FortiWeb™ Web Application Firewall Administration Guide
Version 4.0 MR2
Revision 10
16 June 2011
© Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
Contents
Introduction ... 13
  Scope ... 14
  Workflow ... 14
  Deleting entries ... 15
  Characteristics of XML threats ... 15
  Characteristics of HTTP threats ... 16
  Customer service & technical support ... 18
  Documentation Conventions ... 19
    IP addresses ... 19
    Cautions, Notes, & Tips ... 19
    Typographical conventions ... 19
    Command syntax conventions ... 20
System ... 41
  Viewing system status ... 41
    System Information widget ... 43
      Changing the FortiWeb unit’s host name ... 45
    CLI Console widget ... 45
    System Resources widget ... 47
    Policy Summary widget ... 47
    Attack Log Console widget ... 48
    Event Log Console widget ... 48
    Service Status widget ... 49
    Policy Sessions widget ... 50
  Configuring the network and VLAN interfaces ... 50
    Adding a VLAN subinterface ... 53
    Configuring v-zones (bridges) ... 55
    Configuring fail-open ... 58
  Configuring the DNS settings ... 58
  Synchronizing configurations ... 59
  Configuring high availability (HA) ... 61
    About the heartbeat and synchronization ... 65
  Configuring the SNMP agent ... 66
    Configuring an SNMP community ... 68
  Configuring DoS protection ... 70
  Configuring the operation mode ... 71
  Viewing RAID status ... 74
  Configuring administrator accounts ... 75
    Configuring trusted hosts ... 78
    Configuring access profiles ... 78
    About permissions ... 80
  Configuring the web-based manager’s global settings ... 82
  Managing certificates ... 84
    Managing local and server certificates ... 84
      Generating a certificate signing request ... 86
      Submitting a certificate signing request ... 88
      Uploading a certificate ... 88
    Managing OCSP server certificates ... 90
    Managing CA certificates ... 90
Router ... 105
  Configuring static routes ... 105
Troubleshooting ... 369
  Establish a system baseline ... 369
  Check traffic flow ... 369
  Define the problem ... 370
  Search for a known solution ... 371
    Technical documentation ... 371
    Knowledge Base ... 371
    Fortinet technical discussion forums ... 371
    Fortinet training services online campus ... 371
  Create a troubleshooting plan ... 371
    Check your access ... 372
  Gather system information ... 372
    Check port assignments ... 373
Introduction
Welcome and thank you for selecting Fortinet products for your network protection.
FortiWeb units are designed specifically to protect web servers.
Note: Any reference to a FortiWeb unit also applies to FortiWeb-VM, unless specifically
noted otherwise. Both versions perform the same tasks and you configure them the same
way. Only their installation differs.
The FortiWeb family of web application firewalls provides specialized, layered application
threat protection. FortiWeb’s integrated web application and XML firewalls protect your
web-based applications and internet-facing data from attack and data loss. Using
advanced techniques to provide bidirectional protection against sophisticated threats like
SQL injection and cross-site scripting, FortiWeb helps you prevent identity theft, financial
fraud and corporate espionage. FortiWeb delivers the technology you need to monitor and
enforce government regulations, industry best practices, and internal policies.
FortiWeb significantly reduces deployment costs by consolidating a web application
firewall, XML filtering, web traffic acceleration, and application traffic balancing into a
single device. It drastically reduces the time required to protect your internet-facing data
and eases the challenges associated with policy enforcement and regulatory compliance.
Its intelligent, application-aware, load-balancing engine:
• increases application performance
• improves resource utilization
• improves application stability
• reduces server response times.
In addition to providing application content-based routing and in-depth protection for many
HTTP/HTTPS- and XML-specific attacks, FortiWeb units contain specialized hardware to
accelerate SSL processing, and can thereby enhance both the security and the
performance of connections to your web servers.
This chapter introduces you to the following topics:
• Registering your Fortinet product
• Scope
• Workflow
• Deleting entries
• Characteristics of XML threats
• Characteristics of HTTP threats
• Customer service & technical support
• Documentation
• Documentation Conventions
Registering your Fortinet product
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Fortinet Knowledge Base article Registration Frequently
Asked Questions.
Scope
This document describes how to use the web-based manager of the FortiWeb unit. It
assumes you have already successfully installed the FortiWeb unit by following the
instructions in the FortiWeb Install and Setup Guide.
At this stage:
• The FortiWeb unit is integrated into your network and is powered on.
• You have completed firmware updates, if applicable.
• You configured a port on the FortiWeb unit during installation. You must configure at
least one port to access the web-based manager or CLI. If not, consult the FortiWeb
Install and Setup Guide.
• You have administrative access to the web-based manager through a browser, and
you can log in successfully. If not, consult the FortiWeb Install and Setup Guide.
• You have given the default administrator a password. If not, consult the FortiWeb
Install and Setup Guide or refer to “Configuring administrator accounts” on page 75.
• You have set the operation mode. If not, consult the FortiWeb Install and Setup Guide
or refer to “Configuring the operation mode” on page 71.
• You have configured additional network interfaces. If not, consult the FortiWeb Install
and Setup Guide or refer to “Configuring the network and VLAN interfaces” on
page 50.
• You have configured the system time. If not, consult the FortiWeb Install and Setup
Guide or refer to “Configuring system time” on page 100.
• You have configured the DNS. If not, consult the FortiWeb Install and Setup Guide or
refer to “Configuring the DNS settings” on page 58.
• You have configured a default gateway. If not, consult the FortiWeb Install and Setup
Guide or refer to “Configuring static routes” on page 105.
• You have configured basic logging. If not, consult the FortiWeb Install and Setup Guide
or refer to “Configuring log alert policies” on page 316.
• You have created at least one server policy. If not, consult the FortiWeb Install and
Setup Guide or refer to “Server policy workflow requirements” on page 117.
This document does not cover commands for the command line interface (CLI). For
information on the CLI, see the FortiWeb CLI Reference.
Workflow
There is a logical order to follow during the setup and configuration of your FortiWeb unit.
Make sure you have followed the workflow steps documented in the FortiWeb Install and
Setup Guide. That workflow guides you through installation, setup, and the creation of a
basic system.
This document explains how to develop more comprehensive server policies and other
protection features for your web sites and web servers.
For a first-time FortiWeb user, read the chapter on deployment guidelines before going
further. See “Deployment guidelines” on page 27.
You can find targeted workflow information throughout this guide:
• Look for a workflow topic on the opening page of several chapters.
• Within some chapters, complicated topics also have a workflow section.
• Within feature descriptions, look for a brief tip on recommended workflow.
Server policies provide most of FortiWeb's protection features. When you begin to
expand existing server policies or create new ones, review “Server policy workflow
requirements” on page 117. This topic gives the highest-level workflow. Creating a
server policy involves multiple steps, and you can drill down into the workflow topics in
other chapters for each of them.
Deleting entries
As you configure your FortiWeb unit, you create entries in the tables on tabs accessed by
the menu. The ability to delete entries on any table is limited—you cannot delete or
remove an item that is a component of something else. A few examples are:
• You cannot delete a user on one of the user tabs if that user is a member of a group,
unless you first remove the user from the group.
• You cannot delete a group if that group is used by an authentication rule, unless you
first remove the group from the rule.
• You cannot remove an XML protection schedule item if it is used in the Period option of
a content filter rule, unless you first remove the schedule reference from the rule.
• You cannot delete a web protection parameter validation rule if it is used in an inline
or offline protection profile, unless you first remove the rule reference from the profile.
The Delete icon does not appear next to a table item if the delete operation is not allowed.
Training
Fortinet Training Services provides classes that orient you quickly to your new equipment,
and certifications to verify your knowledge level. Fortinet provides a variety of training
programs to serve the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Fortinet Training
Services web site at http://training.fortinet.com, or email them at training@fortinet.com.
Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Base.
Documentation Conventions
Fortinet technical documentation uses the conventions described in this section.
• IP addresses
• Cautions, Notes, & Tips
• Typographical conventions
• Command syntax conventions
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Cautions, Notes, & Tips
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Note: Presents useful information, usually focused on an alternative, optional method, such
as a shortcut, to perform a step.
Tip: Highlights useful additional information, often tailored to your workplace activity.
Typographical conventions
Fortinet documentation uses the following typographical conventions:
Convention: Button, menu, text box, field, or check box label
Example: From Minimum log level, select Notification.

Convention: CLI input
Example:
  config system dns
    set primary <address_ipv4>
  end

Convention: CLI output
Example:
  FGT-602803030703 # get system settings
  comments : (null)
  opmode : nat

Convention: Emphasis
Example: HTTP connections are not secure and can be intercepted by a third party.

Convention: File content
Example:
  <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
  <BODY><H4>You must authenticate to use this service.</H4>

Convention: Hyperlink
Example: Visit the Fortinet Technical Support web site, https://support.fortinet.com.

Convention: Keyboard entry
Example: Type a name for the remote VPN peer or client, such as Central_Office_1.

Convention: Navigation
Example: Go to VPN > IPSEC > Auto Key (IKE).

Convention: Publication
Example: For details, see the FortiGate Administration Guide.
Command syntax conventions
Convention: Square brackets [ ]
Description: A non-required word or series of words. For example:
  [verbose {1 | 2 | 3}]
indicates that you may either omit or type both the verbose word and its accompanying
option, such as:
  verbose 3
What’s new
The list below contains the new features or major changes in the current v4.2 FortiWeb
release.
IP List Policy - A new method to define source IPs that are trusted (trust IP) and not
trusted (black IP) was added to the Web protection IP List Policy. See “Configuring an IP
list policy” on page 220.
File Upload Restriction - Provides a new web protection technique to specify the exact
file types that are permitted to be uploaded to selected hosts or URLs. See “Configuring
file upload restriction policy” on page 263.
FortiAnalyzer support - FortiWeb now supports storage of log messages remotely on a
FortiAnalyzer unit. See “Configuring FortiAnalyzer policies” on page 321.
Event and Attack Log Console - The system status display now includes an Event Log
console widget and an Attack Log console widget. The Alert console widget was removed.
See “Attack Log Console widget” on page 48 and “Event Log Console widget” on page 48.
Rewrite URLs in HTTP body - URLs in the body of HTTP responses can now be
rewritten, similar to rewriting URLs in HTTP headers. See “Configuring URL rewriting
policy” on page 244.
Allow Request Method - The Allow Method Exceptions feature was changed to the Allow
Request Method. It includes Allow Method Policy and Allow Method Exceptions. See
“Configuring allowed request method policy” on page 235.
HTTP Protocol Constraints Exceptions - HTTP protocol exception settings were added
to HTTP protocol constraints. See “Configuring HTTP protocol constraint profiles” on
page 252.
Severity and trigger policy - Settings for severity level and trigger policy are now
available in all web protection rules, where appropriate. For example, see “Configuring
page access rules” on page 198.
Policy item details link - The ability to view a read-only version of the details for a
specific rule associated with a policy is available, where appropriate, without leaving the
policy view. For example, see Detail link in “Configuring URL access policy” on page 216.
Support for HTTP and HTTPS in same policy - HTTPS service is now configurable in
the same policy as HTTP. See “Configuring server policies” on page 118.
Persistent server session values - The values for persistent server settings in server
policy were updated. See “Configuring server policies” on page 118 and “Appendix B:
Maximum values” on page 397.
Extended signature set granularity - The granularity of extended signature sets is now
selectable, with a range of none (disable), basic, enhanced or full. See “Configuring server
protection rules” on page 201.
Validation of multiple identical parameters in a single request - HTTP validation rules
now validate all instances of multiple identical parameters in a single request. See
“Configuring HTTP parameter validation rules” on page 192.
Cloning custom protection profiles - You can now clone custom protection profiles
and use them as a base for new profiles. See “Configuring inline protection profiles” on
page 268 and “Configuring offline protection profiles” on page 274.
Persistent Server Session Threshold - You can now define a threshold that triggers a
persistent server session event log. See “Enabling logging” on page 327.
Log message download - You can now download a specific range of event, attack or
traffic logs from the FortiWeb hard disk to your local computer. See “Downloading log
messages” on page 343.
Back up and Restore Web Protection Profile - In addition to system configuration files,
you can now back up and restore web protection profiles. See “Backing up and restoring
configurations” on page 96.
FTP configuration backup and schedule - You can now back up configurations to an
FTP server. See “Configuring an FTP backup and schedule” on page 98.
Severity information in log message - A severity level (high, medium, low) was added
to log messages. See “Responding to web protection rule violations” on page 191.
Configuration synchronization - You can synchronize configuration information on the
local FortiWeb unit to a peer (remote) FortiWeb unit, even if the unit is not part of a high-
availability (HA) pair. See “Synchronizing configurations” on page 59.
Signature update without restart - FortiWeb no longer requires a restart and login after a
signature update. See “Uploading signature updates” on page 101.
Brute force login - The GUI has been reorganized and PCRE regular expression
checking was added. See “Configuring brute force login profiles” on page 224.
Custom Application Policy - You can now create application policy plug-ins that
recognize non-standard, customized applications, and modify the URL information so that
an auto-learning profile can work more effectively. See “Configuring custom application
policies” on page 160.
System requirements
The management computer that you use to access the web-based manager must have:
• a compatible web browser, such as Microsoft Internet Explorer 6.0 or greater, or
Mozilla Firefox 3.0 or greater
• Adobe Flash Player 10 or greater plug-in
To minimize scrolling, the computer’s screen should have a resolution that is a minimum of
1280 x 1024 pixels.
Note: If the URL is correct and you still cannot access the web-based manager, you may
also need to configure from which hosts the FortiWeb unit will accept login attempts for your
administrator account (that is, trusted hosts), and/or static routes. For details, see
“Configuring administrator accounts” on page 75 and “Configuring static routes” on
page 105.
Settings
Some settings for the web-based manager apply regardless of which administrator
account you use to log in. Global settings include the idle timeout, TCP port number on
which the web-based manager listens for connection attempts, the network interfaces on
which it listens, the language of its display, and whether or not more than one
administrator can log in simultaneously.
For details, see “Configuring the web-based manager’s global settings” on page 82.
Deployment guidelines
Integrating FortiWeb into your network and configuring it to protect your web assets is not
an overnight process. Nor is it a linear process. Be prepared to roll out FortiWeb in phases
over several weeks with tests and configuration edits part of each stage.
These deployment guidelines apply to each web application you choose to protect with
FortiWeb. That is, for each server you protect with a server policy, go through these
phases. You can deploy multiple applications in sequence or in parallel.
Deployment prerequisites
This chapter assumes you have completed the following steps:
• You have installed and partly configured FortiWeb as described in the FortiWeb Install
and Setup Guide or the FortiWeb-VM Install Guide.
• A basic auto-learning profile is in place. (If not, see “Generating an auto-learning profile
and its components” on page 281).
• You have chosen your final operation mode, one of reverse proxy, true transparent
proxy, or transparent inspection. If you chose offline protection, that is fine for now. You
can switch to your final operation mode later.
• You can access the web-based manager and your administrator account profile has
read and write access to all relevant features. For details, see “About permissions” on
page 80.
Server policy
To begin deployment, you must have at least one active server policy monitoring at least
one real web server. If not, see “Configuring policies” in the FortiWeb Install and Setup
Guide for instructions on creating a basic server policy that you can start with.
The backbone of a FortiWeb unit's web site protection is the server policies that apply to
your web sites and web applications. Here are a few tips to remember as you deploy:
• Change policy settings with care. Any changes take effect immediately.
• When you change a server policy that has already been tested, you should retest it.
• The FortiWeb unit applies rules, policies and data scans in a set order. (See “Order of
execution” on page 190.) Review the logic of your server policies to make sure they
deliver the web protection you expect.
• By the end of your FortiWeb deployment, make sure that all physical web servers are
covered by a policy.
If a server has no associated policy or all policies for it are disabled, FortiWeb will not
monitor traffic to that web server. In reverse proxy mode, FortiWeb will block traffic to
servers without an enabled policy.
Deployment workflow
This chapter takes you through four or five phases, depending on your initial operation
mode. Those phases progress from a bare-bones, untested web server protection
configuration to the end of the deployment period several weeks later.
This chapter includes the following sections:
Do a visual check
Access the FortiWeb web-based manager (see “URL for access” on page 25) and look for
obvious problems.
• If you cannot access the web-based manager or access seems incomplete, your
installation may not be correct. Review the FortiWeb Install and Setup Guide to make
sure you installed the unit correctly. If there is still a problem, see “Troubleshoot
connectivity issues” on page 373.
• Does the web-based manager’s URL, or the text or data on the dashboard, contain odd
characters? If so, you may be using the wrong character set. See “Appendix D:
Language support & regular expressions” on page 401.
• Examine the Service Status widget on the dashboard (go to System > Status > Status),
as shown in Figure 2. Does it list at least one policy and a real server? If not, you have
not created a valid server policy yet and FortiWeb has nothing to work with. Create at
least one server policy before going further. See “Configuring policies” in the FortiWeb
Install and Setup Guide. (Do not be concerned that nothing appears in the Server
Status column at this point. That column applies to servers in server farms.)
• Also examine the Policy Sessions widget on the dashboard. Are there active sessions
related to your policies? If not, it may mean that the policy is not being applied to an
active web resource.
• Examine the Attack Event History. If you have a large number of attacks, it may mean
some aspect of your policy configuration is generating false positives. If you have no
attacks, but you have reasonable levels of traffic, it may mean the protection profile
used by your server policy is incomplete.
• Examine the Attack Log widget. If the list includes many identical entries, it likely
indicates false positives (unless it is a DoS assault). If there are many entries of a
different nature, it likely indicates real attacks. If there are no attack log entries but the
Attack Event History shows attacks, it likely means you have not correctly configured
logging. See “Configuring and enabling logging” on page 323.
• If your server policy includes an auto-learning profile, check that it is gathering data. Go
to Auto Learn > Auto Learn Report and click the Detail icon to see the report. If the
report shows few or zero hits, the profile is not gathering data. (No data could also be a
result of no traffic.)
Stay diligent
Each day, check the dashboard for obvious problems.
Examine the auto-learn report for each server in your system (see “Check your auto-
learning data” on page 29). If an auto-learning profile is returning many URLs that do not
make sense, such as URLs with complex session IDs like this
/app/login.asp;jsessionid=xxx;p1=111;p2=123?p3=5555&p4=66aaaaa
you need to configure a custom application policy and a URL replacer; otherwise such
URLs reduce the value of the auto-learning profile. See “Configuring custom application
policies” on page 160.
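The reason such URLs hurt auto-learning is that every session produces a URL the profile has never seen, so hits never accumulate on the real page. The following script is an added example (not FortiWeb's URL replacer, and not from this guide) of what a URL replacer must do: strip session carriers such as the ";jsessionid=..." matrix parameter and the query string from the path while keeping the parameter names, so that the three constructed login requests below collapse onto one URL. The session-key list and the ASP.NET "(S(...))" path-segment pattern are assumptions chosen for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Added example; the session-identifier names and the ASP.NET cookieless-session
# segment shape below are assumptions, not FortiWeb configuration values.
SESSION_KEYS = {"jsessionid", "phpsessid", "aspsessionid", "sid", "sessionid"}
ASPNET_SESSION_SEGMENT = re.compile(r"^\(S\([0-9a-z]+\)\)$", re.IGNORECASE)


def normalize_url(raw_url):
    """Return (stable_path, parameter_names) for one request URL.

    Matrix parameters (";name=value" appended to a path segment) and the query
    string are removed from the path so that all sessions of one page map to one
    URL. Their parameter names are kept, minus session identifiers, because an
    auto-learning profile still needs to know which parameters the page takes.
    """
    parts = urlsplit(raw_url)
    clean_segments = []
    param_names = set()
    for segment in parts.path.split("/"):
        name, *matrix = segment.split(";")
        if ASPNET_SESSION_SEGMENT.match(name):
            continue  # drop the whole cookieless-session segment
        clean_segments.append(name)
        for item in matrix:
            key = item.split("=", 1)[0].lower()
            if key and key not in SESSION_KEYS:
                param_names.add(key)
    for key, _value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() not in SESSION_KEYS:
            param_names.add(key.lower())
    path = "/".join(clean_segments) or "/"
    return path, sorted(param_names)


def distinct_urls(raw_urls, normalize=True):
    """Count distinct URLs in a batch of requests, raw or after normalization."""
    keys = [normalize_url(u)[0] if normalize else u for u in raw_urls]
    return Counter(keys)


# Constructed requests: three sessions of one login page (the guide's URL shape)
# and two sessions of one ASP.NET page.
SAMPLE_REQUESTS = [
    "/app/login.asp;jsessionid=xxx;p1=111;p2=123?p3=5555&p4=66aaaaa",
    "/app/login.asp;jsessionid=yyy;p1=222;p2=456?p3=7777&p4=66bbbbb",
    "/app/login.asp;jsessionid=zzz;p1=333;p2=789?p3=9999&p4=66ccccc",
    "/app/(S(abc123))/order.aspx?id=7",
    "/app/(S(def456))/order.aspx?id=8",
]

if __name__ == "__main__":
    print("raw URLs seen:       ", len(distinct_urls(SAMPLE_REQUESTS, normalize=False)))
    print("normalized URLs seen:", dict(distinct_urls(SAMPLE_REQUESTS)))
    print(normalize_url(SAMPLE_REQUESTS[0]))
```

Run as-is, five raw URLs become two normalized ones ("/app/login.asp" with parameters p1 to p4, and "/app/order.aspx" with parameter id), which is the shape an auto-learning profile can actually accumulate statistics on.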
Tune up alerts
When you configure protection profiles, many of their components include an action option
that sets the response to a detected violation. Actions also combine with severity levels
and trigger responses, as shown in Figure 6 on page 31.
The available actions vary with the protection feature. See “Responding to web protection
rule violations” on page 191 for a list of all actions and their uses.
When you select certain actions, such as Alert & Deny or Redirect, the auto-learning
feature stops gathering auto-learning data for the applicable connection, resulting in
incomplete session information for the auto-learning profile. During the deployment phase,
you want each connection processed completely.
To get complete connection processing, without having to change all your actions, enable
the Monitor Mode option on each server policy. Go to Server Policy > Server Policy. Edit
each policy and select Monitor Mode. When enabled, this mode treats all actions as if they
were the Alert action.
Alerts show up on the dashboard and may generate email if you configured email policy
for use in triggers. (If you are not getting email, see “Define logs, reports and email alerts”
on page 32.)
Since many of the rules and policies that make up protection profiles are based, at least in
part, on regular expressions or data ranges whose values are hard to predict, many of
your initial alerts will not be real attacks or violations. They will be false positives.
If the dashboard indicates you are getting dozens or hundreds of nearly identical alerts,
you need to search for and fix false positives. Here are some tips:
• Examine your web protection profile (go to Web Protection > Web Protection Profile
and view the settings in the applicable offline or inline protection profile). Does it
include a server protection rule that seems to be causing alerts for valid URLs? If so,
create and use exceptions to reduce false positives. See “Configuring server protection
exceptions” on page 207.
• If your web protection profile includes a server protection rule where the Extended
Signature Set option is set to Full, reduce it to Basic to see if that reduces false
positives. See “Configuring server protection rules” on page 201.
• If your web protection profile includes HTTP protocol constraints that seem to be
causing alerts for legitimate HTTP requests, create and use exceptions to reduce false
positives. See “Configuring HTTP protocol constraint exceptions” on page 254.
• Most dialog boxes that accept regular expressions include the >> (test) icon. This
opens the Regular Expression Validator window, as shown in Figure 8 on page 32,
where you can fine-tune the expression to eliminate false positives.
• To learn more about the behavior of regular expressions that generate alerts, enable
the Retain Packet Payload options in the logging configuration. Packet payloads
provide the actual data that triggered the alert, which may help you to fine-tune your
regular expressions to reduce false positives. See “Enabling logging” on page 327 and
“Viewing log message details” on page 335.
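The tips above amount to a loop: run the signature against the payloads that triggered alerts, classify the hits, then either add an exception for the affected URLs or tighten the expression. The following is an added example of that loop in Python; it is not FortiWeb code and does not use the Regular Expression Validator. The signatures, the exception list and the sample request lines are all constructed for illustration.

```python
"""Check a candidate signature against retained request payloads.

Added example (not part of the FortiWeb product): reproduces the
"test the expression, then add an exception or tighten it" workflow.
Everything below (signatures, exceptions, request lines) is constructed.
"""
import re
from typing import Iterable, List

# Constructed sample of retained request lines. The comments record how an
# analyst classified each one after looking at the payload.
SAMPLE_REQUESTS = [
    "GET /products?id=42 HTTP/1.1",                                # legitimate
    "GET /reports/export?columns=name,email&select=all HTTP/1.1",  # legitimate
    "GET /search?q=union%20square%20cafe HTTP/1.1",                # legitimate
    "GET /item?id=1%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1",  # should alert
    "POST /admin/select-theme HTTP/1.1",                           # legitimate
]

# Constructed, deliberately broad signature: any "select" or "union" substring.
BROAD_SIGNATURE = r"(?i)(select|union)"

# Tightened signature: both keywords in SQL order, separated by whitespace
# written literally, percent-encoded or as "+". No word boundary is used
# because "%20UNION" puts a digit directly before the keyword.
TIGHTENED_SIGNATURE = r"(?i)union(?:\s|%20|\+)+select"

# Constructed exception list: URL path prefixes whose hits are known false positives.
EXCEPTIONS = ["/reports/export", "/admin/select-theme"]


def url_path(request_line: str) -> str:
    """Return the path part of an HTTP request line, without the query string."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    return target.split("?", 1)[0]


def matching_requests(signature: str, requests: Iterable[str]) -> List[str]:
    """Return every request line the signature would alert on."""
    rx = re.compile(signature)
    return [r for r in requests if rx.search(r)]


def apply_exceptions(matches: Iterable[str], exceptions: Iterable[str]) -> List[str]:
    """Drop matches whose URL path starts with an excepted prefix."""
    prefixes = tuple(exceptions)
    return [r for r in matches if not url_path(r).startswith(prefixes)]


def false_positives(signature: str, requests: Iterable[str],
                    legitimate: Iterable[str]) -> List[str]:
    """Matches that the analyst has already classified as legitimate."""
    legit = set(legitimate)
    return [r for r in matching_requests(signature, requests) if r in legit]


if __name__ == "__main__":
    legit = [r for r in SAMPLE_REQUESTS if "UNION%20SELECT" not in r]
    broad_hits = matching_requests(BROAD_SIGNATURE, SAMPLE_REQUESTS)
    print("broad signature alerts on:", broad_hits)
    print("false positives:", false_positives(BROAD_SIGNATURE, SAMPLE_REQUESTS, legit))
    print("after exceptions:", apply_exceptions(broad_hits, EXCEPTIONS))
    print("tightened signature alerts on:",
          matching_requests(TIGHTENED_SIGNATURE, SAMPLE_REQUESTS))
```

Exceptions by URL prefix keep the broad signature in force elsewhere, which is the right choice when only a few known pages trip it; tightening the expression is the right choice when the false positives are spread across many URLs, as the `/search` hit shows.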
Stay diligent
Continue your regular daily checks and expand them.
• Each day, check the dashboard for obvious problems (see “Check dynamic data on the
dashboard” on page 28)
• Continue to examine the auto-learn report for each server in your system (see “Check
your auto-learning data” on page 29).
• Review the attack log.
• Review alerts and fix those that represent false positives.
• Begin monitoring the third-party cookies FortiWeb observes in traffic to your web
servers. When cookies are found, an icon appears on the Server Policy > Policy >
Policy tab for each affected server. If the cookies present a risk, for example because
they are used for state tracking or database input, consider enabling the Cookie
Poison option on the inline protection profiles for those servers. See “Cookie Poison”
on page 272.
• Go to Web Vulnerability Scan > Web Vulnerability Scan > Scan History to locate
vulnerabilities. Click the View scan report icon next to a report. It opens an HTML
report that lists vulnerabilities, as shown in Figure 12 on page 35. If you find a false
positive in the report, click the False Positive button to remove it from the current and
subsequent reports.
• Create XML protection rules and policies to protect against the discovered
vulnerabilities. See “XML protection profile workflow” on page 163.
• Create web protection rules and policies to protect against the discovered
vulnerabilities. See “Web protection profile workflow” on page 189.
Once you have tested for vulnerabilities and set policies to guard against the threats,
move to the next phase.
If you plan to deploy multiple web applications, you can change the operation mode once
you deploy and test all servers and applications in offline protection mode, or change
modes after you deploy just the first one. In that case, the subsequent applications must
be deployed in the new mode.
The fields presented in the dialog vary with the operation mode you select.
• Go to Server Policy > Policy > Policy. Edit your existing server policies to reference the
new inline protection profiles instead of the offline protection profiles. See “Configuring
server policies” on page 118.
Before going any further, let your reconfigured FortiWeb unit run and gather data. Watch
the monitors on the dashboard to make sure traffic is flowing through your unit in the new
mode.
Remain diligent
Each day, check the dashboard for obvious problems (see “Check dynamic data on the
dashboard” on page 28) and examine the auto-learn report for each server in your system
(see “Check your auto-learning data” on page 29).
Review the attack log (go to Log&Report > Log Access > Attack tab) daily to find
vulnerabilities in your system.
Review alerts and fix those that represent false positives.
• If your operation mode is reverse proxy, you can enable SSL to encrypt connections
from the FortiWeb unit to protected web servers. To do so, first download a certificate
(see “Uploading a certificate” on page 88) and then enable the SSL Server and
Certificate options on the server policy.
• Depending on your chosen operation mode, you can add other rules and policies to
your inline protection profiles, such as:
• page access rules (see “Configuring page access rules” on page 198)
• start page rules (see “Configuring start page rules” on page 213)
• brute force login profiles (see “Configuring brute force login profiles” on page 224)
• URL rewriting policy (see “Configuring URL rewriting policy” on page 244)
• Review the list of top candidates for your IP blacklist and add them, as applicable. See
“Viewing the top 10 IP blacklist candidates” on page 223.
Remain diligent
Make sure you locate and solve any problems created by new configuration settings made
in this phase.
Each day, check the dashboard for obvious problems (see “Check dynamic data on the
dashboard” on page 28) and examine the auto-learn report for each server in your system
(see “Check your auto-learning data” on page 29).
Review the attack log (go to Log&Report > Log Access > Attack tab) daily to find
vulnerabilities in your system.
Review alerts and fix those that represent false positives.
System
This chapter describes the System menu. Using its options you can view and configure a
wide variety of system settings.
This chapter includes:
• Viewing system status
• Configuring the network and VLAN interfaces
• Configuring the DNS settings
• Synchronizing configurations
• Configuring high availability (HA)
• Configuring the SNMP agent
• Configuring DoS protection
• Configuring the operation mode
• Viewing RAID status
• Configuring administrator accounts
• Configuring the web-based manager’s global settings
• Managing certificates
• Backing up and restoring configurations
• Configuring an FTP backup and schedule
• Configuring system time
• Uploading signature updates
• Scheduling signature updates
• Accessing the Setup Wizard
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the System Configuration category. For
details, see “About permissions” on page 80.
In the default dashboard setup, widgets display the serial number and current system
status of the FortiWeb unit, including uptime, system resource usage, event log
messages, host name, firmware version, system time, and status of connected web
servers and policy sessions. The dashboard also contains a CLI widget that enables you
to use the command line interface through the web-based manager.
To customize the dashboard, select which widgets to display, where they are located on
the tab, and whether they are minimized or maximized.
To move a widget, position your mouse cursor on the widget’s title bar, then click and drag
the widget to its new location.
To display any of the widgets not currently shown on the Status tab, click Add Content.
Widgets already displayed on the Status tab are grayed out in the Add Content menu,
because the Status tab can show only one copy of each widget.
To display the default set of widgets on the dashboard, select Back to Default.
To see the available options for a widget, position your mouse cursor over the icons in the
widget’s title bar. Options vary slightly from widget to widget, but always include options to
close, minimize or maximize the widget.
ShutDown: Click to halt the operating system of the FortiWeb unit, preparing its hardware
to be powered off.
Reset: Click to revert the configuration of the FortiWeb unit to the default values for its
currently installed firmware version.
Caution: Back up the configuration before selecting Reset. This operation
cannot be undone. Configuration changes made since the last backup will be
lost. For instructions on backing up the configuration, see “Backing up and
restoring configurations” on page 96.
Note: You can also configure the local domain name of the FortiWeb unit. For details, see
“Configuring the DNS settings” on page 58.
Note: The CLI Console widget requires that your web browser support JavaScript.
To use the console, first click within the console area. Doing so automatically logs you in
using the same administrator account you used to access the web-based manager. You
can then type commands into the CLI Console widget. Alternatively, you can copy and
paste commands from or into the console.
Note: The prompt, by default the model number such as FortiWeb-1000B #, contains
the host name of the FortiWeb unit. To change the host name, see “Changing the FortiWeb
unit’s host name” on page 45.
Use external command input box: Select to display a command input field below the
normal console emulation area. When this option is enabled, you can enter commands by
typing them into either the console emulation area or the external command input field.
Console buffer length: Enter the number of lines the console buffer keeps in memory. The
valid range is from 20 to 9999.
Font: Select a font from the list to change the display font of the CLI Console.
Size: Select the size in points of the font. The default size is 10 points.
Event logs help you track system events on your FortiWeb unit such as firmware changes,
and network events such as changes to policies. Each message shows the date and time
that the event occurred. For more information, see “Viewing log messages” on page 331.
Tip: Event log messages can also be delivered by email, Syslog, FortiAnalyzer or SNMP.
For more information, see “Enabling logging” on page 327, “Configuring and enabling
logging” on page 323, and “Configuring the SNMP agent” on page 66.
Server Status: For servers that are part of a server farm, shows the connectivity status.
There may be multiple icons in this column. To determine which real server is
associated with an icon, hover your mouse cursor over the icon. The name of
the real server then appears in a tool tip.
• Green icon: The server health check is currently detecting that the real
server is responsive to connections.
• Flashing yellow-to-red icon: The server health check is currently
detecting that the real server is not responsive to connections. The
method that the FortiWeb unit will use to reroute connections to an
available server varies by your configuration of Deployment Mode.
For information on server health checks, see “Configuring server health
checks” on page 143.
Note: For a single server, there is no associated server health check, and
therefore no icon in this column. To make server health checks for a single
server, instead of configuring the policy with a Deployment Mode of Single
Server, create a server farm and add that real server as the sole member,
then select that server farm in the policy.
Close: Click to hide the widget. It no longer appears on the dashboard unless you
add it again by clicking Add Content.
Refresh: Click to refresh the information displayed on the widget.
Note: When the FortiWeb unit operates in true transparent proxy or transparent inspection
mode and you configured a v-zone (bridge), do not configure any physical network
interfaces other than port1. For details, see “Configuring v-zones (bridges)” on page 55.
Depending on your network topology and other considerations, you may need to configure
one or more of the FortiWeb unit’s other network interfaces to enable the FortiWeb unit to
connect to your network and to the web servers it protects. You can configure each
network interface separately, with its own IP address, netmask, and accepted
administrative access protocols.
Note: You can restrict which IP addresses are permitted to log in as a FortiWeb
administrator through the network interfaces. For details, see “Configuring administrator
accounts” on page 75.
To change settings in this part of the web-based manager, your administrator's account
access profile must have Write permission to items in the Network Configuration category.
For details, see “About permissions” on page 80.
TELNET: Enable to allow Telnet connections to the CLI through this network
interface.
Caution: Telnet connections are not secure, and can be
intercepted by a third party. If possible, enable this option only for
network interfaces connected to a trusted private network, or
directly to your management computer. Failure to restrict
administrative access through this protocol could compromise the
security of your FortiWeb unit.
Description: Type a comment. The comment may be up to 63 characters long.
This field is optional.
4 Click OK.
If you were connected to the web-based manager through this network interface and
you changed the IP, you are now disconnected from it.
5 To access the web-based manager again, in your web browser, modify the URL to
match the new IP address of the network interface. For example, if you configured the
network interface with the IP address 10.10.10.5, you would browse to
https://10.10.10.5.
If the new IP address is on a different subnet than the previous IP address, and your
computer is directly connected to the FortiWeb unit, you may also need to modify the
IP address and subnet of your computer to match the FortiWeb unit’s new IP address.
Note: When the FortiWeb unit operates in either of the transparent modes, VLAN
subinterfaces do not support Cisco discovery protocol (CDP).
4 Click OK.
• you want to deploy FortiWeb between incoming connections and the web server it is
protecting, without changing your IP address scheme or performing routing or network
address translation (NAT)
In that case, do not assign IP addresses to the ports that you will connect to either the
web server or to the overall network. Instead, group the two physical network ports by
adding their associated network interfaces to a bridge.
Bridges on the FortiWeb unit support IEEE 802.1d spanning tree protocol (STP) and,
therefore, do not require that you manually test the bridged network for Layer 2 loops.
Bridges are also capable of electing a root switch and computing a tree on their own that
uses the minimum cost path to the root switch, although you may prefer to do so manually
for design and performance reasons.
Note: If you prefer to disable STP, see the config system v-zone command in the
FortiWeb CLI Reference.
True bridges typically have no IP address of their own. They use only media access
control (MAC) addresses to describe the location of physical ports within the scope of their
network and do network switching at Layer 2 of the OSI model. However, if you require the
ability to use an IP address to use ICMP ECHO requests (ping) to test connectivity with
the physical ports comprising the bridge, you can assign an IP address to the bridge and
thereby create a virtual network interface that will respond.
To configure a bridge in the web-based manager, your administrator's account access
profile must have Read and Write permission to items in the Network Configuration
category. For details, see “About permissions” on page 80.
Interface name: Displays the name and current status (in parentheses) of each network port
that belongs to the bridge, such as port4 (forwarding). Possible states include:
• listening: The port is up and, by using the spanning tree protocol (STP), has
determined that it will participate in forwarding frames. It is receiving bridge
protocol data units (BPDUs) that tell it about its distance from the root
switch, but it is not yet transmitting BPDUs about itself or forwarding frames,
and is not yet learning.
• learning: The port is building a database of media access control (MAC)
addresses of the network nodes that are connected on the Ethernet
network in order to discover which links in the tree are functional. It
continues to receive BPDUs, but now it is also transmitting BPDUs to allow
the spanning tree to learn about its existence in preparation for forwarding.
The time required to learn the spanning tree varies by the size of the
network, but can be many seconds.
• forwarding: Learning is sufficient for the port to be capable of forwarding
frames. It continues to receive and forward BPDUs and update its database
of MAC addresses, and, therefore, may leave this state if STP detects a
topology change that requires this port to, for example, block instead of
forward frames in order to maintain a valid, non-looping tree. This is the
usual state during normal operation.
• disabled: The port was automatically disabled. Its network cable may be
disconnected or the link is otherwise broken. The cause must be corrected
before the port can function in the bridge.
• blocked: The port was automatically disabled in order to prevent a Layer 2
loop in the spanning tree, because its link is redundant with another part of
the tree. It is on standby and could be automatically enabled in failover
scenarios, if the redundant part of the tree fails. If you do not want this port
to remain disabled, you must remove the redundant part of the tree that
causes this port to be blocked.
(No column heading.): Click the Edit icon to view or modify the settings of the bridge. For
details, see “Configuring the network and VLAN interfaces” on page 50.
Configuring fail-open
If your unit supports fail-open, selecting System > Network > Fail-open enables you to
configure fail-to-wire behavior in the event that the FortiWeb unit is shut down, rebooted,
or unexpectedly loses power.
Note: Fail-open is supported only when the FortiWeb unit operates in true transparent
proxy (TTP) mode or transparent inspection (TI) mode, and only for models with a CP7
processor, such as the FortiWeb-1000C and FortiWeb-3000C.
Fail-open is disabled if the FortiWeb unit is configured as a high availability master or
backup.
For FortiWeb units and operation modes that support fail-open, this feature allows
connections to pass through unfiltered when powered off. This may be useful if you are
required by contract to provide uninterrupted connectivity, or if you consider connectivity
interruption to be a greater risk than being open to attack during the power interruption.
Select either:
• PowerOff-Bypass: Behave as a wire when powered off, allowing connections to pass
through, bypassing policy and profile filtering.
• PowerOff-Cutoff: Interrupt connectivity when powered off.
Note: For improved performance, use DNS servers on your local network.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Network Configuration category. For
details, see “About permissions” on page 80.
Synchronizing configurations
System > Config > Config-Synchronization enables you to synchronize the configuration
information on the local FortiWeb unit with a peer (remote) FortiWeb unit. As a result, the
configuration information on the peer FortiWeb unit is updated with that of the local
FortiWeb unit.
This type of configuration synchronization is useful in the following scenario:
• two FortiWeb units are used in an environment where high availability (HA) or load-
balancing is performed by the gateway or the router
• the two FortiWeb units are not part of a high availability (HA) pair, but the units are
required to have the same security policies
Essentially, synchronization relieves you of the need to update policies on two FortiWeb
units whenever policies or settings change. The second unit updates its settings
automatically from the other.
Note: The full synchronization option is not available in the reverse proxy operation mode.
Full synchronization updates all configuration files on the peer FortiWeb unit, except for
the following:
• Network interfaces define the physical connection of the FortiWeb unit to the network
(management IP) and must remain unchanged. For more information, see “Configuring
the network and VLAN interfaces” on page 50.
• Configuration data for administrator accounts, access profiles and administrator
settings must remain unchanged. For more information, see “Configuring administrator
accounts” on page 75.
Partial synchronization updates all configuration files on the peer FortiWeb unit, with the
exception of:
• All configurations on the System menu. For more information, see “System” on
page 41.
• Router > Static configurations. For more information, see “Router” on page 105.
• Server Policy > Policy configurations. For more information, see “Configuring server
policies” on page 118.
• Server Policy > Server configurations. For more information, see “Configuring
servers” on page 129.
• Server Policy > Server Health Check configurations. For more information, see
“Configuring server health checks” on page 143.
• Server Policy > Service configurations. For more information, see “Configuring
services” on page 145.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Network Configuration category. For
details, see “About permissions” on page 80.
Note: If a switch is used to connect the heartbeat interfaces, the heartbeat interfaces must
be reachable by Layer 2 multicast.
For more information on heartbeat and synchronization, see “About the heartbeat and
synchronization” on page 65.
You can have more than one HA pair on the same network as long as each pair has a
different group ID.
Each unit in the HA pair also has an Effective HA mode attribute. This mode defines
whether the HA unit is the main working unit or a backup unit. The main working unit is
responsible for scanning web traffic. The backup unit does not scan web traffic but is
ready to take over if a failure occurs in the main working unit.
The main and backup units synchronize and detect failures by communicating through a
heartbeat interface that connects the two units in the HA pair. Failure is assumed when the
main unit is unresponsive to a heartbeat signal from the backup unit for a configured
amount of time (Detection interval x Heartbeat lost threshold).
If the main working unit fails, the two units in the HA pair switch their effective HA modes:
standby becomes main, and main becomes standby. The IP address carrying web traffic
is transferred automatically to the unit whose effective HA mode is now main.
The master and backup HA modes do not change.
In a failure situation, the amount of time that it takes the backup unit to take over from the
main unit varies by your network’s responsiveness to changeover notification and by your
configuration (ARP packet numbers x ARP packet interval).
Figure 21 shows an example HA network topology with IP address transfer from the main
unit to the backup unit upon failover. In this example, the heartbeat interfaces are
connected with crossover Ethernet cables.
Figure 21: HA topology and failover - Ethernet cable connection for heartbeat
[Diagram: Client, Internet, Firewall, Switch, then the FortiWeb HA pair in front of the web
servers. Master (main) unit: port1 10.0.0.1, port2 192.168.1.1. Backup (standby) unit:
port1, port2. The two units are joined by primary and secondary heartbeat interfaces.
Web Server 1 192.168.1.2/24, Web Server 2 192.168.1.3/24. IP addresses transfer from
the main unit to the backup unit upon failover.]
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the System Configuration category. For
details, see “About permissions” on page 80.
HA synchronize group ID: Enter a number that identifies the HA pair. Both members of the
HA pair must have the same group ID. If you have more than one HA pair on the same
network, each HA pair must have a different group ID.
Changing the group ID changes the cluster’s virtual MAC address.
The default value is 0. The valid range is 0 to 63.
Detection interval: Enter the number of 100-millisecond intervals between each heartbeat
packet that the FortiWeb unit sends to the other FortiWeb unit in the HA pair. This is also
the amount of time that a FortiWeb unit waits before expecting to receive a
heartbeat packet from the other unit.
This part of the configuration is synchronized between the main unit and backup
unit.
The default value is 1 (that is, 100 milliseconds). The valid range is 1 to 20 (that
is, between 100 and 2000 milliseconds).
Note: Although this setting is synchronized between the main unit and the
backup unit, you should initially configure both units with the same Detection
interval to prevent inadvertent failover from occurring before the initial
synchronization.
Heartbeat lost threshold: Enter the number of heartbeat intervals that one of the HA units
retries the heartbeat and waits to receive HA heartbeat packets from the other HA unit
before assuming that the other unit has failed.
This part of the configuration is synchronized between the main unit and backup
unit.
Normally, you do not need to change this setting. Exceptions include:
• Increase the failure detection threshold if a failure is detected when none has
actually occurred. For example, during peak traffic times, if the main unit is
very busy, it might not respond to heartbeat packets in time, and the backup
unit may assume that the main unit has failed.
• Reduce the failure detection threshold or detection interval if administrators
and HTTP clients have to wait too long before being able to connect through
the main unit, resulting in noticeable down time.
The default value is 1. The valid range is from 1 to 60.
Note: Although this setting is synchronized between the main unit and the
backup unit, you should initially configure both units with the same Heartbeat lost
threshold to prevent inadvertent failover from occurring before the initial
synchronization.
ARP packet numbers: Enter the number of times that the FortiWeb unit will broadcast
address resolution protocol (ARP) packets when it takes on the main role in order to notify
the network that a new physical port has become associated with the HA pair IP
address and virtual MAC. This is sometimes called “using gratuitous ARP
packets to train the network,” and can occur when the main unit is starting up, or
during a failover. Also configure ARP packet interval.
Normally, you do not need to change this setting. Exceptions include:
• Increase the number of times the main unit sends gratuitous ARP packets if
your HA pair takes a long time to fail over or to train the network. Sending
more gratuitous ARP packets may help the failover to happen faster.
• Decrease the number of times the main unit sends gratuitous ARP packets if
your HA pair has a large number of VLAN interfaces and virtual domains.
Because gratuitous ARP packets are broadcast, sending gratuitous ARP
packets may generate a large amount of network traffic. As long as the HA
pair still fails over successfully, you could reduce the number of times
gratuitous ARP packets are sent to reduce the amount of traffic produced by a
failover.
The default value is 3. The valid range is 1 to 16.
ARP packet interval: Enter the number of seconds to wait between each time that the
FortiWeb unit broadcasts ARP packets.
Normally, you do not need to change this setting. Exceptions include:
• Decrease the interval if your HA pair takes a long time to fail over or to train
the network. Sending ARP packets more frequently may help the failover to
happen faster.
• Increase the interval if your HA pair has a large number of VLAN interfaces
and virtual domains. Because gratuitous ARP packets are broadcast, sending
gratuitous ARP packets may generate a large amount of network traffic. As
long as the HA pair still fails over successfully, you could increase the interval
between when gratuitous ARP packets are sent to reduce the rate of traffic
produced by a failover.
The default value is 1. The valid range is from 1 to 20.
Port Monitor: Enable to monitor for link failure the network interfaces that correlate directly
to a physical port.
Port monitoring (also called interface monitoring) monitors physical network ports
to verify that they are functioning properly and connected to their networks. If the
physical port fails or becomes disconnected, a failover will occur.
Note: To prevent unintentional failover, do not configure port monitoring until you
have configured HA on both units in the HA pair, and connected the physical
network ports that will be monitored.
Heartbeat Interface: Select the ports on the FortiWeb unit that the main unit and backup
unit will use to send heartbeat signals between each other. The heartbeat interface must be
defined on each unit in the HA pair. Port matching is not necessary.
If enough ports are available, you can select a primary heartbeat interface and a
secondary heartbeat interface on each unit in the HA pair for redundancy.
You cannot use the same port for both the primary and secondary heartbeat
interface on the same unit. Ports that currently have an IP address assigned for
other purposes (that is, virtual servers or bridges) are disabled.
Note: Heartbeat interfaces can be connected through Ethernet crossover cables
or through switches. If a switch is used to connect the heartbeat interfaces, the
heartbeat interfaces must be reachable by Layer 2 multicast.
Note: If an HA pair is not configured, you can still synchronize the configuration between
the local FortiWeb unit and its peers. For more information, see “Synchronizing
configurations” on page 59.
Only the FortiWeb unit currently acting as the main unit (scanning web traffic) is
configured with IP addresses on its network interface. The backup unit will only use the
configured IP addresses if a failover occurs, and the backup unit therefore must assume
the role of the main unit.
Note: Since backup units do not have IP addresses, the backup unit can only be accessed
through the local console. For more information on using the local console’s CLI, see the
FortiWeb CLI Reference.
Heartbeat and synchronization traffic occur over the network interface ports that you have
configured in Heartbeat Interface. Heartbeat and synchronization are performed through
multicast UDP on port numbers 5055 (heartbeat) and 5056 (synchronization). The
multicast IP address 224.0.0.1 is hard-coded, and cannot be configured.
Note: If switches are used to connect heartbeat interfaces between an HA pair, the
heartbeat interfaces must be reachable by Layer 2 multicast.
Failover is triggered by any interruption to either the heartbeat or a port monitored network
interface whose length of time exceeds your configured limits (Detection interval x
Heartbeat lost threshold). While the main unit is unresponsive, the backup unit does the
following:
1 notifies the network, using gratuitous ARP packets, that the IP addresses are now
associated with its virtual MAC address
2 performs the role of the main unit and scans network traffic
The HA units will not change roles when the failed unit resumes responsiveness to the
heartbeat. Instead, a second failover must occur to cause the HA units to change roles
again. You can manually switch over the roles if desired.
Because log messages are not synchronized, after a failover, you may notice that there is
a gap in the master log files that corresponds to the period of its down time. Log files are
stored on the backup during the time when the backup is acting as the main unit
subsequent to a failover.
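The two products quoted above (Detection interval x Heartbeat lost threshold for failure detection, ARP packet numbers x ARP packet interval for network training) decide how long the protected site is unreachable during a failover. The following is an added example, not FortiWeb code, that applies those products to a constructed stream of heartbeat arrival times so the effect of a setting can be checked before it is changed on a unit. The value ranges are the ones the settings table above documents; the heartbeat timestamps, the class and function names are constructed for this example.

```python
"""Model FortiWeb HA failure detection and ARP training timing.

Added example (not part of the FortiWeb product). Heartbeat timestamps
below are constructed; the setting ranges follow the documented limits.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class HaTimers:
    """The four HA timing settings, with their documented defaults."""
    detection_interval: int = 1        # 100 ms units, valid 1..20
    heartbeat_lost_threshold: int = 1  # heartbeat intervals, valid 1..60
    arp_packet_numbers: int = 3        # gratuitous ARP packets, valid 1..16
    arp_packet_interval: int = 1       # seconds between them, valid 1..20

    def __post_init__(self) -> None:
        # Reject values outside the documented ranges before they are used.
        limits = (
            ("detection_interval", self.detection_interval, 1, 20),
            ("heartbeat_lost_threshold", self.heartbeat_lost_threshold, 1, 60),
            ("arp_packet_numbers", self.arp_packet_numbers, 1, 16),
            ("arp_packet_interval", self.arp_packet_interval, 1, 20),
        )
        for name, value, lo, hi in limits:
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside {lo}..{hi}")

    def heartbeat_period_ms(self) -> int:
        """Time between heartbeat packets (and the wait before expecting one)."""
        return self.detection_interval * 100

    def failure_detection_ms(self) -> int:
        """Silence the backup tolerates before it declares the main unit failed."""
        return self.heartbeat_period_ms() * self.heartbeat_lost_threshold

    def arp_training_s(self) -> int:
        """Duration of the gratuitous ARP burst, as the page estimates it."""
        return self.arp_packet_numbers * self.arp_packet_interval

    def estimated_failover_s(self) -> float:
        """Detection time plus network training time, in seconds."""
        return self.failure_detection_ms() / 1000 + self.arp_training_s()


def first_failure_time(heartbeats_ms: Iterable[int], now_ms: int,
                       timers: HaTimers) -> Optional[int]:
    """Return the time at which the backup would first declare the main unit failed.

    A failure is declared when a gap between consecutive heartbeats, or the
    silence between the last heartbeat and now_ms, reaches the detection limit.
    Returns None when no such gap exists (including an empty stream).
    """
    limit = timers.failure_detection_ms()
    previous = None
    for t in sorted(heartbeats_ms) + [now_ms]:
        if previous is not None and t - previous >= limit:
            return previous + limit
        previous = t
    return None


if __name__ == "__main__":
    timers = HaTimers(detection_interval=1, heartbeat_lost_threshold=3)
    # Constructed stream: a busy main unit skips two heartbeats, then resumes.
    beats = [0, 100, 200, 700, 800]
    print("detection limit (ms):", timers.failure_detection_ms())
    print("failure declared at (ms):", first_failure_time(beats, 900, timers))
    print("estimated failover (s):", timers.estimated_failover_s())
```

The third assertion in the test models the peak-traffic case the settings table warns about: a main unit that is merely slow is still declared failed once the gap reaches the limit, which is why the table suggests raising Heartbeat lost threshold rather than Detection interval alone when spurious failovers occur.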
Caution: Failure to configure the SNMP manager as a host in a community to which the
FortiWeb unit belongs, or to supply it with required MIBs, will make the SNMP monitor
unable to query or receive traps from the FortiWeb unit.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the System Configuration category. For
details, see “About permissions” on page 80.
Hosts
IP Address: Enter the IP address of the SNMP manager that, if traps or queries are
enabled in this community:
• will receive traps from the FortiWeb unit
• will be permitted to query the FortiWeb unit
SNMP managers have read-only access.
To allow any IP address using this SNMP community name to query the
FortiWeb unit, enter 0.0.0.0.
Note: Entering 0.0.0.0 effectively disables traps if there are no other host IP
entries, because there is no specific destination for trap packets. If you do not
want to disable traps, you must add at least one other entry that specifies the
IP address of an SNMP manager.
Interface: Select either ANY or the name of the network interface from which the
FortiWeb unit will send traps and reply to queries.
Note: You must select a specific network interface if the SNMP manager is not
on the same subnet as the FortiWeb unit. This can occur if the SNMP
manager is on the Internet or behind a router.
Note: This option only configures which network interface will send SNMP
traffic. To configure which network interface will receive queries, see
“Configuring the network and VLAN interfaces” on page 50.
Delete: Click to remove an SNMP manager from the SNMP community configuration.
Add: Click to add an SNMP manager entry. You can add up to eight SNMP
managers to each community.
Queries: Enter the port number (161 by default) on which the FortiWeb unit listens for
SNMP queries from the SNMP managers in this community, then enable
queries for either or both SNMP v1 and SNMP v2c.
Traps: Enter the port number (162 by default) that will be the source (Local) port
number and destination (Remote) port number for trap packets sent to SNMP
managers in this community, then enable traps for either or both SNMP v1 and
SNMP v2c.
SNMP Event: Enable the types of SNMP traps that you want the FortiWeb unit to send to
the SNMP managers in this community. (See Figure 22 on page 70.)
While most trap events are described by their names, the following events
occur when a threshold has been exceeded:
• CPU Overusage: CPU usage has exceeded 80%.
• Memory Low: Memory (RAM) usage has exceeded 80%.
For more information on supported traps and queries, see “Appendix C:
SNMP MIB support” on page 399.
Caution: Unlike in reverse proxy mode, actions other than Alert cannot be guaranteed to
be successful in offline protection mode. The FortiWeb unit will attempt to block traffic that
violates the policy by mimicking the client or server and requesting to reset the connection.
However, the client or server may receive the reset request after it receives the other traffic
due to possible differences in routing paths.
• True transparent proxy: This proxy traffic is destined for a real server. The FortiWeb
unit applies the first applicable policy. Traffic is received on a network port that belongs
to a Layer 2 bridge, and no changes to the IP address scheme of the network are
required. This mode supports user authentication via HTTP but not HTTPS. This mode
supports a v-zone bridge.
• Transparent inspection: This traffic is destined for a real server. The FortiWeb unit
asynchronously inspects traffic and applies the first applicable policy. The FortiWeb
unit logs or blocks traffic according to the matching policy and its protection profile, but
does not otherwise modify it. (It does not, for example, apply SSL or load-balance
connections.) Similar to offline protection mode, actions other than Alert cannot be
guaranteed to be successful. It is easy to switch between transparent inspection and
true transparent proxy without changing your network topology. This mode does not
support user authentication. This mode supports a v-zone bridge.
The default operation mode is reverse proxy.
Note: The physical topology must match the operation mode. For details, see the FortiWeb
Install and Setup Guide.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the System Configuration category. For
details, see “About permissions” on page 80.
Caution: Back up your system before changing the operation mode. Changing modes
deletes the following: any policies not applicable to the new mode, all static routes, all v-
zone IPs, and all VLAN settings. You may also need to re-cable your network topology to
suit the operation mode.
Figure 25: Configuring the operation mode (true transparent proxy mode)
2 From Operation Mode, select Reverse Proxy, Offline Protection, True Transparent
Proxy or Transparent Inspection.
If you are changing to true transparent proxy or transparent inspection mode, also
enter the gateway and the IP address of port1 (Management IP).
3 Click Apply.
If you have not yet adjusted the physical topology to suit the new operation mode, see
the FortiWeb Install and Setup Guide. You may also need to reconfigure IP addresses,
static routes, bridges, and virtual servers, and enable or disable SSL on your web
servers.
Note: Rebuilding RAID after a disk failure will result in some loss of data in packet logs.
Tip: To prevent multiple administrators from logging in simultaneously, which could allow
them to inadvertently overwrite each other’s changes, enable Security Settings. For details,
see “Configuring the web-based manager’s global settings” on page 82.
If you have not yet created an access profile and are relying on the default profile,
consider first creating one or more access profiles tailored to the responsibilities of the
new administrator accounts. See “Configuring access profiles” on page 78.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.
4 In the Old Password field, enter the current password for the account. (The admin
account does not have an old password initially.)
This field does not appear for other administrator accounts if you are logged in as the
admin administrator.
5 In the New Password and Confirm Password fields, enter the new password.
6 Click OK.
If you change the password for the admin administrator account, the FortiWeb unit logs
you out. To continue using the web-based manager, you must log in. The new
password takes effect the next time that administrator account logs in.
4 Click OK.
About permissions
Depending on the account that you use to log in to the FortiWeb unit, you may not have
complete access to all areas of the web-based manager.
Access profiles control which commands and areas an administrator account can access.
Access profiles assign either read, write, or no access to each area of the FortiWeb
software. To view configurations, you must have read access. To make changes, you must
have write access. For more information on configuring the access profile that an
administrator account uses, see “Configuring access profiles” on page 78.
Table 23, “Administrator access control,” on page 81 identifies the specific commands and
areas of the web-based manager that each type of administrator account can access.
For complete access to all commands and abilities, you must log in with the administrator
account named admin.
Unlike other administrator accounts, the administrator account named admin exists by
default. The admin account cannot be deleted and its name and permissions cannot be
changed. The admin account always has full permission to view and change all FortiWeb
configuration options, including viewing and changing all other administrator accounts. It
is the only administrator account that can reset another administrator’s password without
being required to enter that administrator’s existing password.
Caution: Set a strong password for the admin administrator account, and change the
password regularly. By default, this administrator account has no password. Failure to
maintain the password of the admin administrator account could compromise the security
of your FortiWeb unit.
For a description of the access profiles related to CLI commands, see the FortiWeb CLI
Reference.
Table 23: Administrator access control
Columns (access profile areas): System Configuration, Network Configuration, Router
Configuration, Admin Users, Auth Users, Server Policy Configuration, XML Protection
Configuration, Web Protection Configuration, Autolearn Configuration, Web Anti-Defacement
Configuration, Web Vulnerability Scan Configuration, Log & Report, Maintenance,
admin (default).
Rows (web-based manager areas): System; Status; Network; Interface; V-zone; DNS; Config;
Admin; Administrators; Access Profile; Settings; Certificates; Maintenance; Wizard; Router;
User; Server Policy; XML Protection; Web Protection; Web Protection Profile; Inline
Protection Profile; Offline Protection Profile; Auto Learning Profile; Auto Learn; Web
Anti-Defacement; Web Vulnerability Scan; Log&Report.
[The check marks showing which areas each access profile category can reach did not
survive extraction.]
In Table 23 (above), a black check mark on a white background indicates that the account
can access an individual command. A white check mark on a black background indicates
that the account can access all commands associated with the specified area.
Config-Sync If necessary, change the TCP port number on which the FortiWeb
unit will listen for configuration synchronization requests from the
peer/remote FortiWeb unit. The default is 8333.
For details, see “Synchronizing configurations” on page 59.
Timeout Settings
Idle Timeout Enter the number of minutes that a web-based manager
connection can be idle before the administrator must log in again.
The maximum is 480 minutes (8 hours). To maintain security, keep
the idle timeout at the default value of 5 minutes.
Language
Web Administration Select which language to use when displaying the web-based
manager.
Languages currently supported by the web-based manager are:
• English
• simplified Chinese
• traditional Chinese
• Japanese
The display’s web pages will use UTF-8 encoding, regardless of
which language you choose. UTF-8 supports multiple languages,
and allows them to display correctly, even when multiple
languages are used on the same web page.
For example, your organization could have web sites in both
English and simplified Chinese. Your FortiWeb administrators
prefer to work in the English version of the web-based manager.
They could use the web-based manager in English while writing
rules to match content in both English and simplified Chinese
without changing this setting. Both the rules and the web-based
manager will display correctly, as long as all rules were input using
UTF-8.
Usually, your text input method or your management computer’s
operating system should match the display by also using UTF-8. If
they do not, your input and the web-based manager may not
display correctly at the same time.
For example, your web browser’s or operating system’s default
encoding for simplified Chinese input may be GB2312. However,
you usually should switch it to be UTF-8 when using the web-
based manager, unless you are writing regular expressions that
must match HTTP client’s requests, and those requests use
GB2312 encoding.
For more information on language support in the web-based
manager and CLI, see “Appendix D: Language support & regular
expressions” on page 401.
Note: This setting does not affect the display of the CLI.
Security Settings
Enable Single Admin User login Enable to allow only one administrator account to be logged in at
any given time to prevent conflicts. If a second administrator
attempts to begin a session when another administrator is already
logged in, after the second administrator logs in but before they
can access the web-based manager, they must either cancel their
new session or disconnect the other currently logged-in
administrator.
This option may be useful to prevent administrators from
inadvertently overwriting each other’s changes.
When multiple administrators simultaneously modify the same part
of the configuration, they each edit a copy of the current, saved
state of the configuration. As each administrator makes changes,
FortiWeb does not update the other administrators’ working
copies. Each administrator may therefore make conflicting
changes without being aware of the other. The FortiWeb unit will
only use whichever administrator’s configuration is saved last.
If only one administrator can log in, this problem cannot occur.
Disable to allow multiple administrators to be logged in. In this
case, administrators should communicate with each other to avoid
overwriting each other’s changes.
Enable Strong Passwords Enable to enforce strong password rules for administrator
accounts. If the password entered is not strong enough when a
new administrator account is created, an error message appears
and you are prompted to re-enter a stronger password.
Strong passwords have the following characteristics:
• are between 8 and 16 characters in length
• contain at least one upper case and one lower case letter
• contain at least one numeric
• contain at least one non-alphanumeric character
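The four rules above are easy to get subtly wrong when re-implemented elsewhere (for example in a provisioning script that creates administrator accounts over the CLI), so here is an added example, not FortiWeb code, that encodes exactly the stated rules and reports every rule a candidate password fails rather than stopping at the first. The function names and the sample passwords are constructed for illustration.

```python
"""Checker for the strong-password rules listed in the guide.

Added example, not FortiWeb code. Rule set taken from the text above:
8-16 characters, at least one upper and one lower case letter, at least
one digit, at least one non-alphanumeric character.
"""

MIN_LEN, MAX_LEN = 8, 16


def password_problems(password):
    """Return a list describing every strong-password rule the candidate
    fails. An empty list means the password is acceptable."""
    problems = []
    if not (MIN_LEN <= len(password) <= MAX_LEN):
        problems.append("length must be %d-%d characters" % (MIN_LEN, MAX_LEN))
    if not any(c.isupper() for c in password):
        problems.append("needs at least one upper case letter")
    if not any(c.islower() for c in password):
        problems.append("needs at least one lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one numeric character")
    # "non-alphanumeric" is taken literally: anything that is not a letter or digit.
    if not any(not c.isalnum() for c in password):
        problems.append("needs at least one non-alphanumeric character")
    return problems


def is_strong(password):
    """True when the candidate satisfies all rules."""
    return not password_problems(password)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("Tr0ub4dor&3", "abcdefgh", "Aa1!Aa1!Aa1!Aa1!Aa"):
        print(repr(candidate), password_problems(candidate) or "ok")
```

Reporting all failures at once mirrors what an administrator wants from the "re-enter a stronger password" prompt: one round trip instead of discovering the rules one at a time.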
Managing certificates
The Certificates submenu enables you to generate, import, revoke, and manage other
aspects of certificates used by the FortiWeb unit.
This topic includes:
• Managing local and server certificates
• Managing OCSP server certificates
• Managing CA certificates
• Managing the certificate revocation list
• Configuring certificate verification rules
• For connections to the web-based manager, the FortiWeb unit presents its default
certificate.
Note: The FortiWeb unit’s default certificate does not appear in the list of local certificates.
It is used only for connections to the web-based manager and cannot be removed.
• For SSL off loading or SSL decryption, upload certificates that do not belong to the
FortiWeb unit, but instead belong to the protected servers. Then, select which one the
FortiWeb unit will use when configuring the SSL option in a policy or server farm. For
details, see “Uploading a certificate” on page 88.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.
ID Type Select the type of identifier to use in the certificate to identify the
FortiWeb unit:
• Host IP
• Domain Name
• E-Mail
The type you should select varies by whether or not your
FortiWeb unit has a static IP address, a fully-qualified domain
name (FQDN), and by the primary intended use of the certificate.
For example, if your FortiWeb unit has both a static IP address
and a domain name, but you will primarily use the local certificate
for HTTPS connections to the web-based manager by the domain
name of the FortiWeb unit, you might prefer to generate a
certificate based upon the domain name of the FortiWeb unit,
rather than its IP address.
• Host IP requires that the FortiWeb unit have a static, public IP
address. It may be preferable if clients will be accessing the
FortiWeb unit primarily by its IP address.
• Domain Name requires that the FortiWeb unit have a FQDN. It
may be preferable if clients will be accessing the FortiWeb unit
primarily by its domain name.
• E-Mail does not require either a static IP address or a domain
name. It may be preferable if the FortiWeb unit does not have
a domain name or public IP address.
Depending on your choice, related options appear.
IP Enter the static IP address of the FortiWeb unit.
This option appears only if ID Type is Host IP.
Domain Name Type the FQDN of the FortiWeb unit.
The domain name must resolve to the static IP address of the
FortiWeb unit or protected server. For more information, see
“Configuring the network and VLAN interfaces” on page 50.
This option appears only if ID Type is Domain Name.
e-mail Type the email address of the owner of the FortiWeb unit.
This option appears only if ID Type is E-Mail.
Optional Information Includes information that you may include in the certificate, but
which is not required.
Organization Unit Type the name of your organizational unit, such as the name of
your department. This is optional.
To enter more than one organizational unit name, click the + icon,
and enter each organizational unit separately in each field.
Organization Type the legal name of your organization. This is optional.
Locality(City) Type the name of the city or town where the FortiWeb unit is
located. This is optional.
State/Province Type the name of the state or province where the FortiWeb unit is
located. This is optional.
Country Select the name of the country where the FortiWeb unit is located.
This is optional.
e-mail Type an email address that may be used for contact purposes.
This is optional.
Key Type Displays the type of algorithm used to generate the key.
This option cannot be changed, but appears in order to indicate
that only RSA is currently supported.
Key Size Select a security key size of 512 Bit, 1024 Bit, 1536 Bit or
2048 Bit. Larger keys are slower to generate, but provide better
security.
Enrollment Method Select either:
• File Based: You must manually download and submit the
resulting certificate request file to a certificate authority (CA)
for signing. Once signed, upload the local certificate.
• Online SCEP: The FortiWeb unit will automatically use HTTP
to submit the request to the simple certificate enrollment
protocol (SCEP) server of a CA, which will validate and sign
the certificate. For this selection, two options appear. Enter the
CA Server URL and the Challenge Password.
4 Click OK.
The certificate is generated. If you selected file-based enrollment, you must now
download and manually submit the resulting CSR to a CA. For details, see “Submitting
a certificate signing request” on page 88.
Uploading a certificate
You can upload Base64-encoded server-type X.509 certificates or PKCS #12 RSA-
encrypted certificates and keys to the FortiWeb unit.
Note: DSA-encrypted certificates are not supported if the FortiWeb unit is operating in a
mode other than reverse proxy.
If a local certificate is signed by an intermediate certificate authority (CA) rather than a root
CA, before clients will trust the local certificate, you must demonstrate a link with trusted
root CAs, thereby proving that the local certificate is genuine. You can demonstrate this
chain of trust either by:
• installing each intermediate CA’s certificate in the client’s list of trusted CAs, or
Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded
files may not exceed 12 MB.
To upload a certificate
1 Go to System > Certificates > Local.
2 Click Import.
3 Configure the following:
Key file Click Choose File to locate the key file that you want to upload with the
certificate.
This option is available only if Type is Certificate.
Certificate with key file Click Choose File to locate the PKCS #12 certificate-with-key file that
you want to upload.
This option is available only if Type is PKCS12 Certificate.
Password Enter the password that was used to encrypt the file, enabling the
FortiWeb unit to decrypt and install the certificate.
This option is available only if Type is Certificate or PKCS12 Certificate.
4 Click OK.
To use a certificate, you must select it in a policy or server farm. For details, see
“Configuring server policies” on page 118 or “Grouping physical and domain servers
into server farms” on page 135.
Managing CA certificates
System > Certificates > CA displays and enables you to import certificates for certificate
authorities (CA).
Certificate authorities validate and sign other certificates in order to indicate to third parties
that those other certificates are authentic.
CA certificates are required by connections that use SSL or transport layer security (TLS).
Tip: The FortiWeb unit does not use CA certificates directly. First, you must group them and
then add the group to a certificate verification rule. For details, see “Grouping CA
certificates” on page 91.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.
Grouping CA certificates
System > Certificates > CA Group enables you to group certificate authorities (CA).
CAs must belong to a group in order to be selected in a certificate verification rule. For
details, see “Configuring certificate verification rules” on page 95.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.
Before you can create a CA group, you must upload at least one of the certificate authority
(CA) certificates that you want to add to the group. For details, see “Managing CA
certificates” on page 90.
To add a CA group
1 Go to System > Certificates > CA Group.
2 Click Create New.
3 In Name, type a name for the certificate authority group.
4 Click OK.
5 Click Create New.
6 In ID, enter the index number of the host entry within the group, or keep the field’s
default value of auto to let the FortiWeb unit automatically assign the next available
index number.
7 In CA, select the name of a certificate authority’s certificate that you have previously
uploaded and want to add to the group.
8 Click OK.
9 Repeat the previous 3 steps for each CA that you want to add to the group.
To apply a CA group, select it in a certificate verification rule. For details, see
“Configuring certificate verification rules” on page 95.
For example, a server’s certificate that includes a signing chain might use the following
structure:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the server
certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the certificate of
intermediate CA 1 and whose certificate was signed by a
trusted root CA>
-----END CERTIFICATE-----
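Before uploading a bundle laid out as above, it is worth checking its framing offline; mistakes such as a private key pasted into the chain file, a mismatched BEGIN/END pair, or a bundle over the upload limit are cheap to catch. The following is an added example, not FortiWeb code, that checks the PEM structure of a chain file: every block is well-formed base64, every block is a CERTIFICATE (keys belong in the separate Key file upload), and the file stays under the 12 MB limit the guide states. It does not parse X.509, so subject/issuer ordering is not verified here. The sample bundle is constructed from placeholder bytes, not real certificates.

```python
"""Structural checks on a PEM certificate chain before upload.

Added example, not FortiWeb code. Validates PEM framing, base64 bodies,
block types and the guide's 12 MB upload limit. The constructed sample
blocks below carry placeholder bytes, not real certificates.
"""
import base64
import binascii
import re

MAX_UPLOAD_BYTES = 12 * 1024 * 1024   # total upload limit stated in the guide

_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----(.*?)-----END ([A-Z ]+)-----", re.S)


def parse_pem_bundle(text):
    """Split a PEM bundle into (label, der_bytes) tuples in file order.
    Raises ValueError on mismatched labels, bad base64 or an empty file."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ValueError("BEGIN %s closed by END %s" % (begin, end))
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("%s block has invalid base64" % begin) from exc
        if not der:
            raise ValueError("%s block is empty" % begin)
        blocks.append((begin, der))
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def check_chain_bundle(text):
    """Return the number of certificates when the bundle is acceptable as a
    server certificate plus intermediate chain; raise ValueError otherwise."""
    if len(text.encode("utf-8")) > MAX_UPLOAD_BYTES:
        raise ValueError("bundle exceeds the 12 MB upload limit")
    blocks = parse_pem_bundle(text)
    for label, _ in blocks:
        if "PRIVATE KEY" in label:
            raise ValueError("bundle contains a private key; upload the key separately")
        if label != "CERTIFICATE":
            raise ValueError("unexpected PEM block type: %s" % label)
    return len(blocks)


def _pem(label, payload):
    """Build a PEM block from arbitrary bytes (constructed placeholder data)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed sample bundle in the order shown above: server cert, then CAs.
SAMPLE_CHAIN = (_pem("CERTIFICATE", b"placeholder: server certificate")
                + _pem("CERTIFICATE", b"placeholder: intermediate CA 1")
                + _pem("CERTIFICATE", b"placeholder: intermediate CA 2"))
# The same bundle with a key accidentally appended, which must be rejected.
SAMPLE_WITH_KEY = SAMPLE_CHAIN + _pem("RSA PRIVATE KEY", b"placeholder: key material")

if __name__ == "__main__":
    print("certificates in chain:", check_chain_bundle(SAMPLE_CHAIN))
    try:
        check_chain_bundle(SAMPLE_WITH_KEY)
    except ValueError as err:
        print("rejected:", err)
```

The regular expression deliberately requires matching BEGIN and END labels; a bundle assembled by hand with a stray END line from another file is rejected rather than silently truncated.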
Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded
files may not exceed 12 MB.
To configure the FortiWeb unit to provide the certificates of intermediate CAs when it
presents the server certificate:
1 Install the certificates of the intermediate CAs on the FortiWeb unit.
2 Group them to match the signing chain (see “Grouping certificates for intermediate
CAs” on page 94).
3 Select that group along with the server certificate in the policy (“Configuring server
policies” on page 118).
The FortiWeb unit will present both the server’s certificate and those of the intermediate
CAs when establishing a secure connection with the client.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.
Subject Displays the distinguished name (DN) located in the Subject field of the
certificate.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in an intermediate CA certificate group.
Click the View Certificate Detail icon to view the certificate’s subject, range of
dates within which the certificate is valid, version number, serial number, and
extensions.
Click the Download icon to download the entry in certificate (.cer) file format.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.
7 In CA, select the name of an intermediate CA’s certificate that you have previously
uploaded and want to add to the group.
8 Click OK.
9 Repeat the previous 3 steps for each intermediate CA certificate that you want to add
to the group.
To apply an intermediate CA certificate group, select it in a policy with a server
certificate. For details, see “Configuring server policies” on page 118.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Admin Users category. For details,
see “About permissions” on page 80.
Note: Firmware can be installed, upgraded, changed and rebooted in multiple ways.
Firmware can also be tested before installing it. For information related to Firmware
changes, see “Installing new firmware” on page 385.
Back up the FortiWeb unit's configuration regularly. If you accidentally change something,
the backup can help you restore normal operation quickly and easily. Backups also can
aid in troubleshooting.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Maintenance category. For details,
see “About permissions” on page 80.
Table 35: System > Maintenance > Backup & Restore tab
Backup Type Indicates whether the FTP backup is a full configuration backup (full config) or a CLI
configuration backup (CLI config).
A full config backup includes the CLI configuration file and other uploaded files,
such as certificates, XML schema, and XML WSDL files.
Note: You cannot restore a full config FTP backup using the web-based manager.
Use the execute restore command in the CLI interface.
A CLI config backup only includes the CLI configuration file.
Schedule Type Indicates whether the FTP backup is an immediate backup (Now) or a scheduled
backup (Daily).
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is
currently selected for use.
Click the Edit icon to modify the entry.
FTP User Enter your FTP user name to identify yourself as a registered user of the FTP
server.
This field is visible only if you enable FTP Authentication.
FTP Password Enter your FTP password to authenticate yourself on the FTP server.
This field is visible only if you enable FTP Authentication.
Backup Type Select the type of FTP backup you want to perform.
A full config backup includes the CLI configuration file and other uploaded files,
such as certificates, XML schema, and XML WSDL files.
Note: You cannot restore a full config FTP backup using the web-based manager.
Use the execute restore command in the CLI interface.
A CLI config backup only includes the CLI configuration file.
Schedule Type Select Now to initiate the FTP backup immediately.
Select Daily to schedule a recurring FTP backup for a specific day and time of the
week.
Days Select the specific days when you want the FTP backup to occur.
This field is visible only if you select Daily.
Time Select the specific hour and minute of the day when you want the FTP backup to
occur.
This field is visible only if you select Daily.
5 Click OK.
Note: For many features to work, including scheduling, logging, and SSL-dependent
features, the FortiWeb system time must be accurate.
Note: FortiWeb units support daylight savings time (DST), including recent changes in the
USA, Canada and Western Australia.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Maintenance category. For details,
see “About permissions” on page 80.
2 From Time Zone, select the time zone where the FortiWeb unit is located.
3 Configure the following to either manually configure the system time, or automatically
synchronize the FortiWeb unit’s clock with an NTP server:
4 Click OK.
• SQL injection
• common exploits
Updating signatures ensures that your FortiWeb unit can detect recently discovered
variations of these attacks.
Tip: Alternatively, you can schedule automatic updates. For details, see “Scheduling
signature updates” on page 102.
After restoring the firmware of the FortiWeb unit, you should upload the most current
available attack signatures. Restoring firmware installs the attack signatures that were
current at the time that the firmware image file was made: they may no longer be up-to-
date.
Before you can download signature update files to your management computer, you must
first register your FortiWeb unit with the Fortinet Technical Support web site,
https://support.fortinet.com/, and obtain a valid support contract. Signature update files will
then be available for download when you log in to the Fortinet Technical Support web site.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Maintenance category. For details,
see “About permissions” on page 80.
Note: Once the attack signature update is complete, you can continue using FortiWeb
without restarting the FortiWeb unit.
Tip: Alternatively, you can manually upload update packages. For details, see “Uploading
signature updates” on page 101.
FortiWeb units receive updates from the FortiGuard Distribution Network (FDN). The FDN
is a world-wide network of FortiGuard Distribution Servers (FDS). Unless you override the
setting with a specific FDS address, FortiWeb units connect to the FDN by connecting to
the FDS nearest to the FortiWeb unit by its configured time zone.
Note: If required, the FortiWeb unit can be configured to connect through a web proxy. For
details, see the FortiWeb CLI Reference.
Registration Displays the registration status of the FortiWeb unit with the FortiGuard
Distribution Network (FDN). If it is unregistered, you must click Register
and complete the form on the Fortinet Technical Support web site in
order for the FortiWeb unit to retrieve updates.
FortiWeb Update Service Displays the current update license status, as well as the date, time,
and method of the previous update attempt. If the FortiWeb unit’s attack
signature update license has expired, click Renew to purchase a new
license.
Use override server address Enable to override the default FortiGuard Distribution Server (FDS) to
which the FortiWeb unit connects for updates, then enter the IP address
of the override public or private FDS.
Scheduled Update Enable to perform updates according to a schedule, then select one of
the following as the frequency of update requests.
• Every: Select to request to update once every 1 to 23 hours, then
select the number of hours between each update request.
• Daily: Select to request to update once a day, then select the hour of
the day to check for updates.
• Weekly: Select to request to update once a week, then select the
day of the week, the hour, and the minute of the day to check for
updates.
If you select 00 minutes, the update request occurs at a randomly
determined time within the selected hour.
When the FortiWeb unit requests an update at the scheduled time,
results appear in FortiWeb Update Service in the FortiGuard Information
widget. If event logging is enabled, and the FortiWeb unit cannot
successfully connect, it will record a log with the message update
failed, failed to connect any fds servers!
Router
This chapter describes the Router menu.
Static routes direct traffic that exits the FortiWeb unit—you can specify through which
network interface a packet will leave, and the IP address of a next-hop router that is
reachable from that network interface. The router is aware of which IP addresses are
reachable through various network pathways, and can forward those packets along
pathways capable of reaching the packets’ ultimate destinations.
A default route is a special type of static route. A default route matches all packets, and
defines a gateway router that can receive and route packets if no other, more specific
static route is defined for the packet’s destination IP address.
Note: By default, the FortiWeb unit will forward only HTTP/HTTPS traffic to your protected
real servers. (That is, IP-based forwarding is disabled.) For information on enabling
forwarding of other protocols such as FTP, see the config router setting command
in the FortiWeb CLI Reference.
To access this part of the web-based manager, you must have Read and Write permission
in your administrator's account access profile to items in the Router Configuration
category. For details, see “About permissions” on page 80.
GUI item Description
Create New Click to add a static route.
# Displays the index number of the entry in the list.
IP Displays the destination IP addresses of packets subject to the static route,
where 0.0.0.0 indicates that the route matches all destination IP addresses.
Mask Displays the network mask associated with the IP address, where 0.0.0.0
indicates that the route matches all subnet masks.
Gateway Displays the IP address of the next-hop router where packets subject to the
static route will be forwarded.
Device Displays the name of the network interface through which packets subject to the
static route will egress.
(No column heading.) Click the Delete icon to remove an entry. Click the Edit icon to modify an entry.
Note: User authentication applies only when the FortiWeb unit is operating in reverse proxy
mode, or in true transparent proxy mode that does not use HTTPS.
You can create user groups for each user type or combine several user types in one group
for easy management of user authentication.
This chapter includes the following topics:
• Configuring local users
• Configuring LDAP user queries
• Configuring RADIUS user queries
• Configuring NTLM user queries
• Grouping users
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Auth Users category. For details,
see “About permissions” on page 80.
Table 40: User > Local User > Local User tab
5 Click OK.
Table 41: User > LDAP User > LDAP User tab
Common Name Identifier Displays the common name (CN) attribute, often cn, whose value is the user name.
Distinguished Name Displays the distinguished name (DN) that, when prefixed with the common name, forms the full path in the directory to the user account object.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently a member of a user group.
Click the Edit icon to modify the entry.
Before configuring the query, if you will configure a secure connection, you must upload
the certificate of the CA that signed the LDAP server’s certificate. For details, see
“Managing CA certificates” on page 90.
Bind Type Select one of the following LDAP query binding styles:
• Simple: Bind using the client-supplied password and a bind DN
assembled from the Common Name Identifier, Distinguished
Name, and the client-supplied user name.
• Regular: Bind using a bind DN and password that you configure in
User DN and Password.
• Anonymous: Do not provide a bind DN or password. Instead,
perform the query without authenticating. Select this option only if
the LDAP directory supports anonymous queries.
User DN Type the bind DN, such as cn=FortiWebA,dc=example,dc=com,
of an LDAP user account with permissions to query the Distinguished
Name.
This field may be optional if your LDAP server does not require the
FortiWeb unit to authenticate when performing queries, and does not
appear if Bind Type is Anonymous or Simple.
Password Type the password of the User DN.
This field may be optional if your LDAP server does not require the
FortiWeb unit to authenticate when performing queries, and does not
appear if Bind Type is Anonymous or Simple.
Secure Connection Enable to connect to the LDAP servers using an encrypted
connection, then select the style of the encryption in Protocol.
Protocol Select whether the LDAP query will be secured using LDAPS or
STARTTLS. You may need to reconfigure Server Port to correspond
to the change in protocol.
This option appears only if Secure Connection is enabled.
Test LDAP Click to test that the current settings are correct, and that the FortiWeb
unit can communicate with the LDAP server.
5 Click OK.
Table 42: User > RADIUS User > RADIUS User tab
Server Port Type the port number where the RADIUS server listens.
The default port number is 1812.
Server Secret Enter the RADIUS server secret key for the primary RADIUS server.
The primary server secret key should be a maximum of 16 characters
in length.
Secondary Server IP Type the IP address of the secondary RADIUS server, if applicable.
Secondary Server Port Type the port number where the RADIUS server listens.
The default port number is 1812.
Secondary Server Secret Enter the RADIUS server secret key for the secondary RADIUS server. The secondary server secret key should be a maximum of 16 characters in length.
Authentication Scheme Select Default to authenticate with the default method. The default
authentication scheme uses PAP, MS-CHAP-V2, and CHAP, in that
order.
Select Specify Authentication Protocol to override the default
authentication method, and choose the protocol from the list: MS-
CHAP-V2, CHAP, MS-CHAP, or PAP, depending on what your
RADIUS server needs.
NAS IP Enter the NAS IP address and Called Station ID (for more information
about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific
RADIUS Attributes). If you do not enter an IP address, the IP address
that the FortiWeb unit uses to communicate with the RADIUS server
will be applied.
Test Radius Click to test that the current settings are correct, and that the FortiWeb
unit can communicate with the RADIUS server.
5 Click OK.
Table 43: User > NTLM User > NTLM User tab
5 Click OK.
Grouping users
User > User Group > User Group displays the list of user groups.
The FortiWeb authentication feature uses user groups to authorize HTTP requests. Any
group can include a mixture of local user accounts, LDAP user queries, RADIUS user
queries, and NTLM user queries.
User groups are used indirectly, by selecting them within an authentication rule. Then,
select the rule within an authentication policy, and ultimately select the policy within an
inline protection profile. For details, see “User creation workflow” on page 107.
Tip: Before you can configure a user group, you must first configure one or more users.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Auth Users category. For details,
see “About permissions” on page 80.
Table 44: User > User Group > User Group tab
7 Repeat the previous step for each individual rule that you want to add to the group of
users.
8 If you need to modify an individual rule, click its Edit icon. To remove an individual user
or user query from the group of users, click its Delete icon. To remove all individual
users or user queries from the group of users, click the Clear icon.
9 Click OK.
Server policy
This chapter describes the Server Policy menu and how to use all the features of a server
policy.
This chapter includes the following topics:
• Configuring server policies
• Configuring servers
• Configuring server health checks
• Configuring services
• Configuring protected servers
• Configuring predefined patterns
• Configuring custom patterns
• Configuring custom application policies
When determining the policy to apply to a connection, FortiWeb units will consider the
operation mode:
• Reverse Proxy: Apply the policy whose virtual server and service match the
connection.
• Offline Protection: Apply the policy whose network interface in the virtual server
matches the connection. Do not consider the service or the IP address of the virtual
server.
• True Transparent Proxy: Apply the policy whose v-zone (bridge) matches the
connection. Do not consider the IP address of the bridge.
• Transparent Inspection: Apply the policy whose v-zone bridge matches the
connection. Do not consider the IP address of the bridge.
The FortiWeb unit will apply only one policy to each connection. If an HTTP connection
does not match any of the policies, the FortiWeb unit will block the connection.
Policies are not used while they are disabled, as indicated by “Status” on page 121.
Policy behavior varies with the operation mode.
Note: When you switch the operation mode, policies will be deleted from the configuration
file if they are not applicable in the current operation mode.
Policies can be configured to detect URL-embedded attacks that are obfuscated using
recursive URL encoding (that is, multiple levels of URL encoding). For more information,
see the circulate-url-decode option of the config server-policy policy
command in the FortiWeb CLI Reference.
To access this part of the web-based manager, your administrator's account access profile
must have Read permission to items in the Server Policy Configuration category. For
details, see “About permissions” on page 80.
Status Indicates whether or not a policy will be used when evaluating traffic for a
matching policy.
• Green icon: The policy will be used when evaluating traffic for a
matching policy.
• Flashing yellow-to-red icon: The policy will not be used when evaluating
traffic for a matching policy.
To be used, a policy’s Enable option must be marked.
(No column heading.) Click the Edit icon to modify the entry. For details, see “Configuring server
policies” on page 118.
Click the Delete icon to remove the entry. Policies may be automatically
deleted if you switch the Operation Mode and the policy’s type is not
supported by the new mode.
Caution: Deleting a policy also removes any auto-learning data it has
gathered using an auto-learning profile. To retain this data, instead either
deselect the auto-learning profile in the policy, or disable the policy. For
details, see “Enabling or disabling a policy” on page 128.
When available, click the View Cookies icon to display cookies that have
been observed in reply traffic from the server managed by this policy.
This icon appears only after cookies have been observed in the
Set-Cookie: HTTP header, and does not appear for cookies that may
have been set using client-side JavaScript.
Based upon whether or not the content of the cookies is sensitive, such as if
they are used for state tracking or database input, you may want to enable
Cookie Poison in the policy’s inline protection profile. For details, see
“Cookie Poison” on page 269.
Note: Available options vary by the operation mode and the deployment mode of the
FortiWeb unit.
Virtual Server, Data Capture Port or V-zone Select the name of a virtual server, data capture port or v-zone (bridge).
The name and use of this option varies by operating mode:
• Reverse proxy mode: Virtual Server identifies the IP address and network interface of incoming traffic that will be routed and to which the policy will apply a profile.
• Offline protection mode: Data Capture Port identifies the network interface of incoming traffic to which the policy will attempt to apply a profile. The IP address of the virtual server will be ignored.
• Either of the transparent modes: V-zone (bridge) indicates the incoming traffic to which the policy will apply a profile.
Alternatively, you can select the Create New menu option to add a virtual server in a pop-up window, without leaving the current page. For details, see “Configuring virtual servers” on page 129 or “Configuring v-zones (bridges)” on page 55.
Deployment Mode Select the method of distribution that the FortiWeb unit will use when
forwarding connections accepted by this policy.
• Single Server: Forward connections to a single physical server or
domain server. This option is available only if the FortiWeb unit is
operating in reverse proxy mode.
• Server Balance: Use a load-balancing algorithm when distributing
connections amongst the real servers in a server farm. If a real
server is unresponsive to the server health check, the FortiWeb unit
forwards subsequent connections to another real server in the
server farm. Also configure Load Balancing Algorithm, Persistence
Timeout, Server Health Check, and Server Farm. This option is
available only if the FortiWeb unit is operating in reverse proxy
mode.
• HTTP Content Routing: Use HTTP content routing to route HTTP
requests to a specific real server in a server farm by specifying the
host or URL and the request file.
• XPath Content Routing: Use content routing rules defined as XPath
expressions in the server farm configuration when distributing
connections amongst the real servers in a server farm. If a real
server is unresponsive to the server health check, or if a request
does not match the XPath expression, the FortiWeb unit forwards
connections to the first real server in the server farm. Also configure
Server Health Check and Server Farm. This option is available only
if the FortiWeb unit is operating in reverse proxy mode and Policy
Type is XML Protection.
• WSDL Content Routing: Use WSDL content routing rules defined in
the server farm configuration when distributing connections amongst
the real servers in a server farm. If a real server is unresponsive to
the server health check, or if a request does not match the WSDL
content routing rules, the FortiWeb unit forwards connections to the
first real server in the server farm. Also configure Server Health
Check and Server Farm. This option is available only if the FortiWeb
unit is operating in reverse proxy mode and Policy Type is XML
Protection.
• Offline Protection: Allow connections to pass through the FortiWeb
unit, and apply an offline protection profile. Also configure Server
Health Check and Server Farm. This option is available only if the
FortiWeb unit is operating in offline protection mode.
• Transparent Servers: Allow connections to pass through the
FortiWeb unit, and apply a protection profile. Also configure Server
Farm. This option is available only if the FortiWeb unit is operating in
either of the transparent modes.
Depending on the types of network topologies that the current operation
mode supports, not all deployment modes may be available. For details,
see Table 45 on page 119.
Server Type If you select Single Server as the deployment mode, you must select
either a Physical Server or Domain Server. For details, see “Configuring
physical servers” on page 131 and “Configuring domain servers” on
page 133.
Physical Server Select the physical server to which to forward connections, or select
Create New to configure a new physical server in a pop-up window,
without leaving the current page. This option appears only when
selected as a server type. For details, see “Configuring physical
servers” on page 131.
Domain Server Select the domain server to which to forward connections, or select
Create New to configure a new domain server in a pop-up window,
without leaving the current page. This option appears only when
selected as a server type. For details, see “Configuring domain servers”
on page 133.
Server's Port Enter the TCP port number where the physical/domain server listens for
web or web services connections, depending on whether you have
selected a web protection profile or an XML protection profile,
respectively. This option appears only when Server Type is visible.
This option appears only if Deployment Mode is Single Server.
Load Balancing Algorithm Select the load-balancing algorithm to use when distributing new connections amongst real servers in the server farm. This option appears only if Deployment Mode is Server Balance.
• Round Robin: Distributes new connections to the next real server in
the server farm, regardless of weight, response time, traffic load, or
number of existing connections. Unresponsive servers are avoided.
• Weighted Round Robin: Distributes new connections using the
round robin method, except that real servers with a higher weight
value will receive a larger percentage of connections.
• Least Connection: Distributes new connections to the real server
with the fewest number of existing, fully-formed connections.
• HTTP session based Round Robin: Distributes new connections, if
they are not associated with an existing HTTP session, to the next
real server in the server farm, regardless of weight, response time,
traffic load, or number of existing connections. Unresponsive servers
are avoided. Session management is enabled automatically when
you enable this feature, and it therefore does not require that you
enable Session Management in the web protection profile. This
option is available only if Policy Type is Web Protection.
Persistence Timeout Enter the timeout for inactive TCP sessions.
This option appears only if Deployment Mode is Server Balance or
Transparent Servers.
Server Health Check Select the server health check to use when determining responsiveness
of real servers in the server farm, or select Create New to add a server
health check in a pop-up window, without leaving the current page. For
details, see “Configuring server health checks” on page 143.
This option appears only if Deployment Mode is Server Balance,
Content Routing, or WSDL Content Routing.
Note: If a real server is unresponsive, wait until the server becomes
responsive again before disabling its server health check. Server health
checks record the up or down status of the server. If you deactivate the
server health check while the server is unresponsive, the server health
check will be unable to update the recorded status, and the FortiWeb unit
will continue to regard the real server as if it were unresponsive. You
can determine the real server’s connectivity status using the Service
Status widget or an SNMP trap. For details, see “Service Status widget”
on page 49 or “Configuring an SNMP community” on page 68.
Server Farm Select the server farm whose real servers will receive the connections.
For details, see “Grouping physical and domain servers into server
farms” on page 135.
This option appears only if Deployment Mode is Server Balance, HTTP
Content Routing, WSDL Content Routing, Offline Protection, or
Transparent Servers.
Note: If Deployment Mode is Offline Protection or Transparent Servers,
you must select a server farm, even though the FortiWeb unit will allow
connections to pass through instead of actively distributing connections.
Therefore, if you want to govern connections for only a single real
server, rather than a group of servers, you must configure a server farm
with that single real server as its only member in order to select it in the
policy.
Protected Servers Select a protected servers group to allow or reject connections based
upon whether the Host: field in the HTTP header is empty or does or
does not match the protected hosts group. For details, see “Configuring
protected servers” on page 147.
If you do not select a protected servers group, connections will be
accepted or blocked based upon other criteria in the policy or protection
profile, but regardless of the Host: field in the HTTP header.
Attack log messages contain DETECT_ALLOW_HOST_FAILED when
this feature does not detect an allowed protected host name.
Note: Unlike HTTP 1.1, HTTP 1.0 does not require the Host: field.
The FortiWeb unit will not block HTTP 1.0 requests for lacking this field,
regardless of whether or not you have selected a protected servers
group.
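As an added illustration, not FortiWeb's own code, the following Go function models the Host: rule described above: with no protected servers group selected the header is ignored, an HTTP 1.0 request is never blocked for lacking it, and any other miss is blocked with the DETECT_ALLOW_HOST_FAILED marker. The group is modelled as a list of host names, the request parser is a minimal one written for this example, and case-insensitive host comparison is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// ProtectedHosts is a constructed stand-in for a FortiWeb "protected servers"
// group. A nil or empty group means no group is selected in the policy.
type ProtectedHosts []string

// Decision is the outcome for one request: whether it passes the Host: check
// and the attack-log marker, if any, that the guide says the log contains.
type Decision struct {
	Allowed bool
	LogMark string // "DETECT_ALLOW_HOST_FAILED" on a failed check, else ""
}

// parsedRequest keeps only what the check needs from a raw HTTP request.
type parsedRequest struct {
	major, minor int
	host         string
	hasHost      bool
}

// parseRequest reads the request line and headers of a raw request. It is a
// minimal parser written for this example, not FortiWeb's own.
func parseRequest(raw string) (parsedRequest, error) {
	var pr parsedRequest
	lines := strings.Split(strings.ReplaceAll(raw, "\r\n", "\n"), "\n")
	parts := strings.Fields(lines[0])
	if len(parts) != 3 {
		return pr, fmt.Errorf("malformed request line: %q", lines[0])
	}
	if _, err := fmt.Sscanf(parts[2], "HTTP/%d.%d", &pr.major, &pr.minor); err != nil {
		return pr, fmt.Errorf("malformed HTTP version: %q", parts[2])
	}
	for _, l := range lines[1:] {
		if l == "" {
			break // a blank line ends the headers
		}
		name, value, ok := strings.Cut(l, ":")
		if !ok {
			return pr, fmt.Errorf("malformed header line: %q", l)
		}
		if strings.EqualFold(strings.TrimSpace(name), "Host") {
			pr.hasHost = true
			pr.host = strings.TrimSpace(value)
		}
	}
	return pr, nil
}

// CheckHost applies the policy's Protected Servers rule as the guide describes
// it: with no group selected the Host: field is ignored; otherwise the request
// is allowed only when Host: is present and names a protected host, except
// that an HTTP 1.0 request is never blocked merely for lacking the field.
func CheckHost(raw string, group ProtectedHosts) (Decision, error) {
	pr, err := parseRequest(raw)
	if err != nil {
		return Decision{}, err
	}
	if len(group) == 0 {
		return Decision{Allowed: true}, nil // other policy criteria decide
	}
	if !pr.hasHost && pr.major == 1 && pr.minor == 0 {
		return Decision{Allowed: true}, nil // HTTP 1.0 does not require Host:
	}
	if pr.host != "" {
		for _, h := range group {
			// Host names are compared case-insensitively (an assumption here).
			if strings.EqualFold(h, pr.host) {
				return Decision{Allowed: true}, nil
			}
		}
	}
	return Decision{Allowed: false, LogMark: "DETECT_ALLOW_HOST_FAILED"}, nil
}

func main() {
	group := ProtectedHosts{"www.example.com"} // constructed group
	for _, raw := range []string{
		"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
		"GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n",
		"GET / HTTP/1.1\r\n\r\n",
		"GET / HTTP/1.0\r\n\r\n",
	} {
		d, err := CheckHost(raw, group)
		fmt.Printf("%q -> allowed=%v log=%q err=%v\n",
			strings.SplitN(raw, "\r\n", 2)[0], d.Allowed, d.LogMark, err)
	}
}
```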
Web Protection Profile or XML Protection Profile The name of this drop-down list varies by your selection in Policy Type. Select the profile to apply to the connections accepted by this policy, or select Create New to add a new profile in a pop-up window, without leaving the current page.
If you want to view the details of a profile, select the profile from the list and click View Profile Details. A protection profile details window opens. To return to the policy settings, click Back to Policy Settings.
For details on specific protection profiles, see “Configuring XML
protection profiles” on page 184, “Configuring inline protection profiles”
on page 268 or “Configuring offline protection profiles” on page 274.
Note: Depending on the profile types that the current operation mode
supports, not all profiles may be available. For details, see Table 45 on
page 119.
• XML protection profiles apply to reverse proxy mode only.
• Offline protection profiles apply to offline protection mode only.
• Inline protection profiles apply to any mode except offline protection.
Note: Clients with source IP addresses designated as a trusted IP are
exempt from being blocked by the protection profile. For details, see
“Configuring an IP list policy” on page 220.
WAF Auto Learning Profile Select the auto-learning profile, if any, to use in order to discover attacks, URLs, and parameters in your web servers’ HTTP sessions, or
select Create New to add a new auto-learning profile in a pop-up
window, without leaving the current page. For details, see “Applying
auto-learning profiles” on page 278.
Data gathered using an auto-learning profile can be viewed in an auto-
learning report, and used to generate profiles. For details, see “Auto
learn” on page 281.
HTTP Service Select the custom or predefined service that defines the TCP port
number where the virtual server or bridge receives traffic, or select
Create New to create a new service in a pop-up window, without leaving the
current page. For details, see “Configuring services” on page 145.
This option does not apply to true transparent proxy or transparent
inspection modes.
Note: This option only defines the port number. It does not specify
SSL/TLS. For example, it is possible to configure a web server to listen
on the well-known port number for HTTP (port 80), yet use SSL
(HTTPS). To specify SSL/TLS, see HTTPS Service.
HTTPS Service Select the custom or predefined service that defines the TCP port
number where the virtual server or bridge receives traffic, or select
Create New to create a new service in a pop-up window, without leaving
the current page. For details, see “Configuring services” on page 145.
Enable if connections from HTTP clients to the FortiWeb unit or
protected hosts use SSL. Also configure Certificate.
FortiWeb units contain specialized hardware to accelerate SSL
processing. Offloading SSL processing may improve the performance of
secure HTTP (HTTPS) connections.
SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
The FortiWeb unit handles SSL negotiations and encryption and decryption
instead of the real servers, which is known as SSL offloading.
Connections between the client and the FortiWeb unit will be encrypted.
Connections between the FortiWeb unit and each web server will be
clear text or encrypted, depending on SSL Server.
This option appears only if the FortiWeb unit is operating in reverse
proxy mode.
Note: If the FortiWeb unit is operating in offline protection mode or
either of the transparent modes, you must enable SSL in the server
farm instead.
Caution: If the connection uses SSL, you must enable either this option or SSL in
the server farm. Failure to enable an SSL option and provide a certificate for
HTTPS connections will result in the FortiWeb unit being unable to decrypt
connections, and therefore unable to scan HTML or XML content.
Blocking Port Choose the specific blocking port interface (that is, port1, port2, and so
on) where TCP reset packets are sent.
This option appears only if the FortiWeb unit is operating in offline
protection mode.
Certificate Select the server certificate the FortiWeb unit will use when encrypting
or decrypting SSL-secured connections, or select Create New to upload
a new certificate in a pop-up window, without leaving the current page.
For more information, see “Uploading a certificate” on page 88.
This option appears only if HTTPS Service is enabled.
Certificate Verification Select the name of a certificate verifier, if any, to use when an HTTP client presents their personal certificate. (If you do not select one, the client is not required to present a personal certificate.)
If the client presents an invalid certificate, the FortiWeb unit will not
allow the connection.
To be valid, a client certificate must:
• not be expired
• not be revoked by either certificate revocation list (CRL) or, if
enabled, online certificate status protocol (OCSP) (see “Configuring
certificate verification rules” on page 95)
• be signed by a certificate authority (CA) whose certificate you have
imported into the FortiWeb unit (see “Managing CA certificates” on
page 90); if the certificate has been signed by a chain of
intermediate CAs, those certificates must be included in an
intermediate CA group (see Certificate Intermediate Group)
• contain a CA field whose value matches the CA certificate
• contain an Issuer field whose value matches the Subject field in
the CA certificate
Personal certificates, sometimes also called user certificates, establish
the identity of the person connecting to the web site.
You can require that clients present a certificate alternatively or in
addition to HTTP authentication. For more information, see “Configuring
authentication policy” on page 257.
This option appears only if HTTPS Service is enabled, and only applies
if the FortiWeb unit is operating in reverse proxy mode. SSL 3.0 or TLS
1.0 is required.
Note: If the connection fails when you have selected a certificate
verifier, verify that the certificate meets the web browser’s requirements.
Web browsers may have their own certificate validation requirements in
addition to FortiWeb's requirements. For example, personal certificates
for client authentication may be required to either:
• not be restricted in usage/purpose by the CA, or
• contain a Key Usage field that contains a Digital Signature or
have an ExtendedKeyUsage or EnhancedKeyUsage field whose
value contains Client Authentication
If the certificate does not satisfy browser requirements, although it may
be installed in the browser, when the FortiWeb unit requests the client’s
certificate, the browser may not present a certificate selection dialog to
the user, or the dialog may not contain that certificate. In that case,
verification will fail.
For browser requirements, see your web browser’s documentation.
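The validity conditions listed above (not expired, Issuer matching the imported CA's Subject, signed by that CA, and the browser-side usage requirement) as an added Go example rather than FortiWeb's own logic; the CA and client certificates are constructed in memory for the example, and revocation is left out because CRL or OCSP lookups need an external source.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a constructed self-signed CA, standing in for the CA certificate
// an administrator imports into the FortiWeb unit.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClient signs a personal (client) certificate with the CA; ku and eku set
// the usage extensions so that the usage condition can be exercised.
func issueClient(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string,
	notAfter time.Time, ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     ku,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// usableForClientAuth is the browser-side condition the guide lists: the certificate
// is unrestricted (no usage extensions at all), or its Key Usage includes Digital
// Signature, or its Extended Key Usage includes Client Authentication.
func usableForClientAuth(c *x509.Certificate) bool {
	if c.KeyUsage == 0 && len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return true
	}
	if c.KeyUsage&x509.KeyUsageDigitalSignature != 0 {
		return true
	}
	for _, u := range c.ExtKeyUsage {
		if u == x509.ExtKeyUsageClientAuth {
			return true
		}
	}
	return false
}

// VerifyClientCert applies the guide's validity conditions: Issuer equals the
// imported CA's Subject, the chain verifies to that CA within its validity period
// at now, and the usage condition holds. Revocation (CRL/OCSP) is not checked here.
func VerifyClientCert(client, ca *x509.Certificate, now time.Time) error {
	if !bytes.Equal(client.RawIssuer, ca.RawSubject) {
		return errors.New("Issuer does not match the Subject of the imported CA")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// ExtKeyUsageAny limits this step to signature and dates; usage is checked below.
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("chain or validity check failed: %w", err)
	}
	if !usableForClientAuth(client) {
		return errors.New("certificate is restricted to a purpose other than client authentication")
	}
	return nil
}
```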
Certificate Intermediate Group Select the name of a group of intermediate certificate authority (CA) certificates, if any, that will be presented to clients in order for them to validate the server certificate’s CA signature.
This can prevent clients from getting certificate warnings when the
server certificate configured in Certificate has been signed by an
intermediate CA, rather than directly by a root CA or other CA currently
trusted by the client.
Alternatively, you can include the entire signing chain in the server
certificate itself before uploading it to the FortiWeb unit, thereby
completing the chain of trust with a CA already known to the client.
This option appears only if HTTPS Service is enabled and the FortiWeb
unit is operating in reverse proxy mode.
SSL Server Enable to use SSL to encrypt connections from the FortiWeb unit to
protected web servers. Also configure Certificate.
Disable to pass traffic to protected web servers in clear text.
To test whether the web server supports SSL connections, click SSL
Support Test.
This option appears only in reverse proxy mode. (The FortiWeb unit
cannot act as an SSL terminator or initiator in offline protection mode or
either of the transparent modes.)
Note: Enable only if the protected host supports SSL.
Persistent Server Sessions Enter the maximum number of concurrent TCP client connections that can be accepted by this policy.
The maximum number of HTTP sessions established with each server
depends on this field, and whether you have selected a single real
server or a server farm and the Load Balancing Algorithm.
For example, if you set the value of Persistent Server Sessions to
10 000 and there are 4 real servers in a server farm that uses Round
Robin-style load-balancing, up to 10 000 client connections would be
accepted, resulting in up to 2 500 HTTP sessions evenly distributed to
each of the 4 real servers.
Each model of FortiWeb units has a maximum allowed number of
persistent sessions. The Edit Policy dialog lists the minimum and
maximum for your FortiWeb model next to this field. For more
specifications, see “Appendix B: Maximum values” on page 397.
Monitor Mode When enabled, this mode treats all blocking actions (deny, redirect, and
so on) as if they were the Alert action. This enables FortiWeb to log
attacks and complete processing of the connection. This is needed to let
the auto-learning feature collect more information to build profiles of
attacks. If auto-learning is not enabled, clear this option. See “Tune up
alerts” on page 30.
URL Case Sensitivity Enable to differentiate uniform resource locators (URLs) according to
upper case and lower case letters for features that act upon the URLs in
the headers of HTTP requests, such as: start page rules, IP list rules,
and page access rules.
For example, when this option is enabled, an HTTP request involving
http://www.Example.com/ would not match profile features that
specify http://www.example.com (difference is lower case "e").
Comments Enter a description or other comment. The description may be up to 35
characters long.
Caution: When the operation mode is reverse proxy, disabling a policy could block all
traffic if no remaining active policies match that traffic. That is, if no policies exist or none
are enabled, the FortiWeb unit will deny HTTP/HTTPS traffic.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
2 In the row corresponding to the policy that you want to enable, mark the check box in
the Enable column.
3 In the row corresponding to the policy that you want to disable, clear the check box in
the Enable column.
To determine whether the policy is applicable, see the column “Status” on page 121.
Configuring servers
Server Policy > Server enables you to configure various types of servers in your
network.
This section includes the following topics:
• Configuring virtual servers
• Configuring physical servers
• Configuring domain servers
• Grouping physical and domain servers into server farms
• Configuring HTTP content routing policy
• Configuring HTTP conversion policy
Caution: Virtual servers can be on the same subnet as real servers. This configuration
creates a one-arm HTTP proxy. For example, the virtual server 10.0.0.1/24 could forward to
the real server 10.0.0.2.
However, this is not recommended. Unless your network’s routing configuration prevents it,
it could allow clients that are aware of the real server’s IP address to bypass the FortiWeb
unit by accessing the real server directly.
Virtual servers are applied by selecting them within a policy. For details, see “Configuring
server policies” on page 118.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
Table 48: Server Policy > Server > Virtual Server tab
4 Click OK.
To define the listening port of the virtual server, create a custom service and select it in
the policy where the virtual server is also selected. For details, see “Configuring
services” on page 145.
To apply the virtual server, you must select it in a policy. For details, see “Configuring
server policies” on page 118.
By default, virtual servers are enabled, and the FortiWeb unit can forward traffic from
them.
Caution: Disabling a virtual server could block traffic matching policies in which you have
selected the virtual server. For details, see “Configuring server policies” on page 118.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
2 In the row corresponding to the virtual server that you want to enable, in the Enable
column, mark the check box.
3 In the row corresponding to the virtual server that you want to disable, in the Enable
column, clear the check box.
Note: A physical server is usually not the same as a protected hosts group.
Note: Server health checks cannot be used with an individual physical server. If you want
to monitor a server for responsiveness, you must group one or more physical servers into a
server farm.
For details, see “Configuring server policies” on page 118 or “Grouping physical and
domain servers into server farms” on page 135.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
Table 49: Server Policy > Server > Physical Server tab
4 Click OK.
To forward traffic from a virtual server to multiple physical servers, you must group the
physical servers into a server farm. For more information, see “Grouping physical and
domain servers into server farms” on page 135.
To apply the physical server, you must select it in a policy, or group it into a server farm
that is selected in a policy. For details, see “Configuring server policies” on page 118.
Note: If the physical server is a member of a server farm and will be unavailable only
temporarily, you can alternatively configure a server health check to automatically prevent
the FortiWeb unit from forwarding traffic to that physical server when it is unresponsive. For
details, see “Configuring server health checks” on page 143.
Caution: Disabling a physical server could block traffic matching policies in which you have
selected the physical server, or selected a server farm in which the physical server is a
member. For details, see “Configuring server policies” on page 118.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
2 In the row corresponding to the physical server that you want to enable, mark the
check box in the Enable column.
3 In the row corresponding to the physical server that you want to disable, clear the
check box in the Enable column.
Domain servers define an individual server or a member of a server farm that is the
ultimate destination of traffic received by the FortiWeb unit at a virtual server address, and
where the FortiWeb unit will forward traffic after applying the protection profile and other
policy settings.
Domain servers are applied either by selecting them within a policy, or grouping them into
a server farm that is selected in a policy.
Note: Server health checks cannot be used with an individual domain server. If you want to
monitor a server for responsiveness, you must group one or more domain servers into a
server farm.
For details, see “Configuring server policies” on page 118 or “Grouping physical and
domain servers into server farms” on page 135.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
Table 50: Server Policy > Server > Domain Server tab
4 Click OK.
To forward traffic from a virtual server to multiple domain servers, you must group the
domain servers into a server farm. For more information, see “Grouping physical and
domain servers into server farms” on page 135.
To apply the domain server, you must select it in a policy, or group it into a server farm
that is selected in a policy. For details, see “Configuring server policies” on page 118.
Note: If the domain server is a member of a server farm and will be unavailable only
temporarily, you can alternatively configure a server health check to automatically prevent
the FortiWeb unit from forwarding traffic to that domain server when it is unresponsive. For
details, see “Configuring server health checks” on page 143.
Caution: Disabling a domain server could block traffic matching policies in which you have
selected the domain server, or selected a server farm in which the domain server is a
member. For details, see “Configuring server policies” on page 118.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
• Reverse Proxy mode: When the FortiWeb unit receives traffic destined for a virtual
server, it can forward the traffic to a physical or domain server or a server farm. If you
have configured the policy to forward traffic to a server farm, the connection is routed
to one of the physical or domain servers in the server farm. Which of the physical or
domain servers receives the connection depends on your configuration of load-
balancing algorithm, weight, server health checking, or content routing by either XPath
expressions, HTTP content or WSDL content routing.
To prevent traffic from being forwarded to unavailable real servers, the availability of
physical and domain servers in a server farm can be verified using a server health
check. Whether the FortiWeb unit will redistribute or drop the connection when a
physical or domain server in a server farm is unavailable varies by the availability of
other members and by your configuration of the Deployment Mode option in the policy.
For details, see “Deployment Mode” on page 123.
• Offline protection/transparent modes: When the FortiWeb unit receives traffic
destined for a virtual server or passing through a bridge, it allows the traffic to pass
through to members of the server farm.
Server farms are applied by selecting them within a policy. For details, see “Configuring
server policies” on page 118.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
Table 51: Server Policy > Server > Server Farm tab
Note: Before configuring a server farm, you must first configure the real servers that will be
members of the server farm. For details, see “Configuring physical servers” on page 131.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
3 Configure the following:
SSL: Enable if connections to the server use SSL, and if the FortiWeb unit is operating
in a mode other than reverse proxy. Also configure Certificate File.
Unlike HTTPS Service in policies, when you enable this option, the FortiWeb unit will not
apply SSL. Instead, it will use the certificate to decrypt and scan connections before
passing the encrypted traffic through to the web servers or clients.
SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
Caution: You must enable either this option or HTTPS Service if the connection uses
SSL. Failure to enable an SSL option and provide a certificate will result in the
FortiWeb unit being unable to decrypt connections, and therefore unable to scan HTML or
XML content.
Note: When this option is enabled, the web server must be configured to apply SSL. The
FortiWeb unit will use the certificate to decrypt and scan traffic only. It will not
apply SSL to the connections.
Note: Ephemeral (temporary key) Diffie-Hellman exchanges are not supported if the
FortiWeb unit is operating in offline protection mode.
Certificate File: Select the real server’s certificate that the FortiWeb unit will use
when decrypting SSL-secured connections, or select Create New to upload a new
certificate in a pop-up window, without leaving the current page. For more information,
see “Uploading a certificate” on page 88.
This option appears only if SSL is enabled.
If the server farm will be used with a policy whose Deployment Mode is Content
Routing or WSDL Content Routing, place the real server that you want to be the
failover first in the list of real servers in the server farm. In content routing or WSDL
content routing, each server in the server farm may not host identical web services. If a
real server is unresponsive to the server health check, the FortiWeb unit will forward
subsequent connections to the first real server in the server farm, which will be
considered to be the failover. Make sure the first real server can act as a backup for
all other servers in the server farm.
11 Repeat the previous step for each real server that you want to add to the server farm.
12 If you need to modify a real server, click its Edit icon. To remove a single real server
from the server farm, click its Delete icon. To remove all real servers from the server
farm, click the Clear icon.
13 Click OK.
To monitor members of the server farm for responsiveness, configure a server health
check that will be used with the server farm. For details, see “Configuring server health
checks” on page 143.
To use a server farm as the destination for web or web services connections, select it
when configuring a policy. For details, see “Configuring server policies” on page 118.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
Table 52: Server Policy > Server > HTTP Content Routing Policy tab
5 Click OK.
Caution: When configuring an HTTP conversion policy, check whether any URL rewriting
policies in use might conflict with it. If conflicts occur, the URL rewriting policy takes
priority over the HTTP conversion policy. For more information on URL rewriting policies,
see “Configuring URL rewriting policy” on page 244.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
Table 53: Server Policy > Server > HTTP Content Conversion Policy tab
7 Click OK.
Server health checks poll real servers that are members of the server farm to determine
their availability (that is, whether or not the server is responsive) before forwarding traffic.
Server health check configurations can specify TCP, HTTP, or ICMP ECHO (ping). A
health check occurs every number of seconds indicated by the interval. If a reply is not
received within the timeout period, and you have configured the health check to retry, it will
attempt a health check again; otherwise, the server is deemed unresponsive. The
FortiWeb unit will compensate by disabling traffic to that server until it becomes
responsive again.
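The interval, timeout and retry behaviour described above, modelled as an added example (this is not FortiWeb code). The member and check names, the TEST-NET addresses, the scripted probe results, and the reading of retry as the number of extra attempts allowed before a member is deemed unresponsive are all assumptions of the example:

```python
# Added example, not FortiWeb code: a model of server health check semantics
# (interval, timeout, retry, and "disable until responsive again").
import socket
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HealthCheck:
    interval: float = 10.0  # seconds between probes of each member
    timeout: float = 3.0    # seconds to wait for a reply before counting a failure
    retry: int = 2          # extra attempts allowed before the member is deemed down (assumption)


@dataclass
class Member:
    name: str
    host: str
    port: int
    available: bool = True  # traffic is only forwarded to available members
    failures: int = 0       # consecutive failed probes


def tcp_probe(host: str, port: int, timeout: float) -> Optional[float]:
    """TCP-type check: connect latency in seconds, or None when no reply arrived."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None


def record_probe(member: Member, check: HealthCheck, latency: Optional[float]) -> bool:
    """Apply one probe result and return the member's new availability.

    A reply within the timeout resets the failure count and re-enables the
    member. A missing or late reply is retried `check.retry` times; once more
    consecutive failures than that accumulate, the member is disabled.
    """
    if latency is not None and latency <= check.timeout:
        member.failures = 0
        member.available = True
    else:
        member.failures += 1
        if member.failures > check.retry:
            member.available = False
    return member.available


def simulate(member: Member, check: HealthCheck,
             latencies: List[Optional[float]]) -> List[bool]:
    """Feed scripted probe results (constructed, no network) and return the
    member's availability after each probe, in order."""
    return [record_probe(member, check, lat) for lat in latencies]


def available_members(farm: List[Member]) -> List[str]:
    """Names of the members a new connection may be forwarded to right now."""
    return [m.name for m in farm if m.available]


if __name__ == "__main__":
    check = HealthCheck(interval=5, timeout=2, retry=2)
    web1 = Member("web1", "192.0.2.10", 80)  # constructed TEST-NET address
    # One reply, two misses absorbed by retries, a reply, three misses (down), recovery.
    print(simulate(web1, check, [0.1, None, None, 0.2, None, None, None, 0.1]))
```

`tcp_probe` shows what a real TCP-type probe does; the simulation feeds scripted latencies instead so the state machine can be checked offline. Note that a reply that arrives after the timeout counts as a failure, exactly like no reply.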
Note: If a real server will be unavailable for a long period, such as when a server is
undergoing hardware repair or when you have removed a server from the server farm, you
may improve the performance of your FortiWeb unit by disabling the real server, rather than
allowing the server health check to continue to check for responsiveness. For details, see
“Configuring physical servers” on page 131.
Server health checks are applied by selecting them in a policy, for use with the entire
server farm. For details, see “Configuring server policies” on page 118.
To view the status currently being detected by server health checks, use the Service
Status widget on the dashboard. For details, see “Service Status widget” on page 49.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
Table 54: Server Policy > Server Health Check > Server Health Check tab
6 Click OK.
To apply a server health check, select it when configuring a policy that uses a server farm.
For details, see “Configuring server policies” on page 118.
Configuring services
Server Policy > Service displays predefined and custom services.
Services define protocols and TCP port numbers and can be selected in a policy to define
the traffic that the policy will match.
While some predefined services are available (see “Viewing the list of predefined services”
on page 146), you may need to configure your own custom services if your virtual servers
will receive traffic on non-standard TCP port numbers.
Before or during creating a policy, you must configure a service that defines the TCP port
number where traffic destined for a virtual server will arrive. (Exceptions include policies
whose Deployment Mode is Offline Protection, which do not require that you define a TCP
port number using a service.) For details, see “Configuring server policies” on page 118.
Custom services can be selected in a policy in order to define the protocol and listening
port of a virtual server.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
4 Click OK.
To use a custom service as the listening port of a virtual server, you must select it in a
policy. For details, see “Configuring server policies” on page 118.
Predefined services can be selected in a policy in order to define the protocol and listening
port of a virtual server. For details, see “Configuring server policies” on page 118.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
Note: A protected hosts group is usually not the same as a real server.
Unlike a real server, which is a single IP at the network layer, a protected server group
should contain all network IPs, virtual IPs, and domain names that clients use to access
the web server at the application (HTTP) layer.
For example, clients often access a web server via a public network such as the Internet.
Therefore, the protected server group contains domain names, public IP addresses and
public virtual IPs on a network edge router or firewall that are routable from that public
network. But the physical server is only the IP address that the FortiWeb unit uses to
forward traffic to the server and, therefore, is often a private network address (unless the
FortiWeb unit is operating in offline protection or either of the transparent modes).
Protected server groups can be used by:
• policies
• input rules
• server protection exceptions
• start page rules
• page access rules
• IP list rules
Table 57: Server Policy > Protected Servers > Protected Servers tab
8 Repeat the previous step for each host that you want to add to the protected server
group.
9 If you need to modify a host, click its Edit icon. To remove a single host from the
protected server group, click its Delete icon. To remove all hosts from the protected
server group, click the Clear icon.
10 Click OK.
To use a protected server group, you must select it in a policy, input rule, start page rule,
page access rule, trusted IP rule, or hidden field rule. For details, see:
• “Configuring server policies” on page 118
• “Configuring parameter validation input rules” on page 194
• “Configuring page access rules” on page 198
• “Configuring start page rules” on page 213
• “Configuring URL access rules” on page 218
• “Configuring URL access policy” on page 216
Tip: If you know that your network’s HTTP sessions do not include a specific data type,
omit it from the data type group to improve performance. The FortiWeb unit will not expend
resources scanning traffic for that data type.
Data type groups are used by auto-learning profiles. For details, see “Applying auto-
learning profiles” on page 278.
Note: Alternatively, you can automatically configure a data type group that includes all
types by generating a default auto-learning profile. For details, see “Generating an auto-
learning profile and its components” on page 281.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
Table 58: Server Policy > Predefined Pattern > Data Type Group tab
To use a data type group, select it when configuring an auto-learning profile. For details,
see “Applying auto-learning profiles” on page 278.
Table 59: Server Policy > Predefined Pattern > Predefined Data Type tab
Pattern: Displays the regular expression that is used to detect the presence of the data
type when you select the blue arrow beside a pattern. Parameter values must match the
regular expression in order for an auto-learning profile to successfully detect the data
type, or for an input rule to permit the input.
Description: Displays a description, which may include examples of values that match the
regular expression, when you select the blue arrow beside a pattern.
Note: Alternatively, you can automatically configure a suspicious URL group that includes
all suspicious URL rules by generating a default auto-learning profile. For details, see
“Generating an auto-learning profile and its components” on page 281.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
Table 60: Server Policy > Predefined Pattern > Suspicious URL Rule tab
Predefined suspicious URL types are selected in suspicious URL groups, which are used
by auto-learning profiles to detect malicious HTTP requests by URL. For details, see
“Grouping suspicious URLs” on page 154.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
Table 61: Server Policy > Predefined Pattern > Predefined URL Rule tab
You can add custom data types to input rules to define the data type of an input, and to
auto-learning profiles to detect valid input parameters. You can use both custom data
types and predefined data types. For details about predefined data types, see “Viewing
the list of predefined data types” on page 152.
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
Table 62: Server Policy > Custom Pattern > Custom Data Type tab
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
Table 63: Server Policy > Custom Pattern > Custom Suspicious URL tab
To access this part of the web-based manager, your administrator's account access profile
must have Read permission to items in the Server Policy Configuration category. For
details, see “About permissions” on page 80.
Tip: Before you can create a custom suspicious URL rule, you must first define one or more
custom suspicious URLs. See “Creating custom suspicious URLs” on page 157.
Table 64: Server Policy > Custom Pattern > Custom Suspicious URL Rule tab
7 Click OK.
To use a custom suspicious URL rule, add the rule to a suspicious URL rule, then select
that rule when configuring an auto-learning profile. For details, see “Applying auto-learning
profiles” on page 278.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
Example one
The HTTP request URL from a client is
/app/login.asp;jsessionid=xxx;p1=111;p2=123?p3=5555&p4=66aaaaa,
which is a JSP application type. When you create the URL replacer, if you select JSP as
the predefined application type, the JSP plug-in will change the URL to
/app/login.asp?p4=66aaaaa with 3 extra parameters: p1=111,p2=123 and
p3=5555.
Example two
If the HTTP request URL from a client is /tom/login.asp and you created the following
URL replacer:
Type: Custom-Defined
URL Path: ^/(.*)/(.*)$
New URL: /$1
Param Change: $0
New Param: username
Then the URL will be changed to /login.asp with an extra parameter: username=tom.
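The Custom-Defined replacer from Example two, re-implemented as an added example (not FortiWeb code) so the rewrite can be checked against the stated result. The zero-based reading of `$0`/`$1` follows the example (`$0` is the first capture group, `$1` the second); the function names and the `lang=en` query string are assumptions. `effective_parameters` also shows the point a defender cares about: a value carried in a path segment becomes a named parameter that input rules and auto-learning can validate.

```python
# Added example, not FortiWeb code: Custom-Defined URL replacer semantics.
import re
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit


def apply_url_replacer(path: str, url_path: str, new_url: str,
                       param_change: Optional[str] = None,
                       new_param: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Rewrite `path` when it matches the `url_path` regular expression.

    Returns (rewritten_path, extra_params). `new_url` and `param_change` may
    reference capture groups as $0, $1, ... (zero-based, as in Example two);
    `param_change` becomes the value of the extra parameter named `new_param`.
    A path that does not match is returned unchanged with no extra parameters.
    """
    match = re.match(url_path, path)
    if match is None:
        return path, {}

    def expand(template: str) -> str:
        def group(ref: re.Match) -> str:
            index = int(ref.group(1)) + 1  # $N is capture group N+1 in Python terms
            if index > len(match.groups()):
                raise ValueError(f"${ref.group(1)} refers to a capture group that does not exist")
            return match.group(index)
        return re.sub(r"\$(\d+)", group, template)

    extra: Dict[str, str] = {}
    if param_change is not None and new_param:
        extra[new_param] = expand(param_change)
    return expand(new_url), extra


def effective_parameters(url: str, replacer: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Rewritten path plus the parameters (query string and extracted) that later
    validation, such as input rules or auto-learning, would see for this request."""
    parts = urlsplit(url)
    new_path, extra = apply_url_replacer(parts.path, **replacer)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update(extra)
    return new_path, params


# The replacer from Example two, as a keyword-argument dictionary.
EXAMPLE_TWO = {
    "url_path": r"^/(.*)/(.*)$",
    "new_url": "/$1",
    "param_change": "$0",
    "new_param": "username",
}

if __name__ == "__main__":
    print(apply_url_replacer("/tom/login.asp", **EXAMPLE_TWO))   # ('/login.asp', {'username': 'tom'})
    print(effective_parameters("/tom/login.asp?lang=en", EXAMPLE_TWO))
```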
To access this part of the web-based manager, your administrator's account access profile
must have Read and Write permission to items in the Server Policy Configuration
category. For details, see “About permissions” on page 80.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
3 Enter a name for the policy and click OK.
A dialog appears.
XML protection
This chapter describes the XML protection menu. It contains features that act upon HTTP
requests with XML content, such as AJAX (JavaScript that uses the XMLHttpRequest
object), RSS, and SOAP connections.
This chapter includes the following topics:
• Configuring protection schedules
• Configuring content filter rules
• Configuring intrusion prevention rules
• Configuring WSDL content routing groups
• Managing XML signature and encryption keys
• Managing schema files
• Managing WSDL files
• Configuring XML protection profiles
Note: For information on the IETF RFC, W3C standards and IEEE standards supported by
this version of FortiWeb, see “Appendix A: Supported RFCs, W3C and IEEE standards” on
page 395.
Configure a schedule to define when a content filter rule will apply. For example, a
FortiWeb unit might be configured with a content filter rule that uses a one-time schedule
to block access to the web service during an emergency maintenance period.
For details, see “Configuring content filter rules” on page 166.
This section includes the following topics:
• Configuring one-time schedules
• Configuring recurring schedules
Table 65: XML Protection > Schedule > One Time tab
4 In the Start row, select the date and time that the schedule will begin.
5 In the End row, select the date and time that the schedule will end.
6 Click OK.
To apply a schedule, select it as the period when configuring a content filter rule. For more
information, see “Configuring content filter rules” on page 166.
Note: A recurring schedule with a stop time that occurs before the start time starts at the
start time and finishes at the stop time on the next day. You can use this technique to create
recurring schedules that run from one day to the next. To create a recurring schedule that
runs for 24 hours, set the start and stop times to the same time.
5 In the End row, select the time that the schedule will end.
6 In the Day row, select the days of the week when the schedule runs.
7 Click OK.
To apply a schedule, select it as the period when configuring a content filter rule. For more
information, see “Configuring content filter rules” on page 166.
Table 67: XML Protection > Content Filter > Content Filter tab
XPATH Expression: Displays the XPath expression that matches web service content to
which the action is applied.
Action: Displays the action that the FortiWeb unit will take when content matches XPATH
Expression. For details on how the action interacts with ID to determine which content
filter rules will be applied, see “How priority affects content filter rule matching” on
page 169.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log message. For more
information on logging and alerts, see “Configuring and enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log message. For
more information on logging and alerts, see “Configuring and enabling logging” on
page 323.
Enable: Mark the check box to enable use of the content filter rule. For details, see
“Enabling or disabling a content filter rule” on page 169.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear
if the entry is currently selected for use in a protection profile. Click the Edit icon to
modify the entry.
3 In Name, type the name of the content filter rule.
This field cannot be modified if you are editing an existing content filter rule. To modify
the name, delete the entry, then recreate it using the new name.
4 In Comments, type a description for the content filter rule.
5 Click OK.
8 Repeat the previous steps for each content filter that you want to add to the content
filter rule.
9 If you need to modify a content filter, click its Edit icon. To remove a single content filter
from the content filter rule, click its Delete icon. To remove all content filters from the
content filter rule, click the Clear icon.
10 Click OK.
To apply the content filter rule, select it in an XML protection profile that is selected in a
policy. For more information, see “Configuring XML protection profiles” on page 184.
When the FortiWeb unit finds a matching content filter rule, it applies the matching content
filter rule's specified actions to the connection. If the action is:
• Alert: The FortiWeb unit applies the action, then evaluates the next content filter rule
for a match.
• Accept or Deny: The FortiWeb unit applies the action and disregards all lower priority
rules.
As a general rule, you should arrange the list of content filter rules from most specific
to most general, because only the first matching content filter rule is applied to the
connection. Once a connection is accepted or denied, subsequent possible matches are not
considered or applied. Ordering content filter rules from most specific to most general
prevents content filter rules that match a wide range of traffic and whose action is
Accept or Deny from superseding, and effectively masking, other content filter rules
whose action is Alert, or that match exceptions.
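The priority and action semantics just described, as an added example that is not FortiWeb code. Rules are evaluated in ascending ID order; Alert applies and continues, while Accept, Deny and Alert & Deny apply and stop. The XPath subset is the one understood by `xml.etree.ElementTree`, the rule sets and the two SOAP-like documents are constructed, and `never_applied` is an added check that reports rules masked by a broader rule placed ahead of them:

```python
# Added example, not FortiWeb code: content filter rule matching by priority.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

STOP_ACTIONS = {"Accept", "Deny", "Alert & Deny"}  # Alert is the only pass-through action


@dataclass(frozen=True)
class ContentFilterRule:
    rule_id: int   # priority: lower IDs are evaluated first
    xpath: str     # XPath in the subset understood by xml.etree.ElementTree
    action: str    # "Accept", "Alert", "Deny" or "Alert & Deny"


def evaluate(rules: Iterable[ContentFilterRule],
             xml_text: str) -> Tuple[Optional[str], List[int]]:
    """Return (final_action, ids_of_rules_applied) for one request body.

    final_action is None when no Accept/Deny rule matched; the rest of the
    protection profile then decides what happens to the connection.
    """
    root = ET.fromstring(xml_text)
    applied: List[int] = []
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if root.find(rule.xpath) is None:   # no content matched this rule
            continue
        applied.append(rule.rule_id)
        if rule.action in STOP_ACTIONS:
            return rule.action, applied
        # "Alert": logged, and evaluation continues with lower-priority rules
    return None, applied


def never_applied(rules: List[ContentFilterRule], sample_documents: Iterable[str]) -> Set[int]:
    """IDs of rules that fire on none of the samples: a quick way to spot rules
    masked by a broader Accept or Deny rule ordered ahead of them."""
    fired: Set[int] = set()
    for doc in sample_documents:
        fired.update(evaluate(rules, doc)[1])
    return {r.rule_id for r in rules} - fired


# Constructed request bodies (not real traffic).
ORDER_WITH_CARD = ("<Envelope><Body><Order><Item>book</Item>"
                   "<CreditCard>4111-TEST</CreditCard></Order></Body></Envelope>")
ORDER_PLAIN = "<Envelope><Body><Order><Item>book</Item></Order></Body></Envelope>"

# Specific rules first: the card rule can never be masked.
SPECIFIC_FIRST = [
    ContentFilterRule(1, ".//Order/CreditCard", "Alert & Deny"),
    ContentFilterRule(2, ".//Order", "Alert"),
    ContentFilterRule(3, ".//Body", "Accept"),
]
# Same rules with the broad Accept first: rules 2 and 3 are dead.
GENERAL_FIRST = [
    ContentFilterRule(1, ".//Body", "Accept"),
    ContentFilterRule(2, ".//Order", "Alert"),
    ContentFilterRule(3, ".//Order/CreditCard", "Alert & Deny"),
]

if __name__ == "__main__":
    print(evaluate(SPECIFIC_FIRST, ORDER_WITH_CARD))   # ('Alert & Deny', [1])
    print(evaluate(SPECIFIC_FIRST, ORDER_PLAIN))       # ('Accept', [2, 3])
    print(evaluate(GENERAL_FIRST, ORDER_WITH_CARD))    # ('Accept', [1])
    print(never_applied(GENERAL_FIRST, [ORDER_WITH_CARD, ORDER_PLAIN]))  # {2, 3}
```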
Caution: Disabling a content filter rule could allow traffic matching policies in whose
XML protection profile you have selected the content filter rule. For details, see
“Configuring XML protection profiles” on page 184.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.
2 In the row corresponding to the content filter rule that you want to enable, mark the
check box in the Enable column.
3 In the row corresponding to the content filter rule that you want to disable, clear the
check box in the Enable column.
Table 68: XML Protection > Intrusion Filters > Intrusion Filters tab
Max Attributions Per Element: Displays the maximum number of attributes to allow for any
XML element.
Max Attribution Value Length: Displays the maximum length of the value to allow for any
attribute of any XML element.
Allow DTDs: Indicates whether or not use of document type definitions (DTDs) is allowed.
Enable: Mark the check box to enable use of the intrusion prevention rule. For details,
see “Enabling or disabling an intrusion prevention rule” on page 172.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear
if the entry is currently selected for use in a protection profile. Click the Edit icon to
modify the entry.
Max Elements: Enter the maximum number of XML elements to allow in a single request.
Max Element Depth: Enter the maximum depth of XML elements to allow in the tree of a
single request.
Max Name Length: Enter the maximum length to allow for any XML element, attribute or
namespace.
Max Attributions: Enter the maximum number of attributes to allow in a single request.
Max Attributions Per Element: Enter the maximum number of attributes to allow for any
XML element.
Max Attribution Value Length: Enter the maximum length of the allowed value of any
attribute of any XML element.
Max Namespace Declarations: Enter the maximum number of XML namespace (XMLNS)
declarations to allow in a single request.
Max Namespace Declarations per Element: Enter the maximum number of XML namespace
(XMLNS) declarations to allow for any XML element.
Max Text Nodes: Enter the maximum number of text nodes to allow in a single request.
Max Text Node Length: Enter the maximum length to allow for any text node.
Max Text Node Ratio: Enter the maximum size ratio to allow for any text node, where the
maximum size ratio is T/(D-T), D is the total size of the request, and T is the size of
the text node.
Max CData: Enter the maximum number of character data (CDATA) sections to allow in a
single request.
Max CData Length: Enter the maximum length of the value to allow for any character data
(CDATA) section in a single request.
Max Character Reference: Enter the maximum number of character entity references to
allow in a single request.
Max PIs: Enter the maximum number of processing instructions (PIs) to allow in a single
request.
Max Gen Entity Reference: Enter the maximum number of general entity references to
allow in a single request.
Allow DTDs: Enable to allow use of document type definitions (DTDs). Unlike W3C XML
schema scanning, DTD scanning is currently not supported, and therefore inclusion of
DTDs can only be specifically allowed or denied.
Comments: Enter a description for the intrusion prevention rule.
4 Click OK.
To apply the intrusion prevention rule, select it in an XML protection profile that is
selected in a policy. For more information, see “Configuring XML protection profiles” on
page 184.
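A streaming checker for most of the limits listed above, written as an added example with the expat parser from the Python standard library; it is not FortiWeb code and says nothing about how the FortiWeb unit implements these limits. The limit names mirror the field names, the default values and the sample request bodies are constructed, whitespace-only character data is not counted as a text node (an assumption of the example), and the character and general entity reference counts and Max CData Length are not covered:

```python
# Added example, not FortiWeb code: enforcing XML request limits with expat.
import xml.parsers.expat
from dataclasses import dataclass
from typing import Optional


@dataclass
class XmlLimits:
    """Subset of the intrusion prevention rule fields (constructed defaults)."""
    max_elements: int = 1000
    max_element_depth: int = 20
    max_name_length: int = 64
    max_attributions: int = 200
    max_attributions_per_element: int = 20
    max_attribution_value_length: int = 256
    max_namespace_declarations: int = 20
    max_text_nodes: int = 500
    max_text_node_length: int = 4096
    max_text_node_ratio: float = 0.9   # T/(D-T): D = request size, T = text node size
    max_cdata: int = 10
    max_pis: int = 2
    allow_dtds: bool = False


class LimitExceeded(Exception):
    """Raised inside a parser handler; carries the name of the violated limit."""


def check_xml_request(data: bytes, limits: Optional[XmlLimits] = None) -> Optional[str]:
    """Stream `data` through expat once. Return the first violated limit name,
    "Malformed XML" for unparsable input, or None when every limit holds."""
    lim = limits or XmlLimits()
    D = len(data)
    counts = {"elements": 0, "depth": 0, "attrs": 0, "ns": 0, "text": 0, "cdata": 0, "pis": 0}
    buf = []  # character data of the text node currently being read

    def over(value, limit, name):
        if value > limit:
            raise LimitExceeded(name)

    def flush_text():
        # One run of character data between two markup events is one text node.
        text = "".join(buf)
        buf.clear()
        if not text.strip():          # indentation-only runs are ignored (assumption)
            return
        counts["text"] += 1
        over(counts["text"], lim.max_text_nodes, "Max Text Nodes")
        T = len(text.encode("utf-8"))
        over(T, lim.max_text_node_length, "Max Text Node Length")
        if D - T <= 0 or T / (D - T) > lim.max_text_node_ratio:
            raise LimitExceeded("Max Text Node Ratio")

    def start(name, attrs):
        flush_text()
        counts["elements"] += 1
        over(counts["elements"], lim.max_elements, "Max Elements")
        counts["depth"] += 1
        over(counts["depth"], lim.max_element_depth, "Max Element Depth")
        over(len(name), lim.max_name_length, "Max Name Length")
        per_element = 0
        for attr, value in attrs.items():
            over(len(attr), lim.max_name_length, "Max Name Length")
            if attr == "xmlns" or attr.startswith("xmlns:"):   # namespace declaration
                counts["ns"] += 1
                over(counts["ns"], lim.max_namespace_declarations, "Max Namespace Declarations")
                continue
            per_element += 1
            counts["attrs"] += 1
            over(counts["attrs"], lim.max_attributions, "Max Attributions")
            over(per_element, lim.max_attributions_per_element, "Max Attributions Per Element")
            over(len(value), lim.max_attribution_value_length, "Max Attribution Value Length")

    def end(name):
        flush_text()
        counts["depth"] -= 1

    def pi(target, pi_data):
        flush_text()
        counts["pis"] += 1
        over(counts["pis"], lim.max_pis, "Max PIs")

    def cdata_start():
        flush_text()
        counts["cdata"] += 1
        over(counts["cdata"], lim.max_cdata, "Max CData")

    def doctype(name, sysid, pubid, has_internal_subset):
        if not lim.allow_dtds:        # stop before any entity declaration is processed
            raise LimitExceeded("Allow DTDs")

    p = xml.parsers.expat.ParserCreate()
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = buf.append
    p.ProcessingInstructionHandler = pi
    p.StartCdataSectionHandler = cdata_start
    p.EndCdataSectionHandler = flush_text
    p.StartDoctypeDeclHandler = doctype
    try:
        p.Parse(data, True)
    except LimitExceeded as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError:
        return "Malformed XML"
    return None


# Constructed request bodies that each trip one limit (or none).
SAMPLES = {
    "soap_ok": (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                b'<soap:Body><GetQuote><Symbol>ACME</Symbol></GetQuote></soap:Body></soap:Envelope>'),
    "deep": b"<a>" * 30 + b"x" + b"</a>" * 30,
    "dtd": b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>',
    "attr_flood": b"<r " + b" ".join(b'k%d="v"' % i for i in range(25)) + b"/>",
    "text_heavy": b"<r>" + b"A" * 100 + b"</r>",
}
```

Because the checks run inside the parser callbacks, a request is rejected at the first violation without buffering the whole tree, which is the property that makes such limits useful against oversized or deeply nested payloads. The ratio check applies the T/(D-T) formula from the table to each text node as it is completed.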
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.
2 In the row corresponding to the intrusion prevention rule that you want to enable, mark
the check box in the Enable column.
3 In the row corresponding to the intrusion prevention rule that you want to disable, clear
the check box in the Enable column.
Table 69: XML Protection > WSDL Routing > WSDL Routing tab
3 In Name, type the name of the content routing group.
This field cannot be modified if you are editing an existing content routing group. To
modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.
7 Repeat the previous steps for each WSDL operation that you want to add to the
content routing group.
8 If you need to modify a WSDL operation, click its Edit icon. To remove a single WSDL
operation from the content routing group, click its Delete icon. To remove all WSDL
operations from the content routing group, click the Clear icon.
9 Click OK.
To apply a content routing group, select it as the content that will be destined for a specific
real server when configuring a server farm. For more information, see “Grouping physical
and domain servers into server farms” on page 135.
Uploading a key
XML Protection > XML Sig/Enc > Key File displays keys already uploaded to the FortiWeb
unit, and that may be used in a key management group.
If you want to configure XML protection profiles that will apply or validate XML signatures,
or apply XML encryption or decryption, you must first upload a key file.
To access this part of the web-based manager, your administrator’s account access profile
must have Read permission to items in the XML Protection Configuration category. For
details, see “About permissions” on page 80.
Table 70: XML Protection > XML Sig/Enc > Key File tab
Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded
files may not exceed 12 MB.
2 Click Import.
A dialog appears.
Table 71: XML Protection > XML Sig/Enc > Key Management tab
Key File Count: Displays the number of keys used by the key management group.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear
if the entry is currently selected for use in a protection profile. Click the Edit icon to
modify the entry.
3 In Name, type the name of the key management group.
This field cannot be modified if you are editing an existing key management group. To
modify the name, delete the entry, then recreate it using the new name.
4 In Comments, type a description for the key management group.
5 Click OK.
6 Click Create New.
A dialog appears.
8 Repeat the previous steps for each key file and algorithm combination that you want to
add to the key management group.
9 If you need to modify an entry, click its Edit icon. To remove a single entry from the
group, click its Delete icon. To remove all entries from the group, click the Clear icon.
10 Click OK.
To apply a key management group, select it when configuring XML encryption or
decryption in an XML protection profile. For more information, see “Configuring XML
protection profiles” on page 184.
Note: Failing to upload a schema file could block traffic-matching policies in the XML
protection profile where you enabled the Schema Validate option, because the FortiWeb
unit may not be able to do schema validation. For details, see “Schema Validation” on
page 187.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.
Table 72: XML Protection > Load Schema > Load Schema tab
Enable Mark the check box to enable use of the schema file if you have enabled
Schema Validation. For details, see “Enabling or disabling a schema file” on
page 180.
(No column heading.) Click the Delete icon to remove the schema. This option does not appear
for the default schemas (RSS 2.0, UBL 1.0, and UBL 2.0).
Click the Edit icon to validate the schema. For details, see “Managing
schema files” on page 178. This option does not appear for the default
schemas.
Click the View icon to display the contents of the schema file in a pop-up
window.
Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded
files may not exceed 12 MB.
7 If you uploaded a compressed schema file, select the root file of the schema from the
Schema File List area, and click the right arrow.
8 Click OK.
The FortiWeb unit validates the root schema file and all child schema files. If a schema is
not successfully validated, such as if a compressed schema is too large, an error
message appears. You may select a different root schema file and attempt the validation
again immediately, or you may validate the schema at another time by clicking its Edit icon
in the list of schema files. However, the FortiWeb unit will not use the schema until it is
validated.
To use the schema to validate requests, you must enable the Schema Validation option in
an XML protection profile used by a policy. For details, see “Schema Validation” on
page 187.
Note: Disabling a schema file could block traffic-matching policies in whose XML protection
profile you have enabled the Schema Validation option, because the FortiWeb unit may not
be able to do schema validation. For details, see “Schema Validation” on page 187.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.
2 In the row corresponding to the schema file that you want to enable, mark the check
box in the Enable column.
3 In the row corresponding to the schema file that you want to disable, clear the check
box in the Enable column.
Caution: Failing to upload a WSDL file could allow traffic-matching policies in whose XML
protection profile you have enabled the WSDL Verify option, because the FortiWeb unit will
not be able to do WSDL verification. For details, see “WSDL Verify” on page 187.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.
Table 73: XML Protection > Load WSDL > Load WSDL tab
Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded
files may not exceed 12 MB.
2 Click Import.
A dialog appears.
Caution: Disabling a web service operation could allow traffic-matching policies in whose
XML protection profile you enabled the WSDL Verify option, because the FortiWeb unit will
not be able to do full WSDL verification. For details, see “WSDL Verify” on page 187.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.
2 In the row corresponding to the WSDL file that contains the web service operation that
you want to enable or disable, click the Edit icon.
A dialog appears that displays information about the schema namespace URL, web
service URL, and each web service operation that is defined in the WSDL file.
3 In each row corresponding to a web service operation that you want to enable, mark
the check box in the Enable column.
4 In each row corresponding to a web service operation that you want to disable, clear
the check box in the Enable column.
5 Click OK.
Table 74: XML Protection > Load WSDL > XML Web Service Group tab
Web Services Displays the WSDL files that are members of the group.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in an XML protection profile.
Click the Edit icon to modify the entry.
Note: XML protection profiles can be configured at any time, but can be selected in a policy
only while the FortiWeb unit is operating in a mode that supports them. For details, see
Table 45, “Policy behavior by operation mode,” on page 119.
Use SNMP traps to notify you when an XML protection profile has been enforced. For
details, see “Configuring an SNMP community” on page 68.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the XML Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: Before you can create an effective profile, you need to configure one or more XML
protection features. See “XML protection profile workflow” on page 163.
Table 75: XML Protection > XML Protection Profile > XML Protection Profile tab
Schema Validation Enable to validate requests matching the policy against the uploaded
XML schema.
This option may require that you first upload a schema file to the
FortiWeb unit, and enable it.
• If this option is enabled, and WSDL Verify is enabled, and the
schema file does not exist or is disabled, the schema validator will
allow the connection.
• If this option is enabled, and WSDL Verify is disabled, and the
schema file does not exist or is disabled, the schema validator will
block the connection.
For details on uploading a schema file, see “Managing schema files” on
page 178.
Schema Poisoning Enable to prevent external schema references, and thereby prevent
schema poisoning attacks, for traffic matching the policy.
This option does not permit schema referencing by URL for security
reasons, and requires that you upload a schema. For details, see
“Managing schema files” on page 178.
External Entity Attack Prevention Enable to prevent external entity attacks for traffic matching the
policy.
WSDL Scanning Prevention Enable to prevent WSDL scanning for traffic matching the policy.
WSDL Verify Enable to verify that, for traffic matching the policy, the connection uses
web service operations that are valid for that web service according to
the WSDL file.
This option requires that you first upload a WSDL file to the FortiWeb
unit. See “Managing WSDL files” on page 181.
WSDL verify action This option appears only if WSDL Verify is enabled. Select which action
that the FortiWeb unit will take if the connection fails WSDL verification.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log
message. For more information on logging and alerts, see
“Configuring and enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log
message. For more information on logging and alerts, see
“Configuring and enabling logging” on page 323.
Web Service This option appears only if WSDL Verify is enabled. Select the XML web
service group to use for verification of the request, or select Create New
to create a new XML web service group in a pop-up window, without
leaving the current page. For details, see “Grouping WSDL files” on
page 183. To create a group, you first need to upload a WSDL file. See
“Managing WSDL files” on page 181.
XML SIG Enable to validate XML signatures for forward traffic. Also configure
XML SIG action and Key Info. For the XML signature specification, see
http://www.w3.org/TR/xmldsig-core/.
XML SIG action This option appears only if XML SIG is enabled. Select the action that
the FortiWeb unit will take if the forward traffic fails XML signature
verification.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log
message. For more information on logging and alerts, see
“Configuring and enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log
message. For more information on logging and alerts, see
“Configuring and enabling logging” on page 323.
XML ENC Enable to decrypt XML for forward traffic. Also configure XML ENC
action and Key Info.
For the XML encryption/decryption specification, see
http://www.w3.org/TR/xmlenc-core/.
XML ENC action This option appears only if XML ENC is enabled. Select which action
the FortiWeb unit will take if the forward traffic fails XML decryption.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log
message. For more information on logging and alerts, see
“Configuring and enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log
message. For more information on logging and alerts, see
“Configuring and enabling logging” on page 323.
Key Info This option appears only if XML SIG or XML ENC is enabled. Select an
existing key management group to use for XML signature verification and/or
decryption of forward traffic. For details, see “Grouping keys into key
management groups” on page 176.
XML reverse SIG Enable to sign reply traffic with XML signatures. Also configure XML
reverse SIG key and XML reverse SIG XPATH. For the XML signature
specification, see http://www.w3.org/TR/xmldsig-core/.
XML reverse SIG key Select which key management group will be used for XML signing of
reply traffic, or select Create New to upload a new key management
group in a pop-up window, without leaving the current page. For details,
see “Grouping keys into key management groups” on page 176.
This option appears only if XML reverse SIG is enabled.
XML reverse SIG XPATH Click the Edit icon and enter an XPath expression that matches XML
elements in reply traffic to which you want to apply XML signatures.
This option appears only if XML reverse SIG is enabled.
XML reverse ENC Enable to encrypt XML reply traffic. Also configure XML reverse ENC
key and XML reverse ENC XPATH.
For the XML encryption/decryption specification, see
http://www.w3.org/TR/xmlenc-core/.
XML reverse ENC key Select which key management group will be used for XML encryption of
reply traffic, or select Create New to upload a new key management
group in a pop-up window, without leaving the current page. For details,
see “Grouping keys into key management groups” on page 176.
This option appears only if XML reverse ENC is enabled.
XML reverse ENC XPATH Click the Edit icon and enter an XPath expression that matches XML
elements in reply traffic to which you want to apply XML encryption.
This option appears only if XML reverse ENC is enabled.
SQL Injection Prevention Enable to prevent SQL injection attacks by blocking requests that
contain SQL statements.
SQL Injection Prevention Action Select which action the FortiWeb unit will take if the connection
contains SQL statements.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log
message. For more information on logging and alerts, see
“Configuring and enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log
message. For more information on logging and alerts, see
“Configuring and enabling logging” on page 323.
This option appears only if SQL Injection Prevention is enabled.
Non-XML traffic Enable to accept HTTP requests that do not contain
Content-Type: text/xml in the HTTP header. This may be
required if the web service uses representational state transfer (REST)
instead of SOAP. Disable to reject non-XML HTTP requests.
Comments Enter a description for the XML protection profile.
4 Click OK.
To apply an XML protection profile, you must select it in a policy. For details, see
“Configuring server policies” on page 118.
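The options in the table interact, so here is an added Python example, written for this page rather than taken from FortiWeb or its documentation, that applies the Non-XML traffic, External Entity Attack Prevention, Schema Poisoning and WSDL Verify options (with the WSDL verify action) to constructed SOAP requests. The XmlProtectionProfile and Verdict classes, the allowed_operations set that stands in for an XML web service group, and the sample messages are all the example's own assumptions; the unit's internal logic is not shown on this page and may differ.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Raw-byte checks run before any XML parser sees the document, so a hostile
# DOCTYPE is never handed to an entity-expanding parser.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
SCHEMA_LOC_RE = re.compile(rb"(noNamespaceSchemaLocation|schemaLocation)\s*=\s*[\"']([^\"']*)[\"']",
                           re.IGNORECASE)
URL_RE = re.compile(rb"^(?:https?|ftp|file)://", re.IGNORECASE)


@dataclass
class XmlProtectionProfile:
    """The subset of the Table 75 options exercised here (hypothetical class)."""
    external_entity_attack_prevention: bool = True
    schema_poisoning: bool = True
    wsdl_verify: bool = True
    wsdl_verify_action: str = "Alert & Deny"   # Accept | Alert | Deny | Alert & Deny
    non_xml_traffic: bool = False
    # Stand-in for the XML web service group: enabled operations from the WSDL files.
    allowed_operations: frozenset = frozenset()


@dataclass
class Verdict:
    allowed: bool
    log: list = field(default_factory=list)


def external_schema_references(body):
    """Schema locations that point at a URL instead of an uploaded schema file."""
    refs = []
    for attr, value in SCHEMA_LOC_RE.findall(body):
        tokens = value.split()
        # xsi:schemaLocation holds (namespace, location) pairs; namespace URIs are
        # only identifiers, so just the locations are examined.
        single = attr.lower() == b"nonamespaceschemalocation" or len(tokens) == 1
        refs.extend(loc for loc in (tokens if single else tokens[1::2]) if URL_RE.match(loc))
    return refs


def soap_operation(body):
    """Local name of the first element inside the SOAP Body, or None."""
    soap_body = ET.fromstring(body).find("{%s}Body" % SOAP_ENV)
    if soap_body is None or len(soap_body) == 0:
        return None
    return soap_body[0].tag.split("}")[-1]


def inspect_request(profile, content_type, body):
    """Apply the profile to one request and return a Verdict."""
    if not content_type.lower().startswith("text/xml"):      # Non-XML traffic
        return Verdict(profile.non_xml_traffic, ["non-XML request"])
    # External Entity Attack Prevention: SOAP never needs a DTD, so any DOCTYPE
    # is refused, and one declaring SYSTEM/PUBLIC entities is logged as such.
    if profile.external_entity_attack_prevention and DOCTYPE_RE.search(body):
        what = "external entity" if EXTERNAL_ENTITY_RE.search(body) else "DOCTYPE"
        return Verdict(False, ["external entity attack prevention: %s refused" % what])
    # Schema Poisoning: schema references by URL are not permitted.
    refs = external_schema_references(body) if profile.schema_poisoning else []
    if refs:
        return Verdict(False, ["schema poisoning prevention: %s refused" % refs[0].decode()])
    try:
        operation = soap_operation(body)
    except ET.ParseError as exc:
        return Verdict(False, ["malformed XML: %s" % exc])
    # WSDL Verify: the operation must be one the web service group defines.
    if profile.wsdl_verify and operation not in profile.allowed_operations:
        action = profile.wsdl_verify_action
        log = ["WSDL verify failed: operation %r" % operation] if "Alert" in action else []
        return Verdict(action in ("Accept", "Alert"), log)
    return Verdict(True, [])


# Constructed sample messages, not captured traffic.
GOOD = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:q="http://example.test/quotes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://example.test/quotes quotes.xsd">
  <soapenv:Body><q:GetQuote><q:symbol>FTNT</q:symbol></q:GetQuote></soapenv:Body>
</soapenv:Envelope>"""
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><GetQuote><symbol>&xxe;</symbol></GetQuote></soapenv:Body></soapenv:Envelope>"""
POISONED = GOOD.replace(b"quotes.xsd", b"http://attacker.test/evil.xsd")
UNKNOWN_OP = GOOD.replace(b"GetQuote", b"DeleteAllQuotes")
PROFILE = XmlProtectionProfile(allowed_operations=frozenset({"GetQuote", "GetHistory"}))

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("xxe", XXE), ("poisoned", POISONED), ("unknown", UNKNOWN_OP)):
        verdict = inspect_request(PROFILE, "text/xml; charset=utf-8", msg)
        print(name, "ALLOW" if verdict.allowed else "DENY", verdict.log)
```

The raw-byte checks deliberately run before xml.etree parses anything: a parser that is allowed to resolve a DOCTYPE is exactly the component an external entity attack targets, so the document is refused before it reaches one. A legitimate xsi:schemaLocation whose location is a relative file name (as in GOOD) passes; only a location that would make the server fetch a schema over the network is refused, which is the schema poisoning case the Schema Poisoning row describes.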
Web protection
This chapter describes the Web Protection menu. It contains features that act upon HTTP
requests, HTTP headers, HTML documents, and cookies.
This chapter includes the following topics:
• Order of execution
• Responding to web protection rule violations
• Configuring HTTP parameter validation rules
• Configuring page access rules
• Configuring server protection rules
• Configuring start page rules
• Configuring URL access policy
• Configuring an IP list policy
• Configuring brute force login profiles
• Configuring robot control profiles
• Configuring allowed request method policy
• Configuring hidden field protection profiles
• Configuring URL rewriting policy
• Configuring HTTP protocol constraint profiles
• Configuring authentication policy
• Configuring file upload restriction policy
• Configuring inline protection profiles
• Configuring offline protection profiles
• Applying auto-learning profiles
• Configure one or more URL access rules followed by one or more URL access policies
for use in inline or offline protection profiles. See “Configuring URL access policy” on
page 216.
• Configure one or more server protection rules for use in inline or offline protection
profiles. See “Configuring server protection rules” on page 201.
• Configure one or more page access rules for use in an inline protection profile. See
“Configuring page access rules” on page 198.
• Configure one or more input rules followed by one or more parameter validation rules
for use in inline or offline protection profiles. See “Configuring HTTP parameter
validation rules” on page 192.
• Configure one or more hidden fields rules followed by one or more hidden fields
protection policies for use in inline or offline protection profiles. See “Configuring
hidden field protection profiles” on page 239.
• Configure one or more start page policies for use in an inline protection profile. See
“Configuring start page rules” on page 213.
• Configure one or more brute force login policies for use in an inline protection profile.
See “Configuring brute force login profiles” on page 224.
• Configure one or more robot control policies for use in inline or offline protection
profiles. See “Configuring robot control profiles” on page 227. Optionally, configure a
custom robot control to include in the policy. See “Configuring custom protection
groups” on page 209.
• Configure one or more IP list policies for use in inline or offline protection profiles. See
“Configuring an IP list policy” on page 220.
• Configure one or more URL rewriting rules followed by one or more URL rewriting
policies for use in an inline protection profile. See “Configuring URL rewriting policy” on
page 244.
• Configure one or more authentication rules followed by one or more authentication
policies for use in an inline protection profile. See “HTTP authentication policy
workflow” on page 259. Before you can create effective authentication rules, you must
first configure users and user groups. See “User creation workflow” on page 107.
• After you complete the applicable previous activities, configure one or more inline
protection profiles (see “Inline protection profile workflow” on page 268) or offline
protection profiles (see “Offline protection profile workflow” on page 274).
Order of execution
FortiWeb units perform each of the web protection profile scans and other actions in the
following sequence, from the top of the table towards the bottom. Disabled scans are
skipped.
Note: The blocking style varies by feature and configuration. For example, when detecting
cookie poisoning, instead of resetting the HTTP connection, you could log and remove the
offending cookie. For details, see each specific feature.
Scan/action Involves
Request from client to server
IP (client IP list policy) Source IP address of the client
Parameter validation rules are applied by selecting them within an inline or offline
protection profile. For details, see “Configuring inline protection profiles” on page 268 or
“Configuring offline protection profiles” on page 274.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: Before you can configure an effective parameter validation rule, you must configure
one or more input rules. See “Configuring parameter validation input rules” on page 194.
Table 78: Web Protection > Parameter Validation Rule > Parameter Validation Rule tab
3 In Name, type the name of the parameter validation rule.
This field cannot be modified if you are editing an existing parameter validation rule. To
modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.
7 Repeat the previous steps for each input rule that you want to add to the parameter
validation rule.
8 To modify an input rule, click its Edit icon. To remove a single input rule from the
parameter validation rule, click its Delete icon. To remove all input rules from the
parameter validation rule, click the Clear icon.
9 Click OK.
To apply the parameter validation rule, select it in an inline or offline protection profile.
For details, see “Configuring inline protection profiles” on page 268 or “Configuring
offline protection profiles” on page 274.
Attack log messages contain DETECT_PARAM_RULE_FAILED when this feature
detects a parameter rule violation.
Tip: If you do not want sensitive inputs such as passwords to appear in the attack logs’
packet payloads, you can obscure them. For details, see “Obscuring sensitive data in the
logs” on page 329.
For example, one web page might have multiple inputs: a user name, password, and a
preference for whether or not to remember the login. Within the input rule for that web
page, you could define separate rules for each parameter in the HTTP request: one rule
for the user name parameter, one rule for the password parameter, and one rule for the
preference parameter.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Table 79: Web Protection > Parameter Validation Rule > Input Rule tab
Before you configure an input rule, if you want to apply it only to HTTP requests for a
specific real or virtual host, you must first define the web host in a protected hosts group.
For details, see “Configuring protected servers” on page 147.
Action, Severity and Trigger Policy The Action, Severity and Trigger Policy drop-down menus allow you to
control what the FortiWeb unit will do when it detects a specific violation
such as an attack, suspicious request or other threat. Each violation can
be uniquely configured.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
Note: If a WAF Auto Learning Profile will be selected in the policy with
profiles that use this rule, you should select Alert. If the Action is Alert &
Deny, the FortiWeb unit will reset the connection when it detects an
attack, resulting in incomplete session information for the auto-learning
feature.
For information on Action, Severity and Trigger Policy settings, see
“Responding to web protection rule violations” on page 191.
5 Click OK.
6 Click Create New.
A dialog appears.
7 Configure the following:
Data Type Select a predefined data type. For information on data types, see “Viewing the
list of predefined data types” on page 152.
This option is only available when the Argument Type is Data Type.
Regular Expression Type a regular expression that matches all valid values, and no invalid values,
for this input.
To create and test a regular expression, click the >> (test) icon. This opens the
Regular Expression Validator window where you can fine-tune the expression.
This option is only available when the Argument Type is Regular Expression.
Custom Data Type Select a custom data type. For information on custom data types, see “Creating
custom data types” on page 156.
This option is only available when the Argument Type is Custom Data Type.
8 Repeat the previous steps for each individual rule that you want to add to the group of
input rules.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the
group of input rules, click its Delete icon. To remove all individual rules from the group
of input rules, click the Clear icon.
10 Click OK.
To apply the input rule, select it in a parameter validation rule. For details, see
“Configuring HTTP parameter validation rules” on page 192.
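To show what an input rule does once it is applied, here is an added Python example (example code written for this page, not FortiWeb's implementation) for the login page described earlier: one individual rule each for the user name, password and "remember me" parameters, using the Data Type, Custom Data Type and Regular Expression argument types, with the password obscured in the DETECT_PARAM_RULE_FAILED log line as the Tip on obscuring sensitive data suggests. The data-type patterns, the IndividualRule and InputRule classes and the two request bodies are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl

# Constructed stand-ins for a few predefined data types; the unit ships its own
# list and these patterns are the example's, not FortiWeb's.
PREDEFINED_DATA_TYPES = {
    "Integer": r"[+-]?\d+",
    "Alphanumeric": r"[A-Za-z0-9]+",
    "Email": r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}",
}
# A custom data type (page 156) is a named regular expression of your own.
CUSTOM_DATA_TYPES = {
    "Password": r"[\x21-\x7e]{8,64}",   # printable ASCII, 8 to 64 characters
}
BLOCKING_ACTIONS = {"Alert & Deny", "Redirect", "Send 403 Forbidden"}


@dataclass(frozen=True)
class IndividualRule:
    parameter: str
    argument_type: str   # "Data Type", "Regular Expression" or "Custom Data Type"
    value: str           # data type name, or the regular expression itself

    def matches(self, text):
        if self.argument_type == "Data Type":
            pattern = PREDEFINED_DATA_TYPES[self.value]
        elif self.argument_type == "Custom Data Type":
            pattern = CUSTOM_DATA_TYPES[self.value]
        else:
            pattern = self.value
        # fullmatch: the whole value must match, not merely contain a match
        return re.fullmatch("(?:%s)" % pattern, text) is not None


@dataclass(frozen=True)
class InputRule:
    url: str
    action: str                          # Alert, Alert & Deny, Redirect, Send 403 Forbidden
    rules: tuple
    sensitive: frozenset = frozenset()   # parameters obscured in the attack log


def apply_input_rule(input_rule, path, query="", form_body=""):
    """Validate one request against the input rule; returns (blocked, attack_log_lines)."""
    if path != input_rule.url:
        return False, []
    params = dict(parse_qsl(query, keep_blank_values=True))
    params.update(parse_qsl(form_body, keep_blank_values=True))
    log = []
    for rule in input_rule.rules:
        if rule.parameter not in params or rule.matches(params[rule.parameter]):
            continue
        # Sensitive values are replaced before the payload reaches the log.
        shown = "******" if rule.parameter in input_rule.sensitive else params[rule.parameter]
        log.append("DETECT_PARAM_RULE_FAILED url=%s param=%s value=%r"
                   % (path, rule.parameter, shown))
    return bool(log) and input_rule.action in BLOCKING_ACTIONS, log


# The login page from the text: user name, password and a "remember me" flag.
LOGIN_RULE = InputRule(
    url="/login.php",
    action="Alert & Deny",
    rules=(
        IndividualRule("username", "Data Type", "Alphanumeric"),
        IndividualRule("password", "Custom Data Type", "Password"),
        IndividualRule("remember", "Regular Expression", r"[01]"),
    ),
    sensitive=frozenset({"password"}),
)

# Constructed request bodies: a normal login and a SQL-injection attempt.
GOOD_LOGIN = "username=alice&password=Sup3rSecret%21&remember=1"
BAD_LOGIN = "username=alice%27+OR+1%3D1--&password=x&remember=yes"

if __name__ == "__main__":
    for body in (GOOD_LOGIN, BAD_LOGIN):
        print(apply_input_rule(LOGIN_RULE, "/login.php", form_body=body))
```

Note the difference between Alert and the blocking actions: with Alert the same three log lines are produced but the request still reaches the server, which is the setting the Note above recommends while an auto-learning profile is collecting sessions.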
Use SNMP traps to notify you when a page access rule has been enforced. For details,
see “Configuring an SNMP community” on page 68.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Table 80: Web Protection > Page Access Rule > Page Access Rule tab
5 Click OK.
6 Click Create New.
A dialog appears.
8 Repeat the previous steps for each individual rule that you want to add to the page
access rule.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the
page access rule, click its Delete icon. To remove all individual rules from the page
access rule, click the Clear icon.
10 Click OK.
To apply the page access rule, select it in an inline protection profile. For details, see
“Configuring inline protection profiles” on page 268.
Note: In order for page access rules to be enforced, you must also enable “Session
Management” on page 271 in the inline protection profile.
Table 81: Web Protection > Server Protection Rule > Server Protection Rule tab
Before you configure a server protection rule, if you want to apply any exceptions, you
must first define the server protection exception. For details, see “Configuring server
protection exceptions” on page 207.
Tip: Alternatively, you can automatically configure a server protection rule that detects all
attack types by generating a default auto-learning profile. For details, see “Generating an
auto-learning profile and its components” on page 281.
Alternatively, click the Clone icon to create a new entry based on a predefined entry. In
this case, a dialog appears with just the Name field.
Tip: A blue pointer in front of an attack type means there are additional attack subtypes
associated with the main attack type. You must enable the main attack type in order to
select the subtypes. Once the main attack type is enabled, click the pointer to expand the
attack subtype list. You can then enable or disable individual attack subtypes, or select
All/None to enable or disable all subtypes associated with the main attack type. Disabling
the main attack type automatically disables all associated attack subtypes.
Cross-Site Scripting Enable to prevent cross-site scripting (XSS) attacks. Once enabled,
you can expand the list to see the individual subtypes associated
with this main type of attack, such as CSRF (cross-site request
forgery).
Attack log messages contain DETECT_XSS_ATTACK when this
feature detects a possible cross-site scripting attack.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.
SQL Injection Enable to prevent SQL injection attacks. Once enabled, you can
expand the list to see the individual subtypes associated with this
main type of attack, such as blind SQL injection.
Attack log messages contain DETECT_SQL_INJECTION when this
feature detects a possible SQL injection attack.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.
Common Exploits Enable to prevent common exploits. Once enabled, you can expand
the list to select individual subtypes of this type of attack, such as an
injection attack in a language other than SQL.
Attack log messages contain Common Exploits and the subtype
(for example, Common Exploits: Command Injection) when
this feature detects a possible common exploit attack.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.
Information Disclosure Enable to detect server errors and other sensitive messages in the
requested document and HTTP headers. Once enabled, you can
expand the list to select individual subtypes of this type of attack,
such as enabling CF Information Leakage (Adobe ColdFusion server
information).
Error messages, HTTP headers such as
Server: Microsoft-IIS/6.0, and other messages could inform
attackers of the vendor, product, and version numbers of software
running on your web servers, thereby advertising their specific
vulnerabilities.
Sensitive information is predefined according to fixed signatures.
Attack log messages contain DETECT RESPONSE INFORMATION
DISCLOSURE when this feature detects sensitive information.
The following actions are available for this type of attack:
• Alert
• Alert & Erase
Note: This option is not fully supported in offline protection mode.
Only an alert and/or log message can be generated; sensitive
information will not be blocked or erased.
• Redirect
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.
Note: Because this feature can potentially require the FortiWeb unit
to rewrite the header and body of every response from a server, it
can result in a performance decrease. To minimize impact, Fortinet
recommends enabling this feature only to identify information
disclosure through logging, until you can reconfigure the server to
omit such sensitive information.
Note: Some attackers use 4XX HTTP status codes to determine
information about a site (whether a page exists, has login failures,
and so on). Normally, the FortiWeb unit raises attack logs for this
type of attack, but too many 4xx HTTP status events may obfuscate
other information disclosure logs. You can turn off these types of logs
by disabling the HTTP Return Code 4XX option.
Note: Some attackers use 5XX HTTP status codes to determine
information about the HTTP server (Not Implemented, Service
Unavailable, and so on). Normally, the FortiWeb unit raises attack
logs for this type of attack, but too many 5XX HTTP status events
may obfuscate other information disclosure logs. You can turn off
these types of logs by disabling the HTTP Return Code 5XX option.
Remote File Inclusion Enable to prevent remote file inclusion. Once enabled, you can
expand the list to enable or disable detection of individual remote file
inclusion signatures.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.
Custom Protection Group Select a custom protection group to use, if any. For details, see
“Configuring custom protection groups” on page 209.
Note: If you want to view the information associated with the custom
protection group used by this server protection rule, select the Detail
link beside the Custom Protection Group list. A read-only version of
the Edit Custom Protection Group window opens.
Credit Card Detection Enable to detect credit card numbers in the response from the
server. Also configure Credit Card Detection Threshold.
Credit card numbers being sent from the server to the client could
constitute a violation of PCI DSS. In most cases, the client should
only receive mostly-obscured versions of their credit card number, if
they require it to confirm which card was used. This prevents
bystanders from viewing the number, but also reduces the number of
times that the actual credit card number could be observed by
network attackers. For example, a web page might confirm a
transaction by displaying a credit card number as:
XXXX XXXX XXXX 1234
This mostly-obscured version protects the credit card number from
unnecessary exposure and disclosure. It would not trigger the credit
card number detection feature.
However, if a web application does not obscure displays of credit
card numbers, or if an attacker has found a way to bypass the
application’s protection mechanisms and gain a list of customers’
credit card numbers, a web page might contain a list with many credit
card numbers in clear text. Such a web page would be considered a
data leak, and trigger credit card number disclosure detection.
Attack log messages contain DETECT RESPONSE INFORMATION
disclosure: credit card leakage when this feature detects
credit card number disclosure.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Alert & Erase
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.
Credit Card Detection Threshold Enter 0 to report any credit card number disclosure, or enter
a threshold: the web page must then contain a number of credit card
numbers that equals or exceeds the threshold in order to trigger credit
card number detection.
For example, to ignore web pages with only one credit card number,
but to detect when a web page contains two or more, enter 2.
Extended Signature Set Select the level of additional attack definitions you want to check
against, or select Disable to check only the default set. The extended
set of attack definitions contains more attack definitions on top of the
default set of attack definitions.
You can select checking against:
• Basic: a basic set of signatures
• Enhanced: an enhanced set of signatures, which also includes
the basic set
• Full: a full set of signatures, which also includes the basic set and
enhanced set
You can also disable checking against extended signature sets.
While the Full signature set can detect more attacks, it might also
cause false positives. Select a lower level of checking to reduce false
positives.
For information on Action, Severity and Trigger Action settings, see
“Responding to web protection rule violations” on page 191.
Exception Name Select which server protection exception to use, if any.
Note: If you want to view the information associated with the
Exception used by this server protection rule, select the Detail link
beside the Exception Name list. A read-only version of the Edit
Server Protection Exception window opens.
4 Click OK.
To apply the server protection rule, select it in an inline protection profile or an offline
protection profile. For details, see “Configuring inline protection profiles” on page 268
or “Configuring offline protection profiles” on page 274.
Table 82: Web Protection > Server Protection Rule > Server Protection Exception tab
3 In Name, type the name of the server protection exception.
This field cannot be modified if you are editing an existing server protection exception.
To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
A dialog appears.
Tip: A pointer in front of an attack type means there are additional attack subtypes
associated with the main attack type. You must enable the main attack type in order to
select the subtypes. Once the main attack type is enabled, click the pointer to expand the
attack subtype list. You can then enable or disable individual attack subtypes, or select
All/None to enable or disable all subtypes associated with the main attack type. Disabling
the main attack type automatically disables all associated attack subtypes.
Host Status: Enable to require that the Host: field of the HTTP request match
a protected hosts entry in order to match the server protection
exception. Also configure Host.
Type: Select whether URL Pattern is a Simple String (that is, a literal URL)
or a Regular Expression.
URL Pattern: Depending on your selection in Type, type either:
• the literal URL, such as /causes-false-positives.php,
that the HTTP request must contain in order to match the server
protection exception. The URL must begin with a slash ( / ).
• a regular expression, such as ^/.*.php, matching all and only
the URLs to which the server protection exception should apply.
The pattern is not required to begin with a slash ( / ). However, it
must at least match URLs that begin with a slash, such as
/bbcode.cfm.
Do not include the name of the web host, such as
www.example.com, which is configured separately in the Host
drop-down list.
To create and test a regular expression, click the >> (test) icon. This
opens the Regular Expression Validator window where you can fine-
tune the expression.
Note: For each of the attack types, select the blue arrow to expand
the entry and select or clear the individual rules contained in the
entry.
Cross-Site Scripting: Enable to omit detection of cross-site scripting (XSS) attacks, then
disable individual attack subclasses that you do not want to omit, if
any.
SQL Injection: Enable to omit detection of SQL injection attacks, then disable
individual attack subclasses that you do not want to omit, if any.
Common Exploits: Enable to omit detection of common exploits, such as an injection
attack in a language other than SQL, then disable individual attack
subclasses that you do not want to omit, if any.
Information Disclosure: Enable to omit detection of server errors and other sensitive
messages in the requested document and HTTP headers, then
disable individual information subclasses that you do not want to
omit, if any, from the Information Disclosure drop-down list.
Remote File Inclusion: Enable to omit detection of remote file inclusion, then disable
individual remote file inclusion signatures that you do not want to
omit, if any.
Credit Card Detection: Enable to omit detection of credit card numbers in the response from
the server.
6 Repeat the previous steps for each entry that you want to add to the server protection
exception.
7 To create exception rules from individual attack log entries, open the detail view for the
log entry, and click New Protection Exception. Select the name of an existing
protection exception to add the rule to. For more information on viewing attack log
details, see “Viewing log messages” on page 331.
8 To modify a server protection exception, click its Edit icon. To remove a single entry
from the exception, click its Delete icon. To remove all entries from the exception, click
the Clear icon.
9 Click OK.
To apply the server protection exception, select it in a server protection rule. For
details, see “Configuring server protection rules” on page 201.
Custom protection groups enable you to assemble individual custom protection rules into
groups.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Table 83: Web Protection > Server Protection Rule > Custom Protection Group tab
Tip: Before you can configure a custom protection group, you must first configure one or
more custom protection rules. For details, see “Configuring custom protection rules” on
page 211.
8 Click OK.
To apply the custom protection group, select it in a server protection rule. For details,
see “Configuring server protection rules” on page 201.
Table 84: Web Protection > Server Protection Rule > Custom Protection Rule tab
Expression: Enter the string of text that defines the type of data the rule will
check.
To create and test a regular expression, click the >> (test) icon. This
opens the Regular Expression Validator window where you can fine-
tune the expression.
Action, Severity and Trigger Policy: The Action, Severity and Trigger Policy drop-down menus allow you
to control what the FortiWeb unit will do when it detects a specific
violation such as an attack, suspicious request or other threat. Each
violation can be uniquely configured.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden (only if Type is Signature Creation)
• Alert & Erase (only if Type is Data Leakage)
Note: If a WAF Auto Learning Profile will be selected in the policy
with profiles that use this rule, you should select Alert. If the Action is
Alert & Deny, the FortiWeb unit will reset the connection when it
detects an attack, resulting in incomplete session information for the
auto-learning feature.
For information on Action, Severity and Trigger Policy settings, see
“Responding to web protection rule violations” on page 191.
5 Click OK.
6 Repeat this procedure for each individual rule that you want to add to a custom
protection group.
To apply the custom protection rule, select it in a custom protection group. For details,
see “Configuring custom protection groups” on page 209.
Table 85: Web Protection > Start Pages > Start Pages tab
4 Configure the following:
5 Click OK.
8 Repeat the previous steps for each start page that you want to add to the group of start
pages.
9 To modify a start page, click its Edit icon. To remove a single start page from the group
of start pages, click its Delete icon. To remove all start pages from the group of start
pages, click the Clear icon.
10 Click OK.
To apply the group of start pages, select it in an inline protection profile. For details, see
“Configuring inline protection profiles” on page 268.
Note: In order for start pages to be enforced, you must also enable “Session Management”
on page 271 in the inline protection profile.
Note: URL access rules are evaluated after some other rules. For details, see “Order of
execution” on page 190.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: Before you can configure an effective URL access policy, you must configure one or
more URL access rules. See “Configuring URL access rules” on page 218.
Table 86: Web Protection > URL Access Policy> URL Access Policy tab
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
3 In Name, type the name of the policy.
This field cannot be modified if you are editing an existing URL access policy. To
modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.
7 Click OK.
8 Repeat the previous two steps for each individual rule that you want to add to the URL
access policy.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the
URL access policy, click its Delete icon. To remove all rules from the URL access
policy, click the Clear icon.
10 Click OK.
To apply the URL access policy, select it in an inline or offline protection profile. For
details, see “Configuring inline protection profiles” on page 268 or “Configuring offline
protection profiles” on page 274.
Caution: IP trust policy rules only block initial requests from a client. They will not block
server-side redirects. For more information, see “Configuring an IP list policy” on page 220.
Note: URL access rules are evaluated after some other rules. For details, see “Order of
execution” on page 190.
Use SNMP traps to notify you when a URL access rule is enforced. For details, see
“Configuring an SNMP community” on page 68.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Table 87: Web Protection > URL Access Policy> URL Access Rule tab
Before you configure a URL access rule, if you want to apply it only to HTTP requests for
a specific real or virtual host, you must first define the web host in a protected hosts group.
For details, see “Configuring protected servers” on page 147.
4 Configure the following:
5 Click OK.
8 Click OK.
9 Repeat the previous steps for each individual condition that you want to add to the URL
access rule.
10 Click OK.
To apply the URL access rule, select it in a URL access policy. For details, see
“Configuring URL access policy” on page 216.
Attack log messages contain DETECT_URLACCESS_PAGE when this feature detects a
suspicious HTTP request.
• Black IPs are source IP addresses for which you explicitly disallow and block access to
your web servers because they have failed web protection policy scans.
If a source IP address is not explicitly blacklisted in an IP list policy and it does not appear
on the IP Blacklist TOP10 tab (see “Viewing the top 10 IP blacklist candidates” on
page 223), the source IP has access to your web servers, pending additional web
protection scan techniques.
If a source IP address is explicitly designated as a trusted IP (that is, the IP address is
trusted by FortiWeb), that IP can connect to your web servers and is exempt from many of
the restrictions that would otherwise be applied by the web protection profile used by a
server policy.
For more information on the protection techniques performed by FortiWeb, and the scans
performed based on the IP address, see “Order of execution” on page 190.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Table 88: Web Protection > IP List > IP List Policy tab
Table 89: Web Protection > IP List > IP Blacklist TOP 10 tab
Table 90: Web Protection > Brute Force Login > Brute Force Login tab
Before you configure a brute force login attack profile, if you want to apply it only to HTTP
requests for a specific real or virtual host, you must first define the web host in a protected
hosts group. For details, see “Configuring protected servers” on page 147.
5 Click OK.
8 Click OK.
9 Repeat the two previous steps for each individual login page that you want to add to
the brute force login attack profile.
10 To modify a login page, click its Edit icon. To remove a single login page from the group
of login pages, click its Delete icon. To remove all login pages from the group of login
pages, click the Clear icon.
11 Click OK.
To apply the brute force login attack profile, select it in an inline protection profile. For
details, see “Configuring inline protection profiles” on page 268.
Attack log messages contain DETECT_BRUTE_FORCE_LOGIN when this feature
detects a brute force login attack.
Table 91: Web Protection > Robot Control > Robot Control tab
Before you configure a robot control profile, you must first create robot groups, which can
then be applied to the robot control profile. Robot groups are used by the profile to identify
the specific robots that are allowed access to your web servers without being rate
controlled or subject to parameter validation rules, server protection rules, or bad robot
detection. For details, see “Configuring predefined robot groups” on page 230 and
“Configuring custom robot groups” on page 232.
Note: Alternatively, you can automatically configure a robot control profile that allows all
predefined search engine types by generating a default auto-learning profile. For details,
see “Generating an auto-learning profile and its components” on page 281.
Allow Custom Robot: Select a group of custom robots, if any, that will be exempt from the rate limit of
this robot control profile. For details about creating custom robot groups, see
“Configuring custom robot groups” on page 232. The FortiWeb unit will omit any
subsequent intrusion detection features, including parameter validation rules,
server protection rules, or bad robot detection.
Note: If you want to view the information associated with the custom robot
group, select the Detail link beside the Allow Custom Robot list. A read-only
version of the Edit Custom Robot Group window opens.
Attack log messages contain messages such as DETECT_ALLOW_ROBOT:
Custom-Robot-1 (where Custom-Robot-1 is the name that you configured
for the robot’s signature) when this feature detects an allowed custom robot. For
details, see “Event Log Console widget” on page 48 or “Viewing log messages”
on page 331.
Malicious Robot Prevention
Standalone IP Access Limit: Type the rate limit in number of requests per second for source IP addresses
that are single clients. Request rates exceeding the threshold will cause the
FortiWeb unit to block additional requests for the length of the time set in the
Block Period field.
To disable the rate limit, type 0.
Share IP Access Limit: Type the rate limit in number of requests per second for source IP addresses
that are shared by multiple clients behind a network address translation (NAT)
device such as a firewall or router. Request rates exceeding the threshold will
cause the FortiWeb unit to block additional requests for the length of the time set
in the Block Period field.
To disable the rate limit, type 0.
Note: Blocking a shared source IP address could block innocent clients that
share the same source IP address with an offending client. In addition, the rate
is a total rate for all clients that use the same source IP address. For these
reasons, you should usually enter a greater value for this field than for
Standalone IP Access Limit.
Block Period: Type the length of time for which the FortiWeb unit will block additional requests
after a source IP address exceeds its rate threshold.
5 Click OK.
To apply the robot control profile, select it in an inline or offline protection profile. For
details, see “Configuring inline protection profiles” on page 268 or “Configuring offline
protection profiles” on page 274.
Attack log messages contain DETECT_MALICIOUS_ROBOT when this feature detects a
misbehaving robot or any other HTTP client that exceeds the rate limit.
Table 92: Web Protection > Robot Control > Robot Group tab
3 In Name, type the name of the robot group.
This field cannot be modified if you are editing an existing robot group. To modify the
name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
7 Click OK.
8 Repeat the previous steps for each robot that you want to add to the robot group.
9 To modify a robot, click its Edit icon. To remove a single robot from the robot group,
click its Delete icon. To remove all robots from the robot group, click the Clear icon.
10 Click OK.
To use a robot group, you must select it in a robot control profile. For details, see
“Configuring robot control profiles” on page 227.
Table 93: Web Protection > Robot Control > Custom Robot tab
3 In Name, type the name of the custom robot signature set.
This field cannot be modified if you are editing an existing custom robot. To modify the
name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.
Robot Expression: Type a regular expression that matches all and only the User-Agent: fields in
the HTTP header known to be produced by the custom robot.
For example, if a custom robot is either:
• User-Agent: happy-spider
• User-Agent: happy-spider2.0
but not User-Agent: baiduspider, you would write a regular expression to
match the first two cases, but that would not match the third.
To create and test a regular expression, click the >> (test) icon. This opens the
Regular Expression Validator window where you can fine-tune the expression.
7 Click OK.
8 Repeat the previous steps for each custom robot signature that you want to add to the
custom robot group. Only one group may be selected per robot control profile, so you
may want to include multiple custom robot signatures in this group.
9 To modify a custom robot signature, click its Edit icon. To remove a single signature
from the group, click its Delete icon. To remove all signatures from the group, click the
Clear icon.
10 Click OK.
To use a custom robot group, you must select it in a robot control profile. For details,
see “Configuring robot control profiles” on page 227.
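The Robot Expression above and the Malicious Robot Prevention fields (Standalone IP Access Limit, Share IP Access Limit, Block Period) together, as added example code that is not FortiWeb's own logic: a custom robot group's regex exempts matching User-Agent: values from the rate limit, every other client is counted per source IP against the standalone or shared limit, and a source that exceeds its limit is blocked for the block period. The one-second counting window, the log message wording, the robot names and the set of shared addresses are assumptions.

```python
import re
from collections import deque

# Constructed custom robot group following the page's example: the expression
# accepts "happy-spider" and "happy-spider2.0" but not "baiduspider".
CUSTOM_ROBOT_GROUP = {
    "Custom-Robot-1": re.compile(r"^happy-spider(\d+(\.\d+)*)?$"),
}

def match_custom_robot(user_agent: str):
    """Return the name of the custom robot whose Robot Expression matches, or None."""
    for name, expression in CUSTOM_ROBOT_GROUP.items():
        if expression.match(user_agent):
            return name
    return None

class RobotControl:
    """Malicious Robot Prevention: per-source-IP request rate limit with a block period.

    The request rate is measured here as the number of requests in the trailing
    one-second window (a simplification; the page does not state the algorithm).
    How the unit decides that an address is shared is not described on the page
    either, so shared addresses are a constructed set passed in by the caller.
    """

    def __init__(self, standalone_limit, shared_limit, block_period, shared_ips=()):
        self.standalone_limit = standalone_limit   # requests per second; 0 disables
        self.shared_limit = shared_limit           # requests per second; 0 disables
        self.block_period = block_period           # seconds
        self.shared_ips = set(shared_ips)
        self.windows = {}                          # ip -> deque of request times
        self.blocked_until = {}                    # ip -> time the block expires

    def handle(self, ip: str, user_agent: str, now: float):
        """Return (decision, attack log message or None) for one request."""
        robot = match_custom_robot(user_agent)
        if robot is not None:
            # Allowed custom robots are exempt from the rate limit (Allow Custom Robot).
            return ("allow", f"DETECT_ALLOW_ROBOT: {robot}")
        if now < self.blocked_until.get(ip, 0.0):
            return ("block", None)                 # still inside the block period
        limit = self.shared_limit if ip in self.shared_ips else self.standalone_limit
        if limit == 0:
            return ("allow", None)                 # rate limit disabled for this kind of IP
        window = self.windows.setdefault(ip, deque())
        window.append(now)
        while window and window[0] <= now - 1.0:
            window.popleft()                       # drop requests older than one second
        if len(window) > limit:
            self.blocked_until[ip] = now + self.block_period
            window.clear()
            return ("block", "DETECT_MALICIOUS_ROBOT")
        return ("allow", None)
```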
The pattern contains a regular expression that the FortiWeb unit uses to compare the
User-Agent: field in the HTTP header in order to determine whether or not the HTTP
client is a well-known, legitimate robot. Legitimate robots, such as search engine indexers,
should be included in a robot group and applied to a robot control profile to prevent attack
detection.
You apply predefined robots indirectly by first forming groups of robots, then selecting
those groups in a robot control profile. For details, see “Configuring predefined robot
groups” on page 230.
Table 94: Web Protection > Allow Request Method > Allow Method Policy tab
To include method exceptions, create them first. For more information, see “Configuring
allowed method exceptions” on page 237.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
5 Click OK.
To apply the allow method policy, select it in an inline or offline protection profile. For
details, see “Configuring inline protection profiles” on page 268 or “Configuring offline
protection profiles” on page 274.
Table 95: Web Protection > Allow Request Method > Allow Method Exceptions tab
Before you configure an allowed method exception, if you want to apply it only to HTTP
requests for a specific real or virtual host, you must first define the web host in a protected
hosts group. For details, see “Configuring protected servers” on page 147.
3 In Name, type the name of the allowed method exception.
This field cannot be modified if you are editing an existing allowed method exception.
To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.
Table 96: Web Protection > Hidden Fields Protection > Hidden Fields Protection tab
6 Select the name of a hidden field rule that you want to apply to the hidden fields
protection profile from the Hidden Fields Rule drop-down list.
To view the information associated with a hidden fields rule, select the Detail link. A
read-only version appears.
7 Click OK.
8 Repeat the previous steps for each individual rule that you want to add to the hidden
field profile.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the
hidden field profile, click its Delete icon. To remove all individual rules from the hidden
field profile, click the Clear icon.
10 Click OK.
To apply the hidden field group, select it in an inline protection profile. For details, see
“Configuring inline protection profiles” on page 268.
Note: In order for hidden field groups to be enforced, you must also enable “Session
Management” in the inline protection profile.
Table 97: Web Protection > Hidden Fields Protection > Hidden Fields Rule tab
Before you configure a hidden field rule, if you want to apply it only to HTTP requests for a
specific real or virtual host, you must first define the web host in a protected hosts group.
For details, see “Configuring protected servers” on page 147.
Request URL: Type the exact URL that contains the hidden form for which you want to create a
hidden field rule.
The URL must begin with a slash ( / ). Do not include the web host name, such
as www.example.com. It is configured separately in the Host drop-down list.
Action, Severity and Trigger Policy: The Action, Severity and Trigger Policy drop-down menus allow
you to control what the FortiWeb unit will do when it detects a specific violation
such as an attack, suspicious request or other threat. Each violation can be
uniquely configured.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Policy settings, see
“Responding to web protection rule violations” on page 191.
Note: If a WAF Auto Learning Profile will be selected in the policy with profiles
that use this rule, you should select Alert. If the Action is Alert & Deny, the
FortiWeb unit will reset the connection when it detects an attack, resulting in
incomplete session information for the auto-learning feature.
5 Click OK.
6 Click Fetch URL, and then enter the following information in the pop-up dialog that
appears:
• The pop-up dialog also includes a Fetch URL button. Click it to retrieve the web
page you specified in Request URL. Another pop-up dialog appears, displaying a list
of hidden inputs that the FortiWeb unit found in that web page, and the URLs to
which those hidden inputs will be posted when a client submits the form.
Note: In addition to new items, select the check boxes of any previously configured items
that you want to keep in the hidden field rule. If you do not, they will be deleted.
Caution: When configuring URL rewriting policy, check to see whether there are any HTTP
conversion policies in use that might conflict with the URL rewriting policy. If conflicts occur,
the URL rewriting policy takes priority over the HTTP conversion policy. See “Configuring
HTTP conversion policy” on page 141.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: To create an effective URL rewriting policy, you must first configure one or more URL
rewriting rules. See “Configuring URL rewriting rules” on page 246.
Table 98: Web Protection > URL Rewriting Policy > URL Rewriting tab
Before you can configure a URL rewriting policy, you must first configure the URL rewriting
rules that you want to include in the policy. For details, see “Configuring URL rewriting
rules” on page 246.
3 In Name, enter the name of the URL rewriting group.
This field cannot be modified if you are editing an existing URL rewriting group. To
modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.
7 Click OK.
8 Repeat the previous steps for each individual rule that you want to add to the URL
rewriting policy.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the
URL rewriting policy, click its Delete icon. To remove all individual rules from the URL
rewriting policy, click the Clear icon.
10 Click OK.
To apply the URL rewriting policy, select it in an inline protection profile. For details, see
“Configuring inline protection profiles” on page 268.
Note: URL rewrites are applicable when the FortiWeb unit operates in reverse proxy mode
and true transparent proxy mode without HTTPS.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Table 99: Web Protection > URL Rewriting Policy > URL Rewriting Rule tab
URL
This is the replacement value for the URL field.
Type the string, such as /catalog/item1, that will replace the
request URL.
Do not include the name of the web host, such as www.example.com,
nor the protocol.
Like Host, this field supports back references such as $0 to the parts of
the original request that matched any capture groups that you entered
in Regular Expression for each object in the condition table.
For an example, see “URL rewriting examples” on page 250.
Referer
This is the replacement value for the Referer: field.
Select the referer URL that will be used when rewriting the Referer:
field in the HTTP header.
This option is available only if Action is Rewrite HTTP Header.
7 Click OK.
8 Click Create New.
A dialog appears.
10 Click OK.
11 Repeat the previous steps for each condition that you want to add to the URL rewriting
rule.
12 To modify an individual condition, click its Edit icon. To remove an individual condition
from the URL rewriting rule, click its Delete icon. To remove all individual conditions
from the URL rewriting rule, click the Clear icon.
13 Click OK.
To apply the URL rewrite rule, you must first add it to a URL Rewriting Policy. For
details, see “Configuring URL rewriting policy” on page 244.
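The URL field's back references, shown as added example code rather than FortiWeb's own rewrite engine: each condition's Regular Expression is matched against its object (URL or Host), the capture groups are collected in table order, and `$N` in the replacement URL is expanded from them. The rule, host names and paths are constructed, and the numbering (`$0` for the first capture group) is an assumption drawn from the page's wording; verify it against the product's own URL rewriting examples.

```python
import re

# Constructed URL rewriting rule in the shape of the page's condition table and URL
# field. Assumption: $0 refers to the first capture group, $1 to the next, counting
# across the conditions in table order; the page names $0 as a back reference to a
# capture group but does not spell out the numbering.
RULE = {
    "conditions": [
        {"object": "URL", "regex": r"^/catalog/item(\d+)\.php$"},
        {"object": "Host", "regex": r"^(www\.)?example\.com$"},
    ],
    "url": "/catalog/item$0",      # no host name and no protocol, as the page requires
}

def expand_references(template: str, groups: list) -> str:
    """Replace each $N in the replacement URL with the Nth captured part."""
    def substitute(match):
        index = int(match.group(1))
        return groups[index] if index < len(groups) else ""
    return re.sub(r"\$(\d)", substitute, template)

def rewrite_url(rule: dict, host: str, path: str) -> str:
    """Apply one rule to a request; the path is returned unchanged if any condition fails."""
    groups = []
    for condition in rule["conditions"]:
        subject = host if condition["object"] == "Host" else path
        match = re.match(condition["regex"], subject)
        if match is None:
            return path
        groups.extend(group or "" for group in match.groups())
    return expand_references(rule["url"], groups)
```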
Table 101: Example URL rewrite using regular expressions and variables
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Table 102: Web Protection > HTTP Protocol Constraints > HTTP Protocol Constraints tab
Header Line Length: Displays the maximum acceptable length in bytes of each line in the HTTP
header.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the
entry is currently selected for use in an inline or offline protection profile.
Click the Edit icon to modify the entry.
Click the View icon to view the predefined entry.
Click the Clone icon to create a new entry based on a predefined protocol
constraint.
Note: Enter 0 for any numerical parameter to disable that parameter check.
5 Click OK.
To apply the HTTP protocol constraint profile, select it in an inline or offline protection
profile. For details, see “Configuring inline protection profiles” on page 268 or
“Configuring offline protection profiles” on page 274.
For example, if no exceptions are defined, FortiWeb executes the HTTP protocol
constraint policy as defined in “Configuring HTTP protocol constraint profiles” on
page 252. But, if you select Header Length Check as a HTTP protocol constraint
exception for a specific host, FortiWeb would ignore the HTTP header length check when
executing the web protection profile for that host.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Table 103: Web Protection > HTTP Protocol Constraints > HTTP Constraint Exception tab
URL Pattern: Depending on your selection in the Request Type field, enter either:
• the literal URL, such as /index.php, that the HTTP request must
contain in order to match the input rule. The URL must begin with a
slash ( / ).
• a regular expression, such as ^/*.php, matching all and only the
URLs to which the input rule should apply. The pattern is not
required to begin with a slash ( / ). However, it must at least match
URLs that begin with a slash, such as /index.cfm.
Do not include the name of the web host, such as
www.example.com, which is configured separately in the Host drop-
down list.
To create and test a regular expression, click the >> (test) icon. This
opens the Regular Expression Validator window where you can fine-
tune the expression.
Header Length: Type the maximum acceptable length in bytes of the HTTP header.
Content Length: Type the maximum acceptable length in bytes of the request body.
Length is determined by comparing this limit with the value of the
Content-Length: field in the HTTP header.
Body Length: Type the maximum acceptable length in bytes of the HTTP body.
Parameter Length: Type the maximum acceptable length in bytes of parameters in the
URL or, for HTTP POST requests, HTTP body. Question mark ( ? ),
ampersand ( & ), and equal ( = ) characters are not included.
Header Line Length: Type the maximum acceptable length in bytes of each line in the
HTTP header.
HTTP Request Length: Type the maximum acceptable length in bytes of the HTTP request.
URL Parameter Length: Type the maximum acceptable length of a URL parameter (including
the name and value).
Number of Cookies In Request: Type the maximum acceptable number of cookies in an HTTP
request.
Number of Header Lines In Request: Type the maximum acceptable number of lines in the HTTP
header.
Illegal HTTP Request Method: Enable to check for illegal HTTP version numbers.
Number of URL Parameters: Type the maximum number of URL parameters.
Illegal Host Name: Enable to check for illegal characters in the Host: line of the HTTP
header, such as NULL characters or encoded characters. For
example, characters such as "0x0" or "%00*" are considered illegal.
7 Click OK.
To apply the HTTP protocol constraint exception, select it in the HTTP Protocol
Constraint profile. For details, see “Configuring HTTP protocol constraint profiles” on
page 252.
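The constraint fields above and the URL Pattern matching used by exceptions (the same Simple String or Regular Expression choice as in the server protection exception table), as added example code rather than FortiWeb's own checks: it parses a raw HTTP request, measures each constrained value, skips the checks that an exception waives for matching URLs, and returns the violated constraint names. The limits, the exception entry and the sample requests are constructed; the exception reuses the page's own `^/.*.php` pattern.

```python
import re
from urllib.parse import urlsplit

# Constructed HTTP protocol constraint profile; field names follow the page's table
# and, as the page's note states, 0 disables a numeric check.
PROFILE = {
    "Header Length": 512, "Content Length": 256, "Body Length": 256,
    "Parameter Length": 128, "Header Line Length": 128, "HTTP Request Length": 1024,
    "URL Parameter Length": 32, "Number of Cookies In Request": 3,
    "Number of Header Lines In Request": 10, "Number of URL Parameters": 4,
    "Illegal Host Name": True,
}

# Constructed exception entry in the shape of the page's exception table: the URL
# Pattern is the page's own regex example, and matching requests skip the Header
# Length check (the page's Header Length Check example).
EXCEPTIONS = [
    {"type": "Regular Expression", "pattern": r"^/.*.php", "skip": {"Header Length"}},
]

def url_matches(pattern_type: str, pattern: str, path: str) -> bool:
    """Simple String is an exact literal URL; Regular Expression is anchored at the start."""
    if pattern_type == "Simple String":
        return path == pattern
    return re.match(pattern, path) is not None

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into the pieces the constraints measure."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers, cookies = {}, 0
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        name, value = name.strip().lower(), value.strip()
        headers.setdefault(name, []).append(value)
        if name == "cookie":
            cookies += sum(1 for c in value.split(";") if c.strip())
    query = urlsplit(target).query
    params = [p for p in query.split("&") if p]
    if method == "POST":                # form-encoded body parameters count too
        params += [p for p in body.decode("latin-1").split("&") if p]
    return {"path": urlsplit(target).path, "headers": headers, "cookies": cookies,
            "header_bytes": len(head), "body_bytes": len(body), "total_bytes": len(raw),
            "line_lengths": [len(line) for line in lines], "header_lines": len(lines) - 1,
            "url_params": [p for p in query.split("&") if p], "params": params}

def measure(req: dict) -> dict:
    """Compute, for each constraint, the value compared with its limit."""
    host = req["headers"].get("host", [""])[0]
    pairs = [p.partition("=") for p in req["params"]]
    return {
        "Header Length": req["header_bytes"],
        "Content Length": int(req["headers"].get("content-length", ["0"])[0]),
        "Body Length": req["body_bytes"],
        # ?, & and = are not counted, per the page's Parameter Length description
        "Parameter Length": sum(len(n) + len(v) for n, _, v in pairs),
        "Header Line Length": max(req["line_lengths"]),
        "HTTP Request Length": req["total_bytes"],
        "URL Parameter Length": max([len(p) for p in req["url_params"]] or [0]),
        "Number of Cookies In Request": req["cookies"],
        "Number of Header Lines In Request": req["header_lines"],
        "Number of URL Parameters": len(req["url_params"]),
        # NUL bytes, the %00 encoding, or anything outside printable ASCII
        "Illegal Host Name": re.search(r"\x00|%00|[^\x21-\x7e]", host) is not None,
    }

def check_request(raw: bytes, profile=PROFILE, exceptions=EXCEPTIONS) -> list:
    """Return the names of the constraints the request violates after exceptions."""
    req = parse_request(raw)
    skipped = set()
    for exception in exceptions:
        if url_matches(exception["type"], exception["pattern"], req["path"]):
            skipped |= exception["skip"]
    values, violations = measure(req), []
    for name, limit in profile.items():
        if name in skipped or not limit:      # 0 (or a cleared check box) disables it
            continue
        if values[name] is True or (limit is not True and values[name] > limit):
            violations.append(name)
    return violations

# Constructed sample requests.
SAMPLE_TOO_MANY_COOKIES = (b"GET /index.php?id=7&lang=en HTTP/1.1\r\nHost: www.example.com\r\n"
                           b"Cookie: a=1; b=2; c=3; d=4\r\n\r\n")
SAMPLE_BAD_HOST = b"GET /login HTTP/1.1\r\nHost: www.example.com%00\r\n\r\n"
SAMPLE_LONG_LINE = (b"GET /report.php HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Cookie: session=" + b"x" * 600 + b"\r\n\r\n")
```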
Note: Authentication applies when the FortiWeb unit operates in reverse proxy mode or
true transparent proxy mode without HTTPS.
• If the client’s initial request does not already include an Authorization: field in its
HTTP header, the FortiWeb unit replies with an HTTP 401 (Authorization Required)
response. The response includes a WWW-Authenticate: field in the HTTP header
that indicates which style of authentication to use (basic, digest, or NTLM) and the
name of the realm (usually the name, such as “Restricted Area”, of a set of URLs that
can be accessed using the same set of credentials).
The browser then prompts its user to enter a user name and password. (The prompt
may include the name of the realm, in order to indicate to the user which login is valid.)
The browser includes these in the Authorization: field of the HTTP header when
repeating its request.
• Valid user name formats vary by the authentication server. For example:
• For a local user, enter a user name in the format username.
• For LDAP authentication, enter a user name in the format required by the
directory’s schema.
• For NTLM authentication, enter a user name in the format DOMAIN/username.
• The FortiWeb unit compares the supplied credentials to:
• the locally defined set of user accounts
• a set of user objects on a lightweight directory access protocol (LDAP) directory
• user accounts on an NT LAN Manager (NTLM) server
• If the client authenticates successfully, the FortiWeb unit forwards the original request
to the server. If the client does not authenticate successfully, the FortiWeb unit repeats
its HTTP 401 response to the client, asking again for valid credentials.
• Once the client has authenticated with the FortiWeb unit, if the server applies no other
restrictions and the resource is found, it returns the requested resource to the client.
• If the client’s browser is configured to do so, it can cache the realm along with the
supplied credentials, automatically re-supplying the user name and password for each
request with a matching realm. This provides convenience to the user. Otherwise, the
user would have to re-enter their user name and password for every request.
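The exchange described above, written out in Python as an added example (not FortiWeb code): the proxy side issues the 401 challenge and verifies credentials against a local account store, the browser side reads the realm and repeats the request with an Authorization: field. Only the basic style is shown; the realm, accounts and helper names are constructed for illustration.

```python
"""HTTP Basic authentication challenge/response (added example, not FortiWeb code)."""
import base64
import hashlib
import hmac
import os

REALM = "Restricted Area"          # constructed realm name


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed "locally defined set of user accounts": salted PBKDF2 hashes only.
_SALT = os.urandom(16)
LOCAL_USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}


def proxy_handle(request_headers: dict) -> tuple[int, dict]:
    """Proxy side. Returns (status, response headers); 200 means the original
    request would now be forwarded to the real server."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = request_headers.get("Authorization")
    if auth is None:
        return 401, challenge                  # no credentials yet: challenge
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return 401, challenge
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401, challenge
    user, _, password = decoded.partition(":")
    entry = LOCAL_USERS.get(user)
    if entry is None:
        return 401, challenge                  # repeat the 401, asking again
    salt, stored = entry
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, challenge
    return 200, {}


def realm_of(challenge_headers: dict) -> str:
    """The realm name a browser shows in its prompt."""
    params = challenge_headers["WWW-Authenticate"].split(" ", 1)[1]
    for param in params.split(","):
        key, _, value = param.strip().partition("=")
        if key.lower() == "realm":
            return value.strip('"')
    return ""


def browser_retry(challenge_headers: dict, user: str, password: str) -> dict:
    """Browser side: build the Authorization: field for the repeated request."""
    scheme = challenge_headers["WWW-Authenticate"].split(" ", 1)[0]
    if scheme.lower() != "basic":
        raise ValueError(f"unsupported scheme {scheme}")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def decoded_credentials(request_headers: dict) -> str:
    """What anyone reading a clear-text connection recovers from the Authorization:
    field: base64 is an encoding, not encryption, hence the SSL/TLS caution."""
    token = request_headers["Authorization"].split(" ", 1)[1]
    return base64.b64decode(token).decode("utf-8")


def exchange(user: str, password: str) -> list[int]:
    """Run the full exchange and return the proxy's status codes in order."""
    status, headers = proxy_handle({})
    statuses = [status]
    if status == 401:
        status, _ = proxy_handle(browser_retry(headers, user, password))
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(exchange("alice", "correct horse"), exchange("alice", "wrong"))
```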
Caution: Advise users to clear their cache and close their browser after an authenticated
session to ensure that no one else can access the web site using their credentials.
Browsers often cache credentials until manually cleared, or until cleared automatically by
closing a browser tab or window. This is because the HTTP protocol itself is essentially
stateless: without a web application that has its own notion of sessions, it relies only on
these cached credentials, and there is no other way to log out.
Caution: HTTP authentication is not secure. All user names and data (and, depending on
the authentication style, passwords) are sent in clear text. If you require encryption and
other security features in addition to authorization, use HTTP authentication with SSL/TLS.
Tip: Alternatively or in addition to HTTP authentication, with SSL connections, you can
require that clients present a valid personal certificate. For details, see “Certificate
Verification” on page 127.
Table 104: Web Protection > Authentication Policy > Authentication Policy tab
Tip: Before you can configure an authentication policy, you must first configure the
authentication rules that you want to include in the policy. For details, see “Configuring
authentication rules” on page 261.
4 Configure the following:
5 Click OK.
6 Click Create New.
A dialog appears.
8 Click OK.
9 Repeat the previous steps for each individual rule that you want to add to the
authentication policy.
10 To modify an individual rule, click its Edit icon. To remove an individual rule from the
authentication policy, click its Delete icon. To remove all individual rules from the
authentication policy, click the Clear icon.
11 Click OK.
To apply the authentication policy, select it in an inline protection profile. For details,
see “Configuring inline protection profiles” on page 268.
If you want to apply rules only to HTTP requests for a specific real or virtual host, you must
first define the web host in a protected hosts group. For details, see “Configuring protected
servers” on page 147.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Table 105: Web Protection > Authentication Policy > Authentication Rule tab
3 In Name, type the name of the authentication rule.
This field cannot be modified if you are editing an existing entry. To modify the name,
delete the entry, then recreate it using the new name.
4 If you want to require the Host: field of the HTTP request to match a protected hosts
entry in order to match the HTTP authentication rule, enable Host Status, then, from
Host, select which protected hosts entry (either a web host name or IP address) the
Host: field of the HTTP request must match.
5 Click OK.
6 Click Create New.
A dialog appears.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Table 106: Web Protection > File Upload Restriction > File Upload Restriction Policy tab
5 Click OK.
6 Click Create New.
A dialog appears.
ID: Displays the index number of the rule associated with the policy.
File Upload Restriction Rule: Select an existing file upload restriction rule that you want to use in the policy.
If you are unsure what specific file types are allowed by the rule, select the Detail link next to the rule name.
8 Click OK.
The new file upload restriction rules appear in the list.
9 Repeat the previous steps for each rule that you want to add to the file upload
restriction policy.
10 To modify an individual rule, click its Edit icon. To remove an individual rule from the
group of rules, click its Delete icon. To remove all individual rules from the group of
rules, click the Clear icon.
11 Click OK.
To apply the file upload restriction policy, select it in an inline or offline protection
profile. For details, see “Configuring inline protection profiles” on page 268.
Detection and restriction are performed by scanning HTTP PUT and POST requests
submitted to your web servers.
For example, if you want to allow only specific types of files to be uploaded to a host or a
URL called /fileuploads (for example, MP3 audio files, PDF text files and GIF and JPG
picture files), you can create a file upload restriction policy that contains rules that define
only those specific file types. When FortiWeb receives an HTTP PUT or POST request for
the host or /fileuploads URL, it scans the HTTP request and allows only the specified file
types to be uploaded. FortiWeb will block file uploads for any HTTP request that contains
a file type other than those specified in the upload restriction policy.
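The /fileuploads scenario above as an added Python example (not FortiWeb code): a PUT or POST to the restricted URL is allowed only if every uploaded file is one of the listed types. Judging each part by its leading bytes as well as its file name extension is this example's own assumption, not a documented FortiWeb behaviour; the request body is constructed for illustration.

```python
"""File upload restriction for /fileuploads (added example, not FortiWeb code)."""
import re

RESTRICTED_URL = "/fileuploads"
# Allowed types for the constructed policy: extension -> accepted leading bytes.
ALLOWED_TYPES = {
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    "pdf": (b"%PDF-",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}
FILENAME_RE = re.compile(rb'filename="([^"]*)"')
BOUNDARY_RE = re.compile(r'boundary=("?)([^";]+)\1')


def iter_file_parts(content_type: str, body: bytes):
    """Yield (filename, file_bytes) for each file part of a multipart/form-data body."""
    m = BOUNDARY_RE.search(content_type)
    if not m:
        return
    delimiter = b"--" + m.group(2).encode("latin-1")
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):
            break                                   # closing delimiter reached
        head, sep, data = part.partition(b"\r\n\r\n")
        if not sep:
            continue
        fn = FILENAME_RE.search(head)
        if fn is None:
            continue                                # ordinary form field, not a file
        if data.endswith(b"\r\n"):
            data = data[:-2]                        # CRLF preceding the next delimiter
        yield fn.group(1).decode("latin-1"), data


def check_upload(method: str, url: str, content_type: str,
                 body: bytes) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Only PUT and POST requests to the restricted
    URL are scanned; one reason is recorded per offending file."""
    if method not in ("PUT", "POST") or not url.startswith(RESTRICTED_URL):
        return True, []
    if content_type.startswith("multipart/form-data"):
        parts = list(iter_file_parts(content_type, body))
    else:
        # A raw PUT carries one file whose name is the last path segment.
        parts = [(url.rsplit("/", 1)[-1], body)]
    reasons = []
    for filename, data in parts:
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        signatures = ALLOWED_TYPES.get(ext)
        if signatures is None:
            reasons.append(f"{filename}: extension .{ext or '(none)'} is not allowed")
        elif not data.startswith(signatures):
            reasons.append(f"{filename}: content does not match a .{ext} signature")
    return not reasons, reasons


# Constructed sample body for the stand-alone run and the checks below.
BOUNDARY = "----ExampleBoundary7MA4YWxkTrZu0gW"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"


def build_body(files: list[tuple[str, bytes]]) -> bytes:
    """Construct a multipart/form-data body from (filename, bytes) pairs."""
    out = bytearray()
    for name, data in files:
        out += (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="file"; '
                f'filename="{name}"\r\nContent-Type: application/octet-stream'
                f'\r\n\r\n').encode("latin-1")
        out += data + b"\r\n"
    out += f"--{BOUNDARY}--\r\n".encode("latin-1")
    return bytes(out)


if __name__ == "__main__":
    body = build_body([("report.pdf", b"%PDF-1.4 sample"), ("tool.exe", b"MZ sample")])
    print(check_upload("POST", "/fileuploads", CONTENT_TYPE, body))
```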
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Table 107: Web Protection > File Upload Restriction > File Upload Restriction Rule tab
A dialog appears.
5 Click OK.
6 Click Add File Types.
A dialog appears.
8 Click OK.
The selected file types appear in the list at the bottom of the rule window.
9 Click OK.
To add the file upload restriction rule to a policy, select it in a file upload restriction
policy. The policies are then used by web protection policies to detect and restrict
specific file uploads based on the specified file types and host or URL. For more
information, see “Configuring file upload restriction policy” on page 263.
• a brute force login attack profile (see “Configuring brute force login profiles” on
page 224)
• a robot control profile (see “Configuring robot control profiles” on page 227)
• an IP list policy (see “Configuring an IP list policy” on page 220)
• a URL rewriting rule (see “Configuring URL rewriting rules” on page 246)
• an HTTP authentication policy (see “Configuring authentication policy” on page 257)
• lastly, select the inline protection policy in a server policy
Note: Inline web protection profiles can be configured at any time, but can be selected in a
policy only while the FortiWeb unit is operating in a mode that supports them. For details,
see Table 45, “Policy behavior by operation mode,” on page 119.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Tip: To increase the scope of an inline protection rule, first configure the policies and rules
used by the inline rule. See “Web protection profile workflow” on page 189.
Table 108: Web Protection > Web Protection Profile > Inline Protection Profile tab
Cookie Poison Action: Displays the action that the FortiWeb unit will take when cookie poisoning is detected.
• Alert: Accept the connection and generate an alert and/or log message.
• Alert & Deny: Block the connection and generate an alert and/or log message.
• Remove Cookie: Accept the connection, but remove the poisoned cookie from the datagram, preventing it from reaching the web server, and generate an alert and/or log message.
For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
Server Protection Rule: Displays the name of the server protection rule that will be applied to matching HTTP requests. For details on server protection rules, see “Configuring server protection rules” on page 201.
Page Access Rule: Displays the name of the page access rule that will be applied to matching HTTP requests. For details on page access rules, see “Configuring page access rules” on page 198.
Parameter Validation Rule: Displays the name of the parameter validation rule that will be applied to matching HTTP requests. For details on parameter validation rules, see “Configuring HTTP parameter validation rules” on page 192.
Start Pages: Displays the name of the start pages that HTTP requests must use in order to initiate a valid session. For details on start pages, see “Configuring start page rules” on page 213.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy.
Click the Edit icon to modify the entry.
Click the View icon to view a predefined entry.
Click the Clone icon to create a new entry based on a predefined entry. You can clone global protection profiles as well as custom protection profiles.
Tip: Click Detail beside any field to open a dialog that lets you view and modify the
associated policy.
4 Click OK.
If you will use this offline protection profile in conjunction with an auto-learning profile in
order to indicate which attacks and other aspects should be discovered, also configure
the auto-learning profile. For details, see “Applying auto-learning profiles” on page 278.
To apply the inline protection profile, select it in a server policy. For details, see
“Configuring server policies” on page 118.
• a server protection rule (see “Configuring server protection rules” on page 201)
• a parameter validation rule (see “Configuring HTTP parameter validation rules” on
page 192)
• a robot control profile (see “Configuring robot control profiles” on page 227)
• an IP list policy (see “Configuring an IP list policy” on page 220)
• lastly, select the offline protection policy in a server policy
Note: Offline web protection profiles can be configured at any time, but can only be
selected in a policy while the FortiWeb unit is operating in an offline mode. For details, see
Table 45, “Policy behavior by operation mode,” on page 119.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Protection Configuration
category. For details, see “About permissions” on page 80.
Table 109: Web Protection > Web Protection Profile > Offline Protection Profile tab
Parameter Validation Rule: Displays the name of the parameter validation rule that will be applied to matching HTTP requests. For details on parameter validation rules, see “Configuring HTTP parameter validation rules” on page 192.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy.
Click the Edit icon to modify the entry.
Click the View icon to view a predefined entry.
Click the Clone icon to create a new entry based on a predefined entry. You can clone global protection profiles as well as custom protection profiles.
IP List Policy: Select the name of an IP list policy, if any, that will be applied to matching HTTP requests.
Enable AMF3 Protocol Detection: Enable to scan requests that use action message format 3.0 (AMF3) for:
• cross-site scripting (XSS) attacks
• SQL injection attacks
• common exploits
if you have enabled those in your selected server protection rule.
AMF3 is a binary format that can be used by Adobe Flash clients to send input to server-side software.
Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. If it is disabled, the FortiWeb unit cannot scan AMF3 requests for attacks.
Tip: Click Detail beside any field to open a dialog that lets you view and modify the policy.
4 Click OK.
If you will use this offline protection profile in conjunction with an auto-learning profile in
order to indicate which attacks and other aspects should be discovered, also configure
the auto-learning profile. For details, see “Applying auto-learning profiles” on page 278.
To apply the offline protection profile, select it in a policy. For details, see “Configuring
server policies” on page 118.
• one or more URL replacers and a custom application policy (see “Custom application
workflow” on page 160)
• lastly, select the auto-learning profile in a server policy
Table 110: Web Protection > Web Protection Profile > Auto Learning Profile tab
Note: Alternatively, you could generate a default auto-learning profile and its required
components, and then modify them. For details, see “Generating an auto-learning profile
and its components” on page 281.
1 Go to Web Protection > Web Protection Profile > Auto Learning Profile.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
Alternatively, click the Clone icon to create an entry populated with settings from a
predefined profile. In this case, a dialog opens with just the Name field.
Application Policy: Select an existing application policy from the drop-down list. For details, see “Configuring custom application policies” on page 160.
4 Click OK.
To apply the auto-learning profile, select it in a policy with an inline or offline protection
profile. For details, see “Configuring server policies” on page 118.
Note: Use auto-learning profiles with offline protection profiles whose Action is Alert.
If Action is Alert & Deny, the FortiWeb unit will reset the connection, preventing the
auto-learning feature from gathering complete data on the session.
Once the policy has begun to match connections and accumulate data, you can view
the current statistics any time by displaying the auto-learning report. For details, see
“Viewing auto-learning reports” on page 282.
Auto learn
This chapter describes the Auto Learn menu and explains how to generate a default
auto-learning profile and its required components, and how to use reports generated from
auto-learning.
Auto-learning gathers information about the URLs and other characteristics of HTTP
sessions that the FortiWeb unit frequently sees passing to your real servers. It tracks your
web servers’ response to each request, such as 401 Unauthorized or
500 Internal Server Error, to learn about whether the request is legitimate or a
potential attack attempt. It then generates reports based upon this information. By learning
about your typical traffic, the FortiWeb unit can help you to quickly make profiles designed
specifically for your unique HTTP traffic.
This chapter includes the following topics:
• Generating an auto-learning profile and its components
• Viewing auto-learning reports
• Generating a profile from auto-learning data
Note: Auto-learning reports require that your web browser have the Adobe Flash Player
plug-in.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Autolearn Configuration category.
For details, see “About permissions” on page 80.
Table 111: Auto Learn > Auto Learn Report > Auto Learn Report tab
Screenshot of the Auto Learn Report tab, with callouts for the navigation pane (auto-learning profile, host, common part of URL, requested file, expansion icons, click to collapse this pane) and the display pane.
To show only specific nodes in the URL tree and hide the rest, select which attributes that
a node or its subnode must satisfy in order to be included.
For example, to include only parts of the URL tree pertaining to HTTP POST requests to
Java server pages (JSP files), you would enter .jsp in the Search field under URL and
enable POST under HTTP Method.
In the navigation pane, to view statistics for a subset of sessions with specific hosts and
their URLs, click the expand icon ( + ) next to an item to expand it, then click the name of
the subitem whose statistics you want to view. Depending on the level in the navigation
tree, an item may be either an auto-learning profile observing multiple hosts, a single host,
a common part of a path contained in multiple URLs, or a single requested file. This
enables you to view:
• statistics specific to each requested URL
• totals for a group of URLs with a common path
• totals for all requested URLs on the host
• totals for all requests on all hosts observed by the auto-learning profile
Note: If URL rewriting is configured, the tree’s URL is the one requested by the client, not
the one to which it was rewritten before passing to the server.
The report display pane contains several feature buttons above the report.
• Click Refresh in the right-hand pane to update the display with current statistics.
• Click Generate Config in the right-hand pane to generate a web protection policy from
the auto-learn profile.
For information on editing the auto-learn profile before generating a new web
protection policy, see “Generating a profile from auto-learning data” on page 289.
• Click Generate PDF in the right-hand pane to get a PDF copy of the report.
A pop-up dialog appears. Enter a name for the PDF and click OK.
Overview tab
The Overview tab provides a statistical summary for all sessions established with the host
during the use of the auto-learning profile, or since its auto-learning data was last cleared,
whichever is shorter.
Under Item in the table, the Hits Count link opens the Visits tab. The Attack Count link
opens the Attacks tab.
The Overview tab includes several buttons that can edit the generated report. (Also see
“Generating a profile from auto-learning data” on page 289.)
• The Edit Allow Method button appears only when you select a profile in the navigation
pane. It opens a pop-up dialog where you can select which HTTP request methods to
allow in the generated profile. Select the Off or On options in the Status drop-down list.
• The Edit Protected Servers button appears only when you select the auto-learn profile
in the navigation pane. It opens a dialog where you can select or deselect IP
addresses and/or domain names that will be members of the generated protected
servers group.
• The Edit URL Page button appears only when you select a URL in the navigation pane.
It opens a dialog where you can specify that the currently selected URL will be included
in start pages and IP list rules in the generated profile. You can also select an action to
take if there is a rule violation. The choices are:
• Alert & Deny: Block the connection and generate an alert and/or log message.
• Continue: Allow the request, applying any subsequent rules defined in the web
protection profile.
• Pass: Allow the request. Similar to alert but does not generate an alert and/or log
message.
Attacks tab
The Attacks tab provides statistics in both tabular and graphical format on sessions that
contained one of the types of attacks that the web profile selected in the associated policy
was configured to detect.
Sometimes, auto-learning reports may contain fewer attacks than you see in the FortiWeb
unit’s attack logs. For details, see “About the attack count” on page 289.
The inclusion of the Action and Enable columns varies with the level of the item selected
in the navigation pane.
Use the Enable drop-down lists to turn auto-learning on or off for a specific attack type.
The default is on.
Use the Action drop-down lists to change how the FortiWeb unit reacts to a specific
attack type. The choices are:
• Alert: Accept the connection and generate an alert and/or log message.
• Alert & Deny: Block the connection and generate an alert and/or log message.
• Send 403 Forbidden: Reply with an HTTP 403 (Access Forbidden) error message and
generate an alert and/or log message.
• Redirect: Redirect the request to the URL that you specify in the protection profile and
generate an alert and/or log message.
Visits tab
The Visits tab provides statistics in both tabular and graphical format on the HTTP request
methods used.
When you select an auto-learning profile in the navigation pane, this tab includes a set of
bar charts that give statistics about the most used and least used URLs, plus suspicious
URLs.
When you select a host IP in the navigation pane, the report includes a set of tables that
give statistics on HTTP return codes in the 400 and 500 series.
The Visits tab includes several buttons that can edit the generated report. (Also see
“Generating a profile from auto-learning data” on page 289.)
• The Edit Allow Method button appears only when you select a profile in the navigation
pane. It opens a pop-up dialog where you can select which HTTP request methods to
allow in the generated profile. Select the Off or On options in the Status drop-down list.
• The Edit URL Access button appears only when you select a profile in the navigation
pane. It opens a pop-up dialog where you can choose the start pages related to a
protected server.
• The Edit Start Page button appears only when you select a profile in the navigation
pane. It opens a pop-up dialog where you can choose the URL access rules related to
a protected server.
• The Edit Exception Method button appears when you select a URL in the navigation
pane. It opens a pop-up dialog where you can select which HTTP request methods to
treat as exceptions for that URL. Select the Off or On options in the Status drop-down
list.
Parameters tab
The Parameters tab provides tabular statistics on the parameters and their values as they
appeared in HTTP requests, as well as applicable URL replacements.
This tab appears only for items that are leaf nodes in the navigation tree; that is, they
represent a single complete URL as it appeared in a real HTTP request, and therefore
could have had those exact associated parameters.
Percentages in the TypeMatch and Required columns indicate how likely the parameter
with that name is of that exact data type, and whether or not the web application requires
that input for that URL. The MinLen and MaxLen columns indicate the likely valid range of
length for that input’s value. Together the columns provide information on what is likely the
correct configuration of a profile for that URL.
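How statistics of the kind shown on the Parameters tab can be derived from observed requests, as an added Python example (not FortiWeb code and not its type catalogue): for each URL and parameter it reports the best-fitting data type with its match share (TypeMatch), how often the parameter was present (Required), and the observed length range (MinLen, MaxLen). The data types, the 80% threshold and the sample requests are constructed for illustration.

```python
"""Parameter profile inference from observed requests (added example, not FortiWeb code)."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed data types, most specific first. A type is accepted when at least
# TYPE_MATCH_THRESHOLD of the observed values fit it; "string" always fits.
TYPES = [
    ("integer", re.compile(r"^-?\d+$")),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("alphanumeric", re.compile(r"^[A-Za-z0-9]+$")),
    ("string", re.compile(r"^.*$", re.S)),
]
TYPE_MATCH_THRESHOLD = 0.8


def profile_parameters(requests: list[str]) -> dict[str, dict[str, dict]]:
    """requests: request targets such as '/login?user=bob&pin=1234'.
    Returns {url_path: {param: {type, type_match, required, min_len, max_len}}},
    with type_match and required as whole percentages."""
    requests_per_path = defaultdict(int)
    values = defaultdict(lambda: defaultdict(list))     # path -> param -> values
    for target in requests:
        split = urlsplit(target)
        requests_per_path[split.path] += 1
        present = {}
        for name, value in parse_qsl(split.query, keep_blank_values=True):
            present.setdefault(name, value)    # count a parameter once per request
        for name, value in present.items():
            values[split.path][name].append(value)

    report = {}
    for path, params in values.items():
        report[path] = {}
        for name, vals in params.items():
            for type_name, rx in TYPES:
                share = sum(1 for v in vals if rx.match(v)) / len(vals)
                if share >= TYPE_MATCH_THRESHOLD:
                    break                      # first (most specific) acceptable type
            lengths = [len(v) for v in vals]
            report[path][name] = {
                "type": type_name,
                "type_match": round(100 * share),
                "required": round(100 * len(vals) / requests_per_path[path]),
                "min_len": min(lengths),
                "max_len": max(lengths),
            }
    return report


# Constructed sample of observed request targets.
SAMPLE_REQUESTS = [
    "/login?user=alice&pin=1234",
    "/login?user=bob&pin=98765",
    "/login?user=carol&pin=4321&remember=1",
    "/login?user=dave&pin=0000",
    "/login?user=erin&pin=12a4",       # one value that does not fit the integer type
    "/login?user=frank&pin=777",
    "/search?q=fortiweb",
]

if __name__ == "__main__":
    for path, params in profile_parameters(SAMPLE_REQUESTS).items():
        for name, stats in params.items():
            print(path, name, stats)
```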
Cookies tab
The Cookies tab provides tabular statistics on the name, value, expiry date, and path of
each cookie crumb that appeared in HTTP requests. This tab appears only for hosts that
use cookies.
This tab does not appear at the policy level of the navigation tree.
3 In the left-hand pane, if you want to adjust the actions that will appear in the generated
profile for the subset of sessions handled for specific web hosts and their URLs, click
the expand icon ( + ) next to an item to expand the item, then click the name of the
subitem whose actions you want to affect.
Statistics and charts appear on the right-hand pane. The content of the report and the
available buttons vary depending on the selected node in the navigation tree.
If a tab contains multiple pages of results, click the arrows at the bottom of the tab,
such as next > and << first, to move forward or backwards through the pages of
results.
4 For most selected items in the left-hand navigation pane, the report provides buttons
and drop-down lists to help you configure a profile for generation. Select the following
as applicable:
Table 112: Auto Learn report features
Edit URL Page: Click to open a pop-up dialog. Enable or disable whether the currently selected URL will be included in start pages and IP list rules in the generated profile. This appears only if you have selected a URL in the navigation pane.
For more information on those rule types, see “Configuring start page rules” on page 213, “Configuring URL access policy” on page 216 and “Configuring URL access rules” on page 218.
Attacks
Action and Enable: Select from the Enable drop-down list to enable or disable detection of each type of attack, and select from Action which action the generated profile will take. The availability of these lists varies with the level of the item selected in the navigation pane.
For details, see “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274.
Visits
Edit Allow Method: Click to open a pop-up dialog. Change the Status option to select which HTTP request methods to allow in the generated profile. This appears only if you have selected a profile in the navigation pane.
For details, see “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274.
Edit URL Access: Click to open a pop-up dialog. This appears only if you have selected a profile in the navigation pane.
For details, see “Configuring URL access policy” on page 216.
Edit Start Page: Click to open a pop-up dialog. This appears only if you have selected a profile in the navigation pane.
For details, see “Configuring start page rules” on page 213.
Edit Exception Method: Click to open a pop-up dialog. This appears only if you have selected a URL in the navigation pane.
For details, see “Configuring allowed method exceptions” on page 237.
Parameters
Set: Type the data type and maximum length of the parameter, and indicate whether or not the parameter is required input. These settings will appear in the generated parameter validation rule and input rules. For details, see “Configuring parameter validation input rules” on page 194 and “Configuring HTTP parameter validation rules” on page 192.
5 In the right-hand pane, click Generate Config. The following pop-up dialog appears:
7 From Profile Type, select which type of web profile you want to generate, either Inline
(to generate an inline protection profile) or Offline (to generate an offline protection
profile).
8 Click OK.
The generated profile appears in the list of either inline or offline protection profiles,
depending on its type. Adjust it if necessary. For details, see “Configuring inline protection
profiles” on page 268 or “Configuring offline protection profiles” on page 274.
Note: You may also need to adjust configuration items used by the generated profile, such
as input rules. The generated configuration items will be based upon auto-learning data
current at the time that the profile is generated, which may have changed while you were
reviewing the auto-learning report.
If you do not configure any settings, by default, the FortiWeb unit will generate a profile
that allows the HTTP GET method and any other methods whose usage exceeded the
threshold, and will add the remaining methods to an allowed method exception. It will also
create start page rules and trust IP rules for the top 10 most commonly requested URLs,
and create black IP rules for the top 10 most commonly requested suspicious URLs.
To apply the generated profile, select it in a policy. For details, see “Configuring server
policies” on page 118.
If you are done collecting auto-learning data, for performance reasons, you may also want
to deselect the auto-learning profile in all policies.
Web anti-defacement
This chapter describes the Web Anti-Defacement menu, which configures the FortiWeb
unit to monitor web sites for defacement attacks and to fix attack damage.
This chapter includes:
• Configuring anti-defacement
• Reverting a web site to a backup revision
Configuring anti-defacement
Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-Defacement displays
the list of web sites for which you have configured anti-defacement protection.
Anti-defacement monitors a web site’s files for any changes at specified time intervals. If it
detects a change that could indicate a defacement attack, the FortiWeb unit can notify you
and quickly react by automatically restoring the web site contents to the previous backup
revision.
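The monitor-and-restore cycle described above, as an added Python example run against a local folder (not FortiWeb code): a baseline snapshot stands for the backup revision, one monitoring pass reports changed, added and removed files, and the restore step puts the revision back. Maximum Depth of Monitored Folders, Skip Files Larger Than, Skip Files With These Extensions and Restore Changed Files Automatically are modelled as parameters named after the settings in the configuration table below; the web site content is constructed in a temporary directory and no FTP, SSH or Windows Share transport is implemented.

```python
"""Anti-defacement monitor and restore over a local folder (added example, not FortiWeb code)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def snapshot(root: Path, max_depth: int, skip_larger_kb: int,
             skip_exts: set[str]) -> dict[str, bytes]:
    """Return {relative_path: sha256} for every file that is monitored."""
    digests = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if len(rel.parts) - 1 > max_depth:          # deeper than Maximum Depth of Monitored Folders
            continue
        if path.suffix.lstrip(".").lower() in skip_exts:   # Skip Files With These Extensions
            continue
        if path.stat().st_size > skip_larger_kb * 1024:    # Skip Files Larger Than
            continue
        digests[rel.as_posix()] = hashlib.sha256(path.read_bytes()).digest()
    return digests


def backup(root: Path, monitored: dict[str, bytes], revision: Path) -> None:
    """Store a backup revision: copy every monitored file into the revision folder."""
    for rel in monitored:
        target = revision / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(root / rel, target)


def monitor(root: Path, revision: Path, baseline: dict[str, bytes], max_depth: int,
            skip_larger_kb: int, skip_exts: set[str], restore_automatically: bool) -> dict:
    """One monitoring pass: compare the live site with the latest backup and report
    differences. With restore_automatically, revert the site to the revision."""
    current = snapshot(root, max_depth, skip_larger_kb, skip_exts)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    if restore_automatically:
        for rel in changed + removed:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(revision / rel, root / rel)
        for rel in added:
            (root / rel).unlink()
    return {"changed": changed, "added": added, "removed": removed}


def demo(restore_automatically: bool = True) -> dict:
    """Build a constructed site, take the first revision, alter it, run one pass."""
    with tempfile.TemporaryDirectory() as tmp:
        root, revision = Path(tmp, "public_html"), Path(tmp, "revision1")
        (root / "img").mkdir(parents=True)
        (root / "a/b/c").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "img/logo.gif").write_bytes(b"GIF89a")
        (root / "promo.avi").write_bytes(b"\x00" * 64)           # skipped: extension
        (root / "big.bin").write_bytes(b"\x00" * (70 * 1024))    # skipped: size
        (root / "a/b/c/deep.html").write_text("too deep")         # skipped: depth
        settings = dict(max_depth=2, skip_larger_kb=64, skip_exts={"iso", "avi"})
        baseline = snapshot(root, **settings)
        backup(root, baseline, revision)
        # Simulated defacement: one file altered, one dropped in, one deleted.
        (root / "index.html").write_text("<h1>Defaced</h1>")
        (root / "extra.php").write_text("unexpected file")
        (root / "img/logo.gif").unlink()
        result = monitor(root, revision, baseline,
                         restore_automatically=restore_automatically, **settings)
        result["monitored"] = sorted(baseline)
        result["restored"] = snapshot(root, **settings) == baseline
        return result


if __name__ == "__main__":
    print(demo())
```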
Caution: When you intentionally modify the web site, you must disable the Enable Monitor
and Restore Changed Files Automatically options; otherwise, the FortiWeb unit sees your
changes as a defacement attempt and undoes them.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Web Anti-Defacement Management
category. For details, see “About permissions” on page 80.
Table 113: Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-Defacement tab
Connected: Indicates the connection results of the FortiWeb unit’s most recent attempt to connect to the web site’s server.
• Green check mark icon: The connection was successful.
• Red X mark icon: The FortiWeb unit was unable to connect. Verify the IP address/FQDN and login credentials of your anti-defacement configuration. If these are valid, verify that connectivity has not been interrupted by dislodged cables, routers, or firewalls.
Total Files: Displays the total number of files on the web site.
Total Backup: Displays the total number of files that have been backed up onto the FortiWeb unit for recovery purposes. Files that you choose not to monitor will not be backed up.
Total Changed: Displays the total number of files that have changed.
(No column heading.) Click the View icon to display the web site’s anti-defacement configuration and backup statistics, including disk usage.
Click the Edit icon to modify an entry.
Click the Delete icon to remove an entry.
Click the Revert site icon to revert the web site to a backup revision. See “Reverting a web site to a backup revision” on page 297.
Before configuring a web site for anti-defacement protection, you must have the following
information ready:
• FQDN or IP address of the web site’s server
• root folder of the web site
• connection type (FTP, SSH, or Windows Share) and the credentials you use to
access the root folder of the web site
• alert email address
To configure anti-defacement
1 Go to Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-Defacement.
2 Click Create New to add a new entry, or click the Edit icon to edit an existing entry.
A dialog appears.
Folder of Web Site: Type the path to the web site’s folder, such as public_html, on the real server. The path is relative to the initial location when logging in with the user name that you specify in User Name.
User Name: Enter the user name, such as fortiweb, that the FortiWeb unit will use to log in to the web site’s real server.
Password: Enter the password for the user name you entered in User Name.
Alert Email Address: Type the recipient email address (MAIL TO:) to which the FortiWeb unit will send an email when it detects that the web site has changed.
Monitor Interval for Root Folder: Enter the time interval in seconds between each monitoring connection from the FortiWeb unit to the web server. During this connection, the FortiWeb unit examines Folder of Web Site (but not its subfolders) to see if any files have been changed by comparing the files with the latest backup.
If it detects any file changes, the FortiWeb unit will download a new backup revision. If you have enabled Restore Changed Files Automatically, the FortiWeb unit will revert the files to their previous version.
For details, see “About web site backups” on page 297.
Monitor Interval for Other Folder: Enter the time interval in seconds between each monitoring connection from the FortiWeb unit to the web server. During this connection, the FortiWeb unit examines subfolders to see if any files have been changed by comparing the files with the latest backup.
If any file change is detected, the FortiWeb unit will download a new backup revision. If you have enabled Restore Changed Files Automatically, the FortiWeb unit will revert the files to their previous version.
For details, see “About web site backups” on page 297.
Maximum Depth of Monitored Folders: Type how many folder levels deep to monitor for changes to the web site’s files. Files in subfolders deeper than this level will not be backed up.
Skip Files Larger Than: Type a file size limit in kilobytes (KB) to indicate which files will be included in the web site backup. Files exceeding this size will not be backed up. The default file size limit is 10 240 KB.
Note: Backing up large files can impact performance.
Skip Files With These Extensions: Type zero or more file extensions, such as iso, avi, to exclude from the web site backup. Separate each file extension with a comma.
Note: Backing up large files, such as video and audio, can impact performance.
Restore Changed Files Automatically: Enable to automatically restore the web site to the previous revision number when it detects that the web site has been changed.
Disable to do nothing. In this case, you must manually restore the web site to a previous revision when the FortiWeb unit detects that the web site has been changed. See “Reverting a web site to a backup revision” on page 297.
Note: While you are intentionally modifying the web site, you must turn off this option and Enable Monitor. Otherwise, the FortiWeb unit will detect your changes as a defacement attempt, and undo them.
4 Click Test Connection to test the connection between the FortiWeb unit and the web
server.
5 Click OK.
The FortiWeb unit connects to the web site and downloads the first backup copy revision.
(It may subsequently download additional revisions. See “About web site backups” on
page 297.)
When a defacement attack occurs, the damaged/changed files will be restored
automatically if you enabled Restore Changed Files Automatically. Otherwise, when the
FortiWeb unit notifies you of the attack, you must manually revert the web site to one of
the backup revisions. For details, see “Reverting a web site to a backup revision” on
page 297.
Note: Backup copies will omit files exceeding the file size limit and/or matching the file
extensions that you have configured the FortiWeb unit to omit. See “Configuring anti-defacement” on page 293.
• If the FortiWeb unit could not successfully connect during a monitor interval, it will
create a new revision the next time that it re-establishes the connection.
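The monitoring rules described above (the root folder versus subfolders down to a maximum depth, the size limit, the skipped extensions, comparison against the latest backup revision, and automatic restore of changed files), modelled in Python as an added example. This is not FortiWeb code; the sample site layout, the limits and the function names are constructed for illustration.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Constructed model of the anti-defacement monitor settings described above
# (Maximum Depth of Monitored Folders, Skip Files Larger Than, Skip Files With
# These Extensions). Function names and the sample site are illustrative only.


def backup_site(root, max_depth=3, skip_larger_than_kb=10240, skip_extensions=("iso", "avi")):
    """Take a backup revision: {relative path: file bytes} for every monitored file.

    Depth 0 is Folder of Web Site itself; subfolders deeper than max_depth, files
    above the size limit (KB) and files with a skipped extension are not backed up.
    """
    root = Path(root)
    skipped = {e.strip().lower().lstrip(".") for e in skip_extensions if e.strip()}
    size_limit = skip_larger_than_kb * 1024
    revision = {}
    for dirpath, dirnames, filenames in os.walk(root):
        depth = len(Path(dirpath).relative_to(root).parts)
        if depth >= max_depth:
            dirnames[:] = []          # stop descending below the configured depth
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower().lstrip(".") in skipped:
                continue
            if path.stat().st_size > size_limit:
                continue
            revision[path.relative_to(root).as_posix()] = path.read_bytes()
    return revision


def detect_changes(revision, root, **monitor_opts):
    """Compare the live folder with the latest backup, as one monitor interval would."""
    current = backup_site(root, **monitor_opts)
    return {
        "added": sorted(set(current) - set(revision)),
        "removed": sorted(set(revision) - set(current)),
        "modified": sorted(p for p in set(revision) & set(current) if revision[p] != current[p]),
    }


def restore_revision(revision, root, changes):
    """Model Restore Changed Files Automatically: put changed files back as backed up."""
    root = Path(root)
    for rel in changes["modified"] + changes["removed"]:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(revision[rel])
    for rel in changes["added"]:
        (root / rel).unlink()       # files the backup never contained are removed


def demo():
    """Build a constructed site, alter it, and return what the monitor sees and does."""
    site = Path(tempfile.mkdtemp())
    try:
        (site / "index.html").write_text("<h1>Welcome</h1>")
        (site / "images").mkdir()
        (site / "images" / "logo.png").write_bytes(b"\x89PNG\r\n")
        (site / "images" / "thumbs").mkdir()
        (site / "images" / "thumbs" / "small.png").write_bytes(b"too deep")
        (site / "promo.avi").write_bytes(b"v" * 100)          # skipped by extension
        (site / "dump.bin").write_bytes(b"\0" * 2048)         # skipped: over the 1 KB limit
        opts = dict(max_depth=1, skip_larger_than_kb=1, skip_extensions=("iso", "avi"))

        revision = backup_site(site, **opts)                  # first backup revision
        (site / "index.html").write_text("<h1>Defaced</h1>")  # simulated unwanted change
        (site / "new-page.html").write_text("<p>added</p>")

        changes = detect_changes(revision, site, **opts)
        restore_revision(revision, site, changes)
        after = detect_changes(revision, site, **opts)
        return sorted(revision), changes, (site / "index.html").read_text(), after
    finally:
        shutil.rmtree(site)


if __name__ == "__main__":
    print(demo())
```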
Revert site
2 In the row corresponding to the web site you want to revert, click the Revert site icon.
A dialog appears listing previous site backup copies.
3 In the row corresponding to the copy that you want to restore, click the Revert to this
time icon.
4 Click OK.
Network accessibility
You may need to configure each target host and any intermediate NAT or security devices
to allow the vulnerability scan to properly reach the target hosts.
Traffic load
If you do not plan to rate limit the vulnerability scan, be aware that some web servers
could perceive its rapid rate of requests as a denial of service (DoS) attack. You may need
to configure the web server to omit rate limiting for connections originating from the IP
address of the FortiWeb unit. Rapid access also can result in degraded network
performance during the scan. For more information, see “Delay Between Each Request”
on page 307.
Scheduling
You should work with the owners of target hosts to schedule an appropriate time to run the
vulnerability scan. For example, you might schedule to avoid peak traffic hours, to restrict
unrelated network access, and to ensure that the target hosts will not be powered off
during the vulnerability scan.
Table 114: Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy tab
4 Click OK.
To start a scan
1 Go to Web Vulnerability Scan > Web Vulnerability Scan >
Web Vulnerability Scan Policy.
2 In the WVS policy list, choose a policy and verify the Schedule column says Run Now
and the status indicator is green (idle).
If Schedule is not set to Run Now, the WVS scan runs on a set schedule. You cannot
manually start a scan that has a set schedule. For more information, see “Configuring
web vulnerability scan policies” on page 300.
3 Click the Start icon associated with the WVS policy.
The vulnerability scan connects to the starting point configured in the WVS Profile and,
if enabled to do so, authenticates. The status indicator flashes red and yellow while the
scan is running.
4 When the scan is finished, the status indicator returns to green (idle).
5 Click the blue arrow beside the policy name to expand the scan results.
If an email policy is defined for the scan, a detailed scan report is distributed
accordingly.
6 If required, view or download a full report of the scan results. For more information, see
“Viewing scan history and reports” on page 309.
To stop a scan
1 Go to Web Vulnerability Scan > Web Vulnerability Scan >
Web Vulnerability Scan Policy.
2 Verify the status indicator is running (flashing red and yellow).
3 Click the Stop icon associated with the WVS policy.
4 The vulnerability scan stops.
The status indicator returns to green (idle). You can expand the policy name to view a
summary of the scan results to the point where the scan was stopped.
Table 115: Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Profile tab
Hostname/IP or URL: Type the fully qualified domain name (FQDN), IP address, or full URL to indicate which directory of the web site you want to scan.
Behavior of the scan varies by the type of the entry:
• A FQDN/IP such as www.example.com. Assume HTTP and scan the entire web site located on this host.
• A partial URL such as https://webmail.example.com/dir1/. Use the protocol specified in the URL, and scan the web pages located in this directory of the web site. Other directories will be ignored.
• A full URL such as http://example.com/dir1/start.jsp. Use the protocol specified in the URL, starting from the web page in the URL, and scan all local URLs reachable via links from this web page that are located within the same subdirectory.
Links to external web sites and redirects using HTTP 301 (Moved Permanently) or 302 (Moved Temporarily or Found) will not be followed.
Unless you will enter an IP address for the host, you must have configured a DNS server that the FortiWeb unit can use to query for the FQDN. For details, see “Configuring the DNS settings” on page 58.
Note: This starting point for the scan can be overridden if the web server automatically redirects the request after authentication. See “Login with HTTP Authentication” and “Login with specified URL/data” on page 307.
Scan: Enable detection of any of the following vulnerabilities that you want to include in the scan report:
• Common Web Server Vulnerability (outdated software and software with known memory leaks, buffer overflows, and other problems)
• XSS (Cross-site Scripting)
• SQL Injection
• Source-code Disclosure
• OS Commanding
For a description of vulnerabilities, see “Configuring server protection rules” on page 201.
Scan Mode: Select whether the scan job will use Basic Mode (use HTTP GET only and omit both user-defined and predefined sensitive URLs) or Enhanced Mode (use both HTTP POST and GET, excluding only user-defined URLs).
Also configure Exclude scanning following URLs.
Basic Mode will avoid alterations to the web site’s databases, but only if all inputs always use POST requests. It also omits testing of the following URLs, which could be sensitive:
• /formathd
• /formatdisk
• /shutdown
• /restart
• /reboot
• /reset
Caution: Fortinet strongly recommends that you do not scan for vulnerabilities on live web sites, even if you use Basic Mode. Instead, duplicate the web site and its database into a test environment, and then use Enhanced Mode with that test environment.
Basic Mode cannot be guaranteed to be non-destructive. Many web sites accept input through HTTP GET requests, and so it is possible that a vulnerability scan could result in database changes, even though it does not use POST. In addition, Basic Mode cannot test for vulnerabilities that are only discoverable through POST, and therefore may not find all vulnerabilities.
Request Timeout: Type the number of seconds for the vulnerability scanner to wait for a response from the web site before it assumes that the request will not successfully complete, and continues with the next request in the scan. It will not retry requests that time out.
Delay Between Each Request: Type the number of seconds to wait between each request.
Some web servers may rate limit the number of requests, or black list clients that issue continuous requests and therefore appear to be a web site harvester or denial of service (DoS) attacker. Introducing a delay can be useful to prevent the vulnerability scanner from being blacklisted or rate limited, and therefore slow or unable to complete its scan.
Login Option
Login with HTTP Authentication: Enable to use basic HTTP authentication if the web server returns HTTP 401 (Unauthorized) to request authorization. Also configure User and Password.
Alternatively, configure Login with specified URL/data.
After authentication, if the web server redirects the request (HTTP 302), the FortiWeb unit will use this new web page as its starting point for the scan, replacing the URL that you configured in Hostname/IP or URL.
Note: If a web site requires authentication and you do not configure the vulnerability scan to authenticate, the scan results will be incomplete.
User: Enter the user name to provide to the web site if it requests HTTP authentication.
Password: Enter the password of the user name.
Login with specified URL/data: Enable to authenticate if the web server does not use HTTP 401, but instead provides a web page with a form that allows the user to authenticate using HTTP POST. Also configure Authenticate URL and Authenticate Data.
After authentication, if the web server redirects the request (HTTP 302), the FortiWeb unit will use this new web page as its starting point for the scan, replacing the URL that you configured in Hostname/IP or URL.
Note: If a web site requires authentication and you do not configure the vulnerability scan to authenticate, the scan results will be incomplete.
Authenticate URL: Type the URL, such as /login.jsp, that the vulnerability scan will use to authenticate before beginning the scan.
Authenticate Data: Type the parameters, such as userid=admin&password=Re2b8WyUI, that will accompany the HTTP POST request to the authentication URL and contain the values necessary to authenticate. Typically, this string will include user name and password parameters, but may contain other variables, depending on the web page.
Scan Website URLs Option
Crawl entire website automatically: Select this option to automatically follow links leading from the initial starting point that you configured in Hostname/IP or URL. The vulnerability scanner will stop following links when it has scanned the number of URLs configured in Crawl URLs Limit.
Alternatively, select Specify URLs for scanning.
Crawl URLs Limit: Type the maximum number of URLs to scan for vulnerabilities while automatically crawling links leading from the initial starting point.
Note: The actual number of URLs scanned could exceed this limit if the vulnerability scanner reaches the limit but has not yet finished crawling all links on a page that it has already started to scan.
Specify URLs for scanning: Select this option to manually specify which URLs to scan, such as /login.do, rather than having the vulnerability scanner automatically crawl the web site. Enter each URL on a separate line in the text box.
You can enter up to 10 000 URLs.
Exclude scanning following URLs: Enable to exclude specific URLs, such as /addItem.cfm, from the vulnerability scan. Enter each URL on a separate line in the text box.
This may be useful to accelerate the scan if you know that some URLs do not need scanning. It could also be useful if you are scanning a live web site and wish to prevent the scanner from inadvertently adding information to your databases.
You can enter up to 1 000 URLs.
5 Click OK.
You can now apply the WVS Profile to a WVS Policy. For more information, see
“Configuring web vulnerability scan policies” on page 300.
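The three kinds of Hostname/IP or URL entry described in the profile table define different crawl scopes (whole host, one directory, or the starting page’s subdirectory), and external links are never followed. The scope rules as an added Python model, not FortiWeb code: the function names are constructed, and it assumes that a followed link must use the same protocol as the configured entry (the guide only states that the scan uses the protocol specified in the URL).

```python
from urllib.parse import urljoin, urlsplit


def scan_scope(entry):
    """Translate a Hostname/IP or URL entry into (scheme, host, directory prefix).

    Follows the three cases in the profile description:
    - bare FQDN or IP address: assume HTTP and scan the whole host
    - partial URL ending in '/': use its protocol; scan that directory only
    - full URL to a page: use its protocol; scan the page's own subdirectory
    """
    if "://" not in entry:
        return "http", entry.lower(), "/"
    parts = urlsplit(entry)
    path = parts.path or "/"
    prefix = path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"
    return parts.scheme.lower(), parts.netloc.lower(), prefix


def in_scope(entry, page_url, href):
    """Return True if a link found on page_url should be followed by the scan.

    Relative hrefs are resolved against the page that contained them. Links to
    another host, another protocol (assumption, see lead-in) or a directory
    outside the prefix are not followed. HTTP 301/302 redirects met during the
    scan are likewise not followed, so a crawler built on this only queues
    links that pass this check.
    """
    scheme, host, prefix = scan_scope(entry)
    target = urlsplit(urljoin(page_url, href))
    if target.scheme.lower() != scheme or target.netloc.lower() != host:
        return False
    return (target.path or "/").startswith(prefix)


def select_links(entry, page_url, hrefs):
    """Filter the hrefs harvested from one page down to the absolute URLs in scope."""
    return [urljoin(page_url, h) for h in hrefs if in_scope(entry, page_url, h)]


if __name__ == "__main__":
    # Constructed links as a crawler might find them on the starting page.
    start = "http://example.com/dir1/start.jsp"
    found = ["page2.jsp", "sub/page3.jsp", "../x.jsp", "http://www.example.org/"]
    print(select_links(start, start, found))
```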
Table 116: Web Vulnerability Scan > Web Vulnerability Scan >Web Vulnerability Scan Schedule tab
4 Click OK.
You can now apply the WVS Schedule to a WVS Policy. For more information, see
“Configuring web vulnerability scan policies” on page 300.
Table 117: Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan History tab
If after viewing the response you determine that the result is a false positive, click False
Positive. The false positive status will be saved and visible in any subsequent printout or
view of the report, helping to remind you that the item should be ignored.
About logging
FortiWeb units can log many different network activities and traffic including:
• overall network traffic
• system-related events including system restarts and HA activity
• matches of policies whose Action include Alert
For more information about log types, see “Log types” on page 314.
You can select a priority level that log messages must meet in order to be recorded. For
more information, see “Log priority levels” on page 314.
A FortiWeb unit can save log messages to its memory, or to a remote location such as a
Syslog server or FortiAnalyzer unit. For more information, see “Configuring and enabling
logging” on page 323. The FortiWeb unit can also use log messages as the basis for
reports. For more information, see “Configuring and generating reports” on page 344.
Event and attack log messages are also displayed in the system status dashboard. For
more information, see “Viewing system status” on page 41.
Log types
FortiWeb units can record the following categories of log messages:
Table 118: Log types
Caution: Avoid recording highly frequent log types such as traffic logs to the local hard disk
for an extended period of time. Excessive logging frequency can cause undue wear on the
hard disk and may cause premature failure.
Levels Description
0 - Emergency The system has become unusable.
1 - Alert Immediate action is required.
2 - Critical Functionality is affected.
3 - Error An error condition exists and functionality could be affected.
4 - Warning Functionality could be affected.
5 - Notification Information about normal events.
6 - Information General information about system operations.
For each location where the FortiWeb unit can store log files (disk, memory, Syslog or
FortiAnalyzer), you can define a priority threshold. The FortiWeb unit will store all log
messages equal to or exceeding the log priority level you select.
Caution: Avoid recording log messages using low log priority thresholds such as
information or notification to the local hard disk for an extended period of time. A low log
priority threshold is one possible cause of frequent logging. Excessive logging frequency
can cause undue wear on the hard disk and may cause premature failure.
For example, if you select Error, the FortiWeb unit will store log messages whose log
priority level is Error, Critical, Alert, or Emergency.
For more information, see “Configuring global log settings” on page 324.
For a detailed description of each FortiWeb log message, see the FortiWeb Log Message
Reference.
SMTP user: Enter the user name of the account on the SMTP relay that will be used to send alerts. This option is available only if Authentication is enabled.
Password: Enter the password of the account on the SMTP relay that will be used to send alerts. This option is available only if Authentication is enabled.
Apply & Test: Click to save the alert configuration and send a sample alert to the recipient.
Log Level: Select the priority threshold that log messages must meet or exceed in order to cause an alert. For more information on log levels, see “Log priority levels” on page 314.
Emergency: Enter the number of minutes between each alert if an alert condition of severity level Emergency continues to occur after the initial alert.
Alert: Enter the number of minutes between each alert if an alert condition of severity level Alert continues to occur after the initial alert.
Critical: Enter the number of minutes between each alert if an alert condition of severity level Critical continues to occur after the initial alert.
Error: Enter the number of minutes between each alert if an alert condition of severity level Error continues to occur after the initial alert.
Warning: Enter the number of minutes between each alert if an alert condition of severity level Warning continues to occur after the initial alert.
Notification: Enter the number of minutes between each alert if an alert condition of severity level Notification continues to occur after the initial alert.
Information: Enter the number of minutes between each alert if an alert condition of severity level Information continues to occur after the initial alert.
Debug: Enter the number of minutes between each alert if an alert condition of severity level Debug continues to occur after the initial alert.
4 Click OK.
The FortiWeb unit saves the configuration and returns to the Email Policy tab.
Note: Logs stored remotely cannot be viewed from the FortiWeb web-based manager. If
you require the ability to view logs from the web-based manager, also enable local storage.
For details, see “Enabling logging” on page 327.
Before you can log remotely, you must enable alert email for the log type that you want to
use as a trigger. For details, see “Enabling logging” on page 327.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.
Table 122: Log&Report > Log Policy > Syslog Policy tab
4 Click OK.
5 To verify logging connectivity, from the FortiWeb unit, trigger a log message that
matches the types and severity levels that you have chosen to store on the remote
host. Then, on the remote host, confirm that it has received that log message.
If the remote host does not receive the log messages, verify the FortiWeb unit’s
network interfaces (see “Configuring the network and VLAN interfaces” on page 50)
and static routes (see “Configuring static routes” on page 105), and the policies on any
intermediary firewalls or routers. If ICMP ECHO (ping) is enabled on the remote host,
try using the execute traceroute command to determine the point where
connectivity fails. For details, see the FortiWeb CLI Reference.
Note: Logs stored remotely cannot be viewed from the web-based manager of the
FortiWeb unit. If you require the ability to view logs from the web-based manager, also
enable local storage. For details, see “Enabling logging” on page 327.
Before you can log remotely, you must enable alert email for the log type that you want to
use as a trigger. For details, see “Enabling logging” on page 327.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.
Table 123: Log&Report > Log Policy > FortiAnalyzer Policy tab
4 Click OK.
5 Confirm with the FortiAnalyzer administrator that the FortiWeb unit has been added to
the FortiAnalyzer unit’s device list, allocated sufficient disk space quota, and assigned
permission to transmit logs to the FortiAnalyzer unit. For details, see the FortiAnalyzer
Administration Guide.
6 To verify logging connectivity, from the FortiWeb unit, trigger a log message that
matches the types and severity levels that you have chosen to store on the remote
host. Then, on the remote host, confirm that it has received that log message.
If the remote host does not receive the log messages, verify the FortiWeb unit’s
network interfaces (see “Configuring the network and VLAN interfaces” on page 50)
and static routes (see “Configuring static routes” on page 105), and the policies on any
intermediary firewalls or routers. If ICMP ECHO (ping) is enabled on the remote host,
try using the execute traceroute command to determine the point where
connectivity fails. For details, see the FortiWeb CLI Reference.
Table 124: Log&Report > Log Policy > Trigger Policy tab
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click
the Edit icon.
A dialog appears.
4 Click OK.
• Usually, fewer log messages can be stored in memory. Logging to a Syslog server or
FortiAnalyzer unit may provide you with additional log storage space.
For information on viewing locally stored log messages, see “Viewing log messages” on
page 331.
This section includes the following topics:
• Configuring global log settings
• Enabling logging
• Obscuring sensitive data in the logs
Use alert emails to notify users when problems occur. Distribution of alert emails is
managed though email policies that define who receives the alert emails and the
frequency that the alert emails are sent.
Caution: Avoid recording highly frequent log types such as traffic logs to the local hard disk
for an extended period of time. Excessive logging frequency can cause undue wear on the
hard disk and may cause premature failure.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.
Memory: Enable to record log messages in the local random access memory (RAM) of the FortiWeb unit.
Note: Only event logs can be stored in the local memory. Attack and traffic logs cannot be stored in memory.
If the FortiWeb unit is logging to memory, you can use the web-based manager to
view log messages that are stored locally on the FortiWeb unit. For details, see
“Viewing log messages” on page 331.
Caution: Log messages stored in memory should not be regarded as
permanent. All log entries stored in memory are cleared when the FortiWeb unit
restarts. When available memory space for log messages is full, the FortiWeb
unit will store any new log message by overwriting the oldest log message.
Before you can record event logs to the local memory, you must first enable
logging. For details, see “Enabling logging” on page 327. For logging accuracy,
you should also verify that the FortiWeb unit’s system time is accurate. For
details, see “Configuring system time” on page 100.
Expand the memory storage configuration to display additional options:
Log Level: Select the severity level that a log message must equal or exceed in
order to be recorded to this storage location.
For information about severity levels, see “Log priority levels” on page 314.
Syslog: Enable to store log messages remotely, on a Syslog server.
Warning: Enabling Syslog could result in excessive log messages being
recorded in Syslog.
Syslog entries are controlled by Syslog policies and trigger actions associated
with various types of violations. If the Syslog option is enabled, but a trigger
action has not been selected for a specific type of violation, every occurrence of
that violation will be recorded in Syslog and transmitted to the Syslog server. For
more information, see “Responding to web protection rule violations” on
page 191.
Note: Logs stored remotely cannot be viewed from the FortiWeb web-based
manager.
Before you can store logs on a remote location you must first enable logging. For
details, see “Enabling logging” on page 327. For logging accuracy, you should
also verify that the FortiWeb unit’s system time is accurate. For details, see
“Configuring system time” on page 100.
Expand the Syslog storage configuration to display additional options:
Syslog Policy: Select the policy to use when storing log information remotely. The Syslog policy includes the address information for the remote Syslog server. For more information, see “Configuring Syslog policies” on page 319.
Log Level: Select the severity level that a log message must equal or exceed in
order to be recorded to this storage location.
For information about severity levels, see “Log priority levels” on page 314.
Facility: Select the facility identifier that the FortiWeb unit will use to identify itself
when sending log messages to the first Syslog server.
To easily identify log messages from the FortiWeb unit when they are stored on the Syslog server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.
Alert Mail: Enable to generate alert email when log messages are created.
Warning: Enabling Alert Email could result in excessive alert email.
Distribution of alert emails is controlled by email policies and trigger actions
associated with various types of violations. If the Alert Mail option is enabled, but
a trigger action has not been selected for a specific type of violation, every
occurrence of that violation will result in an alert email to the individuals
associated with the policy selected in the Email Policy field. For more
information, see “Responding to web protection rule violations” on page 191.
Expand the Alert Mail configuration to display additional options:
Email Policy: Select the email policy to use for alert emails. For more information
see “Configuring email policies” on page 317.
Alert Mail is not available for the traffic logs.
FortiAnalyzer: Enable to store log messages remotely, on a FortiAnalyzer unit.
Warning: Enabling FortiAnalyzer could result in excessive log messages being
recorded in FortiAnalyzer.
FortiAnalyzer entries are controlled by FortiAnalyzer policies and trigger actions
associated with various types of violations. If the FortiAnalyzer option is enabled,
but a trigger action has not been selected for a specific type of violation, every
occurrence of that violation will be recorded in FortiAnalyzer. For more
information, see “Responding to web protection rule violations” on page 191.
Note: Logs stored remotely cannot be viewed from the FortiWeb web-based
manager.
Before you can store logs on a remote location you must first enable logging. For
details, see “Enabling logging” on page 327. For logging accuracy, you should
also verify that the FortiWeb unit’s system time is accurate. For details, see
“Configuring system time” on page 100.
Expand the FortiAnalyzer storage configuration to display additional options:
FortiAnalyzer Policy: Select the policy to use when storing log information
remotely. The FortiAnalyzer policy includes the address information for the
remote Syslog server. For more information see “Configuring FortiAnalyzer
policies” on page 321.
Log Level: Select the severity level that a log message must equal or exceed in
order to be recorded to this storage location.
For information about severity levels, see “Log priority levels” on page 314.
3 Click Apply.
Enabling logging
Log&Report > Log Config > Other Log Settings allows you to enable or disable logging for
each log type.
For more information on log types, see “Log types” on page 314.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.
To enable logging
1 Go to Log&Report > Log Config > Other Log Settings.
Persistent Server Session Threshold: Select a threshold level that will trigger an event log when the actual number of persistent server sessions reaches the defined percentage (50% to 90%) of the total number of persistent server sessions allowed for the FortiWeb unit. The default setting is 80%.
For example, if Persistent Server Session Threshold is set to 50%, and the allowed number of persistent server sessions is 15,000, an event log is triggered when the actual number of persistent sessions reaches 50% of the allowed number, or 7,500 persistent server sessions.
For more information on the total persistent server sessions, see “Appendix B: Maximum values” on page 397.
Enable Traffic Log: Enable to log traffic events such as HTTP requests and responses, and the expiration of HTTP sessions. If you do not need traffic data, disable this feature to increase system performance.
Enable Packet Log: If you want to retain regular traffic packet payloads, mark Enable Packet Log. Unlike attack packet payloads, only request direction traffic packets are retained, and only the first 4 KB of the payload if it is larger.
Note: Retaining traffic packet payloads is resource intensive. Only enable this option when absolutely necessary.
Packet payloads are accessible from the Packet Log column when viewing a log using the web-based manager. For details, see “Viewing packet log details” on page 336.
3 Click Apply.
Note: Sensitive data definitions are not retroactive. They will hide strings in subsequent log
messages, but will not affect existing ones.
2 On the right side of the tab, select one or both of the following:
• Enable Predefined Rules: Use the predefined credit card number and password
data types.
• Enable Custom Rules: Use your own regular expressions to define sensitive data.
3 Click Create New.
A dialog appears.
Caution: Field masks using asterisks are greedy: a match for the parameter’s value will
obscure it, but will also obscure the rest of the parameters in the line. To avoid this, enter
an expression whose match terminates with, but does not consume, the parameter
separator.
For example, if parameters are separated with an ampersand ( & ), and you want to
obscure the value of the Field Name username but not any of the parameters that follow it,
you could enter the Field Value:
.*?(?=\&)
The log line then appears with only that value obscured, for example:
username****&age=13&origurl=%2Flogin
Tip: To create and test a regular expression, click the >> (test) icon. This opens the Regular
Expression Validator window where you can fine-tune the expression.
6 Click OK.
The expression appears in the list of regular expressions that define sensitive data that
will be obscured in the logs.
When viewing new log messages, data types matching your expression will be
replaced with a string of * characters equal in length to the sensitive data.
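The greedy-match pitfall from the Caution above and the lookahead form that avoids it, as an added Python model (not FortiWeb code). The log line is constructed; the function names are illustrative; and the model assumes the Field Value expression is applied right after “name=” and that Python’s re engine agrees with the appliance’s for these constructs.

```python
import re

# Constructed sample log line (not from the original page); parameters are
# separated with an ampersand, as in the guide's example.
SAMPLE_LINE = "username=alice&age=13&origurl=%2Flogin"


def mask_field(line, field_name, value_regex):
    """Obscure the value of one parameter in a log line.

    Models the Field Name / Field Value pair of a custom sensitive-data rule:
    the value expression is applied right after "<field_name>=" (an assumption
    about how the appliance anchors the match), and whatever it matches is
    replaced by the same number of '*' characters, preserving the length.
    """
    pattern = re.compile(re.escape(field_name) + "=(" + value_regex + ")")

    def _star(m):
        prefix_len = m.start(1) - m.start(0)        # keep "name=" readable
        return m.group(0)[:prefix_len] + "*" * len(m.group(1))

    return pattern.sub(_star, line)


def greedy_mask(line, field_name):
    """The greedy form the Caution warns about: '.*' consumes the rest of the
    line, so every parameter after the field is obscured too."""
    return mask_field(line, field_name, ".*")


def delimited_mask(line, field_name, separator="&"):
    r"""The guide's .*?(?=\&) pattern, generalised to any separator: the
    lookahead stops the match at the separator without consuming it, so the
    following parameters stay visible. '$' also ends the match when the field
    is the last parameter on the line."""
    return mask_field(line, field_name, r".*?(?=" + re.escape(separator) + "|$)")


if __name__ == "__main__":
    print(greedy_mask(SAMPLE_LINE, "username"))     # rest of the line hidden
    print(delimited_mask(SAMPLE_LINE, "username"))  # only the username value hidden
```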
For example, while using auto-learning, you can configure protection profiles with an action
of Alert (log but not deny), allowing the connection to complete in order to gather full auto-learning data.
To determine whether or not an attack attempt was permitted to reach a web server, show
the Action column. For details, see “Displaying and arranging log columns” on page 338.
When viewing log messages, you can customize aspects of the display to focus on log
messages and fields that match your criteria. For more information, see “Customizing the
log view” on page 337.
For attack logs and traffic logs, you can view detailed information about each log and the
packet payload. For more information, see “Viewing log message details” on page 335.
For attack logs, you can perform a quick or advanced search for specific logs. For more
information, see “Searching attack logs” on page 341.
The logs associated with attacks that are blocked by FortiWeb are highlighted to
distinguish them from other attacks that are not blocked.
This section includes the following topics:
• Selecting a log type to view
• Viewing log message details
• Viewing packet log details
• Customizing the log view
• Searching attack logs
Note: In addition to locally stored log messages, event log messages and attack log
messages can also be viewed in the system status dashboard. For more information, see
“Viewing system status” on page 41.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.
Table 128: Log&Report > Log Access > Event tab
(Screenshot callouts: Refresh, Log Search, Log Message Aggregation, Clear All Filters,
Previous page, Next page, Raw (or Formatted), Column Settings)
Note: The columns and type of information displayed depend on which log type tab is
selected.
Raw / Formatted: These icons let you toggle between a Raw and Formatted view of the log
information. The raw view displays the log message as it actually appears in the log file.
The formatted view displays the log message in a columnar format. Click to switch the log
information view to the opposite of what is currently displayed. For details on both view
types, see “Customizing the log view” on page 337.
Clear All Filters: Click this icon to clear all log view filters. For details on log view
filters, see “Filtering log messages” on page 339.
Log Message Aggregation: Visible only when the Attack tab is selected. Enables you to view
only the attack logs associated with specific categories, including: HTTP Host, URL,
Source IP or Subtype. For more information, see “Grouping similar attack log messages” on
page 340.
Log Search: Visible only when the Attack tab is selected. Enables you to perform searches
for attack logs using advanced search criteria. For more information, see “Searching attack
logs” on page 341.
Refresh: Visible only when the Attack tab is selected. Enables you to update the attack log
list by adding any new logs that were created since the log list was opened.
Tip: If there are no traffic logs, verify that you have enabled Session Management in the
profiles whose traffic you want to log.
3 To view Attack logs, select Log&Report > Log Access > Attack. Log messages
associated with attacks that have been blocked by FortiWeb are highlighted to
distinguish them from other attacks that are not blocked.
Blocked attack
4 If you want to view the historical attack log files that are stored on local hard disk,
select the Log Management link at the top-right of the attack log list.
5 Go to step .
6 To view Event log messages, select Log&Report > Log Access > Event.
For Event logs only, you can select the log data storage location (disk or memory) and
then select from which data source location you want to view the log information. For
more information on configuring the FortiWeb unit to store log messages locally, see
“Configuring and enabling logging” on page 323.
Note: Only event logs are stored in local memory. Attack and traffic logs are stored on disk.
7 To view event log messages stored in local random access memory (RAM), select
Memory as the Data Source.
8 If you want to view historical event log files stored on the local hard disk, select Disk as
the Data Source.
9 Go to step .
10 To view Traffic logs, select Log&Report > Log Access > Traffic.
11 If you want to view the historical traffic log files that are stored on local hard disk, select
the Log Management link at the top-right of the traffic log list.
Historical log files are stored on the local hard disk. You can view the log messages
associated with any historical log file, download the entire log file or clear the log file
from the disk.
3 In the Show these fields in this order area, select a column name whose order of
appearance you want to change.
4 Click Move Up or Move Down to move the column in the ordered list.
Placing a column name towards the top of the Show these fields in this order list will
move the column to the left side of the Formatted log view.
5 Click OK.
To clear a filter
1 In the heading of the column whose filter you want to clear, click the Filter icon. The
filter window appears.
A column’s filter icon is green when the filter is currently enabled.
3 In Available fields, select which aspect you want to use when grouping the log
messages, then click the right arrow to move it to the Aggregate log by these fields
area.
4 Click OK.
Attack log messages are no longer in sequential order, but are instead grouped by the
similar aspect you selected. To view log messages in a group, click the arrow in that
column to expand the set.
Figure 47: Attack log messages viewed when grouped by attack subtype
(Screenshot of the attack log search dialog, with callouts for Search icon, Search results,
Back, Reset search, Generate Log Detail PDF, Advanced search, Log search and Keyword)
From/To, Hour, Minute: Select the date and time range that contains the attack log that you
are searching for.
Note: The date fields default to the current date. Ensure the date fields are set to the
actual date range that you want to search.
all/any: Select all if you want to search for all terms specified in the fields shown below
the all/any options. For example, if terms are entered in Sub Type and Action, the search
results display only the attack logs matching both of those terms.
Select any if you want to search for any one of the terms specified in the fields shown
below the all/any options. For example, if terms are entered in Sub Type, Source, Action
and Policy, the search results display the attack logs that match any of those terms.
not: Select not if you want to search for conditions that exclude a specific term. For
example, if an IP address is entered in the Source field, and not is selected, the search
results exclude all attack logs with that source IP address.
Log fields: Lists the fields of an attack log that can be searched for specific terms. Enter
the exact terms in the appropriate log fields:
• Sub Type
• Source
• Destination
• Source Port
• Destination Port
• HTTP Method
• Action
• Policy
• Service
• HTTP Host
To exclude log records that match a criterion, mark its Not check box.
Note: Search results include only exact matches for keywords and terms entered in the
advanced Search Dialog. Ensure that the keywords and terms are accurate and relevant to
the search and that the date and time fields cover the actual range you want to search.
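The all/any/not combination, the date range and the exact-match rule described above, as an added Python illustration run over constructed attack log records (not FortiWeb code; the field names follow the list above, and the "YYYY-MM-DD HH:MM:SS" date format is an assumption).

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed attack log records carrying the searchable fields the guide
# lists (sample data, not real FortiWeb log output).
SAMPLE_ATTACK_LOGS: List[Dict[str, str]] = [
    {"date": "2011-06-15 09:12:00", "Sub Type": "SQL Injection",
     "Source": "192.0.2.10", "Destination": "198.51.100.5",
     "HTTP Method": "GET", "Action": "Alert", "Policy": "policy1",
     "Service": "http", "HTTP Host": "www.example.com"},
    {"date": "2011-06-15 09:15:30", "Sub Type": "SQL Injection",
     "Source": "192.0.2.10", "Destination": "198.51.100.5",
     "HTTP Method": "POST", "Action": "Deny", "Policy": "policy1",
     "Service": "http", "HTTP Host": "www.example.com"},
    {"date": "2011-06-16 22:40:05", "Sub Type": "Cross Site Scripting",
     "Source": "203.0.113.7", "Destination": "198.51.100.5",
     "HTTP Method": "GET", "Action": "Alert", "Policy": "policy2",
     "Service": "https", "HTTP Host": "shop.example.com"},
]

DATE_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout for the sample


@dataclass(frozen=True)
class Term:
    """One search term: a log field, the value to look for, and the state of
    the per-field Not check box."""
    field: str
    value: str
    negate: bool = False


def term_matches(record: Dict[str, str], term: Term) -> bool:
    # Exact, case-sensitive comparison only: "sql injection" does not find
    # "SQL Injection", and a partial address does not find a full one.
    hit = record.get(term.field) == term.value
    return (not hit) if term.negate else hit


def search_attack_logs(records: List[Dict[str, str]], terms: List[Term],
                       mode: str = "all",
                       start: Optional[str] = None,
                       end: Optional[str] = None) -> List[Dict[str, str]]:
    """Return the records within [start, end] whose fields satisfy all (or
    any) of the terms, mirroring the all/any choice in the search dialog.
    start and end use DATE_FORMAT; None leaves that side of the range open."""
    if mode not in ("all", "any"):
        raise ValueError("mode must be 'all' or 'any'")
    combine = all if mode == "all" else any
    start_at = datetime.strptime(start, DATE_FORMAT) if start else None
    end_at = datetime.strptime(end, DATE_FORMAT) if end else None
    results = []
    for record in records:
        when = datetime.strptime(record["date"], DATE_FORMAT)
        if start_at is not None and when < start_at:
            continue  # before the From date/time
        if end_at is not None and when > end_at:
            continue  # after the To date/time
        if terms and not combine(term_matches(record, t) for t in terms):
            continue
        results.append(record)
    return results
```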
Note: A Log Detail report can be generated only for one page of results (30 logs) at a time.
After generating a report for one page of results, move to the next page and generate
another report, if required.
Note: If you want to download an entire event log file (elog), attack log file (alog) or traffic
log file (tlog) stored on the FortiWeb hard disk, see “Viewing log messages” on page 331.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.
Start Time Choose the starting point for the log download by selecting the year, month
and day as well as the hour, minute and second that defines the first of the
log messages to download.
End Time Choose the end point for the log download by selecting the year, month and
day as well as the hour, minute and second that defines the last of the log
messages to download.
3 Click Download.
4 If a file download dialog appears, click Save and then choose the directory where you
want to save the downloaded log file.
The log files are downloaded to the specified directory in a compressed file format (TGZ).
You can use commercial file compression and text editing tools to extract and open the
compressed log file.
When generating a report, FortiWeb units collate information collected from log files and
present the information in tabular and graphical format.
In addition to log files, FortiWeb units require a report profile in order to generate a report.
A report profile is a group of settings that contains the report name, file format, subject
matter, and other aspects that the FortiWeb unit considers when generating the report.
FortiWeb units can generate reports automatically, according to the schedule that you
configure in the report profile, or manually, when you click the Run now icon in the report
profile list. You may want to create one report profile for each type of report that you will
generate on demand or periodically, by schedule.
Before you generate a report, collect log data that will be the basis of the report. For
information on enabling logging to the local hard disk, see “Configuring and enabling
logging” on page 323.
To access this part of the web-based manager, your administrator’s account access profile
must have Read and Write permission to items in the Log & Report category. For details,
see “About permissions” on page 80.
Table 132: Log&Report > Report Config > Report Config tab
(Icons shown: Delete, Edit, Run now)
Schedule: Displays the scheduled frequency at which the FortiWeb unit generates the report.
If this report is not scheduled to be periodically generated according to the schedule
configured in the report profile, but instead will be generated only on demand, when you
manually click the Run now icon, None appears in this column.
Action: Click the Delete icon to remove the report profile.
Click the Edit icon to modify the report profile. For more information, see “Configuring a
report profile” on page 346.
Click the Run now icon to immediately generate a report using this report profile. This
option can be used with both scheduled and on-demand report profiles, and occurs
independently of any automatic report generation schedules you may have configured. For
more information, see “Configuring the schedule of a report profile” on page 351. To view
the resulting report, see “Viewing and downloading reports” on page 353.
Note: For on-demand reports, the FortiWeb unit does not save the report profile after
generating the report. If you want to save the report profile, but do not want to generate
the report at regular intervals, select On Schedule, but then in the Schedule section,
select Not Scheduled.
Note: You cannot change the Type when editing a report profile. To change the
scheduled/on demand Type, create a new report profile instead.
5 In Report Title, enter a name that will appear in the title area of the report. The title may
include spaces.
6 In Description, enter a comment or other description.
7 Click the blue expand arrow next to each section, and configure the following:
Each query group contains multiple individual queries, each of which correspond to a
chart that will appear in the generated report. You can select all queries within the group
by marking the check box of the query group, or you can expand the query group and then
individually select each query that you want to include.
For example:
• If you want the report to include charts about both normal traffic and attacks, you might
enable both of the query groups Attack Activity and Event Activity.
• If you want the report to specifically include only a chart about top system event types,
you might expand the query group Event Activity, then enable only the individual query
Top Event Types.
Note: Reports that do not include “Top” in their name display all results. Changing the
Ranked Reports values will not affect these reports.
These Dates: Select to generate the report on specific dates of each month, then enter
those date numbers. Separate multiple date numbers with a comma. Also configure Time.
For example, to generate a report on the first and 30th day of every month, enter 1,30.
Time: Select the time of the day when the report will be generated.
This option does not apply if you have selected Not Scheduled.
Table 140: Log&Report > Report Browse > Report Browse tab
(Icons shown: Rename, Delete)
Report Files: Displays the name of the generated report, the date and time at which it was
generated, and, if necessary to distinguish it from other reports generated at that time, a
sequence number.
For example, Report_1-2008-03-31-2112_018 is a report named “Report_1”, generated on
March 31, 2008 at 9:12 PM. It was the nineteenth report generated at that date and time
(the first report generated at that time did not have a sequence number).
To view the report in HTML format, click the name of the report. The report appears in a
pop-up window.
To view only an individual section of the report in HTML format, click the blue triangle
next to the report name to expand the list of HTML files that comprise the report, then
click one of the file names.
Started: Displays the date and time when the FortiWeb unit started to generate the report.
Finished: Displays the date and time when the FortiWeb unit finished generating the report.
Size (bytes): Displays the file size in bytes of each of the HTML files that comprise an
HTML-formatted report. This column is empty for the overall report, and contains sizes only
for its component files.
Other Formats: Click the name of an alternative file format, if any were configured to be
generated by the report profile, to download the report in that file format.
Action: Click the Delete icon to remove the report.
Click Rename to rename a generated report.
Note: To reduce the amount of hard disk space consumed by reports, regularly download
then delete generated reports from the FortiWeb unit.
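The Report Files naming convention described in Table 140, parsed by an added Python example (not FortiWeb code). It assumes the file name form <name>-YYYY-MM-DD-HHMM with an optional three-digit _NNN suffix, as in the guide's example, and converts the suffix to the ordinal the guide gives (no suffix is the first report of that minute, _018 the nineteenth).

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Report file names, as described for the Report Browse tab:
#   <report name>-YYYY-MM-DD-HHMM[_NNN]
# The optional suffix distinguishes reports generated in the same minute; the
# first such report carries no suffix, so "_018" is the nineteenth. The name
# itself may contain hyphens, so the date is anchored at the end of the string.
_REPORT_FILE_RE = re.compile(
    r"^(?P<name>.+)-(?P<year>\d{4})-(?P<month>\d{2})-(?P<day>\d{2})"
    r"-(?P<hhmm>\d{4})(?:_(?P<seq>\d{3}))?$"
)


@dataclass(frozen=True)
class ReportFile:
    name: str            # the report profile's name, e.g. "Report_1"
    generated_at: datetime
    ordinal: int         # 1 for the first report in that minute, 19 for "_018"


def is_report_filename(filename: str) -> bool:
    """True if the file name follows the documented report naming layout."""
    return _REPORT_FILE_RE.match(filename) is not None


def parse_report_filename(filename: str) -> ReportFile:
    """Split a generated report's file name into name, timestamp and ordinal.
    Raises ValueError for names that do not follow the layout or carry an
    impossible date."""
    m = _REPORT_FILE_RE.match(filename)
    if m is None:
        raise ValueError(f"not a report file name: {filename!r}")
    hhmm = m["hhmm"]
    generated_at = datetime(int(m["year"]), int(m["month"]), int(m["day"]),
                            int(hhmm[:2]), int(hhmm[2:]))
    seq = m["seq"]
    ordinal = 1 if seq is None else int(seq) + 1
    return ReportFile(m["name"], generated_at, ordinal)


if __name__ == "__main__":
    print(parse_report_filename("Report_1-2008-03-31-2112_018"))
```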
Avoiding problems
As you configure your FortiWeb unit and integrate it effectively into your network, take
care not to create problems and setbacks. FortiWeb includes powerful commands and
options—features needed for efficient management—that, if misused or mistimed, can
undo your hard work.
Here is a list of tips to avoid problems:
Perform backups
Perform backups before executing potentially configuration-altering actions:
• Before upgrading the firmware, always perform a full backup, including configurations.
• Back up your configuration before running CLI commands that can change your
settings, such as execute factoryreset and execute restore.
• Back up your configuration before clicking the Reset button in the System Information
console on the dashboard.
• Back up your configuration before changing operation mode.
There are two backup methods available:
• manual as shown in Figure 51 (see “Backing up and restoring configurations” on
page 96.)
• via FTP as shown in Figure 52 (see “Configuring an FTP backup and schedule” on
page 98)
To lessen the impact on performance, set the FTP backup time to off-peak hours or
weekends.
Tuning security
FortiWeb is designed to enhance the security of your web sites and web servers, and
when fully configured, it can automatically plug holes commonly used by attackers to
compromise a system.
This section lists tips for further enhancing security.
Administrator security
• As soon as possible during initial FortiWeb setup, give the default administrator, admin,
a password. This administrator has the highest level of permissions available and
access to this administrator should be limited to as few people as possible.
• Change all administrator passwords regularly. Set a policy—such as every 60 days—
and follow it. (To see the dialog in Figure 53, click the Edit Password icon to reveal the
password dialog.)
Figure 53: Edit Password under System > Admin > Administrator
• Instead of allowing administrative access to the FortiWeb unit from any source, restrict
it to trusted internal hosts. See Figure 54 and “Configuring trusted hosts” on page 78.
Figure 54: Edit Administrator under System > Admin > Administrators
• Do not use the default administrator access profile for all new administrators. Create
one or more access profiles with limited permissions tailored to the responsibilities of
the new administrator accounts. See “Configuring access profiles” on page 78.
• By default, an administrator login that is idle for more than five minutes times out. You
can change this to a longer period on the Administrators Settings dialog shown in
Figure 55, but Fortinet does not recommend it. A web-based manager GUI or CLI
session left unattended lets anyone change your settings.
• Administrator passwords should be at least six characters long and include both
numbers and letters. For additional security, select the Enable Strong Passwords
option on the Administrators Settings dialog, shown in Figure 55, to force the use of
stronger passwords. See “Configuring the web-based manager’s global settings” on
page 82.
• Restrict the interface used for administrative access (usually port1) to just the access
protocols needed, as shown in Figure 56.
Use only the most secure protocols. Disable Telnet. Disable ping except during
troubleshooting. Use HTTP only if the network interface connects to a trusted private
network. See “Configuring the network and VLAN interfaces” on page 50.
Data security
• To protect your web servers, install the FortiWeb unit or units between the web servers
and a general purpose firewall. FortiWeb units do not replace firewalls.
• Make sure web traffic cannot bypass the FortiWeb unit in a complex network
environment.
• Restrict the interfaces used for non-administrative access to just the access protocols
your applications need, as shown in Figure 56. For example, disable Telnet: it is
insecure and rarely needed. Disable ping except during troubleshooting. See
“Configuring the network and VLAN interfaces” on page 50.
• If enabled to do so, a FortiWeb unit will hide selected data types, including user names
and passwords, that could appear in the packet payloads accompanying a log
message. You can also define your own sensitive data types, such as ages or other
identifying numbers, using regular expressions and hide them too. See “Obscuring
sensitive data in the logs” on page 329.
• FortiWeb does not encrypt or obfuscate user passwords when downloading a
configuration backup file. If you have local user accounts, the passwords will be in plain
text. Store configuration backup files in a secure location.
• Upgrade to the latest available firmware to take advantage of new definitions for
predefined robots, data types, suspicious URLs, and attack signatures.
There are two methods available:
• manual, as shown in Figure 57 (see “Uploading signature updates” on page 101)
• scheduled, as shown in Figure 58 (see “Scheduling signature updates” on
page 102)
Figure 60: SNMP community setting under System > Config > SNMP
• Configure an SNMP community and select the HA heartbeat failed option in the SNMP
Event list, as shown in Figure 60. For details, see “Configuring the SNMP agent” on
page 66.
Tuning policy
The backbone of a FortiWeb unit's web site protection is the application of server policies.
Here are a few tips to help avoid problems and increase performance:
• Disable or delete policies and policy settings with care. Any changes made to policies
take effect immediately.
• Verify that all physical web servers are covered by a policy.
If a server has no associated policy or all policies for it are disabled, FortiWeb will not
monitor web traffic to that web server. In reverse proxy mode, FortiWeb will block traffic
to servers without an enabled policy.
• The FortiWeb unit applies the many types of rules, policies and data scans in a set
order. (See “Order of execution” on page 190.) Within certain policies, such as URL
access policy, FortiWeb executes the rules in the priority you assign. Review the logic
of your web protection policies to make sure they deliver the web protection you
expect.
• When you have multiple policies or rules that apply to one configuration item (for
example, a server), make sure they are processed in order from the most specific to
most general.
For example, arrange to have specific server policies at the top of the list. Policy
matches are checked from the top of the list, downward. For example, a very general
policy matches all connection attempts. But if you create a policy that contains
exceptions, you want it processed before the general policy.
For example, when creating a content filter for XML protection profiles, arrange the
priority of content filter rules from most specific to most general, as shown in Figure 61,
because only the first matching content filter rule is applied. This prevents general
content filter rules, which match a wide range of traffic and whose action is Accept or
Deny, from superseding and effectively masking other content filter rules whose action
is Alert. See “Configuring content filter rules” on page 166.
Figure 61: Edit Content Filter under XML Protection > Content Filter
Tuning performance
When configuring your FortiWeb unit and its features, there are many settings and
practices that can yield better performance.
System performance
• Verify that the system time and time zone are correct. Many features rely on a correct
system time. See “Configuring system time” on page 100.
• To reduce latency associated with DNS queries, use a DNS server on your local
network as your primary DNS. See “Configuring the DNS settings” on page 58.
• Where applicable, create one or more VLAN interfaces. VLANs reduce the size of a
broadcast domain and the amount of broadcast traffic received by network hosts, thus
improving network performance. See “Adding a VLAN subinterface” on page 53.
• Avoid recording log messages using low severity thresholds, such as information or
notification, to the local hard disk for an extended period of time. Excessive logging
frequency saps system resources and can cause undue wear on the hard disk and
may cause premature failure. See “Configuring global log settings” on page 324.
• Generating reports can be resource intensive. To avoid performance impacts, consider
scheduling report generation during times with low traffic volume, such as at night and
on weekends. See Figure 63 and “Configuring the schedule of a report profile” on
page 351.
Figure 64: Data Type Group under Server Policy > Predefined Pattern
• When configuring a suspicious URL rule, clear one or more server type options if you
do not operate all three web servers, as shown in Figure 65. By pruning the list, you
reduce the resources used by the FortiWeb unit when applying the rule. See “Grouping
suspicious URLs” on page 154.
Figure 65: Suspicious URL Rule under Server Policy > Predefined Pattern
• When you configure a server protection rule as part of a web protection profile,
consider limiting the scope and application of the Information Disclosure options shown
in Figure 66. (Click the blue arrow next to Information Disclosure to see the list.)
Do you need to watch for all the information types? If not, clear applicable options to
increase performance. See “Configuring server protection rules” on page 201.
Figure 66: Server Protection Rule under Web Protection > Server protection Rule
The Information Disclosure feature can potentially require the FortiWeb unit to
rewrite the header and body of every request from a server, resulting in reduced
performance. Fortinet recommends enabling this feature only to help you identify
information disclosure through logging, and until you can reconfigure the server to omit
such sensitive information. Clear the All / None option to disable the feature.
• If you use the web anti-defacement feature, tune your configuration to avoid backing
up overly large files. See Figure 67 and “Configuring anti-defacement” on page 293.
Unless you need to back up large files, reduce the setting for the Skip Files Larger
Than option from the default of 10 240 KB.
Use the Skip Files With These Extensions option to exclude specific types of large
files, such as compressed files and video clips.
Troubleshooting tip
• Packet capture can be useful for troubleshooting but can be resource intensive. (See
“Debug the packet flow” on page 378.) To minimize the performance impact on your
FortiWeb unit, use packet capture only during periods of minimal traffic. Use a serial
console CLI connection rather than a Telnet or SSH CLI connection, and be sure to
stop the command when you are finished.
Troubleshooting
This chapter provides guidelines to help you determine why your FortiWeb unit is
behaving unexpectedly. It includes general troubleshooting methods and specific
troubleshooting tips using both the command line interface (CLI) and the web-based
manager.
Some CLI commands provide troubleshooting information not available through the
web-based manager. The web-based manager is better suited for viewing large amounts of
information on screen, reading logs and archives, and viewing status through the
dashboard.
This chapter includes:
• Establish a system baseline
• Check traffic flow
• Define the problem
• Search for a known solution
• Create a troubleshooting plan
• Gather system information
• Troubleshoot connectivity issues
• Troubleshoot resource issues
• Troubleshoot user and admin login issues
• Troubleshoot bootup issues
• Contact Fortinet customer support for assistance
• If a server policy exists for the web server, does the server policy reference an
auto-learning profile?
If yes, check your auto-learning report to see if the profile is gathering data. Go to Auto
Learn > Auto Learn Report and click the Detail icon to view the report.
If no, create an auto-learning profile and see if it gathers data. When an auto-learning
profile is in effect, it should gather data if you have web traffic.
• If your system utilizes secure connections (HTTPS and SSL) and there is no traffic
flow, is there a problem with your certificate?
• If you run a test attack from a browser aimed at your web site, does it show up in the
attack log?
To execute a simple attack, append the cmd.exe command to your site's URL, for
example
www.example.com/cmd.exe
Under normal circumstances, you should see a new common exploit entry, such as a
start page violation, in the Attack Log widget of the system dashboard.
If your server policies are correct and your certificate, if applicable, is valid, then move on
to “Define the problem” on page 370, and be sure to look for connectivity problems as
described in “Troubleshoot connectivity issues” on page 373.
Technical documentation
FortiWeb installation guides, administration guides, quick start guides, and other technical
documents are available online at:
http://docs.fortinet.com/fweb.html
Also check the release notes for your FortiWeb unit.
Knowledge Base
The Fortinet Knowledge Base includes a variety of articles, white papers, and other
documentation providing technical insight into a range of Fortinet products at:
http://kb.fortinet.com
The plan will act as a checklist so that you know what you have tried and what is left to
check. The checklist is helpful if more than one person will be troubleshooting: without a
written plan, people can easily become confused and steps can be skipped. Also, if you have
to pass the problem-solving to someone else, providing a detailed list of what data you
gathered and what solutions you tried demonstrates professionalism.
Be ready to add steps to your plan as needed. After you are part way through, you may
discover that you forgot some tests, or a test you performed discovered new information.
This is normal.
diagnose hardware nic list <interface>: Displays a list of specifications and settings for
the specified network interface port.
diagnose network arp list: Displays the contents of the address resolution protocol (ARP)
table.
diagnose network route list: Displays all routes in the routing table including their type,
source, and other data.
diagnose network sniffer packet <params>: Performs a packet trace on a specified network
interface.
diagnose system top <params>: Displays a list of the most system-intensive processes.
execute ping <dest>: Tests connectivity to other devices on your network or elsewhere.
execute time: Displays the system time.
execute traceroute <dest>: Traces the route of packets between your FortiWeb unit and a
specified server.
get log <log-type>: Retrieves the log type specified: event-log, traffic-log, attack-log.
get log reports <name>: Provides access to the named log report.
get router all: Displays a list of configured static routes including their IPs, masks, and
gateways.
get system interface: Displays details about each configured system interface (port).
get system performance: Displays CPU usage, memory usage, and up-time.
get system status: Provides the firmware version, serial number, BIOS, host name, and HA
status.
The above CLI commands explain how to display data. Many of these commands also
have options for modifying data. For CLI command syntax details for these and other
commands, see the FortiWeb CLI Reference.
Before using a diagnose debug command, make sure to enable the debug feature by
entering:
diagnose debug enable
• Are there routes in the routing table for default and static routes? Do all connected
subnets have a route in the routing table?
See “Verify the contents of the routing table” on page 377.
• Are the ARP table entries correct for the next-hop destination?
See “Verify the contents of the ARP table” on page 377.
• Is traffic entering the FortiWeb unit and, if so, does it arrive on the expected interface?
Is the traffic exiting the FortiWeb unit to the expected destination? Is the traffic being
sent back to the originator?
Perform a sniffer trace. See “Perform a sniffer trace” on page 377.
Debug the packet flow. See “Debug the packet flow” on page 378.
Note: If ping does not work, you likely have it disabled on at least one of the interface
settings, and firewall policies for that interface.
Both ping and traceroute require particular ports to be open on firewalls to function. Since
you typically use these tools to troubleshoot, you can allow them in the firewall policies
and on interfaces only when you need them, and otherwise keep the ports disabled for
added security.
To enable ping
1 Go to System > Network > Interface.
2 Click the Edit icon in the applicable row. A dialog appears.
3 Select PING on the Edit Interface dialog.
4 Click OK.
To sniff packets
The general form of the internal FortiWeb packet sniffer command is:
This example checks network traffic on port1, with no filter, and captures 10 packets:
diagnose network sniffer packet port1 none 1 10
See the FortiWeb CLI Reference for an explanation of the command and its parameters.
The report continues to refresh and display in the CLI window until you enter q (quit).
Monitor traffic
Heavy or unusual traffic loads can cause problems.
In the FortiWeb unit's web-based manager, you can view traffic two ways:
• Monitor current HTTP traffic on the dashboard. Go to System > Status > Status and
examine the graphs in the Policy Summary widget.
• Examine traffic history in the traffic log. Go to Logs&Report > Log Access > Traffic.
3 Go to Web Protection > Authentication Policy > Authentication Rule and determine
which rule contains the problem user group. If the user group is not part of a rule, there
is no access.
4 Go to Web Protection > Authentication Policy > Authentication Policy and locate the
policy that contains the rule governing the problem user group. If the rule is not part of
a policy, there is no access.
5 Go to Web Protection > Web Protection Profile > Inline Protection Profile and
determine which profile contains the related authentication policy. If the policy is not
part of a profile, there is no access.
6 Make sure that inline protection profile is included in the server policy that applies to
the server the user is trying to access. If the profile is not part of the server policy, there
is no access.
Authentication involves user groups, authentication rules and policy, inline protection
policy, and finally, server policy. If a user is not in a user group used in the policy for a
specific server, the user will have no access.
Note: It is rare that units experience any of the symptoms listed here. Fortinet hardware is
reliable with a long expected operation life.
When you cannot connect to the FortiWeb unit through the network using CLI or the
web-based manager, connect a PC directly to the FortiWeb unit's management console using a
serial connection. (The cable varies with the FortiWeb model. See the model's Quick Start
Guide for details.)
Open a terminal emulation interface, such as HyperTerminal, to act as the console. The
issues covered in this section all refer to various potential bootup issues. Once you have a
direct cable link to the FortiWeb unit, work through the following steps and keep a copy of
the console's output messages.
If you have multiple problems, go to the problem closest to the top of the list first, and work
your way down.
• A. Do you see the boot options menu?
• B. Do you have problems with the console text?
• C. Do you have visible power problems?
• D. You have a suspected defective FortiWeb unit
Note: In addition to major releases that contain new features, Fortinet releases patch
releases that resolve specific issues without containing new features and/or changes to
existing features. It is recommended to download and install patch releases as soon as
they are available.
Note: Before you can download firmware updates for your FortiWeb unit, you must first
register your FortiWeb unit with Fortinet Technical Support. For details, go to
http://support.fortinet.com/ or contact Fortinet Technical Support.
6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach
the TFTP server.
To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
7 Enter the following command to restart the FortiWeb unit:
execute reboot
8 As the FortiWeb unit starts, a series of system startup messages appear.
Press any key to display configuration menu........
9 Immediately press a key to interrupt the system startup.
Note: You have only three seconds to press a key. If you do not press a key soon enough,
the FortiWeb unit reboots and you must log in and repeat the execute reboot
command.
If you successfully interrupt the startup process, the following messages appear:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
Installing firmware
You can use either the web-based manager or the CLI to upgrade or downgrade the
firmware of the FortiWeb unit.
Firmware changes are either:
• an upgrade to a newer version
• a reversion to an earlier version
The firmware version number is used to determine if you are upgrading or reverting your
firmware image.
For example, if your current firmware version is
FortiWeb-1000B 4.00,build0194,100119, changing to
FortiWeb-1000B 4.00,build0192,091210, an earlier build number and date,
indicates that you are reverting.
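The comparison the paragraph describes, carried out on the version strings quoted above, as an added example that is not Fortinet code. It assumes the layout "<model> <major.minor>,build<NNNN>,<YYMMDD>" exactly as shown on this page, and treats a different model string as an error rather than comparing across models.

```python
"""Classify a FortiWeb firmware change as an upgrade or a reversion from
version strings such as "FortiWeb-1000B 4.00,build0194,100119".

Added example, not Fortinet code. Assumes the string layout
"<model> <major.minor>,build<NNNN>,<YYMMDD>" quoted on this page; the
six-digit stamp is read as two-digit year, month, day."""

import re
from datetime import date
from typing import NamedTuple

VERSION_RE = re.compile(
    r"^(?P<model>\S+)\s+(?P<major>\d+)\.(?P<minor>\d+),build(?P<build>\d+),(?P<stamp>\d{6})$"
)


class Firmware(NamedTuple):
    model: str
    major: int
    minor: int
    build: int
    built: date


def parse_version(text: str) -> Firmware:
    """Split a version string into comparable fields; raise on unknown layouts."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    s = m["stamp"]
    built = date(2000 + int(s[0:2]), int(s[2:4]), int(s[4:6]))
    return Firmware(m["model"], int(m["major"]), int(m["minor"]), int(m["build"]), built)


def classify_change(current: str, target: str) -> str:
    """Return "upgrade", "reversion" or "same".

    Version, build number and build date are compared in that order. A
    different model string is refused (assumption: images are model-specific)."""
    cur, new = parse_version(current), parse_version(target)
    if cur.model != new.model:
        raise ValueError(f"model mismatch: {cur.model} vs {new.model}")
    cur_key = (cur.major, cur.minor, cur.build, cur.built)
    new_key = (new.major, new.minor, new.build, new.built)
    if new_key > cur_key:
        return "upgrade"
    if new_key < cur_key:
        return "reversion"
    return "same"


if __name__ == "__main__":
    # The two strings quoted on this page: build0192 dated 2009-12-10 is
    # earlier than build0194 dated 2010-01-19, so this is a reversion.
    print(classify_change("FortiWeb-1000B 4.00,build0194,100119",
                          "FortiWeb-1000B 4.00,build0192,091210"))
```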
If you are installing a firmware version that requires a different size of system partition, you
may be required to format the boot device before installing the firmware by re-imaging the
boot device. In that case, do not install the firmware using this procedure. Instead, see
“Restoring firmware” on page 391.
4 In the System Information widget, in the Firmware Version row, click Update. A browse
window appears.
5 Click Browse to locate and select the firmware file that you want to install, then click
OK.
6 Click OK.
Your management computer uploads the firmware image to the FortiWeb unit. The
FortiWeb unit installs the firmware and restarts. The time required varies by the size of
the file and the speed of your network connection.
If you are downgrading the firmware to a previous version, the FortiWeb unit reverts
the configuration to default values for that version of the firmware. Either reconfigure
the FortiWeb unit or restore the configuration file. For details, see the FortiWeb Install
and Setup Guide and “Backing up and restoring configurations” on page 96.
7 Clear the cache of your web browser and restart it to ensure that it reloads the web-
based manager and correctly displays all interface changes. For details, see your
browser's documentation.
8 To verify that the firmware was successfully installed, log in to the web-based manager
and go to System > Status > Status. Text appearing in the Firmware Version row
indicates the currently installed firmware version.
9 Update the attack definitions.
Note: Installing firmware replaces the current attack definitions with those included with the
firmware release that you are installing. After you install the new firmware, make sure that
your attack definitions are up-to-date. For more information, see “Uploading signature
updates” on page 101.
6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach
the TFTP server.
To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
7 Enter the following command to download the firmware image from the TFTP server to
the FortiWeb unit:
execute restore image tftp <name_str> <tftp_ipv4>
where <name_str> is the name of the firmware image file and <tftp_ipv4> is the
IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
One of the following messages appears:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
or:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
8 Type y.
The FortiWeb unit downloads the firmware image file from the TFTP server. The
FortiWeb unit installs the firmware and restarts. The time required varies by the size of
the file and the speed of your network connection.
If you are downgrading the firmware to a previous version, the FortiWeb unit reverts
the configuration to default values for that version of the firmware. Either reconfigure
the FortiWeb unit or restore the configuration file. For details, see the FortiWeb Install
and Setup Guide and “Backing up and restoring configurations” on page 96.
9 To verify that the firmware was successfully installed, log in to the CLI and type:
get system status
The firmware version number is displayed.
10 Update the attack definitions.
Note: Installing firmware replaces the current attack definitions with those included with the
firmware release that you are installing. After you install the new firmware, make sure that
your attack definitions are up-to-date. For more information, see “Uploading signature
updates” on page 101.
3 Initiate a connection from your management computer to the CLI of the FortiWeb unit,
and log in as the admin administrator, or an administrator account whose access
profile contains Read and Write permissions in the Maintenance category.
For details, see the FortiWeb Install and Setup Guide.
4 Connect port1 of the FortiWeb unit directly or to the same subnet as a TFTP server.
5 Copy the new firmware image file to the root directory of the TFTP server.
6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach
the TFTP server.
To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
7 Enter the following command to restart the FortiWeb unit:
execute reboot
8 As the FortiWeb unit starts, a series of system startup messages appear.
Press any key to display configuration menu........
9 Immediately press a key to interrupt the system startup.
Note: You have only 3 seconds to press a key. If you do not press a key soon enough, the
FortiWeb unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following messages appear:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
14 Type B.
The FortiWeb unit saves the backup firmware image and restarts. When the FortiWeb
unit restarts, it is running the primary firmware.
Note: You have only 3 seconds to press a key. If you do not press a key soon enough, the
FortiWeb unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following messages appear:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
Restoring firmware
Restoring the firmware can be useful if:
• you are unable to connect to the FortiWeb unit using the web-based manager or the
CLI
• you want to install firmware without preserving any existing configuration
• a firmware version that you want to install requires a different size of system partition
(see the Release Notes accompanying the firmware)
• a firmware version that you want to install requires that you format the boot device (see
the Release Notes accompanying the firmware)
Unlike installing firmware, restoring firmware re-images the boot device, including the
signatures that were current at the time that the firmware image file was created. Also,
restoring firmware can only be done during a boot interrupt, before network connectivity is
available, and therefore requires a local console connection to the CLI. It cannot be done
through a network connection.
Caution: Back up your configuration before beginning this procedure, if possible. Restoring
firmware resets the configuration, including the IP addresses of network interfaces. For
information on backups, see “Backing up and restoring configurations” on page 96. For
information on reconnecting to a FortiWeb unit whose network interface configuration has
been reset, see the FortiWeb Install and Setup Guide.
Note: You have only 3 seconds to press a key. If you do not press a key soon enough, the
FortiWeb unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following messages appear:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
Note: Installing firmware replaces the current attack definitions with those included with the
firmware release that you are installing. After you install the new firmware, make sure that
your attack definitions are up-to-date. For more information, see “Uploading signature
updates” on page 101.
RFC
RFC 1213
Management Information Base for Network Management of TCP/IP-based internets: MIB-II
RFC 2616
Hypertext Transfer Protocol -- HTTP/1.1
RFC 2617
HTTP Authentication: Basic and Digest Access Authentication
RFC 2665
Definitions of Managed Objects for the Ethernet-like Interface Types
W3C standards
extensible markup language (XML) 1.0 (Third Edition)
• XML Current Status:
http://www.w3.org/standards/techs/xml#w3c_all
• W3C Recommendation 04 February 2004:
http://www.w3.org/TR/2004/REC-xml-20040204
XML Schema v1.0
• XML Schema Current Status:
http://www.w3.org/standards/techs/xmlschema#w3c_all
• XML Schema Part 0: Primer Second Edition, W3C Recommendation 28 October 2004:
http://www.w3.org/TR/2004/REC-xmlschema-0-20041028/
• XML Schema Part 1: Structures Second Edition, W3C Recommendation 28 October 2004:
http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/
• XML Schema Part 2: Datatypes Second Edition, W3C Recommendation 28 October 2004:
http://www.w3.org/TR/2004/REC-xmlschema-2-20041028/
simple object access protocol (SOAP) 1.1
• W3C Note 08 May 2000
http://www.w3.org/TR/2000/NOTE-SOAP-20000508/
web services description language (WSDL) 1.0
IEEE standards
spanning tree protocol IEEE 802.1d
virtual LANs IEEE 802.1q
FortiWeb model                                 FortiWeb-400B  FortiWeb-1000B  FortiWeb-1000C  FortiWeb-3000C
Maximum policies per unit                      20             40              60              100
Default RAM                                    1 GB           2 GB            3 GB            6 GB
Maximum persistent server sessions per policy  8 000          15 000          20 000          50 000
Maximum persistent server sessions per unit    20 000         40 000          60 000          100 000
Maximum HTTP transactions per second           10 000         22 000          27 000          40 000
Network interfaces (ports)                     4              4               4               6
VLAN interfaces                                32             32              32              32
Maximum servers per server farm                20             20              20              20
FortiWeb-VM
For a FortiWeb-VM virtual appliance running in a VMware image, the maximum number of
server sessions varies with the amount of memory available to FortiWeb-VM on the
VMware server.
To see the maximum allowed sessions, do the following:
1 Open the web-based manager.
2 Go to Server Policy > Policy.
3 Either click Create New or edit an existing policy.
4 Look at the minimum-maximum range indicator next to the Persistent Server Sessions
option. That number tells you the maximum server sessions for your installation.
The number of network interfaces (ports) for FortiWeb-VM is 4. For installation
instructions, see the FortiWeb-VM Install Guide.
You can obtain these MIB files from the Fortinet Technical Support web site,
https://support.fortinet.com/.
To communicate with your FortiWeb unit’s SNMP agent, you must first compile these MIBs
into your SNMP manager. If the standard MIBs used by the SNMP agent are already
compiled into your SNMP manager, you do not have to compile them again.
To view a trap or query’s name, object identifier (OID), and description, open its MIB file in
a plain text editor.
All traps sent include the message, the FortiWeb unit’s serial number, and host name.
For instructions on how to configure traps and queries, see “Configuring the SNMP agent”
on page 66.
Note: HTTP clients may send requests in encodings other than UTF-8. Encodings usually
vary by the client’s operating system or input language. If you cannot predict the client’s
encoding, only English portions of the request may match, because regardless of the
encoding, the values for English characters tend to be encoded identically. For example,
English words may be legible regardless of interpreting a web page as either ISO 8859-1 or
as GB2312, whereas simplified Chinese characters might only be legible if the page is
interpreted as GB2312.
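The note's point, that English keywords match under any of these encodings while non-ASCII text matches only when the client's encoding is known, demonstrated on constructed request bodies. This is an added example, not FortiWeb code; the form fields, the Chinese name and the two signature patterns are made up for illustration.

```python
"""Show why an ASCII-only signature matches a request regardless of the
client's encoding, while a non-ASCII one matches only when the request is
decoded with the right codec.

Added example, not FortiWeb code. The form body, the Chinese name and the
signature patterns are constructed for illustration."""

import re

# Constructed form body: one English field and one simplified-Chinese field.
FORM_TEXT = "comment=select * from users&name=王小明"

# The same text as two different clients might send it.
BODIES = {
    "gb2312": FORM_TEXT.encode("gb2312"),
    "utf-8": FORM_TEXT.encode("utf-8"),
}

# Byte-level patterns, as an engine that does not know the client encoding
# has to match them.
ASCII_SIG = re.compile(rb"select\s+\*\s+from")
CJK_SIG_UTF8 = re.compile(re.escape("王小明".encode("utf-8")))


def ascii_matches(body: bytes) -> bool:
    """ASCII letters have the same bytes in GB2312, ISO 8859-1 and UTF-8,
    so this matches whatever encoding the client used."""
    return ASCII_SIG.search(body) is not None


def cjk_matches(body: bytes) -> bool:
    """A pattern built from one encoding only matches bodies in that encoding."""
    return CJK_SIG_UTF8.search(body) is not None


def matches_after_decoding(body: bytes, assumed_encoding: str) -> bool:
    """Decoding with the wrong codec either fails outright or yields other
    characters (mojibake), so a text-level match still depends on guessing
    the client's encoding correctly."""
    try:
        text = body.decode(assumed_encoding)
    except UnicodeDecodeError:
        return False
    return "王小明" in text


def report() -> dict:
    """Result matrix: client encoding -> outcome of each matching strategy."""
    return {
        enc: {
            "ascii_sig": ascii_matches(body),
            "cjk_sig_utf8": cjk_matches(body),
            "decoded_as_gb2312": matches_after_decoding(body, "gb2312"),
            "decoded_as_latin1": matches_after_decoding(body, "iso-8859-1"),
        }
        for enc, body in BODIES.items()
    }


if __name__ == "__main__":
    for enc, res in report().items():
        print(enc, res)
```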
In order to configure your FortiWeb unit using other encodings, you may need to switch
language settings on your management computer, including for your web browser or
Telnet/SSH client. For instructions on how to configure your management computer’s
operating system language, locale, or input method, see its documentation.
Note: If you choose to configure parts of the FortiWeb unit using non-ASCII characters,
verify that all systems interacting with the FortiWeb unit also support the same encodings.
You should also use the same encoding throughout the configuration if possible in order to
avoid needing to switch the language settings of your web browser or Telnet/SSH client
while you work.
In a similar fashion, your web browser or CLI client should usually interpret display output
as encoded using UTF-8. If it does not, your configured items may not display correctly in
the web-based manager or CLI. Exceptions include items such as regular expressions
that you may have configured using other encodings in order to match the encoding of
HTTP requests that the FortiWeb unit receives.
For information on configuring the display language of the web-based manager, see
“Configuring the web-based manager’s global settings” on page 82.
Table 146: Default ports FortiWeb uses for incoming traffic and listening
Take care when reassigning ports. Many UDP and TCP port numbers have internationally
recognized IANA port assignments and are commonly associated with specific
applications or protocols.