host Status Enable to require that the Host: field of the HTTP request match a protected
hosts entry in order to match a valid start page. Also configure Host.
Type Select whether URL Pattern is a Simple String (that is, a literal URL) or a
Regular Expression.
URL Pattern Depending on your selection in Type, type either:
• the literal URL, such as /index.php, that the HTTP request must contain
in order to match the start page rule. The URL must begin with a slash ( / ).
• a regular expression, such as ^/*.php, matching all and only the URLs to
which the start page rule should apply. The pattern is not required to begin
with a slash ( / ). However, it must at least match URLs that begin with a
slash, such as /index.cfm.
Do not include the name of the web host, such as www.example.com, which is
configured separately in the Host drop-down list.
To create and test a regular expression, click the >> (test) icon. This opens the
Regular Expression Validator window where you can fine-tune the expression.
Default Select Yes to use the page as the default for HTTP requests that either:
• do not specify any URL
• do not specify the URL of a valid start page (only if you have selected
Redirect from Action)

8 Repeat the previous steps for each start page that you want to add to the group of start
pages.
9 To modify a start page, click its Edit icon. To remove a single start page from the group
of start pages, click its Delete icon. To remove all start pages from the group of start
pages, click the Clear icon.
10 Click OK.
To apply the group of start pages, select it in an inline protection profile. For details, see
“Configuring inline protection profiles” on page 268.


Note: In order for start pages to be enforced, you must also enable “Session Management”
on page 271 in the inline protection profile.

Attack log messages contain DETECT_START_PAGE_FAILED when this feature detects a start
page violation.
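The following is an added example, not FortiWeb code, that models the start page check described above: a request that does not carry an established session must match one of the group's start pages (by Host, URL Pattern and Type) or it is treated as a violation and handled according to the group's Action, with Redirect sending the client to the Default page. The session table, status codes and the e-commerce start pages are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StartPage:
    """One entry in a start page group: URL Pattern, Type, Host/Host Status, Default."""
    url_pattern: str
    pattern_type: str = "Simple String"   # or "Regular Expression"
    host: Optional[str] = None            # protected hosts entry; None means Host Status disabled
    default: bool = False

    def matches(self, host, url):
        if self.host is not None and host != self.host:
            return False
        if self.pattern_type == "Regular Expression":
            return re.search(self.url_pattern, url) is not None
        return url == self.url_pattern


@dataclass
class StartPageGroup:
    name: str
    pages: List[StartPage]
    action: str = "Redirect"   # Alert, Alert & Deny, Redirect, Send 403 Forbidden

    def default_page(self):
        return next((p.url_pattern for p in self.pages if p.default), None)


@dataclass
class Decision:
    allowed: bool
    log: Optional[str] = None       # DETECT_START_PAGE_FAILED on a violation
    status: Optional[int] = None    # assumed: 302 for Redirect, 403 for Send 403 Forbidden
    location: Optional[str] = None  # redirect target (the group's Default page)


def enforce_start_page(group, request, session_table):
    """request: dict with 'host', 'url' and 'session' (session id or None).
    session_table: ids of sessions that Session Management has already accepted;
    a request carrying one of them may fetch any URL (assumed model)."""
    if request.get("session") in session_table:
        return Decision(True)
    url = request["url"]
    if url == "":
        # no URL given: serve the Default page regardless of Action
        return Decision(False, None, 302, group.default_page())
    if any(p.matches(request["host"], url) for p in group.pages):
        return Decision(True)   # valid start page: a new session may begin here
    log = "DETECT_START_PAGE_FAILED"
    if group.action == "Alert":
        return Decision(True, log)                       # log only, let it through
    if group.action == "Redirect":
        return Decision(False, log, 302, group.default_page())
    if group.action == "Send 403 Forbidden":
        return Decision(False, log, 403)
    return Decision(False, log)                          # Alert & Deny: connection reset


# Constructed group for the e-commerce scenario described above.
SHOP_START_PAGES = StartPageGroup("shop-start", [
    StartPage(r"^/item/\d+$", "Regular Expression", host="www.example.com"),
    StartPage("/checkout/step1", "Simple String", host="www.example.com", default=True),
])

if __name__ == "__main__":
    no_session = {"host": "www.example.com", "url": "/checkout/step3", "session": None}
    print(enforce_start_page(SHOP_START_PAGES, no_session, set()))
```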

Configuring URL access policy


Web Protection > URL Access Policy > URL Access Policy displays the list of URL access
policies.
URL access policies enable you to group individual URL access rules that define which
HTTP requests to allow or deny based upon their host name and URL.

Note: URL access rules are evaluated after some other rules. For details, see “Order of
execution” on page 190.

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: Before you can configure an effective URL access policy, you must configure one or
more URL access rules. See “Configuring URL access rules” on page 218.

Table 86: Web Protection > URL Access Policy > URL Access Policy tab


GUI item Description


Create New Click to add a URL access policy.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
URL Access Count Displays the number of individual URL access rules contained in the entry.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in an inline or offline protection profile.
Click the Edit icon to modify the entry.

To configure a URL access policy


1 Go to Web Protection > URL Access Policy > URL Access Policy.


2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type the name of the policy.
This field cannot be modified if you are editing an existing URL access policy. To
modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.

6 Configure the following:

GUI item Description


ID Enter the index number of the individual rule within the URL access policy, or
keep the field’s default value of auto to let the FortiWeb unit automatically
assign the next available index number.
Priority Enter the priority for this rule in relation to other defined rules. Rules with lower
priority are applied first.
Access Rule Name Choose the name of a predefined URL access rule to add to the policy. See
“Configuring URL access rules” on page 218 for more information about defining URL
access rules.
Note: If you want to view the information associated with the URL Access Rule
used by this policy, select the Detail link beside the Access Rule Name list. A
read-only version of the URL Access Rule window opens.

7 Click OK.
8 Repeat the previous two steps for each individual rule that you want to add to the URL
access policy.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the
URL access policy, click its Delete icon. To remove all rules from the URL access
policy, click the Clear icon.


10 Click OK.
To apply the URL access policy, select it in an inline or offline protection profile. For
details, see “Configuring inline protection profiles” on page 268 or “Configuring offline
protection profiles” on page 274.

Configuring URL access rules


Web Protection > URL Access > URL Access Rule displays the list of URL access rules.
URL access rules define HTTP requests that will be accepted or denied based upon their
host name and URL.

Caution: IP trust policy rules only block initial requests from a client. They will not block
server-side redirects. For more information, see “Configuring an IP list policy” on page 220.

Note: URL access rules are evaluated after some other rules. For details, see “Order of
execution” on page 190.

Use SNMP traps to notify you when a URL access rule is enforced. For details, see
“Configuring an SNMP community” on page 68.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 87: Web Protection > URL Access Policy > URL Access Rule tab


GUI item Description


Create New Click to add a URL access rule.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Count Displays the number of individual rules contained in the entry.
Host Displays the name of the host (either a web host name or IP address) in the
Host: field of an HTTP request that must match in order to pass the URL
access rule.
Action Displays the action taken by FortiWeb when a violation of the access rule
occurs.
For information, see “Responding to web protection rule violations” on
page 191.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a URL access policy.
Click the Edit icon to modify the entry.

Before you configure a URL access rule, if you want to apply it only to HTTP requests for
a specific real or virtual host, you must first define the web host in a protected hosts group.
For details, see “Configuring protected servers” on page 147.


To configure a URL access rule


1 Go to Web Protection > URL Access Policy > URL Access Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
3 In Name, type the name of the URL access rule.
This field cannot be modified if you are editing an existing URL access rule. To modify the
name, delete the entry, then recreate it using the new name.

4 Configure the following:

GUI item Description


Host Status Enable to require that the Host: field of the HTTP request match a protected
hosts entry in order to match the URL access rule. Also configure Host.
Host Select which protected hosts entry (either a web host name or IP address) the
Host: field of the HTTP request must match in order to match the URL access
rule.
This option is available only if Host Status is enabled.
Action, Severity and Trigger Policy The Action, Severity and Trigger Policy drop-down menus
allow you to control what the FortiWeb unit will do when it detects a violation, such as
an attack, suspicious request or other threat. Each violation can be uniquely configured.
The following actions are available for this type of attack:
• Pass
• Alert & Deny
• Continue
For information on Action, Severity and Trigger Policy settings, see
“Responding to web protection rule violations” on page 191.

5 Click OK.


6 Click Create New.
A dialog appears.

7 Configure the following:

GUI item Description


ID Enter the index number of the individual rule within the URL access rule, or
keep the field’s default value of auto to let the FortiWeb unit automatically
assign the next available index number.
URL Type Indicate whether the text entered is a regular expression or a simple text string.
URL Pattern Depending on your selection in URL Type, enter either:
• the literal URL, such as /index.php. The URL must begin with a slash ( / ).
• a regular expression, such as ^/*.php, matching all and only the desired
URLs. The pattern is not required to begin with a slash ( / ). However, it must
at least match URLs that begin with a slash, such as /index.cfm.
When you finish typing the regular expression, click the >> (test) icon. This
opens the Regular Expression Validator window where you can fine-tune the
expression.
Do not include the name of the web host, such as www.example.com, which is
configured separately in the Host drop-down list for the URL access rule.
Meet this condition if: Select whether the access condition is met when the HTTP request
matches the regular expression (or text string), or when it does not match the regular
expression (or text string).

8 Click OK.
9 Repeat the previous steps for each individual condition that you want to add to the URL
access rule.
10 Click OK.
To apply the URL access rule, select it in a URL access policy. For details, see
“Configuring URL access policy” on page 216.
Attack log messages contain DETECT_URLACCESS_PAGE when this feature detects a
suspicious HTTP request.
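The following is an added example, not FortiWeb code, that models a URL access policy as described in the two sections above: policy members are evaluated in ascending Priority, each rule has a Host requirement and one or more conditions (URL Pattern, URL Type, "Meet this condition if"), and a matching rule's Action is Pass, Alert & Deny or Continue. It assumes that a rule matches only when all of its conditions are met and that Continue records a DETECT_URLACCESS_PAGE entry before evaluation moves on; the rules and URLs are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Condition:
    url_pattern: str
    url_type: str = "Regular Expression"   # or "Simple String" (literal URL)
    meet_if_match: bool = True              # "Meet this condition if" the request matches / does not

    def met(self, url):
        if self.url_type == "Regular Expression":
            hit = re.search(self.url_pattern, url) is not None
        else:
            hit = url == self.url_pattern
        return hit == self.meet_if_match


@dataclass
class URLAccessRule:
    name: str
    action: str                   # Pass, Alert & Deny, Continue
    conditions: List[Condition]
    host: Optional[str] = None    # protected hosts entry; None means Host Status disabled

    def matches(self, host, url):
        if self.host is not None and host != self.host:
            return False
        # assumption: every condition of the rule must be met
        return all(c.met(url) for c in self.conditions)


@dataclass
class PolicyMember:
    priority: int      # lower values are applied first
    rule: URLAccessRule


def evaluate_policy(members, host, url):
    """Return ('accept' | 'deny', attack log lines) for one request."""
    logs = []
    for m in sorted(members, key=lambda m: m.priority):
        if not m.rule.matches(host, url):
            continue
        if m.rule.action == "Pass":
            return "accept", logs            # explicitly allowed, stop here
        logs.append(f"DETECT_URLACCESS_PAGE rule={m.rule.name} host={host} url={url}")
        if m.rule.action == "Alert & Deny":
            return "deny", logs
        # Continue: keep evaluating the remaining rules (assumed behaviour)
    return "accept", logs                    # nothing denied it; later scans still apply


# Constructed policy: static content is always allowed, the admin area and PHP
# under /uploads/ are denied, CGI requests are logged, and on www.example.com any
# URL outside a short allow-list is denied via a "does not match" condition.
SAMPLE_POLICY = [
    PolicyMember(1, URLAccessRule("allow-static", "Pass", [Condition(r"^/static/")])),
    PolicyMember(2, URLAccessRule("deny-admin", "Alert & Deny", [Condition(r"^/admin/")])),
    PolicyMember(3, URLAccessRule("deny-uploads-php", "Alert & Deny",
                                  [Condition(r"^/uploads/"), Condition(r"\.php$")])),
    PolicyMember(4, URLAccessRule("audit-cgi", "Continue", [Condition(r"^/cgi-bin/")])),
    PolicyMember(5, URLAccessRule("deny-unlisted", "Alert & Deny",
                                  [Condition(r"^/(index\.php$|cgi-bin/|static/|uploads/)",
                                             meet_if_match=False)],
                                  host="www.example.com")),
]

if __name__ == "__main__":
    for url in ("/static/app.js", "/admin/users", "/uploads/shell.php", "/cgi-bin/x", "/secret"):
        print(url, evaluate_policy(SAMPLE_POLICY, "www.example.com", url))
```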

Configuring an IP list policy


Web Protection > IP List > IP List Policy displays the IP list policies. An IP list policy
enables you to define whether specific source IP addresses are trusted or not trusted:
• Trust IPs are source IP addresses for which you explicitly allow access to your web
servers because they are trusted.


• Black IPs are source IP addresses for which you explicitly disallow and block access to
your web servers because they have failed web protection policy scans.
If a source IP address is not explicitly blacklisted in an IP list policy and it does not appear
on the IP Blacklist TOP10 tab (see “Viewing the top 10 IP blacklist candidates” on
page 223), the source IP has access to your web servers, pending additional web
protection scan techniques.
If a source IP address is explicitly designated as a trusted IP (that is, the IP address is
trusted by FortiWeb), that IP can connect to your web servers and is exempt from many of
the restrictions that would otherwise be applied by the web protection profile used by a
server policy.
For more information on the protection techniques performed by FortiWeb, and the scans
performed based on the IP address, see “Order of execution” on page 190.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 88: Web Protection > IP List > IP List Policy tab


GUI item Description


Create New Click to add a new IP list policy.
# Displays the index number of the entry in the list.
Name Displays the name of the IP list policy.
IP List Count Displays the quantity of IP list policy members associated with the policy.
Each member identifies the type of client and the IP address of the client.
(No column heading.) Click the Delete icon to remove the entry.
Click the Edit icon to modify the entry.

To configure IP list policies and members


1 Go to Web Protection > IP List > IP List Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.


3 In Name, type the name of the policy.
This field cannot be modified if you are editing an existing IP list policy. To modify the
name, delete the entry, then recreate the policy using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.

6 Configure the following:

GUI item Description


Type The first web protection technique that FortiWeb performs when it gets a
request to connect to your web servers is to check the source IP address
that originated the request. For more information, see “Order of execution”
on page 190.
Use the Type option to define whether the source IP address is:
• a Trust IP, which is a source IP address that is trusted and allowed to
access your web servers, unless it fails some other web protection
technique
• a Black IP, which is a source IP address that is not trusted, and is
permanently blocked from accessing your web servers
Note: Designating an IP address as a black IP will block all connections
from that source IP address. If multiple clients share the same source IP
address, such as when a group of clients is behind a firewall or router,
making the source IP address a black IP could block innocent clients that
share the same source IP address with an offending client. To detect a
shared source IP address, see “Viewing the top 10 IP blacklist candidates”
on page 223.


IP The source IP address of the client that you want to add to the IP List
Policy. This IP address will be treated accordingly to the Type selection.
Use IP Blacklist TOP10 This item appears only if Type is set to Black IP.
FortiWeb keeps a list of source IP addresses that are blocked from your
web servers because they fail web protection configurations. These source
IP addresses are candidates for formal designation as a black IP. The
candidates are tracked on the IP Blacklist TOP10 tab. For more information,
see “Viewing the top 10 IP blacklist candidates” on page 223.
To add source IP addresses from the IP Blacklist TOP10 to the black list,
select Use IP Blacklist Top10 and then select an IP address from the drop-
down list.
Severity If Type is set to Black IP, select the severity level you want FortiWeb to use
in the records and reports generated when the specified IP address
attempts to access your web servers.
You can configure each violation type to be either Low, Medium or High
severity.
Trigger Policy Select the trigger policy you want FortiWeb to apply when the specified IP
address attempts to access your web servers.
Trigger policies determine who will be notified by email when the source IP
address attempts to access your web servers, and whether the log
message associated with the attempt is recorded in Syslog or
FortiAnalyzer.
For more information, see “Configuring trigger policies” on page 322.
7 Click OK.
8 Repeat the previous steps for each individual IP list policy member that you want to
add to the IP list policy.
9 To modify an individual policy, click its Edit icon. To remove an individual policy from the
IP list policy, click its Delete icon.
10 Click OK.
To apply the IP list policy, select it in an inline or offline protection profile. For details,
see “Configuring inline protection profiles” on page 268 or “Configuring offline
protection profiles” on page 274.

Viewing the top 10 IP blacklist candidates


Web Protection > IP List > IP Blacklist TOP10 displays the list of the top 10 candidates for
addition to the IP address black list. IPs appear automatically on the top 10 list when they
violate a protection setting, such as robot control. These are candidates for the black list
but are not yet on your black list. To add one to a black list, click the Edit icon. You can also
move IPs from the top 10 list using the IP List Policy tab (see “To configure IP list policies
and members” on page 221).
Blacklisted IP addresses define which source IP addresses are not permitted to connect to
your web servers. The list of top 10 candidates tracks the number of times each source IP
address is blocked. If an IP address is frequently the source of errors or attacks, it may be
a good candidate for the IP blacklist.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.


Table 89: Web Protection > IP List > IP Blacklist TOP 10 tab


GUI item Description


# Displays the rank number of the entry in the top 10 list.
Count Displays the number of times that connections from the IP address have
been blocked due to a policy violation.
IP Displays the source IP address of blocked connections and the name of the
violated policy.
Type Indicates whether the source IP address is for a single client (Standalone
IP), or is shared by multiple clients behind a network address translation
(NAT) device such as a firewall or router (Shared IP).
Note: If the Type is Shared IP, blacklisting the IP could block innocent
clients that share the same source IP address with an offending client.
(No column heading.) Click the Edit icon. This opens the Edit IP List Policy Member dialog box.
You can then add the source IP to the black list. For details, see
“Configuring an IP list policy” on page 220.
Refresh Click to refresh the display of top 10 IP black list candidates.

Configuring brute force login profiles


Web Protection > Brute Force Login > Brute Force Login displays the list of brute force
login attack profiles.
Brute force attacks attempt to penetrate systems by the sheer number of clients, attempts,
or computational power, rather than by intelligent insight. For example, in brute force
attacks on authentication, multiple web clients may rapidly try one user name and
password combination after another in an attempt to eventually guess a correct login and
gain access to the system. In this way, behavior differs from web crawlers, which typically
do not focus on a single URL.
Brute force login attack profiles track the rate at which each source IP address makes
requests for specific URLs. If the source IP address exceeds the threshold, the FortiWeb
unit penalizes the source IP address by blocking additional requests for the time period
that you indicate in the profile.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 90: Web Protection > Brute Force Login > Brute Force Login tab


GUI item Description


Create New Click to add a brute force login attack profile.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in an inline protection profile.
Click the Edit icon to modify the entry.

Before you configure a brute force login attack profile, if you want to apply it only to HTTP
requests for a specific real or virtual host, you must first define the web host in a protected
hosts group. For details, see “Configuring protected servers” on page 147.

To configure a brute force login attack profile


1 Go to Web Protection > Brute Force Login > Brute Force Login.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
3 In Name, type the name of the brute force login profile.
This field cannot be modified if you are editing an existing brute force login profile. To
modify the name, delete the entry, then recreate it using the new name.


4 Configure the following:


GUI item Description
Severity Select the severity level you want FortiWeb to use in the records and reports
generated when a violation of the brute force login profile occurs. You can
configure the violation as either Low, Medium or High severity.
For information on Severity and Trigger Policy settings, see “Responding to
web protection rule violations” on page 191.
Trigger Policy Select the trigger policy you want FortiWeb to apply when a violation of the
brute force login profile occurs.
Trigger policies determine who will be notified by email when the profile
violation occurs, and whether the log messages associated with the violation
are recorded.
For more information, see “Responding to web protection rule violations” on
page 191.

5 Click OK.


6 Click Create New.
A dialog appears.

7 Configure the following:

GUI item Description


ID Type the index number of the login page in the brute force login attack profile list.
The index number affects the order of display only, and does not affect match
order.
Host Status Enable to require that the Host: field of the HTTP request match a protected
hosts entry in order to be included in the brute force login attack profile’s rate
calculations. Also configure Host.
Host Select which protected hosts entry (either a web host name or IP address) the
Host: field of the HTTP request must match in order to match the brute force
login attack profile.
This option is available only if Host Status is enabled.
Request File Type the URL that the HTTP request must match to be included in the brute
force login attack profile’s rate calculations.
When you have finished typing the regular expression, click the >> (test) icon.
This opens the Regular Expression Validator window where you can fine-tune
the expression.
Block Period Type the length of time in seconds for which the FortiWeb unit will block
additional requests after a source IP address exceeds a rate threshold.
The block period is shared by all clients whose traffic originates from the source
IP address. The limit is 10 000 seconds.
Standalone IP Type the rate threshold for source IP addresses that are single clients. Request
Access Limit rates exceeding the threshold will cause the FortiWeb unit to block additional
requests for the length of the time in the Block Period field.
To disable the rate limit, type 0.
Share IP Type the rate threshold for source IP addresses that are shared by multiple
Access Limit clients behind a network address translation (NAT) device such as a firewall or
router. Request rates exceeding the threshold will cause the FortiWeb unit to
block additional requests for the length of the time in the Block Period field.
To disable the rate limit, type 0.
Note: Blocking a shared source IP address could block innocent clients that
share the same source IP address with an offending client. In addition, the rate is
a total rate for all clients that use the same source IP address. For these
reasons, you should usually enter a greater value for this field than for
Standalone IP Access Limit.

8 Click OK.
9 Repeat the two previous steps for each individual login page that you want to add to
the brute force login attack profile.


10 To modify a login page, click its Edit icon. To remove a single login page from the group
of login pages, click its Delete icon. To remove all login pages from the group of login
pages, click the Clear icon.
11 Click OK.
To apply the brute force login attack profile, select it in an inline protection profile. For
details, see “Configuring inline protection profiles” on page 268.
Attack log messages contain DETECT_BRUTE_FORCE_LOGIN when this feature
detects a brute force login attack.

Configuring robot control profiles


Web Protection > Robot Control > Robot Control displays the list of robot control profiles.
Search engines, link checkers, retrievals of entire web sites for a user’s offline use, and
other automated uses of the web (sometimes called robots, spiders, web crawlers, or
automated user agents) often access web sites at a more rapid rate than human users.
However, it would be unusual for them to request the same URL repeatedly within a short time frame.
Usually, web crawlers request many different URLs in rapid sequence. For example, while
indexing a web site, a search engine’s web crawler may rapidly request the web site’s
most popular URLs. If the URLs are web pages, it may also follow the hyperlinks by
requesting all URLs mentioned in those web pages. In this way, the behavior of web
crawlers differs from a typical brute force login attack, which focuses repeatedly on one
URL.
You can request that robots not index and/or follow links, and disallow their access to
specific URLs (see http://www.robotstxt.org/). However, misbehaving robots frequently
ignore the request, and there is no single standard way to rate-limit robots.
Robot control profiles can track the rate at which each source IP address makes requests.
If the source IP address exceeds the threshold, the FortiWeb unit penalizes the source IP
address by blocking additional requests for the time period that you indicate in the profile.
Robot control profiles can also use the User-Agent: field in the HTTP header to allow
legitimate robots or to block robots that are notorious for misbehaving.
Robot control profiles enable you to associate predefined and custom robot control groups
with rules that determine which specific robots are considered to be bad robots and which
robots are allowed access to your web servers without being rate controlled or subject to
parameter validation rules or server protection rules.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 91: Web Protection > Robot Control > Robot Control tab


Create New: Click to add a robot control profile.

#: Displays the index number of the entry in the list.

Name: Displays the name of the entry.

Bad Robot: Indicates whether the blocking feature for bad web crawlers (robots), those known to ignore no-index, no-follow and other directives, is enabled or disabled.

Bad Robot Action: Displays the action taken by FortiWeb when a violation of the robot control profile occurs.

Allow Robot: Identifies well-known robots (for example, Google) that are allowed and will not be rate-controlled or subject to parameter validation rules, server protection rules, or Bad Robot blocking.

Standalone IP Access Limit: Displays the rate threshold for source IP addresses that are single clients. Request rates exceeding the threshold will cause the FortiWeb unit to block additional requests for the length of time in the Block Period column. 0 indicates that the rate is not limited.

Share IP Access Limit: Displays the rate threshold for source IP addresses that are shared by multiple clients behind a network address translation (NAT) device such as a firewall or router. Request rates exceeding the threshold will cause the FortiWeb unit to block additional requests for the length of time in the Block Period column. 0 indicates that the rate is not limited.

Block Period: Displays the length of time for which the FortiWeb unit will block additional requests after a source IP address exceeds a rate threshold.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile, or if the entry is a template entry. Click the Edit icon to modify the entry. Click the View icon to view a template entry. Click the Clone icon to create a new entry that clones the settings from a predefined robot control.

Before you configure a robot control profile, you must first create robot groups, which can
then be applied to the robot control profile. Robot groups are used by the profile to identify
the specific robots that are allowed access to your web servers without being rate
controlled or subject to parameter validation rules, server protection rules, or bad robot
detection. For details, see “Configuring predefined robot groups” on page 230 and
“Configuring custom robot groups” on page 232.

To configure a robot control profile

Note: Alternatively, you can automatically configure a robot control profile that allows all
predefined search engine types by generating a default auto-learning profile. For details,
see “Generating an auto-learning profile and its components” on page 281.

1 Go to Web Protection > Robot Control > Robot Control.


2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A new dialog appears.
Alternatively, click the Clone icon to create a new entry based on a predefined entry. In
this case, a dialog appears with just the Name field.


3 In Name, type the name of the robot control profile.


This field cannot be modified if you are editing an existing robot control profile. To
modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

Bad Robot: Enable to detect web crawlers that are known to ignore no-index, no-follow and other directives, then select which action the FortiWeb unit will take when it detects one.

Action, Severity and Trigger Policy: The Action, Severity and Trigger Policy drop-down menus allow you to control what the FortiWeb unit will do when it detects a bad robot violation. Each violation can be uniquely configured. The following actions can be performed for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Policy settings, see “Responding to web protection rule violations” on page 191.
Note: If a WAF Auto Learning Profile will be selected in the policy with profiles that use this rule, you should select Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.

Allow Robot: Select a group of well-known search engines’ web crawlers, if any, that will be exempt from the rate limit of this robot control profile. For details about creating robot groups, see “Configuring predefined robot groups” on page 230. The FortiWeb unit will omit any subsequent intrusion detection features, including parameter validation rules, server protection rules, or bad robot detection.
Note: If you want to view the information associated with the robot group, select the Detail link beside the Allow Robot list. A read-only version of the Edit Robot Group window opens.
Attack log messages contain DETECT_ALLOW_ROBOT_GOOGLE, DETECT_ALLOW_ROBOT_YAHOO, or DETECT_ALLOW_ROBOT_MSN when this feature detects an allowed predefined robot. For details, see “Event Log Console widget” on page 48 or “Viewing log messages” on page 331.


Allow Custom Robot: Select a group of custom robots, if any, that will be exempt from the rate limit of this robot control profile. For details about creating custom robot groups, see “Configuring custom robot groups” on page 232. The FortiWeb unit will omit any subsequent intrusion detection features, including parameter validation rules, server protection rules, or bad robot detection.
Note: If you want to view the information associated with the custom robot group, select the Detail link beside the Allow Custom Robot list. A read-only version of the Edit Custom Robot Group window opens.
Attack log messages contain DETECT_ALLOW_ROBOT: Custom-Robot-1 (where Custom-Robot-1 is the name that you configured for the robot’s signature) when this feature detects an allowed custom robot. For details, see “Event Log Console widget” on page 48 or “Viewing log messages” on page 331.

Malicious Robot Prevention

Standalone IP Access Limit: Type the rate limit in number of requests per second for source IP addresses that are single clients. Request rates exceeding the threshold will cause the FortiWeb unit to block additional requests for the length of time set in the Block Period field. To disable the rate limit, type 0.

Share IP Access Limit: Type the rate limit in number of requests per second for source IP addresses that are shared by multiple clients behind a network address translation (NAT) device such as a firewall or router. Request rates exceeding the threshold will cause the FortiWeb unit to block additional requests for the length of time set in the Block Period field. To disable the rate limit, type 0.
Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client. In addition, the rate is a total rate for all clients that use the same source IP address. For these reasons, you should usually enter a greater value for this field than for Standalone IP Access Limit.

Block Period: Type the length of time for which the FortiWeb unit will block additional requests after a source IP address exceeds its rate threshold.
5 Click OK.
To apply the robot control profile, select it in an inline or offline protection profile. For
details, see “Configuring inline protection profiles” on page 268 or “Configuring offline
protection profiles” on page 274.
Attack log messages contain DETECT_MALICIOUS_ROBOT when this feature detects a
misbehaving robot or any other HTTP client that exceeds the rate limit.
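The per-source-IP rate limiting that both brute force login profiles and robot control profiles apply, as an added Python model (not FortiWeb code): requests per second from each source IP are compared against the Standalone IP Access Limit or, for addresses known to be NAT-shared, the Share IP Access Limit; exceeding the limit blocks that address for Block Period seconds, and a limit of 0 disables the check. The list of shared addresses, the one-second sliding window and the sample request stream are constructed assumptions; the DETECT_MALICIOUS_ROBOT tag is the one this section names.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class RobotControlProfile:
    """Rate-limit settings of a robot control profile (constructed model)."""
    standalone_ip_access_limit: int       # requests/second for single-client IPs; 0 = no limit
    share_ip_access_limit: int            # requests/second for NAT-shared IPs; 0 = no limit
    block_period: int                     # seconds to block after a limit is exceeded
    shared_ips: frozenset = frozenset()   # assumption: addresses known to front a NAT device


class SourceIpRateLimiter:
    """Tracks the request rate per source IP and enforces the block period."""

    def __init__(self, profile):
        self.profile = profile
        self._window = defaultdict(deque)   # ip -> request timestamps within the last second
        self._blocked_until = {}            # ip -> time (seconds) when its block expires

    def limit_for(self, ip):
        """Shared addresses get the (usually higher) shared limit."""
        if ip in self.profile.shared_ips:
            return self.profile.share_ip_access_limit
        return self.profile.standalone_ip_access_limit

    def check(self, ip, now):
        """Decide one request from `ip` arriving at time `now` (seconds).

        Returns ("allow", None) or ("block", "DETECT_MALICIOUS_ROBOT").
        """
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "block", "DETECT_MALICIOUS_ROBOT"
            del self._blocked_until[ip]     # block period has expired

        limit = self.limit_for(ip)
        if limit == 0:                      # 0 disables the rate limit
            return "allow", None

        window = self._window[ip]
        window.append(now)
        while window and now - window[0] >= 1.0:   # one-second sliding window
            window.popleft()
        if len(window) > limit:
            # Threshold exceeded: the whole source IP is penalized, including
            # any innocent clients behind the same NAT address.
            self._blocked_until[ip] = now + self.profile.block_period
            window.clear()
            return "block", "DETECT_MALICIOUS_ROBOT"
        return "allow", None


def run(profile, requests):
    """Feed constructed (time, source_ip) requests through one limiter.

    Returns the decisions in order. State is kept per IP, so the relative
    order of requests from different addresses does not matter.
    """
    limiter = SourceIpRateLimiter(profile)
    return [limiter.check(ip, t)[0] for t, ip in requests]


# Constructed sample: a profile that limits single clients to 3 req/s but
# allows a known NAT gateway 10 req/s, blocking offenders for 60 seconds.
SAMPLE_PROFILE = RobotControlProfile(
    standalone_ip_access_limit=3,
    share_ip_access_limit=10,
    block_period=60,
    shared_ips=frozenset({"203.0.113.7"}),
)
SAMPLE_REQUESTS = (
    [(0.1 * i, "198.51.100.5") for i in range(5)]        # 5 requests in 0.4 s: 4th exceeds 3/s
    + [(30.0, "198.51.100.5")]                            # still inside the 60 s block period
    + [(61.0, "198.51.100.5")]                            # block expired, allowed again
    + [(0.05 * i, "203.0.113.7") for i in range(10)]      # NAT gateway at exactly its limit
)

if __name__ == "__main__":
    for (t, ip), decision in zip(SAMPLE_REQUESTS, run(SAMPLE_PROFILE, SAMPLE_REQUESTS)):
        print(f"t={t:6.2f}s {ip:15} {decision}")
```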

Configuring predefined robot groups


Web Protection > Robot Control > Robot Group displays the list of groups of predefined
robots.
A robot group contains one or more of the predefined robot signatures. For information on
predefined robot signatures, see “Viewing the list of predefined robots” on page 234.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.


Table 92: Web Protection > Robot Control > Robot Group tab


Create New: Click to add a known robot group.

#: Displays the index number of the entry in the list.

Name: Displays the name of the entry.

Count: Displays the number of known robots contained in the group.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a robot control profile. Click the Edit icon to modify the entry. Click the View icon to view a predefined entry. Click the Clone icon to create a new entry based on a predefined entry.

To configure a predefined robot group


1 Go to Web Protection > Robot Control > Robot Group.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A new dialog appears.
Alternatively, click the Clone icon to create a new entry based on a predefined entry. In
this case, a dialog appears with just the Name field.

3 In Name, type the name of the robot group.
This field cannot be modified if you are editing an existing robot group. To modify the
name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.


A new dialog appears.

6 Configure the following:

ID: Enter the index number of the robot entry within the robot group, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.

Robot: Select the name of a robot. For the predefined list of well-known robots and their defining patterns, see “Viewing the list of predefined robots” on page 234.

7 Click OK.
8 Repeat the previous steps for each robot that you want to add to the robot group.
9 To modify a robot, click its Edit icon. To remove a single robot from the robot group,
click its Delete icon. To remove all robots from the robot group, click the Clear icon.
10 Click OK.
To use a robot group, you must select it in a robot control profile. For details, see
“Configuring robot control profiles” on page 227.

Configuring custom robot groups


Web Protection > Robot Control > Custom Robot displays the list of custom robot groups.
Instead of using groups of predefined well-known robots, you can configure groups of
custom robot signatures. Each signature is a regular expression that the FortiWeb unit can
compare to the User-Agent: field in the HTTP header in order to determine whether or
not the HTTP client is a legitimate robot. Legitimate robots, such as search engine
indexers, usually should be exempt from attack detection. If your organization has written
its own search indexer, or uses a third-party spider not identified in the predefined list, you
may need to write a custom robot signature.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 93: Web Protection > Robot Control > Custom Robot tab


Create New: Click to add a custom robot group.

#: Displays the index number of the entry in the list.


Name: Displays the name of the entry.

Count: Displays the number of custom robots contained in the group.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a robot control profile. Click the Edit icon to modify the entry.

To configure a group of custom robot signatures


1 Go to Web Protection > Robot Control > Custom Robot.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type the name of the custom robot signature set.
This field cannot be modified if you are editing an existing custom robot. To modify the
name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.

6 Configure the following:

ID: Type the index number of the custom robot signature within the set, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.

Robot Type Name: Type a name, such as Intranet-Indexer, for the signature. This name will appear in log messages where the signature was used to detect a robot.


Robot Expression: Type a regular expression that matches all and only the User-Agent: fields in the HTTP header known to be produced by the custom robot.
For example, if a custom robot is either:
• User-Agent: happy-spider
• User-Agent: happy-spider2.0
but not User-Agent: baiduspider, you would write a regular expression to match the first two cases, but that would not match the third.
To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window, where you can fine-tune the expression.
7 Click OK.
8 Repeat the previous steps for each custom robot signature that you want to add to the
custom robot group. Only one group may be selected per robot control profile, so you
may want to include multiple custom robot signatures in this group.
9 To modify a custom robot signature, click its Edit icon. To remove a single signature
from the group, click its Delete icon. To remove all signatures from the group, click the
Clear icon.
10 Click OK.
To use a custom robot group, you must select it in a robot control profile. For details,
see “Configuring robot control profiles” on page 227.
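The “all and only” requirement for a Robot Expression, as an added Python check (not FortiWeb code) built on the happy-spider example above: a candidate expression is tested against User-Agent values the custom robot is known to send and against values it must not match, and a matching signature’s Robot Type Name is turned into the DETECT_ALLOW_ROBOT log tag this section describes. The signature name, the deliberately loose comparison pattern and the sample User-Agent values are constructed.

```python
import re

# Constructed custom robot group: (Robot Type Name, Robot Expression).
# The expression is anchored so that it matches exactly the two User-Agent
# values the robot sends and nothing else.
CUSTOM_ROBOT_GROUP = [
    ("Intranet-Indexer", r"^happy-spider(2\.0)?$"),
]
# A loose expression for comparison: it also matches unrelated crawlers.
LOOSE_EXPRESSION = r"spider"

# Constructed User-Agent values: two the custom robot is known to send, and
# two that the signature must not match (a well-known search engine crawler
# and a browser whose UA merely contains the robot's name).
KNOWN_GOOD = ["happy-spider", "happy-spider2.0"]
MUST_NOT_MATCH = ["baiduspider", "Mozilla/5.0 (happy-spider-fan page)"]


def validate_expression(expression, known_good, must_not_match):
    """Check the all-and-only property of a Robot Expression.

    Returns (missed, overmatched): values the robot sends that the expression
    fails to match, and values it wrongly matches. Both lists empty means the
    expression is acceptable; a non-empty `overmatched` means other clients
    would be exempted from attack detection.
    """
    rx = re.compile(expression)
    missed = [ua for ua in known_good if rx.search(ua) is None]
    overmatched = [ua for ua in must_not_match if rx.search(ua) is not None]
    return missed, overmatched


def classify_user_agent(user_agent, group=CUSTOM_ROBOT_GROUP):
    """Return the log tag an allowed custom robot produces, or None.

    The first matching signature wins; the tag carries the Robot Type Name.
    """
    for robot_type_name, expression in group:
        if re.search(expression, user_agent):
            return f"DETECT_ALLOW_ROBOT: {robot_type_name}"
    return None


if __name__ == "__main__":
    for expr in (CUSTOM_ROBOT_GROUP[0][1], LOOSE_EXPRESSION):
        print(f"{expr!r:28} missed/overmatched:",
              validate_expression(expr, KNOWN_GOOD, MUST_NOT_MATCH))
    for ua in KNOWN_GOOD + MUST_NOT_MATCH:
        print(f"{ua!r:42} -> {classify_user_agent(ua)}")
```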

Viewing the list of predefined robots


Web Protection > Robot Control > Known Robot displays the predefined list of well-known
robots.
Select the blue arrow next to a robot name to expand the entry, displaying the pattern
contained in the entry.

Figure 31: Viewing the list of known robots

The pattern contains a regular expression that the FortiWeb unit uses to compare the
User-Agent: field in the HTTP header in order to determine whether or not the HTTP
client is a well-known, legitimate robot. Legitimate robots, such as search engine indexers,
should be included in a robot group and applied to a robot control profile to prevent attack
detection.
You apply predefined robots indirectly by first forming groups of robots, then selecting
those groups in a robot control profile. For details, see “Configuring predefined robot
groups” on page 230.


Configuring allowed request method policy


Web Protection > Allow Request Method > Allow Method Policy displays the list of
policies for allowed HTTP request methods.
The request method policy enables you to build specific combinations of allowed HTTP
request methods and specific exceptions to those combinations.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: To extend the versatility of a request method policy, you can create and incorporate
exceptions (see “Configuring allowed method exceptions” on page 237).

Table 94: Web Protection > Allow Request Method > Allow Method Policy tab


Create New: Click to add a new HTTP request method policy.

#: Displays the index number of the entry in the list.

Name: Displays the name of the allow method policy.

Severity: Each policy is assigned a severity. When a policy violation occurs, the violation is recorded and reported with the designated severity. See “Responding to web protection rule violations” on page 191.

Trigger Policy: The trigger policy contains information to identify who will receive an alert email when a violation occurs, and how the log message associated with the violation, if applicable, is recorded. See “Responding to web protection rule violations” on page 191.

Allow Method Exceptions: Identifies the name of the HTTP method exception rules associated with the policy. For more information, see “Configuring allowed method exceptions” on page 237.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile. Click the Edit icon to modify the entry.

To include method exceptions, create them first. For more information, see “Configuring
allowed method exceptions” on page 237.

To configure an HTTP request method policy


1 Go to Web Protection > Allow Request Method > Allow Method Policy.


2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type the name of the HTTP request method policy.


This field cannot be modified if you are editing an existing HTTP request method policy.
To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:

Name: Enter the name of the allow method policy.

Allow Request: Mark the check boxes for all HTTP request methods that you want to allow for this specific policy. Only the selected methods will be allowed on all web servers where this policy is used, unless exceptions are defined for specific URL/hosts. For more information, see “Configuring allowed method exceptions” on page 237.
Note: If a WAF Auto Learning Profile is used in the server policy where the HTTP request method is applied (via the Web Protection Profile), you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb unit to learn about. If a method is disabled, the FortiWeb unit will reset the connection, and therefore cannot learn about the session.

Severity: Select the severity level you want FortiWeb to use in the records and reports generated when a violation of the HTTP request method policy occurs. You can configure the violation as either Low, Medium or High severity. For information on Severity and Trigger Policy settings, see “Responding to web protection rule violations” on page 191.

Trigger Policy: Select the trigger policy you want FortiWeb to apply when a violation of the HTTP request method policy occurs. Trigger policies determine who will be notified by email when the policy violation occurs, and whether the log message associated with the violation is recorded. For more information, see “Responding to web protection rule violations” on page 191.

Allow Method Exceptions: Select the HTTP request method exception to apply to the policy. The method exceptions define specific HTTP request methods that are allowed by specific URLs and hosts.
Note: If you want to view the information associated with the HTTP request method exceptions used by this policy, select the Detail link beside the Allow Method Exceptions list. A read-only version of the Allow Method Exceptions window opens.
For more information, see “Configuring allowed method exceptions” on page 237.

5 Click OK.
To apply the allow method policy, select it in an inline or offline protection profile. For
details, see “Configuring inline protection profiles” on page 268 or “Configuring offline
protection profiles” on page 274.


Configuring allowed method exceptions


Web Protection > Allow Request Method > Allow Method Exceptions displays the list of
allowed method exceptions.
While most URL and host name combinations controlled by a profile may require similar
HTTP request methods, you may have some that require different methods. Instead of
forming separate policies and profiles for those requests, you can configure allowed
method exceptions. The method exceptions define specific HTTP request methods that
are allowed by specific URLs and hosts.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 95: Web Protection > Allow Request Method > Allow Method Exceptions tab


Create New: Click to add an allowed method exception.

#: Displays the index number of the entry in the list.

Name: Displays the name of the entry.

Allow Method Exception Count: Displays the number of individual rules contained in the entry.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile. Click the Edit icon to modify the entry.

Before you configure an allowed method exception, if you want to apply it only to HTTP
requests for a specific real or virtual host, you must first define the web host in a protected
hosts group. For details, see “Configuring protected servers” on page 147.

To configure an allowed method exception


1 Go to Web Protection > Allow Request Method > Allow Method Exceptions.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.


3 In Name, type the name of the allowed method exception.
This field cannot be modified if you are editing an existing allowed method exception.
To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.

6 Configure the following:

ID: Enter the index number of the individual rule within the allowed method exception, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.

Host Status: Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the allowed method exception. Also configure Host.

Host: Select which protected hosts entry (either a web host name or IP address) the Host: field of the HTTP request must match in order to match the allowed method exception. This option is available only if Host Status is enabled.

Type: Select whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression.


URL Pattern: Depending on your selection in Type, enter either:
• the literal URL, such as /index.php, that is an exception to the generally allowed HTTP request methods. The URL must begin with a slash ( / ).
• a regular expression, such as ^/*.php, matching all and only the URLs which are exceptions to the generally allowed HTTP request methods. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm. For example, if multiple URLs on a host have identical HTTP request method requirements, you would type a regular expression matching all of and only those URLs.
Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list.
To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window, where you can fine-tune the expression.

Allow Method Exception: Select the check boxes for all HTTP request methods you want to allow.
Note: If a WAF Auto Learning Profile will be selected in the policy with an offline protection profile that uses this allowed method exception, you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb unit to learn about. If a method is disabled, the FortiWeb unit will reset the connection, and therefore cannot learn about the session.
7 Click OK.
8 Repeat the previous steps for each exception that you want to add to the allowed
method exceptions.
9 To modify an exception, click its Edit icon. To remove an exception, click its Delete icon.
To remove all exceptions, click the Clear icon.
10 Click OK.
To apply the allowed method exception, select it in an allow method policy. For details,
see “Configuring allowed request method policy” on page 235.
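An allow method policy with method exceptions, as an added Python model (not FortiWeb code) of the evaluation this section and the previous one describe: a request’s method is checked against the policy’s generally allowed methods unless its Host: and URL match an exception, in which case that exception’s own method set decides. The rule that a matching exception replaces the general method set (rather than extending it), that the first matching exception wins, that the URL is matched as a path without query string, and the sample policy and requests are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AllowMethodException:
    """One rule of an Allow Method Exceptions entry (constructed model)."""
    url_pattern: str
    allowed_methods: FrozenSet[str]
    is_regex: bool = False          # Type: Regular Expression (True) or Simple String (False)
    host: Optional[str] = None      # Host Status enabled when not None

    def matches(self, host, url):
        """True when Host: (if required) and the URL both match this rule."""
        if self.host is not None and host != self.host:
            return False
        if self.is_regex:
            return re.search(self.url_pattern, url) is not None
        return url == self.url_pattern      # literal comparison of the full path


@dataclass(frozen=True)
class AllowMethodPolicy:
    allowed_methods: FrozenSet[str]                     # the Allow Request check boxes
    exceptions: Tuple[AllowMethodException, ...] = ()   # the selected Allow Method Exceptions

    def evaluate(self, method, host, url):
        """Return (allowed, matched_pattern) for one request.

        matched_pattern is the URL pattern of the exception that decided the
        request, or None when the policy's general method set decided it.
        Assumption: the first matching exception wins and its method set
        replaces the general one for that URL.
        """
        for exc in self.exceptions:
            if exc.matches(host, url):
                return method in exc.allowed_methods, exc.url_pattern
        return method in self.allowed_methods, None


# Constructed sample policy: read-only methods everywhere, except that one
# upload endpoint on one host accepts POST only, and every .php page accepts
# GET and POST regardless of host.
SAMPLE_POLICY = AllowMethodPolicy(
    allowed_methods=frozenset({"GET", "HEAD"}),
    exceptions=(
        AllowMethodException("/api/upload", frozenset({"POST"}),
                             host="www.example.com"),
        AllowMethodException(r"^/.*\.php$", frozenset({"GET", "POST"}),
                             is_regex=True),
    ),
)

# Constructed requests as (method, Host: value, URL path).
SAMPLE_REQUESTS = [
    ("GET", "www.example.com", "/index.html"),        # general rule: allowed
    ("POST", "www.example.com", "/index.html"),       # general rule: violation
    ("POST", "www.example.com", "/api/upload"),       # host + URL exception: allowed
    ("POST", "intranet.example.com", "/api/upload"),  # Host: mismatch, general rule: violation
    ("POST", "www.example.com", "/login.php"),        # regex exception: allowed
    ("DELETE", "www.example.com", "/login.php"),      # regex exception: DELETE not listed
]


def evaluate_all(policy=SAMPLE_POLICY, requests=SAMPLE_REQUESTS):
    """Evaluate each sample request; returns one allowed/denied boolean per request."""
    return [policy.evaluate(m, h, u)[0] for m, h, u in requests]


if __name__ == "__main__":
    for (m, h, u), ok in zip(SAMPLE_REQUESTS, evaluate_all()):
        print(f"{m:6} {h:22} {u:14} -> {'allow' if ok else 'VIOLATION'}")
```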

Configuring hidden field protection profiles


Web Protection > Hidden Fields Protection > Hidden Fields Protection displays the list of
hidden field protection profiles.
Hidden fields are unlike other inputs, because they are not visible on a rendered web page.
As such, if hidden fields are tampered with, the tampering could go undetected. Hidden field
protection profiles enable you to apply individual hidden field protection rules that
FortiWeb uses to detect hidden fields that have been tampered with.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: To create a hidden fields protection profile, you must first configure one or more hidden
field rules. See “Configuring hidden field rules” on page 241.

Table 96: Web Protection > Hidden Fields Protection > Hidden Fields Protection tab

Create New: Click to add a hidden field group.


#: Displays the index number of the entry in the list.

Name: Displays the name of the entry.

Rule Count: Displays the number of individual hidden fields rules contained in the profile.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline protection profile. Click the Edit icon to modify the entry.

To configure a hidden field profile


1 Go to Web Protection > Hidden Fields Protection > Hidden Fields Protection.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.


3 In Name, type the name of the hidden field profile.


This field cannot be modified if you are editing an existing hidden field group. To modify
the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.

6 Select the name of a hidden field rule that you want to apply to the hidden fields
protection profile from the Hidden Fields Rule drop-down list.
To view the information associated with a hidden fields rule, select the Detail link. A
read-only version appears.
7 Click OK.
8 Repeat the previous steps for each individual rule that you want to add to the hidden
field profile.


9 To modify an individual rule, click its Edit icon. To remove an individual rule from the
hidden field profile, click its Delete icon. To remove all individual rules from the hidden
field profile, click the Clear icon.
10 Click OK.
To apply the hidden field group, select it in an inline protection profile. For details, see
“Configuring inline protection profiles” on page 268.

Note: In order for hidden field groups to be enforced, you must also enable “Session
Management” in the inline protection profile.

Configuring hidden field rules


Web Protection > Hidden Fields Protection > Hidden Fields Rule displays the list of
hidden field rules.
Like other types of parameters and inputs, hidden form inputs can be vulnerable to
tampering and can be used as a vector for other attacks.
Unlike other inputs, hidden form inputs are often written into an HTML page by the web
server when it serves that page to the client, and are not visible on the rendered web
page. As such, they are sometimes perceived as relatively safe.
Like other inputs, however, hidden fields are accessible through the JavaScript document
object model (DOM). As inputs, they can be used to inject invalid data into your databases
or attempt to tamper with the session state.
Hidden field rules prevent such tampering by caching the values of a session’s hidden
inputs as they pass to the HTTP client, and verifying that they remain unchanged when
the HTTP client submits a form.
Unlike visible inputs, hidden field rules are for hidden inputs only. For information on
constraining visible inputs, see “Configuring parameter validation input rules” on
page 194.
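As an added illustration (not FortiWeb code and not part of the original guide), the following Python model shows the mechanism the rule describes: the hidden inputs of a protected form are recorded per session as the page is served, and compared with what the client submits. The page, form, field names and session ids are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs


class _HiddenInputCollector(HTMLParser):
    """Collect hidden <input> name/value pairs, grouped by the form's post URL."""

    def __init__(self):
        super().__init__()
        self.forms = {}        # post URL -> {hidden field name: value}
        self._post_url = None  # action of the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._post_url = a.get("action", "")
            self.forms.setdefault(self._post_url, {})
        elif tag == "input" and self._post_url is not None:
            if a.get("type", "").lower() == "hidden" and a.get("name"):
                self.forms[self._post_url][a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._post_url = None


def extract_hidden_fields(html):
    """Return {post URL: {name: value}} for every form in an HTML page."""
    parser = _HiddenInputCollector()
    parser.feed(html)
    return parser.forms


class HiddenFieldGuard:
    """Caches a session's hidden inputs on the way out, verifies them on submit.

    rule maps a post URL to the set of hidden field names protected for it,
    which is what a hidden field rule holds after Fetch URL. The cache is keyed
    by session, which is why session tracking is required for enforcement.
    """

    def __init__(self, request_url, rule):
        self.request_url = request_url
        self.rule = rule
        self._cache = {}   # session id -> {post URL: {name: value}}

    def on_response(self, session_id, url, html):
        """Record protected hidden inputs as the page is served to the client."""
        if url != self.request_url:
            return
        found = extract_hidden_fields(html)
        store = self._cache.setdefault(session_id, {})
        for post_url, names in self.rule.items():
            fields = found.get(post_url, {})
            store[post_url] = {n: fields[n] for n in names if n in fields}

    def on_request(self, session_id, post_url, body):
        """Return the names of protected hidden fields whose value changed."""
        expected = self._cache.get(session_id, {}).get(post_url)
        if expected is None:
            return []    # nothing cached for this session and post URL
        submitted = {k: v[0] for k, v in
                     parse_qs(body, keep_blank_values=True).items()}
        return sorted(n for n, v in expected.items() if submitted.get(n) != v)


# Constructed sample page: a checkout form whose price is a hidden input.
SAMPLE_HTML = """
<form action="/checkout" method="post">
  <input type="hidden" name="item_id" value="42">
  <input type="hidden" name="price" value="19.99">
  <input type="text" name="qty" value="1">
  <input type="submit" value="Buy">
</form>
"""

SAMPLE_RULE = {"/checkout": {"item_id", "price"}}   # constructed rule contents


if __name__ == "__main__":
    guard = HiddenFieldGuard("/cart", SAMPLE_RULE)
    guard.on_response("sess-1", "/cart", SAMPLE_HTML)
    print(guard.on_request("sess-1", "/checkout", "item_id=42&price=19.99&qty=2"))
    print(guard.on_request("sess-1", "/checkout", "item_id=42&price=0.01&qty=2"))
```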
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 97: Web Protection > Hidden Fields Protection > Hidden Fields Rule tab

GUI item      Description
Create New    Click to add a hidden field constraint.
#             Displays the index number of the entry in the list.
Name          Displays the name of the entry.
Edit          Click the Edit icon to modify the entry.
Delete        Click the Delete icon to remove the entry.


Before you configure a hidden field rule, if you want to apply it only to HTTP requests for a
specific real or virtual host, you must first define the web host in a protected hosts group.
For details, see “Configuring protected servers” on page 147.

To configure a hidden field rule


1 Go to Web Protection > Hidden Fields Protection > Hidden Fields Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
3 In Name, type the name of the hidden field constraint.
This field cannot be modified if you are editing an existing hidden field rule. To modify
the name, delete the entry, then recreate it using the new name.
4 Configure the following:

GUI item       Description
Host status    Enable if you want the hidden field rule to apply only to HTTP requests for
               a specific web host. Also configure Host.
Host           Select the name of a protected host that the Host: field of an HTTP request
               must be in order to match the hidden field rule.
               This option is available only if Host status is enabled.


Request URL    Type the exact URL that contains the hidden form for which you want to
               create a hidden field rule.
               The URL must begin with a slash ( / ). Do not include the web host name,
               such as www.example.com. It is configured separately in the Host
               drop-down list.
Action, Severity and Trigger Policy
               The Action, Severity and Trigger Policy drop-down menus allow you to
               control what the FortiWeb unit will do when it detects a specific
               violation such as an attack, suspicious request or other threat. Each
               violation can be uniquely configured.
               The following actions are available for this type of attack:
               • Alert
               • Alert & Deny
               • Redirect
               • Send 403 Forbidden
               For information on Action, Severity and Trigger Policy settings, see
               “Responding to web protection rule violations” on page 191.
               Note: If a WAF Auto Learning Profile will be selected in the policy with
               profiles that use this rule, you should select Alert. If the Action is
               Alert & Deny, the FortiWeb unit will reset the connection when it detects
               an attack, resulting in incomplete session information for the
               auto-learning feature.
5 Click OK.
6 Click Fetch URL, and then enter the following information in the pop-up dialog that
appears:

GUI item    Description
Pserver     Select the IP address of the physical server that hosts the web site with the
            hidden field.
Port        Type the TCP port number on which the physical server listens for HTTP
            connections.

• The pop-up dialog also includes a Fetch URL button. Click it to retrieve the web
page you specified in Request URL. Another pop-up dialog appears, displaying a list
of hidden inputs that the FortiWeb unit found in that web page, and the URLs to
which those hidden inputs will be posted when a client submits the form.

Figure 32: Fetch URL dialog


Entries in the list are color-coded by the recommended course of action:


• Blue: The URL/hidden field exists in the requested URL, but you have not yet
configured it in the hidden field rule. You may want to add it to the hidden field
rule.
• Red: The URL/hidden field does not exist in the requested URL, yet it is
currently configured in the hidden field rule. You may want to remove it from the
hidden field rule.
• Black: The URL/hidden field exists in both the requested URL and your hidden
field rule.
• For each entry that you want to be in the hidden field rule, in the Status column,
select its check box.

Note: In addition to new items, select the check boxes of any previously configured items
that you want to keep in the hidden field rule. If you do not, they will be deleted.

• Click OK to save the entries in the dialog.


7 If there are any additional hidden fields or post URLs that you want to manually add to
the hidden field rule, click Create New. A dialog appears. Enter the name of the post
URL or hidden field.
8 Repeat the previous steps for each post URL or hidden field that you want to manually
add to the hidden field rule.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the
hidden field rule, click its Delete icon. To remove all individual rules from the hidden
field rule, click the Clear icon.
10 Click OK.
To apply the hidden field rule, select it in a hidden fields protection profile. For details,
see “Configuring hidden field protection profiles” on page 239.

Configuring URL rewriting policy


Web Protection > URL Rewriting Policy > URL Rewriting Policy displays the list of URL
rewriting policies.

Caution: When configuring URL rewriting policy, check to see whether there are any HTTP
conversion policies in use that might conflict with the URL rewriting policy. If conflicts occur,
the URL rewriting policy takes priority over the HTTP conversion policy. See “Configuring
HTTP conversion policy” on page 141.

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: To create an effective URL rewriting policy, you must first configure one or more URL
rewriting rules. See “Configuring URL rewriting rules” on page 246.


Table 98: Web Protection > URL Rewriting Policy > URL Rewriting tab

GUI item               Description
Create New             Click to add a URL rewriting group.
#                      Displays the index number of the entry in the list.
Name                   Displays the name of the entry.
URL Rewriting Count    Displays the number of individual rules contained in the entry.
(No column heading.)   Click the Delete icon to remove the entry. This icon does not appear if
                       the entry is currently selected for use in an inline protection profile.
                       Click the Edit icon to modify the entry.

Before you can configure a URL rewriting policy, you must first configure the URL rewriting
rules that you want to include in the policy. For details, see “Configuring URL rewriting
rules” on page 246.

To configure a URL rewriting policy


1 Go to Web Protection > URL Rewriting Policy > URL Rewriting Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, enter the name of the URL rewriting group.
This field cannot be modified if you are editing an existing URL rewriting group. To
modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.


6 Configure the following:


GUI item               Description
ID                     Type the index number of the entry, or keep the field’s default value of
                       auto to let the FortiWeb unit automatically assign the next available
                       index number.
                       The number must be between 1 and 99,999 and must be unique for each
                       entry in the group.
Priority               Type the order of evaluation for this rule in the group, starting from 0.
                       To create an entry with the highest match priority, enter 0. For
                       lower-priority matches, enter larger numbers.
                       Note: Rule order affects URL rewriting rule matching and behavior. The
                       search begins with the smallest Priority number (greatest priority) rule
                       in the list and progresses in order towards the largest number in the
                       list. Matching rules are determined by comparing the rule and the
                       connection’s content. If no rule matches, the connection remains
                       unchanged.
                       When the FortiWeb unit finds a matching rule, it applies the matching
                       rule's specified actions to the connection.
Rewriting Rule Name    Select the name of an existing URL rewriting rule that you want to
                       include in the group.
                       If you want to view the information associated with a URL rewriting
                       rule, select the Detail link. A read-only version appears.

7 Click OK.
8 Repeat the previous steps for each individual rule that you want to add to the URL
rewriting policy.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the
URL rewriting policy, click its Delete icon. To remove all individual rules from the URL
rewriting policy, click the Clear icon.
10 Click OK.
To apply the URL rewriting policy, select it in an inline protection profile. For details, see
“Configuring inline protection profiles” on page 268.

Configuring URL rewriting rules


Web Protection > URL Rewriting Policy > URL Rewriting Rule displays the list of URL
rewriting rules.
URL rewriting rules can:
• rewrite the URL line or the Referer: field in the HTTP header
• redirect requests to another web site
Similar to error message cloaking, URL rewriting can be useful to prevent the disclosure of
underlying technology or web site structures to HTTP clients.
For example, when visiting a blog web page, its URL might be:
http://www.example.com/wordpress/?feed=rss2
Simply knowing the file name, that the blog uses PHP, its compatible database types, and
the names of parameters via the URL could help an attacker craft an appropriate attack for
that platform. By rewriting the URL to something more human-readable and less platform-
specific, the details can be hidden, such as:
http://www.example.com/rss2

Note: URLs in the HTML body are not rewritten.


Note: URL rewrites are applicable when the FortiWeb unit operates in reverse proxy mode
and true transparent proxy mode without HTTPS.

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 99: Web Protection > URL Rewriting Policy > URL Rewriting Rule tab

GUI item               Description
Create New             Click to add a URL rewriting rule.
#                      Displays the index number of the entry in the list.
Name                   Displays the name of the entry.
URL Rewriting Count    Displays the number of URL rewriting items contained in the entry.
(No column heading.)   Click the Delete icon to remove the entry. This icon does not appear if
                       the entry is currently selected for use in a URL rewriting set.
                       Click the Edit icon to modify the entry.

To configure a URL rewrite rule


1 Go to Web Protection > URL Rewriting Policy > URL Rewriting Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.



3 In Name, enter the name of the URL rewriting rule.


This field cannot be modified if you are editing an existing URL rewriting rule. To modify
the name, delete the entry, then recreate it using the new name.
4 From the Action list, select which of the following actions you want the FortiWeb unit to
take when it receives a matching request:
• Rewrite HTTP Header: Rewrite header fields (Host:, request URL, and Referer:
fields), as specified in the URL Rewriting Condition Table.
• Redirect: Send a 302 (Moved Temporarily) response to the client, with a new
Location: field in the HTTP header.
• Send 403 Forbidden: Send a 403 (Forbidden) response to the client.
• Rewrite HTTP Body: Rewrite URLs in body of responses.
The contents of the URL Rewriting Condition Table vary with the Action selection.
5 Click OK and configure the following information.
6 In the fields below the URL Rewriting Condition Table, enter the following information,
which varies depending on the selection made in the Action list:

GUI item              Description
Redirect              Location
                      Type the value for the Location: field in the HTTP header for the 302
                      response.
Send 403 Forbidden    No options available.
Rewrite HTTP Body     Replacement
                      Type the replacement value for the specific HTTP content in the body of
                      responses. For an example, see “URL rewriting examples” on page 250.


GUI item              Description
Rewrite HTTP Header   Note: If a check box beside an option is available but you do not
                      configure it, the FortiWeb unit will preserve the value from the
                      client’s request when rewriting it.
                      Host
                      This is the replacement value for the Host: field.
                      Type the name of the host, such as store.example.com, to which the
                      request will be redirected.
                      This field supports back references such as $0 to the parts of the
                      original request that matched any capture groups that you entered in
                      Regular Expression for each object in the condition table. (A capture
                      group is a regular expression, or part of one, surrounded in
                      parentheses.)
                      Use $n (0 <= n <= 9) to invoke a substring, where n is the order of
                      appearance of the regular expression, from left to right, from outside
                      to inside, then from top to bottom.
                      For example, regular expressions in the condition table in this order:
                      (a)(b)(c(d))(e)(f)
                      would result in variables with the following values:
                      • $0: a
                      • $1: b
                      • $2: cd
                      • $3: d
                      • $4: e
                      • $5: f
                      For an example, see “URL rewriting examples” on page 250.
                      URL
                      This is the replacement value for the URL field.
                      Type the string, such as /catalog/item1, that will replace the request
                      URL.
                      Do not include the name of the web host, such as www.example.com, nor
                      the protocol.
                      Like Host, this field supports back references such as $0 to the parts
                      of the original request that matched any capture groups that you
                      entered in Regular Expression for each object in the condition table.
                      For an example, see “URL rewriting examples” on page 250.
                      Referer
                      This is the replacement value for the Referer: field.
                      Select the referer URL that will be used when rewriting the Referer:
                      field in the HTTP header.
                      This option is available only if Action is Rewrite HTTP Header.
7 Click OK.
8 Click Create New.
A dialog appears.


9 Configure the following:

GUI item                  Description
ID                        Type the index number of the individual entry in the URL rewriting
                          condition table. The index number is an identifier only, and does not
                          affect the display order or match order.
                          The number must be between 1 and 99,999 and must be unique for each
                          entry.
Object                    Select which part of the HTTP request will be tested for a match:
                          • HTTP Host
                          • HTTP Request URL
                          • HTTP Referer
                          If the request must meet multiple conditions (for example, it must
                          contain both a matching Host: field and a matching URL), add each
                          object match condition to the condition table separately.
If no Referer field in HTTP header
                          Select either:
                          • Do not meet this condition
                          • Meet this condition
                          Requests can lack a Referer: field for several reasons, such as if the
                          user manually types the URL, and the request does not result from a
                          hyperlink from another web site, or if the URL resulted from an HTTPS
                          connection. (See the RFC 2616 section on the Referer: field.) In those
                          cases, the field cannot be tested for a matching value.
                          This option appears only if Object is HTTP Referer.
Regular Expression        Depending on your selection in Object and Meet this condition, type a
                          regular expression that defines either all matching or all
                          non-matching Host: fields, URLs, or Referer: fields. Then, also
                          configure Meet this condition.
                          For example, for the URL rewriting rule to match all URLs that begin
                          with /wordpress, you could enter ^/wordpress, then, in Meet this
                          condition, select Match this condition.
                          The pattern is not required to begin with a slash ( / ).
                          When you have finished typing the regular expression, click the >>
                          (test) icon. This opens the Regular Expression Validator window where
                          you can fine-tune the expression.
Meet this condition if    Indicate how to use Regular Expression when determining whether or
                          not this URL rewriting condition has been met.
                          • Object does not match the regular expression: If the regular
                          expression does not match the request object, the condition is met.
                          • Object matches the regular expression: If the regular expression
                          does match the request object, the condition is met.
                          If all conditions are met, the FortiWeb unit will do your selected
                          Action.

10 Click OK.
11 Repeat the previous steps for each condition that you want to add to the URL rewriting
rule.
12 To modify an individual condition, click its Edit icon. To remove an individual condition
from the URL rewriting rule, click its Delete icon. To remove all individual conditions
from the URL rewriting rule, click the Clear icon.
13 Click OK.
To apply the URL rewrite rule, you must first add it to a URL Rewriting Policy. For
details, see “Configuring URL rewriting policy” on page 244.

URL rewriting examples


The following topics provide examples using regular expressions and variables to rewrite
URLs.
• Rewriting URLs using regular expressions
• Rewriting URLs using variables


Rewriting URLs using regular expressions


Example.edu is a large university. Professors of example.edu use a mixture of WordPress
and Movable Type software for their course web pages to keep students updated. In
addition, the campus bookstore and software store use custom shopping cart software.
The URLs of these web applications contain clues about the underlying vendors,
databases and scripting languages.
Because it is a large organization with many mobile users and guests, and an Internet
connection with large bandwidth, the university is therefore a frequent target of attacks. Its
network administrators want to hide the underlying technology to make it more difficult for
attackers to craft platform-specific attacks. Example.edu also wants to make clients’
bookmarked URLs more permanent, so that clients will not need to repair them if the
university switches software vendors.
Because it has so many URLs, the university uses regular expressions to rewrite sets of
similar URLs, rather than configuring rewrites for each URL individually. More specific
URL rewrite rules are selected first in the URL rewriting group, before general ones, due to
the effect of the matching order on which rewrite rule is applied.
Table 100: Example URL rewrites using regular expressions

Regular Expression in URL match condition   URL                Example URL in client’s request    Result
^/cgi/python/ustore/payment.html$           /store/checkout    /cgi/python/ustore/payment.html    /store/checkout
^/ustore*$                                  /store/view        /ustore/viewItem.asp?id=1&img=2    /store/view
/Wordpress/(.*)                             /blog/$0           /wordpress/10/11/24                /blog/10/11/24
/(.*)\.xml                                  /$0                /index.xml                         /index

Rewriting URLs using variables


Example.com has a web site that uses ASP, but the administrator wants it to appear that
the web site uses PHP. To do this, she configures a rule that changes any requested file's
suffix which is ".asp" into ".php".
The condition table contains two match conditions, in this order:
1 The Host: may be anything.
2 The request URL must end in “.asp”.
If both of those are true, the request is rewritten.
The administrator does not want to rewrite matching requests into a single URL. Instead,
she wants each rewritten URL to re-use parts of the original request.
To assemble the rewritten URL by re-using the original request’s file path and Host:, the
administrator uses two variables: $0 and $1. Each variable refers to a part of the original
request. The parts are determined by which capture group was matched in the Regular
Expression field of each condition table object.
• $0: The text that matched the first capture group (.*). In this case, because the
object is the Host: field, the matching text is the host name, www.example.com.
• $1: The text that matched the second capture group, which is also (.*). In this case,
because the object is the request URL, the matching text is the file path, news/local.


Table 101: Example URL rewrite using regular expressions and variables

Example request    URL Rewriting Condition Table (Object, Regular Expression)    Replacement    Result
www.example.com    HTTP Host, (.*)                                              Host = $0      www.example.com
/news/local.asp    HTTP URL, /(.*)\.asp                                         URL = /$1.php  /news/local.php
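The back-reference numbering described under Rewrite HTTP Header ($n counted left to right, outside to inside, then top to bottom) and the two example tables above, as an added Python model that is not FortiWeb code. It evaluates a condition table in order, handles the "If no Referer field" choice, and substitutes $n into the replacement Host and URL; the rule names and priorities are constructed, and case-insensitive matching is an assumption taken from the /Wordpress/ row of Table 100.

```python
import re


class Condition:
    """One row of a URL Rewriting Condition Table."""

    def __init__(self, obj, regex, must_match=True, meet_if_no_referer=False):
        self.obj = obj                    # "host", "url" or "referer"
        # Case-insensitive matching is assumed from the /Wordpress/ row of
        # Table 100, which rewrites a lower-case /wordpress/ request.
        self.regex = re.compile(regex, re.IGNORECASE)
        self.must_match = must_match      # False: "Object does not match ..."
        self.meet_if_no_referer = meet_if_no_referer   # "If no Referer field"


class RewriteRule:
    """A Rewrite HTTP Header rule: conditions plus replacement Host and URL."""

    def __init__(self, name, priority, conditions, host=None, url=None):
        self.name, self.priority = name, priority
        self.conditions = conditions
        self.host, self.url = host, url   # None keeps the client's value


def evaluate(rule, request):
    """Return the captured substrings if every condition is met, else None."""
    captures = []
    for cond in rule.conditions:
        value = request.get(cond.obj)
        if cond.obj == "referer" and value is None:
            if not cond.meet_if_no_referer:
                return None
            continue                      # met, but contributes no captures
        match = cond.regex.search(value or "")
        if (match is not None) != cond.must_match:
            return None
        if match:
            # re numbers groups by opening parenthesis: left to right, outer
            # before inner. Appending per condition adds the top-to-bottom order.
            captures.extend(g or "" for g in match.groups())
    return captures


def substitute(template, captures):
    """Replace $0..$9 in a replacement value with the collected captures."""
    def repl(m):
        n = int(m.group(1))
        return captures[n] if n < len(captures) else ""
    return re.sub(r"\$(\d)", repl, template)


def rewrite(rules, request):
    """Apply the first matching rule in Priority order (smallest number first)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        captures = evaluate(rule, request)
        if captures is None:
            continue
        out = dict(request)
        if rule.host is not None:
            out["host"] = substitute(rule.host, captures)
        if rule.url is not None:
            out["url"] = substitute(rule.url, captures)
        return rule.name, out
    return None, dict(request)


# Table 101: any Host, URL ending in .asp; rewrite to .php re-using $0 and $1.
ASP_TO_PHP = RewriteRule("asp-to-php", 0,
                         [Condition("host", r"(.*)"),
                          Condition("url", r"/(.*)\.asp")],
                         host="$0", url="/$1.php")

# Table 100: specific rules get smaller Priority numbers than general ones.
EXAMPLE_EDU = [
    RewriteRule("checkout", 0,
                [Condition("url", r"^/cgi/python/ustore/payment.html$")],
                url="/store/checkout"),
    RewriteRule("view", 1, [Condition("url", r"^/ustore*$")], url="/store/view"),
    RewriteRule("blog", 2, [Condition("url", r"/Wordpress/(.*)")], url="/blog/$0"),
    RewriteRule("xml", 3, [Condition("url", r"/(.*)\.xml")], url="/$0"),
]


if __name__ == "__main__":
    print(rewrite([ASP_TO_PHP], {"host": "www.example.com", "url": "/news/local.asp"}))
    print(rewrite(EXAMPLE_EDU, {"host": "www.example.edu", "url": "/wordpress/10/11/24"}))
```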

Configuring HTTP protocol constraint profiles


Web Protection > HTTP Protocol Constraints > HTTP Protocol Constraints displays the
list of HTTP protocol constraint profiles.
Use HTTP protocol constraints to prevent vulnerability to attacks such as buffer overflows
in web servers that do not restrict elements of the HTTP protocol, such as its header lines,
to acceptable lengths.
Tip: If you plan to add HTTP constraints exceptions to your HTTP protocol constraints
profile, configure the exceptions first. See “Configuring HTTP protocol constraint
exceptions” on page 254

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 102: Web Protection > HTTP Protocol Constraints > HTTP Protocol Constraints tab

GUI item              Description
Create New            Click to add an HTTP protocol constraint.
#                     Displays the index number of the entry in the list.
Name                  Displays the name of the entry.
Header Length         Displays the maximum acceptable length in bytes of the HTTP header.
Content Length        Displays the maximum acceptable length in bytes of the request body.
                      Length is determined by comparing this limit with the value of the
                      Content-Length: field in the HTTP header.
Body Length           Displays the maximum acceptable length in bytes of the HTTP body.
Parameter Length      Displays the maximum acceptable length in bytes of parameters in the URL
                      or, for HTTP POST requests, in the HTTP body. Question mark ( ? ),
                      ampersand ( & ), and equal ( = ) characters are not included.


Header Line Length    Displays the maximum acceptable length in bytes of each line in the HTTP
                      header.
(No column heading.)  Click the Delete icon to remove the entry. This icon does not appear if
                      the entry is currently selected for use in an inline or offline
                      protection profile.
                      Click the Edit icon to modify the entry.
                      Click the View icon to view the predefined entry.
                      Click the Clone icon to create a new entry based on a predefined protocol
                      constraint.

To configure an HTTP protocol constraint


1 Go to Web Protection > HTTP Protocol Constraints > HTTP Protocol Constraints.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
Alternatively, click the Clone icon to make a new entry based on a predefined entry. In
this case, a dialog appears with only a Name field.
3 In Name, type the name of the protocol constraint.
This field cannot be modified if you are editing an existing protocol constraint. To modify
the name, delete the entry, then recreate it using the new name.

Note: Enter 0 for any numerical parameter to disable that parameter check.

4 Configure the following:


GUI item                  Description
Name                      The name of the protocol constraint. This field cannot be modified if
                          you are editing an existing protocol constraint. To modify the name,
                          delete the entry, then recreate it using the new name.
Action, Severity and Trigger Action
                          The Action, Severity and Trigger Action drop-down menus allow you to
                          control what the FortiWeb unit will do when it detects a specific HTTP
                          protocol violation. Each violation can be uniquely configured.
                          For information on Action, Severity and Trigger Action settings, see
                          “Responding to web protection rule violations” on page 191.
Header Length             Type the maximum acceptable length in bytes of the HTTP header.
Content Length            Type the maximum acceptable length in bytes of the request body.
                          Length is determined by comparing this limit with the value of the
                          Content-Length: field in the HTTP header.
Body Length               Type the maximum acceptable length in bytes of the HTTP body.
Parameter Length          Type the maximum acceptable length in bytes of parameters in the URL
                          or, for HTTP POST requests, in the HTTP body. Question mark ( ? ),
                          ampersand ( & ), and equal ( = ) characters are not included.
Header Line Length        Type the maximum acceptable length in bytes of each line in the HTTP
                          header.
HTTP Request Length       Type the maximum acceptable length in bytes of the HTTP request.
URL Parameter Length      Type the maximum acceptable length of a URL parameter (including the
                          name and value).
Illegal HTTP Version      Enable to check for illegal HTTP version numbers. If the HTTP version
                          is not "HTTP/1.0" or "HTTP/1.1", it is considered illegal.
Number of Cookies In Request
                          Type the maximum acceptable number of cookies in an HTTP request.
Number of Header Lines In Request
                          Type the maximum acceptable number of lines in the HTTP header.
Illegal HTTP Request Method
                          Enable to check for illegal HTTP request methods.
Number of URL Parameters  Type the maximum number of URL parameters.
Illegal Host Name         Enable to check for illegal characters in the Host: line of the HTTP
                          header, such as NULL characters or encoded characters. For example,
                          characters such as "0x0" or "%00*" are considered illegal.
Exception Name            Select the HTTP Constraints Exception that you want to apply to this
                          policy. For more information, see “Configuring HTTP protocol
                          constraint exceptions” on page 254.
                          If you want to view the information associated with an exception,
                          select the Detail link. A read-only version appears.

5 Click OK.
To apply the HTTP protocol constraint profile, select it in an inline or offline protection
profile. For details, see “Configuring inline protection profiles” on page 268 or
“Configuring offline protection profiles” on page 274.
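The checks in the table above, as an added Python model (not FortiWeb code): a constructed constraint profile is applied to raw HTTP requests and the names of the violated constraints are returned, with 0 disabling a numeric check as the Note above describes. The limits and sample requests are constructed values, not FortiWeb defaults; the request method check is left out because the page does not list the legal methods.

```python
import re

# Constructed HTTP protocol constraint profile. Keys follow the field names in
# the table; the limits are assumptions. 0 disables a numeric check.
PROFILE = {
    "Header Length": 4096,
    "Header Line Length": 512,
    "HTTP Request Length": 0,          # disabled
    "URL Parameter Length": 128,
    "Number of URL Parameters": 20,
    "Number of Cookies In Request": 10,
    "Number of Header Lines In Request": 50,
    "Illegal HTTP Version": True,
    "Illegal Host Name": True,
}

LEGAL_VERSIONS = (b"HTTP/1.0", b"HTTP/1.1")


def check_request(raw, profile=PROFILE):
    """Return the names of the constraints that a raw HTTP request violates."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    violations = []

    def over(name, actual):
        limit = profile.get(name, 0)
        if limit and actual > limit:      # a limit of 0 disables the check
            violations.append(name)

    over("Header Length", len(head))
    over("HTTP Request Length", len(raw))
    over("Number of Header Lines In Request", len(header_lines))
    if header_lines:
        over("Header Line Length", max(len(ln) for ln in header_lines))

    parts = request_line.split(b" ")
    version = parts[2] if len(parts) == 3 else b""
    if profile["Illegal HTTP Version"] and version not in LEGAL_VERSIONS:
        violations.append("Illegal HTTP Version")

    cookies, host = 0, None
    for ln in header_lines:
        name, _, value = ln.partition(b":")
        name = name.strip().lower()
        if name == b"cookie":
            cookies += sum(1 for c in value.split(b";") if c.strip())
        elif name == b"host":
            host = value.strip()
    over("Number of Cookies In Request", cookies)

    # NUL bytes or percent-encoded characters in Host: are the illegal cases
    # the table names ("0x0" or "%00").
    if profile["Illegal Host Name"] and host is not None:
        if b"\x00" in host or re.search(rb"%[0-9A-Fa-f]{2}", host):
            violations.append("Illegal Host Name")

    # Query-string parameters: count them and measure "name=value" length.
    target = parts[1] if len(parts) >= 2 else b""
    _, _, query = target.partition(b"?")
    params = [p for p in query.split(b"&") if p]
    over("Number of URL Parameters", len(params))
    if params:
        over("URL Parameter Length", max(len(p) for p in params))
    return violations


# Constructed sample requests.
CLEAN = (b"GET /search?q=fortiweb&page=2 HTTP/1.1\r\n"
         b"Host: www.example.com\r\nCookie: a=1; b=2\r\n\r\n")
BAD_VERSION = b"GET / HTTP/2.0\r\nHost: www.example.com\r\n\r\n"
BAD_HOST = b"GET / HTTP/1.1\r\nHost: www.example.com%00.example.net\r\n\r\n"

if __name__ == "__main__":
    for req in (CLEAN, BAD_VERSION, BAD_HOST):
        print(req.split(b"\r\n")[0], check_request(req))
```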

Configuring HTTP protocol constraint exceptions


Web Protection > HTTP Protocol Constraints > HTTP Constraints Exceptions displays the
list of HTTP protocol constraint exceptions.
Exceptions may be useful if you know that some HTTP protocol constraints, during normal
use, will cause false positives by matching an attack signature. Exceptions define HTTP
constraints that will not be subject to HTTP protocol constraint policy.


For example, if no exceptions are defined, FortiWeb executes the HTTP protocol
constraint policy as defined in “Configuring HTTP protocol constraint profiles” on
page 252. But, if you select Header Length Check as an HTTP protocol constraint
exception for a specific host, FortiWeb would ignore the HTTP header length check when
executing the web protection profile for that host.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 103: Web Protection > HTTP Protocol Constraints > HTTP Constraint Exception tab

GUI item                Description
Create New              Click to add a server protection exception.
#                       Displays the index number of the entry in the list.
Name                    Displays the name of the entry.
Exception Rule Count    Displays the number of individual exceptions contained in the entry.
(No column heading.)    Click the Delete icon to remove the entry. This icon does not appear if
                        the entry is currently selected for use in a server protection rule.
                        Click the Edit icon to modify the entry.

To configure a HTTP constraint exception


1 Go to Web Protection > HTTP Protocol Constraints > HTTP Constraints Exception.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type the name of the HTTP constraint exception.

This field cannot be modified if you are editing an existing exception. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.


5 Click Create New.


A dialog appears.

6 Configure the following:

GUI item Description

ID: Displays the index number of the entry in the list.
Host Status: Enable to apply this HTTP constraint exception only to HTTP requests for specific web hosts. Also configure Host. Disable to apply the exception to all web hosts.
Host: Select the IP address or fully qualified domain name (FQDN) of the protected host to which this exception applies.
Request Type: Select whether the URL Pattern field will contain a literal URL (Simple String) or a regular expression designed to match multiple URLs (Regular Expression).


URL Pattern: Depending on your selection in the Request Type field, enter either:
• the literal URL, such as /index.php, that the HTTP request must contain in order to match the exception. The URL must begin with a slash ( / ).
• a regular expression, such as ^/*.php, matching all and only the URLs to which the exception should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.
Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list.
To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
Header Length: Type the maximum acceptable length in bytes of the HTTP header.
Content Length: Type the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the Content-Length: field in the HTTP header.
Body Length: Type the maximum acceptable length in bytes of the HTTP body.
Parameter Length: Type the maximum acceptable length in bytes of parameters in the URL or, for HTTP POST requests, in the HTTP body. Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.
Header Line Length: Type the maximum acceptable length in bytes of each line in the HTTP header.
HTTP Request Length: Type the maximum acceptable length in bytes of the HTTP request.
URL Parameter Length: Type the maximum acceptable length of a URL parameter (including the name and value).
Number of Cookies In Request: Type the maximum acceptable number of cookies in an HTTP request.
Number of Header Lines In Request: Type the maximum acceptable number of lines in the HTTP header.
Illegal HTTP Request Method: Enable to check for illegal HTTP version numbers.
Number of URL Parameters: Type the maximum number of URL parameters.
Illegal Host Name: Enable to check for illegal characters in the Host: line of the HTTP header, such as NULL characters or encoded characters. For example, characters such as "0x0" or "%00*" are considered illegal.
7 Click OK.
To apply the HTTP protocol constraint exception, select it in the HTTP Protocol
Constraint profile. For details, see “Configuring HTTP protocol constraint profiles” on
page 252.
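The profile limits and the exception form in this section combine into one per-request decision: work out which limits apply to the request's host and URL, then measure the request against them. The following Python program is an added example written for this edition of the guide; it is not FortiWeb code and does not describe the unit's internal implementation. It assumes that the limits entered in an exception replace the profile's limits for requests matching the exception's Host and URL Pattern, that a Simple String pattern must equal the request path, and that an "illegal" host-name character is a control character (including NUL) or a percent sign. The profile values, the exception, and the three sample requests are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample profile limits (constructed for this example, not FortiWeb defaults).
# Keys follow the GUI items in the HTTP protocol constraint profile.
PROFILE = {
    "header_length": 4096,        # Header Length: bytes in the whole header block
    "header_line_length": 1024,   # Header Line Length: bytes per header line
    "header_lines": 32,           # Number of Header Lines In Request
    "cookies": 8,                 # Number of Cookies In Request
    "url_parameters": 16,         # Number of URL Parameters
    "url_parameter_length": 256,  # URL Parameter Length: name + value
    "illegal_host_name": True,    # Illegal Host Name: NULL / percent-encoded chars
}

# Assumed definition of an illegal host-name character: a control character
# (including NUL) or a percent sign, which a valid host name never contains.
ILLEGAL_HOST = re.compile(r"[\x00-\x1f\x7f%]")


@dataclass
class ConstraintException:
    """One HTTP constraint exception: Host (None = Host Status disabled),
    URL Pattern as Simple String or Regular Expression, and the limits that
    replace the profile's for matching requests (an assumption of this example)."""
    url_pattern: str
    regex: bool = False
    host: Optional[str] = None
    overrides: dict = field(default_factory=dict)

    def matches(self, host: str, path: str) -> bool:
        if self.host is not None and host != self.host:
            return False
        if self.regex:
            return re.search(self.url_pattern, path) is not None
        return path == self.url_pattern   # Simple String: exact path match


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into request line, header lines and headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode("latin-1"), []).append(
            value.strip().decode("latin-1"))
    return {"method": method, "target": target, "version": version,
            "head": head, "header_lines": lines[1:], "headers": headers, "body": body}


def effective_limits(profile: dict, exceptions, host: str, path: str) -> dict:
    """Profile limits, overridden by every exception that matches host and path."""
    limits = dict(profile)
    for exc in exceptions:
        if exc.matches(host, path):
            limits.update(exc.overrides)
    return limits


def check_request(raw: bytes, profile: dict, exceptions=()) -> list:
    """Return the names of the constraints the request violates (empty = accepted)."""
    req = parse_request(raw)
    host = req["headers"].get("host", [""])[0]
    path, _, query = req["target"].partition("?")
    limits = effective_limits(profile, exceptions, host, path)
    # Parameters are measured on the raw query string; '?', '&' and '=' are not counted.
    params = [p.partition("=") for p in query.split("&") if p]
    cookies = [c for v in req["headers"].get("cookie", []) for c in v.split(";") if c.strip()]
    violations = []
    if len(req["head"]) > limits["header_length"]:
        violations.append("Header Length")
    if any(len(line) > limits["header_line_length"] for line in req["header_lines"]):
        violations.append("Header Line Length")
    if len(req["header_lines"]) > limits["header_lines"]:
        violations.append("Number of Header Lines In Request")
    if len(cookies) > limits["cookies"]:
        violations.append("Number of Cookies In Request")
    if len(params) > limits["url_parameters"]:
        violations.append("Number of URL Parameters")
    if any(len(n) + len(v) > limits["url_parameter_length"] for n, _, v in params):
        violations.append("URL Parameter Length")
    if limits["illegal_host_name"] and ILLEGAL_HOST.search(host):
        violations.append("Illegal Host Name")
    return violations


# Constructed sample requests.
NORMAL = (b"GET /index.php?id=1&lang=en HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"Cookie: a=1; b=2\r\n\r\n")
BAD_HOST = (b"GET / HTTP/1.1\r\n"
            b"Host: www.example.com%00.attacker.test\r\n\r\n")
# A legitimate reporting page that sends 30 URL parameters.
REPORT = (b"GET /report.php?" + b"&".join(b"f%d=%d" % (i, i) for i in range(30))
          + b" HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n")

# Exception scoped to that host and URL: only the parameter count is relaxed.
REPORT_EXCEPTION = ConstraintException(r"^/report\.php$", regex=True,
                                       host="intranet.example.com",
                                       overrides={"url_parameters": 64})

if __name__ == "__main__":
    for name, raw in [("normal", NORMAL), ("bad host", BAD_HOST), ("report", REPORT)]:
        print(name, check_request(raw, PROFILE), check_request(raw, PROFILE, [REPORT_EXCEPTION]))
```

The point of scoping the exception to both a host and a URL pattern is visible in the last case: the same 30-parameter request to /report.php on a different host is still a violation, so relaxing one noisy application does not weaken the limit everywhere.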

Configuring authentication policy


If a web site does not support RFC 2617 HTTP authentication on its own and does not
provide HTML form-based authentication, you can use a FortiWeb unit to authenticate
HTTP clients before they are permitted to access a web page or web site.

Note: Authentication applies when the FortiWeb unit operates in reverse proxy mode or
true transparent proxy mode without HTTPS.

When HTTP authentication is configured:


• If the client’s initial request does not already include an Authorization: field in its HTTP header, the FortiWeb unit replies with an HTTP 401 (Unauthorized) response. The response includes a WWW-Authenticate: field in the HTTP header that indicates which style of authentication to use (basic, digest, or NTLM) and the name of the realm (usually the name, such as “Restricted Area”, of a set of URLs that can be accessed using the same set of credentials).
The browser then prompts its user to enter a user name and password. (The prompt
may include the name of the realm, in order to indicate to the user which login is valid.)
The browser includes these in the Authorization: field of the HTTP header when
repeating its request.

Figure 33: An HTTP authentication prompt in the Google Chrome browser

• Valid user name formats vary by the authentication server. For example:
• For a local user, enter a user name in the format username.
• For LDAP authentication, enter a user name in the format required by the
directory’s schema.
• For NTLM authentication, enter a user name in the format DOMAIN/username.
• The FortiWeb unit compares the supplied credentials to:
• the locally defined set of user accounts
• a set of user objects on a lightweight directory access protocol (LDAP) directory
• user accounts on an NT LAN Manager (NTLM) server
• If the client authenticates successfully, the FortiWeb unit forwards the original request
to the server. If the client does not authenticate successfully, the FortiWeb unit repeats
its HTTP 401 response to the client, asking again for valid credentials.
• Once the client has authenticated with the FortiWeb unit, if the server applies no other
restrictions and the resource is found, it returns the requested resource to the client.
• If the client’s browser is configured to do so, it can cache the realm along with the
supplied credentials, automatically re-supplying the user name and password for each
request with a matching realm. This provides convenience to the user. Otherwise, the
user would have to re-enter their user name and password for every request.

Caution: Advise users to clear their cache and close their browser after an authenticated session, so that no one else can access the web site using their cached credentials. Browsers often keep credentials until they are cleared manually or until the browser tab or window is closed. HTTP itself is stateless: unless the web application maintains its own notion of a session, the browser's cached credentials are the only login state that exists, and there is no other way to log out.


Caution: HTTP authentication by itself does not protect the credentials in transit. User names and request data (and, depending on the authentication style, passwords) are sent in clear text: Basic authentication only Base64-encodes the user name and password, which anyone able to observe the connection can decode. If you require confidentiality in addition to authentication, use HTTP authentication only over SSL/TLS.

Tip: Alternatively or in addition to HTTP authentication, with SSL connections, you can
require that clients present a valid personal certificate. For details, see “Certificate
Verification” on page 127.

HTTP authentication policy workflow


To configure HTTP authentication, you must at a minimum:
1 Configure users and user groups. See “User creation workflow” on page 107.
2 Configure an authentication rule to select the set of URLs that is the authentication
realm, the authorization type, and associate a user group. See “Configuring
authentication rules” on page 261.
3 Group sets of authentication rules into authentication policies. See “Configuring authentication policy” on page 259.
4 Select the authentication policy in an inline protection profile that is used by a server policy. See “Configuring inline protection profiles” on page 268.

Configuring authentication policy


Web Protection > Authentication Policy > Authentication Policy displays the list of HTTP authentication policies.
Authentication policies are used by the HTTP authentication feature to authorize HTTP
requests.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 104: Web Protection > Authentication Policy > Authentication Policy tab

GUI item Description

Create New: Click to add an authentication policy.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Count: Displays the number of individual rules contained in the entry.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline protection profile. Click the Edit icon to modify the entry.


Tip: Before you can configure an authentication policy, you must first configure the
authentication rules that you want to include in the policy. For details, see “Configuring
authentication rules” on page 261.

To configure an authentication policy


1 Go to Web Protection > Authentication Policy > Authentication Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
3 In Name, type the name of the authentication policy.
This field cannot be modified if you are editing an existing entry. To modify the name,
delete the entry, then recreate it using the new name.

4 Configure the following:

GUI item Description

LDAP Cache: Enable to cache LDAP query results for the duration of LDAP Cache Timeout, instead of querying the LDAP server for every authenticated request. Keep the timeout short enough that a password change or account disablement in the directory takes effect acceptably quickly.
LDAP Cache Timeout: Enter the LDAP cache timeout duration, in seconds. The default timeout is 300 seconds. This field appears only when you enable LDAP Cache.
Alert Type: Select when alerts will be issued for HTTP authentication attempts:
• None: No alerts are issued for HTTP authentication.
• Failed Only: Alerts are issued only for HTTP authentication failures.
• Successful Only: Alerts are issued only for successful HTTP authentication.
• All: Alerts are issued for all failed and successful HTTP authentication attempts.

5 Click OK.
6 Click Create New.
A dialog appears.

7 Configure the following:


GUI item Description

ID: Type the index number of the individual rule within the authentication policy, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.
Auth Rule: Select the name of an existing authentication rule.

8 Click OK.
9 Repeat the previous steps for each individual rule that you want to add to the
authentication policy.
10 To modify an individual rule, click its Edit icon. To remove an individual rule from the
authentication policy, click its Delete icon. To remove all individual rules from the
authentication policy, click the Clear icon.
11 Click OK.
To apply the authentication policy, select it in an inline protection profile. For details,
see “Configuring inline protection profiles” on page 268.

Configuring authentication rules


Web Protection > Authentication Policy > Authentication Rule displays the list of
authentication rules.
Authentication rules are used by the HTTP authentication policy to define sets of request
URLs that will be authorized for each user group.
Tip: Before you can configure an authentication rule set, you must first configure any user
groups that you want to include. For details, see “Grouping users” on page 114.

If you want to apply rules only to HTTP requests for a specific real or virtual host, you must
first define the web host in a protected hosts group. For details, see “Configuring protected
servers” on page 147.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 105: Web Protection > Authentication Policy > Authentication Rule tab

GUI item Description

Create New: Click to add an authentication rule.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Count: Displays the number of individual rules contained in the entry.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an authentication policy. Click the Edit icon to modify the entry.


To configure an authentication rule


1 Go to Web Protection > Authentication Policy > Authentication Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type the name of the authentication rule.
This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.
4 If you want to require that the Host: field of the HTTP request match a protected hosts entry in order for the request to match the HTTP authentication rule, enable Host Status, then, from Host, select the protected hosts entry (either a web host name or IP address) that the Host: field of the HTTP request must match.
5 Click OK.
6 Click Create New.
A dialog appears.

7 Configure the following:

GUI item Description

ID: Type the index number of the individual rule within the group of authentication rules, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.


Auth Type: Select which type of HTTP authentication to use:
• Basic: Clear text, Base64-encoded user name and password. Supports all user queries except NTLM. NTLM users will be ignored if included in the user group.
• Digest: Hashed user name, realm and password (an MD5 digest that also incorporates a server-supplied nonce, so the password itself is never sent). Only local users are supported. Other types are ignored if included in the user group.
• NTLM: Challenge/response authentication against an NTLM server, in which the password itself is not sent. Only NTLM queries are supported. Other types are ignored if included in the user group.
For more information on available user types, see “User Type” on page 116.
User Group: Select the name of a user group that is authorized to use the URL in Auth Path.
User Realm: Type the realm, such as Restricted Area, to which the Auth Path belongs.
The realm is often used by users’ browsers:
• It may appear in the browser’s prompt for the user’s credentials. Especially if a user has multiple logins, and only one login is valid for that specific realm, displaying the realm helps to indicate which user name and password should be supplied.
• After authenticating once, the browser may cache the authentication credentials for the duration of the browser session. If the user requests another URL from the same realm, the browser often will automatically re-supply the cached user name and password, rather than asking the user to enter them again for each request.
The realm may be the same for multiple authentication rules, if all of those URLs permit the same user group to authenticate.
For example, the user group All_Employees could have access to the Auth Path URLs /wiki/Main and /wiki/ToDo. These URLs both belong to the realm named Intranet Wiki. Because they use the same realm name, users authenticating to reach /wiki/Main usually will not have to authenticate again to reach /wiki/ToDo, as long as both requests are within the same browser session.
This field does not appear if Auth Type is NTLM, which does not support HTTP-style realms.
Auth Path: Type the literal URL, such as /employees/holidays.html, that a request must match in order to trigger HTTP authentication.
8 Click OK.
9 Repeat the previous steps for each individual rule that you want to add to the group of
authentication rules.
10 To modify an individual rule, click its Edit icon. To remove an individual rule from the
group of authentication rules, click its Delete icon. To remove all individual rules from
the group of authentication rules, click the Clear icon.
11 Click OK.
To apply the authentication rule, select it in an authentication policy. For details, see
“Configuring authentication policy” on page 259.
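The 401 exchange described under “Configuring authentication policy” and the Auth Type, User Realm, User Group and Auth Path fields of an authentication rule fit together as follows: the Auth Path selects the rule, the rule supplies the realm and scheme for the WWW-Authenticate: challenge, and the Authorization: field the browser sends back is verified against the user store and the rule's user group. The Python program below is an added example for this edition of the guide, not FortiWeb code; the rule table, the users and their passwords are constructed, and the Digest computation follows RFC 2617 with qop=auth. It also shows, in reveal_basic, why the caution above says Basic credentials travel in clear text.

```python
import base64
import hashlib
import re

# Constructed authentication rules: Auth Path -> (Auth Type, User Realm, User Group).
AUTH_RULES = {
    "/wiki/Main": ("digest", "Intranet Wiki", "All_Employees"),
    "/wiki/ToDo": ("digest", "Intranet Wiki", "All_Employees"),
    "/employees/holidays.html": ("basic", "Restricted Area", "HR"),
}

# Constructed local user store: user -> (password, set of groups). Plain-text
# passwords are used only to keep the example self-contained.
USERS = {
    "alice": ("s3cret", {"All_Employees", "HR"}),
    "bob": ("hunter2", {"All_Employees"}),
}


def md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def challenge(path: str, nonce: str):
    """The 401 reply sent when a request for an Auth Path carries no Authorization: field."""
    auth_type, realm, _ = AUTH_RULES[path]
    if auth_type == "basic":
        www_auth = 'Basic realm="%s"' % realm
    else:
        www_auth = 'Digest realm="%s", nonce="%s", qop="auth"' % (realm, nonce)
    return 401, {"WWW-Authenticate": www_auth}


def _parse_digest(params: str) -> dict:
    """Turn 'username="bob", realm="x", qop=auth, ...' into a dict."""
    return dict(re.findall(r'(\w+)="?([^",]*)"?', params))


def authorize(method: str, path: str, authorization, nonce: str):
    """Return (status, user). 200 forwards the request; 401 repeats the challenge.
    A path without an authentication rule passes through without a login."""
    rule = AUTH_RULES.get(path)
    if rule is None:
        return 200, None
    auth_type, realm, group = rule
    if not authorization:
        return 401, None
    scheme, _, rest = authorization.partition(" ")
    if scheme.lower() != auth_type:
        return 401, None
    if auth_type == "basic":
        # Base64 is an encoding, not encryption: anyone who can read the
        # connection recovers "user:password" with one decode call.
        try:
            user, _, password = base64.b64decode(rest).decode().partition(":")
        except ValueError:
            return 401, None
        ok = user in USERS and USERS[user][0] == password
    else:
        p = _parse_digest(rest)
        user = p.get("username", "")
        if user not in USERS or p.get("realm") != realm or p.get("nonce") != nonce:
            return 401, None
        # RFC 2617 with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2),
        # HA1 = MD5(user:realm:password), HA2 = MD5(method:uri).
        ha1 = md5("%s:%s:%s" % (user, realm, USERS[user][0]))
        ha2 = md5("%s:%s" % (method, p.get("uri", "")))
        expected = md5(":".join([ha1, nonce, p.get("nc", ""), p.get("cnonce", ""), "auth", ha2]))
        ok = p.get("response") == expected
    # A user who authenticates but is not in the rule's User Group is refused too.
    if not ok or group not in USERS[user][1]:
        return 401, None
    return 200, user


def client_basic(user: str, password: str) -> str:
    """What the browser puts in Authorization: after a Basic challenge."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def client_digest(user, password, method, uri, realm, nonce, cnonce="0a4f113b", nc="00000001"):
    """What the browser puts in Authorization: after a Digest challenge."""
    ha1 = md5("%s:%s:%s" % (user, realm, password))
    ha2 = md5("%s:%s" % (method, uri))
    response = md5(":".join([ha1, nonce, nc, cnonce, "auth", ha2]))
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, '
            'nc=%s, cnonce="%s", response="%s"'
            % (user, realm, nonce, uri, nc, cnonce, response))


def reveal_basic(authorization: str) -> str:
    """What an eavesdropper learns from a Basic Authorization: field."""
    return base64.b64decode(authorization.split(" ", 1)[1]).decode()
```

Two behaviours worth noting: a Digest response computed for one nonce is rejected when the unit presents a different nonce, which is what limits replay; and bob, who has a valid password but is not in the HR group, gets the same 401 as a wrong password, so the client learns nothing about group membership from the response.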

Configuring file upload restriction policy


Web Protection > File Upload Restriction > File Upload Restriction Policy displays the list
of file upload restriction policies that the FortiWeb unit uses to limit the types of files that
can be uploaded to your web servers.
The file upload restriction policies are composed of individual rules. The rules identify the
host and/or URL to which the restriction applies and the specific types of files that are
allowed.
Tip: To create an effective file upload restriction policy, you must first configure one or more
file upload restriction rules. See “Configuring file upload restriction rules” on page 265.


To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 106: Web Protection > File Upload Restriction > File Upload Restriction Policy tab

GUI item Description

Create New: Click to add a file upload restriction policy.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Count: Displays the number of file upload restriction rules used by the policy.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile. Click the Edit icon to modify the entry.

To configure a file upload restriction policy


1 Go to Web Protection > File Upload Restriction > File Upload Restriction Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 In Name, type the name of the file upload restriction policy.

This field cannot be modified if you are editing an existing policy. To modify the name, delete the entry, then recreate it using the new name.


4 Configure the following:


GUI item Description

Action: Select the action you want FortiWeb to perform when the policy is violated:
• Alert: Accept the file upload and generate an alert and/or log message.
• Alert & Deny: Block the file upload and generate an alert and/or log message.
For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
Severity: Select the severity level you want FortiWeb to use in the records and reports generated when the policy is violated. You can configure each violation to be Low, Medium or High severity.
Trigger Policy: Select the trigger policy you want FortiWeb to apply when the policy is violated. Trigger policies determine who will be notified by email when the policy is violated, and whether the log message associated with the violation is recorded in Syslog or FortiAnalyzer. For more information, see “Configuring trigger policies” on page 322.

5 Click OK.
6 Click Create New.
A dialog appears.

7 Configure the following:

ID: Displays the index number of the rule associated with the policy.
File Upload Restriction Rule: Select an existing file upload restriction rule that you want to use in the policy. If you are unsure what specific file types are allowed by the rule, select the Detail link next to the rule name.

8 Click OK.
The selected rule appears in the list.
9 Repeat the previous steps for each rule that you want to add to the file upload restriction policy.
10 To modify an individual rule, click its Edit icon. To remove an individual rule from the policy, click its Delete icon. To remove all individual rules from the policy, click the Clear icon.
11 Click OK.
To apply the file upload restriction policy, select it in an inline or offline protection profile. For details, see “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274.

Configuring file upload restriction rules


Web Protection > File Upload Restriction > File Upload Restriction Rule displays the list of
file upload restriction rules. The rules define the specific host and request URL for which
upload restrictions apply, and define the specific file types that are allowed to be uploaded
to that host or URL.


Detection and restriction are performed by scanning HTTP PUT and POST requests submitted to your web servers.
For example, if you want to allow only specific types of files (for example, MP3 audio files, PDF documents, and GIF and JPG images) to be uploaded to a host or to a URL called /fileuploads, you can create a file upload restriction policy that contains rules allowing only those file types. When FortiWeb receives an HTTP PUT or POST request for that host or URL, it scans the request and allows only the specified file types to be uploaded. For any request that contains a file type other than those allowed by the rule, FortiWeb blocks the upload or, if the policy's action is Alert, accepts it and logs the violation.
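The following Python program is an added example of the decision just described, written for this edition of the guide; it is not FortiWeb code, and the page does not say how the unit identifies a file's type. The example assumes a multipart/form-data POST, matches the rule on Host and Request URL exactly as the rule form defines them, and identifies each uploaded file both by its extension and by its leading bytes, so that a script renamed to photo.jpg is still caught; the rule, policy, file-type names, magic numbers and sample bodies are all constructed. PUT requests, whose body is the file itself, are not handled here.

```python
import re

# Constructed rule and policy. The file-type names and the magic-number check
# are this example's own, not FortiWeb's list.
RULE = {
    "host": "www.example.com",   # None would mean Host Status disabled
    "request_url": "/fileuploads",
    "allow": {"pdf", "gif", "jpg", "mp3"},
}
POLICY = {"action": "Alert & Deny", "severity": "Medium", "rules": [RULE]}

# Leading bytes used to identify content regardless of the file name.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpg"),
    (b"ID3", "mp3"),
    (b"MZ", "exe"),
    (b"<?php", "php"),
]


def sniff(data: bytes) -> str:
    """Type of the content from its first bytes, or 'unknown'."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def parse_multipart(body: bytes, boundary: bytes):
    """Yield (filename, content) for each multipart/form-data part that carries a file."""
    for part in body.split(b"--" + boundary):
        part = part.strip(b"\r\n")
        if not part or part == b"--":      # preamble / closing delimiter
            continue
        head, _, content = part.partition(b"\r\n\r\n")
        m = re.search(rb'filename="([^"]*)"', head)
        if m:
            yield m.group(1).decode("latin-1"), content


def check_upload(host: str, url: str, body: bytes, boundary: bytes, policy: dict):
    """Apply the first rule whose Host and Request URL match the request.
    Returns (action, findings); action is None when nothing is restricted."""
    for rule in policy["rules"]:
        if rule["host"] is not None and rule["host"] != host:
            continue
        if rule["request_url"] != url:
            continue
        findings = []
        for filename, content in parse_multipart(body, boundary):
            ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            kind = sniff(content)
            # Refuse an extension outside the allow list, and a file whose content
            # is recognisably another type (e.g. a PHP script named photo.jpg).
            if ext not in rule["allow"] or (kind != "unknown" and kind != ext):
                findings.append((filename, ext, kind))
        return (policy["action"] if findings else None), findings
    return None, []


# Constructed sample multipart bodies.
BOUNDARY = b"----FortiWebExampleBoundary"


def _part(name: bytes, filename: bytes, content: bytes) -> bytes:
    return (b"--" + BOUNDARY + b"\r\n"
            b'Content-Disposition: form-data; name="' + name + b'"; filename="' + filename + b'"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n" + content + b"\r\n")


CLOSE = b"--" + BOUNDARY + b"--\r\n"
GOOD_BODY = _part(b"file", b"report.pdf", b"%PDF-1.4\n%constructed sample") + CLOSE
SPOOFED_BODY = (_part(b"file", b"photo.jpg", b"<?php echo 'not an image'; ?>")
                + _part(b"file2", b"tool.exe", b"MZ\x90\x00\x03")
                + CLOSE)

if __name__ == "__main__":
    print(check_upload("www.example.com", "/fileuploads", GOOD_BODY, BOUNDARY, POLICY))
    print(check_upload("www.example.com", "/fileuploads", SPOOFED_BODY, BOUNDARY, POLICY))
```

With the Alert & Deny action the second body is blocked and both files are reported; with Alert the same findings are logged but the upload is accepted, which is the difference the policy's Action field controls. Requests to a URL or host the rule does not cover are not inspected at all, so the Request URL should cover every upload endpoint, not only the obvious one.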
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 107: Web Protection > File Upload Restriction > File Upload Restriction Rule tab

GUI item Description

Create New: Click to add a file upload restriction rule.
#: Displays the index number of the entry in the list.
Name: Displays the name of the file upload restriction rule.
Host: Displays the IP address or fully qualified domain name (FQDN) of the real or virtual host as it appears in the Host: field of the HTTP header of requests to which the entry applies.
Request URL: Displays the URL, such as /fileuploads, as it appears in the HTTP PUT or POST request to which the entry applies.
Count: Displays the number of individual file types allowed by the rule.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a file upload restriction policy. Click the Edit icon to modify the entry.

To configure a file upload restriction rule


1 Go to Web Protection > File Upload Restriction > File Upload Restriction Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.


A dialog appears.


3 In Name, type the name of the file upload restriction rule.


This field cannot be modified if you are editing an existing rule. To modify the name,
delete the entry, then recreate it using the new name.
4 Configure the following:

GUI item Description

Host Status: Enable to apply this file upload restriction rule only to HTTP requests for specific web hosts. Also configure Host. Disable to match the file upload restriction rule based upon the other criteria, such as the URL, but regardless of the Host: field.
Host: Select the IP address or FQDN of a protected host.
Request URL: Enter the literal URL, such as /fileupload, to which the file upload restriction applies. The URL must begin with a slash ( / ). Do not include the name of the host, such as www.example.com, which is configured separately in the Host drop-down list.

5 Click OK.
6 Click Add File Types.
A dialog appears.

7 Configure the following:


GUI item Description

File Types: This column lists the common file types that could be uploaded to a web server.
Allow File Types: This column lists the file types that are selected for the upload restriction rule. Once the rule is applied, FortiWeb allows the file types in this column to be uploaded to the web server and does not allow uploads of file types that are not in this column.
Right and left selection arrows: The selection arrows move file types between the File Types and Allow File Types columns. Select a file type in the left column and click the right arrow to move it to the Allow File Types column. Repeat as required for the file upload restriction rule you are creating.

8 Click OK.
The selected file types appear in the list at the bottom of the rule window.

ID: Displays the index number of the entry in the list.
Allow File Types: Displays the list of file types associated with the file upload restriction rule. These are the file types that FortiWeb will allow to be uploaded to the Request URL and Host (if specified).
(No column heading.) Click the Delete icon to remove the entry in the associated row. Click Clear to remove all file types from the rule.

9 Click OK.
To add the file upload restriction rule to a policy, select it in a file upload restriction policy. The policy is then used by an inline or offline protection profile to detect and restrict file uploads based on the allowed file types and the host or URL. For more information, see “Configuring file upload restriction policy” on page 263.

Configuring inline protection profiles


Inline protection profiles are a set of attack protection settings. The FortiWeb unit applies
the profile when a connection matches a server policy that includes the protection profile.
You can use inline protection profiles in server policies for any mode except offline
protection.

Inline protection profile workflow


Before configuring an inline protection profile, first configure any of the following that you
want to include in the profile:
• a file upload restriction policy (see “Configuring file upload restriction policy” on
page 263)
• an allowed method policy (see “Configuring allowed request method policy” on
page 235)
• a URL access policy (see “Configuring URL access policy” on page 216)
• a server protection rule (see “Configuring server protection rules” on page 201)
• a page access rule (see “Configuring page access rules” on page 198)
• a parameter validation rule (see “Configuring HTTP parameter validation rules” on
page 192)
• a hidden fields group (see “Configuring hidden field protection profiles” on page 239)
• a start pages policy (see “Configuring start page rules” on page 213)


• a brute force login attack profile (see “Configuring brute force login profiles” on
page 224)
• a robot control profile (see “Configuring robot control profiles” on page 227)
• an IP list policy (see “Configuring an IP list policy” on page 220)
• a URL rewriting rule (see “Configuring URL rewriting rules” on page 246)
• an HTTP authentication policy (see “Configuring authentication policy” on page 257)
• lastly, select the inline protection profile in a server policy

Configuring an inline protection profile


Web Protection > Web Protection Profile > Inline Protection Profile displays the list of web
protection profiles that can be included in server policies when the FortiWeb unit is
operating in any mode except offline protection.

Note: Inline web protection profiles can be configured at any time, but can be selected in a
policy only while the FortiWeb unit is operating in a mode that supports them. For details,
see Table 45, “Policy behavior by operation mode,” on page 119.

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: To increase the scope of an inline protection profile, first configure the policies and rules used by the profile. See “Web protection profile workflow” on page 189.

Table 108: Web Protection > Web Protection Profile > Inline Protection Profile tab

GUI item Description

Create New: Click to add an inline protection profile.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Session Management: Indicates whether session management by the FortiWeb unit is enabled or disabled. For more information about session management, see “Session Management” on page 271.
HTTP Conversion: Indicates whether the FortiWeb unit will translate the IP addresses in the Host:, Referer: and Location: fields of HTTP requests and responses, replacing the virtual server’s IP address with that of the real server, and vice versa. For details, see “HTTP Conversion” on page 272.
Cookie Poison: Indicates whether cookie poisoning prevention is enabled or disabled.


Cookie Poison Action Displays the action that the FortiWeb unit will take when cookie poisoning is
detected.
• Alert: Accept the connection and generate an alert and/or log message.
• Alert & Deny: Block the connection and generate an alert and/or log
message.
• Remove Cookie: Accept the connection, but remove the poisoned
cookie from the datagram, preventing it from reaching the web server,
and generate an alert and/or log message.
For more information on logging and alerts, see “Configuring and enabling
logging” on page 323.
Server Protection Rule Displays the name of the server protection rule that will be applied to
matching HTTP requests. For details on server protection rules, see
“Configuring server protection rules” on page 201.
Page Access Rule Displays the name of the page access rule that will be applied to matching
HTTP requests. For details on page access rules, see “Configuring page
access rules” on page 198.
Parameter Validation Rule Displays the name of the parameter validation rule that will be applied to
matching HTTP requests. For details on parameter validation rules, see
“Configuring HTTP parameter validation rules” on page 192.
Start Pages Displays the name of the start pages that HTTP requests must use in order
to initiate a valid session. For details on start pages, see “Configuring start
page rules” on page 213.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a policy.
Click the Edit icon to modify the entry.
Click the View icon to view a predefined entry.
Click the Clone icon to create a new entry based on a predefined entry. You
can clone global protection profiles as well as custom protection profiles.
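The cookie poisoning detection and the three actions listed in Table 108, modelled in Python as an added example; this is not FortiWeb's code. The guide states that each cookie set by the web server is accompanied by a cookie named <cookie_name>_fortinet_waf_auth that tracks the original value, and that a returned cookie which does not match that digest is detected as poisoning. It does not say how the digest is computed, so this model assumes an HMAC-SHA256 under a secret held only by the proxy, and it also assumes that a cookie returned without its companion tag counts as poisoned. The secret and all cookie values are constructed sample data.

```python
"""Added example (not FortiWeb code): a model of cookie poisoning detection.

When the web server sets a cookie, the proxy adds a companion cookie
<cookie_name>_fortinet_waf_auth holding a digest of the original value.
On each request the returned cookie is checked against that digest; a
mismatch is cookie poisoning, handled by one of three actions.

Assumptions (the guide does not specify them): the digest is an HMAC-SHA256
under a proxy-held secret, and a cookie returned without its companion
tag is treated as poisoned. All values below are constructed sample data.
"""
import hashlib
import hmac
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple

AUTH_SUFFIX = "_fortinet_waf_auth"             # companion cookie suffix named in the guide
SECRET = b"constructed-demo-secret-change-me"  # assumption: known only to the proxy

ACTIONS = ("alert", "alert_deny", "remove_cookie")


def cookie_digest(name: str, value: str) -> str:
    """HMAC over name and value, so a tag for one cookie cannot be replayed for another."""
    return hmac.new(SECRET, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def tag_set_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Reply direction: follow every Set-Cookie: with a companion tag cookie."""
    out: List[str] = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        out.append(header)
        for name, morsel in jar.items():
            out.append(f"{name}{AUTH_SUFFIX}={cookie_digest(name, morsel.value)}")
    return out


def check_request_cookies(cookie_header: str, action: str) -> Tuple[str, Optional[str]]:
    """Request direction: returns (verdict, Cookie: value to forward, or None if blocked).

    verdict is 'accept' when every cookie matches its tag; otherwise it is the
    configured action: 'alert' (forward unchanged, log), 'alert_deny' (block),
    or 'remove_cookie' (forward only the cookies that verified).
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    jar = SimpleCookie()
    jar.load(cookie_header)
    tags = {n[: -len(AUTH_SUFFIX)]: m.value for n, m in jar.items() if n.endswith(AUTH_SUFFIX)}
    verified: List[str] = []
    forwarded: List[str] = []  # every application cookie, tag cookies stripped
    poisoned: List[str] = []
    for name, morsel in jar.items():
        if name.endswith(AUTH_SUFFIX):
            continue
        forwarded.append(f"{name}={morsel.value}")
        expected = tags.get(name)
        # constant-time comparison; a missing tag also counts as a mismatch here
        if expected is not None and hmac.compare_digest(expected, cookie_digest(name, morsel.value)):
            verified.append(f"{name}={morsel.value}")
        else:
            poisoned.append(name)
    if not poisoned:
        return "accept", "; ".join(forwarded)
    if action == "alert":
        return "alert", "; ".join(forwarded)
    if action == "alert_deny":
        return "alert_deny", None
    return "remove_cookie", "; ".join(verified)


if __name__ == "__main__":
    # constructed sample exchange: the server sets role=user, the client later returns role=admin
    tagged = tag_set_cookies(["role=user; Path=/; HttpOnly"])
    good = "; ".join(c.split(";")[0] for c in tagged)  # what an honest client echoes back
    bad = good.replace("role=user", "role=admin")
    print(check_request_cookies(good, "alert_deny"))
    print(check_request_cookies(bad, "remove_cookie"))
```

Treating a cookie without a companion tag as poisoned is the strict choice made by this model; cookies created by client-side script never pass through the reply direction and would be flagged, which is the kind of false positive to watch for in the attack log when the action is Alert & Deny or Remove Cookie.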

To configure an inline protection profile


1 Go to Web Protection > Web Protection Profile > Inline Protection Profile.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
Alternatively, click the Clone icon to create an entry populated with settings from a
predefined profile. In this case, a dialog opens with just the Name field.


3 Configure the following:

GUI item Description


Name Type the name of the inline protection profile. This field cannot be
modified if you are editing an existing inline protection profile. To modify
the name, delete the entry, then recreate it using the new name.
Session Management Enable to track the states of HTTP sessions using a cookie named
FORTIWAFSID. Also configure Session Timeout.
This feature requires that the client support cookies.
Note: You must enable this option:
• to enforce the Start Pages, Page Access Rule, and Hidden Fields
Protection Rule features, if any of those options are enabled.
• if you want to include this profile’s traffic in the traffic log, in addition
to enabling traffic logs in general. For more information, see
“Enabling logging” on page 327.
Note: Session management is automatically enabled for policies whose
Load Balancing Algorithm is HTTP session based Round Robin. If only
those types of policies use this protection profile, session management
will already be enabled, and therefore you do not need to enable this
option.


GUI item Description


Session Timeout Type the HTTP session timeout in seconds.
This option appears only if Session Management is enabled.
HTTP Conversion Enable to:
• For forward traffic from clients, replace the virtual server’s IP
address in the Host: and Referer: field in the HTTP header with
that of the real server’s IP address.
• For reply traffic from servers, including traffic that has been
redirected, replace the real server’s IP address in the Location:
field with that of the virtual server’s IP address.
This may be useful if your real servers reject HTTP requests whose
Host: and Referer: field does not match their own IP address. It is
also useful if the real server is behind network address translation (NAT)
and redirects requests to its private network IP address, which clients
cannot directly access. However, it increases load on the FortiWeb unit,
and should not be enabled unless required.
Note: Do not enable this option if the real server has multiple virtual
hosts.
Note: The FortiWeb unit does not support this option if the operation
mode is offline protection, true transparent proxy mode with HTTPS, or
transparent inspection mode.
X-Forwarded-for Support Enable to include the X-Forwarded-For: HTTP header on
connections forwarded to your web servers. Behavior varies by the
header already provided by the HTTP client or web proxy, if any:
• Header absent: Add the header, using the source IP address of the
connection.
• Header present: Verify that the source IP address of the connection
is present in this header’s list of IP addresses. If it is not, append it.
This option can be useful, for example, for web servers that log or
analyze clients’ IP addresses, and support the X-Forwarded-For:
header. When this option is disabled, from the web server’s perspective,
all connections appear to be coming from the FortiWeb unit, which
performs network address translation (NAT). But when enabled, the
web server can instead analyze this header to determine the source and
path of the original client connection.
Cookie Poison Enable to detect cookie poisoning, then select which of the following
actions the FortiWeb unit will take if cookie poisoning is detected:
• Alert: Accept the connection and generate an alert and/or log
message.
• Alert & Deny: Block the connection and generate an alert and/or log
message.
• Remove Cookie: Accept the connection, but remove the poisoned
cookie from the datagram before it reaches the web server, and
generate an alert and/or log message.
For more information on logging and alerts, see “Configuring and
enabling logging” on page 323.
When enabled, each cookie is accompanied by a cookie named
<cookie_name>_fortinet_waf_auth, which tracks the cookie’s
original value when set by the web server. If the cookie returned by the
client does not match this digest, the FortiWeb unit will detect cookie
poisoning.
File Upload Restriction Select an existing file upload restriction policy, if any, that will be applied
to matching HTTP requests.
Allow Request Method Select an existing allow method policy, if any, that will be applied to
matching HTTP requests.
Attack log messages contain DETECT_ALLOW_METHOD_FAILED when
this feature detects a non-allowed HTTP request method.
URL Access Policy Select the name of the URL access policy, if any, that will be applied to
matching HTTP requests.
Attack log messages contain DETECT_URL_ACCESS_ALERT_DENY
when this feature detects a URL matched by this policy.


GUI item Description


Server Protection Rule Select the name of the server protection rule, if any, that will be applied
to matching HTTP requests.
If enabled, server protection rules can scan AMF3 requests. For more
information, see “Enable AMF3 Protocol Detection” on page 274.
Attack log messages for this feature vary by which type of attack was
detected. For a list, see “Configuring server protection rules” on
page 201.
Page Access Rule Select the name of the page access rule, if any, that will be applied to
matching HTTP requests.
This option appears only if Session Management is enabled.
Attack log messages contain DETECT_PAGE_RULE_FAILED when this
feature detects a request for a URL that violates the required sequence
of URLs within a session.
Parameter Validation Rule Select the name of the parameter validation rule, if any, that will be
applied to matching HTTP requests.
Attack log messages contain DETECT_PARAM_RULE_FAILED when
this feature detects a parameter rule violation.
Hidden Fields Protection Rule Select the name of a hidden fields group, if any, that will be applied to
matching HTTP requests.
This option appears only if Session Management is enabled.
Start Pages Select the name of the start page group, if any, that HTTP requests
must use in order to initiate a valid session.
This option appears only if Session Management is enabled.
Attack log messages contain DETECT_START_PAGE_FAILED when
this feature detects a start page violation.
Brute Force Login Select the name of a brute force login attack profile, if any, that will be
applied to matching HTTP requests.
Attack log messages contain DETECT_BRUTE_FORCE_LOGIN when
this feature detects a brute force login attack.
Robot Control Select the name of a robot control profile, if any, that will be applied to
matching HTTP requests.
Attack log messages contain DETECT_MALICIOUS_ROBOT when this
feature detects a misbehaving robot or any other HTTP client that
exceeds the rate limit.
URL Rewriting Policy Select the name of a URL rewriting rule set, if any, that will be applied to
matching HTTP requests.
HTTP Protocol Constraints Select the name of an HTTP parameter constraint, if any, that will be
applied to matching HTTP requests.
Attack log messages contain HTTP_HEADER_LEN_OVERFLOW or
HTTP_HEADER_LINE_LEN_OVERFLOW when this feature detects an
HTTP request that does not comply with the constraints.
IP List Select the name of an IP list policy, if any, that will be applied to
matching HTTP requests.
HTTP Authentication Policy Select the name of an HTTP authentication rule, if any, that will be
applied to matching HTTP requests. If the HTTP client fails to
authenticate, it will receive an HTTP 403 (Access Forbidden) error
message.
Redirect URL Type a URL including the FQDN/IP and path, if any, to which an HTTP
client will be redirected if their HTTP request violates any of the rules in
this profile.
For example, you could enter www.example.com/products/.
If you do not enter a URL, depending on the type of violation and the
configuration, the FortiWeb unit will log the violation, may attempt to
remove the offending parts, and could either reset the connection or
return an HTTP 403 (Access Forbidden) or 404 (File Not Found) error
message.


GUI item Description


Redirect URL With Reason Enable to include the reason for redirection as a parameter in the URL,
such as reason=DETECT_PARAM_RULE_FAILED, when traffic has
been redirected using Redirect URL. The FortiWeb unit also adds
fortiwaf=1 to the URL to detect and cancel a redirect loop (when the
redirect action recursively triggers an attack event).
Caution: If you specify a redirect URL that is protected by the FortiWeb
unit, you should enable this option to prevent infinite redirect loops.
By default, this option is disabled.
Enable AMF3 Protocol Detection Enable to scan requests that use action message format 3.0 (AMF3) for:
• cross-site scripting (XSS) attacks
• SQL injection attacks
• common exploits
if you have enabled those in your selected server protection rule.
AMF3 is a binary format that can be used by Adobe Flash clients to
send input to server-side software.
Caution: To scan for attacks or enforce input rules on AMF3, you must
enable this option. Failure to enable the option will cause the FortiWeb
unit to be unable to scan AMF3 requests for attacks.
URL Rewriting Policy Select the name of a URL rewriting rule set, if any, that will be applied to
matching HTTP requests.
For details, see “Configuring URL rewriting policy” on page 244.
HTTP Authentication Policy Select the name of an HTTP authentication rule, if any, that will be
applied to matching HTTP requests. For details, see “Configuring
authentication policy” on page 257.
If the HTTP client fails to authenticate, it will receive an HTTP 403
(Access Forbidden) error message.

Tip: Click Detail beside any field to open a dialog that lets you view and modify the
associated policy.

4 Click OK.
If you will use this inline protection profile in conjunction with an auto-learning profile in
order to indicate which attacks and other aspects should be discovered, also configure
the auto-learning profile. For details, see “Applying auto-learning profiles” on page 278.
To apply the inline protection profile, select it in a server policy. For details, see
“Configuring server policies” on page 118.
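The HTTP Conversion, X-Forwarded-for Support and Redirect URL With Reason options of the inline protection profile, modelled in Python as an added example; this is not FortiWeb's code. It rewrites Host: and Referer: in requests and Location: in replies between the virtual server's and the real server's IP addresses, maintains X-Forwarded-For: exactly as the option describes (add when absent, append only when the source IP is not already listed), and builds the redirect URL with reason=... and fortiwaf=1 while recognising fortiwaf=1 on an incoming request so that the redirect cannot loop. All IP addresses, URLs and the log message identifier used in the sample are constructed.

```python
"""Added example (not FortiWeb code): a model of three header manipulations
described for the inline protection profile.

  * HTTP Conversion: Host:/Referer: in requests get the real server's IP in
    place of the virtual server's; Location: in replies gets the reverse.
  * X-Forwarded-For Support: add the header if absent, otherwise append the
    connection's source IP only if it is not already listed.
  * Redirect URL With Reason: when a violating client is redirected, append
    reason=<log id> and fortiwaf=1, and recognise fortiwaf=1 on an incoming
    request so the redirect cannot loop.

All IP addresses, URLs and the log id used below are constructed samples.
"""
import re
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlparse

Headers = Dict[str, str]  # header name -> value


def _swap_ip(value: str, old_ip: str, new_ip: str) -> str:
    """Replace old_ip with new_ip only where it stands as a whole address
    (10.0.0.1 must not match inside 10.0.0.10); ports and paths are kept."""
    pattern = r"(?<![\d.])" + re.escape(old_ip) + r"(?![\d.])"
    return re.sub(pattern, new_ip, value)


def convert_request(headers: Headers, virtual_ip: str, real_ip: str) -> Headers:
    """Forward direction of HTTP Conversion."""
    out = dict(headers)
    for name in ("Host", "Referer"):
        if name in out:
            out[name] = _swap_ip(out[name], virtual_ip, real_ip)
    return out


def convert_reply(headers: Headers, virtual_ip: str, real_ip: str) -> Headers:
    """Reply direction: a redirect to the real server's private IP is rewritten
    to the virtual server's IP, which is the only one clients can reach."""
    out = dict(headers)
    if "Location" in out:
        out["Location"] = _swap_ip(out["Location"], real_ip, virtual_ip)
    return out


def add_x_forwarded_for(headers: Headers, client_ip: str) -> Headers:
    """X-Forwarded-For Support as the guide describes it."""
    out = dict(headers)
    present = out.get("X-Forwarded-For")
    if present is None:
        out["X-Forwarded-For"] = client_ip
        return out
    chain = [ip.strip() for ip in present.split(",") if ip.strip()]
    if client_ip not in chain:
        chain.append(client_ip)
    out["X-Forwarded-For"] = ", ".join(chain)
    return out


def build_redirect(redirect_url: str, reason: str, with_reason: bool = True) -> str:
    """Redirect URL With Reason: append reason=... and fortiwaf=1 to the configured URL."""
    if not with_reason:
        return redirect_url
    joiner = "&" if urlparse(redirect_url).query else "?"
    return redirect_url + joiner + urlencode({"reason": reason, "fortiwaf": "1"})


def is_redirect_loop(request_url: str) -> bool:
    """True when the request already carries fortiwaf=1, i.e. it is the result
    of our own redirect and a new violation must not redirect it again."""
    return parse_qs(urlparse(request_url).query).get("fortiwaf") == ["1"]


if __name__ == "__main__":
    vip, rip, client = "203.0.113.10", "10.0.0.5", "198.51.100.7"
    req = {"Host": vip, "Referer": f"http://{vip}/login", "X-Forwarded-For": "192.0.2.1"}
    print(add_x_forwarded_for(convert_request(req, vip, rip), client))
    print(convert_reply({"Location": f"http://{rip}/app/"}, vip, rip))
    print(build_redirect("www.example.com/products/", "DETECT_PARAM_RULE_FAILED"))
```

A web server that logs or rate-limits by client address should use only the entry the proxy itself appended, which is the last one in the list: everything before it arrived from the client or an upstream proxy and can say anything.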

Configuring offline protection profiles


Use offline protection profiles when you want to preview the effects of some web
protection features without affecting traffic or network topology. Offline protection profiles
in server policies apply only when the FortiWeb unit is operating in offline protection mode.

Offline protection profile workflow


Before configuring an offline protection profile, first configure any of the following that you
want to include in the profile:
• a file upload restriction policy (see “Configuring file upload restriction policy” on
page 263)
• an allowed method policy (see “Configuring allowed request method policy” on
page 235)
• a URL access policy (see “Configuring URL access policy” on page 216)


• a server protection rule (see “Configuring server protection rules” on page 201)
• a parameter validation rule (see “Configuring HTTP parameter validation rules” on
page 192)
• a robot control profile (see “Configuring robot control profiles” on page 227)
• an IP list policy (see “Configuring an IP list policy” on page 220)
• lastly, select the offline protection profile in a server policy

Configuring an offline protection profile


Web Protection > Web Protection Profile > Offline Protection Profile displays the list of
offline protection profiles.
An offline protection profile is designed for use only in offline protection mode. Offline
protection profiles cannot be guaranteed to block attacks. They attempt to reset the
connection, but due to variable speeds of different routing paths, the reset request may
arrive after the attack has finished. Their primary purpose is to detect attacks, especially
for use in conjunction with auto-learning profiles. In fact, if used in conjunction with
auto-learning profiles, you should configure the offline protection profile to log but not block
attacks in order to gather complete session statistics for the auto-learning feature.
Unlike inline protection profiles, offline protection profiles do not support HTTP conversion,
cookie poisoning detection, start page rules, and page access rules.

Note: Offline web protection profiles can be configured at any time, but can only be
selected in a policy while the FortiWeb unit is operating in an offline mode. For details, see
Table 45, “Policy behavior by operation mode,” on page 119.

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.

Table 109: Web Protection > Web Protection Profile > Offline Protection Profile tab


GUI item Description


Create New Click to add an offline protection profile.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Session Management Indicates whether session management by the FortiWeb unit is enabled or
disabled. For more information about session management, see
“Configuring offline protection profiles” on page 274.
Server Protection Rule Displays the name of the server protection rule that will be applied to
matching HTTP requests. For details on server protection rules, see
“Configuring server protection rules” on page 201.


Parameter Validation Rule Displays the name of the parameter validation rule that will be applied to
matching HTTP requests. For details on parameter validation rules, see
“Configuring HTTP parameter validation rules” on page 192.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a policy.
Click the Edit icon to modify the entry.
Click the View icon to view a predefined entry.
Click the Clone icon to create a new entry based on a predefined entry. You
can clone global protection profiles as well as custom protection profiles.

To configure an offline protection profile


1 Go to Web Protection > Web Protection Profile > Offline Protection Profile.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
Alternatively, click the Clone icon to create an entry populated with settings from a
predefined profile. In this case, a dialog opens with just the Name field.

3 Configure the following:

GUI item Description


Name Type the name of the offline protection profile. This field cannot be
modified if you are editing an existing offline protection profile. To modify
the name, delete the entry, then recreate it using the new name.
Session Management Enable to track the states of HTTP sessions using a cookie named
FORTIWAFSID, which is required if you will select a WAF Auto Learning
Profile in the policy with this offline protection profile. Also configure
Session Timeout.
This feature requires that the client support cookies.
Note: You must enable this option if you want to include the profile’s traffic
in the traffic log, in addition to enabling traffic logs in general. For more
information, see “Enabling logging” on page 327.


Session Timeout Enter the HTTP session timeout in seconds.
This option appears only if Session Management is enabled.
Session Key Word Enter the name of the session ID cookie, if any, that will be used by the
application to track the session when working in offline or either of the
transparent modes. By default, FortiWeb tracks the following session ID
cookies: ASPSESSIONID, PHPSESSIONID and JSESSIONID. Use this
field to create your own unique session ID tracking key word.
This option appears only if Session Management is enabled.
File Upload Restriction Policy Select an existing file upload restriction policy, if any, that will be applied to
matching HTTP requests.
Allow Request Method Policy Select an existing allow request method policy, if any, that will be applied to
matching HTTP requests.
Attack log messages contain DETECT_ALLOW_METHOD_FAILED when
this feature detects a non-allowed HTTP request method.
Note: If a WAF Auto Learning Profile will be selected in the policy with this
profile, you must enable the HTTP request methods that will be used by
sessions that you want the FortiWeb unit to learn about. If a method is
disabled, the FortiWeb unit will reset the connection, and therefore cannot
learn about the session.
URL Access Policy Select the name of the URL access policy, if any, that will be applied to
matching HTTP requests.
Attack log messages contain DETECT_URL_ACCESS_ALERT_DENY when
this feature detects a URL that matches this policy.
Note: Do not select a URL access policy if this offline protection profile
will be used in a policy with WAF Auto Learning Profile. Selecting a URL
access policy will cause the FortiWeb unit to reset the connection when it
detects a request with a blocked URL and Host: field combination,
resulting in incomplete session information for the auto-learning feature.
Server Protection Rule Select the name of the server protection rule, if any, that will be applied to
matching HTTP requests.
Attack log messages for this feature vary by which type of attack was
detected. For a list, see “Configuring server protection rules” on page 201.
Note: If a WAF Auto Learning Profile will be selected in the policy with this
profile, you should select a server protection rule whose Action is Alert. If
the Action is Alert & Deny, the FortiWeb unit will reset the connection when
it detects an attack, resulting in incomplete session information for the
auto-learning feature.
Parameter Validation Rule Select the name of the parameter validation rule, if any, that will be applied
to matching HTTP requests.
Attack log messages contain DETECT_PARAM_RULE_FAILED when this
feature detects a parameter rule violation.
Note: If a WAF Auto Learning Profile will be selected in the policy with this
profile, you should select a parameter validation rule whose Action is Alert.
If the Action is Alert & Deny, the FortiWeb unit will reset the connection
when it detects an attack, resulting in incomplete session information for
the auto-learning feature.
Hidden Fields Protection Rule Select the name of a hidden fields group, if any, that will be applied to
matching HTTP requests.
This option appears only if Session Management is enabled.
Robot Control Select the name of a robot control profile, if any, that will be applied to
matching HTTP requests.
Attack log messages contain DETECT_MALICIOUS_ROBOT when this
feature detects a misbehaving robot or any other HTTP client that exceeds
the rate limit.
Note: If a WAF Auto Learning Profile will be selected in the policy with this
profile, you should select a robot control rule whose Action is Alert. If the
Action is Alert & Deny, the FortiWeb unit will reset the connection when it
detects an attack, resulting in incomplete session information for the
auto-learning feature.
HTTP Protocol Constraints Select the name of an HTTP protocol constraint, if any, that will be applied
to matching HTTP requests.


IP List Policy Select the name of an IP list policy, if any, that will be applied to matching
HTTP requests.
Enable AMF3 Protocol Detection Enable to scan requests that use action message format 3.0 (AMF3) for:
• cross-site scripting (XSS) attacks
• SQL injection attacks
• common exploits
if you have enabled those in your selected server protection rule.
AMF3 is a binary format that can be used by Adobe Flash clients to send
input to server-side software.
Caution: To scan for attacks or enforce input rules on AMF3, you must
enable this option. Failure to enable the option will cause the FortiWeb unit
to be unable to scan AMF3 requests for attacks.

Tip: Click Detail beside any field to open a dialog that lets you view and modify the policy.

4 Click OK.
If you will use this offline protection profile in conjunction with an auto-learning profile in
order to indicate which attacks and other aspects should be discovered, also configure
the auto-learning profile. For details, see “Applying auto-learning profiles” on page 278.
To apply the offline protection profile, select it in a policy. For details, see “Configuring
server policies” on page 118.
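What Session Management, Session Timeout and Session Key Word do for an offline protection profile, modelled in Python as an added example; this is not FortiWeb's code. Requests are grouped into sessions by the application's own session ID cookie (the ASPSESSIONID, PHPSESSIONID and JSESSIONID defaults named above, plus one custom key word), falling back to the FORTIWAFSID cookie, and a session idle for longer than the timeout starts over. The prefix match on cookie names, the custom key word and all cookie values and timestamps are assumptions or constructed samples.

```python
"""Added example (not FortiWeb code): a model of what Session Management,
Session Timeout and Session Key Word do in an offline protection profile.

Requests are grouped into sessions by the application's own session ID
cookie (ASPSESSIONID, PHPSESSIONID, JSESSIONID by default, plus one
custom key word), falling back to the FORTIWAFSID cookie. A session that
has been idle for longer than the timeout is treated as a new session.
The cookie values and timestamps below are constructed samples.
"""
from http.cookies import SimpleCookie
from typing import Dict, Optional

DEFAULT_KEYWORDS = ("ASPSESSIONID", "PHPSESSIONID", "JSESSIONID")  # defaults named in the guide
WAF_COOKIE = "FORTIWAFSID"


class SessionTracker:
    def __init__(self, timeout_s: int, extra_keyword: Optional[str] = None) -> None:
        self.timeout_s = timeout_s
        self.keywords = DEFAULT_KEYWORDS + ((extra_keyword.upper(),) if extra_keyword else ())
        self.last_seen: Dict[str, float] = {}    # session key -> time of last request
        self.request_count: Dict[str, int] = {}  # session key -> requests in current session

    def session_key(self, cookie_header: str) -> Optional[str]:
        """Pick the cookie that identifies the session, or None if the request carries none."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        for keyword in self.keywords:
            for name, morsel in jar.items():
                # prefix match (assumption): classic ASP appends a random suffix to ASPSESSIONID
                if name.upper().startswith(keyword):
                    return f"{name}={morsel.value}"
        if WAF_COOKIE in jar:
            return f"{WAF_COOKIE}={jar[WAF_COOKIE].value}"
        return None

    def observe(self, cookie_header: str, now: float) -> str:
        """Record a request; returns 'untracked', 'new', 'continued' or 'expired'."""
        key = self.session_key(cookie_header)
        if key is None:
            return "untracked"
        last = self.last_seen.get(key)
        self.last_seen[key] = now
        if last is None:
            self.request_count[key] = 1
            return "new"
        if now - last > self.timeout_s:
            self.request_count[key] = 1  # idle too long: statistics start over
            return "expired"
        self.request_count[key] += 1
        return "continued"


if __name__ == "__main__":
    tracker = SessionTracker(timeout_s=1200, extra_keyword="MYAPPSID")
    for when, cookies in ((0, "JSESSIONID=abc123"), (100, "JSESSIONID=abc123"),
                          (2000, "JSESSIONID=abc123"), (0, "theme=dark")):
        print(when, cookies, tracker.observe(cookies, when))
```

Requests that return as 'untracked' are the ones a Start Pages, Page Access Rule or auto-learning report cannot attribute to any session, which is why the guide requires Session Management for those features and why a custom Session Key Word matters when the application does not use one of the default cookie names.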

Applying auto-learning profiles


Auto-learning profiles are designed to be used in conjunction with an inline or offline
protection profile. Those profiles detect attacks. Only if attacks are detected can the
auto-learning profile accumulate auto-learning data and generate its report. As a result, when
you create a server policy, you must include an auto-learning profile as well as an inline or
offline protection profile.
Auto-learning profiles are useful when you want to collect information about the HTTP
sessions on your unique network in order to design inline or offline protection profiles
suited for them.
Auto-learning profiles gather data on the HTTP requests that your FortiWeb unit is
handling. They track your web servers’ response to each request, such as
401 Unauthorized or 500 Internal Server Error, to learn about whether the
request is legitimate or a potential attack attempt.
Such data is used for auto-learning reports, and can serve as the basis for generating
inline protection profiles or offline protection profiles (see “Generating a profile from
auto-learning data” on page 289). This removes much of the research and guesswork about
which HTTP request methods, data types, and other types of content your web sites and
web applications use when you design an appropriate defense. Also, see “Viewing
auto-learning reports” on page 282.

Auto-learning profile workflow


Before configuring an auto-learning profile, first configure any of the following that you
want to include in the profile:
• a data type group (see “Grouping predefined data types” on page 150)
• a suspicious URL rule (see “Grouping suspicious URLs” on page 154)


• one or more URL replacers and a custom application policy (see “Custom application
workflow” on page 160)
• lastly, select the auto-learning profile in a server policy

Configuring auto-learning profiles


Web Protection > Web Protection Profile > Auto Learning Profile displays the list of
auto-learning profiles.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Auto Learn Configuration category.
For details, see “About permissions” on page 80.
Note: Use auto-learning profiles with profiles whose Action is Alert.
If Action is Alert & Deny, the FortiWeb unit will reset the connection, preventing the
auto-learning feature from gathering complete data on the session.

Table 110: Web Protection > Web Protection Profile > Auto Learning Profile tab


GUI item Description


Create New Click to add an auto-learning profile.
# Displays the index number of the entry in the list.
Name Displays the name of the entry.
Data Type Group Displays the name of a data type group. The auto-learning profile will learn
about the names, length, and required presence of these types of
parameter inputs. For details, see “Grouping predefined data types” on
page 150.
Suspicious URL Rule Displays the name of a suspicious URL rule. The auto-learning profile will
learn about attempts to access these types of URLs that may indicate an
attempt to gain administrative or other unauthorized access to the web
server or web application. For details, see “Grouping suspicious URLs” on
page 154.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in a policy.
Click the Edit icon to modify the entry.

To configure an auto-learning profile

Note: Alternatively, you could generate a default auto-learning profile and its required
components, and then modify them. For details, see “Generating an auto-learning profile
and its components” on page 281.

1 Go to Web Protection > Web Protection Profile > Auto Learning Profile.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.


Alternatively, click the Clone icon to create an entry populated with settings from a
predefined profile. In this case, a dialog opens with just the Name field.

3 Configure the following:

GUI item Description


Name Type the name of the auto-learning profile. This field cannot be modified if
you are editing an existing auto-learning profile. To modify the name,
delete the entry, then recreate it using the new name.
Data Type Group Select the name of a data type group to use, if any. The auto-learning
profile will learn about the names, length, and required presence of these
types of parameter inputs. For details, see “Grouping predefined data
types” on page 150.
Suspicious URL Rule Select the name of a suspicious URL rule to use, if any. The auto-learning
profile will learn about attempts to access URLs that are typically used for
web server or web application administrator login, such as /admin.php.
Requests from clients for these types of URLs are considered a possible
attempt at either vulnerability scanning or administrative login attacks, and
therefore potentially malicious. For details, see “Grouping suspicious
URLs” on page 154.
Server Protection Threshold Enter the threshold for the number of attacks of each type over which the
auto-learning profile will not add the attack to the server protection rules
(see “Configuring server protection rules” on page 201). This means that, if
the attack count is higher than the threshold, FortiWeb deems this behavior as
normal for the web application.
Server Protection Exception Threshold Enter the threshold of the percentage of attacks to total hits over which the
auto-learning profile adds the attack to the server protection exceptions
(see “Configuring server protection exceptions” on page 207).

Application Policy Select an existing application policy from the drop-down list. For details,
see “Configuring custom application policies” on page 160.

4 Click OK.
To apply the auto-learning profile, select it in a policy with an inline or offline protection
profile. For details, see “Configuring server policies” on page 118.

Note: Use auto-learning profiles with offline protection profiles whose Action is Alert.
If Action is Alert & Deny, the FortiWeb unit will reset the connection, preventing the
auto-learning feature from gathering complete data on the session.

Once the policy has begun to match connections and accumulate data, you can view
the current statistics any time by displaying the auto-learning report. For details, see
“Viewing auto-learning reports” on page 282.
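How the Server Protection Threshold and Server Protection Exception Threshold of an auto-learning profile sort observed attacks into server protection rules and server protection exceptions, modelled in Python as an added example; this is not FortiWeb's code. An attack type seen more times than the first threshold is deemed normal application behavior and left out of the rule; where attacks exceed the second threshold as a percentage of a URL's total hits, that URL and attack type become an exception. The guide does not say over what the percentage is computed, so this model assumes per URL and attack type; the hit records are constructed samples.

```python
"""Added example (not FortiWeb code): a model of how the two auto-learning
thresholds sort observed attacks into server protection rules and
server protection exceptions.

  * Server Protection Threshold: an attack type seen more times than this
    is deemed normal application behaviour and is NOT added to the rule.
  * Server Protection Exception Threshold: where attacks are more than this
    percentage of a URL's total hits, that URL/attack pair becomes an
    exception.

Assumption: the percentage is computed per URL and attack type (the guide
does not say). The hit records are constructed samples.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

Hit = Tuple[str, Optional[str]]  # (URL, attack type flagged by the server protection rule, or None)

# Constructed traffic sample: counts chosen so each threshold fires differently.
SAMPLE_HITS: List[Hit] = (
    [("/search", "sql_injection")] * 30 + [("/search", None)] * 70
    + [("/login", "xss")] * 2 + [("/login", None)] * 48
    + [("/api/upload", "common_exploits")] * 45 + [("/api/upload", None)] * 5
)


def summarize(hits: Iterable[Hit]):
    """Total hits per URL, attack counts per (URL, type), and per type overall."""
    hits_per_url: Counter = Counter()
    attacks_per_url: Dict[str, Counter] = defaultdict(Counter)
    attacks_per_type: Counter = Counter()
    for url, attack in hits:
        hits_per_url[url] += 1
        if attack is not None:
            attacks_per_url[url][attack] += 1
            attacks_per_type[attack] += 1
    return hits_per_url, attacks_per_url, attacks_per_type


def decide(hits: Iterable[Hit], count_threshold: int, exception_pct_threshold: float):
    """Return (attack types to enable in the rule, (URL, type) exceptions)."""
    hits_per_url, attacks_per_url, attacks_per_type = summarize(hits)
    # types seen more often than the threshold are treated as normal behaviour
    rule_types = sorted(t for t, n in attacks_per_type.items() if n <= count_threshold)
    exceptions = []
    for url, per_type in attacks_per_url.items():
        for attack, n in per_type.items():
            pct = 100.0 * n / hits_per_url[url]
            if pct > exception_pct_threshold:
                exceptions.append((url, attack))
    return rule_types, sorted(exceptions)


if __name__ == "__main__":
    print(decide(SAMPLE_HITS, count_threshold=40, exception_pct_threshold=20.0))
```

With the sample above, common_exploits is seen 45 times and so is dropped from the rule while still becoming an exception for /api/upload; that is the behaviour to keep in mind when choosing the count threshold, since a noisy but real attack against one URL can cross it.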


Auto learn
This chapter describes the Auto Learn menu and explains how to generate a default
auto-learning profile and its required components, and how to use reports generated from
auto-learning.
Auto-learning gathers information about the URLs and other characteristics of HTTP
sessions that the FortiWeb unit frequently sees passing to your real servers. It tracks your
web servers’ response to each request, such as 401 Unauthorized or
500 Internal Server Error, to learn about whether the request is legitimate or a
potential attack attempt. It then generates reports based upon this information. By learning
about your typical traffic, the FortiWeb unit can help you to quickly make profiles designed
specifically for your unique HTTP traffic.
This chapter includes the following topics:
• Generating an auto-learning profile and its components
• Viewing auto-learning reports
• Generating a profile from auto-learning data

Generating an auto-learning profile and its components


The auto-learning feature enables you to generate an auto-learning profile and all of its
required components.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Autolearn Configuration category.
For details, see “About permissions” on page 80.
Generated auto-learning profile components include:
• data type groups
• suspicious URL rules groups
• server protection rule
• robot control profile and robot groups
• inline or offline protection profile

To generate an auto-learning profile


1 Go to Auto Learn > Default Auto Learn Profile > Default Auto Learn Profile.

Figure 34: Generating a default auto-learning profile

2 In Profile Name, type a name prefix, such as gen-autolearn.


3 Select an operation mode option from the drop-down list.


4 Click Generate Profile.
The FortiWeb unit will automatically suffix a dash ( - ) to the profile name followed by a
number indicating the year, month, day, and time on which the profile and its associated
components were generated. All associated components thereby have identical suffixes,
and can be easily identified for modification.
In the generated components, all options are enabled that are required to guarantee a
complete data set for the purpose of the report generated by the auto-learning profile. This
is regardless of whether the web server is Apache, IIS, or Apache Tomcat, and assumes
that you want to learn about all parameters and allow web crawlers from the popular
search engines Google, Yahoo!, and MSN. The server protection rule will use only attack
definitions that do not cause false positives (that is, they do not use the extended rule set).
The offline protection or inline protection profile will track all HTTP request methods, and
apply a session timeout of 1 200 seconds. The FortiWeb unit will log, but not block,
detected attacks.
To improve performance, you can modify the generated groups and profiles. For example,
if you only operate one type of web server, or if you know that you do not need to watch for
a specific data type, you could modify the generated data type group and suspicious URL
rule group. The FortiWeb unit would then not expend resources to look for those things.
For details, see “Grouping predefined data types” on page 150 and “Grouping suspicious
URLs” on page 154.
To use all attack definitions, or if you want to make one of the search engines’ crawlers
subject to attack detection, you could modify the generated robot control profile and server
protection rule. For details, see “Configuring robot control profiles” on page 227 and
“Configuring server protection rules” on page 201.
To apply a generated auto-learning profile, select it and its associated inline or offline
protection profile in a policy. For details, see “Configuring server policies” on page 118.

Viewing auto-learning reports


Auto Learn > Auto Learn Report > Auto Learn Report displays the list of reports that the
FortiWeb unit has generated from information gathered by auto-learning profiles. For
information on configuring auto-learning profiles, see “Applying auto-learning profiles” on
page 278.
Reports generated from auto-learning profile data can help you to learn about the nature
of your network. They can also help you to know whether or not the auto-learning profile
has collected sufficient amounts of data. When the auto-learning feature has gathered a
satisfactory amount of information, you can use the data to generate web profiles as a
basis for configuration of your FortiWeb unit.
Auto-learning reports may also serve to inform you about the types of normal HTTP
requests and attacks occurring on your network.

Note: Auto-learning reports require that your web browser have the Adobe Flash Player
plug-in.

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Autolearn Configuration category.
For details, see “About permissions” on page 80.


Table 111: Auto Learn > Auto Learn Report > Auto Learn Report tab

Name: Displays the name of the auto-learning profile whose gathered information was
used to generate the report.
Detail: Click to view the report, to create a PDF version of the report, or to generate a
web profile based upon the data gathered for the report.
Purge Data: Click to remove data gathered by this auto-learning profile. Subsequent
reports and any profiles generated from them will include only data gathered by the
auto-learning profile after you click this icon.
Note: When a report is open, you can clear data for individual nodes by right-clicking
the node in the left-hand pane and selecting Clear Data. Data is also cleared
automatically if you delete the policy that uses the auto-learning profile.

To view a report generated from auto-learning data


1 Go to Auto Learn > Auto Learn Report > Auto Learn Report.
2 In the row corresponding to the auto-learning profile whose data you want to view, click
the Detail icon.
The report page appears with two panes:
• The left-hand pane lets you navigate through the web sites and URLs that are the
subjects of the report.
• The right-hand pane includes tabs that display report, charts, and buttons that
enable you to adjust any profile generated from the data.
If a tab contains multiple pages of results, click the arrows at the bottom of the tab,
such as next > and << first, to move forward or backwards through the pages of
results.


Figure 35: Parts of auto-learning reports (callouts: Navigation pane, Display pane,
Expansion icons, Click to collapse this pane, Auto-learning profile, Host, Common part of
URL, Requested file)

Using the navigation pane


You can change the display and content of data in the left-hand navigation pane. To do so,
right-click the name of an item, then click a pop-up menu option:

Refresh the Tree: Select to update the display in the navigation pane.
Filter the Tree: Select to show or hide HTTP sessions in the report by their HTTP request
method and/or other attributes. A pop-up dialog appears. See Figure 36.
Expand Current Node: Select to expand the item and all of its subitems. This option has
no effect when right-clicking the name of the auto-learning profile.
Stop Learning: Each URL on an auto-learning report includes the right-click menu option
Stop Learning. By selecting this option for a URL that you know is complex and hard to
track effectively, or that may generate inaccurate data, you reduce processing
resources. FortiWeb no longer gathers report data for a stopped URL. Right-click the
URL again and select Start Learning to reverse the stop action.
Clean Data: Select to empty auto-learning data for this item. This may be useful if you
know that the inputs required by a specific page have changed since you initially began
learning about a web site’s parameters, and you want to eliminate obsolete data from
the auto-learning report and any profiles that are generated from it.

If you select Filter the Tree, the following dialog appears.


Figure 36: Filtering an auto-learning report

To show only specific nodes in the URL tree and hide the rest, select which attributes a
node or its subnode must satisfy in order to be included.
For example, to include only parts of the URL tree pertaining to HTTP POST requests to
Java server pages (JSP files), you would enter .jsp in the Search field under URL and
enable POST under HTTP Method.
In the navigation pane, to view statistics for a subset of sessions with specific hosts and
their URLs, click the expand icon ( + ) next to an item to expand it, then click the name of
the subitem whose statistics you want to view. Depending on the level in the navigation
tree, an item may be either an auto-learning profile observing multiple hosts, a single host,
a common part of a path contained in multiple URLs, or a single requested file. This
enables you to view:
• statistics specific to each requested URL
• totals for a group of URLs with a common path
• totals for all requested URLs on the host
• totals for all requests on all hosts observed by the auto-learning profile

Using the report display pane


Tabs, statistics and charts appear on the report display (right-hand) pane. Their
appearance varies depending on which level you selected in the navigation tree.

Note: If URL rewriting is configured, the tree’s URL is the one requested by the client, not
the one to which it was rewritten before passing to the server.

The report display pane contains several feature buttons above the report.
• Click Refresh in the right-hand pane to update the display with current statistics.


• Click Generate Config in the right-hand pane to generate a web protection policy from
the auto-learn profile.
For information on editing the auto-learn profile before generating a new web
protection policy, see “Generating a profile from auto-learning data” on page 289.
• Click Generate PDF in the right-hand pane to get a PDF copy of the report.
A pop-up dialog appears. Enter a name for the PDF and click OK.

Overview tab
The Overview tab provides a statistical summary for all sessions established with the host
during the use of the auto-learning profile, or since its auto-learning data was last cleared,
whichever is shorter.

Figure 37: Overview tab

Under Item in the table, the Hits Count link opens the Visits tab. The Attack Count link
opens the Attacks tab.
The Overview tab includes several buttons that can edit the generated report. (Also see
“Generating a profile from auto-learning data” on page 289.)
• The Edit Allow Method button appears only when you select a profile in the navigation
pane. It opens a pop-up dialog where you can select which HTTP request methods to
allow in the generated profile. Select the Off or On options in the Status drop-down list.
• The Edit Protected Servers button appears only when you select the auto-learn profile
in the navigation pane. It opens a dialog where you can select or deselect IP
addresses and/or domain names that will be members of the generated protected
servers group.


• The Edit URL Page button appears only when you select a URL in the navigation pane.
It opens a dialog where you can specify that the currently selected URL will be included
in start pages and IP list rules in the generated profile. You can also select an action to
take if there is a rule violation. The choices are:
Alert & Deny: Block the connection and generate an alert and/or log message.
Continue: Allow the request, applying any subsequent rules defined in the web
protection profile.
Pass: Allow the request. Similar to alert but does not generate an alert and/or log
message.

Attacks tab
The Attacks tab provides statistics in both tabular and graphical format on sessions that
contained one of the types of attacks that the web profile selected in the associated policy
was configured to detect.
Sometimes, auto-learning reports may contain fewer attacks than you see in the FortiWeb
unit’s attack logs. For details, see “About the attack count” on page 289.

Figure 38: Auto-learning report Attacks tab

The inclusion of the Action and Enable columns varies with the level of the item selected
in the navigation pane.
Use the Enable drop-down lists to turn auto-learning on or off for a specific attack type.
The default is on.
Use the Action drop-down lists to change how the FortiWeb unit reacts to a specific
attack type. The choices are:
• Alert: Accept the connection and generate an alert and/or log message.


• Alert & Deny: Block the connection and generate an alert and/or log message.
• Send 403 Forbidden: Reply with an HTTP 403 (Access Forbidden) error message and
generate an alert and/or log message.
• Redirect: Redirect the request to the URL that you specify in the protection profile and
generate an alert and/or log message.

Visits tab
The Visits tab provides statistics in both tabular and graphical format on the HTTP request
methods used.
When you select an auto-learning profile in the navigation pane, this tab includes a set of
bar charts that give statistics about the most used and least used URLs, plus suspicious
URLs.
When you select a host IP in the navigation pane, the report includes a set of tables that
give statistics on HTTP return codes in the 400 and 500 series.
The Visits tab includes several buttons that can edit the generated report. (Also see
“Generating a profile from auto-learning data” on page 289.)
• The Edit Allow Method button appears only when you select a profile in the navigation
pane. It opens a pop-up dialog where you can select which HTTP request methods to
allow in the generated profile. Select the Off or On options in the Status drop-down list.
• The Edit URL Access button appears only when you select a profile in the navigation
pane. It opens a pop-up dialog where you can choose the start pages related to a
protected server.
• The Edit Start Page button appears only when you select a profile in the navigation
pane. It opens a pop-up dialog where you can choose the URL access rules related to
a protected server.
• The Edit Exception Method button appears when you select a URL in the navigation
pane. It opens a pop-up dialog where you can select which HTTP request methods to
treat as exceptions for that URL. Select the Off or On options in the Status drop-down
list.

Parameters tab
The Parameters tab provides tabular statistics on the parameters and their values as they
appeared in HTTP requests, as well as applicable URL replacements.
This tab appears only for items that are leaf nodes in the navigation tree; that is, they
represent a single complete URL as it appeared in a real HTTP request, and therefore
could have had those exact associated parameters.
Percentages in the TypeMatch and Required columns indicate how likely the parameter
with that name is of that exact data type, and whether or not the web application requires
that input for that URL. The MinLen and MaxLen columns indicate the likely valid range of
length for that input’s value. Together the columns provide information on what is likely the
correct configuration of a profile for that URL.

Cookies tab
The Cookies tab provides tabular statistics on the name, value, expiry date, and path of
each cookie crumb that appeared in HTTP requests. This tab appears only for hosts that
use cookies.
This tab does not appear at the policy level of the navigation tree.


About the attack count


Sometimes, auto-learning reports may contain fewer attacks than you see in the FortiWeb
unit’s attack logs. Possible causes include:
• The attack was attempted, but was targeted towards a URL that did not actually exist
on the server (that is, it resulted in an HTTP 404 File Not Found reply code).
Because the URL did not exist, the auto-learning report does not include it in its tree of
requested URLs.
In other words, the attack was not counted in the report because it did not result in an
actual page hit.
• The attack was attempted, and the URL existed, but the FortiWeb unit was configured
to block the attack (Alert & Deny), resulting in an unsuccessful connection attempt.
Unsuccessful connections do not result in an actual page hit and have incomplete
session data, and therefore are not included in auto-learning reports.
To ensure that auto-learning reports have complete session data, you should log but not
block attacks (that is, select Alert instead) while gathering auto-learning data.

Generating a profile from auto-learning data


When viewing a report generated from auto-learning data, you can generate an inline
protection profile or an offline protection profile suitable for the HTTP sessions observed. If
some observed sessions are not indicative of typical traffic and you do not want to include
elements in the generated profile, or you want to select an action other than the default for
a type of observed attack, you can selectively change the action for that type of attack.
In addition to the generated profile itself, the FortiWeb unit also generates all rules and
other auxiliary configurations that the profile depends upon.
For example, if the FortiWeb unit observed HTTP PUT requests with required parameters
of a password and a user name that is an email address, when generating a profile, it
would also generate the parameter validation rules and input rules that the profile
requires, using the data types and maximum lengths of the arguments observed in the
HTTP sessions.
Generated profiles and auxiliary configurations are editable. They can be adjusted or used
as the basis for additional configuration.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Autolearn Configuration category.
For details, see “About permissions” on page 80.

To configure a profile using auto-learning data


1 Go to Auto Learn > Auto Learn Report > Auto Learn Report.
2 In the row corresponding to the auto-learning profile whose data you want to view, click
Detail. The report appears.


Figure 39: Viewing an auto-learning report (callouts: Navigation pane, Display pane,
Expansion icons, Click to collapse this pane, Auto-learning profile, Host, Common part of
URL, Requested file)

3 In the left-hand pane, if you want to adjust the actions that will appear in the generated
profile for the subset of sessions handled for specific web hosts and their URLs, click
the expand icon ( + ) next to an item to expand the item, then click the name of the
subitem whose actions you want to affect.
Statistics and charts appear on the right-hand pane. The content of the report and the
available buttons varies depending on the selected node in the navigation tree.
If a tab contains multiple pages of results, click the arrows at the bottom of the tab,
such as next > and << first, to move forward or backwards through the pages of
results.
4 For most selected items in the left-hand navigation pane, the report provides buttons
and drop-down lists to help you configure a profile for generation. Select the following
as applicable:
Table 112: Auto Learn report features

Overview tab
Edit Protected Servers: Click to open a pop-up dialog. Enable or disable the IP
addresses and/or domain names that will be members of the generated protected servers
group. For details, see “Configuring protected servers” on page 147. This appears only
if you have selected the name of the auto-learning profile in the navigation pane.
Edit URL Page: Click to open a pop-up dialog. Enable or disable whether the currently
selected URL will be included in start pages and IP list rules in the generated profile.
This appears only if you have selected a URL in the navigation pane. For more
information on those rule types, see “Configuring start page rules” on page 213,
“Configuring URL access policy” on page 216 and “Configuring URL access rules” on
page 218.

Attacks
Action and Enable: Select from the Enable drop-down list to enable or disable detection
of each type of attack, and select from Action which action the generated profile will
take. The availability of these lists varies with the level of the item selected in the
navigation pane. For details, see “Configuring inline protection profiles” on page 268
or “Configuring offline protection profiles” on page 274.

Visits
Edit Allow Method: Click to open a pop-up dialog. Change the Status option to select
which HTTP request methods to allow in the generated profile. This appears only if you
have selected a profile in the navigation pane. For details, see “Configuring inline
protection profiles” on page 268 or “Configuring offline protection profiles” on
page 274.
Edit URL Access: Click to open a pop-up dialog. This appears only if you have selected a
profile in the navigation pane. For details, see “Configuring URL access policy” on
page 216.
Edit Start Page: Click to open a pop-up dialog. This appears only if you have selected a
profile in the navigation pane. For details, see “Configuring start page rules” on
page 213.
Edit Exception Method: Click to open a pop-up dialog. This appears only if you have
selected a URL in the navigation pane. For details, see “Configuring allowed method
exceptions” on page 237.

Parameters
Set: Type the data type and maximum length of the parameter, and indicate whether or not
the parameter is required input. These settings will appear in the generated parameter
validation rule and input rules. For details, see “Configuring parameter validation
input rules” on page 194 and “Configuring HTTP parameter validation rules” on page 192.
5 In the right-hand pane, click Generate Config. The following pop-up dialog appears:

Figure 40: Generating an inline or offline profile from auto-learning data

6 In Profile Name, type a name prefix, such as generated-profile.
The FortiWeb unit will automatically add a dash ( - ) to the profile name followed by a
number indicating the year, month, day, and time on which the profile was generated in
order to indicate the data on which the profile was based.


7 From Profile Type, select which type of web profile you want to generate, either Inline
(to generate an inline protection profile) or Offline (to generate an offline protection
profile).
8 Click OK.
The generated profile appears in the list of either inline or offline protection profiles,
depending on its type. Adjust it if necessary. For details, see “Configuring inline protection
profiles” on page 268 or “Configuring offline protection profiles” on page 274.

Note: You may also need to adjust configuration items used by the generated profile, such
as input rules. The generated configuration items will be based upon auto-learning data
current at the time that the profile is generated, which may have changed while you were
reviewing the auto-learning report.

If you do not configure any settings, by default, the FortiWeb unit will generate a profile
that allows the HTTP GET method and any other methods whose usage exceeded the
threshold, and will add the remaining methods to an allowed method exception. It will also
create start page rules and trust IP rules for the top 10 most commonly requested URLs,
and create black IP rules for the top 10 most commonly requested suspicious URLs.
To apply the generated profile, select it in a policy. For details, see “Configuring server
policies” on page 118.
If you are done collecting auto-learning data, for performance reasons, you may also want
to deselect the auto-learning profile in all policies.
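As an added illustration (not FortiWeb code), the following Python toy models three things described above: which requests are counted in the report at all (the 404 and Alert & Deny exclusions from “About the attack count”), the Parameters tab columns TypeMatch, Required, MinLen and MaxLen, and the default allowed-method choice made when a profile is generated. The sample requests are constructed, and the crude data-type classifier and the 5% method threshold are assumptions, since the guide does not state the threshold.

```python
"""Toy model of the per-URL statistics an auto-learning report aggregates and of the
default choices made when a profile is generated from them. Constructed sample data;
this is not FortiWeb code, and the 5% method threshold is an assumption."""
import re
from collections import Counter, defaultdict

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
INT_RE = re.compile(r"^-?\d+$")


def classify(value):
    """Crude data-type guess for one observed parameter value (assumed classifier)."""
    if INT_RE.match(value):
        return "integer"
    if EMAIL_RE.match(value):
        return "email"
    return "string"


# Constructed observations: (method, URL, parameters, server status, detected attack
# type, action the WAF took). 'Alert' only logs; 'Alert & Deny' blocks the request.
OBSERVATIONS = [
    ("GET", "/index.html", {}, 200, None, None),
    ("GET", "/index.html", {}, 200, None, None),
    ("POST", "/login.jsp", {"user": "alice@example.com", "pass": "s3cret"}, 200, None, None),
    ("POST", "/login.jsp", {"user": "bob@example.com", "pass": "hunter22"}, 401, None, None),
    ("POST", "/login.jsp", {"user": "carol", "pass": "pw"}, 200, "SQL Injection", "Alert"),
    # Attack against a URL that does not exist: the 404 keeps it out of the URL tree.
    ("GET", "/admin.php", {"id": "1"}, 404, "SQL Injection", "Alert"),
    # Attack that was blocked: no page hit, incomplete session data, so not counted.
    ("POST", "/login.jsp", {"user": "x", "pass": "y"}, 403, "XSS", "Alert & Deny"),
]


def counted(obs):
    """A request reaches the report only if it produced a real page hit."""
    _method, _url, _params, status, _attack, action = obs
    return status != 404 and action != "Alert & Deny"


def url_tree(observations):
    """Per-URL hit, method, status and attack counters (the report's leaf nodes)."""
    tree = defaultdict(lambda: {"hits": 0, "methods": Counter(),
                                "status": Counter(), "attacks": Counter()})
    for obs in observations:
        if not counted(obs):
            continue
        method, url, _params, status, attack, _action = obs
        node = tree[url]
        node["hits"] += 1
        node["methods"][method] += 1
        node["status"][status] += 1
        if attack:
            node["attacks"][attack] += 1
    return dict(tree)


def parameter_stats(observations, url):
    """Parameters-tab style rows: TypeMatch and Required as percentages, MinLen/MaxLen."""
    hits = [o for o in observations if counted(o) and o[1] == url]
    rows = {}
    for name in sorted({n for o in hits for n in o[2]}):
        values = [o[2][name] for o in hits if name in o[2]]
        best_type, n_match = Counter(classify(v) for v in values).most_common(1)[0]
        rows[name] = {
            "type": best_type,
            "type_match": round(100 * n_match / len(values)),
            "required": round(100 * len(values) / len(hits)),
            "min_len": min(len(v) for v in values),
            "max_len": max(len(v) for v in values),
        }
    return rows


def default_allowed_methods(tree, threshold=0.05):
    """GET is always allowed; another method is allowed when its share of counted
    requests exceeds the threshold, otherwise it belongs in the allowed-method
    exception. The threshold value is an assumption."""
    total = Counter()
    for node in tree.values():
        total.update(node["methods"])
    n = sum(total.values())
    allowed = {"GET"} | {m for m, c in total.items() if c / n > threshold}
    return sorted(allowed)


if __name__ == "__main__":
    tree = url_tree(OBSERVATIONS)
    for url, node in sorted(tree.items()):
        print(url, node["hits"], dict(node["status"]), dict(node["attacks"]))
    print(parameter_stats(OBSERVATIONS, "/login.jsp"))
    print(default_allowed_methods(tree))
```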


Web anti-defacement
This chapter describes the Web Anti-Defacement menu, which configures the FortiWeb
unit to monitor web sites for defacement attacks and to fix attack damage.
This chapter includes:
• Configuring anti-defacement
• Reverting a web site to a backup revision

Configuring anti-defacement
Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-Defacement displays
the list of web sites for which you have configured anti-defacement protection.
Anti-defacement monitors a web site’s files for any changes at specified time intervals. If it
detects a change that could indicate a defacement attack, the FortiWeb unit can notify you
and quickly react by automatically restoring the web site contents to the previous backup
revision.
Caution: When you intentionally modify the web site, you must disable the Enable Monitor
and Restore Changed Files Automatically options; otherwise, the FortiWeb unit sees your
changes as a defacement attempt and undoes them.

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Anti-Defacement Management
category. For details, see “About permissions” on page 80.

Table 113: Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-Defacement tab
(row icons: View, Edit, Delete, Revert site)

Create New: Click to add a web site that the FortiWeb unit will monitor for defacement.
Refresh: Click to refresh the tab’s display, including the current Connected status.
ID: The index number of the entry in the list.
Name: A descriptive name for the web site.
Hostname/IP: The IP address or fully qualified domain name (FQDN) of the real server on
which the web site is hosted.
Monitor: Indicates whether or not anti-defacement is currently enabled for the web site.
• Green icon: Anti-defacement is enabled.
• Flashing yellow-to-red icon: Anti-defacement is disabled.
Connected: Indicates the connection results of the FortiWeb unit’s most recent attempt to
connect to the web site’s server.
• Green check mark icon: The connection was successful.
• Red X mark icon: The FortiWeb unit was unable to connect. Verify the IP address/FQDN
and login credentials of your anti-defacement configuration. If these are valid, verify
that connectivity has not been interrupted by dislodged cables, routers, or firewalls.
Total Files: Displays the total number of files on the web site.
Total Backup: Displays the total number of files that have been backed up onto the
FortiWeb unit for recovery purposes. Those files that you choose not to monitor will not
be backed up.
Total Changed: Displays the total number of files that have changed.
(No column heading.): Click the View icon to display the web site’s anti-defacement
configuration and backup statistics, including disk usage.
Click the Edit icon to modify an entry.
Click the Delete icon to remove an entry.
Click the Revert site icon to revert the web site to a backup revision. See “Reverting a
web site to a backup revision” on page 297.
Before configuring a web site for anti-defacement protection, you must have the following
information ready:
• FQDN or IP address of the web site’s server
• root folder of the web site
• connection type (FTP, SSH, or Windows Share) and the credentials you use to
access the root folder of the web site
• alert email address

To configure anti-defacement
1 Go to Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-
Defacement.
2 Click Create New to add a new entry, or click the Edit icon to edit an existing entry.
A dialog appears.


3 Configure the following settings:

Web Site Name: Type a name for the web site. This name will not be used when monitoring
the web site, nor will it be referenced in any other part of the configuration, and
therefore can be any identifier that is useful to you. It does not need to be the web
site’s FQDN or virtual host name.
Description: Enter a comment. The comment may be up to 63 characters long. This field is
optional.
Enable Monitor: Enable to monitor the web site’s files for changes, and to download
backup revisions that can be used to revert the web site to its previous revision if the
FortiWeb unit detects a change attempt.
Note: While you are intentionally modifying the web site, you must turn off this option
and Restore Changed Files Automatically. Otherwise, the FortiWeb unit will detect your
changes as a defacement attempt, and undo them.
Hostname/IP: Type the IP address or FQDN of the real server on which the web site is
hosted. This will be used when connecting by SSH or FTP to the web site to monitor its
contents and download backup revisions, and therefore could be different from the real
or virtual web host name that may appear in the Host: field of HTTP headers.
Connect Type: Select which protocol (FTP, SSH, or Windows Share) to use when connecting
to the web site in order to monitor its contents and download web site backups.
FTP/SSH Port: Enter the TCP port number on which the web site’s real server listens. The
standard port number for FTP is 21; the standard port number for SSH is 22. This field
appears only if Connect Type is FTP or SSH.
Windows Share Name: Type the name of the shared folder on the web server. This field
appears only if Connect Type is Windows Share.
Folder of Web Site: Type the path to the web site’s folder, such as public_html, on the
real server. The path is relative to the initial location when logging in with the user
name that you specify in User Name.
User Name: Enter the user name, such as fortiweb, that the FortiWeb unit will use to log
in to the web site’s real server.
Password: Enter the password for the user name you entered in User Name.
Alert Email Address: Type the recipient email address (MAIL TO:) to which the FortiWeb
unit will send an email when it detects that the web site has changed.
Monitor Interval for Root Folder: Enter the time interval in seconds between each
monitoring connection from the FortiWeb unit to the web server. During this connection,
the FortiWeb unit examines Folder of Web Site (but not its subfolders) to see if any
files have been changed by comparing the files with the latest backup. If it detects any
file changes, the FortiWeb unit will download a new backup revision. If you have enabled
Restore Changed Files Automatically, the FortiWeb unit will revert the files to their
previous version. For details, see “About web site backups” on page 297.
Monitor Interval for Other Folder: Enter the time interval in seconds between each
monitoring connection from the FortiWeb unit to the web server. During this connection,
the FortiWeb unit examines subfolders to see if any files have been changed by comparing
the files with the latest backup. If any file change is detected, the FortiWeb unit will
download a new backup revision. If you have enabled Restore Changed Files
Automatically, the FortiWeb unit will revert the files to their previous version. For
details, see “About web site backups” on page 297.
Maximum Depth of Monitored Folders: Type how many folder levels deep to monitor for
changes to the web site’s files. Files in subfolders deeper than this level will not be
backed up.
Skip Files Larger Than: Type a file size limit in kilobytes (KB) to indicate which files
will be included in the web site backup. Files exceeding this size will not be backed
up. The default file size limit is 10 240 KB.
Note: Backing up large files can impact performance.
Skip Files With These Extensions: Type zero or more file extensions, such as iso, avi,
to exclude from the web site backup. Separate each file extension with a comma.
Note: Backing up large files, such as video and audio, can impact performance.
Restore Changed Files Automatically: Enable to automatically restore the web site to the
previous revision number when it detects that the web site has been changed. Disable to
do nothing. In this case, you must manually restore the web site to a previous revision
when the FortiWeb unit detects that the web site has been changed. See “Reverting a web
site to a backup revision” on page 297.
Note: While you are intentionally modifying the web site, you must turn off this option
and Enable Monitor. Otherwise, the FortiWeb unit will detect your changes as a
defacement attempt, and undo them.
4 Click Test Connection to test the connection between the FortiWeb unit and the web
server.
5 Click OK.
The FortiWeb unit connects to the web site and downloads the first backup copy revision.
(It may subsequently download additional revisions. See “About web site backups” on
page 297.)
When a defacement attack occurs, the damaged/changed files will be restored
automatically if you enabled Restore Changed Files Automatically. Otherwise, when the
FortiWeb unit notifies you of the attack, you must manually revert the web site to one of
the backup revisions. For details, see “Reverting a web site to a backup revision” on
page 297.
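The monitor-compare-restore cycle described above, reduced to its essentials as an added example. This is illustrative Python written for this page, not FortiWeb code: the function names, the way the depth limit, size limit and extension skip list are applied, and the contents of the sample web root are all assumptions. It hashes every monitored file, compares the result with the latest backup revision, and reverts what changed.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def snapshot(site_root, max_depth=3, max_size_kb=10240, skip_extensions=("iso", "avi")):
    """Return {relative_path: sha256} for every monitored file under site_root.

    Folders deeper than max_depth (the root is depth 0), files larger than
    max_size_kb and files with a skipped extension are omitted, mirroring the
    Maximum Depth, Skip Files Larger Than and Skip Files With These Extensions
    settings (the exact depth counting is an assumption of this example).
    """
    site_root = Path(site_root)
    skip = {ext.strip().lower() for ext in skip_extensions}
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(site_root):
        depth = len(Path(dirpath).relative_to(site_root).parts)
        if depth >= max_depth:
            dirnames[:] = []  # stop os.walk from descending any further
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lstrip(".").lower() in skip:
                continue
            if path.stat().st_size > max_size_kb * 1024:
                continue
            rel = path.relative_to(site_root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def compare(baseline, current):
    """Classify differences between the latest backup revision and the live site."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def take_backup(site_root, backup_root, files):
    # Copy only the monitored files into a backup revision directory.
    for rel in files:
        dst = Path(backup_root) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(Path(site_root) / rel, dst)


def restore(site_root, backup_root, changes):
    """Revert to the backup revision: put back modified and deleted files and
    remove files that were added, as Restore Changed Files Automatically does."""
    for rel in changes["modified"] + changes["removed"]:
        dst = Path(site_root) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(Path(backup_root) / rel, dst)
    for rel in changes["added"]:
        (Path(site_root) / rel).unlink()


def build_sample_site(root):
    # Constructed web root for the demonstration; not real site content.
    root = Path(root)
    (root / "index.html").write_text("<h1>Welcome</h1>")
    (root / "css").mkdir()
    (root / "css" / "site.css").write_text("body { margin: 0 }")
    (root / "media").mkdir()
    (root / "media" / "promo.avi").write_bytes(b"\x00" * 16)      # skipped: extension
    (root / "big.bin").write_bytes(b"\x00" * 2048)                 # skipped: over the 1 KB limit
    (root / "a" / "b" / "c").mkdir(parents=True)
    (root / "a" / "b" / "c" / "deep.txt").write_text("too deep")  # skipped: deeper than 2


def run_demo(max_depth=2, max_size_kb=1):
    """Take a baseline, simulate a defacement, detect it and revert it.
    Returns (monitored files, detected changes, changes left after restore)."""
    work = Path(tempfile.mkdtemp())
    site, backup = work / "site", work / "backup"
    site.mkdir()
    build_sample_site(site)
    baseline = snapshot(site, max_depth, max_size_kb)
    take_backup(site, backup, baseline)
    # Simulated defacement: overwrite a page, drop a new file, delete a stylesheet.
    (site / "index.html").write_text("<h1>Defaced</h1>")
    (site / "dropped.php").write_text("<?php echo 'defaced'; ?>")
    (site / "css" / "site.css").unlink()
    detected = compare(baseline, snapshot(site, max_depth, max_size_kb))
    restore(site, backup, detected)
    remaining = compare(baseline, snapshot(site, max_depth, max_size_kb))
    shutil.rmtree(work)
    return sorted(baseline), detected, remaining
```

Running run_demo() shows why the Note on Restore Changed Files Automatically matters: any edit you make yourself between two monitoring intervals is indistinguishable from the simulated defacement and is reverted in the same way.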

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide


296 Revision 10
http://docs.fortinet.com/ • Feedback
Web anti-defacement Reverting a web site to a backup revision

About web site backups


When a FortiWeb unit is configured to protect a web site using the web anti-defacement
feature, it periodically downloads a backup copy of that web site’s files automatically. It
creates a new backup revision in the following cases:
• When the FortiWeb unit initiates monitoring for the first time, it downloads a backup
copy of the web site’s files and stores it as the first revision.
• When a monitoring connection finds that files have changed since the latest backup (see
Monitor Interval for Root Folder and Monitor Interval for Other Folder), it downloads the
changed web site as a new revision.
• If the FortiWeb unit could not successfully connect during a monitor interval, it creates a
new revision the next time that it re-establishes the connection.

Note: Backup copies omit files exceeding the file size limit and/or matching the file
extensions that you have configured the FortiWeb unit to skip. See “Configuring anti-defacement”
on page 293.

Reverting a web site to a backup revision


If you do not enable automatic recovery of changed files (see Restore Changed Files
Automatically), after a defacement attack you can still manually revert the defaced web
site to any known good backup revision that the FortiWeb unit has downloaded. FortiWeb units
automatically make periodic backups of the web sites they have been configured to protect
with the anti-defacement feature. For details, see “About web site backups” on page 297.

To revert a web site to a backup revision


1 Go to Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-
Defacement.

2 In the row corresponding to the web site you want to revert, click the Revert site icon.
A dialog appears listing previous site backup copies.


3 In the row corresponding to the copy that you want to restore, click the Revert to this
time icon.
4 Click OK.


Web vulnerability scans


Web vulnerability scanning can detect known vulnerabilities on your web servers and web
applications, helping you to design protection profiles that are an efficient use of
processing resources. Vulnerability scans may also be required for compliance with some
regulations and certifications.
The vulnerability scan is configured and controlled through web vulnerability scan policies.
The vulnerability scan policy determines which servers/applications to scan, what specific
vulnerabilities to scan for and when to perform the scan.
When a policy is applied, the vulnerability scan starts from an initial directory,
authenticates if enabled to do so, then scans for vulnerabilities in web pages located in the
same directory or subdirectory as the initial URL. After performing the scan, the FortiWeb
unit generates a report from the scan results.
This chapter includes the following topics:
• Preparing for the vulnerability scan
• Configuring web vulnerability scan policies
• Configuring web vulnerability scan profiles
• Configuring web vulnerability scan schedules
• Viewing scan history and reports

Web vulnerability scan workflow


The following is the sequence of steps to prepare, define, run, and obtain a report for a
web vulnerability scan.
1 Optionally, configure an email policy in advance so that you can include it in the scan
profile. This way, scan reports are sent to recipients automatically. See “Log
configuration workflow” on page 313.
2 Prepare for the scan. See “Preparing for the vulnerability scan” on page 300.
3 Create a scan profile. The profile defines the specific vulnerabilities to scan. See
“Configuring web vulnerability scan profiles” on page 303.
4 Create a scan schedule, unless you plan to execute the scan immediately. The
schedule defines the frequency the scan will be run. See “Configuring web vulnerability
scan schedules” on page 308.
5 Create a scan policy. The policy integrates a scan profile and schedule, which enables
pre-configuration of multiple scan scenarios. See “Configuring web vulnerability scan
policies” on page 300.
6 Start a vulnerability scan manually, or wait for a scheduled vulnerability scan to run
automatically. See “Starting and stopping a web vulnerability scan” on page 302.
7 View or download a vulnerability scan report. The report provides details and analysis
of the scan results. See “Viewing scan history and reports” on page 309.
Tip: Create and run web vulnerability scans early in the configuration of your FortiWeb unit.
Use the reports to locate vulnerabilities and fine tune your protection settings.


Preparing for the vulnerability scan


For best results, before running a vulnerability scan, you should prepare the network and
target hosts for the vulnerability scan.

Live web sites


Fortinet strongly recommends that you do not scan for vulnerabilities on live web sites.
Instead, duplicate the web site and its database in a test environment and perform the
scan in that environment. For more information, see “Scan Mode” on page 306.

Network accessibility
You may need to configure each target host and any intermediate NAT or security devices
to allow the vulnerability scan to properly reach the target hosts.

Traffic load
If you do not plan to rate limit the vulnerability scan, be aware that some web servers
could perceive its rapid rate of requests as a denial of service (DoS) attack. You may need
to configure the web server to omit rate limiting for connections originating from the IP
address of the FortiWeb unit. Rapid access can also result in degraded network
performance during the scan. For more information, see “Delay Between Each Request”
on page 307.

Scheduling
You should work with the owners of target hosts to schedule an appropriate time to run the
vulnerability scan. For example, you might schedule to avoid peak traffic hours, to restrict
unrelated network access, and to ensure that the target hosts will not be powered off
during the vulnerability scan.

Configuring web vulnerability scan policies


Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy
enables you to configure web vulnerability scan (WVS) policies. The WVS policies define
the type of scan to perform (an immediate scan or a scheduled scan), the WVS profile to
use (the scan details), the format of the WVS report and who is to receive a copy of the
report.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Vulnerability Scan
Configuration category. For details, see “About permissions” on page 80.
Tip: Before you can create an effective web vulnerability scan policy, you must first
configure a web vulnerability scan profile. See “Configuring web vulnerability scan profiles”
on page 303. If the scan will run on a set schedule, first create a web vulnerability scan
schedule. See “Configuring web vulnerability scan schedules” on page 308.


Table 114: Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy tab


GUI item: Description

Create New: Click to add a new web vulnerability scan policy.

#: Displays the index number of the entry in the list.

Name: Displays the name of the policy. Click the blue arrow beside the policy name to expand
the entry and display a summary of the scan associated with the policy.

Schedule: Displays the type of schedule used by the policy. If the policy uses a WVS
schedule, the name of the schedule is shown; otherwise Run Now is shown.

Profile: Displays the name of the scan profile used by the policy.

(No column heading.) Status indicates whether the scan is idle (the status indicator is
solid green) or running (the status indicator is flashing red and yellow).
Click the Delete icon to remove the entry.
Click the Edit icon to modify the entry.
The Start/Stop icon appears only if the policy is configured as Run Now. If so, the icon
changes depending on the current status of the scan:
• Stop appears if the scan associated with the policy is in progress.
• Start appears if the scan associated with the policy is not in progress.
For more information on starting and stopping a scan, see “Starting and stopping a web
vulnerability scan” on page 302.

To configure a web vulnerability scan policy


1 Go to Web Vulnerability Scan > Web Vulnerability Scan >
Web Vulnerability Scan Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.


3 Configure the following:

GUI item: Description

Name: Type the name of the policy. This field cannot be modified if you are editing an
existing WVS policy. To modify the name, delete the entry, then recreate it using the new
name.

Type: Select the type of WVS scan to be performed by this policy.
Run Now: The scan can be manually started at any time by the user. For more information,
see “Starting and stopping a web vulnerability scan” on page 302.
Schedule: The scan is performed according to the schedule defined in the Schedule field
below.

Schedule: Displayed only if Schedule is selected as the Type. Select the predefined
schedule to use for the scan. For more information on configuring WVS schedules, see
“Configuring web vulnerability scan schedules” on page 308.

Profile: Select the predefined profile to associate with the policy. The profile defines the
specific details of the web vulnerability scan. For more information on configuring WVS
profiles, see “Configuring web vulnerability scan profiles” on page 303.

Report Format: Select the file formats for the WVS report. You can choose to generate
reports in the following formats:
• HTML
• MHT (MIME HTML, which can be included in email)
• PDF
• RTF (Rich Text Format)
• TXT (plain text)

Email: Select the predefined email policy to associate with the WVS Policy. The email policy
determines who receives the WVS report via email. For more information on configuring
email policies, see “Configuring email policies” on page 317.

4 Click OK.

Starting and stopping a web vulnerability scan


You can manually start and stop a scan if the schedule type associated with the WVS
Policy is set to Run Now. You cannot manually start a scan that has a set schedule.

To start a scan
1 Go to Web Vulnerability Scan > Web Vulnerability Scan >
Web Vulnerability Scan Policy.


2 In the WVS policy list, choose a policy and verify the Schedule column says Run Now
and the status indicator is green (idle).
If Schedule is not set to Run Now, the WVS scan runs on a set schedule. You cannot
manually start a scan that has a set schedule. For more information, see “Configuring
web vulnerability scan policies” on page 300.
3 Click the Start icon associated with the WVS policy.
The vulnerability scan connects to the starting point configured in the WVS Profile and,
if enabled to do so, authenticates. The status indicator flashes red and yellow while the
scan is running.
4 When the scan is finished the status indicator returns to green (idle).
5 Click the blue arrow beside the policy name to expand the scan results.
If an email policy is defined for the scan, a detailed scan report is distributed
accordingly.
6 If required, view or download a full report of the scan results. For more information, see
“Viewing scan history and reports” on page 309.

To stop a scan
1 Go to Web Vulnerability Scan > Web Vulnerability Scan >
Web Vulnerability Scan Policy.
2 Verify the status indicator is running (flashing red and yellow).
3 Click the Stop icon associated with the WVS policy.
4 The vulnerability scan stops.
The status indicator returns to green (idle). You can expand the policy name to view a
summary of the scan results to the point where the scan was stopped.

Configuring web vulnerability scan profiles


Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Profile
enables you to configure web vulnerability scan (WVS) profiles. A WVS profile defines the
web server to scan, as well as the specific vulnerabilities to scan for. The WVS profiles are
associated with WVS policies, which determine when to perform the scan and how to
publish the results of the scan defined by the profile.
You can define multiple profiles, depending on scanning requirements, and apply the
profiles to WVS policies as required. For more information, see “Configuring web
vulnerability scan policies” on page 300.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Vulnerability Scan
Configuration category. For details, see “About permissions” on page 80.

Table 115: Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Profile tab


GUI item: Description

Create New: Click to add a new web vulnerability scan profile.

#: Displays the index number of the entry in the list.

Name: Displays the name of the profile.

Target Server: Displays the hostname/IP or URL to be scanned.

Scan Mode: Indicates whether the profile uses Basic Mode (use HTTP GET only and omit both
user-defined and predefined sensitive URLs) or Enhanced Mode (use both HTTP POST and GET,
excluding only user-defined URLs).

(No column heading.) Click the Delete icon to remove the entry. Click the Edit icon to
modify the entry.

To configure a vulnerability scan profile


1 Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Profile.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
3 A dialog appears.


4 Configure the following:

GUI item: Description

Name: Type the name of the profile. This field cannot be modified if you are editing an
existing WVS profile. To modify the name, delete the entry, then recreate it using the new
name.


Hostname/IP or URL: Type the fully qualified domain name (FQDN), IP address, or full URL to
indicate which directory of the web site you want to scan. Behavior of the scan varies by
the type of the entry:
• A FQDN/IP such as www.example.com. Assume HTTP and scan the entire web site located on
this host.
• A partial URL such as https://webmail.example.com/dir1/. Use the protocol specified in the
URL, and scan the web pages located in this directory of the web site. Other directories
will be ignored.
• A full URL such as http://example.com/dir1/start.jsp. Use the protocol specified in the
URL, starting from the web page in the URL, and scan all local URLs reachable via links
from this web page that are located within the same subdirectory.
Links to external web sites and redirects using HTTP 301 (Moved Permanently) or 302 (Moved
Temporarily or Found) will not be followed.
Unless you will enter an IP address for the host, you must have configured a DNS server
that the FortiWeb unit can use to query for the FQDN. For details, see “Configuring the DNS
settings” on page 58.
Note: This starting point for the scan can be overridden if the web server automatically
redirects the request after authentication. See “Login with HTTP Authentication” and
“Login with specified URL/data” on page 307.

Scan: Enable detection of any of the following vulnerabilities that you want to include in
the scan report:
• Common Web Server Vulnerability (outdated software and software with known memory
leaks, buffer overflows, and other problems)
• XSS (Cross-site Scripting)
• SQL Injection
• Source-code Disclosure
• OS Commanding
For a description of vulnerabilities, see “Configuring server protection rules” on
page 201.

Scan Mode: Select whether the scan job will use Basic Mode (use HTTP GET only and omit
both user-defined and predefined sensitive URLs) or Enhanced Mode (use both HTTP POST and
GET, excluding only user-defined URLs). Also configure Exclude scanning following URLs.
Basic Mode avoids alterations to the web site’s databases, but only if every input on the
site is submitted with POST requests. It also omits testing of the following URLs, which
could be sensitive:
• /formathd
• /formatdisk
• /shutdown
• /restart
• /reboot
• /reset
Caution: Fortinet strongly recommends that you do not scan for vulnerabilities on live web
sites, even if you use Basic Mode. Instead, duplicate the web site and its database into a
test environment, and then use Enhanced Mode with that test environment.
Basic Mode cannot be guaranteed to be non-destructive. Many web sites accept input through
HTTP GET requests, and so it is possible that a vulnerability scan could result in database
changes, even though it does not use POST. In addition, Basic Mode cannot test for
vulnerabilities that are only discoverable through POST, and therefore may not find all
vulnerabilities.

Request Timeout: Type the number of seconds for the vulnerability scanner to wait for a
response from the web site before it assumes that the request will not successfully
complete, and continues with the next request in the scan. It will not retry requests that
time out.


Delay Between Each Request: Type the number of seconds to wait between each request. Some
web servers may rate limit the number of requests, or blacklist clients that issue
continuous requests and therefore appear to be a web site harvester or denial of service
(DoS) attacker. Introducing a delay can be useful to prevent the vulnerability scanner from
being blacklisted or rate limited, and therefore slow or unable to complete its scan.

Login Option

Login with HTTP Authentication: Enable to use basic HTTP authentication if the web server
returns HTTP 401 (Unauthorized) to request authorization. Also configure User and Password.
Alternatively, configure Login with specified URL/data.
After authentication, if the web server redirects the request (HTTP 302), the FortiWeb unit
will use this new web page as its starting point for the scan, replacing the URL that you
configured in Hostname/IP or URL.
Note: If a web site requires authentication and you do not configure the vulnerability
scan to authenticate, the scan results will be incomplete. Because basic HTTP
authentication sends the user name and password base64-encoded rather than encrypted, use
an https:// URL in Hostname/IP or URL if the credentials must not cross the network in the
clear.

User: Enter the user name to provide to the web site if it requests HTTP authentication.

Password: Enter the password of the user name.

Login with specified URL/data: Enable to authenticate if the web server does not use HTTP
401, but instead provides a web page with a form that allows the user to authenticate using
HTTP POST. Also configure Authenticate URL and Authenticate Data.
After authentication, if the web server redirects the request (HTTP 302), the FortiWeb unit
will use this new web page as its starting point for the scan, replacing the URL that you
configured in Hostname/IP or URL.
Note: If a web site requires authentication and you do not configure the vulnerability
scan to authenticate, the scan results will be incomplete.

Authenticate URL: Type the URL, such as /login.jsp, that the vulnerability scan will use to
authenticate before beginning the scan.

Authenticate Data: Type the parameters, such as userid=admin&password=Re2b8WyUI, that will
accompany the HTTP POST request to the authentication URL and contain the values necessary
to authenticate. Typically, this string will include user name and password parameters, but
may contain other variables, depending on the web page.

Scan Website URLs Option

Crawl entire website automatically: Select this option to automatically follow links
leading from the initial starting point that you configured in Hostname/IP or URL. The
vulnerability scanner will stop following links when it has scanned the number of URLs
configured in Crawl URLs Limit. Alternatively, select Specify URLs for scanning.

Crawl URLs Limit: Type the maximum number of URLs to scan for vulnerabilities while
automatically crawling links leading from the initial starting point.
Note: The actual number of URLs scanned could exceed this limit if the vulnerability
scanner reaches the limit but has not yet finished crawling all links on a page that it has
already started to scan.


Specify URLs for scanning: Select this option to manually specify which URLs to scan, such
as /login.do, rather than having the vulnerability scanner automatically crawl the web
site. Enter each URL on a separate line in the text box. You can enter up to 10 000 URLs.

Exclude scanning following URLs: Enable to exclude specific URLs, such as /addItem.cfm,
from the vulnerability scan. Enter each URL on a separate line in the text box.
This may be useful to accelerate the scan if you know that some URLs do not need scanning.
It could also be useful if you are scanning a live web site and wish to prevent the scanner
from inadvertently adding information to your databases. You can enter up to 1 000 URLs.
5 Click OK.
You can now apply the WVS Profile to a WVS Policy. For more information, see
“Configuring web vulnerability scan policies” on page 300.
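As an added illustration of how the profile settings above interact, the following Python reproduces the crawl rules the profile describes: how Hostname/IP or URL sets the starting point and directory scope, how a form login’s HTTP 302 overrides that starting point, why Basic Mode skips the predefined sensitive URLs, and how Crawl URLs Limit, the exclusion list and Delay Between Each Request bound the scan. This is not FortiWeb code: the in-memory SAMPLE_SITE standing in for a web server, the function names, and the href-only link extraction are assumptions, and it stops exactly at the limit where the text notes the real scanner may slightly exceed it.

```python
import re
import time
from urllib.parse import urljoin, urlsplit

# URLs that Basic Mode omits, as listed on this page.
PREDEFINED_SENSITIVE_URLS = {"/formathd", "/formatdisk", "/shutdown",
                             "/restart", "/reboot", "/reset"}


def scan_scope(target):
    """Interpret the Hostname/IP or URL field as (base, start_path, scope_dir).

    A bare FQDN/IP assumes HTTP and the whole site; a URL ending in '/' scans
    that directory; a URL naming a page starts there and stays in its directory.
    """
    if "://" not in target:
        target = "http://" + target + "/"
    parts = urlsplit(target)
    base = parts.scheme + "://" + parts.netloc
    start = parts.path or "/"
    scope = start if start.endswith("/") else start.rsplit("/", 1)[0] + "/"
    return base, start, scope


def crawl(site, target, mode="enhanced", exclude=(), limit=100, login=None, delay=0.0):
    """Return the URLs the scan would test, in crawl order.

    site: constructed stand-in for a web server, {(method, url): (status, headers, body)}.
    mode: "basic" or "enhanced".  exclude: user-defined URL paths to skip.
    limit: Crawl URLs Limit.  login: {"url": ..., "data": ...} for Login with
    specified URL/data (the stand-in does not interpret the data).
    delay: Delay Between Each Request, in seconds.
    """
    base, start, scope = scan_scope(target)
    if login:
        # Form login: POST to the authenticate URL. If the server answers 302,
        # the redirect target replaces the configured starting point.
        status, headers, _ = site.get(("POST", base + login["url"]), (404, {}, ""))
        if status == 302 and "Location" in headers:
            start = urlsplit(urljoin(base + login["url"], headers["Location"])).path
            scope = start if start.endswith("/") else start.rsplit("/", 1)[0] + "/"
    excluded = set(exclude) | (PREDEFINED_SENSITIVE_URLS if mode == "basic" else set())
    queue, seen, tested = [base + start], set(), []
    while queue and len(tested) < limit:
        url = queue.pop(0)
        if url in seen or urlsplit(url).path in excluded or not url.startswith(base + scope):
            continue                  # done already, excluded, external, or out of scope
        seen.add(url)
        time.sleep(delay)             # rate limiting, so the target does not blacklist us
        status, _headers, body = site.get(("GET", url), (404, {}, ""))
        if status in (301, 302):
            continue                  # redirects are not followed during the crawl
        tested.append(url)
        for href in re.findall(r'href="([^"]+)"', body):
            queue.append(urljoin(url, href))   # relative links resolve against this page
    return tested


# Constructed sample site: a login form, a /portal/ area, a 301 alias, an
# out-of-scope page, a predefined sensitive URL and an external link.
BASE = "http://app.example.com"
SAMPLE_SITE = {
    ("POST", BASE + "/login.jsp"): (302, {"Location": "/portal/home.jsp"}, ""),
    ("GET", BASE + "/"): (200, {}, '<a href="/portal/home.jsp">portal</a> <a href="/reboot">reboot</a>'),
    ("GET", BASE + "/portal/home.jsp"): (200, {}, '<a href="search.jsp">s</a> '
        '<a href="/portal/admin/users.jsp">u</a> <a href="old.jsp">o</a> '
        '<a href="/about.html">a</a> <a href="http://cdn.example.net/lib.js">ext</a>'),
    ("GET", BASE + "/portal/search.jsp"): (200, {}, '<a href="home.jsp">h</a>'),
    ("GET", BASE + "/portal/admin/users.jsp"): (200, {}, ""),
    ("GET", BASE + "/portal/old.jsp"): (301, {"Location": "/portal/new.jsp"}, ""),
    ("GET", BASE + "/portal/new.jsp"): (200, {}, ""),
    ("GET", BASE + "/about.html"): (200, {}, ""),
    ("GET", BASE + "/reboot"): (200, {}, ""),
}

if __name__ == "__main__":
    print(crawl(SAMPLE_SITE, BASE + "/portal/home.jsp"))        # stays under /portal/
    print(crawl(SAMPLE_SITE, "app.example.com", mode="basic"))  # whole site, minus /reboot
    print(crawl(SAMPLE_SITE, "app.example.com",
                login={"url": "/login.jsp", "data": "userid=admin&password=Re2b8WyUI"}))
```

The third call shows the starting-point override: although the target is the bare host name, the 302 returned by the login form moves the start to /portal/home.jsp, so the crawl covers the same three pages as the first call and never reaches /about.html or /reboot.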

Configuring web vulnerability scan schedules


Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Schedule
enables you to configure web vulnerability scan (WVS) schedules. A WVS schedule
defines when the scan will occur and whether the scan is a one time or a recurring event.
You can define multiple schedules, depending on scanning requirements, and apply the
schedules to WVS policies as required. For more information, see “Configuring web
vulnerability scan policies” on page 300.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Vulnerability Scan
Configuration category. For details, see “About permissions” on page 80.

Table 116: Web Vulnerability Scan > Web Vulnerability Scan >Web Vulnerability Scan Schedule tab


GUI item: Description

Create New: Click to add a new web vulnerability scan schedule.

#: Displays the index number of the entry in the list.

Name: Displays the name of the schedule.

Type: Displays the type of schedule: One Time or Recurring.

Time: Displays the time that the scan is scheduled to run.

Date: Displays a value only when the schedule type is One Time. Identifies the date on
which the one time vulnerability scan is scheduled to run.

Day: Displays values only when the schedule type is Recurring. Identifies the days of the
week on which the recurring vulnerability scan is scheduled to run.

(No column heading.) Click the Delete icon to remove the entry. Click the Edit icon to
modify the entry.


To configure a vulnerability scan schedule


1 Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Schedule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.

3 Configure the following:

GUI item: Description

Name: Type the name of the schedule. This field cannot be modified if you are editing an
existing WVS schedule. To modify the name, delete the entry, then recreate it using the new
name.

Type: Select the type of schedule.
One Time: the vulnerability scan will be run one time only, at the time and date specified
below.
Recurring: the vulnerability scan will be run on the days of the week and at the time
specified below.

Time: Specify the time of day at which the scan will run.

Date: Displayed only if Type is set to One Time. Specify the date on which the one time
vulnerability scan will run.

Day: Displayed only if Type is set to Recurring. Select one or more days of the week on
which the recurring vulnerability scan will run.

4 Click OK.
You can now apply the WVS Schedule to a WVS Policy. For more information, see
“Configuring web vulnerability scan policies” on page 300.

Viewing scan history and reports


After a web vulnerability scan completes, the FortiWeb unit generates a report
summarizing and analyzing the results of the scan.
Web Vulnerability Scan > Web Vulnerability Scan > Scan History enables you to view an
historical archive of WVS reports. You can choose a WVS report from the archive and
view the report or download and save the report.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Vulnerability Scan
Configuration category. For details, see “About permissions” on page 80.


Table 117: Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan History tab


GUI item: Description

#: Displays the index number of the entry in the list.

Target Server: Displays the base URL that was scanned for vulnerabilities. Click to view
the scan report associated with this server.

URLs Found: Displays the number of URLs below the base URL that were scanned for
vulnerabilities.

Alerts Found: Displays the total number of vulnerabilities discovered during the scan.

Scan Time: Displays the date and time that the scan was performed.

Scan Mode: Indicates whether the scan job used Basic Mode (use HTTP GET only and omit both
user-defined and predefined sensitive URLs) or Enhanced Mode (use both HTTP POST and GET,
excluding only user-defined URLs).

(No column heading.) Click the View the scan report icon to view a report that summarizes
and analyzes the results of the associated vulnerability scan. For more information, see
“About web vulnerability scan reports” on page 310.
Click the Download report file icon to open or save the associated report.
Click the Delete the scan report icon to remove the report.

About web vulnerability scan reports


The web vulnerability scan report is divided into sections for a summary, vulnerabilities
and server information.
While viewing the Application Vulnerabilities section of the report, if any vulnerabilities are
detected, such as cross-site scripting or SQL injection, the vulnerability is described for
each URL on which it is detected. The report provides the following information for each
vulnerability:
• type
• severity
• URI
• method
• response header
• response body
To view the web server’s response to the request for that part of the scan, click View.


If after viewing the response you determine that the result is a false positive, click False
Positive. The false positive status will be saved and visible in any subsequent printout or
view of the report, helping to remind you that particular item should be ignored.

Figure 41: Viewing a vulnerability report (screenshot of the report for
http://www.example.com/; not reproduced here)


Logs and reports


Use the Log & Report menu to configure logging, reports, and alert email. It also enables
you to view locally stored log messages using the web-based manager, to download log
messages for further processing or analysis and to generate reports.
FortiWeb units provide extensive logging capabilities for traffic, system and network
protection functions. Detailed log information enables you to analyze network activity to
identify security issues and reduce network misuse and abuse.
This chapter includes the following topics:
• About logging
• Log message field descriptions
• Configuring and enabling logging
• Viewing log messages
• Downloading log messages
• Configuring and generating reports
• Viewing and downloading reports

Log configuration workflow


The following lists steps to configure log policy, settings, and reports.
1 Set log policies. See “Configuring log alert policies” on page 316.
2 Create one or more trigger policies. See “Configuring trigger policies” on page 322.
3 Set global log options. See “Configuring and enabling logging” on page 323.
Once you complete the above steps, you can begin viewing attack, event, and traffic logs,
and creating custom reports.
Tip: Consider creating log alert and trigger policies early in the configuration of your
FortiWeb unit. A web vulnerability scan policy, and many XML protection and web
protection rules can reference these policies and alert to key personnel to problems.

About logging
FortiWeb units can log many different network activities and traffic including:
• overall network traffic
• system-related events including system restarts and HA activity
• matches of policies whose Action includes Alert
For more information about log types, see “Log types” on page 314.
You can select a priority level that log messages must meet in order to be recorded. For
more information, see “Log priority levels” on page 314.
A FortiWeb unit can save log messages to its memory, or to a remote location such as a
Syslog server or FortiAnalyzer unit. For more information, see “Configuring and enabling
logging” on page 323. The FortiWeb unit can also use log messages as the basis for
reports. For more information, see “Configuring and generating reports” on page 344.

Event and attack log messages are also displayed in the system status dashboard. For
more information, see “Viewing system status” on page 41.

Log types
FortiWeb units can record the following categories of log messages:
Table 118: Log types

Log file type   Description
Event           Displays administration events such as downloading a backup copy of the configuration.
Traffic         Displays traffic flow information such as HTTP requests and, if a reply was permitted by the policy, HTTP responses.
Attack          Displays attack and intrusion attempt events.

Caution: Avoid recording highly frequent log types such as traffic logs to the local hard disk
for an extended period of time. Excessive logging frequency can cause undue wear on the
hard disk and may cause premature failure.

Log priority levels


Each log message contains a field that indicates the priority of the log message, such as
pri=warning.
Table 119: Log severity levels

Levels Description
0 - Emergency The system has become unusable.
1 - Alert Immediate action is required.
2 - Critical Functionality is affected.
3 - Error An error condition exists and functionality could be affected.
4 - Warning Functionality could be affected.
5 - Notification Information about normal events.
6 - Information General information about system operations.

For each location where the FortiWeb unit can store log files (disk, memory, Syslog or
FortiAnalyzer), you can define a priority threshold. The FortiWeb unit will store all log
messages equal to or exceeding the log priority level you select.

Caution: Avoid recording log messages using low log priority thresholds such as
information or notification to the local hard disk for an extended period of time. A low log
priority threshold is one possible cause of frequent logging. Excessive logging frequency
can cause undue wear on the hard disk and may cause premature failure.

For example, if you select Error, the FortiWeb unit will store log messages whose log
priority level is Error, Critical, Alert, or Emergency.
For more information, see “Configuring global log settings” on page 324.

Log message field descriptions


Table 120, “Log message fields,” on page 315 describes the fields that are available for
each type of log message. The specific fields that appear in a log message depend on the
selections you make. For more information, see “Viewing log messages” on page 331.

For a detailed description of each FortiWeb log message, see the FortiWeb Log Message
Reference.

Table 120: Log message fields

Field  [Used with log type]  Sample content
    Description

Date  [Event, Attack, Traffic]  Sample: 2010-11-28
    Displays the date that the log message was recorded.
Time  [Event, Attack, Traffic]  Sample: 15:38:01
    Displays the time that the log message was recorded.
ID  [Event, Attack, Traffic]  Sample: 0116080121
    Displays a 10-digit number that identifies the log message. The log message number consists of:
    • the first two digits represent the log type
    • the second two digits represent the log subtype
    • the fifth digit is reserved for future use and is always set to 0 (zero)
    • the last five digits are a static identifier assigned to each individual log message
MSG ID  [Event, Attack, Traffic]  Sample: 000044866169
    A unique 12-digit number assigned to each individual log message generated by the FortiWeb unit.
Type  [Event, Attack, Traffic]  Sample: event, attack, traffic
    Displays the type of log that occurred: event, attack or traffic.
Subtype  [Event, Attack, Traffic]
    Displays the log subtype, which provides additional information to identify the cause of the log message. The subtype identifies the area in which activity occurred. Numerous subtypes are defined for events, protection rule violations (attacks) or traffic. For more information, see the FortiWeb Log Message Reference.
Level  [Event, Attack, Traffic]  Sample: emergency, alert, critical, error, warning, notice, information, debug
    Displays the log priority level (log level) associated with the situation for which the log message was created.
Device ID  [Event, Attack, Traffic]  Sample: FV-1AA2B34567890
    Displays the identification number of the device from which the log message originated.
Time Zone  [Event, Attack, Traffic]  Sample: (GMT-5:00)Eastern Time (US & Canada)
    Displays the timezone in which the device is located.
User  [Event]  Sample: admin
    Displays the login name of the user that performed the action that caused the event log to be created.
User Interface  [Event]  Sample: GUI(10.0.0.22)
    Displays the type of user interface used when the log was created.
Action  [Event]  Sample: login, monitor, backup, download, upgrade
    Displays the action associated with the log.
Status  [Event]  Sample: alert, succeed, failure
    Displays the result of the action.
Reason  [Event]  Sample: name_invalid
    Displays the reason for the status.
Protocol  [Attack, Traffic]  Sample: TCP
    The protocol used by the web traffic.
Service  [Attack, Traffic]  Sample: HTTP, HTTPS
    The IP network service that defines the TCP port number on which the virtual server receives traffic.
Source  [Attack, Traffic]  Sample: 10.0.0.0
    The web traffic source IP address.
Source Port  [Attack, Traffic]  Sample: 3471
    The web traffic source port number.
Destination  [Attack, Traffic]  Sample: 10.0.0.1
    The web traffic destination IP address.
Destination Port  [Attack, Traffic]  Sample: 8080
    The web traffic destination port number.
Policy  [Attack, Traffic]  Sample: server policy name
    The name of the policy in use when the log was created.
HTTP method  [one log type: Attack or Traffic]  Sample: get
    The HTTP request method that was allowed to pass through the FortiWeb unit.
URL  [Attack, Traffic]  Sample: /image/example
    The URL address for the HTTP request.
HTTP Host  [Attack, Traffic]  Sample: example.com
    The host home page of the HTTP request.
HTTP Agent  [Attack, Traffic]  Sample: web_browser_information
    The web browser used for the HTTP request.
HTTP Session ID  [one log type: Attack or Traffic]  Sample: 1ABC123ABC123, unknown
    The serial number of the session associated with the HTTP request (if known).
Action  [Attack, Traffic]  Sample: alert, deny, return 403 error, redirect
    The action that was specified within the policy.
Severity Level  [Attack]  Sample: high, medium, low
    The severity level associated with an attack. Severity level is user-defined per violation.
Trigger Policy  [Attack]  Sample: trigger policy name
    The name of the trigger policy used for email alerts and Syslog.
Message  [Event, Attack, Traffic]  Sample: descriptive text
    The detail message describing the reason that the log message was created.
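
The log ID layout in Table 120 and the priority threshold rule from “Log priority levels” can be checked against actual log lines. The following Python script is an added example, not part of this guide and not FortiWeb code: it parses key=value log lines, splits the 10-digit ID into its type, subtype, reserved and message-identifier digits, and keeps only the records that a storage location with a given Log Level would record. The sample lines and their key names (log_id, msg_id, pri, device_id and so on) are constructed for illustration; the authoritative field names are in the FortiWeb Log Message Reference.

```python
"""Parse FortiWeb-style key=value log lines, decode the 10-digit log ID
described in Table 120, and apply the per-destination priority threshold
described under "Log priority levels".

Added example, not Fortinet code. The sample lines and their key names
(log_id, msg_id, pri, ...) are constructed for illustration; consult the
FortiWeb Log Message Reference for the real field names."""

import re
from typing import Dict, List

# Table 119 ordering, most severe first. Table 120 also lists a 'debug'
# level, so it is appended after 'information'.
PRIORITY_ORDER = ["emergency", "alert", "critical", "error", "warning",
                  "notification", "information", "debug"]
# Table 120 spells the sixth level 'notice'; Table 119 calls it Notification.
PRIORITY_ALIASES = {"notice": "notification", "info": "information"}

# key=value pairs; a value is either double-quoted (may contain spaces and
# escaped quotes) or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def normalize_priority(level: str) -> str:
    level = PRIORITY_ALIASES.get(level.lower(), level.lower())
    if level not in PRIORITY_ORDER:
        raise ValueError(f"unknown priority level {level!r}")
    return level


def meets_threshold(level: str, threshold: str) -> bool:
    """True if `level` is at least as severe as `threshold`: a threshold of
    Error keeps Error, Critical, Alert and Emergency, as the guide states."""
    order = PRIORITY_ORDER.index
    return order(normalize_priority(level)) <= order(normalize_priority(threshold))


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, unquoting quoted values."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def decode_log_id(log_id: str) -> Dict[str, str]:
    """Break the 10-digit ID into the parts Table 120 describes."""
    if not re.fullmatch(r"\d{10}", log_id):
        raise ValueError(f"log ID must be exactly 10 digits, got {log_id!r}")
    if log_id[4] != "0":
        raise ValueError("fifth digit is reserved and must be 0")
    return {"log_type": log_id[0:2], "log_subtype": log_id[2:4],
            "reserved": log_id[4], "message_id": log_id[5:]}


def filter_for_destination(lines: List[str], threshold: str) -> List[Dict[str, str]]:
    """Return the parsed records a storage location with `threshold` would keep."""
    kept = []
    for line in lines:
        rec = parse_log_line(line)
        if meets_threshold(rec["pri"], threshold):
            kept.append(rec)
    return kept


# Constructed sample lines (field names and values are illustrative only).
SAMPLE_LINES = [
    'date=2010-11-28 time=15:38:01 log_id=0116080121 msg_id=000044866169 '
    'device_id=FV-1AA2B34567890 timezone="(GMT-5:00)Eastern Time (US & Canada)" '
    'type=event subtype=admin pri=information user=admin ui="GUI(10.0.0.22)" '
    'action=login status=succeed msg="administrator logged in"',
    'date=2010-11-28 time=15:39:12 log_id=2000000002 msg_id=000044866170 '
    'device_id=FV-1AA2B34567890 type=attack subtype=sql_injection pri=alert '
    'proto=TCP service=HTTP src=10.0.0.0 src_port=3471 dst=10.0.0.1 dst_port=8080 '
    'policy="server policy name" http_method=get http_url="/image/example" '
    'http_host=example.com action=deny severity_level=high '
    'trigger_policy="trigger policy name" msg="SQL injection signature matched"',
    'date=2010-11-28 time=15:39:13 log_id=3000000003 msg_id=000044866171 '
    'device_id=FV-1AA2B34567890 type=traffic subtype=http pri=notice proto=TCP '
    'service=HTTPS src=10.0.0.0 src_port=3472 dst=10.0.0.1 dst_port=8080 '
    'policy="server policy name" http_method=get http_url="/index.html" '
    'http_host=example.com action=alert msg="HTTP request permitted"',
    'date=2010-11-28 time=15:40:00 log_id=0101000010 msg_id=000044866172 '
    'device_id=FV-1AA2B34567890 type=event subtype=admin pri=error user=admin '
    'ui="GUI(10.0.0.22)" action=backup status=failure reason=name_invalid '
    'msg="backup failed"',
]

if __name__ == "__main__":
    for rec in filter_for_destination(SAMPLE_LINES, "error"):
        print(rec["type"], rec["pri"], decode_log_id(rec["log_id"]), rec["msg"])
```

With a threshold of Error the filter keeps the constructed attack (alert) and backup-failure (error) records and drops the notice and information ones, which is the rule given above. The same filter run over a downloaded log file shows what a Syslog or FortiAnalyzer destination configured with that Log Level should have received, a quick way to reconcile local and remote copies.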

Configuring log alert policies


To stay aware of problems and track activities, you can configure log-based alerts in the
form of system email, Syslog messages, and FortiAnalyzer messages, combined with
email triggers.
This section includes the following topics:
• Configuring email policies
• Configuring Syslog policies
• Configuring FortiAnalyzer policies
• Configuring trigger policies

Configuring email policies


Log&Report > Log Policy > Email Policy enables you to create policies that are used by
protection rules to alert specific administrators or other personnel when an alert condition
occurs, such as a system failure or network attack. An email policy includes email address
information for selected recipients and it sets the frequency that emails will be sent to
those recipients.
The email policies are attached to FortiWeb protection policies that monitor for
occurrences of certain violations. When the protection policy detects a violation, an alert
email is distributed if the violation control conditions are met.
For example, you might configure a server protection rule to monitor for SQL-injection
violations and take specific actions if those types of violations occur. The specific actions
can include sending an alert email, in which case the email is sent to the individuals
identified in the email policy attached to the trigger policy used for the SQL-injection
violation. The trigger policy could also include recording the violation in Syslog or
FortiAnalyzer according to the policies attached to the trigger policy used for the SQL
violation. For more information on Syslog or FortiAnalyzer policy, see “Configuring Syslog
policies” on page 319 and “Configuring FortiAnalyzer policies” on page 321.
The alert email policy also enables you to define the interval that emails are sent if the
same alert condition persists following the initial occurrence.
For example, you might configure the FortiWeb unit to send only one alert message for
each 15-minute interval after warning-level log messages begin to be recorded. In that
case, if the alert condition continues to occur for 35 minutes after the first warning-level log
message, the FortiWeb unit would send a total of three alert email messages, no matter
how many warning-level log messages were recorded during that period of time.
Intervals are configured separately for each severity level of log messages. For more
information on the severity levels of log messages, see “Log priority levels” on page 314.
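
The interval behaviour described in the preceding paragraphs can be made concrete with a short simulation. The following Python script is an added example, not FortiWeb code; it models the rule as stated here (an alert at the first message of a severity level, then at most one more per configured interval while the condition persists, with intervals tracked separately per level). The exact timer behaviour of the unit is not specified on this page, so the model is an assumption, and the once-a-minute stream of warning messages it replays is constructed.

```python
"""Model the alert email interval described in the guide: once the first
alert for a severity level has been sent, further log messages at that
level produce at most one more alert per configured interval while the
condition persists.

Added example, not Fortinet code. The rule is modelled as the guide states
it (separate interval per severity level); the unit's exact timer behaviour
is not given on this page and is assumed here."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AlertThrottle:
    """Minutes between alerts, per severity level, as set in the email policy."""
    interval_minutes: Dict[str, int]
    _last_sent: Dict[str, float] = field(default_factory=dict)

    def offer(self, severity: str, t_minutes: float) -> bool:
        """Report a log message at time t; return True if an alert email goes out."""
        if severity not in self.interval_minutes:
            raise KeyError(f"no interval configured for severity {severity!r}")
        last = self._last_sent.get(severity)
        if last is None or t_minutes - last >= self.interval_minutes[severity]:
            self._last_sent[severity] = t_minutes
            return True
        return False


def alerts_sent(events: List[Tuple[float, str]],
                intervals: Dict[str, int]) -> List[Tuple[float, str]]:
    """Replay (time, severity) log messages in time order; return those that alerted."""
    throttle = AlertThrottle(intervals)
    return [(t, sev) for t, sev in sorted(events) if throttle.offer(sev, t)]


def guide_scenario() -> int:
    """The guide's worked case: a 15-minute Warning interval and a condition
    that keeps logging for 35 minutes after the first message (constructed as
    one warning log per minute) -> 3 alert emails, at minutes 0, 15 and 30."""
    events = [(minute, "warning") for minute in range(0, 36)]
    return len(alerts_sent(events, {"warning": 15}))


def per_level_independence() -> Dict[str, int]:
    """Intervals are tracked per severity: the same 36 minutes of Critical
    messages with a 5-minute interval yield 8 alerts (0, 5, ..., 35), while
    the Warning stream is still limited to 3."""
    events = ([(m, "warning") for m in range(0, 36)]
              + [(m, "critical") for m in range(0, 36)])
    counts: Dict[str, int] = {}
    for _, sev in alerts_sent(events, {"warning": 15, "critical": 5}):
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    print("warning alerts in the guide's scenario:", guide_scenario())
    print("alerts per level:", per_level_independence())
```

guide_scenario() reproduces the case above: with a 15-minute Warning interval and a condition that keeps logging for 35 minutes after the first message, alerts go out at minutes 0, 15 and 30, three in total, regardless of how many warning messages were recorded in between. The operational consequence is that alert email counts say nothing about event volume; use the log messages themselves, or a report, when you need counts.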
Before you can send alerts, you must enable alert email for the log type that you want to
use as a trigger. For details, see “Enabling logging” on page 327.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.
Table 121: Log&Report > Log Policy > Email Policy tab

GUI item              Description
Create New            Click to add a new email policy.
#                     Displays the index number of the entry in the list.
Policy Name           Displays the name of the email policy.
(No column heading.)  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile. Click the Edit icon to modify the entry.

To configure email policies


1 Go to Log&Report > Log Policy > Email Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
A dialog appears.

3 Configure the following:

GUI item        Description
Policy Name     Type the name of the email policy. This field cannot be modified if you are editing an existing email policy. To modify the name, delete the entry, then recreate it using the new name.
SMTP server     Enter the fully qualified domain name (FQDN) or IP address of the SMTP relay or server that the FortiWeb unit will use to send alerts and generated reports.
                Caution: If you enter a domain name, you must also configure the FortiWeb unit with at least one DNS server. Failure to configure a DNS server may cause the FortiWeb unit to be unable to resolve the domain name, and therefore unable to send the alert. For information on configuring use of a DNS server, see “Configuring the DNS settings” on page 58.
Email from      Enter the sender email address that the FortiWeb unit will use when sending alert email messages.
Email to        Enter one to three recipient email addresses, one per field.
Authentication  Enable to authenticate with the SMTP relay when sending alerts.
SMTP user       Enter the user name of the account on the SMTP relay that will be used to send alerts. This option is available only if Authentication is enabled.
Password        Enter the password of the account on the SMTP relay that will be used to send alerts. This option is available only if Authentication is enabled.
Apply & Test    Click to save the alert configuration and send a sample alert to the recipient.
Log Level       Select the priority threshold that log messages must meet or exceed in order to cause an alert. For more information on log levels, see “Log priority levels” on page 314.
Emergency       Enter the number of minutes between each alert if an alert condition of severity level Emergency continues to occur after the initial alert.
Alert           Enter the number of minutes between each alert if an alert condition of severity level Alert continues to occur after the initial alert.
Critical        Enter the number of minutes between each alert if an alert condition of severity level Critical continues to occur after the initial alert.
Error           Enter the number of minutes between each alert if an alert condition of severity level Error continues to occur after the initial alert.
Warning         Enter the number of minutes between each alert if an alert condition of severity level Warning continues to occur after the initial alert.
Notification    Enter the number of minutes between each alert if an alert condition of severity level Notification continues to occur after the initial alert.
Information     Enter the number of minutes between each alert if an alert condition of severity level Information continues to occur after the initial alert.
Debug           Enter the number of minutes between each alert if an alert condition of severity level Debug continues to occur after the initial alert.
4 Click OK.
The FortiWeb unit saves the configuration and returns to the Email Policy tab.

Configuring Syslog policies


Log&Report > Log Policy > Syslog Policy enables you to create policies that are used by
protection rules to store log messages remotely on a Syslog server.
For example, once you create a Syslog policy, it can be used by a trigger policy, which in
turn can be applied to a trigger action in a protection rule.

Note: Logs stored remotely cannot be viewed from the FortiWeb web-based manager. If
you require the ability to view logs from the web-based manager, also enable local storage.
For details, see “Enabling logging” on page 327.

Before you can log remotely, you must enable alert email for the log type that you want to
use as a trigger. For details, see “Enabling logging” on page 327.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.

Table 122: Log&Report > Log Policy > Syslog Policy tab

GUI item              Description
Create New            Click to add a new Syslog policy.
#                     Displays the index number of the entry in the list.
Policy Name           Displays the name of the Syslog policy.
(No column heading.)  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile. Click the Edit icon to modify the entry.

To configure Syslog policies


1 Go to Log&Report > Log Policy > Syslog Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
A dialog appears.

3 Configure the following:

GUI item           Description
Policy Name        Type the name of the Syslog policy. This field cannot be modified if you are editing an existing Syslog policy. To modify the name, delete the entry, then recreate it using the new name.
Name/IP            Enter the IP address of the remote Syslog server.
Port               Enter the listening port number of the Syslog server. The default is 514.
Enable CSV format  Enable to send log messages in comma-separated value (CSV) format.

4 Click OK.
5 To verify logging connectivity, from the FortiWeb unit, trigger a log message that
matches the types and severity levels that you have chosen to store on the remote
host. Then, on the remote host, confirm that it has received that log message.
If the remote host does not receive the log messages, verify the FortiWeb unit’s
network interfaces (see “Configuring the network and VLAN interfaces” on page 50)
and static routes (see “Configuring static routes” on page 105), and the policies on any
intermediary firewalls or routers. If ICMP ECHO (ping) is enabled on the remote host,
try using the execute traceroute command to determine the point where
connectivity fails. For details, see the FortiWeb CLI Reference.
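
For the connectivity check in step 5, a small receiver on the remote host shows whether the test message arrives and how its syslog priority decodes. The following Python script is an added example, not Fortinet code: it waits for one UDP datagram, splits the <PRI> header into facility and severity (PRI = facility × 8 + severity), parses the message text as CSV when the policy has Enable CSV format turned on, and lists any other source addresses that used the same facility as the FortiWeb unit, the uniqueness check that the Facility setting under Global Log Settings asks you to make. The sample datagrams are constructed; the layout of the message text after the header, including the CSV column order, is assumed for illustration.

```python
"""Receive and decode one syslog datagram on the remote host, to confirm a
FortiWeb test message arrived and to see which facility/severity it carried.

Added example, not Fortinet code. The sample datagrams are constructed; the
text layout after the <PRI> header and the CSV column order are assumed."""

import csv
import io
import re
import socket
from typing import Dict, List, Optional

# RFC 3164 numeric facility and severity codes. local0..local7 (16..23) are
# the usual choice for a per-device facility identifier.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
                  "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
                  "alert", "clock", "local0", "local1", "local2", "local3",
                  "local4", "local5", "local6", "local7"]
SEVERITY_NAMES = ["emergency", "alert", "critical", "error", "warning",
                  "notice", "informational", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)\Z", re.DOTALL)


def parse_syslog_frame(datagram: bytes, csv_format: bool = False) -> Dict[str, object]:
    """Decode <PRI> into facility and severity (PRI = facility * 8 + severity)
    and return the message text, split into columns when the Syslog policy
    sends CSV."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram does not start with a <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    text = m.group(2).decode("utf-8", errors="replace").rstrip("\r\n")
    frame: Dict[str, object] = {
        "pri": pri,
        "facility": facility, "facility_name": FACILITY_NAMES[facility],
        "severity": severity, "severity_name": SEVERITY_NAMES[severity],
        "message": text,
    }
    if csv_format:
        frame["columns"] = next(csv.reader(io.StringIO(text)))
    return frame


def receive_one(port: int, timeout: float = 30.0, bind_addr: str = "0.0.0.0",
                csv_format: bool = False) -> Optional[Dict[str, object]]:
    """Wait for one UDP datagram and return it decoded, or None on timeout.
    Binding to 514 needs root; for a quick test use a high port here and set
    the same Port in the Syslog policy."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((bind_addr, port))
        try:
            data, (src_ip, _) = sock.recvfrom(65535)
        except socket.timeout:
            return None
    frame = parse_syslog_frame(data, csv_format=csv_format)
    frame["source_ip"] = src_ip
    return frame


def facility_collisions(frames: List[Dict[str, object]], fortiweb_ip: str,
                        facility: int) -> List[str]:
    """Source IPs other than the FortiWeb unit that sent with its facility,
    i.e. devices whose messages would be mixed into the FortiWeb logs."""
    return sorted({str(f["source_ip"]) for f in frames
                   if f["facility"] == facility and f["source_ip"] != fortiweb_ip})


# Constructed sample datagrams: <134> = local0 (16) * 8 + informational (6);
# <129> = local0 (16) * 8 + alert (1).
SAMPLE_KV = (b'<134>date=2010-11-28 time=15:38:01 log_id=0116080121 type=event '
             b'pri=information msg="syslog connectivity test"')
SAMPLE_CSV = b'<129>2010-11-28,15:38:01,0116080121,attack,alert,"msg, with comma"'

if __name__ == "__main__":
    print(receive_one(port=5514, timeout=60.0))
```

Run it with a high port (receive_one(port=5514) in the example) and set the same Port in the Syslog policy while testing, since binding to the default 514 requires root on most hosts. If several devices send to the same collector, collect a few frames and call facility_collisions() with the FortiWeb unit's address and facility number to confirm no other device shares that identifier.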

Configuring FortiAnalyzer policies


Log&Report > Log Policy > FortiAnalyzer Policy enables you to create policies that are
used by protection rules to store log messages remotely on a FortiAnalyzer unit.
For example, once you create a FortiAnalyzer policy, it can be used by a trigger policy,
which in turn can be applied to a trigger action in a protection rule.

Note: Logs stored remotely cannot be viewed from the web-based manager of the
FortiWeb unit. If you require the ability to view logs from the web-based manager, also
enable local storage. For details, see “Enabling logging” on page 327.

Before you can log remotely, you must enable alert email for the log type that you want to
use as a trigger. For details, see “Enabling logging” on page 327.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.

Table 123: Log&Report > Log Policy > FortiAnalyzer Policy tab

GUI item              Description
Create New            Click to add a new FortiAnalyzer policy.
#                     Displays the index number of the entry in the list.
Policy Name           Displays the name of the FortiAnalyzer policy.
(No column heading.)  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile. Click the Edit icon to modify the entry.

To configure FortiAnalyzer policies


1 Go to Log&Report > Log Policy > FortiAnalyzer Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
A dialog appears.

3 Configure the following:

GUI item     Description
Policy Name  Type the name of the FortiAnalyzer policy. This field cannot be modified if you are editing an existing FortiAnalyzer policy. To modify the name, delete the entry, then recreate it using the new name.
IP Address   Enter the IP address of the remote FortiAnalyzer unit.

4 Click OK.
5 Confirm with the FortiAnalyzer administrator that the FortiWeb unit has been added to
the FortiAnalyzer unit’s device list, allocated sufficient disk space quota, and assigned
permission to transmit logs to the FortiAnalyzer unit. For details, see the FortiAnalyzer
Administration Guide.
6 To verify logging connectivity, from the FortiWeb unit, trigger a log message that
matches the types and severity levels that you have chosen to store on the remote
host. Then, on the remote host, confirm that it has received that log message.
If the remote host does not receive the log messages, verify the FortiWeb unit’s
network interfaces (see “Configuring the network and VLAN interfaces” on page 50)
and static routes (see “Configuring static routes” on page 105), and the policies on any
intermediary firewalls or routers. If ICMP ECHO (ping) is enabled on the remote host,
try using the execute traceroute command to determine the point where
connectivity fails. For details, see the FortiWeb CLI Reference.

Configuring trigger policies


Log&Report > Log Policy > Trigger Policy enables you to create policies that are used by
protection rules to trigger alert emails and to generate Syslog and FortiAnalyzer records.
For example, if you create a trigger policy that uses an email policy and a Syslog policy,
that trigger policy can be applied as a trigger action to specific violations in a protection
rule. Alert email and Syslog records will be created according to the trigger policy when a
rule violation occurs.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.

Table 124: Log&Report > Log Policy > Trigger Policy tab

GUI item              Description
Create New            Click to add a new trigger policy.
#                     Displays the index number of the entry in the list.
Policy Name           Displays the name of the trigger policy.
(No column heading.)  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile. Click the Edit icon to modify the entry.

To configure trigger policies


1 Go to Log&Report > Log Policy > Trigger Policy.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
A dialog appears.

3 Configure the following:

GUI item              Description
Policy Name           Type the name of the trigger policy. This field cannot be modified if you are editing an existing trigger policy. To modify the name, delete the entry, then recreate it using the new name.
Email Policy          Select the email policy that you want to associate with the trigger action policy. This email policy will be used by all protection rule violations when applied to the protection rule trigger action.
Syslog Policy         Select the Syslog policy that you want to associate with the trigger action policy. This Syslog policy will be used by all protection rule violations when applied to the protection rule trigger action.
FortiAnalyzer Policy  Select the FortiAnalyzer policy that you want to associate with the trigger action policy. This FortiAnalyzer policy will be used by all protection rule violations when applied to the protection rule trigger action.

4 Click OK.

Configuring and enabling logging


To diagnose problems or track actions that the FortiWeb unit performs as it receives and
processes traffic, configure the FortiWeb unit to record log messages.
You can configure the FortiWeb unit to store log messages locally (that is, in RAM or on the
hard disk), remotely (that is, on a Syslog server or FortiAnalyzer unit), or both. Your
choice of storage location may be affected by several factors, including the following.
• Rebooting the FortiWeb unit clears logs stored in memory.
• Logging only locally may not satisfy your requirements for off-site log storage.
• Attack logs and traffic logs cannot be logged to local memory.
• Very frequent logging may cause undue wear when stored on the local hard drive. A
low severity threshold is one possible cause of frequent logging. For more information
on severity levels, see “Log priority levels” on page 314.
• Very frequent logging, such as when the severity level is low, may rapidly consume all
available log space when stored in memory. If the available space is consumed, and if
the FortiWeb unit is configured to do so, it may store any new log message by
overwriting the oldest log message. For high traffic volumes, this may occur so rapidly
that you cannot view old log messages before they are replaced. For more information
on severity levels, see “Log priority levels” on page 314.

• Usually, fewer log messages can be stored in memory. Logging to a Syslog server or
FortiAnalyzer unit may provide you with additional log storage space.
For information on viewing locally stored log messages, see “Viewing log messages” on
page 331.
This section includes the following topics:
• Configuring global log settings
• Enabling logging
• Obscuring sensitive data in the logs

Configuring global log settings


Log&Report > Log Config > Global Log Settings displays the settings used to store log
information and to alert users when log messages are recorded.
Depending on the type of log, log messages can be stored on the local hard disk, in local
memory, on a Syslog server or on a FortiAnalyzer unit, as shown in Table 125.
Table 125: Log storage

Storage area    Event logs  Traffic logs  Attack logs
Local disk      yes         yes           yes
Local memory    yes         no            no
Syslog server   yes         yes           yes
FortiAnalyzer   yes         yes           yes

Use alert emails to notify users when problems occur. Distribution of alert emails is
managed through email policies that define who receives the alert emails and the
frequency at which the alert emails are sent.

Caution: Avoid recording highly frequent log types such as traffic logs to the local hard disk
for an extended period of time. Excessive logging frequency can cause undue wear on the
hard disk and may cause premature failure.

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.

To configure log settings


1 Go to Log&Report > Log Config > Global Log Settings.

2 Configure the following:

Table 126: Global Log Settings

GUI item
    Description

Disk
    Enable to record log messages to the local hard disk on the FortiWeb unit.
    If the FortiWeb unit is logging to its hard disk, you can use the web-based manager to view log messages that are stored locally on the FortiWeb unit. For details, see “Viewing log messages” on page 331.
    Before you can log to the hard disk, you must first enable logging. For details, see “Enabling logging” on page 327. For logging accuracy, you should also verify that the FortiWeb unit’s system time is accurate. For details, see “Configuring system time” on page 100.
    Expand the disk storage configuration to display additional options:
    Log Level: Select the severity level that a log message must equal or exceed in order to be recorded to this storage location.
    Caution: Avoid recording log messages using low severity thresholds such as information or notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.
    For information about severity levels, see “Log priority levels” on page 314.
    When log disk is full: Select what the FortiWeb unit will do when the local disk is full and a new log message occurs, either:
    • Do not log: discards the new log message.
    • Overwrite oldest logs: deletes the oldest log file in order to free disk space, and stores the new log message.
    Log rolling settings: Enter the maximum file size of the current log file. When a log file reaches the size limit, the FortiWeb unit rotates the current log file: that is, it renames the current log file (elog.log) with a file name indicating its sequential relationship to other log files of that type (elog2.log, and so on), then creates a new current log file. The log file size limit must be between 10 MB and 1 000 MB.

Memory
    Enable to record log messages in the local random access memory (RAM) of the FortiWeb unit.
    Note: Only event logs can be stored in the local memory. Attack and traffic logs cannot be stored in memory.
    If the FortiWeb unit is logging to memory, you can use the web-based manager to view log messages that are stored locally on the FortiWeb unit. For details, see “Viewing log messages” on page 331.
    Caution: Log messages stored in memory should not be regarded as permanent. All log entries stored in memory are cleared when the FortiWeb unit restarts. When available memory space for log messages is full, the FortiWeb unit will store any new log message by overwriting the oldest log message.
    Before you can record event logs to the local memory, you must first enable logging. For details, see “Enabling logging” on page 327. For logging accuracy, you should also verify that the FortiWeb unit’s system time is accurate. For details, see “Configuring system time” on page 100.
    Expand the memory storage configuration to display additional options:
    Log Level: Select the severity level that a log message must equal or exceed in order to be recorded to this storage location.
    For information about severity levels, see “Log priority levels” on page 314.

Syslog
    Enable to store log messages remotely, on a Syslog server.
    Warning: Enabling Syslog could result in excessive log messages being recorded in Syslog.
    Syslog entries are controlled by Syslog policies and trigger actions associated with various types of violations. If the Syslog option is enabled, but a trigger action has not been selected for a specific type of violation, every occurrence of that violation will be recorded in Syslog and transmitted to the Syslog server. For more information, see “Responding to web protection rule violations” on page 191.
    Note: Logs stored remotely cannot be viewed from the FortiWeb web-based manager.
    Before you can store logs on a remote location you must first enable logging. For details, see “Enabling logging” on page 327. For logging accuracy, you should also verify that the FortiWeb unit’s system time is accurate. For details, see “Configuring system time” on page 100.
    Expand the Syslog storage configuration to display additional options:
    Syslog Policy: Select the policy to use when storing log information remotely. The Syslog policy includes the address information for the remote Syslog server. For more information, see “Configuring Syslog policies” on page 319.
    Log Level: Select the severity level that a log message must equal or exceed in order to be recorded to this storage location.
    For information about severity levels, see “Log priority levels” on page 314.
    Facility: Select the facility identifier that the FortiWeb unit will use to identify itself when sending log messages to the first Syslog server.
    To easily identify log messages from the FortiWeb unit when they are stored on the Syslog server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.

Alert Mail: Enable to generate alert email when log messages are created.
Warning: Enabling Alert Email could result in excessive alert email.
Distribution of alert emails is controlled by email policies and trigger actions
associated with various types of violations. If the Alert Mail option is enabled, but
a trigger action has not been selected for a specific type of violation, every
occurrence of that violation will result in an alert email to the individuals
associated with the policy selected in the Email Policy field. For more
information, see “Responding to web protection rule violations” on page 191.
Expand the Alert Mail configuration to display additional options:
Email Policy: Select the email policy to use for alert emails. For more information,
see “Configuring email policies” on page 317.
Alert Mail is not available for the traffic logs.
FortiAnalyzer: Enable to store log messages remotely, on a FortiAnalyzer unit.
Warning: Enabling FortiAnalyzer could result in excessive log messages being
recorded in FortiAnalyzer.
FortiAnalyzer entries are controlled by FortiAnalyzer policies and trigger actions
associated with various types of violations. If the FortiAnalyzer option is enabled,
but a trigger action has not been selected for a specific type of violation, every
occurrence of that violation will be recorded in FortiAnalyzer. For more
information, see “Responding to web protection rule violations” on page 191.
Note: Logs stored remotely cannot be viewed from the FortiWeb web-based
manager.
Before you can store logs on a remote location you must first enable logging. For
details, see “Enabling logging” on page 327. For logging accuracy, you should
also verify that the FortiWeb unit’s system time is accurate. For details, see
“Configuring system time” on page 100.
Expand the FortiAnalyzer storage configuration to display additional options:
FortiAnalyzer Policy: Select the policy to use when storing log information
remotely. The FortiAnalyzer policy includes the address information for the
remote FortiAnalyzer unit. For more information, see “Configuring FortiAnalyzer
policies” on page 321.
Log Level: Select the severity level that a log message must equal or exceed in
order to be recorded to this storage location.
For information about severity levels, see “Log priority levels” on page 314.
3 Click Apply.
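The Facility and Log Level settings above are what the Syslog server sees encoded in the PRI field of each forwarded message, and the "equal or exceed" rule is applied before forwarding. The following Python is an added illustration, not FortiWeb code: it uses the standard syslog facility and severity numbers (FortiWeb's own level names on page 314 may differ), a hypothetical hostname, and constructed sample records.

```python
from datetime import datetime

# Standard syslog facility and severity numbers (RFC 3164 / RFC 5424). The severity
# names are the generic syslog ones; they are an assumption, not FortiWeb's level list.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6, "debug": 7,
}


def syslog_pri(facility, severity):
    """PRI value that leads every syslog message: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Recover (facility, severity) from a PRI value. A collector uses this to split
    streams, which is why the guide asks for a facility no other device uses."""
    fac_num, sev_num = divmod(pri, 8)
    facility = next(name for name, num in FACILITIES.items() if num == fac_num)
    severity = next(name for name, num in SEVERITIES.items() if num == sev_num)
    return facility, severity


def meets_log_level(severity, minimum):
    """Recorded if the message severity equals or exceeds the configured Log Level.
    Lower numbers are more severe, so 'exceeds' means a smaller or equal number."""
    return SEVERITIES[severity] <= SEVERITIES[minimum]


def format_syslog(record, facility, hostname="fortiweb-1"):
    """Render one record as an RFC 3164-style line: <PRI>TIMESTAMP HOST MESSAGE.
    The hostname is a hypothetical placeholder."""
    pri = syslog_pri(facility, record["level"])
    stamp = record["time"].strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {record['msg']}"


def forward_to_syslog(records, facility, minimum_level):
    """Apply the Log Level threshold, then format what survives for the Syslog server."""
    return [format_syslog(r, facility) for r in records
            if meets_log_level(r["level"], minimum_level)]


# Constructed sample records (not taken from a FortiWeb unit).
SAMPLE_RECORDS = [
    {"time": datetime(2011, 6, 16, 10, 15, 2), "level": "alert",
     "msg": "attack detected: DETECT_PARAM_RULE_FAILED"},
    {"time": datetime(2011, 6, 16, 10, 16, 0), "level": "information",
     "msg": "admin login from 192.0.2.10"},
    {"time": datetime(2011, 6, 16, 10, 17, 30), "level": "warning",
     "msg": "persistent server sessions at 80% of limit"},
]
```

With Log Level set to warning and facility local3, the information-level login record is dropped and the two remaining lines carry PRI 153 and 156, which a receiving server decodes back to local3 plus alert and warning respectively.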

Enabling logging
Log&Report > Log Config > Other Log Settings allows you to enable or disable logging for
each log type.
For more information on log types, see “Log types” on page 314.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.

To enable logging
1 Go to Log&Report > Log Config > Other Log Settings.


2 Enable one or more of the following:

Table 127: Configuring Other Log Settings

Enable Attack Log: Enable to log violations of attack policies, such as server protection
rules.
Retain Packet Payload For: Under Retain Packet Payload For, mark the corresponding check
box for each of the attack types or validation failures that are detected using a regular
expression, such as XSS Attack Detection or Parameter Rule Violation, if you want to retain
the offending packet payload with its log message. Packet retention is enabled by default
for all message types, except custom signature detection.
Packet payloads supplement the log message by providing the actual data that triggered the
regular expression, which may help you to fine-tune your regular expressions to prevent
false positives, or to examine changes to attack behavior for subsequent forensic analysis.
The FortiWeb unit retains only the first 4 KB of data from the offending HTTP request
payload that triggered the log message.
Packet payloads are accessible from the Packet Log column when viewing an attack log using
the web-based manager. For details, see “Viewing log messages” on page 331.
If packet payloads could contain sensitive information, you may need to obscure those
elements. For details, see “Obscuring sensitive data in the logs” on page 329.
Enable Event Log: Enable to log system events, such as user activity or rebooting the
FortiWeb unit.


Persistent Server Session Threshold: Select a threshold level that will trigger an event
log when the actual number of persistent server sessions reaches the defined percentage
(50% to 90%) of the total number of persistent server sessions allowed for the FortiWeb
unit. The default setting is 80%.
For example, if Persistent Server Session Threshold is set to 50%, and the allowed number
of persistent server sessions is 15,000, an event log is triggered when the actual number
of persistent sessions reaches 50% of the allowed number, or 7,500 persistent server
sessions.
For more information on the total persistent server sessions, see “Appendix B: Maximum
values” on page 397.
Enable Traffic Log: Enable to log traffic events such as HTTP requests and responses, and
the expiration of HTTP sessions. If you do not need traffic data, disable this feature to
increase system performance.
Enable Packet Log: If you want to retain regular traffic packet payloads, mark Enable
Packet Log. Unlike attack packet payloads, only request direction traffic packets are
retained, and only the first 4 KB of the payload if it is larger.
Note: Retaining traffic packet payloads is resource intensive. Only enable this option
when absolutely necessary.
Packet payloads are accessible from the Packet Log column when viewing a log using the
web-based manager. For details, see “Viewing packet log details” on page 336.
3 Click Apply.

Obscuring sensitive data in the logs


If enabled to do so, a FortiWeb unit will hide some predefined data types, including user
names and passwords, that could appear in the packet payloads accompanying a log
message. You can also define your own sensitive data types, such as ages or other
identifying numbers, using regular expressions.

Note: Sensitive data definitions are not retroactive. They will hide strings in subsequent log
messages, but will not affect existing ones.

To exclude custom sensitive data from log packet payloads


1 Go to Log&Report > Log Config > Log Custom Sensitive Rule.

2 On the right side of the tab, select one or both of the following:
• Enable Predefined Rules: Use the predefined credit card number and password
data types.
• Enable Custom Rules: Use your own regular expressions to define sensitive data.
3 Click Create New.
A dialog appears.


4 Give the rule a name.


5 Select either General Mask (a regular expression that will match any substring in the
packet payload) or Field Mask (a regular expression that will match only the value of a
specific form input).
• In the field next to General Mask, type a regular expression that matches all the
strings or numbers that you want to obscure in the packet payloads.
For example, to hide a parameter that contains the age of users under 14, you could
enter:
age=(1[0-3]|[1-9])\b
(The alternation matches the numbers 1 through 13; the \b ensures that the first digit of
a larger number such as 14 is not matched on its own.)
Valid expressions must not start with an asterisk ( * ). The maximum length is 21
characters.
• For Field Mask, in the left-hand field (Field Name), type a regular expression that
matches all and only the input names whose values you want to obscure. (The input
name itself will not be obscured. If you wish to do this, use General Mask instead.)
Then, in the right hand field (Field Value), type a regular expression that matches all
input values that you want to obscure. Valid expressions must not start with an
asterisk ( * ). The maximum length is 22 characters.
For example, to hide a parameter that contains the age of users under 14, for Field
Name, you would enter age, and for Field Value, you could enter (1[0-3]|[1-9])\b.

Caution: Field masks using asterisks are greedy: a match for the parameter’s value will
obscure it, but will also obscure the rest of the parameters in the line. To avoid this, enter
an expression whose match terminates with, but does not consume, the parameter
separator.

For example, if parameters are separated with an ampersand ( & ), and you want to
obscure the value of the Field Name username but not any of the parameters that follow it,
you could enter the Field Value:

.*?(?=\&)

This would result in:

username****&age=13&origurl=%2Flogin


Tip: To create and test a regular expression, click the >> (test) icon. This opens the Regular
Expression Validator window where you can fine-tune the expression.

6 Click OK.
The expression appears in the list of regular expressions that define sensitive data that
will be obscured in the logs.
When viewing new log messages, data types matching your expression will be
replaced with a string of * characters equal in length to the sensitive data.
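The masking rules in this section (General Mask over the whole payload, Field Mask applied to the value after a matching input name, replacement by a string of * characters equal in length, and the greedy-match caution) can be reproduced in a few lines. The following Python is an added example, not FortiWeb's implementation: the sample payload is constructed, the parameter separator is assumed to be an ampersand, and the Field Name expression is assumed to have to match the whole input name.

```python
import re

# Constructed sample packet payload (not from the guide): a form-encoded login body.
SAMPLE_PAYLOAD = "username=alice&password=s3cret&age=13&origurl=%2Flogin"


def _stars(match):
    """Replacement callback: * characters equal in length to the sensitive match."""
    return "*" * len(match.group(0))


def _check_expression(expression):
    # The guide's validity rule: expressions must not start with an asterisk.
    if expression.startswith("*"):
        raise ValueError("sensitive data expressions must not start with an asterisk")


def general_mask(payload, expression):
    """General Mask: obscure every substring of the payload that matches expression."""
    _check_expression(expression)
    return re.sub(expression, _stars, payload)


def field_mask(payload, field_name, field_value, separator="&"):
    """Field Mask: obscure only the value of inputs whose name matches field_name.

    The input name stays visible. field_value is matched against the text following
    "name=" up to the end of the line, not just up to the next separator, which is why
    a greedy expression also swallows the parameters that follow (the guide's caution).
    Assumption: field_name must match the whole input name (re.fullmatch)."""
    _check_expression(field_name)
    _check_expression(field_value)
    sep = re.escape(separator)
    name_at = re.compile(r"(?:^|%s)([^=%s]+)=" % (sep, sep))
    name_re = re.compile(field_name)
    value_re = re.compile(field_value)
    out, pos = [], 0
    for m in name_at.finditer(payload):
        if m.start() < pos or not name_re.fullmatch(m.group(1)):
            continue  # swallowed by an earlier greedy match, or name does not match
        vm = value_re.match(payload, m.end())
        if vm is None or vm.end() == vm.start():
            continue  # the value expression matched nothing here; leave it visible
        out.append(payload[pos:vm.start()])
        out.append("*" * (vm.end() - vm.start()))
        pos = vm.end()
    out.append(payload[pos:])
    return "".join(out)


def demo():
    """The guide's scenarios side by side: a non-greedy value mask that stops before
    the separator, the greedy form that hides everything after it, and an age mask."""
    return {
        "general_password": general_mask(SAMPLE_PAYLOAD, r"password=[^&]*"),
        "field_nongreedy": field_mask(SAMPLE_PAYLOAD, "username", r".*?(?=\&)"),
        "field_greedy": field_mask(SAMPLE_PAYLOAD, "username", r".*"),
        "field_age": field_mask(SAMPLE_PAYLOAD, "age", r"(1[0-3]|[1-9])\b"),
    }
```

Note that `.*?(?=\&)` relies on a separator following the value: for the last parameter on a line it matches nothing and the value stays visible, so masks for trailing parameters need an expression that also stops at end of line.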

Viewing log messages


If you have configured the FortiWeb unit to store log messages locally (that is, to memory
or the hard disk), you can view the log messages currently stored in each file.
Log messages are in human-readable format, where each log field’s name, such as Source
(src in Raw view), indicates its contents.
Exceptions include the attack log’s Message (msg) field, which contains a code such as
DETECT_PARAM_RULE_FAILED that indicates which feature detected the attack. For
each feature’s attack detection code, see the feature’s description located in applicable
chapters of this Administration Guide.

Note: Not all detected attacks may be blocked, redirected, or sanitized.

For example, while using auto-learning, you can configure protection profiles with an action
of Alert (log but not deny), allowing the connection to complete in order to gather full auto-
learning data.

To determine whether or not an attack attempt was permitted to reach a web server, show
the Action column. For details, see “Displaying and arranging log columns” on page 338.

When viewing log messages, you can customize aspects of the display to focus on log
messages and fields that match your criteria. For more information, see “Customizing the
log view” on page 337.
For attack logs and traffic logs, you can view detailed information about each log and the
packet payload. For more information, see “Viewing log message details” on page 335.
For attack logs, you can perform a quick or advanced search for specific logs. For more
information, see “Searching attack logs” on page 341.
The logs associated with attacks that are blocked by FortiWeb are highlighted to
distinguish them from other attacks that are not blocked.
This section includes the following topics:
• Selecting a log type to view
• Viewing log message details
• Viewing packet log details
• Customizing the log view
• Searching attack logs


Selecting a log type to view


Log&Report > Log Access enables you to select the type of log message to view, if log
messages are stored locally on the hard disk or in the local random access memory
(RAM) of the FortiWeb unit.

Note: In addition to locally stored log messages, event log messages and attack log
messages can also be viewed in the system status dashboard. For more information, see
“Viewing system status” on page 41.

To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.
Table 128: Log&Report > Log Access > Event tab

Note: The columns and type of information displayed depends on which log type tab is
selected.

Data Source (not shown): Visible only when the Event tab is selected. Data Source enables
you to view event logs that are stored in the FortiWeb unit’s random access memory (RAM),
or event log files stored on the FortiWeb unit’s hard disk.
Select either Memory to display the most recent logs stored in the FortiWeb unit’s memory,
or Disk to display a list of the historical log files that are stored on the FortiWeb
unit’s hard disk.
For information on configuring event log storage location, see “Configuring global log
settings” on page 324.
FortiWeb always stores attack and traffic logs on disk, so there is no data source
selection on the Attack or Traffic tabs.
Previous page: Click to view the previous page.
Next page: Click to view the next page.
View n per page: Click the black arrow to change the number of rows of log entries to
display per page.
Line: Enter a log entry number, then press Enter to go to that entry. The number following
the slash ( / ) is the total number of entries in the log file.
Column Settings: Click this icon to display or hide the columns that correspond to log
fields, or change the order in which they appear on the page. For more information, see
“Displaying and arranging log columns” on page 338.


Raw or Formatted: These icons let you toggle between a Raw and Formatted view of the log
information. The raw view displays the log message as it actually appears in the log file.
The formatted view displays the log message in a columnar format.
Click to switch the log information view to the opposite of the view currently displayed.
For details on both view types, see “Customizing the log view” on page 337.
Clear All Filters: Click this icon to clear all log view filters. For details on log view
filters, see “Filtering log messages” on page 339.
Log Message Aggregation: Visible only when the Attack tab is selected. Enables you to view
only the attack logs associated with specific categories, including: HTTP Host, URL,
Source IP or Subtype. For more information, see “Grouping similar attack log messages” on
page 340.
Log Search: Visible only when the Attack tab is selected. Enables you to perform searches
for attack logs using advanced search criteria. For more information, see “Searching
attack logs” on page 341.
Refresh: Visible only when the Attack tab is selected. Enables you to update the attack log
list by adding any new logs that were created since the log list was opened.

To view log messages


1 Go to Log&Report > Log Access.
2 Click the tab corresponding to the type of log file that you want to view (Event, Attack,
or Traffic).
• For Attack logs, go to step 3
• For Event logs, go to step 6
• For Traffic logs, go to step 10
For more information on log types, see “Log types” on page 314.

Tip: If there are no traffic logs, verify that you have enabled Session Management in the
profiles whose traffic you want to log.

3 To view Attack logs, select Log&Report > Log Access > Attack. Log messages
associated with attacks that have been blocked by FortiWeb are highlighted to
distinguish them from other attacks that are not blocked.

4 If you want to view the historical attack log files that are stored on local hard disk,
select the Log Management link at the top-right of the attack log list.
5 Go to step .


6 To view Event log messages, select Log&Report > Log Access > Event.
For Event logs only, you can select the log data storage location (disk or memory) and
then select from which data source location you want to view the log information. For
more information on configuring the FortiWeb unit to store log messages locally, see
“Configuring and enabling logging” on page 323.

Note: Only event logs are stored in local memory. Attack and traffic logs are stored on disk.

7 To view event log messages stored in local random access memory (RAM), select
Memory as the Data Source.


8 If you want to view historical event log files stored on the local hard disk, select Disk as
the Data Source.
9 Go to step .
10 To view Traffic logs, select Log&Report > Log Access > Traffic.


11 If you want to view the historical traffic log files that are stored on local hard disk, select
the Log Management link at the top-right of the traffic log list.
Historical log files are stored on the local hard disk. You can view the log messages
associated with any historical log file, download the entire log file or clear the log file
from the disk.


12 Click one of:


• View to display all log messages associated with a specific log file.
• Download to download the log file to your management computer, then select either
Normal format (raw, plain text logs) or CSV format (comma-separated value). If you
would like to password-encrypt the log files before downloading them, enable
Encryption and type a password in Password. Click OK to begin the download to
your management computer.
Raw, unencrypted logs can be viewed with a plain text editor. CSV-formatted,
unencrypted logs can be viewed with a spreadsheet application, such as Microsoft
Excel or OpenOffice Calc.
• Clear to remove the log file from the local hard disk.
13 If you want to download log messages that were generated within a specific date
range, select the Download tab. For more information, see “Downloading log
messages” on page 343.

Viewing log message details


When viewing attack log messages or traffic log messages, you can view detailed
information about each message directly within the web-based manager window. You can
then use this detailed information to create new protection exceptions based on an attack
log entry.


Table 129: Viewing log message details

Detail icon: This item is available only when accessing attack and traffic logs. There are
no details associated with event logs.
Select Detail to display all recorded information about a specific log stored in the
FortiWeb unit’s hard disk. To download the log information, see “Viewing log messages” on
page 331.
Detail display area: Provides detailed information about the selected log message.

Viewing packet log details


If you have enabled retention of attack and traffic logs in log configuration, you can view
detailed information about each packet log directly within the web-based manager
window.
Packet logs display decoded packet payload information. This information supplements
the log message by providing the actual data that triggered the regular expression, which
may help you to fine-tune your regular expressions to prevent false positives, or aid in
forensic analysis.
For information on enabling attack and traffic logs, see “Enabling logging” on page 327.


Table 130: Viewing Packet Log details

Packet Log: This icon is available only when accessing attack and traffic logs.
Select Packet Log to display all recorded information about the packet payload for a
specific log stored in the FortiWeb unit’s hard disk. To download the log information, see
“Viewing log messages” on page 331.
Packet Log display area: Provides detailed packet information about the selected log
message.

Customizing the log view


Log messages can be displayed in either raw or formatted view:
• Raw view displays log messages exactly as they appear in the log file.
• Formatted view displays log messages in a columnar format. Each log field in a log
message appears in its own column, aligned with the same field in other log messages,
for rapid visual comparison. When displaying log messages in formatted view, you can
customize the log view by hiding, displaying and arranging columns and/or by filtering
columns, refining your view to include only those log messages and fields that you
want to see.

To display logs in raw or formatted view


1 Go to the tab corresponding to the type of log file that you want to view, such as
Log&Report > Log Access > Event.
2 Click the Formatted or Raw icon, depending on which log information view is currently
displayed.
If you click the Formatted icon, options appear that enable you to display and arrange
log columns and/or filter log columns.

Figure 42: Viewing log messages (formatted)


Figure 43: Viewing log messages (raw)

Displaying and arranging log columns


When viewing logs in Formatted view, you can display, hide and re-order columns to
display only relevant categories of information in your preferred order.
For most columns, you can also filter data within the columns to include or exclude log
messages which contain your specified text in that column. For more information, see
“Filtering log messages” on page 339.

Figure 44: Displaying and arranging log columns

To display or hide columns


1 Go to the tab corresponding to the type of log file that you want to view, such as
Log&Report > Log Access > Event.
2 Click the Column Settings icon.
Lists of available and displayed columns for the log type appear.
3 Select which columns to hide or display:
• In the Available fields area, select the names of individual columns you want to
display, then click the single right arrow to move them to the Show these fields in
this order area.
• In the Show these fields in this order area, select the names of individual columns
you want to hide, then click the single left arrow to move them to the Available fields
area.
4 Click OK.

To change the order of the columns


1 Go to the tab corresponding to the type of log file that you want to view, such as
Log&Report > Log Access > Event.
2 Click the Column Settings icon.
Lists of available and displayed columns for the log type appear.


3 In the Show these fields in this order area, select a column name whose order of
appearance you want to change.
4 Click Move Up or Move Down to move the column in the ordered list.
Placing a column name towards the top of the Show these fields in this order list will
move the column to the left side of the Formatted log view.
5 Click OK.

Filtering log messages


When viewing log messages in formatted view, you can filter columns to display only
those log messages that do or do not contain your specified content in that column. By
default, most column headings contain a gray filter icon, which becomes green when a
filter is configured and enabled.

Note: Filters do not appear in Raw view.

Figure 45: Filter icons


To filter log messages by column contents


1 In the heading of the column that you want to filter, click the Filter icon. The applicable
filter window appears.
2 If you want to exclude log messages with matching content in this column, mark the
check box named NOT.
If you want to include log messages with matching content in this column, clear the
check box named NOT.
3 Enter the value that matching log messages must contain. The value type varies with
the filter you select, such as date values, time values, and so on.
Matching log messages will be excluded or included in your view based upon whether
you have marked or cleared NOT.
4 For date and time filters, you can specify a range. Select the From and To check boxes
and enter a value in the associated field.
5 Click OK.
A column’s filter icon is green when the filter is currently enabled.

To clear a filter
1 In the heading of the column whose filter you want to clear, click the Filter icon. The
filter window appears.
A column’s filter icon is green when the filter is currently enabled.


2 To disable the filter on this column, click Clear Filter.


Alternatively, to clear the filters on all columns, click the Clear All Filters icon.
3 Click OK.
A column’s filter icon is gray when the filter is currently disabled.

Grouping similar attack log messages


When viewing attack log messages, especially if there are many attacks of the same kind,
to the same URL, or to the same web host, you may find it easier to view the log
messages when these log messages are grouped by one of those similarities, rather than
by sequential order. This action is called log message aggregation.

To group similar attack log messages


1 Go to Log&Report > Log Access > Attack.
2 Click the Log Message Aggregation icon.
A dialog appears.

Figure 46: Selecting the log message grouping type

3 In Available fields, select which aspect you want to use when grouping the log
messages, then click the right arrow to move it to the Aggregate log by these fields
area.
4 Click OK.
Attack log messages are no longer in sequential order, but are instead grouped by the
similar aspect you selected. To view log messages in a group, click the arrow in that
column to expand the set.

Figure 47: Attack log messages viewed when grouped by attack subtype

See “Aggregate attack types” on page 34 for example uses of aggregation.


Searching attack logs


When viewing attack logs, you may find it easier to locate a specific log using the attack
log search function. You can perform an attack log quick search or an advanced search.

Figure 48: Initiating an attack log search

Table 131: Setting up an attack log search

Quick search keywords: Enter the keywords you want to search for. These keywords will be
used for a quick search or an advanced search.
You can enter one keyword or multiple keywords. If a keyword consists of multiple words
separated by a space, use quotation marks (“ ”) to encapsulate the words as one keyword.
If quotation marks are not used, the search will treat each word as an individual keyword.
A quick search returns all results that include the specified keyword. For example,
entering allow as a keyword will provide results such as: allow_host and
waf_allow_method.
Quick log search: Select the Log Search icon to initiate a quick search for the specified
keywords. A quick search is very broad, searching for the keyword in attack log fields,
including: subtype, source, destination, source port, destination port, HTTP method,
action, policy, service, HTTP host, URL and message. To obtain more precise search
results, use the Advanced search option.
Advanced Search: Select Advanced Search to open the Search Dialog. Click the blue expand
arrow to see all the criteria parameters. An advanced search enables you to search for
precise terms. It provides results for exact keyword matches, and allows you to search for
terms within specific fields of an attack log, including: time and date, sub type, source,
destination, source port, destination port, HTTP method, action, policy, service and HTTP
host.
Generate Log Detail PDF: Displayed only after a search is complete. Select to generate a
PDF file with details of the selected attack logs. You can generate PDF only for attack
logs shown on the current page (maximum of 30 per page). Once the PDF is generated for the
current page, if required, proceed to the next pages and select additional logs for PDF
generation.
Reset search: Select to clear the quick search keyword field.
Back: Select to return to the full list of attack logs.
Search results: Displays the list of the attack logs that match the search parameters.


To search for an attack log


1 At the top of the Attack log window, click the Log Search icon.
2 To perform a quick search, go to step 3. To perform an advanced search, go to step 5.
3 Enter the term you want to search in the Keyword box.
4 Select the Log Search icon to initiate the quick search. Continue with step 9.
5 Select Advanced Search to open the Search Dialog.

6 Click the blue arrow to expand the list of search parameters.


7 Enter the advanced search parameters:

Keyword(s): Keywords are optional for an advanced search.
Enter the exact keywords you want to search for. Unlike a quick search, an advanced search
returns only the results that exactly match the specified keywords. For example, entering
allow as a keyword will not provide results such as allow_host and waf_allow_method. You
must enter the exact terms.
If a keyword consists of multiple words separated by a space, use quotation marks (“ ”) to
encapsulate the words as one keyword. If quotation marks are not used, the search will
treat each word as an individual keyword.
Note: If you entered keywords in the quick search field before opening the advanced Search
Dialog, those keywords are retained when the dialog opens, and will be used as part of the
parameters for the advanced search. Remove the keyword if it does not apply to your
advanced search.


From/To, Hour, Minute: Select the date and time range that contains the attack log that you
are searching for.
Note: The date fields default to the current date. Ensure the date fields are set to the
actual date range that you want to search.
all/any: Select all if you want to search for all terms specified in the fields shown below
the all/any options. For example, if terms are entered in Sub Type and Action, the search
results display only the attack logs matching both of those terms.
Select any if you want to search for any one of the terms specified in the fields shown
below the all/any options. For example, if terms are entered in Sub Type, Source, Action
and Policy, the search results display the attack logs that match any of those terms.
not: Select not if you want to search for conditions that exclude a specific term. For
example, if an IP address is entered in the Source field, and not is selected, the search
results exclude all attack logs with that source IP address.
Log fields: Lists the fields of an attack log that can be searched for specific terms.
Enter the exact terms in the appropriate log fields:
• Sub Type
• Source
• Destination
• Source Port
• Destination Port
• HTTP Method
• Action
• Policy
• Service
• HTTP Host
To exclude log records that match a criterion, mark its Not check box.

Note: Search results include only exact matches for keywords and terms entered in the
advanced Search Dialog. Ensure that the keywords and terms are accurate and relevant to
the search and that the date and time fields cover the actual range you want to search.

8 Select OK to initiate the search.
9 The results that match the given search criteria appear in the Search Results.
10 To generate a detailed report of the attack log search results in PDF format, select the
Generate Log Detail PDF icon.

Note: A Log Detail report can be generated only for one page of results (30 logs) at a time.
After generating a report for one page of results, move to the next page and generate
another report, if required.

11 Select Back to return to the full list of attack logs.

Downloading log messages


Log&Report > Log Access > Download enables you to download a specific range of event,
attack or traffic logs from the FortiWeb hard disk to your local computer. You can select the
log type to download, the start date and time, and the end date and time.

Note: If you want to download an entire event log file (elog), attack log file (alog) or traffic
log file (tlog) stored on the FortiWeb hard disk, see “Viewing log messages” on page 331.


To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.

To download log messages


1 Go to Log&Report > Log Access > Download.
2 Configure the following:

Log Type: Select the type of logs to download.
System Time: Displays the date and time according to the FortiWeb unit’s clock at the time
that this tab was loaded, or when you last clicked the Refresh button.
Time Zone: Select the time zone in which the FortiWeb unit is located.
Automatically adjust clock for daylight saving changes: Select the check box to have the
system time adjusted twice annually to reflect changes between standard time and daylight
savings time. (Not all jurisdictions recognize daylight savings time.)
Start Time: Choose the starting point for the log download by selecting the year, month and
day as well as the hour, minute and second that defines the first of the log messages to
download.
End Time: Choose the end point for the log download by selecting the year, month and day as
well as the hour, minute and second that defines the last of the log messages to download.

3 Click Download.
4 If a file download dialog appears, click Save and then choose the directory where you
want to save the downloaded log file.
The log files are downloaded to the specified directory in a compressed file format (TGZ).
You can use commercial file compression and text editing tools to extract and open the
compressed log file.

Configuring and generating reports


Log&Report > Report Config > Report Config enables you to configure and generate
reports.


When generating a report, FortiWeb units collate information collected from log files and
present the information in tabular and graphical format.
In addition to log files, FortiWeb units require a report profile in order to generate a report.
A report profile is a group of settings that contains the report name, file format, subject
matter, and other aspects that the FortiWeb unit considers when generating the report.
FortiWeb units can generate reports automatically, according to the schedule that you
configure in the report profile, or manually, when you click the Run now icon in the report
profile list. You may want to create one report profile for each type of report that you will
generate on demand or periodically, by schedule.

Note: Generating reports can be resource intensive. To avoid email processing performance
impacts, you may want to generate reports during times with low traffic volume, such as at
night or weekends. For more information on scheduling the generation of reports, see
“Configuring the schedule of a report profile” on page 351.

Before you generate a report, collect log data that will be the basis of the report. For
information on enabling logging to the local hard disk, see “Configuring and enabling
logging” on page 323.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.

Table 132: Log&Report > Report Config > Report Config tab

(Screenshot icons: Delete, Edit, Run now)

Create New: Click to add a new report profile. For more information, see “Configuring a
report profile” on page 346.
Delete: In the left column, mark the check boxes of the report profiles that you want to
remove, then click the Delete icon. Alternatively, click the Delete icon in the row
corresponding to each report profile that you want to remove.
(Check box in column heading.): To remove all report profiles, mark the check box in the
column heading to select all report profiles, then click the Delete icon. To remove individual
report profiles, mark the check box corresponding to each report profile that you want to
remove, then click the Delete icon.
Report: Displays the name of the report profile.
Title: Displays the title of this report.


Schedule: Displays the scheduled frequency when the FortiWeb unit generates the report.
If this report is not scheduled to be periodically generated according to the schedule
configured in the report profile, but instead will be generated only on demand, when you
manually click the Run now icon, None appears in this column.
Action: Click the Delete icon to remove the report profile.
Click the Edit icon to modify the report profile. For more information, see “Configuring a
report profile” on page 346.
Click the Run now icon to immediately generate a report using this report profile. This
option can be used with both scheduled and on demand report profiles, and occurs
independently of any automatic report generation schedules you may have configured. For
more information, see “Configuring the schedule of a report profile” on page 351. To view
the resulting report, see “Viewing and downloading reports” on page 353.

Configuring a report profile


You can create report profiles to define what information will appear in generated reports.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.

To configure a report profile


1 Go to Log&Report > Report Config > Report Config.
2 Click Create New to add a report profile, or click the Edit icon to modify an existing
report profile.
A multisection dialog appears.

Figure 49: New report dialog

3 In Report Name, enter a name for the report profile.


Report names cannot include spaces.
4 If you are creating or cloning a new report profile, select from Type either to run the
report immediately after configuration (On Demand) or run the report at configured
intervals (On Schedule).

Note: For on-demand reports, the FortiWeb unit does not save the report profile after
generating the report. If you want to save the report profile, but do not want to generate the
report at regular intervals, select On Schedule, but then in the Schedule section, select Not
Scheduled.


Note: You cannot change the Type when editing a report profile. To change the
scheduled/on demand Type, create a new report profile instead.

5 In Report Title, enter a name that will appear in the title area of the report. The title may
include spaces.
6 In Description, enter a comment or other description.
7 Click the blue expand arrow next to each section, and configure the following:

Properties: Select to add logos, headers, footers and company information to customize the
report. For more information, see “Configuring the headers, footers, and logo of a report
profile” on page 347.
Report Scope: Select the time span of log messages from which to generate the report. You
can also create a data filter to include in the report only those logs that match a set of
criteria. For more information, see “Configuring the time period and log filter of a report
profile” on page 348.
Report Types: Select one or more subject matters to include in the report. For more
information, see “Configuring the query selection of a report profile” on page 349.
Report Format: Select the number of top items to include in ranked report subtypes, and
other advanced features. For more information, see “Configuring the advanced options of a
report profile” on page 350.
Schedule: Select when the FortiWeb unit will run the report, such as weekly or monthly. For
more information, see “Configuring the schedule of a report profile” on page 351.
This section is available only if Type is On Schedule.
Output: Select the file formats and destination email addresses, if any, of reports generated
from this report profile. For more information, see “Configuring the output of a report
profile” on page 352.

8 Click OK when you complete the applicable sections.


On-demand reports are generated immediately; scheduled reports, if you have configured
a schedule, are generated at those intervals. For information on viewing generated
reports, see “Viewing and downloading reports” on page 353.

Configuring the headers, footers, and logo of a report profile


When configuring a report profile, you can provide text and logos to customize the
appearance of reports generated from the profile.

Table 133: Properties section of a report profile

Company Name: Enter the name of your company or other organization.
Header Comment: Enter a title or other information to include in the header.


Footer Comment: Select which information to include in the footer:
• Report Title: Use the text from Report Name.
• Custom: Use other text that you type into the field to the right of this option.
Title Page Logo: Select No Logo to omit the title page logo. Select Custom to include a logo,
then click Select to locate the logo file, and click Upload to save it to the FortiWeb unit’s
hard disk for use in the report title page.
Header Logo: Select No Logo to omit the header logo. Select Custom to include a logo, then
click Select to locate the logo file, and click Upload to save it to the FortiWeb unit’s hard
disk for use in the report header. The header logo will appear on every page in PDF- and
Microsoft Word (RTF)-formatted reports, and at the top of the page in HTML-formatted
reports.

When adding a logo to the report, select a logo file format that is compatible with your
selected file format outputs. If you select a logo that is not supported for a file format, the
logo will not appear in that output. For example, if you provide a logo graphic in WMF
format, it will not appear in PDF or HTML output.

Table 134: Report file formats and their supported logo file formats

PDF reports: JPG, PNG, GIF
RTF reports: JPG, PNG, GIF, WMF
HTML reports: JPG, PNG, GIF

Configuring the time period and log filter of a report profile


When configuring a report profile, you can select the time span of log messages from
which to generate the report. You can also filter out log messages that you do not want to
include in the report.

Table 135: Time Period section of a report profile

Time Period: Select the time span of the report, such as This Month or Last N Days.
Alternatively, select and configure From Date and To Date.
Past N Hours, Past N Days, Past N Weeks: Enter the number N of the unit of time. This option
appears only when you have selected Last N Hours, Last N Days, or Last N Weeks from Time
Period, and therefore must define N.
From Date, Hour: Select and configure the beginning of the time span. For example, you may
want the report to include log messages starting from May 5, 2006 at 6 PM. You must also
configure To Date.
To Date, Hour: Select to configure the end of the time span. For example, you may want the
report to include log messages up to May 6, at 12 AM. You must also select and configure
From Date.


Table 136: Data Filter section of a report profile

None: Select this option to include all log messages within the time span.
Include logs that match the following criteria: Select this option to include only the log
messages within the time span whose values match your filter criteria, then select whether
log messages must meet every configured criterion (all) or if meeting any one of them is
sufficient (any), and configure the following criteria.
• Priority: Mark the check box to filter by log severity threshold (in raw logs, the pri
field), then select the name of the severity and whether to include logs that are greater
than or equal to (>=), equal to (=), or less than or equal to (<=) that severity.
• Source(s): Type the source IP address (in raw logs, the src field) that log messages must
match.
• Destination(s): Type the destination IP address (in raw logs, the dst field) that log
messages must match.
• Http Method(s): Type the HTTP method (in raw logs, the http_method field) that log
messages must match.
• User(s): Type the administrator account name (in raw logs, the user field) that log
messages must match.
• Action(s): Type the firewall action (in raw logs, the action field) that log messages must
match.
• Subtype(s): Type the subtype (in raw logs, the subtype field) that log messages must
match.
• Policy(s): Type the policy name (in raw logs, the policy field) that log messages must
match.
• Service(s): Type the service that log messages must match.
• Message(s): Type the message (in raw logs, the msg field) that log messages must match.
• Day of Week: Mark the check boxes for the days of the week whose log messages you want
to include.
To exclude the log messages which match a criterion, mark its not check box, located on the
right-hand side of the criterion.
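The Python below is an added example, not FortiWeb code. It reproduces the Data Filter
semantics above (all versus any, the not check box, and the Priority threshold), which are
the same all/any/not rules the advanced attack log search uses, and applies them offline to
raw log lines read out of an archive like the TGZ that Log&Report > Log Access > Download
produces. Assumptions: raw lines are space-separated key=value pairs whose keys are the
field names listed in the table (pri, src, dst, http_method, action, subtype, policy, msg);
severities are ordered syslog-style with emergency most severe; >= on Priority means at
least as severe as the chosen threshold; the archive member name alog.log and the log lines
themselves are constructed for the example.

```python
"""Apply a report data filter (all/any, not, pri threshold) to raw log lines.

Added example, not FortiWeb's own code. Assumed: raw log lines are
space-separated key=value pairs keyed by the field names the guide lists;
severities are ordered syslog-style, most severe first; ">=" on pri means
"at least as severe as the threshold".
"""
import io
import shlex
import tarfile

# Assumed severity order, most severe first (not stated on this page).
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "information", "debug"]

# Constructed sample attack log lines; not captured from a real unit.
SAMPLE_ALOG = b"""\
date=2011-06-01 time=10:00:01 pri=alert src=192.0.2.10 dst=198.51.100.5 http_method=GET action=alert subtype=signature policy=web1 msg="SQL injection"
date=2011-06-01 time=10:00:05 pri=warning src=192.0.2.11 dst=198.51.100.5 http_method=POST action=deny subtype=cross-site-scripting policy=web1 msg="XSS"
date=2011-06-01 time=10:00:09 pri=information src=192.0.2.12 dst=198.51.100.6 http_method=GET action=alert subtype=signature policy=web2 msg="Robot"
"""


def build_sample_tgz():
    """Pack the sample log into an in-memory .tgz, mimicking a downloaded log archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name="alog.log")  # assumed member name
        info.size = len(SAMPLE_ALOG)
        tar.addfile(info, io.BytesIO(SAMPLE_ALOG))
    return buf.getvalue()


def parse_line(line):
    """Split one key=value line into a dict; shlex honours quoted values such as msg="..."."""
    record = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        record[key] = value
    return record


def read_records_from_tgz(data):
    """Return parsed records from every regular file inside the archive bytes."""
    records = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            records.extend(parse_line(ln) for ln in text.splitlines() if ln.strip())
    return records


def priority_matches(pri, op, threshold):
    """Compare two severity names; a lower index in SEVERITIES is more severe."""
    rank, limit = SEVERITIES.index(pri), SEVERITIES.index(threshold)
    if op == ">=":
        return rank <= limit
    if op == "=":
        return rank == limit
    if op == "<=":
        return rank >= limit
    raise ValueError("unknown operator: " + op)


def match_criterion(record, criterion):
    """One filter row: {"field", "value", optional "op" for pri, optional "not"}."""
    field = criterion["field"]
    if field == "pri":
        hit = priority_matches(record.get("pri", "debug"),
                               criterion.get("op", ">="), criterion["value"])
    else:
        hit = record.get(field) == criterion["value"]
    return not hit if criterion.get("not") else hit


def apply_filter(records, criteria, mode="all"):
    """Return the records the filter keeps; an empty criteria list is the "None" choice."""
    if not criteria:
        return list(records)
    combine = all if mode == "all" else any
    return [r for r in records if combine(match_criterion(r, c) for c in criteria)]


if __name__ == "__main__":
    recs = read_records_from_tgz(build_sample_tgz())
    denied = apply_filter(recs, [{"field": "pri", "op": ">=", "value": "warning"},
                                 {"field": "action", "value": "deny"}], mode="all")
    for r in denied:
        print(r["src"], r["subtype"], r["msg"])
```

With mode="all" the two criteria in the usage block keep only the warning-level deny; with
mode="any" the alert-level record is kept as well because its severity alone satisfies the
Priority row. Swapping the unit's own filter for a script like this is useful when you need
to confirm what a report profile's Data Filter will select before scheduling it.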

Configuring the query selection of a report profile


When configuring a report profile, you can select one or more queries or query groups that
define the subject matter of the report.


Each query group contains multiple individual queries, each of which corresponds to a
chart that will appear in the generated report. You can select all queries within the group
by marking the check box of the query group, or you can expand the query group and then
individually select each query that you want to include.
For example:
• If you want the report to include charts about both normal traffic and attacks, you might
enable both of the query groups Attack Activity and Event Activity.
• If you want the report to specifically include only a chart about top system event types,
you might expand the query group Event Activity, then enable only the individual query
Top Event Types.

Figure 50: Report Type(s) section of a report profile

Configuring the advanced options of a report profile


When configuring a report profile, you can configure various advanced options that affect
how many log messages are used to formulate ranked report subtypes, and how results
will be displayed.

Table 137: Report Format section of a report profile

Include reports with no matching data: Enable to include reports for which there is no data.
In this instance, a blank report appears in the summary. You might enable this option to
verify inclusion of report types selected in the report profile when filter criteria or absent
logs would normally cause the report type to be omitted.


Ranked Reports: Ranked reports (top x, or top y of top x) can include a different number of
results per cross-section, then combine remaining results under “Others.” For example, in
Top Sources By Top Destination, the report includes the top x destination IP addresses, and
their top y source IP addresses, then groups the remaining results. You can configure both
x and y in the Advanced section of Report Format.
In Ranked Reports (“top n” report types, such as Top Attack Type), you can specify how many
items from the top rank will be included in the report. For example, you could set the Top
Attack URLs report to include up to 30 of the top n denied URLs by entering 30 for values
of the first variable 1..30.
Some ranked reports rank not just one aspect, but two, such as Top Sources By Top
Destination: this report ranks top source IP addresses for each of the top destination IP
addresses. For these double ranked reports, you can also configure the rank threshold of
the second aspect by entering the second threshold in values of the second variable for
each value of the first variable 1..30.
Include Summary Information: Enable to include a summary of the report profile settings.
Include Table of Contents: Enable to include a table of contents for the report.

Note: Reports that do not include “Top” in their name display all results. Changing the
Ranked Reports values will not affect these reports.
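The top x / top y of top x ranking described under Ranked Reports, with everything below
the cut folded under “Others”, as an added example in Python. It is not FortiWeb's report
engine; it works on constructed records already parsed into dicts with src and dst fields.
Passing None as the rank limit reproduces the behaviour of reports without “Top” in their
name, which display all results.

```python
"""Double-ranked report: top x destinations, top y sources per destination,
with the remainder folded under "Others".

Added example, not FortiWeb's report engine. Works on records already
parsed into dicts with src and dst fields.
"""
from collections import Counter

# Constructed records, not captured from a real unit: five hits on .5,
# three on .6, one on .7.
SAMPLE_RECORDS = (
    [{"src": "192.0.2.10", "dst": "198.51.100.5"}] * 3
    + [{"src": "192.0.2.11", "dst": "198.51.100.5"}]
    + [{"src": "192.0.2.12", "dst": "198.51.100.5"}]
    + [{"src": "192.0.2.13", "dst": "198.51.100.6"}] * 2
    + [{"src": "192.0.2.10", "dst": "198.51.100.6"}]
    + [{"src": "192.0.2.14", "dst": "198.51.100.7"}]
)


def top_n_with_others(counts, n):
    """Keep the n most frequent keys; anything below the cut becomes one "Others" row.

    n=None keeps every key, which is what a report without "Top" in its name shows.
    Ties keep first-seen order, as Counter.most_common guarantees.
    """
    ranked = Counter(counts).most_common()
    if n is None:
        return ranked
    top, rest = ranked[:n], ranked[n:]
    leftover = sum(count for _, count in rest)
    if leftover:
        top.append(("Others", leftover))
    return top


def top_sources_by_top_destination(records, top_x, top_y):
    """Return [(dst, dst_count, [(src, count), ...]), ...].

    The trailing "Others" destination row carries only a total, because the
    destinations it stands for were never ranked individually.
    """
    by_dst = Counter(r["dst"] for r in records)
    rows = []
    for dst, dst_count in top_n_with_others(by_dst, top_x):
        if dst == "Others":
            rows.append((dst, dst_count, []))
            continue
        by_src = Counter(r["src"] for r in records if r["dst"] == dst)
        rows.append((dst, dst_count, top_n_with_others(by_src, top_y)))
    return rows


if __name__ == "__main__":
    for dst, total, sources in top_sources_by_top_destination(SAMPLE_RECORDS, 2, 1):
        print(dst, total)
        for src, count in sources:
            print("   ", src, count)
```

With top_x=2 and top_y=1 the sample yields the two busiest destinations, each with its
single busiest source and an "Others" line, followed by an "Others" destination row for the
one remaining target. Setting either limit higher than the number of distinct keys simply
omits the "Others" row, since there is nothing left to fold in.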

Configuring the schedule of a report profile


When configuring a report profile, you can select whether the FortiWeb unit will generate
the report on demand or according to the schedule that you configure.

Note: Generating reports can be resource-intensive. To improve performance, schedule
reports during times when traffic volume is low, such as at night or during weekends.

Table 138: Schedule section of a report profile

Schedules
Not Scheduled: Select if you do not want the FortiWeb unit to generate the report
automatically according to a schedule.
If you select this option, the report will only be generated on demand, when you manually
click the Run now icon from the report profile list. For more information, see “Configuring
and generating reports” on page 344.
Daily: Select to generate the report each day. Also configure Time.
These Days: Select to generate the report on specific days of each week, then mark the check
boxes for those days. Also configure Time.


These Dates: Select to generate the report on specific dates of each month, then enter those
date numbers. Separate multiple date numbers with a comma. Also configure Time.
For example, to generate a report on the first and 30th day of every month, enter 1,30.
Time: Select the time of the day when the report will be generated.
This option does not apply if you have selected Not Scheduled.

Configuring the output of a report profile


When configuring a report profile, you can select one or more file formats in which to save
reports generated from the profile. You can also configure the FortiWeb unit to email the
reports to specific recipients.

Table 139: Output section of a report profile

File Output: Enable file formats that you want to generate and store on the FortiWeb unit’s
hard drive.
HTML file format reports will always be generated (indicated by the permanently enabled
check box), but you may also choose to generate reports in:
• PDF
• MS Word
• plain text (Text), and
• MIME HTML (MHT, which can be included in email)
Email Output: Enable file formats that you want to generate for an email that will be mailed
to the recipients defined by the email policy.
Email Policy: Select the predefined email policy that you want to associate with the report
output. This email policy determines who receives the report email.
For more information on configuring email policy, see “Configuring email policies” on
page 317.
Email Subject: Type the subject line of the email.
Email Body: Type the message body of the email.
Email Attachment Name: Type a file name that will be used for the attached reports.
Compress Report Files: Enable to enclose the generated report formats in a compressed
archive, as a single attachment.


Viewing and downloading reports


Log&Report > Report Browse > Report Browse displays a list of reports that have been
generated from the report profiles. You can view, delete, and/or download generated
reports.
FortiWeb units can generate reports automatically, according to the schedule that you
configure in the report profile, and/or manually, when you click the Run now icon on the
Log&Report > Report Browse > Report Config tab. For more information, see “Configuring
and generating reports” on page 344.

Table 140: Log&Report > Report Browse > Report Browse tab

(Screenshot icons: Go to the first page, Go to previous page, Go to next page, Go to the last
page, Rename, Delete)

Refresh: Click to refresh the display with the current list of completed, generated reports.
Delete: In the column containing check boxes, in each row corresponding to a report that you
want to delete, mark the check box, then click the Delete icon.
Go to first page: Click to display the first page in the list of generated reports.
This icon is gray and disabled if you are currently on the first page.
Go to next page: Click to display the next page.
This icon is gray and disabled if you are currently on the last page.
(Text field with no label.): Type a page number, then press Enter to display that page in the
list of generated reports.
This field cannot be modified if there is only one page in the list of generated reports.
Go to previous page: Click to display the previous page.
This icon is gray and disabled if you are currently on the first page.
Go to the last page: Click to display the last page in the list of generated reports.
This icon is gray and disabled if you are currently on the last page.
(Check box with no column heading.): In the column containing check boxes, in each row
corresponding to a report that you want to delete, mark the check box, then click the Delete
icon.


Report Files: Displays the name of the generated report, the date and time at which it was
generated, and, if necessary to distinguish it from other reports generated at that time, a
sequence number.
For example, Report_1-2008-03-31-2112_018 is a report named “Report_1”, generated on
March 31, 2008 at 9:12 PM. It was the nineteenth report generated at that date and time
(the first report generated at that time did not have a sequence number).
To view the report in HTML format, click the name of the report. The report appears in a
pop-up window.
To view only an individual section of the report in HTML format, click the blue triangle next
to the report name to expand the list of HTML files that comprise the report, then click one
of the file names.
Started: Displays the date and time when the FortiWeb unit started to generate the report.
Finished: Displays the date and time when the FortiWeb unit completed the generated report.
Size (bytes): Displays the file size in bytes of each of the HTML files that comprise an
HTML-formatted report.
This column is empty for the overall report, and contains sizes only for its component files.
Other Formats: Click the name of an alternative file format, if any were configured to be
generated by the report profile, to download the report in that file format.
Action: Click the Delete icon to remove the report.
Click Rename to rename a generated report.
Note: To reduce the amount of hard disk space consumed by reports, regularly download then
delete generated reports from the FortiWeb unit.
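A parser for generated report file names in the layout described under Report Files, as an
added example that is not FortiWeb code, together with a helper that picks out reports
generated before a cutoff date for the download-then-delete housekeeping the note
recommends. It assumes the layout <profile name>-YYYY-MM-DD-HHMM with an optional
three-digit _NNN sequence suffix, where the first report in a given minute carries no suffix
and _001 is the second; the file names used in the usage block are constructed.

```python
"""Parse generated report file names such as Report_1-2008-03-31-2112_018.

Added example, not FortiWeb code. Assumed layout:
<profile name>-<YYYY>-<MM>-<DD>-<HHMM>[_<NNN>], where the first report in a
minute has no suffix and _001 marks the second one.
"""
import re
from datetime import datetime

# Profile name is greedy so names containing hyphens still parse; the
# timestamp and optional sequence suffix are anchored at the end.
_NAME_RE = re.compile(
    r"^(?P<name>.+)-(?P<ymd>\d{4}-\d{2}-\d{2})-(?P<hm>\d{4})(?:_(?P<seq>\d{3}))?$"
)


def parse_report_file_name(file_name):
    """Return {"profile", "generated" (datetime), "ordinal"} for one report file name."""
    m = _NAME_RE.match(file_name)
    if not m:
        raise ValueError("not a generated report file name: %r" % file_name)
    generated = datetime.strptime(m["ymd"] + " " + m["hm"], "%Y-%m-%d %H%M")
    # No suffix -> first report in that minute; _NNN -> the (NNN + 1)th.
    ordinal = 1 if m["seq"] is None else int(m["seq"]) + 1
    return {"profile": m["name"], "generated": generated, "ordinal": ordinal}


def reports_older_than(file_names, cutoff_date):
    """Names of reports generated before cutoff_date (YYYY-MM-DD): candidates to
    download and then delete, per the note on conserving hard disk space."""
    cutoff = datetime.strptime(cutoff_date, "%Y-%m-%d")
    return [n for n in file_names
            if parse_report_file_name(n)["generated"] < cutoff]


if __name__ == "__main__":
    # Constructed file names, not listed from a real unit.
    names = ["Report_1-2008-03-31-2112_018", "Weekly-2011-06-01-0000"]
    for n in names:
        print(n, parse_report_file_name(n))
    print("stale:", reports_older_than(names, "2010-01-01"))
```

Run the script over a directory listing of downloaded reports to see which profile each
file belongs to and which ones predate your retention cutoff; the ordinal makes the
sequence-suffix convention explicit (018 is the nineteenth report in its minute).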


Fine tuning and best practices


This chapter is a collection of fine-tuning and best practice tips and guidelines to help you
configure the most secure and reliable operation of your FortiWeb units.
This chapter includes:
• Avoiding problems
• Tuning security
• Tuning high availability (HA)
• Tuning policy
• Tuning performance

Avoiding problems
As you configure your FortiWeb unit and integrate it effectively into your network, take
care not to create problems and setbacks. FortiWeb includes powerful commands and
options—features needed for efficient management—that, if misused or mistimed, can
undo your hard work.
Here is a list of tips to avoid problems:

Set operation mode


Once the FortiWeb unit is set up and integrated with your network, there is little reason to
change its operation mode. Do not do so unless you have a compelling reason. If you
must change the mode, first back up your configuration. Changing between very different
modes deletes any policies not applicable to the new mode, all static routes, all v-zone IPs
and all VLAN settings. (You can switch between the two types of transparent mode without
encountering these problems.) See “Configuring the operation mode” on page 71.

Perform backups
Perform backups before executing potential configuration altering actions:
• Before upgrading the firmware, always perform a full backup, including configurations.
• Back up your configuration before running CLI commands that can change your
settings, such as execute factoryreset and execute restore.
• Back up your configuration before clicking the Reset button in the System Information
console on the dashboard.
• Back up your configuration before changing operation mode.
There are two backup methods available:
• manual as shown in Figure 51 (see “Backing up and restoring configurations” on
page 96.)
• via FTP as shown in Figure 52 (see “Configuring an FTP backup and schedule” on
page 98)
To lessen the impact on performance, set the FTP backup time to off-peak hours or
weekends.


Figure 51: Backup & Restore under System > Maintenance

Figure 52: FTP Backup under System > Maintenance

Download log messages


Event log messages stored in memory are cleared when the FortiWeb unit shuts down.
Use the log download feature to save the log before shutting down. See “Downloading log
messages” on page 343.


Disable web anti-defacement


If you use the web anti-defacement feature, make sure you turn it off before you change
your site during updates; otherwise, the feature may undo all your changes. On the
Web Site with Anti-Defacement tab, select the Edit icon next to the applicable web site.
On the edit dialog, clear the check box next to Enable Monitor and Restore Changed Files
Automatically. Enable this option later when you complete your site updates. (See
“Configuring anti-defacement” on page 293.)

Tuning security
FortiWeb is designed to enhance the security of your web sites and web servers, and
when fully configured, it can automatically plug holes commonly used by attackers to
compromise a system.
This section lists tips for further enhancing security.

Administrator security
• As soon as possible during initial FortiWeb setup, give the default administrator, admin,
a password. This administrator has the highest level of permissions available and
access to this administrator should be limited to as few people as possible.
• Change all administrator passwords regularly. Set a policy—such as every 60 days—
and follow it. (To see the dialog in Figure 53, click the Edit Password icon to reveal the
password dialog.)

Figure 53: Edit Password under System > Admin > Administrator

• Instead of allowing administrative access to the FortiWeb unit from any source, restrict
it to trusted internal hosts. See Figure 54 and “Configuring trusted hosts” on page 78.


Figure 54: Edit Administrator under System > Admin > Administrators

• Do not use the default administrator access profile for all new administrators. Create
one or more access profiles with limited permissions tailored to the responsibilities of
the new administrator accounts. See “Configuring access profiles” on page 78.
• By default, an administrator login that is idle for more than five minutes times out. You
can change this to a longer period on the Administrators Settings dialog shown in
Figure 55, but Fortinet does not recommend it. A web-based manager GUI or CLI
session left unattended lets anyone change your settings.
• Administrator passwords should be at least six characters long and include both
numbers and letters. For additional security, select the Enable Strong Passwords
option on the Administrators Settings dialog, shown in Figure 55, to force the use of
stronger passwords. See “Configuring the web-based manager’s global settings” on
page 82.


Figure 55: Settings under System > Admin

• Restrict the interface used for administrative access (usually port1) to just the access
protocols needed, as shown in Figure 56.

Figure 56: Edit Interface under System > Network

Use only the most secure protocols. Disable Telnet. Disable ping except during
troubleshooting. Use HTTP only if the network interface connects to a trusted private
network. See “Configuring the network and VLAN interfaces” on page 50.


Data security
• To protect your web servers, install the FortiWeb unit or units between the web servers
and a general purpose firewall. FortiWeb units do not replace firewalls.
• Make sure web traffic cannot bypass the FortiWeb unit in a complex network
environment.
• Restrict the interfaces used for non-administrative access to just the access protocols
your applications need, as shown in Figure 56. For example, disable Telnet: it is
insecure and rarely needed. Disable ping except during troubleshooting. See
“Configuring the network and VLAN interfaces” on page 50.
• If enabled to do so, a FortiWeb unit will hide selected data types, including user names
and passwords, that could appear in the packet payloads accompanying a log
message. You can also define your own sensitive data types, such as ages or other
identifying numbers, using regular expressions and hide them too. See “Obscuring
sensitive data in the logs” on page 329.
• FortiWeb does not encrypt or obfuscate user passwords when downloading a
configuration backup file. If you have local user accounts, the passwords will be in plain
text. Store configuration backup files in a secure location.
• Upgrade to the latest available firmware to take advantage of new definitions for
predefined robots, data types, suspicious URLs, and attack signatures.
There are two methods available:
• manual, as shown in Figure 57 (see “Uploading signature updates” on page 101)
• scheduled, as shown in Figure 58 (see “Scheduling signature updates” on
page 102)
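The log obfuscation described above, as an added example that is not FortiWeb's own implementation: a regular-expression redactor that masks predefined sensitive types (user names, passwords, the Authorization header) and administrator-defined types (ages, identifying numbers) in constructed HTTP payloads of the kind that accompany a log message. The field names, patterns and payloads are all assumptions for illustration; the per-type match count is there so a new custom pattern can be checked against sample data before it is relied on.

```python
import re
from typing import Dict, List, Pattern, Tuple

MASK = "***"

# Constructed sample of HTTP request payloads of the kind that can accompany
# a log message. All values are made up for this example.
SAMPLE_PAYLOADS: List[str] = [
    "POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    "username=alice&password=S3cr3t%21&remember=1",
    "GET /profile?user=bob&ssn=123-45-6789&age=42 HTTP/1.1\r\n"
    "Host: www.example.com\r\nAuthorization: Basic Ym9iOnBhc3N3b3Jk\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

# Each pattern has two groups: group 1 is context that is kept (so the
# redacted entry stays readable), group 2 is the value that is masked.
PREDEFINED_TYPES: Dict[str, Pattern[str]] = {
    "username": re.compile(r"(?i)\b((?:user|username|login)=)([^&\s]+)"),
    "password": re.compile(r"(?i)\b((?:pass|password|passwd)=)([^&\s]+)"),
    "authorization": re.compile(r"(?im)^(Authorization:\s*)([^\r\n]+)"),
}

# Administrator-defined types, modelled on the "ages or other identifying
# numbers" the guide mentions. Hypothetical patterns, not FortiWeb's own.
CUSTOM_TYPES: Dict[str, Pattern[str]] = {
    "age": re.compile(r"(?i)\b(age=)(\d{1,3})(?=&|\s|$)"),
    "us-ssn": re.compile(r"()\b(\d{3}-\d{2}-\d{4})\b"),
}


def redact(payload: str,
           types: Dict[str, Pattern[str]]) -> Tuple[str, Dict[str, int]]:
    """Mask every occurrence of each sensitive data type in one payload.

    Returns the redacted payload and a per-type count of replacements,
    which shows whether a custom pattern actually matched anything.
    """
    counts: Dict[str, int] = {}
    for name, pattern in types.items():
        payload, n = pattern.subn(lambda m: m.group(1) + MASK, payload)
        if n:
            counts[name] = n
    return payload, counts


def redact_all(payloads: List[str]) -> List[Tuple[str, Dict[str, int]]]:
    """Apply the predefined and custom types to every payload."""
    all_types = {**PREDEFINED_TYPES, **CUSTOM_TYPES}
    return [redact(p, all_types) for p in payloads]


if __name__ == "__main__":
    for text, counts in redact_all(SAMPLE_PAYLOADS):
        print(counts)
        print(text.replace("\r\n", " | "))
        print()
```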

Figure 57: Update Signature under System > Maintenance

Figure 58: Auto Update under System > Maintenance

Tuning high availability (HA)
To enhance availability, set up two FortiWeb units to act as an active-passive high
availability (HA) pair. If your primary FortiWeb unit fails, the backup FortiWeb unit can
continue processing web traffic with only a minor interruption. For details, see “Configuring
high availability (HA)” on page 61.

Figure 59: HA-Config under System > Config

Keep these points in mind when setting up an HA pair:

• Isolate HA interface connections from your overall network.
Heartbeat and synchronization packets contain sensitive configuration information and
can consume considerable network bandwidth. For best results, directly connect the
two HA interfaces using a crossover cable. If your system uses switches instead of
crossover cables to connect the HA heartbeat interfaces, those interfaces must be
reachable by Layer 2 multicast. For details, see the FortiWeb Install and Setup Guide.
• When configuring an HA pair, pay close attention to the options ARP packets numbers
and ARP packet interval as shown in Figure 59.
The FortiWeb unit broadcasts ARP packets to the network to ensure timely failover.
This broadcast can slow performance, so set the value of ARP packets numbers no
higher than needed.
The FortiWeb unit broadcasts ARP packets at regular intervals. For performance
reasons, set the value for ARP packet interval no greater than required.
Some experimentation may be needed to find the optimum value for these options.
See “Configuring high availability (HA)” on page 61.

Set an SNMP HA heartbeat alert
Use SNMP to generate a message if the HA heartbeat fails.

Figure 60: SNMP community setting under System > Config > SNMP

• Configure an SNMP community and select the HA heartbeat failed option in the SNMP
Event list, as shown in Figure 60. For details, see “Configuring the SNMP agent” on
page 66.

Tuning policy
The backbone of a FortiWeb unit's web site protection is the application of server policies.
Here are a few tips to help avoid problems and increase performance:
• Disable or delete policies and policy settings with care. Any changes made to policies
take effect immediately.
• Verify that all physical web servers are covered by a policy.
If a server has no associated policy or all policies for it are disabled, FortiWeb will not
monitor web traffic to that web server. In reverse proxy mode, FortiWeb will block traffic
to servers without an enabled policy.
• The FortiWeb unit applies the many types of rules, policies and data scans in a set
order. (See “Order of execution” on page 190.) Within certain policies, such as URL
access policy, FortiWeb executes the rules in the priority you assign. Review the logic
of your web protection policies to make sure they deliver the web protection you
expect.

• When you have multiple policies or rules that apply to one configuration item (for
example, a server), make sure they are processed in order from the most specific to
the most general.
Policy matches are checked from the top of the list downward, so place specific server
policies at the top. A very general policy matches all connection attempts; if you
create a policy that contains exceptions to it, that policy must be processed before the
general one.
Likewise, when creating a content filter for XML protection profiles, arrange the
priority of content filter rules from most specific to most general, as shown in Figure 61,
because only the first matching content filter rule is applied. This prevents general
content filter rules, which match a wide range of traffic and whose action is Accept or
Deny, from superseding and effectively masking other content filter rules whose action
is Alert. See “Configuring content filter rules” on page 166.
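The masking problem described above, as an added example that is not FortiWeb's own code: a first-match evaluator over a constructed rule list in which a catch-all Accept rule sits above specific Deny and Alert rules, a specificity sort that reorders the list, and a heuristic check that reports rules an earlier rule already shadows. The glob-over-path rule model, the rule names and paths are assumptions for illustration only.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One content filter rule: a glob over the request path and an action."""
    name: str
    pattern: str  # "*" matches any path; "?" matches one character
    action: str   # "Accept", "Deny" or "Alert"


# Constructed rule list in the problematic order: the catch-all Accept rule
# is first, so the more specific Deny and Alert rules below it never fire.
MISORDERED: List[Rule] = [
    Rule("general-accept", "*", "Accept"),
    Rule("soap-admin-deny", "/soap/admin/*", "Deny"),
    Rule("soap-internal-alert", "/soap/internal/*", "Alert"),
]


def first_match(rules: List[Rule], path: str) -> Optional[Rule]:
    """Evaluate top-down and return the first matching rule, as a
    first-match policy does. None means no rule applies."""
    for rule in rules:
        if fnmatchcase(path, rule.pattern):
            return rule
    return None


def specificity(rule: Rule) -> Tuple[int, int]:
    """Sort key: fewer wildcards, then more literal characters, is more
    specific. Sorting ascending puts the most specific rule first."""
    wildcards = rule.pattern.count("*") + rule.pattern.count("?")
    literal = len(rule.pattern) - wildcards
    return (wildcards, -literal)


def order_by_specificity(rules: List[Rule]) -> List[Rule]:
    """Return the rules arranged from most specific to most general."""
    return sorted(rules, key=specificity)


def shadowed(rules: List[Rule]) -> List[str]:
    """Heuristic check for masked rules: build a representative path from
    each rule's own pattern (wildcards replaced by a literal) and report
    the rule if an earlier rule already matches that path."""
    names: List[str] = []
    for i, rule in enumerate(rules):
        probe = rule.pattern.replace("*", "x").replace("?", "x")
        if any(fnmatchcase(probe, earlier.pattern) for earlier in rules[:i]):
            names.append(rule.name)
    return names


def decide(rules: List[Rule], path: str) -> str:
    """Action taken for a path, or "NoMatch" when no rule applies."""
    rule = first_match(rules, path)
    return rule.action if rule else "NoMatch"


if __name__ == "__main__":
    request = "/soap/internal/Echo"
    print("misordered:", decide(MISORDERED, request), shadowed(MISORDERED))
    fixed = order_by_specificity(MISORDERED)
    print("reordered: ", decide(fixed, request), shadowed(fixed))
```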

Figure 61: Edit Content Filter under XML Protection > Content Filter

Tuning performance
When configuring your FortiWeb unit and its features, there are many settings and
practices that can yield better performance.

System performance
• Verify that the system time and time zone are correct. Many features rely on a correct
system time. See “Configuring system time” on page 100.
• To reduce latency associated with DNS queries, use a DNS server on your local
network as your primary DNS. See “Configuring the DNS settings” on page 58.
• Where applicable, create one or more VLAN interfaces. VLANs reduce the size of a
broadcast domain and the amount of broadcast traffic received by network hosts, thus
improving network performance. See “Adding a VLAN subinterface” on page 53.

Log and report performance
• If you do not need a traffic log, turn off that feature to reduce the use of system
resources. See “Enabling logging” on page 327.
• Reduce repetitive log messages. Use the alert email policy, as shown in Figure 62, to
define the interval that emails are sent if the same condition persists following the initial
occurrence. See “Configuring email policies” on page 317.

Figure 62: Email Policy under Log&Report > Log Policy

• Avoid recording log messages using low severity thresholds, such as information or
notification, to the local hard disk for an extended period of time. Excessive logging
frequency saps system resources, causes undue wear on the hard disk, and may lead
to premature failure. See “Configuring global log settings” on page 324.
• Generating reports can be resource intensive. To avoid performance impacts, consider
scheduling report generation during times with low traffic volume, such as at night and
on weekends. See Figure 63 and “Configuring the schedule of a report profile” on
page 351.

Figure 63: Report Config under Log&Report

Feature configuration performance
• Each URL on an auto-learning report includes the right-click menu option Stop
Learning. By selecting this option for a URL that you know is complex and hard to track
effectively or that may generate inaccurate data, you reduce processing resources.
See “Viewing auto-learning reports” on page 282. FortiWeb no longer gathers report
data for a stopped URL.
• Once you have collected enough auto-learning data for generating protection profiles,
consider turning off the auto-learning function to save resources. To do so, deselect the
auto-learning profile in applicable server policies. See “Configuring server policies” on
page 118.
• If you have enabled the server health check feature as part of a server farm and one of
the servers is down for an extended period, you may improve the performance of your
FortiWeb unit by disabling the physical server, rather than allowing the server health
check to continue checking for the server's responsiveness. See “Configuring server
health checks” on page 143.
• Tune the list of predefined data type groups to include just those the FortiWeb unit is
likely to encounter when gathering data for an auto-learning report. By pruning the list
shown in Figure 64, you reduce the resources used by the FortiWeb unit. See
“Grouping predefined data types” on page 150.

Figure 64: Data Type Group under Server Policy > Predefined Pattern

• When configuring a suspicious URL rule, clear one or more server type options if you
do not operate all three web servers, as shown in Figure 65. By pruning the list, you
reduce the resources used by the FortiWeb unit when applying the rule. See “Grouping
suspicious URLs” on page 154.

Figure 65: Suspicious URL Rule under Server Policy > Predefined Pattern

• When you configure a server protection rule as part of a web protection profile,
consider limiting the scope and application of the Information Disclosure options shown
in Figure 66. (Click the blue arrow next to Information Disclosure to see the list.)
Do you need to watch for all the information types? If not, clear applicable options to
increase performance. See “Configuring server protection rules” on page 201.

Figure 66: Server Protection Rule under Web Protection > Server protection Rule

The Information Disclosure feature can potentially require the FortiWeb unit to
rewrite the header and body of every request from a server, resulting in reduced
performance. Fortinet recommends enabling this feature only to help you identify
information disclosure through logging, and only until you can reconfigure the server to
omit such sensitive information. Clear the All / None option to disable the feature.
• If you use the web anti-defacement feature, tune your configuration to avoid backing
up overly large files. See Figure 67 and “Configuring anti-defacement” on page 293.

Figure 67: Web Anti-Defacement under Web Anti-Defacement

Unless you need to back up large files, reduce the setting for the Skip Files Larger
Than option from the default of 10 240 KB.
Use the Skip Files With These Extensions option to exclude specific types of large
files, such as compressed files and video clips.

Troubleshooting tip
• Packet capture can be useful for troubleshooting but can be resource intensive. (See
“Debug the packet flow” on page 378.) To minimize the performance impact on your
FortiWeb unit, use packet capture only during periods of minimal traffic. Use a serial
console CLI connection rather than a Telnet or SSH CLI connection, and be sure to
stop the command when you are finished.

Troubleshooting
This chapter provides guidelines to help you determine why your FortiWeb unit is
behaving unexpectedly. It includes general troubleshooting methods and specific
troubleshooting tips using both the command line interface (CLI) and the web-based
manager.
Some CLI commands provide troubleshooting information not available through the web-
based manager. The web-based manager is better suited for viewing large amounts of
information on screen, reading logs and archives, and viewing status through the
dashboard.
This chapter includes:
• Establish a system baseline
• Check traffic flow
• Define the problem
• Search for a known solution
• Create a troubleshooting plan
• Gather system information
• Troubleshoot connectivity issues
• Troubleshoot resource issues
• Troubleshoot user and admin login issues
• Troubleshoot bootup issues
• Contact Fortinet customer support for assistance

Establish a system baseline
Before you can clearly define an abnormal operation, you need to know what the normal
operating status is. You can create a repository of this baseline information by keeping
logs, and by regularly running information gathering commands and saving the output.
When there is a problem, this regular operation data helps you determine what has
changed.
It is a good idea to back up the FortiWeb unit's configuration regularly. If you accidentally
change something, the backup can help you restore normal operation quickly and easily.
Backups also can aid in troubleshooting. For details, see “Backing up and restoring
configurations” on page 96.

Check traffic flow
One of your first tests should be to establish if the FortiWeb unit is actually monitoring or
inspecting web traffic on your web servers. Before going further, make these basic
configuration and traffic flow checks:
• Is there a server policy applied to the web server or servers FortiWeb was installed to
protect? Your FortiWeb unit will not allow traffic to a web server without a server policy
for that server if the operation mode is reverse proxy.

• If a server policy exists for the web server, does the server policy reference an auto-
learning profile?
If yes, check your auto-learning report to see if the profile is gathering data. Go to Auto
Learn > Auto Learn Report and click the Detail icon to view the report.
If no, create an auto-learning profile and see if it gathers data. When an auto-learning
profile is in effect, it should gather data if you have web traffic.
• If your system utilizes secure connections (HTTPS and SSL) and there is no traffic
flow, is there a problem with your certificate?
• If you run a test attack from a browser aimed at your web site, does it show up in the
attack log?
To execute a simple attack, append the cmd.exe command to your site's URL, for
example
www.example.com/cmd.exe
Under normal circumstances, you should see a new common exploit entry, such as a
start page violation, in the Attack Log widget of the system dashboard.
If your server policies are correct and your certificate, if applicable, is valid, then move on
to “Define the problem” on page 370, and be sure to look for connectivity problems as
described in “Troubleshoot connectivity issues” on page 373.

Define the problem
Before you can solve a problem, you need to understand it. Often this step can be the
longest in this process. Before starting to troubleshoot a problem, answer these questions:
• Where and when did the problem occur?
• Has it ever worked before?
If the unit never worked properly, you may not want to spend time troubleshooting
something that could well be defective.
• Does your configuration rely on HTTPS or SSL?
If yes, make sure your certificate is loaded and valid.
• Where does the problem lie?
Be specific. Do not assume that the symptom you are experiencing is the actual problem.
Before starting to troubleshoot the FortiWeb unit, determine whether the problem lies
elsewhere.
• Is it a connectivity issue? Can your FortiWeb unit communicate with your network and
the Internet? Is there connection to a DNS server?
• Is there more than one thing not working?
Make a list.
• Is it partly working? If so, what parts are working?
Make a list.
• Can the problem be reproduced at will or is it intermittent?
An intermittent problem can be difficult to troubleshoot due to the difficulty reproducing
the issue.
• Are the servers covered by server policy working? Has a policy been disabled?
Check the Server Status widget on the dashboard.

• Is your system overloaded?
View the Resource Monitor on the dashboard. View the traffic log. (If there is no traffic
log, someone likely turned that feature off. See “Enabling logging” on page 327.)
• Is your system under attack?
View the Attack Event History on the dashboard. View the attack log.
• What has changed?
Do not assume that nothing has changed in the network. Use the FortiWeb event log to
see if something changed in the configuration. If something did change, see what the
effect is when you roll back the change.
• After determining the scope of the problem and isolating it, what servers does it affect?
Once the problem is defined, you can search for a solution and then create a
troubleshooting plan to solve it.

Search for a known solution
You can save time and effort during the troubleshooting process by checking if other
FortiWeb administrators experienced a similar problem before. First check within your
organization. Next, access the Fortinet online resources that provide valuable information
about FortiWeb technical issues.

Technical documentation
FortiWeb installation guides, administration guides, quick start guides, and other technical
documents are available online at:
http://docs.fortinet.com/fweb.html
Also check the release notes for your FortiWeb unit.

Knowledge Base
The Fortinet Knowledge Base includes a variety of articles, white papers, and other
documentation providing technical insight into a range of Fortinet products at:
http://kb.fortinet.com

Fortinet technical discussion forums
Administrators can exchange experiences and tips related to their Fortinet products
through an online technical forum at:
http://support.fortinet.com/forum

Fortinet training services online campus
The Fortinet Online Campus hosts a collection of tutorials and training materials which can
help increase your knowledge of the Fortinet products at:
http://campus.training.fortinet.com

Create a troubleshooting plan
Once you fully define the problem or problems, begin creating a troubleshooting plan. The
plan should list all possible causes of the problems that you can think of, and how to test
for each cause.

The plan will act as a checklist so that you know what you have tried and what is left to
check. The checklist is helpful if more than one person will be troubleshooting: without a
written plan, people can easily become confused and skip steps. Also, if you have to
pass the problem-solving to someone else, providing a detailed list of what data you
gathered and what solutions you tried demonstrates professionalism.
Be ready to add steps to your plan as needed. After you are part way through, you may
discover that you forgot some tests, or a test you performed discovered new information.
This is normal.

Check your access
Make sure your administrator account has the permissions you need to run all diagnostic
tests and to make configuration changes. Also, you may need access to other networking
equipment such as switches, routers, and servers to help you test. If you do not normally
have access to this equipment, contact your network administrator for assistance.
Tip: Check to make sure the FortiWeb unit’s attack signature update license has not
expired. You should be working with the latest attack signatures and other updates.

Gather system information
Your FortiWeb unit provides many features to aid in troubleshooting and performance
monitoring.
Use the web-based manager's dashboard and the CLI commands to define the scope and
details of your problem. Keep track of the information you gather—Fortinet customer
support may request it if you contact them for assistance.
Table 141: Web-based manager information gathering features

System > Status > Status         Displays the firmware version, serial number, host name,
                                 HA status, and up-time in the System Information widget.
                                 Displays CPU usage and memory usage in the System
                                 Resources widget.
                                 Shows server connectivity status in the Server Status
                                 column.
System > Network > Interface     Displays details about each configured system interface
                                 (port).
Router > Static > Static Route   Displays a list of configured static routes including their
                                 IPs, masks, and gateways.
Server Policy > Policy > Policy  Shows server status in the Enable and Status columns.
Log&Report > Log Access          Provides access to the event, traffic, and attack logs.
                                 For the attack and traffic logs, use the Packet Log and
                                 Detail icons to drill in to any entry for greater detail.
Log&Report > Report Browse       Provides access to preconfigured log reports.

Table 142: CLI information gathering features

diagnose debug crashlog show       Displays details on application proxies that have
                                   backtraces, traps, and registration dumps.
diagnose debug flow <params>       Traces the flow of packets through the FortiWeb unit.
diagnose hardware cpu list         Displays a list of specifications and settings for each
                                   CPU in the unit.
diagnose hardware interrupts list  Displays a list of specifications and settings for all
                                   interrupts for each CPU.
diagnose hardware mem list         Displays memory usage details.
diagnose hardware nic list         Displays a list of specifications and settings for the
  <interface>                      specified network interface port.
diagnose network arp list          Displays the contents of the address resolution protocol
                                   (ARP) table.
diagnose network route list        Displays all routes in the routing table including their
                                   type, source, and other data.
diagnose network sniffer packet    Performs a packet trace on a specified network
  <params>                         interface.
diagnose system top <params>       Displays a list of the most system-intensive processes.
execute ping <dest>                Tests connectivity to other devices on your network or
                                   elsewhere.
execute time                       Displays the system time.
execute traceroute <dest>          Traces the route of packets between your FortiWeb unit
                                   and a specified server.
get log <log-type>                 Retrieves the log type specified: event-log, traffic-log,
                                   attack-log.
get log reports <name>             Provides access to the named log report.
get router all                     Displays a list of configured static routes including their
                                   IPs, masks, and gateways.
get system interface               Displays details about each configured system interface
                                   (port).
get system performance             Displays CPU usage, memory usage, and up-time.
get system status                  Provides the firmware version, serial number, bios, host
                                   name, and HA status.
The CLI commands above display data; many of them also have options for modifying
data. For CLI command syntax details for these and other commands, see the FortiWeb
CLI Reference.
Before using a diagnose debug command, make sure to enable the debug feature by
entering:
diagnose debug enable

Check port assignments
There are 65 535 ports available for each of the TCP and UDP stacks that applications
can use when communicating with each other. If someone recently changed a FortiWeb or
network port, that may be part of your problem. For a list of ports used by FortiWeb, see
“Appendix E: Ports used by FortiWeb” on page 403.
In addition, some ports may be assigned to other Fortinet appliances on your network.
See the Fortinet Knowledge Base article, "Traffic Types and TCP/UDP Ports used by
Fortinet Products" at:
http://kb.fortinet.com

Troubleshoot connectivity issues
This section includes troubleshooting questions related to connectivity issues.
• Are all cables and interfaces connected properly?
See “Check hardware connections” on page 374.
• Are you experiencing packet loss or device connectivity problems?
See “Run ping and traceroute” on page 374.

• Are there routes in the routing table for default and static routes? Do all connected
subnets have a route in the routing table?
See “Verify the contents of the routing table” on page 377.
• Are the ARP table entries correct for the next-hop destination?
See “Verify the contents of the ARP table” on page 377.
• Is traffic entering the FortiWeb unit and, if so, does it arrive on the expected interface?
Is the traffic exiting the FortiWeb unit to the expected destination? Is the traffic being
sent back to the originator?
Perform a sniffer trace. See “Perform a sniffer trace” on page 377.
Debug the packet flow. See “Debug the packet flow” on page 378.

Check hardware connections
If there is no traffic flowing from the FortiWeb unit, it may be a hardware problem.

To check hardware connections
• Ensure the network cables are properly plugged in to the interfaces on the FortiWeb
unit.
• Ensure there are connection lights for the network cables on the unit.
• Change the cable if the cable or its connector are damaged or you are unsure about
the cable’s type or quality.
• Connect the FortiWeb unit to different hardware to see if that makes a difference.
• In the web-based manager, select Status > Network > Interface and ensure the link
status is up (up arrow on green circle) for the interface.
If the status is down (down arrow on red circle), click Bring Up next to it in the Status
column.
You can also enable an interface in CLI, for example:
config system interface
edit port2
set status up
end
If any of these checks solve the problem, it was a hardware connection issue. You should
still perform some basic software tests to ensure complete connectivity.
If the hardware connections are correct and the unit is powered on but you cannot connect
using the CLI or web-based manager, you may be experiencing bootup problems. See
“Troubleshoot bootup issues” on page 381.

Run ping and traceroute
Ping and traceroute are useful tools in network troubleshooting. Both tools accept either IP
addresses or fully-qualified domain names as parameters. This can help you determine
why particular services, such as email or web browsing, are not working properly.

Note: If ping does not work, it is likely disabled in the settings of at least one interface,
or in the firewall policies for that interface.

Both ping and traceroute require particular ports to be open on firewalls to function. Since
you typically use these tools to troubleshoot, you can allow them in the firewall policies
and on interfaces only when you need them, and otherwise keep the ports disabled for
added security.

Check connections with ping
The ping command sends a small data packet to the destination and waits for a response.
The response has a timer that may expire, indicating the destination is unreachable.
Ping is part of Layer-3 on the OSI Networking Model. Ping sends Internet Control
Message Protocol (ICMP) “echo request” packets to the destination, and listens for “echo
response” packets in reply. However, many public networks block ICMP packets because
ping can be used in a denial of service (DoS) attack, or by an attacker to find active
locations on the network. By default, FortiWeb units have ping enabled.
If ping does not work from your FortiWeb unit, make sure it was not disabled. Go to
System > Network > Interface. Examine the list of allowed protocols in the Access column
for the port used by the web-based manager (usually port1). If ping is not in the list, add it.

To enable ping
1 Go to System > Network > Interface.
2 Click the Edit icon in the applicable row. A dialog appears.
3 Select PING on the Edit Interface dialog.
4 Click OK.

What ping can tell you
Beyond the basic connectivity information, ping tells you the amount of packet loss (if
any), how long it takes the packet to make the round trip, and the variation in that time
from packet to packet.
If ping shows any packet loss, you should investigate:
• possible ECMP, split horizon, or network loops
• cabling to ensure no loose connections
If ping shows total packet loss, you should investigate:
• hardware to ensure cabling is correct
• all equipment between the two locations to determine they are properly connected
• addresses and routes to ensure all IP addresses and routing information along the
route is configured as expected
• firewalls to ensure they are set to allow ping to pass through
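The reading of ping results described above, as an added example that is not part of the guide: a parser for Linux-style ping output that computes packet loss, average round-trip time and the variation between replies (jitter), identifies which sequence numbers never came back, and maps the outcome onto the two investigation lists just given. The ping output is constructed for the example; the IP address is the one the guide uses in its own ping examples.

```python
import re
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional

# Constructed sample of Linux "ping -c 5" output with one lost reply
# (icmp_seq=3 never answers) and one slow reply. Not real capture data.
SAMPLE_PING_OUTPUT = """\
PING 172.20.120.169 (172.20.120.169) 56(84) bytes of data.
64 bytes from 172.20.120.169: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 172.20.120.169: icmp_seq=2 ttl=64 time=0.398 ms
64 bytes from 172.20.120.169: icmp_seq=4 ttl=64 time=12.731 ms
64 bytes from 172.20.120.169: icmp_seq=5 ttl=64 time=0.405 ms

--- 172.20.120.169 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4005ms
rtt min/avg/max/mdev = 0.398/3.486/12.731/5.337 ms
"""

REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) received")


@dataclass
class PingResult:
    sent: int
    received: int
    rtts_ms: List[float]
    missing_seq: List[int]

    @property
    def loss_pct(self) -> float:
        """Packet loss as a percentage of packets sent."""
        if self.sent == 0:
            return 0.0
        return (self.sent - self.received) * 100.0 / self.sent

    @property
    def jitter_ms(self) -> float:
        """Variation in round-trip time: population standard deviation."""
        return pstdev(self.rtts_ms) if len(self.rtts_ms) > 1 else 0.0

    @property
    def avg_rtt_ms(self) -> Optional[float]:
        return mean(self.rtts_ms) if self.rtts_ms else None


def parse_ping(output: str) -> PingResult:
    """Parse the reply lines and summary line of Linux-style ping output.
    If the run was interrupted before the summary line, the counts are
    inferred from the reply sequence numbers that were seen."""
    rtts: List[float] = []
    seqs: List[int] = []
    sent: Optional[int] = None
    received = 0
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            seqs.append(int(m.group(1)))
            rtts.append(float(m.group(2)))
            continue
        m = SUMMARY_RE.search(line)
        if m:
            sent, received = int(m.group(1)), int(m.group(2))
    if sent is None:
        sent, received = (max(seqs) if seqs else 0), len(seqs)
    seen = set(seqs)
    missing = [s for s in range(1, sent + 1) if s not in seen]
    return PingResult(sent, received, rtts, missing)


def assess(result: PingResult) -> str:
    """Map the outcome onto the two investigation lists from the guide."""
    if result.received == 0:
        return ("total loss: check cabling, every device between the two "
                "points, IP addresses and routes along the path, and "
                "firewalls blocking ping")
    if result.received < result.sent:
        return ("partial loss: check for ECMP, split horizon or network "
                "loops, and for loose cable connections")
    return "no loss"


if __name__ == "__main__":
    r = parse_ping(SAMPLE_PING_OUTPUT)
    print(f"sent={r.sent} received={r.received} loss={r.loss_pct:.0f}% "
          f"avg_rtt={r.avg_rtt_ms:.3f}ms jitter={r.jitter_ms:.3f}ms "
          f"missing={r.missing_seq}")
    print(assess(r))
```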

How to use ping
You can ping from the FortiWeb unit in the CLI Console widget of the web-based manager
or through CLI. For example:
execute ping 172.20.120.169
See the execute ping command in the FortiWeb CLI Reference for an explanation of
the command output and see execute ping-options for a description of the many
options to tailor the ping response to your needs.
If the FortiWeb web-based manager and CLI are not available, you can run ping on a
Windows or Linux PC.

To ping a device from a Windows PC
1 Open a command window.
• In Windows XP, select Start > Run, enter cmd, and select OK.
• In Windows 7, select the Start icon, enter cmd in the search box, and select
cmd.exe from the list.
2 In the command window, enter the ping command and an IP address, for example:
ping 172.20.120.169
Ping options include:
• -t, to send packets until you press Control-C
• -a, to resolve addresses to domain names where possible
• -n x, where x is an integer stating the number of packets to send

To ping a device from a Linux PC
1 Go to a command line prompt.
2 Enter the ping command and an IP address, for example:
ping 172.20.120.169

Check routes with traceroute
Traceroute sends ICMP packets to test each hop along the route. It sends three packets,
and then increases the time to live (TTL) setting by one each time. This effectively allows
the packets to go one hop farther along the route. This explains why most traceroute
commands display their maximum hop count before they start tracing the route—that is
the maximum number of steps it will take before declaring the destination unreachable.
Also the TTL setting may result in steps along the route timing out due to slow responses.
There are many possible reasons for this to occur.
Traceroute by default uses UDP with destination ports numbered from 33434 to 33534.
The traceroute utility usually has an option to specify use of ICMP echo request (type 8)
instead, as used by the Windows tracert utility. If you have a firewall and you want
traceroute to work from both machines (Unix-like systems and Windows) you will need to
allow both protocols inbound through your firewall (UDP with ports from 33434 to 33534
and ICMP type 8).

What traceroute can tell you
Where ping only tells you if the signal reached its destination and came back successfully,
traceroute shows each step of its journey to its destination and how long each step takes.
If ping finds an outage between two points, use traceroute to locate exactly where the
problem is. The traceroute output can identify other problems, such as an inability to
connect to a DNS server.

How to use traceroute


You can run a route trace from the FortiWeb unit in the CLI Console widget of the web-
based manager or through CLI, for example:
execute traceroute docs.fortinet.com
See the execute traceroute command in the FortiWeb CLI Reference for an
explanation of the command output.
If the FortiWeb web-based manager and CLI are not available, you can trace a route on a
Windows or Linux PC.

To use traceroute on a Windows PC


1 Open a command window.
• In Windows XP, select Start > Run, enter cmd, and select OK.
• In Windows 7, select the Start icon, enter cmd in the search box, and select
cmd.exe from the list.
2 Enter the tracert command to trace the route from the host PC to the destination web
site, for example:
tracert fortinet.com
In the tracert output, the first, or left column, is the hop count, which cannot go over 30
hops. The second, third, and fourth columns are how long each of the three packets takes
to reach this stage of the route. These values are in milliseconds and normally vary quite a
bit. Typically a value of <1ms indicates a local connection.
The fifth, or far right column, is the domain name of that device and its IP address or
possibly just the IP address.
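The tracert column layout just described, as an added example that is not part of the original guide: a small Python parser for tracert output that picks out the hops that time out and the hops where the round-trip time jumps, which is usually where the slow or failing link sits. The sample output is constructed (documentation-range addresses and invented host names), and the 30 ms jump threshold is an assumption to be tuned for your network.

```python
import re
import statistics
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Windows tracert output (not a real capture).
# Addresses come from documentation ranges; hop 3 never answers.
SAMPLE_TRACERT = """\
Tracing route to www.example.net [198.51.100.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     8 ms     9 ms     7 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4    41 ms    40 ms    43 ms  core1.example.net [203.0.113.5]
  5    42 ms    44 ms    41 ms  198.51.100.10

Trace complete.
"""

# hop number, three RTT fields ("<1 ms", "8 ms" or "*"), then the host column
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.*?)\s*$")
RTT_RE = re.compile(r"<?\d+ ms|\*")
HOST_RE = re.compile(r"^(?P<name>\S+)\s+\[(?P<ip>[^\]]+)\]$")


@dataclass
class Hop:
    number: int
    rtts: List[Optional[float]]   # None where tracert printed "*"
    name: Optional[str] = None    # DNS name, when tracert could resolve one
    ip: Optional[str] = None      # None for a hop that never answered

    def median_rtt(self) -> Optional[float]:
        answered = [r for r in self.rtts if r is not None]
        return statistics.median(answered) if answered else None


def parse_rtt(token: str) -> Optional[float]:
    if token == "*":
        return None
    # tracert prints "<1 ms" for sub-millisecond replies; treat that as 0 ms.
    return 0.0 if token.startswith("<") else float(token.split()[0])


def parse_tracert(text: str) -> List[Hop]:
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner, blank and "Trace complete." lines
        hop = Hop(number=int(m.group(1)),
                  rtts=[parse_rtt(t) for t in RTT_RE.findall(m.group(2))])
        host = m.group(3)
        if host != "Request timed out.":
            hm = HOST_RE.match(host)
            if hm:
                hop.name, hop.ip = hm.group("name"), hm.group("ip")
            else:
                hop.ip = host  # bare IP address, no reverse DNS
        hops.append(hop)
    return hops


def find_problem_hops(hops: List[Hop], jump_ms: float = 30.0):
    """Return (hop number, reason) for hops that merit a closer look.

    A hop that never answers is reported but is not proof of an outage: many
    routers simply do not reply to traceroute probes.  A large rise in median
    RTT relative to the previous answering hop is where the slow or congested
    link usually is.
    """
    problems = []
    previous = None
    for hop in hops:
        med = hop.median_rtt()
        if med is None:
            problems.append((hop.number, "timed out"))
            continue
        if previous is not None and med - previous >= jump_ms:
            problems.append((hop.number, f"latency jump of {med - previous:.0f} ms"))
        previous = med
    return problems


if __name__ == "__main__":
    for number, reason in find_problem_hops(parse_tracert(SAMPLE_TRACERT)):
        print(f"hop {number}: {reason}")
```

Feed it the saved output of a real tracert run (redirect the command to a file) and compare the flagged hop numbers with the address column to see which device to examine next.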

To use traceroute on a Linux PC


1 Go to a command line prompt.
2 Enter:
traceroute fortinet.com
The Linux traceroute output is very similar to the MS Windows tracert output.

Verify the contents of the routing table


When you have little connectivity, a good place to look for information is the routing table.
The routing table is where the FortiWeb unit stores currently used static routes. If a route
is in the routing table, it saves the time and resources of a lookup. If a route was not used
for a while and a new route needs to be added, the oldest, least-used route is bumped if
the routing table is full. This ensures the most recently used routes stay in the table.
To check the routing table in the CLI, enter:
diagnose network route list

Verify the contents of the ARP table


When you have poor connectivity, another good place to look for information is the
address resolution protocol (ARP) table. A functioning ARP is especially important in high-
availability configurations.
To check the ARP table in the CLI, enter:
diagnose network arp list

Perform a sniffer trace


When troubleshooting networks and routing in particular, it helps to look inside the
headers of packets to determine if they are traveling along the route you expect. Packet
sniffing is also called a network tap, packet capture, or logic analyzing.

What can sniffing packets tell you


Packet sniffing can tell you if the traffic is reaching its destination, what the port of entry is
on the FortiWeb unit, if the ARP resolution is correct, and if the traffic is being sent back to
the source as expected. Packet sniffing can also tell you if the FortiWeb unit is silently
dropping packets.
Note: If you configure virtual IP addresses on your FortiWeb unit, it will use those
addresses in preference to the physical IP addresses. You will notice this when you are
sniffing packets because all traffic will use the virtual IP addresses. This is due to the ARP
update that is sent out when the virtual IP address is configured.

To sniff packets
The general form of the internal FortiWeb packet sniffer command is:
diagnose network sniffer packet <interface_name> <filter_str> <verbose-level> <count_int>

This example checks network traffic on port1, with no filter, and captures 10 packets:
diagnose network sniffer packet port1 none 1 10
See the FortiWeb CLI Reference for an explanation of the command and its parameters.

Debug the packet flow


If you have determined that network traffic is not entering and leaving the FortiWeb unit as
expected, debug the packet flow using CLI. This operation requires you to enter several
debug commands to set the policy to use and then to set the server IP to apply the policy
to, for example:
diagnose debug enable
diagnose debug flow filter policy policy-name Policy1
diagnose debug flow filter policy source-ip 172.20.120.27
See the FortiWeb CLI Reference for an explanation of the command and its parameters.

Troubleshoot resource issues


This section includes troubleshooting questions related to sluggish or stalled performance.
• Is a process hogging system resources?
Check for a misbehaving process. See “Look for system-intensive processes” on
page 378.
• Is a server under attack?
See “Prepare for attacks” on page 379.
• Has there been a sustained spike in HTTP traffic related to a specific policy?
See “Monitor traffic” on page 379.

Look for system-intensive processes


Use the CLI to view a list of the most system-intensive processes. This may show
processes that are hogging resources. For example:
diagnose system top 10
The above command generates a report of processes every 10 seconds. The report
provides the process names, their process ID (pid), status, CPU usage, and memory
usage.

The report continues to refresh and display in the CLI window until you enter q (quit).

Monitor traffic
Heavy or unusual traffic loads can cause problems.
In the FortiWeb unit's web-based manager, you can view traffic two ways:
• Monitor current HTTP traffic on the dashboard. Go to System > Status > Status and
examine the graphs in the Policy Summary widget.
• Examine traffic history in the traffic log. Go to Logs&Report > Log Access > Traffic.

Prepare for attacks


A prolonged denial of service (DoS) or brute-force login attack (to name just a few attack
types) can bring a system to a standstill, if your unit is not prepared for it.
In the FortiWeb unit's web-based manager, you can watch for attacks in two ways:
• Monitor current HTTP traffic on the dashboard. Go to System > Status > Status and
examine the attack event history graph in the Policy Summary widget.
• Examine attack history in the attack log. Go to Logs&Report > Log Access > Attack.
If attacks occur, use the FortiWeb unit's rich feature set to configure attack defenses. For a
list of attack types and suggested defenses, see “Characteristics of XML threats” on
page 15 and “Characteristics of HTTP threats” on page 16.

Troubleshoot user and admin login issues


A common problem is the inability of users or administrators to log in. There are a number
of potential reasons for these problems. Once the source of the problem is found, the
administrator should follow the appropriate policies to resolve the problems, notifying
affected users if warranted.

Use correct user name and password combination for user


This may be obvious, but it should be the first thing to check. While there are valid reasons
for users to forget login information or enter the wrong information, it may actually be
someone trying to use someone else's credentials to gain illegal access to the company
network. If this is the case, you do not want to waste time on any additional
troubleshooting. Also if this is the case, it will generally be a single user with problems
instead of a group of users.

Check user authentication policies


In FortiWeb, users are organized into groups. Groups are part of authentication policies. If
several users have authentication problems, it is possible someone changed an
authentication policy or user group memberships. If a user is legitimately having an
authentication problem, you need to find out where the problem lies.

To troubleshoot user access


1 In the web-based manager, go to User > User Group and examine each group to
locate the name of the problem user.
2 Note the user group to which the affected users belong, especially if multiple affected
users are part of one group. If the user is not a group member, there is no access.

3 Go to Web Protection > Authentication Policy > Authentication Rule and determine
which rule contains the problem user group. If the user group is not part of a rule, there
is no access.
4 Go to Web Protection > Authentication Policy > Authentication Policy and locate the
policy that contains the rule governing the problem user group. If the rule is not part of
a policy, there is no access.
5 Go to Web Protection > Web Protection Profile > Inline Protection Profile and
determine which profile contains the related authentication policy. If the policy is not
part of a profile, there is no access.
6 Make sure that inline protection profile is included in the server policy that applies to
the server the user is trying to access. If the profile is not part of the server policy, there
is no access.
Authentication involves user groups, authentication rules and policy, inline protection
policy, and finally, server policy. If a user is not in a user group used in the policy for a
specific server, the user will have no access.
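The six-step walk through user group, authentication rule, authentication policy, inline protection profile and server policy, as an added example that is not part of the original guide: a Python function that checks the same chain against a simplified model of the configuration and reports the first missing link. The model and all object names are constructed for this example; it is not FortiWeb's own configuration format, and you would populate it from your unit's configuration backup.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class AuthChainConfig:
    """Simplified, constructed model of the objects involved in user
    authentication (assumption: not FortiWeb's own configuration format)."""
    user_groups: Dict[str, List[str]]            # user group -> member user names
    auth_rules: Dict[str, str]                   # authentication rule -> user group
    auth_policies: Dict[str, List[str]]          # authentication policy -> rules
    inline_profiles: Dict[str, str]              # inline protection profile -> auth policy
    server_policies: Dict[str, Tuple[str, str]]  # server policy -> (server, inline profile)


def diagnose_user_access(cfg: AuthChainConfig, user: str, server: str) -> Tuple[bool, str]:
    """Walk the chain for one user and one server, in the order of steps 1 to 6.

    Returns (True, explanation) when every link exists, or (False, reason)
    naming the first missing link, which is where to look in the web-based manager.
    """
    # Steps 1-2: user group membership.
    groups = [g for g, members in cfg.user_groups.items() if user in members]
    if not groups:
        return False, f"{user} is not a member of any user group"
    # Step 3: an authentication rule that contains one of those groups.
    rules = [r for r, g in cfg.auth_rules.items() if g in groups]
    if not rules:
        return False, f"no authentication rule contains user group {groups}"
    # Step 4: an authentication policy that contains one of those rules.
    policies = [p for p, rs in cfg.auth_policies.items() if set(rs) & set(rules)]
    if not policies:
        return False, f"no authentication policy contains rule {rules}"
    # Step 5: an inline protection profile that uses one of those policies.
    profiles = [pr for pr, pol in cfg.inline_profiles.items() if pol in policies]
    if not profiles:
        return False, f"no inline protection profile uses authentication policy {policies}"
    # Step 6: a server policy for this server that uses one of those profiles.
    matches = [sp for sp, (srv, pr) in cfg.server_policies.items()
               if srv == server and pr in profiles]
    if not matches:
        return False, (f"no server policy for {server} uses inline protection "
                       f"profile {profiles}")
    return True, f"{user} reaches {server} through server policy {matches[0]}"


# Constructed sample configuration; every name here is invented.
SAMPLE_CONFIG = AuthChainConfig(
    user_groups={"sales-users": ["alice", "bob"], "eng-users": ["carol"]},
    auth_rules={"rule-sales": "sales-users"},
    auth_policies={"auth-policy-www": ["rule-sales"]},
    inline_profiles={"inline-www": "auth-policy-www", "inline-intranet": ""},
    server_policies={
        "policy-www": ("www.example.com", "inline-www"),
        "policy-intranet": ("intranet.example.com", "inline-intranet"),
    },
)

if __name__ == "__main__":
    for user, server in [("alice", "www.example.com"), ("carol", "www.example.com"),
                         ("alice", "intranet.example.com"), ("dave", "www.example.com")]:
        ok, why = diagnose_user_access(SAMPLE_CONFIG, user, server)
        print("OK " if ok else "NO ", why)
```

Running the check for every affected user at once shows quickly whether they share a missing link (for example one rule that lost its group), which is the pattern the section above says to look for when several users fail at the same time.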

Change an administrator's password


Any manager with write privileges to Admin Users in their access profile (admingrp in the
CLI) can reset an administrator password, if they know the current password.
Sometimes administrators forget their passwords. There is just one administrator with the
authority to reset other administrators’ passwords without knowing their current password.
That is the default administrator, admin.

Trusted hosts for admin account will not allow current IP


A trusted host is a secure location from which an administrator logs in. For example, on a
secure network an administrator can log in from an internal subnet but not from the
Internet.
If an external administrator login is required, a secure VPN tunnel can be established with
a set IP address or range of addresses that are entered as a trusted host address.
Trusted host login issues occur when an administrator attempts to log in from an IP
address that is not included in the trusted host list.

To verify trusted host login issues


1 Record the IP address where the administrator is attempting to log in to the FortiWeb
unit.
2 Log in to the web-based manager and go to System > Admin> Administrators.
3 Select the administrator account in question and click the Edit icon.
4 Compare the list of trusted hosts to the problem IP address. If there is a match, the
problem is not due to trusted hosts.
5 If there is no match and the new address is valid (secure), add it to the list of trusted
hosts.
6 Select OK.
If the problem was due to trusted hosts, the administrator can now log in.
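Step 4 of the procedure above, as an added example that is not part of the original guide: a Python check that compares the address an administrator is logging in from against a trusted host list, and a small audit that flags entries so broad that they accept logins from anywhere. The entry formats accepted (address with prefix length, address with netmask, or a bare address) and the sample addresses are assumptions constructed for the example; confirm the formats your unit shows in the Administrators page before relying on them.

```python
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_trusted_hosts(entries: List[str]) -> List[Network]:
    """Turn trusted host entries into networks.

    Accepts 'address/prefixlen', 'address/netmask' or a bare address (treated
    as a single host).  strict=False lets an entry such as 192.168.1.7/24 be
    read as the network 192.168.1.0/24 rather than rejected.
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def matching_trusted_host(login_ip: str, trusted: List[Network]) -> Optional[Network]:
    """Return the first trusted host entry that contains login_ip, or None.

    None means a login from that address will be refused (step 4 above); the
    caller then decides whether the address is a secure one to add (step 5).
    """
    ip = ipaddress.ip_address(login_ip.strip())
    for net in trusted:
        if ip in net:  # False when the IP versions differ, so v4 and v6 can mix
            return net
    return None


def overly_broad_entries(trusted: List[Network]) -> List[str]:
    """Entries with a 0-bit prefix accept logins from any address, which defeats
    the purpose of trusted hosts; report them so they can be tightened."""
    return [str(net) for net in trusted if net.prefixlen == 0]


if __name__ == "__main__":
    # Constructed sample: an internal subnet, one jump host and a VPN range.
    trusted = parse_trusted_hosts(["192.168.1.0/255.255.255.0", "10.0.0.5", "2001:db8::/32"])
    for candidate in ["192.168.1.77", "10.0.0.6", "2001:db8::1"]:
        print(candidate, "->", matching_trusted_host(candidate, trusted))
    print("too broad:", overly_broad_entries(parse_trusted_hosts(["0.0.0.0/0"])))
```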

Troubleshoot bootup issues


This section addresses problems you may experience in rare cases when powering on
your FortiWeb unit. If you continue to have problems, please contact customer support for
assistance.

Note: It is rare that units experience any of the symptoms listed here. Fortinet hardware is
reliable with a long expected operation life.

When you cannot connect to the FortiWeb unit through the network using CLI or the web-
based manager, connect a PC directly to the FortiWeb unit's management console using a
serial connection. (The cable varies with the FortiWeb model. See the model's Quick Start
Guide for details.)
Open a terminal emulation interface, such as HyperTerminal, to act as the console. The
issues covered in this section all refer to various potential bootup issues. Once you have a
direct cable link to the FortiWeb unit, work through the following steps and keep a copy of
the console's output messages.
If you have multiple problems, go to the problem closest to the top of the list first, and work
your way down.
• A. Do you see the boot options menu
• B. Do you have problems with the console text
• C. Do you have visible power problems
• D. You have a suspected defective FortiWeb unit

A. Do you see the boot options menu


1 Do you see the boot options menu?
• If no, ensure your serial communication parameters are set to no flow control,
check that the baud rate is set correctly (usually 9600, data bits 8, parity none,
stop bits 1), and reboot the FortiWeb unit by powering off and on.
• If that fixes your problem, you are done.
• If it does not fix your problem, go to C. Do you have visible power problems.

B. Do you have problems with the console text


1 Do you see any console messages?
• If no, go to C. Do you have visible power problems.
• If yes, continue.
2 Are there console messages but text is garbled on the screen?
• If yes, ensure your console communication settings are correct for your unit (such
as, baud rate 9600, data bits 8, parity none, stop bits 1). Check the FortiWeb Quick
Start Guide for settings specific to your model.
• If that fixes the problem, you are done.
3 Do the console messages stop before the prompt: Press Any Key to Download
Boot Image?
• If yes, go to D. You have a suspected defective FortiWeb unit.
• If no, follow the console instruction Press any key to Download Boot Image
and go to the next step.
4 When pressing a key, do you see one of the following messages?
[G] Get Firmware image from TFTP server
[F] Format boot device
[B] Boot with backup firmware and act as default
[Q] Quit menu and continue to boot with default firmware
[H] Display this list of options
• If yes, go to D. You have a suspected defective FortiWeb unit.
• If no, ensure your serial communication parameters are set to no flow control,
and check that the correct baud rate is set.
To find the unit's current baud rate using CLI, enter these commands:
config system console
get
Change settings if needed and reboot the FortiWeb unit by powering off and on.
5 Did the reboot fix the problem?
• If that fixes your problem, you are done.
• If that does not fix your problem, go to D. You have a suspected defective FortiWeb
unit.

C. Do you have visible power problems


1 Is there any LED on the FortiWeb unit?
• If no, ensure power is on. If that fixes the problem you are done. If not, continue.
• If yes, continue.
2 Do you have an external power adapter?
• If no, go to D. You have a suspected defective FortiWeb unit.
• If yes, try replacing the power adapter.
3 Is the power supply defective?
• If no, go to D. You have a suspected defective FortiWeb unit.
• If yes, replace the power supply and begin the tests again at A. Do you see the boot
options menu.

D. You have a suspected defective FortiWeb unit


If you followed the previous steps and determined there is a good chance your unit is
defective, contact Fortinet customer support.

Contact Fortinet customer support for assistance


After you have defined your problem, researched a solution, created a plan, and executed
that plan, if you still have not solved the problem, it is time to contact Fortinet customer
support for assistance.
To receive technical support and service updates, your Fortinet product must be
registered. Registration, support programs, assistance, and regional phone contacts are
available at the following URL:
https://support.fortinet.com

When you are registered and ready to contact support:


1 Prepare the following information first:
• your contact information
• the firmware version
• a recent server policy configuration
• access to recent event, traffic and attack logs
• a network topology diagram and IP addresses
• a list of troubleshooting steps performed so far and the results
For bootup problems:
• provide all console messages and output
• if you suspect a hard disk issue, provide your evidence
2 Document the problem and the steps you took to define the problem.
3 Open a support ticket.
For details on using the Fortinet support portal and providing the best information, see the
Knowledge Base article, "Fortinet Support Portal for Product Registration, Contract
Registration, Ticket Management, and Account Management" at:
http://kb.fortinet.com

Installing new firmware


Fortinet periodically releases FortiWeb firmware updates to include enhancements and
address issues. After you have registered your FortiWeb unit, FortiWeb firmware is
available for download at http://support.fortinet.com.
Installing new firmware can overwrite attack signature packages using the versions of the
packages that were current at the time that the firmware image was built. To avoid repeat
updates, update the firmware before updating your FortiGuard packages.
New firmware can also introduce new features which you must configure for the first time.
For late-breaking information specific to the firmware release version, see the Release
Notes available with that release.

Note: In addition to major releases that contain new features, Fortinet releases patch
releases that resolve specific issues without containing new features and/or changes to
existing features. It is recommended to download and install patch releases as soon as
they are available.

Note: Before you can download firmware updates for your FortiWeb unit, you must first
register your FortiWeb unit with Fortinet Technical Support. For details, go to
http://support.fortinet.com/ or contact Fortinet Technical Support.

This chapter includes the following topics:


• Testing new firmware before installing it
• Installing firmware
• Installing backup firmware
• Restoring firmware

Testing new firmware before installing it


You can test a new firmware image by temporarily running it from memory, without saving
it to disk. By keeping your existing firmware on disk, if the evaluation fails, you do not have
to re-install your previous firmware. Instead, you can quickly revert to your existing
firmware by simply rebooting the FortiWeb unit.

To test a new firmware image


1 Download the firmware file from the Fortinet Technical Support web site,
https://support.fortinet.com/.
2 Connect your management computer to the FortiWeb console port using a RJ-45-to-
DB-9 serial cable or a null-modem cable.
3 Initiate a connection from your management computer to the CLI of the FortiWeb unit.
For details, see the FortiWeb Install and Setup Guide.
4 Connect port1 of the FortiWeb unit directly or to the same subnet as a TFTP server.
5 Copy the new firmware image file to the root directory of the TFTP server.

6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach
the TFTP server.
To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
7 Enter the following command to restart the FortiWeb unit:
execute reboot
8 As the FortiWeb unit starts, a series of system startup messages appears.
Press any key to display configuration menu........
9 Immediately press a key to interrupt the system startup.

Note: You have only three seconds to press a key. If you do not press a key soon enough,
the FortiWeb unit reboots and you must log in and repeat the execute reboot
command.

If you successfully interrupt the startup process, the following messages appear:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:

Please connect TFTP server to Ethernet port "1".


10 Type G to get the firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
11 Type the IP address of the TFTP server and press Enter.
The following message appears:
Enter local address [192.168.1.188]:
12 Type a temporary IP address that can be used by the FortiWeb unit to connect to the
TFTP server.
The following message appears:
Enter firmware image file name [image.out]:
13 Type the firmware image file name and press Enter.
The FortiWeb unit downloads the firmware image file from the TFTP server and
displays a message similar to the following:
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
14 Type R.
The FortiWeb image is loaded into memory and uses the current configuration,
without saving the new firmware image to disk.
15 To verify that the new firmware image has been loaded, log in to the CLI and type:
get system status

16 Test the new firmware image.


• If the new firmware image operates successfully, you can install it to disk,
overwriting the existing firmware, using the procedure “Installing firmware” on
page 387.
• If the new firmware image does not operate successfully, reboot the FortiWeb unit
to discard the temporary firmware and resume operation using the existing
firmware.

Installing firmware
You can use either the web-based manager or the CLI to upgrade or downgrade the
firmware of the FortiWeb unit.
Firmware changes are either:
• an upgrade to a newer version
• a reversion to an earlier version
The firmware version number is used to determine if you are upgrading or reverting your
firmware image.
For example, if your current firmware version is
FortiWeb-1000B 4.00,build0194,100119, changing to
FortiWeb-1000B 4.00,build0192,091210, an earlier build number and date,
indicates that you are reverting.
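The version string format just shown, as an added example that is not part of the original guide: a Python parser for strings of the form "FortiWeb-1000B 4.00,build0194,100119" that decides whether installing one image over another is an upgrade or a reversion, so the backup step in the caution below is not skipped by mistake. The date field is assumed to be a zero-padded YYMMDD value, and "FortiWeb-OTHER" is a placeholder model name, not a real one.

```python
import re
from dataclasses import dataclass, field

# Matches the version string shown by get system status, e.g.
# "FortiWeb-1000B 4.00,build0194,100119": model, major.minor, build, YYMMDD date.
VERSION_RE = re.compile(
    r"^(?P<model>\S+)\s+(?P<major>\d+)\.(?P<minor>\d+),build(?P<build>\d+),(?P<date>\d{6})$"
)


@dataclass(frozen=True, order=True)
class FirmwareVersion:
    major: int
    minor: int
    build: int
    date: str                          # YYMMDD, zero-padded, so text order is date order
    model: str = field(compare=False)  # must match, but plays no part in ordering


def parse_version(text: str) -> FirmwareVersion:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    return FirmwareVersion(int(m["major"]), int(m["minor"]), int(m["build"]),
                           m["date"], m["model"])


def classify_change(current: FirmwareVersion, target: FirmwareVersion) -> str:
    """Return 'upgrade', 'reversion' or 'same' for installing target over current.

    A reversion is the case that needs a configuration backup first, because
    the configuration may be reset to defaults.  An image built for a different
    model is refused outright.
    """
    if current.model != target.model:
        raise ValueError(f"image is built for {target.model}, unit is {current.model}")
    if target > current:
        return "upgrade"
    if target < current:
        return "reversion"
    return "same"


if __name__ == "__main__":
    running = parse_version("FortiWeb-1000B 4.00,build0194,100119")
    image = parse_version("FortiWeb-1000B 4.00,build0192,091210")
    print(classify_change(running, image))
```

Comparison is by major, then minor, then build number, then build date, so two images with the same major and minor version are ordered by their build number, as the example in the text describes.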

Caution: Back up your configuration before beginning this procedure.


Reverting to an earlier firmware version could reset the configuration, including the IP
addresses of network interfaces. For information on backups, see “Backing up and
restoring configurations” on page 96. For information on reconnecting to a FortiWeb unit
whose network interface configuration has been reset, see the FortiWeb Install and Setup
Guide.

If you are installing a firmware version that requires a different size of system partition, you
may be required to format the boot device before installing the firmware by re-imaging the
boot device. In that case, do not install the firmware using this procedure. Instead, see
“Restoring firmware” on page 391.

To install firmware using the web-based manager


1 Download the firmware file from the Fortinet Technical Support web site,
https://support.fortinet.com/.
2 Log in to the web-based manager of the FortiWeb unit as the admin administrator, or
an administrator account whose access profile contains Read and Write permissions in
the Maintenance category.
3 Go to System > Status > Status.

Figure 68: System Information widget

4 In the System Information widget, in the Firmware Version row, click Update. A browse
window appears.
5 Click Browse to locate and select the firmware file that you want to install, then click
OK.
6 Click OK.
Your management computer uploads the firmware image to the FortiWeb unit. The
FortiWeb unit installs the firmware and restarts. The time required varies by the size of
the file and the speed of your network connection.
If you are downgrading the firmware to a previous version, the FortiWeb unit reverts
the configuration to default values for that version of the firmware. Either reconfigure
the FortiWeb unit or restore the configuration file. For details, see the FortiWeb Install
and Setup Guide and “Backing up and restoring configurations” on page 96.
7 Clear the cache of your web browser and restart it to ensure that it reloads the web-
based manager and correctly displays all interface changes. For details, see your
browser's documentation.
8 To verify that the firmware was successfully installed, log in to the web-based manager
and go to System > Status > Status. Text appearing in the Firmware Version row
indicates the currently installed firmware version.
9 Update the attack definitions.

Note: Installing firmware replaces the current attack definitions with those included with the
firmware release that you are installing. After you install the new firmware, make sure that
your attack definitions are up-to-date. For more information, see “Uploading signature
updates” on page 101.

To install firmware using the CLI


1 Download the firmware file from the Fortinet Technical Support web site,
https://support.fortinet.com/.
2 Connect your management computer to the FortiWeb console port using a RJ-45-to-
DB-9 serial cable or a null-modem cable.
3 Initiate a connection from your management computer to the CLI of the FortiWeb unit,
and log in as the admin administrator, or an administrator account whose access
profile contains Read and Write permissions in the Maintenance category.
For details, see the FortiWeb Install and Setup Guide.
4 Connect port1 of the FortiWeb unit directly or to the same subnet as a TFTP server.
5 Copy the new firmware image file to the root directory of the TFTP server.

6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach
the TFTP server.
To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
7 Enter the following command to download the firmware image from the TFTP server to
the FortiWeb unit:
execute restore image tftp <name_str> <tftp_ipv4>
where <name_str> is the name of the firmware image file and <tftp_ipv4> is the
IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
One of the following messages appears:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
or:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
8 Type y.
The FortiWeb unit downloads the firmware image file from the TFTP server. The
FortiWeb unit installs the firmware and restarts. The time required varies by the size of
the file and the speed of your network connection.
If you are downgrading the firmware to a previous version, the FortiWeb unit reverts
the configuration to default values for that version of the firmware. Either reconfigure
the FortiWeb unit or restore the configuration file. For details, see the FortiWeb Install
and Setup Guide and “Backing up and restoring configurations” on page 96.
9 To verify that the firmware was successfully installed, log in to the CLI and type:
get system status
The firmware version number is displayed.
10 Update the attack definitions.

Note: Installing firmware replaces the current attack definitions with those included with the
firmware release that you are installing. After you install the new firmware, make sure that
your attack definitions are up-to-date. For more information, see “Uploading signature
updates” on page 101.

Installing backup firmware


You can install backup firmware, which can be loaded if the primary firmware fails.

To install backup firmware


1 Download the firmware file from the Fortinet Technical Support web site,
https://support.fortinet.com/.
2 Connect your management computer to the FortiWeb console port using a RJ-45-to-
DB-9 serial cable or a null-modem cable.

3 Initiate a connection from your management computer to the CLI of the FortiWeb unit,
and log in as the admin administrator, or an administrator account whose access
profile contains Read and Write permissions in the Maintenance category.
For details, see the FortiWeb Install and Setup Guide.
4 Connect port1 of the FortiWeb unit directly or to the same subnet as a TFTP server.
5 Copy the new firmware image file to the root directory of the TFTP server.
6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach
the TFTP server.
To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
7 Enter the following command to restart the FortiWeb unit:
execute reboot
8 As the FortiWeb unit starts, a series of system startup messages appears.
Press any key to display configuration menu........
9 Immediately press a key to interrupt the system startup.

Note: You have only 3 seconds to press a key. If you do not press a key soon enough, the
FortiWeb unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following messages appear:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:

Please connect TFTP server to Ethernet port "1".


10 Type G to get the firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
11 Type the IP address of the TFTP server and press Enter.
The following message appears:
Enter local address [192.168.1.188]:
12 Type a temporary IP address that can be used by the FortiWeb unit to connect to the
TFTP server.
The following message appears:
Enter firmware image file name [image.out]:
13 Type the firmware image file name and press Enter.
The FortiWeb unit downloads the firmware image file from the TFTP server and
displays a message similar to the following:
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

14 Type B.
The FortiWeb unit saves the backup firmware image and restarts. When the FortiWeb
unit restarts, it is running the primary firmware.

To use backup firmware as the primary firmware


1 Connect your management computer to the FortiWeb console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.
2 Initiate a connection from your management computer to the CLI of the FortiWeb unit,
and log in as the admin administrator, or an administrator account whose access
profile contains Read and Write permissions in the Maintenance category.
For details, see the FortiWeb Install and Setup Guide.
3 Enter the following command to restart the FortiWeb unit:
execute reboot
4 As the FortiWeb unit starts, a series of system startup messages appears.
Press any key to display configuration menu........
Immediately press a key to interrupt the system startup.

Note: You have only 3 seconds to press a key. If you do not press a key soon enough, the
FortiWeb unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following messages appear:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:

Please connect TFTP server to Ethernet port "1".


5 Type B to reboot and use the backup firmware.

Restoring firmware
Restoring the firmware can be useful if:
• you are unable to connect to the FortiWeb unit using the web-based manager or the
CLI
• you want to install firmware without preserving any existing configuration
• a firmware version that you want to install requires a different size of system partition
(see the Release Notes accompanying the firmware)
• a firmware version that you want to install requires that you format the boot device (see
the Release Notes accompanying the firmware)
Unlike installing firmware, restoring firmware re-images the boot device, including the
signatures that were current at the time that the firmware image file was created. Also,
restoring firmware can only be done during a boot interrupt, before network connectivity is
available, and therefore requires a local console connection to the CLI. It cannot be done
through a network connection.


Caution: Back up your configuration before beginning this procedure, if possible. Restoring
firmware resets the configuration, including the IP addresses of network interfaces. For
information on backups, see “Backing up and restoring configurations” on page 96. For
information on reconnecting to a FortiWeb unit whose network interface configuration has
been reset, see the FortiWeb Install and Setup Guide.

To restore the firmware


1 Download the firmware file from the Fortinet Technical Support web site,
https://support.fortinet.com/.
2 Connect your management computer to the FortiWeb console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.
3 Initiate a local console connection from your management computer to the CLI of the
FortiWeb unit, and log in as the admin administrator, or an administrator account
whose access profile contains Read and Write permissions in the Maintenance
category.
For details, see the FortiWeb Install and Setup Guide.
4 Connect port1 of the FortiWeb unit directly or to the same subnet as a TFTP server.
5 Copy the new firmware image file to the root directory of the TFTP server.
6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach
the TFTP server.
To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
7 Enter the following command to restart the FortiWeb unit:
execute reboot
8 As the FortiWeb unit starts, a series of system startup messages appears.
Press any key to display configuration menu........
9 Immediately press a key to interrupt the system startup.

Note: You have only 3 seconds to press a key. If you do not press a key soon enough, the
FortiWeb unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following messages appear:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:

Please connect TFTP server to Ethernet port "1".


10 If the firmware version requires that you format the boot device before installing the
firmware, type F and wait until formatting finishes before continuing.


11 Type G to get the firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
12 Type the IP address of the TFTP server and press Enter.
The following message appears:
Enter local address [192.168.1.188]:
13 Type a temporary IP address that can be used by the FortiWeb unit to connect to the
TFTP server.
The following message appears:
Enter firmware image file name [image.out]:
14 Type the file name of the firmware image and press Enter.
The FortiWeb unit downloads the firmware image file from the TFTP server and
displays a message similar to the following:
Save as Default firmware/Backup firmware/Run image without
saving:[D/B/R]?
15 Type D.
The FortiWeb unit downloads the firmware image file from the TFTP server. The
FortiWeb unit installs the firmware and restarts. The time required varies by the size of
the file and the speed of your network connection.
The FortiWeb unit reverts the configuration to default values for that version of the
firmware.
16 To verify that the firmware was successfully installed, log in to the CLI and type:
get system status
The firmware version number is displayed.
17 Either reconfigure the FortiWeb unit or restore the configuration file. For details, see
FortiWeb Install and Setup Guide and “Backing up and restoring configurations” on
page 96.
18 Update the attack definitions.

Note: Installing firmware replaces the current attack definitions with those included with the
firmware release that you are installing. After you install the new firmware, make sure that
your attack definitions are up-to-date. For more information, see “Uploading signature
updates” on page 101.

Appendix A: Supported RFCs, W3C and IEEE standards
The current release of FortiWeb supports the following IETF RFCs, W3C standards, and
IEEE standards.

RFC
RFC 1213
Management Information Base for Network Management of TCP/IP-based internets: MIB-II - see reference 1
RFC 2616
Hypertext Transfer Protocol -- HTTP/1.1 - see reference 1, reference 2
RFC 2617
HTTP Authentication: Basic and Digest Access Authentication - see reference 1
RFC 2665
Definitions of Managed Objects for the Ethernet-like Interface Types - see reference 1

W3C standards
extensible markup language (XML) 1.0 (Third Edition)
• XML Current Status:
http://www.w3.org/standards/techs/xml#w3c_all
• W3C Recommendation 04 February 2004:
http://www.w3.org/TR/2004/REC-xml-20040204
see reference 1, reference 2
XML Schema v1.0
• XML Schema Current Status:
http://www.w3.org/standards/techs/xmlschema#w3c_all
see reference 1
• XML Schema Part 0: Primer Second Edition, W3C Recommendation 28 October 2004:
http://www.w3.org/TR/2004/REC-xmlschema-0-20041028/
• XML Schema Part 1: Structures Second Edition, W3C Recommendation 28 October
2004:
http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/
• XML Schema Part 2: Datatypes Second Edition, W3C Recommendation 28 October
2004:
http://www.w3.org/TR/2004/REC-xmlschema-2-20041028/
simple object access protocol (SOAP) 1.1
• W3C Note 08 May 2000
http://www.w3.org/TR/2000/NOTE-SOAP-20000508/
see reference 1
web services description language (WSDL) 1.0
• W3C Note 15 March 2001
http://www.w3.org/TR/wsdl
see reference 1
XML encryption
• XML Encryption Current Status
http://www.w3.org/standards/techs/xmlenc#w3c_all
see reference 1
• XML Encryption Syntax and Processing
http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/
XML signature
• XML Signature Current Status
http://www.w3.org/standards/techs/xmlsig#w3c_all
see reference 1
• XML Signature Syntax and Processing
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/

IEEE standards
spanning tree protocol IEEE 802.1d
see reference 1
virtual LANs IEEE 802.1q
see reference 1

Appendix B: Maximum values
This table shows maximum configurable values for FortiWeb Version 4.0 MR2. All
performance values are assumed to mean “up to” and depend on your configuration. The
maximum number of persistent server sessions per policy is limited by the unit’s RAM.

Table 143: Maximum configurable values

                                                FortiWeb model
                                                FortiWeb-400B  FortiWeb-1000B  FortiWeb-1000C  FortiWeb-3000C
Maximum policies per unit                       20             40              60              100
Default RAM                                     1 GB           2 GB            3 GB            6 GB
Maximum persistent server sessions per policy   8 000          15 000          20 000          50 000
Maximum persistent server sessions per unit     20 000         40 000          60 000          100 000
Maximum HTTP transactions per second            10 000         22 000          27 000          40 000
Network interfaces (ports)                      4              4               4               6
VLAN interfaces                                 32             32              32              32
Maximum servers per server farm                 20             20              20              20

FortiWeb-VM
For a FortiWeb-VM virtual appliance running in a VMware image, the maximum number of
server sessions varies with the amount of memory available to FortiWeb-VM on the
VMware server.
To see the maximum allowed sessions, do the following:
1 Open the web-based manager.
2 Go to Server Policy > Policy.
3 Either click Create New or edit an existing policy.
4 Look at the minimum-maximum range indicator next to the Persistent Server Sessions
option. That number tells you the maximum server sessions for your installation.
The number of network interfaces (ports) for FortiWeb-VM is 4. For installation
instructions, see the FortiWeb-VM Install Guide.

Interpreting maximum values


Some of the values in Table 143 need explanation to fully understand their application.

Persistent server sessions


You can set the value of maximum persistent server sessions per policy to a lower number
(to a fixed minimum) when configuring a server policy by using the Persistent Server
Sessions option. FortiWeb distributes the number of persistent server sessions evenly
across the physical servers protected by the server policy. For details, see “Configuring
server policies” on page 118.
You cannot maximize both the number of allowed policies and the number of persistent
server sessions per policy. The maximum persistent server sessions per unit sets the
overall limit. For example, the FortiWeb-400B allows 20 server policies and up to 8 000
persistent server sessions per policy. That does not mean you can have 160 000
persistent server sessions running at one time. The upper limit is 20 000.

Network and VLAN interfaces


You can set up VLAN interfaces across the network interfaces in any arrangement. For
example, on a unit with four network interfaces you could distribute them evenly at 8 per
interface or apply all 32 to one network interface.

Appendix C: SNMP MIB support
The FortiWeb SNMP agent supports the following management information bases (MIBs):

Table 144: FortiWeb MIBs

MIB or RFC                    Description
Fortinet Core MIB             This Fortinet-proprietary MIB enables your SNMP manager to query for
                              system information and to receive traps that are common to multiple
                              Fortinet devices.
FortiWeb MIB                  This Fortinet-proprietary MIB enables your SNMP manager to query for
                              FortiWeb-specific information and to receive FortiWeb-specific traps.
RFC-1213 (MIB II)             The FortiWeb SNMP agent supports MIB II groups, except:
                              • There is no support for the EGP group from MIB II (RFC 1213,
                                sections 3.11 and 6.10).
                              • Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP,
                                and so on) do not accurately capture all FortiWeb traffic activity.
                                More accurate information can be obtained from the information
                                reported by the FortiWeb MIB.
RFC-2665 (Ethernet-like MIB)  The FortiWeb SNMP agent supports Ethernet-like MIB information,
                              except the dot3Tests and dot3Errors groups.

You can obtain these MIB files from the Fortinet Technical Support web site,
https://support.fortinet.com/.
To communicate with your FortiWeb unit’s SNMP agent, you must first compile these MIBs
into your SNMP manager. If the standard MIBs used by the SNMP agent are already
compiled into your SNMP manager, you do not have to compile them again.
To view a trap or query’s name, object identifier (OID), and description, open its MIB file in
a plain text editor.
All traps sent include the message, the FortiWeb unit’s serial number, and host name.
For instructions on how to configure traps and queries, see “Configuring the SNMP agent”
on page 66.
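The appendix says that a trap's or query's name, OID and description can be read by opening the MIB file in a text editor. As an added example (this is not Fortinet code, and the MIB fragment, its object names and the 99999 enterprise arc are constructed placeholders, not values from the real Fortinet Core MIB or FortiWeb MIB), the following Python extracts exactly that information from MIB text and resolves each definition to its dotted numeric OID, which is the form an SNMP manager needs when it filters or routes incoming traps:

```python
import re

# Constructed MIB fragment (not the real Fortinet or FortiWeb MIB): it has the
# ASN.1 shape of the OBJECT IDENTIFIER, OBJECT-TYPE and NOTIFICATION-TYPE
# definitions found in a MIB file. 99999 is a placeholder enterprise arc.
SAMPLE_MIB = """
exampleMib      OBJECT IDENTIFIER ::= { enterprises 99999 }
exampleSystem   OBJECT IDENTIFIER ::= { exampleMib 1 }
exampleTraps    OBJECT IDENTIFIER ::= { exampleMib 2 }

exampleSerialNumber OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Serial number of the device."
    ::= { exampleSystem 1 }

exampleCpuHighTrap NOTIFICATION-TYPE
    OBJECTS     { exampleSerialNumber }
    STATUS      current
    DESCRIPTION
        "Sent when CPU usage exceeds the
         configured threshold."
    ::= { exampleTraps 101 }
"""

# Well-known root that enterprise MIBs hang off: iso.org.dod.internet.private.enterprises.
ROOTS = {"enterprises": "1.3.6.1.4.1"}

# "name OBJECT IDENTIFIER ::= { parent arc }" assignments.
ASSIGN_RE = re.compile(
    r"^(?P<name>[A-Za-z][\w-]*)\s+OBJECT IDENTIFIER\s*::=\s*"
    r"\{\s*(?P<parent>[\w-]+)\s+(?P<arc>\d+)\s*\}", re.M)
# OBJECT-TYPE (query) and NOTIFICATION-TYPE (trap) definitions up to their "::= { parent arc }".
DEF_RE = re.compile(
    r"^(?P<name>[A-Za-z][\w-]*)[ \t]+(?P<kind>OBJECT-TYPE|NOTIFICATION-TYPE)[ \t]*\n"
    r"(?P<body>.*?)::=\s*\{\s*(?P<parent>[\w-]+)\s+(?P<arc>\d+)\s*\}", re.M | re.S)
DESC_RE = re.compile(r'DESCRIPTION\s*"(?P<text>[^"]*)"')


def parse_mib(text):
    """Return (assignments, definitions) parsed from MIB text."""
    assignments = [(m["name"], m["parent"], int(m["arc"])) for m in ASSIGN_RE.finditer(text)]
    definitions = []
    for m in DEF_RE.finditer(text):
        d = DESC_RE.search(m["body"])
        definitions.append({
            "name": m["name"], "kind": m["kind"],
            "parent": m["parent"], "arc": int(m["arc"]),
            # Collapse the multi-line quoted description to one line.
            "description": " ".join(d["text"].split()) if d else "",
        })
    return assignments, definitions


def resolve_oid(name, assignments, definitions, roots=ROOTS):
    """Walk parent links up to a known root and return the dotted numeric OID."""
    parents = {n: (p, a) for n, p, a in assignments}
    parents.update({d["name"]: (d["parent"], d["arc"]) for d in definitions})
    arcs, node = [], name
    while node not in roots:
        if node not in parents:
            raise KeyError(f"unresolved parent: {node}")
        node, arc = parents[node]
        arcs.append(arc)
    return roots[node] + "." + ".".join(str(a) for a in reversed(arcs))


def describe(text):
    """List every query and trap in the MIB text with its kind, numeric OID and description."""
    assignments, definitions = parse_mib(text)
    return [{"name": d["name"], "kind": d["kind"],
             "oid": resolve_oid(d["name"], assignments, definitions),
             "description": d["description"]} for d in definitions]


def traps(text):
    """Only the NOTIFICATION-TYPE entries, i.e. the traps the agent can send."""
    return [e for e in describe(text) if e["kind"] == "NOTIFICATION-TYPE"]


if __name__ == "__main__":
    for e in describe(SAMPLE_MIB):
        print(f'{e["kind"]:18} {e["name"]:22} {e["oid"]:26} {e["description"]}')
```

To use it on a downloaded MIB, read the file into a string and pass it to `describe()`; the resolver only needs the root assignment (here `enterprises`) to be present in the same text or added to `ROOTS`.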

Appendix D: Language support & regular expressions
Languages currently supported by the web-based manager are:
• English
• simplified Chinese
• Japanese
• traditional Chinese
Characters such as ñ, é, symbols, and ideographs are sometimes acceptable input.
Support varies by the nature of the item being configured.
For example, the host name must not contain special characters, and so the web-based
manager and CLI will not accept most symbols and non-ASCII encoded characters as
input when configuring the host name. This means that languages other than English
often are not supported. However, some configuration items, such as names and
comments, may use the language of your choice.
To use other languages in those cases, you must use an encoding that supports it.
Input is stored using Unicode UTF-8 encoding, but is not normalized from other encodings
into UTF-8 before it is stored. If your input method encodes some characters differently
than in UTF-8, your configured items may not display or operate as expected.
Regular expressions are especially impacted. The matching feature uses the UTF-8
character values. If you enter a regular expression using another encoding, or if an HTTP
client sends a request in an encoding other than UTF-8, matches may not be what you
expect.
For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as yen
symbols ( ¥ ) and vice versa. A regular expression intended to match HTTP requests
containing money values with a yen symbol therefore may not work if the symbol is
entered using the wrong encoding.
For best results, you should:
• use UTF-8 encoding, or
• use only the characters whose numerically encoded values are the same in UTF-8,
such as the US-ASCII characters that are also encoded using the same values in
ISO 8859-1, Windows code page 1252, Shift-JIS and other encodings, or
• for regular expressions that must match HTTP requests, use the same encoding as
your HTTP clients

Note: HTTP clients may send requests in encodings other than UTF-8. Encodings usually
vary by the client’s operating system or input language. If you cannot predict the client’s
encoding, only English portions of the request may match, because regardless of the
encoding, the values for English characters tend to be encoded identically. For example,
English words may be legible regardless of interpreting a web page as either ISO 8859-1 or
as GB2312, whereas simplified Chinese characters might only be legible if the page is
interpreted as GB2312.
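The effect described above, as an added example that is not part of the guide and does not model FortiWeb's own matching engine: the same Japanese request body is constructed in UTF-8, Shift-JIS and EUC-JP (sample data, not captured traffic), a byte-level pattern typed in UTF-8 only matches the UTF-8 body, the ASCII-only part of the pattern matches all three, and decoding each body according to its declared Content-Type charset before matching restores consistent results. The `parse_charset` and `normalized_matches` helpers are this example's own.

```python
import re

# Constructed sample (not from the guide): the same Japanese text as an HTTP
# client might send it in three encodings. "100" is the ASCII portion.
TEXT = "価格 100円"
BODIES = {
    "utf-8": TEXT.encode("utf-8"),
    "shift_jis": TEXT.encode("shift_jis"),
    "euc-jp": TEXT.encode("euc_jp"),
}
# The same bodies with the Content-Type header each client would send.
REQUESTS = {
    "utf-8": ("text/plain; charset=utf-8", BODIES["utf-8"]),
    "shift_jis": ("text/plain; charset=Shift_JIS", BODIES["shift_jis"]),
    "euc-jp": ("text/plain; charset=EUC-JP", BODIES["euc-jp"]),
}

# A byte-level pattern as an operator typing in UTF-8 would build it, and an
# ASCII-only pattern whose bytes are identical in all three encodings.
UTF8_PATTERN = re.compile("価格".encode("utf-8"))
ASCII_PATTERN = re.compile(rb"100")


def raw_matches(pattern, bodies):
    """Match the pattern against the raw request bytes, with no decoding."""
    return {name: bool(pattern.search(body)) for name, body in bodies.items()}


def parse_charset(content_type, default="utf-8"):
    """Pull the charset parameter out of a Content-Type value (example helper)."""
    m = re.search(r"charset=([\w-]+)", content_type, re.I)
    return m.group(1) if m else default


def normalized_matches(pattern_text, requests):
    """Decode each body using its declared charset, then match a Unicode pattern."""
    pattern = re.compile(pattern_text)
    result = {}
    for name, (content_type, body) in requests.items():
        # errors="replace" keeps a mislabelled body from raising; it just will not match.
        text = body.decode(parse_charset(content_type), errors="replace")
        result[name] = bool(pattern.search(text))
    return result


if __name__ == "__main__":
    print("raw UTF-8 pattern :", raw_matches(UTF8_PATTERN, BODIES))
    print("raw ASCII pattern :", raw_matches(ASCII_PATTERN, BODIES))
    print("decoded first     :", normalized_matches("価格", REQUESTS))
```

The first call is the situation the appendix warns about: a non-ASCII pattern entered in one encoding silently misses requests sent in another. The second shows why English portions still match. The third is only reliable when clients label their charset correctly, which is why the appendix's advice to use the same encoding as your HTTP clients still applies.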

In order to configure your FortiWeb unit using other encodings, you may need to switch
language settings on your management computer, including for your web browser or
Telnet/SSH client. For instructions on how to configure your management computer’s
operating system language, locale, or input method, see its documentation.

Note: If you choose to configure parts of the FortiWeb unit using non-ASCII characters,
verify that all systems interacting with the FortiWeb unit also support the same encodings.
You should also use the same encoding throughout the configuration if possible in order to
avoid needing to switch the language settings of your web browser or Telnet/SSH client
while you work.

In a similar fashion, your web browser or CLI client should usually interpret display output
as encoded using UTF-8. If it does not, your configured items may not display correctly in
the web-based manager or CLI. Exceptions include items such as regular expressions
that you may have configured using other encodings in order to match the encoding of
HTTP requests that the FortiWeb unit receives.
For information on configuring the display language of the web-based manager, see
“Configuring the web-based manager’s global settings” on page 82.

Appendix E: Ports used by FortiWeb
The following tables list the default port assignments used by FortiWeb.

Table 145: Default ports used by FortiWeb for outgoing traffic

Port number    Port type   Default uses
21             TCP         Web anti-defacement backup (Windows share)
25             TCP         SMTP
53             UDP/TCP     DNS
69             UDP         Back up, restore, update during bootup
123            UDP         NTP synchronization
137, 138, 139  UDP         Web site anti-defacement backup
162            UDP         SNMP traps
389            TCP         LDAP
443            TCP         FDS firmware updates
445            TCP         NTLM, web site anti-defacement backup
514            UDP         Syslog
636            TCP         LDAPS
1812           UDP         RADIUS
5055           UDP         HA heartbeat
5056           UDP         HA configuration synchronization

Table 146: Default ports FortiWeb uses for incoming traffic and listening

Port number    Port type   Default uses
22             TCP         SSH administrative access, CLI access
23             TCP         Telnet administrative access
80             TCP         HTTP administrative access, predefined HTTP service
161            UDP         SNMP queries
443            TCP         HTTPS administrative access, predefined HTTPS service
8333           TCP         FortiWeb conf-sync remote connection

Take care when reassigning ports. Many UDP and TCP port numbers have internationally
recognized IANA port assignments and are commonly associated with specific
applications or protocols.

Index
Symbols
_email, 21
_fortinet_waf_auth, 272
_fqdn, 21
_index, 21
_int, 21
_ipv4, 21
_ipv4/mask, 21
_ipv4mask, 21
_ipv6, 21
_ipv6mask, 21
_name, 21
_pattern, 21
_str, 21
_url, 21
_v4mask, 21
_v6mask, 21

Numerics
301 Moved Permanently, 306
302 Moved Temporarily, 248, 306, 307
401 Authorization Required, 258
401 Unauthorized, 278, 281, 307
403 Forbidden, 192, 248, 273, 288
404 File Not Found, 273, 289
500 Internal Server Error, 278, 281
5055, 65
5056, 65

A
access profile, 77, 78, 80
access protocols, 359
action message format (AMF), 274, 278
actions, 31
Active Directory, 113
active-passive, 61
address resolution protocol (ARP), 64
administrative access, 82
    interface settings, 52
    restricting, 51, 52, 75, 77, 78
administrator
    "admin" account, 387, 390, 392
    password, 77
    trusted host, 77
Adobe Flash, 25
aggregation, 34
AJAX, 163
alert, 167, 168, 187, 188, 192, 270, 272, 287
    false positives, 31
    tuning, 31
alert email, 313, 316
    enabling, 296, 317
algorithm, 176
allow method exception, 237
alphanumeric, 153
anonymous, 111
ANSI, 153
ANSI escape code, 153
anti-defacement, 293, 294
    performance, 367
Apache, 155, 282
    Tomcat, 155, 282
ARP, 377
    packets, 362
ASCII, 401, 402
attack
    count in auto-learning report, 289
    log, 33, 289, 328
    log aggregation, 34
    log search, 341
    protection, 184
    signatures, 101, 360
attacks, 29
Attacks tab, 287
attributes, XML, 170, 172
authentication, 257, 259, 261, 307
    supporting modes, 71
Authorization, 191, 258
auto-learning, 281
    performance, 284, 365
    profile, 278, 279
    reports, 282

B
back up web site, 297
backup, 96, 98, 355
    firmware, 389
    partition, 98
Backup HA unit, 61
Base64, 88
Basic Mode, 306
bind DN, 111
black IP, 221, 292
Block Period, 230
boot interrupt, 391
bootup, 381
bridge, 55, 119, 120, 123
bridge protocol data unit (BPDU), 57
broadcast, 64
browser, 25, 92, 127
brute force login attack, 224
buffer overflow, 170, 252, 306
bypass, 129

C
certificate, 84, 126, 139
    default, 85
    local, 85
    operation modes, 88
    personal, 127
    server, 85
    signing chain, 89, 92, 127
    signing request, 85, 86
    trust, 89, 92, 127
    user, 127
    warning, 92, 127
certificate authority (CA), 86, 88, 90, 92, 95, 96, 127
certificate revocation list (CRL), 90, 95, 127
chain of trust, 127
character data (CDATA), 172
character entity references, 172
Chinese, 83
CIDR, 21
Cisco discovery protocol (CDP), 54
CLI, 42, 45, 75, 78
    commands, 372
    Console widget, 43, 45
    prompt, 45
CLI commands
    debug, 378
    diagnose, 377
    network, 377
    packet, 378
    sniffer, 378
cloaking, 192
clock, 44, 101
cluster, 135
ColdFusion, 205
color code, 153
column view
    logs, 338
command line interface (CLI), 14, 20
command prompt, 45
comma-separated value (CSV), 153, 320, 335
Common Exploits, 204
community, 66, 67, 68
compliance, 299
configure DoS, 70
connectivity, 373
contact information, SNMP, 67
content filter, 363
content routing, 120, 123, 136
    examples, 141
    HTTP, 120, 123, 136
    WSDL, 136
    XPath, 136
Content-Length, 191, 252, 254, 257
Content-Type, 188
conventions, 19
cookie, 121, 189, 191, 271, 272, 276
country code, 153
cp1252, 401
CPU usage, 47, 69
credit card number, 153, 206, 209
cross-site request forgery (CSRF), 198, 204
cross-site scripting (XSS), 101, 102, 201, 204, 209, 274, 278, 306
CSR
    submit, 88
custom robot
    signature, 232
customize dashboard, 42

D
dashboard, 28, 41
    customize, 42
data constraints, 170
data leak, 201, 206
dates, 153
daylight savings time (DST), 100
debug command, 378
decrypt, 126
defacement, web site, 293
default
    administrator account, 80, 387, 390, 392
    route, 105
delete items, 15
denial of service (DoS), 70, 300, 307
deployment mode, 37
DETECT_ALLOW_HOST_FAILED, 125, 150
DETECT_ALLOW_METHOD_FAILED, 272, 277
DETECT_ALLOW_ROBOT, 230
DETECT_ALLOW_ROBOT_GOOGLE, 229
DETECT_ALLOW_ROBOT_MSN, 229
DETECT_ALLOW_ROBOT_YAHOO, 229
DETECT_BLACK_PAGE, 220, 273, 277
DETECT_BRUTE_FORCE_LOGIN, 227, 273
DETECT_MALICIOUS_ROBOT, 230, 273, 277
DETECT_PAGE_RULE_FAILED, 201, 273
DETECT_PARAM_RULE_FAILED, 194, 273, 277
DETECT_RESPONSE_INFORMATION_DISCLOSURE, 205
DETECT_RESPONSE_INFORMATION_disclosure credit card leakage, 206
DETECT_SQL_INJECTION, 204
DETECT_START_PAGE_FAILED, 216, 273
DETECT_URL_ACCESS_ALERT_DENY, 272, 277
DETECT_XSS_ATTACK, 204
diagnose command, 377
Diffie-Hellman exchange, 139
digital certificate requests, 84
distinguished name (DN), 85, 90, 91, 94, 95
DNS server, 59, 318
    test connection, 376
document object model (DOM), 241
document type description (DTD), 171, 172
documentation
    conventions, 19
    Release Notes, 391
domain name
    local, 45, 58, 59
DoS, 70
dotted decimal, 21
down, 51

down time, 66
downgrade, 387
DSA, 88

E
elements, XML, 170, 172
email alert, 296, 317
encoding, 83, 401
encrypt, 126
Enhanced Mode, 306
escape codes, 153
Ethernet, 399
event log, 328
    console, 42
event, SNMP, 69
expected input, 20
extended signature set, 31
external entity attack, 185, 187
external schema reference, 185, 187

F
fail-open, 58
false positive, 31, 206, 207, 254, 311, 328, 336
file size
    limit, 179
files
    extensions, 368
    large, 367
filter
    clear, 339
    icon, 339
    logs, 339
firewall, 360
firmware
    backup, 389
    change, 43
    downgrade, 387
    install, backup firmware image, 389
    restore, 391
    test, 385
    upgrade, 387
    version, 42, 44
Flash, 274, 278
forensic analysis, 328, 336
forgotten password, 76
formatted view, logs, 338
formatting the boot device, 391
FortiAnalyzer, 323, 327
FortiGuard Distribution Network (FDN), 102, 103
FortiGuard Distribution Server (FDS), 103
Fortinet
    Knowledge Base, 18
    Technical Documentation, 18
        comments, 19
        conventions, 19
    Technical Support, 18, 399
    Training Services, 18
FORTIWAFSID, 271, 276
FortiWeb-VM, 397
FTP, 98, 105, 294
    backup, 355
FTP backup, 98
fully qualified domain name (FQDN), 21, 87

G
gateway, 105, 106
GB2312, 401
general entity reference, 172
Google, 282
graphical user interface (GUI), 25
gratuitous ARP, 64
greedy, 330
group ID, 63
group name
    HA, 64

H
HA
    Backup, 61
    group name, 64
    heartbeat interface, 65
    interface monitoring, 65
    Master, 61
    mode setting, 63
        Master, 63
        Slave, 63
        Standalone, 63
    pair, 61
    port monitor, 65
hard disk, 334
    logging to, 325
hardware
    problems, 374
health check, server, 132, 134, 136, 144
heartbeat
    interface, 65
heartbeat, HA, 64
    interface, 65
hexadecimal, 153
high availability (HA), 61, 313
    mode, 43
    status, 43
hit, 289
Host, 125, 147, 148, 149, 191, 242, 246, 250, 269
host name, 42, 45, 399
HTTP, 52, 144, 145
    headers, 147
    port number, 82
HTTP authentication, 257, 259, 261
HTTP Content Routing, 120, 123, 136
HTTP_HEADER_LEN_OVERFLOW, 273
HTTP_HEADER_LINE_LEN_OVERFLOW, 273
HTTPS, 51, 52, 84, 87
    port number, 82
hypertext markup language (HTML), 153

I
ICMP, 52, 56, 58, 399
ICMP ECHO, 144, 320, 322
idle, 83
IEEE 802.1d, 56, 396
IEEE 802.1q, 53, 55, 396
IIS, 155
index number, 21
information disclosure, 366
injection attack, 204, 209
input constraints, 20
input method, 402
installation, 14
interface
    administrative access, 52
    monitoring, HA, 65
interval
    health check, 145
inter-VLAN routing, 53, 55
IP address, 78
IP-based forwarding, 105
ISO 8859-1, 401

J
Japanese, 83
JavaScript, 45, 121, 163, 241

K
key, 176
    file, 175
    management group, 188
key size, certificate, 88
key type, certificate, 87

L
language, 26, 83, 401, 402
    web-based manager, 83
Layer 2, 53, 56, 57
Layer 3, 53
LDAP
    bind, 111
    password, 111
LDAPS, 110
lightweight directory access protocol (LDAP), 258
limit
    file size, 179
    rate, 227
link checker, 227
Linux, 377
load balancing, 120, 123
    algorithm, 136
    deployment mode, 37
    weight, 136
local console access, 45, 78
local domain name, 45, 58, 59
locale, 402
Location, 248, 269, 272
log, 100
    attack log, 328
    column view, 338
    event log, 328
    filter, 339
    formatted view, 338
    level, 314
    message aggregation, 340
    message details, 335
    messages cleared, 356
    packet log details, 336
    raw view, 339
    rotate, 325
    storing, 323
    Syslog, 326
    to memory, 326
    to the hard disk, 325
    traffic log, 329
    types, 314, 327
log details, 336
log filter
    clear, 339
log in
    problems, 379
log level, 314
loop, 56, 57
lost password, 76

M
MAIL TO, 296
management information base (MIB), 66, 399
manager, SNMP, 66, 68, 69, 399
markup, 153
Master HA unit, 61
maximum transmission unit (MTU), 53
maximum values, 397
media access control (MAC) address, 52, 56, 57
memory leak, 306
memory usage, 47, 69
memory, log to, 326
MIB
    RFC 1213, 399
    RFC 2665, 399
Microsoft
    Active Directory, 113
    Excel, 335
    IIS, 154, 155
    Internet Explorer, 25
minimum cost path, 56
mode
    deployment, 37
    HA, 63
    monitor, 38
    offline protection, 71, 119
    reverse proxy, 53, 71, 119
    transparent inspection, 72, 119
    true transparent proxy, 58, 72, 119
monitor mode, 38
Mozilla Firefox, 25
MS Windows, 377
MSN, 282

multicast, 65

N
navigation pane, 284
netmask
    administrator account, 77
network address translation (NAT), 56, 119, 224, 226, 228, 230
network interface
    status, 51
Network Time Protocol (NTP), 100
next-hop router, 105, 106
no-follow, 228
no-index, 228
notification, 293, 296, 317
NT LAN Manager (NTLM), 113, 258

O
object identifier (OID), 399
offline protection mode, 44, 71, 119, 125
    switching from, 35
offloading, 85, 126
one-arm, 129
online certificate status protocol (OCSP), 90, 96, 127
operation mode, 43, 44, 126, 355
    supported features in, 72
    switching, 35, 71
order of execution, 190
oversized payload, 170
Overview tab, 286

P
packet, 336
packet capture, 368
packet command, 378
packet payload, 32, 328
pair, 61
partition, 98, 387, 391
password, 77, 380
    encrypt log files, 335
    forgotten, 76
    LDAP bind, 111
    lost, 80
    plain, 360
    reset, 76, 80
    strong, 358
    weak, 153
pattern, 21
payload, 336
PCI DSS, 206
PDF report, 352
performance, 41, 150, 205, 363
permissions, 77, 78, 80
    access, 372
persistent server sessions, 398
phone number, 153
ping, 52, 56, 58, 144, 320, 322, 374
PKCS #10, 88
PKCS #12, 88
policy
    maximum number, 398
    server, 117
port
    monitor, HA, 65
    number, 26, 65, 69, 82, 120, 124, 125, 126
    numbers, 373
    SNMP, 69
    UDP ports 33434-33534, 376
postal code, 153
power interruption, 58
power on, 381
predefined
    data type, 365
primary heartbeat interface, 65
processing flow, 190
processing instruction (PI), 172
prompt, 46
protocol, 359, 360
proxy, 272

Q
query
    anonymous, 111
    DNS, 58
    report, 349
    SNMP, 66, 69, 399

R
RAID, 74
random access memory (RAM), 47, 326, 332, 334
rapid spanning tree protocol (RSTP), 56
rate limit, 227, 307
raw view, logs, 339
reachable, 105
read & write
    administrator, 103
really simple syndication (RSS), 163
recursive payload, 170
redirect, 246, 248
Referer, 246, 249, 250, 269, 272
regular expression, 21, 151, 154, 156, 196, 198, 200, 209, 215, 220, 226, 232, 234, 239, 250, 328
    GB2312 encoding, 83
    tuning, 31
    validator, 31
Release Notes, 391
remove items, 15
report
    download, 353, 354
    HTML format, 352
    MS Word format, 352
    on demand, 345, 351
    PDF format, 352
    periodically generated, 345
    query, 349
    schedule, 351
    time span, 348
    view, 353
    vulnerability scan, 299, 309

representational state transfer (REST), 188
reset
  password, 80
resolution, 25
retry
  health check, 145
reverse proxy, 44
reverse proxy mode, 44, 53, 71, 119, 125
reverting web site, 297
rewrite, 246
RFC
  1213, 399
  2616, 250
  2617, 257
  2665, 399
robot, 227
root
  folder of a web site, 296
  Schema file, 180
route
  by web service operations, 136, 173
  by XPath, 136
  content, 136
  default, 105
  static, 74, 105
RSA, 88
RTF bookmarks, 153
RTF report, 352
rule violation
  severity, 191

S
scheduling, 100, 164, 165
schema
  compressed, 179
  file, 178
  poisoning attack, 185, 187
  verification, 178
search
  attack log, 341
search engine, 227
secondary heartbeat interface, 65
Secure Shell (SSH), 45, 51, 52, 78, 294
security, 357
sensitive information, 201
sequence of scans, 190
serial number, 44, 399
  certificate, 85, 90, 91, 94, 95
serial port parameters, 381
server, 191, 205
  farm, 119, 135
  health check, 132, 134, 136, 144, 365
  maximum sessions, 398
  protection rules, 201
  status, 132, 134, 136, 144
server farm, 50
  status, 50
session timeout, 124
Session-Id, 277
Set-Cookie, 121
Setup Wizard, 104
severity
  level, 349
  levels, 30
  rule violation, 191
Shift-JIS, 401
signature set, 31
signing chain, 89, 92, 127
simple certificate enrollment protocol (SCEP), 88, 91, 93, 95
simple network management protocol (SNMP), 52, 66, 68, 69
  Agent, 67
  agent, 399
  community, 67
  contact information, 67
  OID, 399
  query, 69
  RFC 1213, 399
  RFC 2665, 399
  system name, 45
simple object access protocol (SOAP), 163
sniffer command, 378
Social Insurance Number (SIN), 153
Social Security Number (SSN), 153
source code disclosure, 306
spanning tree protocol (STP), 56, 57
special characters, 45, 401
spider, 227
SQL
  injection, 102, 188, 201, 204, 209, 274, 278, 306
  injection, blind, 204
  statements, 153
SSL, 13, 38, 85, 100, 110, 126, 139
  certificate, 126, 139
  hardware accelerated, 126
  offload, 126
  on the web servers, 74
Start Learning, 284
STARTTLS, 110, 111
state name, 153
static route, 74, 105
status
  FortiWeb, 41
  server, 132, 134, 136, 144
storing logs, 323
STP, 56
string, 21
subject information, certificate, 86
submit
  CSR, 88
subnet, 52, 55
SYN flood, 70
sync interval, 101
syntax, 20
Syslog, 323, 326
system resource usage, 42
system time, 42, 44, 100

T
TCP, 144
  session timeout, 124
  SYN flood, 70
Telnet, 45, 53, 78, 359
text node, 172
text/xml, 188
TFTP, 385, 392
throughput, 47
time, 44, 100, 153
time to live (TTL), 376
timeout, 124, 306
  health check, 144, 145
  idle, 83
TLS, 126, 139
Tomcat, 155
traceroute, 320, 322, 374, 376
tracert, 377
traffic flow, 379
traffic log, 329
  delay, 333
traffic volume, 47
transparent inspection mode, 44, 72, 119
transport layer security (TLS), 91
trap, 66, 69, 399
  SNMP, 399
triggers, 30
troubleshooting, 369
  bootup, 381
  connectivity, 373
  debug packet flow, 378
  hardware, 374
  packet sniffing, 377
  plan, 371
  resources, 378
  routing table, 377
  Syslog, 320, 322
  traffic flow, 369
true transparent proxy mode, 44, 58, 72, 119
trust IP, 220, 292
trusted client, 221
trusted host, 77, 78, 357, 380
tunneling, 103

U
UDP, 65
UK vehicle registration, 153
Unicode, 401
uniform resource identifier (URI), 153
up, 51
upgrade, 387
uptime, 42
US-ASCII, 45, 401, 402
user authentication
  supporting modes, 71
User-Agent, 191, 227, 232, 234
UTF-8, 83, 401

V
validator, 31
value parse error, 21
VBScript, 153
virtual host, 149
virtual LAN, 53
virtual MAC, 64
virtual network interface, 56, 58
virtual server, 119, 120, 123
VLAN, 50, 53
VLAN trunk, 55
vulnerability scan, 299
  false positive, 311
  preparation, 300
  rate limit, 307
  report, 299, 309
  timeout, 306
v-zone, 55, 119, 120, 123

W
W3C
  SOAP, 163
  WSDL, 181, 183
  XML, 163
  XML encryption, 188
  XML Schema, 172
  XML signatures, 187
web anti-defacement, 367
web browser, 25
web crawler, 227
web proxy, 103
web service definition language (WSDL), 136, 181, 183
  content routing, 120, 123, 173
  file, 181
  scan, 181
  scanning attack, 185, 187
  verification, 187
web traffic, 369
web-based manager
  language, 83
widget, 28, 41
wiki code, 153
wild cards, 21
WSDL
  verification, 187
WVS report
  format, 302
WWW-Authenticate, 258

X
X.509, 88
X-Forwarded-For, 272
XML, 163
  attributes, 170, 172
  decryption, 187, 188
  elements, 170, 172
  encryption, 188
  namespace (XMLNS), 172
  signature, 187, 188
XMLHttpRequest, 163
XPath, 120, 123, 136, 188
  content filter rule, 166, 167, 168
  expression, 138
Y
Yahoo!, 282

Z
ZIP code, 153