
FortiWeb™ Web Application Firewall

Version 4.0 MR2 Administration Guide

FortiWeb™ Web Application Firewall Administration Guide
Version 4.0 MR2
Revision 10
16 June 2011

© Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory compliance

FCC Class A Part 15 CSA/CUS

Contents

Introduction ............................................................................................ 13
Scope ............................................................................................................................. 14

Workflow ........................................................................................................................ 14

Deleting entries ............................................................................................................. 15

Characteristics of XML threats .................................................................................... 15

Characteristics of HTTP threats .................................................................................. 16

Customer service & technical support ....................................................................... 18

Documentation Conventions ....................................................................................... 19
IP addresses............................................................................................................. 19
Cautions, Notes, & Tips ............................................................................................ 19
Typographical conventions ....................................................................................... 19
Command syntax conventions.................................................................................. 20

What’s new ............................................................................................. 23

About the web-based manager............................................................. 25

Deployment guidelines.......................................................................... 27
Deployment prerequisites ......................................................................................... 27
Server policy ...................................................................................................... 27
Deployment workflow................................................................................................ 27

Phase 1: Examine the initial configuration................................................................. 28
Do a visual check...................................................................................................... 28
Check dynamic data on the dashboard .................................................................... 28
Check your auto-learning data.................................................................................. 29

Phase 2: Monitor and tune the configuration............................................................. 30
Stay diligent .............................................................................................................. 30
Tune up alerts........................................................................................................... 30
Define logs, reports and email alerts ........................................................................ 32

Phase 3: Test for vulnerabilities .................................................................................. 33
Stay diligent .............................................................................................................. 33
Aggregate attack types ............................................................................................. 34
Search for vulnerabilities .......................................................................................... 34

Phase 4: Switch from offline protection mode (if applicable)................................... 35
Prepare to switch operation mode ............................................................................ 36
Change operation mode ........................................................................................... 36
Reconfigure your system.......................................................................................... 36
Retest your system................................................................................................... 37
Remain diligent ......................................................................................................... 37

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide, Revision 10, http://docs.fortinet.com/

Phase 5: Prepare for full operation ............................................................................. 37
Extend your server configuration .............................................................................. 37
Remain diligent ......................................................................................................... 38
Make final deployment settings ................................................................................ 38

What else can you do? ................................................................................................. 39

System .................................................................................................... 41
Viewing system status.................................................................................................. 41
System Information widget ....................................................................................... 43
Changing the FortiWeb unit’s host name ........................................................... 45
CLI Console widget................................................................................................... 45
System Resources widget ........................................................................................ 47
Policy Summary widget ............................................................................................ 47
Attack Log Console widget ....................................................................................... 48
Event Log Console widget ........................................................................................ 48
Service Status widget ............................................................................................... 49
Policy Sessions widget ............................................................................................. 50
Configuring the network and VLAN interfaces .......................................................... 50
Adding a VLAN subinterface..................................................................................... 53
Configuring v-zones (bridges)................................................................................... 55
Configuring fail-open................................................................................................. 58

Configuring the DNS settings ...................................................................................... 58

Synchronizing configurations ..................................................................................... 59

Configuring high availability (HA) ............................................................................... 61
About the heartbeat and synchronization ................................................................. 65
Configuring the SNMP agent ....................................................................................... 66
Configuring an SNMP community............................................................................. 68

Configuring DoS protection ......................................................................................... 70

Configuring the operation mode ................................................................................. 71

Viewing RAID status ..................................................................................................... 74

Configuring administrator accounts ........................................................................... 75
Configuring trusted hosts.......................................................................................... 78
Configuring access profiles....................................................................................... 78
About permissions .................................................................................................... 80

Configuring the web-based manager’s global settings ............................................ 82

Managing certificates ................................................................................................... 84
Managing local and server certificates ..................................................................... 84
Generating a certificate signing request............................................................. 86
Submitting a certificate signing request.............................................................. 88
Uploading a certificate........................................................................................ 88
Managing OCSP server certificates.......................................................................... 90
Managing CA certificates.......................................................................................... 90

Grouping CA certificates .................................................................................... 91
Managing certificates for intermediate CAs........................................................ 92
Grouping certificates for intermediate CAs......................................................... 94
Managing the certificate revocation list..................................................................... 95
Configuring certificate verification rules .................................................................... 95

Backing up and restoring configurations................................................................... 96

Configuring an FTP backup and schedule ................................................................. 98
Restoring an FTP backup ....................................................................................... 100

Configuring system time ............................................................................................ 100

Uploading signature updates..................................................................................... 101

Scheduling signature updates................................................................................... 102

Accessing the Setup Wizard ...................................................................................... 104

Router.................................................................................................... 105
Configuring static routes ........................................................................................... 105

Users and user groups ........................................................................ 107
User creation workflow ........................................................................................... 107

Configuring local users .............................................................................................. 108

Configuring LDAP user queries................................................................................. 109

Configuring RADIUS user queries............................................................................. 111

Configuring NTLM user queries ................................................................................ 113

Grouping users ........................................................................................................... 114

Server policy......................................................................................... 117
Server policy workflow requirements ...................................................................... 117

Configuring server policies........................................................................................ 118
Enabling or disabling a policy ................................................................................. 128

Configuring servers .................................................................................................... 129
Configuring virtual servers ...................................................................................... 129
Enabling or disabling a virtual server ............................................................... 130
Configuring physical servers................................................................................... 131
Enabling or disabling a physical server ............................................................ 133
Configuring domain servers.................................................................................... 133
Enabling or disabling a domain server ............................................................. 135
Grouping physical and domain servers into server farms....................................... 135
Configuring HTTP content routing policy ................................................................ 139
Configuring HTTP conversion policy ...................................................................... 141

Configuring server health checks ............................................................................. 143

Configuring services .................................................................................................. 145
Viewing the list of custom services ......................................................................... 145
Viewing the list of predefined services.................................................................... 146

Configuring protected servers................................................................................... 147

Configuring predefined patterns ............................................................................... 150
Grouping predefined data types ............................................................................. 150
Viewing the list of predefined data types ................................................................ 152
Grouping suspicious URLs ..................................................................................... 154
Viewing predefined URL rules ................................................................................ 155

Configuring custom patterns..................................................................................... 156
Creating custom data types .................................................................................... 156
Creating custom suspicious URLs.......................................................................... 157
Creating custom suspicious URL rules................................................................... 158

Configuring custom application policies.................................................................. 160
Custom application workflow .................................................................................. 160
Configuring URL replacers ..................................................................................... 160
Configuring application policies .............................................................................. 161

XML protection ..................................................................................... 163
XML protection profile workflow.............................................................................. 163

Configuring protection schedules............................................................................. 163
Configuring one-time schedules ............................................................................. 164
Configuring recurring schedules ............................................................................. 165

Configuring content filter rules ................................................................................. 166
How priority affects content filter rule matching ...................................................... 169
Enabling or disabling a content filter rule................................................................ 169

Configuring intrusion prevention rules .................................................................... 170
Enabling or disabling an intrusion prevention rule .................................................. 172

Configuring WSDL content routing groups.............................................................. 173

Managing XML signature and encryption keys........................................................ 175
Uploading a key ...................................................................................................... 175
Grouping keys into key management groups ......................................................... 176

Managing schema files............................................................................................... 178
Enabling or disabling a schema file ........................................................................ 180

Managing WSDL files.................................................................................................. 181
Enabling and disabling operations in a WSDL file .................................................. 182
Grouping WSDL files .............................................................................................. 183

Configuring XML protection profiles......................................................................... 184

Web protection ..................................................................................... 189
Web protection profile workflow.............................................................................. 189

Order of execution ...................................................................................................... 190

Responding to web protection rule violations ......................................................... 191

Configuring HTTP parameter validation rules.......................................................... 192
Configuring parameter validation input rules .......................................................... 194

Configuring page access rules.................................................................................. 198

Configuring server protection rules.......................................................................... 201
Configuring server protection exceptions ............................................................... 207
Configuring custom protection groups .................................................................... 209
Configuring custom protection rules ....................................................................... 211

Configuring start page rules ...................................................................................... 213

Configuring URL access policy ................................................................................. 216
Configuring URL access rules ................................................................................ 218

Configuring an IP list policy....................................................................................... 220
Viewing the top 10 IP blacklist candidates.............................................................. 223

Configuring brute force login profiles ...................................................................... 224

Configuring robot control profiles ............................................................................ 227
Configuring predefined robot groups ...................................................................... 230
Configuring custom robot groups............................................................................ 232
Viewing the list of predefined robots....................................................................... 234

Configuring allowed request method policy ............................................................ 235
Configuring allowed method exceptions ................................................................. 237

Configuring hidden field protection profiles ............................................................ 239
Configuring hidden field rules ................................................................................. 241

Configuring URL rewriting policy.............................................................................. 244
Configuring URL rewriting rules.............................................................................. 246
URL rewriting examples.......................................................................................... 250
Rewriting URLs using regular expressions ...................................................... 251
Rewriting URLs using variables ....................................................................... 251

Configuring HTTP protocol constraint profiles........................................................ 252
Configuring HTTP protocol constraint exceptions .................................................. 254

Configuring authentication policy............................................................................. 257
HTTP authentication policy workflow...................................................................... 259
Configuring authentication policy............................................................................ 259
Configuring authentication rules ............................................................................. 261

Configuring file upload restriction policy................................................................. 263
Configuring file upload restriction rules................................................................... 265

Configuring inline protection profiles....................................................................... 268
Inline protection profile workflow............................................................................. 268
Configuring an inline protection profile ................................................................... 269

Configuring offline protection profiles ..................................................................... 274
Offline protection profile workflow........................................................................... 274
Configuring an offline protection profile .................................................................. 275

Applying auto-learning profiles ................................................................................. 278
Auto-learning profile workflow................................................................................. 278
Configuring auto-learning profiles........................................................................... 279

Auto learn ............................................................................................. 281
Generating an auto-learning profile and its components ....................................... 281

Viewing auto-learning reports ................................................................................... 282
Using the navigation pane ...................................................................................... 284
Using the report display pane ................................................................................. 285
Overview tab .................................................................................................... 286
Attacks tab ....................................................................................................... 287
Visits tab........................................................................................................... 288
Parameters tab................................................................................................. 288
Cookies tab ...................................................................................................... 288

About the attack count ............................................................................................ 289

Generating a profile from auto-learning data ........................................................... 289

Web anti-defacement ........................................................................... 293
Configuring anti-defacement ..................................................................................... 293

About web site backups.......................................................................................... 297

Reverting a web site to a backup revision................................................................ 297

Web vulnerability scans ...................................................................... 299
Web vulnerability scan workflow............................................................................. 299

Preparing for the vulnerability scan.......................................................................... 300

Configuring web vulnerability scan policies ............................................................ 300
Starting and stopping a web vulnerability scan....................................................... 302

Configuring web vulnerability scan profiles ............................................................ 303

Configuring web vulnerability scan schedules........................................................ 308

Viewing scan history and reports.............................................................................. 309
About web vulnerability scan reports ...................................................................... 310

Logs and reports.................................................................................. 313
Log configuration workflow ..................................................................................... 313

About logging.............................................................................................................. 313
Log types ................................................................................................................ 314
Log priority levels.................................................................................................... 314

Log message field descriptions ................................................................................ 314

Configuring log alert policies .................................................................................... 316
Configuring email policies....................................................................................... 317
Configuring Syslog policies..................................................................................... 319
Configuring FortiAnalyzer policies .......................................................................... 321
Configuring trigger policies ..................................................................................... 322

Configuring and enabling logging............................................................................. 323
Configuring global log settings................................................................................ 324
Enabling logging ..................................................................................................... 327
Obscuring sensitive data in the logs ....................................................................... 329

Viewing log messages................................................................................................ 331
Selecting a log type to view .................................................................................... 332
Viewing log message details .................................................................................. 335
Viewing packet log details ...................................................................................... 336
Customizing the log view........................................................................................ 337
Displaying and arranging log columns ............................................................. 338
Filtering log messages ..................................................................................... 339
Grouping similar attack log messages ............................................................. 340

Searching attack logs ............................................................................................. 341

Downloading log messages....................................................................................... 343

Configuring and generating reports.......................................................................... 344
Configuring a report profile ..................................................................................... 346
Configuring the headers, footers, and logo of a report profile .......................... 347
Configuring the time period and log filter of a report profile ............................. 348
Configuring the query selection of a report profile............................................ 349
Configuring the advanced options of a report profile........................................ 350
Configuring the schedule of a report profile ..................................................... 351
Configuring the output of a report profile.......................................................... 352

Viewing and downloading reports............................................................................. 353

Fine tuning and best practices ........................................................... 355
Avoiding problems...................................................................................................... 355

Tuning security ........................................................................................................... 357

Tuning high availability (HA)...................................................................................... 361
Set an SNMP HA heartbeat alert............................................................................ 362

Tuning policy............................................................................................................... 362

Tuning performance ................................................................................................... 363
Troubleshooting tip ................................................................................................. 368

Troubleshooting................................................................................... 369
Establish a system baseline ...................................................................................... 369

Check traffic flow ........................................................................................................ 369

Define the problem...................................................................................................... 370

Search for a known solution ...................................................................................... 371Technical documentation........................................................................................ 371Knowledge Base..................................................................................................... 371Fortinet technical discussion forums....................................................................... 371Fortinet training services online campus ................................................................ 371

Create a troubleshooting plan ................................................................................... 371Check your access ................................................................................................. 372

Gather system information ........................................................................................ 372Check port assignments ......................................................................................... 373

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide, Revision 10 (http://docs.fortinet.com/)


    Troubleshoot connectivity issues .................................................................... 373
        Check hardware connections ..................................................................... 374
        Run ping and traceroute ........................................................................... 374
            Check connections with ping ................................................................. 375
            Check routes with traceroute ................................................................ 376
        Verify the contents of the routing table ..................................................... 377
        Verify the contents of the ARP table .......................................................... 377
        Perform a sniffer trace ............................................................................ 377
            What can sniffing packets tell you ........................................................ 378
        Debug the packet flow ............................................................................. 378
    Troubleshoot resource issues ......................................................................... 378
        Look for system-intensive processes .......................................................... 378
        Monitor traffic ....................................................................................... 379
        Prepare for attacks ................................................................................. 379
    Troubleshoot user and admin login issues ....................................................... 379
        Use correct user name and password combination for user ............................ 379
        Check user authentication policies ............................................................. 379
        Change an administrator's password .......................................................... 380
        Trusted hosts for admin account will not allow current IP ............................. 380
    Troubleshoot bootup issues ............................................................................ 381
        A. Do you see the boot options menu ......................................................... 381
        B. Do you have problems with the console text ........................................... 381
        C. Do you have visible power problems ....................................................... 382
        D. You have a suspected defective FortiWeb unit ......................................... 382
    Contact Fortinet customer support for assistance ............................................ 382

Installing new firmware ......................................................................................... 385
    Testing new firmware before installing it ....................................................... 385
    Installing firmware ...................................................................................... 387
    Installing backup firmware ........................................................................... 389
    Restoring firmware ...................................................................................... 391

Appendix A: Supported RFCs, W3C and IEEE standards ......................................... 395

Appendix B: Maximum values .................................................................................. 397
    FortiWeb-VM ............................................................................................... 397
    Interpreting maximum values ........................................................................ 397
        Persistent server sessions ........................................................................ 398
        Network and VLAN interfaces .................................................................... 398


Appendix C: SNMP MIB support......................................................... 399

Appendix D: Language support & regular expressions................... 401

Appendix E: Ports used by FortiWeb................................................. 403

Index...................................................................................................... 405


Introduction

Welcome and thank you for selecting Fortinet products for your network protection. FortiWeb units are designed specifically to protect web servers.

The FortiWeb family of web application firewalls provides specialized, layered application threat protection. FortiWeb’s integrated web application and XML firewalls protect your web-based applications and internet-facing data from attack and data loss. Using advanced techniques to provide bidirectional protection against sophisticated threats like SQL injection and cross-site scripting, FortiWeb helps you prevent identity theft, financial fraud and corporate espionage. FortiWeb delivers the technology you need to monitor and enforce government regulations, industry best practices, and internal policies.

FortiWeb significantly reduces deployment costs by consolidating a web application firewall, XML filtering, web traffic acceleration, and application traffic balancing into a single device. It drastically reduces the time required to protect your internet-facing data and eases the challenges associated with policy enforcement and regulatory compliance.

Its intelligent, application-aware, load-balancing engine:
• increases application performance
• improves resource utilization
• improves application stability
• reduces server response times.

In addition to providing application content-based routing and in-depth protection for many HTTP/HTTPS- and XML-specific attacks, FortiWeb units contain specialized hardware to accelerate SSL processing, and can thereby enhance both the security and the performance of connections to your web servers.

This chapter introduces you to the following topics:
• Registering your Fortinet product
• Scope
• Workflow
• Deleting entries
• Characteristics of XML threats
• Characteristics of HTTP threats
• Customer service & technical support
• Documentation
• Documentation Conventions

Registering your Fortinet product

Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.

Note: Any reference to a FortiWeb unit also applies to FortiWeb-VM, unless specifically noted otherwise. Both versions perform the same tasks and you configure them the same way. Only their installation differs.

Scope

This document describes how to use the web-based manager of the FortiWeb unit. It assumes you have already successfully installed the FortiWeb unit by following the instructions in the FortiWeb Install and Setup Guide.

At this stage:
• The FortiWeb unit is integrated into your network and is powered on.
• You have completed firmware updates, if applicable.
• You configured a port on the FortiWeb unit during installation. You must configure at least one port to access the web-based manager or CLI. If not, consult the FortiWeb Install and Setup Guide.
• You have administrative access to the web-based manager through a browser, and you can log in successfully. If not, consult the FortiWeb Install and Setup Guide.
• You have given the default administrator a password. If not, consult the FortiWeb Install and Setup Guide or refer to “Configuring administrator accounts” on page 75.
• You have set the operation mode. If not, consult the FortiWeb Install and Setup Guide or refer to “Configuring the operation mode” on page 71.
• You have configured additional network interfaces. If not, consult the FortiWeb Install and Setup Guide or refer to “Configuring the network and VLAN interfaces” on page 50.
• You have configured the system time. If not, consult the FortiWeb Install and Setup Guide or refer to “Configuring system time” on page 100.
• You have configured the DNS. If not, consult the FortiWeb Install and Setup Guide or refer to “Configuring the DNS settings” on page 58.
• You have configured a default gateway. If not, consult the FortiWeb Install and Setup Guide or refer to “Configuring static routes” on page 105.
• You have configured basic logging. If not, consult the FortiWeb Install and Setup Guide or refer to “Configuring log alert policies” on page 316.
• You have created at least one server policy. If not, consult the FortiWeb Install and Setup Guide or refer to “Server policy workflow requirements” on page 117.

This document does not cover commands for the command line interface (CLI). For information on the CLI, see the FortiWeb CLI Reference.

Workflow

There is a logical order to follow during the setup and configuration of your FortiWeb unit. Make sure you have followed the workflow steps documented in the FortiWeb Install and Setup Guide. That workflow guides you through installation, setup, and the creation of a basic system.

This document explains how to develop more comprehensive server policies and other protection features for your web sites and web servers.


For a first-time FortiWeb user, read the chapter on deployment guidelines before going further. See “Deployment guidelines” on page 27.

You can find targeted workflow information throughout this guide:
• Look for a workflow topic on the opening page of several chapters.
• Within some chapters, complicated topics also have a workflow section.
• Within feature descriptions, look for a brief tip on recommended workflow.

Server policies provide most of FortiWeb's protection features. When you begin to expand existing server policies or create new ones, review “Server policy workflow requirements” on page 117. This topic gives the highest-level workflow. The creation of a server policy involves multiple steps, and you can drill down into workflow topics in other chapters.

Deleting entries

As you configure your FortiWeb unit, you create entries in the tables on tabs accessed by the menu. The ability to delete entries on any table is limited—you cannot delete or remove an item that is a component of something else. A few examples are:
• You cannot delete a user on one of the user tabs if that user is a member of a group, unless you first remove the user from the group.
• You cannot delete a group if that group is used by an authentication rule, unless you first remove the group from the rule.
• You cannot remove an XML protection schedule item if it is used in the Period option of a content filter rule, unless you first remove the schedule reference from the rule.
• You cannot delete a web protection parameter validation rule if it is used by an inline or offline protection profile, unless you first remove the rule reference from the profile.

The Delete icon does not appear next to a table item if the delete operation is not allowed.

Characteristics of XML threats

XML messages can be relatively large: many megabytes and thousands of packets. Unstructured matching of elements in those messages is both CPU- and memory-intensive. Because of the complexity of XML content, it is often not practical to develop signatures for XML-specific attacks on a traditional firewall or UTM. This leads to “zero day” vulnerabilities before attacks can be characterized and signatures developed.

FortiWeb units understand the XML protocol and only allow XML operations that you specifically allow. Table 1 lists several XML-related threats and describes how FortiWeb units protect against them.


Table 1: XML-related threats

Each entry gives the attack technique, a description, the general protection approach, and the FortiWeb solution.

Schema Poisoning
    Description: Manipulating the XML schema to alter processing information.
    Protection: Protect against schema poisoning by relying on trusted WSDL documents and XML schemas.
    FortiWeb Solution: The Schema Poisoning option in the protection profile prevents external schema references from being used.

XML Parameter Tampering
    Description: Injection of malicious scripts or content into request parameters.
    Protection: Validation of parameter values to ensure they are consistent with WSDL and XML schema specifications.
    FortiWeb Solution: Schema validation in the protection profile.

Inadvertent XML DoS
    Description: Poorly encoded SOAP messages causing the application to fail.
    Protection: Content inspection ensures SOAP messages are constructed properly according to WSDL, XML schema and intrusion prevention rules.
    FortiWeb Solution: Schema validation, WSDL verification and intrusion prevention rule in the protection profile.

WSDL Scanning
    Description: Scanning the WSDL interface can reveal sensitive information about invocation patterns, underlying technology and associated vulnerabilities.
    Protection: Web services cloaking hides the web services' true location from consumers.
    FortiWeb Solution: WSDL scanning option and the ability to filter services from the WSDL on a per-IP / time basis.

Oversized Payload
    Description: Sending oversized messages to create an XDoS attack.
    Protection: Inspect the payload and enforce element, document, and other maximum payload thresholds.
    FortiWeb Solution: XML documents are checked with schema and intrusion prevention rule.

Recursive Payload
    Description: Sending mass amounts of nested data to create an XDoS attack against the XML parser.
    Protection: Content inspection ensures SOAP messages are constructed properly according to WSDL, XML schema, and other security specifications.
    FortiWeb Solution: Intrusion prevention definition.

SQL Injection
    Description: SQL injection allows commands to be executed directly against the database for unauthorized disclosure and modification of data.
    Protection: Rely on dirty word searches, restrictive context-sensitive filtering and data validation techniques.
    FortiWeb Solution: XML Profile option to filter SQL transactions from XML documents.

External Entity Attack
    Description: An attack on an application that parses XML input from untrusted sources (DTD internal subset).
    Protection: Suppress external URI references to protect against malicious data sources and instructions; rely on well-known and certified URIs.
    FortiWeb Solution: Similar to schema poisoning.

Characteristics of HTTP threats

Web applications are increasingly being targeted by exploits such as SQL injection and cross-site scripting attacks. These attacks aim to compromise the target web server, either to steal information or to post malicious files on a trusted site to further exploit visitors to the site. The types of attacks that web servers are vulnerable to are numerous and varied. FortiWeb units offer several options for preventing web-related attacks. Table 2 lists several web-related threats and describes how FortiWeb units protect against them.
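The Oversized Payload, Recursive Payload and External Entity Attack rows of Table 1 all come down to the same defensive idea: inspect the document while it is being parsed and stop the moment a threshold is crossed, rather than expanding the whole message first. The following Python is an added example written for this page, not FortiWeb code or Fortinet's implementation. It uses the standard library's expat parser in streaming mode to enforce a size limit, a nesting-depth limit and an element-count limit, and it refuses any DOCTYPE or entity declaration outright, which is a stricter policy than the table's "suppress external URI references". The thresholds, class names and sample documents are all assumptions constructed for the example.

```python
# Added example for this page, not FortiWeb code. Enforces payload-size,
# nesting-depth and element-count thresholds while streaming the document
# through expat, and refuses DOCTYPE / entity declarations outright.
# All thresholds, class names and sample documents below are assumptions.
import xml.parsers.expat
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class XmlLimits:
    max_bytes: int = 64 * 1024     # "oversized payload" threshold (assumed)
    max_depth: int = 32            # "recursive payload" threshold (assumed)
    max_elements: int = 10_000     # total element threshold (assumed)


class XmlPolicyViolation(Exception):
    """Raised as soon as the document breaks a limit; parsing stops there."""


def inspect_xml(payload: bytes, limits: Optional[XmlLimits] = None) -> dict:
    """Stream-parse payload, enforcing limits as elements are seen, so a
    hostile document is rejected before it is fully expanded in memory.
    Returns a small summary on success; raises XmlPolicyViolation otherwise."""
    limits = limits or XmlLimits()
    if len(payload) > limits.max_bytes:
        raise XmlPolicyViolation(f"payload {len(payload)} bytes exceeds {limits.max_bytes}")

    state = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = xml.parsers.expat.ParserCreate()

    def start_doctype(name, system_id, public_id, has_internal_subset):
        # A DTD is where entity declarations live; this policy refuses all of them.
        raise XmlPolicyViolation(f"DOCTYPE '{name}' not permitted")

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        raise XmlPolicyViolation(f"entity declaration '{name}' not permitted")

    def external_ref(context, base, system_id, public_id):
        raise XmlPolicyViolation(f"external entity reference {system_id!r} not permitted")

    def start_element(name, attributes):
        state["depth"] += 1
        state["elements"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > limits.max_depth:
            raise XmlPolicyViolation(f"nesting depth exceeds {limits.max_depth}")
        if state["elements"] > limits.max_elements:
            raise XmlPolicyViolation(f"element count exceeds {limits.max_elements}")

    def end_element(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(payload, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlPolicyViolation(f"malformed XML: {exc}") from exc
    return {"elements": state["elements"], "max_depth": state["max_depth"]}


def verdict(payload: bytes, limits: Optional[XmlLimits] = None) -> str:
    """'allowed', or 'blocked: <reason>' suitable for a log line or alert."""
    try:
        inspect_xml(payload, limits)
    except XmlPolicyViolation as exc:
        return f"blocked: {exc}"
    return "allowed"


# Constructed sample documents (not captured traffic).
SAMPLE_SOAP = (b'<?xml version="1.0"?>'
               b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
               b'<soap:Body><GetQuote><Symbol>ACME</Symbol></GetQuote></soap:Body>'
               b'</soap:Envelope>')
SAMPLE_EXTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                          b'<!DOCTYPE foo [<!ENTITY ext SYSTEM "http://example.invalid/e.xml">]>'
                          b'<foo>&ext;</foo>')
SAMPLE_DEEP = b"<a>" * 40 + b"<b/>" + b"</a>" * 40   # 41 levels of nesting

if __name__ == "__main__":
    for label, doc in [("soap", SAMPLE_SOAP), ("entity", SAMPLE_EXTERNAL_ENTITY), ("deep", SAMPLE_DEEP)]:
        print(label, verdict(doc))
```

Because the checks run inside the parser callbacks, a document that nests 40 levels deep is rejected at level 33 and the remaining bytes are never examined; the same applies to the DOCTYPE, which is refused before its internal subset is read.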

Table 2: Web-related threats

Each entry gives the attack technique, a description, the general protection approach, and the FortiWeb solution.

Cross-site request forgery (CSRF)
    Description: A script causes a browser to access a web site on which the browser has already been authenticated, giving a third party access to a user’s session on that site.
    Protection: Enforce web application business logic to prevent random access to URLs.
    FortiWeb Solution: Apply page access rules.

Cross-site scripting (XSS)
    Description: Attackers cause a browser to execute a client-side script, allowing them to bypass security.
    Protection: Content filtering, cookie security, disable client-side scripts.
    FortiWeb Solution: Apply XSS signature scanning in server protection rules.

SQL injection
    Description: SQL injection allows commands to be executed directly against the database for unauthorized disclosure and modification of data.
    Protection: Rely on dirty word searches, restrictive context-sensitive filtering and data validation techniques.
    FortiWeb Solution: Apply parameter validation rules, hidden fields protection features, and SQL injection signature scanning.

Attacks via Flash AMF binary protocol
    Description: Attackers attempt XSS, SQL injection or other common exploits through a Flash client.
    Protection: Actively scan Flash action message format binary data for known exploits.
    FortiWeb Solution: Apply AMF3 protocol scanning for known exploits.

Information leakage
    Description: A web server reveals details (such as its OS, server software and installed modules) in responses or error messages. An attacker can leverage this information to craft exploits for a specific system or configuration.
    Protection: Configure server software to minimize information leakage.
    FortiWeb Solution: Information disclosure detection in server protection rules can alert when leakage happens, or block it altogether. URL rewriting can hide underlying implementation details.

Credit card theft
    Description: Attackers use exploits to obtain users’ credit card information from a secure server.
    Protection: Detect and block credit card disclosure.
    FortiWeb Solution: Credit card detection in server protection rules can detect and block disclosure of credit card numbers on web pages.

SYN flood DoS attack
    Description: An attacker sends multiple SYN messages to a host without responding to an ACK reply, leaving connections half open and consuming resources on the server. This may cause the server to ignore SYN messages from legitimate users and reduce service.
    Protection: Detect increased SYN activity, and close half-open connections before resources are exhausted.
    FortiWeb Solution: Use a configurable threshold to detect a flood of SYN messages.

Brute force login attack
    Description: An attacker attempts to gain authorization by repeatedly trying ID and password combinations until one works.
    Protection: Require strong passwords for users, and throttle login attempts.
    FortiWeb Solution: Brute force login policies can throttle the number of login attempts per standalone or shared IP for specific resources.

Bad robots
    Description: Misbehaving web crawlers ignore the robots.txt file, and consume server resources and bandwidth on a site.
    Protection: Ban bad robots by source IP or User Agent field.
    FortiWeb Solution: Robot control can throttle requests per IP, and block robots identified by the User Agent field.

HTTP protocol attack
    Description: Attackers use specially crafted HTTP requests to target web server vulnerabilities (such as a buffer overflow) to execute malicious code.
    Protection: Limit the length of HTTP protocol fields.
    FortiWeb Solution: HTTP protocol constraint policies enforce configurable limits on the length of HTTP headers, bodies, and parameters.

Customer service & technical support

Fortinet Technical Support provides services designed to make sure that you can install your Fortinet products quickly, configure them easily, and operate them reliably in your network. To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com.

You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article Technical Support Requirements.

Training

Fortinet Training Services provides classes that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://training.fortinet.com, or email them at [email protected].

Fortinet Knowledge Base

The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Documentation

The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes.

In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Base.
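Returning to Table 2, two of its rows describe controls that are simple enough to reason about in code: the HTTP protocol attack row (configurable length limits on headers, bodies and parameters) and the Brute force login attack row (throttling login attempts per source IP for a specific resource). The following Python is an added illustration written for this page, not FortiWeb code or Fortinet's implementation. The limit values, the `/login` path, the class names and the two sample requests are assumptions constructed for the example; the brute-force check is a sliding-window counter keyed by source IP.

```python
# Added example for this page, not FortiWeb code. Applies two Table 2 controls
# to raw HTTP/1.1 requests: protocol constraints (length limits on the URL,
# header lines, body and parameters) and a sliding-window brute-force login
# throttle per source IP. Limits, paths, names and sample requests are assumed.
from collections import deque
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class ProtocolConstraints:
    max_url_len: int = 2048
    max_header_line_len: int = 4096
    max_header_count: int = 50
    max_body_len: int = 1_000_000
    max_param_name_len: int = 64
    max_param_value_len: int = 1024


@dataclass(frozen=True)
class BruteForceLimit:
    login_path: str = "/login"     # assumed login resource
    max_attempts: int = 5          # attempts allowed per window per source IP
    window_seconds: float = 60.0


@dataclass
class Inspector:
    constraints: ProtocolConstraints = field(default_factory=ProtocolConstraints)
    brute: BruteForceLimit = field(default_factory=BruteForceLimit)
    attempts: dict = field(default_factory=dict)   # src_ip -> deque of timestamps

    def check_protocol(self, raw: bytes) -> list:
        """Return the list of constraint violations for one raw request
        (an empty list means the request is within every limit)."""
        c = self.constraints
        head, _, body = raw.partition(b"\r\n\r\n")
        request_line, *headers = head.split(b"\r\n")
        parts = request_line.split(b" ")
        if len(parts) != 3:
            return ["malformed request line"]
        _method, target, _version = parts
        violations = []
        if len(target) > c.max_url_len:
            violations.append("URL too long")
        if len(headers) > c.max_header_count:
            violations.append("too many headers")
        violations += [f"header line too long: {h[:16]!r}" for h in headers
                       if len(h) > c.max_header_line_len]
        if len(body) > c.max_body_len:
            violations.append("body too long")
        # Parameters come from the query string, plus the body for form posts.
        params = parse_qsl(urlsplit(target.decode("latin-1")).query, keep_blank_values=True)
        is_form = any(h.lower().startswith(b"content-type: application/x-www-form-urlencoded")
                      for h in headers)
        if is_form:
            params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
        for name, value in params:
            if len(name) > c.max_param_name_len:
                violations.append(f"parameter name too long: {name[:16]!r}")
            if len(value) > c.max_param_value_len:
                violations.append(f"parameter value too long: {name!r}")
        return violations

    def check_brute_force(self, src_ip: str, path: str, now: float) -> bool:
        """Record a login attempt and return True when this source IP has
        exceeded max_attempts within the sliding window (throttle it)."""
        if path != self.brute.login_path:
            return False
        recent = self.attempts.setdefault(src_ip, deque())
        while recent and now - recent[0] >= self.brute.window_seconds:
            recent.popleft()
        recent.append(now)
        return len(recent) > self.brute.max_attempts


# Constructed sample requests (not captured traffic).
SAMPLE_OK = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
             b"user=alice&password=secret1")
SAMPLE_LONG_PARAM = (b"GET /search?q=" + b"A" * 5000 +
                     b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n")

if __name__ == "__main__":
    inspector = Inspector()
    print("ok request:", inspector.check_protocol(SAMPLE_OK))
    print("long param:", inspector.check_protocol(SAMPLE_LONG_PARAM))
    for t in range(7):
        throttled = inspector.check_brute_force("203.0.113.7", "/login", float(t))
        print(f"attempt {t}: {'throttled' if throttled else 'allowed'}")
```

The protocol check reports every violated limit rather than stopping at the first, which is what an operator tuning thresholds wants to see in a log; the brute-force check is stateful, so one `Inspector` instance must be shared across requests from the same source.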


Fortinet Tools and Documentation CD

Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this technical document to [email protected].

Documentation Conventions

Fortinet technical documentation uses the conventions described in this section.
• IP addresses
• Cautions, Notes, & Tips
• Typographical conventions
• Command syntax conventions

IP addresses

To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.

Cautions, Notes, & Tips

Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Note: Presents useful information, usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions

Fortinet documentation uses the following typographical conventions:

Table 3: Typographical conventions in Fortinet technical documentation

Convention: Button, menu, text box, field, or check box label
Example: From Minimum log level, select Notification.

Convention: CLI input
Example:
    config system dns
        set primary <address_ipv4>
    end

Convention: CLI output
Example:
    FGT-602803030703 # get system settings
    comments : (null)
    opmode : nat

Convention: Emphasis
Example: HTTP connections are not secure and can be intercepted by a third party.

Convention: File content
Example:
    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
    <BODY><H4>You must authenticate to use this service.</H4>

Convention: Hyperlink
Example: Visit the Fortinet Technical Support web site, https://support.fortinet.com.

Convention: Keyboard entry
Example: Type a name for the remote VPN peer or client, such as Central_Office_1.

Convention: Navigation
Example: Go to VPN > IPSEC > Auto Key (IKE).

Convention: Publication
Example: For details, see the FortiGate Administration Guide.

Command syntax conventions

The command line interface (CLI) requires that you use valid syntax, and conform to expected input constraints. It will reject invalid commands.

Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input.

Table 4: Command syntax notation

Square brackets [ ]
    A non-required word or series of words. For example:
        [verbose {1 | 2 | 3}]
    indicates that you may either omit or type both the verbose word and its accompanying option, such as:
        verbose 3

Angle brackets < >
    A word constrained by data type. To define acceptable input, the angle brackets contain a descriptive name followed by an underscore ( _ ) and a suffix that indicates the valid data type. For example:
        <retries_int>
    indicates that you should enter a number of retries, such as 5.
    Data types include:
    • <xxx_name>: A name referring to another part of the configuration, such as policy_A.
    • <xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route.
    • <xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
    • <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.
    • <xxx_email>: An email address, such as [email protected].
    • <xxx_url>: A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet.com/.
    • <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
    • <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
    • <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
    • <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.
    • <xxx_ipv6>: A colon ( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
    • <xxx_v6mask>: An IPv6 netmask, such as /96.
    • <xxx_ipv6mask>: An IPv6 address and netmask separated by a space.
    • <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences. See the FortiWeb CLI Reference.
    • <xxx_int>: An integer number that is not another data type, such as 15 for the number of minutes.

Curly braces { }
    A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

    Options delimited by vertical bars |
        Mutually exclusive options. For example:
            {enable | disable}
        indicates that you must enter either enable or disable, but must not enter both.

    Options delimited by spaces
        Non-mutually exclusive options. For example:
            {http https ping snmp ssh telnet}
        indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:
            ping https ssh
        Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:
            ping https snmp ssh
        If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.
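The notation in Table 4 is regular enough to be checked mechanically before a command is sent to a device, which is useful when generating configuration from a script. The following Python validator is an added example for this page, not the FortiWeb CLI or any Fortinet tool. It takes a notation fragment from the table (an angle-bracket typed word such as `<retries_int>`, a brace option set, or an optional bracket group such as `[verbose {1 | 2 | 3}]`) and the value an administrator intends to type, and reports whether the value conforms. The data-type checks are keyed by the `<xxx_type>` suffixes listed above; the exact acceptance rules (what counts as an FQDN, or that `<xxx_ipv6mask>` is taken as an address followed by a `/prefix` netmask) are assumptions of the example, since the page defers those details to the FortiWeb CLI Reference.

```python
# Added example for this page, not the FortiWeb CLI or a Fortinet tool.
# Checks a value an administrator intends to type against a notation fragment
# from Table 4. Data-type rules are keyed by the <xxx_type> suffix; the exact
# acceptance rules (FQDN shape, IPv6 netmask form, etc.) are assumptions here.
import ipaddress
import re
from urllib.parse import urlsplit

_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def _accepts(constructor, value: str) -> bool:
    try:
        constructor(value)
        return True
    except ValueError:          # ipaddress errors all derive from ValueError
        return False


def _fqdn(value: str) -> bool:
    labels = value.rstrip(".").split(".")
    return len(value) <= 253 and len(labels) >= 2 and all(_LABEL.fullmatch(l) for l in labels)


def _email(value: str) -> bool:
    local, sep, domain = value.partition("@")
    return bool(sep) and bool(local) and "@" not in domain and _fqdn(domain)


def _url(value: str) -> bool:
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc)


def _v6mask(value: str) -> bool:
    m = re.fullmatch(r"/(\d{1,3})", value)
    return m is not None and int(m.group(1)) <= 128


def _pair(value: str, first, second) -> bool:
    parts = value.split()
    return len(parts) == 2 and first(parts[0]) and second(parts[1])


TYPE_CHECKS = {
    "int": lambda v: re.fullmatch(r"-?\d+", v) is not None,
    "index": lambda v: v.isdigit(),
    "name": lambda v: re.fullmatch(r"\S+", v) is not None,
    "pattern": lambda v: bool(v),
    "str": lambda v: bool(v),
    "fqdn": _fqdn,
    "email": _email,
    "url": _url,
    "ipv4": lambda v: _accepts(ipaddress.IPv4Address, v),
    "v4mask": lambda v: _accepts(lambda m: ipaddress.IPv4Network("0.0.0.0/" + m), v),
    "ipv4mask": lambda v: _pair(v, TYPE_CHECKS["ipv4"], TYPE_CHECKS["v4mask"]),
    "ipv4/mask": lambda v: "/" in v and _accepts(lambda n: ipaddress.IPv4Network(n, strict=False), v),
    "ipv6": lambda v: _accepts(ipaddress.IPv6Address, v),
    "v6mask": _v6mask,
    "ipv6mask": lambda v: _pair(v, TYPE_CHECKS["ipv6"], _v6mask),
}


def validate(spec: str, value: str) -> bool:
    """True if value conforms to the Table 4 notation fragment spec."""
    spec, value = spec.strip(), value.strip()
    if spec.startswith("[") and spec.endswith("]"):          # optional group
        return value == "" or validate(spec[1:-1], value)
    if spec.startswith("<") and spec.endswith(">"):          # typed word
        check = TYPE_CHECKS.get(spec[1:-1].rsplit("_", 1)[-1])
        return check is not None and check(value)
    if spec.startswith("{") and spec.endswith("}"):          # option set
        inner, tokens = spec[1:-1], value.split()
        if "|" in inner:                                     # mutually exclusive
            return len(tokens) == 1 and tokens[0] in {o.strip() for o in inner.split("|")}
        options = set(inner.split())                         # any subset, any order
        return bool(tokens) and len(set(tokens)) == len(tokens) and set(tokens) <= options
    # Literal keyword, optionally followed by another group: "verbose {1 | 2 | 3}"
    keyword, _, rest = spec.partition(" ")
    word, _, remainder = value.partition(" ")
    if word != keyword:
        return False
    return validate(rest, remainder) if rest else remainder.strip() == ""


if __name__ == "__main__":
    for spec, value in [("<retries_int>", "5"), ("{enable | disable}", "enable disable"),
                        ("{http https ping snmp ssh telnet}", "ping https ssh"),
                        ("[verbose {1 | 2 | 3}]", "verbose 3"), ("<addr_ipv4/mask>", "192.168.1.99/24")]:
        print(f"{spec:40} {value!r:22} -> {'valid' if validate(spec, value) else 'invalid'}")
```

The `v4mask` check reuses `ipaddress.IPv4Network` by prepending a zero address, so a non-contiguous mask such as 255.0.255.0 is rejected the same way the library rejects it; the space-delimited option rule also rejects a repeated word, since re-typing the whole list is how the table says options are changed.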


What’s new

The list below contains the new features or major changes in the current v4.2 FortiWeb release.

• IP List Policy - A new method to define source IPs that are trusted (trust IP) and not trusted (black IP) was added to the Web protection IP List Policy. See “Configuring an IP list policy” on page 220.
• File Upload Restriction - Provides a new web protection technique to specify the exact file types that are permitted to be uploaded to selected hosts or URLs. See “Configuring file upload restriction policy” on page 263.
• FortiAnalyzer support - FortiWeb now supports storage of log messages remotely on a FortiAnalyzer unit. See “Configuring FortiAnalyzer policies” on page 321.
• Event and Attack Log Console - The system status display now includes an Event Log console widget and an Attack Log console widget. The Alert console widget was removed. See “Attack Log Console widget” on page 48 and “Event Log Console widget” on page 48.
• Rewrite URLs in HTTP body - URLs in the body of HTTP responses can now be rewritten, similar to rewriting URLs in HTTP headers. See “Configuring URL rewriting policy” on page 244.
• Allow Request Method - The Allow Method Exceptions feature was changed to the Allow Request Method. It includes Allow Method Policy and Allow Method Exceptions. See “Configuring allowed request method policy” on page 235.
• HTTP Protocol Constraints Exceptions - HTTP protocol exception settings were added to HTTP protocol constraints. See “Configuring HTTP protocol constraint profiles” on page 252.
• Severity and trigger policy - Settings for severity level and trigger policy are now available in all web protection rules, where appropriate. For example, see “Configuring page access rules” on page 198.
• Policy item details link - The ability to view a read-only version of the details for a specific rule associated with a policy is available, where appropriate, without leaving the policy view. For example, see the Detail link in “Configuring URL access policy” on page 216.
• Support for HTTP and HTTPS in same policy - HTTPS service is now configurable in the same policy as HTTP. See “Configuring server policies” on page 118.
• Persistent server session values - The values for persistent server settings in server policy were updated. See “Configuring server policies” on page 118 and “Appendix B: Maximum values” on page 397.
• Extended signature set granularity - The granularity of extended signature sets is now selectable, with a range of none (disable), basic, enhanced or full. See “Configuring server protection rules” on page 201.
• Validation of multiple identical parameters in a single request - HTTP validation rules now validate all instances of multiple identical parameters in a single request. See “Configuring HTTP parameter validation rules” on page 192.
• Cloning custom protection profiles - You can now clone custom protection profiles and use them as a base for new profiles. See “Configuring inline protection profiles” on page 268 and “Configuring offline protection profiles” on page 274.



Persistent Server Session Threshold - You can now define a threshold that triggers a persistent server session event log. See “Enabling logging” on page 327.

Log message download - You can now download a specific range of event, attack or traffic logs from the FortiWeb hard disk to your local computer. See “Downloading log messages” on page 343.

Back up and Restore Web Protection Profile - In addition to system configuration files, you can now back up and restore web protection profiles. See “Backing up and restoring configurations” on page 96.

FTP configuration backup and schedule - You can now back up configurations to an FTP server. See “Configuring an FTP backup and schedule” on page 98.

Severity information in log message - A severity level (high, medium, low) was added to log messages. See “Responding to web protection rule violations” on page 191.

Configuration synchronization - You can synchronize configuration information on the local FortiWeb unit to a peer (remote) FortiWeb unit, even if the unit is not part of a high-availability (HA) pair. See “Synchronizing configurations” on page 59.

Signature update without restart - FortiWeb no longer requires a restart and login after a signature update. See “Uploading signature updates” on page 101.

Brute force login - The GUI has been reorganized and PCRE regular expression checking was added. See “Configuring brute force login profiles” on page 224.

Custom Application Policy - You can now create application policy plug-ins that recognize non-standard, customized applications, and modify the URL information so that an auto-learning profile can work more effectively. See “Configuring custom application policies” on page 160.


About the web-based manager

This chapter describes aspects that are general to the use of the web-based manager, a graphical user interface (GUI) that provides access to the FortiWeb unit from within a web browser.

This chapter includes the following topics:
• System requirements
• URL for access
• Settings

System requirements

The management computer that you use to access the web-based manager must have:
• a compatible web browser, such as Microsoft Internet Explorer 6.0 or greater, or Mozilla Firefox 3.0 or greater
• Adobe Flash Player 10 or greater plug-in

To minimize scrolling, the computer’s screen should have a resolution that is a minimum of 1280 x 1024 pixels.

URL for access

You access the web-based manager by URL using a network interface on the FortiWeb unit that you have configured for administrative access. The default URL to access the web-based manager through the network interface on port1 is https://192.168.1.99/.

If the network interfaces were configured during installation of the FortiWeb unit (see the FortiWeb Install and Setup Guide), the URL and/or permitted administrative access protocols may no longer be in their default state. In that case, use either a DNS-resolvable domain name for the FortiWeb unit as the URL, or the IP address that was assigned to the network interface during the installation process.

For example, you might have configured port2 with the IP address 10.0.0.1 and enabled HTTPS. You might have also configured a private DNS server on your network to resolve fortiweb.example.com to 10.0.0.1. In this case, to access the web-based manager through port2, you could enter either https://fortiweb.example.com/ or https://10.0.0.1/.

For information on enabling administrative access protocols and configuring IP addresses for the FortiWeb unit, see “Configuring the network and VLAN interfaces” on page 50.

Note: If the URL is correct and you still cannot access the web-based manager, you may also need to configure from which hosts the FortiWeb unit will accept login attempts for your administrator account (that is, trusted hosts), and/or static routes. For details, see “Configuring administrator accounts” on page 75 and “Configuring static routes” on page 105.


Settings

Some settings for the web-based manager apply regardless of which administrator account you use to log in. Global settings include the idle timeout, TCP port number on which the web-based manager listens for connection attempts, the network interfaces on which it listens, the language of its display, and whether or not more than one administrator can log in simultaneously.

For details, see “Configuring the web-based manager’s global settings” on page 82.

Single administrator mode

If single administrator mode is enabled, when you log in to the web-based manager, you may be required to disconnect other administrators’ account sessions before you can continue.

Figure 1: Single administrator mode disconnection prompt

For details, see “Security Settings” on page 84.


Deployment guidelines

Integrating FortiWeb into your network and configuring it to protect your web assets is not an overnight process. Nor is it a linear process. Be prepared to roll out FortiWeb in phases over several weeks with tests and configuration edits part of each stage.

These deployment guidelines apply to each web application you choose to protect with FortiWeb. That is, for each server you protect with a server policy, go through these phases. You can deploy multiple applications in sequence or in parallel.

Deployment prerequisites

This chapter assumes you have completed the following steps:
• You have installed and partly configured FortiWeb as described in the FortiWeb Install and Setup Guide or the FortiWeb-VM Install Guide.
• A basic auto-learning profile is in place. (If not, see “Generating an auto-learning profile and its components” on page 281.)
• You have chosen your final operation mode, one of reverse proxy, true transparent proxy, or transparent inspection. If you chose offline protection, that is fine for now. You can switch to your final operation mode later.
• You can access the web-based manager and your administrator account profile has read and write access to all relevant features. For details, see “About permissions” on page 80.

Server policy

To begin deployment, you must have at least one active server policy monitoring at least one real web server. If not, see “Configuring policies” in the FortiWeb Install and Setup Guide for instructions on creating a basic server policy that you can start with.

The backbone of a FortiWeb unit’s web site protection is the server policies that apply to your web sites and web applications. Here are a few tips to remember as you deploy:
• Change policy settings with care. Any changes take effect immediately.
• When you change a server policy that has already been tested, you should retest it.
• The FortiWeb unit applies rules, policies and data scans in a set order. (See “Order of execution” on page 190.) Review the logic of your server policies to make sure they deliver the web protection you expect.
• By the end of your FortiWeb deployment, make sure that all physical web servers are covered by a policy. If a server has no associated policy or all policies for it are disabled, FortiWeb will not monitor traffic to that web server. In reverse proxy mode, FortiWeb will block traffic to servers without an enabled policy.

Deployment workflow

This chapter takes you through four or five phases, depending on your initial operation mode. Those phases progress from a bare-bones, untested web server protection configuration to the end of the deployment period several weeks later.

This chapter includes the following sections:


• Phase 1: Examine the initial configuration
• Phase 2: Monitor and tune the configuration
• Phase 3: Test for vulnerabilities
• Phase 4: Switch from offline protection mode (if applicable)
• Phase 5: Prepare for full operation

Phase 1: Examine the initial configuration

This phase covers activities for the first day of the first week. Spend the time confirming you have a working configuration.

Do a visual check

Access the FortiWeb web-based manager (see “URL for access” on page 25) and look for obvious problems.
• If you cannot access the web-based manager or access seems incomplete, your installation may not be correct. Review the FortiWeb Install and Setup Guide to make sure you installed the unit correctly. If there is still a problem, see “Troubleshoot connectivity issues” on page 373.
• Does the web-based manager’s URL, or the text or data on the dashboard, contain odd characters? If so, you may be using the wrong character set. See “Appendix D: Language support & regular expressions” on page 401.
• Examine the Service Status widget on the dashboard (go to System > Status > Status), as shown in Figure 2. Does it list at least one policy and a real server? If not, you have not created a valid server policy yet and FortiWeb has nothing to work with. Create at least one server policy before going further. See “Configuring policies” in the FortiWeb Install and Setup Guide. (Do not be concerned that nothing appears in the Server Status column at this point. That column applies to servers in server farms.)
• Also examine the Policy Sessions widget on the dashboard. Are there active sessions related to your policies? If not, it may mean that the policy is not being applied to an active web resource.

Figure 2: Service Status and Policy Sessions widgets

Check dynamic data on the dashboard

The FortiWeb dashboard is the first place to start, not just during deployment, but any time you want to know the health of your system. Go to System > Status > Status and examine the Policy Summary widget, as shown in Figure 3 on page 29.
• Examine the HTTP Traffic Monitor. If there is no traffic, you have a problem. Check to see if your gateway setting is correct (go to Router > Static > Static Route). Also see the troubleshooting topic “Check traffic flow” on page 369.


Figure 3: Policy Summary widget

• Examine the Attack Event History. If you have a large number of attacks, it may mean some aspect of your policy configuration is generating false positives. If you have no attacks, but you have reasonable levels of traffic, it may mean the protection profile used by your server policy is incomplete.

• Examine the Attack Log widget. If the list includes many identical entries, it likely indicates false positives (unless it is a DoS assault). If there are many entries of a different nature, it likely indicates real attacks. If there are no attack log entries but the Attack Event History shows attacks, it likely means you have not correctly configured logging. See “Configuring and enabling logging” on page 323.

Figure 4: Attack Log Console widget

Check your auto-learning data

An auto-learning profile can teach you a great deal about the threats your web assets face. A profile also helps you understand the application structure and how real users use it.
• Check that each server policy includes an auto-learning profile. Go to Server > Server Policy > Policy. Click the Edit icon for your policy. Look in the WAF Auto Learn Profile field or the Web Protection Profile field to make sure at least one of those fields references an auto-learn profile. If there is no profile, create one and use it. See “Generating an auto-learning profile and its components” on page 281.


• If your server policy includes an auto-learning profile, check that it is gathering data. Go to Auto Learn > Auto Learn Report and click the Detail icon to see the report. If the report shows few or zero hits, the profile is not gathering data. (No data could also be a result of no traffic.)

Figure 5: Auto Learn Report Overview tab

Phase 2: Monitor and tune the configuration

Once you confirm you have a working configuration in phase 1, move to this phase.

Phase 2 covers the remaining days of the first week. Spend the time eliminating false positives and refining log reports.

Stay diligent

Each day, check the dashboard for obvious problems.

Examine the auto-learn report for each server in your system (see “Check your auto-learning data” on page 29). If an auto-learning profile is returning many URLs that do not make sense, such as URLs with complex session IDs like this:

/app/login.asp;jsessionid=xxx;p1=111;p2=123?p3=5555&p4=66aaaaa

you need to configure a custom application policy and a URL replacer; otherwise such URLs reduce the value of the auto-learning profile. See “Configuring custom application policies” on page 160.
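The URL pattern above, as an added example that is not FortiWeb’s own URL replacer: a small normalizer that separates the application resource from session identifiers and parameter names, showing why such URLs must be collapsed before they are useful to an auto-learning profile. The session-identifier names and the observed URLs are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qsl

# Names that carry a per-session value rather than application structure.
# This set is an assumption for the example; on FortiWeb the equivalent is
# configured through a custom application policy and URL replacer.
SESSION_IDS = {"jsessionid", "phpsessid", "aspsessionid", "sessionid"}


def normalize_learning_url(url):
    """Split one observed request URL into (resource_path, parameter_names).

    Path parameters (';name=value' after a path segment) and query parameters
    are both reported by name only, and session identifiers are dropped, so
    that every request for the same application resource maps to one entry.
    """
    parts = urlsplit(url)
    segments = []
    names = set()
    for segment in parts.path.split("/"):
        head, *path_params = segment.split(";")
        segments.append(head)
        for item in path_params:
            name, _, _value = item.partition("=")
            if name and name.lower() not in SESSION_IDS:
                names.add(name)
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in SESSION_IDS:
            names.add(name)
    return "/".join(segments), sorted(names)


def learned_resources(observed_urls):
    """Map each normalized resource to the union of parameter names seen with it."""
    learned = {}
    for url in observed_urls:
        path, names = normalize_learning_url(url)
        learned.setdefault(path, set()).update(names)
    return learned


# Constructed sample of URLs an auto-learning profile might record for one
# application: only two real resources, hidden behind changing session IDs.
OBSERVED = [
    "/app/login.asp;jsessionid=A1B2;p1=111;p2=123?p3=5555&p4=66aaaaa",
    "/app/login.asp;jsessionid=C3D4;p1=222;p2=456?p3=7777&p4=bbbbbb",
    "/app/cart.asp;jsessionid=A1B2?item=42",
    "/app/cart.asp?item=43&PHPSESSID=9999",
]

if __name__ == "__main__":
    print("distinct raw URLs:", len(set(OBSERVED)))  # 4 before normalization
    for path, names in sorted(learned_resources(OBSERVED).items()):
        print(path, sorted(names))
    # /app/cart.asp ['item']
    # /app/login.asp ['p1', 'p2', 'p3', 'p4']
```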

Tune up alerts

When you configure protection profiles, many of their components include an action option that sets the response to a detected violation. Actions also combine with severity levels and trigger responses, as shown in Figure 6 on page 31.


Figure 6: Dialog showing actions, severity and triggers

The available actions vary with the protection feature. See “Responding to web protection rule violations” on page 191 for a list of all actions and their uses.

When you select many action items, such as Alert & Deny or Redirect, the auto-learning feature stops gathering auto-learning data for the applicable connection, resulting in incomplete session information for the auto-learning profile. During the deployment phase, you want each connection processed completely.

To get complete connection processing, without having to change all your actions, enable the Monitor Mode option on each server policy. Go to Server Policy > Server Policy. Edit each policy and select Monitor Mode. When enabled, this mode treats all actions as if they were the Alert action.

Alerts show up on the dashboard and may generate email if you configured an email policy for use in triggers. (If you are not getting email, see “Define logs, reports and email alerts” on page 32.)

Since many of the rules and policies that make up protection profiles are based, at least in part, on regular expressions or data ranges whose values are hard to predict, many of your initial alerts will not be real attacks or violations. They will be false positives.

If the dashboard indicates you are getting dozens or hundreds of nearly identical alerts, you need to search for and fix false positives. Here are some tips:
• Examine your web protection profile (go to Web Protection > Web Protection Profile and view the settings in the applicable offline or inline protection profile). Does it include a server protection rule that seems to be causing alerts for valid URLs? If so, create and use exceptions to reduce false positives. See “Configuring server protection exceptions” on page 207.

• If your web protection profile includes a server protection rule where the Extended Signature Set option is set to Full, reduce it to Basic to see if that reduces false positives. See “Configuring server protection rules” on page 201.

Figure 7: Extended signature set option

• If your web protection profile includes HTTP protocol constraints that seem to be causing alerts for legitimate HTTP requests, create and use exceptions to reduce false positives. See “Configuring HTTP protocol constraint exceptions” on page 254.

• Most dialog boxes that accept regular expressions include the >> (test) icon. This opens the Regular Expression Validator window, as shown in Figure 8 on page 32, where you can fine-tune the expression to eliminate false positives.


Figure 8: Regular expression validator dialog

• To learn more about the behavior of regular expressions that generate alerts, enable the Retain Packet Payload options in the logging configuration. Packet payloads provide the actual data that triggered the alert, which may help you to fine tune your regular expressions to reduce false positives. See “Enabling logging” on page 327 and “Viewing log message details” on page 335.

Define logs, reports and email alerts

Log messages, log reports and email alerts will provide you with valuable information about problems with your system. It is time to review and augment your log settings.
• Go to Log&Report > Log Policy > Email Policy. Make sure an email policy exists that directs email to you or other FortiWeb administrators. Set the Log Level option to Critical. That way any problem rated as critical, alert or emergency generates an email. See “Configuring email policies” on page 317.

• Go to Log&Report > Log Policy > Trigger Policy. Make sure a trigger policy exists that references the email policy described above. Triggers can be added to many rules and policies. See “Configuring trigger policies” on page 322.

• Go to Log&Report > Log Config > Global Log Settings. Enable the Alert Mail option and set it to reference the email policy described above. See “Configuring global log settings” on page 324.

• Go to Log&Report > Report Config. Either create a new report or edit an existing one. (See Figure 9 on page 33.) Use the data filter options under Report Scope (click the blue arrow to see options) to tailor the report’s contents. Use the options under Schedule to create a report schedule. Under Output, pick a report format and select the email policy described above. See “Configuring and generating reports” on page 344.


Figure 9: New log report dialog

• Consider directing reports to your web developers to get their feedback.

On a daily basis, review the attack log to find vulnerabilities in your system. Go to Log&Report > Log Access > Attack.

Figure 10: Part of an attack log

Phase 3: Test for vulnerabilities

Once you have tuned your alerts and eliminated the most obvious false positives in phase 2, move to this phase.

Phase 3 covers the second week. Use this time to search for attack vulnerabilities and to further tune alerts.

Stay diligent

Continue your regular daily checks and expand them.
• Each day, check the dashboard for obvious problems (see “Check dynamic data on the dashboard” on page 28).
• Continue to examine the auto-learn report for each server in your system (see “Check your auto-learning data” on page 29).
• Review the attack log.
• Review alerts and fix those that represent false positives.


• Begin monitoring the third-party cookies FortiWeb observes in traffic to your web servers. When cookies are found, an icon appears on the Server Policy > Policy > Policy tab for each affected server. If cookies are threats, such as if they are used for state tracking or database input, consider enabling the Cookie Poison option on the inline protection profiles for those servers. See “Cookie Poison” on page 272.

Aggregate attack types

Use the Log Message aggregation feature to group similar attack types. This makes it easier to quickly see all significant threats. See “Grouping similar attack log messages” on page 340.

For example, a web worm let loose on the Internet can create hundreds if not thousands of alerts. This could swamp FortiWeb’s attack log with alerts and obscure other dangerous problems. By aggregating similar alerts (grouping them under the Sub Type column of the attack log), you will not miss other problem alerts.

Another tactic is to aggregate attacks under the Source IP column. This lets you closely track an attacker and all of its attacking methods.

To view the contents of an aggregated group, click the blue arrow, as shown in Figure 11.

Figure 11: Part of an attack aggregation report
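The grouping described above, as an added example (not FortiWeb code) applied to a constructed set of attack-log records: aggregation by Sub Type or Source IP, identical entries raised against many different sources as false-positive candidates, and one source seen with several attack methods. The field names, sub type labels and addresses are constructed for this example.

```python
from collections import defaultdict

# Constructed attack-log records for this example (not FortiWeb's log format).
# The keys mirror the columns the chapter refers to, Sub Type and Source IP,
# plus the URL that was hit. Sub type labels are illustrative only.
ATTACK_LOG = [
    {"subtype": "Generic Attacks", "src": "198.51.100.7", "url": "/app/search.asp"},
    {"subtype": "Generic Attacks", "src": "198.51.100.8", "url": "/app/search.asp"},
    {"subtype": "Generic Attacks", "src": "198.51.100.9", "url": "/app/search.asp"},
    {"subtype": "Generic Attacks", "src": "198.51.100.10", "url": "/app/search.asp"},
    {"subtype": "SQL Injection", "src": "203.0.113.5", "url": "/app/login.asp"},
    {"subtype": "Cross Site Scripting", "src": "203.0.113.5", "url": "/app/comment.asp"},
    {"subtype": "Brute Force Login", "src": "203.0.113.5", "url": "/app/login.asp"},
    {"subtype": "SQL Injection", "src": "203.0.113.6", "url": "/app/cart.asp"},
]


def aggregate(records, column):
    """Group records by one column ("subtype" or "src"), largest group first."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[column]].append(rec)
    return sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def false_positive_candidates(records, min_sources=3):
    """Identical (sub type, URL) entries raised against many different sources.

    A rule that fires on the same legitimate request from unrelated clients is
    the usual false-positive signature. Counting distinct sources rather than
    raw hits keeps a flood from one source (a DoS attempt) out of this list.
    """
    sources = defaultdict(set)
    for rec in records:
        sources[(rec["subtype"], rec["url"])].add(rec["src"])
    return sorted((key, len(s)) for key, s in sources.items() if len(s) >= min_sources)


def multi_method_sources(records, min_methods=2):
    """Source IPs seen with several sub types: one client trying many methods."""
    methods = defaultdict(set)
    for rec in records:
        methods[rec["src"]].add(rec["subtype"])
    return {src: sorted(m) for src, m in methods.items() if len(m) >= min_methods}


if __name__ == "__main__":
    for subtype, hits in aggregate(ATTACK_LOG, "subtype"):
        print(f"{len(hits):3d}  {subtype}")
    print("false-positive candidates:", false_positive_candidates(ATTACK_LOG))
    print("multi-method sources:", multi_method_sources(ATTACK_LOG))
```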

Search for vulnerabilities

Use FortiWeb’s web vulnerability scan feature to detect known vulnerabilities on your web servers and web applications.
• Create a web vulnerability scan profile and enable all threat options. You can reduce options later that do not apply. Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Profile. See “Configuring web vulnerability scan profiles” on page 303.

• Create a web vulnerability scan policy that includes the email alerts you created the first week. Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy. See “Configuring web vulnerability scan policies” on page 300.

• Start with a schedule that scans your site daily in off peak hours. Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Schedule. See “Configuring web vulnerability scan schedules” on page 308.

• Go to Web Vulnerability Scan > Web Vulnerability Scan > Scan History to locate vulnerabilities. Click the View scan report icon next to a report. It opens an HTML report that lists vulnerabilities, as shown in Figure 12 on page 35. If you find a false positive in the report, click the False Positive button to remove it from the current and subsequent reports.

Caution: Fortinet strongly recommends that you do not scan for vulnerabilities on live web sites during peak hours. Either run the scans in off-peak hours or duplicate the web site and its database in a test environment and perform the scan there.


Figure 12: Web vulnerabilities scan report

• Create XML protection rules and policies to protect against the discovered vulnerabilities. See “XML protection profile workflow” on page 163.

• Create web protection rules and policies to protect against the discovered vulnerabilities. See “Web protection profile workflow” on page 189.

Once you have tested for vulnerabilities and set policies to guard against the threats, move to the next phase.

Phase 4: Switch from offline protection mode (if applicable)

This section applies only if you chose offline protection mode when you first set up your FortiWeb unit. If you chose another mode, skip to “Phase 5: Prepare for full operation” on page 37.

This phase covers about one week. In this period, you will switch from offline protection mode to one of the other three modes: reverse proxy, true transparent proxy, or transparent inspection. Following the switch, you must reconfigure some of your network settings and protection profiles, and then test the new configuration.

If you plan to deploy multiple web applications, you can change the operation mode once you deploy and test all servers and applications in offline protection mode, or change modes after you deploy just the first one. In that case, the subsequent applications must be deployed in the new mode.

Caution: Switching modes is not a trivial matter. Back up your system before changing the operation mode. Changing modes deletes the following: any policies not applicable to the new mode, all static routes and all VLAN settings. You may also need to re-cable your network topology to suit the operation mode.


Prepare to switch operation mode

Before you switch from offline protection mode, take note of the following:
• Go to Router > Static > Static Route and take note of the configuration settings (such as the gateway IP and port) for each static route.
• Go to System > Network > Interface and take note of the configuration settings for any VLANs.
• Go to Web Protection > Web Protection Policy > Offline Protection Profile. View each offline protection profile and take note of the policies and rules it references.

Change operation mode

When you switch operation mode, follow these steps:
1 Determine which operation mode to use. See “Configuring the operation mode” on page 71 for an explanation of modes.
2 Review the topic “Matching topology with operation mode” in the FortiWeb Install and Setup Guide to determine if you need to re-cable your FortiWeb unit for the new mode.
3 If re-cabling is needed, power off your unit, change the cables, and power on the unit. Access the web-based manager again.
4 Change the operation mode in one of two ways:

• In the Operation Mode row of the System Information widget on the dashboard, click Change. Select a new operation mode from the Mode dialog and click Apply.

• Go to System > Config > Operation. Select a new operation mode from the Mode dialog and click Apply.

Figure 13: Changing modes

The fields presented in the dialog vary with the operation mode you select.

Reconfigure your system

Switching between vastly different operation modes results in a loss of some configuration data. Check the following items:
• Go to Router > Static > Static Route. If your static routes were erased, recreate them. See “Configuring static routes” on page 105.
• Go to System > Network > Interface. If your VLAN configurations were removed, recreate them. If you chose one of the transparent modes, consider creating a v-zone bridge instead of VLANs. See “Configuring v-zones (bridges)” on page 55.

• Go to Web Protection > Web Protection Policy > Inline Protection Profile. Create new inline protection profiles that reference the rules and policies in each of your previous offline protection profiles. See “Configuring inline protection profiles” on page 268 for information on creating a profile.


• Go to Server Policy > Policy > Policy. Edit your existing server policies to reference the new inline protection profiles instead of the offline protection profiles. See “Configuring server policies” on page 118.

Before going any further, let your reconfigured FortiWeb unit run and gather data. Watch the monitors on the dashboard to make sure traffic is flowing through your unit in the new mode.

Retest your system

A new operation mode means a new round of testing and alert tuning.
• Delete your existing auto-learning profiles and create new ones. Make sure your server policies reference the new auto-learning profiles. See “Configuring server policies” on page 118.

• Make sure the new auto-learning profiles are gathering data. See “Check your auto-learning data” on page 29.

• Continue running web vulnerability scans and adjust your policies and rules to reflect any vulnerabilities found. See “Search for vulnerabilities” on page 34.

Remain diligent

Each day, check the dashboard for obvious problems (see “Check dynamic data on the dashboard” on page 28) and examine the auto-learn report for each server in your system (see “Check your auto-learning data” on page 29).

Review the attack log (go to Log&Report > Log Access > Attack tab) daily to find vulnerabilities in your system. Review alerts and fix those that represent false positives.

Phase 5: Prepare for full operation

This phase covers a week or more, depending on what new features you configure.

Extend your server configuration

After your FortiWeb unit has operated for several days without significant problems, it is a good time to adjust profiles and policies to provide additional protection and to improve performance. Here is a list of some enhancements:
• If your operation mode is reverse proxy or true transparent proxy mode (without HTTPS), you can configure the FortiWeb unit to authenticate users. These can be local users, LDAP users, RADIUS users, NTLM users, or a combination of these. See “Users and user groups” on page 107.

• If your operation mode is reverse proxy, you can group physical servers and domain servers into a server farm. See “Grouping physical and domain servers into server farms” on page 135. Once you have a server farm, you can apply load-balancing (see “Deployment Mode” on page 123) and server health checks (see “Configuring server health checks” on page 143).

Once you create server farms and server health checks, indicators appear in the Service Status widget on the dashboard, as shown in Figure 14 on page 38.


Figure 14: Service status showing health-check indicators

• If your operation mode is reverse proxy, you can enable SSL to encrypt connections from the FortiWeb unit to protected web servers. To do so, first download a certificate (see “Uploading a certificate” on page 88) and then enable the SSL Server and Certificate options on the server policy.

• Depending on your chosen operation mode, you can add other rules and policies to your inline protection profiles, such as:
  • page access rules (see “Configuring page access rules” on page 198)
  • start page rules (see “Configuring start page rules” on page 213)
  • brute force login profiles (see “Configuring brute force login profiles” on page 224)
  • URL rewriting policy (see “Configuring URL rewriting policy” on page 244)

• Review the list of top candidates for your IP blacklist and add them, as applicable. See “Viewing the top 10 IP blacklist candidates” on page 223.

Remain diligent

Make sure you locate and solve any problems created by new configuration settings made in this phase.

Each day, check the dashboard for obvious problems (see “Check dynamic data on the dashboard” on page 28) and examine the auto-learn report for each server in your system (see “Check your auto-learning data” on page 29).

Review the attack log (go to Log&Report > Log Access > Attack tab) daily to find vulnerabilities in your system. Review alerts and fix those that represent false positives.

Make final deployment settings

Once your FortiWeb unit has operated for several days without significant problems after new configuration settings, it is time to make the final changes to prepare your FortiWeb unit for normal operation.
• If you enabled the Monitor Mode server policy option, as suggested in phase 2, disable it now. Go to Server Policy > Policy and edit each server policy to clear the option. Clearing it instructs the FortiWeb unit to apply the specified action for each violation. For example, if the action is Alert & Deny, monitor mode enforced just the Alert portion. With monitor mode disabled, the Deny portion is now enforced too.

• Review each action related to rules and policies. For more serious violations, change a simple Alert action to a blocking action, such as Alert & Deny, Deny or Redirect, as applicable. See “Responding to web protection rule violations” on page 191 for a list of actions and their uses.

• By this point, you have collected enough auto-learning data to generate protection profiles. Consider turning off the auto-learning function to save resources. To do so, deselect the auto-learning profile in applicable server policies.

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide38 Revision 10

http://docs.fortinet.com/ • Feedback


What else can you do?

Your FortiWeb unit has additional protection and maintenance features you can use:

• Configure DoS protection and synchronization with a remote FortiWeb unit. For details, see “Configuring DoS protection” on page 70 and “Synchronizing configurations” on page 59.

• Configure HTTP content routing and conversion policy. For details, see “Configuring HTTP content routing policy” on page 139 and “Configuring HTTP conversion policy” on page 141.

• Consider invoking the web anti-defacement feature to protect your web sites from hackers. See “Configuring anti-defacement” on page 293.

• If you have configured and deployed two FortiWeb units, you can set them up for high availability. See “Configuring high availability (HA)” on page 61.

• Configure backups, firmware updates, and similar maintenance features. For details, see “Backing up and restoring configurations” on page 96, “Configuring an FTP backup and schedule” on page 98, “Uploading signature updates” on page 101, and “Scheduling signature updates” on page 102.

• Make sure you are getting the most out of your configuration. See the chapter “Fine tuning and best practices” on page 355.


System

This chapter describes the System menu. Using its options you can view and configure a wide variety of system settings.

This chapter includes:
• Viewing system status
• Configuring the network and VLAN interfaces
• Configuring the DNS settings
• Synchronizing configurations
• Configuring high availability (HA)
• Configuring the SNMP agent
• Configuring DoS protection
• Configuring the operation mode
• Viewing RAID status
• Configuring administrator accounts
• Configuring the web-based manager’s global settings
• Managing certificates
• Backing up and restoring configurations
• Configuring an FTP backup and schedule
• Configuring system time
• Uploading signature updates
• Scheduling signature updates
• Accessing the Setup Wizard

Viewing system status

System > Status > Status appears when you log in to the web-based manager. It contains a dashboard with widgets that each indicate performance level or other status values.

The following widgets are available in the system status dashboard:
• System Information widget
• CLI Console widget
• System Resources widget
• Policy Summary widget
• Attack Log Console widget
• Event Log Console widget
• Service Status widget
• Policy Sessions widget


To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see “About permissions” on page 80.

Figure 15: Viewing the dashboard

In the default dashboard setup, widgets display the serial number and current system status of the FortiWeb unit, including uptime, system resource usage, event log messages, host name, firmware version, system time, and status of connected web servers and policy sessions. The dashboard also contains a CLI widget that enables you to use the command line interface through the web-based manager.

To customize the dashboard, select which widgets to display, where they are located on the tab, and whether they are minimized or maximized.

To move a widget, position your mouse cursor on the widget’s title bar, then click and drag the widget to its new location.

To display any of the widgets not currently shown on the Status tab, click Add Content. Any widgets already displayed on the Status tab are grayed out in the Add Content menu, because you can have only one of each widget on the Status tab.

Figure 16: Adding a widget


To display the default set of widgets on the dashboard, select Back to Default.

To see the available options for a widget, position your mouse cursor over the icons in the widget’s title bar. Options vary slightly from widget to widget, but always include options to close, minimize or maximize the widget.

Table 5: A minimized widget

System Information widget

The System Information widget on the dashboard displays the serial number and the status of basic systems, such as the firmware version, system time, up time, host name, and high availability (HA) status.

In addition to displaying system information, the System Information widget enables you to configure some basic attributes such as the host name, operation mode, and high availability (HA) mode, and to change the firmware.

FortiWeb administrators whose access profiles permit Write access to items in the System Configuration category can change the system time, host name, firmware, operation mode, and high availability (HA) mode.

Table 6: System Information widget

GUI item: Description
Widget Title: The name of the widget.
Disclosure arrow: Click to maximize or minimize the widget. This arrow replaces the widget’s icon when you place your mouse cursor over the title bar.
Edit: Click to change settings for the widget. This option appears only on the CLI Console widget.
Refresh: Click to update the displayed information. This option does not appear on the CLI Console widget.
Close: Click to close the widget on the dashboard. You will be prompted to confirm the action. To show the widget again, click Add Content near the top of the tab.
HA Status: Displays the status of high availability (HA) for this unit, either:
• Standalone: The FortiWeb unit is not operating in HA mode. It is operating as a single, independent FortiWeb unit.
• Master: The FortiWeb unit is operating as the primary unit in an HA pair.
• Backup: The FortiWeb unit is operating as the backup unit in an HA pair.
The default value is Standalone. Click Configure to configure the HA status for this unit. See “Configuring high availability (HA)” on page 61.
Host Name: Displays the host name of the FortiWeb unit. Click Change to change the host name. See “Changing the FortiWeb unit’s host name” on page 45.
Firmware Version: Displays the version of the firmware currently installed on the FortiWeb unit. Click Update to install a new version of firmware. See “Installing new firmware” on page 385.
Serial Number: Displays the serial number of the FortiWeb unit. The serial number is specific to the FortiWeb unit’s hardware and does not change with firmware upgrades. Use this number when registering the hardware with Fortinet Technical Support.
System Uptime: Displays the time in days, hours, and minutes since the FortiWeb unit last started.
System Time: Displays the current date and time according to the FortiWeb unit’s internal clock. Click Change to change the time or configure the FortiWeb unit to get the time from an NTP server. See “Configuring system time” on page 100.
Operation Mode: Displays the current operation mode of the FortiWeb unit, either:
• Reverse proxy: Reverse proxy traffic is destined for a virtual server’s network interface and IP address. The FortiWeb unit forwards it to a physical/domain server and applies the first applicable policy. The FortiWeb unit logs, blocks, or modifies traffic according to the matching policy and its protection profile.
• Offline protection: Monitor traffic received on the virtual server’s network interface (regardless of the IP address) and apply the first applicable policy. The FortiWeb unit logs or blocks traffic according to the matching policy and its protection profile, but does not otherwise modify it. (It does not, for example, apply SSL or load-balance connections.) Caution: Unlike in reverse proxy mode, actions other than Alert cannot be guaranteed to be successful in offline protection mode. The FortiWeb unit will attempt to block traffic that violates the policy by mimicking the client or server and requesting to reset the connection. However, the client or server may receive the reset request after it receives the other traffic due to possible differences in routing paths.
• True transparent proxy: Proxy traffic is destined for a physical/domain server. Apply the first applicable policy. Traffic is received on a network port that belongs to a Layer 2 v-zone (bridge), and no changes to the IP address scheme of the network are required.
• Transparent inspection: Inspect traffic destined for a physical/domain server. Asynchronously capture traffic and apply the first applicable policy. The FortiWeb unit logs or blocks traffic according to the matching policy and its protection profile, but does not otherwise modify it. (It does not, for example, apply SSL or load-balance connections.) Similar to offline protection mode, actions other than Alert cannot be guaranteed to be successful. It is easy to switch between transparent inspection and true transparent proxy without changing your network topology.
The default operation mode is reverse proxy mode. Click Change to switch the operation mode.
Caution: Back up the configuration before changing the operation mode. Changing modes deletes any policies not applicable to the new mode, all static routes, all v-zone IPs and all VLAN settings. For instructions on backing up the configuration, see “Backing up and restoring configurations” on page 96.
Reboot: Click to halt and restart the operating system of the FortiWeb unit.
ShutDown: Click to halt the operating system of the FortiWeb unit, preparing its hardware to be powered off.
Reset: Click to revert the configuration of the FortiWeb unit to the default values for its currently installed firmware version.
Caution: Back up the configuration before selecting Reset. This operation cannot be undone. Configuration changes made since the last backup will be lost. For instructions on backing up the configuration, see “Backing up and restoring configurations” on page 96.

Changing the FortiWeb unit’s host name

The host name of the FortiWeb unit is used in several places.
• It appears in the System Information widget on the Status tab. For more information about the System Information widget, see “System Information widget” on page 43.
• It is used in the command prompt of the CLI.
• It is used as the SNMP system name. For information about SNMP, see “Configuring the SNMP agent” on page 66.

The System Information widget and the get system status CLI command will display the full host name. If the host name is longer than 16 characters, the host name may appear in a truncated form ending with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed. For example, if the host name is FortiWeb1234567890, the CLI prompt would be FortiWeb123456789~#.

Administrators whose access profiles permit Write access to items in the System Configuration category can change the host name.

Note: You can also configure the local domain name of the FortiWeb unit. For details, see “Configuring the DNS settings” on page 58.

To change the host name of the FortiWeb unit
1 Go to System > Status > Status.
2 In the System Information widget, in the Host Name row, click Change.
3 In the New Name field, type a new host name.
The host name can be up to 35 characters in length. It can include US-ASCII letters, numbers, hyphens, and underscores, but not spaces and special characters.
4 Click OK.

CLI Console widget

The CLI Console widget on the dashboard enables you to enter CLI commands through the web-based manager, without making a separate Telnet, SSH, or local console connection to access the CLI.

To use the console, first click within the console area. Doing so automatically logs you in using the same administrator account you used to access the web-based manager. You can then type commands into the CLI Console widget. Alternatively, you can copy and paste commands from or into the console.

Note: The CLI Console widget requires that your web browser support JavaScript.


For information on available commands, see the FortiWeb CLI Reference.

Note: The prompt, by default the model number such as FortiWeb-1000B #, contains the host name of the FortiWeb unit. To change the host name, see “Changing the FortiWeb unit’s host name” on page 45.

Table 7: CLI Console widget

GUI item: Description
Close: Click to hide the widget. It no longer appears on the dashboard unless you add it again by clicking Add Content.
Edit: Click to open the Console Preferences pop-up window, where you can change the buffer length and input method, as well as the appearance of the console by defining fonts and colors for the text and background.

Table 8: CLI Console Preferences window

GUI item: Description
Preview: Shows a preview of your changes to the CLI Console widget’s appearance.
Text: Click the current color swatch to the left of this label, then click a color from the color palette to the right to change the color of the text in the CLI Console.
Background: Click the current color swatch to the left of this label, then click a color from the color palette to the right to change the color of the background in the CLI Console.
Use external command input box: Select to display a command input field below the normal console emulation area. When this option is enabled, you can enter commands by typing them into either the console emulation area or the external command input field.
Console buffer length: Enter the number of lines the console buffer keeps in memory. The valid range is from 20 to 9999.
Font: Select a font from the list to change the display font of the CLI Console.
Size: Select the size in points of the font. The default size is 10 points.

System Resources widget

The System Resources widget on the dashboard displays CPU and memory usage.

Table 9: System Resources widget

GUI item: Description
CPU Usage: The current CPU usage displayed as a dial gauge and as a percentage. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage: The current memory (RAM) usage displayed as a dial gauge and as a percentage. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.

Policy Summary widget

The Policy Summary widget on the dashboard displays three graphs:
• HTTP Traffic Monitor: Displays the traffic volume throughput during each time period.
• Attack Event History: Displays the number of each type of common exploit, SQL injection, cross-site scripting (XSS), or information disclosure attacks that were prevented.
• HTTP Hit History: Displays the total number of requests.

For each graph, you can select which policy’s statistics to view and the size of the interval (Rate threshold or Time interval) represented by each unit on the graph. By positioning your cursor over a point in the graph, you can display information for that point in time, such as (for HTTP Traffic Monitor) the traffic volume at that point in time.


Figure 17: Policy Summary widget

Attack Log Console widget

The Attack Log Console widget on the dashboard displays the latest attack logs. Attack logs are recorded when there is an attack or intrusion attempt against the web servers protected by the FortiWeb unit.

Attack logs help you track violations that are defined by the web protection and server policies configured on the FortiWeb unit. Each attack log message in the console shows the type of attack and the date and time of the attack. The attack type includes a link to a log detail. Select the link to open a separate attack log details window with additional information about the attack. For more information, see “Viewing log message details” on page 335.

Figure 18: Attack Log Console widget

Event Log Console widget

The Event Log Console widget on the dashboard displays log-based messages.

Event logs help you track system events on your FortiWeb unit such as firmware changes, and network events such as changes to policies. Each message shows the date and time that the event occurred. For more information, see “Viewing log messages” on page 331.

Tip: Event log messages can also be delivered by email, Syslog, FortiAnalyzer or SNMP. For more information, see “Enabling logging” on page 327, “Configuring and enabling logging” on page 323, and “Configuring the SNMP agent” on page 66.

Figure 19: Event Log Console widget

Service Status widget

The Service Status widget on the dashboard lists configured policies, the real servers (physical and domain servers) associated with the policy, and the connectivity status of the servers associated with the policy.

Table 10: Service Status widget

GUI item: Description
#: Shows the index number of the policy.
Policy Name: Shows the name of the policy. For information on policies, see “Configuring server policies” on page 118.
Real Server: Lists the real servers that the policies protect.
Server Status: For servers that are part of a server farm, shows the connectivity status. There may be multiple icons in this column. To determine which real server is associated with an icon, hover your mouse cursor over the icon. The name of the real server then appears in a tool tip.
• Green icon: The server health check is currently detecting that the real server is responsive to connections.
• Flashing yellow-to-red icon: The server health check is currently detecting that the real server is not responsive to connections. The method that the FortiWeb unit will use to reroute connections to an available server varies by your configuration of Deployment Mode.
For information on server health checks, see “Configuring server health checks” on page 143.
Note: For a single server, there is no associated server health check, and therefore no icon in this column. To make server health checks for a single server, instead of configuring the policy with a Deployment Mode of Single Server, create a server farm and add that real server as the sole member, then select that server farm in the policy.
Close: Click to hide the widget. It no longer appears on the dashboard unless you add it again by clicking Add Content.
Refresh: Click to refresh the information displayed on the widget.

Policy Sessions widget

The Policy Sessions widget on the dashboard displays the number of server sessions that are currently governed by each policy.

Table 11: Policy Sessions widget

GUI item: Description
#: Shows the index number of the policy.
Policy: Shows the name of the policy. For information on policies, see “Configuring server policies” on page 118.
Session: Shows the total number of sessions currently being governed by the policy.
Close: Click to hide the widget. It no longer appears on the dashboard unless you add it again by clicking Add Content.
Refresh: Click to refresh the information displayed on the widget.

Configuring the network and VLAN interfaces

System > Network > Interface displays two interface types: the network interfaces that are associated with the physical ports on a FortiWeb unit, and if configured, the VLAN subinterfaces. For more information about VLAN subinterfaces, see “Adding a VLAN subinterface” on page 53.

You must always have at least one IP address configured on at least one FortiWeb network interface in order to connect your management computer to the FortiWeb unit CLI or the web-based manager.

Note: When the FortiWeb unit operates in true transparent proxy or transparent inspection mode and you configured a v-zone (bridge), do not configure any physical network interfaces other than port1. For details, see “Configuring v-zones (bridges)” on page 55.


Depending on your network topology and other considerations, you may need to configure one or more of the FortiWeb unit’s other network interfaces to enable the FortiWeb unit to connect to your network and to the web servers it protects. You can configure each network interface separately, with its own IP address, netmask, and accepted administrative access protocols.

To change settings in this part of the web-based manager, your administrator's account access profile must have Write permission to items in the Network Configuration category. For details, see “About permissions” on page 80.

Caution: Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb unit.

Note: You can restrict which IP addresses are permitted to log in as a FortiWeb administrator through the network interfaces. For details, see “Configuring administrator accounts” on page 75.

Table 12: System > Network > Interface tab

GUI item: Description
Create New: Click to create a new VLAN subinterface. For more information, see “Adding a VLAN subinterface” on page 53. Note: You cannot create a new network interface, only a VLAN subinterface. To view or modify an existing network interface, click the Edit icon.
(No column heading.): Shows an icon indicating that a description is available for the network interface. To view the description, hover your cursor over the icon.
Name: Shows the name of the network interface, usually directly associated with one physical link as indicated by its name, such as port1. Note: A pointer beside the name indicates there is a VLAN subinterface associated with the port. For more information, see “Adding a VLAN subinterface” on page 53.
IP/Netmask: Displays the IP address and netmask of the network interface, separated by a slash ( / ).
Access: Displays the administrative access services that are enabled on the network interface, such as HTTPS for the web-based manager. Note: Administrative access is not available for VLAN subinterfaces.
Status: Indicates the “up” (available) or “down” (unavailable) administrative status of the network interface.
• Green up arrow: The network interface is up and permitted to receive or transmit traffic. To disable the network interface, click Bring Down.
• Red down arrow: The network interface is down and not permitted to receive or transmit traffic. To enable the network interface, click Bring Up.
(No column heading.): Click the Edit icon to view or modify the settings of the network interface or VLAN subinterface. Click the Delete icon to remove a VLAN subinterface. Note: Network interfaces associated with a physical port cannot be deleted.
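The caution above on administrative access, and the IP/Netmask rules in the interface edit procedure that follows, are worth checking before you click OK, because a wrong address or an exposed login protocol is how administrators lock themselves out of a unit or expose it. The pre-flight check below is an added example written from this guide's stated rules; it is not code from the FortiWeb guide or from Fortinet. It assumes constructed interface records (port names, addresses, a default gateway of 10.10.10.1) and a hypothetical "trusted" flag meaning the interface faces your management network:

```python
"""Pre-flight checks before editing a FortiWeb-style network interface.

Added example; not code from the FortiWeb guide or from Fortinet. It encodes the
rules the Interface tab documents so they can be checked before clicking OK:
  * enable only HTTPS and SSH for administrative access, and only on interfaces
    facing a trusted management network (HTTP and Telnet are cleartext);
  * two network interfaces cannot have addresses on the same subnet;
  * a new address must stay in the subnet of the default gateway, or the
    static routes and gateway information are lost.
All interface records, addresses and the 'trusted' flag are constructed sample
data; 'trusted' is a hypothetical marker for an interface on the management LAN.
"""
import ipaddress
from dataclasses import dataclass, field

CLEARTEXT_ADMIN = {"HTTP", "TELNET"}               # can be intercepted by a third party
REMOTE_ADMIN = {"HTTPS", "HTTP", "SSH", "TELNET"}  # protocols that give an admin login


@dataclass
class Interface:
    name: str
    ip_netmask: str            # "10.10.10.5/24", as shown in the IP/Netmask column
    access: set = field(default_factory=set)
    trusted: bool = False      # hypothetical: faces the trusted management network

    @property
    def network(self):
        return ipaddress.ip_interface(self.ip_netmask).network


def audit_admin_access(interfaces):
    """Return WARN findings for cleartext or misplaced administrative access."""
    findings = []
    for iface in interfaces:
        weak = sorted(iface.access & CLEARTEXT_ADMIN)
        if weak:
            findings.append(f"WARN: {iface.name} allows cleartext admin protocol(s) {weak}")
        exposed = sorted(iface.access & REMOTE_ADMIN)
        if exposed and not iface.trusted:
            findings.append(f"WARN: {iface.name} exposes admin access {exposed} on an untrusted network")
    return findings


def check_address_change(interfaces, name, new_ip_netmask, gateway):
    """Return ERROR findings for changing interface `name` to `new_ip_netmask`.

    `gateway` is the default gateway address. An empty list means the change
    keeps every documented rule.
    """
    findings = []
    target = next((i for i in interfaces if i.name == name), None)
    if target is None:
        raise ValueError(f"unknown interface {name}")
    new_if = ipaddress.ip_interface(new_ip_netmask)
    # Rule: no two interfaces may have addresses on the same subnet.
    for other in interfaces:
        if other.name != name and other.network == new_if.network:
            findings.append(f"ERROR: {name} would share subnet {new_if.network} with {other.name}")
    # Rule: if the gateway is reached through this interface, it must stay reachable.
    gw = ipaddress.ip_address(gateway)
    if gw in target.network and gw not in new_if.network:
        findings.append(f"ERROR: gateway {gateway} is outside {new_if.network}; "
                        "static routes and the default gateway would be lost")
    return findings


def preflight(interfaces, name, new_ip_netmask, gateway):
    """Combine both checks: ERROR lines first, then WARN lines."""
    return check_address_change(interfaces, name, new_ip_netmask, gateway) + audit_admin_access(interfaces)


# Constructed sample configuration (not taken from any real unit).
SAMPLE_INTERFACES = [
    Interface("port1", "10.10.10.5/24", {"HTTPS", "SSH", "PING"}, trusted=True),
    Interface("port2", "192.0.2.1/24", {"HTTP", "PING"}, trusted=False),
]
SAMPLE_GATEWAY = "10.10.10.1"

if __name__ == "__main__":
    # Moving port1 onto port2's subnet: two ERRORs (shared subnet, lost gateway)
    # plus two WARNs about port2's cleartext, untrusted admin access.
    for line in preflight(SAMPLE_INTERFACES, "port1", "192.0.2.7/24", SAMPLE_GATEWAY):
        print(line)
```

Run it with the address you intend to set. An ERROR line means the change would either duplicate a subnet or strand the default gateway, both of which are described in the edit procedure as losing routes; a WARN line flags HTTP or Telnet, or any login protocol on an interface that does not face the management network, which is the exposure the caution above warns against.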


To edit a network interface
1 Go to System > Network > Interface.
2 In the row corresponding to a network interface, click the Edit icon.
3 Configure the following:

GUI item: Description
Name: Displays the name (such as port2) and media access control (MAC) address of this network interface.
IP/Netmask: Type the IP address/subnet mask. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet. Warning: If you are changing the interface’s IP address and you have configured a static route for the interface, the new IP address of the interface must be in the same subnet as the default gateway. Otherwise, all the static routes and the default gateway information will be lost.
Administrative Access: Enable the types of administrative access that you want to permit on this interface. Note: Administrative access is not available for VLAN subinterfaces.
HTTPS: Enable to allow secure HTTPS connections to the web-based manager through this network interface. For information on configuring the port number where the FortiWeb unit listens for these connections, see “Configuring the web-based manager’s global settings” on page 82.
PING: Enable to allow ICMP ping responses from this network interface.
HTTP: Enable to allow HTTP connections to the web-based manager through this network interface. For information on configuring the port number where the FortiWeb unit listens for these connections, see “Configuring the web-based manager’s global settings” on page 82. Caution: HTTP connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiWeb unit.
SSH: Enable to allow SSH connections to the CLI through this network interface.
SNMP: Enable to allow SNMP connections to this network interface. Note: This setting only configures which network interface will receive SNMP queries. To configure which network interface will send traffic, see “Configuring the SNMP agent” on page 66.


TELNET: Enable to allow Telnet connections to the CLI through this network interface. Caution: Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiWeb unit.
Description: Type a comment. The comment may be up to 63 characters long. This field is optional.

4 Click OK.
If you were connected to the web-based manager through this network interface and you changed the IP, you are now disconnected from it.
5 To access the web-based manager again, in your web browser, modify the URL to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 10.10.10.5, you would browse to https://10.10.10.5.
If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiWeb unit, you may also need to modify the IP address and subnet of your computer to match the FortiWeb unit’s new IP address.

Adding a VLAN subinterface

This section describes how a virtual local area network (VLAN) works with FortiWeb and how to add a VLAN subinterface to a network interface on the FortiWeb unit.

Similar to a local area network (LAN), an IEEE 802.1q VLAN reduces the size of a broadcast domain and thereby reduces the amount of broadcast traffic received by network hosts, improving network performance.

Unlike physical LANs, VLANs do not require you to install separate hardware switches and routers to achieve this effect. Instead, VLAN-compliant switches, such as FortiWeb units, restrict broadcast traffic based upon whether its VLAN ID matches that of the destination network. As such, VLAN trunks can be used to join physically distant broadcast domains as if they were close.

The VLAN ID is part of the tag that is inserted into each Ethernet frame in order to identify traffic for a specific VLAN. VLAN header addition is handled automatically by FortiWeb units, and does not require that you adjust the maximum transmission unit (MTU). Depending on whether the device receiving a packet operates at Layer 2 or Layer 3 of the network, this tag may be added, removed, or rewritten before forwarding to other nodes on the network.

For example, a Layer 2 switch or FortiWeb unit operating in true transparent proxy mode would typically add or remove a tag when forwarding traffic among members of the VLAN, but would not route tagged traffic to a different VLAN ID. In contrast, a FortiWeb unit operating in reverse proxy mode, inspecting the traffic to make routing decisions based upon higher-level layers/protocols, might route traffic between different VLAN IDs (also known as inter-VLAN routing) if indicated by its policy, such as if it has been configured to do WSDL-based routing.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see “About permissions” on page 80.
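To make the tagging behaviour described above concrete, here is an added example (not code from the FortiWeb guide or from Fortinet) that inserts and strips the 802.1Q tag on an Ethernet frame and models the Layer 2 forwarding decision of a transparent-mode bridge: a frame is delivered only to subinterfaces carrying the same VLAN ID and is never moved to another VLAN ID. The MAC addresses, payload and the port-to-VLAN map (port2, port3, port4) are constructed sample data, and the bridge model is a simplification that floods rather than learning MAC addresses.

```python
"""802.1Q tagging and Layer 2 forwarding, as described for VLAN subinterfaces.

Added example; not code from the FortiWeb guide or from Fortinet. It shows the
4-byte 802.1Q tag (TPID 0x8100 followed by the tag control information, whose
low 12 bits carry the VLAN ID) being inserted into and stripped from an Ethernet
frame, and models a Layer 2 forwarder in the style of a true-transparent-proxy
bridge: a frame is delivered only to subinterfaces whose VLAN ID matches its tag
and is never moved to another VLAN ID (no inter-VLAN routing). MAC addresses,
payloads and the port/VLAN map are constructed sample data.
"""
import struct

TPID_8021Q = 0x8100
MIN_VID, MAX_VID = 1, 4094   # usable 802.1Q VLAN IDs; 0 and 4095 are reserved


def is_valid_vid(vid):
    """True when vid is inside the range the VLAN ID field accepts."""
    return MIN_VID <= vid <= MAX_VID


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Return an Ethernet II frame; when `vid` is given, insert an 802.1Q tag."""
    frame = _mac_bytes(dst) + _mac_bytes(src)
    if vid is not None:
        if not is_valid_vid(vid):
            raise ValueError(f"VLAN ID {vid} outside {MIN_VID}-{MAX_VID}")
        tci = ((pcp & 0x7) << 13) | vid      # priority in the top 3 bits, DEI clear
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    (first,) = struct.unpack("!H", frame[12:14])
    if first == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, first, frame[14:]


def strip_tag(frame):
    """Remove the 802.1Q tag, as an access port does on egress."""
    if parse_frame(frame)[2] is None:
        return frame
    return frame[:12] + frame[16:]


def bridge_forward(frame, ingress, subinterfaces):
    """Model a transparent-mode bridge with tagged subinterfaces.

    `subinterfaces` maps port name -> VLAN ID. The frame is flooded to every
    other port configured with the same VLAN ID; nothing is rewritten and the
    frame is never delivered to a port on a different VLAN ID, matching the
    behaviour described for true transparent proxy mode. Untagged frames and
    frames for a VLAN ID no other port carries are dropped.
    """
    vid = parse_frame(frame)[2]
    if vid is None:
        return []
    return sorted(port for port, port_vid in subinterfaces.items()
                  if port != ingress and port_vid == vid)


# Constructed sample: three ports, two of them on VLAN 100 and one on VLAN 200.
SAMPLE_PORTS = {"port2": 100, "port3": 200, "port4": 100}

if __name__ == "__main__":
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800,
                         b"constructed payload", vid=100)
    print(parse_frame(tagged))
    print(bridge_forward(tagged, "port2", SAMPLE_PORTS))   # only port4 shares VLAN 100
```

The VLAN ID check uses the 1 to 4094 range that 802.1Q allows, which is the same range the VLAN ID field accepts; the forwarding model only shows the VLAN ID boundary, so a broadcast tagged 100 arriving on port2 reaches port4 and never port3, and a frame tagged with a VLAN ID that no other port carries is dropped.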


Table 13: Interface tab with VLAN subinterface

To add a VLAN subinterface

1 Go to System > Network > Interface.2 Click Create New.3 Configure the following:

GUI item DescriptionCreate New Click to create a new VLAN subinterface.

(No column heading.)

Displays an icon indicating that a description is available for the network interface. To view the description, hover your cursor over the icon.Note: VLAN subinterfaces do not provide a description.

Name If a VLAN subinterface exists, a pointer appears beside the name of the network interface. Click the pointer to expand the list of VLANs associated with the network interface.

IP/Netmask Displays the IP address and netmask of the VLAN subinterface, separated by a slash ( / ).

Access Displays the administrative access services that are enabled on the network interface.Note: VLAN subinterfaces do not permit administrative access.

Status Indicates the “up” (available) or “down” (unavailable) administrative status of the network interface.• Green up arrow: The network interface is up and permitted to receive or

transmit traffic. To disable the network interface, click Bring Down.• Red down arrow: The network interface is down and not permitted to

receive or transmit traffic. To enable the network interface, click Bring Up.

(No column heading.)

Click the Edit icon to view or modify the settings of the VLAN subinterface.Click the Delete icon to remove a VLAN subinterface.

[Table 13 screenshot callouts: VLAN subinterface name, VLAN indicator, Edit icon, Network interface description]

Note: When the FortiWeb unit operates in either of the transparent modes, VLAN subinterfaces do not support Cisco discovery protocol (CDP).


4 Click OK.

Configuring v-zones (bridges)

System > Network > V-zone lists any network ports configured as bridges.

Bridges allow network connections to travel through the FortiWeb unit’s physical network ports without explicitly connecting to one of its IP addresses.

Use bridges only when:
• the FortiWeb unit operates in true transparent proxy or transparent inspection mode,

and

GUI item Description
Name Type the name (such as vlan_100) of this VLAN subinterface.

You cannot modify this field if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.

Type Indicates whether the interface is directly associated with a physical network port, or is instead a VLAN subinterface.
This option is set by the system automatically and cannot be changed.

Interface Select the name of the network interface with which the VLAN subinterface will be associated.

VLAN ID Type the VLAN ID of packets that belong to this VLAN subinterface.
• If one physical network port (that is, a VLAN trunk) will handle multiple VLANs, create multiple VLAN subinterfaces on that port, one for each VLAN ID that will be received.
• If multiple different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs.
The valid range is between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For the maximum number of interfaces for your FortiWeb model, including VLAN subinterfaces, see “Appendix B: Maximum values” on page 397.
Note: Inter-VLAN routing is not supported if the FortiWeb unit is operating in true transparent proxy mode. In that case, you must configure the same VLAN IDs on each physical network port.

IP/Netmask Type the IP address/subnet mask associated with the VLAN, if any. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet.


• you want to deploy FortiWeb between incoming connections and the web server it is protecting, without changing your IP address scheme or performing routing or network address translation (NAT)

In that case, do not assign IP addresses to the ports that you will connect to either the web server or to the overall network. Instead, group the two physical network ports by adding their associated network interfaces to a bridge.

Bridges on the FortiWeb unit support IEEE 802.1D spanning tree protocol (STP) and, therefore, do not require that you manually test the bridged network for Layer 2 loops. Bridges are also capable of electing a root switch and building a tree on their own that uses the minimum-cost path to the root switch, although you may prefer to design the tree manually for design and performance reasons.

True bridges typically have no IP address of their own. They use only media access control (MAC) addresses to describe the location of physical ports within the scope of their network and do network switching at Layer 2 of the OSI model. However, if you require the ability to use an IP address to use ICMP ECHO requests (ping) to test connectivity with the physical ports comprising the bridge, you can assign an IP address to the bridge and thereby create a virtual network interface that will respond.

To configure a bridge in the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see “About permissions” on page 80.

Table 14: System > Network > V-zone tab

Note: If you prefer to disable STP, see the config system v-zone command in the FortiWeb CLI Reference.

GUI item Description
Name Displays the name of the v-zone (bridge).


To configure a v-zone (bridge)

1 Go to System > Network > V-zone.
2 Click Create New, or, in the row corresponding to an existing bridge, click the Edit icon.
3 Configure the following:

Interface name Displays the name and current status (in parentheses) of each network port that belongs to the bridge, such as port4 (forwarding). Possible states include:
• listening: The port is up and, by using the spanning tree protocol (STP), has determined that it will participate in forwarding frames. It is receiving bridge protocol data units (BPDUs) that tell it about its distance from the root switch, but it is not yet transmitting BPDUs about itself or forwarding frames, and is not yet learning.
• learning: The port is building a database of media access control (MAC) addresses of the network nodes that are connected on the Ethernet network in order to discover which links in the tree are functional. It continues to receive BPDUs, but now it is also transmitting BPDUs to allow the spanning tree to learn about its existence in preparation for forwarding. The time required to learn the spanning tree varies by the size of the network, but can be many seconds.
• forwarding: Learning is sufficient for the port to be capable of forwarding frames. It continues to receive and forward BPDUs and update its database of MAC addresses, and, therefore, may leave this state if STP detects a topology change that requires this port to, for example, block instead of forward frames in order to maintain a valid, non-looping tree. This is the usual state during normal operation.
• disabled: The port was automatically disabled. Its network cable may be disconnected or the link is otherwise broken. The cause must be corrected before the port can function in the bridge.
• blocked: The port was automatically disabled in order to prevent a Layer 2 loop in the spanning tree, because its link is redundant with another part of the tree. It is on standby and could be automatically enabled in failover scenarios, if the redundant part of the tree fails. If you do not want this port to remain disabled, you must remove the redundant part of the tree that causes this port to be blocked.

(No column heading.)

Click the Edit icon to view or modify the settings of the bridge. For details, see “Configuring the network and VLAN interfaces” on page 50.

GUI item Description
Name Type the name of the v-zone (bridge).


4 Click OK.

In the Interface name column, each network interface’s status is in parentheses next to the name of the port, such as port4 (forwarding). Depending on the status, each port in the bridge may or may not be immediately functional. For details, see “Interface name” on page 57.

5 Connect one of the physical ports in the bridge to your protected servers, and the other port to your overall network.

Configuring fail-open

If your unit supports fail-open, selecting System > Network > Fail-open enables you to configure fail-to-wire behavior in the event that the FortiWeb unit is shut down, rebooted, or unexpectedly loses power.

For FortiWeb units and operation modes that support fail-open, this feature allows connections to pass through unfiltered when powered off. This may be useful if you are required by contract to provide uninterrupted connectivity, or if you consider connectivity interruption to be a greater risk than being open to attack during the power interruption. Select either:
• PowerOff-Bypass: Behave as a wire when powered off, allowing connections to pass through, bypassing policy and profile filtering.
• PowerOff-Cutoff: Interrupt connectivity when powered off.

Configuring the DNS settings

System > Network > DNS enables you to configure the FortiWeb unit with its local domain name, and the IP addresses of the domain name system (DNS) servers that the FortiWeb unit will query to resolve domain names such as www.example.com into IP addresses.

FortiWeb units require connectivity to DNS servers for DNS lookups. Your Internet service provider (ISP) may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers.

IP/Netmask The FortiWeb unit is set to a default IP/Netmask of 0.0.0.0/0.0.0.0. To create a true bridge without its own IP address, enter a unique IP/Netmask for your location.
Note: When operating in either of the transparent modes, failure to change the IP/Netmask for your location will result in an Invalid IP Address error message.
To create a virtual network interface that can respond to ICMP ECHO (ping) requests, enter an IP address/subnet mask for the virtual network interface.

Interface name Displays a list of network interfaces that currently have no IP address of their own, are not members of another bridge, and which therefore could be members of this bridge.
To add a pair of network interfaces to the bridge, select them and click the right arrow.
Note: In either of the transparent modes, port1 cannot be included in a bridge. It is configured with an IP address to allow CLI and web-based manager connections.

Member Displays a list of network interfaces that belong to this bridge.

Note: Fail-open is supported only when the FortiWeb unit operates in true transparent proxy (TTP) mode or transparent inspection (TI) mode, and only for models with a CP7 processor, such as the FortiWeb-1000C and FortiWeb-3000C. Fail-open is disabled if the FortiWeb unit is configured as a high availability master or backup.


To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see “About permissions” on page 80.

Table 15: System > Network > DNS tab

Synchronizing configurations

System > Config > Config-Synchronization enables you to synchronize the configuration information on the local FortiWeb unit with a peer (remote) FortiWeb unit. As a result, the configuration information on the peer FortiWeb unit is updated with that of the local FortiWeb unit. This type of configuration synchronization is useful in the following scenario:
• two FortiWeb units are used in an environment where high availability (HA) or load-balancing is performed by the gateway or the router
• the two FortiWeb units are not part of a high availability (HA) pair, but the units are required to have the same security policies

Essentially, synchronization relieves you of the need to update policies on two FortiWeb units whenever policies or settings change. The second unit updates its settings automatically from the other.

Note: For improved performance, use DNS servers on your local network.

GUI item Description
Primary DNS Server Type the IP address of the primary DNS server.

Secondary DNS Server Type the IP address of the secondary DNS server.

Local Domain Name Type the name of the local domain to which the FortiWeb unit belongs, if any. This field is optional. It will not appear in the Host: field of HTTP headers for client connections to protected web servers.


Figure 20: Example scenario for configuration synchronization

There are two levels of configuration synchronization: full and partial.

Full synchronization updates all configuration files on the peer FortiWeb unit, except for the following:
• Network interfaces define the physical connection of the FortiWeb unit to the network (management IP) and must remain unchanged. For more information, see “Configuring the network and VLAN interfaces” on page 50.
• Configuration data for administrator accounts, access profiles and administrator settings must remain unchanged. For more information, see “Configuring administrator accounts” on page 75.

Partial synchronization updates all configuration files on the peer FortiWeb unit, with the exception of:
• All configurations on the System menu. For more information, see “System” on page 41.
• Router > Static configurations. For more information, see “Router” on page 105.
• Server Policy > Policy configurations. For more information, see “Configuring server policies” on page 118.
• Server Policy > Server configurations. For more information, see “Configuring servers” on page 129.
• Server Policy > Server Health Check configurations. For more information, see “Configuring server health checks” on page 143.
• Server Policy > Service configurations. For more information, see “Configuring services” on page 145.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see “About permissions” on page 80.

Note: The Full synchronization option is not available in the reverse proxy operation mode.


Table 16: System > Config > Config-Synchronization tab

Configuring high availability (HA)

System > Config > HA-Config enables you to configure a FortiWeb unit to operate as one of two units in an active-passive high availability (HA) pair.

FortiWeb units that are joined as an HA pair enhance availability. To distinguish the units in an HA pair, each unit is configured with a unique HA operating mode. The HA mode determines whether the unit operates as a master HA unit or a backup HA unit. Functionally, there is no difference between the master and backup. Before configuring HA, verify that your FortiWeb units meet the HA requirements:
• You have two FortiWeb units.
• The units are the same hardware model (for example, both FortiWeb-1000C).
• The units have identical firmware versions installed.
• There is a redundant network topology in place: if the master fails, physical network cabling and routes must redirect web traffic to the backup.
• To carry heartbeat and synchronization traffic between the HA pair, the heartbeat interface on both HA units must be connected through Ethernet crossover cables or through switches.

GUI item Description
Peer FortiWeb IP Type the IP address of the remote FortiWeb unit that you want to synchronize with the local FortiWeb unit.

Test Select to test the connection between the local FortiWeb unit and the remote FortiWeb unit.

Peer FortiWeb Port Type the port number of the remote FortiWeb unit that is used for config synchronization. The default port is 8333. For more information about how to set the port number for configuration synchronization, see “Configuring the web-based manager’s global settings” on page 82.

Peer FortiWeb Password Enter the administrator password for the remote FortiWeb unit.

Synchronization Type Select either Partial or Full (note that Full configuration sync is not available in the reverse proxy operation mode). For details, see the previous descriptions in this topic.

Synchronize Click to initiate the synchronization of configuration information from the local FortiWeb unit to the peer FortiWeb unit.

Note: If a switch is used to connect the heartbeat interfaces, the heartbeat interfaces must be reachable by Layer 2 multicast.


For more information on heartbeat and synchronization, see “About the heartbeat and synchronization” on page 65.

You can have more than one HA pair on the same network as long as each pair has a different group ID.

Each unit in the HA pair also has an Effective HA mode attribute. This mode defines whether the HA unit is the main working unit or a backup unit. The main working unit is responsible for scanning web traffic. The backup unit does not scan web traffic but is ready to take over if a failure occurs in the main working unit. The main and backup units synchronize and detect failures by communicating through a heartbeat interface that connects the two units in the HA pair. Failure is assumed when the main unit is unresponsive to a heartbeat signal from the backup unit for a configured amount of time (Detection interval x Heartbeat lost threshold). If the main working unit fails, the two units in the HA pair switch their effective HA modes: standby becomes main, and main becomes a standby. The IP address carrying web traffic is transferred automatically to the unit whose effective HA mode is the main working unit. The master and backup HA modes do not change. In a failure situation, the amount of time that it takes the backup unit to take over from the main unit varies by your network’s responsiveness to changeover notification and by your configuration (ARP packet numbers x ARP packet interval).

Figure 21 shows an example HA network topology with IP address transfer from the main unit to the backup unit upon failover. In this example, the heartbeat interfaces are connected with crossover Ethernet cables.

Figure 21: HA topology and failover - Ethernet cable connection for heartbeat

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see “About permissions” on page 80.

[Figure 21 diagram labels: Client, Internet, Firewall, FortiWeb HA pair with Master (main) and Backup (standby) units connected by a Heartbeat Interface (Primary, Secondary); port1 10.0.0.1 and port2 192.168.1.1, IP addresses transfer upon failover; Switch; Web Server 1 192.168.1.2/24; Web Server 2 192.168.1.3/24]


Table 17: System > Config > HA-Config tab

GUI item Description
Configured HA mode Select one of the following as the HA operating mode:
• MASTER: A FortiWeb unit configured with a master HA mode will form an HA pair with another FortiWeb unit whose HA synchronize group ID matches that defined on the master, and whose Heartbeat Interface is connected to the master by Ethernet crossover cables or through switches. The master initially acts as the main working unit in the HA pair and scans web traffic.
• BACKUP: A FortiWeb unit configured with a backup HA mode will form an HA pair with another FortiWeb unit whose HA synchronize group ID matches that defined on the backup, and whose Heartbeat Interface is connected to the backup by Ethernet crossover cables or through switches. The backup unit initially acts as the backup unit in the HA pair and does not scan web traffic.
If the backup detects through the heartbeat interface that the master has failed, the backup automatically begins acting as the main working unit in the HA pair and broadcasts ARP packets to notify the network of the changeover. The network interface IP address is transferred to the backup, and the backup takes over scanning web traffic. The master becomes a standby working unit.
The backup does not revert to a standby role if it detects that the master is once again available. Instead, another failover must occur in order to cause the master to become the main unit once again. Or you can manually switch the roles of the master and backup units.
• STANDALONE: Do not operate as a member of an HA pair. Instead, operate as a single, independent FortiWeb unit. No other dialog options appear when this option is in effect.
The default value is STANDALONE.

Effective HA mode

The effective HA mode defines whether the HA unit is the main working unit or a backup unit. The main working unit is responsible for scanning web traffic. The backup unit does not scan web traffic but is ready to take over if a failure occurs in the main working unit.


HA synchronize group ID

Enter a number that identifies the HA pair. Both members of the HA pair must have the same group ID. If you have more than one HA pair on the same network, each HA pair must have a different group ID. Changing the group ID changes the cluster’s virtual MAC address.
The default value is 0. The valid range is 0 to 63.

Detection interval

Enter the number of 100-millisecond intervals between each heartbeat packet that the FortiWeb unit sends to the other FortiWeb unit in the HA pair. This is also the amount of time that a FortiWeb unit waits before expecting to receive a heartbeat packet from the other unit.
This part of the configuration is synchronized between the main unit and backup unit.
The default value is 1 (that is, 100 milliseconds). The valid range is 1 to 20 (that is, between 100 and 2,000 milliseconds).
Note: Although this setting is synchronized between the main unit and the backup unit, you should initially configure both units with the same Detection interval to prevent inadvertent failover from occurring before the initial synchronization.

Heartbeat lost threshold

Enter the number of heartbeat intervals that one of the HA units retries the heartbeat and waits to receive HA heartbeat packets from the other HA unit before assuming that the other unit has failed.
This part of the configuration is synchronized between the main unit and backup unit.
Normally, you do not need to change this setting. Exceptions include:
• Increase the failure detection threshold if a failure is detected when none has actually occurred. For example, during peak traffic times, if the main unit is very busy, it might not respond to heartbeat packets in time, and the backup unit may assume that the main unit has failed.
• Reduce the failure detection threshold or detection interval if administrators and HTTP clients have to wait too long before being able to connect through the main unit, resulting in noticeable down time.
The default value is 1. The valid range is from 1 to 60.
Note: Although this setting is synchronized between the main unit and the backup unit, you should initially configure both units with the same Heartbeat lost threshold to prevent inadvertent failover from occurring before the initial synchronization.

ARP packet numbers

Enter the number of times that the FortiWeb unit will broadcast address resolution protocol (ARP) packets when it takes on the main role in order to notify the network that a new physical port has become associated with the HA pair IP address and virtual MAC. This is sometimes called “using gratuitous ARP packets to train the network,” and can occur when the main unit is starting up, or during a failover. Also configure ARP packet interval.
Normally, you do not need to change this setting. Exceptions include:
• Increase the number of times the main unit sends gratuitous ARP packets if your HA pair takes a long time to fail over or to train the network. Sending more gratuitous ARP packets may help the failover to happen faster.
• Decrease the number of times the main unit sends gratuitous ARP packets if your HA pair has a large number of VLAN interfaces and virtual domains. Because gratuitous ARP packets are broadcast, sending gratuitous ARP packets may generate a large amount of network traffic. As long as the HA pair still fails over successfully, you could reduce the number of times gratuitous ARP packets are sent to reduce the amount of traffic produced by a failover.

The default value is 3. The valid range is 1 to 16.


About the heartbeat and synchronization

To keep the configurations concurrent so the backup unit in an HA pair will be ready in case of failover, HA pairs synchronize their configuration every 30 seconds. Synchronization includes WSDL files, certificates, and schema files. (HTTP sessions, state data related to protection profile features, and log messages, however, are not synchronized. Upon failover, sessions must be re-formed with the new main unit.)

Only the FortiWeb unit currently acting as the main unit (scanning web traffic) is configured with IP addresses on its network interface. The backup unit uses the configured IP addresses only if a failover occurs and it must therefore assume the role of the main unit.

Heartbeat and synchronization traffic occur over the network interface ports that you have configured in Heartbeat Interface. Heartbeat and synchronization are performed through multicast UDP on port numbers 5055 (heartbeat) and 5056 (synchronization). The multicast IP address 224.0.0.1 is hard-coded, and cannot be configured.

ARP packet interval

Enter the number of seconds to wait between each time that the FortiWeb unit broadcasts ARP packets.
Normally, you do not need to change this setting. Exceptions include:
• Decrease the interval if your HA pair takes a long time to fail over or to train the network. Sending ARP packets more frequently may help the failover to happen faster.
• Increase the interval if your HA pair has a large number of VLAN interfaces and virtual domains. Because gratuitous ARP packets are broadcast, sending gratuitous ARP packets may generate a large amount of network traffic. As long as the HA pair still fails over successfully, you could increase the interval between when gratuitous ARP packets are sent to reduce the rate of traffic produced by a failover.

The default value is 1. The valid range is from 1 to 20.

Port Monitor Enable to monitor for link failure the network interfaces that correlate directly to a physical port.
Port monitoring (also called interface monitoring) monitors physical network ports to verify that they are functioning properly and connected to their networks. If the physical port fails or becomes disconnected, a failover will occur.
Note: To prevent unintentional failover, do not configure port monitoring until you have configured HA on both units in the HA pair, and connected the physical network ports that will be monitored.

Heartbeat Interface

Select the ports on the FortiWeb unit that the main unit and backup unit will use to send heartbeat signals between each other. The heartbeat interface must be defined on each unit in the HA pair. Port matching is not necessary. If enough ports are available, you can select a primary heartbeat interface and a secondary heartbeat interface on each unit in the HA pair for redundancy. You cannot use the same port for both the primary and secondary heartbeat interface on the same unit. Ports that currently have an IP address assigned for other purposes (that is, virtual servers or bridges) are disabled.
Note: Heartbeat interfaces can be connected through Ethernet crossover cables or through switches. If a switch is used to connect the heartbeat interfaces, the heartbeat interfaces must be reachable by Layer 2 multicast.

Note: If an HA pair is not configured, you can still synchronize the configuration between the local FortiWeb unit and its peers. For more information, see “Synchronizing configurations” on page 59.

Note: Since backup units do not have IP addresses, the backup unit can only be accessed through the local console. For more information on using the local console’s CLI, see the FortiWeb CLI Reference.


Failover is triggered by any interruption to either the heartbeat or a port-monitored network interface whose length of time exceeds your configured limits (Detection interval x Heartbeat lost threshold). While the main unit is unresponsive, the backup unit does the following:
1 notifies the network that the IP addresses are now associated with its virtual MAC addresses
2 performs the role of the main unit and scans network traffic

The HA units will not change roles when the failed unit resumes responsiveness to the heartbeat. Instead, a second failover must occur to cause the HA units to change roles again. You can manually switch over the roles if desired.

Because log messages are not synchronized, after a failover, you may notice that there is a gap in the master log files that corresponds to the period of its down time. Log files are stored on the backup during the time when the backup is acting as the main unit subsequent to a failover.
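The failure-detection and ARP network-training timing described above, modelled as an added example that is not Fortinet's code and not part of this guide: it validates the HA-Config ranges, computes Detection interval x Heartbeat lost threshold and ARP packet numbers x ARP packet interval, and replays constructed heartbeat arrival times to show how a busy main unit can trigger a spurious failover at the default threshold. The HaTiming, detect_failure and is_valid_timing names, and the sample heartbeat times, are assumptions of the example.

```python
# Added example (not Fortinet's code and not run by a FortiWeb unit): a model of
# the HA failure-detection and gratuitous-ARP "network training" timing described
# in this section. Parameter names, defaults and valid ranges come from the
# HA-Config table; the heartbeat timestamps are constructed sample data.
from dataclasses import dataclass
from typing import Optional, Sequence

# Valid ranges from the HA-Config table. Detection interval is counted in
# 100 ms units, ARP packet interval in seconds.
RANGES = {
    "detection_interval": (1, 20),
    "heartbeat_lost_threshold": (1, 60),
    "arp_packet_numbers": (1, 16),
    "arp_packet_interval": (1, 20),
}


@dataclass(frozen=True)
class HaTiming:
    """HA-Config timing parameters, initialised to the documented defaults."""
    detection_interval: int = 1        # x 100 ms
    heartbeat_lost_threshold: int = 1  # heartbeat intervals
    arp_packet_numbers: int = 3        # gratuitous ARP broadcasts per failover
    arp_packet_interval: int = 1       # seconds between ARP broadcasts

    def __post_init__(self) -> None:
        for name, (low, high) in RANGES.items():
            value = getattr(self, name)
            if not low <= value <= high:
                raise ValueError(f"{name}={value} outside valid range {low}..{high}")

    def failure_detection_ms(self) -> int:
        """Time without a heartbeat before the peer is assumed failed:
        Detection interval x Heartbeat lost threshold, in milliseconds."""
        return self.detection_interval * 100 * self.heartbeat_lost_threshold

    def arp_training_ms(self) -> int:
        """Time spent broadcasting gratuitous ARP after taking the main role:
        ARP packet numbers x ARP packet interval, in milliseconds."""
        return self.arp_packet_numbers * self.arp_packet_interval * 1000

    def failover_budget_ms(self) -> int:
        """Upper bound on the outage as seen by clients, before the network's
        own responsiveness to the ARP change-over is counted."""
        return self.failure_detection_ms() + self.arp_training_ms()


def is_valid_timing(**params: int) -> bool:
    """True if the given HA-Config values are all inside their valid ranges."""
    try:
        HaTiming(**params)
    except ValueError:
        return False
    return True


def detect_failure(heartbeats_ms: Sequence[int], now_ms: int,
                   timing: HaTiming) -> Optional[int]:
    """Replay the heartbeats a backup unit received (arrival times in ms) and
    return the time at which it would declare the main unit failed, or None if
    every gap, including the one up to now_ms, stays within the limit."""
    limit = timing.failure_detection_ms()
    last = heartbeats_ms[0]
    for arrival in heartbeats_ms[1:]:
        if arrival - last > limit:
            return last + limit        # failover declared before this heartbeat
        last = arrival
    if now_ms - last > limit:
        return last + limit
    return None


# Constructed sample: a main unit under peak load answers the heartbeat due at
# 300 ms only at 450 ms (the "busy main unit" case from the Heartbeat lost
# threshold row), then goes silent after 550 ms.
BUSY_MAIN_HEARTBEATS_MS = (0, 100, 200, 450, 550)

if __name__ == "__main__":
    defaults = HaTiming()
    tolerant = HaTiming(heartbeat_lost_threshold=3)
    print("default detection window:", defaults.failure_detection_ms(), "ms")
    # With the defaults the single late heartbeat triggers a failover at 300 ms.
    print("defaults, t=600:", detect_failure(BUSY_MAIN_HEARTBEATS_MS, 600, defaults))
    # Raising the threshold to 3 tolerates the 250 ms gap ...
    print("threshold 3, t=600:", detect_failure(BUSY_MAIN_HEARTBEATS_MS, 600, tolerant))
    # ... but still detects the real outage 300 ms after the last heartbeat.
    print("threshold 3, t=2000:", detect_failure(BUSY_MAIN_HEARTBEATS_MS, 2000, tolerant))
    print("worst-case failover budget:", tolerant.failover_budget_ms(), "ms")
```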

Configuring the SNMP agent

System > Config > SNMP enables you to configure the FortiWeb unit’s simple network management protocol (SNMP) agent to allow queries for system information and to send traps (alarms or event messages) to the computer that you designate as its SNMP manager. In this way you can use an SNMP manager to monitor the FortiWeb unit.

Before you can use SNMP, you must activate the FortiWeb unit’s SNMP agent and add it as a member of at least one community. You must also enable SNMP access on the network interface through which the SNMP manager connects. (See “Configuring the network and VLAN interfaces” on page 50.)

On the SNMP manager, you must also verify that the SNMP manager is a member of the community to which the FortiWeb unit belongs, and compile the necessary Fortinet-proprietary management information bases (MIBs) and Fortinet-supported standard MIBs. For information on MIBs, see “Appendix C: SNMP MIB support” on page 399.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see “About permissions” on page 80.

To configure the SNMP agent

1 Go to System > Config > SNMP.
2 Configure the following and click OK.

Note: If switches are used to connect heartbeat interfaces between an HA pair, the heartbeat interfaces must be reachable by Layer 2 multicast.

Caution: Failure to configure the SNMP manager as a host in a community to which the FortiWeb unit belongs, or to supply it with required MIBs, will make the SNMP monitor unable to query or receive traps from the FortiWeb unit.


Table 18: Configuring an SNMP Agent

GUI item Description
SNMP Agent Select to activate the SNMP agent, so that the FortiWeb unit can send traps and receive queries for the communities in which you have enabled queries and traps.
For more information on communities, see “Configuring an SNMP community” on page 68.

Description Enter a comment about the FortiWeb unit. The description can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

Location Enter the physical location of the FortiWeb unit. The location can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

Contact Enter the contact information for the administrator or other person responsible for this FortiWeb unit, such as a phone number or name. The contact information can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

Apply Click to save changes made to the description, location, and contact information.

Create New Click Create New to add a new SNMP community. You can add up to three communities. You must add at least one community for SNMP to be functional.For more information, see “Configuring an SNMP community” on page 68.

Communities The list of SNMP communities to which the FortiWeb unit belongs.

Name The name of the SNMP community.

Queries Whether or not the SNMP manager of the community is permitted to query the FortiWeb unit.

Traps Whether or not the FortiWeb unit will send traps to the SNMP manager of the community.

Enable Select to activate the SNMP community.

(No column heading.)

Click the Delete icon to remove an SNMP community.Click the Edit icon to view or modify an SNMP community. For more information, see “Configuring an SNMP community” on page 68.

EditDelete


Configuring an SNMP community

An SNMP community is a grouping of equipment for network administration purposes. You must configure your FortiWeb unit to belong to at least one SNMP community so that the community’s SNMP managers can query the FortiWeb unit’s system information and receive SNMP traps from the FortiWeb unit. You can add up to three SNMP communities. Each community can have a different configuration for queries and traps, and the set of events that trigger a trap. You can also add the IP addresses of up to eight SNMP managers to each community to designate the destination of traps and which IP addresses are permitted to query the FortiWeb unit.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see “About permissions” on page 80.

To add an SNMP community to the FortiWeb unit’s SNMP agent
1 Go to System > Config > SNMP.
2 Click Create New.
3 Configure the following, then click OK:

Table 19: Configuring an SNMP Community

GUI item | Description
Community Name | Enter the name of the SNMP community to which the FortiWeb unit and at least one SNMP manager belong. The FortiWeb unit will not respond to SNMP managers whose query packets do not contain a matching community name. Similarly, trap packets from the FortiWeb unit will include the community name, and an SNMP manager may not accept the trap if its community name does not match. In SNMP v1 and v2c the community name is sent in cleartext and is the only access control on queries, so treat it as a password: do not use a default such as public, and restrict Hosts to specific manager addresses.
Hosts: IP Address | Enter the IP address of the SNMP manager that, if traps or queries are enabled in this community, will receive traps from the FortiWeb unit and will be permitted to query the FortiWeb unit. SNMP managers have read-only access. To allow any IP address using this SNMP community name to query the FortiWeb unit, enter 0.0.0.0. Note: Entering 0.0.0.0 effectively disables traps if there are no other host IP entries, because there is no specific destination for trap packets. If you do not want to disable traps, you must add at least one other entry that specifies the IP address of an SNMP manager.
Hosts: Interface | Select either ANY or the name of the network interface from which the FortiWeb unit will send traps and reply to queries. Note: You must select a specific network interface if the SNMP manager is not on the same subnet as the FortiWeb unit. This can occur if the SNMP manager is on the Internet or behind a router. Note: This option only configures which network interface will send SNMP traffic. To configure which network interface will receive queries, see “Configuring the network and VLAN interfaces” on page 50.
Hosts: Delete | Click to remove an SNMP manager from the SNMP community configuration.
Hosts: Add | Click to add an SNMP manager entry. You can add up to eight SNMP managers to each community.
Queries | Enter the port number (161 by default) on which the FortiWeb unit listens for SNMP queries from the SNMP managers in this community, then enable queries for either or both SNMP v1 and SNMP v2c.
Traps | Enter the port number (162 by default) that will be the source (Local) port number and destination (Remote) port number for trap packets sent to SNMP managers in this community, then enable traps for either or both SNMP v1 and SNMP v2c.
SNMP Event | Enable the types of SNMP traps that you want the FortiWeb unit to send to the SNMP managers in this community. (See Figure 22 on page 70.) While most trap events are described by their names, the following events occur when a threshold has been exceeded: CPU Overusage (CPU usage has exceeded 80%) and Memory Low (memory (RAM) usage has exceeded 80%). For more information on supported traps and queries, see “Appendix C: SNMP MIB support” on page 399.
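The community and host rules in Table 19 are the only access control that SNMP v1 and v2c offer, and the community name travels in cleartext. The following Python is an added example, not Fortinet code and not taken from this guide: it hand-encodes (BER) an SNMPv2c GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) so the community string can be seen in the bytes, then models the documented agent decision (queries enabled, matching community name, source listed under Hosts or 0.0.0.0 present) and the 0.0.0.0 trap pitfall. The community names and manager addresses are hypothetical.

```python
# Added example: SNMPv2c GetRequest built by hand, plus the community/host rules
# an agent configured as in Table 19 applies. Not Fortinet code; names and
# addresses below are constructed for the demonstration.

def ber_len(n):
    """BER definite length: one byte below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n):
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunks))
    return tlv(0x06, bytes(out))

def build_get_request(community, oid, request_id=1, version=1):
    """SNMP message: version (0 = v1, 1 = v2c), community, GetRequest-PDU (tag 0xA0)."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))      # OID with NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element), handling long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def community_from_wire(packet):
    """What anyone capturing the packet sees: the version and community, unencrypted."""
    _, msg, _ = read_tlv(packet)
    _, ver, p = read_tlv(msg)
    _, comm, _ = read_tlv(msg, p)
    return int.from_bytes(ver, "big", signed=True), comm.decode()

def agent_accepts_query(community_cfg, src_ip, packet):
    """Model of the documented rule: queries enabled, community name matches,
    and the source is a listed host (0.0.0.0 meaning any host)."""
    if not community_cfg["queries"]:
        return False
    if community_from_wire(packet)[1] != community_cfg["name"]:
        return False
    return "0.0.0.0" in community_cfg["hosts"] or src_ip in community_cfg["hosts"]

def trap_destinations(community_cfg):
    """0.0.0.0 is not a trap destination: with no other host entry, traps go nowhere."""
    if not community_cfg["traps"]:
        return []
    return [h for h in community_cfg["hosts"] if h != "0.0.0.0"]

# Constructed configurations (hypothetical community names and manager addresses).
WEAK_COMMUNITY = {"name": "public", "hosts": ["0.0.0.0"], "queries": True, "traps": True}
STRICT_COMMUNITY = {"name": "n0c-r0-7kq2", "hosts": ["10.20.30.40"], "queries": True, "traps": True}

if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex())
    print(community_from_wire(pkt))            # (1, 'public') readable on the wire
    print(trap_destinations(WEAK_COMMUNITY))   # [] : 0.0.0.0 alone disables traps
```

The bytes can be sent to the agent’s query port (161 by default) over UDP with a plain socket. The hex dump makes the practical point of the Community Name and Hosts rows: the community string is visible to anyone on the path, so it should be a non-default value, and Hosts should name specific managers rather than rely on 0.0.0.0, which also leaves traps with no destination.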


Figure 22: SNMP Events

Configuring DoS protection

Go to System > Config > DOS Protection to configure protection from TCP SYN flood-style denial of service (DoS) attacks. Once you configure DoS protection, the FortiWeb unit automatically applies it to connections matching any server policy.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see “About permissions” on page 80.
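The two settings on this page, Syn Cookie and Half Open Threshold, are easier to reason about with a small model. The following Python is an added example, not FortiWeb code (this guide does not publish FortiWeb’s algorithms): a literal model of the documented Half Open Threshold rule run over constructed packet records, and a generic HMAC-based SYN cookie of the kind the Syn Cookie option refers to. The addresses, the threshold values and the secret are constructed for the demonstration.

```python
# Added example, not FortiWeb code: (1) the Half Open Threshold rule as documented,
# applied to constructed packet records; (2) a generic stateless SYN cookie.
import hashlib
import hmac
from collections import defaultdict

# Constructed packet records: (time in seconds, source IP, destination IP, TCP flags).
SAMPLE_PACKETS = (
    [(0.10, "192.0.2.10", "198.51.100.7", "S"),        # legitimate client: SYN
     (0.35, "192.0.2.10", "198.51.100.7", "A")]        # its handshake ACK (not a SYN)
    + [(1.00 + i * 0.05, "203.0.113.5", "198.51.100.7", "S") for i in range(12)]  # flood
    + [(1.95, "192.0.2.10", "198.51.100.7", "S")]      # legitimate SYN during the flood second
)

def half_open_threshold(packets, threshold):
    """Literal model of the documented rule: count SYNs (retransmissions included)
    per destination per second; when the count exceeds `threshold`, treat it as a
    SYN flood and ignore further traffic from the source that crossed the line."""
    syns = defaultdict(int)          # (destination, whole second) -> SYN count
    ignored = set()
    events = []
    for ts, src, dst, flags in packets:
        if "S" not in flags or "A" in flags:
            continue                                   # only connection-opening SYNs count
        if src in ignored:
            events.append((ts, src, "dropped (source ignored)"))
            continue
        key = (dst, int(ts))
        syns[key] += 1
        if syns[key] > threshold:
            ignored.add(src)
            events.append((ts, src, f"{syns[key]} SYN/s to {dst} > {threshold}: source ignored"))
    return ignored, events

SECRET = b"constructed-demo-secret"   # a real implementation rotates this key

def mint_syn_cookie(src, sport, dst, dport, minute, secret=SECRET):
    """Generic SYN cookie: a 32-bit initial sequence number whose top byte is a coarse
    time counter and whose low 24 bits are an HMAC over the 4-tuple and that time.
    The server keeps no half-open state; the client's ACK (cookie + 1) proves it saw it."""
    msg = f"{src}:{sport}>{dst}:{dport}@{minute}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    return ((minute & 0xFF) << 24) | int.from_bytes(tag[:3], "big")

def verify_syn_cookie(cookie, src, sport, dst, dport, now_minute, secret=SECRET):
    """Accept a cookie minted this minute or the previous one; anything else is stale or forged."""
    return any(mint_syn_cookie(src, sport, dst, dport, m, secret) == cookie
               for m in (now_minute, now_minute - 1))

if __name__ == "__main__":
    ignored, events = half_open_threshold(SAMPLE_PACKETS, threshold=10)
    for e in events:
        print(e)
    print("ignored sources:", sorted(ignored))
    c = mint_syn_cookie("192.0.2.10", 51515, "198.51.100.7", 443, minute=1000)
    print(hex(c), verify_syn_cookie(c, "192.0.2.10", 51515, "198.51.100.7", 443, 1000))
```

Two things worth noticing when running it. In this literal model the count is kept per destination but the penalty falls on a source, so a legitimate client whose SYN happens to push the per-second count over the limit during someone else’s flood is ignored too; that is why the threshold should be sized from measured SYN rates to the protected servers rather than guessed low. The cookie part shows why SYN-cookie protection survives a flood: nothing is allocated until an ACK returns a value that only the server could have computed for that 4-tuple and time window.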

To configure DoS protection
1 Go to System > Config > DOS Protection.


Figure 23: DoS prevention dialog

2 Configure the following and click Apply.

GUI item | Description
Syn Cookie | Enable to detect TCP SYN flood attacks. Also configure Half Open Threshold.
Half Open Threshold | Enter the maximum number of TCP SYN packets, including retransmissions, that may be sent per second to a destination address. If this threshold is exceeded, the FortiWeb unit determines that a DoS attack is occurring and ignores additional traffic from that source address.
Severity | Select the severity level you want FortiWeb to use in the records and reports generated when a DoS violation occurs. You can configure the violation as either Low, Medium or High severity.
Trigger Policy | Select the trigger policy you want FortiWeb to apply when a DoS violation occurs. Trigger policies determine who will be notified by email when the violation occurs, and whether the log messages associated with the violation are recorded.

Configuring the operation mode

System > Config > Operation enables you to configure the operation mode of the FortiWeb unit. You will usually set the operation mode once, during installation. Exceptions include if you install the FortiWeb unit in offline protection mode for evaluation purposes, before deciding to switch to reverse proxy mode and actively begin filtering traffic. You can switch between the two types of transparent mode without encountering problems.

The operation mode depends on network topology (see the FortiWeb Install and Setup Guide for more information). FortiWeb units can operate in one of the following modes:

• Reverse proxy: Reverse proxy traffic is destined for a virtual server’s network interface and IP address. The FortiWeb unit forwards it to a real server and applies the first applicable policy. The FortiWeb unit logs, blocks, or modifies traffic according to the matching policy and its protection profile. This mode supports user authentication.

• Offline protection: The FortiWeb unit monitors traffic received on the virtual server’s network interface (regardless of the IP address) and applies the first applicable policy. The FortiWeb unit logs or blocks traffic according to the matching policy and its protection profile. In this mode, if FortiWeb detects a malicious request, it attempts to reset the connection. It does not otherwise modify traffic. (It does not, for example, apply SSL or load-balance connections.) This mode does not support user authentication.

• True transparent proxy: Traffic is destined for a real server. The FortiWeb unit applies the first applicable policy. Traffic is received on a network port that belongs to a Layer 2 bridge, and no changes to the IP address scheme of the network are required. This mode supports user authentication via HTTP but not HTTPS. This mode supports a v-zone bridge.

• Transparent inspection: Traffic is destined for a real server. The FortiWeb unit asynchronously inspects traffic and applies the first applicable policy. The FortiWeb unit logs or blocks traffic according to the matching policy and its protection profile, but does not otherwise modify it. (It does not, for example, apply SSL or load-balance connections.) Similar to offline protection mode, actions other than Alert cannot be guaranteed to be successful. It is easy to switch between transparent inspection and true transparent proxy without changing your network topology. This mode does not support user authentication. This mode supports a v-zone bridge.

The default operation mode is reverse proxy.

Caution: Unlike in reverse proxy mode, actions other than Alert cannot be guaranteed to be successful in offline protection mode. The FortiWeb unit will attempt to block traffic that violates the policy by mimicking the client or server and requesting to reset the connection. However, the client or server may receive the reset request after it receives the other traffic due to possible differences in routing paths.

Table 20: Supported features in different operation modes

Feature | Reverse proxy | Offline protection | True transparent proxy (HTTP) | True transparent proxy (HTTPS) | Transparent inspection
Allow Method | Yes | Yes | Yes | Yes | Yes
AMF3 Support | Yes | Yes | Yes | Yes | Yes
Authentication Policy | Yes | No | Yes | No | No
Auto-learning | Yes | Yes | Yes | Yes | Yes
Brute Force Login | Yes | No | Yes | Yes | No
Client Certificate Verify | Yes | No | No | No | No
Cookie Poisoning | Yes | No | Yes | No | No
Custom Packet Log Filter | Yes | Yes | Yes | Yes | Yes
Hidden Field | Yes | Yes | Yes | Yes | Yes
HTTP Conversion | Yes | No | Yes | No | No
HTTP Protocol Constraints | Yes | Yes | Yes | Yes | Yes
Information Disclosure | Yes | Yes (alert only) | Yes | Yes (alert only) | Yes (alert only)
IP List | Yes | No | Yes | Yes | No
Page Access Rule | Yes | No | Yes | No | No
Parameter Validation | Yes | Yes | Yes | Yes | Yes
Robot Control | Yes | No | Yes | Yes | No
Server Protection Rules | Yes | Yes | Yes | Yes | Yes
Session Management | Yes | Yes | Yes | Yes | Yes
SSLv2 Support | Yes | No | N/A | No | No
Start Pages | Yes | No | Yes | No | No
URL Access Rule | Yes | Yes | Yes | Yes | Yes
URL Rewriting | Yes | No | Yes | No | No
V-zone Bridge | No | No | Yes | Yes | Yes
Web Anti-Defacement | Yes | Yes | Yes | Yes | Yes
Web Vulnerability Scan | Yes | Yes | Yes | Yes | Yes
X-Forwarded-For | Yes | No | Yes | No | No
XML Protection | Yes | No | No | No | No

Note: The physical topology must match the operation mode. For details, see the FortiWeb Install and Setup Guide.

Caution: Back up your system before changing the operation mode. Changing modes deletes the following: any policies not applicable to the new mode, all static routes, all v-zone IPs, and all VLAN settings. You may also need to re-cable your network topology to suit the operation mode.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see “About permissions” on page 80.

To configure the operation mode
1 Go to System > Config > Operation.
Alternatively, go to System > Status > Status. In the Operation Mode row of the System Information widget, click Change.


Figure 24: Configuring the operation mode

Figure 25: Configuring the operation mode (true transparent proxy mode)

2 From Operation Mode, select Reverse Proxy, Offline Protection, True Transparent Proxy or Transparent Inspection.
If you are changing to true transparent proxy or transparent inspection mode, also enter the gateway and the IP address of port1 (Management IP).

3 Click Apply.
If you have not yet adjusted the physical topology to suit the new operation mode, see the FortiWeb Install and Setup Guide. You may also need to reconfigure IP addresses, static routes, bridges, and virtual servers, and enable or disable SSL on your web servers.

Viewing RAID status

System > Config > RAID enables you to view the RAID status of the FortiWeb unit. Currently, only RAID level 1 is supported, and only on FortiWeb models 1000B, 1000C, and 3000C shipped with version 4.1 or later. On older units that have been upgraded to version 4.1, the RAID status is visible on the UI, but RAID is not activated. On these older units, disk status is displayed as 'Not Present'.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see “About permissions” on page 80.

To view the RAID status
1 Go to System > Config > RAID.

Figure 26: Viewing RAID

Note: Rebuilding RAID after a disk failure will result in some loss of data in packet logs.

Configuring administrator accounts

System > Admin displays a list of FortiWeb administrator accounts.

In its factory default configuration, a FortiWeb unit has one administrator account, named admin. This administrator has permissions that grant full access to the FortiWeb configuration and firmware. After connecting to the web-based manager or the CLI using the admin administrator account, you can configure additional administrator accounts with various levels of access to different parts of the FortiWeb configuration.

Administrators may access the web-based manager and the CLI through the network, depending on the administrator account’s trusted hosts, and the administrative access protocols enabled for each of the FortiWeb unit’s network interfaces. For details, see “Configuring the network and VLAN interfaces” on page 50 and “Configuring trusted hosts” on page 78.

To determine which administrators are currently logged in, use the CLI command get system logged-users. For details, see the FortiWeb CLI Reference.

If you have not yet created an access profile and are relying on the default profile, consider first creating one or more access profiles tailored to the responsibilities of the new administrator accounts. See “Configuring access profiles” on page 78.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see “About permissions” on page 80.

Tip: To prevent multiple administrators from logging in simultaneously, which could allow them to inadvertently overwrite each other’s changes, enable Security Settings. For details, see “Configuring the web-based manager’s global settings” on page 82.


Table 21: System > Admin > Administrators tab

GUI item | Description
Create New | Click to add an administrator account.
Name | Displays the name of the administrator account.
Trusted Hosts | Displays the IP addresses and netmasks of hosts from which the administrator is permitted to log in.
Profile | Displays the access profile assigned to the administrator account. Access profiles determine which parts of the configuration an administrator has permission to access. For more information on access profiles, see “Configuring access profiles” on page 78.
Type | Displays the type of authentication for this administrator. This version currently supports only authentication using a locally stored password.
Edit / Delete / Change Password (no column heading) | Click the Delete icon to remove the administrator account. You cannot delete the admin administrator account. Click the Edit icon to view or modify the administrator account. Click Change Password to change the password for the administrator account.

To change an administrator account’s password
1 If an administrator forgot their password or if you need to change an administrator account’s password and you do not know its current password, log in as the admin administrator. Otherwise, you may log in with any administrator account whose access profile permits Read and Write access to items in the Admin Users category.
If you have forgotten the password of the admin administrator, you can restore the firmware to reset the FortiWeb unit to its default state, including the default administrator account and password. For details, see “Restoring firmware” on page 391.
2 Go to System > Admin > Administrators.
3 In the row corresponding to the administrator account, click Change Password.
4 In the Old Password field, enter the current password for the account. (The admin account does not have an old password initially.) This field does not appear for other administrator accounts if you are logged in as the admin administrator.


5 In the New Password and Confirm Password fields, enter the new password.
6 Click OK.

If you change the password for the admin administrator account, the FortiWeb unit logs you out. To continue using the web-based manager, you must log in again. The new password takes effect the next time that administrator account logs in.

To configure an administrator account
1 Go to System > Admin > Administrators.
2 Click Create New to add an administrator account, or click the Edit icon to change an existing administrator account.
3 Configure the following and click OK:

GUI item | Description
Administrator | Enter the name of the administrator account, such as admin1.
Password | Enter a password for the administrator account. For improved security, the password should be at least six characters long, be sufficiently complex, and be changed regularly. To have the unit enforce a stronger rule (8 to 16 characters with upper and lower case letters, a digit and a non-alphanumeric character), enable Strong Passwords under System > Admin > Settings; see “Configuring the web-based manager’s global settings” on page 82.
Confirm Password | Re-enter the password to confirm its spelling.
Trusted Host #1, Trusted Host #2, Trusted Host #3 | Enter the IP address and netmask from which the administrator is allowed to log in to the FortiWeb unit. You can specify up to three trusted hosts. To allow login attempts from any IP address, enter 0.0.0.0/0.0.0.0. If you allow login from any IP address, consider choosing a longer and more complex password, and limiting administrative access to secure protocols to minimize the security risk. For information on administrative access protocols, see “Configuring the network and VLAN interfaces” on page 50. For improved security, restrict all three trusted host addresses to the IP addresses of computers from which only this administrator will log in. For more information, see “Configuring trusted hosts” on page 78.
Access Profile | Select either an existing access profile that indicates the permissions for this administrator account, or select Create New to create a new access profile in a pop-up window, without leaving the current page. For more information on access profiles, see “Configuring access profiles” on page 78. You can select prof_admin, a special access profile used by the admin administrator account. However, selecting this access profile will not confer all permissions of the admin administrator. For example, the new administrator could not reset lost administrator passwords.


Configuring trusted hosts

Configuring the trusted hosts of your administrator accounts increases the security of your FortiWeb unit by further restricting administrative access. In addition to knowing the password, an administrator must connect only from the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you enter only one trusted host IP address in each of the three trusted host fields, each with a netmask of 255.255.255.255.

When you configure trusted hosts for all administrator accounts, the FortiWeb unit does not respond to administrative access attempts from any other hosts. This provides the greatest degree of security. If you leave even one administrator account unrestricted, the FortiWeb unit accepts administrative access attempts for that account on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

Trusted host definitions apply both to the web-based manager, and to the CLI when accessed through Telnet or SSH. Local console access to the CLI is not affected by trusted hosts, as local console access does not occur through the network.
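As an added example (not part of this guide and not Fortinet code), the following Python models the trusted-host rules described above using the address/netmask form the GUI takes: which accounts a login attempt from a given source address can target, and an audit that finds accounts left at 0.0.0.0/0.0.0.0, the single unrestricted account that makes the unit answer everyone. Account names, addresses and the jump host used by harden() are hypothetical.

```python
# Added example, not Fortinet code: trusted-host matching and an audit for
# unrestricted administrator accounts. Sample data below is constructed.
import ipaddress

def trusted_network(entry):
    """GUI form 'address/netmask', e.g. '192.0.2.10/255.255.255.255' -> IPv4Network.
    '0.0.0.0/0.0.0.0' becomes 0.0.0.0/0, which matches any source address."""
    address, netmask = entry.split("/")
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)

def account_may_login(account, src_ip):
    """An account is reachable from src_ip if any of its (up to three) trusted hosts covers it."""
    src = ipaddress.ip_address(src_ip)
    return any(src in trusted_network(h) for h in account["trusted_hosts"] if h)

def unit_responds_to(accounts, src_ip):
    """Accounts for which the unit will accept a login attempt from src_ip. Per the
    documented behaviour it stays silent to a host only when no account trusts it."""
    return [a["name"] for a in accounts if account_may_login(a, src_ip)]

def unrestricted_accounts(accounts):
    """Accounts with an any-address entry (prefix length 0): one is enough to expose the unit."""
    return [a["name"] for a in accounts
            if any(trusted_network(h).prefixlen == 0 for h in a["trusted_hosts"] if h)]

JUMP_HOST = "10.0.0.9/255.255.255.255"   # hypothetical management jump host

def harden(accounts):
    """Return a copy where every any-address entry is replaced by the single jump host."""
    return [{**a, "trusted_hosts": [JUMP_HOST if h and trusted_network(h).prefixlen == 0 else h
                                    for h in a["trusted_hosts"]]}
            for a in accounts]

# Constructed sample configuration (hypothetical names and addresses; "" = empty field).
SAMPLE_ACCOUNTS = [
    {"name": "admin",   "trusted_hosts": ["10.0.0.5/255.255.255.255", "10.0.0.6/255.255.255.255", ""]},
    {"name": "netops",  "trusted_hosts": ["10.0.1.0/255.255.255.0", "", ""]},
    {"name": "auditor", "trusted_hosts": ["0.0.0.0/0.0.0.0", "", ""]},   # left unrestricted
]

if __name__ == "__main__":
    print("unrestricted:", unrestricted_accounts(SAMPLE_ACCOUNTS))          # ['auditor']
    print("Internet host can try:", unit_responds_to(SAMPLE_ACCOUNTS, "203.0.113.9"))
    print("after hardening:", unit_responds_to(harden(SAMPLE_ACCOUNTS), "203.0.113.9"))  # []
```

The audit is the useful part for review: run it over the exported administrator list and anything returned by unrestricted_accounts() is an account that lets an arbitrary Internet address reach the login prompt on every interface with administrative access enabled, regardless of how tightly the other accounts are restricted.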

Configuring access profiles

System > Admin > Access Profile displays the list of administrator access profiles.

Access profiles determine which parts of the configuration an administrator has permission to access, and whether the administrator is permitted to view (Read), modify (Write), or both.

When an administrator has only read access to a feature, the administrator can access the web-based manager tab for that feature, and can use the get and show CLI commands for that feature, but cannot make changes to the configuration. There are no Create or Apply buttons, or config CLI commands. Lists display only the View icon instead of icons for Edit, Delete or other modification commands. Write access is required for modification of any kind.

The prof_admin access profile, a special access profile assigned to the admin administrator account and required by it, does not appear in the list of access profiles. It exists by default and cannot be changed or deleted. If you create other administrator accounts, you may want to create other access profiles with different degrees and areas of access. For example, for an administrator whose only role is to audit the log messages, you might make an access profile named log_access_only.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see “About permissions” on page 80.

Table 22: System > Admin > Access Profile tab

GUI item | Description
Create New | Click to add a new access profile.
Profile Name | Displays the name of the access profile.
Edit / Delete icons (no column heading) | Click the Delete icon to remove the access profile. This option does not appear if this access profile is currently assigned to an administrator account. Click the Edit icon to modify the access profile.

To configure an access profile
1 Go to System > Admin > Access Profile.
2 Click Create New to add an access profile, or click the Edit icon to modify an existing profile.
3 Configure the following by selecting or clearing the allow options:

GUI item | Description
Profile Name | Enter the name of the access profile.
Access Control (Maintenance, Admin Users, and so on) | For each row associated with an area of the configuration, mark either or both the Read and Write check boxes to grant that type of permission. Unlike the other rows, whose scope is an area of the configuration, the Maintenance row does not affect the configuration. Instead, it indicates whether the administrator can do special system operations such as changing the firmware.
Allow Read All | Click to mark the Read check box in all Access Control categories.
Allow Write All | Click to mark the Write check box in all Access Control categories.

4 Click OK.


About permissions

Depending on the account that you use to log in to the FortiWeb unit, you may not have complete access to all areas of the web-based manager.

Access profiles control which commands and areas an administrator account can access. Access profiles assign either read, write, or no access to each area of the FortiWeb software. To view configurations, you must have read access. To make changes, you must have write access. For more information on configuring the access profile that an administrator account uses, see “Configuring access profiles” on page 78.

Table 23, “Administrator access control,” on page 81 identifies the specific commands and areas of the web-based manager that each type of administrator account can access. For complete access to all commands and abilities, you must log in with the administrator account named admin.

Unlike other administrator accounts, the administrator account named admin exists by default. The admin account cannot be deleted and its name and permissions cannot be changed. The admin account always has full permission to view and change all FortiWeb configuration options, including viewing and changing all other administrator accounts. It is the only administrator account that can reset another administrator’s password without being required to enter that administrator’s existing password.

For a description of the access profiles related to CLI commands, see the FortiWeb CLI Reference.

Caution: Set a strong password for the admin administrator account, and change the password regularly. By default, this administrator account has no password. Failure to maintain the password of the admin administrator account could compromise the security of your FortiWeb unit.


In Table 23 (below), a black check mark on a white background indicates that the access profile area can access an individual command. A white check mark on a black background indicates that the access profile area can access all commands associated with the specified menu item.

Table 23: Administrator access control

Columns (administrator account access profile areas): Maintenance | Admin Users | System Configuration | Network Configuration | Log & Report | Router Configuration | Auth Users | Server Policy Configuration | XML Protection Configuration | Web Protection Configuration | Autolearn Configuration | Web Anti-Defacement | Web Vulnerability Scan Configuration | admin (default)

Rows (Menu > Submenu > Tab):
System > Status
System > Network > Interface
System > Network > V-zone
System > Network > DNS
System > Config
System > Admin > Administrators
System > Admin > Access Profile
System > Admin > Settings
System > Certificates
System > Maintenance
System > Wizard
Router
User
Server Policy
XML Protection
Web Protection > Web Protection Profile > Inline Protection Profile
Web Protection > Web Protection Profile > Offline Protection Profile
Web Protection > Web Protection Profile > Auto Learning Profile
Auto Learn
Web Anti-Defacement
Web Vulnerability Scan
Log&Report

(The check-mark cells of this table are not reproduced in this transcript.)


Configuring the web-based manager’s global settings

System > Admin > Settings enables you to view and configure settings for the web-based manager that apply regardless of which administrator account you use to log in.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see “About permissions” on page 80.

Table 24: System > Admin > Settings tab

GUI item DescriptionWeb Administration Ports

HTTP Enter the TCP port number on which the FortiWeb unit will listen for HTTP administrative access. The default is 80.This setting has an effect only if HTTP is enabled as an administrative access protocol on at least one network interface. For details, see “Configuring the network and VLAN interfaces” on page 50.

HTTPS Enter the TCP port number on which the FortiWeb unit will listen for HTTPS administrative access. The default is 443.This setting has an effect only if HTTPS is enabled as an administrative access protocol on at least one network interface. For details, see “Configuring the network and VLAN interfaces” on page 50.

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide82 Revision 10

http://docs.fortinet.com/ • Feedback

System Configuring the web-based manager’s global settings

FRh

Config-Sync If necessary, change the TCP port number on which the FortiWeb unit will listen for configuration synchronization requests from the peer/remote FortiWeb unit. The default is 8333. For details, see “Synchronizing configurations” on page 59.

Timeout SettingsIdle Timeout Enter the number of minutes that a web-based manager

connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). To maintain security, keep the idle timeout at the default value of 5 minutes.

LanguageWeb Administration Select which language to use when displaying the web-based

manager.Languages currently supported by the web-based manager are:• English• simplified Chinese• traditional Chinese• JapaneseThe display’s web pages will use UTF-8 encoding, regardless of which language you choose. UTF-8 supports multiple languages, and allows them to display correctly, even when multiple languages are used on the same web page. For example, your organization could have web sites in both English and simplified Chinese. Your FortiWeb administrators prefer to work in the English version of the web-based manager. They could use the web-based manager in English while writing rules to match content in both English and simplified Chinese without changing this setting. Both the rules and the web-based manager will display correctly, as long as all rules were input using UTF-8.Usually, your text input method or your management computer’s operating system should match the display by also using UTF-8. If they do not, your input and the web-based manager may not display correctly at the same time.For example, your web browser’s or operating system’s default encoding for simplified Chinese input may be GB2312. However, you usually should switch it to be UTF-8 when using the web-based manager, unless you are writing regular expressions that must match HTTP client’s requests, and those requests use GB2312 encoding.For more information on language support in the web-based manager and CLI, see “Appendix D: Language support & regular expressions” on page 401.Note: This setting does not affect the display of the CLI.

ortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guideevision 10 83ttp://docs.fortinet.com/ • Feedback

Managing certificates System

Managing certificatesThe Certificates submenu enables you to generate, import, revoke, and manage other aspects of certificates used by the FortiWeb unit.This topic includes:• Managing local and server certificates• Managing OCSP server certificates• Managing CA certificates• Managing the certificate revocation list• Configuring certificate verification rules

Managing local and server certificates

System > Certificates > Local displays the list of server certificates that are stored locally on the FortiWeb unit.

FortiWeb units must present these certificates when clients request secure connections, including when:
• administrators connect to the web-based manager (HTTPS connections only)
• web clients use SSL or TLS to connect to a virtual server, if you have enabled SSL offloading in the policy (HTTPS connections and reverse proxy mode only)

FortiWeb units also require certificates in order to decrypt and scan HTTPS connections travelling through them if operating in any mode except reverse proxy.

Which certificate will be used, and how, depends on the purpose.

Security Settings

Enable Single Admin User login
Enable to allow only one administrator account to be logged in at any given time, to prevent conflicts. If a second administrator attempts to begin a session when another administrator is already logged in, after the second administrator logs in but before they can access the web-based manager, they must either cancel their new session or disconnect the other currently logged-in administrator.
This option may be useful to prevent administrators from inadvertently overwriting each other’s changes.
When multiple administrators simultaneously modify the same part of the configuration, they each edit a copy of the current, saved state of the configuration. As each administrator makes changes, FortiWeb does not update the other administrators’ working copies. Each administrator may therefore make conflicting changes without being aware of the other. The FortiWeb unit will only use whichever administrator’s configuration is saved last. If only one administrator can log in, this problem cannot occur.
Disable to allow multiple administrators to be logged in. In this case, administrators should communicate with each other to avoid overwriting each other’s changes.

Enable Strong Passwords
Enable to enforce strong password rules for administrator accounts. If the password entered is not strong enough when a new administrator account is created, an error message appears and you are prompted to re-enter a stronger password.
Strong passwords have the following characteristics:
• are between 8 and 16 characters in length
• contain at least one upper case and one lower case letter
• contain at least one numeric character
• contain at least one non-alphanumeric character


• For connections to the web-based manager, the FortiWeb unit presents its default certificate.

• For SSL offloading or SSL decryption, upload certificates that do not belong to the FortiWeb unit, but instead belong to the protected servers. Then, select which one the FortiWeb unit will use when configuring the SSL option in a policy or server farm. For details, see “Uploading a certificate” on page 88.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see “About permissions” on page 80.

Table 25: System > Certificates > Local tab

Note: The FortiWeb unit’s default certificate does not appear in the list of local certificates. It is used only for connections to the web-based manager and cannot be removed.

GUI item Description
Generate Click to generate a certificate signing request. For details, see “Generating a certificate signing request” on page 86.

Import Click to upload a certificate. For details, see “Uploading a certificate” on page 88.

Name Displays the name of the certificate.

Subject Displays the distinguished name (DN) located in the Subject field of the certificate.If the row contains a certificate request which has not yet been signed, this field is empty.

Comments Displays the description of the certificate, if any. Click the Edit Comments icon to add or modify the comment associated with the certificate or certificate signing request.

Status Displays the status of the local certificate.
• OK: Indicates that the certificate was successfully imported. To use the certificate, select it in a policy or server farm.
• PENDING: Indicates that the certificate request has been generated, but must be downloaded, signed, and imported before it can be used as a local certificate.

(No column heading.) Click the View Certificate Detail icon to view the certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy or server farm.
Click the Download icon to download the entry in certificate (.cer) or certificate signing request (.csr) file format.
Click the Edit Comments icon to add or modify the comment associated with the certificate.


Generating a certificate signing request

You can generate a certificate request file based on the information you enter to identify the FortiWeb unit. Certificate request files can then be submitted for verification and signing by a certificate authority (CA).

To generate a certificate request
1 Go to System > Certificates > Local.
2 Click Generate.
3 Configure the certificate signing request:

Table 26: Generate Local Certificate Request
GUI item Description
Certification Name Enter a unique name for the certificate request, such as fwlocal.

Subject Information Includes information that the certificate is required to contain in order to uniquely identify the FortiWeb unit.


ID Type Select the type of identifier to use in the certificate to identify the FortiWeb unit:
• Host IP
• Domain Name
• E-Mail
The type you should select varies by whether or not your FortiWeb unit has a static IP address, a fully-qualified domain name (FQDN), and by the primary intended use of the certificate.
For example, if your FortiWeb unit has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the web-based manager by the domain name of the FortiWeb unit, you might prefer to generate a certificate based upon the domain name of the FortiWeb unit, rather than its IP address.
• Host IP requires that the FortiWeb unit have a static, public IP address. It may be preferable if clients will be accessing the FortiWeb unit primarily by its IP address.
• Domain Name requires that the FortiWeb unit have a FQDN. It may be preferable if clients will be accessing the FortiWeb unit primarily by its domain name.
• E-Mail does not require either a static IP address or a domain name. It may be preferable if the FortiWeb unit does not have a domain name or public IP address.

Depending on your choice, related options appear.

IP Enter the static IP address of the FortiWeb unit.This option appears only if ID Type is Host IP.

Domain Name Type the FQDN of the FortiWeb unit.The domain name must resolve to the static IP address of the FortiWeb unit or protected server. For more information, see “Configuring the network and VLAN interfaces” on page 50.This option appears only if ID Type is Domain Name.

e-mail Type the email address of the owner of the FortiWeb unit.This option appears only if ID Type is E-Mail.

Optional Information Includes information that you may include in the certificate, but which is not required.

Organization Unit

Type the name of your organizational unit, such as the name of your department. This is optional.To enter more than one organizational unit name, click the + icon, and enter each organizational unit separately in each field.

Organization Type the legal name of your organization. This is optional.

Locality(City) Type the name of the city or town where the FortiWeb unit is located. This is optional.

State/Province Type the name of the state or province where the FortiWeb unit is located. This is optional.

Country Select the name of the country where the FortiWeb unit is located. This is optional.

e-mail Type an email address that may be used for contact purposes. This is optional.

Key Type Displays the type of algorithm used to generate the key. This option cannot be changed, but appears in order to indicate that only RSA is currently supported.
Note: DSA-encrypted certificates are not supported if the FortiWeb unit is operating in a mode other than reverse proxy.

Key Size Select a security key size of 512 Bit, 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security.

Enrollment Method Select either:
• File Based: You must manually download and submit the resulting certificate request file to a certificate authority (CA) for signing. Once signed, upload the local certificate.
• Online SCEP: The FortiWeb unit will automatically use HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which will validate and sign the certificate. For this selection, two options appear. Enter the CA Server URL and the Challenge Password.

4 Click OK.
The certificate is generated. If you selected file-based enrollment, you must now download and manually submit the resulting CSR to a CA. For details, see “Submitting a certificate signing request” on page 88.

Submitting a certificate signing request

After you have generated a certificate request, you can download the request file to your management computer in order to submit the request file to a certificate authority (CA) for signing.

To download and submit a certificate request
1 Go to System > Certificates > Local.
2 Click the row that corresponds to the certificate request.
3 Click the Download icon, then select Open or Download on the window that appears.
Your web browser downloads the certificate request (.csr) file.
4 Submit the certificate request to your CA.
• Using the web browser on the management computer, browse to the web site for your CA.
• Follow your CA’s instructions to submit a Base64-encoded PKCS #10 certificate request, uploading your certificate request file.
• Follow your CA’s instructions to download their root certificate and Certificate Revocation List (CRL), and then install the root certificate and CRL.
5 When you receive the signed certificate from the CA, install the certificate on the FortiWeb unit. For more information, see “Uploading a certificate” on page 88.

Uploading a certificate

You can upload Base64-encoded server-type X.509 certificates or PKCS #12 RSA-encrypted certificates and keys to the FortiWeb unit.

If a local certificate is signed by an intermediate certificate authority (CA) rather than a root CA, before clients will trust the local certificate, you must demonstrate a link with trusted root CAs, thereby proving that the local certificate is genuine. You can demonstrate this chain of trust either by:
• installing each intermediate CA’s certificate in the client’s list of trusted CAs, or


• including a signing chain in the local certificate

To include a signing chain, before importing the local certificate to the FortiWeb unit:
• open the local certificate file in a plain text editor
• append the certificate of each intermediate CA in order from the intermediate CA who signed the local certificate to the intermediate CA whose certificate was signed directly by a trusted root CA
• save the certificate

For example, a local certificate that includes a signing chain might use the following structure:

-----BEGIN CERTIFICATE-----
<FortiWeb unit’s local server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the FortiWeb certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
-----END CERTIFICATE-----

To upload a certificate
1 Go to System > Certificates > Local.
2 Click Import.
3 Configure the following:

Table 27: Importing a Certificate

Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded files may not exceed 12 MB.

GUI item Description
Name Enter the name of the certificate.
Type Select the type of certificate file to upload, either Local Certificate, Certificate (an unencrypted X.509 certificate) or PKCS12 Certificate (a PKCS #12 encrypted certificate with key).
Certificate file Click Choose File to locate the X.509 certificate file that you want to upload. This option is available only if Type is Certificate or Local Certificate.
Key file Click Choose File to locate the key file that you want to upload with the certificate. This option is available only if Type is Certificate.
Certificate with key file Click Choose File to locate the PKCS #12 certificate-with-key file that you want to upload. This option is available only if Type is PKCS12 Certificate.
Password Enter the password that was used to encrypt the file, enabling the FortiWeb unit to decrypt and install the certificate. This option is available only if Type is Certificate or PKCS12 Certificate.

4 Click OK.
To use a certificate, you must select it in a policy or server farm. For details, see “Configuring server policies” on page 118 or “Grouping physical and domain servers into server farms” on page 135.

Managing OCSP server certificates

System > Certificates > Remote displays and imports the certificates of the online certificate status protocol (OCSP) or HTTP CRL servers of your certificate authority (CA).
OCSP enables you to revoke or validate certificates by query, rather than by importing certificate revocation lists (CRL). For information about importing CRLs, see “Managing the certificate revocation list” on page 95.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see “About permissions” on page 80.

Table 28: System > Certificates > Remote tab
GUI item Description
Import Click to import an OCSP server certificate.
Name Displays the name of the OCSP server certificate.
Subject Displays the distinguished name (DN) located in the Subject field of the certificate.
OCSP Displays the URL of the OCSP server.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a certificate verification configuration.
Click the View Certificate Detail icon to view the certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
Click the Download icon to download the entry in certificate (.cer) file format.

Managing CA certificates

System > Certificates > CA displays and enables you to import certificates for certificate authorities (CA).


Certificate authorities validate and sign other certificates in order to indicate to third parties that those other certificates are authentic.
CA certificates are required by connections that use SSL or transport layer security (TLS).

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see “About permissions” on page 80.

Table 29: System > Certificates > CA tab

Tip: The FortiWeb unit does not use CA certificates directly. First, you must group them and then add the group to a certificate verification rule. For details, see “Grouping CA certificates” on page 91.

GUI item Description
Import Click to import a CA certificate, then select whether you want to upload it (Local PC), or provide the URL of a certificate on a simple certificate enrollment protocol server (SCEP).
Name Displays the name of the CA certificate.
Subject Displays the distinguished name (DN) located in the Subject field of the certificate.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a certificate verification configuration.
Click the View Certificate Detail icon to view the certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
Click the Download icon to download the entry in certificate (.cer) file format.

Grouping CA certificates

System > Certificates > CA Group enables you to group certificate authorities (CA).
CAs must belong to a group in order to be selected in a certificate verification rule. For details, see “Configuring certificate verification rules” on page 95.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see “About permissions” on page 80.

Table 30: System > Certificates > CA Group tab
GUI item Description
# Displays the index number of the entry in the list.
Name Displays the name of the certificate authority (CA) group.
Count Displays the number of certificate authorities in the group.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a certificate verification configuration.
Click the Edit icon to modify the entry.

Before you can create a CA group, you must upload at least one of the certificate authority (CA) certificates that you want to add to the group. For details, see “Managing CA certificates” on page 90.

To add a CA group
1 Go to System > Certificates > CA Group.
2 Click Create New.
3 In Name, type a name for the certificate authority group.
4 Click OK.
5 Click Create New.
6 In ID, enter the index number of the host entry within the group, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.
7 In CA, select the name of a certificate authority’s certificate that you have previously uploaded and want to add to the group.
8 Click OK.
9 Repeat the previous 3 steps for each CA that you want to add to the group.

To apply a CA group, select it in a certificate verification rule. For details, see “Configuring certificate verification rules” on page 95.

Managing certificates for intermediate CAs

System > Certificates > Intermediate CA enables you to upload certificates belonging to intermediate (non-root) certificate authorities.
If a server certificate is signed by an intermediate certificate authority rather than a root CA, before the client will trust the server’s certificate, you must demonstrate a link with trusted root CAs, thereby proving that the server’s certificate is genuine. Otherwise, the server certificate may cause the client or browser to display certificate warnings.
You can demonstrate this chain of trust by doing one of the following:
• install each intermediate CA’s certificate in the client’s list of trusted CAs
• include a signing chain in the server’s certificate
• configure the FortiWeb unit to also provide the certificates of intermediate CAs when it presents the server certificate

To include a signing chain:
• open the server’s certificate file in a plain text editor
• append the certificate of each intermediate CA in order from the intermediate CA who signed the server’s certificate to the intermediate CA whose certificate was signed directly by a trusted root CA
• save the certificate


For example, a server’s certificate that includes a signing chain might use the following structure:

-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
-----END CERTIFICATE-----
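The chain layout shown here, and the identical one under “Uploading a certificate” above, can be checked before the file is imported. The script below is an added example (not from the FortiWeb guide or from Fortinet): it walks a PEM bundle with only the Python standard library and confirms that each certificate’s issuer equals the subject of the certificate that follows it, which is exactly the ordering the guide describes. The certificate names and the structure-only sample certificates are constructed for the example.

```python
"""Check a PEM signing chain's order before uploading it to FortiWeb (added example,
not from the guide). Each certificate's DER issuer Name must equal the next
certificate's DER subject Name; only the standard library is used. The sample
certificates below are constructed, structure-only stand-ins with no real keys."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def der_tlv(buf, pos):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """List (tag, value_start, value_end) for each element of a constructed value."""
    out, pos = [], start
    while pos < end:
        out.append(der_tlv(buf, pos))
        pos = out[-1][2]
    return out

def issuer_and_subject(cert_der):
    """Return (issuer, subject) of an X.509 certificate as raw DER Name bytes."""
    _, cert_start, _ = der_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = der_tlv(cert_der, cert_start)    # tbsCertificate ::= SEQUENCE
    fields = der_children(cert_der, tbs_start, tbs_end)
    if fields[0][0] == 0xA0:                                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, i_start, i_end = fields[2]
    _, s_start, s_end = fields[4]
    return cert_der[i_start:i_end], cert_der[s_start:s_end]

def check_chain(pem_text):
    """Return (ok, messages); ok is False when some certificate is not issued by the next one."""
    certs = [issuer_and_subject(c) for c in pem_blocks(pem_text)]
    if not certs:
        return False, ["no CERTIFICATE blocks found"]
    messages = []
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:
            messages.append(f"certificate {i} was not issued by certificate {i + 1}")
    ok = not messages
    if certs[-1][0] == certs[-1][1]:  # self-signed root: not part of the chain the guide describes
        messages.append("warning: last certificate is self-signed; a trusted root CA belongs in "
                        "the client's trust store, not in the uploaded chain")
    return ok, messages

# Constructed sample data: hypothetical names, X.509 layout only, no keys or signatures.
def der(tag, content):
    """Encode one DER TLV with a definite short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content

def name(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (OID 2.5.4.3)."""
    attr = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, common_name.encode()))
    return der(0x30, der(0x31, attr))

def stand_in_cert(subject_cn, issuer_cn, serial):
    """Certificate with the real field order but an empty key and signature (test data only)."""
    tbs = (der(0xA0, der(0x02, b"\x02"))                                   # [0] version v3
           + der(0x02, bytes([serial]))                                     # serialNumber
           + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + name(issuer_cn)
           + der(0x30, der(0x17, b"110601000000Z") + der(0x17, b"120601000000Z"))  # validity
           + name(subject_cn)
           + der(0x30, b""))                                                # subjectPublicKeyInfo
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

def to_pem(cert_der):
    """Wrap DER bytes in the PEM armor the guide shows, 64 characters per line."""
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

LEAF = stand_in_cert("www.example.com", "Example Intermediate CA 1", 1)
INTER1 = stand_in_cert("Example Intermediate CA 1", "Example Intermediate CA 2", 2)
INTER2 = stand_in_cert("Example Intermediate CA 2", "Example Root CA", 3)
ROOT = stand_in_cert("Example Root CA", "Example Root CA", 4)
GOOD_CHAIN = to_pem(LEAF) + to_pem(INTER1) + to_pem(INTER2)   # the order the guide describes
WRONG_ORDER = to_pem(LEAF) + to_pem(INTER2) + to_pem(INTER1)  # intermediates swapped
WITH_ROOT = GOOD_CHAIN + to_pem(ROOT)                          # root appended: warning only

if __name__ == "__main__":
    for label, chain in (("good", GOOD_CHAIN), ("wrong", WRONG_ORDER), ("root", WITH_ROOT)):
        print(label, check_chain(chain))
```

To check a real chain file, read it into a string and pass it to check_chain; the parser only reads the tbsCertificate field layout, so it makes no attempt to validate signatures or expiry.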

To configure the FortiWeb unit to provide the certificates of intermediate CAs when it presents the server certificate:
1 Install the certificates of the intermediate CAs on the FortiWeb unit.
2 Group them to match the signing chain (see “Grouping certificates for intermediate CAs” on page 94).
3 Select that group along with the server certificate in the policy (“Configuring server policies” on page 118).
The FortiWeb unit will present both the server’s certificate and those of the intermediate CAs when establishing a secure connection with the client.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see “About permissions” on page 80.

Table 31: System > Certificates > Intermediate CA tab

Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded files may not exceed 12 MB.

Tip: To use intermediate CAs in FortiWeb, first include them in an intermediate CA group and then include the group in a server policy that uses an HTTPS service.

GUI item Description
Import Click to import an intermediate CA certificate, then select whether you want to upload it (Local PC), or provide the URL of a certificate on a simple certificate enrollment protocol server (SCEP).
Name Displays the name of the CA certificate.
Subject Displays the distinguished name (DN) located in the Subject field of the certificate.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an intermediate CA certificate group.
Click the View Certificate Detail icon to view the certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
Click the Download icon to download the entry in certificate (.cer) file format.

Grouping certificates for intermediate CAs

System > Certificates > Intermediate CA Group enables you to group certificates of intermediate (non-root) certificate authorities (CA).

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see “About permissions” on page 80.

Table 32: System > Certificates > Intermediate CA Group tab
GUI item Description
# Displays the index number of the entry in the list.
Name Displays the name of the intermediate certificate authority (CA) certificate group.
Count Displays the number of intermediate CA certificates in the group.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy.
Click the Edit icon to modify the entry.

To add an intermediate CA group
Before you can create an intermediate CA certificate group, you must upload at least one of the intermediate certificate authority certificates that you want to add to the group. For details, see “Managing certificates for intermediate CAs” on page 92.
1 Go to System > Certificates > Intermediate CA Group.
2 Click Create New.
3 In Name, type a name for the intermediate CA certificate group.
4 Click OK.
5 Click Create New.
6 In ID, enter the index number of the host entry within the group, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.
7 In CA, select the name of an intermediate CA’s certificate that you have previously uploaded and want to add to the group.
8 Click OK.
9 Repeat the previous 3 steps for each intermediate CA certificate that you want to add to the group.

To apply an intermediate CA certificate group, select it in a policy with a server certificate. For details, see “Configuring server policies” on page 118.

Managing the certificate revocation list

System > Certificates > CRL displays and enables you to import certificate revocation lists (CRL).
To ensure that your FortiWeb unit validates only certificates that have not been revoked, you should periodically upload a current certificate revocation list, which may be provided by certificate authorities (CA). Alternatively, you can use HTTP or online certificate status protocol (OCSP) to query for certificate status. For more information, see “Managing OCSP server certificates” on page 90.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see “About permissions” on page 80.

Table 33: System > Certificates > CRL tab
GUI item Description
Import Click to import a certificate revocation list.
Name Displays the name of the certificate revocation list.
Subject Displays the distinguished name (DN) located in the Subject field of the certificate revocation list.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a certificate verification configuration.
Click the Edit icon to update the CRL by connecting to the URL of a new CRL on either a simple certificate enrollment protocol (SCEP) or an HTTP server.
Click the View Certificate Detail icon to view the certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
Click the Download icon to download the entry in certificate revocation list (.crl) file format.

Configuring certificate verification rules

System > Certificates > Certificate Verify enables you to configure how the FortiWeb unit will verify certificates presented by HTTP clients.

Tip: To use CA certificates in FortiWeb: include them in a CA group; add the group to a certificate verification rule; and then include the rule in a server policy that uses an HTTPS service.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see “About permissions” on page 80.

Table 34: System > Certificates > Certificate Verify tab
GUI item Description
# Displays the index number of the entry in the list.
Name Displays the name of the certificate revocation list.
CA Group Displays the name of the certificate authority (CA) group selected in the entry.
OCSP Displays the name of the remote certificate selected to use with online certificate status protocol (OCSP) by this entry.
CRL Displays the name of the certificate revocation list selected in the entry.
(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy.
Click the Edit icon to modify the entry.

To add a certificate verification rule
1 Go to System > Certificates > Certificate Verify.
2 Click Create New.
3 In Name, type a name for the certificate verification rule.
4 From CA Group, select the name of a CA group, if any, that you want to use to authenticate client certificates.
5 From OCSP, select the name of an OCSP or HTTP (remote) server certificate, if any, that you want to use to verify the revocation status of client certificates.
6 From CRL, select the name of a certificate revocation list, if any, to use to verify the revocation status of client certificates.
7 Click OK.
To apply a certificate verification rule, select it in a server policy that includes an HTTPS service. For details, see “Configuring server policies” on page 118.

Backing up and restoring configurations

System > Maintenance > Backup & Restore enables you to create backup files of the system configuration and web protection profiles. You can restore the system configuration or web protection profile from a previous backup, if necessary.
Backup & Restore also lets you change the firmware version used on the FortiWeb unit.

Note: Firmware can be installed, upgraded, changed and rebooted in multiple ways. Firmware can also be tested before installing it. For information related to firmware changes, see “Installing new firmware” on page 385.


Back up the FortiWeb unit's configuration regularly. If you accidentally change something, the backup can help you restore normal operation quickly and easily. Backups can also aid in troubleshooting.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see “About permissions” on page 80.

Table 35: System > Maintenance > Backup & Restore tab
GUI item Description
System Configuration
Last Backup Displays the date and time of the last backup. If the configuration has not yet been backed up, or you have restored the firmware and therefore the time of any preceding backup is not known, this field contains a hyphen ( - ).
Backup (option) Select to back up a FortiWeb configuration. You can choose to back up the whole configuration or only the web protection profiles:
• Backup entire configuration - Select if you want to back up all FortiWeb configuration files currently in use. Backups should be made on a regular basis, especially when making significant configuration additions or changes. A backup should also be done just prior to changing the firmware to prevent loss of configuration information after the firmware change.
• Backup Web Protection Profile related configuration - Select if you want to back up only the web protection profiles currently in use. For more information, see “Web protection” on page 189.
Backup (button) Appears only if the Backup option is selected. Click to start a backup of the selected configuration. If a File Download dialog appears, select Save and choose a location for the backup file.
Restore (option) Select to restore a previously backed up configuration. You can choose the specific configuration file you want to restore:
Browse: Click to locate and select the configuration file that you want to restore.
From File: Locate the full directory path and file name of the selected configuration file.
You can use this feature to restore a CLI config FTP backup.

ortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guideevision 10 97ttp://docs.fortinet.com/ • Feedback

Configuring an FTP backup and schedule System

Configuring an FTP backup and scheduleSystem > Maintenance > FTP Backup enables you to create a backup of the system configuration and web protection profiles on an FTP server. You can create an FTP backup immediately or schedule it for later.To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see “About permissions” on page 80.

Table 36: System > Maintenance > FTP Backup tab

Restore(button)

Appears only if the Restore option is selected.Click to start the restoration of the selected configuration to a file.Your web browser uploads the configuration file and the FortiWeb unit restarts with the new configuration. The amount of time required to restore varies by the size of the file and the speed of your network connection. After the FortiWeb unit restarts, you must log in to continue using the web-based manager.

FirmwareCaution: Back up the whole configuration before making any changes to the firmware. The configuration can be restored after the firmware change is complete. Failure to make a backup can result in loss of configuration for features that change between firmware versions.For information related to the firmware changes, see “Installing new firmware” on page 385.

Partition Displays the index number of the partition. A partition can contain only one version of the firmware and the system configuration. One partition is active and the others are backups.

Active Indicates which partition the FortiWeb unit is currently configured to use.• Green check mark: The partition contains the configuration

and firmware that the FortiWeb unit will use when starting or rebooting.

• Gray X mark: The partition contains a backup configuration and firmware, which is not currently being used.

Last Upgrade Displays the date and time of the last update to this partition.

Firmware Version Displays the version and build number of the FortiWeb firmware. On backup partitions, you can click Upload and Reboot to replace the firmware on a partition and make the partition active. For more information on changing firmware, see “Installing new firmware” on page 385.Caution: Back up the whole configuration before making any changes to the firmware. You can restore the configuration after the firmware change is complete. Failure to make a backup can result in loss of configuration for features that change between firmware versions.

Boot alternate firmware

If your upgrade is successful, this button enables you to have two firmware images available for downgrading or upgrading.

Name: Displays the name of the FTP backup.

Backup Type: Indicates whether the FTP backup is a full configuration backup (full config) or a CLI configuration backup (CLI config). A full config backup includes the CLI configuration file and other uploaded files, such as certificates, XML schema, and XML WSDL files. A CLI config backup includes only the CLI configuration file.
Note: You cannot restore a full config FTP backup using the web-based manager. Use the execute restore command in the CLI interface.

Schedule Type: Indicates whether the FTP backup is an immediate backup (Now) or a scheduled backup (Daily).

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use. Click the Edit icon to modify the entry.

To configure the FTP backup

1 Go to System > Maintenance > FTP Backup.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
3 In Name, type the name of the FTP backup.
You cannot modify this field if you are editing an existing FTP backup. To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:

Name: Type the name of the FTP backup.

FTP Server: Type the IP address of the FTP server where the configuration is to be backed up.

FTP Directory: Type the directory on the FTP server used to store the configuration backup files.

FTP Authentication: Select if you want to enforce user name and password authentication on the FTP server.


FTP User: Enter your FTP user name to identify yourself as a registered user of the FTP server. This field is visible only if you enable FTP Authentication.

FTP Password: Enter your FTP password to authenticate yourself on the FTP server. This field is visible only if you enable FTP Authentication.

Backup Type: Select the type of FTP backup you want to perform. A full config backup includes the CLI configuration file and other uploaded files, such as certificates, XML schema, and XML WSDL files. A CLI config backup includes only the CLI configuration file.
Note: You cannot restore a full config FTP backup using the web-based manager. Use the execute restore command in the CLI interface.

Schedule Type: Select Now to initiate the FTP backup immediately. Select Daily to schedule a recurring FTP backup for a specific day and time of the week.

Days: Select the specific days when you want the FTP backup to occur. This field is visible only if you select Daily.

Time: Select the specific hour and minute of the day when you want the FTP backup to occur. This field is visible only if you select Daily.

5 Click OK.

Restoring an FTP backup

You can only restore a full config FTP backup using the execute restore command in the CLI interface. See the FortiWeb CLI Reference.

For a CLI config FTP backup, you can use either the execute restore command in the CLI interface or the Restore feature at System > Maintenance > Backup & Restore. See “Backing up and restoring configurations” on page 96.

Configuring system time

System > Maintenance > System Time enables you to configure the FortiWeb unit’s system time. You can either manually set the FortiWeb system time or configure the FortiWeb unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.

Note: For many features to work, including scheduling, logging, and SSL-dependent features, the FortiWeb system time must be accurate.

Note: FortiWeb units support daylight saving time (DST), including recent changes in the USA, Canada and Western Australia.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see “About permissions” on page 80.

To configure the date and time

1 Go to System > Maintenance > System Time.
Alternatively, go to System > Status > Status. In the System Information widget, in the System Time row, click Change.


2 From Time Zone, select the time zone where the FortiWeb unit is located.
3 Configure the following to either manually configure the system time, or automatically synchronize the FortiWeb unit’s clock with an NTP server:

Table 37: Setting System Time

System Time: Displays the date and time according to the FortiWeb unit’s clock at the time that this tab was loaded, or when you last clicked the Refresh button.

Refresh: Click to update the System Time field with the current time according to the FortiWeb unit’s clock.

Time Zone: Select the time zone where the FortiWeb unit is located.

Automatically adjust clock for daylight saving changes: Select the check box to have the system time adjusted twice annually to reflect changes between standard time and daylight saving time for your location. (Not all jurisdictions recognize daylight saving time.)

Set Time: Select this option to manually set the date and time of the FortiWeb unit’s clock, then select the Hour, Minute, Second, Year, Month and Day fields before you click OK.

Synchronize with NTP Server: Select this option to automatically synchronize the date and time of the FortiWeb unit’s clock with an NTP server, then configure the Server and Sync Interval fields before you click OK.

Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, go to http://www.ntp.org.

Sync Interval: Enter how often, in minutes, the FortiWeb unit should synchronize its time with the NTP server. For example, entering 1440 causes the FortiWeb unit to synchronize its time once a day.

4 Click OK.

Uploading signature updates

System > Maintenance > Update Signature enables you to update the predefined robots, data types, suspicious URLs, and attack signatures that your FortiWeb unit uses to detect attacks such as:
• cross-site scripting (XSS)
• SQL injection
• common exploits
Updating signatures ensures that your FortiWeb unit can detect recently discovered variations of these attacks.

After restoring the firmware of the FortiWeb unit, you should upload the most current available attack signatures. Restoring firmware installs the attack signatures that were current at the time that the firmware image file was made; they may no longer be up to date.

Before you can download signature update files to your management computer, you must first register your FortiWeb unit with the Fortinet Technical Support web site, https://support.fortinet.com/, and obtain a valid support contract. Signature update files will then be available for download when you log in to the Fortinet Technical Support web site.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see “About permissions” on page 80.

Figure 27: Update Signature tab

Tip: Alternatively, you can schedule automatic updates. For details, see “Scheduling signature updates” on page 102.

Note: Once the attack signature update is complete, you can continue using FortiWeb without restarting the FortiWeb unit.

Scheduling signature updates

System > Maintenance > Auto Update enables you to configure how the FortiWeb unit will retrieve the predefined robots, data types, suspicious URLs, and attack signature updates that your FortiWeb unit uses to detect attacks such as:
• cross-site scripting (XSS)
• SQL injection
• common exploits

FortiWeb units receive updates from the FortiGuard Distribution Network (FDN). The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). Unless you override the setting with a specific FDS address, FortiWeb units connect to the FDN by connecting to the FDS nearest to the FortiWeb unit by its configured time zone.

Tip: Alternatively, you can manually upload update packages. For details, see “Uploading signature updates” on page 101.


In addition to manual update requests, FortiWeb units support automatic, scheduled updates, where the FortiWeb unit periodically polls the FDN to determine if there are any available updates.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see “About permissions” on page 80.

Note: If required, the FortiWeb unit can be configured to connect through a web proxy. For details, see the FortiWeb CLI Reference.

Table 38: System > Maintenance > Auto Update tab

Registration: Displays the registration status of the FortiWeb unit with the FortiGuard Distribution Network (FDN). If it is unregistered, you must click Register and complete the form on the Fortinet Technical Support web site in order for the FortiWeb unit to retrieve updates.

FortiWeb Update Service: Displays the current update license status, as well as the date, time, and method of the previous update attempt. If the FortiWeb unit’s attack signature update license has expired, click Renew to purchase a new license.

Use override server address: Enable to override the default FortiGuard Distribution Server (FDS) to which the FortiWeb unit connects for updates, then enter the IP address of the override public or private FDS.

Scheduled Update: Enable to perform updates according to a schedule, then select one of the following as the frequency of update requests.
• Every: Select to request an update once every 1 to 23 hours, then select the number of hours between each update request.
• Daily: Select to request an update once a day, then select the hour of the day to check for updates.
• Weekly: Select to request an update once a week, then select the day of the week, the hour, and the minute of the day to check for updates. If you select 00 minutes, the update request occurs at a randomly determined time within the selected hour.
When the FortiWeb unit requests an update at the scheduled time, results appear in FortiWeb Update Service in the FortiGuard Information widget. If event logging is enabled and the FortiWeb unit cannot successfully connect, it records a log with the message update failed, failed to connect any fds servers!

Apply: Click to save configuration changes on this tab.

Update Now: Click to manually initiate an update request. Results appear in FortiWeb Update Service in the FortiGuard Information widget. The time required varies by the availability of updates, the size of the updates, and the speed of the FortiWeb unit’s network connection. If event logging is enabled and the FortiWeb unit cannot successfully connect, it records a log with the message update failed, failed to connect any fds servers!

Accessing the Setup Wizard

The System menu includes the Wizard option. The Setup Wizard steps you through the actions required for basic system configuration, web protection, and log setup. Typically, you use the Setup Wizard just once, when you initially configure your FortiWeb unit for web protection after you install the FortiWeb unit hardware. See the FortiWeb Install and Setup Guide for instructions on using the Setup Wizard.


Router

This chapter describes the Router menu.

Static routes direct traffic that exits the FortiWeb unit: you can specify through which network interface a packet will leave, and the IP address of a next-hop router that is reachable from that network interface. The router is aware of which IP addresses are reachable through various network pathways, and can forward those packets along pathways capable of reaching the packets’ ultimate destinations.

A default route is a special type of static route. A default route matches all packets, and defines a gateway router that can receive and route packets if no other, more specific static route is defined for the packet’s destination IP address.

Configuring static routes

Router > Static > Static Route displays the list of static routes, including the default route.

You should configure at least one static route (a default route) that points to your gateway. However, you may configure multiple static routes if you have multiple gateway routers, each of which should receive packets destined for a different subset of IP addresses. For example, if a web server is directly attached to one of the network interfaces, but all other destinations, such as connecting clients, are located on distant networks such as the Internet, you might need to add only one route: a default route for the gateway router through which the FortiWeb unit connects to the Internet.

The FortiWeb unit examines the packet’s destination IP address and compares it to those of the static routes. If more than one route matches the packet, the FortiWeb unit applies the route with the smallest index number. For this reason, you should give more specific routes a smaller index number than the default route.

When you add a static route through the web-based manager, the FortiWeb unit evaluates the route to determine whether it represents a different route compared to any other route already present in the list of static routes. If no route having the same destination exists in the list of static routes, the FortiWeb unit adds the static route, using the next unassigned route index number.

To access this part of the web-based manager, you must have Read and Write permission in your administrator's account access profile to items in the Router Configuration category. For details, see “About permissions” on page 80.

Note: By default, the FortiWeb unit will forward only HTTP/HTTPS traffic to your protected real servers. (That is, IP-based forwarding is disabled.) For information on enabling forwarding of other protocols such as FTP, see the config router setting command in the FortiWeb CLI Reference.


Table 39: Router > Static > Static Route tab

Create New: Click to add a static route.

#: Displays the index number of the entry in the list.

IP: Displays the destination IP addresses of packets subject to the static route, where 0.0.0.0 indicates that the route matches all destination IP addresses.

Mask: Displays the network mask associated with the IP address, where 0.0.0.0 indicates that the route matches all subnet masks.

Gateway: Displays the IP address of the next-hop router to which packets subject to the static route will be forwarded.

Device: Displays the name of the network interface through which packets subject to the static route will egress.

(No column heading.): Click the Delete icon to remove an entry. Click the Edit icon to modify an entry.

To configure a static route

1 Go to Router > Static > Static Route.
2 Click Create New.
3 Configure the following, then click OK:

Destination IP/Mask: Type the destination IP address and network mask of packets that will be subject to this static route, separated by a slash ( / ). The value 0.0.0.0/0.0.0.0 is reserved for the default route, which matches all packets.

Gateway: Type the IP address of the next-hop router to which the FortiWeb unit will forward packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/Mask. For an Internet connection, the next-hop routing gateway routes traffic to the Internet.
Warning: The gateway IP address must be in the same subnet as the interface’s IP address. When you change the interface’s IP address later on, the new IP address must also be in the same subnet as the interface’s default gateway address; otherwise, all the static routes and the default gateway information will be lost.

Interface: Select the name of the network interface through which the packets subject to the static route will egress towards the next-hop router.
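The route selection rule and the gateway warning above, as an added example that is not FortiWeb code: a small Python model of the static route table that applies the documented smallest-index rule, flags a specific route shadowed by a default route with a smaller index, mimics the duplicate-destination check made when a route is added, and checks that a gateway lies in its interface's subnet. All addresses, interface names and route tables are constructed sample values.

```python
"""Added example, not FortiWeb code: a model of the static route table
described in this chapter. All addresses below are constructed samples."""
import ipaddress
import itertools
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticRoute:
    index: int       # the "#" column; the smallest index wins when several routes match
    dest: str        # "Destination IP/Mask" as typed in the GUI, e.g. "10.0.1.0/255.255.255.0"
    gateway: str     # next-hop router address
    device: str      # egress network interface name

    @property
    def network(self) -> ipaddress.IPv4Network:
        # ipaddress accepts a dotted netmask after the slash;
        # "0.0.0.0/0.0.0.0" (the default route) parses as 0.0.0.0/0.
        return ipaddress.IPv4Network(self.dest, strict=False)


def select_route(routes: List[StaticRoute], dst_ip: str) -> Optional[StaticRoute]:
    """Return the route the unit would apply to a packet for dst_ip.

    This is index-ordered matching, not longest-prefix matching: if the
    default route has a smaller index than a more specific route, the default
    route is chosen even though the specific route also matches."""
    addr = ipaddress.IPv4Address(dst_ip)
    matches = [r for r in routes if addr in r.network]
    return min(matches, key=lambda r: r.index) if matches else None


def shadowed_routes(routes: List[StaticRoute]) -> List[Tuple[int, int]]:
    """List (shadowed_index, shadowing_index) pairs: a route is shadowed when a
    less specific route with a smaller index covers its whole destination
    network, so it can never be selected. The fix is to give the specific
    route the smaller index, as the guide recommends."""
    found = []
    for r in routes:
        for other in routes:
            if (other.index < r.index
                    and other.network.prefixlen < r.network.prefixlen
                    and r.network.subnet_of(other.network)):
                found.append((r.index, other.index))
                break
    return found


def add_route(routes: List[StaticRoute], dest: str, gateway: str, device: str) -> StaticRoute:
    """Mimic the web-based manager: refuse a route whose destination already
    exists in the list, otherwise add it with the next unassigned index number."""
    net = ipaddress.IPv4Network(dest, strict=False)
    if any(r.network == net for r in routes):
        raise ValueError(f"a route to {net} already exists")
    used = {r.index for r in routes}
    index = next(i for i in itertools.count(1) if i not in used)
    route = StaticRoute(index, dest, gateway, device)
    routes.append(route)
    return route


def gateway_in_interface_subnet(gateway: str, interface_ip_mask: str) -> bool:
    """The Gateway field's warning: the next hop must be in the egress
    interface's subnet (and must remain so if the interface address changes)."""
    iface = ipaddress.IPv4Interface(interface_ip_mask)
    return ipaddress.IPv4Address(gateway) in iface.network


# Constructed sample tables. A web server network sits behind port2; everything
# else (clients on the Internet) goes out through the default gateway on port1.
CORRECT_ORDER = [
    StaticRoute(1, "10.0.1.0/255.255.255.0", "10.0.1.1", "port2"),   # specific route first
    StaticRoute(2, "0.0.0.0/0.0.0.0", "192.0.2.1", "port1"),          # default route last
]
SHADOWING_ORDER = [
    StaticRoute(1, "0.0.0.0/0.0.0.0", "192.0.2.1", "port1"),          # default route first...
    StaticRoute(2, "10.0.1.0/255.255.255.0", "10.0.1.1", "port2"),   # ...so this never matches
]

if __name__ == "__main__":
    for name, table in (("correct", CORRECT_ORDER), ("shadowing", SHADOWING_ORDER)):
        chosen = select_route(table, "10.0.1.25")
        print(f"{name}: 10.0.1.25 -> index {chosen.index} via {chosen.gateway} on {chosen.device}")
        print(f"{name}: shadowed routes {shadowed_routes(table)}")
    print("gateway in subnet:", gateway_in_interface_subnet("192.0.2.1", "192.0.2.10/255.255.255.0"))
```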


Users and user groups

This chapter describes the User menu.

You need to define users and user groups if you want the FortiWeb unit to protect web sites that require user authentication, such as a shopping cart application. If the FortiWeb unit's role is to protect a corporate information portal, where no user authentication is required, there is no need to configure user access.

The FortiWeb authentication feature uses local users, LDAP queries, RADIUS queries, and NTLM queries to authorize HTTP requests. For details, see “Configuring authentication policy” on page 257.

You can create user groups for each user type or combine several user types in one group for easy management of user authentication.

This chapter includes the following topics:
• Configuring local users
• Configuring LDAP user queries
• Configuring RADIUS user queries
• Configuring NTLM user queries
• Grouping users

User creation workflow

The following lists the steps to configure user authentication for your FortiWeb unit.

1 Define your FortiWeb users in one or more of the following ways:

• For local users, create a record for each user. See “Configuring local users” on page 108.

• For user credentials stored on an LDAP server, configure access to that server. See “Configuring LDAP user queries” on page 109.

• For user credentials stored on a RADIUS server, configure access to that server. See “Configuring RADIUS user queries” on page 111.

• For user credentials accessed through an NT LAN Manager, configure NTLM access. See “Configuring NTLM user queries” on page 113.

2 Optionally, if you want to use secure connections, you must upload the applicable certificates, define a certificate verification rule, and possibly also an intermediate CA certificate group. For example, to configure a secure connection to an LDAP server, you must upload the certificate of the CA that signed the LDAP server’s certificate. See “Managing certificates” on page 84.

3 Create one or more user groups and add users to the groups. See “Grouping users” on page 114.

4 Add the user groups to an authentication rule. See “Configuring authentication rules” on page 261.

Note: User authentication applies only when the FortiWeb unit is operating in reverse proxy mode, or in true transparent proxy mode that does not use HTTPS.


5 Add authentication rules to an authentication policy. See “Configuring authentication rules” on page 261.

6 Select the authentication policy in an inline protection profile. See “Configuring an inline protection profile” on page 269.

7 Select the inline protection profile as the web protection profile in a server policy. See “Configuring server policies” on page 118.

Configuring local users

User > Local User > Local User displays the list of locally defined user accounts.

The FortiWeb authentication feature uses local user entries to authorize HTTP requests. For more information, see “Configuring authentication policy” on page 257.

Local user accounts are activated indirectly by selecting them in a user group that is selected within an authentication rule. Then, select the rule within an authentication policy, and ultimately select the policy within an inline protection profile. For details, see “User creation workflow” on page 107.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see “About permissions” on page 80.

Table 40: User > Local User > Local User tab

Create New: Click to add a user.

#: Displays the index number of the entry in the list.

Name: Displays the name of the entry.

User Name: Displays the user name that the client must provide when authenticating.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a user group. Click the Edit icon to modify the entry.

To configure a local user

1 Go to User > Local User > Local User.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
3 In Name, type the name of the local user entry.
This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name. (You cannot delete a user if any user group has it as a member.)
Note: User passwords are not encrypted when downloading a FortiWeb configuration backup file. If you configure local user accounts, be sure to store configuration backup files in a safe location.
4 Configure the following:

Name: Type a display name for the user.

User Name: Type the user name that the client must provide when authenticating.

Password: Type the password for the local user account. The maximum length is 63 characters.

5 Click OK.

Configuring LDAP user queries

User > LDAP User > LDAP User displays the list of LDAP queries that can authenticate users.

The FortiWeb authentication feature uses LDAP user queries to authorize HTTP requests. For more information, see “Configuring authentication policy” on page 257.

LDAP user accounts are activated indirectly by selecting them in a user group that is selected within an authentication rule. Then, select the rule within an authentication policy, and ultimately select the policy within an inline protection profile. For details, see “User creation workflow” on page 107.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see “About permissions” on page 80.

Table 41: User > LDAP User > LDAP User tab

Create New: Click to add an LDAP user account query. Only one LDAP user query can exist at any given time. If a query is already configured, this button is grayed out.

#: Displays the index number of the entry in the list.

Name: Displays the name of the entry.

Server IP: Displays the IP address of the LDAP server that will be queried to authenticate users.

Port: Displays the TCP port number on which the LDAP server listens for queries.

Common Name Identifier: Displays the common name (CN) attribute, often cn, whose value is the user name.

Distinguished Name: Displays the distinguished name (DN) that, when prefixed with the common name, forms the full path in the directory to the user account object.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently a member of a user group. Click the Edit icon to modify the entry.

Before configuring the query, if you will configure a secure connection, you must upload the certificate of the CA that signed the LDAP server’s certificate. For details, see “Managing CA certificates” on page 90.

To configure the LDAP user query

1 Go to User > LDAP User > LDAP User.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
3 In Name, type the name of the LDAP user query entry.
This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:

Server IP: Type the IP address of the LDAP server.

Server Port: Type the port number on which the LDAP server listens. The default port number varies by your selection in Secure Connection: port 389 is typically used for non-secure connections or for STARTTLS-secured connections, and port 636 is typically used for SSL-secured (LDAPS) connections.

Common Name Identifier: Type the identifier, often cn, for the common name (CN) attribute whose value is the user name. Identifiers may vary by your LDAP directory’s schema.

Distinguished Name: Type the distinguished name (DN) that, when prefixed with the common name, forms the full path in the directory to the user account objects.


Bind Type: Select one of the following LDAP query binding styles:
• Simple: Bind using the client-supplied password and a bind DN assembled from the Common Name Identifier, Distinguished Name, and the client-supplied user name.
• Regular: Bind using a bind DN and password that you configure in User DN and Password.
• Anonymous: Do not provide a bind DN or password. Instead, perform the query without authenticating. Select this option only if the LDAP directory supports anonymous queries.

User DN: Type the bind DN, such as cn=FortiWebA,dc=example,dc=com, of an LDAP user account with permissions to query the Distinguished Name. This field may be optional if your LDAP server does not require the FortiWeb unit to authenticate when performing queries, and does not appear if Bind Type is Anonymous or Simple.

Password: Type the password of the User DN. This field may be optional if your LDAP server does not require the FortiWeb unit to authenticate when performing queries, and does not appear if Bind Type is Anonymous or Simple.

Secure Connection: Enable to connect to the LDAP server using an encrypted connection, then select the style of the encryption in Protocol.

Protocol: Select whether the LDAP query will be secured using LDAPS or STARTTLS. You may need to reconfigure Server Port to correspond to the change in protocol. This option appears only if Secure Connection is enabled.

Test LDAP: Click to test that the current settings are correct, and that the FortiWeb unit can communicate with the LDAP server.

5 Click OK.

Configuring RADIUS user queries

User > RADIUS User > RADIUS User displays the list of RADIUS queries that can authenticate users.

Remote Authentication Dial-In User Service (RADIUS) servers provide authentication, authorization, and accounting functions. The FortiWeb authentication feature uses RADIUS user queries to authorize HTTP requests. If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the unit sends the user’s credentials to the RADIUS server for authentication. If the RADIUS server can authenticate the user, the user is successfully authenticated with the FortiWeb unit. If the RADIUS server cannot authenticate the user, the FortiWeb unit refuses the connection. You can override the default authentication scheme by selecting a specific authentication protocol or changing the default port for RADIUS traffic. For details, see “Configuring authentication policy” on page 257.

RADIUS user accounts are activated indirectly, by selecting them in a user group that is selected within an authentication rule. Then, select the rule within an authentication policy, and ultimately select the policy within an inline protection profile. For details, see “User creation workflow” on page 107.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see “About permissions” on page 80.


Table 42: User > RADIUS User > RADIUS User tab

Create New: Click to add a RADIUS user account query.

#: Displays the index number of the entry in the list.

Name: Displays the name of the entry.

Server IP: Displays the IP address of the RADIUS server that will be queried to authenticate users.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a user group. Click the Edit icon to modify the entry.

To configure the RADIUS user query

Before configuring the query, if you will configure a secure connection, you must upload the certificate of the CA that signed the RADIUS server’s certificate. For details, see “Managing CA certificates” on page 90.

1 Go to User > RADIUS User > RADIUS User.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
3 In Name, type the name of the RADIUS user query entry.
This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:

Name: Enter a name for this RADIUS user query.

Server IP: Type the IP address of the primary RADIUS server.

5 Click OK.

Configuring NTLM user queries

User > NTLM User > NTLM User displays the list of NT LAN Manager (NTLM) user account queries.

NTLM queries can be made to a Microsoft Windows or Active Directory server that is configured for NTLM authentication. FortiWeb supports both NTLM v1 and NTLM v2.

The FortiWeb authentication feature uses NTLM user queries to authorize HTTP requests. For more information, see “Configuring authentication policy” on page 257.

NTLM user account queries are used indirectly by selecting them in a user group that is selected within an authentication rule. Then, select the rule within an authentication policy, and ultimately select the policy within an inline protection profile. For details, see “User creation workflow” on page 107.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see “About permissions” on page 80.

Table 43: User > NTLM User > NTLM User tab

Server Port Type the port number where the RADIUS server listens.The default port number is 1812.

Server Secret Enter the RADIUS server secret key for the primary RADIUS server. The primary server secret key should be a maximum of 16 characters in length.

Secondary Server IP Type the IP address of the secondary RADIUS server, if applicable.

Secondary Server Port Type the port number where the RADIUS server listens.The default port number is 1812.

Secondary Server Secret

Enter the RADIUS server secret key for the secondary RADIUS server. The secondary server secret key should be a maximum of 16 characters in length.

Authentication Scheme Select Default to authenticate with the default method. The default authentication scheme uses PAP, MS-CHAP-V2, and CHAP, in that order.Select Specify Authentication Protocol to override the default authentication method, and choose the protocol from the list: MS-CHAP-V2, CHAP, MS-CHAP, or PAP, depending on what your RADIUS server needs.

NAS IP Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiWeb unit uses to communicate with the RADIUS server will be applied.

Test Radius Click to test that the current settings are correct, and that the FortiWeb unit can communicate with the RADIUS server .

DeleteEdit

ortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guideevision 10 113ttp://docs.fortinet.com/ • Feedback

GUI item Description

Create New Click to add an NTLM user account query.

# Displays the index number of the entry in the list.

Name Displays the name of the entry.

Server IP Displays the IP address of the NTLM server that will be queried.

Port Displays the TCP port number where the NTLM server listens for queries.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a user group. Click the Edit icon to modify the entry.

To configure an NTLM user query

1 Go to User > NTLM User > NTLM User.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.

3 In Name, type the name of the NTLM user entry.

This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

GUI item Description

Name Type a display name for the user.

Server IP Type the IP address of the NTLM server that will be queried.

Port Type the TCP port number where the NTLM server listens for queries.

5 Click OK.

Grouping users

User > User Group > User Group displays the list of user groups.

The FortiWeb authentication feature uses user groups to authorize HTTP requests. Any group can include a mixture of local user accounts, LDAP user queries, RADIUS user queries, and NTLM user queries.

User groups are used indirectly, by selecting them within an authentication rule. Then, select the rule within an authentication policy, and ultimately select the policy within an inline protection profile. For details, see “User creation workflow” on page 107.

Tip: Before you can configure a user group, you must first configure one or more users.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see “About permissions” on page 80.

Table 44: User > User Group > User Group tab

GUI item Description

Create New Click to add an NTLM user account query.

# Displays the index number of the entry in the list.

Name Displays the name of the entry.

Auth Type Displays one of the following:
• Basic: Basic authentication is the original and most compatible authentication scheme for HTTP. However, it is also the least secure as it sends the user name and password unencrypted to the server. Groups with this authentication type can include local users, LDAP queries, and RADIUS queries.
• Digest: Digest authentication encrypts the password and thus is more secure than the basic authentication. Groups with this authentication type can include local users only.
• NTLM: NTLM is a proprietary protocol of Microsoft and is deemed to be more secure. Groups with this authentication type can include NTLM users only.

Count Displays the number of individual user accounts and/or user queries contained in the entry.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an authentication rule. Click the Edit icon to modify the entry.

To configure a user group

1 Go to User > User Group > User Group.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.

3 In Name, type the name of the user group. This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.

4 Select an authentication type:
• Basic: This is the original and most compatible authentication scheme for HTTP. However, it is also the least secure as it sends the user name and password unencrypted to the server.
• Digest: Authentication encrypts the password and thus is more secure than the basic authentication.
• NTLM: Authentication is a proprietary protocol of Microsoft and is deemed to be more secure.

5 Click OK.

6 Click Create New, then configure the following:

GUI item Description

ID Type the index number of the individual rule within the group of users, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.

User Type Select the type of user or user query you want to add to the group. The options presented vary with the setting for the group’s Auth Type option. Note: You can mix user types in the group. However, if the authentication rule’s Auth Type does not support a given user type, all user accounts of that type will be ignored, effectively disabling them.

User Name Select the name of the user or user query. The list contents vary with your selection in User Type.

7 Repeat the previous step for each individual rule that you want to add to the group of users.

8 If you need to modify an individual rule, click its Edit icon. To remove an individual user or user query from the group of users, click its Delete icon. To remove all individual users or user queries from the group of users, click the Clear icon.

9 Click OK.

Server policy


This chapter describes the Server Policy menu and how to use all the features of a server policy.

This chapter includes the following topics:
• Configuring server policies
• Configuring servers
• Configuring server health checks
• Configuring services
• Configuring protected servers
• Configuring predefined patterns
• Configuring custom patterns
• Configuring custom application policies

Server policy workflow requirements

The creation of a server policy involves multiple steps. The number and sequence of steps depends on what you wish to achieve. Some steps may be bypassed depending on your requirements.

1 Optionally, if you want to use secure connections, you must upload the applicable certificates, define a certificate verification rule, and possibly also an intermediate CA certificate group. See “Managing certificates” on page 84.

2 Configure one or more virtual servers, physical servers, or domain servers. See “Configuring virtual servers” on page 129, “Configuring physical servers” on page 131 and “Configuring domain servers” on page 133.

3 Configure one or more protected servers. See “Configuring protected servers” on page 147.

4 Optionally, add two or more servers to a server farm. See “Grouping physical and domain servers into server farms” on page 135.

5 Configure logging and trigger policy if you plan to include triggers in a web protection profile used by the server policy. See “Log configuration workflow” on page 313.

6 Configure one or more XML, inline, or offline protection profiles. See:
• “XML protection profile workflow” on page 163 (reverse proxy mode only)
• “Inline protection profile workflow” on page 268 (any mode except offline protection)
• “Offline protection profile workflow” on page 274 (offline protection mode only)

7 If you want the FortiWeb unit to gather auto-learning data, configure an auto-learning profile and its required components. See “Auto-learning profile workflow” on page 278.

8 If the policy is to include user authentication, you must configure users, user groups, and an authentication policy, and include that policy as part of an inline protection profile. See “HTTP authentication policy workflow” on page 259.

9 After you complete the applicable previous steps, you can configure or complete server policies. See “Configuring server policies” on page 118.


Configuring server policies

Server Policy > Policy > Policy displays the list of policies.

Use FortiWeb policies to:
• determine which connections FortiWeb will allow or block
• apply a profile that specifies how FortiWeb will process the connections that it allows
• route traffic to specific destination real servers (if supported by the operation mode)
• use an auto-learning profile to gather additional information about your HTTP traffic for use as guidance when modifying the policy or profiles

When determining the policy to apply to a connection, FortiWeb units will consider the operation mode:
• Reverse Proxy: Apply the policy whose virtual server and service match the connection.
• Offline Protection: Apply the policy whose network interface in the virtual server matches the connection. Do not consider the service or the IP address of the virtual server.
• True Transparent Proxy: Apply the policy whose v-zone (bridge) matches the connection. Do not consider the IP address of the bridge.
• Transparent Inspection: Apply the policy whose v-zone (bridge) matches the connection. Do not consider the IP address of the bridge.

The FortiWeb unit will apply only one policy to each connection. If an HTTP connection does not match any of the policies, the FortiWeb unit will block the connection. Policies are not used while they are disabled, as indicated by “Status” on page 121. Policy behavior varies with the operation mode.

Note: There is a limit to the number of server policies you can create. The limit varies with the model of your FortiWeb unit. For details, see “Appendix B: Maximum values” on page 397.
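The per-mode matching rules above, worked through in an added Python model (not FortiWeb code): one branch per operation mode, disabled policies never matching, and no match meaning the connection is blocked. The class and field names, and the first-match rule for overlapping policies, are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not FortiWeb code: a constructed model of the policy-selection
# rules described above, one branch per operation mode. Class and field names
# are assumptions; the page does not describe FortiWeb's internal data model.


@dataclass(frozen=True)
class VirtualServer:
    ip: str
    interface: str


@dataclass(frozen=True)
class Policy:
    name: str
    enabled: bool = True
    virtual_server: Optional[str] = None  # reverse proxy / offline protection modes
    service_port: Optional[int] = None    # port from the HTTP or HTTPS service (reverse proxy)
    vzone: Optional[str] = None           # bridge name (both transparent modes)


@dataclass(frozen=True)
class Connection:
    dst_ip: str
    dst_port: int
    interface: str
    vzone: Optional[str] = None


TRANSPARENT_MODES = ("true_transparent_proxy", "transparent_inspection")


def policy_matches(mode: str, policy: Policy, conn: Connection,
                   virtual_servers: Dict[str, VirtualServer]) -> bool:
    """Per-mode matching criteria; a disabled policy never matches."""
    if not policy.enabled:
        return False
    if mode == "reverse_proxy":
        # Both the virtual server (IP address and interface) and the service must match.
        vs = virtual_servers.get(policy.virtual_server or "")
        return (vs is not None and vs.ip == conn.dst_ip
                and vs.interface == conn.interface
                and policy.service_port == conn.dst_port)
    if mode == "offline_protection":
        # Only the virtual server's network interface counts; its IP and the service are ignored.
        vs = virtual_servers.get(policy.virtual_server or "")
        return vs is not None and vs.interface == conn.interface
    if mode in TRANSPARENT_MODES:
        # Only the v-zone (bridge) counts; the bridge's IP address is ignored.
        return policy.vzone is not None and policy.vzone == conn.vzone
    raise ValueError(f"unknown operation mode: {mode}")


def decide(mode: str, policies: List[Policy], conn: Connection,
           virtual_servers: Dict[str, VirtualServer]) -> Tuple[str, Optional[str]]:
    """Return ("allow", policy name) for the matching policy, or ("block", None).

    Exactly one policy is applied per connection, so this model assumes the
    administrator has not created two policies with identical match criteria
    and returns the first match in list order (an assumption, not documented
    FortiWeb behaviour).
    """
    for policy in policies:
        if policy_matches(mode, policy, conn, virtual_servers):
            return "allow", policy.name
    return "block", None
```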


Policies can be configured to detect URL-embedded attacks that are obfuscated using recursive URL encoding (that is, multiple levels of URL encoding). For more information, see the circulate-url-decode option of the config server-policy policy command in the FortiWeb CLI Reference.

To access this part of the web-based manager, your administrator's account access profile must have Read permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.
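The multi-level encoding problem that the circulate-url-decode option addresses, shown in an added Python example (not FortiWeb code): a single-pass decoder beside a bounded recursive decoder, run over a constructed request path that was percent-encoded twice. The depth limit and the signature list are assumptions, not FortiWeb values.

```python
from urllib.parse import quote, unquote

# Added example, not FortiWeb code. It shows why one URL-decode pass misses a
# payload that was percent-encoded more than once, and how a bounded recursive
# decode exposes it for inspection. MAX_DECODE_DEPTH and SUSPICIOUS_TOKENS are
# assumptions; the page does not state FortiWeb's depth or signatures.

MAX_DECODE_DEPTH = 4

# Constructed signatures: tokens a request path should never contain once decoded.
SUSPICIOUS_TOKENS = ("../", "<script", "' or ")


def encode_n_times(value: str, times: int) -> str:
    """Percent-encode every reserved character, repeatedly (constructed test input)."""
    for _ in range(times):
        value = quote(value, safe="")
    return value


def recursive_url_decode(value: str, max_depth: int = MAX_DECODE_DEPTH):
    """Decode until the value stops changing or max_depth passes have been made.

    Returns (decoded_value, levels_decoded, hit_limit). hit_limit is True when
    the value would still change after max_depth passes; that alone is worth
    logging, since ordinary clients do not encode a path several times over.
    """
    current = value
    for level in range(max_depth):
        decoded = unquote(current)
        if decoded == current:
            return current, level, False
        current = decoded
    return current, max_depth, unquote(current) != current


def flagged(value: str) -> bool:
    """Case-insensitive check of a decoded value against the signature list."""
    lowered = value.lower()
    return any(token in lowered for token in SUSPICIOUS_TOKENS)


def inspect_path(raw_path: str) -> dict:
    """Compare a single-pass decode with the recursive decode for one request path."""
    single = unquote(raw_path)
    full, levels, hit_limit = recursive_url_decode(raw_path)
    return {
        "single_pass_flagged": flagged(single),
        "recursive_flagged": flagged(full),
        "levels_decoded": levels,
        "hit_depth_limit": hit_limit,
        "decoded": full,
    }


if __name__ == "__main__":
    # Constructed: a traversal string encoded twice, so one decode pass still sees "%2F".
    twice = "/download?file=" + encode_n_times("../../etc/passwd", 2)
    print(inspect_path(twice))
```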

Table 45: Policy behavior by operation mode

Matches by
• Reverse Proxy: Service and virtual server.
• Offline Protection: Virtual server’s network interface, but not its IP address.
• True Transparent Proxy: V-zone (bridge), but not its IP address.
• Transparent Inspection: V-zone (bridge), but not its IP address.

Violations
• Reverse Proxy: Blocked or modified, according to profile.
• Offline Protection: Attempts to block by mimicking the client or server and requesting to reset the connection; does not modify otherwise.
• True Transparent Proxy: Blocked or modified, according to profile.
• Transparent Inspection: Attempts to block by mimicking the client or server and requesting to reset the connection; does not modify otherwise.

Profile support
• Reverse Proxy: Inline protection profiles, auto-learning profiles, XML protection profiles.
• Offline Protection: Offline protection profiles, auto-learning profiles.
• True Transparent Proxy: Inline protection profiles, auto-learning profiles.
• Transparent Inspection: Offline protection profiles, auto-learning profiles.

SSL
• Reverse Proxy: Certificate used to offload SSL from the servers to FortiWeb; can optionally re-encrypt before forwarding to the destination server.
• Offline Protection: Certificate used to decrypt and scan only; does not act as an SSL origin or terminator.
• True Transparent Proxy: Certificate used to decrypt and scan only; does not act as an SSL origin or terminator.
• Transparent Inspection: Certificate used to decrypt and scan only; does not act as an SSL origin or terminator.

Forwarding
• Reverse Proxy: Forwards to a single real server or member of a server farm using the port number where it listens; similar to a network address translation (NAT) policy on a general-purpose firewall. Can load-balance or route connections to a specific server based upon XML content.
• Offline Protection: Lets the traffic pass through to a member of a server farm, but does not load-balance.
• True Transparent Proxy: Forwards to a member of a server farm (but allowing it to pass through, without actively redistributing connections) using the port number where it listens.
• Transparent Inspection: Lets the traffic pass through to a member of a server farm, but does not load-balance.

Note: When you switch the operation mode, policies will be deleted from the configuration file if they are not applicable in the current operation mode.

Table 46: Server Policy > Policy > Policy tab


GUI item DescriptionCreate New Click to add a policy.

# Displays the index number of the entry in the list. On FortiWeb units, the index number of a policy indicates its alphabetical order only. It does not indicate order of evaluation for matches with connections. Instead, the FortiWeb unit will apply the one policy that matches the connection, if any exists.

Policy Name Displays the name of the entry.

Policy Type Indicates whether the policy applies a web protection profile (either inline or offline protection profile) or an XML protection profile.

Virtual Server or V-zone Displays the virtual server or v-zone (bridge) where the policy will apply a protection profile and route traffic to one or more real servers.

HTTP Service Displays the service that defines the TCP port number where the virtual server receives HTTP traffic.

HTTPS Service Displays the service that defines the TCP port number where the virtual server receives HTTPS traffic.

Deployment Mode Displays the method of distribution that the FortiWeb unit will use when forwarding connections accepted by this policy.
• Single Server: Forward connections to a single real server.
• Server Balance: Use a load-balancing algorithm when distributing connections amongst the real servers in a server farm. If a real server is unresponsive to the server health check, the FortiWeb unit forwards subsequent connections to another real server in the server farm.
• HTTP Content Routing: Use HTTP Content Routing to route HTTP requests to a specific real server in a server farm by specifying the host or URL and the request file.
• XPath Content Routing: Use content routing rules defined as XPath expressions in the server farm configuration when distributing connections amongst the real servers in a server farm. If a real server is unresponsive to the server health check, or if a request does not match the XPath expression, the FortiWeb unit forwards connections to the first real server in the server farm.
• WSDL Content Routing: Use WSDL content routing rules defined in the server farm configuration when distributing connections amongst the real servers in a server farm. If a real server is unresponsive to the server health check, or if a request does not match the WSDL content routing rules, the FortiWeb unit forwards connections to the first real server in the server farm.
• Offline Protection: Allow connections to pass through the FortiWeb unit, but instead of applying an inline protection profile, apply an offline protection profile.
• Transparent Servers: Allow connections to pass through the FortiWeb unit, and apply a protection profile.
You can use the Service Status widget to determine whether or not a real server is currently responding to the server health check. For details, see “Service Status widget” on page 49.

Enable Mark this check box to allow the policy to be used when evaluating traffic for a matching policy. For details, see “Enabling or disabling a policy” on page 128. Note: You can use SNMP traps to notify you of changes to the policy’s status. For details, see “Configuring an SNMP community” on page 68.

Status Indicates whether or not a policy will be used when evaluating traffic for a matching policy.
• Green icon: The policy will be used when evaluating traffic for a matching policy.
• Flashing yellow-to-red icon: The policy will not be used when evaluating traffic for a matching policy.
To be used, a policy’s Enable option must be marked.

(No column heading.) Click the Edit icon to modify the entry. For details, see “Configuring server policies” on page 118. Click the Delete icon to remove the entry. Policies may be automatically deleted if you switch the Operation Mode and the policy’s type is not supported by the new mode. Caution: Deleting a policy also removes any auto-learning data it has gathered using an auto-learning profile. To retain this data, instead either deselect the auto-learning profile in the policy, or disable the policy. For details, see “Enabling or disabling a policy” on page 128. When available, click the View Cookies icon to display cookies that have been observed in reply traffic from the server managed by this policy. This icon appears only after cookies have been observed in the Set-Cookie: HTTP header, and does not appear for cookies that may have been set using client-side JavaScript. Based upon whether or not the content of the cookies is sensitive, such as if they are used for state tracking or database input, you may want to enable Cookie Poison in the policy’s inline protection profile. For details, see “Cookie Poison” on page 269.

To add or edit a policy

1 Go to Server Policy > Policy > Policy.

2 For a new policy, click Create New. Or, for an existing policy, click the Edit icon in the applicable row. A dialog appears.

Note: Available options vary by the operation mode and the deployment mode of the FortiWeb unit.

3 Configure the following, then click OK:

Table 47: Editing a policy

GUI item DescriptionPolicy Name Type a name for the policy.

Policy Type Select whether you will apply an XML protection profile or a web protection profile, then select the name of the protection profile from Web Protection Profile or XML Protection Profile. Depending on the types of profiles that the current operation mode supports, not all policy types may be available. For details, see Table 45 on page 119.


Virtual Server, Data Capture Port or V-zone Select the name of a virtual server, data capture port or v-zone (bridge). The name and use of this option varies by operating mode:
• Reverse proxy mode: Virtual Server identifies the IP address and network interface of incoming traffic that will be routed and to which the policy will apply a profile.
• Offline protection mode: Data Capture Port identifies the network interface of incoming traffic to which the policy will attempt to apply a profile. The IP address of the virtual server will be ignored.
• Either of the transparent modes: V-zone (bridge) indicates the incoming traffic to which the policy will apply a profile.
Alternatively, you can select the Create New menu option to add a virtual server in a pop-up window, without leaving the current page. For details, see “Configuring virtual servers” on page 129 or “Configuring v-zones (bridges)” on page 55.

Deployment Mode Select the method of distribution that the FortiWeb unit will use when forwarding connections accepted by this policy.
• Single Server: Forward connections to a single physical server or domain server. This option is available only if the FortiWeb unit is operating in reverse proxy mode.
• Server Balance: Use a load-balancing algorithm when distributing connections amongst the real servers in a server farm. If a real server is unresponsive to the server health check, the FortiWeb unit forwards subsequent connections to another real server in the server farm. Also configure Load Balancing Algorithm, Persistence Timeout, Server Health Check, and Server Farm. This option is available only if the FortiWeb unit is operating in reverse proxy mode.
• HTTP Content Routing: Use HTTP content routing to route HTTP requests to a specific real server in a server farm by specifying the host or URL and the request file.
• XPath Content Routing: Use content routing rules defined as XPath expressions in the server farm configuration when distributing connections amongst the real servers in a server farm. If a real server is unresponsive to the server health check, or if a request does not match the XPath expression, the FortiWeb unit forwards connections to the first real server in the server farm. Also configure Server Health Check and Server Farm. This option is available only if the FortiWeb unit is operating in reverse proxy mode and Policy Type is XML Protection.
• WSDL Content Routing: Use WSDL content routing rules defined in the server farm configuration when distributing connections amongst the real servers in a server farm. If a real server is unresponsive to the server health check, or if a request does not match the WSDL content routing rules, the FortiWeb unit forwards connections to the first real server in the server farm. Also configure Server Health Check and Server Farm. This option is available only if the FortiWeb unit is operating in reverse proxy mode and Policy Type is XML Protection.
• Offline Protection: Allow connections to pass through the FortiWeb unit, and apply an offline protection profile. Also configure Server Health Check and Server Farm. This option is available only if the FortiWeb unit is operating in offline protection mode.
• Transparent Servers: Allow connections to pass through the FortiWeb unit, and apply a protection profile. Also configure Server Farm. This option is available only if the FortiWeb unit is operating in either of the transparent modes.
Depending on the types of network topologies that the current operation mode supports, not all deployment modes may be available. For details, see Table 45 on page 119.

Server Type If you select Single Server as the deployment mode, you must select either a Physical Server or Domain Server. For details, see “Configuring physical servers” on page 131 and “Configuring domain servers” on page 133.


Physical Server Select the physical server to which to forward connections, or select Create New to configure a new physical server in a pop-up window, without leaving the current page. This option appears only when selected as a server type. For details, see “Configuring physical servers” on page 131.

Domain Server Select the domain server to which to forward connections, or select Create New to configure a new domain server in a pop-up window, without leaving the current page. This option appears only when selected as a server type. For details, see “Configuring domain servers” on page 133.

Server's Port Enter the TCP port number where the physical/domain server listens for web or web services connections, depending on whether you have selected a web protection profile or an XML protection profile, respectively. This option appears only when Server Type is visible, that is, only if Deployment Mode is Single Server.

Load Balancing Algorithm Select the load-balancing algorithm to use when distributing new connections amongst real servers in the server farm. This option appears only if Deployment Mode is Server Balance.
• Round Robin: Distributes new connections to the next real server in the server farm, regardless of weight, response time, traffic load, or number of existing connections. Unresponsive servers are avoided.
• Weighted Round Robin: Distributes new connections using the round robin method, except that real servers with a higher weight value will receive a larger percentage of connections.
• Least Connection: Distributes new connections to the real server with the fewest number of existing, fully-formed connections.
• HTTP session based Round Robin: Distributes new connections, if they are not associated with an existing HTTP session, to the next real server in the server farm, regardless of weight, response time, traffic load, or number of existing connections. Unresponsive servers are avoided. Session management is enabled automatically when you enable this feature, and it therefore does not require that you enable Session Management in the web protection profile. This option is available only if Policy Type is Web Protection.
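The four algorithms above, simulated in an added Python example (not FortiWeb code) so that the differences are visible on a constructed three-server farm: how weight changes the share, how least-connection picks, how a session stays on its server, and how every algorithm skips a server that the health check has marked unresponsive. Class, method and field names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not FortiWeb code: a constructed simulation of the four
# load-balancing algorithms listed above, including the rule that servers
# marked unresponsive by the health check are skipped. Names and fields are
# assumptions; real servers and sessions are modelled in memory only.


@dataclass
class RealServer:
    name: str
    weight: int = 1
    healthy: bool = True   # outcome of the most recent server health check
    connections: int = 0   # existing, fully formed connections


class ServerFarm:
    def __init__(self, servers: List[RealServer]):
        self.servers = servers
        self._rr_pos = 0
        # Weighted round robin: a server with weight 2 appears twice in the cycle.
        self._wrr_cycle = [s for s in servers for _ in range(max(1, s.weight))]
        self._wrr_pos = 0
        self._sessions: Dict[str, RealServer] = {}

    def _next_healthy(self, cycle: List[RealServer], pos_attr: str) -> Optional[RealServer]:
        """Advance through a cycle, skipping unresponsive servers; None if all are down."""
        pos = getattr(self, pos_attr)
        for _ in range(len(cycle)):
            server = cycle[pos % len(cycle)]
            pos += 1
            if server.healthy:
                break
        else:
            server = None
        setattr(self, pos_attr, pos)
        return server

    def round_robin(self) -> Optional[RealServer]:
        return self._next_healthy(self.servers, "_rr_pos")

    def weighted_round_robin(self) -> Optional[RealServer]:
        return self._next_healthy(self._wrr_cycle, "_wrr_pos")

    def least_connection(self) -> Optional[RealServer]:
        live = [s for s in self.servers if s.healthy]
        return min(live, key=lambda s: s.connections) if live else None

    def session_round_robin(self, session_id: Optional[str]) -> Optional[RealServer]:
        """Keep an existing HTTP session on its server; place new sessions round robin."""
        if session_id is not None:
            pinned = self._sessions.get(session_id)
            if pinned is not None and pinned.healthy:
                return pinned
        server = self.round_robin()
        if session_id is not None and server is not None:
            self._sessions[session_id] = server   # pin, or re-pin after a failover
        return server

    def assign(self, algorithm: str, session_id: Optional[str] = None) -> Optional[str]:
        """Choose a server for a new connection, record the connection, return its name."""
        if algorithm == "round_robin":
            server = self.round_robin()
        elif algorithm == "weighted_round_robin":
            server = self.weighted_round_robin()
        elif algorithm == "least_connection":
            server = self.least_connection()
        elif algorithm == "session_round_robin":
            server = self.session_round_robin(session_id)
        else:
            raise ValueError(f"unknown algorithm: {algorithm}")
        if server is None:
            return None   # no responsive real server: nothing to forward to
        server.connections += 1
        return server.name


def make_farm() -> ServerFarm:
    """Constructed three-server farm: B carries twice the weight of A and C."""
    return ServerFarm([RealServer("A"), RealServer("B", weight=2), RealServer("C")])
```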

Persistence Timeout Enter the timeout for inactive TCP sessions. This option appears only if Deployment Mode is Server Balance or Transparent Servers.

Server Health Check Select the server health check to use when determining responsiveness of real servers in the server farm, or select Create New to add a server health check in a pop-up window, without leaving the current page. For details, see “Configuring server health checks” on page 143. This option appears only if Deployment Mode is Server Balance, Content Routing, or WSDL Content Routing. Note: If a real server is unresponsive, wait until the server becomes responsive again before disabling its server health check. Server health checks record the up or down status of the server. If you deactivate the server health check while the server is unresponsive, the server health check will be unable to update the recorded status, and the FortiWeb unit will continue to regard the real server as if it were unresponsive. You can determine the real server’s connectivity status using the Service Status widget or an SNMP trap. For details, see “Service Status widget” on page 49 or “Configuring an SNMP community” on page 68.

Server Farm Select the server farm whose real servers will receive the connections. For details, see “Grouping physical and domain servers into server farms” on page 135. This option appears only if Deployment Mode is Server Balance, HTTP Content Routing, WSDL Content Routing, Offline Protection, or Transparent Servers. Note: If Deployment Mode is Offline Protection or Transparent Servers, you must select a server farm, even though the FortiWeb unit will allow connections to pass through instead of actively distributing connections. Therefore, if you want to govern connections for only a single real server, rather than a group of servers, you must configure a server farm with that single real server as its only member in order to select it in the policy.


Protected Servers Select a protected servers group to allow or reject connections based upon whether the Host: field in the HTTP header is empty or does or does not match the protected hosts group. For details, see “Configuring protected servers” on page 147. If you do not select a protected servers group, connections will be accepted or blocked based upon other criteria in the policy or protection profile, but regardless of the Host: field in the HTTP header. Attack log messages contain DETECT_ALLOW_HOST_FAILED when this feature does not detect an allowed protected host name. Note: Unlike HTTP 1.1, HTTP 1.0 does not require the Host: field. The FortiWeb unit will not block HTTP 1.0 requests for lacking this field, regardless of whether or not you have selected a protected servers group.
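The Protected Servers decision above, including the HTTP 1.0 exception and the DETECT_ALLOW_HOST_FAILED log message, modelled in an added Python example (not FortiWeb code) over constructed request heads. Case-insensitive comparison and dropping a :port suffix from the Host: value are assumptions; the page does not say how FortiWeb normalises the field.

```python
from typing import Optional, Set, Tuple

# Added example, not FortiWeb code: a constructed model of the Protected Servers
# check described above, run over raw request heads built inline. Normalisation
# (lower-case, :port stripped) is an assumption, not documented behaviour.

LOG_HOST_FAILED = "DETECT_ALLOW_HOST_FAILED"


def parse_request_head(raw: bytes) -> Tuple[str, Optional[str]]:
    """Return (HTTP version, Host header value or None) from a raw request head.

    Only the request line and headers are read; any body is ignored.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    version = parts[2]
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    return version, host


def normalise_host(host: str) -> str:
    """Lower-case and drop a :port suffix (assumption: the group lists bare names)."""
    host = host.strip().lower()
    if host.startswith("["):          # IPv6 literal: keep the bracketed address only
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def host_check(raw: bytes, protected_hosts: Optional[Set[str]]) -> Tuple[bool, Optional[str]]:
    """Return (allowed, attack-log message). protected_hosts=None: no group selected."""
    version, host = parse_request_head(raw)
    if protected_hosts is None:
        return True, None                  # Host: is not a criterion at all
    if not host:                           # missing, or present with an empty value
        if version == "HTTP/1.0":
            return True, None              # HTTP 1.0 does not require Host:
        return False, LOG_HOST_FAILED
    allowed = {normalise_host(h) for h in protected_hosts}
    if normalise_host(host) in allowed:
        return True, None
    return False, LOG_HOST_FAILED
```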

Web Protection ProfileorXML Protection Profile

The name of this drop-down list varies by your selection in Policy Type.Select the profile to apply to the connections accepted by this policy, or select Create New to add a new profile in a pop-up window, without leaving the current page. If you want to view the details of a profile, select the profile from the list and click View Profile Details. A protection profile details window opens. To return to the policy settings, click Back to Policy Settings. For details on specific protection profiles, see “Configuring XML protection profiles” on page 184, “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274.Note: Depending on the profile types that the current operation mode supports, not all profiles may be available. For details, see Table 45 on page 119.• XML protection profiles apply to reverse proxy mode only.• Offline protection profiles apply to offline protection mode only.• Inline protection profiles apply to any mode except offline protection.Note: Clients with source IP addresses designated as a trusted IP are exempt from being blocked by the protection profile. For details, see “Configuring an IP list policy” on page 220.

WAF Auto Learning Profile

Select the auto-learning profile, if any, to use in order to discover attacks, URLs, and parameters in your web servers’ HTTP sessions, or select Create New to add a new auto-learning profile in a pop-up window, without leaving the current page. For details, see “Applying auto-learning profiles” on page 278.
Data gathered using an auto-learning profile can be viewed in an auto-learning report, and used to generate profiles. For details, see “Auto learn” on page 281.

HTTP Service

Select the custom or predefined service that defines the TCP port number where the virtual server or bridge receives traffic, or select Create New to create a new service in a pop-up window, without leaving the current page. For details, see “Configuring services” on page 145.
This option does not apply to true transparent proxy or transparent inspection modes.
Note: This option only defines the port number. It does not specify SSL/TLS. For example, it is possible to configure a web server to listen on the well-known port number for HTTP (port 80), yet use SSL (HTTPS). To specify SSL/TLS, see HTTPS Service.


HTTPS Service

Select the custom or predefined service that defines the TCP port number where the virtual server or bridge receives traffic, or select Create New to create a new service in a pop-up window, without leaving the current page. For details, see “Configuring services” on page 145.
Enable if connections from HTTP clients to the FortiWeb unit or protected hosts use SSL. Also configure Certificate.
FortiWeb units contain specialized hardware to accelerate SSL processing. Offloading SSL processing may improve the performance of secure HTTP (HTTPS) connections. SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
The FortiWeb unit handles SSL negotiations and encryption and decryption instead of the real servers, also known as offloading. Connections between the client and the FortiWeb unit will be encrypted. Connections between the FortiWeb unit and each web server will be clear text or encrypted, depending on SSL Server.
This option appears only if the FortiWeb unit is operating in reverse proxy mode.
Note: If the FortiWeb unit is operating in offline protection mode or either of the transparent modes, you must enable SSL in the server farm instead.
Caution: You must enable either this option or the server farm’s SSL option if the connection uses SSL. Failure to enable an SSL option and provide a certificate for HTTPS connections will result in the FortiWeb unit being unable to decrypt connections, and therefore unable to scan HTML or XML content.

Blocking Port

Choose the specific blocking port interface (that is, port1, port2, and so on) where TCP reset packets are sent.
This option appears only if the FortiWeb unit is operating in offline protection mode.

Certificate

Select the server certificate the FortiWeb unit will use when encrypting or decrypting SSL-secured connections, or select Create New to upload a new certificate in a pop-up window, without leaving the current page. For more information, see “Uploading a certificate” on page 88.
This option appears only if HTTPS Service is enabled.


Certificate Verification

Select the name of a certificate verifier, if any, to use when an HTTP client presents their personal certificate. (If you do not select one, the client is not required to present a personal certificate.)
If the client presents an invalid certificate, the FortiWeb unit will not allow the connection.
To be valid, a client certificate must:
• not be expired
• not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP) (see “Configuring certificate verification rules” on page 95)
• be signed by a certificate authority (CA) whose certificate you have imported into the FortiWeb unit (see “Managing CA certificates” on page 90); if the certificate has been signed by a chain of intermediate CAs, those certificates must be included in an intermediate CA group (see Certificate Intermediate Group)
• contain a CA field whose value matches the CA certificate
• contain an Issuer field whose value matches the Subject field in the CA certificate
Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the web site.
You can require that clients present a certificate alternatively or in addition to HTTP authentication. For more information, see “Configuring authentication policy” on page 257.
This option appears only if HTTPS Service is enabled, and only applies if the FortiWeb unit is operating in reverse proxy mode. SSL 3.0 or TLS 1.0 is required.
Note: If the connection fails when you have selected a certificate verifier, verify that the certificate meets the web browser’s requirements. Web browsers may have their own certificate validation requirements in addition to FortiWeb's requirements. For example, personal certificates for client authentication may be required to either:
• not be restricted in usage/purpose by the CA, or
• contain a Key Usage field that contains a Digital Signature, or have an ExtendedKeyUsage or EnhancedKeyUsage field whose value contains Client Authentication
If the certificate does not satisfy browser requirements, although it may be installed in the browser, when the FortiWeb unit requests the client’s certificate, the browser may not present a certificate selection dialog to the user, or the dialog may not contain that certificate. In that case, verification will fail.
For browser requirements, see your web browser’s documentation.

Certificate Intermediate Group

Select the name of a group of intermediate certificate authority (CA) certificates, if any, that will be presented to clients in order for them to validate the server certificate’s CA signature.
This can prevent clients from getting certificate warnings when the server certificate configured in Certificate has been signed by an intermediate CA, rather than directly by a root CA or other CA currently trusted by the client.
Alternatively, you can include the entire signing chain in the server certificate itself before uploading it to the FortiWeb unit, thereby completing the chain of trust with a CA already known to the client.
This option appears only if HTTPS Service is enabled and the FortiWeb unit is operating in reverse proxy mode.

SSL Server

Enable to use SSL to encrypt connections from the FortiWeb unit to protected web servers. Also configure Certificate.
Disable to pass traffic to protected web servers in clear text.
To test whether the web server supports SSL connections, click SSL Support Test.
This option appears only in reverse proxy mode. (The FortiWeb unit cannot act as an SSL terminator or initiator in offline protection mode or either of the transparent modes.)
Note: Enable only if the protected host supports SSL.


Persistent Server Sessions

Enter the maximum number of concurrent TCP client connections that can be accepted by this policy. The maximum number of HTTP sessions established with each server depends on this field, and on whether you have selected a single real server or a server farm and the Load Balancing Algorithm.
For example, if you set the value of Persistent Server Sessions to 10 000 and there are 4 real servers in a server farm that uses Round Robin-style load-balancing, up to 10 000 client connections would be accepted, resulting in up to 2 500 HTTP sessions evenly distributed to each of the 4 real servers.
Each model of FortiWeb unit has a maximum allowed number of persistent sessions. The Edit Policy dialog lists the minimum and maximum for your FortiWeb model next to this field. For more specifications, see “Appendix B: Maximum values” on page 397.

Monitor Mode

When enabled, this mode treats all blocking actions (deny, redirect, and so on) as if they were the Alert action. This enables FortiWeb to log attacks and complete processing of the connection. This is needed to let the auto-learning feature collect more information to build profiles of attacks. If auto-learning is not enabled, clear this option. See “Tune up alerts” on page 30.

URL Case Sensitivity

Enable to differentiate uniform resource locators (URLs) according to upper case and lower case letters for features that act upon the URLs in the headers of HTTP requests, such as start page rules, IP list rules, and page access rules.
For example, when this option is enabled, an HTTP request involving http://www.Example.com/ would not match profile features that specify http://www.example.com (the difference is the lower case "e").

Comments

Enter a description or other comment. The description may be up to 35 characters long.

Enabling or disabling a policy
You can individually enable and disable policies.
Caution: When the operation mode is reverse proxy, disabling a policy could block all traffic if no remaining active policies match that traffic. That is, if no policies exist or none are enabled, the FortiWeb unit will deny HTTP/HTTPS traffic.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.
To enable or disable a policy
1 Go to Server Policy > Policy > Policy.
2 In the row corresponding to the policy that you want to enable, mark the check box in the Enable column.
3 In the row corresponding to the policy that you want to disable, clear the check box in the Enable column.
To determine whether the policy is applicable, see the column “Status” on page 121.
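The Protected Servers check and the URL Case Sensitivity option described in the policy settings above, modelled as an added example. This is not FortiWeb code: the Policy fields, the request parser, the sample requests and the attack-log line layout are constructed assumptions; only the DETECT_ALLOW_HOST_FAILED string and the HTTP 1.0 exemption come from the page.

```python
"""Added example (not FortiWeb code): modelling a policy's Protected Servers
check (Host: field against the protected hosts group) and its URL Case
Sensitivity option. Request format, policy fields and log line layout are
constructed assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    # Host names, IPs and virtual IPs that clients legitimately use in Host:.
    # None means no protected servers group is selected: Host: is not checked.
    protected_hosts: Optional[set] = None
    url_case_sensitive: bool = False


def parse_request(raw: bytes) -> dict:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def protected_host_check(policy: Policy, req: dict, attack_log: list) -> bool:
    """Return True if the request passes the check, False if it is rejected.

    A rejection appends a log line containing DETECT_ALLOW_HOST_FAILED, the
    string the guide says appears in attack log messages (layout constructed).
    """
    if policy.protected_hosts is None:
        return True                 # no group selected: other policy criteria decide
    host = req["headers"].get("host", "")
    if req["version"] == "HTTP/1.0" and host == "":
        return True                 # HTTP 1.0 need not carry Host:; not blocked for lacking it
    # Assumption: a trailing :port is not part of the host name, and names compare
    # case-insensitively (an empty Host: in HTTP 1.1 still fails the check).
    name, _, port = host.rpartition(":")
    hostname = (name if port.isdigit() and name else host).lower()
    allowed = {h.lower() for h in policy.protected_hosts}
    if hostname and hostname in allowed:
        return True
    attack_log.append(
        f'attack_type="DETECT_ALLOW_HOST_FAILED" http_version="{req["version"]}" '
        f'host="{host}" url="{req["target"]}"'
    )
    return False


def url_rule_matches(policy: Policy, request_url: str, rule_url: str) -> bool:
    """Compare a request URL with a URL from a start page, IP list or page access rule."""
    if policy.url_case_sensitive:
        return request_url == rule_url
    return request_url.lower() == rule_url.lower()


# Constructed sample requests (not captured traffic).
REQ_OK = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_DIRECT_IP = b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.7\r\n\r\n"
REQ_NO_HOST_10 = b"GET /index.html HTTP/1.0\r\n\r\n"
REQ_NO_HOST_11 = b"GET /index.html HTTP/1.1\r\n\r\n"


def demo():
    """Run the four sample requests against a policy with a protected hosts group."""
    policy = Policy(protected_hosts={"www.example.com", "203.0.113.10"})
    log = []
    results = [protected_host_check(policy, parse_request(r), log)
               for r in (REQ_OK, REQ_DIRECT_IP, REQ_NO_HOST_10, REQ_NO_HOST_11)]
    return results, log


if __name__ == "__main__":
    verdicts, lines = demo()
    print(verdicts)
    print("\n".join(lines))
```

The second sample request carries a bare IP in Host:, the pattern of a client reaching a server by address rather than by a published name; with a protected hosts group selected it is rejected and logged, while the HTTP 1.0 request without Host: passes, as the note above describes.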


Configuring servers
Server Policy > Server enables you to configure various types of servers in your network. This section includes the following topics:
• Configuring virtual servers
• Configuring physical servers
• Configuring domain servers
• Grouping physical and domain servers into server farms
• Configuring HTTP content routing policy
• Configuring HTTP conversion policy

Configuring virtual servers
Server Policy > Server > Virtual Server displays the list of virtual servers.
Before you can create a policy, you must first configure a virtual server that defines the network interface or bridge and IP address where traffic destined for an individual real server or server farm will arrive.
When the FortiWeb unit receives traffic destined for a virtual server, it can then forward the traffic to a real server or a server farm. The FortiWeb unit identifies traffic as being destined for a specific virtual server if:
• the traffic arrives on the network interface or bridge associated with the virtual server
• for reverse proxy mode, the destination address is the IP address of a virtual server (the destination IP address is ignored in other operation modes, except that it must not be identical with the real server’s IP address)
Virtual servers are applied by selecting them within a policy. For details, see “Configuring server policies” on page 118.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Caution: Virtual servers can be on the same subnet as real servers. This configuration creates a one-arm HTTP proxy. For example, the virtual server 10.0.0.1/24 could forward to the real server 10.0.0.2. However, this is not recommended. Unless your network’s routing configuration prevents it, it could allow clients that are aware of the real server’s IP address to bypass the FortiWeb unit by accessing the real server directly.

Table 48: Server Policy > Server > Virtual Server tab
GUI item / Description
Create New: Click to add a virtual server.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
IP Address: Displays the IP address and subnet of the virtual server.
Interface: Displays the network interface or bridge where traffic destined for the virtual server will arrive.
Enable: Mark the check box to enable use of the virtual server. For details, see “Enabling or disabling a virtual server” on page 130.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy. Click the Edit icon to modify the entry.

To add a virtual server
1 Go to Server Policy > Server > Virtual Server.
2 Click Create New.
A dialog appears.
3 Configure the following:
GUI item / Description
Name: Type the name of the virtual server.
IP Address: Type the IP address and subnet of the virtual server. If the FortiWeb unit is operating in offline protection mode or either of the transparent modes, this IP address will be ignored when deciding whether or not to apply a policy to the connection, and can therefore be any IP address, except that it must not be identical to the real server. If the virtual server’s IP is identical to the real server, the configuration will not function.
Interface: Select the network interface or bridge to which the virtual server is bound, and where traffic destined for the virtual server will arrive.
4 Click OK.
To define the listening port of the virtual server, create a custom service and select it in the policy where the virtual server is also selected. For details, see “Configuring services” on page 145.
To apply the virtual server, you must select it in a policy. For details, see “Configuring server policies” on page 118.

Enabling or disabling a virtual server
You can individually enable and disable virtual servers. Disabled virtual servers can be selected in a policy, but will result in a policy that is unable to forward traffic until the virtual server is enabled.


By default, virtual servers are enabled, and the FortiWeb unit can forward traffic from them.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

To enable or disable a virtual server1 Go to Server Policy > Server > Virtual Server.

2 In the row corresponding to the virtual server that you want to enable, in the Enable column, mark the check box.

3 In the row corresponding to the virtual server that you want to disable, in the Enable column, clear the check box.
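The two virtual server rules from the section above, written out as an added example: which incoming connections a virtual server claims depending on the operation mode, and a configuration check for the identical-IP and one-arm layouts the section warns about. This is not FortiWeb code; the mode strings, the dictionary keys interface and ip, and the sample addresses are constructed assumptions (the 10.0.0.1/24 and 10.0.0.2 pair is the page's own one-arm example).

```python
"""Added example (not FortiWeb code): matching a connection to a virtual server
by operation mode, and linting a virtual server against its real server.
Mode names and the virtual server dictionary layout are constructed assumptions."""
import ipaddress

REVERSE_PROXY = "reverse proxy"
# In these modes the destination IP is ignored when matching a virtual server.
OTHER_MODES = ("offline protection", "true transparent proxy", "transparent inspection")


def matches_virtual_server(mode: str, vs: dict, arrival_interface: str, dst_ip: str) -> bool:
    """True if a connection arriving on arrival_interface for dst_ip belongs to vs."""
    if arrival_interface != vs["interface"]:
        return False                    # must arrive on the bound interface or bridge
    if mode == REVERSE_PROXY:
        return ipaddress.ip_address(dst_ip) == ipaddress.ip_interface(vs["ip"]).ip
    return True                         # other modes: destination IP is not compared


def lint_virtual_server(vs: dict, real_server_ip: str) -> list:
    """Flag the two layouts the guide calls out: an identical virtual/real server IP
    (the configuration will not function) and a shared subnet (one-arm proxy)."""
    problems = []
    vs_if = ipaddress.ip_interface(vs["ip"])
    real = ipaddress.ip_address(real_server_ip)
    if vs_if.ip == real:
        problems.append("error: virtual server IP is identical to the real server IP; "
                        "this configuration will not function")
    elif real in vs_if.network:
        problems.append("warning: virtual server and real server share a subnet (one-arm proxy); "
                        "clients that know the real server's address may reach it without "
                        "passing through the FortiWeb unit unless routing prevents it")
    return problems


if __name__ == "__main__":
    vs = {"interface": "port1", "ip": "10.0.0.1/24"}   # constructed sample
    print(matches_virtual_server(REVERSE_PROXY, vs, "port1", "10.0.0.1"))
    print(lint_virtual_server(vs, "10.0.0.2"))
```

A deployment review can run lint_virtual_server over every virtual server and real server pair before a policy goes live; the warning case is exactly the layout in which routing, not the FortiWeb unit, decides whether clients can bypass inspection.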

Caution: Disabling a virtual server could block traffic matching policies in which you have selected the virtual server. For details, see “Configuring server policies” on page 118.

Configuring physical servers
Server Policy > Server > Physical Server displays the list of physical servers.
Before you can create a policy, you must first configure one or more domain servers or physical servers. Domain servers use domain names while physical servers use IP addresses. A physical server defines the IP address of an individual real server or a member of a server farm that is the ultimate destination of traffic received by the FortiWeb unit at a virtual server address, and where the FortiWeb unit will forward traffic after applying the protection profile and other policy settings. You can also use domain names of the protected real servers. For details, see “Configuring domain servers” on page 133.

Physical servers versus protected hosts
Unlike a physical server, which is a single network IP, a protected hosts group should contain all network IPs, virtual IPs, and domain names that clients use in the Host: field of the HTTP header to access the web server.
For example, clients often access a web server via a public network such as the Internet. Therefore the protected hosts group contains domain names, public IP addresses and public virtual IPs on a network edge router or firewall that are routable from that public network. But the physical server is only the IP address that the FortiWeb unit uses to forward traffic to the server and, therefore, is often a private network address, unless the FortiWeb unit is operating in a mode other than reverse proxy.
Note: A physical server is usually not the same as a protected hosts group.
Physical servers are applied either by selecting them within a policy, or grouping them into a server farm that is selected in a policy.


For details, see “Configuring server policies” on page 118 or “Grouping physical and domain servers into server farms” on page 135.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Table 49: Server Policy > Server > Physical Server tab
GUI item / Description
Create New: Click to add a physical server.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
IP Address: Displays the IP address of the physical server.
Enable: Mark the check box to enable use of the physical server. For details, see “Enabling or disabling a physical server” on page 133.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy. Click the Edit icon to modify the entry.

To add a physical server
1 Go to Server Policy > Server > Physical Server.
2 Click Create New.
A dialog appears.
3 Configure the following:
GUI item / Description
Name: Enter the name of the physical server.
IP Address: Enter the IP address of the physical server.
Note: Server health checks cannot be used with an individual physical server. If you want to monitor a server for responsiveness, you must group one or more physical servers into a server farm.
4 Click OK.
To forward traffic from a virtual server to multiple physical servers, you must group the physical servers into a server farm. For more information, see “Grouping physical and domain servers into server farms” on page 135.
To apply the physical server, you must select it in a policy, or group it into a server farm that is selected in a policy. For details, see “Configuring server policies” on page 118.

Enabling or disabling a physical server
You can individually enable and disable physical servers. You can select disabled physical servers for a server farm, but they will not be used when forwarding traffic.
By default, physical servers are enabled and the FortiWeb unit can forward traffic to them. To prevent traffic from being forwarded to a physical server, such as when the server will be unavailable for a long time due to repairs, you can disable it. If the disabled physical server is a member of a load-balanced server farm, the FortiWeb unit will automatically forward connections to other enabled physical servers in the server farm. For XPath or WSDL content routed server farms, the FortiWeb unit will forward connections to the first physical server in the server farm.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

To enable or disable a physical server1 Go to Server Policy > Server > Physical Server.

2 In the row corresponding to the physical server that you want to enable, mark the check box in the Enable column.

3 In the row corresponding to the physical server that you want to disable, clear the check box in the Enable column.

Note: If the physical server is a member of a server farm and will be unavailable only temporarily, you can alternatively configure a server health check to automatically prevent the FortiWeb unit from forwarding traffic to that physical server when it is unresponsive. For details, see “Configuring server health checks” on page 143.
Caution: Disabling a physical server could block traffic matching policies in which you have selected the physical server, or selected a server farm in which the physical server is a member. For details, see “Configuring server policies” on page 118.

Configuring domain servers
Server Policy > Server > Domain Server displays the list of domain servers.
Before you can create a policy, you must first configure one or more domain servers or physical servers. Domain servers use domain names while physical servers use IP addresses.


Domain servers define an individual server or a member of a server farm that is the ultimate destination of traffic received by the FortiWeb unit at a virtual server address, and where the FortiWeb unit will forward traffic after applying the protection profile and other policy settings. Domain servers are applied either by selecting them within a policy, or grouping them into a server farm that is selected in a policy.

For details, see “Configuring server policies” on page 118 or “Grouping physical and domain servers into server farms” on page 135.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Table 50: Server Policy > Server > Domain Server tab
GUI item / Description
Create New: Click to add a domain server.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Domain: Displays the domain name of the domain server.
Enable: Mark the check box to enable use of the domain server. For details, see “Enabling or disabling a domain server” on page 135.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy. Click the Edit icon to modify the entry.

To add a domain server
1 Go to Server Policy > Server > Domain Server.
2 Click Create New.
A dialog appears.
3 Configure the following:
Note: Server health checks cannot be used with an individual domain server. If you want to monitor a server for responsiveness, you must group one or more domain servers into a server farm.


GUI item / Description
Name: Enter the name of the domain server.
Domain: Enter the domain name of the domain server.
4 Click OK.
To forward traffic from a virtual server to multiple domain servers, you must group the domain servers into a server farm. For more information, see “Grouping physical and domain servers into server farms” on page 135.
To apply the domain server, you must select it in a policy, or group it into a server farm that is selected in a policy. For details, see “Configuring server policies” on page 118.

Enabling or disabling a domain server
You can individually enable and disable domain servers. Disabled domain servers can be selected in a server farm, but will not be used when forwarding traffic.
By default, domain servers are enabled and the FortiWeb unit can forward traffic to them. To prevent traffic from being forwarded to a domain server, such as when the server will be unavailable for a long time due to repairs, you can disable the domain server. If the disabled domain server is a member of a load-balanced server farm, the FortiWeb unit will automatically forward connections to other enabled domain servers in the server farm. For XPath or WSDL content routed server farms, the FortiWeb unit will forward connections to the first domain server in the server farm.
Note: If the domain server is a member of a server farm and will be unavailable only temporarily, you can alternatively configure a server health check to automatically prevent the FortiWeb unit from forwarding traffic to that domain server when it is unresponsive. For details, see “Configuring server health checks” on page 143.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.
To enable or disable a domain server
1 Go to Server Policy > Server > Domain Server.
2 In the row corresponding to the domain server that you want to enable, mark the check box in the Enable column.
3 In the row corresponding to the domain server that you want to disable, clear the check box in the Enable column.
Caution: Disabling a domain server could block traffic matching policies in which you have selected the domain server, or selected a server farm in which the domain server is a member. For details, see “Configuring server policies” on page 118.

Grouping physical and domain servers into server farms
Server Policy > Server > Server Farm displays the list of server farms. You need to create physical or domain servers before you can create a working server farm.
Server farms define a group of physical and domain servers (real servers) among which the FortiWeb unit will distribute connections, or through which the connections will pass, depending on the FortiWeb unit’s operating mode. (Reverse proxy mode actively distributes connections; offline protection and both transparent modes do not.)


• Reverse Proxy mode: When the FortiWeb unit receives traffic destined for a virtual server, it can forward the traffic to a physical or domain server or a server farm. If you have configured the policy to forward traffic to a server farm, the connection is routed to one of the physical or domain servers in the server farm. Which of the physical or domain servers receives the connection depends on your configuration of load-balancing algorithm, weight, server health checking, or content routing by either XPath expressions, HTTP content or WSDL content routing.
To prevent traffic from being forwarded to unavailable real servers, the availability of physical and domain servers in a server farm can be verified using a server health check. Whether the FortiWeb unit will redistribute or drop the connection when a physical or domain server in a server farm is unavailable varies by the availability of other members and by your configuration of the Deployment Mode option in the policy. For details, see “Deployment Mode” on page 123.
• Offline protection/transparent modes: When the FortiWeb unit receives traffic destined for a virtual server or passing through a bridge, it allows the traffic to pass through to members of the server farm.
Server farms are applied by selecting them within a policy. For details, see “Configuring server policies” on page 118.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Table 51: Server Policy > Server > Server Farm tab
GUI item / Description
Create New: Click to add a server farm.
#: Displays the index number of the entry in the list.
Server Farm Name: Displays the name of the entry.
Physical Server Count: Displays the number of physical and domain servers that are members of the server farm.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy. Click the Edit icon to modify the entry.
Note: Before configuring a server farm, you must first configure the real servers that will be members of the server farm. For details, see “Configuring physical servers” on page 131.

To configure a server farm
1 Go to Server Policy > Server > Server Farm.


2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
A dialog appears.
3 Configure the following:
4 In Server Farm Name, type a name for the server farm.
This field cannot be modified if you are editing an existing server farm. To modify the name, delete the entry, then recreate it using the new name.
5 In Comments, type a description for the server farm.
6 From the Type list, select the method of distribution that the FortiWeb unit will use when forwarding connections to the real servers in this server farm.
If you select HTTP Content Routing from the Type list, continue with the next step. Otherwise, go to step 8.
7 In some cases, HTTP host names and URLs must be converted before HTTP content can be routed to a specific real server. For more information, see “Configuring HTTP conversion policy” on page 141.
8 Click OK.
9 Click Create New.
A dialog appears.


10 Configure the following:
GUI item / Description
ID: Enter the index number of the real server entry within the server farm, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number. The first real server will receive connections if you have configured XPath or WSDL content routing and the other server is unavailable. For round robin-style load-balancing, the index number indicates the order in which connections will be distributed.
Server Type: Select either Physical Server or Domain Server. For details, see “Configuring physical servers” on page 131 and “Configuring domain servers” on page 133.
Physical Server: If the server type is physical, select the name of a physical server that will be a member of the server farm.
Domain Server: If the server type is domain, select the name of a domain server that will be a member of the server farm.
Port: Type the TCP port number where the real server listens for connections.
Note: The remainder of the GUI items depend on the Type selected when initially creating the server farm.
Weight: If the server farm will be used with the weighted round-robin load-balancing algorithm, type the numerical weight of the real server. Real servers with a greater weight will receive a greater proportion of connections.
XPATH Expression: Click the icon to display a pop-up window that enables you to enter an XPath expression. HTTP requests with content matching this expression will be routed to this real server. Note: For web service connections, you can alternatively or additionally configure the WSDL Content Routing option.
WSDL Content Routing: Select the name of the WSDL content routing group, if any, that defines web services that will be routed to this real server. For information on configuring a WSDL content routing group, see “Configuring WSDL content routing groups” on page 173. Note: You can alternatively or additionally configure the XPATH Expression option.
HTTP Content Routing: Select the HTTP content routing policy to use to route HTTP requests to a specific real server in a server farm. For more information, see “Configuring HTTP content routing policy” on page 139.

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide138 Revision 10

http://docs.fortinet.com/ • Feedback

Server policy Configuring servers

FRh

If the server farm will be used with a policy whose Deployment Mode is Content Routing or WSDL Content Routing, place the real server that you want to be the failover first in the list of real servers in the server farm. In content routing or WSDL content routing, each server in the server farm may not host identical web services. If a real server is unresponsive to the server health check, the FortiWeb unit will forward subsequent connections to the first real server in the server farm, which will be considered to be the failover. Make sure the first real server can act as a backup for all other servers in the server farm.

11 Repeat the previous step for each real server that you want to add to the server farm.12 If you need to modify a real server, click its Edit icon. To remove a single real server

from the server farm, click its Delete icon. To remove all real servers from the server farm, click the Clear icon.

13 Click OK.To monitor members of the server farm for responsiveness, configure a server health check that will be used with the server farm. For details, see “Configuring server health checks” on page 143.To use a server farm as the destination for web or web services connections, select it when configuring a policy. For details, see “Configuring server policies” on page 118.

Configuring HTTP content routing policyServer Policy > Server > HTTP Content Routing Policy displays the HTTP Content Routing Policy window. An HTTP content routing policy protects the identify of internal host names or URLs used in a server farm by routing connections to the appropriate real servers. HTTP content routing is beneficial in cases where one virtual server provides the interface for many physical web servers. With content routing enabled, you can route web traffic according to URL or host. In some cases, HTTP requests must be converted before HTTP content routing can occur. For more information, see “Configuring HTTP conversion policy” on page 141.

SSL Enable if connections to the server use SSL, and if the FortiWeb unit is operating in a mode other than reverse proxy. Also configure Certificate File.Unlike HTTPS Service in policies, when you enable this option, the FortiWeb unit will not apply SSL. Instead, it will use the certificate to decrypt and scan connections before passing the encrypted traffic through to the web servers or clients.SSL 3.0, TLS 1.0, and TLS 1.1 are supported.Caution: You must enable either this option or HTTPS Service if the connection uses SSL. Failure to enable an SSL option and provide a certificate will result in the FortiWeb unit being unable to decrypt connections, and therefore unable to scan HTML or XML content.Note: When this option is enabled, the web server must be configured to apply SSL. The FortiWeb unit will use the certificate to decrypt and scan traffic only. It will not apply SSL to the connections.Note: Ephemeral (temporary key) Diffie-Hellman exchanges are not supported if the FortiWeb unit is operating in offline protection mode.

Certificate File Select the real server’s certificate that the FortiWeb unit will use when decrypting SSL-secured connections, or select Create New to upload a new certificate in a pop-up window, without leaving the current page. For more information, see “Uploading a certificate” on page 88.This option appears only if SSL is enabled.


To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Table 52: Server Policy > Server > HTTP Content Routing Policy tab

GUI item: Description

Create New: Click to add an HTTP content routing policy.

#: Displays the index number of the entry in the list.

Policy Name: Displays the name of the policy.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server farm or policy. Click the Edit icon to modify the entry.

To configure an HTTP content routing policy

1 Go to Server Policy > Server > HTTP Content Routing Policy.

2 Click Create New.

A dialog appears.

3 In Name, type the name of the HTTP content routing policy.

4 Configure the following:

GUI item: Description

Host status: Select to enable the Host field.

Host: Choose whether routing will be done based on a specific IP or Host. Enter the IP address or host of the real server used to route HTTP requests to. Leave this field empty if routing is to be done based only on the URL.

Type: Select the method used to match the URL upon which routing will take place. If matching is done according to Host, choose Regular Expression and add "\/" (a back slash and forward slash with no space between) in the URL pattern, such as \/example.

URL pattern: Enter the specific request file to be routed.

5 Click OK.


Below are two examples of how to use HTTP content routing.

Example 1 - HTTP content routing according to URL

Your network has one virtual server (front end) with three physical web servers (back end). The front-end server has the URL www.example.com. Its back-end applications are differentiated by directories, such as: /games, /school and /work.

The back-end servers were configured with the following IP addresses:

10.5.5.11 – games application
10.5.5.12 – school application
10.5.5.13 – work application

When HTTP content routing is enabled, HTTP requests to www.example.com/school are automatically routed to the appropriate back-end web server, 10.5.5.12. Similarly, requests for /games go to 10.5.5.11 and /work go to 10.5.5.13.

Example 2 - HTTP content routing according to Host

Your network has three different hosts (back end) that all terminate on the same virtual server IP address (front end). Requests need to be routed to different hosts at the back end.

The back-end hosts are configured as:

www.example1.com
www.example2.com
www.example3.com

When HTTP content routing is enabled, HTTP requests to www.example1.com are automatically routed to the appropriate back-end host.

Configuring HTTP conversion policy

Server Policy > Server > HTTP Content Conversion Policy displays existing conversion policies.

An HTTP conversion policy is used only in situations where HTTP requests received by the FortiWeb unit include a host name or URL that needs to be converted before the request is routed to a real server (forward conversion), or where the "Location" field in an HTTP response needs to be converted to a host name or URL (reverse conversion). This enables bidirectional conversion of URLs and host names for HTTP content routing. For more information, see “Configuring HTTP content routing policy” on page 139.

The HTTP conversion policy is used as part of configuring a server farm, which is in turn used as part of an overall server policy. For more information on server farm configuration, see “Grouping physical and domain servers into server farms” on page 135.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Caution: When configuring HTTP conversion policy, check to see whether there are any URL rewriting policies in use that might conflict with the HTTP conversion policy. If conflicts occur, the URL rewriting policy takes priority over the HTTP conversion policy. For more information on URL rewriting policy, see “Configuring URL rewriting policy” on page 244.
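The two content routing examples above (by URL and by Host) together with the forward and reverse conversion described in this section, as an added example that is not FortiWeb code: a small Python model of a routing policy and a conversion policy applied in the order the page states (conversion first, then routing). The class and function names, the prefix match used for the non-regex Type, and the constructed back end school.backend.example with path /app are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not FortiWeb code. RoutingRule models one HTTP content routing
# policy row (Host, Type, URL pattern); ConversionRule models one HTTP
# conversion policy row (Original/Destination URL and Host). All names are this
# example's own.


@dataclass
class RoutingRule:
    real_server: str            # real server that matching requests go to
    url_pattern: str            # "URL pattern" field
    regex: bool = False         # True when Type is Regular Expression
    host: Optional[str] = None  # "Host" field; None when Host status is disabled

    def matches(self, req_host: str, req_path: str) -> bool:
        if self.host is not None and req_host.lower() != self.host.lower():
            return False
        if self.regex:
            return re.match(self.url_pattern, req_path) is not None
        # Non-regex Type: assumed here to be a whole-segment path-prefix match.
        return _under(req_path, self.url_pattern)


@dataclass
class ConversionRule:
    original_host: str
    original_url: str
    destination_host: str
    destination_url: str


def _under(path: str, prefix: str) -> bool:
    """True when path equals prefix or lies below it (whole segments only)."""
    return path == prefix or path.startswith(prefix + "/")


def forward_convert(req_host: str, req_path: str,
                    rules: List[ConversionRule]) -> Tuple[str, str]:
    """Forward conversion: rewrite a request's Host and URL before routing."""
    for r in rules:
        if req_host.lower() == r.original_host.lower() and _under(req_path, r.original_url):
            return r.destination_host, r.destination_url + req_path[len(r.original_url):]
    return req_host, req_path


def reverse_convert(location: str, rules: List[ConversionRule]) -> str:
    """Reverse conversion: map a response's Location header back to the original
    host and URL so the back end's own name never reaches the client."""
    for r in rules:
        dest = f"http://{r.destination_host}{r.destination_url}"
        if _under(location, dest):
            return f"http://{r.original_host}{r.original_url}" + location[len(dest):]
    return location


def route(req_host: str, req_path: str, routing: List[RoutingRule],
          conversion: List[ConversionRule]) -> Optional[str]:
    """Conversion first, then the first matching routing rule. Returns None when
    no rule matches; what the unit does in that case is not described on this page."""
    host, path = forward_convert(req_host, req_path, conversion)
    for rule in routing:
        if rule.matches(host, path):
            return rule.real_server
    return None


# Example 1 from the page: one virtual server, three back ends chosen by URL.
EXAMPLE1_RULES = [
    RoutingRule("10.5.5.11", "/games"),
    RoutingRule("10.5.5.12", "/school"),
    RoutingRule("10.5.5.13", "/work"),
]

# Example 2 from the page: routing by Host, using Type = Regular Expression and
# the "\/" URL pattern that the Type field's description prescribes.
EXAMPLE2_RULES = [
    RoutingRule("www.example1.com", r"\/", regex=True, host="www.example1.com"),
    RoutingRule("www.example2.com", r"\/", regex=True, host="www.example2.com"),
    RoutingRule("www.example3.com", r"\/", regex=True, host="www.example3.com"),
]

# Constructed conversion policy (destination values are not from the page):
# www.example.com/school... becomes school.backend.example/app... before routing,
# and Location headers that point at the back end are mapped back.
CONVERSION = [
    ConversionRule("www.example.com", "/school", "school.backend.example", "/app"),
]

if __name__ == "__main__":
    print(route("www.example.com", "/school/index.php", EXAMPLE1_RULES, []))
    print(route("www.example2.com", "/", EXAMPLE2_RULES, []))
    print(forward_convert("www.example.com", "/school/login", CONVERSION))
    print(reverse_convert("http://school.backend.example/app/login", CONVERSION))
```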


Table 53: Server Policy > Server > HTTP Content Conversion Policy tab

GUI item: Description

Create New: Click to add an HTTP content conversion policy.

#: Displays the index number of the entry in the list.

Policy Name: Displays the name of the policy.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server farm or policy. Click the Edit icon to modify the entry.

To add an HTTP Content Conversion Policy

1 Go to Server Policy > Server > HTTP Content Conversion Policy.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.

A dialog appears.

3 In Name, type a name for the HTTP conversion policy. This field cannot be modified if you are editing an existing HTTP conversion policy. To modify the name, delete the entry, then recreate it using the new name.

4 Click OK.

5 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.

A dialog appears.

6 Configure the following:

GUI item: Description

ID: Enter the index number of the conversion policy, or keep the default value of auto to let the FortiWeb unit automatically assign the next available index number.

Conversion Method: Select the HTTP conversion method. The conversion method modifies the HTTP packet header information, depending on whether the packet is an HTTP request or an HTTP response.
• With Forward Conversion, the FortiWeb unit converts the original URL in the HTTP request packet to a specific destination URL on a destination host.
• With Reverse Conversion, the FortiWeb unit modifies the HTTP response packet to the original URL.

Original URL: Enter the URL from the original HTTP request packet. The original URL is part of the HTTP request packet. Depending on the HTTP conversion method, the Original URL is converted to a destination URL (forward conversion), or inserted as the location for HTTP response packets (reverse conversion).

Destination URL: Enter the URL to be used as the destination URL. The FortiWeb unit converts the Original URL value to the Destination URL.

Original Host: Enter the host name from the original HTTP request packet. The host name is contained in the Host: field in the HTTP request packet.

Destination Host: Enter the name of the destination host. The FortiWeb unit converts the Original Host value to the Destination Host.

7 Click OK.

Configuring server health checks

Server Policy > Server Health Check > Server Health Check displays the list of server health checks.

To create a policy that will include a server farm whose servers are monitored for responsiveness, you must first create a server health check to do the monitoring.


Server health checks poll real servers that are members of the server farm to determine their availability (that is, whether or not the server is responsive) before forwarding traffic. Server health check configurations can specify TCP, HTTP, or ICMP ECHO (ping). A health check occurs once every interval, which is a number of seconds that you configure. If a reply is not received within the timeout period, and you have configured the health check to retry, it will attempt the health check again; otherwise, the server is deemed unresponsive. The FortiWeb unit will compensate by disabling traffic to that server until it becomes responsive again.

Server health checks are applied by selecting them in a policy, for use with the entire server farm. For details, see “Configuring server policies” on page 118.

To view the status currently being detected by server health checks, use the Service Status widget on the dashboard. For details, see “Service Status widget” on page 49.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.
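The interval, timeout and retry behaviour described above, as an added example that is not FortiWeb code: a Python monitor that applies the Timeout, Retry Times and Interval settings to a farm of servers and withholds traffic from a server only after every attempt of a check has failed. The network probe is injected (a scripted stand-in here, so it runs offline); the class and function names and the sample latencies are this example's own.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Added example, not FortiWeb code: a constructed model of the server health
# check settings on this page (Protocol Type, URL Path, Timeout, Retry Times,
# Interval) and of the responsive/unresponsive decision described above. The
# probe is injected so the logic runs offline; a real monitor would open a TCP
# connection, send an HTTP GET for URL Path, or send an ICMP echo instead.

# A probe returns the reply latency in seconds, or raises when no reply arrives.
Probe = Callable[[str], float]


@dataclass
class HealthCheck:
    name: str
    protocol: str          # "Ping", "TCP" or "HTTP"
    interval: float        # seconds between scheduled checks of a server
    timeout: float         # seconds to wait for a reply before the attempt fails
    retry_times: int       # extra attempts after a failed one before giving up
    url_path: str = "/"    # used only when protocol is "HTTP"


@dataclass
class ServerState:
    responsive: bool = True          # traffic is forwarded only while True
    last_check: Optional[float] = None


class FarmMonitor:
    def __init__(self, check: HealthCheck, servers: List[str], probe: Probe):
        self.check = check
        self.probe = probe
        self.state: Dict[str, ServerState] = {s: ServerState() for s in servers}

    def _attempt(self, server: str) -> bool:
        """One probe; a reply that arrives after Timeout counts as no reply."""
        try:
            return self.probe(server) <= self.check.timeout
        except Exception:
            return False

    def run_check(self, server: str, now: float = 0.0) -> bool:
        """One scheduled check: the first attempt plus up to Retry Times retries.
        The server is deemed unresponsive only when every attempt fails, and it
        is put back into service as soon as a later check succeeds."""
        st = self.state[server]
        st.last_check = now
        st.responsive = any(self._attempt(server)
                            for _ in range(1 + self.check.retry_times))
        return st.responsive

    def tick(self, now: float) -> List[str]:
        """Run the check for each server whose Interval has elapsed at time now;
        returns the servers that were checked."""
        checked = []
        for server, st in self.state.items():
            if st.last_check is None or now - st.last_check >= self.check.interval:
                self.run_check(server, now)
                checked.append(server)
        return checked

    def available_servers(self) -> List[str]:
        """Servers the farm may currently forward traffic to."""
        return [s for s, st in self.state.items() if st.responsive]


def scripted_probe(script: Dict[str, List[Optional[float]]]) -> Probe:
    """Constructed stand-in for a network probe: each call consumes the next
    scripted latency for that server; None means the server never replied."""
    def probe(server: str) -> float:
        latency = script[server].pop(0)
        if latency is None:
            raise TimeoutError(f"no reply from {server}")
        return latency
    return probe


if __name__ == "__main__":
    check = HealthCheck("farm-check", "HTTP", interval=10, timeout=3,
                        retry_times=2, url_path="/index.html")
    # 10.5.5.12 misses its first check (no reply, slow reply, no reply) and
    # answers promptly on the next one; 10.5.5.11 always answers.
    probe = scripted_probe({"10.5.5.11": [0.1, 0.1],
                            "10.5.5.12": [None, 5.0, None, 0.2]})
    mon = FarmMonitor(check, ["10.5.5.11", "10.5.5.12"], probe)
    print(mon.tick(0), mon.available_servers())    # only 10.5.5.11 available
    print(mon.tick(10), mon.available_servers())   # both available again
```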

Table 54: Server Policy > Server Health Check > Server Health Check tab

GUI item: Description

Create New: Click to add a server health check.

#: Displays the index number of the entry in the list.

Name: Displays the name of the entry.

Type: Displays the protocol that the server health check will use to contact the real server.
• Disabled (the server health check is currently disabled)
• Ping
• TCP
• HTTP

Details: Displays the URL that will be used in the HTTP GET request if the server health check Type is HTTP. If the real server successfully returns this content, it is considered to be responsive.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server policy. Click the Edit icon to modify the entry.

Note: If a real server will be unavailable for a long period, such as when a server is undergoing hardware repair or when you have removed a server from the server farm, you may improve the performance of your FortiWeb unit by disabling the real server, rather than allowing the server health check to continue to check for responsiveness. For details, see “Configuring physical servers” on page 131.

To add a server health check

1 Go to Server Policy > Server Health Check > Server Health Check.

2 Click Create New.

A dialog appears.

Figure 28: Adding a server health check

3 In Name, type the name of the server health check.

4 From Protocol Type, select the protocol that the server health check will use to contact the real server, one of: Ping, TCP, or HTTP.

5 Configure the following:

GUI item: Description

URL Path: Enter the portion of the URL, such as /index.html, that follows the URL’s domain name or IP address portion. This path will be used in the HTTP GET request to verify the responsiveness of the server. If the real server successfully returns this content, it is considered to be responsive. This option appears only if Protocol Type is HTTP.

Timeout: Enter the number of seconds that the FortiWeb unit waits for a reply to a server health check before it counts that check as failed.

Retry Times: Enter the number of times, if any, a failed health check will be retried before the server is considered unresponsive.

Interval: Enter the number of seconds between each server health check.

6 Click OK.

To apply a server health check, select it when configuring a policy that uses a server farm. For details, see “Configuring server policies” on page 118.

Configuring services

Server Policy > Service displays predefined and custom services.

Services define protocols and TCP port numbers and can be selected in a policy to define the traffic that the policy will match. While some predefined services are available (see “Viewing the list of predefined services” on page 146), you may need to configure your own custom services if your virtual servers will receive traffic on non-standard TCP port numbers.

Before or during creating a policy, you must configure a service that defines the TCP port number where traffic destined for a virtual server will arrive. (Exceptions include policies whose Deployment Mode is Offline Protection, which do not require that you define a TCP port number using a service.) For details, see “Configuring server policies” on page 118.

Viewing the list of custom services

Server Policy > Service > Custom displays the list of custom services.


Custom services can be selected in a policy in order to define the protocol and listening port of a virtual server. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Table 55: Server Policy > Service > Custom tab

GUI item: Description

Create New: Click to add a custom service.

Service Name: Displays the name of the entry.

Detail: Displays the protocol and TCP port number of the service.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy. Click the Edit icon to modify the entry.

To add a custom service

1 Go to Server Policy > Service > Custom.

2 Click Create New.

A dialog appears.

3 Configure the following:

GUI item: Description

Name: Enter the name of the service.

Protocol: Only TCP is available.

Port: Enter the TCP port number of the service.

4 Click OK.

To use a custom service as the listening port of a virtual server, you must select it in a policy. For details, see “Configuring server policies” on page 118.

Viewing the list of predefined services

Server Policy > Service > Predefined displays the list of predefined services.

Predefined services can be selected in a policy in order to define the protocol and listening port of a virtual server. For details, see “Configuring server policies” on page 118.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Table 56: Server Policy > Service > Predefined tab

GUI item: Description

Name: Displays the name of the entry.

Detail: Displays the protocol and TCP port number of the service.

Configuring protected servers

Server Policy > Protected Servers > Protected Servers displays the list of protected server groups (also called a protected host group).

A protected server group contains one or more IP addresses or fully qualified domain names (FQDNs). Each entry in the protected server group defines a virtual or real web host, according to the Host: field in the HTTP header of requests from clients that you want the FortiWeb unit to protect.

For example, if your web servers receive requests with HTTP headers, such as

GET /index.php HTTP/1.1
Host: www.example.com

you might define a protected server group with an entry of www.example.com and select it in the policy. This would reject requests that are not for that host.

Note: A protected hosts group is usually not the same as a real server.

Unlike a real server, which is a single IP at the network layer, a protected server group should contain all network IPs, virtual IPs, and domain names that clients use to access the web server at the application (HTTP) layer.

For example, clients often access a web server via a public network such as the Internet. Therefore, the protected server group contains domain names, public IP addresses and public virtual IPs on a network edge router or firewall that are routable from that public network. But the physical server is only the IP address that the FortiWeb unit uses to forward traffic to the server and, therefore, is often a private network address (unless the FortiWeb unit is operating in offline protection or either of the transparent modes).

Protected server groups can be used by:
• policies
• input rules
• server protection exceptions
• start page rules
• page access rules
• IP list rules
• allowed method exceptions
• HTTP authentication rules
• hidden fields rules

These rules can use protected host definitions to apply rules only to requests for a protected host. If you do not specify a protected server group in the rule, the rule will be applied based upon other criteria such as the URL, but regardless of the Host: field.

Policies can use protected host definitions to block connections that are not destined for a protected host. If you do not select a protected server group in a policy, connections will be accepted or blocked regardless of the Host: field.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Table 57: Server Policy > Protected Servers > Protected Servers tab

GUI item: Description

Create New: Click to add a protected server group.

#: Displays the index number of the protected server group.

Name: Displays the name of the entry.

Protected Server Count: Displays the number of hosts contained in the protected server group.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy or other item. Click the Edit icon to modify the entry.

To add a protected server group

1 Go to Server Policy > Protected Servers > Protected Servers.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.

3 In Name, type the name of the protected server group. This field cannot be modified if you are editing an existing protected server group. To modify the name, delete the entry, then recreate it using the new name.

4 From Default Action, select whether to Accept or Deny HTTP requests that do not match any of the host definitions that you will add to this protected server group.

5 Click OK.

6 Click Create New.

A dialog appears.

7 Configure the following:

GUI item: Description

ID: Enter the index number of the host entry within the protected server group, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.

Host: Enter the IP address or FQDN of a real or virtual web host, according to the Host: field in HTTP requests, that you want the FortiWeb unit to protect. If clients connect to your web servers through the IP address of a virtual server on the FortiWeb unit, this should be the IP address of that virtual server or any domain name to which it resolves, not the actual IP address of the web server. For example, if a virtual server 10.0.0.1/24 forwards traffic to the physical server 192.168.1.1, for protected hosts, you would enter:
• 10.0.0.1, the address of the virtual server
• www.example.com, the domain name that resolves to the virtual server

Action: Select whether to Accept or Deny HTTP requests whose Host: field matches this host entry.

8 Repeat the previous step for each host that you want to add to the protected server group.

9 If you need to modify a host, click its Edit icon. To remove a single host from the protected server group, click its Delete icon. To remove all hosts from the protected server group, click the Clear icon.

10 Click OK.

To use a protected server group, you must select it in a policy, input rule, start page rule, page access rule, trusted IP rule, or hidden field rule. For details, see:
• “Configuring server policies” on page 118
• “Configuring parameter validation input rules” on page 194
• “Configuring page access rules” on page 198
• “Configuring start page rules” on page 213
• “Configuring URL access rules” on page 218
• “Configuring URL access policy” on page 216
• “Configuring allowed method exceptions” on page 237
• “Configuring hidden field rules” on page 241

Attack log messages contain DETECT_ALLOW_HOST_FAILED when this feature does not detect an allowed protected host name.
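The protected server group described in this section, as an added example that is not FortiWeb code: a Python model that reads the Host: field of a request, applies the group's Accept/Deny host entries and its Default Action, and emits the DETECT_ALLOW_HOST_FAILED tag the page names when no allowed host is detected. The host entries follow the page's 10.0.0.1 / www.example.com / 192.168.1.1 example; the extra old.example.com entry, the sample requests and the rest of the log line format are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not FortiWeb code: a constructed model of a protected server
# group as this section describes it, with host entries that Accept or Deny and
# a Default Action for Host: values that match no entry. DETECT_ALLOW_HOST_FAILED
# is the attack log tag the page names; the rest of the log line is this
# example's own format.


@dataclass
class HostEntry:
    host: str     # IP address or FQDN exactly as clients put it in Host:
    action: str   # "Accept" or "Deny"


@dataclass
class ProtectedServerGroup:
    name: str
    default_action: str      # "Accept" or "Deny"
    entries: List[HostEntry]


def host_header(raw_request: str) -> Optional[str]:
    """Return the Host: value of an HTTP request, lower-cased and without a :port
    suffix (so www.example.com and www.example.com:80 match the same entry).
    Returns None when the header is absent, as in an HTTP/1.0 request."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            value = value.strip()
            if value.startswith("["):             # [IPv6]:port form
                return value[1:value.index("]")].lower()
            return value.split(":", 1)[0].lower()
    return None


def evaluate(group: ProtectedServerGroup, raw_request: str) -> Tuple[str, Optional[str]]:
    """Apply the group to one request. Returns (action, attack log line or None).
    A log line is produced whenever the outcome is Deny, that is, whenever no
    allowed protected host was detected (an assumption based on the page's wording)."""
    host = host_header(raw_request)
    action = group.default_action
    if host is not None:
        for entry in group.entries:
            if entry.host.lower() == host:
                action = entry.action
                break
    log = None
    if action == "Deny":
        log = f"DETECT_ALLOW_HOST_FAILED group={group.name} host={host or '<missing>'}"
    return action, log


# The page's own example: clients reach the virtual server 10.0.0.1 or the name
# that resolves to it, never the physical server 192.168.1.1 behind the unit.
GROUP = ProtectedServerGroup(
    name="public-web",
    default_action="Deny",
    entries=[
        HostEntry("10.0.0.1", "Accept"),
        HostEntry("www.example.com", "Accept"),
        HostEntry("old.example.com", "Deny"),   # constructed: an explicit Deny entry
    ],
)

# Constructed sample requests.
REQUESTS = {
    "by name":       "GET /index.php HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "name + port":   "GET /index.php HTTP/1.1\r\nHost: WWW.EXAMPLE.COM:80\r\n\r\n",
    "by vip":        "GET /index.php HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n",
    "real server":   "GET /index.php HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n",
    "explicit deny": "GET /index.php HTTP/1.1\r\nHost: old.example.com\r\n\r\n",
    "no host":       "GET /index.php HTTP/1.0\r\nUser-Agent: probe\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print(f"{label:14} -> {evaluate(GROUP, req)}")
```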

Configuring predefined patterns

Predefined patterns are data types and rules that are used by input rules to define the data type of an input, and by auto-learning profiles to detect valid input parameters.

This section includes the following topics:
• Grouping predefined data types
• Viewing the list of predefined data types
• Grouping suspicious URLs
• Viewing predefined URL rules

Grouping predefined data types

Server Policy > Predefined Pattern > Data Type Group displays the list of data type groups.

A data type group defines which predefined data types (see “Viewing the list of predefined data types” on page 152) the FortiWeb unit will attempt to detect and track in input parameters when gathering data for an auto-learning report. For example, if you include the Email data type in the data type group, auto-learning profiles that use the data type group might discover that your web applications use a parameter named username whose value is an email address.

Data type groups are used by auto-learning profiles. For details, see “Applying auto-learning profiles” on page 278.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Table 58: Server Policy > Predefined Pattern > Data Type Group tab

GUI item: Description

Create New: Click to add a data type group.

#: Displays the index number of the data type group.

Name: Displays the name of the entry.

Count: Displays the number of predefined data types included in this data type group.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an auto-learning profile. Click the Edit icon to modify the entry.

Tip: If you know that your network’s HTTP sessions do not include a specific data type, omit it from the data type group to improve performance. The FortiWeb unit will not expend resources scanning traffic for that data type.

Note: Alternatively, you can automatically configure a data type group that includes all types by generating a default auto-learning profile. For details, see “Generating an auto-learning profile and its components” on page 281.

To add a data type group

1 Go to Server Policy > Predefined Pattern > Data Type Group.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.

A dialog appears.

3 In Name, type a name for the data type group. This field cannot be modified if you are editing an existing data type group. To modify the name, delete the entry, then recreate it using the new name.

4 For Type, enable the predefined data types that you want to include in the group. To view the regular expressions for the types of patterns that each data type will detect, see “Viewing the list of predefined data types” on page 152.

5 Click OK.


To use a data type group, select it when configuring an auto-learning profile. For details, see “Applying auto-learning profiles” on page 278.

Viewing the list of predefined data types

Server Policy > Predefined Pattern > Predefined Data Type displays the list of predefined data types.

You select predefined data types in data type groups, which are used by input rules to define the data type of an input, and by auto-learning profiles to detect valid input parameters. For details, see “Grouping predefined data types” on page 150.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Table 59: Server Policy > Predefined Pattern > Predefined Data Type tab

GUI item: Description

Name: Select the blue arrow beside a pattern to expand the entry and display the individual rules contained in the entry. Displays the name of the data type.
• Address: Canadian postal codes and United States ZIP code and ZIP + 4 codes.
• Canadian Post Code: Canadian postal codes such as K2H 7B8.
• CA Province Name and Abbrev: Modern and older names and abbreviations of Canadian provinces in English, as well as some abbreviations in French, such as Quebec, IPE, Sask, and Nunavut. Does not detect province names in French.
• CA Social Insurance Number: Canadian Social Insurance Numbers (SIN) such as 123-456-789.
• China Post Code: Chinese postal codes such as 610000.
• Country Name and Abbrev: Country names, codes, and abbreviations in English characters, such as CA, Cote d’Ivoire, Brazil, Russian Federation, and Brunei.
• Credit Card Number: American Express, Carte Blanche, Diners Club, enRoute, Japan Credit Bureau (JCB), Master Card, Novus, and Visa credit card numbers.
• Date/Time: Dates and times in various formats such as +13:45 for time zone offsets, 1:01 AM, 1am, 23:01:01, and 01.01.30 AM for times, and 31.01.2009, 31/01/2009, 01/31/2000, 2009-01-3, 31-01-2009, 1-31-2009, 01 Jan 2009, 01 JAN 2009, 20-Jan-2009 and February 29, 2009 for dates.
• Email: Email addresses such as [email protected].
• Level 1 Password: A string of at least 6 characters, with one or more each of lower-case characters, upper-case characters, and digits, such as aBc123. Level 1 passwords are “weak” passwords, generally easier to crack than level 2 passwords.
• Level 2 Password: A string of at least 8 characters, with one or more each of lower-case characters, upper-case characters, digits, and special characters, such as aBc123$%.
• Markup/Code: HTML comments, wiki code, hexadecimal HTML color codes, quoted strings in VBScript and ANSI SQL, SQL statements, and RTF bookmarks such as:
  • #00ccff, <!--A comment.-->
  • [link url="http://example.com/url?var=A&var2=B"]
  • SELECT * FROM TABLE
  • {\*\bkmkstart TagAmountText}
  Does not match ANSI escape codes, which are instead detected as strings.
• Numbers: Numbers in various monetary, decimal, comma-separated value (CSV) and other formats such as 123, +1.23, $1,234,567.89, 1'235.140, and -123.45e-6. Does not detect hexadecimal numbers, which are instead detected as strings or code, and social security numbers, which are instead detected as strings.
• Phone: Australian, United States, and Indian phone numbers in various formats such as (123)456-7890, 1.123.456.7890, 0732105432, and +919847444225.
• Strings: Character strings such as alphanumeric words, credit card numbers, United States social security numbers (SSN), UK vehicle registration numbers, ANSI escape codes, and hexadecimal numbers in formats such as user1, 123-45-6789, ABC 123 A, 4125632152365, [32mHello, and 8ECCA04F.
• URI: Uniform resource identifiers (URI) such as http://www.example.com, ftp://ftp.example.com, and mailto:[email protected].
• US Social Security Number: United States social security numbers (SSN) such as 123-45-6789.
• US State Name and Abbrev: United States state names and modern postal abbreviations such as HI and Wyoming. Does not detect older postal abbreviations such as Fl. or Wyo.
• US Zip Code: United States ZIP code and ZIP + 4 codes such as 34285-3210.

Remaining columns of the predefined data type table:

GUI item    Description
Pattern    Displays the regular expression that is used to detect the presence of the data type when you select the blue arrow beside a pattern. Parameter values must match the regular expression in order for an auto-learning profile to successfully detect the data type, or for an input rule to permit the input.
Description    Displays a description, shown when you select the blue arrow beside a pattern, that may include examples of values that match the regular expression.

Grouping suspicious URLs

Server Policy > Predefined Pattern > Suspicious URL Rule displays the list of suspicious URL groups.

A suspicious URL group selects a subset of one or more of the predefined suspicious URLs (see “Viewing predefined URL rules” on page 155). It can also include existing custom suspicious rules (see “Creating custom suspicious URLs” on page 157). Each entry in the suspicious URL group defines a type of URL. The FortiWeb unit considers HTTP requests for these administratively sensitive URLs to be possibly malicious when gathering data for an auto-learning profile.

HTTP requests for URLs typically associated with administrative access to your web applications or web server, for example, may be malicious if they originate from the Internet instead of your management LAN. You may want to discover such requests for the purpose of designing blacklist rules to protect your web server.

If you know that your network’s web servers are not vulnerable to a specific type of suspicious URL (for example, the URL is associated with attacks on Microsoft IIS web servers but all of your web servers are Apache web servers), omit it from the suspicious URL group to improve performance. The FortiWeb unit will not expend resources scanning traffic for that type of suspicious URL.

Suspicious URL groups are used by auto-learning profiles. For details, see “Applying auto-learning profiles” on page 278. Before creating an auto-learning profile for web protection, you must configure a suspicious URL group that defines which suspicious URL types the FortiWeb unit will attempt to detect.

Note: Alternatively, you can automatically configure a suspicious URL group that includes all suspicious URL rules by generating a default auto-learning profile. For details, see “Generating an auto-learning profile and its components” on page 281.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Table 60: Server Policy > Predefined Pattern > Suspicious URL Rule tab

GUI item    Description
Create New    Click to add a suspicious URL group.
#    Displays the index number of the suspicious URL group.
Name    Displays the name of the entry.
Count    Displays the number of predefined suspicious URL types included in this suspicious URL group. For details, see “Viewing predefined URL rules” on page 155.
(No column heading.)    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an auto-learning profile. Click the Edit icon to modify the entry.

To add a suspicious URL group
1 Go to Server Policy > Predefined Pattern > Suspicious URL Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type a name for the suspicious URL group. This field cannot be modified if you are editing an existing suspicious URL group. To modify the name, delete the entry, then recreate it using the new name.
4 Enable the predefined suspicious URL types that you want to detect:
• Apache
• IIS (Microsoft IIS)
• Tomcat (Apache Tomcat)
To view detailed descriptions of the types of patterns that each suspicious URL type will detect, see “Viewing predefined URL rules” on page 155. For better performance, clear the Server Type options that do not apply.
5 Optionally, from Custom Suspicious Rule, select an existing custom suspicious URL rule. For more information on creating custom suspicious URL rules, see “Creating custom suspicious URL rules” on page 158.
6 Click OK.
To use a suspicious URL group, select it when configuring an auto-learning profile. For details, see “Applying auto-learning profiles” on page 278.

Viewing predefined URL rules

Server Policy > Predefined Pattern > Predefined URL Rule displays the list of predefined suspicious URL types.

Predefined suspicious URL types are selected in suspicious URL groups, which are used by auto-learning profiles to detect malicious HTTP requests by URL. For details, see “Grouping suspicious URLs” on page 154.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Table 61: Server Policy > Predefined Pattern > Predefined URL Rule tab

GUI item    Description
Name    Displays the name of the suspicious URL type. Select the blue arrow beside a pattern to expand the entry and display the individual rules contained in the entry.
Pattern    Displays the regular expression that is used to detect the presence of the suspicious URL. The requested URL must match the regular expression in order for an auto-learning profile to successfully detect the suspicious URL.
Description    Displays a description that may include examples of values that match the regular expression.

Configuring custom patterns

Go to Server Policy > Custom Pattern to configure the custom data types and custom suspicious URL rules. This section contains the following topics:
• Creating custom data types
• Creating custom suspicious URLs
• Creating custom suspicious URL rules

Creating custom data types

Server Policy > Custom Pattern > Custom Data Type displays defined custom data types.

You can add custom data types to input rules to define the data type of an input, and to auto-learning profiles to detect valid input parameters. You can use both custom data types and predefined data types. For details about predefined data types, see “Viewing the list of predefined data types” on page 152.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Table 62: Server Policy > Custom Pattern > Custom Data Type tab

GUI item    Description
Create New    Click to add a custom data type.
#    Displays the index number of the custom data type.
Name    Displays the name of the entry.

To create a custom data type
1 Go to Server Policy > Custom Pattern > Custom Data Type.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type a name for the custom data type. This field cannot be modified if you are editing an existing custom data type. To modify the name, delete the entry, then recreate it using the new name.
4 In Expression, enter a regular expression that defines this data type. To test the regular expression against sample text, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
5 Click OK.
To use a custom data type, select it when configuring an input rule. For details, see “Configuring parameter validation input rules” on page 194.

Creating custom suspicious URLs

Server Policy > Custom Pattern > Custom Suspicious URL displays the list of custom suspicious URL types.

Configure custom suspicious URLs to augment the list of predefined suspicious URLs. You can add custom suspicious URLs to input rules, and to auto-learning profiles to detect valid input parameters. For details, see “Grouping suspicious URLs” on page 154.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Table 63: Server Policy > Custom Pattern > Custom Suspicious URL tab

GUI item    Description
Create New    Click to add a custom suspicious URL.
#    Displays the index number of the suspicious URL.
Name    Displays the name of the entry.

To create a custom suspicious URL
1 Go to Server Policy > Custom Pattern > Custom Suspicious URL.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type a name for the custom suspicious URL. This field cannot be modified if you are editing an existing custom suspicious URL. To modify the name, delete the entry, then recreate it using the new name.
4 In Expression, enter a regular expression that defines this suspicious URL. To test the regular expression against sample text, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
5 Click OK.
To use a custom suspicious URL, add it to a custom suspicious URL rule, add the rule to a suspicious URL rule, and then select that rule when configuring an auto-learning profile. For details, see “Applying auto-learning profiles” on page 278.

Creating custom suspicious URL rules

Server Policy > Custom Pattern > Custom Suspicious URL Rule displays the list of custom suspicious URL rules.

Custom suspicious URL rules are selected in URL rules, which are used by auto-learning profiles to detect malicious HTTP requests by URL. For details, see “Grouping suspicious URLs” on page 154.

To access this part of the web-based manager, your administrator's account access profile must have Read permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

Tip: Before you can create a custom suspicious URL rule, you must first define one or more custom suspicious URLs. See “Creating custom suspicious URLs” on page 157.

Table 64: Server Policy > Custom Pattern > Custom Suspicious URL Rule tab

GUI item    Description
Create New    Click to add a custom suspicious URL rule.
#    Displays the index number of the suspicious URL rule.
Name    Displays the name of the entry.

To create a custom suspicious URL rule
1 Go to Server Policy > Custom Pattern > Custom Suspicious URL Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type a name for the custom suspicious URL. This field cannot be modified if you are editing an existing custom suspicious URL. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New to add custom suspicious URLs to the rule, or click the Edit icon to change an existing rule. A dialog appears.
6 Select an existing suspicious URL name from the drop-down list.
7 Click OK.
To use a custom suspicious URL rule, add the rule to a suspicious URL rule, then select that rule when configuring an auto-learning profile. For details, see “Applying auto-learning profiles” on page 278.

Configuring custom application policies

Some web applications build URLs differently than expected by FortiWeb, which can cause FortiWeb to create incorrect auto-learning profiles. These “non-standard” URLs cause several issues:
• You cannot generate security rules based on the auto-learning profile, as it does not represent the application's structure.
• Endless URL/parameter learning consumes unnecessary resources.
• Auto-learning profiles are presented incorrectly.

For example, with Outlook Web App (OWA), every user has their user name as part of the URL. Thus FortiWeb auto-learning will continue to create new URLs as new users are added to the system. For this reason, auto-learning cannot create a true application structure, as these URLs will not produce enough hits. Example URLs:
www.example.com/owa/tom/index.html
www.example.com/owa/mark/index.html

To solve this kind of problem, FortiWeb lets you create application policy plug-ins that recognize the non-standard, customized applications and modify the URL information so that an auto-learning profile can work properly. In the above OWA case, you can extract the user directory and add it as a parameter value.

Custom application workflow
1 Create the custom application plug-ins (URL replacers). See “Configuring URL replacers” on page 160.
2 Add the application plug-ins to an application policy. See “Configuring application policies” on page 161.
3 Include the application policy in one or more auto-learning profiles. See “Applying auto-learning profiles” on page 278.
4 Include the auto-learning profiles in server policies. See “Configuring server policies” on page 118.

Configuring URL replacers

A URL replacer defines how to modify the non-standard request URLs. Use the replacer in the custom application policies. See “Custom application workflow” on page 160.

To access this part of the web-based manager, your administrator's account access profile must have Read permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

To create a URL replacer
1 Go to Server Policy > Custom Application > URL Replacer.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, enter a name for the plug-in.
4 Select one of the two types. For Predefined, only JSP is supported in the current release. For Custom-Defined, enter the following information:
• In URL Path, enter the regular expression used to match the request URL in the HTTP header. To test the regular expression against sample text, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
• In New URL, enter the new URL string to be sent to the auto-learning module that uses the plug-in.
• In Param Change, enter the new parameter’s value string.
• In New Param, enter the new parameter’s name string.
5 Click OK.

Two examples follow.

Example one
The HTTP request URL from a client is /app/login.asp;jsessionid=xxx;p1=111;p2=123?p3=5555&p4=66aaaaa, which is a JSP application type. When you create the URL replacer, if you select JSP as the predefined application type, the JSP plug-in changes the URL to /app/login.asp?p4=66aaaaa with three extra parameters: p1=111, p2=123 and p3=5555.

Example two
If the HTTP request URL from a client is /tom/login.asp and you created the following URL replacer:
Type: Custom-Defined
URL Path: ^/(.*)/(.*)$
New URL: /$1
Param Change: $0
New Param: username
then the URL is changed to /login.asp with an extra parameter: username=tom.

Configuring application policies

After you create a URL replacer (see “Configuring URL replacers” on page 160), you can create an application policy that uses the replacer. In turn, include it in an auto-learning profile. See “Custom application workflow” on page 160.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “About permissions” on page 80.

To create a custom application policy
1 Go to Server Policy > Custom Application > Application Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
3 Enter a name for the policy and click OK. A dialog appears.
4 Click Create New to create an application rule.
5 Enter an ID for the rule or leave auto as default.
6 Set the priority level of the rule. Type the order of evaluation for this rule in the group, starting from 0. To create an entry with the highest match priority, enter 0. For lower-priority matches, enter higher numbers.
Note: Rule order affects URL replacer plug-in matching and behavior. The search begins with the smallest priority number (greatest priority) rule in the list and progresses in order towards the largest number in the list. Matching rules are determined by comparing the rule and the connection’s content. If no rule matches, the connection remains unchanged. When the FortiWeb unit finds a matching rule, it applies the matching rule's specified actions to the connection.
7 Select the rule type. Currently, you can only select URL Replacer.
8 Select a plug-in/URL replacer from the drop-down list. If there is no URL replacer in the list, you must create one first.
9 Click OK.
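As an added example, not FortiWeb code, the following Python models a Custom-Defined URL replacer (example two under “Configuring URL replacers”) and the priority-ordered rule matching of an application policy described in step 6 above. Capture groups are numbered as the guide's example two implies ($0 is the first group, $1 the second); the OWA replacer fields and the handling of a query string are assumptions, since the guide gives only the example URLs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Added example, not FortiWeb code: a Custom-Defined URL replacer with the
# fields the guide names (URL Path, New URL, Param Change, New Param).
@dataclass
class UrlReplacer:
    name: str
    url_path: str      # regular expression matched against the request URL path
    new_url: str       # template for the rewritten URL; may use $0, $1, ...
    param_change: str  # template for the value of the added parameter
    new_param: str     # name of the added parameter


def _expand(template: str, match: "re.Match") -> str:
    """Replace $N with capture group N+1: the guide's example two maps $0 to
    the first group (tom) and $1 to the second (login.asp)."""
    def group(m: "re.Match") -> str:
        idx = int(m.group(1)) + 1
        if idx > len(match.groups()):
            raise ValueError(f"${m.group(1)} refers to a group that does not exist")
        return match.group(idx) or ""
    return re.sub(r"\$(\d+)", group, template)


def apply_replacer(rep: UrlReplacer, url: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (new URL, {New Param: value}) if URL Path matches, else None.
    Assumption: only the path is matched and an existing query string is
    carried over unchanged; the guide's examples show no query string."""
    path, sep, query = url.partition("?")
    m = re.match(rep.url_path, path)
    if m is None:
        return None
    new_path = _expand(rep.new_url, m)
    return new_path + sep + query, {rep.new_param: _expand(rep.param_change, m)}


@dataclass
class ApplicationRule:
    priority: int          # 0 is evaluated first, higher numbers later
    replacer: UrlReplacer


def apply_policy(rules: List[ApplicationRule], url: str) -> Tuple[str, Dict[str, str]]:
    """Evaluate rules from the smallest priority number upwards and apply the
    first replacer whose URL Path matches. With no match the URL is returned
    unchanged, as the guide states for application policies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        result = apply_replacer(rule.replacer, url)
        if result is not None:
            return result
    return url, {}


# The guide's example two: /tom/login.asp -> /login.asp with username=tom.
# Note that ^/(.*)/(.*)$ matches any path with two or more slashes, so as a
# low-priority rule it can rewrite unrelated requests.
EXAMPLE_TWO = UrlReplacer("example-two", r"^/(.*)/(.*)$", "/$1", "$0", "username")

# The OWA case from the guide written as a replacer (constructed here; the
# guide shows only the URLs). Anchoring on /owa/ and using [^/]+ keeps it
# from matching other applications' paths.
OWA = UrlReplacer("owa-user", r"^/owa/([^/]+)/(.*)$", "/owa/$1", "$0", "username")

POLICY = [ApplicationRule(0, OWA), ApplicationRule(1, EXAMPLE_TWO)]

if __name__ == "__main__":
    print(apply_replacer(EXAMPLE_TWO, "/tom/login.asp"))
    for u in ("/owa/tom/index.html", "/owa/mark/index.html", "/index.html"):
        print(u, "->", apply_policy(POLICY, u))
```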


XML protection

This chapter describes the XML protection menu. It contains features that act upon HTTP requests with XML content, such as AJAX (JavaScript that uses the XMLHttpRequest object), RSS, and SOAP connections.

This chapter includes the following topics:
• Configuring protection schedules
• Configuring content filter rules
• Configuring intrusion prevention rules
• Configuring WSDL content routing groups
• Managing XML signature and encryption keys
• Managing schema files
• Managing WSDL files
• Configuring XML protection profiles

XML protection profile workflow

The creation of an XML protection profile involves multiple activities. The number and sequence of steps depends on what you wish to achieve. All steps are optional, though some steps have dependencies on others.
• Create one or more schedules if you intend to include content filters in your profile. See “Configuring protection schedules” on page 163.
• Create one or more content filters. See “Configuring content filter rules” on page 166.
• Create one or more intrusion filters. See “Configuring intrusion prevention rules” on page 170.
• Load one or more schema files. See “Managing schema files” on page 178.
• Load one or more web service definition language (WSDL) files (see “Managing WSDL files” on page 181). To configure protection for a web service, you also must configure an XML web service group (see “Grouping WSDL files” on page 183). You can also route the web service to a specific server in a server farm (see “Configuring WSDL content routing groups” on page 173).
• Import a key file and then create a key management profile to add XML signature validation, XML encryption, or XML decryption to your profile. See “Managing XML signature and encryption keys” on page 175.
• After you complete the applicable previous activities, configure one or more XML protection profiles. See “Configuring XML protection profiles” on page 184.

Configuring protection schedules

The XML Protection > Schedule menu enables you to view and configure protection schedules for one-time or recurring use.

Note: For information on the IETF RFC, W3C standards and IEEE standards supported by this version of FortiWeb, see “Appendix A: Supported RFCs, W3C and IEEE standards” on page 395.

Configure a schedule to define when a content filter rule will apply. For example, a FortiWeb unit might be configured with a content filter rule that uses a one-time schedule to block access to the web service during an emergency maintenance period. For details, see “Configuring content filter rules” on page 166.

This section includes the following topics:
• Configuring one-time schedules
• Configuring recurring schedules

Configuring one-time schedules

XML Protection > Schedule > One Time displays the list of schedules that run once for a specified period of time.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.

Table 65: XML Protection > Schedule > One Time tab

GUI item    Description
Create New    Click to add a one-time schedule.
#    Displays the index number of the entry in the list.
Name    Displays the name of the entry.
Start    Displays the time and date that the schedule will begin.
End    Displays the time and date that the schedule will stop.
(No column heading.)    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a content filter rule. Click the Edit icon to modify the entry.

To create a one-time schedule
1 Go to XML Protection > Schedule > One Time.
2 Click Create New. A dialog appears that enables you to specify the time and duration of the schedule.
3 In Name, type the name of the schedule.
4 In the Start row, select the date and time that the schedule will begin.
5 In the End row, select the date and time that the schedule will end.
6 Click OK.
To apply a schedule, select it as the period when configuring a content filter rule. For more information, see “Configuring content filter rules” on page 166.

Configuring recurring schedules

XML Protection > Schedule > Recurring displays the list of schedules that run repeatedly at the specified times and days of the week.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.

Note: A recurring schedule with a stop time that occurs before the start time starts at the start time and finishes at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. To create a recurring schedule that runs for 24 hours, set the start and stop times to the same time.

Table 66: XML Protection > Schedule > Recurring tab

GUI item    Description
Create New    Click to add a recurring schedule.
#    Displays the index number of the entry in the list.
Name    Displays the name of the entry.
Start    Displays the time that the schedule will begin.
End    Displays the time that the schedule will stop.
Day    Displays the days of the week when the schedule runs.
(No column heading.)    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a content filter rule. Click the Edit icon to modify the entry.

To create a recurring schedule
1 Go to XML Protection > Schedule > Recurring.
2 Click Create New. A dialog appears that enables you to specify the time and duration of the schedule, and the days of the week during which the schedule will apply.
3 In Name, type the name of the schedule.
4 In the Start row, select the time that the schedule will begin.
5 In the End row, select the time that the schedule will end.
6 In the Day row, select the days of the week when the schedule runs.
7 Click OK.
To apply a schedule, select it as the period when configuring a content filter rule. For more information, see “Configuring content filter rules” on page 166.

Configuring content filter rules

XML Protection > Content Filter > Content Filter displays the list of filter rules that can be applied to XML traffic.

Content filter rules contain one or more individual rules that each accept or block and/or log specific XML content that matches their XPath expression and time schedule.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.

Tip: Before you can create an effective content filter, you must first define a schedule. See “Configuring protection schedules” on page 163.

Table 67: XML Protection > Content Filter > Content Filter tab

GUI item DescriptionCreate New Click to add a content filter rule.

# Displays the index number of the entry in the list.

Name Displays the name of the entry.Select the blue arrow to expand the entry, displaying the individual rules contained in the entry.

ID Displays the index number of the content filter. For details, see “How priority affects content filter rule matching” on page 169.

Period Displays the schedule that defines when this content filter will apply. For details, see “Configuring protection schedules” on page 163.

IP Range Lists the client IP address or IP address range that apply, if specified.

DeleteEdit

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide166 Revision 10

http://docs.fortinet.com/ • Feedback

XML protection Configuring content filter rules

FRh

To create a content filter rule1 Go to XML Protection > Content Filter > Content Filter.2 Click Create New.

A dialog appears that enables you to specify the content filter rule.

3 In Name, type the name of the content filter rule.This field cannot be modified if you are editing an existing content filter rule. To modify the name, delete the entry, then recreate it using the new name.

4 In Comments, type a description for the content filter rule.5 Click OK.

XPATH Expression Displays the XPath expression that matches web service content to which the action is applied.

Action Displays the action that the FortiWeb unit will take when content matches XPATH Expression. For details on how the action interacts with ID to determine which content filter rules will be applied, see “How priority affects content filter rule matching” on page 169.• Accept: Accept the connection.• Alert: Accept the connection and generate an alert and/or log message.

For more information on logging and alerts, see “Configuring and enabling logging” on page 323.

• Deny: Block the connection.• Alert & Deny: Block the connection and generate an alert and/or log

message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.

Enable Mark the check box to enable use of the content filter rule. For details, see “Enabling or disabling a content filter rule” on page 169.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile.Click the Edit icon to modify the entry.

DeleteEdit

Clear

ortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guideevision 10 167ttp://docs.fortinet.com/ • Feedback

Configuring content filter rules XML protection

6 Click Create New.A dialog appears.

7 Configure the following:

8 Repeat the previous steps for each content filter that you want to add to the content filter rule.

9 If you need to modify a content filter, click its Edit icon. To remove a single content filter from the content filter rule, click its Delete icon. To remove all content filters from the content filter rule, click the Clear icon.

GUI item DescriptionID Enter the index number of the content filter, or keep the field’s default

value of auto to let the FortiWeb unit automatically assign the next available index number.The number must be between 1 and 99,999 and must be unique for each content filter.

Priority Enter the order of evaluation for this content filter, starting from 0.To enter a content filter with the highest match priority, enter 0. For lower-priority matches, enter higher numbers.Note: Content filter rule order affects content filter rule matching and behavior. For details, see “How priority affects content filter rule matching” on page 169.

Period Select the existing schedule that defines when this content filter will be applicable. For details, see “Configuring protection schedules” on page 163.

IP Range If this content filter should not apply to all IP addresses, enter a client IP address or IP address range.

XPATH Expression Click the Edit icon. A dialog appears. Enter an XPath expression that matches web service content to which the action will be applied, or enter the expression directly into this field.The maximum length of the expression is 1000 characters.

Action Select the action that the FortiWeb unit will take when content matches XPATH Expression. For details on how action interacts with ID to determine which content filter rules will be applied, see “How priority affects content filter rule matching” on page 169.• Accept: Accept the connection.• Alert: Accept the connection and generate an alert and/or log

message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.

• Deny: Block the connection.• Alert & Deny: Block the connection and generate an alert and/or log

message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.

Edit

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide168 Revision 10

http://docs.fortinet.com/ • Feedback

XML protection Configuring content filter rules

FRh

10 Click OK.
To apply the content filter rule, select it in an XML protection profile that is selected in a policy. For more information, see “Configuring XML protection profiles” on page 184.

How priority affects content filter rule matching
Each time a connection attempt matches a policy that uses an XML protection profile, the FortiWeb unit searches that policy’s protection profile’s content filter rule list for a matching content filter rule. The search begins with the lowest priority number (greatest priority) content filter rule in the list and progresses in order towards the highest number. A content filter rule matches when its XPath expression matches the connection’s web service content. If no content filter rule matches, the connection is dropped.

When the FortiWeb unit finds a matching content filter rule, it applies that rule’s action to the connection. If the action is:
• Alert: The FortiWeb unit applies the action, then evaluates the next content filter rule for a match.
• Accept or Deny: The FortiWeb unit applies the action and disregards all lower priority rules.

As a general rule, arrange the list of content filter rules from most specific to most general, because evaluation stops at the first matching rule whose action is Accept or Deny. Once the connection is accepted or denied, subsequent possible matches are neither considered nor applied. Ordering content filter rules from most specific to most general prevents content filter rules that match a wide range of traffic and whose action is Accept or Deny from superseding, and effectively masking, other content filter rules whose action is Alert, or that match exceptions.
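The evaluation order described above, as an added example written for this page and not FortiWeb code: a small Python evaluator that sorts rules by ID, raises an alert and continues on Alert, stops on Accept or Deny, and drops a request that matches no rule. The namespace map, the rule set and the SOAP requests are constructed for the example; the XPath expressions are written in the subset that xml.etree.ElementTree supports (relative paths beginning with .// rather than //); and treating Alert & Deny as a deny that also raises an alert is an assumption, since the text above only describes Alert, Accept and Deny.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Assumed prefix-to-namespace map for the XPath expressions below.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "bank": "urn:example:bank",
}


@dataclass(order=True)
class Rule:
    id: int            # ID column: a lower number is a higher priority
    xpath: str         # XPATH Expression, in the ElementTree subset (".//", not "//")
    action: str        # "Accept", "Alert", "Deny" or "Alert & Deny"
    enabled: bool = True


@dataclass
class Verdict:
    action: str                                   # final disposition
    matched: list = field(default_factory=list)   # IDs of every rule that matched
    alerts: list = field(default_factory=list)    # IDs that generated an alert


def evaluate(rules, request: bytes) -> Verdict:
    """Walk the rule list in priority order and return the disposition."""
    root = ET.fromstring(request)
    verdict = Verdict(action="Deny")   # no match at all: the page says the connection is dropped
    for rule in sorted(rules):         # lowest ID first
        if not rule.enabled or not root.findall(rule.xpath, namespaces=NS):
            continue
        verdict.matched.append(rule.id)
        if rule.action == "Alert":
            verdict.alerts.append(rule.id)
            continue                   # alert, then keep evaluating lower-priority rules
        if rule.action == "Alert & Deny":   # assumption: alerts, then stops like Deny
            verdict.alerts.append(rule.id)
            verdict.action = "Deny"
        else:
            verdict.action = rule.action   # Accept or Deny: lower-priority rules are ignored
        return verdict
    return verdict


def soap(body_xml: str) -> bytes:
    """Wrap a body fragment in a constructed SOAP 1.1 envelope."""
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            "<soap:Body>" + body_xml + "</soap:Body></soap:Envelope>").encode()


BALANCE_REQUEST = soap('<GetBalance xmlns="urn:example:bank"><accountId>42</accountId></GetBalance>')
RESET_REQUEST = soap('<ResetPassword xmlns="urn:example:bank"><user>admin</user></ResetPassword>')
TRANSFER_REQUEST = soap('<Transfer xmlns="urn:example:bank"><amount>10</amount></Transfer>')

# Specific rules before general ones, as the text recommends.
RULES = [
    Rule(10, ".//soap:Body/*", "Alert"),          # log every operation, keep evaluating
    Rule(20, ".//bank:ResetPassword", "Deny"),    # never let a password reset through
    Rule(30, ".//bank:GetBalance", "Accept"),     # the only operation explicitly allowed
]

# The ordering mistake the text warns about: a broad Accept with a lower ID
# supersedes, and so masks, the Deny for ResetPassword.
MASKING_RULES = [Rule(5, ".//soap:Body", "Accept")] + RULES


if __name__ == "__main__":
    for label, req in [("balance", BALANCE_REQUEST), ("reset", RESET_REQUEST), ("transfer", TRANSFER_REQUEST)]:
        print(label, evaluate(RULES, req))
    print("reset with masking rule set", evaluate(MASKING_RULES, RESET_REQUEST))
```

With RULES, the balance request is logged by rule 10 and accepted by rule 30, the reset request is logged and then denied by rule 20, and the transfer request is logged but matches no Accept or Deny rule, so it is dropped. With MASKING_RULES the broad Accept at ID 5 ends evaluation before rule 20 is reached, which is exactly the masking the ordering advice exists to prevent.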

Enabling or disabling a content filter rule
You can individually enable and disable content filter rules. Disabled content filter rules can be selected in an XML protection profile, but will not be used when applying the protection profile.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.

Note: Because match evaluation continues until either the content filter rule list is exhausted or the connection is accepted or denied, multiple content filter rules can be applied to one connection.

Caution: Disabling a content filter rule could allow traffic that matches policies whose XML protection profile selects that content filter rule. For details, see “Configuring XML protection profiles” on page 184.


To enable or disable a content filter rule
1 Go to XML Protection > Content Filter > Content Filter.

2 In the row corresponding to the content filter rule that you want to enable, mark the check box in the Enable column.

3 In the row corresponding to the content filter rule that you want to disable, clear the check box in the Enable column.

Configuring intrusion prevention rules
XML Protection > Intrusion Filters > Intrusion Filters displays the list of intrusion prevention rules.

Intrusion prevention rules define data constraints for XML elements, enabling you to prevent use of element depths, data types, and lengths that could be used to execute attacks such as oversized payloads, recursive payloads, and buffer overflows.

Intrusion prevention rules are applied by selecting them in an XML protection profile. For details, see “Configuring XML protection profiles” on page 184.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.
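As an added example of what such constraints enforce (this is not FortiWeb code), the following Python applies limits named after fields in the intrusion prevention rule dialog (Max Elements, Max Element Depth, Max Name Length, Max Attributions, Max Attributions Per Element, Max Attribution Value Length, Max Namespace Declarations, Max Text Node Length, Max Text Node Ratio and Allow DTDs) while expat streams the request, so an oversized or recursive payload is rejected as soon as a limit is crossed rather than after the whole document has been built. The default limit values and the sample requests are constructed for the example; the remaining dialog fields (Max Text Nodes, Max CData, Max CData Length, Max Character Reference, Max PIs, Max Gen Entity Reference, Max Namespace Declarations per Element) are not modelled and would be added with further expat handlers in the same way.

```python
import xml.parsers.expat
from dataclasses import dataclass


@dataclass
class Limits:
    """One intrusion prevention rule; names follow the rule dialog, values are example defaults."""
    max_elements: int = 100
    max_element_depth: int = 8
    max_name_length: int = 64
    max_attributions: int = 50
    max_attributions_per_element: int = 8
    max_attribution_value_length: int = 256
    max_namespace_declarations: int = 10
    max_text_node_length: int = 1024
    max_text_node_ratio: float = 4.0   # T/(D-T): D = request size, T = text node size
    allow_dtds: bool = False


class XmlIntrusion(Exception):
    """Raised with the name of the constraint the request violated."""


def check_request(body: bytes, limits: Limits) -> dict:
    """Stream-parse body, enforcing limits as nodes arrive; return the measured counts."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    total = len(body)
    counts = {"elements": 0, "depth": 0, "attributes": 0, "ns_decls": 0, "text_nodes": 0}
    depth, pending = 0, []        # current nesting depth; chunks of the current text node

    def bound(value, limit, name):
        if value > limit:
            raise XmlIntrusion(name)

    def local(name):              # expat delivers "uri local" for namespaced names
        return name.rsplit(" ", 1)[-1]

    def flush_text():
        # expat may split one text node across callbacks, and whitespace
        # between elements is layout rather than a text node
        text = "".join(pending)
        pending.clear()
        if not text.strip():
            return
        counts["text_nodes"] += 1
        size = len(text.encode())
        bound(size, limits.max_text_node_length, "Max Text Node Length")
        bound(size / max(total - size, 1), limits.max_text_node_ratio, "Max Text Node Ratio")

    def start_element(name, attrs):
        nonlocal depth
        flush_text()
        counts["elements"] += 1
        bound(counts["elements"], limits.max_elements, "Max Elements")
        depth += 1
        counts["depth"] = max(counts["depth"], depth)
        bound(depth, limits.max_element_depth, "Max Element Depth")
        bound(len(local(name)), limits.max_name_length, "Max Name Length")
        bound(len(attrs), limits.max_attributions_per_element, "Max Attributions Per Element")
        counts["attributes"] += len(attrs)
        bound(counts["attributes"], limits.max_attributions, "Max Attributions")
        for attr, value in attrs.items():
            bound(len(local(attr)), limits.max_name_length, "Max Name Length")
            bound(len(value), limits.max_attribution_value_length, "Max Attribution Value Length")

    def end_element(name):
        nonlocal depth
        flush_text()
        depth -= 1

    def start_ns(prefix, uri):
        counts["ns_decls"] += 1
        bound(counts["ns_decls"], limits.max_namespace_declarations, "Max Namespace Declarations")

    def doctype(name, sysid, pubid, has_internal_subset):
        if not limits.allow_dtds:   # no DTD means no entity expansion and no external entities
            raise XmlIntrusion("Allow DTDs")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = pending.append
    parser.StartNamespaceDeclHandler = start_ns
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlIntrusion("malformed XML: %s" % exc) from None
    return counts


def violation(body: bytes, limits: Limits = Limits()):
    """Name of the first violated constraint, or None when the request passes."""
    try:
        check_request(body, limits)
    except XmlIntrusion as exc:
        return str(exc)
    return None


# Constructed sample requests.
BENIGN = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetBalance xmlns="urn:example:bank" currency="EUR">
      <accountId>42</accountId>
    </GetBalance>
  </soap:Body>
</soap:Envelope>"""
RECURSIVE = b"<a>" * 50 + b"<b/>" + b"</a>" * 50                       # recursive payload
MANY_ATTRS = b"<a " + b" ".join(b'k%d="v"' % i for i in range(20)) + b"/>"
OVERSIZED = b"<a>" + b"x" * 900 + b"</a>"                              # one text node dominates
WITH_DTD = b'<!DOCTYPE a [<!ENTITY x "y">]><a>&x;</a>'                 # entity expansion needs a DTD
```

The benign request passes with four elements at depth four, one attribute, two namespace declarations and one text node. The recursive payload is rejected at the ninth nested element, before the remaining forty-one are ever parsed; the attribute flood fails on the per-element limit; the oversized request is within Max Text Node Length but fails Max Text Node Ratio, because 900 bytes of text against 7 bytes of markup gives T/(D-T) of about 128; and the DOCTYPE is refused outright unless the rule allows DTDs, which is why Allow DTDs is the one constraint here that is a switch rather than a number.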

Table 68: XML Protection > Intrusion Filters > Intrusion Filters tab

Create New
    Click to add an intrusion prevention rule.
#
    Displays the index number of the entry in the list.
Name
    Displays the name of the entry.
Max Elements
    Displays the maximum number of XML elements to allow in a single request.
Max Element Depth
    Displays the maximum depth of XML elements to allow in the tree of a single request.
Max Name Length
    Displays the maximum length to allow for the name of any XML element, attribute or namespace.
Max Attributions
    Displays the maximum number of attributes to allow in a single request.
Max Attributions Per Element
    Displays the maximum number of attributes to allow for any XML element.
Max Attribution Value Length
    Displays the maximum length of the value to allow for any attribute of any XML element.
Allow DTDs
    Indicates whether or not use of document type definitions (DTDs) is allowed.
Enable
    Mark the check box to enable use of the intrusion prevention rule. For details, see “Enabling or disabling an intrusion prevention rule” on page 172.
(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile.
    Click the Edit icon to modify the entry.

To create an intrusion prevention rule
1 Go to XML Protection > Intrusion Filters > Intrusion Filters.
2 Click Create New.
A dialog appears that enables you to enter constraints on the types and lengths of allowed data.
3 Configure the following:

Name
    Enter a name for the intrusion prevention rule.
Max Elements
    Enter the maximum number of XML elements to allow in a single request.
Max Element Depth
    Enter the maximum depth of XML elements to allow in the tree of a single request.
Max Name Length
    Enter the maximum length to allow for the name of any XML element, attribute or namespace.
Max Attributions
    Enter the maximum number of attributes to allow in a single request.
Max Attributions Per Element
    Enter the maximum number of attributes to allow for any XML element.
Max Attribution Value Length
    Enter the maximum length of the value to allow for any attribute of any XML element.
Max Namespace Declarations
    Enter the maximum number of XML namespace (XMLNS) declarations to allow in a single request.
Max Namespace Declarations per Element
    Enter the maximum number of XML namespace (XMLNS) declarations to allow for any XML element.
Max Text Nodes
    Enter the maximum number of text nodes to allow in a single request.
Max Text Node Length
    Enter the maximum length to allow for any text node.
Max Text Node Ratio
    Enter the maximum size ratio to allow for any text node, where the size ratio is T/(D-T), D is the total size of the request and T is the size of the text node.
Max CData
    Enter the maximum number of character data (CDATA) sections to allow in a single request.
Max CData Length
    Enter the maximum length of the value to allow for any character data (CDATA) section in a single request.
Max Character Reference
    Enter the maximum number of character entity references to allow in a single request.
Max PIs
    Enter the maximum number of processing instructions (PIs) to allow in a single request.
Max Gen Entity Reference
    Enter the maximum number of general entity references to allow in a single request.
Allow DTDs
    Enable to allow use of document type definitions (DTDs). Unlike W3C XML Schema scanning, DTD scanning is currently not supported, and therefore inclusion of DTDs can only be allowed or denied as a whole.
Comments
    Enter a description for the intrusion prevention rule.

4 Click OK.
To apply the intrusion prevention rule, select it in an XML protection profile that is selected in a policy. For more information, see “Configuring XML protection profiles” on page 184.

Enabling or disabling an intrusion prevention rule
You can individually enable and disable intrusion prevention rules. Disabled intrusion prevention rules can be selected in an XML protection profile, but will not be used when applying the protection profile.

Caution: Disabling an intrusion prevention rule could allow traffic that matches policies whose XML protection profile selects that intrusion prevention rule. For details, see “Configuring XML protection profiles” on page 184.


To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.

To enable or disable an intrusion prevention rule
1 Go to XML Protection > Intrusion Filters > Intrusion Filters.

2 In the row corresponding to the intrusion prevention rule that you want to enable, mark the check box in the Enable column.

3 In the row corresponding to the intrusion prevention rule that you want to disable, clear the check box in the Enable column.

Configuring WSDL content routing groups
XML Protection > WSDL Routing > WSDL Routing displays the list of WSDL content routing groups.

WSDL content routing groups select a set of web service operations from WSDL files that you can then route to a specific real server when configuring a server farm.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.

Tip: Before you can create an effective WSDL content routing group, you must first import a web service definition file. See “Managing WSDL files” on page 181.

Table 69: XML Protection > WSDL Routing > WSDL Routing tab

Create New
    Click to add a WSDL content routing group.
#
    Displays the index number of the entry in the list.
Name
    Displays the name of the entry.
Routing Table Count
    Displays the names of the WSDL files that are used by the WSDL content routing group.
(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server farm.
    Click the Edit icon to modify the entry.


To create a WSDL content routing group
1 Go to XML Protection > WSDL Routing > WSDL Routing.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
A dialog appears.
3 In Name, type the name of the content routing group.
This field cannot be modified if you are editing an existing content routing group. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.
6 Configure the following:

ID
    Enter the index number of the WSDL operation within the content routing group, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.
Web Service
    Select the name of a WSDL file that you uploaded.
Operation
    Select the name of an operation within the WSDL file you selected. HTTP requests containing this WSDL operation will be routed to a real server in the server farm using this WSDL content routing group.

7 Repeat the previous steps for each WSDL operation that you want to add to the content routing group.
8 If you need to modify a WSDL operation, click its Edit icon. To remove a single WSDL operation from the content routing group, click its Delete icon. To remove all WSDL operations from the content routing group, click the Clear icon.
9 Click OK.
To apply a content routing group, select it as the content that will be destined for a specific real server when configuring a server farm. For more information, see “Grouping physical and domain servers into server farms” on page 135.

Managing XML signature and encryption keys
Key files contain a key: seed data that an algorithm uses to apply and verify XML signatures and/or to encrypt or decrypt XML elements. Keys are not used directly, but must first be added to a key management group, which you then select in an XML protection profile. For details, see “Grouping keys into key management groups” on page 176.

Uploading a key
XML Protection > XML Sig/Enc > Key File displays keys already uploaded to the FortiWeb unit that may be used in a key management group.

If you want to configure XML protection profiles that will apply or validate XML signatures, or apply XML encryption or decryption, you must first upload a key file.

To access this part of the web-based manager, your administrator’s account access profile must have Read permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.

Table 70: XML Protection > XML Sig/Enc > Key File tab

Import
    Click to upload a key file. For details, see “Uploading a key” on page 175.
#
    Displays the index number of the entry in the list.
Name
    Displays the name of the entry.
Comments
    Displays the description of the entry.
(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a key management group.

Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded files may not exceed 12 MB.

To upload a key file
1 Go to XML Protection > XML Sig/Enc > Key File.
2 Click Import.
A dialog appears.
3 In Name, enter a descriptive name.
4 In Key File, enter the file name in the field or click Browse to locate and select the key file that you want to upload.
5 In Comments, type a description for the key file.
6 Click OK.
The file is uploaded from your management computer. The time required varies by the size of the file and the speed of your network connection.
7 After uploading key files, before you can use a key in a protection profile, you must first add the key to a key management group. For details, see “Grouping keys into key management groups” on page 176.

Grouping keys into key management groups
XML Protection > XML Sig/Enc > Key Management displays the list of key management groups.

Key management groups pair cryptographic algorithms with keys, and may be selected when configuring the FortiWeb unit to use XML signatures, XML encryption or XML decryption in an XML protection profile.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.

Tip: Before you can create a key management group, you must first upload one or more key files. For details, see “Uploading a key” on page 175.

Table 71: XML Protection > XML Sig/Enc > Key Management tab

Create New
    Click to add a key management group.
#
    Displays the index number of the entry in the list.
Name
    Displays the name of the entry.
Key File Count
    Displays the number of keys used by the key management group.
(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile.
    Click the Edit icon to modify the entry.

To create a key management group
1 Go to XML Protection > XML Sig/Enc > Key Management.
2 Click Create New.
A dialog appears that enables you to add members to the key management group.
3 In Name, type the name of the key management group.
This field cannot be modified if you are editing an existing key management group. To modify the name, delete the entry, then recreate it using the new name.
4 In Comments, type a description for the key management group.
5 Click OK.
6 Click Create New.
A dialog appears.
7 Configure the following:

ID
    Enter the index number of the key file and algorithm combination within the key management group, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.
Key File
    Select the name of a key file that you uploaded.
Algo
    Select the name of the encryption algorithm that you want to use with that key. For algorithms whose name includes a key size in bits (for example, 128, 192, or 256), a larger number indicates stronger encryption, but may increase load on the FortiWeb unit.

8 Repeat the previous steps for each key file and algorithm combination that you want to add to the key management group.
9 If you need to modify an entry, click its Edit icon. To remove a single entry from the group, click its Delete icon. To remove all entries from the group, click the Clear icon.
10 Click OK.
To apply a key management group, select it when configuring XML encryption or decryption in an XML protection profile. For more information, see “Configuring XML protection profiles” on page 184.

Managing schema files
XML Protection > Load Schema > Load Schema displays the list of XML schema files already uploaded to the FortiWeb unit.

Schema files are used by the Schema Validation option in XML protection profiles. For details, see “Schema Validation” on page 187.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.

Note: Failing to upload a schema file could block traffic that matches policies whose XML protection profile has the Schema Validation option enabled, because the FortiWeb unit may not be able to perform schema validation. For details, see “Schema Validation” on page 187.

Table 72: XML Protection > Load Schema > Load Schema tab

Load New
    Click to upload an uncompressed XML schema file. For details, see “Managing schema files” on page 178.
Load ZIP
    Click to upload a ZIP-compressed XML schema file. For details, see “Managing schema files” on page 178.
#
    Displays the index number of the entry in the list.
Name
    Displays the name of the entry.
Validated
    Indicates whether or not the schema file has been successfully validated. If the schema has been uploaded but not yet validated, you can click the Edit icon in the right-most column to validate it.
Comments
    Displays the description of the entry.
Enable
    Mark the check box to enable use of the schema file if you have enabled Schema Validation. For details, see “Enabling or disabling a schema file” on page 180.
(No column heading.)
    Click the Delete icon to remove the schema. This option does not appear for the default schemas (RSS 2.0, UBL 1.0, and UBL 2.0).
    Click the Edit icon to validate the schema. For details, see “Managing schema files” on page 178. This option does not appear for the default schemas.
    Click the View icon to display the contents of the schema file in a pop-up window.

Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded files may not exceed 12 MB.

To upload a schema file
1 Go to XML Protection > Load Schema > Load Schema.
2 Click either Load New to upload an uncompressed schema file, or Load ZIP to upload a schema file that is compressed within a ZIP file.
An upload dialog appears whose appearance varies slightly by whether you are uploading a compressed or uncompressed schema.

Figure 29: Uploading an uncompressed schema

Figure 30: Uploading a compressed schema

3 In Name, type the name of the schema.
4 In Schema File or Schema ZIP File, enter a file name in the field or click Browse to locate and select the schema file that you want to upload.
5 In Comments, type a description for the schema.
6 Click OK.
The file is uploaded from your management computer. The time required varies by the size of the file and the speed of your network connection.
7 If you uploaded a compressed schema file, select the root file of the schema from the Schema File List area, and click the right arrow.
8 Click OK.
The FortiWeb unit validates the root schema file and all child schema files. If a schema is not successfully validated, such as when a compressed schema is too large, an error message appears. You may select a different root schema file and attempt the validation again immediately, or validate the schema at another time by clicking its Edit icon in the list of schema files. The FortiWeb unit will not use the schema until it is validated.
To use the schema to validate requests, you must enable the Schema Validation option in an XML protection profile used by a policy. For details, see “Schema Validation” on page 187.

Enabling or disabling a schema file
You can individually enable and disable schema files that you uploaded to the FortiWeb unit. Disabled schema files will not be used when performing schema validation.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.

Note: Disabling a schema file could block traffic that matches policies whose XML protection profile has the Schema Validation option enabled, because the FortiWeb unit may not be able to perform schema validation. For details, see “Schema Validation” on page 187.

To enable or disable a schema file
1 Go to XML Protection > Load Schema > Load Schema.
2 In the row corresponding to the schema file that you want to enable, mark the check box in the Enable column.
3 In the row corresponding to the schema file that you want to disable, clear the check box in the Enable column.

Managing WSDL files
XML Protection > Load WSDL > Load WSDL displays the list of web service definition language (WSDL) files that have been uploaded to the FortiWeb unit.

If you want to configure protection profiles that will prevent WSDL scans and/or validate web service actions, you should first upload the WSDL file that defines the acceptable actions for your web services.

WSDL files cannot be used directly. They must instead be added to an XML web service group in order to be selected for use with the WSDL Verify option in an XML protection profile, or added to a WSDL content routing group in order to be routed to a specific server in a server farm. For details, see “Grouping WSDL files” on page 183 and “Configuring WSDL content routing groups” on page 173.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.

Caution: Failing to upload a WSDL file could allow traffic that matches policies whose XML protection profile has the WSDL Verify option enabled, because the FortiWeb unit will not be able to perform WSDL verification. For details, see “WSDL Verify” on page 187.

Table 73: XML Protection > Load WSDL > Load WSDL tab

Import
    Click to upload a WSDL file.
#
    Displays the index number of the entry in the list.
Name
    Displays the name of the entry.
Operations
    Displays the web service operations defined in the WSDL file.
(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an XML web service group.
    Click the Edit icon to view details of the entry, or to individually enable or disable web service operations defined in the WSDL file. For details, see “Enabling and disabling operations in a WSDL file” on page 182.

Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded files may not exceed 12 MB.

To upload a WSDL file
1 Go to XML Protection > Load WSDL > Load WSDL.
2 Click Import.
A dialog appears.
3 In Name, type the name of the WSDL file.
4 In WSDL File, enter a WSDL file name in the field or click Browse to locate and select the WSDL file that you want to upload.
5 Click OK.
The FortiWeb unit validates the WSDL file. If valid, the file is uploaded from your management computer. The time required varies by the size of the file and the speed of your network connection.

After uploading WSDL files, you can use them in either:
• a WSDL content routing group (see “Configuring WSDL content routing groups” on page 173)
• an XML protection profile
In order to use WSDL files in an XML protection profile, you must first create an XML web service group. For more information, see “Grouping WSDL files” on page 183.
You can also individually enable or disable web service operations within each WSDL file. For more information, see “Enabling and disabling operations in a WSDL file” on page 182.

Enabling and disabling operations in a WSDL file
In addition to individually enabling or disabling WSDL files, you can individually enable or disable the web service operations that are defined within each WSDL file.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.

Caution: Disabling a web service operation could allow traffic that matches policies whose XML protection profile has the WSDL Verify option enabled, because the FortiWeb unit will not be able to perform full WSDL verification. For details, see “WSDL Verify” on page 187.

To enable or disable a web service operation
1 Go to XML Protection > Load WSDL > Load WSDL.
2 In the row corresponding to the WSDL file that contains the web service operation that you want to enable or disable, click the Edit icon.
A dialog appears that displays the schema namespace URL, the web service URL, and each web service operation that is defined in the WSDL file.
3 In each row corresponding to a web service operation that you want to enable, mark the check box in the Enable column.
4 In each row corresponding to a web service operation that you want to disable, clear the check box in the Enable column.
5 Click OK.
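The WSDL content routing groups described earlier in this chapter and the per-operation Enable check box above, as one added Python example that is not FortiWeb code: it reads the operations and their input elements out of a WSDL 1.1 file, then, for a SOAP request, denies an operation that the WSDL does not define or that has been disabled (the checks behind WSDL Verify) and otherwise returns the real server that the routing group maps the operation to. The WSDL, the requests, the enabled set and the server addresses are constructed for the example; how the appliance treats an enabled operation that has no routing group entry is not stated on this page, and here it simply returns no specific server.

```python
import io
import xml.etree.ElementTree as ET

WSDL_NS = "{http://schemas.xmlsoap.org/wsdl/}"
SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"

# Constructed WSDL 1.1 document standing in for an uploaded WSDL file.
BANK_WSDL = b"""<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="urn:example:bank" targetNamespace="urn:example:bank">
  <message name="GetBalanceIn"><part name="body" element="tns:GetBalance"/></message>
  <message name="TransferIn"><part name="body" element="tns:Transfer"/></message>
  <message name="ResetPasswordIn"><part name="body" element="tns:ResetPassword"/></message>
  <portType name="BankPort">
    <operation name="GetBalance"><input message="tns:GetBalanceIn"/></operation>
    <operation name="Transfer"><input message="tns:TransferIn"/></operation>
    <operation name="ResetPassword"><input message="tns:ResetPasswordIn"/></operation>
  </portType>
</definitions>"""


def load_wsdl(wsdl: bytes) -> dict:
    """Map each operation name to the qualified element name of its input message."""
    prefixes, root = {}, None
    # iterparse reports xmlns declarations, which the built tree discards; they are
    # needed to resolve the tns: prefix used in element= and message= references.
    for event, value in ET.iterparse(io.BytesIO(wsdl), events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[value[0]] = value[1]
        elif root is None:
            root = value

    def qualify(ref: str) -> str:
        prefix, _, local_name = ref.rpartition(":")
        uri = prefixes.get(prefix, "")
        return "{%s}%s" % (uri, local_name) if uri else local_name

    messages = {}
    for msg in root.iter(WSDL_NS + "message"):
        part = msg.find(WSDL_NS + "part")
        if part is not None and part.get("element"):
            messages[msg.get("name")] = qualify(part.get("element"))
    operations = {}
    for op in root.iter(WSDL_NS + "operation"):
        inp = op.find(WSDL_NS + "input")
        msg_name = inp.get("message", "").rpartition(":")[2] if inp is not None else ""
        if msg_name in messages:            # portType operations carry the message reference
            operations[op.get("name")] = messages[msg_name]
    return operations


def dispatch(request: bytes, operations: dict, enabled: set, routes: dict):
    """WSDL Verify plus content routing for one SOAP request.

    Denies an operation the WSDL does not define or that is disabled; otherwise
    returns the real server the routing group maps the operation to (None when the
    operation has no routing entry, left to the server farm's normal selection).
    """
    body = ET.fromstring(request).find(SOAP_BODY)
    if body is None or len(body) == 0:
        return ("deny", "no SOAP body")
    by_element = {qname: name for name, qname in operations.items()}
    op = by_element.get(body[0].tag)
    if op is None:
        return ("deny", "operation not defined in WSDL")
    if op not in enabled:
        return ("deny", "operation %s is disabled" % op)
    return ("route", routes.get(op))


def soap(body_xml: str) -> bytes:
    """Wrap a body fragment in a constructed SOAP 1.1 envelope."""
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            "<soap:Body>" + body_xml + "</soap:Body></soap:Envelope>").encode()


OPERATIONS = load_wsdl(BANK_WSDL)
ENABLED = {"GetBalance", "Transfer"}        # ResetPassword left unchecked in the WSDL file's Enable column
ROUTES = {"GetBalance": "10.0.0.11", "Transfer": "10.0.0.12"}   # assumed real servers

if __name__ == "__main__":
    for fragment in ('<GetBalance xmlns="urn:example:bank"/>',
                     '<ResetPassword xmlns="urn:example:bank"/>',
                     '<Foo xmlns="urn:example:bank"/>'):
        print(fragment, "->", dispatch(soap(fragment), OPERATIONS, ENABLED, ROUTES))
```

Matching is done on the qualified name of the first child of the SOAP Body, which is how a document/literal request identifies its operation; an element with the right local name but the wrong namespace is therefore not defined in the WSDL and is denied, which is the behaviour you want from verification that is meant to stop probing for undocumented operations.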

Grouping WSDL files
XML Protection > Load WSDL > XML Web Service Group displays the list of groups of web service definition language (WSDL) files already uploaded to the FortiWeb unit.

XML web service groups are used by the WSDL Verify option in XML protection profiles. For details, see “WSDL Verify” on page 187.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.

Tip: Before you can create a web service group, you must first import one or more WSDL files. See “Managing WSDL files” on page 181.

Table 74: XML Protection > Load WSDL > XML Web Service Group tab

Create New
    Click to add an XML web service group.
#
    Displays the index number of the entry in the list.
Name
    Displays the name of the entry.
Web Services
    Displays the WSDL files that are members of the group.
(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an XML protection profile.
    Click the Edit icon to modify the entry.

To create an XML web service group
1 Go to XML Protection > Load WSDL > XML Web Service Group.
2 Click Create New.
A dialog appears that enables you to select WSDL files to be members of the XML web service group.
3 In Name, type the name of the XML web service group.
4 In Comments, type a description for the XML web service group.
5 In the Web Services area, click Add.
6 From the Web Service drop-down list, select the name of a WSDL file that you want to be a member of this group.
7 Repeat the previous two steps for each additional member.
8 Click OK.
To use the XML web service group to validate requests, you must enable the WSDL Verify option when editing an XML protection profile, then select the web service group from the drop-down list. Lastly, you must configure a server policy to include the profile. For details, see “WSDL Verify” on page 187 and “Web Service” on page 187.

Configuring XML protection profiles
XML Protection > XML Protection Profile > XML Protection Profile displays a list of XML protection profiles.

Protection profiles are a set of attack protection settings. When a connection matches a policy, the FortiWeb unit applies the protection profile selected for that policy.

Protection profiles are applied by selecting them within a server policy. For details, see “Configuring server policies” on page 118.

Note: XML protection profiles can be configured at any time, but can be selected in a policy only while the FortiWeb unit is operating in a mode that supports them. For details, see Table 45, “Policy behavior by operation mode,” on page 119.


Use SNMP traps to notify you when an XML protection profile has been enforced. For details, see “Configuring an SNMP community” on page 68.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see “About permissions” on page 80.

Table 75: XML Protection > XML Protection Profile > XML Protection Profile tab

GUI item - Description
Create New - Click to add an XML protection profile.
# - Displays the index number of the entry in the list.
Name - Displays the name of the entry.
Intrusion Prevention Rule - Displays the name of the intrusion prevention rule used by this XML protection profile.
Filter Rule - Displays the name of the content filter rule used by this XML protection profile.
Schema Validation - Indicates whether or not schema validation is enabled for traffic matching the policy. If you have disabled the schema file or have not uploaded it to the FortiWeb unit, results of schema validation vary by whether you have also enabled WSDL Verify.
• If this option is enabled, WSDL Verify is enabled, and the schema file does not exist or is disabled, the schema validator will allow the connection.
• If this option is enabled, WSDL Verify is disabled, and the schema file does not exist or is disabled, the schema validator will block the connection.
Schema Poisoning - Indicates whether or not external schema reference prevention is enabled, thereby preventing schema poisoning attacks for traffic matching the policy.
WSDL Scanning Prevention - Indicates whether or not WSDL scanning prevention is enabled for traffic matching the policy.
External Entity Attack Prevention - Indicates whether or not external entity attack prevention is enabled for traffic matching the policy.
Delete / Edit (no column heading) - Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server policy. Click the Edit icon to modify the entry.

Tip: Before you can create an effective profile, you need to configure one or more XML protection features. See “XML protection profile workflow” on page 163.

To create an XML protection profile
1 Go to XML Protection > XML Protection Profile > XML Protection Profile.


2 Click Create New.
A dialog appears that enables you to configure the XML protection profile.
3 Configure the following:

GUI item - Description
Name - Enter the name of the XML protection profile.
Intrusion Prevention Rule - Select an existing intrusion prevention rule. For details, see “Configuring intrusion prevention rules” on page 170.
Filter Rule - Select an existing content filter rule. For details, see “Configuring content filter rules” on page 166.


Schema Validation - Enable to validate the schema for traffic matching the policy. This option may require that you first upload a schema file to the FortiWeb unit, and enable it.
• If this option is enabled, WSDL Verify is enabled, and the schema file does not exist or is disabled, the schema validator will allow the connection.
• If this option is enabled, WSDL Verify is disabled, and the schema file does not exist or is disabled, the schema validator will block the connection.
For details on uploading a schema file, see “Managing schema files” on page 178.
Schema Poisoning - Enable to prevent external schema references, thereby preventing schema poisoning attacks, for traffic matching the policy. For security reasons, this option does not permit schema referencing by URL, and requires that you upload a schema. For details, see “Managing schema files” on page 178.
External Entity Attack Prevention - Enable to prevent external entity attacks for traffic matching the policy.
WSDL Scanning Prevention - Enable to prevent WSDL scanning for traffic matching the policy.
WSDL Verify - Enable to verify that, for traffic matching the policy, the connection uses web service operations that are valid for that web service according to the WSDL file. This option requires that you first upload a WSDL file to the FortiWeb unit. See “Managing WSDL files” on page 181.
WSDL verify action - This option appears only if WSDL Verify is enabled. Select the action that the FortiWeb unit will take if the connection fails WSDL verification.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
Web Service - This option appears only if WSDL Verify is enabled. Select the XML web service group to use for verification of the request, or select Create New to create a new XML web service group in a pop-up window, without leaving the current page. For details, see “Grouping WSDL files” on page 183. To create a group, you first need to upload a WSDL file. See “Managing WSDL files” on page 181.
XML SIG - Enable to validate XML signatures for forward traffic. Also configure XML SIG action and Key Info. For the XML signature specification, see http://www.w3.org/TR/xmldsig-core/.
XML SIG action - This option appears only if XML SIG is enabled. Select the action that the FortiWeb unit will take if the forward traffic fails XML signature verification.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
XML ENC - Enable to decrypt XML for forward traffic. Also configure XML ENC action and Key Info. For the XML encryption/decryption specification, see http://www.w3.org/TR/xmlenc-core/.


XML ENC action - This option appears only if XML ENC is enabled. Select the action that the FortiWeb unit will take if the forward traffic fails XML decryption.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
Key Info - This option appears only if XML SIG is enabled. Select an existing key management group to use for XML signature verification and/or decryption of forward traffic. For details, see “Grouping keys into key management groups” on page 176.
XML reverse SIG - Enable to sign reply traffic with XML signatures. Also configure XML reverse SIG key and XML reverse SIG XPATH. For the XML signature specification, see http://www.w3.org/TR/xmldsig-core/.
XML reverse SIG key - This option appears only if XML reverse SIG is enabled. Select which key management group will be used for XML signing of reply traffic, or select Create New to upload a new key management group in a pop-up window, without leaving the current page. For details, see “Grouping keys into key management groups” on page 176.
XML reverse SIG XPATH - This option appears only if XML reverse SIG is enabled. Click the Edit icon and enter an XPath expression that matches XML elements in reply traffic to which you want to apply XML signatures.
XML reverse ENC - Enable to encrypt XML reply traffic. Also configure XML reverse ENC key and XML reverse ENC XPATH. For the XML encryption/decryption specification, see http://www.w3.org/TR/xmlenc-core/.
XML reverse ENC key - This option appears only if XML reverse ENC is enabled. Select which key management group will be used for XML encryption of reply traffic, or select Create New to upload a new key management group in a pop-up window, without leaving the current page. For details, see “Grouping keys into key management groups” on page 176.
XML reverse ENC XPATH - This option appears only if XML reverse ENC is enabled. Click the Edit icon and enter an XPath expression that matches XML elements in reply traffic to which you want to apply XML encryption.
SQL Injection Prevention - Enable to prevent SQL injection attacks by blocking requests that contain SQL statements.
SQL Injection Prevention Action - This option appears only if SQL Injection Prevention is enabled. Select the action that the FortiWeb unit will take if the connection contains SQL statements.
• Accept: Accept the connection.
• Alert: Accept the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
• Deny: Block the connection.
• Alert & Deny: Block the connection and generate an alert and/or log message. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
Non-XML traffic - Enable to accept HTTP requests that do not contain Content-Type: text/xml in the HTTP header. This may be required if the web service uses representational state transfer (REST) instead of SOAP. Disable to reject non-XML HTTP requests.
Comments - Enter a description for the XML protection profile.

4 Click OK.
To apply an XML protection profile, you must select it in a policy. For details, see “Configuring server policies” on page 118.
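The following Python program is an added example, not FortiWeb code, showing how four of the options above interact when applied to one request: Non-XML traffic decides whether a request without Content-Type: text/xml is accepted at all; External Entity Attack Prevention and Schema Poisoning reject bodies that declare external entities or reference a schema by URL; and Schema Validation with no usable schema file allows or blocks the connection depending on WSDL Verify, exactly as the two bullets in the table state. The XmlProfile flag names, the sample bodies and the rule that malformed XML is blocked are this example's own assumptions.

```python
# Added example (not FortiWeb code): reference checks for the Non-XML traffic,
# External Entity Attack Prevention, Schema Poisoning and Schema Validation /
# WSDL Verify options described in the table above. All names are assumptions.
import xml.parsers.expat
from dataclasses import dataclass, field
from urllib.parse import urlsplit

REMOTE_SCHEMES = ("http", "https", "ftp", "file")


@dataclass
class XmlProfile:
    non_xml_traffic: bool = False                   # accept requests without text/xml
    external_entity_attack_prevention: bool = False
    schema_poisoning: bool = False                  # reject schema references by URL
    schema_validation: bool = False
    schema_file_available: bool = False             # schema file uploaded and enabled
    wsdl_verify: bool = False


@dataclass
class Findings:
    well_formed: bool = True
    external_entities: list = field(default_factory=list)    # (name, system/public id)
    external_schema_refs: list = field(default_factory=list)


def inspect_xml(body: bytes) -> Findings:
    """Record DTD and schemaLocation facts. No ExternalEntityRefHandler is
    installed, so expat skips external references instead of fetching them."""
    found = Findings()
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:                          # external DTD subset
            found.external_entities.append(("DOCTYPE", sysid or pubid))

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:                          # <!ENTITY name SYSTEM "...">
            found.external_entities.append((name, sysid or pubid))

    def start_element(name, attrs):
        for attr, value in attrs.items():
            local = attr.rsplit(" ", 1)[-1]         # drop the namespace URI part
            tokens = value.split()
            if local == "schemaLocation":           # (namespace, location) pairs
                locations = tokens[1::2]
            elif local == "noNamespaceSchemaLocation":
                locations = tokens
            else:
                continue
            found.external_schema_refs += [t for t in locations
                                           if urlsplit(t).scheme in REMOTE_SCHEMES]

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError:
        found.well_formed = False
    return found


def evaluate(profile: XmlProfile, content_type: str, body: bytes):
    """Return ("accept" | "block", [reasons]) for one forward request."""
    if "text/xml" not in content_type.lower():
        if profile.non_xml_traffic:
            return "accept", ["non-XML request allowed (Non-XML traffic enabled)"]
        return "block", ["non-XML request rejected (Non-XML traffic disabled)"]
    found = inspect_xml(body)
    if not found.well_formed:                       # assumption: malformed XML is blocked
        return "block", ["body is not well-formed XML"]
    reasons = []
    if profile.external_entity_attack_prevention and found.external_entities:
        reasons.append("external entity: %r" % found.external_entities)
    if profile.schema_poisoning and found.external_schema_refs:
        reasons.append("external schema reference: %r" % found.external_schema_refs)
    # Schema Validation with no usable schema file: the connection is allowed
    # only when WSDL Verify is also enabled, as the two bullets above state.
    if profile.schema_validation and not profile.schema_file_available \
            and not profile.wsdl_verify:
        reasons.append("schema file missing or disabled and WSDL Verify disabled")
    return ("block" if reasons else "accept"), reasons


# Constructed sample bodies (not captured traffic).
CLEAN = b'''<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getQuote><symbol>ACME</symbol></getQuote></soap:Body>
</soap:Envelope>'''
EXTERNAL_ENTITY = b'''<?xml version="1.0"?>
<!DOCTYPE getQuote [ <!ENTITY ext SYSTEM "file:///placeholder-local-file"> ]>
<getQuote><symbol>&ext;</symbol></getQuote>'''
REMOTE_SCHEMA = b'''<?xml version="1.0"?>
<getQuote xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:noNamespaceSchemaLocation="http://example.invalid/replaced.xsd">
  <symbol>ACME</symbol></getQuote>'''
```

The inspector only records what the DTD and the schemaLocation attributes declare; it never resolves anything, so checking a request cannot itself trigger the fetch the option is meant to prevent. Note that for xsi:schemaLocation only every second token is a location (the others are namespace names, which are usually http URIs too), which is why the pairs are split before the scheme check. Expat still expands internal entities while parsing, so in a real deployment a body-size limit belongs in front of this check.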


Web protection

This chapter describes the Web Protection menu. It contains features that act upon HTTP requests, HTTP headers, HTML documents, and cookies.

This chapter includes the following topics:
• Order of execution
• Responding to web protection rule violations
• Configuring HTTP parameter validation rules
• Configuring page access rules
• Configuring server protection rules
• Configuring start page rules
• Configuring URL access policy
• Configuring an IP list policy
• Configuring brute force login profiles
• Configuring robot control profiles
• Configuring allowed request method policy
• Configuring hidden field protection profiles
• Configuring URL rewriting policy
• Configuring HTTP protocol constraint profiles
• Configuring authentication policy
• Configuring file upload restriction policy
• Configuring inline protection profiles
• Configuring offline protection profiles
• Applying auto-learning profiles

Web protection profile workflow

Web protection profiles fall into two categories: inline and offline. (A related profile, auto-learning, has a distinctly different workflow. See “Auto-learning profile workflow” on page 278.)

Creating a web protection profile involves multiple activities. The number and sequence of steps depends on what you wish to achieve. All steps are optional, though some steps have dependencies on others.

• Several web protection features include an option to include a trigger policy. To use this option, first create one or more logging policies and trigger policies. See “Log configuration workflow” on page 313.

• Configure one or more file upload restriction rules followed by one or more file upload restriction policies for use in inline or offline protection profiles. See “Configuring file upload restriction policy” on page 263.

• Configure one or more allow request method policies for use in inline or offline protection profiles. See “Configuring allowed request method policy” on page 235.


• Configure one or more URL access rules followed by one or more URL access policies for use in inline or offline protection profiles. See “Configuring URL access policy” on page 216.

• Configure one or more server protection rules for use in inline or offline protection profiles. See “Configuring server protection rules” on page 201.

• Configure one or more page access rules for use in an inline protection profile. See “Configuring page access rules” on page 198.

• Configure one or more input rules followed by one or more parameter validation rules for use in inline or offline protection profiles. See “Configuring HTTP parameter validation rules” on page 192.

• Configure one or more hidden fields rules followed by one or more hidden fields protection policies for use in inline or offline protection profiles. See “Configuring hidden field protection profiles” on page 239.

• Configure one or more start page policies for use in an inline protection profile. See “Configuring start page rules” on page 213.

• Configure one or more brute force login policies for use in an inline protection profile. See “Configuring brute force login profiles” on page 224.

• Configure one or more robot control policies for use in inline or offline protection profiles. See “Configuring robot control profiles” on page 227. Optionally, configure a custom robot control to include in the policy. See “Configuring custom protection groups” on page 209.

• Configure one or more IP list policies for use in inline or offline protection profiles. See “Configuring an IP list policy” on page 220.

• Configure one or more URL rewriting rules followed by one or more URL rewriting policies for use in an inline protection profile. See “Configuring URL rewriting policy” on page 244.

• Configure one or more authentication rules followed by one or more authentication policies for use in an inline protection profile. See “HTTP authentication policy workflow” on page 259. Before you can create effective authentication rules, you must first configure users and user groups. See “User creation workflow” on page 107.

• After you complete the applicable previous activities, configure one or more inline protection profiles (see “Inline protection profile workflow” on page 268) or offline protection profiles (see “Offline protection profile workflow” on page 274).

Order of execution

FortiWeb units perform each of the web protection profile scans and other actions in the following sequence, from the top of the table towards the bottom. Disabled scans are skipped.

Note: The blocking style varies by feature and configuration. For example, when detecting cookie poisoning, instead of resetting the HTTP connection, you could log and remove the offending cookie. For details, see each specific feature.

Table 76: Execution sequence of web protection techniques

Scan/action - Involves

Request from client to server
IP (client IP list policy) - Source IP address of the client
Brute Force Login - Source IP address of the client and URL in the HTTP header
Standalone IP Access Limit / Share IP Access Limit (malicious robot/client rate limiting) - Source IP address of the client
HTTP Authentication Policy - Authorization:
HTTP Protocol Constraints - Content-Length:, parameter length, body length, header length, and header line length
Host (protected real or virtual host) - Host:
Cookie Poison - Cookie:
Start Pages - Host:, URL in HTTP header, and session state
Page Access Rule - Host:, URL in HTTP header, and session state
URL Access Policy - Host:, URL in HTTP header
Allow Request Method - Host:, URL in HTTP header, and request method in HTTP header
Robot Control - User-Agent:
Parameter Validation Rule - Host:, URL in the HTTP header, and visible inputs’ name, data type, and length
Hidden Fields Protection Rule - Host:, URL in the HTTP header, and invisible inputs’ name, data type, and length
Cross-Site Scripting, SQL Injection, Common Exploits - Inputs
URL Rewriting Policy - Host: and URL in HTTP header

Reply from server to client
Information Disclosure - Server-identifying custom HTTP headers and error messages such as Server:
Credit Card Detection - Credit card number in the body, and, if configured, Credit Card Detection Threshold

Responding to web protection rule violations

The FortiWeb unit responds to web protection rule violations according to predefined violation controls. The violation controls are associated with web protection rules using the Action, Severity, and Trigger Policy or Trigger Action fields associated with each rule type. See Table 77 on page 192 for a description.

While every violation is recorded by the FortiWeb unit in a log message, you can control the specific response on a per-violation basis.


Table 77: Rule violation controls

GUI item - Description - Options
Action - Defines the action FortiWeb takes when a violation of the rule occurs. The specific actions associated with a violation depend on the type of violation. The Action drop-down menu for each rule includes only the actions that apply to that particular rule. Select the specific action you want FortiWeb to perform when the associated violation occurs. The default action for each type of violation is Alert. For more information on logging and alerts, see “Configuring and enabling logging” on page 323.
• Alert: Accept the connection and generate an alert and/or log message.
• Alert & Deny: Block the connection and generate an alert and/or log message.
• Redirect: Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message. For details, see “Redirect URL” on page 273.
• Send 403 Forbidden: Reply with an HTTP 403 (Access Forbidden) error message and generate an alert and/or log message.
• Pass: Allow the request. Similar to Alert but does not generate an alert and/or log message.
• Continue: Allow the request, applying any subsequent rules defined in the web protection profile. See “Order of execution” on page 190.
• Alert: Do not cloak, except for removing sensitive headers. (Sensitive information in the body remains unaltered.) Accept the connection and generate an alert and/or log message.
• Alert & Erase: Hide replies with sensitive information (sometimes called “cloaking”). Block the connection or remove the sensitive information, and generate an alert and/or log message. Note: This option is not fully supported in offline protection mode. Only an alert and/or log message can be generated; sensitive information will not be blocked or erased.
Severity - Defines the severity level associated with the rule violation. Select the severity level you want to assign to the violation. Each violation type has a configurable severity. You can configure each violation type to be recorded and reported as either Low, Medium or High severity. The severity of the violation is recorded in the log message associated with the violation.
Trigger Policy or Trigger Action - Defines who gets notified when a violation of the rule occurs. Select the trigger policy you want FortiWeb to perform when the associated rule violation occurs. There is no default trigger action. Trigger Action or Trigger Policy lists predefined trigger policies, if any exist. Select the appropriate policy. Trigger policies contain email policies that determine who will receive an alert email when the violation occurs, and/or whether the log message is recorded in a Syslog server or by FortiAnalyzer. For more information, see “Configuring trigger policies” on page 322.

Configuring HTTP parameter validation rules

Web Protection > Parameter Validation Rule > Parameter Validation Rule displays the list of parameter validation rules. The parameter validation rules are composed of individual HTTP input rules. The HTTP input rules define whether or not certain parameters are required in HTTP requests, and if so, the maximum allowed length of the parameter. Each HTTP input rule can be associated with a specific URL and/or host name. If a single HTTP request includes multiple identical parameters, the HTTP parameter validation rules are enforced for all instances of the parameter within the HTTP request.


Parameter validation rules are applied by selecting them within an inline or offline protection profile. For details, see “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 78: Web Protection > Parameter Validation Rule > Parameter Validation Rule tab

GUI item - Description
Create New - Click to add a parameter validation rule.
# - Displays the index number of the entry in the list.
Name - Displays the name of the entry.
Rule Count - Displays the number of individual rules contained in the entry.
Delete / Edit (no column heading) - Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile. Click the Edit icon to modify the entry.

Tip: Before you can configure an effective parameter validation rule, you must configure one or more input rules. See “Configuring parameter validation input rules” on page 194.

To configure a parameter validation rule
1 Go to Web Protection > Parameter Validation Rule > Parameter Validation Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
A dialog appears.
3 In Name, type the name of the parameter validation rule.
This field cannot be modified if you are editing an existing parameter validation rule. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.
A dialog appears.


6 Configure the following:

GUI item - Description
ID - Enter the index number of the input rule within the parameter validation rule, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.
Input Rule - Select the name of an input rule. For information on input rules, see “Configuring parameter validation input rules” on page 194. Note: If you want to view the information associated with the input rule used by this parameter validation rule, select the Detail link beside the Input Rule list. A read-only version of the Edit Input Rule window opens.

7 Repeat the previous steps for each input rule that you want to add to the parameter validation rule.
8 To modify an input rule, click its Edit icon. To remove a single input rule from the parameter validation rule, click its Delete icon. To remove all input rules from the parameter validation rule, click the Clear icon.
9 Click OK.
To apply the parameter validation rule, select it in an inline or offline protection profile. For details, see “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274.
Attack log messages contain DETECT_PARAM_RULE_FAILED when this feature detects a parameter rule violation.

Configuring parameter validation input rules

Web Protection > Parameter Validation Rule > Input Rule displays the list of parameter validation input rules.

Input rules define whether or not parameters are required, and their maximum allowed length, for HTTP requests matching the Host: in the HTTP header and URL defined in the input rule. Unlike hidden field groups, input rules are for visible inputs only. For information on constraining hidden inputs, see “Configuring hidden field rules” on page 241.

Each input rule contains one or more individual rules. This enables you to define, within one input rule, all parameter restrictions that apply to HTTP requests matching that URL and host name. For example, one web page might have multiple inputs: a user name, password, and a preference for whether or not to remember the login. Within the input rule for that web page, you could define separate rules for each parameter in the HTTP request: one rule for the user name parameter, one rule for the password parameter, and one rule for the preference parameter.

Tip: If you do not want sensitive inputs such as passwords to appear in the attack logs’ packet payloads, you can obscure them. For details, see “Obscuring sensitive data in the logs” on page 329.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.
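As an added example (not FortiWeb's own code), the Python below implements the semantics this section and the procedure that follows describe for one input rule: an optional Host match, a Request URL that is either a literal (Simple String) or a regular expression, and per-parameter individual rules with a Name, Max Length (where 0 disables the limit), Required, and an optional regular-expression type check, with every instance of a repeated parameter checked. The login-page rule (the user name, password and preference example above), the .php rule, the sample requests and the ACTION_OUTCOMES mapping from a rule's Action to an HTTP outcome are this example's assumptions.

```python
# Added example (not FortiWeb code): a reference evaluator for one parameter
# validation input rule with the field semantics described in this section.
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class IndividualRule:
    """One row of the individual-rule table: Name, Max Length, Required, type check."""
    name: str
    max_length: int = 0              # 0 disables the length limit
    required: bool = False
    pattern: Optional[str] = None    # Argument Type = Regular Expression; None = no check


@dataclass
class InputRule:
    """Host Status/Host, Request URL, Request URL Type, Action and the rules."""
    name: str
    request_url: str
    url_type: str = "Simple String"  # or "Regular Expression"
    host: Optional[str] = None       # None = Host Status disabled (any host matches)
    action: str = "Alert"            # Alert, Alert & Deny, Redirect, Send 403 Forbidden
    rules: list = field(default_factory=list)

    def applies_to(self, host: str, path: str) -> bool:
        if self.host is not None and host.lower() != self.host.lower():
            return False
        if self.url_type == "Regular Expression":
            return re.search(self.request_url, path) is not None
        return path == self.request_url


def check_request(rule: InputRule, host: str, target: str, body: str = "") -> list:
    """Return the violations found (empty when the request satisfies the rule)."""
    parts = urlsplit(target)
    if not rule.applies_to(host, parts.path):
        return []
    # Merge query-string and form-body parameters; repeated names keep every value.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    violations = []
    for r in rule.rules:
        values = params.get(r.name, [])
        if r.required and not values:
            violations.append(f"{r.name}: required parameter missing")
        for value in values:         # every instance of a repeated parameter is checked
            if r.max_length and len(value) > r.max_length:
                violations.append(f"{r.name}: length {len(value)} exceeds {r.max_length}")
            if r.pattern and not re.fullmatch(r.pattern, value):
                violations.append(f"{r.name}: value fails type check")
    return violations


# Hypothetical mapping from the rule's Action to the proxy's behaviour.
ACTION_OUTCOMES = {
    "Alert": ("forward", None),              # accept, log the violation
    "Alert & Deny": ("reset", None),         # block the connection, log it
    "Redirect": ("redirect", 302),           # to the profile's Redirect URL
    "Send 403 Forbidden": ("deny", 403),
}


def respond(rule: InputRule, violations: list) -> tuple:
    """(disposition, HTTP status or None, attack log line or None)."""
    if not violations:
        return ("forward", None, None)
    disposition, status = ACTION_OUTCOMES[rule.action]
    log_line = "DETECT_PARAM_RULE_FAILED rule=%s %s" % (rule.name, "; ".join(violations))
    return (disposition, status, log_line)


# Constructed rules: the page's own login example (user name, password, preference)
# and a regular-expression Request URL covering every .php page.
LOGIN_RULE = InputRule(
    name="login-inputs", request_url="/login.php", host="www.example.com",
    action="Send 403 Forbidden",
    rules=[
        IndividualRule("username", max_length=32, required=True, pattern=r"[A-Za-z0-9_.-]+"),
        IndividualRule("password", max_length=128, required=True),
        IndividualRule("remember", pattern=r"on|off"),
    ],
)
PHP_ID_RULE = InputRule(
    name="php-id", request_url=r"^/.*\.php$", url_type="Regular Expression",
    rules=[IndividualRule("id", max_length=10, pattern=r"[0-9]+")],
)
```

Two details worth noting: the type check uses re.fullmatch, so a pattern such as on|off cannot be satisfied by a longer value that merely contains a match; and parameters are gathered with parse_qs so that a request carrying username twice yields both values and each is checked against the limit, which is the behaviour the section describes for identical parameters.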

Table 79: Web Protection > Parameter Validation Rule > Input Rule tab

GUI item - Description
Create New - Click to add an input rule.
# - Displays the index number of the entry in the list.
Name - Displays the name of the entry.
Host - Displays the IP address or fully qualified domain name (FQDN) of the real or virtual host as it appears in the Host: field of the HTTP header of requests to which the entry applies.
Request URL - Displays the URL, such as /index.php, as it appears in the HTTP request to which the entry applies.
Action - Displays the action taken by FortiWeb when a violation of the input rule occurs. For information, see “Responding to web protection rule violations” on page 191.
Rule Count - Displays the number of individual rules contained in the entry.
Delete / Edit (no column heading) - Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a parameter validation rule. Click the Edit icon to modify the entry.

To configure an input rule
Before you configure an input rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see “Configuring protected servers” on page 147.
1 Go to Web Protection > Parameter Validation Rule > Input Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
A dialog appears.


3 In Name, type the name of the input rule.
This field cannot be modified if you are editing an existing input rule. To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:

GUI item - Description
Host Status - Enable to apply this input rule only to HTTP requests for specific web hosts. Also configure Host. Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.
Host - Select the IP address or FQDN of a protected host.
Request URL - Depending on your selection in Request URL Type, type either:
• the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
• a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.
Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list. To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
Request URL Type - Select whether the Request URL field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).
Action, Severity and Trigger Policy - The Action, Severity and Trigger Policy drop-down menus allow you to control what the FortiWeb unit will do when it detects a specific violation such as an attack, suspicious request or other threat. Each violation can be uniquely configured. The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
Note: If a WAF Auto Learning Profile will be selected in the policy with profiles that use this rule, you should select Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For information on Action, Severity and Trigger Policy settings, see “Responding to web protection rule violations” on page 191.

5 Click OK.
6 Click Create New.
A dialog appears.
7 Configure the following:

GUI item - Description
ID - Enter the index number of the individual rule within the group of input rules, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.
Name - Type the name of the input as it appears in the HTTP content, such as username.
Max Length - Type the maximum allowed length of the parameter value. To disable the length limit, type 0.
Required - Enable if the parameter is required for HTTP requests to this combination of Host: field and URL.
Use Type Check - Enable to display Argument Type and Data Type settings.
Argument Type - When Use Type Check is enabled, select one of:
• Data Type - use one of the predefined data types.
• Regular Expression - define a regular expression.
• Custom Data Type - use one of the custom data types.

Data Type - Select a predefined data type. For information on data types, see “Viewing the list of predefined data types” on page 152. This option is only available when the Argument Type is Data Type.
Regular Expression - Type a regular expression that matches all valid values, and no invalid values, for this input. To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. This option is only available when the Argument Type is Regular Expression.
Custom Data Type - Select a custom data type. For information on custom data types, see “Creating custom data types” on page 156. This option is only available when the Argument Type is Custom Data Type.

8 Repeat the previous steps for each individual rule that you want to add to the group of input rules.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the group of input rules, click its Delete icon. To remove all individual rules from the group of input rules, click the Clear icon.
10 Click OK.
To apply the input rule, select it in a parameter validation rule. For details, see “Configuring HTTP parameter validation rules” on page 192.

Configuring page access rules

Web Protection > Page Access Rule > Page Access Rule displays the list of page access rules.

Page access rules define URLs that must be accessed in a specific order, such as to enforce the business logic of a web application. Requests for other, non-ordered URLs may interleave ordered URLs during the client’s session. Page access rules may be specific to a web host.

For example, an e-commerce application might be designed to work properly in this order:
1 A client begins a session by adding an item to a shopping cart. (/addToCart.do?*)
2 The client either views and adds additional items to the shopping cart, or proceeds directly to the checkout.
3 The client confirms the items to purchase. (/checkout.do)
4 The client provides shipping information. (/shipment.do)
5 The client pays for the items and shipment, completing the transaction. (/payment.do)

Sessions that begin at the shipping or payment stage should therefore be invalid. If the web application does not enforce this rule itself, it could be open to cross-site request forgery (CSRF) attacks on the payment feature. To prevent such abuse, the FortiWeb unit could enforce the rule itself using a page access rule set with the following order:
1 /addToCart.do?item=*
2 /checkout.do?login=*
3 /shipment.do
4 /payment.do

Attempts to request /payment.do before those other URLs during a session would be denied, and generate an alert and/or attack log message (see “Configuring and enabling logging” on page 323).


Use SNMP traps to notify you when a page access rule has been enforced. For details, see “Configuring an SNMP community” on page 68.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 80: Web Protection > Page Access Rule > Page Access Rule tab

Create New
Click to add a page access rule.

#
Displays the index number of the entry in the list.

Name
Displays the name of the entry.

Rule Count
Displays the number of individual rules contained in the entry.

(No column heading.)
Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline protection profile. Click the Edit icon to modify the entry.

To configure a page access rule

Before you configure a page access rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see “Configuring protected servers” on page 147.
1 Go to Web Protection > Page Access Rule > Page Access Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the page access rule. This field cannot be modified if you are editing an existing page access rule. To modify the name, delete the entry, then recreate it using the new name.


4 Configure the following:

Severity
Select the severity level you want FortiWeb to use in the records and reports generated when the page access rule is violated. You can configure the severity to be either Low, Medium or High.

Trigger Policy
Select the trigger policy you want FortiWeb to apply when the page access rule is violated. Trigger policies determine who will be notified by email when the violation occurs, and whether a log message associated with the violation is recorded in Syslog or FortiAnalyzer. For more information, see “Configuring trigger policies” on page 322.

5 Click OK.
6 Click Create New. A dialog appears.
7 Configure the following:

ID
Type the index number of the individual rule within the page access rule, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number. Page access rules should be added to the set in the order in which clients will be permitted to access them. For example, if a client must access /login.asp before /account.asp, add the rule for /login.asp first.

Host
Select the name of the protected host that the Host: field of an HTTP request must match in order to match the page access rule. This option is available only if Host Status is enabled.

Host Status
Enable if you want the page access rule to apply only to HTTP requests for a specific web host. Also configure Host.

URL Pattern
Depending on your selection in Type, enter either:
• the literal URL, such as /cart.php, that the HTTP request must contain in order to match the page access rule. The URL must begin with a slash ( / ).
• a regular expression, such as ^/*.php, matching all and only the URLs to which the page access rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /cart.cfm.
Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list. To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

Type
Select whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression.


8 Repeat the previous steps for each individual rule that you want to add to the page access rule.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the page access rule, click its Delete icon. To remove all individual rules from the page access rule, click the Clear icon.
10 Click OK.

To apply the page access rule, select it in an inline protection profile. For details, see “Configuring inline protection profiles” on page 268.

Attack log messages contain DETECT_PAGE_RULE_FAILED when this feature detects a request for a URL that violates the required sequence of URLs within a session.
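The sequence enforcement described above, worked through as an added Python example (not FortiWeb code): an ordered rule set is tracked per session, non-ordered URLs interleave freely, and a request that jumps ahead of the session’s progress is denied. The exact matching semantics are assumptions: a Simple String pattern is compared against the path and query with “*” as a wildcard, a Regular Expression pattern is searched with re.search, and revisiting a step the session has already reached is permitted (as when the client adds more items after the first /addToCart.do).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PageRule:
    """One individual rule (in ID order) inside a page access rule set."""
    pattern: str                  # URL Pattern
    is_regex: bool = False        # Type: Simple String (False) or Regular Expression (True)
    host: Optional[str] = None    # Host, applied only when Host Status is enabled

    def matches(self, host: str, url: str) -> bool:
        if self.host is not None and host.lower() != self.host.lower():
            return False
        if self.is_regex:
            return re.search(self.pattern, url) is not None
        # Assumption: a Simple String is a literal path and query in which "*"
        # is a wildcard, so /addToCart.do?item=* covers any item id.
        literal = ".*".join(re.escape(part) for part in self.pattern.split("*"))
        return re.fullmatch(literal, url) is not None


@dataclass
class PageAccessEnforcer:
    """Tracks, per session, how far along the ordered URL sequence a client is."""
    rules: List[PageRule]
    progress: Dict[str, int] = field(default_factory=dict)  # session id -> steps reached

    def check(self, session_id: str, host: str, url: str) -> bool:
        """Return True to forward the request, False to deny it (DETECT_PAGE_RULE_FAILED)."""
        idx = next((i for i, r in enumerate(self.rules) if r.matches(host, url)), None)
        if idx is None:
            return True                      # non-ordered URL: may interleave freely
        reached = self.progress.get(session_id, 0)
        if idx > reached:
            return False                     # an earlier step in the sequence was skipped
        if idx == reached:
            self.progress[session_id] = reached + 1   # advance to the next step
        return True                          # revisiting an earlier step is allowed


def example_rules() -> List[PageRule]:
    """The checkout sequence from the guide, restricted to one protected host (constructed)."""
    return [
        PageRule("/addToCart.do?item=*", host="www.example.com"),
        PageRule("/checkout.do?login=*", host="www.example.com"),
        PageRule(r"^/shipment\.do", is_regex=True, host="www.example.com"),
        PageRule("/payment.do", host="www.example.com"),
    ]


def run_session(enforcer: PageAccessEnforcer, session_id: str, host: str,
                urls: List[str]) -> List[bool]:
    """Feed a constructed sequence of requests through the enforcer, one session at a time."""
    return [enforcer.check(session_id, host, u) for u in urls]


if __name__ == "__main__":
    enforcer = PageAccessEnforcer(example_rules())
    legit = ["/addToCart.do?item=42", "/images/logo.png", "/addToCart.do?item=7",
             "/checkout.do?login=alice", "/shipment.do", "/payment.do"]
    print("legitimate session:", run_session(enforcer, "sess-A", "www.example.com", legit))
    # A session that starts at the payment stage is denied at its first ordered URL.
    print("forged session:", run_session(enforcer, "sess-B", "www.example.com", ["/payment.do"]))
```

Because progress is keyed by session, this check only works when the inline protection profile also has Session Management enabled, exactly as the Note for this feature requires.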

Note: In order for page access rules to be enforced, you must also enable “Session Management” on page 271 in the inline protection profile.

Configuring server protection rules

Web Protection > Server Protection Rule > Server Protection Rule displays the list of server protection rules.

Server protection rules enable and configure actions for several security features specifically designed to protect web servers, such as:
• cross-site scripting (XSS) attack prevention
• SQL injection prevention
• sensitive information disclosure prevention
• prevention of other injection attacks
• prevention of credit card data leaks

In addition to scanning standard requests, server protection rules can also scan action message format 3.0 (AMF3) binary inputs used by Adobe Flash clients to communicate with server-side software. For more information, see “Enable AMF3 Protocol Detection” on page 274 (for inline protection profiles) or “Enable AMF3 Protocol Detection” on page 278 (for offline protection profiles).

Attack definitions can be updated. For information on uploading a new set of attack definitions, see “Uploading signature updates” on page 101.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Tip: To extend the scope and versatility of a server protection rule, you can create and incorporate exceptions (see “Configuring server protection exceptions” on page 207) and custom protection groups (see “Configuring custom protection groups” on page 209).


Table 81: Web Protection > Server Protection Rule > Server Protection Rule tab

Create New
Click to add a server protection rule.

#
Displays the index number of the entry in the list.

Name
Displays the name of the entry.

Extended Signature Set
Indicates whether or not to use an extended set of attack definitions, which contains more attack definitions on top of the default set of attack definitions.
• Basic: a basic set of signatures
• Enhanced: an enhanced set of signatures, which also includes the basic set
• Full: a full set of signatures, which also includes the basic set and enhanced set
• Disable: the extended signature set is not used

(No column heading.)
Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile. Click the Edit icon to modify the entry. Click the View icon to view a predefined entry. Click Clone to create a new entry based on a predefined entry.

Before you configure a server protection rule, if you want to apply any exceptions, you must first define the server protection exception. For details, see “Configuring server protection exceptions” on page 207.

To configure a server protection rule
1 Go to Web Protection > Server Protection Rule > Server Protection Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A new dialog appears.

Tip: Alternatively, you can automatically configure a server protection rule that detects all attack types by generating a default auto-learning profile. For details, see “Generating an auto-learning profile and its components” on page 281.


Alternatively, click the Clone icon to create a new entry based on a predefined entry. In this case, a dialog appears with just the Name field.
3 Configure the following:

Tip: A blue pointer in front of an attack type means there are additional attack subtypes associated with the main attack type. You must enable the main attack type in order to select the subtypes. Once the main attack type is enabled, click the pointer to expand the attack subtype list. You can then enable or disable individual attack subtypes, or select All/None to enable or disable all subtypes associated with the main attack type. Disabling the main attack type automatically disables all associated attack subtypes.

Name
Type the name of the server protection rule. This field cannot be modified if you are editing an existing server protection rule. To modify the name, delete the entry, then recreate it using the new name.

Action, Severity and Trigger Action
The Action, Severity and Trigger Action drop-down menus allow you to control what the FortiWeb unit will do when it detects a specific violation such as an attack, suspicious request or other threat. Each violation can be uniquely configured.
Note: If a WAF Auto Learning Profile will be selected in the policy with profiles that use this rule, you should select the Alert action. If you select Alert & Deny instead, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.
For information on Action, Severity and Trigger Action settings, see “Responding to web protection rule violations” on page 191.


Cross-Site Scripting
Enable to prevent cross-site scripting (XSS) attacks. Once enabled, you can expand the list to see the individual subtypes associated with this main type of attack, such as CSRF (cross-site request forgery). Attack log messages contain DETECT_XSS_ATTACK when this feature detects a possible cross-site scripting attack.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Action settings, see “Responding to web protection rule violations” on page 191.

SQL Injection
Enable to prevent SQL injection attacks. Once enabled, you can expand the list to see the individual subtypes associated with this main type of attack, such as blind SQL injection. Attack log messages contain DETECT_SQL_INJECTION when this feature detects a possible SQL injection attack.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Action settings, see “Responding to web protection rule violations” on page 191.

Common Exploits
Enable to prevent common exploits. Once enabled, you can expand the list to select individual subtypes of this type of attack, such as an injection attack in a language other than SQL. Attack log messages contain Common Exploits and the subtype (for example, Common Exploits: Command Injection) when this feature detects a possible common exploit attack.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Action settings, see “Responding to web protection rule violations” on page 191.


Information Disclosure
Enable to detect server errors and other sensitive messages in the requested document and HTTP headers. Once enabled, you can expand the list to select individual subtypes of this type of attack, such as enabling CF Information Leakage (Adobe ColdFusion server information).
Error messages, HTTP headers such as Server: Microsoft-IIS/6.0, and other messages could inform attackers of the vendor, product, and version numbers of software running on your web servers, thereby advertising their specific vulnerabilities.
Sensitive information is predefined according to fixed signatures. Attack log messages contain DETECT RESPONSE INFORMATION DISCLOSURE when this feature detects sensitive information.
The following actions are available for this type of attack:
• Alert
• Alert & Erase
• Redirect
Note: This option is not fully supported in offline protection mode. Only an alert and/or log message can be generated; sensitive information will not be blocked or erased.
For information on Action, Severity and Trigger Action settings, see “Responding to web protection rule violations” on page 191.
Note: Because this feature can potentially require the FortiWeb unit to rewrite the header and body of every response from a server, it can result in a performance decrease. To minimize impact, Fortinet recommends enabling this feature only to help you identify information disclosure through logging, and until you can reconfigure the server to omit such sensitive information.
Note: Some attackers use 4XX HTTP status codes to determine information about a site (whether a page exists, has login failures, and so on). Normally, the FortiWeb unit raises attack logs for this type of attack, but too many 4XX HTTP status events may obfuscate other information disclosure logs. You can turn off these types of logs by disabling the HTTP Return Code 4XX option.
Note: Some attackers use 5XX HTTP status codes to determine information about the HTTP server (Not Implemented, Service Unavailable, and so on). Normally, the FortiWeb unit raises attack logs for this type of attack, but too many 5XX HTTP status events may obfuscate other information disclosure logs. You can turn off these types of logs by disabling the HTTP Return Code 5XX option.

Remote File Inclusion
Enable to prevent remote file inclusion. Once enabled, you can expand the list to enable or disable detection of various remote file inclusion signatures.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Action settings, see “Responding to web protection rule violations” on page 191.

Custom Protection Group
Select a custom protection group to use, if any. For details, see “Configuring custom protection groups” on page 209.
Note: If you want to view the information associated with the custom protection group used by this server protection rule, select the Detail link beside the Custom Protection Group list. A read-only version of the Edit Custom Protection Group window opens.


Credit Card Detection
Enable to detect credit card numbers in the response from the server. Also configure Credit Card Detection Threshold.
Credit card numbers being sent from the server to the client could constitute a violation of PCI DSS. In most cases, the client should only receive mostly-obscured versions of their credit card number, if they require it to confirm which card was used. This prevents bystanders from viewing the number, but also reduces the number of times that the actual credit card number could be observed by network attackers. For example, a web page might confirm a transaction by displaying a credit card number as:
XXXX XXXX XXXX 1234
This mostly-obscured version protects the credit card number from unnecessary exposure and disclosure. It would not trigger the credit card number detection feature.
However, if a web application does not obscure displays of credit card numbers, or if an attacker has found a way to bypass the application’s protection mechanisms and gain a list of customers’ credit card numbers, a web page might contain a list with many credit card numbers in clear text. Such a web page would be considered a data leak, and trigger credit card number disclosure detection.
Attack log messages contain DETECT RESPONSE INFORMATION disclosure: credit card leakage when this feature detects credit card number disclosure.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Alert & Erase
For information on Action, Severity and Trigger Action settings, see “Responding to web protection rule violations” on page 191.

Credit Card Detection Threshold
Enter 0 to report any credit card number disclosures, or enter a threshold if the web page must contain a number of credit card numbers that equals or exceeds the threshold in order to trigger the credit card number detection feature. For example, to ignore web pages with only one credit card number, but to detect when a web page contains two or more credit card numbers, enter 2.

Extended Signature Set
Clear Disable to enable the level of additional attack definitions you want to use. The extended set of attack definitions contains more attack definitions on top of the default set of attack definitions. You can select checking against:
• Basic: a basic set of signatures
• Enhanced: an enhanced set of signatures, which also includes the basic set
• Full: a full set of signatures, which also includes the basic set and enhanced set
You can also disable checking against extended signature sets. While the Full signature set can detect more attacks, it might also cause false positives. Select a lower level of checking to reduce false positives.
For information on Action, Severity and Trigger Action settings, see “Responding to web protection rule violations” on page 191.

Exception Name
Select which server protection exception to use, if any.
Note: If you want to view the information associated with the Exception used by this server protection rule, select the Detail link beside the Exception Name list. A read-only version of the Edit Server Protection Exception window opens.

4 Click OK.

To apply the server protection rule, select it in an inline protection profile or an offline protection profile. For details, see “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274.
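Response-side credit card detection with the threshold semantics and the Alert & Erase action described in the Credit Card Detection rows above, as an added Python example (not FortiWeb code). The digit pattern, the Luhn filter that discards ordinary long numbers, and the sample response bodies are constructed here; the XXXX masking format follows the guide, and the masked form is shown not to trigger detection.

```python
import re
from typing import List, Tuple

# Constructed candidate pattern: 13 to 19 digits, optionally separated by single
# spaces or dashes, not adjacent to further digits or to the masking character X.
CARD_CANDIDATE = re.compile(r"(?<![\dX])(?:\d[ -]?){12,18}\d(?![\dX])")

LOG_MESSAGE = "DETECT RESPONSE INFORMATION disclosure: credit card leakage"

# Constructed response bodies. The card numbers are the publicly known test numbers
# 4111 1111 1111 1111, 5500 0000 0000 0004 and 378282246310005, not real cards.
SAMPLE_MASKED = "Thank you. Card XXXX XXXX XXXX 1111 was charged. Order 20110615-0042."
SAMPLE_ONE_CARD = "Card on file: 4111 1111 1111 1111 (expires 2013)"
SAMPLE_LEAK = "Customer cards:\n4111 1111 1111 1111\n5500-0000-0000-0004\n378282246310005\n"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs such as order numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> List[re.Match]:
    """Return the matches whose digits form a Luhn-valid 13 to 19 digit number."""
    hits = []
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m)
    return hits


def mask(number: str) -> str:
    """The mostly-obscured form from the guide: only the last four digits survive."""
    digits = re.sub(r"[ -]", "", number)
    return "XXXX XXXX XXXX " + digits[-4:]


def scan_response(body: str, threshold: int, erase: bool) -> Tuple[bool, str]:
    """Apply Credit Card Detection to one response body.

    threshold 0 reports any disclosure; otherwise the page must contain at least
    `threshold` card numbers. With erase=True (Alert & Erase) each detected number
    is replaced by its masked form before the response is forwarded.
    Returns (triggered, body_to_forward).
    """
    hits = find_card_numbers(body)
    if not hits or len(hits) < max(threshold, 1):
        return False, body
    if not erase:                         # Alert: log only, forward unchanged
        return True, body
    out, last = [], 0
    for m in hits:
        out.append(body[last:m.start()])
        out.append(mask(m.group(0)))
        last = m.end()
    out.append(body[last:])
    return True, "".join(out)


if __name__ == "__main__":
    for label, body in (("masked", SAMPLE_MASKED), ("one card", SAMPLE_ONE_CARD),
                        ("leak", SAMPLE_LEAK)):
        triggered, forwarded = scan_response(body, threshold=2, erase=True)
        print(f"{label}: {LOG_MESSAGE if triggered else 'no detection'}")
        print(forwarded)
```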


Configuring server protection exceptions

Web Protection > Server Protection Rule > Server Protection Exception displays the list of server protection exceptions.

Exceptions may be useful if you know that some URLs, during normal use, will cause false positives by matching an attack signature. Server protection exceptions define request URLs that will not be subject to server protection rules.

For example, if the HTTP POST URL /pageupload should accept input that is PHP code, but it is the only URL on the host that should do so, you would create an exception with PHP Injection, then use that exception in the server protection rule that normally would block all injection attacks.

Server protection exception rules can be created directly from the detail view for attack log entries. A server protection exception must be created first.

Server protection exceptions are applied by selecting them within a server protection rule. For details, see “Configuring server protection rules” on page 201.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 82: Web Protection > Server Protection Rule > Server Protection Exception tab

Create New
Click to add a server protection exception.

#
Displays the index number of the entry in the list.

Name
Displays the name of the entry.

Rule Count
Displays the number of individual exceptions contained in the entry.

(No column heading.)
Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server protection rule. Click the Edit icon to modify the entry.

To configure a server protection exception
1 Go to Web Protection > Server Protection Rule > Server Protection Exception.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.


3 In Name, type the name of the server protection exception. This field cannot be modified if you are editing an existing server protection exception. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK. A dialog appears.
5 Configure the following:

Tip: A pointer in front of an attack type means there are additional attack subtypes associated with the main attack type. You must enable the main attack type in order to select the subtypes. Once the main attack type is enabled, click the pointer to expand the attack subtype list. You can then enable or disable individual attack subtypes, or select All/None to enable or disable all subtypes associated with the main attack type. Disabling the main attack type automatically disables all associated attack subtypes.

ID
Enter the index number of the individual entry within the server protection exception, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.

Host
Select the protected hosts entry (either a web host name or IP address) that the Host: field of the HTTP request must match in order to match the server protection exception. This option is available only if Host Status is enabled.


Host Status
Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the server protection exception. Also configure Host.

Type
Select whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression.

URL Pattern
Depending on your selection in Type, type either:
• the literal URL, such as /causes-false-positives.php, that the HTTP request must contain in order to match the server protection exception. The URL must begin with a slash ( / ).
• a regular expression, such as ^/.*.php, matching all and only the URLs to which the server protection exception should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /bbcode.cfm.
Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list. To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

Note: For each of the attack types, select the blue arrow to expand the entry and select or clear the individual rules contained in the entry.

Cross-Site Scripting
Enable to omit detection of cross-site scripting (XSS) attacks, then disable individual attack subclasses that you do not want to omit, if any.

SQL Injection
Enable to omit detection of SQL injection attacks, then disable individual attack subclasses that you do not want to omit, if any.

Common Exploits
Enable to omit detection of common exploits, such as an injection attack in a language other than SQL, then disable individual attack subclasses that you do not want to omit, if any.

Information Disclosure
Enable to omit detection of server errors and other sensitive messages in the requested document and HTTP headers, then disable individual information subclasses that you do not want to omit, if any, from the Information Disclosure drop-down list.

Remote File Inclusion
Enable to omit detection of remote file inclusion, then disable individual remote file inclusion signatures that you do not want to omit, if any.

Credit Card Detection
Enable to omit detection of credit card numbers in the response from the server.

6 Repeat the previous steps for each entry that you want to add to the server protection exception.
7 To create exception rules from individual attack log entries, open the detail view for the log entry, and click New Protection Exception. Select the name of an existing protection exception to add the rule to. For more information on viewing attack log details, see “Viewing log messages” on page 331.
8 To modify a server protection exception, click its Edit icon. To remove a single entry from the exception, click its Delete icon. To remove all entries from the exception, click the Clear icon.
9 Click OK.

To apply the server protection exception, select it in a server protection rule. For details, see “Configuring server protection rules” on page 201.

Configuring custom protection groups

Web Protection > Server Protection Rule > Custom Protection Group displays the list of custom protection groups.


Custom protection groups enable you to assemble individual custom protection rules into groups. To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Tip: Before you can configure a custom protection group, you must first configure one or more custom protection rules. For details, see “Configuring custom protection rules” on page 211.

Table 83: Web Protection > Server Protection Rule > Custom Protection Group tab

Create New
Click to add a custom protection group.

#
Displays the index number of the entry in the list.

Name
Displays the name of the entry.

Rule Count
Displays the number of individual custom protection rules contained in the group.

(No column heading.)
Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server protection rule. Click the Edit icon to modify the entry.

To configure a custom protection group
1 Go to Web Protection > Server Protection Rule > Custom Protection Group.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.


3 In Name, type the name of the custom protection group. This field cannot be modified if you are editing an existing custom protection group. To modify the name, delete the entry, then recreate it using the new name.
4 To modify the custom protection rules associated with a protection group, click its Edit icon. To remove a single entry, click its Delete icon. To remove all entries, click the Clear icon.
5 Click OK.
6 To associate specific custom protection rules with the custom protection group, click Create New. A dialog appears.
7 Configure the following:

ID
Number automatically assigned to the new protection group.

Custom Protection Rule
Select the specific custom protection rule to be applied to the protection group. For information on custom protection rules, see “Configuring custom protection rules” on page 211.
Note: If you want to view the information associated with the custom protection rule used by this custom protection group, select the Detail link beside the custom protection rule list. A read-only version of the Edit Custom Protection Rule window opens.

8 Click OK.

To apply the custom protection group, select it in a server protection rule. For details, see “Configuring server protection rules” on page 201.

Configuring custom protection rules

Web Protection > Server Protection Rule > Custom Protection Rule displays the list of custom protection rules that have been created.

Custom protection rules enable creation of custom signatures and custom data leakage expressions, which can then be associated with custom protection groups and server protection rules.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.


Table 84: Web Protection > Server Protection Rule > Custom Protection Rule tab

Create New
Click to add a custom protection rule.

#
Displays the index number of the entry in the list.

Name
Displays the name of the entry.

(No column heading.)
Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server protection rule. Click the Edit icon to modify the entry.

To configure a custom protection rule
1 Go to Web Protection > Server Protection Rule > Custom Protection Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the custom protection rule. This field cannot be modified if you are editing an existing custom protection rule. To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:

Type
Select the type of data that the rule applies to, Signature Creation or Data Leakage.

Check Count
Enter the threshold for the number of data leakage reports before triggering the action specified for this rule. Appears only if Data Leakage is selected.

Case Sensitive
Select to specify that case sensitivity is used for rule checking.


Expression
Enter the string of text that defines the type of data the rule will check. To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

Action, Severity and Trigger Policy
The Action, Severity and Trigger Policy drop-down menus allow you to control what the FortiWeb unit will do when it detects a specific violation such as an attack, suspicious request or other threat. Each violation can be uniquely configured.
The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden (only if Type is Signature Creation)
• Alert & Erase (only if Type is Data Leakage)
Note: If a WAF Auto Learning Profile will be selected in the policy with profiles that use this rule, you should select Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.
For information on Action, Severity and Trigger Policy settings, see “Responding to web protection rule violations” on page 191.

5 Click OK.
6 Repeat this procedure for each individual rule that you want to add to a custom protection group.

To apply the custom protection rule, select it in a custom protection group. For details, see “Configuring custom protection groups” on page 209.

Configuring start page rules

Web Protection > Start Pages > Start Pages displays the list of main web pages.

When you select a start page group in the inline protection profile, HTTP clients must begin from a valid start page in order to initiate a valid session.

For example, you may wish to specify that HTTP clients of an e-commerce web site must begin their session from either an item view or the first stage of the shopping cart checkout, and cannot begin a valid session from the third stage of the shopping cart checkout.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 85: Web Protection > Start Pages > Start Pages tab

Create New
Click to add a group of start pages.

#
Displays the index number of the entry in the list.

ortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guideevision 10 213ttp://docs.fortinet.com/ • Feedback

Configuring start page rules Web protection

To configure a start page groupBefore you configure a start page rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see “Configuring protected servers” on page 147.1 Go to Web Protection > Start Pages > Start Pages.2 Click Create New, or, in the row corresponding to an entry that you want to modify, click

the Edit icon.A dialog appears.

3 In Name, type the name of the start page rule. This field cannot be modified if you are editing an existing start page rule. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

5 Click OK.

Name Displays the name of the entry.

Page Count Displays the number of individual URLs contained in the entry.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline protection profile.Click the Edit icon to modify the entry.

GUI item DescriptionAction, Severity and Trigger Policy

The Action, Severity and Trigger Policy drop-down menus allow you to control what the FortiWeb unit will do when it detects a specific violation such as an attack, suspicious request or other threat. Each violation can be uniquely configured.The following actions are available for this type of attack:• Alert• Alert & Deny• Redirect• Send 403 ForbiddenNote: If a WAF Auto Learning Profile will be selected in the policy with profiles that use this rule, you should select Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.For information on Action, Severity and Trigger Policy settings, see “Responding to web protection rule violations” on page 191.

Delete

Edit

Clear

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide214 Revision 10

http://docs.fortinet.com/ • Feedback

Web protection Configuring start page rules

FRh

6 Click Create New.A dialog appears.

7 Configure the following:

8 Repeat the previous steps for each start page that you want to add to the group of start pages.

9 To modify a start page, click its Edit icon. To remove a single start page from the group of start pages, click its Delete icon. To remove all start pages from the group of start pages, click the Clear icon.

10 Click OK.To apply the group of start pages, select it in an inline protection profile. For details, see “Configuring inline protection profiles” on page 268.

GUI item DescriptionID Enter the index number of the start page within the group of start pages, or keep

the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.

Host Select which protected hosts entry (either a web host name or IP address) that the Host: field of the HTTP request must be in order to match a valid start page.This option is available only if Host Status is enabled.

Host Status Enable to require that the Host: field of the HTTP request to match a protected hosts entry in order to match a valid start page. Also configure Host.

Type Select whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression.

URL Pattern Depending on your selection in Type, type either: • the literal URL, such as /index.php, that the HTTP request must contain

in order to match the start page rule. The URL must begin with a slash ( / ).• a regular expression, such as ^/*.php, matching all and only the URLs to

which the start page rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.

Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list.To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

Default Select Yes to use the page as the default for HTTP requests that either:• do not specify any URL• do not specify the URL of a valid start page (only if you have selected

Redirect from Action)

ortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guideevision 10 215ttp://docs.fortinet.com/ • Feedback

Configuring URL access policy Web protection

Attack log messages contain DETECT_START_PAGE_FAILED when this feature detects a start page violation.

Configuring URL access policyWeb Protection > URL Access Policy> URL Access Policy displays the list of URL access policies.URL access policies enable you to group individual URL access rules that define which HTTP requests to allow or deny based upon their host name and URL.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 86: Web Protection > URL Access Policy> URL Access Policy tab

To configure a URL access policy1 Go to Web Protection > URL Access Policy> URL Access Policy.

Note: In order for start pages to be enforced, you must also enable “Session Management” on page 271 in the inline protection profile.

Note: URL access rules are evaluated after some other rules. For details, see “Order of execution” on page 190.

Tip: Before you can configure an effective URL access policy, you must configure one or more URL access rules. See “Configuring URL access rules” on page 218.

GUI item DescriptionCreate New Click to add a URL access policy.

# Displays the index number of the entry in the list.

Name Displays the name of the entry.

URL Access Count Displays the number of individual URL access rules contained in the entry.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile.Click the Edit icon to modify the entry.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the policy. This field cannot be modified if you are editing an existing URL access policy. To modify the name, delete the entry, then recreate it using the new name.

4 Click OK.

5 Click Create New. A dialog appears.

6 Configure the following:

GUI item: Description
ID: Enter the index number of the individual rule within the URL access policy, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.
Priority: Enter the priority for this rule in relation to other defined rules. Rules with lower priority are applied first.
Access Rule Name: Choose the name of a predefined URL access rule to add to the policy. See “Configuring URL access rules” on page 218 for more information about defining URL access rules. Note: If you want to view the information associated with the URL Access Rule used by this policy, select the Detail link beside the Access Rule Name list. A read-only version of the URL Access Rule window opens.

7 Click OK.

8 Repeat the previous two steps for each individual rule that you want to add to the URL access policy.

9 To modify an individual rule, click its Edit icon. To remove an individual rule from the URL access policy, click its Delete icon. To remove all rules from the URL access policy, click the Clear icon.

10 Click OK.

To apply the URL access policy, select it in an inline or offline protection profile. For details, see “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274.

Configuring URL access rules

Web Protection > URL Access > URL Access Rule displays the list of URL access rules. URL access rules define HTTP requests that will be accepted or denied based upon their host name and URL.

Use SNMP traps to notify you when a URL access rule is enforced. For details, see “Configuring an SNMP community” on page 68.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Before you configure a URL access rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see “Configuring protected servers” on page 147.

Caution: IP trust policy rules only block initial requests from a client. They will not block server-side redirects. For more information, see “Configuring an IP list policy” on page 220.

Note: URL access rules are evaluated after some other rules. For details, see “Order of execution” on page 190.

Table 87: Web Protection > URL Access Policy > URL Access Rule tab

GUI item: Description
Create New: Click to add a URL access rule.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Count: Displays the number of individual rules contained in the entry.
Host: Displays the name of the host (either a web host name or IP address) in the Host: field of an HTTP request that must match in order to pass the URL access rule.
Action: Displays the action taken by FortiWeb when a violation of the access rule occurs. For information, see “Responding to web protection rule violations” on page 191.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a URL access policy. Click the Edit icon to modify the entry.

To configure a URL access rule

1 Go to Web Protection > URL Access Policy > URL Access Rule.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the URL access rule. This field cannot be modified if you are editing an existing URL access rule. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

GUI item: Description
Host Status: Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the URL access rule. Also configure Host.
Host: Select which protected hosts entry (either a web host name or IP address) the Host: field of the HTTP request must be in order to match the URL access rule. This option is available only if Host Status is enabled.
Action, Severity and Trigger Policy: The Action, Severity and Trigger Policy drop-down menus allow you to control what the FortiWeb unit will do when it detects a violation, such as an attack, suspicious request or other threat. Each violation can be uniquely configured. The following actions are available for this type of attack:
• Pass
• Alert & Deny
• Continue
For information on Action, Severity and Trigger Policy settings, see “Responding to web protection rule violations” on page 191.

5 Click OK.

6 Click Create New. A dialog appears.

7 Configure the following:

GUI item: Description
ID: Enter the index number of the individual rule within the URL access rule, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.
URL Type: Indicate whether the text entered is a regular expression or a simple text string.
URL Pattern: Depending on your selection in URL Type, enter either:
• the literal URL, such as /index.php. The URL must begin with a slash ( / ).
• a regular expression, such as ^/*.php, matching all and only the desired URLs. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.
When you finish typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list for the URL access rule.
Meet this condition if: Select whether the access condition is met when the HTTP request matches the regular expression (or text string), or when it does not match the regular expression (or text string).

8 Click OK.

9 Repeat the previous steps for each individual condition that you want to add to the URL access rule.

10 Click OK.

To apply the URL access rule, select it in a URL access policy. For details, see “Configuring URL access policy” on page 216.

Attack log messages contain DETECT_URLACCESS_PAGE when this feature detects a suspicious HTTP request.

Configuring an IP list policy

Web Protection > IP List > IP List Policy displays the IP list policies. An IP list policy enables you to define whether specific source IP addresses are trusted or not trusted:
• Trust IPs are source IP addresses for which you explicitly allow access to your web servers because they are trusted.
• Black IPs are source IP addresses for which you explicitly disallow and block access to your web servers because they have failed web protection policy scans.

If a source IP address is not explicitly blacklisted in an IP list policy and it does not appear on the IP Blacklist TOP10 tab (see “Viewing the top 10 IP blacklist candidates” on page 223), the source IP has access to your web servers, pending additional web protection scan techniques. If a source IP address is explicitly designated as a trusted IP (that is, the IP address is trusted by FortiWeb), that IP can connect to your web servers and is exempt from many of the restrictions that would otherwise be applied by the web protection profile used by a server policy. For more information on the protection techniques performed by FortiWeb, and the scans performed based on the IP address, see “Order of execution” on page 190.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.
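The source IP check and the URL access rule evaluation described above, as an added example in Python (not FortiWeb code). It assumes that a literal URL matches exactly, that a rule matches only when all of its conditions are met, that a trust IP is exempt from the URL access policy, and that a lower priority value is evaluated first; the addresses, hosts and rule names are constructed.

```python
# Added example (not FortiWeb code): models the source IP check followed by
# URL access policy evaluation as described above. All hosts, addresses and
# rule names are constructed placeholders.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Condition:
    """One condition of a URL access rule (the step 7 dialog)."""
    url_type: str               # "simple" (literal URL) or "regex"
    url_pattern: str            # path only; the web host is configured separately
    meet_if_match: bool = True  # "Meet this condition if": matches / does not match

    def __post_init__(self):
        if self.url_type == "simple" and not self.url_pattern.startswith("/"):
            raise ValueError("a literal URL must begin with a slash")
        if self.url_type == "regex":
            re.compile(self.url_pattern)  # an invalid expression fails here

@dataclass
class UrlAccessRule:
    """A URL access rule (the step 4 dialog) with its conditions."""
    name: str
    action: str                 # "Pass", "Alert & Deny" or "Continue"
    conditions: List[Condition]
    host_status: bool = False   # require Host: to match a protected hosts entry
    host: Optional[str] = None

def is_valid_condition(url_type: str, url_pattern: str) -> bool:
    try:
        Condition(url_type, url_pattern)
        return True
    except (ValueError, re.error):
        return False

def condition_met(cond: Condition, url: str) -> bool:
    if cond.url_type == "simple":
        matched = url == cond.url_pattern  # assumption: literal means exact match
    else:
        matched = re.search(cond.url_pattern, url) is not None
    return matched == cond.meet_if_match

def rule_matches(rule: UrlAccessRule, host: str, url: str) -> bool:
    if rule.host_status and host != rule.host:
        return False
    # Assumption: a rule matches only when all of its conditions are met.
    return all(condition_met(c, url) for c in rule.conditions)

def ip_list_state(src_ip: str, trust_ips: set, black_ips: set) -> str:
    """The source IP check, performed before any other web protection technique."""
    if src_ip in black_ips:
        return "black"
    if src_ip in trust_ips:
        return "trust"
    return "unknown"

def evaluate(src_ip, host, url, trust_ips, black_ips, policy) -> Tuple[str, List[str]]:
    """Return (verdict, trace). `policy` is a list of (priority, rule) pairs.
    Assumptions: a trust IP is exempt from the URL access policy, the lowest
    priority value is evaluated first, and Continue moves on to the next rule."""
    trace: List[str] = []
    state = ip_list_state(src_ip, trust_ips, black_ips)
    if state == "black":
        trace.append(f"black IP {src_ip}: blocked before any other check")
        return "deny", trace
    if state == "trust":
        trace.append(f"trust IP {src_ip}: URL access policy skipped")
        return "allow", trace
    for priority, rule in sorted(policy, key=lambda pair: pair[0]):
        if not rule_matches(rule, host, url):
            continue
        trace.append(f"rule {rule.name} (priority {priority}) matched: {rule.action}")
        if rule.action == "Alert & Deny":
            trace.append(f"DETECT_URLACCESS_PAGE src={src_ip} host={host} url={url}")
            return "deny", trace
        if rule.action == "Pass":
            return "allow", trace
        # "Continue": the match is recorded and the remaining rules are evaluated
    trace.append("no URL access rule matched")
    return "allow", trace

# Constructed IP list policy and URL access policy for the demonstration.
TRUST_IPS = {"192.0.2.10"}
BLACK_IPS = {"198.51.100.7"}
POLICY = [
    (1, UrlAccessRule("log-api", "Continue", [Condition("regex", r"^/api/")])),
    (5, UrlAccessRule("allow-index", "Pass", [Condition("simple", "/index.php")])),
    (10, UrlAccessRule("deny-admin", "Alert & Deny", [Condition("regex", r"^/admin(/|$)")],
                       host_status=True, host="www.example.com")),
    (20, UrlAccessRule("deny-non-php", "Alert & Deny",
                       [Condition("regex", r"\.php$", meet_if_match=False)])),
]

def decide(src_ip: str, host: str, url: str) -> Tuple[str, List[str]]:
    return evaluate(src_ip, host, url, TRUST_IPS, BLACK_IPS, POLICY)
```

The trace returned by decide() shows which check produced the verdict, which is the information an administrator would otherwise look for in the attack log.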

Table 88: Web Protection > IP List > IP List Policy tab

GUI item: Description
Create New: Click to add a new IP list policy.
#: Displays the index number of the entry in the list.
Name: Displays the name of the IP list policy.
IP List Count: Displays the quantity of IP list policy members associated with the policy. Each member identifies the type of client and the IP address of the client.
(No column heading.): Click the Delete icon to remove the entry. Click the Edit icon to modify the entry.

To configure IP list policies and members

1 Go to Web Protection > IP List > IP List Policy.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the policy. This field cannot be modified if you are editing an existing IP list policy. To modify the name, delete the entry, then recreate the policy using the new name.

4 Click OK.

5 Click Create New. A dialog appears.

6 Configure the following:

GUI item: Description
Type: The first web protection technique that FortiWeb performs when it gets a request to connect to your web servers is to check the source IP address that originated the request. For more information, see “Order of execution” on page 190. Use the Type option to define whether the source IP address is:
• a Trust IP, which is a source IP address that is trusted and allowed to access your web servers, unless it fails some other web protection technique
• a Black IP, which is associated with a source IP address that is not trusted, and is permanently blocked from accessing your web servers
Note: Designating an IP address as a black IP will block all connections from that source IP address. If multiple clients share the same source IP address, such as when a group of clients is behind a firewall or router, making the source IP address a black IP could block innocent clients that share the same source IP address with an offending client. To detect a shared source IP address, see “Viewing the top 10 IP blacklist candidates” on page 223.
IP: The source IP address of the client that you want to add to the IP List Policy. This IP address will be treated according to the Type selection.
Use IP Blacklist TOP10: This item appears only if Type is set to Black IP. FortiWeb keeps a list of source IP addresses that are blocked from your web servers because they fail web protection configurations. These source IP addresses are candidates for formal designation as a black IP. The candidates are tracked on the IP Blacklist TOP10 tab. For more information, see “Viewing the top 10 IP blacklist candidates” on page 223. To add source IP addresses from the IP Blacklist TOP10 to the black list, select Use IP Blacklist Top10 and then select an IP address from the drop-down list.
Severity: If Type is set to Black IP, select the severity level you want FortiWeb to use in the records and reports generated when the specified IP address attempts to access your web servers. You can configure each violation type to be either Low, Medium or High severity.
Trigger Policy: Select the trigger policy you want FortiWeb to apply when the specified IP address attempts to access your web servers. Trigger policies determine who will be notified by email when the source IP address attempts to access your web servers, and whether the log message associated with the attempt is recorded in Syslog or FortiAnalyzer. For more information, see “Configuring trigger policies” on page 322.

7 Click OK.

8 Repeat the previous steps for each individual IP list policy member that you want to add to the IP list policy.

9 To modify an individual policy, click its Edit icon. To remove an individual policy from the IP list policy, click its Delete icon.

10 Click OK.

To apply the IP list policy, select it in an inline or offline protection profile. For details, see “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274.

Viewing the top 10 IP blacklist candidates

Web Protection > IP List > IP Blacklist TOP10 displays the list of the top 10 candidates for addition to the IP address black list. IPs appear automatically on the top 10 list when they violate a protection setting, such as robot control. These are candidates for the black list but are not yet on your black list. To add one to a black list, click the Edit icon. You can also move IPs from the top 10 list using the IP List Policy tab (see “To configure IP list policies and members” on page 221).

Blacklisted IP addresses define which source IP addresses are not permitted to connect to your web servers. The list of top 10 candidates tracks the number of times each source IP address is blocked. If an IP address is frequently the source of errors or attacks, it may be a good candidate for the IP blacklist.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 89: Web Protection > IP List > IP Blacklist TOP 10 tab

GUI item: Description
#: Displays the rank number of the entry in the top 10 list.
Count: Displays the number of times that connections from the IP address have been blocked due to a policy violation.
IP: Displays the source IP address of blocked connections and the name of the violated policy.
Type: Indicates whether the source IP address is for a single client (Standalone IP), or is shared by multiple clients behind a network address translation (NAT) device such as a firewall or router (Shared IP). Note: If the Type is Shared IP, blacklisting the IP could block innocent clients that share the same source IP address with an offending client.
(No column heading.): Click the Edit icon. This opens the Edit IP List Policy Member dialog box. You can then add the source IP to the black list. For details, see “Configuring an IP list policy” on page 220.
Refresh: Click to refresh the display of top 10 IP black list candidates.

Configuring brute force login profiles

Web Protection > Brute Force Login > Brute Force Login displays the list of brute force login attack profiles.

Brute force attacks attempt to penetrate systems by the sheer number of clients, attempts, or computational power, rather than by intelligent insight. For example, in brute force attacks on authentication, multiple web clients may rapidly try one user name and password combination after another in an attempt to eventually guess a correct login and gain access to the system. In this way, behavior differs from web crawlers, which typically do not focus on a single URL.

Brute force login attack profiles track the rate at which each source IP address makes requests for specific URLs. If the source IP address exceeds the threshold, the FortiWeb unit penalizes the source IP address by blocking additional requests for the time period that you indicate in the profile.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 90: Web Protection > Brute Force Login > Brute Force Login tab

GUI item: Description
Create New: Click to add a brute force login attack profile.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline protection profile. Click the Edit icon to modify the entry.

Before you configure a brute force login attack profile, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see “Configuring protected servers” on page 147.

To configure a brute force login attack profile

1 Go to Web Protection > Brute Force Login > Brute Force Login.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the brute force login profile. This field cannot be modified if you are editing an existing brute force login profile. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

GUI item: Description
Severity: Select the severity level you want FortiWeb to use in the records and reports generated when a violation of the brute force login profile occurs. You can configure the violation as either Low, Medium or High severity. For information on Severity and Trigger Policy settings, see “Responding to web protection rule violations” on page 191.
Trigger Policy: Select the trigger policy you want FortiWeb to apply when a violation of the brute force login profile occurs. Trigger policies determine who will be notified by email when the profile violation occurs, and whether the log message associated with the violation is recorded. For more information, see “Responding to web protection rule violations” on page 191.

5 Click OK.

6 Click Create New. A dialog appears.

7 Configure the following:

GUI item: Description
ID: Type the index number of the login page in the brute force login attack profile list. The index number affects the order of display only, and does not affect match order.
Host Status: Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to be included in the brute force login attack profile’s rate calculations. Also configure Host.
Host: Select which protected hosts entry (either a web host name or IP address) the Host: field of the HTTP request must be in order to match the brute force login attack profile. This option is available only if Host Status is enabled.
Request File: Type the URL that the HTTP request must match to be included in the brute force login attack profile’s rate calculations. When you have finished typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
Block Period: Type the length of time in seconds for which the FortiWeb unit will block additional requests after a source IP address exceeds a rate threshold. The block period is shared by all clients whose traffic originates from the source IP address. The limit is 10 000 seconds.
Standalone IP Access Limit: Type the rate threshold for source IP addresses that are single clients. Request rates exceeding the threshold will cause the FortiWeb unit to block additional requests for the length of the time in the Block Period field. To disable the rate limit, type 0.
Share IP Access Limit: Type the rate threshold for source IP addresses that are shared by multiple clients behind a network address translation (NAT) device such as a firewall or router. Request rates exceeding the threshold will cause the FortiWeb unit to block additional requests for the length of the time in the Block Period field. To disable the rate limit, type 0. Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client. In addition, the rate is a total rate for all clients that use the same source IP address. For these reasons, you should usually enter a greater value for this field than for Standalone IP Access Limit.

8 Click OK.

9 Repeat the two previous steps for each individual login page that you want to add to the brute force login attack profile.

10 To modify a login page, click its Edit icon. To remove a single login page from the group of login pages, click its Delete icon. To remove all login pages from the group of login pages, click the Clear icon.

11 Click OK.

To apply the brute force login attack profile, select it in an inline protection profile. For details, see “Configuring inline protection profiles” on page 268.

Attack log messages contain DETECT_BRUTE_FORCE_LOGIN when this feature detects a brute force login attack.
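A simulation of the brute force login attack profile described above, added here as an example in Python and not FortiWeb code. It assumes the rate threshold counts matching requests per source IP within a one-second window and that the Standalone/Shared classification is supplied by the caller; the addresses, URLs and thresholds are constructed.

```python
# Added example (not FortiWeb code): simulates a brute force login attack
# profile. Assumptions: the threshold counts matching requests per source IP
# within a one-second window, and shared (NAT) addresses are identified by a
# caller-supplied set. All addresses, URLs and thresholds are constructed.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

@dataclass
class LoginPage:
    """One login page entry of the profile (the step 7 dialog)."""
    request_file: str           # regular expression the request URL must match
    block_period: int           # seconds; the text states a limit of 10 000
    standalone_limit: int       # Standalone IP Access Limit; 0 disables
    shared_limit: int           # Share IP Access Limit; 0 disables
    host_status: bool = False   # require Host: to match a protected hosts entry
    host: Optional[str] = None

    def __post_init__(self):
        if not 0 <= self.block_period <= 10_000:
            raise ValueError("Block Period must be between 0 and 10 000 seconds")
        re.compile(self.request_file)  # an invalid expression fails here

def is_valid_block_period(seconds: int) -> bool:
    try:
        LoginPage(r"^/login\.php$", seconds, 5, 20)
        return True
    except ValueError:
        return False

class BruteForceLoginProfile:
    WINDOW = 1.0  # seconds over which requests are counted (assumption)

    def __init__(self, pages: List[LoginPage], shared_ips):
        self.pages = pages
        self.shared_ips = set(shared_ips)
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)  # per-IP timestamps
        self.blocked_until: Dict[str, float] = {}                # per-IP block expiry
        self.log: List[str] = []

    def _login_page(self, host: str, url: str) -> Optional[LoginPage]:
        for page in self.pages:
            if page.host_status and host != page.host:
                continue
            if re.search(page.request_file, url):
                return page
        return None

    def handle(self, now: float, src_ip: str, host: str, url: str) -> str:
        """Return 'allow' or 'block' for one request seen at time `now` (seconds)."""
        if now < self.blocked_until.get(src_ip, 0.0):
            return "block"  # every additional request is blocked for the block period
        page = self._login_page(host, url)
        if page is None:
            return "allow"  # not a login page: not part of the rate calculation
        limit = page.shared_limit if src_ip in self.shared_ips else page.standalone_limit
        if limit == 0:
            return "allow"  # 0 disables the rate limit
        window = self.hits[src_ip]
        window.append(now)
        while window and now - window[0] >= self.WINDOW:
            window.popleft()  # drop requests that fell out of the window
        if len(window) > limit:
            self.blocked_until[src_ip] = now + page.block_period
            window.clear()
            self.log.append(f"DETECT_BRUTE_FORCE_LOGIN src={src_ip} host={host} "
                            f"url={url} block_period={page.block_period}")
            return "block"
        return "allow"

# Constructed profile: one login page, a low standalone limit, a higher shared limit.
LOGIN = LoginPage(r"^/login\.php$", block_period=60, standalone_limit=5,
                  shared_limit=20, host_status=True, host="www.example.com")

def simulate() -> dict:
    """Replay constructed traffic against the profile and collect the verdicts."""
    profile = BruteForceLoginProfile([LOGIN], shared_ips={"203.0.113.1"})
    standalone = [profile.handle(i * 0.1, "198.51.100.7", "www.example.com", "/login.php")
                  for i in range(7)]  # 7 attempts within 0.6 s from one client
    shared = [profile.handle(i * 0.1, "203.0.113.1", "www.example.com", "/login.php")
              for i in range(7)]      # the same burst from a NAT address
    after = profile.handle(70.0, "198.51.100.7", "www.example.com", "/login.php")
    other = profile.handle(70.1, "198.51.100.7", "www.example.com", "/index.php")
    return {"standalone": standalone, "shared": shared, "after_block_period": after,
            "other_url": other, "log": list(profile.log)}

if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The run shows why the text advises a higher Share IP Access Limit: the same seven-request burst is blocked from the standalone address after the sixth attempt but stays under the shared threshold.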

Configuring robot control profilesWeb Protection > Robot Control > Robot Control displays the list of robot control profiles.Search engines, link checkers, retrievals of entire web sites for a user’s offline use, and other automated uses of the web (sometimes called robots, spiders, web crawlers, or automated user agents) often access web sites at a more rapid rate than human users. However, it would be unusual for them to request the same URL within that time frame. Usually, web crawlers request many different URLs in rapid sequence. For example, while indexing a web site, a search engine’s web crawler may rapidly request the web site’s most popular URLs. If the URLs are web pages, it may also follow the hyperlinks by requesting all URLs mentioned in those web pages. In this way, the behavior of web crawlers differs from a typical brute force login attack, which focuses repeatedly on one URL.You can request that robots not index and/or follow links, and disallow their access to specific URLs (see http://www.robotstxt.org/). However, misbehaving robots frequently ignore the request, and there is no single standard way to rate-limit robots.Robot control profiles can track the rate at which each source IP address makes requests. If the source IP address exceeds the threshold, the FortiWeb unit penalizes the source IP address by blocking additional requests for the time period that you indicate in the profile.Robot control profiles can also use the User-Agent: field in the HTTP header to allow legitimate robots or to block robots that are notorious for misbehaving.Robot control profiles enable you to associate predefined and custom robot control groups with rules that determine which specific robots are considered to be bad robots and which robots are allowed access to your web servers without being rate controlled or subject to parameter validation rules or server protection rules. 
To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 91: Web Protection > Robot Control > Robot Control tab

Create New: Click to add a robot control profile.

#: Displays the index number of the entry in the list.

Name: Displays the name of the entry.

Bad Robot: Indicates whether the blocking feature for bad web crawlers (robots), those known to ignore no-index, no-follow and other directives, is enabled or disabled.

Bad Robot Action: Displays the action taken by FortiWeb when a violation of the robot control profile occurs.

Allow Robot: Identifies well-known robots (for example, Google) that are allowed and will not be rate-controlled or subject to parameter validation rules, server protection rules, or Bad Robot blocking.

Standalone IP Access Limit: Displays the rate threshold for source IP addresses that are single clients. Request rates exceeding the threshold cause the FortiWeb unit to block additional requests for the length of time in the Block Period column. 0 indicates that the rate is not limited.

Share IP Access Limit: Displays the rate threshold for source IP addresses that are shared by multiple clients behind a network address translation (NAT) device such as a firewall or router. Request rates exceeding the threshold cause the FortiWeb unit to block additional requests for the length of time in the Block Period column. 0 indicates that the rate is not limited.

Block Period: Displays the length of time for which the FortiWeb unit will block additional requests after a source IP address exceeds a rate threshold.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile, or if the entry is a template entry. Click the Edit icon to modify the entry. Click the View icon to view a template entry. Click the Clone icon to create a new entry that clones the settings from a predefined robot control profile.

Note: Alternatively, you can automatically configure a robot control profile that allows all predefined search engine types by generating a default auto-learning profile. For details, see “Generating an auto-learning profile and its components” on page 281.

Before you configure a robot control profile, you must first create robot groups, which can then be applied to the robot control profile. Robot groups are used by the profile to identify the specific robots that are allowed access to your web servers without being rate controlled or subject to parameter validation rules, server protection rules, or bad robot detection. For details, see “Configuring predefined robot groups” on page 230 and “Configuring custom robot groups” on page 232.

To configure a robot control profile

1 Go to Web Protection > Robot Control > Robot Control.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A new dialog appears. Alternatively, click the Clone icon to create a new entry based on a predefined entry. In this case, a dialog appears with just the Name field.


3 In Name, type the name of the robot control profile. This field cannot be modified if you are editing an existing robot control profile. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

Bad Robot: Enable to detect web crawlers that are known to ignore no-index, no-follow and other directives, then select which action the FortiWeb unit will take when it detects one.

Action, Severity and Trigger Policy: The Action, Severity and Trigger Policy drop-down menus control what the FortiWeb unit does when it detects a bad robot violation. Each violation can be uniquely configured. The following actions can be performed for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Policy settings, see “Responding to web protection rule violations” on page 191.
Note: If a WAF Auto Learning Profile will be selected in the policy with profiles that use this rule, you should select Alert. If the Action is Alert & Deny, the FortiWeb unit resets the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.

Allow Robot: Select a group of well-known search engines’ web crawlers, if any, that will be exempt from the rate limit of this robot control profile. For details about creating robot groups, see “Configuring predefined robot groups” on page 230. The FortiWeb unit skips all subsequent intrusion detection features for these clients, including parameter validation rules, server protection rules, and bad robot detection.
Note: To view the information associated with the robot group, select the Detail link beside the Allow Robot list. A read-only version of the Edit Robot Group window opens.
Attack log messages contain DETECT_ALLOW_ROBOT_GOOGLE, DETECT_ALLOW_ROBOT_YAHOO, DETECT_ALLOW_ROBOT_MSN, and similar messages when this feature detects an allowed predefined robot. For details, see “Event Log Console widget” on page 48 or “Viewing log messages” on page 331.

Allow Custom Robot: Select a group of custom robots, if any, that will be exempt from the rate limit of this robot control profile. For details about creating custom robot groups, see “Configuring custom robot groups” on page 232. The FortiWeb unit skips all subsequent intrusion detection features for these clients, including parameter validation rules, server protection rules, and bad robot detection.
Note: To view the information associated with the custom robot group, select the Detail link beside the Allow Custom Robot list. A read-only version of the Edit Custom Robot Group window opens.
Attack log messages contain DETECT_ALLOW_ROBOT: Custom-Robot-1 (where Custom-Robot-1 is the name that you configured for the robot’s signature) when this feature detects an allowed custom robot. For details, see “Event Log Console widget” on page 48 or “Viewing log messages” on page 331.

Malicious Robot Prevention

Standalone IP Access Limit: Type the rate limit in number of requests per second for source IP addresses that are single clients. Request rates exceeding the threshold cause the FortiWeb unit to block additional requests for the length of time set in the Block Period field. To disable the rate limit, type 0.

Share IP Access Limit: Type the rate limit in number of requests per second for source IP addresses that are shared by multiple clients behind a network address translation (NAT) device such as a firewall or router. Request rates exceeding the threshold cause the FortiWeb unit to block additional requests for the length of time set in the Block Period field. To disable the rate limit, type 0.
Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client. In addition, the rate is a total rate for all clients that use the same source IP address. For these reasons, you should usually enter a greater value for this field than for Standalone IP Access Limit.

Block Period: Type the length of time for which the FortiWeb unit will block additional requests after a source IP address exceeds its rate threshold.

5 Click OK. To apply the robot control profile, select it in an inline or offline protection profile. For details, see “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274. Attack log messages contain DETECT_MALICIOUS_ROBOT when this feature detects a misbehaving robot or any other HTTP client that exceeds the rate limit.

Configuring predefined robot groups

Web Protection > Robot Control > Robot Group displays the list of groups of predefined robots. A robot group contains one or more of the predefined robot signatures. For information on predefined robot signatures, see “Viewing the list of predefined robots” on page 234. To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 92: Web Protection > Robot Control > Robot Group tab

Create New: Click to add a known robot group.

#: Displays the index number of the entry in the list.

Name: Displays the name of the entry.

Count: Displays the number of known robots contained in the group.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a robot control profile. Click the Edit icon to modify the entry. Click the View icon to view a predefined entry. Click the Clone icon to create a new entry based on a predefined entry.

To configure a predefined robot group

1 Go to Web Protection > Robot Control > Robot Group.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A new dialog appears. Alternatively, click the Clone icon to create a new entry based on a predefined entry. In this case, a dialog appears with just the Name field.

3 In Name, type the name of the robot group. This field cannot be modified if you are editing an existing robot group. To modify the name, delete the entry, then recreate it using the new name.

4 Click OK.

5 Click Create New. A new dialog appears.

6 Configure the following:

ID: Enter the index number of the robot entry within the robot group, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.

Robot: Select the name of a robot. For the predefined list of well-known robots and their defining patterns, see “Viewing the list of predefined robots” on page 234.

7 Click OK.

8 Repeat the previous steps for each robot that you want to add to the robot group.

9 To modify a robot, click its Edit icon. To remove a single robot from the robot group, click its Delete icon. To remove all robots from the robot group, click the Clear icon.

10 Click OK.

To use a robot group, you must select it in a robot control profile. For details, see “Configuring robot control profiles” on page 227.

Configuring custom robot groups

Web Protection > Robot Control > Custom Robot displays the list of custom robot groups. Instead of using groups of predefined well-known robots, you can configure groups of custom robot signatures. Each signature is a regular expression that the FortiWeb unit compares to the User-Agent: field in the HTTP header in order to determine whether or not the HTTP client is a legitimate robot. Legitimate robots, such as search engine indexers, usually should be exempt from attack detection. If your organization has written its own search indexer, or uses a third-party spider not identified in the predefined list, you may need to write a custom robot signature. To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 93: Web Protection > Robot Control > Custom Robot tab

Create New: Click to add a custom robot group.

#: Displays the index number of the entry in the list.

Name: Displays the name of the entry.

Count: Displays the number of custom robots contained in the group.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a robot control profile. Click the Edit icon to modify the entry.

To configure a group of custom robot signatures

1 Go to Web Protection > Robot Control > Custom Robot.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the custom robot signature set. This field cannot be modified if you are editing an existing custom robot group. To modify the name, delete the entry, then recreate it using the new name.

4 Click OK.

5 Click Create New. A dialog appears.

6 Configure the following:

ID: Type the index number of the custom robot signature within the set, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.

Robot Type Name: Type a name, such as Intranet-Indexer, for the signature. This name will appear in log messages where the signature was used to detect a robot.

Robot Expression: Type a regular expression that matches all and only the User-Agent: fields in the HTTP header known to be produced by the custom robot. For example, if a custom robot sends either:
• User-Agent: happy-spider
• User-Agent: happy-spider2.0
but not User-Agent: baiduspider, you would write a regular expression that matches the first two cases but not the third. Anchor the expression and escape literal characters: an unanchored fragment such as spider also matches baiduspider, and every client that matches is exempted from the profile’s other checks.
To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

7 Click OK.

8 Repeat the previous steps for each custom robot signature that you want to add to the custom robot group. Only one custom robot group may be selected per robot control profile, so you may want to include multiple custom robot signatures in this group.

9 To modify a custom robot signature, click its Edit icon. To remove a single signature from the group, click its Delete icon. To remove all signatures from the group, click the Clear icon.

10 Click OK. To use a custom robot group, you must select it in a robot control profile. For details, see “Configuring robot control profiles” on page 227.

Viewing the list of predefined robots

Web Protection > Robot Control > Known Robot displays the predefined list of well-known robots. Select the blue arrow next to a robot name to expand the entry, displaying the pattern contained in the entry.

Figure 31: Viewing the list of known robots

The pattern contains a regular expression that the FortiWeb unit compares to the User-Agent: field in the HTTP header in order to determine whether or not the HTTP client is a well-known, legitimate robot. Legitimate robots, such as search engine indexers, should be included in a robot group and applied to a robot control profile to exempt them from attack detection. You apply predefined robots indirectly by first forming groups of robots, then selecting those groups in a robot control profile. For details, see “Configuring predefined robot groups” on page 230.
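The following Python script is an added worked example, not code from this guide or from Fortinet. It models how one robot control profile combines the three mechanisms described in the sections above: User-Agent signatures for allowed robots (one stand-in for a predefined group member, plus the happy-spider custom signature from the Robot Expression description), a Bad Robot signature, and the per-source-IP rate limit with its Standalone and Share thresholds and Block Period. Everything in it is an assumption of the example: the signature patterns, the one-second counting window, how a shared address is recognised (an operator-supplied set), that the request which crosses the threshold is itself blocked, and the log-tag strings, which only imitate the DETECT_* format quoted in the guide.

```python
"""Added example: a model of one FortiWeb robot control profile.  Not Fortinet code;
every signature, threshold and name below is this example's own assumption."""
import re
from collections import defaultdict, deque

# Constructed User-Agent signatures.  The predefined-style entry stands in for a
# robot group member; the custom entry is the happy-spider case from the guide:
# it must match "happy-spider" and "happy-spider2.0" but not "baiduspider", so it
# is anchored at both ends and allows only an optional dotted version number.
ALLOWED_ROBOTS = {
    "GOOGLE": re.compile(r"\bGooglebot/"),
    "Custom-Robot-1": re.compile(r"^happy-spider(\d+(\.\d+)*)?$"),
}
# Hypothetical misbehaving crawler, present only to exercise the Bad Robot path.
BAD_ROBOTS = {"Constructed-Bad-Bot": re.compile(r"^EvilCrawler/", re.IGNORECASE)}

WINDOW = 1.0  # the thresholds are requests per second, so count over a 1 s window


class RobotControlProfile:
    def __init__(self, standalone_limit, shared_limit, block_period,
                 bad_robot_action="Alert & Deny", shared_ips=()):
        self.standalone_limit = standalone_limit   # 0 disables the limit
        self.shared_limit = shared_limit           # 0 disables the limit
        self.block_period = block_period           # seconds (assumed unit)
        self.bad_robot_action = bad_robot_action   # Alert, Alert & Deny, Redirect, Send 403 Forbidden
        # Assumption: the operator lists the NAT/proxy addresses to treat as shared.
        self.shared_ips = frozenset(shared_ips)
        self._recent = defaultdict(deque)   # ip -> request times inside the window
        self._blocked_until = {}            # ip -> time at which the penalty ends

    def evaluate(self, now, ip, user_agent):
        """Classify one request.  Returns (action, log_tag); the log tags imitate
        the DETECT_* strings quoted in the guide, not FortiWeb's exact output."""
        ua = user_agent or ""
        # 1. Allowed robots are exempt from the rate limit and from every later
        #    check.  The User-Agent is client-supplied, so a blocked client that
        #    starts claiming to be an allowed robot gets through: keep groups narrow.
        for name, pattern in ALLOWED_ROBOTS.items():
            if pattern.search(ua):
                tag = (f"DETECT_ALLOW_ROBOT_{name}" if name.isupper()
                       else f"DETECT_ALLOW_ROBOT: {name}")
                return "accept", tag
        # 2. A penalty from an earlier rate violation is still running.
        if self._blocked_until.get(ip, 0.0) > now:
            return "block", "DETECT_MALICIOUS_ROBOT"
        # 3. Known-bad crawler, handled with the profile's Bad Robot action.
        for pattern in BAD_ROBOTS.values():
            if pattern.search(ua):
                return self.bad_robot_action, "DETECT_MALICIOUS_ROBOT"
        # 4. Per-source-IP rate limit.  The Share threshold is a total for every
        #    client behind that address, which is why it is normally set higher.
        limit = self.shared_limit if ip in self.shared_ips else self.standalone_limit
        if limit == 0:
            return "accept", None
        window = self._recent[ip]
        window.append(now)
        while window and now - window[0] >= WINDOW:
            window.popleft()
        if len(window) > limit:
            # Assumption: the request that crosses the threshold is blocked too,
            # and the Block Period starts from it.
            self._blocked_until[ip] = now + self.block_period
            window.clear()
            return "block", "DETECT_MALICIOUS_ROBOT"
        return "accept", None


def replay(profile, requests):
    """Feed (time, source ip, user agent) tuples through the profile in order."""
    return [profile.evaluate(*req) for req in requests]


if __name__ == "__main__":
    # Constructed traffic: a scripted client hammering the site, then trying to
    # escape the block by claiming to be the custom robot.
    profile = RobotControlProfile(standalone_limit=5, shared_limit=20, block_period=60,
                                  shared_ips={"198.51.100.7"})
    burst = [(0.1 * i, "203.0.113.10", "Mozilla/5.0") for i in range(7)]
    burst += [(30.0, "203.0.113.10", "happy-spider2.0"), (61.0, "203.0.113.10", "Mozilla/5.0")]
    for req, (action, tag) in zip(burst, replay(profile, burst)):
        print(f"t={req[0]:5.1f} {req[1]:14} {req[2]:18} -> {action:13} {tag or ''}")
```

Running the script shows the sixth request in the burst being blocked, the penalty still in force at t=30, the same address accepted as soon as it presents the custom robot’s User-Agent (the spoofing caveat from the Allow Robot description), and normal service resuming once the Block Period has elapsed.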


Configuring allowed request method policy

Web Protection > Allow Request Method > Allow Method Policy displays the list of policies for allowed HTTP request methods. The request method policy enables you to build specific combinations of allowed HTTP request methods and specific exceptions to those combinations. Allow only the methods that the application actually uses; every method you enable is one more way for a client to reach the web server. To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 94: Web Protection > Allow Request Method > Allow Method Policy tab

Create New: Click to add a new HTTP request method policy.

#: Displays the index number of the entry in the list.

Name: Displays the name of the allow method policy.

Severity: Each policy is assigned a severity. When a policy violation occurs, the violation is recorded and reported with the designated severity. See “Responding to web protection rule violations” on page 191.

Trigger Policy: A trigger policy identifies who will receive an alert email when a violation occurs, and how the log message associated with the violation, if applicable, is recorded. See “Responding to web protection rule violations” on page 191.

Allow Method Exceptions: Identifies the name of the HTTP method exception rules associated with the policy. For more information, see “Configuring allowed method exceptions” on page 237.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile. Click the Edit icon to modify the entry.

To include method exceptions, create them first. For more information, see “Configuring allowed method exceptions” on page 237.

Tip: To extend the versatility of a request method policy, you can create and incorporate exceptions (see “Configuring allowed method exceptions” on page 237).

To configure an HTTP request method policy

1 Go to Web Protection > Allow Request Method > Allow Method Policy.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the HTTP request method policy. This field cannot be modified if you are editing an existing allow method policy. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

Name: Enter the name of the allow method policy.

Allow Request: Mark the check boxes for all HTTP request methods that you want to allow for this specific policy. Only the selected methods will be allowed on all web servers where this policy is used, unless exceptions are defined for specific URL/hosts. For more information, see “Configuring allowed method exceptions” on page 237.
Note: If a WAF Auto Learning Profile is used in the server policy where the HTTP request method policy is applied (via the Web Protection Profile), you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb unit to learn about. If a method is disabled, the FortiWeb unit resets the connection, and therefore cannot learn about the session.

Severity: Select the severity level you want FortiWeb to use in the records and reports generated when a violation of the HTTP request method policy occurs. You can configure the violation as either Low, Medium or High severity. For information on Severity and Trigger Policy settings, see “Responding to web protection rule violations” on page 191.

Trigger Policy: Select the trigger policy you want FortiWeb to apply when a violation of the HTTP request method policy occurs. Trigger policies determine who will be notified by email when the policy violation occurs, and whether the log message associated with the violation is recorded. For more information, see “Responding to web protection rule violations” on page 191.

Allow Method Exceptions: Select the HTTP request method exception to apply to the policy. The method exceptions define specific HTTP request methods that are allowed for specific URLs and hosts.
Note: To view the information associated with the HTTP request method exceptions used by this policy, select the Detail link beside the Allow Method Exceptions list. A read-only version of the Allow Method Exceptions window opens. For more information, see “Configuring allowed method exceptions” on page 237.

5 Click OK. To apply the allow method policy, select it in an inline or offline protection profile. For details, see “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274.
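As an added example (not code from this guide or from Fortinet), the following Python models an allow method policy together with the allowed method exceptions that the next section describes: host-qualified exception rules whose URL Pattern is either a Simple String or a Regular Expression, consulted before the policy’s own method list. Its assumptions are its own: a matching exception’s method list is used instead of the policy list for that URL, the request path is percent-decoded and dot-segment-normalised before a literal URL is compared, HTTP methods are compared case-sensitively, and a violation is returned as a record carrying the policy’s Severity and Trigger Policy values. The class names, the host names and the trigger policy name notify-secops are invented for the example.

```python
"""Added example: a model of an allow method policy with allowed method exceptions.
Not FortiWeb code; the matching order and the normalisation are this example's own."""
import posixpath
import re
from urllib.parse import unquote


def normalize_path(raw_path):
    """Percent-decode and collapse dot segments before a URL pattern is applied, so
    that /%75pload and /x/../upload compare as /upload.  A literal-URL exception
    matched against the raw text would be bypassed by such spellings.  The query
    string is not part of the URL pattern and is dropped."""
    path = unquote(raw_path.split("?", 1)[0])
    norm = posixpath.normpath("/" + path.lstrip("/"))
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm


class MethodException:
    """One rule inside an Allow Method Exceptions entry (Host, Type, URL Pattern,
    Allow Method Exception).  host=None models Host Status disabled."""

    def __init__(self, methods, url_pattern, pattern_type="Simple String", host=None):
        self.methods = frozenset(methods)
        self.host = host.lower() if host else None
        if pattern_type == "Simple String":
            if not url_pattern.startswith("/"):
                raise ValueError("a literal URL must begin with /")
            self.regex = re.compile("^" + re.escape(url_pattern) + "$")
        elif pattern_type == "Regular Expression":
            self.regex = re.compile(url_pattern)
        else:
            raise ValueError("Type must be Simple String or Regular Expression")

    def matches(self, host, path):
        if self.host is not None and host != self.host:
            return False
        return self.regex.search(path) is not None


class AllowMethodPolicy:
    def __init__(self, name, allowed_methods, exceptions=(), severity="Medium",
                 trigger_policy=None):
        self.name = name
        self.allowed = frozenset(allowed_methods)
        self.exceptions = list(exceptions)
        self.severity = severity
        self.trigger_policy = trigger_policy

    def evaluate(self, method, host, raw_path):
        """Return ("allow", None) or ("violation", details).  Methods are compared
        case-sensitively: under RFC 7230 "get" is a different method from GET, and
        treating it as GET would let a client slip a method past the policy."""
        path = normalize_path(raw_path)
        host = host.lower().split(":", 1)[0]      # Host: header with the port removed
        allowed = self.allowed
        for rule in self.exceptions:
            if rule.matches(host, path):
                # Assumption: the first matching exception's list is used instead
                # of the policy list for this URL; the guide does not say whether
                # exception lists add to or replace it.
                allowed = rule.methods
                break
        if method in allowed:
            return "allow", None
        return "violation", {
            "policy": self.name, "severity": self.severity,
            "trigger_policy": self.trigger_policy,
            "method": method, "host": host, "url": path,
        }


# Constructed configuration: a read-only site with two exceptions, one host-bound
# regular expression for a REST resource and one literal URL for uploads.
EXAMPLE_EXCEPTIONS = [
    MethodException({"GET", "PUT", "DELETE"}, r"^/api/v1/items/\d+$",
                    "Regular Expression", host="www.example.com"),
    MethodException({"POST"}, "/upload"),
]
EXAMPLE_POLICY = AllowMethodPolicy("read-only", {"GET", "HEAD"}, EXAMPLE_EXCEPTIONS,
                                   severity="High", trigger_policy="notify-secops")

if __name__ == "__main__":
    for req in [("GET", "www.example.com", "/index.html"),
                ("POST", "www.example.com", "/index.html"),
                ("PUT", "www.example.com:443", "/api/v1/items/42"),
                ("PUT", "intranet.example.com", "/api/v1/items/42"),
                ("POST", "www.example.com", "/%75pload"),
                ("POST", "www.example.com", "/upload/../admin"),
                ("get", "www.example.com", "/index.html")]:
        print(req, "->", EXAMPLE_POLICY.evaluate(*req)[0])
```

The two encoded requests in the demo are the reason normalisation comes first: without it, /%75pload would miss the literal /upload exception and be refused, while /upload/../admin would match it and let a POST through to /admin.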


Configuring allowed method exceptions

Web Protection > Allow Request Method > Allow Method Exceptions displays the list of allowed method exceptions. While most URL and host name combinations controlled by a profile may require similar HTTP request methods, you may have some that require different methods. Instead of forming separate policies and profiles for those requests, you can configure allowed method exceptions. The method exceptions define specific HTTP request methods that are allowed for specific URLs and hosts. To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 95: Web Protection > Allow Request Method > Allow Method Exceptions tab

Create New: Click to add an allowed method exception.

#: Displays the index number of the entry in the list.

Name: Displays the name of the entry.

Allow Method Exception Count: Displays the number of individual rules contained in the entry.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile. Click the Edit icon to modify the entry.

Before you configure an allowed method exception, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see “Configuring protected servers” on page 147.

To configure an allowed method exception

1 Go to Web Protection > Allow Request Method > Allow Method Exceptions.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the allowed method exception. This field cannot be modified if you are editing an existing allowed method exception. To modify the name, delete the entry, then recreate it using the new name.

4 Click OK.

5 Click Create New. A dialog appears.

6 Configure the following:

ID: Enter the index number of the individual rule within the allowed method exception, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.

Host Status: Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the allowed method exception. Also configure Host.

Host: Select which protected hosts entry (either a web host name or IP address) the Host: field of the HTTP request must match in order to match the allowed method exception. This option is available only if Host Status is enabled.

Type: Select whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression.

URL Pattern: Depending on your selection in Type, enter either:
• the literal URL, such as /index.php, that is an exception to the generally allowed HTTP request methods. The URL must begin with a slash ( / ).
• a regular expression, such as ^/.*\.php$, matching all and only the URLs which are exceptions to the generally allowed HTTP request methods. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm. Escape the dot before the file extension and anchor the end of the expression: an unescaped dot matches any character, and an expression without an end anchor also matches URLs such as /index.php.bak. For example, if multiple URLs on a host have identical HTTP request method requirements, you would type a regular expression matching all of and only those URLs.
Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list. To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

Allow Method Exception: Select the check boxes for all HTTP request methods you want to allow.
Note: If a WAF Auto Learning Profile will be selected in the policy with an offline protection profile that uses this allowed method exception, you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb unit to learn about. If a method is disabled, the FortiWeb unit resets the connection, and therefore cannot learn about the session.

7 Click OK.

8 Repeat the previous steps for each exception that you want to add to the allowed method exceptions.

9 To modify an exception, click its Edit icon. To remove an exception, click its Delete icon. To remove all exceptions, click the Clear icon.

10 Click OK.

To apply the allowed method exception, select it in an allow method policy. For details, see “Configuring allowed request method policy” on page 235.

Configuring hidden field protection profiles

Web Protection > Hidden Fields Protection > Hidden Fields Protection displays the list of hidden field protection profiles. Hidden fields are unlike other inputs, because they are not visible on a rendered web page. As such, if hidden fields are tampered with, the tampering could go undetected. Hidden field protection profiles enable you to apply individual hidden field rules that FortiWeb uses to detect hidden fields that have been tampered with. To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 96: Web Protection > Hidden Fields Protection > Hidden Fields Protection tab

Tip: To create a hidden fields protection profile, you must first configure one or more hidden field rules. See “Configuring hidden field rules” on page 241.

Create New: Click to add a hidden field protection profile.

#: Displays the index number of the entry in the list.

Name: Displays the name of the entry.

Rule Count: Displays the number of individual hidden field rules contained in the profile.

(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline protection profile. Click the Edit icon to modify the entry.

To configure a hidden field profile

1 Go to Web Protection > Hidden Fields Protection > Hidden Fields Protection.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the hidden field profile. This field cannot be modified if you are editing an existing hidden field profile. To modify the name, delete the entry, then recreate it using the new name.

4 Click OK.

5 Click Create New. A dialog appears.

6 Select the name of a hidden field rule that you want to apply to the hidden fields protection profile from the Hidden Fields Rule drop-down list. To view the information associated with a hidden field rule, select the Detail link. A read-only version appears.

7 Click OK.

8 Repeat the previous steps for each individual rule that you want to add to the hidden field profile.


9 To modify an individual rule, click its Edit icon. To remove an individual rule from the hidden field profile, click its Delete icon. To remove all individual rules from the hidden field profile, click the Clear icon.

10 Click OK. To apply the hidden field protection profile, select it in an inline protection profile. For details, see “Configuring inline protection profiles” on page 268.

Configuring hidden field rules

Web Protection > Hidden Fields Protection > Hidden Fields Rule displays the list of hidden field rules.

Like other types of parameters and inputs, hidden form inputs can be vulnerable to tampering and can be used as a vector for other attacks. Unlike other inputs, hidden form inputs are often written into an HTML page by the web server when it serves that page to the client, and are not visible on the rendered web page. As such, they are sometimes perceived as relatively safe. Like other inputs, however, hidden fields are accessible through the JavaScript document object model (DOM), and a client can edit them before submitting the form or simply craft the request without a browser at all. As inputs, they can be used to inject invalid data into your databases or attempt to tamper with the session state, for example by changing a value that the server trusts because it set the value itself.

Hidden field rules prevent such tampering by caching the values of a session’s hidden inputs as they pass to the HTTP client, and verifying that they remain unchanged when the HTTP client submits a form. Hidden field rules apply to hidden inputs only. For information on constraining visible inputs, see “Configuring parameter validation input rules” on page 194.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Note: In order for hidden field rules to be enforced, you must also enable Session Management in the inline protection profile: the cached values belong to a session, so without one there is nothing to compare a submission against.

Table 97: Web Protection > Hidden Fields Protection > Hidden Fields Rule tab

Create New: Click to add a hidden field rule.

#: Displays the index number of the entry in the list.

Name: Displays the name of the entry.

Edit: Click the Edit icon to modify the entry.

Delete: Click the Delete icon to remove the entry.


Before you configure a hidden field rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see “Configuring protected servers” on page 147.

To configure a hidden field rule

1 Go to Web Protection > Hidden Fields Protection > Hidden Fields Rule.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the hidden field constraint. This field cannot be modified if you are editing an existing hidden field rule. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

GUI item Description
Host status: Enable if you want the hidden field rule to apply only to HTTP requests for a specific web host. Also configure Host.
Host: Select the name of a protected host that the Host: field of an HTTP request must be in order to match the hidden field rule. This option is available only if Host status is enabled.
Action, Severity and Trigger Policy: The Action, Severity and Trigger Policy drop-down menus allow you to control what the FortiWeb unit will do when it detects a specific violation such as an attack, suspicious request or other threat. Each violation can be uniquely configured. The following actions are available for this type of attack:
• Alert
• Alert & Deny
• Redirect
• Send 403 Forbidden
For information on Action, Severity and Trigger Policy settings, see “Responding to web protection rule violations” on page 191.
Note: If a WAF Auto Learning Profile will be selected in the policy with profiles that use this rule, you should select Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.

5 Click OK.

6 Click Fetch URL, and then enter the following information in the pop-up dialog that appears:

GUI item Description
Request URL: Type the exact URL that contains the hidden form for which you want to create a hidden field rule. The URL must begin with a slash ( / ). Do not include the web host name, such as www.example.com. It is configured separately in the Host drop-down list.
Pserver: Select the IP address of the physical server that hosts the web site with the hidden field.
Port: Type the TCP port number on which the physical server listens for HTTP connections.

Figure 32: Fetch URL dialog

• The pop-up dialog also includes a Fetch URL button. Click it to retrieve the web page you specified in Request URL. Another pop-up dialog appears, displaying a list of hidden inputs that the FortiWeb unit found in that web page, and the URLs to which those hidden inputs will be posted when a client submits the form.
Entries in the list are color-coded by the recommended course of action:
• Blue: The URL/hidden field exists in the requested URL, but you have not yet configured it in the hidden field rule. You may want to add it to the hidden field rule.
• Red: The URL/hidden field does not exist in the requested URL, yet it is currently configured in the hidden field rule. You may want to remove it from the hidden field rule.
• Black: The URL/hidden field exists in both the requested URL and your hidden field rule.
• For each entry that you want to be in the hidden field rule, in the Status column, select its check box.
• Click OK to save the entries in the dialog.

7 If there are any additional hidden fields or post URLs that you want to manually add to the hidden field rule, click Create New. A dialog appears. Enter the name of the post URL or hidden field.

8 Repeat the previous steps for each post URL or hidden field that you want to manually add to the hidden field rule.

9 To modify an individual rule, click its Edit icon. To remove an individual rule from the hidden field rule, click its Delete icon. To remove all individual rules from the hidden field rule, click the Clear icon.

10 Click OK.

To apply the hidden field rule, select it in a hidden fields protection profile. For details, see “Configuring hidden field protection profiles” on page 239.
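The mechanism this section describes, as an added example in Python (not FortiWeb code): the parser lists the hidden inputs and their post URLs the way the Fetch URL dialog does, a rule selects which (post URL, field) pairs to protect, and a per-session cache records the served values and reports any that changed on submission. The page, session id and rule below are constructed.

```python
"""Hidden field rule enforcement, modelled on the behaviour described above:
cache a session's hidden input values on the way to the client, then verify
them when the client submits the form.

Added example, not FortiWeb code. The page, session id and rule are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs


class _HiddenInputParser(HTMLParser):
    """Collects (post URL, field name, value) for every hidden input in a page."""

    def __init__(self):
        super().__init__()
        self._action = None      # action of the form currently being parsed
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.fields.append((self._action or "", a.get("name") or "", a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def fetch_hidden_inputs(html):
    """What the Fetch URL dialog reports: hidden inputs and the URL each is posted to."""
    parser = _HiddenInputParser()
    parser.feed(html)
    return parser.fields


class HiddenFieldRule:
    """The protected (post URL, hidden field name) pairs selected in the rule."""

    def __init__(self, protected):
        self.protected = frozenset(protected)


class HiddenFieldGuard:
    """Per-session cache of served hidden values, checked against submissions."""

    def __init__(self):
        self._cache = {}   # (session id, post URL, field name) -> served value

    def record_response(self, session_id, rule, html):
        """Called on the response leg: remember what the server sent this session."""
        for action, name, value in fetch_hidden_inputs(html):
            if (action, name) in rule.protected:
                self._cache[(session_id, action, name)] = value

    def check_submission(self, session_id, rule, post_url, body):
        """Called on the request leg. Returns a list of violations; empty means unchanged."""
        submitted = parse_qs(body, keep_blank_values=True)
        violations = []
        for action, name in sorted(rule.protected):
            if action != post_url:
                continue
            served = self._cache.get((session_id, action, name))
            got = submitted.get(name, [None])[0]
            if served is None:
                violations.append(f"{name}: no cached value for this session")
            elif got is None:
                violations.append(f"{name}: hidden field missing from submission")
            elif got != served:
                violations.append(f"{name}: served {served!r}, submitted {got!r}")
        return violations


# Constructed page, as the server would send it to the client.
SAMPLE_PAGE = """<html><body>
<form action="/cart/checkout" method="post">
  <input type="hidden" name="item_id" value="1042">
  <input type="hidden" name="unit_price" value="19.99">
  <input type="text" name="qty" value="1">
  <input type="submit" value="Buy">
</form>
</body></html>"""

# Constructed rule: both hidden fields of the checkout form are protected.
SAMPLE_RULE = HiddenFieldRule({("/cart/checkout", "item_id"),
                               ("/cart/checkout", "unit_price")})
```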

Note: In addition to new items, select the check boxes of any previously configured items that you want to keep in the hidden field rule. If you do not, they will be deleted.

Configuring URL rewriting policy

Web Protection > URL Rewriting Policy > URL Rewriting Policy displays the list of URL rewriting policies.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Caution: When configuring URL rewriting policy, check to see whether there are any HTTP conversion policies in use that might conflict with the URL rewriting policy. If conflicts occur, the URL rewriting policy takes priority over the HTTP conversion policy. See “Configuring HTTP conversion policy” on page 141.

Tip: To create an effective URL rewriting policy, you must first configure one or more URL rewriting rules. See “Configuring URL rewriting rules” on page 246.


Table 98: Web Protection > URL Rewriting Policy > URL Rewriting tab

GUI item Description
Create New: Click to add a URL rewriting group.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
URL Rewriting Count: Displays the number of individual rules contained in the entry.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline protection profile. Click the Edit icon to modify the entry.

Before you can configure a URL rewriting policy, you must first configure the URL rewriting rules that you want to include in the policy. For details, see “Configuring URL rewriting rules” on page 246.

To configure a URL rewriting policy

1 Go to Web Protection > URL Rewriting Policy > URL Rewriting Policy.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, enter the name of the URL rewriting group. This field cannot be modified if you are editing an existing URL rewriting group. To modify the name, delete the entry, then recreate it using the new name.

4 Click OK.

5 Click Create New. A dialog appears.


6 Configure the following:

GUI item Description
ID: Type the index number of the entry, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number. The number must be between 1 and 99,999 and must be unique for each entry in the group.
Priority: Type the order of evaluation for this rule in the group, starting from 0. To create an entry with the highest match priority, enter 0. For lower-priority matches, enter larger numbers.
Note: Rule order affects URL rewriting rule matching and behavior. The search begins with the smallest Priority number (greatest priority) rule in the list and progresses in order towards the largest number in the list. Matching rules are determined by comparing the rule and the connection’s content. If no rule matches, the connection remains unchanged. When the FortiWeb unit finds a matching rule, it applies the matching rule's specified actions to the connection.
Rewriting Rule Name: Select the name of an existing URL rewriting rule that you want to include in the group. If you want to view the information associated with a URL rewriting rule, select the Detail link. A read-only version appears.

7 Click OK.

8 Repeat the previous steps for each individual rule that you want to add to the URL rewriting policy.

9 To modify an individual rule, click its Edit icon. To remove an individual rule from the URL rewriting policy, click its Delete icon. To remove all individual rules from the URL rewriting policy, click the Clear icon.

10 Click OK.

To apply the URL rewriting policy, select it in an inline protection profile. For details, see “Configuring inline protection profiles” on page 268.

Configuring URL rewriting rules

Web Protection > URL Rewriting Policy > URL Rewriting Rule displays the list of URL rewriting rules.

URL rewriting rules can:
• rewrite the URL line or the Referer: field in the HTTP header
• redirect requests to another web site

Similar to error message cloaking, URL rewriting can be useful to prevent the disclosure of underlying technology or web site structures to HTTP clients. For example, when visiting a blog web page, its URL might be:

http://www.example.com/wordpress/?feed=rss2

Simply knowing the file name, that the blog uses PHP, its compatible database types, and the names of parameters via the URL could help an attacker craft an appropriate attack for that platform. By rewriting the URL to something more human-readable and less platform-specific, the details can be hidden, such as:

http://www.example.com/rss2

Note: URLs in the HTML body are not rewritten.


To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 99: Web Protection > URL Rewriting Policy > URL Rewriting Rule tab

GUI item Description
Create New: Click to add a URL rewriting rule.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
URL Rewriting Count: Displays the number of URL rewriting items contained in the entry.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a URL rewriting set. Click the Edit icon to modify the entry.

Note: URL rewrites are applicable when the FortiWeb unit operates in reverse proxy mode and true transparent proxy mode without HTTPS.

To configure a URL rewrite rule

1 Go to Web Protection > URL Rewriting Policy > URL Rewriting Rule.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.


3 In Name, enter the name of the URL rewriting rule. This field cannot be modified if you are editing an existing URL rewriting rule. To modify the name, delete the entry, then recreate it using the new name.

4 From the Action list, select which of the following actions you want the FortiWeb unit to take when it receives a matching request:
• Rewrite HTTP Header: Rewrite header fields (Host:, request URL, and Referer: fields), as specified in the URL Rewriting Condition Table.
• Redirect: Send a 302 (Moved Temporarily) response to the client, with a new Location: field in the HTTP header.
• Send 403 Forbidden: Send a 403 (Forbidden) response to the client.
• Rewrite HTTP Body: Rewrite URLs in the body of responses.
The contents of the URL Rewriting Condition Table vary with the Action selection.

5 Click OK and configure the following information.

6 In the fields below the URL Rewriting Condition Table, enter the following information, which varies depending on the selection made in the Action list:

GUI item Description
Rewrite HTTP Header
Note: If a check box beside an option is available but you do not configure it, the FortiWeb unit will preserve the value from the client’s request when rewriting it.
  Host: This is the replacement value for the Host: field. Type the name of the host, such as store.example.com, to which the request will be redirected. This field supports back references such as $0 to the parts of the original request that matched any capture groups that you entered in Regular Expression for each object in the condition table. (A capture group is a regular expression, or part of one, surrounded in parentheses.) Use $n (0 <= n <= 9) to invoke a substring, where n is the order of appearance of the regular expression, from left to right, from outside to inside, then from top to bottom. For example, regular expressions in the condition table in this order:
  (a)(b)(c(d))(e)(f)
  would result in variables with the following values:
  • $0: a
  • $1: b
  • $2: cd
  • $3: d
  • $4: e
  • $5: f
  For an example, see “URL rewriting examples” on page 250.
  URL: This is the replacement value for the URL field. Type the string, such as /catalog/item1, that will replace the request URL. Do not include the name of the web host, such as www.example.com, nor the protocol. Like Host, this field supports back references such as $0 to the parts of the original request that matched any capture groups that you entered in Regular Expression for each object in the condition table. For an example, see “URL rewriting examples” on page 250.
  Referer: This is the replacement value for the Referer: field. Select the referer URL that will be used when rewriting the Referer: field in the HTTP header. This option is available only if Action is Rewrite HTTP Header.
Redirect
  Location: Type the value for the Location: field in the HTTP header for the 302 response.
Send 403 Forbidden
  No options available.
Rewrite HTTP Body
  Replacement: Type the replacement value for the specific HTTP content in the body of responses. For an example, see “URL rewriting examples” on page 250.

7 Click OK.

8 Click Create New. A dialog appears.

9 Configure the following:

GUI item Description
ID: Type the index number of the individual entry in the URL rewriting condition table. The index number is an identifier only, and does not affect the display order or match order. The number must be between 1 and 99,999 and must be unique for each entry.
Object: Select which part of the HTTP request will be tested for a match:
• HTTP Host
• HTTP Request URL
• HTTP Referer
If the request must meet multiple conditions (for example, it must contain both a matching Host: field and a matching URL), add each object match condition to the condition table separately.
If no Referer field in HTTP header: Select either:
• Do not meet this condition
• Meet this condition
Requests can lack a Referer: field for several reasons, such as if the user manually types the URL, and the request does not result from a hyperlink from another web site, or if the URL resulted from an HTTPS connection. (See the RFC 2616 section on the Referer: field.) In those cases, the field cannot be tested for a matching value. This option appears only if Object is HTTP Referer.
Regular Expression: Depending on your selection in Object and Meet this condition, type a regular expression that defines either all matching or all non-matching Host: fields, URLs, or Referer: fields. Then, also configure Meet this condition. For example, for the URL rewriting rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in Meet this condition, select Match this condition. The pattern is not required to begin with a slash ( / ). When you have finished typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
Meet this condition if: Indicate how to use Regular Expression when determining whether or not this URL rewriting condition has been met.
• Object does not match the regular expression: If the regular expression does not match the request object, the condition is met.
• Object matches the regular expression: If the regular expression does match the request object, the condition is met.
If all conditions are met, the FortiWeb unit will do your selected Action.

10 Click OK.

11 Repeat the previous steps for each condition that you want to add to the URL rewriting rule.

12 To modify an individual condition, click its Edit icon. To remove an individual condition from the URL rewriting rule, click its Delete icon. To remove all individual conditions from the URL rewriting rule, click the Clear icon.

13 Click OK.

To apply the URL rewrite rule, you must first add it to a URL Rewriting Policy. For details, see “Configuring URL rewriting policy” on page 244.

URL rewriting examples

The following topics provide examples using regular expressions and variables to rewrite URLs.
• Rewriting URLs using regular expressions
• Rewriting URLs using variables


Rewriting URLs using regular expressions

Example.edu is a large university. Professors of example.edu use a mixture of WordPress and Movable Type software for their course web pages to keep students updated. In addition, the campus bookstore and software store use custom shopping cart software. The URLs of these web applications contain clues about the underlying vendors, databases and scripting languages.

Because it is a large organization with many mobile users and guests, and an Internet connection with large bandwidth, the university is a frequent target of attacks. Its network administrators want to hide the underlying technology to make it more difficult for attackers to craft platform-specific attacks. Example.edu also wants to make clients’ bookmarked URLs more permanent, so that clients will not need to repair them if the university switches software vendors.

Because it has so many URLs, the university uses regular expressions to rewrite sets of similar URLs, rather than configuring rewrites for each URL individually. More specific URL rewrite rules are selected first in the URL rewriting group, before general ones, due to the effects of the matching order on which rewrite rule is applied.

Table 100: Example URL rewrites using regular expressions

Regular Expression in URL match condition: ^/cgi/python/ustore/payment.html$
URL (replacement): /store/checkout
Example URL in client’s request: /cgi/python/ustore/payment.html
Result: /store/checkout

Regular Expression in URL match condition: ^/ustore*$
URL (replacement): /store/view
Example URL in client’s request: /ustore/viewItem.asp?id=1&img=2
Result: /store/view

Regular Expression in URL match condition: /Wordpress/(.*)
URL (replacement): /blog/$0
Example URL in client’s request: /wordpress/10/11/24
Result: /blog/10/11/24

Regular Expression in URL match condition: /(.*)\.xml
URL (replacement): /$0
Example URL in client’s request: /index.xml
Result: /index

Rewriting URLs using variables

Example.com has a web site that uses ASP, but the administrator wants it to appear that the web site uses PHP. To do this, she configures a rule that changes any requested file's suffix which is ".asp" into ".php".

The condition table contains two match conditions, in this order:
1 The Host: may be anything.
2 The request URL must end in “.asp”.
If both of those are true, the request is rewritten.

The administrator does not want to rewrite matching requests into a single URL. Instead, she wants each rewritten URL to re-use parts of the original request. To assemble the rewritten URL by re-using the original request’s file path and Host:, the administrator uses two variables: $0 and $1. Each variable refers to a part of the original request. The parts are determined by which capture group was matched in the Regular Expression field of each condition table object.
• $0: The text that matched the first capture group (.*). In this case, because the object is the Host: field, the matching text is the host name, www.example.com.
• $1: The text that matched the second capture group, which is also (.*). In this case, because the object is the request URL, the matching text is the file path, news/local.

Table 101: Example URL rewrite using regular expressions and variables

Condition 1
Example request: www.example.com
Object: HTTP Host
Regular Expression: (.*)
Replacement (Host): $0
Result: www.example.com

Condition 2
Example request: /news/local.asp
Object: HTTP URL
Regular Expression: /(.*)\.asp
Replacement (URL): /$1.php
Result: /news/local.php

Configuring HTTP protocol constraint profiles

Web Protection > HTTP Protocol Constraints > HTTP Protocol Constraints displays the list of HTTP protocol constraint profiles.

Use HTTP protocol constraints to prevent vulnerability to attacks such as buffer overflows in web servers that do not restrict elements of the HTTP protocol, such as its header lines, to acceptable lengths.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 102: Web Protection > HTTP Protocol Constraints > HTTP Protocol Constraints tab
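The back-reference numbering from the Host field description (left to right, outside to inside, then top to bottom across condition rows) and the Example.com rewrite in Table 101, worked through as an added example in Python; this is not FortiWeb code. It assumes each condition row is a (request object, regular expression, must-match) triple and that a missing Referer: value counts as not matching.

```python
"""Back-reference numbering and header rewriting for a URL rewriting condition table.

Added example, not FortiWeb code. It models the behaviour described in this
section: every condition row is (object, regex, must_match); capture groups are
numbered $0, $1, ... left to right, outside to inside, then top to bottom across
rows; and the replacement strings for Host, URL and Referer may use $n.
"""
import re


def evaluate_conditions(request, conditions):
    """Return the captured substrings if every condition is met, else None.

    request: dict with keys "host", "url" and optionally "referer".
    conditions: list of (object_name, pattern, must_match) tuples.
    A request object that is absent (no Referer: field) is treated as not matching.
    """
    captures = []
    for obj, pattern, must_match in conditions:
        value = request.get(obj)
        match = re.search(pattern, value) if value is not None else None
        if must_match:
            if match is None:
                return None
            # Python numbers groups by opening parenthesis, i.e. left to right and
            # outside to inside, which is exactly the order the guide describes.
            captures.extend(match.groups())
        elif match is not None:
            return None
    return captures


def expand(template, captures):
    """Replace $n (0 <= n <= 9) in a replacement string with the n-th capture."""
    def substitute(m):
        n = int(m.group(1))
        return captures[n] if n < len(captures) else ""
    return re.sub(r"\$(\d)", substitute, template)


def rewrite_request(request, conditions, replacements):
    """Apply a Rewrite HTTP Header rule; fields without a replacement keep their value."""
    captures = evaluate_conditions(request, conditions)
    if captures is None:
        return dict(request)        # no match: the request is left unchanged
    rewritten = dict(request)
    for field, template in replacements.items():
        rewritten[field] = expand(template, captures)
    return rewritten


# The guide's numbering example, split across two condition rows (constructed).
NUMBERING_DEMO = [("url", r"(a)(b)", True), ("url", r"(c(d))(e)(f)", True)]

# The Example.com rule from Table 101: Host may be anything, URL must end in .asp.
ASP_TO_PHP_CONDITIONS = [("host", r"(.*)", True), ("url", r"/(.*)\.asp", True)]
ASP_TO_PHP_REPLACEMENTS = {"host": "$0", "url": "/$1.php"}
```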

Tip: If you plan to add HTTP constraints exceptions to your HTTP protocol constraints profile, configure the exceptions first. See “Configuring HTTP protocol constraint exceptions” on page 254.

GUI item Description
Create New: Click to add an HTTP protocol constraint.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Header Length: Displays the maximum acceptable length in bytes of the HTTP header.
Content Length: Displays the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the Content-Length: field in the HTTP header.
Body Length: Displays the maximum acceptable length in bytes of the HTTP body.
Parameter Length: Displays the maximum acceptable length in bytes of parameters in the URL or, for HTTP POST requests, in the HTTP body. Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.
Header Line Length: Displays the maximum acceptable length in bytes of each line in the HTTP header.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile. Click the Edit icon to modify the entry. Click the View icon to view the predefined entry. Click the Clone icon to create a new entry based on a predefined protocol constraint.

To configure an HTTP protocol constraint

1 Go to Web Protection > HTTP Protocol Constraints > HTTP Protocol Constraints.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears. Alternatively, click the Clone icon to make a new entry based on a predefined entry. In this case, a dialog appears with only a Name field.

3 In Name, type the name of the protocol constraint. This field cannot be modified if you are editing an existing protocol constraint. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

Note: Enter 0 for any numerical parameter to disable that parameter check.


GUI item Description
Name: The name of the protocol constraint. This field cannot be modified if you are editing an existing protocol constraint. To modify the name, delete the entry, then recreate it using the new name.
Action, Severity and Trigger Action: The Action, Severity and Trigger Action drop-down menus allow you to control what the FortiWeb unit will do when it detects a specific HTTP protocol violation. Each violation can be uniquely configured. For information on Action, Severity and Trigger Action settings, see “Responding to web protection rule violations” on page 191.
Header Length: Type the maximum acceptable length in bytes of the HTTP header.
Content Length: Type the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the Content-Length: field in the HTTP header.
Body Length: Type the maximum acceptable length in bytes of the HTTP body.
Parameter Length: Type the maximum acceptable length in bytes of parameters in the URL or, for HTTP POST requests, in the HTTP body. Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.
Header Line Length: Type the maximum acceptable length in bytes of each line in the HTTP header.
HTTP Request Length: Type the maximum acceptable length in bytes of the HTTP request.
URL Parameter Length: Type the maximum acceptable length of a URL parameter (including the name and value).
Illegal HTTP Version: Enable to check for illegal HTTP version numbers. If the HTTP version is not "HTTP/1.0" or "HTTP/1.1", it is considered illegal.
Number of Cookies In Request: Type the maximum acceptable number of cookies in an HTTP request.
Number of Header Lines In Request: Type the maximum acceptable number of lines in the HTTP header.
Illegal HTTP Request Method: Enable to check for illegal HTTP request methods.
Number of URL Parameters: Type the maximum number of URL parameters.
Illegal Host Name: Enable to check for illegal characters in the Host: line of the HTTP header, such as NULL characters or encoded characters. For example, characters such as "0x0" or "%00*" are considered illegal.
Exception Name: Select the HTTP Constraints Exception that you want to apply to this policy. For more information, see “Configuring HTTP protocol constraint exceptions” on page 254. If you want to view the information associated with an exception, select the Detail link. A read-only version appears.

5 Click OK.

To apply the HTTP protocol constraint profile, select it in an inline or offline protection profile. For details, see “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274.

Configuring HTTP protocol constraint exceptions

Web Protection > HTTP Protocol Constraints > HTTP Constraints Exceptions displays the list of HTTP protocol constraint exceptions.

Exceptions may be useful if you know that some HTTP protocol constraints, during normal use, will cause false positives by matching an attack signature. Exceptions define HTTP constraints that will not be subject to HTTP protocol constraint policy. For example, if no exceptions are defined, FortiWeb executes the HTTP protocol constraint policy as defined in “Configuring HTTP protocol constraint profiles” on page 252. But, if you select Header Length Check as an HTTP protocol constraint exception for a specific host, FortiWeb would ignore the HTTP header length check when executing the web protection profile for that host.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.
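The constraints listed in the profile table, and the effect of an exception, as an added example in Python that is not FortiWeb code. The limits are constructed values (0 disables a check, as the note says), the allow-list of legal methods is an assumption because the guide does not enumerate them, and an exception is modelled as the set of check names skipped for a request.

```python
"""HTTP protocol constraint checks of the kind listed in the profile table above.

Added example, not FortiWeb code. The limits are constructed values; a limit of
0 disables that check, as the guide's note says. An exception is modelled as the
set of check names to skip, which is what selecting, for instance, the header
length check as an exception for a host achieves.
"""
import re
from urllib.parse import urlsplit

VALID_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
# The guide does not list which request methods are legal; this allow-list is assumed.
VALID_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
# NULL characters and the %00 encoding in the Host: line, as in the guide's examples.
ILLEGAL_HOST = re.compile(r"\x00|%00", re.IGNORECASE)

DEFAULT_LIMITS = {             # constructed values, in bytes or counts
    "header_length": 4096,
    "header_line_length": 1024,
    "header_lines": 32,
    "request_length": 8192,
    "content_length": 65536,
    "body_length": 65536,
    "parameter_length": 1024,
    "url_parameter_length": 256,
    "url_parameters": 20,
    "cookies": 16,
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line parts, header lines and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, _, rest = lines[0].partition(" ")
    target, _, version = rest.rpartition(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": method, "target": target, "version": version,
            "head": head, "header_lines": lines[1:], "headers": headers, "body": body}


def check_request(raw, limits=DEFAULT_LIMITS, skip=frozenset()):
    """Return the names of violated constraints; an empty list means the request passes."""
    req = parse_request(raw)
    hdr = req["headers"]
    violations = []

    def flag(name, condition):            # record a violation unless excepted
        if name not in skip and condition:
            violations.append(name)

    def exceeds(name, observed):          # a limit of 0 disables the check
        lim = limits.get(name, 0)
        return lim > 0 and observed > lim

    query = urlsplit(req["target"]).query
    params = [p for p in query.split("&") if p]
    # Parameter Length excludes the ? & = separators and covers the POST body too.
    param_bytes = query.replace("&", "").replace("=", "")
    if req["method"] == "POST":
        param_bytes += req["body"].replace("&", "").replace("=", "")
    cookie_count = sum(len([c for c in v.split(";") if c.strip()])
                       for v in hdr.get("cookie", []))
    try:
        declared_len = int(hdr.get("content-length", ["0"])[0])
    except ValueError:
        declared_len = 0
    host = hdr.get("host", [""])[0]

    flag("request_length", exceeds("request_length", len(raw)))
    flag("header_length", exceeds("header_length", len(req["head"])))
    flag("header_line_length",
         any(exceeds("header_line_length", len(l)) for l in req["header_lines"]))
    flag("header_lines", exceeds("header_lines", len(req["header_lines"])))
    flag("content_length", exceeds("content_length", declared_len))
    flag("body_length", exceeds("body_length", len(req["body"])))
    flag("parameter_length", exceeds("parameter_length", len(param_bytes)))
    flag("url_parameter_length",
         any(exceeds("url_parameter_length", len(p)) for p in params))
    flag("url_parameters", exceeds("url_parameters", len(params)))
    flag("cookies", exceeds("cookies", cookie_count))
    flag("illegal_http_version", req["version"] not in VALID_VERSIONS)
    flag("illegal_request_method", req["method"] not in VALID_METHODS)
    flag("illegal_host_name", bool(ILLEGAL_HOST.search(host)))
    return violations


# Constructed sample requests: one ordinary, one that breaks several constraints.
GOOD_REQUEST = ("GET /index.php?id=7&view=list HTTP/1.1\r\n"
                "Host: www.example.com\r\n"
                "Cookie: sid=abc123; theme=dark\r\n\r\n")

BAD_REQUEST = ("GET /search?q=" + "A" * 300 + " HTTP/1.0\r\n"
               "Host: www.example.com%00\r\n"
               "Cookie: " + "; ".join(f"c{i}=1" for i in range(20)) + "\r\n\r\n")
```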

Table 103: Web Protection > HTTP Protocol Constraints > HTTP Constraint Exception tab

GUI item Description
Create New: Click to add a server protection exception.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Exception Rule Count: Displays the number of individual exceptions contained in the entry.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server protection rule. Click the Edit icon to modify the entry.

To configure an HTTP constraint exception

1 Go to Web Protection > HTTP Protocol Constraints > HTTP Constraints Exception.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the server protection exception. This field cannot be modified if you are editing an existing server protection exception. To modify the name, delete the entry, then recreate it using the new name.

4 Click OK.


5 Click Create New.A dialog appears.

6 Configure the following:

GUI item DescriptionID Displays the index number of the entry in the list.

Host Status Enable to apply this HTTP constraint exception only to HTTP requests for specific web hosts. Also configure Host.Disable to apply the exceptions to all web hosts.

Host Select the IP address or fully qualified domain name (FQDN) of the protected host to which this exception applies.

Request Type Select whether the URL Pattern field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide256 Revision 10

http://docs.fortinet.com/ • Feedback

Web protection Configuring authentication policy

FRh

7 Click OK.To apply the HTTP protocol constraint exception, select it in the HTTP Protocol Constraint profile. For details, see “Configuring HTTP protocol constraint profiles” on page 252.

Configuring authentication policyIf a web site does not support RFC 2617 HTTP authentication on its own and does not provide HTML form-based authentication, you can use a FortiWeb unit to authenticate HTTP clients before they are permitted to access a web page or web site.

When HTTP authentication is configured:

URL Pattern Depending on your selection in the Request Type field, enter either: • the literal URL, such as /index.php, that the HTTP request must

contain in order to match the input rule. The URL must begin with a slash ( / ).

• a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.

Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list.To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

Header Length Type the maximum acceptable length in bytes of the HTTP header.

Content Length Type the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the Content-Length: field in the HTTP header.

Body Length Type the maximum acceptable length in bytes of the HTTP body.

Parameter Length Type the maximum acceptable length in bytes of parameters in the URL or, for HTTP POST requests, HTTP body. Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.

Header Line Length Type the maximum acceptable length in bytes of each line in the HTTP header.

HTTP Request Length Type the maximum acceptable length in bytes of the HTTP request.

URL Parameter Length Type the maximum acceptable length of an URL parameter (including the name and value).

Number of Cookies In Request

Type the maximum acceptable number of cookies in an HTTP request.

Number of Header Lines In Request

Type the maximum acceptable number of lines in the HTTP header.

Illegal HTTP Request Method

Enable to check for illegal HTTP version numbers.

Number of URL Parameters Type the maximum number of URL parameters.

Illegal Host Name Enable to check for illegal characters in the Host: line of the HTTP header, such as NULL characters or encoded characters. For example, characters such as "0x0" or "%00*" are considered illegal.
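The limits in the table above are easiest to understand as checks applied to a parsed request. The following Python is an added example, not FortiWeb's code: the limit values, the simplified HTTP/1.1 parsing and the two sample requests are all constructed for illustration, and a request that breaks a limit is reported rather than blocked so that the checks can be inspected.

```python
"""Added example: an HTTP request constraint checker modelled on the limits in
the table above (header length, header line length, header line count, cookie
count, URL parameter count and length, illegal characters in Host:).
Illustrative code, not FortiWeb's implementation; limits and requests are
constructed."""
from urllib.parse import urlsplit

# Constructed sample limits (bytes / counts); these are not FortiWeb defaults.
LIMITS = {
    "header_length": 4096,
    "header_line_length": 512,
    "header_lines": 32,
    "cookies": 8,
    "url_parameters": 10,
    "url_parameter_length": 256,
}


def parse_request(raw: bytes):
    """Split a raw request into (request line, header lines, body, header bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body, len(head) + len(sep)


def host_is_illegal(host: str) -> bool:
    """NUL, percent-encoded NUL and control characters are illegal in Host:."""
    if "\x00" in host or "%00" in host.lower():
        return True
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in host)


def check_constraints(raw: bytes, limits=LIMITS):
    """Return a list of (constraint, detail) violations; empty if the request passes."""
    violations = []
    request_line, header_lines, body, header_length = parse_request(raw)

    if header_length > limits["header_length"]:
        violations.append(("header_length", header_length))
    if len(header_lines) > limits["header_lines"]:
        violations.append(("header_lines", len(header_lines)))

    cookies = 0
    for line in header_lines:
        if len(line) > limits["header_line_length"]:
            violations.append(("header_line_length", len(line)))
        name, _, value = line.partition(b":")
        name, value = name.strip().lower(), value.strip()
        if name == b"cookie":
            # One Cookie: header may carry several name=value pairs.
            cookies += sum(1 for c in value.split(b";") if c.strip())
        elif name == b"host" and host_is_illegal(value.decode("latin-1")):
            violations.append(("illegal_host_name", value.decode("latin-1")))
    if cookies > limits["cookies"]:
        violations.append(("cookies", cookies))

    # URL parameters: count, and per-parameter length excluding the '=' sign.
    parts = request_line.split(b" ")
    if len(parts) >= 2:
        query = urlsplit(parts[1].decode("latin-1")).query
        params = [p for p in query.split("&") if p]
        if len(params) > limits["url_parameters"]:
            violations.append(("url_parameters", len(params)))
        for p in params:
            plen = len(p) - (1 if "=" in p else 0)
            if plen > limits["url_parameter_length"]:
                violations.append(("url_parameter_length", plen))
    return violations


# Constructed sample requests: one within limits, one breaking three of them.
GOOD_REQUEST = (
    b"GET /index.php?user=alice&page=2 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: a=1; b=2\r\n"
    b"\r\n"
)
BAD_REQUEST = (
    b"GET /index.php?" + b"&".join(b"p%d=x" % i for i in range(12)) + b" HTTP/1.1\r\n"
    + b"Host: www.example.com%00evil\r\n"
    + b"Cookie: " + b"; ".join(b"c%d=v" % i for i in range(9)) + b"\r\n"
    + b"\r\n"
)
```

Each violation names the constraint that failed, which is the information an alert or attack log entry needs; a production filter would stop at the first failure and apply the configured action instead of collecting them all.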

Note: Authentication applies when the FortiWeb unit operates in reverse proxy mode or true transparent proxy mode without HTTPS.

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide Revision 10 257 http://docs.fortinet.com/ • Feedback

Configuring authentication policy Web protection

• If the client’s initial request does not already include an Authorization: field in its HTTP header, the FortiWeb unit replies with an HTTP 401 (Authorization Required) response. The response includes a WWW-Authenticate: field in the HTTP header that indicates which style of authentication to use (basic, digest, or NTLM) and the name of the realm (usually the name, such as “Restricted Area”, of a set of URLs that can be accessed using the same set of credentials).

The browser then prompts its user to enter a user name and password. (The prompt may include the name of the realm, in order to indicate to the user which login is valid.) The browser includes these in the Authorization: field of the HTTP header when repeating its request.

Figure 33: An HTTP authentication prompt in the Google Chrome browser

• Valid user name formats vary by the authentication server. For example:
  • For a local user, enter a user name in the format username.
  • For LDAP authentication, enter a user name in the format required by the directory’s schema.
  • For NTLM authentication, enter a user name in the format DOMAIN/username.

• The FortiWeb unit compares the supplied credentials to:
  • the locally defined set of user accounts
  • a set of user objects on a lightweight directory access protocol (LDAP) directory
  • user accounts on an NT LAN Manager (NTLM) server

• If the client authenticates successfully, the FortiWeb unit forwards the original request to the server. If the client does not authenticate successfully, the FortiWeb unit repeats its HTTP 401 response to the client, asking again for valid credentials.

• Once the client has authenticated with the FortiWeb unit, if the server applies no other restrictions and the resource is found, it returns the requested resource to the client.

• If the client’s browser is configured to do so, it can cache the realm along with the supplied credentials, automatically re-supplying the user name and password for each request with a matching realm. This provides convenience to the user. Otherwise, the user would have to re-enter their user name and password for every request.

Caution: Advise users to clear their cache and close their browser after an authenticated session to ensure that no one else can access the web site using their credentials. Browsers often cache credentials until manually cleared, or until cleared automatically by closing a browser tab or window. This is because, without a web application with its own notion of sessions, the HTTP protocol itself is essentially stateless, it relies only on these cached credentials, and there is no other way to log out.
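The challenge and response exchange described in the bullets above, modelled as an authenticating intermediary in Python. This is an added example, not FortiWeb code or its configuration: the local user store, the authentication rules (Auth Path, realm and permitted users, using the shared Intranet Wiki realm that this chapter uses for /wiki/Main and /wiki/ToDo) and the requests are constructed, and only the Basic scheme is shown. Decoding the Authorization: value in `parse_basic` is also what makes the Caution above concrete: Base64 is an encoding, so without SSL/TLS the password is readable on the wire.

```python
"""Added example: a minimal model of the RFC 2617 Basic challenge/response
exchange performed by an authenticating intermediary. Not FortiWeb code; the
user store, rules, realms and paths are constructed for illustration."""
import base64
import secrets

# Constructed local user store (clear-text only to keep the model short).
LOCAL_USERS = {"alice": "s3cret", "bob": "hunter2"}

# Constructed authentication rules: Auth Path -> (realm, authorized user names).
AUTH_RULES = {
    "/wiki/Main": ("Intranet Wiki", {"alice", "bob"}),
    "/wiki/ToDo": ("Intranet Wiki", {"alice", "bob"}),
    "/employees/holidays.html": ("Restricted Area", {"alice"}),
}


def challenge(realm: str):
    """The 401 reply: tells the browser which scheme and realm to prompt for."""
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}, b"Authorization Required"


def parse_basic(authorization: str):
    """Decode 'Basic <base64>' into (user, password); None if malformed.
    Base64 is an encoding, not encryption: the password is readable here."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:          # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(user: str, password: str) -> bool:
    """Constant-time comparison against the local store."""
    supplied = password.encode()
    expected = LOCAL_USERS.get(user)
    if expected is None:
        secrets.compare_digest(supplied, supplied)   # same cost for unknown users
        return False
    return secrets.compare_digest(supplied, expected.encode())


def handle_request(path: str, headers: dict):
    """Return (status, headers, body); 200 stands for 'forwarded to the server'."""
    rule = AUTH_RULES.get(path)
    if rule is None:
        return 200, {}, b"forwarded (no authentication required)"
    realm, allowed = rule
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return challenge(realm)        # first request: no Authorization: field
    user, password = creds
    if user in allowed and credentials_valid(user, password):
        return 200, {}, b"forwarded as " + user.encode()
    return challenge(realm)            # wrong or unauthorized credentials: ask again


def basic_header(user: str, password: str) -> str:
    """What the browser sends after the user answers the prompt."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
```

Because both rules share the realm "Intranet Wiki", a browser that cached alice's credentials for /wiki/Main will re-supply them for /wiki/ToDo without prompting; the intermediary itself keeps no session state, which is exactly why the Caution above recommends closing the browser.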


HTTP authentication policy workflow

To configure HTTP authentication, you must at a minimum:

1 Configure users and user groups. See “User creation workflow” on page 107.

2 Configure an authentication rule to select the set of URLs that is the authentication realm, the authorization type, and associate a user group. See “Configuring authentication rules” on page 261.

3 Group sets of authentication rules into authentication profiles. See “Configuring authentication policy” on page 259.

4 Select the authentication profile in an inline protection profile that is used by a server policy. See “Configuring inline protection profiles” on page 268.

Configuring authentication policy

Web Protection > Authentication Policy > Authentication Policy displays the list of HTTP authentication profiles.

Authentication policies are used by the HTTP authentication feature to authorize HTTP requests.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 104: Web Protection > Authentication Policy > Authentication Policy tab

Caution: HTTP authentication is not secure. All user names and data (and, depending on the authentication style, passwords) are sent in clear text. If you require encryption and other security features in addition to authorization, use HTTP authentication with SSL/TLS.

Tip: Alternatively or in addition to HTTP authentication, with SSL connections, you can require that clients present a valid personal certificate. For details, see “Certificate Verification” on page 127.

GUI item Description

Create New Click to add an authentication policy.

# Displays the index number of the entry in the list.

Name Displays the name of the entry.

Count Displays the number of individual rules contained in the entry.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline protection profile. Click the Edit icon to modify the entry.


To configure an authentication policy

1 Go to Web Protection > Authentication Policy > Authentication Policy.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the authentication policy. This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

5 Click OK.

6 Click Create New.

A dialog appears.

7 Configure the following:

Tip: Before you can configure an authentication policy, you must first configure the authentication rules that you want to include in the policy. For details, see “Configuring authentication rules” on page 261.

GUI item Description

LDAP Cache Enable if you want the LDAP query result caching.

LDAP Cache Timeout Enter the LDAP cache timeout duration, in seconds. The default timeout is 300 seconds. This field appears only when you enable LDAP Cache.

Alert Type Select the instances when alerts will be issued for HTTP authentication attempts:
• None: No alerts are issued for HTTP authentication.
• Failed Only: Alerts are issued only for HTTP authentication failures.
• Successful Only: Alerts are issued for successful HTTP authentication.
• All: Alerts are issued for all failed and successful HTTP authentication.


8 Click OK.

9 Repeat the previous steps for each individual rule that you want to add to the authentication policy.

10 To modify an individual rule, click its Edit icon. To remove an individual rule from the authentication policy, click its Delete icon. To remove all individual rules from the authentication policy, click the Clear icon.

11 Click OK.

To apply the authentication policy, select it in an inline protection profile. For details, see “Configuring inline protection profiles” on page 268.

Configuring authentication rules

Web Protection > Authentication Policy > Authentication Rule displays the list of authentication rules.

Authentication rules are used by the HTTP authentication policy to define sets of request URLs that will be authorized for each user group.

If you want to apply rules only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see “Configuring protected servers” on page 147.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 105: Web Protection > Authentication Policy > Authentication Rule tab

GUI item Description

ID Type the index number of the individual rule within the authentication policy, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.

Auth Rule Select the name of an existing authentication rule.

Tip: Before you can configure an authentication rule set, you must first configure any user groups that you want to include. For details, see “Grouping users” on page 114.

GUI item Description

Create New Click to add an authentication rule.

# Displays the index number of the entry in the list.

Name Displays the name of the entry.

Count Displays the number of individual rules contained in the entry.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an authentication policy. Click the Edit icon to modify the entry.


To configure an authentication rule

1 Go to Web Protection > Authentication Policy > Authentication Rule.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the authentication rule. This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.

4 If you want to require that the Host: field of the HTTP request match a protected hosts entry in order to match the HTTP authentication rule, enable Host Status, then, from Host, select which protected hosts entry (either a web host name or IP address) the Host: field of the HTTP request must be.

5 Click OK.

6 Click Create New.

A dialog appears.

7 Configure the following:

GUI item Description

ID Type the index number of the individual rule within the group of authentication rules, or keep the field’s default value of auto to let the FortiWeb unit automatically assign the next available index number.


8 Click OK.

9 Repeat the previous steps for each individual rule that you want to add to the group of authentication rules.

10 To modify an individual rule, click its Edit icon. To remove an individual rule from the group of authentication rules, click its Delete icon. To remove all individual rules from the group of authentication rules, click the Clear icon.

11 Click OK.

To apply the authentication rule, select it in an authentication policy. For details, see “Configuring authentication policy” on page 259.

Configuring file upload restriction policy

Web Protection > File Upload Restriction > File Upload Restriction Policy displays the list of file upload restriction policies that the FortiWeb unit uses to limit the types of files that can be uploaded to your web servers. The file upload restriction policies are composed of individual rules. The rules identify the host and/or URL to which the restriction applies and the specific types of files that are allowed.

Auth Type Select which type of HTTP authentication to use:
• Basic: Clear text, Base64-encoded user name and password. Supports all user queries except NTLM. NTLM users will be ignored if included in the user group.
• Digest: Hashed user name, realm, and password. Only local users are supported. Other types are ignored if included in the user group.
• NTLM: Encrypted user name and password. Only NTLM queries are supported. Other types are ignored if included in the user group.

For more information on available user types, see “User Type” on page 116.

User Group Select the name of a user group that is authorized to use the URL in Auth Path.

User Realm Type the realm, such as Restricted Area, to which the Auth Path belongs.
The realm is often used by users’ browsers:
• It may appear in the browser’s prompt for the user’s credentials. Especially if a user has multiple logins, and only one login is valid for that specific realm, displaying the realm helps to indicate which user name and password should be supplied.
• After authenticating once, the browser may cache the authentication credentials for the duration of the browser session. If the user requests another URL from the same realm, the browser often will automatically re-supply the cached user name and password, rather than asking the user to enter them again for each request.
The realm may be the same for multiple authentication rules, if all of those URLs permit the same user group to authenticate. For example, the user group All_Employees could have access to the Auth Path URLs /wiki/Main and /wiki/ToDo. These URLs both belong to the realm named Intranet Wiki. Because they use the same realm name, users authenticating to reach /wiki/Main usually will not have to authenticate again to reach /wiki/ToDo, as long as both requests are within the same browser session.
This field does not appear if Auth Type is NTLM, which does not support HTTP-style realms.

Auth Path Type the literal URL, such as /employees/holidays.html, that a request must match in order to trigger HTTP authentication.

Tip: To create an effective file upload restriction policy, you must first configure one or more file upload restriction rules. See “Configuring file upload restriction rules” on page 265.


To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 106: Web Protection > File Upload Restriction > File Upload Restriction Policy tab

To configure a file upload restriction policy

1 Go to Web Protection > File Upload Restriction > File Upload Restriction Policy.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the file upload restriction rule. This field cannot be modified if you are editing an existing policy. To modify the name, delete the entry, then recreate it using the new name.

GUI item Description

Create New Click to add a file upload restriction policy.

# Displays the index number of the entry in the list.

Name Displays the name of the entry.

Count Displays the number of file upload restriction rules used by the policy.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy. Click the Edit icon to modify the entry.


4 Configure the following:

5 Click OK.

6 Click Create New.

A dialog appears.

7 Configure the following:

8 Click OK. The new file upload restriction rules appear in the list.

9 Repeat the previous steps for each rule that you want to add to the file upload restriction policy.

10 To modify an individual rule, click its Edit icon. To remove an individual rule from the group of rules, click its Delete icon. To remove all individual rules from the group of rules, click the Clear icon.

11 Click OK.

To apply the file upload restriction policy, select it in an inline or offline protection profile. For details, see “Configuring inline protection profiles” on page 268.

Configuring file upload restriction rules

Web Protection > File Upload Restriction > File Upload Restriction Rule displays the list of file upload restriction rules. The rules define the specific host and request URL for which upload restrictions apply, and define the specific file types that are allowed to be uploaded to that host or URL.

GUI item Description

Action Select the action you want FortiWeb to perform when the policy is violated:
• Alert: Accept the file upload and generate an alert and/or log message.
• Alert & Deny: Block the file upload and generate an alert and/or log message.
For more information on logging and alerts, see “Configuring and enabling logging” on page 323.

Severity Select the severity level you want FortiWeb to use in the records and reports generated when the specified policy is violated. You can configure each violation to be either Low, Medium or High severity.

Trigger Policy Select the trigger policy you want FortiWeb to apply when the specified policy is violated. Trigger policies determine who will be notified by email when the policy is violated, and whether the log message associated with the violation is recorded in Syslog or FortiAnalyzer. For more information, see “Configuring trigger policies” on page 322.

ID Displays the index number of the rule associated with the policy.

File Upload Restriction Rule Select an existing file upload restriction rule that you want to use in the policy. If you are unsure what specific file types are allowed by the rule, select the Detail link next to the rule name.


Detection and restriction is performed by scanning HTTP PUT and POST URL request methods submitted to your web servers.

For example, if you want to allow only specific types of files to be uploaded to a host or a URL called /fileuploads (for example, MP3 audio files, PDF text files and GIF and JPG picture files), you can create a file upload restriction policy that contains rules that define only those specific file types. When FortiWeb receives an HTTP PUT or POST request for the host or /fileuploads URL, it scans the HTTP request and allows only the specified file types to be uploaded. FortiWeb will block file uploads for any HTTP request that contains a file type other than those specified in the upload restriction policy.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.
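The /fileuploads scenario above, worked through in Python as an added example (this is not FortiWeb code, and the page does not say how FortiWeb identifies a file type). The example assumes the type is determined from the leading bytes of the uploaded content rather than from the file name, so a renamed executable is still recognised; the multipart request, the signature list and the allowed set {MP3, PDF, GIF, JPG} are constructed for the example.

```python
"""Added example: file upload restriction on HTTP POST (multipart/form-data)
and PUT requests, allowing only the file types named in the text above.
Identifying the type by content signature is an assumption of this example,
not a documented FortiWeb behaviour. The sample request is constructed."""
import re

# (type, magic bytes at offset 0). A renamed file keeps its real signature.
SIGNATURES = [
    ("gif", b"GIF87a"), ("gif", b"GIF89a"),
    ("jpg", b"\xff\xd8\xff"),
    ("pdf", b"%PDF-"),
    ("mp3", b"ID3"), ("mp3", b"\xff\xfb"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("exe", b"MZ"),
]
ALLOWED_AT_FILEUPLOADS = {"mp3", "pdf", "gif", "jpg"}   # constructed rule


def sniff_type(data: bytes) -> str:
    for ftype, magic in SIGNATURES:
        if data.startswith(magic):
            return ftype
    return "unknown"


def parse_multipart(body: bytes, boundary: bytes):
    """Return [(field name, filename or None, content)] for each body part."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):        # CRLF that precedes the next delimiter
            content = content[:-2]
        name = re.search(rb'\bname="([^"]*)"', head)
        fname = re.search(rb'filename="([^"]*)"', head)
        parts.append((name.group(1).decode() if name else "",
                      fname.group(1).decode() if fname else None, content))
    return parts


def check_upload(request: bytes, allowed=ALLOWED_AT_FILEUPLOADS):
    """Return ('allow' | 'deny', [(filename, detected type), ...]) for one request."""
    head, _, body = request.partition(b"\r\n\r\n")
    method = head.split(b" ", 1)[0]
    if method not in (b"PUT", b"POST"):      # only upload methods are inspected
        return "allow", []
    m = re.search(rb'boundary="?([^\r\n;"]+)', head)
    if not m:
        if method == b"PUT":                 # PUT carries the file as the raw body
            ftype = sniff_type(body)
            return ("allow", []) if ftype in allowed else ("deny", [("(request body)", ftype)])
        return "allow", []                   # ordinary form POST: no file parts
    blocked = []
    for _, filename, content in parse_multipart(body, m.group(1)):
        if filename is None:
            continue                          # plain form field, not a file
        ftype = sniff_type(content)
        if ftype not in allowed:
            blocked.append((filename, ftype))
    return ("deny" if blocked else "allow"), blocked


def multipart_request(parts, boundary=b"----constructed-boundary"):
    """Build a constructed POST /fileuploads request; parts are (name, filename, content)."""
    body = b""
    for name, filename, content in parts:
        body += b"--" + boundary + b"\r\n"
        body += b'Content-Disposition: form-data; name="' + name + b'"'
        if filename is not None:
            body += b'; filename="' + filename + b'"'
        body += b"\r\n\r\n" + content + b"\r\n"
    body += b"--" + boundary + b"--\r\n"
    return (b"POST /fileuploads HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
```

The "deny" result corresponds to the Alert & Deny action of the policy table, and the list of blocked parts is what the alert or log message would report; a second request in which an executable is uploaded under a .jpg name is still denied because the decision is based on content, not on the name.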

Table 107: Web Protection > File Upload Restriction > File Upload Restriction Rule tab

To configure a file upload restriction rule

1 Go to Web Protection > File Upload Restriction > File Upload Restriction Rule.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.

GUI item Description

Create New Click to add a file upload restriction rule.

# Displays the index number of the entry in the list.

Name Displays the name of the file upload restriction rule.

Host Displays the IP address or fully qualified domain name (FQDN) of the real or virtual host as it appears in the Host: field of HTTP header of requests to which the entry applies.

Request URL Displays the URL, such as /fileuploads, as it appears in the HTTP PUT or POST request to which the entry applies.

Count Displays the number of individual file types allowed by the rule.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a parameter validation rule. Click the Edit icon to modify the entry.


A dialog appears.

3 In Name, type the name of the file upload restriction rule. This field cannot be modified if you are editing an existing rule. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

5 Click OK.

6 Click Add File Types.

A dialog appears.

7 Configure the following:

GUI item Description

Host Status Enable to apply this file upload restriction rule only to HTTP requests for specific web hosts. Also configure Host. Disable to match the file upload restriction rule based upon the other criteria, such as the URL, but regardless of the Host: field.

Host Select the IP address or FQDN of a protected host.

Request URL Enter the literal URL, such as /fileupload, to which the file upload restriction applies. The URL must begin with a slash ( / ).Do not include the name of the host, such as www.example.com, which is configured separately in the Host drop-down list.


8 Click OK. The selected file types appear in the list at the bottom of the rule window.

9 Click OK.

To add the file upload restriction rule to a policy, select it in a file upload restriction policy. The policies are then used by web protection policies to detect and restrict specific file uploads based on the specified file types and host or URL. For more information, see “Configuring file upload restriction policy” on page 263.

Configuring inline protection profiles

Inline protection profiles are a set of attack protection settings. The FortiWeb unit applies the profile when a connection matches a server policy that includes the protection profile. You can use inline protection profiles in server policies for any mode except offline protection.

Inline protection profile workflow

Before configuring an inline protection profile, first configure any of the following that you want to include in the profile:
• a file upload restriction policy (see “Configuring file upload restriction policy” on page 263)
• an allowed method policy (see “Configuring allowed request method policy” on page 235)
• a URL access policy (see “Configuring URL access policy” on page 216)
• a server protection rule (see “Configuring server protection rules” on page 201)
• a page access rule (see “Configuring page access rules” on page 198)
• a parameter validation rule (see “Configuring HTTP parameter validation rules” on page 192)
• a hidden fields group (see “Configuring hidden field protection profiles” on page 239)
• a start pages policy (see “Configuring start page rules” on page 213)

GUI item Description

File Types This column lists the common file types that could be uploaded to a web server.

Allow File Types This column lists the specific file types that are selected for the upload restriction rule. FortiWeb will allow the file types in this column to be uploaded to a web server once the upload restriction rule is applied. Uploading of file types not included in this column will not be allowed by FortiWeb.

Right and left selection arrows The selection arrows enable you to move file types between the File Types and Allow File Types columns. Select a file type in the left column and click the right arrow to move the selected file type to the Allow File Types column. Repeat as required for the file upload restriction rule you are creating.

ID Displays the index number of the entry in the list.

Allow File Types Displays the list of file types associated with the file upload restriction rule. These are the file types that FortiWeb will allow to be uploaded to the Request URL and Host (if specified).

(No column heading.) Click the Delete icon to remove the entry in the associated row. Click Clear to remove all file types from the rule.


• a brute force login attack profile (see “Configuring brute force login profiles” on page 224)

• a robot control profile (see “Configuring robot control profiles” on page 227)
• an IP list policy (see “Configuring an IP list policy” on page 220)
• a URL rewriting rule (see “Configuring URL rewriting rules” on page 246)
• an HTTP authentication policy (see “Configuring authentication policy” on page 257)
• lastly, select the inline protection policy in a server policy

Configuring an inline protection profile

Web Protection > Web Protection Profile > Inline Protection Profile displays the list of web protection profiles that can be included in server policies when the FortiWeb unit is operating in any mode except offline protection.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 108: Web Protection > Web Protection Profile > Inline Protection Profile tab

Note: Inline web protection profiles can be configured at any time, but can be selected in a policy only while the FortiWeb unit is operating in a mode that supports them. For details, see Table 45, “Policy behavior by operation mode,” on page 119.

Tip: To increase the scope of an inline protection rule, first configure the policies and rules used by the inline rule. See “Web protection profile workflow” on page 189.

GUI item Description

Create New Click to add an inline protection profile.

# Displays the index number of the entry in the list.

Name Displays the name of the entry.

Session Management Indicates whether session management by the FortiWeb unit is enabled or disabled. For more information about session management, see “Session Management” on page 271.

HTTP Conversion Indicates whether the FortiWeb unit will translate the IP addresses in the Host:, Referer: and Location: fields of HTTP requests and responses, replacing the virtual server’s IP address with that of the real server, and vice versa. For details, see “HTTP Conversion” on page 272.

Cookie Poison Indicates whether cookie poisoning prevention is enabled or disabled.


To configure an inline protection profile

1 Go to Web Protection > Web Protection Profile > Inline Protection Profile.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
Alternatively, click the Clone icon to create an entry populated with settings from a predefined profile. In this case, a dialog opens with just the Name field.

Cookie Poison Action Displays the action that the FortiWeb unit will take when cookie poisoning is detected.
• Alert: Accept the connection and generate an alert and/or log message.
• Alert & Deny: Block the connection and generate an alert and/or log message.
• Remove Cookie: Accept the connection, but remove the poisoned cookie from the datagram, preventing it from reaching the web server, and generate an alert and/or log message.

For more information on logging and alerts, see “Configuring and enabling logging” on page 323.

Server Protection Rule Displays the name of the server protection rule that will be applied to matching HTTP requests. For details on server protection rules, see “Configuring server protection rules” on page 201.

Page Access Rule Displays the name of the page access rule that will be applied to matching HTTP requests. For details on page access rules, see “Configuring page access rules” on page 198.

Parameter Validation Rule Displays the name of the parameter validation rule that will be applied to matching HTTP requests. For details on parameter validation rules, see “Configuring HTTP parameter validation rules” on page 192.

Start Pages Displays the name of the start pages that HTTP requests must use in order to initiate a valid session. For details on start pages, see “Configuring start page rules” on page 213.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy. Click the Edit icon to modify the entry. Click the View icon to view a predefined entry. Click the Clone icon to create a new entry based on a predefined entry. You can clone global protection profiles as well as custom protection profiles.


3 Configure the following:

GUI item Description

Name Type the name of the inline protection profile. This field cannot be modified if you are editing an existing inline protection profile. To modify the name, delete the entry, then recreate it using the new name.

Session Management Enable to track the states of HTTP sessions using a cookie named FORTIWAFSID. Also configure Session Timeout. This feature requires that the client support cookies.
Note: You must enable this option:
• to enforce the Start Pages, Page Access Rule, and Hidden Fields Protection Rule features, if any of those options are enabled.
• if you want to include this profile’s traffic in the traffic log, in addition to enabling traffic logs in general. For more information, see “Enabling logging” on page 327.

Note: Session management is automatically enabled for policies whose Load Balancing Algorithm is HTTP session based Round Robin. If only those types of policies use this protection profile, session management will already be enabled, and therefore you do not need to enable this option.


Session Timeout Type the HTTP session timeout in seconds. This option appears only if Session Management is enabled.

HTTP Conversion Enable to:
• For forward traffic from clients, replace the virtual server’s IP address in the Host: and Referer: field in the HTTP header with that of the real server’s IP address.
• For reply traffic from servers, including traffic that has been redirected, replace the real server’s IP address in the Location: field with that of the virtual server’s IP address.
This may be useful if your real servers reject HTTP requests whose Host: and Referer: field does not match their own IP address. It is also useful if the real server is behind network address translation (NAT) and redirects requests to its private network IP address, which clients cannot directly access. However, it increases load on the FortiWeb unit, and should not be enabled unless required.
Note: Do not enable this option if the real server has multiple virtual hosts.
Note: The FortiWeb unit does not support this option if the operation mode is offline protection, true transparent proxy mode with HTTPS, or transparent inspection mode.

X-Forwarded-For Support
Enable to include the X-Forwarded-For: HTTP header on connections forwarded to your web servers. Behavior varies by the header already provided by the HTTP client or web proxy, if any:
• Header absent: Add the header, using the source IP address of the connection.
• Header present: Verify that the source IP address of the connection is present in this header’s list of IP addresses. If it is not, append it.

This option can be useful, for example, for web servers that log or analyze clients’ IP addresses, and support the X-Forwarded-For: header. When this option is disabled, from the web server’s perspective, all connections appear to be coming from the FortiWeb unit, which performs network address translation (NAT). But when enabled, the web server can instead analyze this header to determine the source and path of the original client connection.
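The two header cases above, implemented as an added Python example together with the read that a web server behind the FortiWeb unit would perform. This is illustration code for this page, not FortiWeb's, and it goes one step beyond the option text: the server-side function shows how to recover the client address without trusting the leftmost entry, which is whatever the original client chose to send. All addresses are constructed.

```python
"""X-Forwarded-For maintenance on a forwarding proxy, plus the server-side read
(added example, not FortiWeb code)."""
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional

XFF = "X-Forwarded-For"


def _canonical(addr: str) -> str:
    """Normalize an IP literal (e.g. IPv6 spelling) so membership tests are reliable."""
    try:
        return str(ip_address(addr))
    except ValueError:
        return addr  # not an IP literal: keep as-is, the header is client-controlled text


def _find_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; return the key as spelled in `headers`."""
    return next((k for k in headers if k.lower() == name.lower()), None)


def _parse_chain(value: str) -> List[str]:
    return [_canonical(p.strip()) for p in value.split(",") if p.strip()]


def apply_xff(headers: Dict[str, str], source_ip: str) -> Dict[str, str]:
    """Proxy side: copy of the request headers with X-Forwarded-For updated.

    source_ip is the peer address of the TCP connection the proxy accepted.
    """
    src = str(ip_address(source_ip))
    out = dict(headers)
    key = _find_header(out, XFF)
    if key is None:
        out[XFF] = src                      # header absent: add it
        return out
    chain = _parse_chain(out[key])
    if src not in chain:                    # header present: append only if missing
        chain.append(src)
    out[key] = ", ".join(chain)
    return out


def client_ip_from_xff(headers: Dict[str, str], peer_ip: str,
                       trusted_proxies: Iterable[str]) -> str:
    """Web-server side: pick the client address to log from the forwarded chain.

    The chain is only meaningful when the connection came from a proxy we trust to
    have appended to it (here, the WAF). Walk it from the right, skipping trusted
    hops; the first other address is the client.
    """
    trusted = {str(ip_address(t)) for t in trusted_proxies}
    peer = str(ip_address(peer_ip))
    key = _find_header(headers, XFF)
    if peer not in trusted or key is None:
        return peer                         # direct connection or unverifiable header
    for hop in reversed(_parse_chain(headers[key])):
        if hop not in trusted:
            return hop
    return peer  # every hop was one of our own proxies; fall back to the peer


if __name__ == "__main__":
    # Constructed path: client 198.51.100.7 -> proxy 203.0.113.10 -> WAF 192.0.2.1 -> web server
    at_proxy = {"x-forwarded-for": "198.51.100.7"}
    at_waf = apply_xff(at_proxy, "203.0.113.10")
    print(at_waf)
    print(client_ip_from_xff(at_waf, "192.0.2.1", ["192.0.2.1", "203.0.113.10"]))
```

On the server, the list of trusted proxy addresses is the whole basis for the result: only the entry appended by the last trusted hop is an observed address, everything to its left was forwarded as received.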

Cookie Poison
Enable to detect cookie poisoning, then select which of the following actions the FortiWeb unit will take if cookie poisoning is detected:
• Alert: Accept the connection and generate an alert and/or log message.
• Alert & Deny: Block the connection and generate an alert and/or log message.
• Remove Cookie: Accept the connection, but remove the poisoned cookie from the datagram before it reaches the web server, and generate an alert and/or log message.

For more information on logging and alerts, see “Configuring and enabling logging” on page 323.

When enabled, each cookie is accompanied by a cookie named <cookie_name>_fortinet_waf_auth, which tracks the cookie’s original value when set by the web server. If the cookie returned by the client does not match this digest, the FortiWeb unit will detect cookie poisoning.
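The companion-digest scheme described above, as an added Python example of both directions and of the three actions. This is illustration code for this page, not FortiWeb's: the guide only says that the <cookie_name>_fortinet_waf_auth cookie tracks the original value, so the digest construction (a keyed HMAC-SHA256 over name and value, so that a client cannot recompute it), the stripping of companion cookies before forwarding, and the pass-through of cookies that have no companion are all assumptions made here. The key and cookie values are constructed.

```python
"""Cookie integrity tracking with a companion digest cookie (added example, not FortiWeb code)."""
import hashlib
import hmac
from typing import Dict, List, Tuple

COMPANION_SUFFIX = "_fortinet_waf_auth"          # companion cookie name used by the guide
ACTIONS = ("alert", "alert_deny", "remove_cookie")  # the three actions the option offers


def cookie_digest(key: bytes, name: str, value: str) -> str:
    """Assumed construction: HMAC-SHA256 over "name=value" under a WAF-held key."""
    return hmac.new(key, f"{name}={value}".encode("utf-8"), hashlib.sha256).hexdigest()


def protect_response_cookies(key: bytes, set_cookies: Dict[str, str]) -> Dict[str, str]:
    """Server -> client: add a companion digest cookie for every cookie the server sets."""
    out = dict(set_cookies)
    for name, value in set_cookies.items():
        if name.endswith(COMPANION_SUFFIX):
            continue                               # never digest a digest
        out[name + COMPANION_SUFFIX] = cookie_digest(key, name, value)
    return out


def inspect_request_cookies(key: bytes, cookies: Dict[str, str],
                            action: str) -> Tuple[str, Dict[str, str], List[str]]:
    """Client -> server: returns (verdict, cookies_to_forward, alert_messages).

    verdict is "accept" or "deny". Companion cookies are consumed here and not
    forwarded (assumption). A cookie without a companion cannot be verified, for
    instance one set before protection was enabled; it is forwarded unchanged.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    poisoned: List[str] = []
    for name, value in cookies.items():
        if name.endswith(COMPANION_SUFFIX):
            continue
        companion = cookies.get(name + COMPANION_SUFFIX)
        if companion is None:
            continue
        expected = cookie_digest(key, name, value)
        if not hmac.compare_digest(companion.encode("utf-8"), expected.encode("utf-8")):
            poisoned.append(name)                  # value no longer matches what the server set

    forward = {n: v for n, v in cookies.items() if not n.endswith(COMPANION_SUFFIX)}
    alerts = [f"cookie poisoning detected: {n}" for n in poisoned]
    if not poisoned:
        return "accept", forward, alerts
    if action == "alert_deny":
        return "deny", {}, alerts                  # block the connection
    if action == "remove_cookie":
        for n in poisoned:
            forward.pop(n, None)                   # strip only the tampered cookie
    return "accept", forward, alerts               # "alert": accept, log, forward as-is


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-production"
    issued = protect_response_cookies(KEY, {"role": "user"})
    print(issued)
    tampered = dict(issued)
    tampered["role"] = "admin"
    for act in ACTIONS:
        print(act, inspect_request_cookies(KEY, tampered, act))
```

The constant-time comparison matters even though the companion is keyed: a timing leak on the digest check would weaken an otherwise sound scheme, and hmac.compare_digest costs nothing to use.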

File Upload Restriction

Select an existing file upload restriction policy, if any, that will be applied to matching HTTP requests.

Allow Request Method

Select an existing allow method policy, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_ALLOW_METHOD_FAILED when this feature detects a non-allowed HTTP request method.

URL Access Policy
Select the name of the URL access policy, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_URL_ACCESS_ALERT_DENY when this feature detects a URL matched by this policy.


Server Protection Rule

Select the name of the server protection rule, if any, that will be applied to matching HTTP requests. If enabled, server protection rules can scan AMF3 requests. For more information, see “Enable AMF3 Protocol Detection” on page 274. Attack log messages for this feature vary by which type of attack was detected. For a list, see “Configuring server protection rules” on page 201.

Page Access Rule
Select the name of the page access rule, if any, that will be applied to matching HTTP requests. This option appears only if Session Management is enabled. Attack log messages contain DETECT_PAGE_RULE_FAILED when this feature detects a request for a URL that violates the required sequence of URLs within a session.

Parameter Validation Rule

Select the name of the parameter validation rule, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_PARAM_RULE_FAILED when this feature detects a parameter rule violation.

Hidden Fields Protection Rule

Select the name of a hidden fields group, if any, that will be applied to matching HTTP requests. This option appears only if Session Management is enabled.

Start Pages
Select the name of the start page group, if any, that HTTP requests must use in order to initiate a valid session. This option appears only if Session Management is enabled. Attack log messages contain DETECT_START_PAGE_FAILED when this feature detects a start page violation.

Brute Force Login
Select the name of a brute force login attack profile, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_BRUTE_FORCE_LOGIN when this feature detects a brute force login attack.

Robot Control
Select the name of a robot control profile, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_MALICIOUS_ROBOT when this feature detects a misbehaving robot or any other HTTP client that exceeds the rate limit.

URL Rewriting Policy Select the name of a URL rewriting rule set, if any, that will be applied to matching HTTP requests.

HTTP Protocol Constraints

Select the name of an HTTP parameter constraint, if any, that will be applied to matching HTTP requests. Attack log messages contain HTTP_HEADER_LEN_OVERFLOW or HTTP_HEADER_LINE_LEN_OVERFLOW when this feature detects an HTTP request that does not comply with the constraints.

IP List Select the name of an IP list policy, if any, that will be applied to matching HTTP requests.

HTTP Authentication Policy

Select the name of an HTTP authentication rule, if any, that will be applied to matching HTTP requests. If the HTTP client fails to authenticate, it will receive an HTTP 403 (Access Forbidden) error message.

Redirect URL
Type a URL including the FQDN/IP and path, if any, to which an HTTP client will be redirected if their HTTP request violates any of the rules in this profile. For example, you could enter www.example.com/products/. If you do not enter a URL, depending on the type of violation and the configuration, the FortiWeb unit will log the violation, may attempt to remove the offending parts, and could either reset the connection or return an HTTP 403 (Access Forbidden) or 404 (File Not Found) error message.


Redirect URL With Reason
Enable to include the reason for redirection as a parameter in the URL, such as reason=DETECT_PARAM_RULE_FAILED, when traffic has been redirected using Redirect URL. The FortiWeb unit also adds fortiwaf=1 to the URL to detect and cancel a redirect loop (when the redirect action recursively triggers an attack event). By default, this option is disabled.
Caution: If you specify a redirect URL that is protected by the FortiWeb unit, you should enable this option to prevent infinite redirect loops.

Enable AMF3 Protocol Detection
Enable to scan requests that use action message format 3.0 (AMF3) for:
• cross-site scripting (XSS) attacks
• SQL injection attacks
• common exploits
if you have enabled those in your selected server protection rule. AMF3 is a binary format that can be used by Adobe Flash clients to send input to server-side software.
Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will cause the FortiWeb unit to be unable to scan AMF3 requests for attacks.

URL Rewriting Policy
Select the name of a URL rewriting rule set, if any, that will be applied to matching HTTP requests. For details, see “Configuring URL rewriting policy” on page 244.

HTTP Authentication Policy
Select the name of an HTTP authentication rule, if any, that will be applied to matching HTTP requests. For details, see “Configuring authentication policy” on page 257. If the HTTP client fails to authenticate, it will receive an HTTP 403 (Access Forbidden) error message.

Tip: Click Detail beside any field to open a dialog that lets you view and modify the associated policy.

4 Click OK.
If you will use this inline protection profile in conjunction with an auto-learning profile in order to indicate which attacks and other aspects should be discovered, also configure the auto-learning profile. For details, see “Applying auto-learning profiles” on page 278. To apply the inline protection profile, select it in a server policy. For details, see “Configuring server policies” on page 118.

Configuring offline protection profiles
Use offline protection profiles when you want to preview the effects of some web protection features without affecting traffic or network topology. Offline protection profiles in server policies apply only when the FortiWeb unit is operating in offline protection mode.

Offline protection profile workflow
Before configuring an offline protection profile, first configure any of the following that you want to include in the profile:
• a file upload restriction policy (see “Configuring file upload restriction policy” on page 263)
• an allowed method policy (see “Configuring allowed request method policy” on page 235)
• a URL access policy (see “Configuring URL access policy” on page 216)
• a server protection rule (see “Configuring server protection rules” on page 201)
• a parameter validation rule (see “Configuring HTTP parameter validation rules” on page 192)
• a robot control profile (see “Configuring robot control profiles” on page 227)
• an IP list policy (see “Configuring an IP list policy” on page 220)
• lastly, select the offline protection policy in a server policy

Configuring an offline protection profile
Web Protection > Web Protection Profile > Offline Protection Profile displays the list of offline protection profiles.

An offline protection profile is designed for use only in offline protection mode. Offline protection profiles cannot be guaranteed to block attacks. They attempt to reset the connection, but due to variable speeds of different routing paths, the reset request may arrive after the attack has finished. Their primary purpose is to detect attacks, especially for use in conjunction with auto-learning profiles. In fact, if used in conjunction with auto-learning profiles, you should configure the offline protection profile to log but not block attacks in order to gather complete session statistics for the auto-learning feature. Unlike inline protection profiles, offline protection profiles do not support HTTP conversion, cookie poisoning detection, start page rules, and page access rules.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “About permissions” on page 80.

Table 109: Web Protection > Web Protection Profile > Offline Protection Profile tab

Note: Offline web protection profiles can be configured at any time, but can only be selected in a policy while the FortiWeb unit is operating in an offline mode. For details, see Table 45, “Policy behavior by operation mode,” on page 119.

GUI item Description
Create New Click to add an offline protection profile.

# Displays the index number of the entry in the list.

Name Displays the name of the entry.

Session Management Indicates whether session management by the FortiWeb unit is enabled or disabled. For more information about session management, see “Configuring offline protection profiles” on page 274.

Server Protection Rule
Displays the name of the server protection rule that will be applied to matching HTTP requests. For details on server protection rules, see “Configuring server protection rules” on page 201.

Parameter Validation Rule
Displays the name of the parameter validation rule that will be applied to matching HTTP requests. For details on parameter validation rules, see “Configuring HTTP parameter validation rules” on page 192.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy. Click the Edit icon to modify the entry. Click the View icon to view a predefined entry. Click the Clone icon to create a new entry based on a predefined entry. You can clone global protection profiles as well as custom protection profiles.

To configure an offline protection profile
1 Go to Web Protection > Web Protection Profile > Offline Protection Profile.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
Alternatively, click the Clone icon to create an entry populated with settings from a predefined profile. In this case, a dialog opens with just the Name field.
3 Configure the following:

GUI item Description
Name Type the name of the offline protection profile. This field cannot be modified if you are editing an existing offline protection profile. To modify the name, delete the entry, then recreate it using the new name.

Session Management

Enable to track the states of HTTP sessions using a cookie named FORTIWAFSID, which is required if you will select a WAF Auto Learning Profile in the policy with this offline protection profile. Also configure Session Timeout. This feature requires that the client support cookies.
Note: You must enable this option if you want to include the profile’s traffic in the traffic log, in addition to enabling traffic logs in general. For more information, see “Enabling logging” on page 327.


Session Timeout
Enter the HTTP session timeout in seconds. This option appears only if Session Management is enabled.

Session Key Word
Enter the name of the session ID cookie, if any, that will be used by the application to track the session when working in offline or either of the transparent modes. By default, FortiWeb tracks the following session ID cookies: ASPSESSIONID, PHPSESSIONID and JSESSIONID. Use this field to create your own unique session ID tracking key word. This option appears only if Session Management is enabled.

File Upload Restriction Policy

Select an existing file upload restriction policy, if any, that will be applied to matching HTTP requests.

Allow Request Method Policy

Select an existing allow request method policy, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_ALLOW_METHOD_FAILED when this feature detects a non-allowed HTTP request method.
Note: If a WAF Auto Learning Profile will be selected in the policy with this profile, you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb unit to learn about. If a method is disabled, the FortiWeb unit will reset the connection, and therefore cannot learn about the session.

URL Access Policy
Select the name of the URL access policy, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_URL_ACCESS_ALERT_DENY when this feature detects a URL that matches this policy.
Note: Do not select a URL access policy if this offline protection profile will be used in a policy with a WAF Auto Learning Profile. Selecting a URL access policy will cause the FortiWeb unit to reset the connection when it detects a request with a blocked URL and Host: field combination, resulting in incomplete session information for the auto-learning feature.

Server Protection Rule

Select the name of the server protection rule, if any, that will be applied to matching HTTP requests. Attack log messages for this feature vary by which type of attack was detected. For a list, see “Configuring server protection rules” on page 201.
Note: If a WAF Auto Learning Profile will be selected in the policy with this profile, you should select a server protection rule whose Action is Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.

Parameter Validation Rule

Select the name of the parameter validation rule, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_PARAM_RULE_FAILED when this feature detects a parameter rule violation.
Note: If a WAF Auto Learning Profile will be selected in the policy with this profile, you should select a parameter validation rule whose Action is Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.

Hidden Fields Protection Rule

Select the name of a hidden fields group, if any, that will be applied to matching HTTP requests. This option appears only if Session Management is enabled.

Robot Control
Select the name of a robot control profile, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_MALICIOUS_ROBOT when this feature detects a misbehaving robot or any other HTTP client that exceeds the rate limit.
Note: If a WAF Auto Learning Profile will be selected in the policy with this profile, you should select a robot control rule whose Action is Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.

HTTP Protocol Constraints

Select the name of an HTTP protocol constraint, if any, that will be applied to matching HTTP requests.

IP List Policy
Select the name of an IP list policy, if any, that will be applied to matching HTTP requests.

Enable AMF3 Protocol Detection
Enable to scan requests that use action message format 3.0 (AMF3) for:
• cross-site scripting (XSS) attacks
• SQL injection attacks
• common exploits
if you have enabled those in your selected server protection rule. AMF3 is a binary format that can be used by Adobe Flash clients to send input to server-side software.
Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will cause the FortiWeb unit to be unable to scan AMF3 requests for attacks.

Tip: Click Detail beside any field to open a dialog that lets you view and modify the policy.

4 Click OK.
If you will use this offline protection profile in conjunction with an auto-learning profile in order to indicate which attacks and other aspects should be discovered, also configure the auto-learning profile. For details, see “Applying auto-learning profiles” on page 278. To apply the offline protection profile, select it in a policy. For details, see “Configuring server policies” on page 118.

Applying auto-learning profiles
Auto-learning profiles are designed to be used in conjunction with an inline or offline protection profile. Those profiles detect attacks. Only if attacks are detected can the auto-learning profile accumulate auto-learning data and generate its report. As a result, when you create a server policy, you must include an auto-learning profile as well as an inline or offline protection profile.

Auto-learning profiles are useful when you want to collect information about the HTTP sessions on your unique network in order to design inline or offline protection profiles suited for them.

Auto-learning profiles gather data on the HTTP requests that your FortiWeb unit is handling. They track your web servers’ response to each request, such as 401 Unauthorized or 500 Internal Server Error, to learn about whether the request is legitimate or a potential attack attempt. Such data is used for auto-learning reports, and can serve as the basis for generating inline protection profiles or offline protection profiles (see “Generating a profile from auto-learning data” on page 289). When designing an appropriate defense, this reduces much of the research and guesswork about which HTTP request methods, data types, and other types of content your web sites and web applications use. Also, see “Viewing auto-learning reports” on page 282.

Auto-learning profile workflow
Before configuring an auto-learning profile, first configure any of the following that you want to include in the profile:
• a data type group (see “Grouping predefined data types” on page 150)
• a suspicious URL rule (see “Grouping suspicious URLs” on page 154)
• one or more URL replacers and a custom application policy (see “Custom application workflow” on page 160)
• lastly, select the auto-learning profile in a server policy

Configuring auto-learning profiles
Web Protection > Web Protection Profile > Auto Learning Profile displays the list of auto-learning profiles. To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Auto Learn Configuration category. For details, see “About permissions” on page 80.

Table 110: Web Protection > Web Protection Profile > Auto Learning Profile tab

GUI item Description
Create New Click to add an auto-learning profile.

# Displays the index number of the entry in the list.

Name Displays the name of the entry.

Data Type Group Displays the name of a data type group. The auto-learning profile will learn about the names, length, and required presence of these types of parameter inputs. For details, see “Grouping predefined data types” on page 150.

Suspicious URL Rule Displays the name of a suspicious URL rule. The auto-learning profile will learn about attempts to access these types of URLs that may indicate an attempt to gain administrative or other unauthorized access to the web server or web application. For details, see “Grouping suspicious URLs” on page 154.

(No column heading.) Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy. Click the Edit icon to modify the entry.

Note: Alternatively, you could generate a default auto-learning profile and its required components, and then modify them. For details, see “Generating an auto-learning profile and its components” on page 281.

To configure an auto-learning profile
1 Go to Web Protection > Web Protection Profile > Auto Learning Profile.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
Alternatively, click the Clone icon to create an entry populated with settings from a predefined profile. In this case, a dialog opens with just the Name field.

Note: Use auto-learning profiles with profiles whose Action is Alert. If Action is Alert & Deny, the FortiWeb unit will reset the connection, preventing the auto-learning feature from gathering complete data on the session.

3 Configure the following:

GUI item Description
Name Type the name of the auto-learning profile. This field cannot be modified if you are editing an existing auto-learning profile. To modify the name, delete the entry, then recreate it using the new name.

Data Type Group Select the name of a data type group to use, if any. The auto-learning profile will learn about the names, length, and required presence of these types of parameter inputs. For details, see “Grouping predefined data types” on page 150.

Suspicious URL Rule
Select the name of a suspicious URL rule to use, if any. The auto-learning profile will learn about attempts to access URLs that are typically used for web server or web application administrator login, such as /admin.php. Requests from clients for these types of URLs are considered a possible attempt at either vulnerability scanning or administrative login attacks, and therefore potentially malicious. For details, see “Grouping suspicious URLs” on page 154.

Server Protection Threshold
Enter the threshold for the number of attacks of each type over which the auto-learning profile will not add the attack to the server protection rules (see “Configuring server protection rules” on page 201). This means that, if the attack count is higher than the threshold, FortiWeb deems this behavior as normal to the web application’s behavior.

Server Protection Exception Threshold
Enter the threshold of the percentage of attacks to total hits over which the auto-learning profile adds the attack to the server protection exceptions (see “Configuring server protection exceptions” on page 207).

Application Policy Select an existing application policy from the drop-down list. For details, see “Configuring custom application policies” on page 160.

Note: Use auto-learning profiles with offline protection profiles whose Action is Alert. If Action is Alert & Deny, the FortiWeb unit will reset the connection, preventing the auto-learning feature from gathering complete data on the session.

4 Click OK.
To apply the auto-learning profile, select it in a policy with an inline or offline protection profile. For details, see “Configuring server policies” on page 118.

Once the policy has begun to match connections and accumulate data, you can view the current statistics any time by displaying the auto-learning report. For details, see “Viewing auto-learning reports” on page 282.


Auto learn
This chapter describes the Auto Learn menu and explains how to generate a default auto-learning profile and its required components, and how to use reports generated from auto-learning. Auto-learning gathers information about the URLs and other characteristics of HTTP sessions that the FortiWeb unit frequently sees passing to your real servers. It tracks your web servers’ response to each request, such as 401 Unauthorized or 500 Internal Server Error, to learn about whether the request is legitimate or a potential attack attempt. It then generates reports based upon this information. By learning about your typical traffic, the FortiWeb unit can help you to quickly make profiles designed specifically for your unique HTTP traffic.

This chapter includes the following topics:
• Generating an auto-learning profile and its components
• Viewing auto-learning reports
• Generating a profile from auto-learning data

Generating an auto-learning profile and its components
The auto-learning feature enables you to generate an auto-learning profile and all of its required components.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Autolearn Configuration category. For details, see “About permissions” on page 80.

Generated auto-learning profile components include:
• data type groups
• suspicious URL rules groups
• server protection rule
• robot control profile and robot groups
• inline or offline protection profile

To generate an auto-learning profile
1 Go to Auto Learn > Default Auto Learn Profile > Default Auto Learn Profile.

Figure 34: Generating a default auto-learning profile

2 In Profile Name, type a name prefix, such as gen-autolearn.


3 Select an operation mode option from the drop-down list.
4 Click Generate Profile.
The FortiWeb unit will automatically suffix a dash ( - ) to the profile name followed by a number indicating the year, month, day, and time on which the profile and its associated components were generated. All associated components thereby have identical suffixes, and can be easily identified for modification.

In the generated components, all options are enabled that are required to guarantee a complete data set for the purpose of the report generated by the auto-learning profile. This is regardless of whether the web server is Apache, IIS, or Apache Tomcat, and assumes that you want to learn about all parameters and allow web crawlers from the popular search engines Google, Yahoo!, and MSN. The server protection rule will use only attack definitions that do not cause false positives (that is, they do not use the extended rule set). The offline protection or inline protection profile will track all HTTP request methods, and apply a session timeout of 1200 seconds. The FortiWeb unit will log, but not block, detected attacks.

To improve performance, you can modify the generated groups and profiles. For example, if you only operate one type of web server, or if you know that you do not need to watch for a specific data type, you could modify the generated data type group and suspicious URL rule group. The FortiWeb unit would then not expend resources to look for those things. For details, see “Grouping predefined data types” on page 150 and “Grouping suspicious URLs” on page 154.

To use all attack definitions, or if you want to make one of the search engines’ crawlers subject to attack detection, you could modify the generated robot control profile and server protection rule. For details, see “Configuring robot control profiles” on page 227 and “Configuring server protection rules” on page 201.

To apply a generated auto-learning profile, select it and its associated inline or offline protection profile in a policy. For details, see “Configuring server policies” on page 118.

Viewing auto-learning reports
Auto Learn > Auto Learn Report > Auto Learn Report displays the list of reports that the FortiWeb unit has generated from information gathered by auto-learning profiles. For information on configuring auto-learning profiles, see “Applying auto-learning profiles” on page 278.

Reports generated from auto-learning profile data can help you to learn about the nature of your network. They can also help you to know whether or not the auto-learning profile has collected sufficient amounts of data. When the auto-learning feature has gathered a satisfactory amount of information, you can use the data to generate web profiles as a basis for configuration of your FortiWeb unit. Auto-learning reports may also serve to inform you about the types of normal HTTP requests and attacks occurring on your network.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Autolearn Configuration category. For details, see “About permissions” on page 80.

Note: Auto-learning reports require that your web browser have the Adobe Flash Player plug-in.


Table 111: Auto Learn > Auto Learn Report > Auto Learn Report tab

To view a report generated from auto-learning data
1 Go to Auto Learn > Auto Learn Report > Auto Learn Report.
2 In the row corresponding to the auto-learning profile whose data you want to view, click the Detail icon.
The report page appears with two panes:
• The left-hand pane lets you navigate through the web sites and URLs that are the subjects of the report.
• The right-hand pane includes tabs that display report, charts, and buttons that enable you to adjust any profile generated from the data.
If a tab contains multiple pages of results, click the arrows at the bottom of the tab, such as next > and << first, to move forward or backwards through the pages of results.

GUI item Description
Name Displays the name of the auto-learning profile whose gathered information was used to generate the report.

Detail Click to view the report, to create a PDF version of the report, or to generate a web profile based upon the data gathered for the report.

Purge Data Click to remove data gathered by this auto-learning profile. Subsequent reports and any profiles generated from them will include only data gathered by the auto-learning profile after you click this icon.
Note: When a report is open, you can clear data for individual nodes by right-clicking the node in the left-hand pane and selecting Clear Data. Data is also cleared automatically if you delete the policy that uses the auto-learning profile.


Figure 35: Parts of auto-learning reports
(Figure callouts: Navigation pane, with a control to collapse the pane; Auto-learning profile; Host; Common part of URL; Requested file; Expansion icons; Display pane.)

Using the navigation pane

You can change the display and content of data in the left-hand navigation pane. To do so, right-click the name of an item, then click a pop-up menu option:

Pop-up option name: Description
Refresh the Tree: Select to update the display in the navigation pane.
Filter the Tree: Select to show or hide HTTP sessions in the report by their HTTP request method and/or other attributes. A pop-up dialog appears. See Figure 36.
Expand Current Node: Select to expand the item and all of its subitems. This option has no effect when right-clicking the name of the auto-learning profile.
Stop Learning: Each URL on an auto-learning report includes the right-click menu option Stop Learning. By selecting this option for a URL that you know is complex and hard to track effectively or that may generate inaccurate data, you reduce processing resources. FortiWeb no longer gathers report data for a stopped URL. Right-click the URL again and select Start Learning to reverse the stop action.
Clean Data: Select to empty auto-learning data for this item. This may be useful if you know that the inputs required by a specific page have changed since you initially began learning about a web site’s parameters, and you want to eliminate obsolete data from the auto-learning report and any profiles that are generated from it.

If you select Filter the Tree, the following dialog appears.


Figure 36: Filtering an auto-learning report

To show only specific nodes in the URL tree and hide the rest, select which attributes a node or its subnode must satisfy in order to be included. For example, to include only parts of the URL tree pertaining to HTTP POST requests to Java server pages (JSP files), you would enter .jsp in the Search field under URL and enable POST under HTTP Method.

In the navigation pane, to view statistics for a subset of sessions with specific hosts and their URLs, click the expand icon ( + ) next to an item to expand it, then click the name of the subitem whose statistics you want to view. Depending on the level in the navigation tree, an item may be either an auto-learning profile observing multiple hosts, a single host, a common part of a path contained in multiple URLs, or a single requested file. This enables you to view:
• statistics specific to each requested URL
• totals for a group of URLs with a common path
• totals for all requested URLs on the host
• totals for all requests on all hosts observed by the auto-learning profile

Using the report display pane

Tabs, statistics and charts appear on the report display (right-hand) pane. Their appearance varies depending on which level you selected in the navigation tree.

Note: If URL rewriting is configured, the tree’s URL is the one requested by the client, not the one to which it was rewritten before passing to the server.

The report display pane contains several feature buttons above the report.
• Click Refresh in the right-hand pane to update the display with current statistics.
• Click Generate Config in the right-hand pane to generate a web protection policy from the auto-learn profile. For information on editing the auto-learn profile before generating a new web protection policy, see “Generating a profile from auto-learning data” on page 289.
• Click Generate PDF in the right-hand pane to get a PDF copy of the report. A pop-up dialog appears. Enter a name for the PDF and click OK.

Overview tab

The Overview tab provides a statistical summary for all sessions established with the host during the use of the auto-learning profile, or since its auto-learning data was last cleared, whichever is shorter.

Figure 37: Overview tab

Under Item in the table, the Hits Count link opens the Visits tab. The Attack Count link opens the Attacks tab.

The Overview tab includes several buttons that can edit the generated report. (Also see “Generating a profile from auto-learning data” on page 289.)
• The Edit Allow Method button appears only when you select a profile in the navigation pane. It opens a pop-up dialog where you can select which HTTP request methods to allow in the generated profile. Select the Off or On options in the Status drop-down list.
• The Edit Protected Servers button appears only when you select the auto-learn profile in the navigation pane. It opens a dialog where you can select or deselect IP addresses and/or domain names that will be members of the generated protected servers group.
• The Edit URL Page button appears only when you select a URL in the navigation pane. It opens a dialog where you can specify that the currently selected URL will be included in start pages and IP list rules in the generated profile. You can also select an action to take if there is a rule violation. The choices are:
• Alert & Deny: Block the connection and generate an alert and/or log message.
• Continue: Allow the request, applying any subsequent rules defined in the web protection profile.
• Pass: Allow the request. Similar to Alert, but does not generate an alert and/or log message.

Attacks tab

The Attacks tab provides statistics in both tabular and graphical format on sessions that contained one of the types of attacks that the web profile selected in the associated policy was configured to detect.

Sometimes, auto-learning reports may contain fewer attacks than you see in the FortiWeb unit’s attack logs. For details, see “About the attack count” on page 289.

Figure 38: Auto-learning report Attacks tab

The inclusion of the Action and Enable columns varies with the level of the item selected in the navigation pane. Use the Enable drop-down lists to turn auto-learning on or off for a specific attack type. The default is on. Use the Action drop-down lists to change how the FortiWeb unit reacts to a specific attack type. The choices are:
• Alert: Accept the connection and generate an alert and/or log message.
• Alert & Deny: Block the connection and generate an alert and/or log message.
• Send 403 Forbidden: Reply with an HTTP 403 (Access Forbidden) error message and generate an alert and/or log message.
• Redirect: Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message.

Visits tab

The Visits tab provides statistics in both tabular and graphical format on the HTTP request methods used. When you select an auto-learning profile in the navigation pane, this tab includes a set of bar charts that give statistics about the most used and least used URLs, plus suspicious URLs. When you select a host IP in the navigation pane, the report includes a set of tables that give statistics on HTTP return codes in the 400 and 500 series.

The Visits tab includes several buttons that can edit the generated report. (Also see “Generating a profile from auto-learning data” on page 289.)
• The Edit Allow Method button appears only when you select a profile in the navigation pane. It opens a pop-up dialog where you can select which HTTP request methods to allow in the generated profile. Select the Off or On options in the Status drop-down list.
• The Edit URL Access button appears only when you select a profile in the navigation pane. It opens a pop-up dialog where you can choose the start pages related to a protected server.
• The Edit Start Page button appears only when you select a profile in the navigation pane. It opens a pop-up dialog where you can choose the URL access rules related to a protected server.
• The Edit Exception Method button appears when you select a URL in the navigation pane. It opens a pop-up dialog where you can select which HTTP request methods to treat as exceptions for that URL. Select the Off or On options in the Status drop-down list.

Parameters tab

The Parameters tab provides tabular statistics on the parameters and their values as they appeared in HTTP requests, as well as applicable URL replacements. This tab appears only for items that are leaf nodes in the navigation tree; that is, they represent a single complete URL as it appeared in a real HTTP request, and therefore could have had those exact associated parameters.

Percentages in the TypeMatch and Required columns indicate how likely the parameter with that name is of that exact data type, and whether or not the web application requires that input for that URL. The MinLen and MaxLen columns indicate the likely valid range of length for that input’s value. Together the columns provide information on what is likely the correct configuration of a profile for that URL.

Cookies tab

The Cookies tab provides tabular statistics on the name, value, expiry date, and path of each cookie crumb that appeared in HTTP requests. This tab appears only for hosts that use cookies. This tab does not appear at the policy level of the navigation tree.


About the attack count

Sometimes, auto-learning reports may contain fewer attacks than you see in the FortiWeb unit’s attack logs. Possible causes include:
• The attack was attempted, but was targeted towards a URL that did not actually exist on the server (that is, it resulted in an HTTP 404 File Not Found reply code). Because the URL did not exist, the auto-learning report does not include it in its tree of requested URLs. In other words, the attack was not counted in the report because it did not result in an actual page hit.
• The attack was attempted, and the URL existed, but the FortiWeb unit was configured to block the attack (Alert & Deny), resulting in an unsuccessful connection attempt. Unsuccessful connections do not result in an actual page hit and have incomplete session data, and therefore are not included in auto-learning reports.

To ensure that auto-learning reports have complete session data, you should log but not block attacks (that is, select Alert instead) while gathering auto-learning data.
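The Parameters tab statistics described above (Required, TypeMatch, MinLen, MaxLen) and the page-hit rule from “About the attack count” can be reproduced with a short script. The following is an added example, not FortiWeb code: it takes a constructed list of observed sessions, discards sessions that returned 404 or were blocked with Alert & Deny (since, as the guide states, those never become page hits), and computes per-URL parameter statistics. The session record layout, the type patterns and the sample data are assumptions of this example.

```python
"""Added example (not FortiWeb code): infer per-URL parameter statistics of the
kind the auto-learning Parameters tab reports, from constructed sessions."""
import re
from collections import defaultdict

# Candidate data types, tested most-specific first. These patterns are an
# assumption of this example; FortiWeb's own data type definitions are not
# reproduced here.
TYPE_PATTERNS = [
    ("integer", re.compile(r"^-?\d+$")),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
]


def guess_type(value):
    for name, pattern in TYPE_PATTERNS:
        if pattern.match(value):
            return name
    return "string"


def is_page_hit(session):
    """Only sessions that reached an existing page and were not blocked count."""
    return session["status"] != 404 and session["action"] != "Alert & Deny"


def learn_parameters(sessions):
    """Return {url: {param: {required, type, type_match, min_len, max_len}}}.
    required and type_match are percentages, lengths are in characters."""
    hits_per_url = defaultdict(int)
    observed = defaultdict(lambda: defaultdict(list))   # url -> param -> values
    for s in sessions:
        if not is_page_hit(s):
            continue
        hits_per_url[s["url"]] += 1
        for name, value in s["params"].items():
            observed[s["url"]][name].append(value)

    report = {}
    for url, params in observed.items():
        report[url] = {}
        for name, values in params.items():
            types = [guess_type(v) for v in values]
            best = max(set(types), key=types.count)   # most frequent type wins
            report[url][name] = {
                "required": round(100.0 * len(values) / hits_per_url[url]),
                "type": best,
                "type_match": round(100.0 * types.count(best) / len(values)),
                "min_len": min(len(v) for v in values),
                "max_len": max(len(v) for v in values),
            }
    return report


# Constructed sample sessions (not real traffic). The last two are excluded by
# is_page_hit: one hit a URL that does not exist, one was blocked.
SAMPLE_SESSIONS = [
    {"method": "POST", "url": "/login.jsp", "status": 200, "action": "Alert",
     "params": {"user": "alice@example.com", "password": "hunter2!"}},
    {"method": "POST", "url": "/login.jsp", "status": 200, "action": "Alert",
     "params": {"user": "bob@example.com", "password": "correct horse"}},
    {"method": "POST", "url": "/login.jsp", "status": 200, "action": "Alert",
     "params": {"user": "carol@example.com", "password": "pw", "remember": "1"}},
    {"method": "POST", "url": "/login.jsp", "status": 200, "action": "Alert",
     "params": {"user": "not-an-email", "password": "abc"}},
    {"method": "GET", "url": "/admin.php", "status": 404, "action": "Alert",
     "params": {"id": "9999"}},
    {"method": "POST", "url": "/login.jsp", "status": 200, "action": "Alert & Deny",
     "params": {"user": "x", "password": "y"}},
]

if __name__ == "__main__":
    for url, params in learn_parameters(SAMPLE_SESSIONS).items():
        for name, stats in params.items():
            print(url, name, stats)
```

With the sample data, /login.jsp has four page hits: user is 100% required, 75% email (the one non-email value pulls TypeMatch down, which is exactly the signal the tab gives you before you commit to a parameter validation rule), remember is 25% required, and /admin.php never appears because its only request was a 404.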

Generating a profile from auto-learning data

When viewing a report generated from auto-learning data, you can generate an inline protection profile or an offline protection profile suitable for the HTTP sessions observed. If some observed sessions are not indicative of typical traffic and you do not want to include elements in the generated profile, or you want to select an action other than the default for a type of observed attack, you can selectively change the action for that type of attack.

In addition to the generated profile itself, the FortiWeb unit also generates all rules and other auxiliary configurations that the profile depends upon. For example, if the FortiWeb unit observed HTTP PUT requests with required parameters of a password and a user name that is an email address, when generating a profile, it would also generate the parameter validation rules and input rules that the profile requires, using the data types and maximum lengths of the arguments observed in the HTTP sessions.

Generated profiles and auxiliary configurations are editable. They can be adjusted or used as the basis for additional configuration.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Autolearn Configuration category. For details, see “About permissions” on page 80.

To configure a profile using auto-learning data
1 Go to Auto Learn > Auto Learn Report > Auto Learn Report.
2 In the row corresponding to the auto-learning profile whose data you want to view, click Detail. The report appears.

Figure 39: Viewing an auto-learning report

3 In the left-hand pane, if you want to adjust the actions that will appear in the generated profile for the subset of sessions handled for specific web hosts and their URLs, click the expand icon ( + ) next to an item to expand the item, then click the name of the subitem whose actions you want to affect.
Statistics and charts appear on the right-hand pane. The content of the report and the available buttons vary depending on the selected node in the navigation tree.
If a tab contains multiple pages of results, click the arrows at the bottom of the tab, such as next > and << first, to move forward or backwards through the pages of results.

4 For most selected items in the left-hand navigation pane, the report provides buttons and drop-down lists to help you configure a profile for generation. Select the following as applicable:

Table 112: Auto Learn report features

GUI item: Description
Overview tab
Edit Protected Servers: Click to open a pop-up dialog. Enable or disable the IP addresses and/or domain names that will be members of the generated protected servers group. For details, see “Configuring protected servers” on page 147. This appears only if you have selected the name of the auto-learning profile in the navigation pane.
Edit URL Page: Click to open a pop-up dialog. Enable or disable whether the currently selected URL will be included in start pages and IP list rules in the generated profile. This appears only if you have selected a URL in the navigation pane. For more information on those rule types, see “Configuring start page rules” on page 213, “Configuring URL access policy” on page 216 and “Configuring URL access rules” on page 218.
Attacks tab
Action and Enable: Select from the Enable drop-down list to enable or disable detection of each type of attack, and select from Action which action the generated profile will take. The availability of these lists varies with the level of the item selected in the navigation pane. For details, see “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274.
Visits tab
Edit Allow Method: Click to open a pop-up dialog. Change the Status option to select which HTTP request methods to allow in the generated profile. This appears only if you have selected a profile in the navigation pane. For details, see “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274.
Edit URL Access: Click to open a pop-up dialog. This appears only if you have selected a profile in the navigation pane. For details, see “Configuring URL access policy” on page 216.
Edit Start Page: Click to open a pop-up dialog. This appears only if you have selected a profile in the navigation pane. For details, see “Configuring start page rules” on page 213.
Edit Exception Method: Click to open a pop-up dialog. This appears only if you have selected a URL in the navigation pane. For details, see “Configuring allowed method exceptions” on page 237.
Parameters tab
Set: Type the data type and maximum length of the parameter, and indicate whether or not the parameter is required input. These settings will appear in the generated parameter validation rule and input rules. For details, see “Configuring parameter validation input rules” on page 194 and “Configuring HTTP parameter validation rules” on page 192.

5 In the right-hand pane, click Generate Config. The following pop-up dialog appears:

Figure 40: Generating an inline or offline profile from auto-learning data

6 In Profile Name, type a name prefix, such as generated-profile. The FortiWeb unit will automatically add a dash ( - ) to the profile name followed by a number indicating the year, month, day, and time on which the profile was generated in order to indicate the data on which the profile was based.


7 From Profile Type, select which type of web profile you want to generate, either Inline (to generate an inline protection profile) or Offline (to generate an offline protection profile).

8 Click OK. The generated profile appears in the list of either inline or offline protection profiles, depending on its type. Adjust it if necessary. For details, see “Configuring inline protection profiles” on page 268 or “Configuring offline protection profiles” on page 274.

If you do not configure any settings, by default, the FortiWeb unit will generate a profile that allows the HTTP GET method and any other methods whose usage exceeded the threshold, and will add the remaining methods to an allowed method exception. It will also create start page rules and trust IP rules for the top 10 most commonly requested URLs, and create black IP rules for the top 10 most commonly requested suspicious URLs. To apply the generated profile, select it in a policy. For details, see “Configuring server policies” on page 118. If you are done collecting auto-learning data, for performance reasons, you may also want to deselect the auto-learning profile in all policies.

Note: You may also need to adjust configuration items used by the generated profile, such as input rules. The generated configuration items will be based upon auto-learning data current at the time that the profile is generated, which may have changed while you were reviewing the auto-learning report.
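The default generation rules just described (allow GET plus every method whose usage exceeded a threshold, route the remaining observed methods to an allowed-method exception, make start page and trust IP rules for the most requested URLs, and black IP rules for the most requested suspicious URLs) can be written down as a small function. This is an added example, not FortiWeb code. The 5% usage threshold is an assumption (the guide does not state the real value), "suspicious" is taken here to mean a URL on which an attack was detected, and the session records are constructed sample data.

```python
"""Added example (not FortiWeb code): derive the default profile skeleton that
Generate Config produces when nothing is adjusted, from constructed sessions."""
from collections import Counter

METHOD_THRESHOLD = 0.05   # assumed share of requests; the guide gives no value
TOP_N = 10                # the guide's "top 10"


def generate_profile(sessions, threshold=METHOD_THRESHOLD, top_n=TOP_N):
    """Return allowed methods, method exceptions, start pages and per-URL IP rules."""
    if not sessions:
        return {"allowed_methods": ["GET"], "method_exceptions": [],
                "start_pages": [], "ip_rules": {}}
    methods = Counter(s["method"] for s in sessions)
    total = sum(methods.values())
    # GET is always allowed; other methods must exceed the usage threshold.
    allowed = {"GET"} | {m for m, n in methods.items() if n / total > threshold}
    exceptions = sorted(set(methods) - allowed)

    url_hits = Counter(s["url"] for s in sessions)
    attack_hits = Counter(s["url"] for s in sessions if s["attack"])
    start_pages = [u for u, _ in url_hits.most_common(top_n)]
    suspicious = [u for u, _ in attack_hits.most_common(top_n)]

    # Per-URL IP list rules: trusted sources for start pages, blocked sources
    # for suspicious URLs (assumed interpretation of "trust IP" / "black IP").
    ip_rules = {}
    for s in sessions:
        rule = ip_rules.setdefault(s["url"], {"trust": set(), "black": set()})
        if s["url"] in start_pages and not s["attack"]:
            rule["trust"].add(s["src"])
        if s["url"] in suspicious and s["attack"]:
            rule["black"].add(s["src"])
    ip_rules = {u: {k: sorted(v) for k, v in r.items()}
                for u, r in ip_rules.items() if r["trust"] or r["black"]}
    return {"allowed_methods": sorted(allowed), "method_exceptions": exceptions,
            "start_pages": start_pages, "ip_rules": ip_rules}


def sample_sessions():
    """Constructed sample of 100 observed requests (not real traffic)."""
    def rec(method, url, src, attack, count):
        return [{"method": method, "url": url, "src": src, "attack": attack}] * count
    return (rec("GET", "/index.html", "10.0.0.1", False, 50)
            + rec("POST", "/login.jsp", "10.0.0.2", False, 20)
            + rec("GET", "/about.html", "10.0.0.3", False, 10)
            + rec("HEAD", "/index.html", "10.0.0.4", False, 2)
            + rec("OPTIONS", "/index.html", "10.0.0.5", False, 1)
            + rec("POST", "/search.jsp", "192.0.2.9", True, 5)
            + rec("GET", "/search.jsp", "10.0.0.6", False, 12))


if __name__ == "__main__":
    import json
    print(json.dumps(generate_profile(sample_sessions(), top_n=2), indent=2))
```

With the sample, GET (72%) and POST (25%) are allowed, HEAD (2%) and OPTIONS (1%) fall below the assumed threshold and become allowed-method exceptions, and the one URL that saw attacks gets a black IP entry for the attacking source. Changing the threshold or top_n shows how sensitive the generated profile is to the amount of data collected, which is the reason the guide asks you to confirm the profile gathered enough before generating.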


Web anti-defacement

This chapter describes the Web Anti-Defacement menu, which configures the FortiWeb unit to monitor web sites for defacement attacks and to fix attack damage.

This chapter includes:
• Configuring anti-defacement
• Reverting a web site to a backup revision

Configuring anti-defacement

Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-Defacement displays the list of web sites for which you have configured anti-defacement protection.

Anti-defacement monitors a web site’s files for any changes at specified time intervals. If it detects a change that could indicate a defacement attack, the FortiWeb unit can notify you and quickly react by automatically restoring the web site contents to the previous backup revision.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Anti-Defacement Management category. For details, see “About permissions” on page 80.

Table 113: Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-Defacement tab

Caution: When you intentionally modify the web site, you must disable the Enable Monitor and Restore Changed Files Automatically options; otherwise, the FortiWeb unit sees your changes as a defacement attempt and undoes them.

GUI item: Description
Create New: Click to add a web site that the FortiWeb unit will monitor for defacement.
Refresh: Click to refresh the tab’s display, including the current Connected status.
ID: The index number of the entry in the list.
Name: A descriptive name for the web site.
Hostname/IP: The IP address or fully qualified domain name (FQDN) of the real server on which the web site is hosted.
Monitor: Indicates whether or not anti-defacement is currently enabled for the web site.
• Green icon: Anti-defacement is enabled.
• Flashing yellow-to-red icon: Anti-defacement is disabled.
Connected: Indicates the connection results of the FortiWeb unit’s most recent attempt to connect to the web site’s server.
• Green check mark icon: The connection was successful.
• Red X mark icon: The FortiWeb unit was unable to connect. Verify the IP address/FQDN and login credentials of your anti-defacement configuration. If these are valid, verify that connectivity has not been interrupted by dislodged cables, routers, or firewalls.
Total Files: Displays the total number of files on the web site.
Total Backup: Displays the total number of files that have been backed up onto the FortiWeb unit for recovery purposes. Those files that you choose not to monitor will not be backed up.
Total Changed: Displays the total number of files that have changed.
(No column heading.) View, Edit, Delete and Revert site icons. Click the View icon to display the web site’s anti-defacement configuration and backup statistics, including disk usage. Click the Edit icon to modify an entry. Click the Delete icon to remove an entry. Click the Revert site icon to revert the web site to a backup revision. See “Reverting a web site to a backup revision” on page 297.

Before configuring a web site for anti-defacement protection, you must have the following information ready:
• FQDN or IP address of the web site’s server
• root folder of the web site
• connection type (FTP, SSH, or Windows Share) and the credentials you use to access the root folder of the web site
• alert email address

To configure anti-defacement
1 Go to Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-Defacement.
2 Click Create New to add a new entry, or click the Edit icon to edit an existing entry.
A dialog appears.


3 Configure the following settings:

GUI item: Description
Web Site Name: Type a name for the web site. This name will not be used when monitoring the web site, nor will it be referenced in any other part of the configuration, and therefore can be any identifier that is useful to you. It does not need to be the web site’s FQDN or virtual host name.
Description: Enter a comment. The comment may be up to 63 characters long. This field is optional.
Enable Monitor: Enable to monitor the web site’s files for changes, and to download backup revisions that can be used to revert the web site to its previous revision if the FortiWeb unit detects a change attempt. Note: While you are intentionally modifying the web site, you must turn off this option and Restore Changed Files Automatically. Otherwise, the FortiWeb unit will detect your changes as a defacement attempt, and undo them.
Hostname/IP: Type the IP address or FQDN of the real server on which the web site is hosted. This will be used when connecting by SSH or FTP to the web site to monitor its contents and download backup revisions, and therefore could be different from the real or virtual web host name that may appear in the Host: field of HTTP headers.
Connect Type: Select which protocol (FTP, SSH, or Windows Share) to use when connecting to the web site in order to monitor its contents and download web site backups.
FTP/SSH Port: Enter the TCP port number on which the web site’s real server listens. The standard port number for FTP is 21; the standard port number for SSH is 22. This field appears only if Connect Type is FTP or SSH.
Windows Share Name: Type the name of the shared folder on the web server. This field appears only if Connect Type is Windows Share.
Folder of Web Site: Type the path to the web site’s folder, such as public_html, on the real server. The path is relative to the initial location when logging in with the user name that you specify in User Name.
User Name: Enter the user name, such as fortiweb, that the FortiWeb unit will use to log in to the web site’s real server.
Password: Enter the password for the user name you entered in User Name.
Alert Email Address: Type the recipient email address (MAIL TO:) to which the FortiWeb unit will send an email when it detects that the web site has changed.
Monitor Interval for Root Folder: Enter the time interval in seconds between each monitoring connection from the FortiWeb unit to the web server. During this connection, the FortiWeb unit examines Folder of Web Site (but not its subfolders) to see if any files have been changed by comparing the files with the latest backup. If it detects any file changes, the FortiWeb unit will download a new backup revision. If you have enabled Restore Changed Files Automatically, the FortiWeb unit will revert the files to their previous version. For details, see “About web site backups” on page 297.
Monitor Interval for Other Folder: Enter the time interval in seconds between each monitoring connection from the FortiWeb unit to the web server. During this connection, the FortiWeb unit examines subfolders to see if any files have been changed by comparing the files with the latest backup. If any file change is detected, the FortiWeb unit will download a new backup revision. If you have enabled Restore Changed Files Automatically, the FortiWeb unit will revert the files to their previous version. For details, see “About web site backups” on page 297.
Maximum Depth of Monitored Folders: Type how many folder levels deep to monitor for changes to the web site’s files. Files in subfolders deeper than this level will not be backed up.
Skip Files Larger Than: Type a file size limit in kilobytes (KB) to indicate which files will be included in the web site backup. Files exceeding this size will not be backed up. The default file size limit is 10 240 KB. Note: Backing up large files can impact performance.
Skip Files With These Extensions: Type zero or more file extensions, such as iso, avi, to exclude from the web site backup. Separate each file extension with a comma. Note: Backing up large files, such as video and audio, can impact performance.
Restore Changed Files Automatically: Enable to automatically restore the web site to the previous revision number when it detects that the web site has been changed. Disable to do nothing. In this case, you must manually restore the web site to a previous revision when the FortiWeb unit detects that the web site has been changed. See “Reverting a web site to a backup revision” on page 297. Note: While you are intentionally modifying the web site, you must turn off this option and Enable Monitor. Otherwise, the FortiWeb unit will detect your changes as a defacement attempt, and undo them.

4 Click Test Connection to test the connection between the FortiWeb unit and the web server.
5 Click OK. The FortiWeb unit connects to the web site and downloads the first backup copy revision. (It may subsequently download additional revisions. See “About web site backups” on page 297.)
When a defacement attack occurs, the damaged/changed files will be restored automatically if you enabled Restore Changed Files Automatically. Otherwise, when the FortiWeb unit notifies you of the attack, you must manually revert the web site to one of the backup revisions. For details, see “Reverting a web site to a backup revision” on page 297.
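The monitoring cycle the settings above describe (back up the monitored files, compare the live files against the latest revision at each interval, record a new revision when something differs, and revert the changed files when automatic restore is on) is shown below as an added example; it is not FortiWeb code. It assumes the site is a local directory rather than an FTP, SSH or Windows Share target, stores each revision as a numbered directory copy, and applies the Maximum Depth, Skip Files Larger Than and Skip Files With These Extensions rules while walking the site. The sample site built in demo() is constructed.

```python
"""Added example (not FortiWeb code): a minimal local-folder anti-defacement
monitor with depth, size and extension limits, revisions and auto-restore."""
import hashlib
import os
import shutil
import tempfile


class SiteMonitor:
    def __init__(self, site_root, backup_root, max_depth=3, max_kb=10240,
                 skip_ext=(), auto_restore=True):
        self.site_root, self.backup_root = site_root, backup_root
        self.max_depth, self.max_bytes = max_depth, max_kb * 1024
        self.skip_ext = {e.lower().lstrip(".") for e in skip_ext}
        self.auto_restore = auto_restore
        self.revisions = []                      # revision dirs, oldest first
        os.makedirs(backup_root, exist_ok=True)

    def monitored_files(self):
        """Site-relative paths of files within the depth, size and extension limits."""
        found = []
        for dirpath, dirnames, filenames in os.walk(self.site_root):
            rel_dir = os.path.relpath(dirpath, self.site_root)
            depth = 0 if rel_dir == "." else rel_dir.count(os.sep) + 1
            if depth >= self.max_depth:
                dirnames[:] = []                 # do not descend any deeper
            for name in filenames:
                full = os.path.join(dirpath, name)
                ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
                if ext in self.skip_ext or os.path.getsize(full) > self.max_bytes:
                    continue
                found.append(os.path.normpath(os.path.join(rel_dir, name)))
        return sorted(found)

    @staticmethod
    def _hashes(root, paths):
        out = {}
        for p in paths:
            with open(os.path.join(root, p), "rb") as f:
                out[p] = hashlib.sha256(f.read()).hexdigest()
        return out

    @staticmethod
    def _revision_files(rev):
        return sorted(os.path.relpath(os.path.join(d, f), rev)
                      for d, _, files in os.walk(rev) for f in files)

    def take_backup(self):
        """Copy every monitored file into a new numbered revision directory."""
        rev = os.path.join(self.backup_root, f"rev{len(self.revisions) + 1:04d}")
        os.makedirs(rev, exist_ok=True)
        for rel in self.monitored_files():
            dst = os.path.join(rev, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(os.path.join(self.site_root, rel), dst)
        self.revisions.append(rev)
        return rev

    def check(self):
        """One monitoring pass: returns the set of added, modified or deleted paths."""
        latest = self.revisions[-1]
        backed_up = self._hashes(latest, self._revision_files(latest))
        live = self._hashes(self.site_root, self.monitored_files())
        changed = {p for p in set(live) | set(backed_up)
                   if live.get(p) != backed_up.get(p)}
        if changed:
            self.take_backup()                   # new revision of what was seen
            if self.auto_restore:
                self.restore(latest, changed)    # then revert to the previous one
        return changed

    def restore(self, rev, paths=None):
        """Revert the given paths (default: the whole site) to revision rev."""
        if paths is None:
            paths = set(self._revision_files(rev)) | set(self.monitored_files())
        for rel in paths:
            src, dst = os.path.join(rev, rel), os.path.join(self.site_root, rel)
            if os.path.exists(src):
                shutil.copy2(src, dst)
            elif os.path.exists(dst):
                os.remove(dst)                   # file planted by the defacement


def demo():
    """Constructed site: first revision, a quiet pass, a defacement, a restore."""
    tmp = tempfile.mkdtemp()
    site, backups = os.path.join(tmp, "public_html"), os.path.join(tmp, "backups")
    files = {"index.html": b"<h1>Welcome</h1>", "css/site.css": b"body{}",
             "a/b/c/deep.txt": b"beyond max depth", "movie.avi": b"skipped ext",
             "big.bin": b"x" * 2048}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(site, rel)), exist_ok=True)
        with open(os.path.join(site, rel), "wb") as f:
            f.write(data)
    mon = SiteMonitor(site, backups, max_depth=2, max_kb=1, skip_ext=("avi",))
    mon.take_backup()
    quiet = mon.check()
    with open(os.path.join(site, "index.html"), "wb") as f:
        f.write(b"<h1>Defaced</h1>")             # simulated defacement
    with open(os.path.join(site, "planted.html"), "wb") as f:
        f.write(b"<p>planted</p>")
    changed = mon.check()
    with open(os.path.join(site, "index.html"), "rb") as f:
        restored = f.read() == files["index.html"]
    result = {"monitored": mon.monitored_files(), "quiet_pass": quiet,
              "changed": changed, "restored": restored,
              "planted_removed": not os.path.exists(os.path.join(site, "planted.html")),
              "revisions": len(mon.revisions)}
    shutil.rmtree(tmp)
    return result


if __name__ == "__main__":
    print(demo())
```

Two details mirror the guide's caveats: files outside the depth, size or extension limits are neither compared nor restored, so a defacement in a skipped file goes unnoticed by this monitor (the reason the guide says omitted files are not backed up), and because the monitor reverts anything that differs from the last revision, a legitimate site update must be made with monitoring and auto-restore switched off, exactly as the Caution above states.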


About web site backups

When a FortiWeb unit is configured to protect a web site using the web anti-defacement feature, it will periodically download a backup copy of that web site’s files automatically. It will create a new backup revision in the following cases:
• When the FortiWeb unit initiates monitoring for the first time, the FortiWeb unit will download a backup copy of the web site’s files and store it as the first revision.
• If the FortiWeb unit could not successfully connect during a monitor interval, it will create a new revision the next time that it re-establishes the connection.

Reverting a web site to a backup revision

If you do not enable automatic recovery of changed files (see Restore Changed Files Automatically), after a defacement attack, you can still manually revert the defaced web site to any known good backup revision that the FortiWeb unit has downloaded. FortiWeb units automatically make periodic backups of the web sites that they have been configured to protect using the anti-defacement feature. For details about web site backup, see “About web site backups” on page 297.

To revert a web site to a backup revision
1 Go to Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-Defacement.
2 In the row corresponding to the web site you want to revert, click the Revert site icon. A dialog appears listing previous site backup copies.
3 In the row corresponding to the copy that you want to restore, click the Revert to this time icon.
4 Click OK.

Note: Backup copies will omit files exceeding the file size limit and/or matching the file extensions that you have configured the FortiWeb unit to omit. See “Configuring anti-defacement” on page 293.


Web vulnerability scans

Web vulnerability scanning can detect known vulnerabilities on your web servers and web applications, helping you to design protection profiles that are an efficient use of processing resources. Vulnerability scans may also be required for compliance with some regulations and certifications.

The vulnerability scan is configured and controlled through web vulnerability scan policies. The vulnerability scan policy determines which servers/applications to scan, what specific vulnerabilities to scan for and when to perform the scan. When a policy is applied, the vulnerability scan starts from an initial directory, authenticates if enabled to do so, then scans for vulnerabilities in web pages located in the same directory or subdirectory as the initial URL. After performing the scan, the FortiWeb unit generates a report from the scan results.

This chapter includes the following topics:
• Preparing for the vulnerability scan
• Configuring web vulnerability scan policies
• Configuring web vulnerability scan profiles
• Configuring web vulnerability scan schedules
• Viewing scan history and reports

Web vulnerability scan workflow

The following is the sequence of steps to prepare, define, run, and obtain a report for a web vulnerability scan.
1 Optionally, configure an email policy in advance so that you can include it in the scan profile. This way, scan reports are sent to recipients automatically. See “Log configuration workflow” on page 313.
2 Prepare for the scan. See “Preparing for the vulnerability scan” on page 300.
3 Create a scan profile. The profile defines the specific vulnerabilities to scan. See “Configuring web vulnerability scan profiles” on page 303.
4 Create a scan schedule, unless you plan to execute the scan immediately. The schedule defines the frequency the scan will be run. See “Configuring web vulnerability scan schedules” on page 308.
5 Create a scan policy. The policy integrates a scan profile and schedule, which enables pre-configuration of multiple scan scenarios. See “Configuring web vulnerability scan policies” on page 300.
6 Start a vulnerability scan manually, or wait for a scheduled vulnerability scan to run automatically. See “Starting and stopping a web vulnerability scan” on page 302.
7 View or download a vulnerability scan report. The report provides details and analysis of the scan results. See “Viewing scan history and reports” on page 309.

Tip: Create and run web vulnerability scans early in the configuration of your FortiWeb unit. Use the reports to locate vulnerabilities and fine tune your protection settings.


Preparing for the vulnerability scan

For best results, before running a vulnerability scan, you should prepare the network and target hosts for the vulnerability scan.

Live web sites
Fortinet strongly recommends that you do not scan for vulnerabilities on live web sites. Instead, duplicate the web site and its database in a test environment and perform the scan in that environment. For more information, see “Scan Mode” on page 306.

Network accessibility
You may need to configure each target host and any intermediate NAT or security devices to allow the vulnerability scan to properly reach the target hosts.

Traffic load
If you do not plan to rate limit the vulnerability scan, be aware that some web servers could perceive its rapid rate of requests as a denial of service (DoS) attack. You may need to configure the web server to omit rate limiting for connections originating from the IP address of the FortiWeb unit. Rapid access also can result in degraded network performance during the scan. For more information, see “Delay Between Each Request” on page 307.

Scheduling
You should work with the owners of target hosts to schedule an appropriate time to run the vulnerability scan. For example, you might schedule to avoid peak traffic hours, to restrict unrelated network access, and to ensure that the target hosts will not be powered off during the vulnerability scan.

Configuring web vulnerability scan policies

Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy enables you to configure web vulnerability scan (WVS) policies. The WVS policies define the type of scan to perform (an immediate scan or a scheduled scan), the WVS profile to use (the scan details), the format of the WVS report, and who is to receive a copy of the report.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see “About permissions” on page 80.

Tip: Before you can create an effective web vulnerability scan policy, you must first configure a web vulnerability scan profile. See “Configuring web vulnerability scan profiles” on page 303. If the scan will run on a set schedule, first create a web vulnerability scan schedule. See “Configuring web vulnerability scan schedules” on page 308.


Table 114: Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy tab

GUI item | Description
Create New | Click to add a new web vulnerability scan policy.
# | Displays the index number of the entry in the list.
Name | Displays the name of the policy. Click the blue arrow beside the policy name to expand the entry and display a summary of the scan associated with the policy.
Schedule | Displays the type of schedule used by the policy. If the policy uses a WVS schedule, the name of the schedule is shown; otherwise Run Now is shown.
Profile | Displays the name of the scan profile used by the policy.
(No column heading.) | Status indicates whether the scan is idle (the status indicator is solid green) or running (the status indicator is flashing red and yellow). Click the Delete icon to remove the entry. Click the Edit icon to modify the entry. The Start/Stop icon appears only if the policy is configured as Run Now. If so, the icon changes depending on the current status of the scan:
• Stop appears if the scan associated with the policy is in progress.
• Start appears if the scan associated with the policy is not in progress.
For more information on starting and stopping a scan, see “Starting and stopping a web vulnerability scan” on page 302.

To configure a web vulnerability scan policy
1 Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
A dialog appears.
3 Configure the following:

GUI item | Description
Name | Type the name of the policy. This field cannot be modified if you are editing an existing WVS policy. To modify the name, delete the entry, then recreate it using the new name.
Type | Select the type of WVS scan to be performed by this policy.
• Run Now - The scan can be manually started at any time by the user. For more information, see “Starting and stopping a web vulnerability scan” on page 302.
• Schedule - The scan is performed according to the schedule defined in the Schedule field below.
Schedule | Displayed only if Schedule is selected as the Type. Select the predefined schedule to use for the scan. For more information on configuring WVS schedules, see “Configuring web vulnerability scan schedules” on page 308.
Profile | Select the predefined profile to associate with the policy. The profile defines the specific details of the web vulnerability scan. For more information on configuring WVS profiles, see “Configuring web vulnerability scan profiles” on page 303.
Report Format | Select the file formats for the WVS report. You can choose to generate reports in the following formats:
• HTML
• MHT (MIME HTML, which can be included in email)
• PDF
• RTF (Rich Text Format)
• TXT (plain text)
Email | Select the predefined email policy to associate with the WVS Policy. The email policy determines who receives the WVS report via email. For more information on configuring email policy, see “Configuring email policies” on page 317.

4 Click OK.

Starting and stopping a web vulnerability scan

You can manually start and stop a scan if the schedule type associated with the WVS Policy is set to Run Now. You cannot manually start a scan that has a set schedule.

To start a scan
1 Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy.


2 In the WVS policy list, choose a policy and verify that the Schedule column says Run Now and the status indicator is green (idle).
If Schedule is not set to Run Now, the WVS scan runs on a set schedule. You cannot manually start a scan that has a set schedule. For more information, see “Configuring web vulnerability scan policies” on page 300.
3 Click the Start icon associated with the WVS policy. The vulnerability scan connects to the starting point configured in the WVS Profile and, if enabled to do so, authenticates. The status indicator flashes red and yellow while the scan is running.
4 When the scan is finished, the status indicator returns to green (idle).
5 Click the blue arrow beside the policy name to expand the scan results.
If an email policy is defined for the scan, a detailed scan report is distributed accordingly.
6 If required, view or download a full report of the scan results. For more information, see “Viewing scan history and reports” on page 309.

To stop a scan
1 Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy.
2 Verify that the status indicator is running (flashing red and yellow).
3 Click the Stop icon associated with the WVS policy.
4 The vulnerability scan stops. The status indicator returns to green (idle). You can expand the policy name to view a summary of the scan results to the point where the scan was stopped.

Configuring web vulnerability scan profiles

Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Profile enables you to configure web vulnerability scan (WVS) profiles. A WVS profile defines the web server to scan, as well as the specific vulnerabilities to scan for. The WVS profiles are associated with WVS policies, which determine when to perform the scan and how to publish the results of the scan defined by the profile.

You can define multiple profiles, depending on scanning requirements, and apply the profiles to WVS policies as required. For more information, see “Configuring web vulnerability scan policies” on page 300.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see “About permissions” on page 80.

Table 115: Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Profile tab

GUI item | Description
Create New | Click to add a new web vulnerability scan profile.
# | Displays the index number of the entry in the list.
Name | Displays the name of the profile.
Target Server | Displays the hostname/IP or URL to be scanned.
Scan Mode | Indicates whether the scan used Basic Mode (use HTTP GET only and omit both user-defined and predefined sensitive URLs) or Enhanced Mode (use both HTTP POST and GET, excluding only user-defined URLs).
(No column heading.) | Click the Delete icon to remove the entry. Click the Edit icon to modify the entry.

To configure a vulnerability scan profile
1 Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Profile.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
3 A dialog appears.


4 Configure the following:

GUI item | Description
Name | Type the name of the profile. This field cannot be modified if you are editing an existing WVS profile. To modify the name, delete the entry, then recreate it using the new name.


Hostname/IP or URL | Type the fully qualified domain name (FQDN), IP address, or full URL to indicate which directory of the web site you want to scan. Behavior of the scan varies by the type of the entry:
• A FQDN/IP such as www.example.com. Assume HTTP and scan the entire web site located on this host.
• A partial URL such as https://webmail.example.com/dir1/. Use the protocol specified in the URL, and scan the web pages located in this directory of the web site. Other directories will be ignored.
• A full URL such as http://example.com/dir1/start.jsp. Use the protocol specified in the URL, starting from the web page in the URL, and scan all local URLs reachable via links from this web page that are located within the same subdirectory.
Links to external web sites and redirects using HTTP 301 (Moved Permanently) or 302 (Moved Temporarily or Found) will not be followed.
Unless you will enter an IP address for the host, you must have configured a DNS server that the FortiWeb unit can use to query for the FQDN. For details, see “Configuring the DNS settings” on page 58.
Note: This starting point for the scan can be overridden if the web server automatically redirects the request after authentication. See “Login with HTTP Authentication” and “Login with specified URL/data” on page 307.
Scan | Enable detection of any of the following vulnerabilities that you want to include in the scan report:
• Common Web Server Vulnerability (outdated software and software with known memory leaks, buffer overflows, and other problems)
• XSS (Cross-site Scripting)
• SQL Injection
• Source-code Disclosure
• OS Commanding
For a description of vulnerabilities, see “Configuring server protection rules” on page 201.
Scan Mode | Select whether the scan job will use Basic Mode (use HTTP GET only and omit both user-defined and predefined sensitive URLs) or Enhanced Mode (use both HTTP POST and GET, excluding only user-defined URLs). Also configure Exclude scanning following URLs.
Basic Mode will avoid alterations to the web site’s databases, but only if all inputs always use POST requests. It also omits testing of the following URLs, which could be sensitive:
• /formathd
• /formatdisk
• /shutdown
• /restart
• /reboot
• /reset
Caution: Fortinet strongly recommends that you do not scan for vulnerabilities on live web sites, even if you use Basic Mode. Instead, duplicate the web site and its database into a test environment, and then use Enhanced Mode with that test environment.
Basic Mode cannot be guaranteed to be non-destructive. Many web sites accept input through HTTP GET requests, and so it is possible that a vulnerability scan could result in database changes, even though it does not use POST. In addition, Basic Mode cannot test for vulnerabilities that are only discoverable through POST, and therefore may not find all vulnerabilities.
Request Timeout | Type the number of seconds for the vulnerability scanner to wait for a response from the web site before it assumes that the request will not successfully complete, and continues with the next request in the scan. It will not retry requests that time out.


Delay Between Each Request | Type the number of seconds to wait between each request.
Some web servers may rate limit the number of requests, or blacklist clients that issue continuous requests and therefore appear to be a web site harvester or denial of service (DoS) attacker. Introducing a delay can be useful to prevent the vulnerability scanner from being blacklisted or rate limited, and therefore slow or unable to complete its scan.
Login Option
Login with HTTP Authentication | Enable to use basic HTTP authentication if the web server returns HTTP 401 (Unauthorized) to request authorization. Also configure User and Password. Alternatively, configure Login with specified URL/data.
After authentication, if the web server redirects the request (HTTP 302), the FortiWeb unit will use this new web page as its starting point for the scan, replacing the URL that you configured in Hostname/IP or URL.
Note: If a web site requires authentication and you do not configure the vulnerability scan to authenticate, the scan results will be incomplete.
User | Enter the user name to provide to the web site if it requests HTTP authentication.
Password | Enter the password of the user name.
Login with specified URL/data | Enable to authenticate if the web server does not use HTTP 401, but instead provides a web page with a form that allows the user to authenticate using HTTP POST. Also configure Authenticate URL and Authenticate Data.
After authentication, if the web server redirects the request (HTTP 302), the FortiWeb unit will use this new web page as its starting point for the scan, replacing the URL that you configured in Hostname/IP or URL.
Note: If a web site requires authentication and you do not configure the vulnerability scan to authenticate, the scan results will be incomplete.
Authenticate URL | Type the URL, such as /login.jsp, that the vulnerability scan will use to authenticate before beginning the scan.
Authenticate Data | Type the parameters, such as userid=admin&password=Re2b8WyUI, that will accompany the HTTP POST request to the authentication URL and contain the values necessary to authenticate. Typically, this string will include user name and password parameters, but may contain other variables, depending on the web page.
Scan Website URLs Option
Crawl entire website automatically | Select this option to automatically follow links leading from the initial starting point that you configured in Hostname/IP or URL. The vulnerability scanner will stop following links when it has scanned the number of URLs configured in Crawl URLs Limit. Alternatively, select Specify URLs for scanning.
Crawl URLs Limit | Type the maximum number of URLs to scan for vulnerabilities while automatically crawling links leading from the initial starting point.
Note: The actual number of URLs scanned could exceed this limit if the vulnerability scanner reaches the limit but has not yet finished crawling all links on a page that it has already started to scan.


5 Click OK.
You can now apply the WVS Profile to a WVS Policy. For more information, see “Configuring web vulnerability scan policies” on page 300.

Configuring web vulnerability scan schedules

Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Schedule enables you to configure web vulnerability scan (WVS) schedules. A WVS schedule defines when the scan will occur and whether the scan is a one time or a recurring event. You can define multiple schedules, depending on scanning requirements, and apply the schedules to WVS policies as required. For more information, see “Configuring web vulnerability scan policies” on page 300.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see “About permissions” on page 80.

Table 116: Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Schedule tab

Specify URLs for scanning | Select this option to manually specify which URLs to scan, such as /login.do, rather than having the vulnerability scanner automatically crawl the web site. Enter each URL on a separate line in the text box. You can enter up to 10 000 URLs.
Exclude scanning following URLs | Enable to exclude specific URLs, such as /addItem.cfm, from the vulnerability scan. Enter each URL on a separate line in the text box. This may be useful to accelerate the scan if you know that some URLs do not need scanning. It could also be useful if you are scanning a live web site and wish to prevent the scanner from inadvertently adding information to your databases. You can enter up to 1 000 URLs.
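The following Python is an added illustration, not FortiWeb code (the guide documents only the settings, not the scanner's implementation). It models how the three Hostname/IP or URL entry types, Crawl URLs Limit and Exclude scanning following URLs from the profile table above bound a crawl: an FQDN or IP alone assumes HTTP and the whole site, a URL ending in a slash names a directory, a full URL names a page whose directory becomes the scope, links to other hosts and 301/302 targets are not followed, excluded paths are skipped, and the limit is only checked between pages, so the scanned count can overshoot exactly as the Crawl URLs Limit note says. The site map, URLs and function names are constructed for the example.

```python
from urllib.parse import urlsplit, urljoin, urldefrag


def normalize_start(entry):
    """Interpret a Hostname/IP or URL entry. Returns (start_url, base_directory_url)."""
    if "://" not in entry:
        # FQDN or IP only: assume HTTP and scan the entire site on this host
        entry = "http://" + entry + "/"
    parts = urlsplit(entry)
    path = parts.path or "/"
    # A partial URL ending in "/" names the directory itself; a full URL names a
    # page, so its directory is everything up to and including the last "/".
    directory = path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"
    root = f"{parts.scheme}://{parts.netloc}"
    return root + path, root + directory


def in_scope(base, candidate, excluded=()):
    """True if candidate is a local URL under the base directory and is not excluded."""
    url, _ = urldefrag(candidate)
    p, b = urlsplit(url), urlsplit(base)
    if p.scheme != b.scheme or p.netloc != b.netloc:
        return False                    # link to an external site: not followed
    if not p.path.startswith(b.path):
        return False                    # other directory of the same site: ignored
    return p.path not in set(excluded)  # Exclude scanning following URLs


def crawl(entry, pages, limit, excluded=()):
    """Return the list of URLs that receive vulnerability tests.

    pages is a constructed site map: url -> {"links": [...]} or {"redirect": url}.
    """
    start, base = normalize_start(entry)
    scanned = [start]        # URLs tested so far
    to_crawl = [start]       # pages whose links still have to be followed
    while to_crawl:
        if len(scanned) >= limit:
            break            # the limit is checked only before a new page is started
        page = to_crawl.pop(0)
        info = pages.get(page, {})
        if "redirect" in info:
            continue         # HTTP 301/302: the redirect target is not followed
        for link in info.get("links", []):
            target = urldefrag(urljoin(page, link))[0]
            if target in scanned or not in_scope(base, target, excluded):
                continue
            scanned.append(target)   # every link on a started page is still scanned
            to_crawl.append(target)
    return scanned


# Constructed site map for the example (not a real site).
SITE = {
    "http://example.com/dir1/start.jsp": {"links": [
        "a.jsp", "b.jsp", "/other/c.jsp", "https://partner.example.net/x",
        "sub/d.jsp", "/dir1/addItem.cfm", "start.jsp#top"]},
    "http://example.com/dir1/a.jsp": {"links": ["e.jsp", "f.jsp"]},
    "http://example.com/dir1/b.jsp": {"redirect": "http://example.com/dir1/g.jsp"},
    "http://example.com/dir1/sub/d.jsp": {"links": ["../h.jsp"]},
}
EXCLUDED = ["/dir1/addItem.cfm"]   # constructed entry for Exclude scanning following URLs

if __name__ == "__main__":
    for url in crawl("http://example.com/dir1/start.jsp", SITE, limit=100, excluded=EXCLUDED):
        print(url)
```

With a limit of 3 the crawl above still tests four URLs, because all links on the starting page are processed before the limit is re-checked; with a generous limit it tests seven, never reaching /other/, the external host, the excluded path or the redirect target g.jsp.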

GUI item | Description
Create New | Click to add a new web vulnerability scan schedule.
# | Displays the index number of the entry in the list.
Name | Displays the name of the schedule.
Type | Displays the type of schedule: One Time or Recurring.
Time | Displays the time that the scan is scheduled to run.
Date | Displays a value only when the schedule type is One Time. Identifies the date on which the one time vulnerability scan is scheduled to run.
Day | Displays values only when the schedule type is Recurring. Identifies the days of the week on which the recurring vulnerability scan is scheduled to run.
(No column heading.) | Click the Delete icon to remove the entry. Click the Edit icon to modify the entry.


To configure a vulnerability scan schedule
1 Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Schedule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
A dialog appears.
3 Configure the following:

GUI item | Description
Name | Displays the name of the schedule. This field cannot be modified if you are editing an existing WVS schedule. To modify the name, delete the entry, then recreate it using the new name.
Type | Select the type of schedule.
• One Time: the vulnerability scan will be run one time only at the time and date specified below.
• Recurring: the vulnerability scan will be run on the days of the week and the time specified below.
Time | Displays the time that the scan is scheduled to run.
Date | This field displays values only if Type is set to One Time. Identifies the date on which the one time vulnerability scan is scheduled to run.
Day | This field displays values only if Type is set to Recurring. Identifies one or more days of the week on which the recurring vulnerability scan is scheduled to run.

4 Click OK.
You can now apply the WVS Schedule to a WVS Policy. For more information, see “Configuring web vulnerability scan policies” on page 300.

Viewing scan history and reports

After a web vulnerability scan completes, the FortiWeb unit generates a report summarizing and analyzing the results of the scan.

Web Vulnerability Scan > Web Vulnerability Scan > Scan History enables you to view an historical archive of WVS reports. You can choose a WVS report from the archive and view the report or download and save the report.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see “About permissions” on page 80.


Table 117: Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan History tab

GUI item | Description
# | Displays the index number of the entry in the list.
Target Server | Displays the base URL that was scanned for vulnerabilities. Click to view the scan report associated with this server.
URLs Found | Displays the number of URLs below the base URL that were scanned for vulnerabilities.
Alerts Found | Displays the total number of vulnerabilities discovered during the scan.
Scan Time | Displays the date and time that the scan was performed.
Scan Mode | Indicates whether the scan job used Basic Mode (use HTTP GET only and omit both user-defined and predefined sensitive URLs) or Enhanced Mode (use both HTTP POST and GET, excluding only user-defined URLs).
(No column heading.) | Click the View the scan report icon to view a report that summarizes and analyzes the results of the associated vulnerability scan. For more information, see “About web vulnerability scan reports” on page 310. Click the Download report file icon to open or save the associated report. Click the Delete the scan report icon to remove the report.

About web vulnerability scan reports

The web vulnerability scan report is divided into sections for a summary, vulnerabilities and server information.

While viewing the Application Vulnerabilities section of the report, if any vulnerabilities are detected, such as cross-site scripting or SQL injection, the vulnerability is described for each URL on which it is detected. The report provides the following information for each vulnerability:
• type
• severity
• URI
• method
• response header
• response body
To view the web server’s response to the request for that part of the scan, click View.

If after viewing the response you determine that the result is a false positive, click False Positive. The false positive status will be saved and visible in any subsequent printout or view of the report, helping to remind you that the particular item should be ignored.

Figure 41: Viewing a vulnerability report (screenshot not reproduced; the report shown is for http://www.example.com/)


Logs and reports

Use the Log & Report menu to configure logging, reports, and alert email. It also enables you to view locally stored log messages using the web-based manager, to download log messages for further processing or analysis, and to generate reports.

FortiWeb units provide extensive logging capabilities for traffic, system and network protection functions. Detailed log information enables you to analyze network activity to identify security issues and reduce network misuse and abuse.

This chapter includes the following topics:
• About logging
• Log message field descriptions
• Configuring and enabling logging
• Viewing log messages
• Downloading log messages
• Configuring and generating reports
• Viewing and downloading reports

Log configuration workflow

The following lists the steps to configure log policy, settings, and reports.
1 Set log policies. See “Configuring log alert policies” on page 316.
2 Create one or more trigger policies. See “Configuring trigger policies” on page 322.
3 Set global log options. See “Configuring and enabling logging” on page 323.
Once you complete the above steps, you can begin viewing attack, event, and traffic logs, and creating custom reports.

About logging

FortiWeb units can log many different network activities and traffic, including:
• overall network traffic
• system-related events, including system restarts and HA activity
• matches of policies whose Action includes Alert
For more information about log types, see “Log types” on page 314. You can select a priority level that log messages must meet in order to be recorded. For more information, see “Log priority levels” on page 314.

A FortiWeb unit can save log messages to its memory, or to a remote location such as a Syslog server or FortiAnalyzer unit. For more information, see “Configuring and enabling logging” on page 323. The FortiWeb unit can also use log messages as the basis for reports. For more information, see “Configuring and generating reports” on page 344.

Tip: Consider creating log alert and trigger policies early in the configuration of your FortiWeb unit. A web vulnerability scan policy, and many XML protection and web protection rules, can reference these policies and alert key personnel to problems.


Event and attack log messages are also displayed in the system status dashboard. For more information, see “Viewing system status” on page 41.

Log types

FortiWeb units can record the following categories of log messages:

Table 118: Log types

Log file type | Description
Event | Displays administration events such as downloading a backup copy of the configuration.
Traffic | Displays traffic flow information such as HTTP requests and, if a reply was permitted by the policy, HTTP responses.
Attack | Displays attack and intrusion attempt events.

Caution: Avoid recording highly frequent log types such as traffic logs to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

Log priority levels

Each log message contains a field that indicates the priority of the log message, such as pri=warning.

For each location where the FortiWeb unit can store log files (disk, memory, Syslog or FortiAnalyzer), you can define a priority threshold. The FortiWeb unit will store all log messages equal to or exceeding the log priority level you select.

For example, if you select Error, the FortiWeb unit will store log messages whose log priority level is Error, Critical, Alert, or Emergency. For more information, see “Configuring global log settings” on page 324.

Table 119: Log severity levels

Levels | Description
0 - Emergency | The system has become unusable.
1 - Alert | Immediate action is required.
2 - Critical | Functionality is affected.
3 - Error | An error condition exists and functionality could be affected.
4 - Warning | Functionality could be affected.
5 - Notification | Information about normal events.
6 - Information | General information about system operations.

Caution: Avoid recording log messages using low log priority thresholds such as information or notification to the local hard disk for an extended period of time. A low log priority threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

Log message field descriptions

Table 120, “Log message fields,” on page 315 describes the fields that are available for each type of log message. The specific fields that appear in a log message depend on selections you make. For more information, see “Viewing log messages” on page 331.
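As an added example (not FortiWeb code), the following Python applies the threshold rule from Log priority levels, with the numbering of Table 119, to a handful of constructed log lines in the key=value style the pri=warning sample shows, and also splits the 10-digit ID field into the type, subtype, reserved and message-id parts described for the ID row of Table 120 below. The line contents, the log_id key name and the function names are assumptions made for the example; the only value taken from the page is the sample ID 0116080121.

```python
import re

# Priority levels from Table 119 (0 is the most severe). Two assumptions for the
# names that appear only in the Level field samples of Table 120: "notice" is
# treated as the same level as "notification" (5), and "debug" is placed below
# information at 7 (the syslog convention), so it never passes a Table 119 threshold.
LEVELS = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3, "warning": 4,
    "notification": 5, "notice": 5, "information": 6, "debug": 7,
}

PRI_RE = re.compile(r"\bpri=(\w+)")


def passes_threshold(pri, threshold):
    """A message is stored when its priority is at least as severe as the
    threshold, i.e. its level number is less than or equal to the threshold's."""
    return LEVELS[pri] <= LEVELS[threshold]


def filter_log(lines, threshold):
    """Return the lines a log destination with the given threshold would store."""
    kept = []
    for line in lines:
        m = PRI_RE.search(line)
        if m and m.group(1) in LEVELS and passes_threshold(m.group(1), threshold):
            kept.append(line)
    return kept


def decode_log_id(log_id):
    """Split the 10-digit ID field into the parts described in Table 120:
    2-digit log type, 2-digit subtype, 1 reserved digit (always 0), 5-digit message id."""
    if not (len(log_id) == 10 and log_id.isdigit()):
        raise ValueError("log ID must be exactly 10 digits")
    return {
        "type": log_id[0:2],
        "subtype": log_id[2:4],
        "reserved": log_id[4],
        "message_id": log_id[5:10],
    }


# Constructed sample lines (values are made up; the "log_id" key name is assumed).
SAMPLE_LOG = [
    'date=2010-11-28 time=15:38:01 log_id=0116080121 pri=warning type=attack msg="SQL Injection"',
    'date=2010-11-28 time=15:38:05 log_id=0116080122 pri=critical type=attack msg="OS Commanding"',
    'date=2010-11-28 time=15:39:10 log_id=0100000001 pri=information type=event action=login',
    'date=2010-11-28 time=15:40:00 log_id=0100000002 pri=error type=event action=backup status=failure',
    'date=2010-11-28 time=15:41:30 log_id=0200000003 pri=notice type=traffic',
]

if __name__ == "__main__":
    # With an Error threshold only the critical and error lines are stored.
    for line in filter_log(SAMPLE_LOG, "error"):
        print(line)
    print(decode_log_id("0116080121"))
```

The comparison direction is the part that is easy to get backwards when writing a Syslog or FortiAnalyzer filter by hand: a lower number is more severe, so "equal to or exceeding the priority level" means a level number less than or equal to the threshold's.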


For a detailed description of each FortiWeb log message, see the FortiWeb Log Message Reference.

Table 120: Log message fields

Log message field | Description | Used with log type (Event, Attack, Traffic) | Sample content
Date | Displays the date that the log message was recorded. | x x x | 2010-11-28
Time | Displays the time that the log message was recorded. | x x x | 15:38:01
ID | Displays a 10-digit number that identifies the log message. The log message number consists of: the first two digits represent the log type; the second two digits represent the log subtype; the fifth digit is reserved for future use and is always set to 0 (zero); the last five digits are a static identifier assigned to each individual log message. | x x x | 0116080121
MSG ID | A unique 12-digit number assigned to each individual log message generated by the FortiWeb unit. | x x x | 000044866169
Type | Displays the type of log that occurred: event, attack or traffic. | x x x | event, attack, traffic
Subtype | Displays the log subtype, which provides additional information to identify the cause of the log message. | x x x | Subtype identifies the area in which activity occurred. Numerous subtypes are defined for events, protection rule violations (attacks) or traffic. For more information, see the FortiWeb Log Message Reference.
Level | Displays the log priority level (log level) associated with the situation for which the log message was created. | x x x | emergency, alert, critical, error, warning, notice, information, debug
Device ID | Displays the identification number of the device from which the log message originated. | x x x | FV-1AA2B34567890
Time Zone | Displays the timezone in which the device is located. | x x x | (GMT-5:00) Eastern Time (US & Canada)
User | Displays the login name of the user that performed the action that caused the event log to be created. | x | admin
User Interface | Displays the type of user interface used when the log was created. | x | GUI(10.0.0.22)
Action | Displays the action associated with the log. | x | login, monitor, backup, download, upgrade

ortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guideevision 10 315ttp://docs.fortinet.com/ • Feedback

Configuring log alert policies Logs and reports

Configuring log alert policiesTo stay aware of problems and track activities, you can configure log-based alerts in the form of system email, Syslog messages, and FortiAnalyzer messages, combined with email triggers.This section includes the following topics:• Configuring email policies• Configuring Syslog policies• Configuring FortiAnalyzer policies• Configuring trigger policies

Status Displays the result of the action. x alertsucceedfailure

Reason Displays the reason for the status. x name_invalid

Protocol The protocol used by the web traffic x x TCP

Service The IP network service that defines the TCP port number on which the virtual server receives traffic.

x x HTTPHTTPS

Source The web traffic source IP address. x x 10.0.0.0

Source Port The web traffic source port number. x x 3471

Destination The web traffic destination IP address. x x 10.0.0.1

Destination Port The web traffic destination port number. x x 8080

Policy The name of the policy in use when the log was created.

x x server policy name

HTTP method The http request method which are allowed to pass through the FortiWeb unit.

x get

URL The URL address for the HTTP request. x x /image/example

HTTP Host The host home page of the HTTP request. x x example.com

HTTP Agent The web browser used for the HTTP request. x x web_browser_information

HTTP Session ID The serial number of the session associated with the HTTP request (if known).

x 1ABC123ABC123unknown

Action The action that was specified within the policy. x x alertdenyreturn 403 errorredirect

Severity Level The severity level associated with an attack. Severity level is user-defined per violation.

x highmediumlow

Trigger Policy The name of the trigger policy used for email alerts and Syslog.

x trigger policy name

Message The detail message describing the reason that the log message was created.

x x x descriptive text

Table 120: Log message fields

Log message field

Description Used with log type:Event Attack Traffic

Sample content


Configuring email policies

Log&Report > Log Policy > Email Policy enables you to create policies that are used by protection rules to alert specific administrators or other personnel when an alert condition occurs, such as a system failure or network attack. An email policy includes email address information for selected recipients and it sets the frequency at which emails will be sent to those recipients.

The email policies are attached to FortiWeb protection policies that monitor for occurrences of certain violations. When the protection policy detects a violation, an alert email is distributed if the violation control conditions are met.

For example, you might configure a server protection rule to monitor for SQL-injection violations and take specific actions if those types of violations occur. The specific actions can include sending an alert email, in which case the email is sent to the individuals identified in the email policy attached to the trigger policy used for the SQL-injection violation. The trigger policy could also include recording the violation in Syslog or FortiAnalyzer according to the policies attached to the trigger policy used for the SQL violation. For more information on Syslog or FortiAnalyzer policies, see “Configuring Syslog policies” on page 319 and “Configuring FortiAnalyzer policies” on page 321.

The alert email policy also enables you to define the interval at which emails are sent if the same alert condition persists following the initial occurrence. For example, you might configure the FortiWeb unit to send only one alert message for each 15-minute interval after warning-level log messages begin to be recorded. In that case, if the alert condition continues to occur for 35 minutes after the first warning-level log message, the FortiWeb unit would send a total of three alert email messages, no matter how many warning-level log messages were recorded during that period of time. Intervals are configured separately for each severity level of log messages. For more information on the severity levels of log messages, see “Log priority levels” on page 314.

Before you can send alerts, you must enable alert email for the log type that you want to use as a trigger. For details, see “Enabling logging” on page 327.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see “About permissions” on page 80.

Table 121: Log&Report > Log Policy > Email Policy tab

Create New: Click to add a new email policy.

#: Displays the index number of the entry in the list.

Policy Name: Displays the name of the email policy.

Delete and Edit icons (no column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile. Click the Edit icon to modify the entry.
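The interval behaviour described above (one alert email per interval and per severity while the condition persists, messages below the policy's Log Level ignored), as an added example that is not part of the guide or FortiWeb's code: the level names and their ordering are the guide's, while the EmailPolicy class, its field names and the minute-based replay are assumptions for illustration.

```python
"""Per-severity alert email throttling, modelled on the interval rules
described in the guide. Added illustration, not FortiWeb code."""
from dataclasses import dataclass, field

# Log priority levels, highest severity first (the guide's ordering).
LEVELS = ["emergency", "alert", "critical", "error",
          "warning", "notice", "information", "debug"]


def meets_threshold(level: str, threshold: str) -> bool:
    """True if `level` is at least as severe as the policy's Log Level."""
    return LEVELS.index(level) <= LEVELS.index(threshold)


@dataclass
class EmailPolicy:
    """Assumed model of an email policy: a threshold plus one interval per level."""
    log_level: str                 # priority threshold that triggers alerting
    interval_minutes: dict         # minutes between alerts, keyed by level name
    _last_sent: dict = field(default_factory=dict)  # level -> time of last email

    def should_send(self, level: str, t_min: float) -> bool:
        """Decide whether a log message of `level` at minute t_min sends mail.

        The first qualifying message of a severity always sends; later ones of
        the same severity send only once a full interval has elapsed since the
        last email for that severity. Other severities are throttled separately.
        """
        if not meets_threshold(level, self.log_level):
            return False
        last = self._last_sent.get(level)
        if last is None or t_min - last >= self.interval_minutes[level]:
            self._last_sent[level] = t_min
            return True
        return False


def count_alert_emails(policy: EmailPolicy, messages) -> int:
    """Replay (minute, level) tuples in order; return how many emails go out."""
    return sum(1 for t, lvl in messages if policy.should_send(lvl, t))


def guide_example() -> int:
    """The guide's scenario: 15-minute interval, warning condition lasting 35 minutes.

    A warning-level message every minute from t=0 to t=35 (constructed input)
    yields three emails, at t=0, 15 and 30, however many messages were logged.
    """
    policy = EmailPolicy(log_level="warning",
                         interval_minutes={lvl: 15 for lvl in LEVELS})
    msgs = [(t, "warning") for t in range(0, 36)]
    return count_alert_emails(policy, msgs)
```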


To configure email policies

1 Go to Log&Report > Log Policy > Email Policy.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 Configure the following:

Policy Name: Type the name of the email policy. This field cannot be modified if you are editing an existing email policy. To modify the name, delete the entry, then recreate it using the new name.

SMTP server: Enter the fully qualified domain name (FQDN) or IP address of the SMTP relay or server that the FortiWeb unit will use to send alerts and generated reports.
Caution: If you enter a domain name, you must also configure the FortiWeb unit with at least one DNS server. Failure to configure a DNS server may cause the FortiWeb unit to be unable to resolve the domain name, and therefore unable to send the alert. For information on configuring use of a DNS server, see “Configuring the DNS settings” on page 58.

Email from: Enter the sender email address that the FortiWeb unit will use when sending alert email messages.

Email to: Enter one to three recipient email addresses, one per field.

Authentication: Enable to authenticate with the SMTP relay when sending alerts.

SMTP user: Enter the user name of the account on the SMTP relay that will be used to send alerts. This option is available only if Authentication is enabled.

Password: Enter the password of the account on the SMTP relay that will be used to send alerts. This option is available only if Authentication is enabled.

Apply & Test: Click to save the alert configuration and send a sample alert to the recipient.

Log Level: Select the priority threshold that log messages must meet or exceed in order to cause an alert. For more information on log levels, see “Log priority levels” on page 314.

Emergency: Enter the number of minutes between each alert if an alert condition of severity level Emergency continues to occur after the initial alert.

Alert: Enter the number of minutes between each alert if an alert condition of severity level Alert continues to occur after the initial alert.

Critical: Enter the number of minutes between each alert if an alert condition of severity level Critical continues to occur after the initial alert.

Error: Enter the number of minutes between each alert if an alert condition of severity level Error continues to occur after the initial alert.

Warning: Enter the number of minutes between each alert if an alert condition of severity level Warning continues to occur after the initial alert.

Notification: Enter the number of minutes between each alert if an alert condition of severity level Notification continues to occur after the initial alert.

Information: Enter the number of minutes between each alert if an alert condition of severity level Information continues to occur after the initial alert.

Debug: Enter the number of minutes between each alert if an alert condition of severity level Debug continues to occur after the initial alert.

4 Click OK. The FortiWeb unit saves the configuration and returns to the Email Policy tab.

Configuring Syslog policies

Log&Report > Log Policy > Syslog Policy enables you to create policies that are used by protection rules to store log messages remotely on a Syslog server. For example, once you create a Syslog policy, it can be used by a trigger policy, which in turn can be applied to a trigger action in a protection rule.

Before you can log remotely, you must enable alert email for the log type that you want to use as a trigger. For details, see “Enabling logging” on page 327.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see “About permissions” on page 80.

Note: Logs stored remotely cannot be viewed from the FortiWeb web-based manager. If you require the ability to view logs from the web-based manager, also enable local storage. For details, see “Enabling logging” on page 327.

Table 122: Log&Report > Log Policy > Syslog Policy tab

Create New: Click to add a new Syslog policy.

#: Displays the index number of the entry in the list.

Policy Name: Displays the name of the Syslog policy.

Delete and Edit icons (no column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile. Click the Edit icon to modify the entry.

To configure Syslog policies

1 Go to Log&Report > Log Policy > Syslog Policy.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 Configure the following:

Policy Name: Type the name of the Syslog policy. This field cannot be modified if you are editing an existing Syslog policy. To modify the name, delete the entry, then recreate it using the new name.

Name/IP: Enter the IP address of the remote Syslog server.

Port: Enter the listening port number of the Syslog server. The default is 514.

Enable CSV format: Enable to send log messages in comma-separated value (CSV) format.

4 Click OK.

5 To verify logging connectivity, from the FortiWeb unit, trigger a log message that matches the types and severity levels that you have chosen to store on the remote host. Then, on the remote host, confirm that it has received that log message. If the remote host does not receive the log messages, verify the FortiWeb unit’s network interfaces (see “Configuring the network and VLAN interfaces” on page 50) and static routes (see “Configuring static routes” on page 105), and the policies on any intermediary firewalls or routers. If ICMP ECHO (ping) is enabled on the remote host, try using the execute traceroute command to determine the point where connectivity fails. For details, see the FortiWeb CLI Reference.
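A receiver-side check for step 5 above that also decodes the 10-digit log ID structure from Table 120, as an added example that is not FortiWeb code: it waits for one datagram on the Syslog port (default 514), confirms the facility is the one configured for the FortiWeb unit, and splits the ID into type, subtype, reserved digit and static identifier. The `<PRI>` prefix decoding (facility*8 + severity) is standard RFC 3164 syslog; the key=value body layout, the field names (`log_id`, `type`, ...) and the sample datagram are assumptions for illustration, not FortiWeb's actual message format, which the FortiWeb Log Message Reference documents.

```python
"""Receive one syslog datagram and sanity-check a FortiWeb log message.
Added example; the key=value body layout below is an assumption."""
import re
import socket
from typing import NamedTuple, Optional

# Syslog severities 0..7 carry the same names and order as the guide's log levels.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "information", "debug"]


class LogId(NamedTuple):
    log_type: str    # first two digits
    subtype: str     # next two digits
    reserved: str    # fifth digit, always "0"
    static_id: str   # last five digits


def decode_log_id(log_id: str) -> LogId:
    """Split the 10-digit ID described in Table 120 (sample: 0116080121)."""
    if not re.fullmatch(r"\d{10}", log_id):
        raise ValueError(f"log ID must be 10 digits: {log_id!r}")
    parsed = LogId(log_id[0:2], log_id[2:4], log_id[4], log_id[5:10])
    if parsed.reserved != "0":
        raise ValueError(f"reserved digit is not 0: {log_id!r}")
    return parsed


_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def split_pri(datagram: str):
    """Return (facility, severity, rest) from a '<PRI>...' syslog datagram."""
    m = _PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 severities
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8, m.group(2)


def parse_kv(body: str) -> dict:
    """Parse key=value pairs; values may be double-quoted (assumed layout)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}


def check_message(datagram: str, expected_facility: int) -> dict:
    """Validate one datagram against the facility chosen in the Syslog settings.

    Raises ValueError when the facility differs (another device is using the
    same facility, or the FortiWeb policy is misconfigured) or the ID is malformed.
    """
    facility, severity, body = split_pri(datagram)
    if facility != expected_facility:
        raise ValueError(f"facility {facility} != expected {expected_facility}")
    fields = parse_kv(body)
    lid = decode_log_id(fields["log_id"])
    return {"facility": facility, "severity": SEVERITY_NAMES[severity],
            "type": fields.get("type"), "log_type_code": lid.log_type,
            "subtype_code": lid.subtype, "static_id": lid.static_id}


def receive_and_check(expected_facility: int, port: int = 514,
                      timeout_s: float = 30.0) -> Optional[dict]:
    """Wait for one UDP datagram on `port` (binding 514 needs privileges).

    Returns None on timeout, the connectivity failure that step 5 tells you to
    trace back to interfaces, static routes and intermediary firewalls.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout_s)
        try:
            data, _peer = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return check_message(data.decode("utf-8", errors="replace"), expected_facility)


# Constructed sample datagram (not a real FortiWeb message): facility local7 (23),
# severity 4 (warning), so PRI = 23*8 + 4 = 188. Field values are the guide's samples.
SAMPLE = ('<188>date=2010-11-28 time=15:38:01 log_id=0116080121 '
          'msg_id=000044866169 type=event subtype=system '
          'msg="constructed sample message"')
```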


Configuring FortiAnalyzer policies

Log&Report > Log Policy > FortiAnalyzer Policy enables you to create policies that are used by protection rules to store log messages remotely on a FortiAnalyzer unit. For example, once you create a FortiAnalyzer policy, it can be used by a trigger policy, which in turn can be applied to a trigger action in a protection rule.

Before you can log remotely, you must enable alert email for the log type that you want to use as a trigger. For details, see “Enabling logging” on page 327.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see “About permissions” on page 80.

Note: Logs stored remotely cannot be viewed from the web-based manager of the FortiWeb unit. If you require the ability to view logs from the web-based manager, also enable local storage. For details, see “Enabling logging” on page 327.

Table 123: Log&Report > Log Policy > FortiAnalyzer Policy tab

Create New: Click to add a new FortiAnalyzer policy.

#: Displays the index number of the entry in the list.

Policy Name: Displays the name of the FortiAnalyzer policy.

Delete and Edit icons (no column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile. Click the Edit icon to modify the entry.

To configure FortiAnalyzer policies

1 Go to Log&Report > Log Policy > FortiAnalyzer Policy.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 Configure the following:

Policy Name: Type the name of the FortiAnalyzer policy. This field cannot be modified if you are editing an existing FortiAnalyzer policy. To modify the name, delete the entry, then recreate it using the new name.

IP Address: Enter the IP address of the remote FortiAnalyzer unit.

4 Click OK.

5 Confirm with the FortiAnalyzer administrator that the FortiWeb unit has been added to the FortiAnalyzer unit’s device list, allocated sufficient disk space quota, and assigned permission to transmit logs to the FortiAnalyzer unit. For details, see the FortiAnalyzer Administration Guide.

6 To verify logging connectivity, from the FortiWeb unit, trigger a log message that matches the types and severity levels that you have chosen to store on the remote host. Then, on the remote host, confirm that it has received that log message. If the remote host does not receive the log messages, verify the FortiWeb unit’s network interfaces (see “Configuring the network and VLAN interfaces” on page 50) and static routes (see “Configuring static routes” on page 105), and the policies on any intermediary firewalls or routers. If ICMP ECHO (ping) is enabled on the remote host, try using the execute traceroute command to determine the point where connectivity fails. For details, see the FortiWeb CLI Reference.

Configuring trigger policies

Log&Report > Log Policy > Trigger Policy enables you to create policies that are used by protection rules to trigger alert emails and to generate Syslog and FortiAnalyzer records. For example, if you create a trigger policy that uses an email policy and a Syslog policy, that trigger policy can be applied as a trigger action to specific violations in a protection rule. Alert email and Syslog records will be created according to the trigger policy when a rule violation occurs.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see “About permissions” on page 80.

Table 124: Log&Report > Log Policy > Trigger Policy tab

Create New: Click to add a new trigger policy.

#: Displays the index number of the entry in the list.

Policy Name: Displays the name of the trigger policy.

Delete and Edit icons (no column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile. Click the Edit icon to modify the entry.

To configure trigger policies

1 Go to Log&Report > Log Policy > Trigger Policy.


2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 Configure the following:

Policy Name: Type the name of the trigger policy. This field cannot be modified if you are editing an existing trigger policy. To modify the name, delete the entry, then recreate it using the new name.

Email Policy: Select the email policy that you want to associate with the trigger action policy. This email policy will be used by all protection rule violations when applied to the protection rule trigger action.

Syslog Policy: Select the Syslog policy that you want to associate with the trigger action policy. This Syslog policy will be used by all protection rule violations when applied to the protection rule trigger action.

FortiAnalyzer Policy: Select the FortiAnalyzer policy that you want to associate with the trigger action policy. This FortiAnalyzer policy will be used by all protection rule violations when applied to the protection rule trigger action.

4 Click OK.

Configuring and enabling logging

To diagnose problems or track actions that the FortiWeb unit performs as it receives and processes traffic, configure the FortiWeb unit to record log messages.

You can configure the FortiWeb unit to store log messages locally (that is, in RAM or to the hard disk), remotely (that is, on a Syslog server or FortiAnalyzer unit), or both. Your choice of storage location may be affected by several factors, including the following.
• Rebooting the FortiWeb unit clears logs stored in memory.
• Logging only locally may not satisfy your requirements for off-site log storage.
• Attack logs and traffic logs cannot be logged to local memory.
• Very frequent logging may cause undue wear when stored on the local hard drive. A low severity threshold is one possible cause of frequent logging. For more information on severity levels, see “Log priority levels” on page 314.
• Very frequent logging, such as when the severity level is low, may rapidly consume all available log space when stored in memory. If the available space is consumed, and if the FortiWeb unit is configured to do so, it may store any new log message by overwriting the oldest log message. For high traffic volumes, this may occur so rapidly that you cannot view old log messages before they are replaced. For more information on severity levels, see “Log priority levels” on page 314.
• Usually, fewer log messages can be stored in memory. Logging to a Syslog server or FortiAnalyzer unit may provide you with additional log storage space.

For information on viewing locally stored log messages, see “Viewing log messages” on page 331.

This section includes the following topics:
• Configuring global log settings
• Enabling logging
• Obscuring sensitive data in the logs

Configuring global log settings

Log&Report > Log Config > Global Log Settings displays the settings used to store log information and alert users that logs have occurred. Depending on the type of log, log messages can be stored on the local hard disk, in local memory, on a Syslog server or on a FortiAnalyzer unit, as shown in Table 125.

Use alert emails to notify users when problems occur. Distribution of alert emails is managed through email policies that define who receives the alert emails and the frequency at which the alert emails are sent.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see “About permissions” on page 80.

Table 125: Log storage

Storage area     Event logs   Traffic logs   Attack logs
Local disk       yes          yes            yes
Local memory     yes          no             no
Syslog server    yes          yes            yes
FortiAnalyzer    yes          yes            yes

Caution: Avoid recording highly frequent log types such as traffic logs to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

To configure log settings

1 Go to Log&Report > Log Config > Global Log Settings.

2 Configure the following:

Table 126: Global Log Settings

Disk: Enable to record log messages to the local hard disk on the FortiWeb unit.
If the FortiWeb unit is logging to its hard disk, you can use the web-based manager to view log messages that are stored locally on the FortiWeb unit. For details, see “Viewing log messages” on page 331.
Before you can log to the hard disk, you must first enable logging. For details, see “Enabling logging” on page 327. For logging accuracy, you should also verify that the FortiWeb unit’s system time is accurate. For details, see “Configuring system time” on page 100.
Expand the disk storage configuration to display additional options:
• Log Level: Select the severity level that a log message must equal or exceed in order to be recorded to this storage location.
Caution: Avoid recording log messages using low severity thresholds such as information or notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure. For information about severity levels, see “Log priority levels” on page 314.
• When log disk is full: Select what the FortiWeb unit will do when the local disk is full and a new log message occurs, either:
  Do not log: discards the new log message.
  Overwrite oldest logs: deletes the oldest log file in order to free disk space, and stores the new log message.
• Log rolling settings: Enter the maximum file size of the current log file. When a log file reaches the size limit, the FortiWeb unit will rotate the current log file: that is, it renames the current log file (elog.log) with a file name indicating its sequential relationship to other log files of that type (elog2.log, and so on), then creates a new current log file. The log file size limit must be between 10 MB and 1,000 MB.


Memory: Enable to record log messages in the local random access memory (RAM) of the FortiWeb unit.
Note: Only event logs can be stored in the local memory. Attack and traffic logs cannot be stored in memory.
If the FortiWeb unit is logging to memory, you can use the web-based manager to view log messages that are stored locally on the FortiWeb unit. For details, see “Viewing log messages” on page 331.
Caution: Log messages stored in memory should not be regarded as permanent. All log entries stored in memory are cleared when the FortiWeb unit restarts. When available memory space for log messages is full, the FortiWeb unit will store any new log message by overwriting the oldest log message.
Before you can record event logs to the local memory, you must first enable logging. For details, see “Enabling logging” on page 327. For logging accuracy, you should also verify that the FortiWeb unit’s system time is accurate. For details, see “Configuring system time” on page 100.
Expand the memory storage configuration to display additional options:
• Log Level: Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see “Log priority levels” on page 314.

Syslog: Enable to store log messages remotely, on a Syslog server.
Warning: Enabling Syslog could result in excessive log messages being recorded in Syslog. Syslog entries are controlled by Syslog policies and trigger actions associated with various types of violations. If the Syslog option is enabled, but a trigger action has not been selected for a specific type of violation, every occurrence of that violation will be recorded in Syslog and transmitted to the Syslog server. For more information, see “Responding to web protection rule violations” on page 191.
Note: Logs stored remotely cannot be viewed from the FortiWeb web-based manager. Before you can store logs on a remote location you must first enable logging. For details, see “Enabling logging” on page 327. For logging accuracy, you should also verify that the FortiWeb unit’s system time is accurate. For details, see “Configuring system time” on page 100.
Expand the Syslog storage configuration to display additional options:
• Syslog Policy: Select the policy to use when storing log information remotely. The Syslog policy includes the address information for the remote Syslog server. For more information, see “Configuring Syslog policies” on page 319.
• Log Level: Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see “Log priority levels” on page 314.
• Facility: Select the facility identifier that the FortiWeb unit will use to identify itself when sending log messages to the first Syslog server. To easily identify log messages from the FortiWeb unit when they are stored on the Syslog server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.


FortiAnalyzer: Enable to store log messages remotely, on a FortiAnalyzer unit.
Warning: Enabling FortiAnalyzer could result in excessive log messages being recorded in FortiAnalyzer. FortiAnalyzer entries are controlled by FortiAnalyzer policies and trigger actions associated with various types of violations. If the FortiAnalyzer option is enabled, but a trigger action has not been selected for a specific type of violation, every occurrence of that violation will be recorded in FortiAnalyzer. For more information, see “Responding to web protection rule violations” on page 191.
Note: Logs stored remotely cannot be viewed from the FortiWeb web-based manager. Before you can store logs on a remote location you must first enable logging. For details, see “Enabling logging” on page 327. For logging accuracy, you should also verify that the FortiWeb unit’s system time is accurate. For details, see “Configuring system time” on page 100.
Expand the FortiAnalyzer storage configuration to display additional options:
• FortiAnalyzer Policy: Select the policy to use when storing log information remotely. The FortiAnalyzer policy includes the address information for the remote FortiAnalyzer unit. For more information, see “Configuring FortiAnalyzer policies” on page 321.
• Log Level: Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see “Log priority levels” on page 314.

Alert Mail: Enable to generate alert email when log messages are created.
Warning: Enabling Alert Email could result in excessive alert email. Distribution of alert emails is controlled by email policies and trigger actions associated with various types of violations. If the Alert Mail option is enabled, but a trigger action has not been selected for a specific type of violation, every occurrence of that violation will result in an alert email to the individuals associated with the policy selected in the Email Policy field. For more information, see “Responding to web protection rule violations” on page 191.
Expand the Alert Mail configuration to display additional options:
• Email Policy: Select the email policy to use for alert emails. For more information, see “Configuring email policies” on page 317.
Alert Mail is not available for the traffic logs.

3 Click Apply.

Enabling logging

Log&Report > Log Config > Other Log Settings allows you to enable or disable logging for each log type. For more information on log types, see “Log types” on page 314.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see “About permissions” on page 80.

To enable logging

1 Go to Log&Report > Log Config > Other Log Settings.


2 Enable one or more of the following:

Table 127: Configuring Other Log Settings

Enable Attack Log: Enable to log violations of attack policies, such as server protection rules.

Retain Packet Payload For: Under Retain Packet Payload For, mark the corresponding check box for each of the attack types or validation failures that are detected using a regular expression, such as XSS Attack Detection or Parameter Rule Violation, if you want to retain the offending packet payload with its log message. Packet retention is enabled by default for all message types, except custom signature detection.
Packet payloads supplement the log message by providing the actual data that triggered the regular expression, which may help you to fine-tune your regular expressions to prevent false positives, or to examine changes to attack behavior for subsequent forensic analysis.
The FortiWeb unit retains only the first 4 KB of data from the offending HTTP request payload that triggered the log message.
Packet payloads are accessible from the Packet Log column when viewing an attack log using the web-based manager. For details, see “Viewing log messages” on page 331.
If packet payloads could contain sensitive information, you may need to obscure those elements. For details, see “Obscuring sensitive data in the logs” on page 329.

Enable Event Log: Enable to log system events, such as user activity or rebooting the FortiWeb unit.


Persistent Server Session Threshold: Select a threshold level that will trigger an event log when the actual number of persistent server sessions reaches the defined percentage (50% to 90%) of the total number of persistent server sessions allowed for the FortiWeb unit. The default setting is 80%.
For example, if Persistent Server Session Threshold is set to 50%, and the allowed number of persistent server sessions is 15,000, an event log is triggered when the actual number of persistent sessions reaches 50% of the allowed number, or 7,500 persistent server sessions.
For more information on the total persistent server sessions, see “Appendix B: Maximum values” on page 397.

Enable Traffic Log: Enable to log traffic events such as HTTP requests and responses, and the expiration of HTTP sessions. If you do not need traffic data, disable this feature to increase system performance.

Enable Packet Log: If you want to retain regular traffic packet payloads, mark Enable Packet Log. Unlike attack packet payloads, only request direction traffic packets are retained, and only the first 4 KB of the payload if it is larger.
Note: Retaining traffic packet payloads is resource intensive. Only enable this option when absolutely necessary.
Packet payloads are accessible from the Packet Log column when viewing a log using the web-based manager. For details, see “Viewing packet log details” on page 336.

3 Click Apply.

Obscuring sensitive data in the logs

If enabled to do so, a FortiWeb unit will hide some predefined data types, including user names and passwords, that could appear in the packet payloads accompanying a log message. You can also define your own sensitive data types, such as ages or other identifying numbers, using regular expressions.

Note: Sensitive data definitions are not retroactive. They will hide strings in subsequent log messages, but will not affect existing ones.

To exclude custom sensitive data from log packet payloads

1 Go to Log&Report > Log Config > Log Custom Sensitive Rule.

2 On the right side of the tab, select one or both of the following:
• Enable Predefined Rules: Use the predefined credit card number and password data types.
• Enable Custom Rules: Use your own regular expressions to define sensitive data.

3 Click Create New. A dialog appears.

DeleteEdit


4 Give the rule a name.

5 Select either General Mask (a regular expression that will match any substring in the packet payload) or Field Mask (a regular expression that will match only the value of a specific form input).
• In the field next to General Mask, type a regular expression that matches all the strings or numbers that you want to obscure in the packet payloads. For example, to hide a parameter that contains the age of users under 14, you could enter:

age\=(1[0-3]|[0-9])

Valid expressions must not start with an asterisk ( * ). The maximum length is 21 characters.
• For Field Mask, in the left-hand field (Field Name), type a regular expression that matches all and only the input names whose values you want to obscure. (The input name itself will not be obscured. If you wish to do this, use General Mask instead.) Then, in the right-hand field (Field Value), type a regular expression that matches all input values that you want to obscure. Valid expressions must not start with an asterisk ( * ). The maximum length is 22 characters. For example, to hide a parameter that contains the age of users under 14, for Field Name you would enter age, and for Field Value you could enter (1[0-3]|[0-9]).

Caution: Field masks using asterisks are greedy: a match for the parameter’s value will obscure it, but will also obscure the rest of the parameters in the line. To avoid this, enter an expression whose match terminates with, but does not consume, the parameter separator.

For example, if parameters are separated with an ampersand ( & ), and you want to obscure the value of the Field Name username but not any of the parameters that follow it, you could enter the Field Value:

.*?(?=\&)

This would result in:

username****&age=13&origurl=%2Flogin


6 Click OK. The expression appears in the list of regular expressions that define sensitive data that will be obscured in the logs. When viewing new log messages, data types matching your expression will be replaced with a string of * characters equal in length to the sensitive data.
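As an added example, not taken from the FortiWeb guide or from the product itself, the following Python script models the General Mask and Field Mask behaviour described in steps 5 and 6 and the greedy-match caution: matches are replaced by * characters of equal length, and a Field Value of .* swallows every parameter after the one you meant to hide, while .*?(?=&) stops at the separator. The payload and the masking functions are constructed for this illustration.

```python
import re

# Constructed sample packet payload (a form-encoded request body); it is
# not a real FortiWeb packet log.
SAMPLE_PAYLOAD = "username=bob&age=13&origurl=%2Flogin&password=hunter2"


def obscure(text):
    """Replace sensitive data with a string of * characters of equal length,
    so the log still shows how long the hidden value was."""
    return "*" * len(text)


def general_mask(payload, pattern):
    """General Mask: every substring of the payload that matches pattern is
    obscured, parameter name included if the pattern covers it."""
    return re.sub(pattern, lambda m: obscure(m.group(0)), payload)


def field_mask(payload, field_name, field_value):
    """Field Mask: only the value of parameters whose name matches field_name
    and whose value matches field_value is obscured; the name and '=' stay.
    (?<![^&]) anchors the name at the start of the payload or right after the
    '&' separator, so that 'age' does not match inside 'page'."""
    rule = re.compile(r"(?<![^&])(?P<name>" + field_name + r")=(?P<value>"
                      + field_value + r")")
    return rule.sub(lambda m: m.group("name") + "=" + obscure(m.group("value")),
                    payload)


def mask_all(payload, general_rules=(), field_rules=()):
    """Apply general masks, then field masks, in order, as a payload would be
    filtered before it is written to the attack log (assumed order)."""
    for pattern in general_rules:
        payload = general_mask(payload, pattern)
    for name, value in field_rules:
        payload = field_mask(payload, name, value)
    return payload


if __name__ == "__main__":
    # Greedy value pattern: hides 'bob' but also every parameter after it.
    print(field_mask(SAMPLE_PAYLOAD, "username", r".*"))
    # Lazy pattern with a lookahead: stops before '&' without consuming it.
    print(field_mask(SAMPLE_PAYLOAD, "username", r".*?(?=&)"))
    # (?=&|$) also covers the last parameter, which has no trailing '&'.
    print(mask_all(SAMPLE_PAYLOAD,
                   general_rules=[r"age\=(1[0-3]|[0-9])"],
                   field_rules=[("username", r".*?(?=&)"),
                                ("password", r".*?(?=&|$)")]))
```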

Tip: To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

Viewing log messages

If you have configured the FortiWeb unit to store log messages locally (that is, to memory or the hard disk), you can view the log messages currently stored in each file. Log messages are in human-readable format, where each log’s name, such as Source (src in Raw view), indicates its contents. Exceptions include the attack log’s Message (msg) field, which contains a code such as DETECT_PARAM_RULE_FAILED that indicates which feature detected the attack. For each feature’s attack detection code, see the feature’s description located in applicable chapters of this Administration Guide.

When viewing log messages, you can customize aspects of the display to focus on log messages and fields that match your criteria. For more information, see “Customizing the log view” on page 337. For attack logs and traffic logs, you can view detailed information about each log and the packet payload. For more information, see “Viewing log message details” on page 335. For attack logs, you can perform a quick or advanced search for specific logs. For more information, see “Searching attack logs” on page 341. The logs associated with attacks that are blocked by FortiWeb are highlighted to distinguish them from other attacks that are not blocked.

This section includes the following topics:
• Selecting a log type to view
• Viewing log message details
• Viewing packet log details
• Customizing the log view
• Searching attack logs

Note: Not all detected attacks may be blocked, redirected, or sanitized.

For example, while using auto-learning, you can configure protection profiles with an action of Alert (log but not deny), allowing the connection to complete in order to gather full auto-learning data.

To determine whether or not an attack attempt was permitted to reach a web server, show the Action column. For details, see “Displaying and arranging log columns” on page 338.


Selecting a log type to view

Log&Report > Log Access enables you to select the type of log message to view, if log messages are stored locally on the hard disk or in the local random access memory (RAM) of the FortiWeb unit.

To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see “About permissions” on page 80.

Table 128: Log&Report > Log Access > Event tab

Note: In addition to locally stored log messages, event log messages and attack log messages can also be viewed in the system status dashboard. For more information, see “Viewing system status” on page 41.


Note: The columns and type of information displayed depends on which log type tab is selected.

GUI item Description

Data Source (not shown) Visible only when the Event tab is selected. Data Source enables you to view event logs that are stored in the FortiWeb unit’s random access memory (RAM), or event log files stored on the FortiWeb unit’s hard disk. Select either Memory to display the most recent logs stored in the FortiWeb unit’s memory, or Disk to display a list of the historical log files that are stored on the FortiWeb unit’s hard disk. For information on configuring event log storage location, see “Configuring global log settings” on page 324. FortiWeb always stores attack and traffic logs on disk, so there is no data source selection on the Attack or Traffic tabs.

Previous page Click to view the previous page.

Next page Click to view the next page.

View n per page Click the black arrow to change the number of rows of log entries to display per page.

Line Enter a log entry number, then press Enter to go to that entry. The number following the slash ( / ) is the total number of entries in the log file.

Column Settings Click this icon to display or hide the columns that correspond to log fields, or change the order in which they appear on the page. For more information, see “Displaying and arranging log columns” on page 338.


To view log messages

1 Go to Log&Report > Log Access.

2 Click the tab corresponding to the type of log file that you want to view (Event, Attack, or Traffic).
• For Attack logs, go to step 3
• For Event logs, go to step 6
• For Traffic logs, go to step 10
For more information on log types, see “Log types” on page 314.

3 To view Attack logs, select Log&Report > Log Access > Attack. Log messages associated with attacks that have been blocked by FortiWeb are highlighted to distinguish them from other attacks that are not blocked.

4 If you want to view the historical attack log files that are stored on local hard disk, select the Log Management link at the top-right of the attack log list.

5 Go to step .

Raw or Formatted These icons let you toggle between a Raw and Formatted view of the log information. The raw view displays the log message as it actually appears in the log file. The formatted view displays the log message in a columnar format. Click to switch to the view opposite to the one currently displayed. For details on both view types, see “Customizing the log view” on page 337.

Clear All Filters Click this icon to clear all log view filters. For details on log view filters, see “Filtering log messages” on page 339.

Log Message Aggregation Visible only when the Attack tab is selected. Enables you to view only the attack logs associated with specific categories, including: HTTP Host, URL, Source IP or Subtype. For more information, see “Grouping similar attack log messages” on page 340.

Log Search Visible only when the Attack tab is selected. Enables you to perform searches for attack logs using advanced search criteria. For more information, see “Searching attack logs” on page 341.

Refresh Visible only when the Attack tab is selected. Enables you to update the attack log list by adding any new logs that were created since the log list was opened.

Tip: If there are no traffic logs, verify that you have enabled Session Management in the profiles whose traffic you want to log.


6 To view Event log messages, select Log&Report > Log Access > Event. For Event logs only, you can select the log data storage location (disk or memory) and then select from which data source location you want to view the log information. For more information on configuring the FortiWeb unit to store log messages locally, see “Configuring and enabling logging” on page 323.

7 To view event log messages stored in local random access memory (RAM), select Memory as the Data Source.

8 If you want to view historical event log files stored on the local hard disk, select Disk as the Data Source.

9 Go to step .

10 To view Traffic logs, select Log&Report > Log Access > Traffic.

Note: Only event logs are stored in local memory. Attack and traffic logs are stored on disk.


11 If you want to view the historical traffic log files that are stored on local hard disk, select the Log Management link at the top-right of the traffic log list. Historical log files are stored on the local hard disk. You can view the log messages associated with any historical log file, download the entire log file or clear the log file from the disk.

12 Click one of:
• View to display all log messages associated with a specific log file.
• Download to download the log file to your management computer, then select either Normal format (raw, plain text logs) or CSV format (comma-separated value). If you would like to password-encrypt the log files before downloading them, enable Encryption and type a password in Password. Click OK to begin the download to your management computer. Raw, unencrypted logs can be viewed with a plain text editor. CSV-formatted, unencrypted logs can be viewed with a spreadsheet application, such as Microsoft Excel or OpenOffice Calc.
• Clear to remove the log file from the local hard disk.

13 If you want to download log messages that were generated within a specific date range, select the Download tab. For more information, see “Downloading log messages” on page 343.

Viewing log message details

When viewing attack log messages or traffic log messages, you can view detailed information about each message directly within the web-based manager window. You can then use this detailed information to create new protection exceptions based on an attack log entry.


Table 129: Viewing log message details

GUI item Description

Detail icon This item is available only when accessing attack and traffic logs. There are no details associated with event logs. Select Detail to display all recorded information about a specific log stored in the FortiWeb unit’s hard disk. To download the log information, see “Viewing log messages” on page 331.

Detail display area Provides detailed information about the selected log message.

Viewing packet log details

If you have enabled retention of attack and traffic logs in log configuration, you can view detailed information about each packet log directly within the web-based manager window. Packet logs display decoded packet payload information. This information supplements the log message by providing the actual data that triggered the regular expression, which may help you to fine-tune your regular expressions to prevent false positives, or aid in forensic analysis. For information on enabling attack and traffic logs, see “Enabling logging” on page 327.


Table 130: Viewing Packet Log details

GUI item Description

Packet Log This icon is available only when accessing event and traffic logs. Select Packet Log to display all recorded information about the packet payload for a specific log stored in the FortiWeb unit’s hard disk. To download the log information, see “Viewing log messages” on page 331.

Packet Log display area Provides detailed packet information about the selected log message.

Customizing the log view

Log messages can be displayed in either raw or formatted view:
• Raw view displays log messages exactly as they appear in the log file.
• Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages, for rapid visual comparison.
When displaying log messages in formatted view, you can customize the log view by hiding, displaying and arranging columns and/or by filtering columns, refining your view to include only those log messages and fields that you want to see.

To display logs in raw or formatted view

1 Go to the tab corresponding to the type of log file that you want to view, such as Log&Report > Log Access > Event.

2 Click the Formatted or Raw icon, depending on which log information view is currently displayed. If you click the Formatted icon, options appear that enable you to display and arrange log columns and/or filter log columns.

Figure 42: Viewing log messages (formatted)


Figure 43: Viewing log messages (raw)

Displaying and arranging log columns

When viewing logs in Formatted view, you can display, hide and re-order columns to display only relevant categories of information in your preferred order. For most columns, you can also filter data within the columns to include or exclude log messages which contain your specified text in that column. For more information, see “Filtering log messages” on page 339.

Figure 44: Displaying and arranging log columns

To display or hide columns

1 Go to the tab corresponding to the type of log file that you want to view, such as Log&Report > Log Access > Event.

2 Click the Column Settings icon. Lists of available and displayed columns for the log type appear.

3 Select which columns to hide or display:

• In the Available fields area, select the names of individual columns you want to display, then click the single right arrow to move them to the Show these fields in this order area.

• In the Show these fields in this order area, select the names of individual columns you want to hide, then click the single left arrow to move them to the Available fields area.

4 Click OK.

To change the order of the columns

1 Go to the tab corresponding to the type of log file that you want to view, such as Log&Report > Log Access > Event.

2 Click the Column Settings icon. Lists of available and displayed columns for the log type appear.


3 In the Show these fields in this order area, select a column name whose order of appearance you want to change.

4 Click Move Up or Move Down to move the column in the ordered list. Placing a column name towards the top of the Show these fields in this order list will move the column to the left side of the Formatted log view.

5 Click OK.

Filtering log messages

When viewing log messages in formatted view, you can filter columns to display only those log messages that do or do not contain your specified content in that column. By default, most column headings contain a gray filter icon, which becomes green when a filter is configured and enabled.

Figure 45: Filter icons

To filter log messages by column contents

1 In the heading of the column that you want to filter, click the Filter icon. The applicable filter window appears.

2 If you want to exclude log messages with matching content in this column, mark the check box named NOT. If you want to include log messages with matching content in this column, clear the check box named NOT.

3 Enter the value that matching log messages must contain. The value type varies with the filter you select, such as date values, time values, and so on. Matching log messages will be excluded or included in your view based upon whether you have marked or cleared NOT.

4 For date and time filters, you can specify a range. Select the From and To check boxes and enter a value in the associated field.

5 Click OK. A column’s filter icon is green when the filter is currently enabled.

To clear a filter

1 In the heading of the column whose filter you want to clear, click the Filter icon. The filter window appears. A column’s filter icon is green when the filter is currently enabled.

Note: Filters do not appear in Raw view.


2 To disable the filter on this column, click Clear Filter. Alternatively, to clear the filters on all columns, click the Clear All Filters icon.

3 Click OK. A column’s filter icon is gray when the filter is currently disabled.

Grouping similar attack log messages

When viewing attack log messages, especially if there are many attacks of the same kind, to the same URL, or to the same web host, you may find it easier to view the log messages when these log messages are grouped by one of those similarities, rather than by sequential order. This action is called log message aggregation.

To group similar attack log messages

1 Go to Log&Report > Log Access > Attack.

2 Click the Log Message Aggregation icon. A dialog appears.

Figure 46: Selecting the log message grouping type

3 In Available fields, select which aspect you want to use when grouping the log messages, then click the right arrow to move it to the Aggregate log by these fields area.

4 Click OK. Attack log messages are no longer in sequential order, but are instead grouped by the similar aspect you selected. To view log messages in a group, click the arrow in that column to expand the set.

Figure 47: Attack log messages viewed when grouped by attack subtype

See “Aggregate attack types” on page 34 for example uses of aggregation.


Searching attack logs

When viewing attack logs, you may find it easier to locate a specific log using the attack log search function. You can perform an attack log quick search or an advanced search.

Figure 48: Initiating an attack log search

Table 131: Setting up an attack log search

GUI item Description

Quick search keywords Enter the keywords you want to search for. These keywords will be used for a quick search or an advanced search. You can enter one keyword or multiple keywords. If a keyword consists of multiple words separated by a space, use quotation marks (“ ”) to encapsulate the words as one keyword. If quotation marks are not used, the search will treat each word as an individual keyword. A quick search returns all results that include the specified keyword. For example, entering allow as a keyword will provide results such as: allow_host and waf_allow_method.

Quick log search Select the Log Search icon to initiate a quick search for the specified keywords. A quick search is very broad, searching for the keyword in attack log fields, including: subtype, source, destination, source port, destination port, HTTP method, action, policy, service, HTTP host, URL and message. To obtain more precise search results, use the Advanced search option.

Advanced Search Select Advanced Search to open the Search Dialog. Click the blue expand arrow to see all the criteria parameters. An advanced search enables you to search for precise terms. It provides results for exact keyword matches, and allows you to search for terms within specific fields of an attack log, including: time and date, sub type, source, destination, source port, destination port, HTTP method, action, policy, service and HTTP host.

Generate Log Detail PDF Displayed only after a search is complete. Select to generate a PDF file with details of the selected attack logs. You can generate PDF only for attack logs shown on the current page (maximum of 30 per page). Once the PDF is generated for the current page, if required, proceed to the next pages and select additional logs for PDF generation.

Reset search Select to clear the quick search keyword field.

Back Select to return to the full list of attack logs.

Search results Displays the list of the attack logs that match the search parameters.


To search for an attack log

1 At the top of the Attack log window, click the Log Search icon.

2 To perform a quick search, go to step 3. To perform an advanced search, go to step 5.

3 Enter the term you want to search in the Keyword box.

4 Select the Log Search icon to initiate the quick search. Continue with step 9.

5 Select Advanced Search to open the Search Dialog.

6 Click the blue arrow to expand the list of search parameters.

7 Enter the advanced search parameters:

GUI item Description

Keyword(s) Keywords are optional for an advanced search. Enter the exact keywords you want to search for. Unlike a quick search, an advanced search returns only the results that exactly match the specified keywords. For example, entering allow as a keyword will not provide results such as allow_host and waf_allow_method. You must enter the exact terms. If a keyword consists of multiple words separated by a space, use quotation marks (“ ”) to encapsulate the words as one keyword. If quotation marks are not used, the search will treat each word as an individual keyword. Note: If you entered keywords in the quick search field before opening the advanced Search Dialog, those keywords are retained when the dialog opens, and will be used as part of the parameters for the advanced search. Remove the keyword if it does not apply to your advanced search.


8 Select OK to initiate the search.

9 The results that match the given search criteria appear in the Search Results.

10 To generate a detailed report of the attack log search results in PDF format, select the Generate Log Detail PDF icon.

11 Select Back to return to the full list of attack logs.
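As an added example, not from the guide or from FortiWeb itself, the following Python models the search semantics described in this section: a quick search is a substring match over the listed attack log fields, while an advanced search requires an exact keyword match and combines per-field terms with all/any and not, within a date and time range. The raw-format log lines are constructed, and every field name other than src and msg is assumed for this example.

```python
import re
from datetime import datetime

# Constructed raw-view attack log lines; field names other than src and msg,
# and all values, are assumed for this example and are not real FortiWeb output.
RAW_LOGS = [
    'date=2011-06-16 time=09:58:12 subtype=waf_allow_method src=10.0.0.5 sport=51022 '
    'dst=192.0.2.10 dport=80 http_method=TRACE action=Alert policy=shop_policy '
    'service=HTTP http_host=shop.example.com url=/login msg="HTTP method not allowed (constructed)"',
    'date=2011-06-16 time=10:15:01 subtype=parameter_rule src=10.0.0.5 sport=51077 '
    'dst=192.0.2.10 dport=80 http_method=POST action=Deny policy=shop_policy '
    'service=HTTP http_host=shop.example.com url=/cart msg="DETECT_PARAM_RULE_FAILED"',
    'date=2011-06-17 time=03:02:44 subtype=allow_host src=198.51.100.7 sport=40110 '
    'dst=192.0.2.10 dport=443 http_method=GET action=Deny policy=admin_policy '
    'service=HTTPS http_host=admin.example.com url=/ msg="Host not allowed (constructed)"',
]

# The fields a quick search scans (the list given in the guide), mapped onto
# the assumed raw field names above.
QUICK_SEARCH_FIELDS = ("subtype", "src", "dst", "sport", "dport", "http_method",
                       "action", "policy", "service", "http_host", "url", "msg")

# key=value pairs; a value is either a quoted string or a run of non-blanks.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_raw(line):
    """Split a raw-view log line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def log_time(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def quick_search(records, keyword):
    """Quick search: substring match in any searchable field, so 'allow' finds
    both 'waf_allow_method' and 'allow_host'."""
    return [r for r in records
            if any(keyword in r.get(f, "") for f in QUICK_SEARCH_FIELDS)]


def advanced_search(records, keywords=(), match="all", criteria=None,
                    start=None, end=None):
    """Advanced search: each keyword must equal a whole field value; criteria is
    {field: (term, negate)} combined with all/any, negate being the field's Not
    box; start/end are 'YYYY-MM-DD HH:MM:SS' strings bounding the log time."""
    criteria = criteria or {}
    combine = all if match == "all" else any
    fmt = "%Y-%m-%d %H:%M:%S"
    lo = datetime.strptime(start, fmt) if start else None
    hi = datetime.strptime(end, fmt) if end else None
    hits = []
    for r in records:
        t = log_time(r)
        if (lo and t < lo) or (hi and t > hi):
            continue
        if not all(any(v == kw for v in r.values()) for kw in keywords):
            continue
        checks = [(r.get(field) == term) != negate
                  for field, (term, negate) in criteria.items()]
        if checks and not combine(checks):
            continue
        hits.append(r)
    return hits


RECORDS = [parse_raw(line) for line in RAW_LOGS]

if __name__ == "__main__":
    print(len(quick_search(RECORDS, "allow")), "quick-search hits for 'allow'")
    print(len(advanced_search(RECORDS, keywords=["allow"])), "exact hits for 'allow'")
    print([r["url"] for r in advanced_search(
        RECORDS, match="any",
        criteria={"subtype": ("parameter_rule", False), "action": ("Deny", False)})])
```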

From/To Hour Minute Select the date and time range that contains the attack log that you are searching for. Note: The date fields default to the current date. Ensure the date fields are set to the actual date range that you want to search.

all/any Select all if you want to search for all terms specified in the fields shown below the all/any options. For example, if terms are entered in Sub Type and Action, the search results display only the attack logs matching both of those terms. Select any if you want to search for any one of the terms specified in the fields shown below the all/any options. For example, if terms are entered in Sub Type, Source, Action and Policy, the search results display the attack logs that match any of those terms.

not Select not if you want to search for conditions that exclude a specific term. For example, if an IP address is entered in the Source field, and not is selected, the search results exclude all attack logs with that source IP address.

Log fields Lists the fields of an attack log that can be searched for specific terms. Enter the exact terms in the appropriate log fields:
• Sub Type
• Source
• Destination
• Source Port
• Destination Port
• HTTP Method
• Action
• Policy
• Service
• HTTP Host
To exclude log records that match a criterion, mark its Not check box.

Note: Search results include only exact matches for keywords and terms entered in the advanced Search Dialog. Ensure that the keywords and terms are accurate and relevant to the search and that the date and time fields cover the actual range you want to search.

Note: A Log Detail report can be generated only for one page of results (30 logs) at a time. After generating a report for one page of results, move to the next page and generate another report, if required.

Downloading log messages

Log&Report > Log Access > Download enables you to download a specific range of event, attack or traffic logs from the FortiWeb hard disk to your local computer. You can select the log type to download, the start date and time, and the end date and time.

Note: If you want to download an entire event log file (elog), attack log file (alog) or traffic log file (tlog) stored on the FortiWeb hard disk, see “Viewing log messages” on page 331.


To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see “About permissions” on page 80.

To download log messages

1 Go to Log&Report > Log Access > Download.

2 Configure the following:

GUI item Description

Log Type Select the type of logs to download.

System Time Displays the date and time according to the FortiWeb unit’s clock at the time that this tab was loaded, or when you last clicked the Refresh button.

Time Zone Select the time zone in which the FortiWeb unit is located.

Automatically adjust clock for daylight saving changes Select the check box to have the system time adjusted twice annually to reflect changes between standard time and daylight saving time. (Not all jurisdictions recognize daylight saving time.)

Start Time Choose the starting point for the log download by selecting the year, month and day as well as the hour, minute and second that defines the first of the log messages to download.

End Time Choose the end point for the log download by selecting the year, month and day as well as the hour, minute and second that defines the last of the log messages to download.

3 Click Download.

4 If a file download dialog appears, click Save and then choose the directory where you want to save the downloaded log file. The log files are downloaded to the specified directory in a compressed file format (TGZ). You can use commercial file compression and text editing tools to extract and open the compressed log file.

Configuring and generating reports

Log&Report > Report Config > Report Config enables you to configure and generate reports.


When generating a report, FortiWeb units collate information collected from log files and present the information in tabular and graphical format. In addition to log files, FortiWeb units require a report profile in order to generate a report. A report profile is a group of settings that contains the report name, file format, subject matter, and other aspects that the FortiWeb unit considers when generating the report. FortiWeb units can generate reports automatically, according to the schedule that you configure in the report profile, or manually, when you click the Run now icon in the report profile list. You may want to create one report profile for each type of report that you will generate on demand or periodically, by schedule.

Before you generate a report, collect log data that will be the basis of the report. For information on enabling logging to the local hard disk, see “Configuring and enabling logging” on page 323. To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see “About permissions” on page 80.

Table 132: Log&Report > Report Config > Report Config tab

Note: Generating reports can be resource intensive. To avoid email processing performance impacts, you may want to generate reports during times with low traffic volume, such as at night or weekends. For more information on scheduling the generation of reports, see “Configuring the schedule of a report profile” on page 351.

GUI item Description

Create New Click to add a new report profile. For more information, see “Configuring a report profile” on page 346.

Delete In the left column, mark the check boxes of the report profiles that you want to remove, then click the Delete icon. Alternatively, click the Delete icon in the row corresponding to each report profile that you want to remove.

(Check box in column heading.)

To remove all report profiles, mark the check box in the column heading to select all report profiles, then click the Delete icon.To remove individual report profiles, mark the check box corresponding to each report profile that you want to remove, then click the Delete icon.

Report Displays the name of the report profile.

Title Displays the title of this report.

DeleteEdit

Run now

ortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guideevision 10 345ttp://docs.fortinet.com/ • Feedback

Configuring and generating reports Logs and reports

Configuring a report profileYou can create report profiles to define what information will appear in generated reports.To access this part of the web-based manager, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see “About permissions” on page 80.

To configure a report profile1 Go to Log&Report > Report Config > Report Config.2 Click Create New to add a report profile, or click the Edit icon to modify an existing

report profile.A multisection dialog appears.

Figure 49: New report dialog

3 In Report Name, enter a name for the report profile.Report names cannot include spaces.

4 If you are creating or cloning a new report profile, select from Type either to run the report immediately after configuration (On Demand) or run the report at configured intervals (On Schedule).

Schedule Displays the scheduled frequency when the FortiWeb unit generates the report.If this report is not scheduled to be periodically generated according to the schedule configured in the report profile, but instead will be generated only on demand, when you manually click the Run now icon, None appears in this column.

Action Click the Delete icon it to remove the report profile.Click the Edit icon to modify the report profile. For more information, see “Configuring a report profile” on page 346.Click the Run now icon to immediately generate a report using this report profile. This option can be used with both scheduled and on demand report profiles, and occurs independently of any automatic report generation schedules you may have configured. For more information, see “Configuring the schedule of a report profile” on page 351. To view the resulting report, see “Viewing and downloading reports” on page 353.

Note: For on-demand reports, the FortiWeb unit does not save the report profile after the generating the report. If you want to save the report profile, but do not want to generate the report at regular intervals, select On Schedule, but then in the Schedule section, select Not Scheduled.

FortiWeb™ Web Application Firewall Version 4.0 MR2 Administration Guide346 Revision 10

http://docs.fortinet.com/ • Feedback

Logs and reports Configuring and generating reports

FRh

5 In Report Title, enter a name that will appear in the title area of the report. The title may include spaces.

6 In Description, enter a comment or other description.

7 Click the blue expand arrow next to each section, and configure the following:

Note: You cannot change the Type when editing a report profile. To change the scheduled/on demand Type, create a new report profile instead.

Name of the section: Description

Properties: Select to add logos, headers, footers and company information to customize the report. For more information, see “Configuring the headers, footers, and logo of a report profile” on page 347.

Report Scope: Select the time span of log messages from which to generate the report. You can also create a data filter to include in the report only those logs that match a set of criteria. For more information, see “Configuring the time period and log filter of a report profile” on page 348.

Report Types: Select one or more subject matters to include in the report. For more information, see “Configuring the query selection of a report profile” on page 349.

Report Format: Select the number of top items to include in ranked report subtypes, and other advanced features. For more information, see “Configuring the advanced options of a report profile” on page 350.

Schedule: Select when the FortiWeb unit will run the report, such as weekly or monthly. For more information, see “Configuring the schedule of a report profile” on page 351. This section is available only if Type is On Schedule.

Output: Select the file formats and destination email addresses, if any, of reports generated from this report profile. For more information, see “Configuring the output of a report profile” on page 352.

8 Click OK when you complete the applicable sections. On-demand reports are generated immediately; scheduled reports, if you have configured a schedule, are generated at those intervals. For information on viewing generated reports, see “Viewing and downloading reports” on page 353.

Configuring the headers, footers, and logo of a report profile

When configuring a report profile, you can provide text and logos to customize the appearance of reports generated from the profile.

Table 133: Properties section of a report profile

GUI item: Description

Company Name: Enter the name of your company or other organization.

Header Comment: Enter a title or other information to include in the header.

Footer Comment: Select which information to include in the footer:
• Report Title: Use the text from Report Name.
• Custom: Use other text that you type into the field to the right of this option.

Title Page Logo: Select No Logo to omit the title page logo. Select Custom to include a logo, then click Select to locate the logo file, and click Upload to save it to the FortiWeb unit’s hard disk for use in the report title page.

Header Logo: Select No Logo to omit the header logo. Select Custom to include a logo, then click Select to locate the logo file, and click Upload to save it to the FortiWeb unit’s hard disk for use in the report header. The header logo will appear on every page in PDF- and Microsoft Word (RTF)-formatted reports, and at the top of the page in HTML-formatted reports.

When adding a logo to the report, select a logo file format that is compatible with your selected file format outputs. If you select a logo that is not supported for a file format, the logo will not appear in that output. For example, if you provide a logo graphic in WMF format, it will not appear in PDF or HTML output.

Table 134: Report file formats and their supported logo file formats

PDF reports: JPG, PNG, GIF

RTF reports: JPG, PNG, GIF, WMF

HTML reports: JPG, PNG, GIF

Configuring the time period and log filter of a report profile

When configuring a report profile, you can select the time span of log messages from which to generate the report. You can also filter out log messages that you do not want to include in the report.

Table 135: Time Period section of a report profile

GUI item: Description

Time Period: Select the time span of the report, such as This Month or Last N Days. Alternatively, select and configure From Date and To Date.

Past N Hours, Past N Days, Past N Weeks: Enter the number N of the unit of time. This option appears only when you have selected Last N Hours, Last N Days, or Last N Weeks from Time Period, and therefore must define N.

From Date, Hour: Select and configure the beginning of the time span. For example, you may want the report to include log messages starting from May 5, 2006 at 6 PM. You must also configure To Date.

To Date, Hour: Select and configure the end of the time span. For example, you may want the report to include log messages up to May 6, at 12 AM. You must also select and configure From Date.

Table 136: Data Filter section of a report profile

GUI item: Description

None: Select this option to include all log messages within the time span.

Include logs that match the following criteria: Select this option to include only the log messages within the time span whose values match your filter criteria, then select whether log messages must meet every configured criterion (all) or whether meeting any one of them is sufficient (any), and configure the following criteria.
• Priority: Mark the check box to filter by log severity threshold (in raw logs, the pri field), then select the name of the severity and whether to include logs that are greater than or equal to (>=), equal to (=), or less than or equal to (<=) that severity.
• Source(s): Type the source IP address (in raw logs, the src field) that log messages must match.
• Destination(s): Type the destination IP address (in raw logs, the dst field) that log messages must match.
• Http Method(s): Type the HTTP method (in raw logs, the http_method field) that log messages must match.
• User(s): Type the administrator account name (in raw logs, the user field) that log messages must match.
• Action(s): Type the firewall action (in raw logs, the action field) that log messages must match.
• Subtype(s): Type the subtype (in raw logs, the subtype field) that log messages must match.
• Policy(s): Type the policy name (in raw logs, the policy field) that log messages must match.
• Service(s): Type the source IP address (in raw logs, the src field) that log messages must match.
• Message(s): Type the message (in raw logs, the msg field) that log messages must match.
• Day of Week: Mark the check boxes for the days of the week whose log messages you want to include.
To exclude the log messages which match a criterion, mark its not check box, located on the right-hand side of the criterion.

Configuring the query selection of a report profile

When configuring a report profile, you can select one or more queries or query groups that define the subject matter of the report. Each query group contains multiple individual queries, each of which corresponds to a chart that will appear in the generated report. You can select all queries within the group by marking the check box of the query group, or you can expand the query group and then individually select each query that you want to include. For example:
• If you want the report to include charts about both normal traffic and attacks, you might enable both of the query groups Attack Activity and Event Activity.
• If you want the report to specifically include only a chart about top system event types, you might expand the query group Event Activity, then enable only the individual query Top Event Types.

Figure 50: Report Type(s) section of a report profile
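As an added illustration of how the Data Filter criteria in Table 136 combine (this is not code from the guide or from FortiWeb itself), the following Python script evaluates the all/any choice, the not check box, the Priority comparison on the pri field and the Day of Week criterion over constructed key=value raw log lines. The field names follow Table 136; the sample values, and the subtype and policy names, are assumptions.

```python
import re
from datetime import date

# FortiWeb log severities, most severe first (the value of the pri field).
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notification", "information", "debug"]
_RANK = {name: rank for rank, name in enumerate(SEVERITIES)}
_DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]

# key=value pairs separated by spaces; values may be double-quoted.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_raw_log(line):
    """Parse one key=value raw log line into a dict (quotes stripped)."""
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def severity_matches(pri, op, threshold):
    """Compare a log's pri with a threshold severity.

    In the Priority criterion, '>=' means at least as severe as the
    threshold, which is a rank numerically less than or equal to it.
    """
    lhs, rhs = _RANK[pri], _RANK[threshold]
    if op == ">=":
        return lhs <= rhs
    if op == "<=":
        return lhs >= rhs
    if op == "=":
        return lhs == rhs
    raise ValueError("unknown operator: %s" % op)


def criterion_matches(log, criterion):
    """Evaluate one Data Filter criterion against a parsed log record.

    criterion is (field, expected, negate). For "pri", expected is an
    (operator, severity) pair; for "day_of_week", a set of weekday
    abbreviations; for src, dst, http_method, user, action, subtype,
    policy and msg, the exact string the field must equal. negate=True
    models the "not" check box beside the criterion.
    """
    field, expected, negate = criterion
    if field == "pri":
        hit = severity_matches(log.get("pri", "debug"), *expected)
    elif field == "day_of_week":
        weekday = _DAYS[date.fromisoformat(log["date"]).weekday()]
        hit = weekday in expected
    else:
        hit = log.get(field) == expected
    return not hit if negate else hit


def filter_logs(lines, criteria=(), mode="all"):
    """Return the parsed logs that the Data Filter selects.

    An empty criteria list is the "None" option: every log within the
    time span is included. mode "all" requires every criterion to match;
    mode "any" requires at least one of them to match.
    """
    if mode not in ("all", "any"):
        raise ValueError("mode must be 'all' or 'any'")
    combine = all if mode == "all" else any
    logs = [parse_raw_log(line) for line in lines]
    if not criteria:
        return logs
    return [log for log in logs
            if combine(criterion_matches(log, c) for c in criteria)]


# Constructed sample raw logs in FortiWeb key=value style (not real output;
# the subtype and policy names are made up for the example).
SAMPLE_LOGS = [
    'date=2011-06-13 time=09:15:02 type=attack subtype=waf_signature pri=alert '
    'src=203.0.113.7 dst=192.0.2.10 http_method=get user=- action=Alert_Deny '
    'policy=web_policy1 msg="SQL Injection"',
    'date=2011-06-13 time=09:20:44 type=event subtype=admin pri=information '
    'src=192.0.2.50 dst=192.0.2.1 http_method=- user=admin action=login '
    'policy=- msg="Administrator admin logged in"',
    'date=2011-06-18 time=02:03:11 type=attack subtype=waf_signature pri=critical '
    'src=198.51.100.23 dst=192.0.2.10 http_method=post user=- action=Alert_Deny '
    'policy=web_policy1 msg="Cross Site Scripting"',
    'date=2011-06-19 time=22:47:59 type=attack subtype=url_access pri=warning '
    'src=203.0.113.7 dst=192.0.2.11 http_method=get user=- action=Alert '
    'policy=web_policy2 msg="URL Access Violation"',
]
```

For example, `filter_logs(SAMPLE_LOGS, [("pri", (">=", "warning"), False), ("day_of_week", {"sat", "sun"}, False)])` selects the two weekend attack logs of severity warning or higher.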

Configuring the advanced options of a report profile

When configuring a report profile, you can configure various advanced options that affect how many log messages are used to formulate ranked report subtypes, and how results will be displayed.

Table 137: Report Format section of a report profile

GUI item: Description

Include reports with no matching data: Enable to include reports for which there is no data. In this instance, a blank report appears in the summary. You might enable this option to verify inclusion of report types selected in the report profile when filter criteria or absent logs would normally cause the report type to be omitted.

Ranked Reports: Ranked reports (top x, or top y of top x) can include a different number of results per cross-section, then combine remaining results under “Others.” For example, in Top Sources By Top Destination, the report includes the top x destination IP addresses, and their top y source IP addresses, then groups the remaining results. You can configure both x and y in the Advanced section of Report Format. In Ranked Reports (“top n” report types, such as Top Attack Type), you can specify how many items from the top rank will be included in the report. For example, you could set the Top Attack URLs report to include up to 30 of the top n denied URLs by entering 30 for values of the first variable 1..30. Some ranked reports rank not just one aspect, but two, such as Top Sources By Top Destination: this report ranks top source IP addresses for each of the top destination IP addresses. For these double ranked reports, you can also configure the rank threshold of the second aspect by entering the second threshold in values of the second variable for each value of the first variable 1..30.

Include Summary Information: Enable to include a summary of the report profile settings.

Include Table of Contents: Enable to include a table of contents for the report.

Note: Reports that do not include “Top” in their name display all results. Changing the Ranked Reports values will not affect these reports.

Configuring the schedule of a report profile

When configuring a report profile, you can select whether the FortiWeb unit will generate the report on demand or according to the schedule that you configure.

Note: Generating reports can be resource-intensive. To improve performance, schedule reports during times when traffic volume is low, such as at night or during weekends.

Table 138: Schedule section of a report profile

GUI item: Description

Schedules

Not Scheduled: Select if you do not want the FortiWeb unit to generate the report automatically according to a schedule. If you select this option, the report will only be generated on demand, when you manually click the Run now icon in the report profile list. For more information, see “Configuring and generating reports” on page 344.

Daily: Select to generate the report each day. Also configure Time.

These Days: Select to generate the report on specific days of each week, then mark the check boxes for those days. Also configure Time.

These Dates: Select to generate the report on specific dates of each month, then enter those date numbers. Separate multiple date numbers with a comma. Also configure Time. For example, to generate a report on the first and 30th day of every month, enter 1,30.

Time: Select the time of day when the report will be generated. This option does not apply if you have selected Not Scheduled.

Configuring the output of a report profile

When configuring a report profile, you can select one or more file formats in which to save reports generated from the profile. You can also configure the FortiWeb unit to email the reports to specific recipients.

Table 139: Output section of a report profile

GUI item: Description

File Output: Enable the file formats that you want to generate and store on the FortiWeb unit’s hard drive. HTML file format reports will always be generated (indicated by the permanently enabled check box), but you may also choose to generate reports in:
• PDF
• MS Word
• plain text (Text), and
• MIME HTML (MHT, which can be included in email)

Email Output: Enable the file formats that you want to generate for an email that will be mailed to the recipients defined by the email policy.

Email Policy: Select the predefined email policy that you want to associate with the report output. This email policy determines who receives the report email. For more information on configuring email policies, see “Configuring email policies” on page 317.

Email Subject: Type the subject line of the email.

Email Body: Type the message body of the email.

Email Attachment Name: Type a file name that will be used for the attached reports.

Compress Report Files: Enable to enclose the generated report formats in a compressed archive, as a single attachment.
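As an added example (not the guide's or FortiWeb's own code) of the ranking and “Others” grouping that the Ranked Reports option in Table 137 describes, this Python snippet builds a Top Sources By Top Destination table for given x and y, and the single-aspect top n form, from constructed src/dst records. The IP addresses and hit counts are assumptions chosen to show both kinds of “Others” row.

```python
from collections import Counter, defaultdict


def top_n_with_others(counts, n):
    """Keep the n highest counts and fold the remainder into "Others".

    This is the single-aspect ranked report (for example Top Attack URLs
    with the first variable set to n). counts maps item -> number of hits.
    """
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]
    rows = dict(ranked)
    others = sum(counts.values()) - sum(rows.values())
    if others:
        rows["Others"] = others
    return rows


def top_sources_by_top_destination(records, top_x, top_y):
    """Double ranked report: top_x destinations and, under each, its top_y sources.

    Sources past top_y are folded into "Others" within that destination's
    row; destinations past top_x are folded into a final "Others" row.
    records is an iterable of parsed log records with src and dst keys.
    """
    per_dst = defaultdict(Counter)
    for log in records:
        per_dst[log["dst"]][log["src"]] += 1
    dst_totals = {dst: sum(c.values()) for dst, c in per_dst.items()}
    top_dsts = sorted(dst_totals.items(), key=lambda kv: kv[1],
                      reverse=True)[:top_x]
    report = {dst: top_n_with_others(per_dst[dst], top_y) for dst, _ in top_dsts}
    others = sum(dst_totals.values()) - sum(total for _, total in top_dsts)
    if others:
        report["Others"] = {"Others": others}
    return report


def render_report(report):
    """Format the nested report as indented text lines (destination, then sources)."""
    lines = []
    for dst, sources in report.items():
        lines.append(dst)
        for src, hits in sources.items():
            lines.append("    %-16s %d" % (src, hits))
    return lines


# Constructed attack log records reduced to their src and dst fields
# (source, destination, number of attack log messages).
_PAIRS = [
    ("203.0.113.7", "192.0.2.10", 5),
    ("198.51.100.23", "192.0.2.10", 3),
    ("203.0.113.9", "192.0.2.10", 2),
    ("198.51.100.4", "192.0.2.10", 1),
    ("203.0.113.7", "192.0.2.11", 4),
    ("198.51.100.23", "192.0.2.11", 2),
    ("203.0.113.9", "192.0.2.12", 2),
    ("198.51.100.4", "192.0.2.13", 1),
]
SAMPLE_RECORDS = [{"src": src, "dst": dst}
                  for src, dst, n in _PAIRS for _ in range(n)]


if __name__ == "__main__":
    # Top 2 destinations, top 2 sources each (x = 2, y = 2).
    for line in render_report(top_sources_by_top_destination(SAMPLE_RECORDS, 2, 2)):
        print(line)
```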

Viewing and downloading reports

Log&Report > Report Browse > Report Browse displays a list of reports that have been generated from the report profiles. You can view, delete, and/or download generated reports. FortiWeb units can generate reports automatically, according to the schedule that you configure in the report profile, and/or manually, when you click the Run now icon on the Log&Report > Report Browse > Report Config tab. For more information, see “Configuring and generating reports” on page 344.

Table 140: Log&Report > Report Browse > Report Browse tab

GUI item: Description

Refresh: Click to refresh the display with the current list of completed, generated reports.

Delete: In the column containing check boxes, in each row corresponding to a report that you want to delete, mark the check box, then click the Delete icon.

(Check box with no column heading.): In the column containing check boxes, in each row corresponding to a report that you want to delete, mark the check box, then click the Delete icon.

Go to first page: Click to display the first page in the list of generated reports. This icon is gray and disabled if you are currently on the first page.

Go to previous page: Click to display the previous page. This icon is gray and disabled if you are currently on the first page.

(Text field with no label.): Type a page number, then press Enter to display that page in the list of generated reports. This field cannot be modified if there is only one page in the list of generated reports.

Go to next page: Click to display the next page. This icon is gray and disabled if you are currently on the last page.

Go to the last page: Click to display the last page in the list of generated reports. This icon is gray and disabled if you are currently on the last page.

Report Files: Displays the name of the generated report, the date and time at which it was generated, and, if necessary to distinguish it from other reports generated at that time, a sequence number. For example, Report_1-2008-03-31-2112_018 is a report named “Report_1”, generated on March 31, 2008 at 9:12 PM. It was the nineteenth report generated at that date and time (the first report generated at that time did not have a sequence number). To view the report in HTML format, click the name of the report. The report appears in a pop-up window. To view only an individual section of the report in HTML format, click the blue triangle next to the report name to expand the list of HTML files that comprise the report, then click one of the file names.

Started: Displays the date and time when the FortiWeb unit started to generate the report.

Finished: Displays the date and time when the FortiWeb unit completed generating the report.

Size (bytes): Displays the file size in bytes of each of the HTML files that comprise an HTML-formatted report. This column is empty for the overall report, and contains sizes only for its component files.

Other Formats: Click the name of an alternative file format, if any were configured to be generated by the report profile, to download the report in that file format.

Action: Click the Delete icon to remove the report. Click Rename to rename a generated report.

Note: To reduce the amount of hard disk space consumed by reports, regularly download, then delete generated reports from the FortiWeb unit.
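An added Python example (not from the guide or from FortiWeb) that parses the generated report file names described in the Report Files row of Table 140, recovering the profile name, generation time and ordinal, and then lists the reports old enough to download and delete as the note above recommends. The sample file names, the 30-day threshold and the assumed current date are constructed.

```python
import re
from datetime import datetime, timedelta

# <report name>-<YYYY-MM-DD-HHMM>[_<NNN>]; report names cannot contain spaces.
_REPORT_RE = re.compile(
    r"^(?P<name>\S+?)-(?P<stamp>\d{4}-\d{2}-\d{2}-\d{4})(?:_(?P<seq>\d{3}))?$")


def parse_report_file_name(file_name):
    """Split a generated report name into profile name, timestamp and ordinal.

    The first report generated in a given minute carries no suffix; later
    ones carry _001, _002, ... so the ordinal is the suffix value plus one.
    """
    match = _REPORT_RE.match(file_name)
    if match is None:
        raise ValueError("not a FortiWeb report file name: %r" % file_name)
    seq = match.group("seq")
    return {
        "profile": match.group("name"),
        "generated": datetime.strptime(match.group("stamp"), "%Y-%m-%d-%H%M"),
        "ordinal": int(seq) + 1 if seq is not None else 1,
    }


def reports_older_than(file_names, now, max_age_days):
    """Report names generated more than max_age_days before now, oldest first.

    Intended for the housekeeping note above: download these reports,
    then delete them from the FortiWeb unit.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for name in file_names:
        info = parse_report_file_name(name)
        if info["generated"] < cutoff:
            stale.append((info["generated"], info["ordinal"], name))
    return [name for _, _, name in sorted(stale)]


# Constructed file names in the documented pattern (not from a real unit).
SAMPLE_FILES = [
    "weekly_attacks-2011-06-12-0200",
    "Report_1-2008-03-31-2112_018",
    "weekly_attacks-2011-05-01-0200",
    "Report_1-2008-03-31-2112",
]


def stale_sample_reports():
    """Sample run: reports older than 30 days as of an assumed 'now' of 16 June 2011."""
    return reports_older_than(SAMPLE_FILES, datetime(2011, 6, 16, 12, 0), 30)
```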


Fine tuning and best practices

This chapter is a collection of fine-tuning and best practice tips and guidelines to help you configure the most secure and reliable operation of your FortiWeb units. This chapter includes:
• Avoiding problems
• Tuning security
• Tuning high availability (HA)
• Tuning policy
• Tuning performance

Avoiding problems

As you configure your FortiWeb unit and integrate it effectively into your network, take care not to create problems and setbacks. FortiWeb includes powerful commands and options—features needed for efficient management—that, if misused or mistimed, can undo your hard work. Here is a list of tips to avoid problems:

Set operation mode

Once the FortiWeb unit is set up and integrated with your network, there is little reason to change its operation mode. Do not do so unless you have a compelling reason. If you must change the mode, first back up your configuration. Changing between very different modes deletes any policies not applicable to the new mode, all static routes, all v-zone IPs and all VLAN settings. (You can switch between the two types of transparent mode without encountering these problems.) See “Configuring the operation mode” on page 71.

Perform backups

Perform backups before executing actions that could alter the configuration:
• Before upgrading the firmware, always perform a full backup, including configurations.
• Back up your configuration before running CLI commands that can change your settings, such as execute factoryreset and execute restore.
• Back up your configuration before clicking the Reset button in the System Information console on the dashboard.
• Back up your configuration before changing operation mode.
There are two backup methods available:
  • manual, as shown in Figure 51 (see “Backing up and restoring configurations” on page 96)
  • via FTP, as shown in Figure 52 (see “Configuring an FTP backup and schedule” on page 98)
To lessen the impact on performance, set the FTP backup time to off-peak hours or weekends.

Figure 51: Backup & Restore under System > Maintenance

Figure 52: FTP Backup under System > Maintenance

Download log messages

Event log messages stored in memory are cleared when the FortiWeb unit shuts down. Use the log download feature to save the log before shutting down. See “Downloading log messages” on page 343.


Disable web anti-defacement

If you use the web anti-defacement feature, make sure you turn it off before you change your site during updates; otherwise, the feature may undo all your changes. On the Web Site with Anti-Defacement tab, select the Edit icon next to the applicable web site. On the edit dialog, clear the check box next to Enable Monitor and Restore Changed Files Automatically. Enable this option later when you complete your site updates. (See “Configuring anti-defacement” on page 293.)

Tuning security

FortiWeb is designed to enhance the security of your web sites and web servers, and when fully configured, it can automatically plug holes commonly used by attackers to compromise a system. This section lists tips for further enhancing security.

Administrator security

• As soon as possible during initial FortiWeb setup, give the default administrator, admin, a password. This administrator has the highest level of permissions available, and access to this administrator should be limited to as few people as possible.

• Change all administrator passwords regularly. Set a policy—such as every 60 days—and follow it. (To see the dialog in Figure 53, click the Edit Password icon to reveal the password dialog.)

Figure 53: Edit Password under System > Admin > Administrator

• Instead of allowing administrative access to the FortiWeb unit from any source, restrict it to trusted internal hosts. See Figure 54 and “Configuring trusted hosts” on page 78.


Figure 54: Edit Administrator under System > Admin > Administrators

• Do not use the default administrator access profile for all new administrators. Create one or more access profiles with limited permissions tailored to the responsibilities of the new administrator accounts. See “Configuring access profiles” on page 78.

• By default, an administrator login that is idle for more than five minutes times out. You can change this to a longer period on the Administrators Settings dialog shown in Figure 55, but Fortinet does not recommend it. A web-based manager GUI or CLI session left unattended lets anyone change your settings.

• Administrator passwords should be at least six characters long and include both numbers and letters. For additional security, select the Enable Strong Passwords option on the Administrators Settings dialog, shown in Figure 55, to force the use of stronger passwords. See “Configuring the web-based manager’s global settings” on page 82.


Figure 55: Settings under System > Admin

• Restrict the interface used for administrative access (usually port1) to just the access protocols needed, as shown in Figure 56.

Figure 56: Edit Interface under System > Network

Use only the most secure protocols. Disable Telnet. Disable ping except during troubleshooting. Use HTTP only if the network interface connects to a trusted private network. See “Configuring the network and VLAN interfaces” on page 50.


Data security

• To protect your web servers, install the FortiWeb unit or units between the web servers and a general purpose firewall. FortiWeb units do not replace firewalls.
• Make sure web traffic cannot bypass the FortiWeb unit in a complex network environment.
• Restrict the interfaces used for non-administrative access to just the access protocols your applications need, as shown in Figure 56. For example, disable Telnet: it is insecure and rarely needed. Disable ping except during troubleshooting. See “Configuring the network and VLAN interfaces” on page 50.

• If enabled to do so, a FortiWeb unit will hide selected data types, including user names and passwords, that could appear in the packet payloads accompanying a log message. You can also define your own sensitive data types, such as ages or other identifying numbers, using regular expressions and hide them too. See “Obscuring sensitive data in the logs” on page 329.

• FortiWeb does not encrypt or obfuscate user passwords when downloading a configuration backup file. If you have local user accounts, the passwords will be in plain text. Store configuration backup files in a secure location.

• Upgrade to the latest available firmware to take advantage of new definitions for predefined robots, data types, suspicious URLs, and attack signatures. There are two methods available:
  • manual, as shown in Figure 57 (see “Uploading signature updates” on page 101)
  • scheduled, as shown in Figure 58 (see “Scheduling signature updates” on page 102)

Figure 57: Update Signature under System > Maintenance


Figure 58: Auto Update under System > Maintenance

Tuning high availability (HA)

To enhance availability, set up two FortiWeb units to act as an active-passive high availability (HA) pair. If your primary FortiWeb unit fails, the backup FortiWeb unit can continue processing web traffic with only a minor interruption. For details, see “Configuring high availability (HA)” on page 61.

Figure 59: HA-Config under System > Config

Keep these points in mind when setting up an HA pair:


• Isolate HA interface connections from your overall network. Heartbeat and synchronization packets contain sensitive configuration information and can consume considerable network bandwidth. For best results, directly connect the two HA interfaces using a crossover cable. If your system uses switches instead of crossover cables to connect the HA heartbeat interfaces, those interfaces must be reachable by Layer2 Multicast. For details, see the FortiWeb Install and Setup Guide.

• When configuring an HA pair, pay close attention to the options ARP packets numbers and ARP packet interval as shown in Figure 59. The FortiWeb unit broadcasts ARP packets to the network to ensure timely failover. This broadcast can slow performance, so set the value of ARP packets numbers no higher than needed. When the FortiWeb unit broadcasts ARP packets, it does so at regular intervals. For performance reasons, set the value for ARP packet interval no greater than required. Some experimentation may be needed to set these options at their optimum values. See “Configuring high availability (HA)” on page 61.

Set an SNMP HA heartbeat alert

Use SNMP to generate a message if the HA heartbeat fails.

Figure 60: SNMP community setting under System > Config > SNMP

• Configure an SNMP community and select the HA heartbeat failed option in the SNMP Event list, as shown in Figure 60. For details, see “Configuring the SNMP agent” on page 66.

Tuning policy

The backbone of a FortiWeb unit's web site protection is the application of server policies. Here are a few tips to help avoid problems and increase performance:
• Disable or delete policies and policy settings with care. Any changes made to policies take effect immediately.
• Verify that all physical web servers are covered by a policy. If a server has no associated policy or all policies for it are disabled, FortiWeb will not monitor web traffic to that web server. In reverse proxy mode, FortiWeb will block traffic to servers without an enabled policy.

• The FortiWeb unit applies the many types of rules, policies and data scans in a set order. (See “Order of execution” on page 190.) Within certain policies, such as URL access policy, FortiWeb executes the rules in the priority you assign. Review the logic of your web protection policies to make sure they deliver the web protection you expect.


• When you have multiple policies or rules that apply to one configuration item (for example, a server), make sure they are processed in order from the most specific to the most general. For example, arrange to have specific server policies at the top of the list. Policy matches are checked from the top of the list, downward. For example, a very general policy matches all connection attempts. But if you create a policy that contains exceptions, you want it processed before the general policy. For example, when creating a content filter for XML protection profiles, arrange the priority of content filter rules from most specific to most general, as shown in Figure 61, because only the first matching content filter rule is applied. This prevents general content filter rules, which match a wide range of traffic and whose action is Accept or Deny, from superseding and effectively masking other content filter rules whose action is Alert. See “Configuring content filter rules” on page 166.

Figure 61: Edit Content Filter under XML Protection > Content Filter
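As an added example (not code from the guide or from FortiWeb), the following Python models the first-match evaluation just described and flags rules that a more general rule above them shadows, which is exactly how an Accept rule placed too high masks an Alert rule. Rule patterns are assumed to be URL path prefixes, a simplification chosen for this example.

```python
"""Added example (not FortiWeb code): first-match rule ordering.

Only the first matching rule is applied, so a general Accept/Deny rule
listed above a more specific Alert rule silently masks it. Patterns are
assumed to be URL path prefixes (an assumption made for this example).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    prefix: str    # assumed: the rule matches any path starting with this prefix
    action: str    # "Accept", "Deny" or "Alert", the actions named in the guide


def first_match(rules: List[Rule], path: str) -> Optional[Rule]:
    """Return the first rule whose prefix matches, checking top of list first."""
    for rule in rules:
        if path.startswith(rule.prefix):
            return rule
    return None


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire.

    With prefix patterns, a later rule is shadowed exactly when an earlier
    rule's prefix is a prefix of its own: every request it could match is
    already consumed by that earlier, more general rule.
    """
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if later.prefix.startswith(earlier.prefix):
                shadowed.append(later.name)
                break
    return shadowed


def order_specific_first(rules: List[Rule]) -> List[Rule]:
    """Reorder so longer (more specific) prefixes precede shorter ones.

    sorted() is stable, so rules of equal specificity keep their order.
    """
    return sorted(rules, key=lambda r: -len(r.prefix))


# Constructed sample: a catch-all Accept rule sits above two specific rules.
MISORDERED = [
    Rule("allow-all-xml", "/", "Accept"),
    Rule("alert-admin-soap", "/soap/admin/", "Alert"),
    Rule("deny-legacy", "/soap/legacy/", "Deny"),
]

if __name__ == "__main__":
    hit = first_match(MISORDERED, "/soap/admin/deleteUser")
    print("misordered ->", hit.name, hit.action)        # allow-all-xml Accept
    print("shadowed   ->", shadowed_rules(MISORDERED))  # both specific rules
    fixed = order_specific_first(MISORDERED)
    hit = first_match(fixed, "/soap/admin/deleteUser")
    print("fixed      ->", hit.name, hit.action)        # alert-admin-soap Alert
    print("shadowed   ->", shadowed_rules(fixed))       # []
```

Running shadowed_rules over a rule list before saving it is a cheap check that no Alert rule has been masked by a broader Accept or Deny rule above it.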

Tuning performance

When configuring your FortiWeb unit and its features, there are many settings and practices that can yield better performance.

System performance

• Verify that the system time and time zone are correct. Many features rely on a correct system time. See “Configuring system time” on page 100.

• To reduce latency associated with DNS queries, use a DNS server on your local network as your primary DNS. See “Configuring the DNS settings” on page 58.

• Where applicable, create one or more VLAN interfaces. VLANs reduce the size of a broadcast domain and the amount of broadcast traffic received by network hosts, thus improving network performance. See “Adding a VLAN subinterface” on page 53.

Log and report performance

• If you do not need a traffic log, turn off that feature to reduce the use of system resources. See “Enabling logging” on page 327.

• Reduce repetitive log messages. Use the alert email policy, as shown in Figure 62, to define the interval at which emails are sent if the same condition persists following the initial occurrence. See “Configuring email policies” on page 317.


Figure 62: Email Policy under Log&Report > Log Policy

• Avoid recording log messages using low severity thresholds, such as information or notification, to the local hard disk for an extended period of time. Excessive logging frequency saps system resources and can cause undue wear on the hard disk and may cause premature failure. See “Configuring global log settings” on page 324.

• Generating reports can be resource intensive. To avoid performance impacts, consider scheduling report generation during times with low traffic volume, such as at night and on weekends. See Figure 63 and “Configuring the schedule of a report profile” on page 351.


Figure 63: Report Config under Log&Report

Feature configuration performance

• Each URL on an auto-learning report includes the right-click menu option Stop Learning. By selecting this option for a URL that you know is complex and hard to track effectively, or that may generate inaccurate data, you reduce processing resources. See “Viewing auto-learning reports” on page 282. FortiWeb no longer gathers report data for a stopped URL.

• Once you have collected enough auto-learning data for generating protection profiles, consider turning off the auto-learning function to save resources. To do so, deselect the auto-learning profile in applicable server policies. See “Configuring server policies” on page 118.

• If you have enabled the server health check feature as part of a server farm and one of the servers is down for an extended period, you may improve the performance of your FortiWeb unit by disabling the physical server, rather than allowing the server health check to continue checking for the server's responsiveness. See “Configuring server health checks” on page 143.

• Tune the list of predefined data type groups to include just those the FortiWeb unit is likely to encounter when gathering data for an auto-learning report. By pruning the list shown in Figure 64, you reduce the resources used by the FortiWeb unit. See “Grouping predefined data types” on page 150.


Figure 64: Data Type Group under Server Policy > Predefined Pattern

• When configuring a suspicious URL rule, clear one or more server type options if you do not operate all three web servers, as shown in Figure 65. By pruning the list, you reduce the resources used by the FortiWeb unit when applying the rule. See “Grouping suspicious URLs” on page 154.

Figure 65: Suspicious URL Rule under Server Policy > Predefined Pattern

• When you configure a server protection rule as part of a web protection profile, consider limiting the scope and application of the Information Disclosure options shown in Figure 66. (Click the blue arrow next to Information Disclosure to see the list.) Do you need to watch for all the information types? If not, clear applicable options to increase performance. See “Configuring server protection rules” on page 201.


Figure 66: Server Protection Rule under Web Protection > Server protection Rule

The Information Disclosure feature can potentially require the FortiWeb unit to rewrite the header and body of every request from a server, resulting in reduced performance. Fortinet recommends enabling this feature only to help you identify information disclosure through logging, and only until you can reconfigure the server to omit such sensitive information. Clear the All / None option to disable the feature.

• If you use the web anti-defacement feature, tune your configuration to avoid backing up overly large files. See Figure 67 and “Configuring anti-defacement” on page 293.


Figure 67: Web Anti-Defacement under Web Anti-Defacement

Unless you need to back up large files, reduce the setting for the Skip Files Larger Than option from the default of 10 240 KB. Use the Skip Files With These Extensions option to exclude specific types of large files, such as compressed files and video clips.

Troubleshooting tip

• Packet capture can be useful for troubleshooting but can be resource intensive. (See “Debug the packet flow” on page 378.) To minimize the performance impact on your FortiWeb unit, use packet capture only during periods of minimal traffic. Use a serial console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.


Troubleshooting

This chapter provides guidelines to help you determine why your FortiWeb unit is behaving unexpectedly. It includes general troubleshooting methods and specific troubleshooting tips using both the command line interface (CLI) and the web-based manager. Some CLI commands provide troubleshooting information not available through the web-based manager. The web-based manager is better suited for viewing large amounts of information on screen, reading logs and archives, and viewing status through the dashboard.

This chapter includes:

• Establish a system baseline
• Check traffic flow
• Define the problem
• Search for a known solution
• Create a troubleshooting plan
• Gather system information
• Troubleshoot connectivity issues
• Troubleshoot resource issues
• Troubleshoot user and admin login issues
• Troubleshoot bootup issues
• Contact Fortinet customer support for assistance

Establish a system baseline

Before you can clearly define an abnormal operation, you need to know what the normal operating status is. You can create a repository of this baseline information by keeping logs, and by regularly running information gathering commands and saving the output. When there is a problem, this regular operation data helps you determine what has changed.

It is a good idea to back up the FortiWeb unit's configuration regularly. If you accidentally change something, the backup can help you restore normal operation quickly and easily. Backups can also aid in troubleshooting. For details, see “Backing up and restoring configurations” on page 96.

Check traffic flow

One of your first tests should be to establish if the FortiWeb unit is actually monitoring or inspecting web traffic on your web servers. Before going further, make these basic configuration and traffic flow checks:

• Is there a server policy applied to the web server or servers FortiWeb was installed to protect? Your FortiWeb unit will not allow traffic to a web server without a server policy for that server if the operation mode is reverse proxy.


• If a server policy exists for the web server, does the server policy reference an auto-learning profile? If yes, check your auto-learning report to see if the profile is gathering data. Go to Auto Learn > Auto Learn Report and click the Detail icon to view the report. If no, create an auto-learning profile and see if it gathers data. When an auto-learning profile is in effect, it should gather data if you have web traffic.

• If your system utilizes secure connections (HTTPS and SSL) and there is no traffic flow, is there a problem with your certificate?

• If you run a test attack from a browser aimed at your web site, does it show up in the attack log? To execute a simple attack, append the cmd.exe command to your site's URL, for example:

www.example.com/cmd.exe

Under normal circumstances, you should see a new common exploit entry, such as a start page violation, in the Attack Log widget of the system dashboard.

If your server policies are correct and your certificate, if applicable, is valid, then move on to “Define the problem” on page 370, and be sure to look for connectivity problems as described in “Troubleshoot connectivity issues” on page 373.

Define the problem

Before you can solve a problem, you need to understand it. Often this step can be the longest in this process. Before starting to troubleshoot a problem, answer these questions:

• Where and when did the problem occur?

• Has it ever worked before? If the unit never worked properly, you may not want to spend time troubleshooting something that could well be defective.

• Does your configuration rely on HTTPS or SSL? If yes, make sure your certificate is loaded and valid.

• Where does the problem lie? Be specific. Do not assume the problem being experienced is the actual problem. First determine if the problem lies elsewhere before starting to troubleshoot the FortiWeb unit.

• Is it a connectivity issue? Can your FortiWeb unit communicate with your network and the Internet? Is there a connection to a DNS server?

• Is there more than one thing not working? Make a list.

• Is it partly working? If so, what parts are working? Make a list.

• Can the problem be reproduced at will, or is it intermittent? An intermittent problem can be difficult to troubleshoot due to the difficulty of reproducing the issue.

• Are the servers covered by a server policy working? Has a policy been disabled? Check the Server Status widget on the dashboard.


• Is your system overloaded? View the Resource Monitor on the dashboard. View the traffic log. (If there is no traffic log, someone likely turned that feature off. See “Enabling logging” on page 327.)

• Is your system under attack? View the Attack Event History on the dashboard. View the attack log.

• What has changed? Do not assume that nothing has changed in the network. Use the FortiWeb event log to see if something changed in the configuration. If something did change, see what the effect is when you roll back the change.

• After determining the scope of the problem and isolating it, what servers does it affect?

Once the problem is defined, you can search for a solution and then create a troubleshooting plan to solve it.

Search for a known solution

You can save time and effort during the troubleshooting process by checking if other FortiWeb administrators experienced a similar problem before. First check within your organization. Next, access the Fortinet online resources that provide valuable information about FortiWeb technical issues.

Technical documentation

FortiWeb installation guides, administration guides, quick start guides, and other technical documents are available online at:

http://docs.fortinet.com/fweb.html

Also check the release notes for your FortiWeb unit.

Knowledge Base

The Fortinet Knowledge Base includes a variety of articles, white papers, and other documentation providing technical insight into a range of Fortinet products at:

http://kb.fortinet.com

Fortinet technical discussion forums

Administrators can exchange experiences and tips related to their Fortinet products through an online technical forum at:

http://support.fortinet.com/forum

Fortinet training services online campus

The Fortinet Online Campus hosts a collection of tutorials and training materials which can help increase your knowledge of the Fortinet products at:

http://campus.training.fortinet.com

Create a troubleshooting plan

Once you fully define the problem or problems, begin creating a troubleshooting plan. The plan should list all possible causes of the problems that you can think of, and how to test for each cause.

The plan will act as a checklist so that you know what you have tried and what is left to check. The checklist is helpful if more than one person will be troubleshooting: without a written plan, people can easily become confused and steps skipped. Also, if you have to pass the problem-solving to someone else, providing a detailed list of what data you gathered and what solutions you tried demonstrates professionalism.

Be ready to add steps to your plan as needed. After you are part way through, you may discover that you forgot some tests, or a test you performed discovered new information. This is normal.

Check your access

Make sure your administrator account has the permissions you need to run all diagnostic tests and to make configuration changes. Also, you may need access to other networking equipment such as switches, routers, and servers to help you test. If you do not normally have access to this equipment, contact your network administrator for assistance.

Gather system information

Your FortiWeb unit provides many features to aid in troubleshooting and performance monitoring. Use the web-based manager's dashboard and the CLI commands to define the scope and details of your problem. Keep track of the information you gather; Fortinet customer support may request it if you contact them for assistance.

Tip: Check to make sure the FortiWeb unit’s attack signature update license has not expired. You should be working with the latest attack signatures and other updates.

Table 141: Web-based manager information gathering features

System > Status > Status
    Displays the firmware version, serial number, host name, HA status, and up-time in the System Information widget. Displays CPU usage and memory usage in the System Resources widget. Shows server connectivity status in the Server Status column.

System > Network > Interface
    Displays details about each configured system interface (port).

Router > Static > Static Route
    Displays a list of configured static routes including their IPs, masks, and gateways.

Server Policy > Policy > Policy
    Shows server status in the Enable and Status columns.

Logs&Report > Log Access
    Provides access to the event, traffic, and attack logs. For the attack and traffic logs, use the Packet Log and Detail icons to drill in to any entry for greater detail.

Logs&Report > Report Browse
    Provides access to preconfigured log reports.

Table 142: CLI information gathering features

diagnose debug crashlog show
    Displays details on application proxies that have backtraces, traps, and registration dumps.

diagnose debug flow <params>
    Traces the flow of packets through the FortiWeb unit.

diagnose hardware cpu list
    Displays a list of specifications and settings for each CPU in the unit.

diagnose hardware interrupts list
    Displays a list of specifications and settings for all interrupts for each CPU.

diagnose hardware mem list
    Displays memory usage details.

diagnose hardware nic list <interface>
    Displays a list of specifications and settings for the specified network interface port.

diagnose network arp list
    Displays the contents of the address resolution protocol (ARP) table.

diagnose network route list
    Displays all routes in the routing table including their type, source, and other data.

diagnose network sniffer packet <params>
    Performs a packet trace on a specified network interface.

diagnose system top <params>
    Displays a list of the most system-intensive processes.

execute ping <dest>
    Tests connectivity to other devices on your network or elsewhere.

execute time
    Displays the system time.

execute traceroute <dest>
    Traces the route of packets between your FortiWeb unit and a specified server.

get log <log-type>
    Retrieves the log type specified: event-log, traffic-log, attack-log.

get log reports <name>
    Provides access to the named log report.

get router all
    Displays a list of configured static routes including their IPs, masks, and gateways.

get system interface
    Displays details about each configured system interface (port).

get system performance
    Displays CPU usage, memory usage, and up-time.

get system status
    Provides the firmware version, serial number, BIOS, host name, and HA status.

The above CLI commands explain how to display data. Many of these commands also have options for modifying data. For CLI command syntax details for these and other commands, see the FortiWeb CLI Reference.

Before using a diagnose debug command, make sure to enable the debug feature by entering:

diagnose debug enable

Check port assignments

There are 65 535 ports available for each of the TCP and UDP stacks that applications can use when communicating with each other. If someone recently changed a FortiWeb or network port, that may be part of your problem. For a list of ports used by FortiWeb, see “Appendix E: Ports used by FortiWeb” on page 403.

In addition, some ports may be assigned to other Fortinet appliances on your network. See the Fortinet Knowledge Base article, "Traffic Types and TCP/UDP Ports used by Fortinet Products" at:

http://kb.fortinet.com

Troubleshoot connectivity issues

This section includes troubleshooting questions related to connectivity issues.

• Are all cables and interfaces connected properly? See “Check hardware connections” on page 374.

• Are you experiencing packet loss or device connectivity problems? See “Run ping and traceroute” on page 374.


• Are there routes in the routing table for default and static routes? Do all connected subnets have a route in the routing table? See “Verify the contents of the routing table” on page 377.

• Are the ARP table entries correct for the next-hop destination? See “Verify the contents of the ARP table” on page 377.

• Is traffic entering the FortiWeb unit and, if so, does it arrive on the expected interface? Is the traffic exiting the FortiWeb unit to the expected destination? Is the traffic being sent back to the originator? Perform a sniffer trace. See “Perform a sniffer trace” on page 377. Debug the packet flow. See “Debug the packet flow” on page 378.

Check hardware connections

If there is no traffic flowing from the FortiWeb unit, it may be a hardware problem.

To check hardware connections

• Ensure the network cables are properly plugged in to the interfaces on the FortiWeb unit.
• Ensure there are connection lights for the network cables on the unit.
• Change the cable if the cable or its connector are damaged or you are unsure about the cable’s type or quality.
• Connect the FortiWeb unit to different hardware to see if that makes a difference.
• In the web-based manager, select Status > Network > Interface and ensure the link status is up (up arrow on green circle) for the interface. If the status is down (down arrow on red circle), click Bring Up next to it in the Status column.

You can also enable an interface in the CLI, for example:

config system interface
  edit port2
    set status up
  end

If any of these checks solve the problem, it was a hardware connection issue. You should still perform some basic software tests to ensure complete connectivity. If the hardware connections are correct and the unit is powered on but you cannot connect using the CLI or web-based manager, you may be experiencing bootup problems. See “Troubleshoot bootup issues” on page 381.

Run ping and traceroutePing and traceroute are useful tools in network troubleshooting. Both tools accept either IP addresses or fully-qualified domain names as parameters. This can help you determine why particular services, such as email or web browsing, are not working properly.

Both ping and traceroute require particular ports to be open on firewalls to function. Since you typically use these tools to troubleshoot, you can allow them in the firewall policies and on interfaces only when you need them, and otherwise keep the ports disabled for added security.

Note: If ping does not work, you likely have it disabled on at least one of the interface settings, and firewall policies for that interface.


Check connections with ping

The ping command sends a small data packet to the destination and waits for a response. The response has a timer that may expire, indicating the destination is unreachable. Ping is part of Layer 3 of the OSI networking model. Ping sends Internet Control Message Protocol (ICMP) “echo request” packets to the destination, and listens for “echo response” packets in reply. However, many public networks block ICMP packets because ping can be used in a denial of service (DoS) attack, or by an attacker to find active locations on the network. By default, FortiWeb units have ping enabled.

If ping does not work from your FortiWeb unit, make sure it was not disabled. Go to System > Network > Interface. Examine the list of allowed protocols in the Access column for the port used by the web-based manager (usually port1). If ping is not in the list, add it.

To enable ping

1 Go to System > Network > Interface.
2 Click the Edit icon in the applicable row. A dialog appears.
3 Select PING on the Edit Interface dialog.
4 Click OK.

What ping can tell you

Beyond the basic connectivity information, ping tells you the amount of packet loss (if any), how long it takes the packet to make the round trip, and the variation in that time from packet to packet.

If ping shows any packet loss, you should investigate:

• possible ECMP, split horizon, or network loops
• cabling to ensure no loose connections

If ping shows total packet loss, you should investigate:

• hardware to ensure cabling is correct
• all equipment between the two locations to determine they are properly connected
• addresses and routes to ensure all IP addresses and routing information along the route is configured as expected
• firewalls to ensure they are set to allow ping to pass through

How to use ping

You can ping from the FortiWeb unit in the CLI Console widget of the web-based manager or through the CLI. For example:

execute ping 172.20.120.169

See the execute ping command in the FortiWeb CLI Reference for an explanation of the command output, and see execute ping-options for a description of the many options to tailor the ping response to your needs.

If the FortiWeb web-based manager and CLI are not available, you can run ping on a Windows or Linux PC.


To ping a device from a Windows PC

1 Open a command window.
  • In Windows XP, select Start > Run, enter cmd, and select OK.
  • In Windows 7, select the Start icon, enter cmd in the search box, and select cmd.exe from the list.
2 In the command window, enter the ping command and an IP address, for example:

ping 172.20.120.169

Ping options include:

• -t, to send packets until you press Control-C
• -a, to resolve addresses to domain names where possible
• -n x, where x is an integer stating the number of packets to send

To ping a device from a Linux PC

1 Go to a command line prompt.
2 Enter the ping command and an IP address (the original text gave the path /bin/etc/ping, which does not exist on Linux; ping is on the standard PATH), for example:

ping 172.20.120.169

Check routes with traceroute

Traceroute sends ICMP packets to test each hop along the route. It sends three packets, and then increases the time to live (TTL) setting by one each time. This effectively allows the packets to go one hop farther along the route. This explains why most traceroute commands display their maximum hop count before they start tracing the route: that is the maximum number of steps it will take before declaring the destination unreachable. Also, the TTL setting may result in steps along the route timing out due to slow responses. There are many possible reasons for this to occur.

Traceroute by default uses UDP with destination ports numbered from 33434 to 33534. The traceroute utility usually has an option to specify use of ICMP echo request (type 8) instead, as used by the Windows tracert utility. If you have a firewall and you want traceroute to work from both machines (Unix-like systems and Windows) you will need to allow both protocols inbound through your firewall (UDP with ports from 33434 to 33534 and ICMP type 8).

What traceroute can tell you

Where ping only tells you if the signal reached its destination and came back successfully, traceroute shows each step of its journey to its destination and how long each step takes. If ping finds an outage between two points, use traceroute to locate exactly where the problem is. The traceroute output can identify other problems, such as an inability to connect to a DNS server.

How to use traceroute

You can run a route trace from the FortiWeb unit in the CLI Console widget of the web-based manager or through the CLI, for example:

execute traceroute docs.fortinet.com

See the execute traceroute command in the FortiWeb CLI Reference for an explanation of the command output.

If the FortiWeb web-based manager and CLI are not available, you can trace a route on a Windows or Linux PC.


To use traceroute on a Windows PC

1 Open a command window.
  • In Windows XP, select Start > Run, enter cmd, and select OK.
  • In Windows 7, select the Start icon, enter cmd in the search box, and select cmd.exe from the list.
2 Enter the tracert command to trace the route from the host PC to the destination web site, for example:

tracert fortinet.com

In the tracert output, the first, or left, column is the hop count, which cannot go over 30 hops. The second, third, and fourth columns are how long each of the three packets takes to reach this stage of the route. These values are in milliseconds and normally vary quite a bit. Typically a value of <1ms indicates a local connection. The fifth, or far right, column is the domain name of that device and its IP address, or possibly just the IP address.

To use traceroute on a Linux PC

1 Go to a command line prompt.
2 Enter the traceroute command and a destination (the original text gave the path /bin/etc/traceroute, which does not exist on Linux; traceroute is on the standard PATH), for example:

traceroute fortinet.com

The Linux traceroute output is very similar to the MS Windows tracert output.
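As an added example (not from the guide and not a FortiWeb tool), the following Python parses the tracert column layout described above and picks out the first hop that answered none of its three probes, which is the point the text says traceroute is used to locate once ping has reported an outage. The sample output is constructed for this example using documentation address ranges.

```python
"""Added example (not from the FortiWeb guide): parse tracert output.

Reads the column layout the guide describes (hop count, three round-trip
times in ms, then host name and/or IP) and locates the first hop that
returned no reply. The sample output is constructed, not captured.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample using documentation address ranges; not a real trace.
SAMPLE_TRACERT = """
Tracing route to www.example.com [198.51.100.7]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     3 ms     2 ms     3 ms  gw.example.net [203.0.113.1]
  3     *        *        *     Request timed out.
  4    20 ms    19 ms    21 ms  198.51.100.7

Trace complete.
"""

# A hop line: hop number, exactly three probe results, then the host column.
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+\s*ms|\*)\s+){3})(.+?)\s*$")
# One probe result: "<1 ms", "20 ms" or "*" (no reply before the timer expired).
PROBE_RE = re.compile(r"<?(\d+)\s*ms|\*")
# Host column is either "name [ip]" or a bare IPv4 address.
HOST_RE = re.compile(r"^(?P<name>\S+)\s+\[(?P<ip>[^\]]+)\]$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Hop:
    hop: int
    rtts_ms: List[Optional[int]]  # None where tracert printed "*"; "<1 ms" is stored as 1
    name: Optional[str]
    ip: Optional[str]

    def replied(self) -> bool:
        """True if at least one of the three probes got an answer."""
        return any(rtt is not None for rtt in self.rtts_ms)


def _parse_host(column: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'name [ip]', a bare IP, or the 'Request timed out.' text."""
    m = HOST_RE.match(column)
    if m:
        return m.group("name"), m.group("ip")
    if IPV4_RE.match(column):
        return None, column
    return None, None  # "Request timed out." carries no address


def parse_tracert(text: str) -> List[Hop]:
    """Return one Hop per hop line; header, blank and trailer lines are skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        # findall yields the digit group, or '' for a "*" probe.
        rtts = [int(tok) if tok else None for tok in PROBE_RE.findall(m.group(2))]
        name, ip = _parse_host(m.group(3))
        hops.append(Hop(int(m.group(1)), rtts, name, ip))
    return hops


def first_silent_hop(hops: List[Hop]) -> Optional[int]:
    """Hop number of the first hop that answered none of its probes, or None."""
    for hop in hops:
        if not hop.replied():
            return hop.hop
    return None


def worst_rtt_ms(hops: List[Hop]) -> Optional[int]:
    """Largest round-trip time among probes that did reply, or None."""
    rtts = [r for hop in hops for r in hop.rtts_ms if r is not None]
    return max(rtts) if rtts else None


if __name__ == "__main__":
    parsed = parse_tracert(SAMPLE_TRACERT)
    for hop in parsed:
        print(hop.hop, hop.rtts_ms, hop.name or "-", hop.ip or "-")
    print("first silent hop:", first_silent_hop(parsed))  # 3
    print("worst rtt (ms):", worst_rtt_ms(parsed))        # 21
```

A single silent hop followed by replying hops, as in the sample, usually means that router rate-limits or drops probe replies rather than that traffic is lost; a silent hop after which nothing replies is the one to investigate.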

Verify the contents of the routing table

When you have little connectivity, a good place to look for information is the routing table. The routing table is where the FortiWeb unit stores currently used static routes. If a route is in the routing table, it saves the time and resources of a lookup. If a route was not used for a while and a new route needs to be added, the oldest, least-used route is bumped if the routing table is full. This ensures the most recently used routes stay in the table. To check the routing table in the CLI, enter:

diagnose network route list

Verify the contents of the ARP table

When you have poor connectivity, another good place to look for information is the address resolution protocol (ARP) table. A functioning ARP is especially important in high-availability configurations.

To check the ARP table in the CLI, enter:

diagnose network arp list

Perform a sniffer trace

When troubleshooting networks, and routing in particular, it helps to look inside the headers of packets to determine if they are traveling along the route you expect. Packet sniffing is also called a network tap, packet capture, or logic analyzing.


What can sniffing packets tell you

Packet sniffing can tell you if the traffic is reaching its destination, what the port of entry is on the FortiWeb unit, if the ARP resolution is correct, and if the traffic is being sent back to the source as expected. Packet sniffing can also tell you if the FortiWeb unit is silently dropping packets.

To sniff packets

The general form of the internal FortiWeb packet sniffer command is:

diagnose network sniffer packet <interface_name> <filter_str> <verbose-level> <count_int>

This example checks network traffic on port1, with no filter, and captures 10 packets:

diagnose network sniffer packet port1 none 1 10

See the FortiWeb CLI Reference for an explanation of the command and its parameters.

Debug the packet flow

If you have determined that network traffic is not entering and leaving the FortiWeb unit as expected, debug the packet flow using the CLI. This operation requires you to enter several debug commands to set the policy to use and then to set the server IP to apply the policy to, for example:

diagnose debug enable
diagnose debug flow filter policy policy-name Policy1
diagnose debug flow filter policy source-ip 172.20.120.27

See the FortiWeb CLI Reference for an explanation of the command and its parameters.

Troubleshoot resource issues

This section includes troubleshooting questions related to sluggish or stalled performance.

• Is a process hogging system resources? Check for a misbehaving process. See “Look for system-intensive processes” on page 378.

• Is a server under attack? See “Prepare for attacks” on page 379.

• Has there been a sustained spike in HTTP traffic related to a specific policy? See “Monitor traffic” on page 379.

Look for system-intensive processes

Use the CLI to view a list of the most system-intensive processes. This may show processes that are hogging resources. For example:

diagnose system top 10

The above command generates a report of processes every 10 seconds. The report provides the process names, their process ID (pid), status, CPU usage, and memory usage. The report continues to refresh and display in the CLI window until you enter q (quit).

Note: If you configure virtual IP addresses on your FortiWeb unit, it will use those addresses in preference to the physical IP addresses. You will notice this when you are sniffing packets because all traffic will use the virtual IP addresses. This is due to the ARP update that is sent out when the virtual IP address is configured.

Monitor traffic

Heavy or unusual traffic loads can cause problems. In the FortiWeb unit's web-based manager, you can view traffic two ways:

• Monitor current HTTP traffic on the dashboard. Go to System > Status > Status and examine the graphs in the Policy Summary widget.
• Examine traffic history in the traffic log. Go to Logs & Report > Log Access > Traffic.

Prepare for attacks

A prolonged denial of service (DoS) or brute-force login attack (to name just a few attack types) can bring a system to a standstill if your unit is not prepared for it. In the FortiWeb unit's web-based manager, you can watch for attacks in two ways:

• Monitor current HTTP traffic on the dashboard. Go to System > Status > Status and examine the attack event history graph in the Policy Summary widget.
• Examine attack history in the traffic log. Go to Logs & Report > Log Access > Attack.

If attacks occur, use the FortiWeb unit's rich feature set to configure attack defenses. For a list of attack types and suggested defenses, see “Characteristics of XML threats” on page 15 and “Characteristics of HTTP threats” on page 16.
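The "sustained spike in HTTP traffic related to a specific policy" that the resource and attack sections ask you to look for can be checked mechanically once the traffic log has been exported. The following script is an added example and not part of the guide or of FortiWeb; it works on constructed (timestamp, server policy) records rather than FortiWeb's own log format, buckets them into fixed windows, and reports only policies whose request count stays above a threshold for several consecutive windows, so that a single busy minute is not mistaken for a sustained spike. The window size, threshold and record layout are all assumptions to adapt to a real export.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample traffic-log records (not FortiWeb's own log format):
# (timestamp, server policy name). "Policy1" receives a burst that lasts
# two full minutes; "Policy2" receives a one-minute burst only.
SAMPLE_RECORDS = (
    [("2011-06-16 10:00:%02d" % s, "Policy1") for s in range(0, 60, 10)]    # 6 hits
    + [("2011-06-16 10:01:%02d" % s, "Policy1") for s in range(0, 56, 8)]   # 7 hits
    + [("2011-06-16 10:02:%02d" % s, "Policy1") for s in (5, 40)]           # 2 hits
    + [("2011-06-16 10:00:%02d" % s, "Policy2") for s in range(0, 60, 10)]  # 6 hits
    + [("2011-06-16 10:01:30", "Policy2")]                                   # 1 hit
)

EPOCH = datetime(1970, 1, 1)


def count_per_window(records, window_seconds=60):
    """Bucket records into fixed windows: {policy: {window_index: count}}.

    Window indexes are derived from a naive epoch so the result does not
    depend on the local time zone of the machine running the script.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for timestamp, policy in records:
        parsed = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
        seconds = (parsed - EPOCH).total_seconds()
        counts[policy][int(seconds // window_seconds)] += 1
    return counts


def sustained_spikes(records, window_seconds=60, threshold=5, min_windows=2):
    """Return the sorted names of policies whose request count exceeded
    `threshold` in at least `min_windows` consecutive windows.

    A single busy window is noise; a run of busy windows is the sustained
    spike worth correlating with the dashboard graph and the attack log.
    """
    flagged = []
    for policy, buckets in count_per_window(records, window_seconds).items():
        run, prev = 0, None
        for idx in sorted(buckets):
            if buckets[idx] > threshold:
                # Extend the run only if this window directly follows the last one.
                run = run + 1 if prev == idx - 1 else 1
            else:
                run = 0
            prev = idx
            if run >= min_windows:
                flagged.append(policy)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for name in sustained_spikes(SAMPLE_RECORDS):
        print("sustained spike on policy:", name)
```

With the constructed records only Policy1 is reported, because Policy2's burst fits inside one window; lowering min_windows to 1 reports both, which is the kind of over-sensitive setting that turns the report into noise.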

Troubleshoot user and admin login issues

A common problem is the inability of users or administrators to log in. There are a number of potential reasons for these problems. Once the source of the problem is found, the administrator should follow the appropriate policies to resolve the problems, notifying affected users if warranted.

Use correct user name and password combination for user

This may be obvious, but it should be the first thing to check. While there are valid reasons for users to forget login information or enter the wrong information, it may actually be someone trying to use someone else's credentials to gain illegal access to the company network. If this is the case, you do not want to waste time on any additional troubleshooting. Also, if this is the case, it will generally be a single user with problems instead of a group of users.

Check user authentication policies

In FortiWeb, users are organized into groups. Groups are part of authentication policies. If several users have authentication problems, it is possible someone changed an authentication policy or user group memberships. If a user is legitimately having an authentication problem, you need to find out where the problem lies.

To troubleshoot user access

1 In the web-based manager, go to User > User Group and examine each group to locate the name of the problem user.

2 Note the user group to which the affected users belong, especially if multiple affected users are part of one group. If the user is not a group member, there is no access.


3 Go to Web Protection > Authentication Policy > Authentication Rule and determine which rule contains the problem user group. If the user group is not part of a rule, there is no access.

4 Go to Web Protection > Authentication Policy > Authentication Policy and locate the policy that contains the rule governing the problem user group. If the rule is not part of a policy, there is no access.

5 Go to Web Protection > Web Protection Profile > Inline Protection Profile and determine which profile contains the related authentication policy. If the policy is not part of a profile, there is no access.

6 Make sure that inline protection profile is included in the server policy that applies to the server the user is trying to access. If the profile is not part of the server policy, there is no access.

Authentication involves user groups, authentication rules and policy, inline protection policy, and finally, server policy. If a user is not in a user group used in the policy for a specific server, the user will have no access.
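The six-step walk above is a chain of memberships, and every missing link yields the same symptom (no access), so it is worth scripting the walk over a configuration export. The following is an added example, not FortiWeb's own code or API: it models the objects named in the procedure (user groups, authentication rules, authentication policies, inline protection profiles, server policies) as a constructed dictionary with hypothetical object names, and reports the first step at which the chain from user to server policy breaks.

```python
# Constructed FortiWeb-style configuration snapshot (hypothetical object
# names, not exported from a real unit). Each mapping mirrors one step of
# the troubleshooting procedure.
CONFIG = {
    # User > User Group: group name -> member user names
    "user_groups": {"web-users": ["alice", "bob"], "contractors": ["carol"]},
    # Authentication Rule: rule name -> the one user group it applies to
    "auth_rules": {"rule-intranet": "web-users", "rule-ext": "contractors"},
    # Authentication Policy: policy name -> rules it contains
    "auth_policies": {"auth-pol-1": ["rule-intranet"]},
    # Inline Protection Profile: profile -> authentication policy (or None)
    "inline_profiles": {"profile-A": "auth-pol-1", "profile-B": None},
    # Server policy -> inline protection profile it applies
    "server_policies": {"srv-intranet": "profile-A", "srv-public": "profile-B"},
}


def trace_user_access(config, user, server_policy):
    """Walk user -> group -> rule -> authentication policy ->
    inline protection profile -> server policy.

    Returns (True, profile_name) when every link exists, otherwise
    (False, reason) naming the procedure step at which the chain breaks.
    """
    groups = [g for g, members in config["user_groups"].items() if user in members]
    if not groups:
        return False, "step 2: user %r is not a member of any user group" % user

    rules = [r for r, g in config["auth_rules"].items() if g in groups]
    if not rules:
        return False, "step 3: groups %s are not used by any authentication rule" % groups

    policies = [p for p, rs in config["auth_policies"].items() if set(rs) & set(rules)]
    if not policies:
        return False, "step 4: rules %s are not part of any authentication policy" % rules

    profiles = [pr for pr, pol in config["inline_profiles"].items() if pol in policies]
    if not profiles:
        return False, "step 5: policies %s are not used by any inline protection profile" % policies

    used = config["server_policies"].get(server_policy)
    if used not in profiles:
        return False, "step 6: server policy %r uses profile %r, not one of %s" % (
            server_policy, used, profiles)

    return True, used


if __name__ == "__main__":
    checks = (("alice", "srv-intranet"), ("carol", "srv-intranet"),
              ("alice", "srv-public"), ("dave", "srv-intranet"))
    for user, srv in checks:
        ok, detail = trace_user_access(CONFIG, user, srv)
        print("%-6s -> %-13s %s  %s" % (user, srv, "ACCESS" if ok else "NO ACCESS", detail))
```

Run as a script it shows one user passing and three failing at different steps (no group, no policy containing the group's rule, and a server policy that applies a profile without an authentication policy), which is the information the six manual steps are meant to surface.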

Change an administrator's password

Any manager with write privileges to Admin Users in their access profile (admingrp in the CLI) can reset an administrator password, if they know the current password. Sometimes administrators forget their passwords. There is just one administrator with the authority to reset other administrators’ passwords without knowing their current password. That is the default administrator, admin.

Trusted hosts for admin account will not allow current IP

A trusted host is a secure location from which an administrator logs in. For example, on a secure network an administrator can log in from an internal subnet but not from the Internet. If an external administrator login is required, a secure VPN tunnel can be established with a set IP address or range of addresses that are entered as a trusted host address. Trusted host login issues occur when an administrator attempts to log in from an IP address that is not included in the trusted host list.

To verify trusted host login issues

1 Record the IP address from which the administrator is attempting to log in to the FortiWeb unit.

2 Log in to the web-based manager and go to System > Admin > Administrators.

3 Select the administrator account in question and click the Edit icon.

4 Compare the list of trusted hosts to the problem IP address. If there is a match, the problem is not due to trusted hosts.

5 If there is no match and the new address is valid (secure), add it to the list of trusted hosts.

6 Select OK. If the problem was due to trusted hosts, the administrator can now log in.
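Step 4 is a containment check: the problem address either falls inside one of the account's trusted host entries or it does not. The following added example (not FortiWeb's code; the trusted host list and the addresses tested are constructed) performs that comparison with Python's ipaddress module, accepting entries written either as address/netmask or as address/prefix length. It also flags entries so broad that they defeat the purpose of the list, such as 0.0.0.0/0, which is the weak setting to look for when an administrator asks for "just add my address" and the list already admits everyone.

```python
import ipaddress

# Constructed trusted-host list for one administrator account (hypothetical
# values). Entries may be written as address/netmask or address/prefix;
# ipaddress.ip_network accepts both forms.
TRUSTED_HOSTS = [
    "10.0.1.0/255.255.255.0",   # internal management subnet
    "172.20.120.27/32",         # one fixed address reached over a VPN tunnel
]


def trusted_host_allows(trusted_hosts, source_ip):
    """Return (True, entry) for the first trusted-host entry that contains
    source_ip, or (False, None) if no entry matches.

    Mirrors step 4 of the procedure: a match means trusted hosts are not
    the cause of the login failure.
    """
    addr = ipaddress.ip_address(source_ip)
    for entry in trusted_hosts:
        network = ipaddress.ip_network(entry, strict=False)
        if addr in network:  # an IPv4/IPv6 mismatch simply evaluates to False
            return True, entry
    return False, None


def overly_broad_entries(trusted_hosts, max_hosts=256):
    """Return entries that admit more than max_hosts addresses.

    A trusted host list is meant to pin administration to a few secure
    locations; 0.0.0.0/0 (every address) is always reported here.
    """
    return [
        entry for entry in trusted_hosts
        if ipaddress.ip_network(entry, strict=False).num_addresses > max_hosts
    ]


if __name__ == "__main__":
    for ip in ("10.0.1.77", "172.20.120.27", "203.0.113.9"):
        ok, entry = trusted_host_allows(TRUSTED_HOSTS, ip)
        verdict = "allowed by %s" % entry if ok else "no matching trusted host"
        print("%-16s %s" % (ip, verdict))
    for entry in overly_broad_entries(TRUSTED_HOSTS + ["0.0.0.0/0"]):
        print("overly broad trusted host entry:", entry)
```

A non-match is only the diagnosis; whether the new address is added (step 5) remains the judgement about whether the location is secure, which the script cannot make for you.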


Troubleshoot bootup issues

This section addresses problems you may experience in rare cases when powering on your FortiWeb unit. If you continue to have problems, please contact customer support for assistance.

When you cannot connect to the FortiWeb unit through the network using the CLI or the web-based manager, connect a PC directly to the FortiWeb unit's management console using a serial connection. (The cable varies with the FortiWeb model. See the model's Quick Start Guide for details.) Open a terminal emulation interface, such as HyperTerminal, to act as the console.

The issues covered in this section all refer to various potential bootup issues. Once you have a direct cable link to the FortiWeb unit, work through the following steps and keep a copy of the console's output messages. If you have multiple problems, go to the problem closest to the top of the list first, and work your way down.

• A. Do you see the boot options menu
• B. Do you have problems with the console text
• C. Do you have visible power problems
• D. You have a suspected defective FortiWeb unit

A. Do you see the boot options menu

1 Do you see the boot options menu?

• If no, ensure your serial communication parameters are set to no flow control, check that the correct baud rate is set (usually 9600, data bits 8, parity none, stop bits 1), and reboot the FortiWeb unit by powering off and on.
• If that fixes your problem, you are done.
• If it does not fix your problem, go to C. Do you have visible power problems.

B. Do you have problems with the console text

1 Do you see any console messages?

• If no, go to C. Do you have visible power problems.
• If yes, continue.

2 Are there console messages but the text is garbled on the screen?

• If yes, ensure your console communication settings are correct for your unit (such as baud rate 9600, data bits 8, parity none, stop bits 1). Check the FortiWeb Quick Start Guide for settings specific to your model.
• If that fixes the problem, you are done.

3 Do the console messages stop before the prompt: Press Any Key to Download Boot Image?

• If yes, go to D. You have a suspected defective FortiWeb unit.
• If no, follow the console instruction Press any key to Download Boot Image and go to the next step.

4 When pressing a key, do you see one of the following messages?

Note: It is rare that units experience any of the symptoms listed here. Fortinet hardware is reliable with a long expected operation life.


[G] Get Firmware image from TFTP server
[F] Format boot device
[B] Boot with backup firmware and act as default
[Q] Quit menu and continue to boot with default firmware
[H] Display this list of options

• If yes, go to D. You have a suspected defective FortiWeb unit.
• If no, ensure your serial communication parameters are set to no flow control, and check that the correct baud rate is set. To find the unit's current baud rate using the CLI, enter these commands:

config system console
get

Change settings if needed and reboot the FortiWeb unit by powering off and on.

5 Did the reboot fix the problem?

• If that fixes your problem, you are done.
• If that does not fix your problem, go to D. You have a suspected defective FortiWeb unit.

C. Do you have visible power problems

1 Is any LED lit on the FortiWeb unit?

• If no, ensure power is on. If that fixes the problem, you are done. If not, continue.
• If yes, continue.

2 Do you have an external power adapter?

• If no, go to D. You have a suspected defective FortiWeb unit.
• If yes, try replacing the power adapter.

3 Is the power supply defective?

• If no, go to D. You have a suspected defective FortiWeb unit.
• If yes, replace the power supply and begin the tests again at A. Do you see the boot options menu.

D. You have a suspected defective FortiWeb unit

If you followed the previous steps and determined there is a good chance your unit is defective, contact Fortinet customer support.

Contact Fortinet customer support for assistance

After you have defined your problem, researched a solution, created a plan, and executed that plan, and if you have still not solved the problem, it is time to contact Fortinet customer support for assistance.

To receive technical support and service updates, your Fortinet product must be registered. Registration, support programs, assistance, and regional phone contacts are available at the following URL:

https://support.fortinet.com


When you are registered and ready to contact support:

1 Prepare the following information first:

• your contact information
• the firmware version
• a recent server policy configuration
• access to recent event, traffic and attack logs
• a network topology diagram and IP addresses
• a list of troubleshooting steps performed so far and the results

For bootup problems:

• provide all console messages and output
• if you suspect a hard disk issue, provide your evidence

2 Document the problem and the steps you took to define the problem.

3 Open a support ticket. For details on using the Fortinet support portal and providing the best information, see the Knowledge Base article, "Fortinet Support Portal for Product Registration, Contract Registration, Ticket Management, and Account Management" at:

http://kb.fortinet.com


Installing new firmware

Fortinet periodically releases FortiWeb firmware updates to include enhancements and address issues. After you have registered your FortiWeb unit, FortiWeb firmware is available for download at http://support.fortinet.com.

Installing new firmware can overwrite attack signature packages with the versions of the packages that were current at the time that the firmware image was built. To avoid repeat updates, update the firmware before updating your FortiGuard packages.

New firmware can also introduce new features which you must configure for the first time. For late-breaking information specific to the firmware release version, see the Release Notes available with that release.

This chapter includes the following topics:

• Testing new firmware before installing it
• Installing firmware
• Installing backup firmware
• Restoring firmware

Testing new firmware before installing it

You can test a new firmware image by temporarily running it from memory, without saving it to disk. By keeping your existing firmware on disk, if the evaluation fails, you do not have to re-install your previous firmware. Instead, you can quickly revert to your existing firmware by simply rebooting the FortiWeb unit.

To test a new firmware image

1 Download the firmware file from the Fortinet Technical Support web site, https://support.fortinet.com/.

2 Connect your management computer to the FortiWeb console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.

3 Initiate a connection from your management computer to the CLI of the FortiWeb unit. For details, see the FortiWeb Install and Setup Guide.

4 Connect port1 of the FortiWeb unit directly or to the same subnet as a TFTP server.

5 Copy the new firmware image file to the root directory of the TFTP server.

Note: In addition to major releases that contain new features, Fortinet releases patch releases that resolve specific issues without containing new features and/or changes to existing features. It is recommended to download and install patch releases as soon as they are available.

Note: Before you can download firmware updates for your FortiWeb unit, you must first register your FortiWeb unit with Fortinet Technical Support. For details, go to http://support.fortinet.com/ or contact Fortinet Technical Support.


6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach the TFTP server. To use the FortiWeb CLI to verify connectivity, enter the following command:

execute ping 192.168.1.168

where 192.168.1.168 is the IP address of the TFTP server.

7 Enter the following command to restart the FortiWeb unit:

execute reboot

8 As the FortiWeb unit starts, a series of system startup messages appear.

Press any key to display configuration menu........

9 Immediately press a key to interrupt the system startup.

If you successfully interrupt the startup process, the following messages appear:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:

Please connect TFTP server to Ethernet port "1".

10 Type G to get the firmware image from the TFTP server. The following message appears:

Enter TFTP server address [192.168.1.168]:

11 Type the IP address of the TFTP server and press Enter. The following message appears:

Enter local address [192.168.1.188]:

12 Type a temporary IP address that can be used by the FortiWeb unit to connect to the TFTP server. The following message appears:

Enter firmware image file name [image.out]:

13 Type the firmware image file name and press Enter. The FortiWeb unit downloads the firmware image file from the TFTP server and displays a message similar to the following:

Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

14 Type R. The FortiWeb image is loaded into memory and uses the current configuration, without saving the new firmware image to disk.

15 To verify that the new firmware image has been loaded, log in to the CLI and type:

get system status

Note: You have only three seconds to press a key. If you do not press a key soon enough, the FortiWeb unit reboots and you must log in and repeat the execute reboot command.


16 Test the new firmware image.

• If the new firmware image operates successfully, you can install it to disk, overwriting the existing firmware, using the procedure “Installing firmware” on page 387.
• If the new firmware image does not operate successfully, reboot the FortiWeb unit to discard the temporary firmware and resume operation using the existing firmware.

Installing firmware

You can use either the web-based manager or the CLI to upgrade or downgrade the firmware of the FortiWeb unit. Firmware changes are either:

• an upgrade to a newer version
• a reversion to an earlier version

The firmware version number is used to determine if you are upgrading or reverting your firmware image. For example, if your current firmware version is FortiWeb-1000B 4.00,build0194,100119, changing to FortiWeb-1000B 4.00,build0192,091210, an earlier build number and date, indicates that you are reverting.

If you are installing a firmware version that requires a different size of system partition, you may be required to format the boot device before installing the firmware by re-imaging the boot device. In that case, do not install the firmware using this procedure. Instead, see “Restoring firmware” on page 391.
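Because a reversion can reset the configuration, it is worth knowing before you click Update whether the image you are about to install is older than the one running. The following added example (not part of the guide or of FortiWeb) parses the version string shown in the text, FortiWeb-1000B 4.00,build0194,100119, into model, version, build number and build date, and classifies the change as an upgrade, a reversion or no change, comparing version first, then build, then date. It also refuses to compare images for different models, which is an assumption added here rather than something the guide states. The regular expression is written for the format of that one string and may need adjusting for other models.

```python
import re
from datetime import datetime

# Matches the version string format shown in the guide, e.g.
# "FortiWeb-1000B 4.00,build0194,100119": model, version, build, YYMMDD date.
VERSION_RE = re.compile(
    r"^(?P<model>\S+)\s+(?P<version>\d+\.\d+),build(?P<build>\d+),(?P<date>\d{6})$"
)


def parse_firmware_version(text):
    """Split a FortiWeb firmware version string into comparable parts."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised firmware version string: %r" % text)
    return {
        "model": match.group("model"),
        "version": tuple(int(part) for part in match.group("version").split(".")),
        "build": int(match.group("build")),
        "date": datetime.strptime(match.group("date"), "%y%m%d").date(),
    }


def firmware_change_kind(current, target):
    """Classify the change from `current` to `target` as 'upgrade',
    'reversion' or 'same', comparing version, then build, then build date.

    Raises ValueError when the two strings name different models (an
    assumption of this example: an image for another model is never a
    valid upgrade or reversion).
    """
    cur, new = parse_firmware_version(current), parse_firmware_version(target)
    if cur["model"] != new["model"]:
        raise ValueError("model mismatch: %s vs %s" % (cur["model"], new["model"]))

    def key(parts):
        return parts["version"], parts["build"], parts["date"]

    if key(new) > key(cur):
        return "upgrade"
    if key(new) < key(cur):
        return "reversion"
    return "same"


if __name__ == "__main__":
    current = "FortiWeb-1000B 4.00,build0194,100119"
    target = "FortiWeb-1000B 4.00,build0192,091210"
    kind = firmware_change_kind(current, target)
    print("%s -> %s: %s" % (current, target, kind))
    if kind == "reversion":
        print("reversion may reset the configuration: back it up first")
```

For the two strings in the text the result is "reversion", matching the guide's reading of the lower build number and earlier date.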

To install firmware using the web-based manager

1 Download the firmware file from the Fortinet Technical Support web site, https://support.fortinet.com/.

2 Log in to the web-based manager of the FortiWeb unit as the admin administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category.

3 Go to System > Status > Status.

Caution: Back up your configuration before beginning this procedure. Reverting to an earlier firmware version could reset the configuration, including the IP addresses of network interfaces. For information on backups, see “Backing up and restoring configurations” on page 96. For information on reconnecting to a FortiWeb unit whose network interface configuration has been reset, see the FortiWeb Install and Setup Guide.


Figure 68: System Information widget

4 In the System Information widget, in the Firmware Version row, click Update. A browse window appears.

5 Click Browse to locate and select the firmware file that you want to install, then click OK.

6 Click OK. Your management computer uploads the firmware image to the FortiWeb unit. The FortiWeb unit installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection. If you are downgrading the firmware to a previous version, the FortiWeb unit reverts the configuration to default values for that version of the firmware. Either reconfigure the FortiWeb unit or restore the configuration file. For details, see the FortiWeb Install and Setup Guide and “Backing up and restoring configurations” on page 96.

7 Clear the cache of your web browser and restart it to ensure that it reloads the web-based manager and correctly displays all interface changes. For details, see your browser's documentation.

8 To verify that the firmware was successfully installed, log in to the web-based manager and go to System > Status > Status. Text appearing in the Firmware Version row indicates the currently installed firmware version.

9 Update the attack definitions.

To install firmware using the CLI

1 Download the firmware file from the Fortinet Technical Support web site, https://support.fortinet.com/.

2 Connect your management computer to the FortiWeb console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.

3 Initiate a connection from your management computer to the CLI of the FortiWeb unit, and log in as the admin administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. For details, see the FortiWeb Install and Setup Guide.

4 Connect port1 of the FortiWeb unit directly or to the same subnet as a TFTP server.

5 Copy the new firmware image file to the root directory of the TFTP server.

Note: Installing firmware replaces the current attack definitions with those included with the firmware release that you are installing. After you install the new firmware, make sure that your attack definitions are up-to-date. For more information, see “Uploading signature updates” on page 101.


6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach the TFTP server. To use the FortiWeb CLI to verify connectivity, enter the following command:

execute ping 192.168.1.168

where 192.168.1.168 is the IP address of the TFTP server.

7 Enter the following command to download the firmware image from the TFTP server to the FortiWeb unit:

execute restore image tftp <name_str> <tftp_ipv4>

where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image tftp image.out 192.168.1.168

One of the following messages appears:

This operation will replace the current firmware version!
Do you want to continue? (y/n)

or:

Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)

8 Type y. The FortiWeb unit downloads the firmware image file from the TFTP server. The FortiWeb unit installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection. If you are downgrading the firmware to a previous version, the FortiWeb unit reverts the configuration to default values for that version of the firmware. Either reconfigure the FortiWeb unit or restore the configuration file. For details, see the FortiWeb Install and Setup Guide and “Backing up and restoring configurations” on page 96.

9 To verify that the firmware was successfully installed, log in to the CLI and type:

get system status

The firmware version number is displayed.

10 Update the attack definitions.

Installing backup firmware

You can install backup firmware which can be loaded if the primary firmware fails.

To install backup firmware

1 Download the firmware file from the Fortinet Technical Support web site, https://support.fortinet.com/.

2 Connect your management computer to the FortiWeb console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.

Note: Installing firmware replaces the current attack definitions with those included with the firmware release that you are installing. After you install the new firmware, make sure that your attack definitions are up-to-date. For more information, see “Uploading signature updates” on page 101.


3 Initiate a connection from your management computer to the CLI of the FortiWeb unit, and log in as the admin administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. For details, see the FortiWeb Install and Setup Guide.

4 Connect port1 of the FortiWeb unit directly or to the same subnet as a TFTP server.

5 Copy the new firmware image file to the root directory of the TFTP server.

6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach the TFTP server. To use the FortiWeb CLI to verify connectivity, enter the following command:

execute ping 192.168.1.168

where 192.168.1.168 is the IP address of the TFTP server.

7 Enter the following command to restart the FortiWeb unit:

execute reboot

8 As the FortiWeb unit starts, a series of system startup messages appear.

Press any key to display configuration menu........

9 Immediately press a key to interrupt the system startup.

If you successfully interrupt the startup process, the following messages appear:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:

Please connect TFTP server to Ethernet port "1".

10 Type G to get the firmware image from the TFTP server. The following message appears:

Enter TFTP server address [192.168.1.168]:

11 Type the IP address of the TFTP server and press Enter. The following message appears:

Enter local address [192.168.1.188]:

12 Type a temporary IP address that can be used by the FortiWeb unit to connect to the TFTP server. The following message appears:

Enter firmware image file name [image.out]:

13 Type the firmware image file name and press Enter. The FortiWeb unit downloads the firmware image file from the TFTP server and displays a message similar to the following:

Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

Note: You have only 3 seconds to press a key. If you do not press a key soon enough, the FortiWeb unit reboots and you must log in and repeat the execute reboot command.


14 Type B. The FortiWeb unit saves the backup firmware image and restarts. When the FortiWeb unit restarts, it is running the primary firmware.

To use backup firmware as the primary firmware

1 Connect your management computer to the FortiWeb console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.

2 Initiate a connection from your management computer to the CLI of the FortiWeb unit, and log in as the admin administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. For details, see the FortiWeb Install and Setup Guide.

3 Enter the following command to restart the FortiWeb unit:

execute reboot

4 As the FortiWeb unit starts, a series of system startup messages appear.

Press any key to display configuration menu........

Immediately press a key to interrupt the system startup.

If you successfully interrupt the startup process, the following messages appear:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:

Please connect TFTP server to Ethernet port "1".

5 Type B to reboot and use the backup firmware.

Restoring firmware

Restoring the firmware can be useful if:

• you are unable to connect to the FortiWeb unit using the web-based manager or the CLI
• you want to install firmware without preserving any existing configuration
• a firmware version that you want to install requires a different size of system partition (see the Release Notes accompanying the firmware)
• a firmware version that you want to install requires that you format the boot device (see the Release Notes accompanying the firmware)

Unlike installing firmware, restoring firmware re-images the boot device, including the signatures that were current at the time that the firmware image file was created. Also, restoring firmware can only be done during a boot interrupt, before network connectivity is available, and therefore requires a local console connection to the CLI. It cannot be done through a network connection.

Note: You have only 3 seconds to press a key. If you do not press a key soon enough, the FortiWeb unit reboots and you must log in and repeat the execute reboot command.


To restore the firmware

1 Download the firmware file from the Fortinet Technical Support web site, https://support.fortinet.com/.

2 Connect your management computer to the FortiWeb console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.

3 Initiate a local console connection from your management computer to the CLI of the FortiWeb unit, and log in as the admin administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. For details, see the FortiWeb Install and Setup Guide.

4 Connect port1 of the FortiWeb unit directly or to the same subnet as a TFTP server.

5 Copy the new firmware image file to the root directory of the TFTP server.

6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach the TFTP server. To use the FortiWeb CLI to verify connectivity, enter the following command:

execute ping 192.168.1.168

where 192.168.1.168 is the IP address of the TFTP server.

7 Enter the following command to restart the FortiWeb unit:

execute reboot

8 As the FortiWeb unit starts, a series of system startup messages appear.

Press any key to display configuration menu........

9 Immediately press a key to interrupt the system startup.

If you successfully interrupt the startup process, the following messages appear:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:

Please connect TFTP server to Ethernet port "1".

10 If the firmware version requires that you first format the boot device before installing firmware, type F. Format the boot disk before continuing.

Caution: Back up your configuration before beginning this procedure, if possible. Restoring firmware resets the configuration, including the IP addresses of network interfaces. For information on backups, see “Backing up and restoring configurations” on page 96. For information on reconnecting to a FortiWeb unit whose network interface configuration has been reset, see the FortiWeb Install and Setup Guide.

Note: You have only 3 seconds to press a key. If you do not press a key soon enough, the FortiWeb unit reboots and you must log in and repeat the execute reboot command.


11 Type G to get the firmware image from the TFTP server.The following message appears:Enter TFTP server address [192.168.1.168]:

12 Type the IP address of the TFTP server and press Enter.The following message appears:Enter local address [192.168.1.188]:

13 Type a temporary IP address that can be used by the FortiWeb unit to connect to the TFTP server.The following message appears:Enter firmware image file name [image.out]:

14 Type the file name of the firmware image and press Enter.The FortiWeb unit downloads the firmware image file from the TFTP server and displays a message similar to the following:Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

15 Type D.The FortiWeb unit downloads the firmware image file from the TFTP server. The FortiWeb unit installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection.The FortiWeb unit reverts the configuration to default values for that version of the firmware.

16 To verify that the firmware was successfully installed, log in to the CLI and type:

get system status

The firmware version number is displayed.

17 Either reconfigure the FortiWeb unit or restore the configuration file. For details, see FortiWeb Install and Setup Guide and “Backing up and restoring configurations” on page 96.

18 Update the attack definitions.

Note: Installing firmware replaces the current attack definitions with those included with the firmware release that you are installing. After you install the new firmware, make sure that your attack definitions are up-to-date. For more information, see “Uploading signature updates” on page 101.
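The G option of the boot menu fetches the image over TFTP from whatever host is attached to port 1, so the procedure above depends on a TFTP server being ready before you reboot. The following Python script is an added example, not part of the Fortinet documentation or software: a minimal read-only TFTP server (RFC 1350, octet mode, 512-byte lock-step blocks) plus a small client used to exercise it over the loopback interface. It assumes the image sits in a flat directory with no subdirectories; the directory and file names are arbitrary. TFTP has no authentication or integrity protection, so bind the listener (for real use: a socket bound to UDP 69 on the interface facing port 1, passed to `handle_read`) only on an isolated segment, only for the duration of the restore, and take it down afterwards.

```python
import os
import socket
import struct
import tempfile
import threading

# Opcodes and block size from RFC 1350; octet mode only, no option negotiation.
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512
TIMEOUT = 5.0

def parse_request(pkt):
    """Decode an RRQ/WRQ: 2-byte opcode, filename, NUL, mode, NUL."""
    opcode = struct.unpack("!H", pkt[:2])[0] if len(pkt) >= 4 else 0
    fields = pkt[2:].split(b"\x00")
    if opcode not in (RRQ, WRQ) or len(fields) < 3:
        raise ValueError("not a well-formed TFTP request")
    return opcode, fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()

def safe_path(root, name):
    """Map a requested name into the flat image directory; refuse anything that escapes it."""
    base = os.path.realpath(root)
    full = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(full) != base:
        raise PermissionError(name)
    return full

def handle_read(listener, root):
    """Answer one RRQ arriving on listener; return the number of payload bytes sent."""
    pkt, client = listener.recvfrom(1024)
    try:
        opcode, name, mode = parse_request(pkt)
        if opcode != RRQ or mode != "octet":
            raise ValueError("only octet-mode reads are served")
        with open(safe_path(root, name), "rb") as f:
            image = f.read()
    except (ValueError, PermissionError, OSError):
        # Error code 1 = file not found; the text is deliberately uninformative.
        listener.sendto(struct.pack("!HH", ERROR, 1) + b"file not found\x00", client)
        return 0
    # Data flows on a fresh socket, i.e. a new transfer ID, as the RFC requires.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as xfer:
        xfer.settimeout(TIMEOUT)
        block, sent = 1, 0
        while True:
            chunk = image[(block - 1) * BLOCK_SIZE:block * BLOCK_SIZE]
            xfer.sendto(struct.pack("!HH", DATA, block & 0xFFFF) + chunk, client)
            ack, _ = xfer.recvfrom(4)
            if struct.unpack("!HH", ack) != (ACK, block & 0xFFFF):
                raise RuntimeError("expected ACK for block %d" % block)
            sent += len(chunk)
            if len(chunk) < BLOCK_SIZE:  # a short (possibly empty) block ends the transfer
                return sent
            block += 1

def fetch(server, name):
    """Minimal client: octet-mode RRQ, ACK every block, stop after a short one."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(TIMEOUT)
        s.sendto(struct.pack("!H", RRQ) + name.encode("ascii") + b"\x00octet\x00", server)
        out, expected = bytearray(), 1
        while True:
            pkt, peer = s.recvfrom(4 + BLOCK_SIZE)
            opcode, arg = struct.unpack("!HH", pkt[:4])
            if opcode == ERROR:
                raise OSError("TFTP error %d: %r" % (arg, pkt[4:].rstrip(b"\x00")))
            if opcode != DATA or arg != expected & 0xFFFF:
                raise RuntimeError("unexpected block %d" % arg)
            out += pkt[4:]
            s.sendto(struct.pack("!HH", ACK, arg), peer)
            if len(pkt) - 4 < BLOCK_SIZE:
                return bytes(out)
            expected += 1

def loopback_transfer(root, name):
    """Serve root on an ephemeral 127.0.0.1 port and fetch name through it in-process."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(TIMEOUT)
    worker = threading.Thread(target=handle_read, args=(listener, root))
    worker.start()
    try:
        return fetch(listener.getsockname(), name)
    finally:
        worker.join()
        listener.close()

def make_image_dir(files):
    """Write constructed {name: bytes} files into a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="tftp-")
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    image = bytes(range(256)) * 7  # constructed stand-in for image.out; last block is short
    root = make_image_dir({"image.out": image})
    print("intact:", loopback_transfer(root, "image.out") == image)
```

The server answers exactly one request and then returns, which is all the boot loader needs; `safe_path` rejects `../` names so that a misbehaving client on the segment cannot read arbitrary files from the host serving the image.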


Appendix A: Supported RFCs, W3C and IEEE standards

The current release of FortiWeb supports the following IETF RFC, W3C standards and IEEE standards.

RFC
• RFC 1213 Management Information Base for Network Management of TCP/IP-based internets: MIB-II (see reference 1)
• RFC 2616 Hypertext Transfer Protocol -- HTTP/1.1 (see reference 1, reference 2)
• RFC 2617 HTTP Authentication: Basic and Digest Access Authentication (see reference 1)
• RFC 2665 Definitions of Managed Objects for the Ethernet-like Interface Types (see reference 1)

W3C standards

extensible markup language (XML) 1.0 (Third Edition)
• XML Current Status: http://www.w3.org/standards/techs/xml#w3c_all
• W3C Recommendation 04 February 2004: http://www.w3.org/TR/2004/REC-xml-20040204
(see reference 1, reference 2)

XML Schema v1.0
• XML Schema Current Status: http://www.w3.org/standards/techs/xmlschema#w3c_all (see reference 1)
• XML Schema Part 0: Primer Second Edition, W3C Recommendation 28 October 2004: http://www.w3.org/TR/2004/REC-xmlschema-0-20041028/
• XML Schema Part 1: Structures Second Edition, W3C Recommendation 28 October 2004: http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/
• XML Schema Part 2: Datatypes Second Edition, W3C Recommendation 28 October 2004: http://www.w3.org/TR/2004/REC-xmlschema-2-20041028/

simple object access protocol (SOAP) 1.1
• W3C Note 08 May 2000: http://www.w3.org/TR/2000/NOTE-SOAP-20000508/ (see reference 1)

web services description language (WSDL) 1.1
• W3C Note 15 March 2001: http://www.w3.org/TR/wsdl (see reference 1)

XML encryption
• XML Encryption Current Status: http://www.w3.org/standards/techs/xmlenc#w3c_all (see reference 1)
• XML Encryption Syntax and Processing: http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/

XML signature
• XML Signature Current Status: http://www.w3.org/standards/techs/xmlsig#w3c_all (see reference 1)
• XML Signature Syntax and Processing: http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/

IEEE standards
• spanning tree protocol IEEE 802.1d (see reference 1)
• virtual LANs IEEE 802.1q (see reference 1)


Appendix B: Maximum values

This table shows maximum configurable values for FortiWeb Version 4.0 MR2. All performance values are assumed to mean "up to" and depend on your configuration. The maximum number of persistent server sessions per policy is limited by the unit's RAM.

FortiWeb-VM

For a FortiWeb-VM virtual appliance running in a VMware image, the maximum number of server sessions varies with the amount of memory available to FortiWeb-VM on the VMware server. To see the maximum allowed sessions, do the following:

1 Open the web-based manager.
2 Go to Server Policy > Policy.
3 Either click Create New or edit an existing policy.
4 Look at the minimum-maximum range indicator next to the Persistent Server Sessions option. That number tells you the maximum server sessions for your installation.

The number of network interfaces (ports) for FortiWeb-VM is 4. For installation instructions, see the FortiWeb-VM Install Guide.

Interpreting maximum values

Some of the values in Table 143 need explanation to fully understand their application.

Table 143: Maximum configurable values

FortiWeb model                                  FortiWeb-400B   FortiWeb-1000B   FortiWeb-1000C   FortiWeb-3000C
Maximum policies per unit                       20              40               60               100
Default RAM                                     1 GB            2 GB             3 GB             6 GB
Maximum persistent server sessions per policy   8 000           15 000           20 000           50 000
Maximum persistent server sessions per unit     20 000          40 000           60 000           100 000
Maximum HTTP transactions per second            10 000          22 000           27 000           40 000
Network interfaces (ports)                      4               4                4                6
VLAN interfaces                                 32              32               32               32
Maximum servers per server farm                 20              20               20               20


Persistent server sessions

You can set the value of maximum persistent server sessions per policy to a lower number (down to a fixed minimum) when configuring a server policy, using the Persistent Server Sessions option. FortiWeb distributes the persistent server sessions evenly across the physical servers protected by the server policy. For details, see "Configuring server policies" on page 118.

You cannot maximize both the number of allowed policies and the number of persistent server sessions per policy. The maximum persistent server sessions per unit sets the overall limit. For example, the FortiWeb-400B allows 20 server policies and up to 8 000 persistent server sessions per policy. That does not mean you can have 160 000 persistent server sessions running at one time. The upper limit is 20 000.

Network and VLAN interfaces

You can set up VLAN interfaces across the network interfaces in any arrangement. For example, on a unit with four network interfaces you could distribute the 32 VLAN interfaces evenly at 8 per interface or apply all 32 to one network interface.


Appendix C: SNMP MIB support

The FortiWeb SNMP agent supports the following management information bases (MIBs):

Table 144: FortiWeb MIBs

MIB or RFC                     Description
Fortinet Core MIB              This Fortinet-proprietary MIB enables your SNMP manager to query for system information and to receive traps that are common to multiple Fortinet devices.
FortiWeb MIB                   This Fortinet-proprietary MIB enables your SNMP manager to query for FortiWeb-specific information and to receive FortiWeb-specific traps.
RFC-1213 (MIB II)              The FortiWeb SNMP agent supports MIB II groups, except:
                               • There is no support for the EGP group from MIB II (RFC 1213, sections 3.11 and 6.10).
                               • Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, and so on) do not accurately capture all FortiWeb traffic activity. More accurate information can be obtained from the FortiWeb MIB.
RFC-2665 (Ethernet-like MIB)   The FortiWeb SNMP agent supports Ethernet-like MIB information, except the dot3Tests and dot3Errors groups.

You can obtain these MIB files from the Fortinet Technical Support web site, https://support.fortinet.com/.

To communicate with your FortiWeb unit's SNMP agent, you must first compile these MIBs into your SNMP manager. If the standard MIBs used by the SNMP agent are already compiled into your SNMP manager, you do not have to compile them again.

To view a trap or query's name, object identifier (OID), and description, open its MIB file in a plain text editor.

All traps sent include the message, the FortiWeb unit's serial number, and host name.

For instructions on how to configure traps and queries, see "Configuring the SNMP agent" on page 66.
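Opening the MIB file in a text editor, as suggested above, is the manual way to find the name, OID and description of each query and trap. The Python script below is an added example (not a Fortinet tool, and not taken from the Fortinet MIB files): it parses the OBJECT IDENTIFIER, OBJECT-TYPE and NOTIFICATION-TYPE definitions in a MIB module and resolves every symbolic name to its dotted numeric OID. The embedded MIB text is a constructed fragment containing only standard definitions from RFC 1213 (MIB-II) and RFC 3418 (the coldStart notification), trimmed to the clauses the parser reads; feed it the downloaded Fortinet Core and FortiWeb MIB files the same way, keeping in mind that it handles only these three ASN.1 constructs and that a real MIB compiler is the authority for anything it does not recognise.

```python
import re

# Well-known roots, so module-local names resolve without loading SNMPv2-SMI.
ROOTS = {"iso": "1", "org": "1.3", "dod": "1.3.6", "internet": "1.3.6.1",
         "mgmt": "1.3.6.1.2", "enterprises": "1.3.6.1.4.1", "snmpV2": "1.3.6.1.6"}

# Constructed fragment: standard definitions from RFC 1213 (MIB-II) and
# RFC 3418 (coldStart), trimmed to the clauses this parser reads. The snmpMIB
# line is simplified (the RFC declares it with MODULE-IDENTITY).
SAMPLE_MIB = """
mib-2          OBJECT IDENTIFIER ::= { mgmt 1 }
system         OBJECT IDENTIFIER ::= { mib-2 1 }
interfaces     OBJECT IDENTIFIER ::= { mib-2 2 }
snmpModules    OBJECT IDENTIFIER ::= { snmpV2 3 }
snmpMIB        OBJECT IDENTIFIER ::= { snmpModules 1 }
snmpMIBObjects OBJECT IDENTIFIER ::= { snmpMIB 1 }
snmpTraps      OBJECT IDENTIFIER ::= { snmpMIBObjects 5 }

sysDescr OBJECT-TYPE
    SYNTAX  DisplayString (SIZE (0..255))
    ACCESS  read-only
    STATUS  mandatory
    DESCRIPTION
            "A textual description of the entity.  This value
            should include the full name and version
            identification of the system's hardware type,
            software operating-system, and networking
            software."
    ::= { system 1 }

sysUpTime OBJECT-TYPE
    SYNTAX  TimeTicks
    ACCESS  read-only
    STATUS  mandatory
    DESCRIPTION
            "The time (in hundredths of a second) since the
            network management portion of the system was last
            re-initialized."
    ::= { system 3 }

ifNumber OBJECT-TYPE
    SYNTAX  INTEGER
    ACCESS  read-only
    STATUS  mandatory
    DESCRIPTION
            "The number of network interfaces (regardless of
            their current state) present on this system."
    ::= { interfaces 1 }

coldStart NOTIFICATION-TYPE
    STATUS  current
    DESCRIPTION
            "A coldStart trap signifies that the SNMP entity,
            supporting a notification originator application, is
            reinitializing itself and that its configuration may
            have been altered."
    ::= { snmpTraps 1 }
"""

_OID_ASSIGN = re.compile(
    r"^\s*([A-Za-z][\w-]*)\s+OBJECT IDENTIFIER\s*::=\s*\{\s*([A-Za-z][\w-]*)\s+(\d+)\s*\}", re.M)
_TYPED = re.compile(
    r"^\s*([A-Za-z][\w-]*)\s+(OBJECT-TYPE|NOTIFICATION-TYPE)\b(.*?)::=\s*\{\s*([A-Za-z][\w-]*)\s+(\d+)\s*\}",
    re.M | re.S)
_DESCR = re.compile(r'DESCRIPTION\s*"([^"]*)"')

def parse_mib(text):
    """Return {name: {"kind", "parent", "arc", "description"}} for every definition in text."""
    defs = {}
    for name, parent, arc in _OID_ASSIGN.findall(text):
        defs[name] = {"kind": "OBJECT IDENTIFIER", "parent": parent, "arc": int(arc), "description": ""}
    for name, kind, body, parent, arc in _TYPED.findall(text):
        m = _DESCR.search(body)
        defs[name] = {"kind": kind, "parent": parent, "arc": int(arc),
                      "description": " ".join(m.group(1).split()) if m else ""}
    return defs

def resolve_oid(defs, name, _seen=None):
    """Follow parent links up to a well-known root and return the dotted numeric OID."""
    if name in ROOTS:
        return ROOTS[name]
    if name not in defs:
        raise KeyError("undefined name: %s" % name)
    seen = set() if _seen is None else _seen
    if name in seen:
        raise ValueError("cyclic definition at %s" % name)
    seen.add(name)
    return "%s.%d" % (resolve_oid(defs, defs[name]["parent"], seen), defs[name]["arc"])

def catalog(text, kinds=("OBJECT-TYPE", "NOTIFICATION-TYPE")):
    """List (name, kind, oid, description) for each query or trap, sorted by OID."""
    defs = parse_mib(text)
    rows = [(n, d["kind"], resolve_oid(defs, n), d["description"])
            for n, d in defs.items() if d["kind"] in kinds]
    return sorted(rows, key=lambda r: [int(x) for x in r[2].split(".")])

if __name__ == "__main__":
    for name, kind, oid, descr in catalog(SAMPLE_MIB):
        print("%-10s %-17s %-22s %s" % (name, kind, oid, descr[:60]))
```

Run it against the Fortinet MIB files with `catalog(open("FORTINET-FORTIWEB-MIB.txt").read())` style input (file name is whatever the support site ships) to get the list of queries and traps to compile into the manager, and to decide which trap OIDs your monitoring should alert on.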


Appendix D: Language support & regular expressions

Languages currently supported by the web-based manager are:
• English
• simplified Chinese
• Japanese
• traditional Chinese

Characters such as ñ, é, symbols, and ideographs are sometimes acceptable input. Support varies by the nature of the item being configured. For example, the host name must not contain special characters, and so the web-based manager and CLI will not accept most symbols and non-ASCII encoded characters as input when configuring the host name. This means that languages other than English often are not supported. However, some configuration items, such as names and comments, may use the language of your choice. To use other languages in those cases, you must use an encoding that supports it.

Input is stored using Unicode UTF-8 encoding, but is not normalized from other encodings into UTF-8 before it is stored. If your input method encodes some characters differently than in UTF-8, your configured items may not display or operate as expected.

Regular expressions are especially impacted. The matching feature uses the UTF-8 character values. If you enter a regular expression using another encoding, or if an HTTP client sends a request in an encoding other than UTF-8, matches may not be what you expect. For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as yen symbols ( ¥ ) and vice versa. A regular expression intended to match HTTP requests containing money values with a yen symbol therefore may not work if the symbol is entered using the wrong encoding.

For best results, you should:
• use UTF-8 encoding, or
• use only the characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters that are also encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS and other encodings, or
• for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients

Note: HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary by the client’s operating system or input language. If you cannot predict the client’s encoding, only English portions of the request may match, because regardless of the encoding, the values for English characters tend to be encoded identically. For example, English words may be legible regardless of interpreting a web page as either ISO 8859-1 or as GB2312, whereas simplified Chinese characters might only be legible if the page is interpreted as GB2312.
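The Shift-JIS backslash/yen problem described above, as an added Python example that is not part of the Fortinet documentation. The request bodies are constructed, not captured traffic; `find_money` stands in for a rule whose intent is "a yen sign followed by digits". It shows the three outcomes the appendix warns about: the rule written in the client's own encoding matches, the same rule applied in the wrong encoding silently misses, and a genuine backslash in a UTF-8 body is mistaken for a yen sign when read as Shift-JIS. It also shows why a pure US-ASCII pattern is immune.

```python
import codecs
import re

# Constructed request bodies, not captured traffic. Both carry the text
# "price=価格: ¥1200"; only the encoding differs. In Shift-JIS (JIS X 0201)
# the single byte 0x5C is the yen sign, and 0x5C is also the ASCII backslash.
BODY_UTF8 = "price=\u4fa1\u683c: \u00a51200".encode("utf-8")
BODY_SJIS = "price=\u4fa1\u683c: ".encode("shift_jis") + b"\x5c1200"
# A UTF-8 body carrying a Windows path, i.e. a genuine backslash before digits.
BODY_PATH = "file=C:\\1200\\report.txt".encode("utf-8")

# How the yen sign appears on the wire for each client encoding.
YEN = {"utf-8": "\u00a5".encode("utf-8"), "shift_jis": b"\x5c"}

def charset_from_content_type(value):
    """Return the canonical codec name from a Content-Type header (UTF-8 if absent)."""
    m = re.search(r'charset\s*=\s*"?([\w.:-]+)', value, re.I)
    return codecs.lookup(m.group(1) if m else "utf-8").name

def money_pattern(charset):
    """Byte regex for 'yen sign, then digits', with the yen sign as that charset encodes it."""
    return re.compile(re.escape(YEN[charset]) + rb"[0-9]+")

def find_money(body, charset):
    """Amounts matched when the rule is applied in the client's own encoding."""
    skip = len(YEN[charset])
    return [int(m.group(0)[skip:]) for m in money_pattern(charset).finditer(body)]

def find_money_utf8_only(body):
    """The same rule when every request is assumed to be UTF-8 (undecodable bytes replaced)."""
    text = body.decode("utf-8", "replace")
    return [int(m.group(1)) for m in re.finditer("\u00a5([0-9]+)", text)]

def ascii_literal_found(body, literal):
    """US-ASCII bytes are identical in UTF-8, ISO 8859-1, cp1252 and Shift-JIS,
    so a pure-ASCII pattern matches whatever the client's encoding is."""
    return literal.encode("ascii") in body

if __name__ == "__main__":
    for label, body, cs in (("utf-8 body, rule in utf-8", BODY_UTF8, "utf-8"),
                            ("shift_jis body, rule in shift_jis", BODY_SJIS, "shift_jis"),
                            ("shift_jis body, rule in utf-8", BODY_SJIS, "utf-8"),
                            ("utf-8 path, rule in shift_jis", BODY_PATH, "shift_jis")):
        print("%-36s -> %s" % (label, find_money(body, cs)))
```

The practical consequence for a rule set: decide per protected site which encoding its clients send (the `Content-Type` charset, when present, tells you), write the pattern in that encoding, and keep the non-ASCII part of the pattern out of rules that must apply to clients of unknown encoding.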


In order to configure your FortiWeb unit using other encodings, you may need to switch language settings on your management computer, including for your web browser or Telnet/SSH client. For instructions on how to configure your management computer’s operating system language, locale, or input method, see its documentation.

In a similar fashion, your web browser or CLI client should usually interpret display output as encoded using UTF-8. If it does not, your configured items may not display correctly in the web-based manager or CLI. Exceptions include items such as regular expressions that you may have configured using other encodings in order to match the encoding of HTTP requests that the FortiWeb unit receives.

For information on configuring the display language of the web-based manager, see "Configuring the web-based manager's global settings" on page 82.

Note: If you choose to configure parts of the FortiWeb unit using non-ASCII characters, verify that all systems interacting with the FortiWeb unit also support the same encodings. You should also use the same encoding throughout the configuration if possible in order to avoid needing to switch the language settings of your web browser or Telnet/SSH client while you work.


Appendix E: Ports used by FortiWeb

The following tables list the default port assignments used by FortiWeb.

Take care when reassigning ports. Many UDP and TCP port numbers have internationally recognized IANA port assignments and are commonly associated with specific applications or protocols.

Table 145: Default ports used by FortiWeb for outgoing traffic

Port number     Port type   Default uses
21              TCP         FTP (web site anti-defacement backup)
25              TCP         SMTP
53              UDP/TCP     DNS
69              UDP         TFTP (back up, restore, update during bootup)
123             UDP         NTP synchronization
137, 138, 139   UDP         Web site anti-defacement backup (Windows share)
162             UDP         SNMP traps
389             TCP         LDAP
443             TCP         FDS firmware updates
445             TCP         NTLM, web site anti-defacement backup (Windows share)
514             UDP         Syslog
636             TCP         LDAPS
1812            UDP         RADIUS
5055            UDP         HA heartbeat
5056            UDP         HA configuration synchronization

Table 146: Default ports FortiWeb uses for incoming traffic and listening

Port number     Port type   Default uses
22              TCP         SSH administrative access, CLI access
23              TCP         Telnet administrative access
80              TCP         HTTP administrative access, predefined HTTP service
161             UDP         SNMP queries
443             TCP         HTTPS administrative access, predefined HTTPS service
8333            TCP         FortiWeb conf-sync remote connection
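Table 146 is also the baseline for checking what a FortiWeb management interface actually exposes. The Python check below is an added example, not from the Fortinet documentation: it parses port-scan output, compares the open ports with Table 146, and reports two things a practitioner cares about, listeners the table does not account for, and the two administrative services that carry credentials in cleartext (Telnet on 23 and HTTP on 80, which is also the predefined HTTP service for protected sites, so disabling it applies to administrative access on that interface rather than to the port as such). The scan text is constructed in nmap's normal output format, not a real scan.

```python
import re

# Table 146 (this appendix): default inbound listeners.
EXPECTED_INBOUND = {
    (22, "tcp"): "SSH administrative access, CLI access",
    (23, "tcp"): "Telnet administrative access",
    (80, "tcp"): "HTTP administrative access, predefined HTTP service",
    (161, "udp"): "SNMP queries",
    (443, "tcp"): "HTTPS administrative access, predefined HTTPS service",
    (8333, "tcp"): "FortiWeb conf-sync remote connection",
}

# Administrative services that send credentials or session data in cleartext.
CLEARTEXT_ADMIN = {
    (23, "tcp"): "Telnet administrative access: disable it, use SSH (22)",
    (80, "tcp"): "HTTP administrative access: disable it on this interface, use HTTPS (443)",
}

# Constructed nmap-style output for a management interface; not a real scan.
SAMPLE_SCAN = """\
PORT     STATE         SERVICE
22/tcp   open          ssh
23/tcp   open          telnet
80/tcp   open          http
443/tcp  open          https
161/udp  open|filtered snmp
8333/tcp open          unknown
3389/tcp open          ms-wbt-server
25/tcp   filtered      smtp
"""

_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\S*)", re.M)

def parse_scan(text):
    """Return the set of (port, proto) that nmap reports as open or open|filtered."""
    return {(int(port), proto) for port, proto, _state in _PORT_LINE.findall(text)}

def audit(observed, expected=EXPECTED_INBOUND, cleartext=CLEARTEXT_ADMIN):
    """Classify observed listeners against the expected table."""
    return {
        "unexpected": sorted(observed - set(expected)),      # not in Table 146: investigate
        "cleartext": sorted(p for p in observed if p in cleartext),
        "not_listening": sorted(set(expected) - observed),   # fine if you disabled it on purpose
    }

def report(text):
    """Human-readable findings for one scan."""
    result = audit(parse_scan(text))
    lines = ["FINDING unexpected listener %d/%s, not in Table 146" % p for p in result["unexpected"]]
    lines += ["FINDING cleartext %d/%s: %s" % (p[0], p[1], CLEARTEXT_ADMIN[p]) for p in result["cleartext"]]
    lines += ["INFO %d/%s not reachable (%s)" % (p[0], p[1], EXPECTED_INBOUND[p]) for p in result["not_listening"]]
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SCAN)))
```

Run it on the output of a TCP and UDP scan of the management address taken from outside the trusted-host range; anything the scan can reach that the trusted-host settings on the administrator accounts should have blocked belongs in the first category too.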


Index

Symbols
_email, 21
_fortinet_waf_auth, 272
_fqdn, 21
_index, 21
_int, 21
_ipv4, 21
_ipv4/mask, 21
_ipv4mask, 21
_ipv6, 21
_ipv6mask, 21
_name, 21
_pattern, 21
_str, 21
_url, 21
_v4mask, 21
_v6mask, 21

Numerics301 Moved Permanently, 306302 Moved Temporarily, 248, 306, 307401 Authorization Required, 258401 Unauthorized, 278, 281, 307403 Forbidden, 192, 248, 273, 288404 File Not Found, 273, 289500 Internal Server Error, 278, 2815055, 655056, 65

Aaccess profile, 77, 78, 80access protocols, 359action message format (AMF), 274, 278actions, 31Active Directory, 113active-passive, 61address resolution protocol (ARP), 64administrative access, 82

interface settings, 52restricting, 51, 52, 75, 77, 78

administrator"admin" account, 387, 390, 392password, 77trusted host, 77

Adobe Flash, 25aggregation, 34AJAX, 163alert, 167, 168, 187, 188, 192, 270, 272, 287

false positives, 31tuning, 31

alert email, 313, 316enabling, 296, 317

algorithm, 176allow method exception, 237alphanumeric, 153anonymous, 111ANSI, 153ANSI escape code, 153anti-defacement, 293, 294

performance, 367Apache, 155, 282

Tomcat, 155, 282ARP, 377

packets, 362ASCII, 401, 402attack

count in auto-learning report, 289log, 33, 289, 328log aggregation, 34log search, 341protection, 184signatures, 101, 360

attacks, 29Attacks tab, 287attributes, XML, 170, 172authentication, 257, 259, 261, 307

supporting modes, 71Authorization, 191, 258auto-learning, 281

performance, 284, 365profile, 278, 279reports, 282

Bback up web site, 297backup, 96, 98, 355

firmware, 389partition, 98

Backup HA unit, 61Base64, 88Basic Mode, 306bind DN, 111black IP, 221, 292Block Period, 230boot interrupt, 391bootup, 381bridge, 55, 119, 120, 123bridge protocol data unit (BPDU), 57broadcast, 64browser, 25, 92, 127brute force login attack, 224buffer overflow, 170, 252, 306bypass, 129


Ccertificate, 84, 126, 139

default, 85local, 85operation modes, 88personal, 127server, 85signing chain, 89, 92, 127signing request, 85, 86trust, 89, 92, 127user, 127warning, 92, 127

certificate authority (CA), 86, 88, 90, 92, 95, 96, 127certificate revocation list (CRL), 90, 95, 127chain of trust, 127character data (CDATA), 172character entity references, 172Chinese, 83CIDR, 21Cisco discovery protocol (CDP), 54CLI, 42, 45, 75, 78

commands, 372Console widget, 43, 45prompt, 45

CLI commandsdebug, 378diagnose, 377network, 377packet, 378sniffer, 378

cloaking, 192clock, 44, 101cluster, 135ColdFusion, 205color code, 153column view

logs, 338command line interface (CLI), 14, 20command prompt, 45comma-separated value (CSV), 153, 320, 335Common Exploits, 204community, 66, 67, 68compliance, 299configure DoS, 70connectivity, 373contact information, SNMP, 67content filter, 363content routing, 120, 123, 136

examples, 141HTTP, 120, 123, 136WSDL, 136XPath, 136

Content-Length, 191, 252, 254, 257Content-Type, 188conventions, 19cookie, 121, 189, 191, 271, 272, 276country code, 153cp1252, 401CPU usage, 47, 69credit card number, 153, 206, 209

cross-site request forgery (CSRF), 198, 204cross-site scripting (XSS), 101, 102, 201, 204, 209, 274,

278, 306CSR

submit, 88custom robot

signature, 232customize dashboard, 42

Ddashboard, 28, 41

customize, 42data constraints, 170data leak, 201, 206dates, 153daylight savings time (DST), 100debug command, 378decrypt, 126defacement, web site, 293default

administrator account, 80, 387, 390, 392route, 105

delete items, 15
denial of service (DoS), 70, 300, 307
deployment mode, 37
DETECT_ALLOW_HOST_FAILED, 125, 150
DETECT_ALLOW_METHOD_FAILED, 272, 277
DETECT_ALLOW_ROBOT, 230
DETECT_ALLOW_ROBOT_GOOGLE, 229
DETECT_ALLOW_ROBOT_MSN, 229
DETECT_ALLOW_ROBOT_YAHOO, 229
DETECT_BLACK_PAGE, 220, 273, 277
DETECT_BRUTE_FORCE_LOGIN, 227, 273
DETECT_MALICIOUS_ROBOT, 230, 273, 277
DETECT_PAGE_RULE_FAILED, 201, 273
DETECT_PARAM_RULE_FAILED, 194, 273, 277
DETECT_RESPONSE_INFORMATION_DISCLOSURE, 205
    credit card leakage, 206
DETECT_SQL_INJECTION, 204
DETECT_START_PAGE_FAILED, 216, 273
DETECT_URL_ACCESS_ALERT_DENY, 272, 277
DETECT_XSS_ATTACK, 204
diagnose command, 377
Diffie-Hellman exchange, 139
digital certificate requests, 84
distinguished name (DN), 85, 90, 91, 94, 95
DNS server, 59, 318

test connection, 376document object model (DOM), 241document type description (DTD), 171, 172documentation

conventions, 19Release Notes, 391

domain namelocal, 45, 58, 59

DoS, 70dotted decimal, 21down, 51


down time, 66downgrade, 387DSA, 88

Eelements, XML, 170, 172email alert, 296, 317encoding, 83, 401encrypt, 126Enhanced Mode, 306escape codes, 153Ethernet, 399event log, 328

console, 42event, SNMP, 69expected input, 20extended signature set, 31external entity attack, 185, 187external schema reference, 185, 187

Ffail-open, 58false positive, 31, 206, 207, 254, 311, 328, 336file size

limit, 179files

extensions, 368large, 367

filterclear, 339icon, 339logs, 339

firewall, 360firmware

backup, 389change, 43downgrade, 387install, backup firmware image, 389restore, 391test, 385upgrade, 387version, 42, 44

Flash, 274, 278forensic analysis, 328, 336forgotten password, 76formatted view, logs, 338formatting the boot device, 391FortiAnalyzer, 323, 327FortiGuard Distribution Network (FDN), 102, 103FortiGuard Distribution Server (FDS), 103Fortinet

Knowledge Base, 18Technical Documentation, 18

comments, 19conventions, 19

Technical Support, 18, 399Training Services, 18

FORTIWAFSID, 271, 276FortiWeb-VM, 397

FTP, 98, 105, 294backup, 355

FTP backup, 98fully qualified domain name (FQDN), 21, 87

Ggateway, 105, 106GB2312, 401general entity reference, 172Google, 282graphical user interface (GUI), 25gratuitous ARP, 64greedy, 330group ID, 63group name

HA, 64

HHA

Backup, 61group name, 64heartbeat interface, 65interface monitoring, 65Master, 61mode setting, 63

Master, 63Slave, 63Standalone, 63

pair, 61port monitor, 65

hard disk, 334logging to, 325

hardwareproblems, 374

health check, server, 132, 134, 136, 144heartbeat

interface, 65heartbeat, HA, 64

interface, 65hexadecimal, 153high availability (HA), 61, 313

mode, 43status, 43

hit, 289Host, 125, 147, 148, 149, 191, 242, 246, 250, 269host name, 42, 45, 399HTTP, 52, 144, 145

headers, 147port number, 82

HTTP authentication, 257, 259, 261HTTP Content Routing, 120, 123, 136HTTP_HEADER_LEN_OVERFLOW, 273HTTP_HEADER_LINE_LEN_OVERFLOW, 273HTTPS, 51, 52, 84, 87

port number, 82hypertext markup language (HTML), 153

IICMP, 52, 56, 58, 399


ICMP ECHO, 144, 320, 322idle, 83IEEE 802.1d, 56, 396IEEE 802.1q, 53, 55, 396IIS, 155index number, 21information disclosure, 366injection attack, 204, 209input constraints, 20input method, 402installation, 14interface

administrative access, 52monitoring, HA, 65

intervalhealth check, 145

inter-VLAN routing, 53, 55IP address, 78IP-based forwarding, 105ISO 8859-1, 401

JJapanese, 83JavaScript, 45, 121, 163, 241

Kkey, 176

file, 175management group, 188

key size, certificate, 88key type, certificate, 87

Llanguage, 26, 83, 401, 402

web-based manager, 83Layer 2, 53, 56, 57Layer 3, 53LDAP

bind, 111password, 111

LDAPS, 110lightweight directory access protocol (LDAP), 258limit

file size, 179rate, 227

link checker, 227Linux, 377load balancing, 120, 123

algorithm, 136deployment mode, 37weight, 136

local console access, 45, 78local domain name, 45, 58, 59locale, 402Location, 248, 269, 272

log, 100attack log, 328column view, 338event log, 328filter, 339formatted view, 338level, 314message aggregation, 340message details, 335messages cleared, 356packet log details, 336raw view, 339rotate, 325storing, 323Syslog, 326to memory, 326to the hard disk, 325traffic log, 329types, 314, 327

log details, 336log filter

clear, 339log in

problems, 379log level, 314loop, 56, 57lost password, 76

MMAIL TO, 296management information block (MIB), 66, 399manager, SNMP, 66, 68, 69, 399markup, 153Master HA unit, 61maximum transmission unit (MTU), 53maximum values, 397media access control (MAC) address, 52, 56, 57memory leak, 306memory usage, 47, 69memory, log to, 326MIB

RFC 1213, 399RFC 2665, 399

MicrosoftActive Directory, 113Excel, 335IIS, 154, 155Internet Explorer, 25

minimum cost path, 56mode

deployment, 37HA, 63monitor, 38offline protection, 71, 119reverse proxy, 53, 71, 119transparent inspection, 72, 119true transparent proxy, 58, 72, 119

monitor mode, 38Mozilla Firefox, 25MS Windows, 377MSN, 282


multicast, 65

Nnavigation pane, 284netmask

administrator account, 77network address translation (NAT), 56, 119, 224, 226, 228,

230network interface

status, 51Network Time Protocol (NTP), 100next-hop router, 105, 106no-follow, 228no-index, 228notification, 293, 296, 317NT LAN Manager (NTLM), 113, 258

Oobject identifier (OID), 399offline protection mode, 44, 71, 119, 125

switching from, 35offloading, 85, 126one-arm, 129online certificate status protocol (OCSP), 90, 96, 127operation mode, 43, 44, 126, 355

supported features in, 72switching, 35, 71

order of execution, 190oversized payload, 170Overview tab, 286

Ppacket, 336packet capture, 368packet command, 378packet payload, 32, 328pair, 61partition, 98, 387, 391password, 77, 380

encrypt log files, 335forgotten, 76LDAP bind, 111lost, 80plain, 360reset, 76, 80strong, 358weak, 153

pattern, 21payload, 336PCI DSS, 206PDF report, 352performance, 41, 150, 205, 363permissions, 77, 78, 80

access, 372persistent server sessions, 398phone number, 153ping, 52, 56, 58, 144, 320, 322, 374PKCS #10, 88PKCS #12, 88

policymaximum number, 398server, 117

portmonitor, HA, 65number, 26, 65, 69, 82, 120, 124, 125, 126numbers, 373SNMP, 69UDP ports 33434-33534, 376

postal code, 153power interruption, 58power on, 381predefined

data type, 365primary heartbeat interface, 65processing flow, 190processing instruction (PI), 172prompt, 46protocol, 359, 360proxy, 272

Qquery

anonymous, 111DNS, 58report, 349SNMP, 66, 69, 399

R
RAID, 74
random access memory (RAM), 47, 326, 332, 334
rapid spanning tree protocol (RSTP), 56
rate limit, 227, 307
raw view, logs, 339
reachable, 105
read & write

administrator, 103really simple syndication (RSS), 163recursive payload, 170redirect, 246, 248Referer, 246, 249, 250, 269, 272regular expression, 21, 151, 154, 156, 196, 198, 200, 209,

215, 220, 226, 232, 234, 239, 250, 328GB2312 encoding, 83tuning, 31validator, 31

Release Notes, 391remove items, 15report

download, 353, 354HTML format, 352MS Word format, 352on demand, 345, 351PDF format, 352periodically generated, 345query, 349schedule, 351time span, 348view, 353vulnerability scan, 299, 309


representational state transfer (REST), 188reset

password, 80resolution, 25retry

health check, 145reverse proxy, 44reverse proxy mode, 44, 53, 71, 119, 125reverting web site, 297rewrite, 246RFC

1213, 3992616, 2502617, 2572665, 399

robot, 227root

folder of a web site, 296Schema file, 180

routeby web service operations, 136, 173by XPath, 136content, 136default, 105static, 74, 105

RSA, 88RTF bookmarks, 153RTF report, 352rule violation

severity, 191

Sscheduling, 100, 164, 165schema

compressed, 179file, 178poisoning attack, 185, 187verification, 178

searchattack log, 341

search engine, 227secondary heartbeat interface, 65Secure Shell (SSH), 45, 51, 52, 78, 294security, 357sensitive information, 201sequence of scans, 190serial number, 44, 399

certificate, 85, 90, 91, 94, 95serial port parameters, 381server, 191, 205

farm, 119, 135health check, 132, 134, 136, 144, 365maximum sessions, 398protection rules, 201status, 132, 134, 136, 144

server farm, 50status, 50

session timeout, 124Session-Id, 277Set-Cookie, 121Setup Wizard, 104

severitylevel, 349levels, 30rule violation, 191

Shift-JIS, 401signature set, 31signing chain, 89, 92, 127simple certificate enrollment protocol (SCEP), 88, 91, 93, 95simple network management protocol (SNMP), 52, 66, 68, 69

Agent, 67
agent, 399
community, 67
contact information, 67
OID, 399
query, 69
RFC 1213, 399
RFC 2665, 399
system name, 45

simple object access protocol (SOAP), 163sniffer command, 378Social Insurance Number (SIN), 153Social Security Number (SSN), 153source code disclosure, 306spanning tree protocol (STP), 56, 57special characters, 45, 401spider, 227SQL

injection, 102, 188, 201, 204, 209, 274, 278, 306injection, blind, 204statements, 153

SSL, 13, 38, 85, 100, 110, 126, 139certificate, 126, 139hardware accelerated, 126offload, 126on the web servers, 74

Start Learning, 284STARTTLS, 110, 111state name, 153static route, 74, 105status

FortiWeb, 41server, 132, 134, 136, 144

storing logs, 323STP, 56string, 21subject information, certificate, 86submit

CSR, 88subnet, 52, 55SYN flood, 70sync interval, 101syntax, 20Syslog, 323, 326system resource usage, 42system time, 42, 44, 100

TTCP, 144

session timeout, 124SYN flood, 70


Telnet, 45, 53, 78, 359text node, 172text/xml, 188TFTP, 385, 392throughput, 47time, 44, 100, 153time to live (TTL), 376timeout, 124, 306

health check, 144, 145idle, 83

TLS, 126, 139Tomcat, 155traceroute, 320, 322, 374, 376tracert, 377traffic flow, 379traffic log, 329

delay, 333traffic volume, 47transparent inspection mode, 44, 72, 119transport layer security (TLS), 91trap, 66, 69, 399

SNMP, 399triggers, 30troubleshooting, 369

bootup, 381connectivity, 373debug packet flow, 378hardware, 374packet sniffing, 377plan, 371resources, 378routing table, 377Syslog, 320, 322traffic flow, 369

true transparent proxy mode, 44, 58, 72, 119trust IP, 220, 292trusted client, 221trusted host, 77, 78, 357, 380tunneling, 103

UUDP, 65UK vehicle registration, 153Unicode, 401uniform resource identifier (URI), 153up, 51upgrade, 387uptime, 42US-ASCII, 45, 401, 402user authentication

supporting modes, 71User-Agent, 191, 227, 232, 234UTF-8, 83, 401

Vvalidator, 31value parse error, 21VBScript, 153

virtual host, 149virtual LAN, 53virtual MAC, 64virtual network interface, 56, 58virtual server, 119, 120, 123VLAN, 50, 53VLAN trunk, 55vulnerability scan, 299

false positive, 311preparation, 300rate limit, 307report, 299, 309timeout, 306

v-zone, 55, 119, 120, 123

WW3C

SOAP, 163WSDL, 181, 183XML, 163XML encryption, 188XML Schema, 172XML signatures, 187

web anti-defacement, 367web browser, 25web crawler, 227web proxy, 103web service definition language (WSDL), 136, 181, 183

content routing, 120, 123, 173file, 181scan, 181scanning attack, 185, 187verification, 187

web traffic, 369web-based manager

language, 83widget, 28, 41wiki code, 153wild cards, 21WSDL

verification, 187WVS report

format, 302WWW-Authenticate, 258

XX.509, 88X-Forwarded-For, 272XML, 163

attributes, 170, 172decryption, 187, 188elements, 170, 172encryption, 188namespace (XMLNS), 172signature, 187, 188

XMLHttpRequest, 163XPath, 120, 123, 136, 188

content filter rule, 166, 167, 168expression, 138


YYahoo!, 282

ZZIP code, 153


www.fortinet.com
