
FortiWeb Web Application Firewall

Version 4.0 MR2 Administration Guide

FortiWeb Web Application Firewall Administration Guide
Version 4.0 MR2
Revision 10
16 June 2011

Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory compliance
FCC Class A Part 15 CSA/CUS

Contents

Introduction ............................................................................................ 13
    Scope .......................................................... 14
    Workflow ....................................................... 14
    Deleting entries ............................................... 15
    Characteristics of XML threats ................................. 15
    Characteristics of HTTP threats ................................ 16
    Customer service & technical support ........................... 18
    Documentation Conventions ...................................... 19
        IP addresses ............................................... 19
        Cautions, Notes, & Tips .................................... 19
        Typographical conventions .................................. 19
        Command syntax conventions ................................. 20

What's new ......................................................... 23

About the web-based manager ........................................ 25

Deployment guidelines .............................................. 27


    Deployment prerequisites ....................................... 27
        Server policy .............................................. 27
    Deployment workflow ............................................ 27
    Phase 1: Examine the initial configuration ..................... 28
        Do a visual check .......................................... 28
        Check dynamic data on the dashboard ........................ 28
        Check your auto-learning data .............................. 29
    Phase 2: Monitor and tune the configuration .................... 30
        Stay diligent .............................................. 30
        Tune up alerts ............................................. 30
        Define logs, reports and email alerts ...................... 32
    Phase 3: Test for vulnerabilities .............................. 33
        Stay diligent .............................................. 33
        Aggregate attack types ..................................... 34
        Search for vulnerabilities ................................. 34
    Phase 4: Switch from offline protection mode (if applicable) ... 35
        Prepare to switch operation mode ........................... 36
        Change operation mode ...................................... 36
        Reconfigure your system .................................... 36
        Retest your system ......................................... 37
        Remain diligent ............................................ 37

FortiWeb Web Application Firewall Version 4.0 MR2 Administration Guide Revision 10 http://docs.fortinet.com/ Feedback


    Phase 5: Prepare for full operation ............................ 37
        Extend your server configuration ........................... 37
        Remain diligent ............................................ 38
        Make final deployment settings ............................. 38

    What else can you do? .......................................... 39

System .................................................................................................... 41
    Viewing system status .......................................... 41
        System Information widget .................................. 43
            Changing the FortiWeb unit's host name ................. 45
        CLI Console widget ......................................... 45
        System Resources widget .................................... 47
        Policy Summary widget ...................................... 47
        Attack Log Console widget .................................. 48
        Event Log Console widget ................................... 48
        Service Status widget ...................................... 49
        Policy Sessions widget ..................................... 50
    Configuring the network and VLAN interfaces .................... 50
        Adding a VLAN subinterface ................................. 53
        Configuring v-zones (bridges) .............................. 55
        Configuring fail-open ...................................... 58

    Configuring the DNS settings ................................... 58
    Synchronizing configurations ................................... 59
    Configuring high availability (HA) ............................. 61
        About the heartbeat and synchronization .................... 65
    Configuring the SNMP agent ..................................... 66
        Configuring an SNMP community .............................. 68
    Configuring DoS protection ..................................... 70
    Configuring the operation mode ................................. 71
    Viewing RAID status ............................................ 74
    Configuring administrator accounts ............................. 75
        Configuring trusted hosts .................................. 78
        Configuring access profiles ................................ 78
        About permissions .......................................... 80

    Configuring the web-based manager's global settings ............ 82
    Managing certificates .......................................... 84
        Managing local and server certificates ..................... 84
            Generating a certificate signing request ............... 86
            Submitting a certificate signing request ............... 88
            Uploading a certificate ................................ 88
        Managing OCSP server certificates .......................... 90
        Managing CA certificates ................................... 90



            Grouping CA certificates ............................... 91
            Managing certificates for intermediate CAs ............. 92
            Grouping certificates for intermediate CAs ............. 94
        Managing the certificate revocation list ................... 95
        Configuring certificate verification rules ................. 95

    Backing up and restoring configurations ........................ 96
    Configuring an FTP backup and schedule ......................... 98
        Restoring an FTP backup .................................... 100
    Configuring system time ........................................ 100
    Uploading signature updates .................................... 101
    Scheduling signature updates ................................... 102
    Accessing the Setup Wizard ..................................... 104

Router.................................................................................................... 105
    Configuring static routes ...................................... 105

Users and user groups ........................................................................ 107


    User creation workflow ......................................... 107
    Configuring local users ........................................ 108
    Configuring LDAP user queries .................................. 109
    Configuring RADIUS user queries ................................ 111
    Configuring NTLM user queries .................................. 113
    Grouping users ................................................. 114

Server policy......................................................................................... 117


    Server policy workflow requirements ............................ 117
    Configuring server policies .................................... 118
        Enabling or disabling a policy ............................. 128
    Configuring servers ............................................ 129
        Configuring virtual servers ................................ 129
            Enabling or disabling a virtual server ................. 130
        Configuring physical servers ............................... 131
            Enabling or disabling a physical server ................ 133
        Configuring domain servers ................................. 133
            Enabling or disabling a domain server .................. 135
        Grouping physical and domain servers into server farms ..... 135
        Configuring HTTP content routing policy .................... 139
        Configuring HTTP conversion policy ......................... 141

    Configuring server health checks ............................... 143
    Configuring services ........................................... 145
        Viewing the list of custom services ........................ 145
        Viewing the list of predefined services .................... 146



    Configuring protected servers .................................. 147
    Configuring predefined patterns ................................ 150
        Grouping predefined data types ............................. 150
        Viewing the list of predefined data types .................. 152
        Grouping suspicious URLs ................................... 154
        Viewing predefined URL rules ............................... 155
    Configuring custom patterns .................................... 156
        Creating custom data types ................................. 156
        Creating custom suspicious URLs ............................ 157
        Creating custom suspicious URL rules ....................... 158
    Configuring custom application policies ........................ 160
        Custom application workflow ................................ 160
        Configuring URL replacers .................................. 160
        Configuring application policies ........................... 161

XML protection ..................................................................................... 163


    XML protection profile workflow ................................ 163
    Configuring protection schedules ............................... 163
        Configuring one-time schedules ............................. 164
        Configuring recurring schedules ............................ 165
    Configuring content filter rules ............................... 166
        How priority affects content filter rule matching .......... 169
        Enabling or disabling a content filter rule ................ 169
    Configuring intrusion prevention rules ......................... 170
        Enabling or disabling an intrusion prevention rule ......... 172
    Configuring WSDL content routing groups ........................ 173
    Managing XML signature and encryption keys ..................... 175
        Uploading a key ............................................ 175
        Grouping keys into key management groups ................... 176
    Managing schema files .......................................... 178
        Enabling or disabling a schema file ........................ 180
    Managing WSDL files ............................................ 181
        Enabling and disabling operations in a WSDL file ........... 182
        Grouping WSDL files ........................................ 183
    Configuring XML protection profiles ............................ 184

Web protection ..................................................................................... 189


    Web protection profile workflow ................................ 189
    Order of execution ............................................. 190
    Responding to web protection rule violations ................... 191
    Configuring HTTP parameter validation rules .................... 192
        Configuring parameter validation input rules ............... 194



    Configuring page access rules .................................. 198
    Configuring server protection rules ............................ 201
        Configuring server protection exceptions ................... 207
        Configuring custom protection groups ....................... 209
        Configuring custom protection rules ........................ 211

    Configuring start page rules ................................... 213
    Configuring URL access policy .................................. 216
        Configuring URL access rules ............................... 218
    Configuring an IP list policy .................................. 220
        Viewing the top 10 IP blacklist candidates ................. 223
    Configuring brute force login profiles ......................... 224
    Configuring robot control profiles ............................. 227
        Configuring predefined robot groups ........................ 230
        Configuring custom robot groups ............................ 232
        Viewing the list of predefined robots ...................... 234

    Configuring allowed request method policy ...................... 235
        Configuring allowed method exceptions ...................... 237
    Configuring hidden field protection profiles ................... 239
        Configuring hidden field rules ............................. 241
    Configuring URL rewriting policy ............................... 244
        Configuring URL rewriting rules ............................ 246
        URL rewriting examples ..................................... 250
            Rewriting URLs using regular expressions ............... 251
            Rewriting URLs using variables ......................... 251

    Configuring HTTP protocol constraint profiles .................. 252
        Configuring HTTP protocol constraint exceptions ............ 254
    Configuring authentication policy .............................. 257
        HTTP authentication policy workflow ........................ 259
        Configuring authentication policy .......................... 259
        Configuring authentication rules ........................... 261

    Configuring file upload restriction policy ..................... 263
        Configuring file upload restriction rules .................. 265
    Configuring inline protection profiles ......................... 268
        Inline protection profile workflow ......................... 268
        Configuring an inline protection profile ................... 269
    Configuring offline protection profiles ........................ 274
        Offline protection profile workflow ........................ 274
        Configuring an offline protection profile .................. 275
    Applying auto-learning profiles ................................ 278
        Auto-learning profile workflow ............................. 278
        Configuring auto-learning profiles ......................... 279


Auto learn ............................................................................................. 281


    Generating an auto-learning profile and its components ......... 281
    Viewing auto-learning reports .................................. 282
        Using the navigation pane .................................. 284
        Using the report display pane .............................. 285
            Overview tab ........................................... 286
            Attacks tab ............................................ 287
            Visits tab ............................................. 288
            Parameters tab ......................................... 288
            Cookies tab ............................................ 288
        About the attack count ..................................... 289

    Generating a profile from auto-learning data ................... 289

Web anti-defacement ........................................................................... 293


    Configuring anti-defacement .................................... 293
        About web site backups ..................................... 297
    Reverting a web site to a backup revision ...................... 297

Web vulnerability scans ...................................................................... 299


    Web vulnerability scan workflow ................................ 299
    Preparing for the vulnerability scan ........................... 300
    Configuring web vulnerability scan policies .................... 300
        Starting and stopping a web vulnerability scan ............. 302
    Configuring web vulnerability scan profiles .................... 303
    Configuring web vulnerability scan schedules ................... 308
    Viewing scan history and reports ............................... 309
        About web vulnerability scan reports ....................... 310

Logs and reports.................................................................................. 313


    Log configuration workflow ..................................... 313
    About logging .................................................. 313
        Log types .................................................. 314
        Log priority levels ........................................ 314
    Log message field descriptions ................................. 314
    Configuring log alert policies ................................. 316
        Configuring email policies ................................. 317
        Configuring Syslog policies ................................ 319
        Configuring FortiAnalyzer policies ......................... 321
        Configuring trigger policies ............................... 322
    Configuring and enabling logging ............................... 323
        Configuring global log settings ............................ 324
        Enabling logging ........................................... 327
        Obscuring sensitive data in the logs ....................... 329



    Viewing log messages ........................................... 331
        Selecting a log type to view ............................... 332
        Viewing log message details ................................ 335
        Viewing packet log details ................................. 336
        Customizing the log view ................................... 337
            Displaying and arranging log columns ................... 338
            Filtering log messages ................................. 339
            Grouping similar attack log messages ................... 340
        Searching attack logs ...................................... 341

    Downloading log messages ....................................... 343
    Configuring and generating reports ............................. 344
        Configuring a report profile ............................... 346
            Configuring the headers, footers, and logo of a report profile ..... 347
            Configuring the time period and log filter of a report profile .... 348
            Configuring the query selection of a report profile .... 349
            Configuring the advanced options of a report profile ... 350
            Configuring the schedule of a report profile ........... 351
            Configuring the output of a report profile ............. 352

    Viewing and downloading reports ................................ 353

Fine tuning and best practices ........................................................... 355


    Avoiding problems .............................................. 355
    Tuning security ................................................ 357
    Tuning high availability (HA) .................................. 361
        Set an SNMP HA heartbeat alert ............................. 362
    Tuning policy .................................................. 362
    Tuning performance ............................................. 363
        Troubleshooting tip ........................................ 368

Troubleshooting................................................................................... 369
Establish a system baseline ..... 369
Check traffic flow ..... 369
Define the problem ..... 370
Search for a known solution ..... 371
  Technical documentation ..... 371
  Knowledge Base ..... 371
  Fortinet technical discussion forums ..... 371
  Fortinet training services online campus ..... 371

Create a troubleshooting plan ..... 371
  Check your access ..... 372
Gather system information ..... 372
  Check port assignments ..... 373

FortiWeb Web Application Firewall Version 4.0 MR2 Administration Guide Revision 10 http://docs.fortinet.com/ Feedback


Troubleshoot connectivity issues ..... 373
  Check hardware connections ..... 374
  Run ping and traceroute ..... 374
    Check connections with ping ..... 375
    Check routes with traceroute ..... 376
  Verify the contents of the routing table ..... 377
  Verify the contents of the ARP table ..... 377
  Perform a sniffer trace ..... 377
    What can sniffing packets tell you ..... 378
  Debug the packet flow ..... 378
Troubleshoot resource issues ..... 378
  Look for system-intensive processes ..... 378
  Monitor traffic ..... 379
  Prepare for attacks ..... 379
Troubleshoot user and admin login issues ..... 379
  Use correct user name and password combination for user ..... 379
  Check user authentication policies ..... 379
  Change an administrator's password ..... 380
  Trusted hosts for admin account will not allow current IP ..... 380
Troubleshoot bootup issues ..... 381
  A. Do you see the boot options menu ..... 381
  B. Do you have problems with the console text ..... 381
  C. Do you have visible power problems ..... 382
  D. You have a suspected defective FortiWeb unit ..... 382

Contact Fortinet customer support for assistance.................................................. 382

Installing new firmware ....................................................................... 385


Testing new firmware before installing it ..... 385
Installing firmware ..... 387
Installing backup firmware ..... 389
Restoring firmware ..... 391

Appendix A: Supported RFCs, W3C and IEEE standards ..... 395
Appendix B: Maximum values ..... 397
  FortiWeb-VM ..... 397
  Interpreting maximum values ..... 397
    Persistent server sessions ..... 398
    Network and VLAN interfaces ..... 398


Appendix C: SNMP MIB support ..... 399
Appendix D: Language support & regular expressions ..... 401
Appendix E: Ports used by FortiWeb ..... 403
Index ..... 405


Introduction
Welcome and thank you for selecting Fortinet products for your network protection. FortiWeb units are designed specifically to protect web servers.
Note: Any reference to a FortiWeb unit also applies to FortiWeb-VM, unless specifically noted otherwise. Both versions perform the same tasks and you configure them the same way. Only their installation differs.

The FortiWeb family of web application firewalls provides specialized, layered application threat protection. FortiWeb's integrated web application and XML firewalls protect your web-based applications and internet-facing data from attack and data loss. Using advanced techniques to provide bidirectional protection against sophisticated threats like SQL injection and cross-site scripting, FortiWeb helps you prevent identity theft, financial fraud and corporate espionage. FortiWeb delivers the technology you need to monitor and enforce government regulations, industry best practices, and internal policies.

FortiWeb significantly reduces deployment costs by consolidating a web application firewall, XML filtering, web traffic acceleration, and application traffic balancing into a single device. It drastically reduces the time required to protect your internet-facing data and eases the challenges associated with policy enforcement and regulatory compliance. Its intelligent, application-aware, load-balancing engine:
- increases application performance
- improves resource utilization
- improves application stability
- reduces server response times.

In addition to providing application content-based routing and in-depth protection for many HTTP/HTTPS- and XML-specific attacks, FortiWeb units contain specialized hardware to accelerate SSL processing, and can thereby enhance both the security and the performance of connections to your web servers.

This chapter introduces you to the following topics:
- Registering your Fortinet product
- Scope
- Workflow
- Deleting entries
- Characteristics of XML threats
- Characteristics of HTTP threats
- Customer service & technical support
- Documentation
- Documentation Conventions

Registering your Fortinet product


Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.


Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.

Scope
This document describes how to use the web-based manager of the FortiWeb unit. It assumes you have already successfully installed the FortiWeb unit by following the instructions in the FortiWeb Install and Setup Guide. At this stage:
- The FortiWeb unit is integrated into your network and is powered on.
- You have completed firmware updates, if applicable.
- You configured a port on the FortiWeb unit during installation. You must configure at least one port to access the web-based manager or CLI. If not, consult the FortiWeb Install and Setup Guide.
- You have administrative access to the web-based manager through a browser, and you can log in successfully. If not, consult the FortiWeb Install and Setup Guide.
- You have given the default administrator a password. If not, consult the FortiWeb Install and Setup Guide or refer to Configuring administrator accounts on page 75.
- You have set the operation mode. If not, consult the FortiWeb Install and Setup Guide or refer to Configuring the operation mode on page 71.
- You have configured additional network interfaces. If not, consult the FortiWeb Install and Setup Guide or refer to Configuring the network and VLAN interfaces on page 50.
- You have configured the system time. If not, consult the FortiWeb Install and Setup Guide or refer to Configuring system time on page 100.
- You have configured the DNS. If not, consult the FortiWeb Install and Setup Guide or refer to Configuring the DNS settings on page 58.
- You have configured a default gateway. If not, consult the FortiWeb Install and Setup Guide or refer to Configuring static routes on page 105.
- You have configured basic logging. If not, consult the FortiWeb Install and Setup Guide or refer to Configuring log alert policies on page 316.
- You have created at least one server policy. If not, consult the FortiWeb Install and Setup Guide or refer to Server policy workflow requirements on page 117.

This document does not cover commands for the command line interface (CLI). For information on the CLI, see the FortiWeb CLI Reference.

Workflow
There is a logical order to follow during the setup and configuration of your FortiWeb unit. Make sure you have followed the workflow steps documented in the FortiWeb Install and Setup Guide. That workflow guides you through installation, setup, and the creation of a basic system. This document explains how to develop more comprehensive server policies and other protection features for your web sites and web servers.


For a first-time FortiWeb user, read the chapter on deployment guidelines before going further. See Deployment guidelines on page 27.

You can find targeted workflow information throughout this guide:
- Look for a workflow topic on the opening page of several chapters.
- Within some chapters, complicated topics also have a workflow section.
- Within feature descriptions, look for a brief tip on recommended workflow.

Server policies provide most of FortiWeb's protection features. When you begin to expand existing server policies or create new ones, review Server policy workflow requirements on page 117. That topic gives the highest-level workflow. Creating a server policy involves multiple steps, and you can drill down into workflow topics in other chapters.

Deleting entries
As you configure your FortiWeb unit, you create entries in the tables on tabs accessed by the menu. The ability to delete entries on any table is limited: you cannot delete or remove an item that is a component of something else. A few examples are:
- You cannot delete a user on one of the user tabs if that user is a member of a group, unless you first remove the user from the group.
- You cannot delete a group if that group is used by an authentication rule, unless you first remove the group from the rule.
- You cannot remove an XML protection schedule item if it is used in the Period option of a content filter rule, unless you first remove the schedule reference from the rule.
- You cannot delete a web protection parameter validation rule if it is used in an inline or offline protection profile, unless you first remove the rule reference from the profile.

The Delete icon does not appear next to a table item if the delete operation is not allowed.

Characteristics of XML threats


XML messages can be relatively large: many megabytes and thousands of packets. Unstructured matching of elements in those messages is both CPU- and memory-intensive. Because of the complexity of XML content, it is often not practical to develop signatures for XML-specific attacks on a traditional firewall or UTM. This leaves a window of zero-day exposure before attacks can be characterized and signatures developed. FortiWeb units understand the XML protocol and only allow XML operations that you specifically allow. Table 1 lists several XML-related threats and describes how FortiWeb units protect against them.


Table 1: XML-related threats (columns: Attack Technique, Description, Protection, FortiWeb Solution)

Schema Poisoning
  Description: Manipulating the XML schema to alter processing information.
  Protection: Protect against schema poisoning by relying on trusted WSDL documents and XML schemas.
  FortiWeb Solution: The Schema Poisoning option in the protection profile prevents external schema references from being used.

XML Parameter Tampering
  Description: Injection of malicious scripts or content into request parameters.
  Protection: Validation of parameter values to ensure they are consistent with WSDL and XML schema specifications.
  FortiWeb Solution: Schema validation in the protection profile.

Inadvertent XML DoS
  Description: Poorly encoded SOAP messages causing the application to fail.
  Protection: Content inspection ensures SOAP messages are constructed properly according to WSDL, XML schema and intrusion prevention rules.
  FortiWeb Solution: Schema validation, WSDL verification and intrusion prevention rule in the protection profile.

WSDL Scanning
  Description: Scanning the WSDL interface can reveal sensitive information about invocation patterns, underlying technology and associated vulnerabilities.
  Protection: Web services cloaking hides the web services' true location from consumers.
  FortiWeb Solution: WSDL scanning option and the ability to filter services from WSDL on a per-IP / time basis.

Oversized Payload
  Description: Sending oversized messages to create an XDoS attack.
  Protection: Inspect the payload and enforce element, document, and other maximum payload thresholds.
  FortiWeb Solution: XML documents are checked against the schema and intrusion prevention rule.

Recursive Payload
  Description: Sending mass amounts of nested data to create an XDoS attack against the XML parser.
  Protection: Content inspection ensures SOAP messages are constructed properly according to WSDL, XML schema, and other security specifications.
  FortiWeb Solution: Intrusion prevention definition.

SQL Injection
  Description: SQL injection allows commands to be executed directly against the database for unauthorized disclosure and modification of data.
  Protection: Rely on dirty word searches, restrictive context-sensitive filtering and data validation techniques.
  FortiWeb Solution: XML Profile option to filter SQL transactions from XML documents.

External Entity Attack
  Description: An attack on an application that parses XML input from untrusted sources (DTD internal subset).
  Protection: Suppress external URI references to protect against malicious data sources and instructions; rely on well-known and certified URIs.
  FortiWeb Solution: Similar to schema poisoning.
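As an added example (not FortiWeb's own code), the following Python enforces three of the payload thresholds from Table 1 on a raw XML message before a backend parser sees it: the oversized payload (size and element count), the recursive payload (nesting depth) and the external entity attack (any DOCTYPE or external entity reference). The limits and sample messages are constructed for illustration.

```python
"""Added example (not FortiWeb code): streaming XML payload limits in the spirit
of Table 1. All limits and sample messages are constructed assumptions."""
import xml.parsers.expat
from dataclasses import dataclass


class XmlPayloadRejected(Exception):
    """Raised with a short, log-ready reason when a message violates a limit."""


@dataclass(frozen=True)
class XmlPayloadLimits:
    max_bytes: int = 1024 * 1024   # whole-document size (oversized payload)
    max_depth: int = 32            # element nesting depth (recursive payload)
    max_elements: int = 10_000     # total element count (oversized payload)


DEFAULT_LIMITS = XmlPayloadLimits()


def inspect_xml_payload(data: bytes, limits: XmlPayloadLimits = DEFAULT_LIMITS) -> dict:
    """Stream the document through expat and enforce the limits while parsing.

    Returns {"elements": n, "max_depth": d} for an accepted message and raises
    XmlPayloadRejected as soon as a limit is hit, so a deep or huge document is
    never fully processed. Any DOCTYPE (DTD internal subset) and any external
    entity reference is refused outright, which covers the external entity row
    of Table 1 without needing a list of known-bad URIs."""
    if len(data) > limits.max_bytes:
        raise XmlPayloadRejected(f"oversized payload: {len(data)} bytes > {limits.max_bytes}")

    state = {"depth": 0, "max_depth": 0, "elements": 0}

    def start_element(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > limits.max_depth:
            raise XmlPayloadRejected(
                f"recursive payload: nesting depth > {limits.max_depth} at <{name}>")
        if state["elements"] > limits.max_elements:
            raise XmlPayloadRejected(
                f"oversized payload: more than {limits.max_elements} elements")
        state["max_depth"] = max(state["max_depth"], state["depth"])

    def end_element(name):
        state["depth"] -= 1

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # A DTD is where entities (internal or external) get declared. SOAP
        # messages never legitimately carry one, so refuse it before any
        # entity declaration is even read.
        raise XmlPayloadRejected(f"DOCTYPE not allowed (<!DOCTYPE {doctype_name}>)")

    def external_entity_ref(context, base, system_id, public_id):
        raise XmlPayloadRejected(f"external entity reference to {system_id!r}")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed ("poorly encoded") SOAP, the Inadvertent XML DoS row.
        raise XmlPayloadRejected(f"malformed XML: {exc}") from exc
    return {"elements": state["elements"], "max_depth": state["max_depth"]}


def verdict(data: bytes, limits: XmlPayloadLimits = DEFAULT_LIMITS) -> tuple:
    """Wrap the inspection as an allow/block decision plus a reason for the log."""
    try:
        stats = inspect_xml_payload(data, limits)
    except XmlPayloadRejected as exc:
        return ("block", str(exc))
    return ("allow", f"elements={stats['elements']} depth={stats['max_depth']}")


# Constructed sample messages (not captured traffic).
SOAP_OK = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOrder xmlns="urn:example:orders"><OrderId>12345</OrderId></GetOrder>
  </soap:Body>
</soap:Envelope>"""

# Recursive payload: 200 nested elements, far past the 32-level limit.
RECURSIVE = b"<a>" * 200 + b"</a>" * 200

# DTD internal subset declaring an external entity (placeholder URI).
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE foo [<!ENTITY ext SYSTEM "http://untrusted.example/data">]>'
       b'<foo>&ext;</foo>')

if __name__ == "__main__":
    samples = (("soap", SOAP_OK), ("recursive", RECURSIVE), ("xxe", XXE),
               ("oversized", b"<x>" + b"a" * 2_000_000 + b"</x>"))
    for label, msg in samples:
        print(label, verdict(msg))
```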

Characteristics of HTTP threats


Web applications are increasingly being targeted by exploits such as SQL injection and cross-site scripting attacks. These attacks aim to compromise the target web server, either to steal information or to post malicious files on a trusted site to further exploit visitors to the site. The types of attacks that web servers are vulnerable to are numerous and varied. FortiWeb units offer several options for preventing web-related attacks. Table 2 lists several Web-related threats and describes how FortiWeb units protect against them.


Table 2: Web-related threats (columns: Attack Technique, Description, Protection, FortiWeb Solution)

Cross-site request forgery (CSRF)
  Description: A script causes a browser to access a web site on which the browser has already been authenticated, giving a third party access to a user's session on that site.
  Protection: Enforce web application business logic to prevent random access to URLs.
  FortiWeb Solution: Apply page access rules.

Cross-site scripting (XSS)
  Description: Attackers cause a browser to execute a client-side script, allowing them to bypass security.
  Protection: Content filtering, cookie security, disable client-side scripts.
  FortiWeb Solution: Apply XSS signature scanning in server protection rules.

SQL injection
  Description: SQL injection allows commands to be executed directly against the database for unauthorized disclosure and modification of data.
  Protection: Rely on dirty word searches, restrictive context-sensitive filtering and data validation techniques.
  FortiWeb Solution: Apply parameter validation rules, hidden fields protection features, and SQL injection signature scanning.

Attacks via Flash AMF binary protocol
  Description: Attackers attempt XSS, SQL injection or other common exploits through a Flash client.
  Protection: Actively scan Flash action message format binary data for known exploits.
  FortiWeb Solution: Apply AMF3 protocol scanning for known exploits.

Information leakage
  Description: A web server reveals details (such as its OS, server software and installed modules) in responses or error messages. An attacker can leverage this information to craft exploits for a specific system or configuration.
  Protection: Configure server software to minimize information leakage.
  FortiWeb Solution: Information disclosure detection in server protection rules can alert when leakage happens, or block it altogether. URL rewriting can hide underlying implementation details.

Credit card theft
  Description: Attackers use exploits to obtain users' credit card information from a secure server.
  Protection: Detect and block credit card disclosure.
  FortiWeb Solution: Credit card detection in server protection rules can detect and block disclosure of credit card numbers on web pages.

SYN Flood DoS Attack
  Description: An attacker sends multiple SYN messages to a host without responding to an ACK reply, leaving connections half open and consuming resources on the server. This may cause the server to ignore SYN messages from legitimate users and reduce service.
  Protection: Detect increased SYN activity, close half-open connections before resources are exhausted.
  FortiWeb Solution: Use a configurable threshold to detect a flood of SYN messages.

Brute force login attack
  Description: An attacker attempts to gain authorization by repeatedly trying ID and password combinations until one works.
  Protection: Require strong passwords for users, and throttle login attempts.
  FortiWeb Solution: Brute force login policies can throttle the number of login attempts per standalone or shared IP for specific resources.

Bad robots
  Description: Misbehaving web crawlers ignore the robots.txt file, and consume server resources and bandwidth on a site.
  Protection: Ban bad robots by source IP or User Agent field.
  FortiWeb Solution: Robot control can throttle requests per IP, and block robots identified by the User Agent field.

HTTP protocol attack
  Description: Attackers use specially crafted HTTP requests to target web server vulnerabilities (such as a buffer overflow) to execute malicious code.
  Protection: Limit the length of HTTP protocol fields.
  FortiWeb Solution: HTTP protocol constraint policies enforce configurable limits on the length of HTTP headers, bodies, and parameters.
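As an added example (not FortiWeb's own code) of the HTTP protocol constraint and parameter validation rows of Table 2, the following Python checks a raw HTTP request against length limits on the request line, header lines, header count, body and parameters, plus an allowed-method set, and reports every violation it finds. The limits, header names and sample requests are constructed assumptions for illustration.

```python
"""Added example (not FortiWeb code): HTTP protocol constraints applied to a raw
request before forwarding. Limits and sample requests are constructed."""
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class HttpConstraints:
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    max_request_line: int = 2048    # bytes: method + target + version
    max_header_line: int = 4096     # bytes per header line
    max_header_count: int = 40
    max_body_bytes: int = 64 * 1024
    max_param_name: int = 64        # characters
    max_param_value: int = 1024


def check_request(raw: bytes, c: HttpConstraints = HttpConstraints()) -> list:
    """Return the list of constraint violations (an empty list means allowed).

    Every violation is reported rather than only the first, so a log entry
    shows the full picture; an inline filter would block on the first one."""
    violations = []
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]

    if len(request_line) > c.max_request_line:
        violations.append(f"request line {len(request_line)} bytes > {c.max_request_line}")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        violations.append("malformed request line")
        return violations                       # nothing further can be trusted
    method, target = parts[0].decode("latin-1"), parts[1].decode("latin-1")
    if method not in c.allowed_methods:
        violations.append(f"method {method} not allowed")

    if len(header_lines) > c.max_header_count:
        violations.append(f"{len(header_lines)} headers > {c.max_header_count}")
    headers = {}
    for line in header_lines:
        if len(line) > c.max_header_line:
            violations.append(f"header line {len(line)} bytes > {c.max_header_line}")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            violations.append(f"malformed header line {line[:40]!r}")
            continue
        headers[name.strip().lower()] = value.strip()

    if len(body) > c.max_body_bytes:
        violations.append(f"body {len(body)} bytes > {c.max_body_bytes}")
    declared = headers.get(b"content-length")
    if declared is not None and (not declared.isdigit() or int(declared) != len(body)):
        violations.append("Content-Length does not match body")

    # Parameter constraints: query string plus a form-encoded body. parse_qsl
    # keeps every instance of a repeated name, so each one is validated.
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if headers.get(b"content-type", b"").startswith(b"application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    for name, value in params:
        if len(name) > c.max_param_name:
            violations.append(f"parameter name {name[:16]!r}... > {c.max_param_name} chars")
        if len(value) > c.max_param_value:
            violations.append(f"parameter {name!r} value {len(value)} chars > {c.max_param_value}")
    return violations


# Constructed sample requests (not captured traffic).
REQ_OK = (b"GET /search?q=fortiweb&page=2 HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"User-Agent: constructed-sample/1.0\r\n\r\n")

# Oversized parameter value in a form body, with a matching Content-Length.
_big_body = b"user=alice&comment=" + b"A" * 5000
REQ_BIG_PARAM = (b"POST /comment HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 + b"Content-Length: %d\r\n\r\n" % len(_big_body) + _big_body)

# Disallowed method plus a header flood.
REQ_FLOOD = (b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n"
             + b"".join(b"X-Pad-%d: x\r\n" % i for i in range(60)) + b"\r\n")

if __name__ == "__main__":
    for label, req in (("ok", REQ_OK), ("big-param", REQ_BIG_PARAM), ("flood", REQ_FLOOD)):
        print(label, check_request(req) or "allowed")
```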

Customer service & technical support


Fortinet Technical Support provides services designed to make sure that you can install your Fortinet products quickly, configure them easily, and operate them reliably in your network. To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com. You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article Technical Support Requirements.

Training
Fortinet Training Services provides classes that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://training.fortinet.com, or email them at training@fortinet.com.

Fortinet Knowledge Base


The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes. In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Base.


Fortinet Tools and Documentation CD


Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Comments on Fortinet technical documentation


Please send information about any errors or omissions in this technical document to techdoc@fortinet.com.

Documentation Conventions
Fortinet technical documentation uses the conventions described in this section.
- IP addresses
- Cautions, Notes, & Tips
- Typographical conventions
- Command syntax conventions

IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.

Cautions, Notes, & Tips


Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.
Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Note: Presents useful information, usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions
Fortinet documentation uses the following typographical conventions:


Table 3: Typographical conventions in Fortinet technical documentation

Convention: Button, menu, text box, field, or check box label
  Example: From Minimum log level, select Notification.

Convention: CLI input
  Example:
    config system dns
      set primary <address_ipv4>
    end

Convention: CLI output
  Example:
    FGT-602803030703 # get system settings
    comments : (null)
    opmode : nat

Convention: Emphasis
  Example: HTTP connections are not secure and can be intercepted by a third party.

Convention: File content
  Example:
    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
    <BODY><H4>You must authenticate to use this service.</H4>

Convention: Hyperlink
  Example: Visit the Fortinet Technical Support web site, https://support.fortinet.com.

Convention: Keyboard entry
  Example: Type a name for the remote VPN peer or client, such as Central_Office_1.

Convention: Navigation
  Example: Go to VPN > IPSEC > Auto Key (IKE).

Convention: Publication
  Example: For details, see the FortiGate Administration Guide.

Command syntax conventions


The command line interface (CLI) requires that you use valid syntax, and conform to expected input constraints. It will reject invalid commands. Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input.
Table 4: Command syntax notation

Square brackets [ ]
  A non-required word or series of words. For example:
    [verbose {1 | 2 | 3}]
  indicates that you may either omit or type both the verbose word and its accompanying option, such as:
    verbose 3

Angle brackets < >
  A word constrained by data type. To define acceptable input, the angle brackets contain a descriptive name followed by an underscore ( _ ) and a suffix that indicates the valid data type. For example:
    <retries_int>
  indicates that you should enter a number of retries, such as 5.
  Data types include:
  - <xxx_name>: A name referring to another part of the configuration, such as policy_A.
  - <xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route.
  - <xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
  - <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.
  - <xxx_email>: An email address, such as admin@mail.example.com.
  - <xxx_url>: A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet.com/.
  - <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
  - <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
  - <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
  - <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.
  - <xxx_ipv6>: A colon ( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
  - <xxx_v6mask>: An IPv6 netmask, such as /96.
  - <xxx_ipv6mask>: An IPv6 address and netmask separated by a space.
  - <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences. See the FortiWeb CLI Reference.
  - <xxx_int>: An integer number that is not another data type, such as 15 for the number of minutes.

Curly braces { }
  A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

  Options delimited by vertical bars |
    Mutually exclusive options. For example:
      {enable | disable}
    indicates that you must enter either enable or disable, but must not enter both.

  Options delimited by spaces
    Non-mutually exclusive options. For example:
      {http https ping snmp ssh telnet}
    indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:
      ping https ssh
    Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:
      ping https snmp ssh
    If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.


What's new
The list below contains the new features or major changes in the current v4.2 FortiWeb release.
- IP List Policy: A new method to define source IPs that are trusted (trust IP) and not trusted (black IP) was added to the Web protection IP List Policy. See Configuring an IP list policy on page 220.
- File Upload Restriction: Provides a new web protection technique to specify the exact file types that are permitted to be uploaded to selected hosts or URLs. See Configuring file upload restriction policy on page 263.
- FortiAnalyzer support: FortiWeb now supports storage of log messages remotely on a FortiAnalyzer unit. See Configuring FortiAnalyzer policies on page 321.
- Event and Attack Log Console: The system status display now includes an Event Log console widget and an Attack Log console widget. The Alert console widget was removed. See Attack Log Console widget on page 48 and Event Log Console widget on page 48.
- Rewrite URLs in HTTP body: URLs in the body of HTTP responses can now be rewritten, similar to rewriting URLs in HTTP headers. See Configuring URL rewriting policy on page 244.
- Allow Request Method: The Allow Method Exceptions feature was changed to the Allow Request Method. It includes Allow Method Policy and Allow Method Exceptions. See Configuring allowed request method policy on page 235.
- HTTP Protocol Constraints Exceptions: HTTP protocol exception settings were added to HTTP protocol constraints. See Configuring HTTP protocol constraint profiles on page 252.
- Severity and trigger policy: Settings for severity level and trigger policy are now available in all web protection rules, where appropriate. For example, see Configuring page access rules on page 198.
- Policy item details link: The ability to view a read-only version of the details for a specific rule associated with a policy is available, where appropriate, without leaving the policy view. For example, see Detail link in Configuring URL access policy on page 216.
- Support for HTTP and HTTPS in same policy: HTTPS service is now configurable in the same policy as HTTP. See Configuring server policies on page 118.
- Persistent server session values: The values for persistent server settings in server policy were updated. See Configuring server policies on page 118 and Appendix B: Maximum values on page 397.
- Extended signature set granularity: The granularity of extended signature sets is now selectable, with a range of none (disable), basic, enhanced or full. See Configuring server protection rules on page 201.
- Validation of multiple identical parameters in a single request: HTTP validation rules now validate all instances of multiple identical parameters in a single request. See Configuring HTTP parameter validation rules on page 192.
- Cloning custom protection profiles: You can now clone custom protection profiles and use them as a base for new profiles. See Configuring inline protection profiles on page 268 and Configuring offline protection profiles on page 274.

FortiWeb Web Application Firewall Version 4.0 MR2 Administration Guide Revision 10 http://docs.fortinet.com/ Feedback

• Persistent Server Session Threshold - You can now define a threshold that triggers a persistent server session event log. See Enabling logging on page 327.
• Log message download - You can now download a specific range of event, attack or traffic logs from the FortiWeb hard disk to your local computer. See Downloading log messages on page 343.
• Back up and Restore Web Protection Profile - In addition to system configuration files, you can now back up and restore web protection profiles. See Backing up and restoring configurations on page 96.
• FTP configuration backup and schedule - You can now back up configurations to an FTP server. See Configuring an FTP backup and schedule on page 98.
• Severity information in log message - A severity level (high, medium, low) was added to log messages. See Responding to web protection rule violations on page 191.
• Configuration synchronization - You can synchronize configuration information on the local FortiWeb unit to a peer (remote) FortiWeb unit, even if the unit is not part of a high-availability (HA) pair. See Synchronizing configurations on page 59.
• Signature update without restart - FortiWeb no longer requires a restart and login after a signature update. See Uploading signature updates on page 101.
• Brute force login - The GUI has been reorganized and PCRE regular expression checking was added. See Configuring brute force login profiles on page 224.
• Custom Application Policy - You can now create application policy plug-ins that recognize non-standard, customized applications, and modify the URL information so that an auto-learning profile can work more effectively. See Configuring custom application policies on page 160.

About the web-based manager


This chapter describes aspects that are general to the use of the web-based manager, a graphical user interface (GUI) that provides access to the FortiWeb unit from within a web browser. This chapter includes the following topics:
• System requirements
• URL for access
• Settings

System requirements
The management computer that you use to access the web-based manager must have:
• a compatible web browser, such as Microsoft Internet Explorer 6.0 or greater, or Mozilla Firefox 3.0 or greater
• Adobe Flash Player 10 or greater plug-in

To minimize scrolling, the computer's screen should have a resolution that is a minimum of 1280 x 1024 pixels.

URL for access


You access the web-based manager by URL using a network interface on the FortiWeb unit that you have configured for administrative access. The default URL to access the web-based manager through the network interface on port1 is https://192.168.1.99/. If the network interfaces were configured during installation of the FortiWeb unit (see the FortiWeb Install and Setup Guide), the URL and/or permitted administrative access protocols may no longer be in their default state. In that case, use either a DNS-resolvable domain name for the FortiWeb unit as the URL, or the IP address that was assigned to the network interface during the installation process. For example, you might have configured port2 with the IP address 10.0.0.1 and enabled HTTPS. You might have also configured a private DNS server on your network to resolve fortiweb.example.com to 10.0.0.1. In this case, to access the web-based manager through port2, you could enter either https://fortiweb.example.com/ or https://10.0.0.1/. For information on enabling administrative access protocols and configuring IP addresses for the FortiWeb unit, see Configuring the network and VLAN interfaces on page 50.
Note: If the URL is correct and you still cannot access the web-based manager, you may also need to configure from which hosts the FortiWeb unit will accept login attempts for your administrator account (that is, trusted hosts), and/or static routes. For details, see Configuring administrator accounts on page 75 and Configuring static routes on page 105.

Settings
Some settings for the web-based manager apply regardless of which administrator account you use to log in. Global settings include the idle timeout, the TCP port number on which the web-based manager listens for connection attempts, the network interfaces on which it listens, the language of its display, and whether or not more than one administrator can log in simultaneously. For details, see Configuring the web-based manager's global settings on page 82.

Single administrator mode


If single administrator mode is enabled, when you log in to the web-based manager, you may be required to disconnect other administrators' account sessions before you can continue.
Figure 1: Single administrator mode disconnection prompt

For details, see Security Settings on page 84.

Deployment guidelines
Integrating FortiWeb into your network and configuring it to protect your web assets is not an overnight process. Nor is it a linear process. Be prepared to roll out FortiWeb in phases over several weeks, with tests and configuration edits as part of each stage. These deployment guidelines apply to each web application you choose to protect with FortiWeb. That is, for each server you protect with a server policy, go through these phases. You can deploy multiple applications in sequence or in parallel.

Deployment prerequisites
This chapter assumes you have completed the following steps:
• You have installed and partly configured FortiWeb as described in the FortiWeb Install and Setup Guide or the FortiWeb-VM Install Guide.
• A basic auto-learning profile is in place. (If not, see Generating an auto-learning profile and its components on page 281.)
• You have chosen your final operation mode, one of reverse proxy, true transparent proxy, or transparent inspection. If you chose offline protection, that is fine for now. You can switch to your final operation mode later.
• You can access the web-based manager and your administrator account profile has read and write access to all relevant features. For details, see About permissions on page 80.

Server policy
To begin deployment, you must have at least one active server policy monitoring at least one real web server. If not, see Configuring policies in the FortiWeb Install and Setup Guide for instructions on creating a basic server policy that you can start with. The backbone of a FortiWeb unit's web site protection is the server policies that apply to your web sites and web applications. Here are a few tips to remember as you deploy:
• Change policy settings with care. Any changes take effect immediately. When you change a server policy that has already been tested, you should retest it.
• The FortiWeb unit applies rules, policies and data scans in a set order. (See Order of execution on page 190.) Review the logic of your server policies to make sure they deliver the web protection you expect.
• By the end of your FortiWeb deployment, make sure that all physical web servers are covered by a policy. If a server has no associated policy or all policies for it are disabled, FortiWeb will not monitor traffic to that web server. In reverse proxy mode, FortiWeb will block traffic to servers without an enabled policy.

Deployment workflow
This chapter takes you through four or five phases, depending on your initial operation mode. Those phases progress from a bare-bones, untested web server protection configuration to the end of the deployment period several weeks later. This chapter includes the following sections:
• Phase 1: Examine the initial configuration
• Phase 2: Monitor and tune the configuration
• Phase 3: Test for vulnerabilities
• Phase 4: Switch from offline protection mode (if applicable)
• Phase 5: Prepare for full operation

Phase 1: Examine the initial configuration


This phase covers activities on the first day of the first week. Spend the time confirming you have a working configuration.

Do a visual check
Access the FortiWeb web-based manager (see URL for access on page 25) and look for obvious problems.
• If you cannot access the web-based manager or access seems incomplete, your installation may not be correct. Review the FortiWeb Install and Setup Guide to make sure you installed the unit correctly. If there is still a problem, see Troubleshoot connectivity issues on page 373.
• Does the web-based manager's URL, or the text or data on the dashboard, contain odd characters? If so, you may be using the wrong character set. See Appendix D: Language support & regular expressions on page 401.
• Examine the Service Status widget on the dashboard (go to System > Status > Status), as shown in Figure 2. Does it list at least one policy and a real server? If not, you have not created a valid server policy yet and FortiWeb has nothing to work with. Create at least one server policy before going further. See Configuring policies in the FortiWeb Install and Setup Guide. (Do not be concerned that nothing appears in the Server Status column at this point. That column applies to servers in server farms.)
• Also examine the Policy Sessions widget on the dashboard. Are there active sessions related to your policies? If not, it may mean that the policy is not being applied to an active web resource.

Figure 2: Service Status and Policy Sessions widgets

Check dynamic data on the dashboard


The FortiWeb dashboard is the first place to start, not just during deployment, but any time you want to know the health of your system. Go to System > Status > Status and examine the Policy Summary widget, as shown in Figure 3 on page 29. Examine the HTTP Traffic Monitor. If there is no traffic, you have a problem. Check to see if your gateway setting is correct (go to Router > Static > Static Route). Also see the troubleshooting topic Check traffic flow on page 369.

Figure 3: Policy Summary widget

• Examine the Attack Event History. If you have a large number of attacks, it may mean some aspect of your policy configuration is generating false positives. If you have no attacks, but you have reasonable levels of traffic, it may mean the protection profile used by your server policy is incomplete.
• Examine the Attack Log widget. If the list includes many identical entries, it likely indicates false positives (unless it is a DoS assault). If there are many entries of a different nature, it likely indicates real attacks. If there are no attack log entries but the Attack Event History shows attacks, it likely means you have not correctly configured logging. See Configuring and enabling logging on page 323.

Figure 4: Attack Log Console widget

Check your auto-learning data


An auto-learning profile can teach you a great deal about the threats your web assets face. A profile also helps you understand the application structure and how real users use it. Check that each server policy includes an auto-learning profile. Go to Server > Server Policy > Policy. Click the Edit icon for your policy. Look in the WAF Auto Learn Profile field or the Web Protection Profile field to make sure at least one of those fields references an auto-learn profile. If there is no profile, create one and use it. See Generating an auto-learning profile and its components on page 281.

If your server policy includes an auto-learning profile, check that it is gathering data. Go to Auto Learn > Auto Learn Report and click the Detail icon to see the report. If the report shows few or zero hits, the profile is not gathering data. (No data could also be a result of no traffic.)

Figure 5: Auto Learn Report Overview tab

Phase 2: Monitor and tune the configuration


Once you confirm you have a working configuration in phase 1, move to this phase. Phase 2 covers the remaining days of the first week. Spend the time eliminating false positives and refining log reports.

Stay diligent
• Each day, check the dashboard for obvious problems.
• Examine the auto-learn report for each server in your system (see Check your auto-learning data on page 29).
• If an auto-learning profile is returning many URLs that do not make sense, such as URLs with complex session IDs like this one:
/app/login.asp;jsessionid=xxx;p1=111;p2=123?p3=5555&p4=66aaaaa
you need to configure a custom application policy and a URL replacer; otherwise such URLs reduce the value of the auto-learning profile. See Configuring custom application policies on page 160.
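As an added illustration (not FortiWeb's own URL replacer, whose matching rules are configured per application and are not reproduced here), the following Python code shows what a URL replacer has to achieve before auto-learning sees the URL: strip session IDs and opaque tokens, and keep only the path and the parameter names. The session-parameter names, the token heuristic and the sample URLs are assumptions constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumption: parameter names that carry session identifiers. FortiWeb's own
# URL replacer rules are configured per application and are not reproduced here.
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "aspsessionid", "sessionid", "sid"}

# Assumption: a path segment of 24+ token characters containing a digit is an
# opaque session or tracking value embedded in the path, not a real resource name.
TOKEN_SEGMENT = re.compile(r"^(?=.*\d)[A-Za-z0-9+/=_-]{24,}$")


def normalize_url(raw_url):
    """Reduce a raw request URL to what an auto-learning profile should learn.

    Returns (path, parameter_names): matrix parameters (";name=value"), session
    IDs and opaque token segments are removed from the path, and the remaining
    matrix and query parameter *names* are collected in sorted order. Values are
    discarded on purpose: per-request values such as p3=5555 would otherwise make
    every request look like a different URL.
    """
    parts = urlsplit(raw_url)
    path, *matrix = parts.path.split(";")
    names = set()

    for seg in matrix:                       # ;p1=111;p2=123 style parameters
        name, _, _value = seg.partition("=")
        if name and name.lower() not in SESSION_PARAM_NAMES:
            names.add(name)

    # drop opaque token segments such as /app/<32 hex chars>/profile.asp
    segments = [s for s in path.split("/") if not TOKEN_SEGMENT.match(s)]
    path = "/".join(segments)

    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in SESSION_PARAM_NAMES:
            names.add(name)

    return path, tuple(sorted(names))


def learned_entries(raw_urls):
    """Count how many raw URLs collapse into each normalized, learnable entry."""
    return Counter(normalize_url(u) for u in raw_urls)


# Constructed sample traffic: the same login page seen with rotating session IDs.
SAMPLE_URLS = [
    "/app/login.asp;jsessionid=A1B2C3D4;p1=111;p2=123?p3=5555&p4=66aaaaa",
    "/app/login.asp;jsessionid=Z9Y8X7W6;p1=222;p2=456?p3=1&p4=bb",
    "/app/login.asp?p3=7&p4=cc&PHPSESSID=deadbeef",
    "/app/0123456789abcdef0123456789abcdef/profile.asp?user=42",
]

if __name__ == "__main__":
    entries = learned_entries(SAMPLE_URLS)
    print(f"{len(SAMPLE_URLS)} raw URLs -> {len(entries)} learnable entries")
    for (path, names), count in entries.items():
        print(f"{count}x {path} params={','.join(names) or '-'}")
```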

Tune up alerts
When you configure protection profiles, many of their components include an action option that sets the response to a detected violation. Actions also combine with severity levels and trigger responses, as shown in Figure 6 on page 31.

Figure 6: Dialog showing actions, severity and triggers

The available actions vary with the protection feature. See Responding to web protection rule violations on page 191 for a list of all actions and their uses.

When you select many action items, such as Alert & Deny or Redirect, the auto-learning feature stops gathering auto-learning data for the applicable connection, resulting in incomplete session information for the auto-learning profile. During the deployment phase, you want each connection processed completely. To get complete connection processing, without having to change all your actions, enable the Monitor Mode option on each server policy. Go to Server Policy > Server Policy. Edit each policy and select Monitor Mode. When enabled, this mode treats all actions as if they were the Alert action. Alerts show up on the dashboard and may generate email if you configured an email policy for use in triggers. (If you are not getting email, see Define logs, reports and email alerts on page 32.)

Since many of the rules and policies that make up protection profiles are based, at least in part, on regular expressions or data ranges whose values are hard to predict, many of your initial alerts will not be real attacks or violations. They will be false positives. If the dashboard indicates you are getting dozens or hundreds of nearly identical alerts, you need to search for and fix false positives. Here are some tips:
• Examine your web protection profile (go to Web Protection > Web Protection Profile and view the settings in the applicable offline or inline protection profile). Does it include a server protection rule that seems to be causing alerts for valid URLs? If so, create and use exceptions to reduce false positives. See Configuring server protection exceptions on page 207.
• If your web protection profile includes a server protection rule where the Extended Signature Set option is set to Full, reduce it to Basic to see if that reduces false positives. See Configuring server protection rules on page 201.

Figure 7: Extended signature set option

• If your web protection profile includes HTTP protocol constraints that seem to be causing alerts for legitimate HTTP requests, create and use exceptions to reduce false positives. See Configuring HTTP protocol constraint exceptions on page 254.
• Most dialog boxes that accept regular expressions include the >> (test) icon. This opens the Regular Expression Validator window, as shown in Figure 8 on page 32, where you can fine-tune the expression to eliminate false positives.

Figure 8: Regular expression validator dialog

To learn more about the behavior of regular expressions that generate alerts, enable the Retain Packet Payload options in the logging configuration. Packet payloads provide the actual data that triggered the alert, which may help you to fine tune your regular expressions to reduce false positives. See Enabling logging on page 327 and Viewing log message details on page 335.

Define logs, reports and email alerts


Log messages, log reports and email alerts will provide you with valuable information about problems with your system. It is time to review and augment your log settings.
• Go to Log&Report > Log Policy > Email Policy. Make sure an email policy exists that directs email to you or other FortiWeb administrators. Set the Log Level option to Critical. That way any problem rated as critical, alert or emergency generates an email. See Configuring email policies on page 317.
• Go to Log&Report > Log Policy > Trigger Policy. Make sure a trigger policy exists that references the email policy described above. Triggers can be added to many rules and policies. See Configuring trigger policies on page 322.
• Go to Log&Report > Log Config > Global Log Settings. Enable the Alert Mail option and set it to reference the email policy described above. See Configuring global log settings on page 324.
• Go to Log&Report > Report Config. Either create a new report or edit an existing one. (See Figure 9 on page 33.) Use the data filter options under Report Scope (click the blue arrow to see options) to tailor the report's contents. Use the options under Schedule to create a report schedule. Under Output, pick a report format and select the email policy described above. See Configuring and generating reports on page 344.

Figure 9: New log report dialog

Consider directing reports to your web developers to get their feedback.

On a daily basis, review the attack log to find vulnerabilities in your system. Go to Log&Report > Log Access > Attack.
Figure 10: Part of an attack log

Phase 3: Test for vulnerabilities


Once you have tuned your alerts and eliminated the most obvious false positives in phase 2, move to this phase. Phase 3 covers the second week. Use this time to search for attack vulnerabilities and to further tune alerts.

Stay diligent
Continue your regular daily checks and expand them.
• Each day, check the dashboard for obvious problems (see Check dynamic data on the dashboard on page 28).
• Continue to examine the auto-learn report for each server in your system (see Check your auto-learning data on page 29).
• Review the attack log.
• Review alerts and fix those that represent false positives.

Begin monitoring the third-party cookies FortiWeb observes in traffic to your web servers. When cookies are found, an icon appears on the Server Policy > Policy > Policy tab for each affected server. If cookies are threats, such as if they are used for state tracking or database input, consider enabling the Cookie Poison option on the inline protection profiles for those servers. See Cookie Poison on page 272.

Aggregate attack types


Use the Log Message aggregation feature to group similar attack types. This makes it easier to quickly see all significant threats. See Grouping similar attack log messages on page 340.

For example, a web worm let loose on the Internet can create hundreds if not thousands of alerts. This could swamp FortiWeb's attack log with alerts and obscure other dangerous problems. By aggregating similar alerts (group them under the Sub Type column of the attack log), you will not miss other problem alerts. Another tactic is to aggregate attacks under the Source IP column. This lets you closely track an attacker and all of its attacking methods. To view the contents of an aggregated group, click the blue arrow, as shown in Figure 11.
Figure 11: Part of an attack aggregation report
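To show why aggregating by Sub Type and by Source IP keeps one-off alerts visible under a flood of worm probes, here is an added Python example (not FortiWeb code) that groups constructed attack log lines. The key=value line syntax, the field names and the sample addresses are assumptions made for the example, not FortiWeb's actual log format.

```python
import re
from collections import defaultdict

# Constructed sample attack log in a generic key=value style (an assumption, not
# FortiWeb's actual log format): a worm-style probe from several sources, a brute
# force login from one of those same sources, and a single parameter violation.
SAMPLE_ATTACK_LOG = """\
date=2011-06-16 time=10:00:01 src=198.51.100.10 sub_type="Server Protection" msg="Worm Probe" url="/scripts/root.exe"
date=2011-06-16 time=10:00:02 src=198.51.100.11 sub_type="Server Protection" msg="Worm Probe" url="/scripts/root.exe"
date=2011-06-16 time=10:00:02 src=198.51.100.12 sub_type="Server Protection" msg="Worm Probe" url="/scripts/root.exe"
date=2011-06-16 time=10:00:03 src=198.51.100.13 sub_type="Server Protection" msg="Worm Probe" url="/scripts/root.exe"
date=2011-06-16 time=10:00:04 src=203.0.113.5 sub_type="Server Protection" msg="Worm Probe" url="/scripts/root.exe"
date=2011-06-16 time=10:01:10 src=203.0.113.5 sub_type="Brute Force Login" msg="Login Rate Exceeded" url="/app/login.asp"
date=2011-06-16 time=10:01:11 src=203.0.113.5 sub_type="Brute Force Login" msg="Login Rate Exceeded" url="/app/login.asp"
date=2011-06-16 time=10:02:30 src=192.0.2.77 sub_type="Parameter Validation" msg="Field Length Exceeded" url="/app/search.asp"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_attack_log(text):
    """Parse log lines into dicts, stripping the quotes around quoted values."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            entries.append({k: v.strip('"') for k, v in FIELD.findall(line)})
    return entries


def summarize(entries, column):
    """Aggregate entries under one column, as the attack log does for Sub Type or Source IP.

    Returns [(value, count, distinct_sources)] sorted by count descending, so the
    noisiest group sits first and the one-off alerts remain visible below it.
    """
    groups = defaultdict(list)
    for e in entries:
        groups[e.get(column, "(none)")].append(e)
    rows = [(value, len(items), len({i.get("src") for i in items}))
            for value, items in groups.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def methods_by_source(entries, src):
    """All attack sub types seen from one source, to track an attacker across methods."""
    return tuple(sorted({e["sub_type"] for e in entries if e.get("src") == src}))


if __name__ == "__main__":
    entries = parse_attack_log(SAMPLE_ATTACK_LOG)
    for column in ("sub_type", "src"):
        print(f"--- aggregated by {column} ---")
        for value, count, sources in summarize(entries, column):
            print(f"{count:4d}  {value:22s} from {sources} source(s)")
    print("203.0.113.5 used:", methods_by_source(entries, "203.0.113.5"))
```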

Search for vulnerabilities


Use FortiWeb's web vulnerability scan feature to detect known vulnerabilities on your web servers and web applications.
• Create a web vulnerability scan profile and enable all threat options. You can reduce options later that do not apply. Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Profile. See Configuring web vulnerability scan profiles on page 303.
• Create a web vulnerability scan policy that includes the email alerts you created the first week. Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy. See Configuring web vulnerability scan policies on page 300.
• Start with a schedule that scans your site daily in off-peak hours. Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Schedule. See Configuring web vulnerability scan schedules on page 308.
Caution: Fortinet strongly recommends that you do not scan for vulnerabilities on live web sites during peak hours. Either run the scans in off-peak hours or duplicate the web site and its database in a test environment and perform the scan there.

Go to Web Vulnerability Scan > Web Vulnerability Scan > Scan History to locate vulnerabilities. Click the View scan report icon next to a report. It opens an HTML report that lists vulnerabilities, as shown in Figure 12 on page 35. If you find a false positive in the report, click the False Positive button to remove it from the current and subsequent reports.

Figure 12: Web vulnerabilities scan report

• Create XML protection rules and policies to protect against the discovered vulnerabilities. See XML protection profile workflow on page 163.
• Create web protection rules and policies to protect against the discovered vulnerabilities. See Web protection profile workflow on page 189.

Once you have tested for vulnerabilities and set policies to guard against the threats, move to the next phase.

Phase 4: Switch from offline protection mode (if applicable)


This section applies only if you chose offline protection mode when you first set up your FortiWeb unit. If you chose another mode, skip to Phase 5: Prepare for full operation on page 37. This phase covers about one week. In this period, you will switch from offline protection mode to one of the other three modes: reverse proxy, true transparent proxy, or transparent inspection. Following the switch, you must reconfigure some of your network settings and protection profiles, and then test the new configuration.
Caution: Switching modes is not a trivial matter. Back up your system before changing the operation mode. Changing modes deletes the following: any policies not applicable to the new mode, all static routes and all VLAN settings. You may also need to re-cable your network topology to suit the operation mode.

If you plan to deploy multiple web applications, you can change the operation mode once you deploy and test all servers and applications in offline protection mode, or change modes after you deploy just the first one. In that case, the subsequent applications must be deployed in the new mode.

Prepare to switch operation mode


Before you switch from offline protection mode, take note of the following:
• Go to Router > Static > Static Route and take note of the configuration settings (such as the gateway IP and port) for each static route.
• Go to System > Network > Interface and take note of the configuration settings for any VLANs.
• Go to Web Protection > Web Protection Policy > Offline Protection Profile. View each offline protection profile and take note of the policies and rules it references.

Change operation mode


When you switch operation mode, follow these steps:
1 Determine which operation mode to use. See Configuring the operation mode on page 71 for an explanation of modes.
2 Review the topic Matching topology with operation mode in the FortiWeb Install and Setup Guide to determine if you need to re-cable your FortiWeb unit for the new mode.
3 If re-cabling is needed, power off your unit, change the cables, and power on the unit. Access the web-based manager again.
4 Change the operation mode in one of two ways:
• In the Operation Mode row of the System Information widget on the dashboard, click Change. Select a new operation mode from the Mode dialog and click Apply.
• Go to System > Config > Operation. Select a new operation mode from the Mode dialog and click Apply.
Figure 13: Changing modes

The fields presented in the dialog vary with the operation mode you select.

Reconfigure your system


Switching between vastly different operation modes results in a loss of some configuration data. Check the following items:
• Go to Router > Static > Static Route. If your static routes were erased, recreate them. See Configuring static routes on page 105.
• Go to System > Network > Interface. If your VLAN configurations were removed, recreate them. If you chose one of the transparent modes, consider creating a v-zone bridge instead of VLANs. See Configuring v-zones (bridges) on page 55.
• Go to Web Protection > Web Protection Policy > Inline Protection Profile. Create new inline protection profiles that reference the rules and policies in each of your previous offline protection profiles. See Configuring inline protection profiles on page 268 for information on creating a profile.
• Go to Server Policy > Policy > Policy. Edit your existing server policies to reference the new inline protection profiles instead of the offline protection profiles. See Configuring server policies on page 118.

Before going any further, let your reconfigured FortiWeb unit run and gather data. Watch the monitors on the dashboard to make sure traffic is flowing through your unit in the new mode.

Retest your system


A new operation mode means a new round of testing and alert tuning.
• Delete your existing auto-learning profiles and create new ones. Make sure your server policies reference the new auto-learning profiles. See Configuring server policies on page 118.
• Make sure the new auto-learning profiles are gathering data. See Check your auto-learning data on page 29.
• Continue running web vulnerability scans and adjust your policies and rules to reflect any vulnerabilities found. See Search for vulnerabilities on page 34.

Remain diligent
Each day, check the dashboard for obvious problems (see Check dynamic data on the dashboard on page 28) and examine the auto-learn report for each server in your system (see Check your auto-learning data on page 29). Review the attack log (go to Log&Report > Log Access > Attack tab) daily to find vulnerabilities in your system. Review alerts and fix those that represent false positives.

Phase 5: Prepare for full operation


This phase covers a week or more, depending on what new features you configure.

Extend your server configuration


After your FortiWeb unit has operated for several days without significant problems, it is a good time to adjust profiles and policies to provide additional protection and to improve performance. Here is a list of some enhancements:
• If your operation mode is reverse proxy or true transparent proxy mode (without HTTPS), you can configure the FortiWeb unit to authenticate users. These can be local users, LDAP users, RADIUS users, NTLM users, or a combination of these. See Users and user groups on page 107.
• If your operation mode is reverse proxy, you can group physical servers and domain servers into a server farm. See Grouping physical and domain servers into server farms on page 135. Once you have a server farm, you can apply load-balancing (see Deployment Mode on page 123) and server health checks (see Configuring server health checks on page 143). Once you create server farms and server health checks, indicators appear in the Service Status widget on the dashboard, as shown in Figure 14 on page 38.

Figure 14: Service status showing health-check indicators

• If your operation mode is reverse proxy, you can enable SSL to encrypt connections from the FortiWeb unit to protected web servers. To do so, first download a certificate (see Uploading a certificate on page 88) and then enable the SSL Server and Certificate options on the server policy.
• Depending on your chosen operation mode, you can add other rules and policies to your inline protection profiles, such as:
  • page access rules (see Configuring page access rules on page 198)
  • start page rules (see Configuring start page rules on page 213)
  • brute force login profiles (see Configuring brute force login profiles on page 224)
  • URL rewriting policy (see Configuring URL rewriting policy on page 244)

Review the list of top candidates for your IP blacklist and add them, as applicable. See Viewing the top 10 IP blacklist candidates on page 223.

Remain diligent
Make sure you locate and solve any problems created by new configuration settings made in this phase. Each day, check the dashboard for obvious problems (see Check dynamic data on the dashboard on page 28) and examine the auto-learn report for each server in your system (see Check your auto-learning data on page 29). Review the attack log (go to Log&Report > Log Access > Attack tab) daily to find vulnerabilities in your system. Review alerts and fix those that represent false positives.

Make final deployment settings


Once your FortiWeb unit has operated for several days without significant problems after new configuration settings, it is time to make the final changes to prepare your FortiWeb unit for normal operation.
• If you enabled the Monitor Mode server policy option, as suggested in phase 2, disable it now. Go to Server Policy > Policy and edit each server policy to clear the option. Clearing it instructs the FortiWeb unit to apply the specified action for each violation. For example, if the action is Alert & Deny, monitor mode enforced just the Alert portion. With monitor mode disabled, the Deny portion is now enforced too.
• Review each action related to rules and policies. For more serious violations, change a simple Alert action to a blocking action, such as Alert & Deny, Deny or Redirect, as applicable. See Responding to web protection rule violations on page 191 for a list of actions and their uses.
• By this point, you have collected enough auto-learning data to generate protection profiles. Consider turning off the auto-learning function to save resources. To do so, deselect the auto-learning profile in applicable server policies.

What else can you do?


Your FortiWeb unit has additional protection and maintenance features you can use:
- Configure DoS protection and synchronization with a remote FortiWeb unit. For details, see Configuring DoS protection on page 70 and Synchronizing configurations on page 59.
- Configure HTTP content routing and conversion policy. For details, see Configuring HTTP content routing policy on page 139 and Configuring HTTP conversion policy on page 141.
- Consider invoking the web anti-defacement feature to protect your web sites from hackers. See Configuring anti-defacement on page 293.
- If you have configured and deployed two FortiWeb units, you can set them up for high availability. See Configuring high availability (HA) on page 61.
- Configure backups, firmware updates, and similar maintenance features. For details, see Backing up and restoring configurations on page 96, Configuring an FTP backup and schedule on page 98, Uploading signature updates on page 101, and Scheduling signature updates on page 102.
- Make sure you are getting the most out of your configuration. See the chapter Fine tuning and best practices on page 355.

System
This chapter describes the System menu. Using its options you can view and configure a wide variety of system settings. This chapter includes:
- Viewing system status
- Configuring the network and VLAN interfaces
- Configuring the DNS settings
- Synchronizing configurations
- Configuring high availability (HA)
- Configuring the SNMP agent
- Configuring DoS protection
- Configuring the operation mode
- Viewing RAID status
- Configuring administrator accounts
- Configuring the web-based manager's global settings
- Managing certificates
- Backing up and restoring configurations
- Configuring an FTP backup and schedule
- Configuring system time
- Uploading signature updates
- Scheduling signature updates
- Accessing the Setup Wizard

Viewing system status


System > Status > Status appears when you log in to the web-based manager. It contains a dashboard with widgets that each indicate performance level or other status values. The following widgets are available in the system status dashboard:
- System Information widget
- CLI Console widget
- System Resources widget
- Policy Summary widget
- Attack Log Console widget
- Event Log Console widget
- Service Status widget
- Policy Sessions widget

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see About permissions on page 80.
Figure 15: Viewing the dashboard

In the default dashboard setup, widgets display the serial number and current system status of the FortiWeb unit, including uptime, system resource usage, event log messages, host name, firmware version, system time, and status of connected web servers and policy sessions. The dashboard also contains a CLI widget that enables you to use the command line interface through the web-based manager.

To customize the dashboard, select which widgets to display, where they are located on the tab, and whether they are minimized or maximized. To move a widget, position your mouse cursor on the widget's title bar, then click and drag the widget to its new location. To display any of the widgets not currently shown on the Status tab, click Add Content. Any widgets already displayed on the Status tab are grayed out in the Add Content menu, as you can have only one of each on the Status tab.
Figure 16: Adding a widget

To display the default set of widgets on the dashboard, select Back to Default. To see the available options for a widget, position your mouse cursor over the icons in the widget's title bar. Options vary slightly from widget to widget, but always include options to close, minimize or maximize the widget.
Table 5: A minimized widget

Widget Title: The name of the widget.
Disclosure arrow: Click to maximize or minimize the widget. This arrow replaces the widget's icon when you place your mouse cursor over the title bar.
Edit: Click to change settings for the widget. This option appears only on the CLI Console widget.
Refresh: Click to update the displayed information. This option does not appear on the CLI Console widget.
Close: Click to close the widget on the dashboard. You will be prompted to confirm the action. To show the widget again, click Add Content near the top of the tab.

System Information widget


The System Information widget on the dashboard displays the serial number and basic system status, such as the firmware version, system time, uptime, host name, and high availability (HA) status. In addition to displaying system information, the System Information widget enables you to configure some basic attributes such as the host name, operation mode, and HA mode, and to change the firmware. FortiWeb administrators whose access profiles permit Write access to items in the System Configuration category can change the system time, host name, firmware, operation mode, and HA mode.
Table 6: System Information widget

HA Status: Displays the status of high availability (HA) for this unit, either:
- Standalone: The FortiWeb unit is not operating in HA mode. It is operating as a single, independent FortiWeb unit.
- Master: The FortiWeb unit is operating as the primary unit in an HA pair.
- Backup: The FortiWeb unit is operating as the backup unit in an HA pair.
The default value is Standalone. Click Configure to configure the HA status for this unit. See Configuring high availability (HA) on page 61.

Host Name: Displays the host name of the FortiWeb unit. Click Change to change the host name. See Changing the FortiWeb unit's host name on page 45.

Firmware Version: Displays the version of the firmware currently installed on the FortiWeb unit. Click Update to install a new version of firmware. See Installing new firmware on page 385.

Serial Number: Displays the serial number of the FortiWeb unit. The serial number is specific to the FortiWeb unit's hardware and does not change with firmware upgrades. Use this number when registering the hardware with Fortinet Technical Support.

System Uptime: Displays the time in days, hours, and minutes since the FortiWeb unit last started.

System Time: Displays the current date and time according to the FortiWeb unit's internal clock. Click Change to change the time or configure the FortiWeb unit to get the time from an NTP server. See Configuring system time on page 100.

Operation Mode: Displays the current operation mode of the FortiWeb unit, either:
- Reverse proxy: Traffic is destined for a virtual server's network interface and IP address. The FortiWeb unit forwards it to a physical/domain server and applies the first applicable policy. The FortiWeb unit logs, blocks, or modifies traffic according to the matching policy and its protection profile.
- Offline protection: The FortiWeb unit monitors traffic received on the virtual server's network interface (regardless of the IP address) and applies the first applicable policy. It logs or blocks traffic according to the matching policy and its protection profile, but does not otherwise modify it. (It does not, for example, apply SSL or load-balance connections.) Caution: Unlike in reverse proxy mode, actions other than Alert cannot be guaranteed to be successful in offline protection mode. The FortiWeb unit will attempt to block traffic that violates the policy by mimicking the client or server and requesting to reset the connection. However, the client or server may receive the reset request after it receives the other traffic due to possible differences in routing paths.
- True transparent proxy: Traffic is destined for a physical/domain server. The FortiWeb unit proxies it and applies the first applicable policy. Traffic is received on a network port that belongs to a Layer 2 v-zone (bridge), and no changes to the IP address scheme of the network are required.
- Transparent inspection: The FortiWeb unit inspects traffic destined for a physical/domain server. It asynchronously captures traffic and applies the first applicable policy. The FortiWeb unit logs or blocks traffic according to the matching policy and its protection profile, but does not otherwise modify it. (It does not, for example, apply SSL or load-balance connections.) Similar to offline protection mode, actions other than Alert cannot be guaranteed to be successful. It is easy to switch between transparent inspection and true transparent proxy without changing your network topology.
The default operation mode is reverse proxy mode. Click Change to switch the operation mode. Caution: Back up the configuration before changing the operation mode. Changing modes deletes any policies not applicable to the new mode, all static routes, all v-zone IPs and all VLAN settings. For instructions on backing up the configuration, see Backing up and restoring configurations on page 96.

Reboot: Click to halt and restart the operating system of the FortiWeb unit.

ShutDown: Click to halt the operating system of the FortiWeb unit, preparing its hardware to be powered off.

Reset: Click to revert the configuration of the FortiWeb unit to the default values for its currently installed firmware version. Caution: Back up the configuration before selecting Reset. This operation cannot be undone. Configuration changes made since the last backup will be lost. For instructions on backing up the configuration, see Backing up and restoring configurations on page 96.

Changing the FortiWeb unit's host name


The host name of the FortiWeb unit is used in several places:
- It appears in the System Information widget on the Status tab. For more information about the System Information widget, see System Information widget on page 43.
- It is used in the command prompt of the CLI.
- It is used as the SNMP system name. For information about SNMP, see Configuring the SNMP agent on page 66.

The System Information widget and the get system status CLI command will display the full host name. If the host name is longer than 16 characters, the host name may appear in a truncated form ending with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed. For example, if the host name is FortiWeb1234567890, the CLI prompt would be FortiWeb123456789~#. Administrators whose access profiles permit Write access to items in the System Configuration category can change the host name.
Note: You can also configure the local domain name of the FortiWeb unit. For details, see Configuring the DNS settings on page 58.

To change the host name of the FortiWeb unit
1 Go to System > Status > Status.
2 In the System Information widget, in the Host Name row, click Change.
3 In the New Name field, type a new host name. The host name can be up to 35 characters in length. It can include US-ASCII letters, numbers, hyphens, and underscores, but not spaces and special characters.
4 Click OK.

CLI Console widget


The CLI Console widget on the dashboard enables you to enter CLI commands through the web-based manager, without making a separate Telnet, SSH, or local console connection to access the CLI.

Note: The CLI Console widget requires that your web browser support JavaScript.

To use the console, first click within the console area. Doing so automatically logs you in using the same administrator account you used to access the web-based manager. You can then type commands into the CLI Console widget. Alternatively, you can copy and paste commands from or into the console.

Note: The prompt, by default the model number such as FortiWeb-1000B #, contains the host name of the FortiWeb unit. To change the host name, see Changing the FortiWeb unit's host name on page 45.

For information on available commands, see the FortiWeb CLI Reference.


Table 7: CLI Console widget

Close: Click to hide the widget. It no longer appears on the dashboard unless you add it again by clicking Add Content.
Edit: Click to open the Console Preferences pop-up window, where you can change the buffer length and input method, as well as the appearance of the console by defining fonts and colors for the text and background.

Table 8: CLI Console Preferences window

Preview: Shows a preview of your changes to the CLI Console widget's appearance.
Text: Click the current color swatch to the left of this label, then click a color from the color palette to the right to change the color of the text in the CLI Console.
Background: Click the current color swatch to the left of this label, then click a color from the color palette to the right to change the color of the background in the CLI Console.
Use external command input box: Select to display a command input field below the normal console emulation area. When this option is enabled, you can enter commands by typing them into either the console emulation area or the external command input field.
Console buffer length: Enter the number of lines the console buffer keeps in memory. The valid range is from 20 to 9999.
Font: Select a font from the list to change the display font of the CLI Console.
Size: Select the size in points of the font. The default size is 10 points.

System Resources widget


The System Resources widget on the dashboard displays CPU and memory usage.
Table 9: System Resources widget

CPU Usage: The current CPU usage displayed as a dial gauge and as a percentage. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage: The current memory (RAM) usage displayed as a dial gauge and as a percentage. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.

Policy Summary widget


The Policy Summary widget on the dashboard displays three graphs:
- HTTP Traffic Monitor: Displays the traffic volume throughput during each time period.
- Attack Event History: Displays the number of each type of common exploit, SQL injection, cross-site scripting (XSS), or information disclosure attacks that were prevented.
- HTTP Hit History: Displays the total number of requests.

For each graph, you can select which policy's statistics to view and the size of the interval (Rate threshold or Time interval) represented by each unit on the graph. By positioning your cursor over a point in the graph, you can display information for that point in time, such as (for HTTP Traffic Monitor) the traffic volume at that point in time.

Figure 17: Policy Summary widget

Attack Log Console widget


The Attack Log Console widget on the dashboard displays the latest attack logs. Attack logs are recorded when there is an attack or intrusion attempt against the web servers protected by the FortiWeb unit. Attack logs help you track violations that are defined by the web protection and server policies configured on the FortiWeb unit. Each attack log message in the console shows the type of attack and the date and time of the attack. The attack type includes a link to a log detail. Select the link to open a separate attack log details window with additional information about the attack. For more information, see Viewing log message details on page 335.
Figure 18: Attack Log Console widget

Event Log Console widget


The Event Log Console widget on the dashboard displays log-based messages.

Event logs help you track system events on your FortiWeb unit such as firmware changes, and network events such as changes to policies. Each message shows the date and time that the event occurred. For more information, see Viewing log messages on page 331.
Tip: Event log messages can also be delivered by email, Syslog, FortiAnalyzer or SNMP. For more information, see Enabling logging on page 327, Configuring and enabling logging on page 323, and Configuring the SNMP agent on page 66.
Figure 19: Event Log Console widget

Service Status widget


The Service Status widget on the dashboard lists configured policies, the real servers (physical and domain servers) associated with the policy, and the connectivity status of the servers associated with the policy.
Table 10: Service Status widget

#: Shows the index number of the policy.
Policy Name: Shows the name of the policy. For information on policies, see Configuring server policies on page 118.
Real Server: Lists the real servers that the policies protect.
Server Status: For servers that are part of a server farm, shows the connectivity status. There may be multiple icons in this column. To determine which real server is associated with an icon, hover your mouse cursor over the icon. The name of the real server then appears in a tool tip.
- Green icon: The server health check is currently detecting that the real server is responsive to connections.
- Flashing yellow-to-red icon: The server health check is currently detecting that the real server is not responsive to connections. The method that the FortiWeb unit will use to reroute connections to an available server varies by your configuration of Deployment Mode.
For information on server health checks, see Configuring server health checks on page 143. Note: For a single server, there is no associated server health check, and therefore no icon in this column. To make server health checks for a single server, instead of configuring the policy with a Deployment Mode of Single Server, create a server farm and add that real server as the sole member, then select that server farm in the policy.
Close: Click to hide the widget. It no longer appears on the dashboard unless you add it again by clicking Add Content.
Refresh: Click to refresh the information displayed on the widget.

Policy Sessions widget


The Policy Sessions widget on the dashboard displays the number of server sessions that are currently governed by each policy.
Table 11: Policy Sessions widget

#: Shows the index number of the policy.
Policy: Shows the name of the policy. For information on policies, see Configuring server policies on page 118.
Session: Shows the total number of sessions currently being governed by the policy.
Close: Click to hide the widget. It no longer appears on the dashboard unless you add it again by clicking Add Content.
Refresh: Click to refresh the information displayed on the widget.

Configuring the network and VLAN interfaces


System > Network > Interface displays two interface types: the network interfaces that are associated with the physical ports on a FortiWeb unit, and if configured, the VLAN subinterfaces. For more information about VLAN subinterfaces, see Adding a VLAN subinterface on page 53. You must always have at least one IP address configured on at least one FortiWeb network interface in order to connect your management computer to the FortiWeb unit's CLI or the web-based manager.
Note: When the FortiWeb unit operates in true transparent proxy or transparent inspection mode and you configured a v-zone (bridge), do not configure any physical network interfaces other than port1. For details, see Configuring v-zones (bridges) on page 55.

Depending on your network topology and other considerations, you may need to configure one or more of the FortiWeb unit's other network interfaces to enable the FortiWeb unit to connect to your network and to the web servers it protects. You can configure each network interface separately, with its own IP address, netmask, and accepted administrative access protocols.
Caution: Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb unit.

Note: You can restrict which IP addresses are permitted to log in as a FortiWeb administrator through the network interfaces. For details, see Configuring administrator accounts on page 75.

To change settings in this part of the web-based manager, your administrator's account access profile must have Write permission to items in the Network Configuration category. For details, see About permissions on page 80.
Table 12: System > Network > Interface tab

Create New: Click to create a new VLAN subinterface. For more information, see Adding a VLAN subinterface on page 53. Note: You cannot create a new network interface, only a VLAN subinterface. To view or modify an existing network interface, click the Edit icon.
(No column heading.): Shows an icon indicating that a description is available for the network interface. To view the description, hover your cursor over the icon.
Name: Shows the name of the network interface, usually directly associated with one physical link as indicated by its name, such as port1. Note: A pointer beside the name indicates there is a VLAN subinterface associated with the port. For more information, see Adding a VLAN subinterface on page 53.
IP/Netmask: Displays the IP address and netmask of the network interface, separated by a slash ( / ).
Access: Displays the administrative access services that are enabled on the network interface, such as HTTPS for the web-based manager. Note: Administrative access is not available for VLAN subinterfaces.
Status: Indicates the up (available) or down (unavailable) administrative status of the network interface.
- Green up arrow: The network interface is up and permitted to receive or transmit traffic. To disable the network interface, click Bring Down.
- Red down arrow: The network interface is down and not permitted to receive or transmit traffic. To enable the network interface, click Bring Up.
(No column heading.): Click the Edit icon to view or modify the settings of the network interface or VLAN subinterface. Click the Delete icon to remove a VLAN subinterface. Note: Network interfaces associated with a physical port cannot be deleted.

To edit a network interface
1 Go to System > Network > Interface.
2 In the row corresponding to a network interface, click the Edit icon.
3 Configure the following:

Name: Displays the name (such as port2) and media access control (MAC) address of this network interface.
IP/Netmask: Type the IP address/subnet mask. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet. Warning: If you are changing the interface's IP address and you have configured a static route for the interface, the new IP address of the interface must be in the same subnet as the default gateway. Otherwise, all the static routes and the default gateway information will be lost.
Administrative Access: Enable the types of administrative access that you want to permit on this interface. Note: Administrative access is not available for VLAN subinterfaces.
HTTPS: Enable to allow secure HTTPS connections to the web-based manager through this network interface. For information on configuring the port number where the FortiWeb unit listens for these connections, see Configuring the web-based manager's global settings on page 82.
PING: Enable to allow ICMP ping responses from this network interface.
HTTP: Enable to allow HTTP connections to the web-based manager through this network interface. For information on configuring the port number where the FortiWeb listens for these connections, see Configuring the web-based manager's global settings on page 82. Caution: HTTP connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiWeb unit.
SSH: Enable to allow SSH connections to the CLI through this network interface.
SNMP: Enable to allow SNMP connections to this network interface. Note: This setting only configures which network interface will receive SNMP queries. To configure which network interface will send traffic, see Configuring the SNMP agent on page 66.
TELNET: Enable to allow Telnet connections to the CLI through this network interface. Caution: Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiWeb unit.
Description: Type a comment. The comment may be up to 63 characters long. This field is optional.

4 Click OK. If you were connected to the web-based manager through this network interface and you changed the IP, you are now disconnected from it.
5 To access the web-based manager again, in your web browser, modify the URL to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 10.10.10.5, you would browse to https://10.10.10.5. If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiWeb unit, you may also need to modify the IP address and subnet of your computer to match the FortiWeb unit's new IP address.

Adding a VLAN subinterface


This section describes how a virtual local area network (VLAN) works with FortiWeb and how to add a VLAN subinterface to a network interface on the FortiWeb unit.

Similar to a local area network (LAN), use an IEEE 802.1q VLAN to reduce the size of a broadcast domain and thereby reduce the amount of broadcast traffic received by network hosts, improving network performance. Unlike physical LANs, VLANs do not require you to install separate hardware switches and routers to achieve this effect. Instead, VLAN-compliant switches, such as FortiWeb units, restrict broadcast traffic based upon whether its VLAN ID matches that of the destination network. As such, VLAN trunks can be used to join physically distant broadcast domains as if they were close.

The VLAN ID is part of the tag that is inserted into each Ethernet frame in order to identify traffic for a specific VLAN. VLAN header addition is handled automatically by FortiWeb units, and does not require that you adjust the maximum transmission unit (MTU). Depending on whether the device receiving a packet operates at Layer 2 or Layer 3 of the network, this tag may be added, removed, or rewritten before forwarding to other nodes on the network. For example, a Layer 2 switch or FortiWeb unit operating in true transparent proxy mode would typically add or remove a tag when forwarding traffic among members of the VLAN, but would not route tagged traffic to a different VLAN ID. In contrast, a FortiWeb unit operating in reverse proxy mode, inspecting the traffic to make routing decisions based upon higher-level layers/protocols, might route traffic between different VLAN IDs (also known as inter-VLAN routing) if indicated by its policy, such as if it has been configured to do WSDL-based routing.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see About permissions on page 80.
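As an added illustration of the 802.1Q tagging described above (example code, not from the FortiWeb documentation or product; all function names are mine and the frames are constructed sample data), the following Python builds an Ethernet frame, inserts and parses the 4-byte tag that carries the VLAN ID, and contrasts Layer 2 forwarding, which keeps a frame inside its VLAN ID, with Layer 3 inter-VLAN routing, which rewrites the VLAN ID:

```python
"""IEEE 802.1Q VLAN tagging as described in the VLAN subinterface section.

Added example, not FortiWeb code. All frames below are constructed sample
data. It shows how the 4-byte 802.1Q tag carrying the VLAN ID is inserted
into an Ethernet frame, how a receiver reads the VLAN ID back out, and the
two forwarding behaviours the text contrasts: a Layer 2 device (a switch,
or a FortiWeb unit in true transparent proxy mode) keeps frames inside
their VLAN, while a Layer 3 device (a FortiWeb unit in reverse proxy mode)
may rewrite the tag to route between VLAN IDs.
"""
import struct

ETHERTYPE_8021Q = 0x8100           # TPID value that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094  # valid range for a VLAN subinterface


def validate_vlan_id(vid):
    """Reject VLAN IDs outside 1..4094 (0 and 4095 are reserved by 802.1Q)."""
    if not VLAN_ID_MIN <= vid <= VLAN_ID_MAX:
        raise ValueError("VLAN ID %r is outside %d..%d" % (vid, VLAN_ID_MIN, VLAN_ID_MAX))
    return vid


def build_untagged_frame(dst_mac, src_mac, ethertype, payload):
    """Ethernet II frame: 6-byte destination, 6-byte source, 2-byte EtherType, payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def add_vlan_tag(frame, vid, pcp=0, dei=0):
    """Insert an 802.1Q tag after the source MAC. The frame grows by exactly
    4 bytes; 802.1Q-aware devices expect this, so no MTU change is needed."""
    validate_vlan_id(vid)
    tci = (pcp << 13) | (dei << 12) | vid   # 3-bit priority, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Return the frame's fields; 'vid' is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return {"dst": frame[:6], "src": frame[6:12], "vid": None, "pcp": None,
                "dei": None, "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": frame[:6], "src": frame[6:12], "vid": tci & 0x0FFF,
            "pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "ethertype": inner_type, "payload": frame[18:]}


def strip_vlan_tag(frame):
    """Remove the tag, as an access port does before handing the frame to an end host."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


def layer2_forward(frame, egress_port_vid):
    """Layer 2 behaviour: the frame is forwarded only out a port that carries its
    VLAN, and the tag is never rewritten to a different VID. Returns None when
    the frame would be dropped instead of forwarded."""
    vid = parse_frame(frame)["vid"]
    return frame if vid == egress_port_vid else None


def inter_vlan_route(frame, new_vid):
    """Layer 3 behaviour: rewrite the VID (keeping the priority and DEI bits) so
    the frame is delivered into a different VLAN. A device that inspects higher
    layers to make routing decisions can do this; a Layer 2 bridge cannot."""
    validate_vlan_id(new_vid)
    info = parse_frame(frame)
    if info["vid"] is None:
        return add_vlan_tag(frame, new_vid)
    tci = (info["pcp"] << 13) | (info["dei"] << 12) | new_vid
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


def demo():
    """Walk one constructed frame through tagging, Layer 2 switching and routing."""
    dst = bytes.fromhex("001122334455")   # constructed sample MAC addresses
    src = bytes.fromhex("66778899aabb")
    plain = build_untagged_frame(dst, src, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    tagged = add_vlan_tag(plain, 100, pcp=3)
    return {
        "grew_by": len(tagged) - len(plain),
        "vid": parse_frame(tagged)["vid"],
        "kept_on_vlan_100": layer2_forward(tagged, 100) is not None,
        "dropped_on_vlan_200": layer2_forward(tagged, 200) is None,
        "routed_vid": parse_frame(inter_vlan_route(tagged, 200))["vid"],
        "stripped_equals_original": strip_vlan_tag(tagged) == plain,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%s: %s" % (name, value))
```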

Table 13: Interface tab with VLAN subinterface

Create New: Click to create a new VLAN subinterface.
(No column heading.): Displays an icon indicating that a description is available for the network interface. To view the description, hover your cursor over the icon. Note: VLAN subinterfaces do not provide a description.
Name: If a VLAN subinterface exists, a pointer appears beside the name of the network interface. Click the pointer to expand the list of VLANs associated with the network interface.
IP/Netmask: Displays the IP address and netmask of the VLAN subinterface, separated by a slash ( / ).
Access: Displays the administrative access services that are enabled on the network interface. Note: VLAN subinterfaces do not permit administrative access.
Status: Indicates the up (available) or down (unavailable) administrative status of the network interface.
- Green up arrow: The network interface is up and permitted to receive or transmit traffic. To disable the network interface, click Bring Down.
- Red down arrow: The network interface is down and not permitted to receive or transmit traffic. To enable the network interface, click Bring Up.
(No column heading.): Click the Edit icon to view or modify the settings of the VLAN subinterface. Click the Delete icon to remove a VLAN subinterface.

To add a VLAN subinterface


Note: When the FortiWeb unit operates in either of the transparent modes, VLAN subinterfaces do not support Cisco discovery protocol (CDP).

1 Go to System > Network > Interface. 2 Click Create New. 3 Configure the following:


Name
    Type the name (such as vlan_100) of this VLAN subinterface. You cannot modify this field if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.

Type
    Indicates whether the interface is directly associated with a physical network port, or is instead a VLAN subinterface. This option is set by the system automatically and cannot be changed.

Interface
    Select the name of the network interface with which the VLAN subinterface will be associated.

VLAN ID
    Type the VLAN ID of packets that belong to this VLAN subinterface. If one physical network port (that is, a VLAN trunk) will handle multiple VLANs, create multiple VLAN subinterfaces on that port, one for each VLAN ID that will be received. If multiple different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs. The valid range is between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1q-compliant router or switch connected to the VLAN subinterface. For the maximum number of interfaces for your FortiWeb model, including VLAN subinterfaces, see Appendix B: Maximum values on page 397.
    Note: Inter-VLAN routing is not supported if the FortiWeb unit is operating in true transparent proxy mode. In that case, you must configure the same VLAN IDs on each physical network port.

IP/Netmask
    Type the IP address/subnet mask associated with the VLAN, if any. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet.

4 Click OK.
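The 802.1q tagging and Layer 2 forwarding behaviour described in this section, as an added Python example that is not part of the FortiWeb product or of this guide. It builds, parses and strips the 4-byte tag that a VLAN-compliant device inserts after the source MAC, enforces the 1 to 4094 VLAN ID range, and makes the forwarding decision that a Layer 2 switch or a FortiWeb unit in true transparent proxy mode makes: forward only to ports configured for the same VLAN ID, never across VLAN IDs. The frame bytes, the port names and the port-to-VLAN table are constructed for illustration.

```python
"""Added example (not FortiWeb code): IEEE 802.1q tagging and Layer 2 VLAN
forwarding as described in this section.

The 4-byte tag (TPID 0x8100 followed by the TCI: 3-bit priority, 1-bit DEI,
12-bit VLAN ID) sits between the source MAC and the EtherType. The sample
frame and the port-to-VLAN table below are constructed for illustration.
"""
import struct

TPID_8021Q = 0x8100
MIN_VID, MAX_VID = 1, 4094      # valid VLAN ID range stated for the VLAN ID field


def parse_tag(frame: bytes):
    """Return (pcp, dei, vid) when the frame carries an 802.1q tag, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1q tag into an untagged Ethernet frame (what a trunk-side
    device does). Only the header grows, so the payload MTU is unchanged."""
    if not MIN_VID <= vid <= MAX_VID:
        raise ValueError(f"VLAN ID {vid} is outside {MIN_VID}-{MAX_VID}")
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        raise ValueError("frame is already tagged")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag (what an access port does before delivering to a host)."""
    if parse_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def forward_ports(frame: bytes, port_vlans: dict) -> list:
    """Layer 2 decision, as on a switch or a FortiWeb unit in true transparent
    proxy mode: forward a tagged frame only to ports that carry its VLAN ID.
    Nothing crosses VLAN IDs; untagged frames are dropped (no native VLAN is
    modelled, and the ingress port is not excluded from the result)."""
    tag = parse_tag(frame)
    if tag is None:
        return []
    vid = tag[2]
    return sorted(port for port, vids in port_vlans.items() if vid in vids)


# Constructed untagged frame: broadcast dst MAC, src MAC, EtherType IPv4, stub payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x45\x00\x00\x14"
# Constructed trunk layout: port1 carries VLANs 100 and 200, port2 only 100, port3 only 200.
PORT_VLANS = {"port1": {100, 200}, "port2": {100}, "port3": {200}}


def demo():
    tagged = tag_frame(UNTAGGED, vid=100, pcp=3)
    try:
        tag_frame(UNTAGGED, vid=4095)       # one past the valid range
        rejects_bad_vid = False
    except ValueError:
        rejects_bad_vid = True
    return {
        "tag": parse_tag(tagged),                      # (3, 0, 100)
        "header_growth": len(tagged) - len(UNTAGGED),  # 4
        "ports": forward_ports(tagged, PORT_VLANS),    # ['port1', 'port2']
        "roundtrip": strip_tag(tagged) == UNTAGGED,    # True
        "rejects_bad_vid": rejects_bad_vid,            # True
    }


if __name__ == "__main__":
    print(demo())
```

The frame tagged for VLAN 100 is offered only to port1 and port2; port3, which carries VLAN 200 alone, never sees it, which is the "same VLAN IDs on each physical network port" requirement of true transparent proxy mode expressed as a forwarding table.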

Configuring v-zones (bridges)


System > Network > V-zone lists any network ports configured as bridges. Bridges allow network connections to travel through the FortiWeb unit's physical network ports without explicitly connecting to one of its IP addresses. Use bridges only when:
• the FortiWeb unit operates in true transparent proxy or transparent inspection mode, and
• you want to deploy FortiWeb between incoming connections and the web server it is protecting, without changing your IP address scheme or performing routing or network address translation (NAT)

In that case, do not assign IP addresses to the ports that you will connect to either the web server or to the overall network. Instead, group the two physical network ports by adding their associated network interfaces to a bridge. Bridges on the FortiWeb unit support IEEE 802.1d spanning tree protocol (STP) and, therefore, do not require that you manually test the bridged network for Layer 2 loops. Bridges are also capable of electing a root switch and designing a tree on their own that uses the minimum cost path to the root switch; although, you may prefer to do so manually for design and performance reasons.
Note: If you prefer to disable STP, see the config system v-zone command in the FortiWeb CLI Reference.

True bridges typically have no IP address of their own. They use only media access control (MAC) addresses to describe the location of physical ports within the scope of their network and do network switching at Layer 2 of the OSI model. However, if you require the ability to use an IP address to use ICMP ECHO requests (ping) to test connectivity with the physical ports comprising the bridge, you can assign an IP address to the bridge and thereby create a virtual network interface that will respond. To configure a bridge in the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see About permissions on page 80.
Table 14: System > Network > V-zone tab

(Screenshot callout: Edit.)

Name
    Displays the name of the v-zone (bridge).

Interface name
    Displays the name and current status (in parentheses) of each network port that belongs to the bridge, such as port4 (forwarding). Possible states include:
    listening: The port is up and, by using the spanning tree protocol (STP), has determined that it will participate in forwarding frames. It is receiving bridge protocol data units (BPDUs) that tell it about its distance from the root switch, but it is not yet transmitting BPDUs about itself or forwarding frames, and is not yet learning.
    learning: The port is building a database of media access control (MAC) addresses of the network nodes that are connected on the Ethernet network in order to discover which links in the tree are functional. It continues to receive BPDUs, but now it is also transmitting BPDUs to allow the spanning tree to learn about its existence in preparation for forwarding. The time required to learn the spanning tree varies by the size of the network, but can be many seconds.
    forwarding: Learning is sufficient for the port to be capable of forwarding frames. It continues to receive and forward BPDUs and update its database of MAC addresses, and, therefore, may leave this state if STP detects a topology change that requires this port to, for example, block instead of forward frames in order to maintain a valid, non-looping tree. This is the usual state during normal operation.
    disabled: The port was automatically disabled. Its network cable may be disconnected or the link is otherwise broken. The cause must be corrected before the port can function in the bridge.
    blocked: The port was automatically disabled in order to prevent a Layer 2 loop in the spanning tree, because its link is redundant with another part of the tree. It is on standby and could be automatically enabled in failover scenarios, if the redundant part of the tree fails. If you do not want this port to remain disabled, you must remove the redundant part of the tree that causes this port to be blocked.

(No column heading.)
    Click the Edit icon to view or modify the settings of the bridge. For details, see Configuring the network and VLAN interfaces on page 50.

To configure a v-zone (bridge)

1 Go to System > Network > V-zone.
2 Click Create New, or, in the row corresponding to an existing bridge, click the Edit icon.
3 Configure the following:

Name
    Type the name of the v-zone (bridge).

IP/Netmask
    The FortiWeb unit is set to a default IP/Netmask of 0.0.0.0/0.0.0.0. To create a true bridge without its own IP address, enter a unique IP/Netmask for your location.
    Note: When operating in either of the transparent modes, failure to change the IP/Netmask for your location will result in an Invalid IP Address error message.
    To create a virtual network interface that can respond to ICMP ECHO (ping) requests, enter an IP address/subnet mask for the virtual network interface.

Interface name
    Displays a list of network interfaces that currently have no IP address of their own, are not members of another bridge, and which therefore could be members of this bridge. To add a pair of network interfaces to the bridge, select them and click the right arrow.
    Note: In either of the transparent modes, port1 cannot be included in a bridge. It is configured with an IP address to allow CLI and web-based manager connections.

Member
    Displays a list of network interfaces that belong to this bridge.

4 Click OK. In the Interface name column, each network interface's status is in parentheses next to the name of the port, such as port4 (forwarding). Depending on the status, each port in the bridge may or may not be immediately functional. For details, see Interface name on page 57.
5 Connect one of the physical ports in the bridge to your protected servers, and the other port to your overall network.

Configuring fail-open
If your unit supports fail-open, selecting System > Network > Fail-open enables you to configure fail-to-wire behavior in the event that the FortiWeb unit is shut down, rebooted, or unexpectedly loses power.
Note: Fail-open is supported only when the FortiWeb unit operates in true transparent proxy (TTP) mode or transparent inspection (TI) mode, and only for models with a CP7 processor, such as the FortiWeb-1000C and FortiWeb-3000C. Fail-open is disabled if the FortiWeb unit is configured as a high availability master or backup.

For FortiWeb units and operation modes that support fail-open, this feature allows connections to pass through unfiltered when powered off. This may be useful if you are required by contract to provide uninterrupted connectivity, or if you consider connectivity interruption to be a greater risk than being open to attack during the power interruption. Select either:
• PowerOff-Bypass: Behave as a wire when powered off, allowing connections to pass through, bypassing policy and profile filtering.
• PowerOff-Cutoff: Interrupt connectivity when powered off.

Configuring the DNS settings


System > Network > DNS enables you to configure the FortiWeb unit with its local domain name, and the IP addresses of the domain name system (DNS) servers that the FortiWeb unit will query to resolve domain names such as www.example.com into IP addresses. FortiWeb units require connectivity to DNS servers for DNS lookups. Your Internet service provider (ISP) may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers.

Note: For improved performance, use DNS servers on your local network.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see About permissions on page 80.
Table 15: System > Network > DNS tab

Primary DNS Server
    Type the IP address of the primary DNS server.

Secondary DNS Server
    Type the IP address of the secondary DNS server.

Local Domain Name
    Type the name of the local domain to which the FortiWeb unit belongs, if any. This field is optional. It will not appear in the Host: field of HTTP headers for client connections to protected web servers.

Synchronizing configurations
System > Config > Config-Synchronization enables you to synchronize the configuration information on the local FortiWeb unit with a peer (remote) FortiWeb unit. As a result, the configuration information on the peer FortiWeb unit is updated with that of the local FortiWeb unit. This type of configuration synchronization is useful in the following scenario:
• two FortiWeb units are used in an environment where high availability (HA) or load balancing is performed by the gateway or the router
• the two FortiWeb units are not part of a high availability (HA) pair, but the units are required to have the same security policies

Essentially, synchronization relieves you of the need to update policies on two FortiWeb units whenever policies or settings change. The second unit updates its settings automatically from the other.


Figure 20: Example scenario for configuration synchronization

There are two levels of configuration synchronization: full and partial.

Note: The full synchronization option is not available in the reverse proxy operation mode.

Full synchronization updates all configuration files on the peer FortiWeb unit, except for the following:
• Network interfaces define the physical connection of the FortiWeb unit to the network (management IP) and must remain unchanged. For more information, see Configuring the network and VLAN interfaces on page 50.
• Configuration data for administrator accounts, access profiles and administrator settings must remain unchanged. For more information, see Configuring administrator accounts on page 75.

Partial synchronization updates all configuration files on the peer FortiWeb unit, with the exception of:
• All configurations on the System menu. For more information, see System on page 41.
• Router > Static configurations. For more information, see Router on page 105.
• Server Policy > Policy configurations. For more information, see Configuring server policies on page 118.
• Server Policy > Server configurations. For more information, see Configuring servers on page 129.
• Server Policy > Server Health Check configurations. For more information, see Configuring server health checks on page 143.
• Server Policy > Service configurations. For more information, see Configuring services on page 145.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see About permissions on page 80.


Table 16: System > Config > Config-Synchronization tab

Peer FortiWeb IP
    Type the IP address of the remote FortiWeb unit that you want to synchronize with the local FortiWeb unit.

Test
    Select to test the connection between the local FortiWeb unit and the remote FortiWeb unit.

Peer FortiWeb Port
    Type the port number of the remote FortiWeb unit that is used for config synchronization. The default port is 8333. For more information about how to set the port number for configuration synchronization, see Configuring the web-based manager's global settings on page 82.

Peer FortiWeb Password
    Enter the administrator password for the remote FortiWeb unit.

Synchronization Type
    Select either Partial or Full (note that Full configuration sync is not available in the reverse proxy operation mode). For details, see the previous descriptions in this topic.

Synchronize
    Click to initiate the synchronization of configuration information from the local FortiWeb unit to the peer FortiWeb unit.

Configuring high availability (HA)


System > Config > HA-Config enables you to configure a FortiWeb unit to operate as one of two units in an active-passive high availability (HA) pair. FortiWeb units that are joined as an HA pair enhance availability. To distinguish the units in an HA pair, each unit is configured with a unique HA operating mode. The HA mode determines whether the unit operates as a master HA unit or a backup HA unit. Functionally, there is no difference between the master and backup.

Before configuring HA, verify that your FortiWeb units meet the HA requirements:
• You have two FortiWeb units.
• The units are the same hardware model (for example, both FortiWeb-1000C).
• The units have identical firmware versions installed.
• There is a redundant network topology in place: if the master fails, physical network cabling and routes must redirect web traffic to the backup.
• To carry heartbeat and synchronization traffic between the HA pair, the heartbeat interface on both HA units must be connected through Ethernet crossover cables or through switches.
Note: If a switch is used to connect the heartbeat interfaces, the heartbeat interfaces must be reachable by Layer2 Multicast.


For more information on heartbeat and synchronization, see About the heartbeat and synchronization on page 65. You can have more than one HA pair on the same network as long as each pair has a different group ID.

Each unit in the HA pair also has an Effective HA mode attribute. This mode defines whether the HA unit is the main working unit or a backup unit. The main working unit is responsible for scanning web traffic. The backup unit does not scan web traffic but is ready to take over if a failure occurs in the main working unit.

The main and backup units synchronize and detect failures by communicating through a heartbeat interface that connects the two units in the HA pair. Failure is assumed when the main unit is unresponsive to a heartbeat signal from the backup unit for a configured amount of time (Detection interval x Heartbeat lost threshold). If the main working unit fails, the two units in the HA pair switch their effective HA modes: standby becomes main, and main becomes standby. The IP address carrying web traffic is transferred automatically to the unit whose effective HA mode is the main working unit. The master and backup HA modes do not change.

In a failure situation, the amount of time that it takes the backup unit to take over from the main unit varies by your network's responsiveness to changeover notification and by your configuration (ARP packet numbers x ARP packet interval).

Figure 21 shows an example HA network topology with IP address transfer from the main unit to the backup unit upon failover. In this example, the heartbeat interfaces are connected with crossover Ethernet cables.
Figure 21: HA topology and failover - Ethernet cable connection for heartbeat

(Diagram elements: Client; Internet; Firewall; FortiWeb HA pair consisting of Master (main) and Backup (standby), each with port1 and port2 (on the master, port1 10.0.0.1 and port2 192.168.1.1); primary and secondary Heartbeat Interfaces connected between the two units; IP addresses transfer upon failover; Switch; Web Server 1 at 192.168.1.2/24; Web Server 2 at 192.168.1.3/24.)

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see About permissions on page 80.


Table 17: System > Config > HA-Config tab

Configured HA mode
    Select one of the following as the HA operating mode:
    MASTER: A FortiWeb unit configured with a master HA mode will form an HA pair with another FortiWeb unit whose HA synchronize group ID matches that defined on the master, and whose Heartbeat Interfaces are connected to the master by Ethernet crossover cables or through switches. The master initially acts as the main working unit in the HA pair and scans web traffic.
    BACKUP: A FortiWeb unit configured with a backup HA mode will form an HA pair with another FortiWeb unit whose HA synchronize group ID matches that defined on the backup, and whose Heartbeat Interfaces are connected to the backup by Ethernet crossover cables or through switches. The backup unit initially acts as the backup unit in the HA pair and does not scan web traffic. If the backup detects through the heartbeat interface that the master has failed, the backup automatically begins acting as the main working unit in the HA pair and broadcasts ARP packets to notify the network of the changeover. The network interface IP address is transferred to the backup, and the backup takes over scanning web traffic. The master becomes a standby working unit. The backup does not revert to a standby role if it detects that the master is once again available. Instead, another failover must occur in order to cause the master to become the main unit once again. Or you can manually switch the roles of the master and backup units.
    STANDALONE: Do not operate as a member of an HA pair. Instead, operate as a single, independent FortiWeb unit. No other dialog options appear when this option is in effect.
    The default value is STANDALONE.

Effective HA mode
    The effective HA mode defines whether the HA unit is the main working unit or a backup unit. The main working unit is responsible for scanning web traffic. The backup unit does not scan web traffic but is ready to take over if a failure occurs in the main working unit.


HA synchronize group ID
    Enter a number that identifies the HA pair. Both members of the HA pair must have the same group ID. If you have more than one HA pair on the same network, each HA pair must have a different group ID. Changing the group ID changes the cluster's virtual MAC address.
    The default value is 0. The valid range is 0 to 63.

Detection interval
    Enter the number of 100-millisecond intervals between each heartbeat packet that the FortiWeb unit sends to the other FortiWeb unit in the HA pair. This is also the amount of time that a FortiWeb unit waits before expecting to receive a heartbeat packet from the other unit. This part of the configuration is synchronized between the main unit and backup unit.
    The default value is 1 (that is, 100 milliseconds). The valid range is 1 to 20 (that is, between 100 and 2 000 milliseconds).
    Note: Although this setting is synchronized between the main unit and the backup unit, you should initially configure both units with the same Detection interval to prevent inadvertent failover from occurring before the initial synchronization.

Heartbeat lost threshold
    Enter the number of heartbeat intervals that one of the HA units retries the heartbeat and waits to receive HA heartbeat packets from the other HA unit before assuming that the other unit has failed. This part of the configuration is synchronized between the main unit and backup unit.
    Normally, you do not need to change this setting. Exceptions include:
    • Increase the failure detection threshold if a failure is detected when none has actually occurred. For example, during peak traffic times, if the main unit is very busy, it might not respond to heartbeat packets in time, and the backup unit may assume that the main unit has failed.
    • Reduce the failure detection threshold or detection interval if administrators and HTTP clients have to wait too long before being able to connect through the main unit, resulting in noticeable down time.
    The default value is 1. The valid range is from 1 to 60.
    Note: Although this setting is synchronized between the main unit and the backup unit, you should initially configure both units with the same Heartbeat lost threshold to prevent inadvertent failover from occurring before the initial synchronization.

ARP packet numbers
    Enter the number of times that the FortiWeb unit will broadcast address resolution protocol (ARP) packets when it takes on the main role in order to notify the network that a new physical port has become associated with the HA pair IP address and virtual MAC. This is sometimes called using gratuitous ARP packets to train the network, and can occur when the main unit is starting up, or during a failover. Also configure ARP packet interval.
    Normally, you do not need to change this setting. Exceptions include:
    • Increase the number of times the main unit sends gratuitous ARP packets if your HA pair takes a long time to fail over or to train the network. Sending more gratuitous ARP packets may help the failover to happen faster.
    • Decrease the number of times the main unit sends gratuitous ARP packets if your HA pair has a large number of VLAN interfaces and virtual domains. Because gratuitous ARP packets are broadcast, sending gratuitous ARP packets may generate a large amount of network traffic. As long as the HA pair still fails over successfully, you could reduce the number of times gratuitous ARP packets are sent to reduce the amount of traffic produced by a failover.
    The default value is 3. The valid range is 1 to 16.


ARP packet interval
    Enter the number of seconds to wait between each time that the FortiWeb unit broadcasts ARP packets.
    Normally, you do not need to change this setting. Exceptions include:
    • Decrease the interval if your HA pair takes a long time to fail over or to train the network. Sending ARP packets more frequently may help the failover to happen faster.
    • Increase the interval if your HA pair has a large number of VLAN interfaces and virtual domains. Because gratuitous ARP packets are broadcast, sending gratuitous ARP packets may generate a large amount of network traffic. As long as the HA pair still fails over successfully, you could increase the interval between when gratuitous ARP packets are sent to reduce the rate of traffic produced by a failover.
    The default value is 1. The valid range is from 1 to 20.

Port Monitor
    Enable to monitor for link failure the network interfaces that correlate directly to a physical port. Port monitoring (also called interface monitoring) monitors physical network ports to verify that they are functioning properly and connected to their networks. If the physical port fails or becomes disconnected, a failover will occur.
    Note: To prevent unintentional failover, do not configure port monitoring until you have configured HA on both units in the HA pair, and connected the physical network ports that will be monitored.

Heartbeat Interface
    Select the ports on the FortiWeb unit that the main unit and backup unit will use to send heartbeat signals between each other. The heartbeat interface must be defined on each unit in the HA pair. Port matching is not necessary. If enough ports are available, you can select a primary heartbeat interface and a secondary heartbeat interface on each unit in the HA pair for redundancy. You cannot use the same port for both the primary and secondary heartbeat interface on the same unit. Ports that currently have an IP address assigned for other purposes (that is, virtual servers or bridges) are disabled.
    Note: Heartbeat interfaces can be connected through Ethernet crossover cables or through switches. If a switch is used to connect the heartbeat interfaces, the heartbeat interfaces must be reachable by Layer 2 multicast.

About the heartbeat and synchronization


To keep the configurations concurrent so the backup unit in an HA pair will be ready in case of failover, HA pairs synchronize their configuration every 30 seconds. Synchronization includes WSDL files, certificates, and schema files. (HTTP sessions, state data related to protection profile features, and log messages, however, are not synchronized. Upon failover, sessions must be re-formed with the new main unit.)
Note: If an HA pair is not configured, you can still synchronize the configuration between the local FortiWeb unit and its peers. For more information, see Synchronizing configurations on page 59.

Only the FortiWeb unit currently acting as the main unit (scanning web traffic) is configured with IP addresses on its network interface. The backup unit will only use the configured IP addresses if a failover occurs, and the backup unit therefore must assume the role of the main unit.
Note: Since backup units do not have IP addresses, the backup unit can only be accessed through the local console. For more information on using the local console's CLI, see the FortiWeb CLI Reference.

Heartbeat and synchronization traffic occur over the network interface ports that you have configured in Heartbeat Interface. Heartbeat and synchronization are performed through multicast UDP on port numbers 5055 (heartbeat) and 5056 (synchronization). The multicast IP address 224.0.0.1 is hard-coded, and cannot be configured.


Note: If switches are used to connect heartbeat interfaces between an HA pair, the heartbeat interfaces must be reachable by Layer2 Multicast.

Failover is triggered by any interruption to either the heartbeat or a port-monitored network interface whose length of time exceeds your configured limits (Detection interval x Heartbeat lost threshold). While the main unit is unresponsive, the backup unit does the following:
1 notifies the network that the IP addresses are now associated with its virtual MAC addresses
2 performs the role of the main unit and scans network traffic

The HA units will not change roles when the failed unit resumes responsiveness to the heartbeat. Instead, a second failover must occur to cause the HA units to change roles again. You can manually switch over the roles if desired.

Because log messages are not synchronized, after a failover, you may notice that there is a gap in the master log files that corresponds to the period of its down time. Log files are stored on the backup during the time when the backup is acting as the main unit subsequent to a failover.
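The failure detection and ARP training timing described above, as an added Python example that is not FortiWeb code. It computes the failure detection time (Detection interval x 100 ms x Heartbeat lost threshold) and the ARP training time (ARP packet numbers x ARP packet interval) from the HA-Config values, rejecting values outside their stated ranges, and runs a heartbeat-loss detector over two constructed heartbeat timelines: one in which the main unit goes silent, and one in which a busy main unit merely delays a heartbeat, which the default Heartbeat lost threshold of 1 misreads as a failure while a higher threshold rides it out. The multicast group and UDP ports are the ones stated in this section; the timelines are constructed, not captured.

```python
"""Added example (not FortiWeb code): HA failover timing and heartbeat-loss
detection based on the HA-Config parameters described in this section.

The heartbeat itself is multicast UDP to 224.0.0.1 port 5055 (port 5056 for
configuration synchronization). The timelines below are constructed, not
captured from a real HA pair.
"""
from dataclasses import dataclass

HEARTBEAT_GROUP = "224.0.0.1"   # hard-coded multicast group stated in the guide
HEARTBEAT_PORT = 5055
SYNC_PORT = 5056


@dataclass(frozen=True)
class HaTimers:
    """The four timing values from the HA-Config tab with their valid ranges."""
    detection_interval: int = 1        # 100 ms units, 1-20
    heartbeat_lost_threshold: int = 1  # intervals, 1-60
    arp_packet_numbers: int = 3        # gratuitous ARPs sent after takeover, 1-16
    arp_packet_interval: int = 1       # seconds between them, 1-20

    def __post_init__(self):
        limits = {
            "detection_interval": (self.detection_interval, 1, 20),
            "heartbeat_lost_threshold": (self.heartbeat_lost_threshold, 1, 60),
            "arp_packet_numbers": (self.arp_packet_numbers, 1, 16),
            "arp_packet_interval": (self.arp_packet_interval, 1, 20),
        }
        for name, (value, lo, hi) in limits.items():
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside {lo}-{hi}")

    def heartbeat_period_ms(self) -> int:
        """Gap between heartbeats, and how long a unit waits for the next one."""
        return self.detection_interval * 100

    def failure_detection_ms(self) -> int:
        """Silence on the heartbeat before the peer is assumed to have failed:
        Detection interval x Heartbeat lost threshold."""
        return self.heartbeat_period_ms() * self.heartbeat_lost_threshold

    def arp_training_s(self) -> int:
        """Time the new main unit spends retraining the network with gratuitous
        ARP: ARP packet numbers x ARP packet interval."""
        return self.arp_packet_numbers * self.arp_packet_interval


def detect_failover(heartbeat_ms, timers: HaTimers, observe_until_ms: int):
    """Replay heartbeat arrival times (ms) as the backup unit sees them and
    return the instant at which it declares the main unit failed, or None."""
    limit = timers.failure_detection_ms()
    last = None
    for t in sorted(heartbeat_ms):
        if last is not None and t - last > limit:
            return last + limit          # silence exceeded the limit before t arrived
        last = t
    if last is not None and observe_until_ms - last > limit:
        return last + limit              # main unit went silent for good
    return None


# Constructed timeline 1: steady 100 ms heartbeats, then the main unit dies after t=500.
MAIN_DIES = list(range(0, 600, 100))
# Constructed timeline 2: a busy main unit skips two beats (gap 200->500) but recovers.
MAIN_BUSY = [0, 100, 200] + list(range(500, 2000, 100))


def demo():
    default = HaTimers()
    tolerant = HaTimers(heartbeat_lost_threshold=5)
    return {
        "default_limit_ms": default.failure_detection_ms(),              # 100
        "tolerant_limit_ms": tolerant.failure_detection_ms(),            # 500
        "dies_default": detect_failover(MAIN_DIES, default, 2000),       # 600
        "dies_tolerant": detect_failover(MAIN_DIES, tolerant, 2000),     # 1000
        "busy_default": detect_failover(MAIN_BUSY, default, 2000),       # 300: spurious failover
        "busy_tolerant": detect_failover(MAIN_BUSY, tolerant, 2000),     # None: rides out the delay
        "arp_training_s": HaTimers(arp_packet_numbers=3,
                                   arp_packet_interval=2).arp_training_s(),  # 6
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off the table describes falls out of the numbers: raising Heartbeat lost threshold from 1 to 5 stops the busy-unit timeline from failing over at all, but delays detection of a genuinely dead unit from 600 ms to 1 000 ms after its last heartbeat.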

Configuring the SNMP agent


System > Config > SNMP enables you to configure the FortiWeb unit's simple network management protocol (SNMP) agent to allow queries for system information and to send traps (alarms or event messages) to the computer that you designate as its SNMP manager. In this way you can use an SNMP manager to monitor the FortiWeb unit.

Before you can use SNMP, you must activate the FortiWeb unit's SNMP agent and add it as a member of at least one community. You must also enable SNMP access on the network interface through which the SNMP manager connects. (See Configuring the network and VLAN interfaces on page 50.) On the SNMP manager, you must also verify that the SNMP manager is a member of the community to which the FortiWeb unit belongs, and compile the necessary Fortinet-proprietary management information blocks (MIBs) and Fortinet-supported standard MIBs. For information on MIBs, see Appendix C: SNMP MIB support on page 399.
Caution: Failure to configure the SNMP manager as a host in a community to which the FortiWeb unit belongs, or to supply it with required MIBs, will make the SNMP monitor unable to query or receive traps from the FortiWeb unit.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see About permissions on page 80.

To configure the SNMP agent

1 Go to System > Config > SNMP.
2 Configure the following and click OK.


Table 18: Configuring an SNMP Agent

(Screenshot callouts: Delete, Edit.)

SNMP Agent
    Select to activate the SNMP agent, so that the FortiWeb unit can send traps and receive queries for the communities in which you have enabled queries and traps. For more information on communities, see Configuring an SNMP community on page 68.

Description
    Enter a comment about the FortiWeb unit. The description can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

Location
    Enter the physical location of the FortiWeb unit. The location can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

Contact
    Enter the contact information for the administrator or other person responsible for this FortiWeb unit, such as a phone number or name. The contact information can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

Apply
    Click to save changes made to the description, location, and contact information.

Create New
    Click Create New to add a new SNMP community. You can add up to three communities. You must add at least one community for SNMP to be functional. For more information, see Configuring an SNMP community on page 68.

Communities
    The list of SNMP communities to which the FortiWeb unit belongs.
    Name: The name of the SNMP community.
    Queries: Whether or not the SNMP manager of the community is permitted to query the FortiWeb unit.
    Traps: Whether or not the FortiWeb unit will send traps to the SNMP manager of the community.
    Enable: Select to activate the SNMP community.

(No column heading.)
    Click the Delete icon to remove an SNMP community.
    Click the Edit icon to view or modify an SNMP community. For more information, see Configuring an SNMP community on page 68.


Configuring an SNMP community


An SNMP community is a grouping of equipment for network administration purposes. You must configure your FortiWeb unit to belong to at least one SNMP community so that the community's SNMP managers can query the FortiWeb unit's system information and receive SNMP traps from the FortiWeb unit. You can add up to three SNMP communities. Each community can have a different configuration for queries and traps, and a different set of events that trigger a trap. You can also add the IP addresses of up to eight SNMP managers to each community to designate the destination of traps and which IP addresses are permitted to query the FortiWeb unit.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see About permissions on page 80.

To add an SNMP community to the FortiWeb unit's SNMP agent
1 Go to System > Config > SNMP.
2 Click Create New.
3 Configure the following, then click OK:
Table 19: Configuring an SNMP Community

Community Name
  Enter the name of the SNMP community to which the FortiWeb unit and at least one SNMP manager belongs. The FortiWeb unit will not respond to SNMP managers whose query packets do not contain a matching community name. Similarly, trap packets from the FortiWeb unit will include the community name, and an SNMP manager may not accept the trap if its community name does not match.

Hosts

  IP Address
    Enter the IP address of the SNMP manager that, if traps or queries are enabled in this community:
    - will receive traps from the FortiWeb unit
    - will be permitted to query the FortiWeb unit
    SNMP managers have read-only access. To allow any IP address using this SNMP community name to query the FortiWeb unit, enter 0.0.0.0.
    Note: Entering 0.0.0.0 effectively disables traps if there are no other host IP entries, because there is no specific destination for trap packets. If you do not want to disable traps, you must add at least one other entry that specifies the IP address of an SNMP manager.

  Interface
    Select either ANY or the name of the network interface from which the FortiWeb unit will send traps and reply to queries.
    Note: You must select a specific network interface if the SNMP manager is not on the same subnet as the FortiWeb unit. This can occur if the SNMP manager is on the Internet or behind a router.
    Note: This option only configures which network interface will send SNMP traffic. To configure which network interface will receive queries, see Configuring the network and VLAN interfaces on page 50.

  Delete
    Click to remove an SNMP manager from the SNMP community configuration.

  Add
    Click to add an SNMP manager entry. You can add up to eight SNMP managers to each community.

Queries
  Enter the port number (161 by default) on which the FortiWeb unit listens for SNMP queries from the SNMP managers in this community, then enable queries for either or both SNMP v1 and SNMP v2c.

Traps
  Enter the port number (162 by default) that will be the source (Local) port number and destination (Remote) port number for trap packets sent to SNMP managers in this community, then enable traps for either or both SNMP v1 and SNMP v2c.

SNMP Event
  Enable the types of SNMP traps that you want the FortiWeb unit to send to the SNMP managers in this community. (See Figure 22 on page 70.)
  While most trap events are described by their names, the following events occur when a threshold has been exceeded:
  - CPU Overusage: CPU usage has exceeded 80%.
  - Memory Low: Memory (RAM) usage has exceeded 80%.
  For more information on supported traps and queries, see Appendix C: SNMP MIB support on page 399.
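The community and host rules in Table 19 decide whether a query is answered: the community name in the packet must match, queries must be enabled for that community, and the sender must be one of its hosts (or the hosts must include 0.0.0.0). The following is an added example, not FortiWeb code, that models those rules in Python. The policy dictionary shape is an assumption made for the example; the SNMP GetRequest it constructs for the standard MIB-II sysDescr.0 object exists only so the parser has input, and it also shows that in SNMP v1/v2c the community name is carried in clear text, which is why the Hosts restriction rather than the name alone is what protects the agent.

```python
"""Community/host access check from Table 19 (added example, not FortiWeb
code). COMMUNITIES below is a constructed policy in a shape assumed for the
example; the rules applied are the ones the table states."""
import ipaddress

SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # standard MIB-II sysDescr.0

# --- minimal BER encoder, enough to construct a v1/v2c request ------------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _int(v):
    # two's-complement INTEGER; (bit_length + 8) // 8 leaves room for the sign bit
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _oid(arcs):
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))

def build_request(community, pdu_tag=0xA0, oid=SYS_DESCR_0, version=1, request_id=1):
    """Encode an SNMP message (version 0 = v1, 1 = v2c); 0xA0 is GetRequest."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))            # OID, NULL value
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)

# --- decoder for the message header: version, community, PDU type ---------
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_header(packet):
    """Return (version, community, pdu_tag) of an SNMP v1/v2c message."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, vbody, pos = _read_tlv(body, 0)
    ctag, cbody, pos = _read_tlv(body, pos)
    ptag, _, _ = _read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("malformed SNMP header")
    return int.from_bytes(vbody, "big", signed=True), cbody.decode("latin-1"), ptag

READ_PDUS = {0xA0, 0xA1, 0xA5}   # GetRequest, GetNextRequest, GetBulkRequest

def query_allowed(packet, src_ip, communities):
    """Apply the Table 19 rules to an incoming query: matching community
    name, queries enabled, sender listed as a host (0.0.0.0 = any host),
    and read-only access, so a SetRequest (0xA3) is never accepted."""
    version, name, pdu_tag = parse_header(packet)
    if version not in (0, 1) or pdu_tag not in READ_PDUS:
        return False
    src = ipaddress.ip_address(src_ip)
    for comm in communities:
        if comm["name"] != name or not comm["queries"]:
            continue
        if any(h == "0.0.0.0" or ipaddress.ip_address(h) == src for h in comm["hosts"]):
            return True
    return False

# constructed sample policy: two communities, as the GUI would store them
COMMUNITIES = [
    {"name": "ops-ro", "hosts": ["192.0.2.10", "192.0.2.11"], "queries": True},
    {"name": "traps-only", "hosts": ["0.0.0.0"], "queries": False},
]

if __name__ == "__main__":
    pkt = build_request("ops-ro")
    print("community visible in clear text:", b"ops-ro" in pkt)
    print(parse_header(pkt))
    print(query_allowed(pkt, "192.0.2.10", COMMUNITIES))
```

The "traps-only" community has queries disabled, so even a manager that knows its name gets no answer; the "ops-ro" community answers only the two listed managers, which is the configuration the note under IP Address recommends over 0.0.0.0.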


Figure 22: SNMP Events

Configuring DoS protection


Go to System > Config > DOS Protection to configure protection from TCP SYN flood-style denial of service (DoS) attacks. Once you configure DoS protection, the FortiWeb unit automatically applies it to connections matching any server policy.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see About permissions on page 80.

To configure DoS protection
1 Go to System > Config > DOS Protection.


Figure 23: DoS prevention dialog

2 Configure the following and click Apply.


Syn Cookie
  Enable to detect TCP SYN flood attacks. Also configure Half Open Threshold.

Half Open Threshold
  Enter the maximum number of TCP SYN packets, including retransmissions, that may be sent per second to a destination address. If this threshold is exceeded, the FortiWeb unit determines that a DoS attack is occurring and ignores additional traffic from that source address.

Severity
  Select the severity level you want FortiWeb to use in the records and reports generated when a DoS violation occurs. You can configure the violation as either Low, Medium or High severity.

Trigger Policy
  Select the trigger policy you want FortiWeb to apply when a DoS violation occurs. Trigger policies determine who will be notified by email when the violation occurs, and whether the log message associated with the violation is recorded.
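The Half Open Threshold above is a per-second count of SYN segments per destination address. The following is an added example, not FortiWeb code, that applies that rule in Python to a constructed set of packet records so the effect of the threshold can be seen: it counts new handshake attempts (SYN without ACK, retransmissions included) per destination per whole second and reports the seconds in which the count exceeds the threshold, together with the source addresses that were sending. The record tuple format is an assumption made for the example.

```python
"""Half Open Threshold check from the DoS protection table (added example,
not FortiWeb code). Record format (timestamp_seconds, src_ip, dst_ip,
tcp_flags) is assumed for the example."""
from collections import defaultdict

def is_new_connection_attempt(flags):
    # A SYN without ACK is a new handshake attempt; retransmissions count too.
    return "S" in flags and "A" not in flags

def syn_rate_per_destination(records):
    """Return {(dst_ip, whole_second): (syn_count, set_of_sources)}."""
    buckets = defaultdict(lambda: [0, set()])
    for ts, src, dst, flags in records:
        if is_new_connection_attempt(flags):
            bucket = buckets[(dst, int(ts))]
            bucket[0] += 1
            bucket[1].add(src)
    return {key: (n, srcs) for key, (n, srcs) in buckets.items()}

def detect_syn_flood(records, half_open_threshold):
    """One alert per (destination, second) whose SYN count exceeds the
    threshold; the listed sources are the ones further traffic would be
    ignored from."""
    alerts = []
    for (dst, sec), (n, srcs) in sorted(syn_rate_per_destination(records).items()):
        if n > half_open_threshold:
            alerts.append({"dst": dst, "second": sec,
                           "syn_count": n, "sources": sorted(srcs)})
    return alerts

def sample_records():
    """Constructed traffic: one normal second (a full handshake plus one
    extra SYN), then a burst of 30 SYNs from three sources to one virtual
    server within a single second."""
    recs = [(100.1, "198.51.100.20", "203.0.113.5", "S"),
            (100.2, "203.0.113.5", "198.51.100.20", "SA"),
            (100.3, "198.51.100.20", "203.0.113.5", "A"),
            (100.7, "198.51.100.21", "203.0.113.5", "S")]
    senders = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
    for i in range(30):
        recs.append((101.0 + i / 40, senders[i % 3], "203.0.113.5", "S"))
    return recs

if __name__ == "__main__":
    for alert in detect_syn_flood(sample_records(), half_open_threshold=10):
        print(alert)
```

With a threshold of 10 the normal second (2 SYNs) is silent and the burst second (30 SYNs) produces one alert; raising the threshold above 30 silences it, which is the trade-off to keep in mind when choosing the value for a busy virtual server.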

Configuring the operation mode


System > Config > Operation enables you to configure the operation mode of the FortiWeb unit. You will usually set the operation mode once, during installation. Exceptions include if you install the FortiWeb unit in offline protection mode for evaluation purposes, before deciding to switch to reverse proxy mode and actively begin filtering traffic. You can switch between the two types of transparent mode without encountering problems. The operation mode depends on network topology (see the FortiWeb Install and Setup Guide for more information).

FortiWeb units can operate in one of the following modes:

Reverse proxy: Reverse proxy traffic is destined for a virtual server's network interface and IP address. The FortiWeb unit forwards it to a real server and applies the first applicable policy. The FortiWeb unit logs, blocks, or modifies traffic according to the matching policy and its protection profile. This mode supports user authentication.

Offline protection: The FortiWeb unit monitors traffic received on the virtual server's network interface (regardless of the IP address) and applies the first applicable policy. The FortiWeb unit logs or blocks traffic according to the matching policy and its protection profile. In this mode, if FortiWeb detects a malicious request, it attempts to reset the connection. It does not otherwise modify traffic. (It does not, for example, apply SSL or load-balance connections.) This mode does not support user authentication.


Caution: Unlike in reverse proxy mode, actions other than Alert cannot be guaranteed to be successful in offline protection mode. The FortiWeb unit will attempt to block traffic that violates the policy by mimicking the client or server and requesting to reset the connection. However, the client or server may receive the reset request after it receives the other traffic due to possible differences in routing paths.

True transparent proxy: This proxy traffic is destined for a real server. The FortiWeb unit applies the first applicable policy. Traffic is received on a network port that belongs to a Layer 2 bridge, and no changes to the IP address scheme of the network are required. This mode supports user authentication via HTTP but not HTTPS. This mode supports a v-zone bridge.

Transparent inspection: This traffic is destined for a real server. The FortiWeb unit asynchronously inspects traffic and applies the first applicable policy. The FortiWeb unit logs or blocks traffic according to the matching policy and its protection profile, but does not otherwise modify it. (It does not, for example, apply SSL or load-balance connections.) Similar to offline protection mode, actions other than Alert cannot be guaranteed to be successful. It is easy to switch between transparent inspection and true transparent proxy without changing your network topology. This mode does not support user authentication. This mode supports a v-zone bridge.

The default operation mode is reverse proxy.


Table 20: Supported features in different operation modes

Feature                    | Reverse proxy | Offline protection | True transparent proxy, HTTP | True transparent proxy, HTTPS | Transparent inspection
---------------------------+---------------+--------------------+------------------------------+-------------------------------+-----------------------
Allow Method               | Yes           | Yes                | Yes                          | Yes                           | Yes
AMF3 Support               | Yes           | Yes                | Yes                          | Yes                           | Yes
Authentication Policy      | Yes           | No                 | Yes                          | No                            | No
Auto-learning              | Yes           | Yes                | Yes                          | Yes                           | Yes
Brute Force Login          | Yes           | No                 | Yes                          | Yes                           | No
Client Certificate Verify  | Yes           | No                 | No                           | No                            | No
Cookie Poisoning           | Yes           | No                 | Yes                          | No                            | No
Custom Packet Log Filter   | Yes           | Yes                | Yes                          | Yes                           | Yes
Hidden Field               | Yes           | Yes                | Yes                          | Yes                           | Yes
HTTP Conversion            | Yes           | No                 | Yes                          | No                            | No
HTTP Protocol Constraints  | Yes           | Yes                | Yes                          | Yes                           | Yes
Information Disclosure     | Yes           | Yes (alert only)   | Yes                          | Yes (alert only)              | Yes (alert only)
IP List                    | Yes           | No                 | Yes                          | Yes                           | No
Page Access Rule           | Yes           | No                 | Yes                          | No                            | No
Parameter Validation       | Yes           | Yes                | Yes                          | Yes                           | Yes
Robot Control              | Yes           | No                 | Yes                          | Yes                           | No
Server Protection Rules    | Yes           | Yes                | Yes                          | Yes                           | Yes
Session Management         | Yes           | Yes                | Yes                          | Yes                           | Yes
SSLv2 Support              | Yes           | No                 | N/A                          | No                            | No
Start Pages                | Yes           | No                 | Yes                          | No                            | No
URL Access Rule            | Yes           | Yes                | Yes                          | Yes                           | Yes
URL Rewriting              | Yes           | No                 | Yes                          | No                            | No
V-zone Bridge              | No            | No                 | Yes                          | Yes                           | Yes
Web Anti-Defacement        | Yes           | Yes                | Yes                          | Yes                           | Yes
Web Vulnerability Scan     | Yes           | Yes                | Yes                          | Yes                           | Yes
X-Forwarded-For            | Yes           | No                 | Yes                          | No                            | No
XML Protection             | Yes           | No                 | No                           | No                            | No

Note: The physical topology must match the operation mode. For details, see the FortiWeb Install and Setup Guide.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see About permissions on page 80.
Caution: Back up your system before changing the operation mode. Changing modes deletes the following: any policies not applicable to the new mode, all static routes, all v-zone IPs, and all VLAN settings. You may also need to re-cable your network topology to suit the operation mode.

To configure the operation mode
1 Go to System > Config > Operation. Alternatively, go to System > Status > Status. In the Operation Mode row of the System Information widget, click Change.


Figure 24: Configuring the operation mode

Figure 25: Configuring the operation mode (true transparent proxy mode)

2 From Operation Mode, select Reverse Proxy, Offline Protection, True Transparent Proxy or Transparent Inspection. If you are changing to true transparent proxy or transparent inspection mode, also enter the gateway and the IP address of port1 (Management IP).
3 Click Apply.
If you have not yet adjusted the physical topology to suit the new operation mode, see the FortiWeb Install and Setup Guide. You may also need to reconfigure IP addresses, static routes, bridges, and virtual servers, and enable or disable SSL on your web servers.

Viewing RAID status


System > Config > RAID enables you to view the RAID status of the FortiWeb unit. Currently, only RAID level 1 is supported, and only on FortiWeb models 1000B, 1000C, and 3000C shipped with version 4.1 or later. On older units that have been upgraded to version 4.1, the RAID status is visible in the UI, but RAID is not activated. On these older units, disk status is displayed as 'Not Present'.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see About permissions on page 80.

To view the RAID status
1 Go to System > Config > RAID.


Figure 26: Viewing RAID

Note: Rebuilding RAID after a disk failure will result in some loss of data in packet logs.

Configuring administrator accounts


System > Admin displays a list of FortiWeb administrator accounts. In its factory default configuration, a FortiWeb unit has one administrator account, named admin. This administrator has permissions that grant full access to the FortiWeb configuration and firmware. After connecting to the web-based manager or the CLI using the admin administrator account, you can configure additional administrator accounts with various levels of access to different parts of the FortiWeb configuration.

Administrators may access the web-based manager and the CLI through the network, depending on the administrator account's trusted hosts and the administrative access protocols enabled for each of the FortiWeb unit's network interfaces. For details, see Configuring the network and VLAN interfaces on page 50 and Configuring trusted hosts on page 78.

To determine which administrators are currently logged in, use the CLI command get system logged-users. For details, see the FortiWeb CLI Reference.
Tip: To prevent multiple administrators from logging in simultaneously, which could allow them to inadvertently overwrite each other's changes, enable Security Settings. For details, see Configuring the web-based manager's global settings on page 82.

If you have not yet created an access profile and are relying on the default profile, consider first creating one or more access profiles tailored to the responsibilities of the new administrator accounts. See Configuring access profiles on page 78. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see About permissions on page 80.


Table 21: System > Admin > Administrators tab

Create New
  Click to add an administrator account.

Name
  Displays the name of the administrator account.

Trusted Hosts
  Displays the IP addresses and netmasks of hosts from which the administrator is permitted to log in.

Profile
  Displays the access profile assigned to the administrator account. Access profiles determine which parts of the configuration an administrator has permission to access. For more information on access profiles, see Configuring access profiles on page 78.

Type
  Displays the type of authentication for this administrator. This version currently supports only authentication using a locally stored password.

(No column heading.)
  Click the Delete icon to remove the administrator account. You cannot delete the admin administrator account.
  Click the Edit icon to view or modify the administrator account.
  Click Change Password to change the password for the administrator account.

To change an administrator account's password
1 If an administrator forgot their password, or if you need to change an administrator account's password and you do not know its current password, log in as the admin administrator. Otherwise, you may log in with any administrator account whose access profile permits Read and Write access to items in the Admin Users category.
If you have forgotten the password of the admin administrator, you can restore the firmware to reset the FortiWeb unit to its default state, including the default administrator account and password. For details, see Restoring firmware on page 391.
2 Go to System > Admin > Administrators.
3 In the row corresponding to the administrator account, click Change Password.

4 In the Old Password field, enter the current password for the account. (The admin account does not have an old password initially.) This field does not appear for other administrator accounts if you are logged in as the admin administrator.

5 In the New Password and Confirm Password fields, enter the new password.
6 Click OK.
If you change the password for the admin administrator account, the FortiWeb unit logs you out. To continue using the web-based manager, you must log in again. The new password takes effect the next time that administrator account logs in.

To configure an administrator account
1 Go to System > Admin > Administrators.
2 Click Create New to add an administrator account, or click the Edit icon to change an existing administrator account.
3 Configure the following and click OK:

Administrator
  Enter the name of the administrator account, such as admin1.

Password
  Enter a password for the administrator account. For improved security, the password should be at least six characters long, be sufficiently complex, and be changed regularly.

Confirm Password
  Re-enter the password to confirm its spelling.

Trusted Host #1, Trusted Host #2, Trusted Host #3
  Enter the IP address and netmask from which the administrator is allowed to log in to the FortiWeb unit. You can specify up to three trusted hosts. To allow login attempts from any IP address, enter 0.0.0.0/0.0.0.0. If you allow login from any IP address, consider choosing a longer and more complex password, and limiting administrative access to secure protocols to minimize the security risk. For information on administrative access protocols, see Configuring the network and VLAN interfaces on page 50.
  For improved security, restrict all three trusted host addresses to the IP addresses of computers from which only this administrator will log in. For more information, see Configuring trusted hosts on page 78.

Access Profile
  Select either an existing access profile that indicates the permissions for this administrator account, or select Create New to create a new access profile in a pop-up window, without leaving the current page. For more information on access profiles, see Configuring access profiles on page 78.
  You can select prof_admin, a special access profile used by the admin administrator account. However, selecting this access profile will not confer all permissions of the admin administrator. For example, the new administrator could not reset lost administrator passwords.


Configuring trusted hosts


Configuring the trusted hosts of your administrator accounts increases the security of your FortiWeb unit by further restricting administrative access. In addition to knowing the password, an administrator must connect only from the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you enter only one trusted host IP address in each of the three trusted host fields, each with a netmask of 255.255.255.255. When you configure trusted hosts for all administrator accounts, the FortiWeb unit does not respond to administrative access attempts from any other hosts. This provides the greatest degree of security. If you leave even one administrator account unrestricted, the FortiWeb unit accepts administrative access attempts for that account on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access. Trusted host definitions apply both to the web-based manager, and to the CLI when accessed through Telnet or SSH. Local console access to the CLI is not affected by trusted hosts, as local console access does not occur through the network.
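The trusted host rules described above (up to three address/netmask entries per account, 255.255.255.255 for a single host, 0.0.0.0/0.0.0.0 for any host) can be checked outside the unit before an account is created, or audited across exported accounts. The following is an added example in Python, not FortiWeb code; the account dictionary shape and the sample accounts are constructed for the example. It reports every account that still admits any address, since the section above notes that one unrestricted account is enough to expose the unit.

```python
"""Trusted host check and audit for administrator accounts (added example,
not FortiWeb code). Account shape and sample data are constructed."""
import ipaddress

def parse_trusted_host(entry):
    """'192.0.2.10/255.255.255.255' -> IPv4Network; None for an empty field."""
    if not entry:
        return None
    ip, mask = entry.split("/")
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def login_permitted(account, src_ip):
    """True if src_ip falls inside any of the account's trusted host fields."""
    addr = ipaddress.ip_address(src_ip)
    for entry in account["trusted_hosts"]:
        net = parse_trusted_host(entry)
        if net is not None and addr in net:
            return True
    return False

def unrestricted_accounts(accounts):
    """Names of accounts with a trusted host that matches every address
    (0.0.0.0/0.0.0.0, or any entry whose netmask is all zeros)."""
    findings = []
    for acct in accounts:
        for entry in acct["trusted_hosts"]:
            net = parse_trusted_host(entry)
            if net is not None and net.prefixlen == 0:
                findings.append(acct["name"])
                break
    return findings

# constructed sample accounts: three fields each, as on the GUI form
ADMINS = [
    {"name": "admin",
     "trusted_hosts": ["192.0.2.10/255.255.255.255",
                       "192.0.2.11/255.255.255.255", ""]},
    {"name": "auditor",
     "trusted_hosts": ["0.0.0.0/0.0.0.0", "", ""]},
    {"name": "netops",
     "trusted_hosts": ["10.20.0.0/255.255.0.0", "", ""]},
]

if __name__ == "__main__":
    print("admin from 192.0.2.10:", login_permitted(ADMINS[0], "192.0.2.10"))
    print("admin from 198.51.100.1:", login_permitted(ADMINS[0], "198.51.100.1"))
    print("unrestricted:", unrestricted_accounts(ADMINS))
```

The audit treats any all-zero netmask as unrestricted, not only the literal 0.0.0.0/0.0.0.0 the form suggests; that is a conservative choice for the example, not a statement about how the unit itself evaluates the field.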

Configuring access profiles


System > Admin > Access Profile displays the list of administrator access profiles. Access profiles determine which parts of the configuration an administrator has permission to access, and whether the administrator is permitted to view (Read), modify (Write), or both. When an administrator has only read access to a feature, the administrator can access the web-based manager tab for that feature, and can use the get and show CLI commands for that feature, but cannot make changes to the configuration. There are no Create or Apply buttons, or config CLI commands. Lists display only the View icon instead of icons for Edit, Delete or other modification commands. Write access is required for modification of any kind.

The prof_admin access profile, a special access profile assigned to the admin administrator account and required by it, does not appear in the list of access profiles. It exists by default and cannot be changed or deleted.

If you create other administrator accounts, you may want to create other access profiles with different degrees and areas of access. For example, for an administrator whose only role is to audit the log messages, you might make an access profile named log_access_only.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see About permissions on page 80.
Table 22: System > Admin > Access Profile tab

Create New
  Click to add a new access profile.

Profile Name
  Displays the name of the access profile.

(No column heading.)
  Click the Delete icon to remove the access profile. This option does not appear if this access profile is currently assigned to an administrator account.
  Click the Edit icon to modify the access profile.

To configure an access profile
1 Go to System > Admin > Access Profile.
2 Click Create New to add an access profile, or click the Edit icon to modify an existing profile.
3 Configure the following by selecting or clearing the allow options:

Profile Name
  Enter the name of the access profile.

Access Control (Maintenance, Admin Users, and so on.)
  For each row associated with an area of the configuration, mark either or both of the Read and Write check boxes to grant that type of permission. Unlike the other rows, whose scope is an area of the configuration, the Maintenance row does not affect the configuration. Instead, it indicates whether the administrator can do special system operations such as changing the firmware.

Allow Read All
  Click to mark the Read check box in all Access Control categories.

Allow Write All
  Click to mark the Write check box in all Access Control categories.

4 Click OK.


About permissions
Depending on the account that you use to log in to the FortiWeb unit, you may not have complete access to all areas of the web-based manager. Access profiles control which commands and areas an administrator account can access. Access profiles assign either read, write, or no access to each area of the FortiWeb software. To view configurations, you must have read access. To make changes, you must have write access. For more information on configuring the access profile that an administrator account uses, see Configuring access profiles on page 78. Table 23, Administrator access control, on page 81 identifies the specific commands and areas of the web-based manager that each type of administrator account can access.

For complete access to all commands and abilities, you must log in with the administrator account named admin. Unlike other administrator accounts, the administrator account named admin exists by default. The admin account cannot be deleted and its name and permissions cannot be changed. The admin account always has full permission to view and change all FortiWeb configuration options, including viewing and changing all other administrator accounts. It is the only administrator account that can reset another administrator's password without being required to enter that administrator's existing password.
Caution: Set a strong password for the admin administrator account, and change the password regularly. By default, this administrator account has no password. Failure to maintain the password of the admin administrator account could compromise the security of your FortiWeb unit.

For a description of the access profiles related to CLI commands, see the FortiWeb CLI Reference.


Table 23: Administrator access control (the check-mark cells of the original table are not reproduced here; its column and row headings follow)

Columns (administrator account access profile categories): Maintenance, Admin Users, Auth Users, System Configuration, Network Configuration, Router Configuration, Server Policy Configuration, XML Protection Configuration, Web Protection Configuration, Autolearn Configuration, Web Anti-Defacement, Web Vulnerability Scan Configuration, Log & Report; and the admin (default) account.

Rows (Menu / Submenu / Tab):
System > Status
System > Network > Interface
System > Network > V-zone
System > Network > DNS
System > Config
System > Admin > Administrators
System > Admin > Access Profile
System > Admin > Settings
System > Certificates
System > Maintenance
Wizard
Router
User
Server Policy
XML Protection
Web Protection > Web Protection Profile > Inline Protection Profile
Web Protection > Web Protection Profile > Offline Protection Profile
Auto Learning Profile
Auto Learn
Web Anti-Defacement
Web Vulnerability Scan
Log&Report

In Table 23 (above), a black check mark on a white background indicates that the account can access an individual command. A white check mark on a black background indicates that the account can access all commands associated with the specified area.


Configuring the web-based manager's global settings


System > Admin > Settings enables you to view and configure settings for the web-based manager that apply regardless of which administrator account you use to log in. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see About permissions on page 80.
Table 24: System > Admin > Settings tab

Web Administration Ports

  HTTP
    Enter the TCP port number on which the FortiWeb unit will listen for HTTP administrative access. The default is 80. This setting has an effect only if HTTP is enabled as an administrative access protocol on at least one network interface. For details, see Configuring the network and VLAN interfaces on page 50.

  HTTPS
    Enter the TCP port number on which the FortiWeb unit will listen for HTTPS administrative access. The default is 443. This setting has an effect only if HTTPS is enabled as an administrative access protocol on at least one network interface. For details, see Configuring the network and VLAN interfaces on page 50.

  Config-Sync
    If necessary, change the TCP port number on which the FortiWeb unit will listen for configuration synchronization requests from the peer/remote FortiWeb unit. The default is 8333. For details, see Synchronizing configurations on page 59.

Timeout Settings

  Idle Timeout
    Enter the number of minutes that a web-based manager connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). To maintain security, keep the idle timeout at the default value of 5 minutes.

Language

  Web Administration
    Select which language to use when displaying the web-based manager. Languages currently supported by the web-based manager are: English, simplified Chinese, traditional Chinese, and Japanese.
    The displayed web pages use UTF-8 encoding, regardless of which language you choose. UTF-8 supports multiple languages, and allows them to display correctly, even when multiple languages are used on the same web page. For example, your organization could have web sites in both English and simplified Chinese. Your FortiWeb administrators prefer to work in the English version of the web-based manager. They could use the web-based manager in English while writing rules to match content in both English and simplified Chinese without changing this setting. Both the rules and the web-based manager will display correctly, as long as all rules were input using UTF-8.
    Usually, your text input method or your management computer's operating system should match the display by also using UTF-8. If they do not, your input and the web-based manager may not display correctly at the same time. For example, your web browser's or operating system's default encoding for simplified Chinese input may be GB2312. However, you usually should switch it to UTF-8 when using the web-based manager, unless you are writing regular expressions that must match HTTP clients' requests, and those requests use GB2312 encoding. For more information on language support in the web-based manager and CLI, see Appendix D: Language support & regular expressions on page 401.
    Note: This setting does not affect the display of the CLI.

Security Settings

  Enable Single Admin User login
    Enable to allow only one administrator account to be logged in at any given time, to prevent conflicts. If a second administrator attempts to begin a session when another administrator is already logged in, after the second administrator logs in but before they can access the web-based manager, they must either cancel their new session or disconnect the other currently logged-in administrator.
    This option may be useful to prevent administrators from inadvertently overwriting each other's changes. When multiple administrators simultaneously modify the same part of the configuration, they each edit a copy of the current, saved state of the configuration. As each administrator makes changes, FortiWeb does not update the other administrators' working copies. Each administrator may therefore make conflicting changes without being aware of the other. The FortiWeb unit will only use whichever administrator's configuration is saved last. If only one administrator can log in, this problem cannot occur.
    Disable to allow multiple administrators to be logged in. In this case, administrators should communicate with each other to avoid overwriting each other's changes.

  Enable Strong Passwords
    Enable to enforce strong password rules for administrator accounts. If the password entered is not strong enough when a new administrator account is created, an error message appears and you are prompted to re-enter a stronger password. Strong passwords have the following characteristics:
    - are between 8 and 16 characters in length
    - contain at least one upper case and one lower case letter
    - contain at least one numeric
    - contain at least one non-alphanumeric character
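The four strong-password characteristics listed under Enable Strong Passwords are simple enough to check before a password is submitted, for example in a provisioning script that creates administrator accounts. The following is an added example in Python, not FortiWeb code; it returns the list of rules a candidate fails rather than a bare yes/no, so the caller can explain the rejection. It treats the letter, digit and non-alphanumeric classes as ASCII, which is an assumption the table does not spell out.

```python
"""Strong-password rules from the Security Settings row (added example, not
FortiWeb code). Character classes are taken as ASCII, an assumption."""
import string

_ALNUM = string.ascii_letters + string.digits

def password_violations(pw):
    """Return the names of the rules that pw fails; an empty list means the
    password satisfies all four characteristics in the table."""
    checks = [
        ("length 8-16", 8 <= len(pw) <= 16),
        ("upper case letter", any(c in string.ascii_uppercase for c in pw)),
        ("lower case letter", any(c in string.ascii_lowercase for c in pw)),
        ("numeric", any(c in string.digits for c in pw)),
        # anything outside the ASCII letters and digits counts as non-alphanumeric
        ("non-alphanumeric", any(c not in _ALNUM for c in pw)),
    ]
    return [name for name, ok in checks if not ok]

def is_strong_password(pw):
    return not password_violations(pw)

if __name__ == "__main__":
    for candidate in ["Passw0rd!", "password", "Sh0rt!", "ABCDEFGH1!"]:
        print(repr(candidate), password_violations(candidate) or "strong")
```

Note that the length rule is an upper bound as well as a lower one: a 24-character passphrase that meets every other rule is still rejected when Enable Strong Passwords is on, so scripts that generate long random passwords need to cap them at 16 characters.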

Managing certificates
The Certificates submenu enables you to generate, import, revoke, and manage other aspects of certificates used by the FortiWeb unit. This topic includes:
  Managing local and server certificates
  Managing OCSP server certificates
  Managing CA certificates
  Grouping CA certificates
  Managing certificates for intermediate CAs
  Grouping certificates for intermediate CAs
  Managing the certificate revocation list
  Configuring certificate verification rules

Managing local and server certificates


System > Certificates > Local displays the list of server certificates that are stored locally on the FortiWeb unit. FortiWeb units present these certificates when clients request secure connections, including when:
  administrators connect to the web-based manager (HTTPS connections only)
  web clients use SSL or TLS to connect to a virtual server, if you have enabled SSL offloading in the policy (HTTPS connections and reverse proxy mode only)

FortiWeb units also require certificates, together with their private keys, in order to decrypt and scan HTTPS connections travelling through them when operating in any mode except reverse proxy. Which certificate will be used, and how, depends on the purpose.

For connections to the web-based manager, the FortiWeb unit presents its default certificate.
Note: The FortiWeb unit's default certificate does not appear in the list of local certificates. It is used only for connections to the web-based manager and cannot be removed.

For SSL offloading or SSL decryption, upload certificates that do not belong to the FortiWeb unit, but instead belong to the protected servers. Then, select which one the FortiWeb unit will use when configuring the SSL option in a policy or server farm. For details, see Uploading a certificate on page 88.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see About permissions on page 80.
Table 25: System > Certificates > Local tab

Generate: Click to generate a certificate signing request. For details, see Generating a certificate signing request on page 86.
Import: Click to upload a certificate. For details, see Uploading a certificate on page 88.
Name: Displays the name of the certificate.
Subject: Displays the distinguished name (DN) located in the Subject field of the certificate. If the row contains a certificate request which has not yet been signed, this field is empty.
Comments: Displays the description of the certificate, if any. Click the Edit Comments icon to add or modify the comment associated with the certificate or certificate signing request.
Status: Displays the status of the local certificate.
  OK: Indicates that the certificate was successfully imported. To use the certificate, select it in a policy or server farm.
  PENDING: Indicates that the certificate request has been generated, but must be downloaded, signed, and imported before it can be used as a local certificate.
(No column heading.):
  Click the View Certificate Detail icon to view the certificate's subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy or server farm.
  Click the Download icon to download the entry in certificate (.cer) or certificate signing request (.csr) file format.
  Click the Edit Comments icon to add or modify the comment associated with the certificate.

Generating a certificate signing request


You can generate a certificate request file based on the information you enter to identify the FortiWeb unit. Certificate request files can then be submitted for verification and signing by a certificate authority (CA).

To generate a certificate request
1 Go to System > Certificates > Local.
2 Click Generate.
3 Configure the certificate signing request:

Table 26: Generate Local Certificate Request

Certification Name: Enter a unique name for the certificate request, such as fwlocal.
Subject Information: Includes information that the certificate is required to contain in order to uniquely identify the FortiWeb unit.
ID Type: Select the type of identifier to use in the certificate to identify the FortiWeb unit: Host IP, Domain Name, or E-Mail. The type you should select varies by whether or not your FortiWeb unit has a static IP address, a fully-qualified domain name (FQDN), and by the primary intended use of the certificate. For example, if your FortiWeb unit has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the web-based manager by the domain name of the FortiWeb unit, you might prefer to generate a certificate based upon the domain name of the FortiWeb unit, rather than its IP address.
  Host IP requires that the FortiWeb unit have a static, public IP address. It may be preferable if clients will be accessing the FortiWeb unit primarily by its IP address.
  Domain Name requires that the FortiWeb unit have a FQDN. It may be preferable if clients will be accessing the FortiWeb unit primarily by its domain name.
  E-Mail does not require either a static IP address or a domain name. It may be preferable if the FortiWeb unit does not have a domain name or public IP address.
  Depending on your choice, related options appear.
IP: Enter the static IP address of the FortiWeb unit. This option appears only if ID Type is Host IP.
Domain Name: Type the FQDN of the FortiWeb unit. The domain name must resolve to the static IP address of the FortiWeb unit or protected server. For more information, see Configuring the network and VLAN interfaces on page 50. This option appears only if ID Type is Domain Name.
e-mail: Type the email address of the owner of the FortiWeb unit. This option appears only if ID Type is E-Mail.
Optional Information: Includes information that you may include in the certificate, but which is not required.
Organization Unit: Type the name of your organizational unit, such as the name of your department. This is optional. To enter more than one organizational unit name, click the + icon, and enter each organizational unit separately in each field.
Organization: Type the legal name of your organization. This is optional.
Locality(City): Type the name of the city or town where the FortiWeb unit is located. This is optional.
State/Province: Type the name of the state or province where the FortiWeb unit is located. This is optional.
Country: Select the name of the country where the FortiWeb unit is located. This is optional.
e-mail: Type an email address that may be used for contact purposes. This is optional.
Key Type: Displays the type of algorithm used to generate the key. This option cannot be changed, but appears in order to indicate that only RSA is currently supported.
Key Size: Select a security key size of 512 Bit, 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security. 512-bit and 1024-bit RSA keys are no longer considered secure, and publicly trusted CAs no longer sign requests for them; select 2048 Bit unless an older client forces a smaller key.
Enrollment Method: Select either:
  File Based: You must manually download and submit the resulting certificate request file to a certificate authority (CA) for signing. Once signed, upload the local certificate.
  Online SCEP: The FortiWeb unit will automatically use HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which will validate and sign the certificate. For this selection, two options appear. Enter the CA Server URL and the Challenge Password.

4 Click OK. The certificate request is generated. If you selected file-based enrollment, you must now download and manually submit the resulting CSR to a CA. For details, see Submitting a certificate signing request on page 88.
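The following Python script is an added example, not FortiWeb code; it assumes the pyca/cryptography library. It builds on a management computer the same kind of PKCS #10 request that Table 26 describes, mapping each ID Type to the subject alternative name type that clients actually check, enforcing the key-size caveat, and summarising a request the way you would check a downloaded .csr before submitting it to a CA. The host names, addresses and organization details it uses are constructed.

```python
"""Build the PKCS #10 request that Table 26 describes, on a management
computer, and inspect a request before submitting it to a CA.
Added example using the pyca/cryptography library; not FortiWeb code.
Host names, addresses and organization details below are constructed."""
import ipaddress
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

MIN_KEY_SIZE = 2048  # 512- and 1024-bit RSA are no longer accepted by CAs

ID_TYPES = {  # ID Type field -> the SubjectAlternativeName type clients check
    "Host IP": lambda v: x509.IPAddress(ipaddress.ip_address(v)),
    "Domain Name": x509.DNSName,
    "E-Mail": x509.RFC822Name,
}


def build_csr(id_type, identifier, key_size=2048, organization=None,
              org_units=(), locality=None, state=None, country=None, email=None):
    """Return (private_key, csr). The identifier becomes the subject CN and a
    SubjectAlternativeName of the type matching id_type; the other arguments
    mirror the Optional Information fields and are skipped when empty."""
    if key_size < MIN_KEY_SIZE:
        raise ValueError(f"RSA key must be at least {MIN_KEY_SIZE} bits")
    if id_type not in ID_TYPES:
        raise ValueError(f"unknown ID Type {id_type!r}")
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, identifier)]
    attrs += [x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, ou) for ou in org_units]
    optional = [(NameOID.ORGANIZATION_NAME, organization),
                (NameOID.LOCALITY_NAME, locality),
                (NameOID.STATE_OR_PROVINCE_NAME, state),
                (NameOID.COUNTRY_NAME, country),  # must be a two-letter code
                (NameOID.EMAIL_ADDRESS, email)]
    attrs += [x509.NameAttribute(oid, value) for oid, value in optional if value]
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name(attrs))
           .add_extension(x509.SubjectAlternativeName([ID_TYPES[id_type](identifier)]),
                          critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr


def csr_to_pem(csr):
    """Base64 PEM, the form a CA's web form asks you to paste."""
    return csr.public_bytes(serialization.Encoding.PEM).decode()


def inspect_csr(pem):
    """What to check in a downloaded .csr before submitting it: the subject,
    the SAN entries, the key size and whether the request's own signature holds."""
    csr = x509.load_pem_x509_csr(pem.encode())
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "subject": csr.subject.rfc4514_string(),
        "san": [(type(name).__name__, str(name.value)) for name in san],
        "key_bits": csr.public_key().key_size,
        "signature_ok": csr.is_signature_valid,
    }


if __name__ == "__main__":
    _key, csr = build_csr("Domain Name", "waf.example.com", organization="Example Corp",
                          org_units=["IT", "Security"], locality="Ottawa",
                          state="Ontario", country="CA", email="pki@example.com")
    print(csr_to_pem(csr))
    print(inspect_csr(csr_to_pem(csr)))
```

Keep the private key returned by build_csr: it is the key file you upload alongside the signed certificate when Type is Certificate (see Uploading a certificate on page 88), and it never leaves the management computer during enrollment.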

Submitting a certificate signing request


After you have generated a certificate request, you can download the request file to your management computer in order to submit it to a certificate authority (CA) for signing.

To download and submit a certificate request
1 Go to System > Certificates > Local.
2 Click the row that corresponds to the certificate request.
3 Click the Download icon, then select Open or Download in the window that appears. Your web browser downloads the certificate request (.csr) file.
4 Submit the certificate request to your CA. Using the web browser on the management computer, browse to the web site of your CA. Follow your CA's instructions for submitting a Base64-encoded PKCS #10 certificate request and upload your request. Follow your CA's instructions to download their root certificate and certificate revocation list (CRL), and then install the root certificate and CRL.
5 When you receive the signed certificate from the CA, install the certificate on the FortiWeb unit. For more information, see Uploading a certificate on page 88.

Uploading a certificate
You can upload Base64-encoded server-type X.509 certificates, or PKCS #12 files that contain a certificate together with its RSA private key, to the FortiWeb unit.
Note: Certificates with DSA keys are not supported if the FortiWeb unit is operating in a mode other than reverse proxy.

If a local certificate is signed by an intermediate certificate authority (CA) rather than a root CA, before clients will trust the local certificate, you must demonstrate a link with trusted root CAs, thereby proving that the local certificate is genuine. You can demonstrate this chain of trust either by:
  installing each intermediate CA's certificate in the client's list of trusted CAs, or
  including a signing chain in the local certificate

To include a signing chain, before importing the local certificate to the FortiWeb unit:
  open the local certificate file in a plain text editor
  append the certificate of each intermediate CA in order, from the intermediate CA who signed the local certificate to the intermediate CA whose certificate was signed directly by a trusted root CA
  save the certificate

For example, a local certificate that includes a signing chain might use the following structure:
  -----BEGIN CERTIFICATE-----
  <FortiWeb unit's local server certificate>
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  <certificate of intermediate CA 1, who signed the FortiWeb certificate>
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  <certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
  -----END CERTIFICATE-----
The root CA's own certificate does not need to be appended: clients must already hold it in their trusted store for the chain to be accepted.
Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded files may not exceed 12 MB.

To upload a certificate
1 Go to System > Certificates > Local.
2 Click Import.
3 Configure the following:

Table 27: Importing a Certificate

Name: Enter the name of the certificate.
Type: Select the type of certificate file to upload, either Local Certificate, Certificate (an unencrypted X.509 certificate) or PKCS12 Certificate (a PKCS #12 encrypted certificate with key).
Certificate file: Click Choose File to locate the X.509 certificate file that you want to upload. This option is available only if Type is Certificate or Local Certificate.
Key file: Click Choose File to locate the key file that you want to upload with the certificate. This option is available only if Type is Certificate.
Certificate with key file: Click Choose File to locate the PKCS #12 certificate-with-key file that you want to upload. This option is available only if Type is PKCS12 Certificate.
Password: Enter the password that was used to encrypt the file, enabling the FortiWeb unit to decrypt and install the certificate. This option is available only if Type is Certificate or PKCS12 Certificate.

4 Click OK.
To use a certificate, you must select it in a policy or server farm. For details, see Configuring server policies on page 118 or Grouping physical and domain servers into server farms on page 135.

Managing OCSP server certificates


System > Certificates > Remote displays and imports the certificates of the online certificate status protocol (OCSP) or HTTP CRL servers of your certificate authority (CA). OCSP enables you to check whether a certificate has been revoked by query, rather than by importing certificate revocation lists (CRL). For information about importing CRLs, see Managing the certificate revocation list on page 95.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see About permissions on page 80.
Table 28: System > Certificates > Remote tab

Import: Click to import an OCSP server certificate.
Name: Displays the name of the OCSP server certificate.
Subject: Displays the distinguished name (DN) located in the Subject field of the certificate.
OCSP: Displays the URL of the OCSP server.
(No column heading.):
  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a certificate verification configuration.
  Click the View Certificate Detail icon to view the certificate's subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
  Click the Download icon to download the entry in certificate (.cer) file format.

Managing CA certificates
System > Certificates > CA displays and enables you to import certificates for certificate authorities (CA).
Certificate authorities validate and sign other certificates in order to indicate to third parties that those other certificates are authentic. CA certificates are required by connections that use SSL or transport layer security (TLS).
Tip: The FortiWeb unit does not use CA certificates directly. First, you must group them and then add the group to a certificate verification rule. For details, see Grouping CA certificates on page 91.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see About permissions on page 80.
Table 29: System > Certificates > CA tab

Import: Click to import a CA certificate, then select whether you want to upload it (Local PC), or provide the URL of a certificate on a simple certificate enrollment protocol server (SCEP).
Name: Displays the name of the CA certificate.
Subject: Displays the distinguished name (DN) located in the Subject field of the certificate.
(No column heading.):
  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a certificate verification configuration.
  Click the View Certificate Detail icon to view the certificate's subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
  Click the Download icon to download the entry in certificate (.cer) file format.

Grouping CA certificates
System > Certificates > CA Group enables you to group certificate authorities (CA). CAs must belong to a group in order to be selected in a certificate verification rule. For details, see Configuring certificate verification rules on page 95. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see About permissions on page 80.
Table 30: System > Certificates > CA Group tab

#: Displays the index number of the entry in the list.
Name: Displays the name of the certificate authority (CA) group.
Count: Displays the number of certificate authorities in the group.
(No column heading.):
  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a certificate verification configuration.
  Click the Edit icon to modify the entry.

Before you can create a CA group, you must upload at least one of the certificate authority (CA) certificates that you want to add to the group. For details, see Managing CA certificates on page 90.

To add a CA group
1 Go to System > Certificates > CA Group.
2 Click Create New.
3 In Name, type a name for the certificate authority group.
4 Click OK.
5 Click Create New.
6 In ID, enter the index number of the entry within the group, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.
7 In CA, select the name of a certificate authority's certificate that you have previously uploaded and want to add to the group.
8 Click OK.
9 Repeat the previous 3 steps for each CA that you want to add to the group.
To apply a CA group, select it in a certificate verification rule. For details, see Configuring certificate verification rules on page 95.

Managing certificates for intermediate CAs


System > Certificates > Intermediate CA enables you to upload certificates belonging to intermediate (non-root) certificate authorities.
If a server certificate is signed by an intermediate certificate authority rather than a root CA, before the client will trust the server's certificate, you must demonstrate a link with trusted root CAs, thereby proving that the server's certificate is genuine. Otherwise, the server certificate may cause the client or browser to display certificate warnings. You can demonstrate this chain of trust by doing one of the following:
  install each intermediate CA's certificate in the client's list of trusted CAs
  include a signing chain in the server's certificate
  configure the FortiWeb unit to also provide the certificates of intermediate CAs when it presents the server certificate

To include a signing chain:
  open the server's certificate file in a plain text editor
  append the certificate of each intermediate CA in order, from the intermediate CA who signed the server's certificate to the intermediate CA whose certificate was signed directly by a trusted root CA
  save the certificate

For example, a server's certificate that includes a signing chain might use the following structure:
  -----BEGIN CERTIFICATE-----
  <server certificate>
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  <certificate of intermediate CA 1, who signed the server certificate>
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  <certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
  -----END CERTIFICATE-----
Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded files may not exceed 12 MB.
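The following Python script is an added example that is not FortiWeb's or Fortinet's code; it assumes the pyca/cryptography library. It covers the chain layout shown above and the identical one in Uploading a certificate on page 88: it builds a constructed test PKI (root, two intermediates, server certificate) so that it runs offline, sorts a bundle into the documented order no matter how the blocks were pasted, rejects a bundle that is missing an intermediate, verifies every signature up to the trusted root, and packages the result as a PKCS #12 file of the kind the PKCS12 Certificate import type expects. The names, key sizes and password in it are assumptions for the demonstration.

```python
"""Order, verify and package a server certificate's signing chain in the layout
the guide describes (server certificate, then intermediates from the signer of
the server certificate up to the one signed by a trusted root).
Added example using the pyca/cryptography library; not FortiWeb code. The PKI
it builds is constructed in-process so the script runs offline."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12

PEM = serialization.Encoding.PEM


def _issue(cn, key, issuer_cert=None, issuer_key=None, is_ca=False):
    """Certificate for key with subject CN=cn; self-signed when no issuer is given."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))


def build_test_pki():
    """Constructed PKI: root CA -> intermediate CA 2 -> intermediate CA 1 -> server."""
    k = [rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(4)]
    root = _issue("Test Root CA", k[0], is_ca=True)
    int2 = _issue("Test Intermediate CA 2", k[1], root, k[0], is_ca=True)
    int1 = _issue("Test Intermediate CA 1", k[2], int2, k[1], is_ca=True)
    leaf = _issue("www.example.com", k[3], int1, k[2])
    return root, int2, int1, leaf, k[3]


def to_pem(cert):
    return cert.public_bytes(PEM).decode()


def split_pem(bundle):
    """Parse every BEGIN/END CERTIFICATE block of a text bundle, in file order."""
    certs, block = [], None
    for line in bundle.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            block = [line]
        elif block is not None:
            block.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                certs.append(x509.load_pem_x509_certificate(("\n".join(block) + "\n").encode()))
                block = None
    return certs


def order_chain(certs, trusted_roots):
    """Return [server, its signer, ..., intermediate signed by a trusted root].
    Roots are left out: the client must already trust them for the chain to work."""
    by_subject = {c.subject.public_bytes(): c for c in certs}
    roots = {r.subject.public_bytes() for r in trusted_roots}
    issuers = {c.issuer.public_bytes() for c in certs}
    ends = [c for c in certs if c.subject.public_bytes() not in issuers]
    if len(ends) != 1:  # two loose ends is the usual symptom of a missing intermediate
        raise ValueError("bundle must hold one server certificate and every "
                         "intermediate between it and a trusted root")
    chain = [ends[0]]
    while chain[-1].issuer.public_bytes() not in roots:
        nxt = by_subject.get(chain[-1].issuer.public_bytes())
        if nxt is None or nxt in chain:
            raise ValueError("no certificate for issuer " + chain[-1].issuer.rfc4514_string())
        chain.append(nxt)
    return chain


def verify_chain(chain, trusted_roots):
    """Check each link's RSA PKCS#1 v1.5 signature with the next certificate's key,
    and the last link with the trusted root. Raises InvalidSignature on a bad link."""
    roots = {r.subject.public_bytes(): r for r in trusted_roots}
    signers = chain[1:] + [roots[chain[-1].issuer.public_bytes()]]
    for cert, signer in zip(chain, signers):
        signer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    return True


def pkcs12_bundle(chain, key, password):
    """File to import with Type 'PKCS12 Certificate': server cert, its key and the
    intermediates, encrypted with password (the Password field on import)."""
    return pkcs12.serialize_key_and_certificates(
        b"server", key, chain[0], chain[1:], serialization.BestAvailableEncryption(password))


def load_pkcs12(data, password):
    """(server cert, [intermediates]) read back from a .p12, as the importer sees it."""
    _key, cert, extras = pkcs12.load_key_and_certificates(data, password)
    return cert, list(extras)
```

To use it on a real bundle, read the pasted file into a string, pass split_pem(text) and the root CA certificate to order_chain, run verify_chain on the result, and write "".join(to_pem(c) for c in chain) as the file to import (Type Certificate, with the server's key file), or pkcs12_bundle(chain,  key, password) as the file to import with Type PKCS12 Certificate.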

To configure the FortiWeb unit to provide the certificates of intermediate CAs when it presents the server certificate:
1 Install the certificates of the intermediate CAs on the FortiWeb unit.
2 Group them to match the signing chain (see Grouping certificates for intermediate CAs on page 94).
3 Select that group along with the server certificate in the policy (see Configuring server policies on page 118).
The FortiWeb unit will present both the server's certificate and those of the intermediate CAs when establishing a secure connection with the client.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see About permissions on page 80.
Table 31: System > Certificates > Intermediate CA tab

Import: Click to import an intermediate CA certificate, then select whether you want to upload it (Local PC), or provide the URL of a certificate on a simple certificate enrollment protocol server (SCEP).
Name: Displays the name of the CA certificate.
Subject: Displays the distinguished name (DN) located in the Subject field of the certificate.
(No column heading.):
  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an intermediate CA certificate group.
  Click the View Certificate Detail icon to view the certificate's subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
  Click the Download icon to download the entry in certificate (.cer) file format.

Grouping certificates for intermediate CAs


System > Certificates > Intermediate CA Group enables you to group certificates of intermediate (non-root) certificate authorities (CA).
Tip: To use intermediate CAs in FortiWeb, first include them in an intermediate CA group and then include the group in a server policy that uses an HTTPS service.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see About permissions on page 80.
Table 32: System > Certificates > Intermediate CA Group tab

#: Displays the index number of the entry in the list.
Name: Displays the name of the intermediate certificate authority (CA) certificate group.
Count: Displays the number of intermediate CA certificates in the group.
(No column heading.):
  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy.
  Click the Edit icon to modify the entry.

Before you can create an intermediate CA certificate group, you must upload at least one of the intermediate certificate authority certificates that you want to add to the group. For details, see Managing certificates for intermediate CAs on page 92.

To add an intermediate CA group
1 Go to System > Certificates > Intermediate CA Group.
2 Click Create New.
3 In Name, type a name for the intermediate CA certificate group.
4 Click OK.
5 Click Create New.
6 In ID, enter the index number of the entry within the group, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.
7 In CA, select the name of an intermediate CA's certificate that you have previously uploaded and want to add to the group.
8 Click OK.
9 Repeat the previous 3 steps for each intermediate CA certificate that you want to add to the group. Add them in signing-chain order, from the intermediate CA that signed the server certificate up to the one whose certificate was signed by a trusted root, so that the group matches the chain.
To apply an intermediate CA certificate group, select it in a policy with a server certificate. For details, see Configuring server policies on page 118.

Managing the certificate revocation list


System > Certificates > CRL displays and enables you to import certificate revocation lists (CRL). To ensure that your FortiWeb unit validates only certificates that have not been revoked, you should periodically upload a current certificate revocation list, which may be provided by certificate authorities (CA). Alternatively, you can use HTTP or online certificate status protocol (OCSP) to query for certificate status. For more information, see Managing OCSP server certificates on page 90. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see About permissions on page 80.
Table 33: System > Certificates > CRL tab

Import: Click to import a certificate revocation list.
Name: Displays the name of the certificate revocation list.
Subject: Displays the distinguished name (DN) located in the Subject field of the certificate revocation list.
(No column heading.):
  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a certificate verification configuration.
  Click the Edit icon to update the CRL by connecting to the URL of a new CRL on either a simple certificate enrollment protocol (SCEP) or an HTTP server.
  Click the View Certificate Detail icon to view the certificate's subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
  Click the Download icon to download the entry in certificate revocation list (.crl) file format.

Configuring certificate verification rules


System > Certificates > Certificate Verify enables you to configure how the FortiWeb unit will verify certificates presented by HTTP clients.
Tip: To use CA certificates in FortiWeb: include them in a CA group; add the group to a certificate verification rule; and, then include the rule in a server policy that uses an HTTPS service.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see About permissions on page 80.
Table 34: System > Certificates > Certificate Verify tab

#: Displays the index number of the entry in the list.
Name: Displays the name of the certificate verification rule.
CA Group: Displays the name of the certificate authority (CA) group selected in the entry.
OCSP: Displays the name of the remote certificate selected to use with online certificate status protocol (OCSP) by this entry.
CRL: Displays the name of the certificate revocation list selected in the entry.
(No column heading.):
  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy.
  Click the Edit icon to modify the entry.

To add a certificate verification rule
1 Go to System > Certificates > Certificate Verify.
2 Click Create New.
3 In Name, type a name for the certificate verification rule.
4 From CA Group, select the name of a CA group, if any, that you want to use to authenticate client certificates.
5 From OCSP, select the name of an OCSP or HTTP (remote) server certificate, if any, that you want to use to verify the revocation status of client certificates.
6 From CRL, select the name of a certificate revocation list, if any, to use to verify the revocation status of client certificates.
7 Click OK.
If you select neither an OCSP server nor a CRL, the rule only checks that the client certificate was issued by a CA in the selected group; revocation is not checked.
To apply a certificate verification rule, select it in a server policy that includes an HTTPS service. For details, see Configuring server policies on page 118.

Backing up and restoring configurations


System > Maintenance > Backup & Restore enables you to create backup files of the system configuration and web protection profiles. You can restore the system configuration or web protection profile from a previous backup, if necessary. Backup & Restore also lets you change the firmware version used on the FortiWeb unit.
Note: Firmware can be installed, upgraded, changed and rebooted in multiple ways. Firmware can also be tested before installing it. For information related to Firmware changes, see Installing new firmware on page 385.

Back up the FortiWeb unit's configuration regularly. If you accidentally change something, the backup can help you restore normal operation quickly and easily. Backups also can aid in troubleshooting. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see About permissions on page 80.
Table 35: System > Maintenance > Backup & Restore tab

System Configuration
Last Backup: Displays the date and time of the last backup. If the configuration has not yet been backed up, or you have restored the firmware and therefore the time of any preceding backup is not known, this field contains a hyphen ( - ).
Backup (option): Select to back up a FortiWeb configuration. You can choose to back up the whole configuration or only the web protection profiles:
  Backup entire configuration: Select if you want to back up all FortiWeb configuration files currently in use. Backups should be made on a regular basis, especially when making significant configuration additions or changes. A backup should also be done just prior to changing the firmware to prevent loss of configuration information after the firmware change.
  Backup Web Protection Profile related configuration: Select if you want to back up only the web protection profiles currently in use. For more information, see Web protection on page 189.
Backup (button): Appears only if the Backup option is selected. Click to start a backup of the selected configuration. If a File Download dialog appears, select Save and choose a location for the backup file.
Restore (option): Select to restore a previously backed up configuration. You can choose the specific configuration file you want to restore:
  Browse: Click to locate and select the configuration file that you want to restore.
  From File: The full directory path and file name of the selected configuration file.
  You can use this feature to restore a CLI config FTP backup.
Restore (button): Appears only if the Restore option is selected. Click to start restoring the configuration from the selected file. Your web browser uploads the configuration file and the FortiWeb unit restarts with the new configuration. The amount of time required to restore varies by the size of the file and the speed of your network connection. After the FortiWeb unit restarts, you must log in to continue using the web-based manager.

Firmware
Caution: Back up the whole configuration before making any changes to the firmware. The configuration can be restored after the firmware change is complete. Failure to make a backup can result in loss of configuration for features that change between firmware versions. For information related to the firmware changes, see Installing new firmware on page 385.
Partition: Displays the index number of the partition. A partition can contain only one version of the firmware and the system configuration. One partition is active and the others are backups.
Active: Indicates which partition the FortiWeb unit is currently configured to use.
  Green check mark: The partition contains the configuration and firmware that the FortiWeb unit will use when starting or rebooting.
  Gray X mark: The partition contains a backup configuration and firmware, which is not currently being used.
Last Upgrade: Displays the date and time of the last update to this partition.
Firmware Version: Displays the version and build number of the FortiWeb firmware. On backup partitions, you can click Upload and Reboot to replace the firmware on a partition and make the partition active. For more information on changing firmware, see Installing new firmware on page 385.
  Caution: Back up the whole configuration before making any changes to the firmware. You can restore the configuration after the firmware change is complete. Failure to make a backup can result in loss of configuration for features that change between firmware versions.
Boot alternate firmware: Click to reboot the FortiWeb unit from the firmware on the other (backup) partition. After a successful upgrade, this leaves you with two firmware images to choose between for downgrading or upgrading.

Configuring an FTP backup and schedule


System > Maintenance > FTP Backup enables you to create a backup of the system configuration and web protection profiles on an FTP server. You can create an FTP backup immediately or schedule it for later. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see About permissions on page 80.
Table 36: System > Maintenance > FTP Backup tab

GUI item
  Description

Name
  Displays the name of the FTP backup.

Backup Type
  Indicates whether the FTP backup is a full configuration backup (full config) or a CLI configuration backup (CLI config). A full config backup includes the CLI configuration file and other uploaded files, such as certificates, XML schema, and XML WSDL files.
  Note: You cannot restore a full config FTP backup using the web-based manager. Use the execute restore command in the CLI interface.
  A CLI config backup only includes the CLI configuration file.

Schedule Type
  Indicates whether the FTP backup is an immediate backup (Now) or a scheduled backup (Daily).

(No column heading.)
  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use.
  Click the Edit icon to modify the entry.

To configure the FTP backup
1 Go to System > Maintenance > FTP Backup.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
3 In Name, type the name of the FTP backup. You cannot modify this field if you are editing an existing FTP backup. To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:

GUI item
  Description

Name
  Type the name of the FTP backup.

FTP Server
  Type the IP address of the FTP server where the configuration is to be backed up.

FTP Directory
  Type the directory on the FTP server used to store the configuration backup files.

FTP Authentication
  Select if you want to enforce user name and password authentication on the FTP server.

FTP User
  Enter your FTP user name to identify yourself as a registered user of the FTP server. This field is visible only if you enable FTP Authentication.

FTP Password
  Enter your FTP password to authenticate yourself on the FTP server. This field is visible only if you enable FTP Authentication.

Backup Type
  Select the type of FTP backup you want to perform. A full config backup includes the CLI configuration file and other uploaded files, such as certificates, XML schema, and XML WSDL files.
  Note: You cannot restore a full config FTP backup using the web-based manager. Use the execute restore command in the CLI interface.
  A CLI config backup only includes the CLI configuration file.

Schedule Type
  Select Now to initiate the FTP backup immediately. Select Daily to schedule a recurring FTP backup for a specific day and time of the week.

Days
  Select the specific days when you want the FTP backup to occur. This field is visible only if you select Daily.

Time
  Select the specific hour and minute of the day when you want the FTP backup to occur. This field is visible only if you select Daily.

5 Click OK.

Restoring an FTP backup


You can only restore a full config FTP backup using the execute restore command in the CLI interface. See the FortiWeb CLI Reference. For a CLI config FTP backup, you can use either the execute restore command in the CLI interface or the Restore feature at System > Maintenance > Backup & Restore. See Backing up and restoring configurations on page 96.

Configuring system time


System > Maintenance > System Time enables you to configure the FortiWeb unit's system time. You can either manually set the FortiWeb system time or configure the FortiWeb unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.
Note: For many features to work, including scheduling, logging, and SSL-dependent features, the FortiWeb system time must be accurate.

Note: FortiWeb units support daylight savings time (DST), including recent changes in the USA, Canada and Western Australia.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see About permissions on page 80.

To configure the date and time
1 Go to System > Maintenance > System Time. Alternatively, go to System > Status > Status. In the System Information widget, in the System Time row, click Change.


2 From Time Zone, select the time zone where the FortiWeb unit is located.
3 Configure the following to either manually configure the system time, or automatically synchronize the FortiWeb unit's clock with an NTP server:

Table 37: Setting System Time

GUI item
  Description

System Time
  Displays the date and time according to the FortiWeb unit's clock at the time that this tab was loaded, or when you last clicked the Refresh button.

Refresh
  Click to update the System Time field with the current time according to the FortiWeb unit's clock.

Time Zone
  Select the time zone where the FortiWeb unit is located.

Automatically adjust clock for daylight saving changes
  Select the check box to have the system time adjusted twice annually to reflect changes between standard time and daylight savings time for your location. (Not all jurisdictions recognize daylight savings time.)

Set Time
  Select this option to manually set the date and time of the FortiWeb unit's clock, then select the Hour, Minute, Second, Year, Month and Day fields before you click OK.

Synchronize with NTP Server
  Select this option to automatically synchronize the date and time of the FortiWeb unit's clock with an NTP server, then configure the Server and Sync Interval fields before you click OK.

Server
  Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, go to http://www.ntp.org.

Sync Interval
  Enter how often in minutes the FortiWeb unit should synchronize its time with the NTP server. For example, entering 1440 causes the FortiWeb unit to synchronize its time once a day.

4 Click OK.

Uploading signature updates


System > Maintenance > Update Signature enables you to update the predefined robots, data types, suspicious URLs, and attack signatures that your FortiWeb unit uses to detect attacks such as:
  cross-site scripting (XSS)
  SQL injection
  common exploits

Updating signatures ensures that your FortiWeb unit can detect recently discovered variations of these attacks.
Tip: Alternatively, you can schedule automatic updates. For details, see Scheduling signature updates on page 102.

After restoring the firmware of the FortiWeb unit, you should upload the most currently available attack signatures. Restoring firmware installs the attack signatures that were current at the time that the firmware image file was made: they may no longer be up-to-date.

Before you can download signature update files to your management computer, you must first register your FortiWeb unit with the Fortinet Technical Support web site, https://support.fortinet.com/, and obtain a valid support contract. Signature update files will then be available for download when you log in to the Fortinet Technical Support web site.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see About permissions on page 80.
Note: Once the attack signature update is complete, you can continue using FortiWeb without restarting the FortiWeb unit.

Figure 27: Update Signature tab

Scheduling signature updates


System > Maintenance > Auto Update enables you to configure how the FortiWeb unit will retrieve predefined robots, data types, suspicious URLs, and attack signature updates that your FortiWeb unit uses to detect attacks such as:
  cross-site scripting (XSS)
  SQL injection
  common exploits
Tip: Alternatively, you can manually upload update packages. For details, see Uploading signature updates on page 101.

FortiWeb units receive updates from the FortiGuard Distribution Network (FDN). The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). Unless you override the setting with a specific FDS address, FortiWeb units connect to the FDN by connecting to the FDS nearest to the FortiWeb unit by its configured time zone.


Note: If required, the FortiWeb unit can be configured to connect through a web proxy. For details, see the FortiWeb CLI Reference.

In addition to manual update requests, FortiWeb units support automatic, scheduled updates, where the FortiWeb unit periodically polls the FDN to determine if there are any available updates. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see About permissions on page 80.
Table 38: System > Maintenance > Auto Update tab

GUI item
  Description

Registration
  Displays the registration status of the FortiWeb unit with the FortiGuard Distribution Network (FDN). If it is unregistered, you must click Register and complete the form on the Fortinet Technical Support web site in order for the FortiWeb unit to retrieve updates.

FortiWeb Update Service
  Displays the current update license status, as well as the date, time, and method of the previous update attempt. If the FortiWeb unit's attack signature update license has expired, click Renew to purchase a new license.

Use override server address
  Enable to override the default FortiGuard Distribution Server (FDS) to which the FortiWeb unit connects for updates, then enter the IP address of the override public or private FDS.

Scheduled Update
  Enable to perform updates according to a schedule, then select one of the following as the frequency of update requests.
  Every: Select to request to update once every 1 to 23 hours, then select the number of hours between each update request.
  Daily: Select to request to update once a day, then select the hour of the day to check for updates.
  Weekly: Select to request to update once a week, then select the day of the week, the hour, and the minute of the day to check for updates.
  If you select 00 minutes, the update request occurs at a randomly determined time within the selected hour.
  When the FortiWeb unit requests an update at the scheduled time, results appear in FortiWeb Update Service in the FortiGuard Information widget. If event logging is enabled, and the FortiWeb unit cannot successfully connect, it will record a log with the message update failed, failed to connect any fds servers!


Apply
  Click to save configuration changes on this tab.

Update Now
  Click to manually initiate an update request. Results will appear in FortiWeb Update Service in the FortiGuard Information widget. The time required varies by the availability of updates, size of the updates, and speed of the FortiWeb unit's network connection. If event logging is enabled, and the FortiWeb unit cannot successfully connect, it will record a log with the message update failed, failed to connect any fds servers!

Accessing the Setup Wizard


The System menu includes the Wizard option. The Setup Wizard steps you through actions required for basic system configuration, web protection, and log setup. Typically, you use the Setup Wizard just once when you initially configure your FortiWeb unit for web protection after you install the FortiWeb unit hardware. See the FortiWeb Install and Setup Guide for instructions on using the Setup Wizard.


Router
This chapter describes the Router menu.

Static routes direct traffic that exits the FortiWeb unit: you can specify through which network interface a packet will leave, and the IP address of a next-hop router that is reachable from that network interface. The router is aware of which IP addresses are reachable through various network pathways, and can forward those packets along pathways capable of reaching the packets' ultimate destinations.

A default route is a special type of static route. A default route matches all packets, and defines a gateway router that can receive and route packets if no other, more specific static route is defined for the packet's destination IP address.

Configuring static routes


Router > Static > Static Route displays the list of static routes, including the default route.

You should configure at least one static route, a default route, that points to your gateway. However, you may configure multiple static routes if you have multiple gateway routers; each should receive packets destined for a different subset of IP addresses. For example, if a web server is directly attached to one of the network interfaces, but all other destinations, such as connecting clients, are located on distant networks such as the Internet, you might need to add only one route: a default route for the gateway router through which the FortiWeb unit connects to the Internet.

The FortiWeb unit examines the packet's destination IP address and compares it to those of the static routes. If more than one route matches the packet, the FortiWeb unit will apply the route with the smallest index number. For this reason, you should give more specific routes a smaller index number than the default route.

When you add a static route through the web-based manager, the FortiWeb unit evaluates the route to determine if it represents a different route compared to any other route already present in the list of static routes. If no route having the same destination exists in the list of static routes, the FortiWeb unit adds the static route, using the next unassigned route index number.
Note: By default, the FortiWeb unit will forward only HTTP/HTTPS traffic to your protected real servers. (That is, IP-based forwarding is disabled.) For information on enabling forwarding of other protocols such as FTP, see the config router setting command in the FortiWeb CLI Reference.

To access this part of the web-based manager, you must have Read and Write permission in your administrator's account access profile to items in the Router Configuration category. For details, see About permissions on page 80.


Table 39: Router > Static > Static Route tab

GUI item
  Description

Create New
  Click to add a static route.

#
  Displays the index number of the entry in the list.

IP
  Displays the destination IP addresses of packets subject to the static route, where 0.0.0.0 indicates that the route matches all destination IP addresses.

Mask
  Displays the network mask associated with the IP address, where 0.0.0.0 indicates that the route matches all subnet masks.

Gateway
  Displays the IP address of the next-hop router where packets subject to the static route will be forwarded.

Device
  Displays the name of the network interface through which packets subject to the static route will egress.

(No column heading.)
  Click the Delete icon to remove an entry.
  Click the Edit icon to modify an entry.

To configure a static route
1 Go to Router > Static > Static Route.
2 Click Create New.
3 Configure the following, then click OK:

GUI item
  Description

Destination IP/Mask
  Type the destination IP address and network mask of packets that will be subject to this static route, separated by a slash ( / ). The value 0.0.0.0/0.0.0.0 is reserved for the default route, which matches all packets.

Gateway
  Type the IP address of the next-hop router where the FortiWeb unit will forward packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/Mask. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
  Warning: The gateway IP address must be in the same subnet as the interface's IP address. When you change the interface's IP address later on, the new IP address must also be in the same subnet as the interface's default gateway address; otherwise, all the static routes and the default gateway information will be lost.

Interface
  Select the name of the network interface through which the packets subject to the static route will egress towards the next-hop router.
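The smallest-index rule and the Gateway subnet warning above, as an added Python example that is not Fortinet's code: it models a static route list with the table's columns, selects a route by smallest index exactly as the guide states (not by longest prefix), flags specific routes that a lower-index default route makes unreachable, and checks that a gateway lies in the egress interface's subnet. Route and interface values are constructed samples.

```python
"""Static route selection as the guide describes it (hypothetical helper, not FortiWeb code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticRoute:
    index: int      # the # column: the smallest index wins when several routes match
    ip: str         # destination IP, 0.0.0.0 for the default route
    mask: str       # network mask, 0.0.0.0 for the default route
    gateway: str    # next-hop router
    device: str     # egress network interface

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.ip}/{self.mask}", strict=False)

    def matches(self, dst_ip: str) -> bool:
        return ipaddress.IPv4Address(dst_ip) in self.network()


def select_route(routes: List[StaticRoute], dst_ip: str) -> Optional[StaticRoute]:
    """Pick the matching route with the smallest index number, as the guide states."""
    matching = [r for r in routes if r.matches(dst_ip)]
    return min(matching, key=lambda r: r.index) if matching else None


def shadowed_routes(routes: List[StaticRoute]) -> List[Tuple[StaticRoute, StaticRoute]]:
    """Routes that can never be selected because a broader route has a smaller index.

    Returns (shadowed route, route that shadows it) pairs; an empty list means the
    list follows the guide's advice of giving specific routes the smaller index."""
    result = []
    for r in routes:
        for other in routes:
            if other is not r and other.index < r.index and r.network().subnet_of(other.network()):
                result.append((r, other))
                break
    return result


def gateway_on_interface_subnet(gateway: str, interface_ip: str, interface_mask: str) -> bool:
    """The Gateway warning: the next hop must lie in the egress interface's subnet."""
    subnet = ipaddress.IPv4Interface(f"{interface_ip}/{interface_mask}").network
    return ipaddress.IPv4Address(gateway) in subnet


# Constructed sample: the default route was entered first (index 1) and a more
# specific route later (index 2). Under the smallest-index rule, index 1 wins for
# every packet, so the specific route is never used.
MISORDERED = [
    StaticRoute(1, "0.0.0.0", "0.0.0.0", "192.0.2.1", "port1"),
    StaticRoute(2, "10.10.0.0", "255.255.0.0", "192.168.1.254", "port2"),
]

# The same routes with the specific route given the smaller index, as recommended.
CORRECT = [
    StaticRoute(1, "10.10.0.0", "255.255.0.0", "192.168.1.254", "port2"),
    StaticRoute(2, "0.0.0.0", "0.0.0.0", "192.0.2.1", "port1"),
]

if __name__ == "__main__":
    for name, table in (("misordered", MISORDERED), ("correct", CORRECT)):
        chosen = select_route(table, "10.10.5.7")
        print(f"{name}: 10.10.5.7 -> route #{chosen.index} via {chosen.gateway} on {chosen.device}")
        for r, by in shadowed_routes(table):
            print(f"{name}: route #{r.index} {r.network()} is shadowed by route #{by.index} {by.network()}")
    print("gateway 192.0.2.1 on port1 192.0.2.10/24:",
          gateway_on_interface_subnet("192.0.2.1", "192.0.2.10", "255.255.255.0"))
```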


Users and user groups


This chapter describes the User menu. You need to define users and user groups if you want the FortiWeb unit to protect web sites that require user authentication, such as a shopping cart application. If the FortiWeb unit's role is to protect a corporate information portal, where no user authentication is required, there is no need to configure user access. The FortiWeb authentication feature uses local users, LDAP queries, RADIUS queries, and NTLM queries to authorize HTTP requests. For details, see Configuring authentication policy on page 257.
Note: User authentication applies only when the FortiWeb unit is operating in reverse proxy mode, or in true transparent proxy mode that does not use HTTPS.

You can create user groups for each user type or combine several user types in one group for easy management of user authentication.

This chapter includes the following topics:
  Configuring local users
  Configuring LDAP user queries
  Configuring RADIUS user queries
  Configuring NTLM user queries
  Grouping users

User creation workflow


The following lists the steps to configure user authentication for your FortiWeb unit.
1 Define your FortiWeb users in one or more of the following ways:
  For local users, create a record for each user. See Configuring local users on page 108.
  For user credentials stored on an LDAP server, configure access to that server. See Configuring LDAP user queries on page 109.
  For user credentials stored on a RADIUS server, configure access to that server. See Configuring RADIUS user queries on page 111.
  For user credentials accessed through an NT LAN Manager, configure NTLM access. See Configuring NTLM user queries on page 113.

2 Optionally, if you want to use secure connections, you must upload the applicable certificates, define a certificate verification rule, and possibly also an intermediate CA certificate group. For example, to configure a secure connection to an LDAP server, you must upload the certificate of the CA that signed the LDAP server's certificate. See Managing certificates on page 84.
3 Create one or more user groups and add users to the groups. See Grouping users on page 114.
4 Add the user groups to an authentication rule. See Configuring authentication rules on page 261.


5 Add authentication rules to an authentication policy. See Configuring authentication rules on page 261.
6 Select the authentication policy in an inline protection profile. See Configuring an inline protection profile on page 269.
7 Select the inline protection profile as the web protection profile in a server policy. See Configuring server policies on page 118.

Configuring local users


User > Local User > Local User displays the list of locally defined user accounts. The FortiWeb authentication feature uses local user entries to authorize HTTP requests. For more information, see Configuring authentication policy on page 257. Local user accounts are activated indirectly by selecting them in a user group that is selected within an authentication rule. Then, select the rule within an authentication policy, and ultimately select the policy within an inline protection profile. For details, see User creation workflow on page 107.
Note: User passwords are not encrypted when downloading a FortiWeb configuration backup file. If you configure local user accounts, be sure to store configuration backup files in a safe location.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see About permissions on page 80.
Table 40: User > Local User > Local User tab

GUI item
  Description

Create New
  Click to add a user.

#
  Displays the index number of the entry in the list.

Name
  Displays the name of the entry.

User Name
  Displays the user name that the client must provide when authenticating.

(No column heading.)
  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a user group.
  Click the Edit icon to modify the entry.

To configure a local user
1 Go to User > Local User > Local User.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
3 In Name, type the name of the local user entry. This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name. (You cannot delete a user if any user group has it as a member.)


4 Configure the following:

GUI item
  Description

Name
  Type a display name for the user.

User Name
  Type the user name that the client must provide when authenticating.

Password
  Type the password for the local user account. The maximum length is 63 characters.

5 Click OK.

Configuring LDAP user queries


User > LDAP User > LDAP User displays the list of LDAP queries that can authenticate users. The FortiWeb authentication feature uses LDAP user queries to authorize HTTP requests. For more information, see Configuring authentication policy on page 257. LDAP user accounts are activated indirectly by selecting them in a user group that is selected within an authentication rule. Then, select the rule within an authentication policy, and ultimately select the policy within an inline protection profile. For details, see User creation workflow on page 107. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see About permissions on page 80.
Table 41: User > LDAP User > LDAP User tab

GUI item
  Description

Create New
  Click to add an LDAP user account query. Only one LDAP user query can exist at any given time. If a query is already configured, this button is grayed out.

#
  Displays the index number of the entry in the list.

Name
  Displays the name of the entry.

Server IP
  Displays the IP address of the LDAP server that will be queried to authenticate users.

Port
  Displays the TCP port number where the LDAP server listens for queries.

Common Name Identifier
  Displays the common name (CN) attribute, often cn, whose value is the user name.

Distinguished Name
  Displays the distinguished name (DN) that, when prefixed with the common name, forms the full path in the directory to the user account object.

(No column heading.)
  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently a member of a user group.
  Click the Edit icon to modify the entry.

Before configuring the query, if you will configure a secure connection, you must upload the certificate of the CA that signed the LDAP server's certificate. For details, see Managing CA certificates on page 90.

To configure the LDAP user query
1 Go to User > LDAP User > LDAP User.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
3 In Name, type the name of the LDAP user query entry. This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:

GUI item
  Description

Server IP
  Type the IP address of the LDAP server.

Server Port
  Type the port number where the LDAP server listens. The default port number varies by your selection in Secure Connection: port 389 is typically used for non-secure connections or for STARTTLS-secured connections, and port 636 is typically used for SSL-secured (LDAPS) connections.

Common Name Identifier
  Type the identifier, often cn, for the common name (CN) attribute whose value is the user name. Identifiers may vary by your LDAP directory's schema.

Distinguished Name
  Type the distinguished name (DN) that, when prefixed with the common name, forms the full path in the directory to the user account objects.


Bind Type
  Select one of the following LDAP query binding styles:
  Simple: Bind using the client-supplied password and a bind DN assembled from the Common Name Identifier, Distinguished Name, and the client-supplied user name.
  Regular: Bind using a bind DN and password that you configure in User DN and Password.
  Anonymous: Do not provide a bind DN or password. Instead, perform the query without authenticating. Select this option only if the LDAP directory supports anonymous queries.

User DN
  Type the bind DN, such as cn=FortiWebA,dc=example,dc=com, of an LDAP user account with permissions to query the Distinguished Name. This field may be optional if your LDAP server does not require the FortiWeb unit to authenticate when performing queries, and does not appear if Bind Type is Anonymous or Simple.

Password
  Type the password of the User DN. This field may be optional if your LDAP server does not require the FortiWeb unit to authenticate when performing queries, and does not appear if Bind Type is Anonymous or Simple.

Secure Connection
  Enable to connect to the LDAP servers using an encrypted connection, then select the style of the encryption in Protocol.

Protocol
  Select whether the LDAP query will be secured using LDAPS or STARTTLS. You may need to reconfigure Server Port to correspond to the change in protocol. This option appears only if Secure Connection is enabled.

Test LDAP
  Click to test that the current settings are correct, and that the FortiWeb unit can communicate with the LDAP server.
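The three Bind Type styles and the Server Port / Protocol pairing above, as an added Python example that is not Fortinet's code: it assembles the Simple bind DN from Common Name Identifier, the client-supplied user name and Distinguished Name (escaping the user name per RFC 4514), returns the configured User DN and Password for a Regular bind, nothing for Anonymous, and flags a Server Port that does not match the chosen protocol. Field names, the LdapQuery class and the sample values are assumptions.

```python
"""Bind credentials per the LDAP User query form (hypothetical helper, not FortiWeb code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Characters that RFC 4514 requires to be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value (here the client-supplied user name) for use in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:              # leading '#' only
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading or trailing space only
            out.append("\\ ")
        elif ord(ch) < 0x20:                    # control characters as \XX hex
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


@dataclass(frozen=True)
class LdapQuery:
    """Fields of the LDAP User query form (names follow the table above; assumed class)."""
    server_ip: str
    server_port: int
    cn_identifier: str              # Common Name Identifier, often "cn"
    distinguished_name: str         # Distinguished Name under which user objects live
    bind_type: str                  # "Simple", "Regular" or "Anonymous"
    user_dn: Optional[str] = None   # Regular bind only
    password: Optional[str] = None  # Regular bind only
    secure_connection: bool = False
    protocol: Optional[str] = None  # "LDAPS" or "STARTTLS" when secure_connection is set


def validate_client_credentials(username: str, client_password: str) -> Optional[str]:
    """Reason a Simple bind must not be attempted, or None if the pair is usable.

    A simple bind that carries a DN but an empty password is an *unauthenticated*
    bind (RFC 4513 section 5.1.2); many servers answer it with success, so an
    empty password must be rejected before binding, never forwarded."""
    if not username:
        return "empty user name"
    if not client_password:
        return "empty password (would be an unauthenticated bind)"
    return None


def bind_credentials(q: LdapQuery, username: str,
                     client_password: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (bind DN, bind password) for the configured Bind Type."""
    if q.bind_type == "Simple":
        problem = validate_client_credentials(username, client_password)
        if problem:
            raise ValueError(problem)
        # Bind DN = <CN identifier>=<escaped user name>,<Distinguished Name>
        dn = f"{q.cn_identifier}={escape_dn_value(username)},{q.distinguished_name}"
        return dn, client_password
    if q.bind_type == "Regular":
        if not q.user_dn:
            raise ValueError("Regular bind requires User DN")
        return q.user_dn, q.password
    if q.bind_type == "Anonymous":
        return None, None
    raise ValueError(f"unknown bind type: {q.bind_type!r}")


def expected_port(q: LdapQuery) -> int:
    """Typical port per the Server Port row: 636 for LDAPS, otherwise 389 (plain or STARTTLS)."""
    if q.secure_connection and q.protocol == "LDAPS":
        return 636
    return 389


def port_mismatch(q: LdapQuery) -> bool:
    """True when Server Port was not reconfigured after changing Protocol."""
    return q.server_port != expected_port(q)


if __name__ == "__main__":
    # Constructed sample query: Simple bind against a directory at 192.0.2.20.
    simple = LdapQuery("192.0.2.20", 389, "cn", "ou=people,dc=example,dc=com", "Simple")
    print(bind_credentials(simple, "Smith, John", "client-pw"))
    ldaps = LdapQuery("192.0.2.20", 389, "cn", "dc=example,dc=com", "Regular",
                      user_dn="cn=FortiWebA,dc=example,dc=com", password="bind-pw",
                      secure_connection=True, protocol="LDAPS")
    print("port mismatch:", port_mismatch(ldaps), "expected", expected_port(ldaps))
```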

5 Click OK.

Configuring RADIUS user queries


User > RADIUS User > RADIUS User displays the list of RADIUS queries that can authenticate users. Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication, authorization, and accounting functions.

The FortiWeb authentication feature uses RADIUS user queries to authorize HTTP requests. If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the unit sends the user's credentials to the RADIUS server for authentication. If the RADIUS server can authenticate the user, the user is successfully authenticated with the FortiWeb unit. If the RADIUS server cannot authenticate the user, the FortiWeb unit refuses the connection. You can override the default authentication scheme by selecting a specific authentication protocol or changing the default port for RADIUS traffic. For details, see Configuring authentication policy on page 257.

RADIUS user accounts are activated indirectly, by selecting them in a user group that is selected within an authentication rule. Then, select the rule within an authentication policy, and ultimately select the policy within an inline protection profile. For details, see User creation workflow on page 107.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see About permissions on page 80.


Table 42: User > RADIUS User > RADIUS User tab

GUI item
  Description

Create New
  Click to add a RADIUS user account query.

#
  Displays the index number of the entry in the list.

Name
  Displays the name of the entry.

Server IP
  Displays the IP address of the RADIUS server that will be queried to authenticate users.

(No column heading.)
  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a user group.
  Click the Edit icon to modify the entry.

To configure the RADIUS user query
Before configuring the query, if you will configure a secure connection, you must upload the certificate of the CA that signed the RADIUS server's certificate. For details, see Managing CA certificates on page 90.
1 Go to User > RADIUS User > RADIUS User.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
3 In Name, type the name of the RADIUS user query entry. This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:

GUI item
  Description

Name
  Enter a name for this RADIUS user query.

Server IP
  Type the IP address of the primary RADIUS server.


Server Port
  Type the port number where the RADIUS server listens. The default port number is 1812.

Server Secret
  Enter the RADIUS server secret key for the primary RADIUS server. The primary server secret key should be a maximum of 16 characters in length.

Secondary Server IP
  Type the IP address of the secondary RADIUS server, if applicable.

Secondary Server Port
  Type the port number where the secondary RADIUS server listens. The default port number is 1812.

Secondary Server Secret
  Enter the RADIUS server secret key for the secondary RADIUS server. The secondary server secret key should be a maximum of 16 characters in length.

Authentication Scheme
  Select Default to authenticate with the default method. The default authentication scheme uses PAP, MS-CHAP-V2, and CHAP, in that order. Select Specify Authentication Protocol to override the default authentication method, and choose the protocol from the list: MS-CHAP-V2, CHAP, MS-CHAP, or PAP, depending on what your RADIUS server needs.

NAS IP
  Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiWeb unit uses to communicate with the RADIUS server will be applied.

Test Radius
  Click to test that the current settings are correct, and that the FortiWeb unit can communicate with the RADIUS server.

5 Click OK.

Configuring NTLM user queries


User > NTLM User > NTLM User displays the list of NT LAN Manager (NTLM) user account queries. NTLM queries can be made to a Microsoft Windows or Active Directory server that is configured for NTLM authentication. FortiWeb supports both NTLM v1 and NTLM v2. The FortiWeb authentication feature uses NTLM user queries to authorize HTTP requests. For more information, see Configuring authentication policy on page 257. NTLM user account queries are used indirectly by selecting them in a user group that is selected within an authentication rule. Then, select the rule within an authentication policy, and ultimately select the policy within an inline protection profile. For details, see User creation workflow on page 107. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see About permissions on page 80.
Table 43: User > NTLM User > NTLM User tab

Create New
  Click to add an NTLM user account query.

#
  Displays the index number of the entry in the list.

Name
  Displays the name of the entry.

Server IP
  Displays the IP address of the NTLM server that will be queried.

Port
  Displays the TCP port number where the NTLM server listens for queries.

(No column heading.)
  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a user group.
  Click the Edit icon to modify the entry.
To configure an NTLM user query

1 Go to User > NTLM User > NTLM User.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
3 In Name, type the name of the NTLM user entry. This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:

Name
  Type a display name for the user.

Server IP
  Type the IP address of the NTLM server that will be queried.

Port
  Type the TCP port number where the NTLM server listens for queries.
5 Click OK.

Grouping users
User > User Group > User Group displays the list of user groups. The FortiWeb authentication feature uses user groups to authorize HTTP requests. Any group can include a mixture of local user accounts, LDAP user queries, RADIUS user queries, and NTLM user queries. User groups are used indirectly, by selecting them within an authentication rule. Then, select the rule within an authentication policy, and ultimately select the policy within an inline protection profile. For details, see User creation workflow on page 107.
Tip: Before you can configure a user group, you must first configure one or more users.

114

FortiWeb Web Application Firewall Version 4.0 MR2 Administration Guide Revision 10 http://docs.fortinet.com/ Feedback

Users and user groups

Grouping users

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see About permissions on page 80.
Table 44: User > User Group > User Group tab

Create New
  Click to add an NTLM user account query.

#
  Displays the index number of the entry in the list.

Name
  Displays the name of the entry.

Auth Type
  Displays one of the following:
  - Basic: Basic authentication is the original and most compatible authentication scheme for HTTP. However, it is also the least secure, as it sends the user name and password unencrypted to the server. Groups with this authentication type can include local users, LDAP queries, and RADIUS queries.
  - Digest: Digest authentication encrypts the password and thus is more secure than basic authentication. Groups with this authentication type can include local users only.
  - NTLM: NTLM is a proprietary protocol of Microsoft and is deemed to be more secure. Groups with this authentication type can include NTLM users only.

Count
  Displays the number of individual user accounts and/or user queries contained in the entry.

(No column heading.)
  Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an authentication rule.
  Click the Edit icon to modify the entry.

To configure a user group

1 Go to User > User Group > User Group.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
3 In Name, type the name of the user group. This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.
4 Select an authentication type:
  - Basic: This is the original and most compatible authentication scheme for HTTP. However, it is also the least secure, as it sends the user name and password unencrypted to the server.
  - Digest: Digest authentication encrypts the password and thus is more secure than basic authentication.
  - NTLM: NTLM authentication is a proprietary protocol of Microsoft and is deemed to be more secure.
5 Click OK.
6 Click Create New, then configure the following:

ID
  Type the index number of the individual rule within the group of users, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.

User Type
  Select the type of user or user query you want to add to the group. The options presented vary with the setting for the group's Auth Type option.
  Note: You can mix user types in the group. However, if the authentication rule's Auth Type does not support a given user type, all user accounts of that type will be ignored, effectively disabling them.

User Name
  Select the name of the user or user query. The list contents vary with your selection in User Type.

7 Repeat the previous step for each individual rule that you want to add to the group of users.
8 If you need to modify an individual rule, click its Edit icon. To remove an individual user or user query from the group of users, click its Delete icon. To remove all individual users or user queries from the group of users, click the Clear icon.
9 Click OK.

116

FortiWeb Web Application Firewall Version 4.0 MR2 Administration Guide Revision 10 http://docs.fortinet.com/ Feedback

Server policy

Server policy
This chapter describes the Server Policy menu and how to use all the features of a server policy.

This chapter includes the following topics:
- Configuring server policies
- Configuring servers
- Configuring server health checks
- Configuring services
- Configuring protected servers
- Configuring predefined patterns
- Configuring custom patterns
- Configuring custom application policies

Server policy workflow requirements


The creation of a server policy involves multiple steps. The number and sequence of steps depends on what you wish to achieve. Some steps may be bypassed depending on your requirements.

1 Optionally, if you want to use secure connections, you must upload the applicable certificates, define a certificate verification rule, and possibly also an intermediate CA certificate group. See Managing certificates on page 84.
2 Configure one or more virtual servers, physical servers, or domain servers. See Configuring virtual servers on page 129, Configuring physical servers on page 131, and Configuring domain servers on page 133.
3 Configure one or more protected servers. See Configuring protected servers on page 147.
4 Optionally, add two or more servers to a server farm. See Grouping physical and domain servers into server farms on page 135.
5 Configure logging and a trigger policy if you plan to include triggers in a web protection profile used by the server policy. See Log configuration workflow on page 313.
6 Configure one or more XML, inline, or offline protection profiles. See:
  - XML protection profile workflow on page 163 (reverse proxy mode only)
  - Inline protection profile workflow on page 268 (any mode except offline protection)
  - Offline protection profile workflow on page 274 (offline protection mode only)
7 If you want the FortiWeb unit to gather auto-learning data, configure an auto-learning profile and its required components. See Auto-learning profile workflow on page 278.
8 If the policy is to include user authentication, you must configure users, user groups, and an authentication policy, and include that policy as part of an inline protection profile. See HTTP authentication policy workflow on page 259.
9 After you complete the applicable previous steps, you can configure or complete server policies. See Configuring server policies on page 118.


Configuring server policies


Server Policy > Policy > Policy displays the list of policies. Use FortiWeb policies to:
- determine which connections FortiWeb will allow or block
- apply a profile that specifies how FortiWeb will process the connections that it allows
- route traffic to specific destination real servers (if supported by the operation mode)
- use an auto-learning profile to gather additional information about your HTTP traffic for use as guidance when modifying the policy or profiles
Note: There is a limit to the number of server policies you can create. The limit varies with the model of your FortiWeb unit. For details, see Appendix B: Maximum values on page 397.

When determining the policy to apply to a connection, FortiWeb units will consider the operation mode:
- Reverse Proxy: Apply the policy whose virtual server and service match the connection.
- Offline Protection: Apply the policy whose network interface in the virtual server matches the connection. Do not consider the service or the IP address of the virtual server.
- True Transparent Proxy: Apply the policy whose v-zone (bridge) matches the connection. Do not consider the IP address of the bridge.
- Transparent Inspection: Apply the policy whose v-zone (bridge) matches the connection. Do not consider the IP address of the bridge.

The FortiWeb unit will apply only one policy to each connection. If an HTTP connection does not match any of the policies, the FortiWeb unit will block the connection. Policies are not used while they are disabled, as indicated by Status on page 121. Policy behavior varies with the operation mode.


Table 45: Policy behavior by operation mode

Matches by
  Reverse Proxy: Service and virtual server.
  Offline Protection: Virtual server's network interface, but not its IP address.
  True Transparent Proxy: V-zone (bridge), but not its IP address.
  Transparent Inspection: V-zone (bridge), but not its IP address.

Violations
  Reverse Proxy: Blocked or modified, according to profile.
  Offline Protection: Attempts to block by mimicking the client or server and requesting to reset the connection; does not modify otherwise.
  True Transparent Proxy: Blocked or modified, according to profile.
  Transparent Inspection: Attempts to block by mimicking the client or server and requesting to reset the connection; does not modify otherwise.

Profile support
  Reverse Proxy: Inline protection profiles, auto-learning profiles, XML protection profiles.
  Offline Protection: Offline protection profiles, auto-learning profiles.
  True Transparent Proxy: Inline protection profiles, auto-learning profiles.
  Transparent Inspection: Offline protection profiles, auto-learning profiles.

SSL
  Reverse Proxy: Certificate used to offload SSL from the servers to FortiWeb; can optionally re-encrypt before forwarding to the destination server.
  Offline Protection: Certificate used to decrypt and scan only; does not act as an SSL origin or terminator.
  True Transparent Proxy: Certificate used to decrypt and scan only; does not act as an SSL origin or terminator.
  Transparent Inspection: Certificate used to decrypt and scan only; does not act as an SSL origin or terminator.

Forwarding
  Reverse Proxy: Forwards to a single real server or member of a server farm using the port number where it listens; similar to a network address translation (NAT) policy on a general-purpose firewall. Can load-balance or route connections to a specific server based upon XML content.
  Offline Protection: Lets the traffic pass through to a member of a server farm, but does not load-balance.
  True Transparent Proxy: Forwards to a member of a server farm (but allowing it to pass through, without actively redistributing connections) using the port number where it listens.
  Transparent Inspection: Lets the traffic pass through to a member of a server farm, but does not load-balance.

Note: When you switch the operation mode, policies will be deleted from the configuration file if they are not applicable in the current operation mode.

Policies can be configured to detect URL-embedded attacks that are obfuscated using recursive URL encoding (that is, multiple levels of URL encoding). For more information, see the circulate-url-decode option of the config server-policy policy command in the FortiWeb CLI Reference. To access this part of the web-based manager, your administrator's account access profile must have Read permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
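To show what the recursive decoding described above buys, here is an added Go example (written for this page, not FortiWeb's implementation) that compares one decoding pass with decoding to a fixed point under a depth cap; the signature list and request paths are constructed sample data.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// DecodeURLRecursively percent-decodes s repeatedly, at most maxDepth times,
// until the result stops changing. It returns the decoded value and the number
// of encoding layers that were removed. The depth limit keeps a deliberately
// deep encoding from consuming unbounded work.
func DecodeURLRecursively(s string, maxDepth int) (string, int) {
	layers := 0
	for layers < maxDepth {
		next, err := url.PathUnescape(s)
		if err != nil || next == s {
			break // malformed escape sequence, or nothing left to decode
		}
		s, layers = next, layers+1
	}
	return s, layers
}

// Constructed signatures that a URL inspection might look for once decoded.
var signatures = []string{"../", "'", "<script"}

func matchesSignature(s string) bool {
	for _, sig := range signatures {
		if strings.Contains(s, sig) {
			return true
		}
	}
	return false
}

// Inspect reports whether path matches a signature after a single decoding pass
// and after recursive decoding, making the effect of the option visible.
func Inspect(path string) (singlePass, recursive bool) {
	once, err := url.PathUnescape(path)
	if err != nil {
		once = path // undecodable input is inspected as received
	}
	deep, _ := DecodeURLRecursively(path, 5)
	return matchesSignature(once), matchesSignature(deep)
}

func main() {
	// Constructed request paths: plain, single-encoded, double-encoded, and
	// a benign path whose only escape is a UTF-8 character.
	for _, p := range []string{
		"/app/../admin",
		"/app/%2e%2e/admin",
		"/app/%252e%252e%252fadmin",
		"/search/caf%C3%A9",
	} {
		decoded, layers := DecodeURLRecursively(p, 5)
		single, rec := Inspect(p)
		fmt.Printf("%-28s layers=%d decoded=%-16s single=%-5t recursive=%t\n", p, layers, decoded, single, rec)
	}
}
```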
Table 46: Server Policy > Policy > Policy tab

Create New
  Click to add a policy.

#
  Displays the index number of the entry in the list. On FortiWeb units, the index number of a policy indicates its alphabetical order only. It does not indicate the order of evaluation for matches with connections. Instead, the FortiWeb unit will apply the one policy that matches the connection, if any exists.

Policy Name
  Displays the name of the entry.

Policy Type
  Indicates whether the policy applies a web protection profile (either an inline or an offline protection profile) or an XML protection profile.

Virtual Server or V-zone
  Displays the virtual server or v-zone (bridge) where the policy applies a protection profile and routes traffic to one or more real servers.

HTTP Service
  Displays the service that defines the TCP port number where the virtual server receives HTTP traffic.

HTTPS Service
  Displays the service that defines the TCP port number where the virtual server receives HTTPS traffic.

Deployment Mode
  Displays the method of distribution that the FortiWeb unit will use when forwarding connections accepted by this policy.
  - Single Server: Forward connections to a single real server.
  - Server Balance: Use a load-balancing algorithm when distributing connections amongst the real servers in a server farm. If a real server is unresponsive to the server health check, the FortiWeb unit forwards subsequent connections to another real server in the server farm.
  - HTTP Content Routing: Use HTTP content routing to route HTTP requests to a specific real server in a server farm by specifying the host or URL and the request file.
  - XPath Content Routing: Use content routing rules defined as XPath expressions in the server farm configuration when distributing connections amongst the real servers in a server farm. If a real server is unresponsive to the server health check, or if a request does not match the XPath expression, the FortiWeb unit forwards connections to the first real server in the server farm.
  - WSDL Content Routing: Use WSDL content routing rules defined in the server farm configuration when distributing connections amongst the real servers in a server farm. If a real server is unresponsive to the server health check, or if a request does not match the WSDL content routing rules, the FortiWeb unit forwards connections to the first real server in the server farm.
  - Offline Protection: Allow connections to pass through the FortiWeb unit, but instead of applying an inline protection profile, apply an offline protection profile.
  - Transparent Servers: Allow connections to pass through the FortiWeb unit, and apply a protection profile.
  You can use the Service Status widget to determine whether or not a real server is currently responding to the server health check. For details, see Service Status widget on page 49.

Enable
  Mark this check box to allow the policy to be used when evaluating traffic for a matching policy. For details, see Enabling or disabling a policy on page 128.
  Note: You can use SNMP traps to notify you of changes to the policy's status. For details, see Configuring an SNMP community on page 68.

Status
  Indicates whether or not a policy will be used when evaluating traffic for a matching policy.
  - Green icon: The policy will be used when evaluating traffic for a matching policy.
  - Flashing yellow-to-red icon: The policy will not be used when evaluating traffic for a matching policy. To be used, a policy's Enable option must be marked.

(No column heading.)
  Click the Edit icon to modify the entry. For details, see Configuring server policies on page 118.
  Click the Delete icon to remove the entry. Policies may be automatically deleted if you switch the Operation Mode and the policy's type is not supported by the new mode.
  Caution: Deleting a policy also removes any auto-learning data it has gathered using an auto-learning profile. To retain this data, instead either deselect the auto-learning profile in the policy, or disable the policy. For details, see Enabling or disabling a policy on page 128.
  When available, click the View Cookies icon to display cookies that have been observed in reply traffic from the server managed by this policy. This icon appears only after cookies have been observed in the Set-Cookie: HTTP header, and does not appear for cookies that may have been set using client-side JavaScript. Based upon whether or not the content of the cookies is sensitive, such as if they are used for state tracking or database input, you may want to enable Cookie Poison in the policy's inline protection profile. For details, see Cookie Poison on page 269.

To add or edit a policy

1 Go to Server Policy > Policy > Policy.
2 For a new policy, click Create New. Or, for an existing policy, click the Edit icon in the applicable row. A dialog appears.
Note: Available options vary by the operation mode and the deployment mode of the FortiWeb unit.


3 Configure the following, then click OK:

Table 47: Editing a policy

Policy Name
  Type a name for the policy.

Policy Type
  Select whether you will apply an XML protection profile or a web protection profile, then select the name of the protection profile from Web Protection Profile or XML Protection Profile. Depending on the types of profiles that the current operation mode supports, not all policy types may be available. For details, see Table 45 on page 119.


Virtual Server, Data Capture Port or V-zone
  Select the name of a virtual server, data capture port or v-zone (bridge). The name and use of this option varies by operating mode:
  - Reverse proxy mode: Virtual Server identifies the IP address and network interface of incoming traffic that will be routed and to which the policy will apply a profile.
  - Offline protection mode: Data Capture Port identifies the network interface of incoming traffic to which the policy will attempt to apply a profile. The IP address of the virtual server will be ignored.
  - Either of the transparent modes: V-zone (bridge) indicates the incoming traffic to which the policy will apply a profile.
  Alternatively, you can select the Create New menu option to add a virtual server in a pop-up window, without leaving the current page. For details, see Configuring virtual servers on page 129 or Configuring v-zones (bridges) on page 55.

Deployment Mode
  Select the method of distribution that the FortiWeb unit will use when forwarding connections accepted by this policy.
  - Single Server: Forward connections to a single physical server or domain server. This option is available only if the FortiWeb unit is operating in reverse proxy mode.
  - Server Balance: Use a load-balancing algorithm when distributing connections amongst the real servers in a server farm. If a real server is unresponsive to the server health check, the Fort
iWeb unit forwards subsequent connections to another real server in the server farm. Also configure Load Balancing Algorithm, Persistence Timeout, Server Health Check, and Server Farm. This option is available only if the FortiWeb unit is operating in reverse proxy mode.
  - HTTP Content Routing: Use HTTP content routing to route HTTP requests to a specific real server in a server farm by specifying the host or URL and the request file.
  - XPath Content Routing: Use content routing rules defined as XPath expressions in the server farm configuration when distributing connections amongst the real servers in a server farm. If a real server is unresponsive to the server health check, or if a request does not match the XPath expression, the FortiWeb unit forwards connections to the first real server in the server farm. Also configure Server Health Check and Server Farm. This option is available only if the FortiWeb unit is operating in reverse proxy mode and Policy Type is XML Protection.
  - WSDL Content Routing: Use WSDL content routing rules defined in the server farm configuration when distributing connections amongst the real servers in a server farm. If a real server is unresponsive to the server health check, or if a request does not match the WSDL content routing rules, the FortiWeb unit forwards connections to the first real server in the server farm. Also configure Server Health Check and Server Farm. This option is available only if the FortiWeb unit is operating in reverse proxy mode and Policy Type is XML Protection.
  - Offline Protection: Allow connections to pass through the FortiWeb unit, and apply an offline protection profile. Also configure Server Health Check and Server Farm. This option is available only if the FortiWeb unit is operating in offline protection mode.
  - Transparent Servers: Allow connections to pass through the FortiWeb unit, and apply a protection profile. Also configure Server Farm. This option is available only if the FortiWeb unit is operating in either of the transparent modes.
  Depending on the types of network topologies that the current operation mode supports, not all deployment modes may be available. For details, see Table 45 on page 119.

Server Type
  If you select Single Server as the deployment mode, you must select either Physical Server or Domain Server. For details, see Configuring physical servers on page 131 and Configuring domain servers on page 133.


Physical Server
  Select the physical server to which to forward connections, or select Create New to configure a new physical server in a pop-up window, without leaving the current page. This option appears only when selected as a server type. For details, see Configuring physical servers on page 131.

Domain Server
  Select the domain server to which to forward connections, or select Create New to configure a new domain server in a pop-up window, without leaving the current page. This option appears only when selected as a server type. For details, see Configuring domain servers on page 133.

Server's Port
  Enter the TCP port number where the physical/domain server listens for web or web services connections, depending on whether you have selected a web protection profile or an XML protection profile, respectively. This option appears only when Server Type is visible, that is, only if Deployment Mode is Single Server.

Load Balancing Algorithm
  Select the load-balancing algorithm to use when distributing new connections amongst real servers in the server farm. This option appears only if Deployment Mode is Server Balance.
  - Round Robin: Distributes new connections to the next real server in the server farm, regardless of weight, response time, traffic load, or number of existing connections. Unresponsive servers are avoided.
  - Weighted Round Robin: Distributes new connections using the round robin method, except that real servers with a higher weight value will receive a larger percentage of connections.
  - Least Connection: Distributes new connections to the real server with the fewest number of existing, fully-formed connections.
  - HTTP session based Round Robin: Distributes new connections, if they are not associated with an existing HTTP session, to the next real server in the server farm, regardless of weight, response time, traffic load, or number of existing connections. Unresponsive servers are avoided. Session management is enabled automatically when you enable this feature, and it therefore does not require that you enable Session Management in the web protection profile. This option is available only if Policy Type is Web Protection.

Persistence Timeout
  Enter the timeout for inactive TCP sessions. This option appears only if Deployment Mode is Server Balance or Transparent Servers.

Server Health Check
  Select the server health check to use when determining responsiveness of real servers in the server farm, or select Create New to add a server health check in a pop-up window, without leaving the current page. For details, see Configuring server health checks on page 143. This option appears only if Deployment Mode is Server Balance, Content Routing, or WSDL Content Routing.
  Note: If a real server is unresponsive, wait until the server becomes responsive again before disabling its server health check. Server health checks record the up or down status of the server. If you deactivate the server health check while the server is unresponsive, the server health check will be unable to update the recorded status, and the FortiWeb unit will continue to regard the real server as if it were unresponsive. You can determine the real server's connectivity status using the Service Status widget or an SNMP trap. For details, see Service Status widget on page 49 or Configuring an SNMP community on page 68.

Server Farm
  Select the server farm whose real servers will receive the connections. For details, see Grouping physical and domain servers into server farms on page 135. This option appears only if Deployment Mode is Server Balance, HTTP Content Routing, WSDL Content Routing, Offline Protection, or Transparent Servers.
  Note: If Deployment Mode is Offline Protection or Transparent Servers, you must select a server farm, even though the FortiWeb unit will allow connections to pass through instead of actively distributing connections. Therefore, if you want to govern connections for only a single real server, rather than a group of servers, you must configure a server farm with that single real server as its only member in order to select it in the policy.


Protected Servers
  Select a protected servers group to allow or reject connections based upon whether the Host: field in the HTTP header is empty or does or does not match the protected hosts group. For details, see Configuring protected servers on page 147. If you do not select a protected servers group, connections will be accepted or blocked based upon other criteria in the policy or protection profile, but regardless of the Host: field in the HTTP header. Attack log messages contain DETECT_ALLOW_HOST_FAILED when this feature does not detect an allowed protected host name.
  Note: Unlike HTTP 1.1, HTTP 1.0 does not require the Host: field. The FortiWeb unit will not block HTTP 1.0 requests for lacking this field, regardless of whether or not you have selected a protected servers group.

Web Protection Profile or XML Protection Profile
  The name of this drop-down list varies by your selection in Policy Type. Select the profile to apply to the connections accepted by this policy, or select Create New to add a new profile in a pop-up window, without leaving the current page. If you want to view the details of a profile, select the profile from the list and click View Profile Details. A protection profile details window opens. To return to the policy settings, click Back to Policy Settings. For details on specific protection profiles, see Configuring XML protection profiles on page 184, Configuring inline protection profiles on page 268, or Configuring offline protection profiles on page 274.
  Note: Depending on the profile types that the current operation mode supports, not all profiles may be available. For details, see Table 45 on page 119. XML protection profiles apply to reverse proxy mode only. Offline protection profiles apply to offline protection mode only. Inline protection profiles apply to any mode except offline protection.
  Note: Clients with source IP addresses designated as a trusted IP are exempt from being blocked by the protection profile. For details, see Configuring an IP list policy on page 220.

WAF Auto Learning Profile
  Select the auto-learning profile, if any, to use in order to discover attacks, URLs, and parameters in your web servers' HTTP sessions, or select Create New to add a new auto-learning profile in a pop-up window, without leaving the current page. For details, see Applying auto-learning profiles on page 278. Data gathered using an auto-learning profile can be viewed in an auto-learning report, and used to generate profiles. For details, see Auto learn on page 281.

HTTP Service
  Select the custom or predefined service that defines the TCP port number where the virtual server or bridge receives traffic, or select Create New to create a new service in a pop-up window, without leaving the current page. For details, see Configuring services on page 145. This option does not apply to true transparent proxy or transparent inspection modes.
  Note: This option only defines the port number. It does not specify SSL/TLS. For example, it is possible to configure a web server to listen on the well-known port number for HTTP (port 80), yet use SSL (HTTPS). To specify SSL/TLS, see HTTPS Service.


HTTPS Service
  Select the custom or predefined service that defines the TCP port number where the virtual server or bridge receives traffic, or select Create New to create a new service in a pop-up window, without leaving the current page. For details, see Configuring services on page 145.
  Enable if connections from HTTP clients to the FortiWeb unit or protected hosts use SSL. Also configure Certificate. FortiWeb units contain specialized hardware to accelerate SSL processing. Offloading SSL processing may improve the performance of secure HTTP (HTTPS) connections. SSL 3.0, TLS 1.0, and TLS 1.1 are supported. The FortiWeb unit handles SSL negotiations and encryption and decryption instead of the real servers, which is also known as offloading. Connections between the client and the FortiWeb unit will be encrypted. Connections between the FortiWeb unit and each web server will be clear text or encrypted, depending on SSL Server. This option appears only if the FortiWeb unit is operating in reverse proxy mode.
  Note: If the FortiWeb unit is operating in offline protection mode or either of the transparent modes, you must enable SSL in the server farm instead.
  Caution: You must enable either this option or SSL, if the connection uses SSL. Failure to enable an SSL option and provide a certificate for HTTPS connections will result in the FortiWeb unit being unable to decrypt connections, and therefore unable to scan HTML or XML content.

Blocking Port
  Choose the specific blocking port interface (that is, port1, port2, and so on) where TCP reset packets are sent. This option appears only if the FortiWeb unit is operating in offline protection mode.

Certificate
  Select the server certificate the FortiWeb unit will use when encrypting or decrypting SSL-secured connections, or select Create New to upload a new certificate in a pop-up window, without leaving the current page. For more information, see Uploading a certificate on page 88. This option appears only if HTTPS Service is enabled.

126

FortiWeb Web Application Firewall Version 4.0 MR2 Administration Guide Revision 10 http://docs.fortinet.com/ Feedback


Certificate Verification
Select the name of a certificate verifier, if any, to use when an HTTP client presents their personal certificate. (If you do not select one, the client is not required to present a personal certificate.) If the client presents an invalid certificate, the FortiWeb unit will not allow the connection. To be valid, a client certificate must:
- not be expired
- not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP) (see Configuring certificate verification rules on page 95)
- be signed by a certificate authority (CA) whose certificate you have imported into the FortiWeb unit (see Managing CA certificates on page 90); if the certificate has been signed by a chain of intermediate CAs, those certificates must be included in an intermediate CA group (see Certificate Intermediate Group)
- contain a CA field whose value matches the CA certificate
- contain an Issuer field whose value matches the Subject field in the CA certificate
Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the web site. You can require that clients present a certificate alternatively or in addition to HTTP authentication. For more information, see Configuring authentication policy on page 257. This option appears only if HTTPS Service is enabled, and only applies if the FortiWeb unit is operating in reverse proxy mode. SSL 3.0 or TLS 1.0 is required.
Note: If the connection fails when you have selected a certificate verifier, verify that the certificate meets the web browser's requirements. Web browsers may have their own certificate validation requirements in addition to FortiWeb's requirements. For example, personal certificates for client authentication may be required to either:
- not be restricted in usage/purpose by the CA, or
- contain a Key Usage field that contains Digital Signature, or
- have an ExtendedKeyUsage or EnhancedKeyUsage field whose value contains Client Authentication
If the certificate does not satisfy browser requirements, although it may be installed in the browser, when the FortiWeb unit requests the client's certificate, the browser may not present a certificate selection dialog to the user, or the dialog may not contain that certificate. In that case, verification will fail. For browser requirements, see your web browser's documentation.

Certificate Intermediate Group
Select the name of a group of intermediate certificate authority (CA) certificates, if any, that will be presented to clients in order for them to validate the server certificate's CA signature. This can prevent clients from getting certificate warnings when the server certificate configured in Certificate has been signed by an intermediate CA, rather than directly by a root CA or other CA currently trusted by the client. Alternatively, you can include the entire signing chain in the server certificate itself before uploading it to the FortiWeb unit, thereby completing the chain of trust with a CA already known to the client. This option appears only if HTTPS Service is enabled and the FortiWeb unit is operating in reverse proxy mode.

SSL Server
Enable to use SSL to encrypt connections from the FortiWeb unit to protected web servers. Also configure Certificate. Disable to pass traffic to protected web servers in clear text. To test whether the web server supports SSL connections, click SSL Support Test. This option appears only in reverse proxy mode. (The FortiWeb unit cannot act as an SSL terminator or initiator in offline protection mode or either of the transparent modes.)
Note: Enable only if the protected host supports SSL.
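The validity rules listed under Certificate Verification, worked through as an added Go example (not FortiWeb code). It uses Go's standard crypto/x509 library to build a constructed root CA and personal certificates, then checks expiry, revocation (a serial-number set stands in for the CRL/OCSP lookup), the chain to an imported CA, the Issuer/Subject match, and the Client Authentication extended key usage; all names and values are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey; when parent is nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA builds a self-signed CA, standing in for a CA certificate imported into the FortiWeb unit.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// NewClientCert issues a personal (user) certificate signed by the given CA.
func NewClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, serial int64,
	notAfter time.Time, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}, ca, caKey)
	return cert, err
}

// VerifyClientCert applies the checks listed above: not expired, not revoked (revoked stands in
// for the CRL/OCSP lookup), chained to an imported CA through any intermediates, Issuer equal to
// the signing CA's Subject, and permitted for client authentication (no EKU means unrestricted).
func VerifyClientCert(cert *x509.Certificate, roots, intermediates *x509.CertPool,
	revoked map[string]bool, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate is expired or not yet valid")
	}
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate is revoked")
	}
	chains, err := cert.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		CurrentTime:   now,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if len(chains[0]) < 2 {
		return errors.New("certificate was not issued by a trusted CA")
	}
	if signer := chains[0][1]; cert.Issuer.String() != signer.Subject.String() {
		return errors.New("issuer does not match the CA subject")
	}
	return nil
}

func main() {
	ca, caKey, err := NewCA("Constructed Root CA")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	now := time.Now()
	alice, _ := NewClientCert(ca, caKey, "alice", 10, now.Add(time.Hour), []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	fmt.Println("alice:", VerifyClientCert(alice, roots, nil, nil, now))
}
```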


Persistent Server Sessions
Enter the maximum number of concurrent TCP client connections that can be accepted by this policy. The maximum number of HTTP sessions established with each server depends on this field, and whether you have selected a single real server or a server farm and the Load Balancing Algorithm. For example, if you set the value of Persistent Server Sessions to 10 000 and there are 4 real servers in a server farm that uses Round Robin-style load-balancing, up to 10 000 client connections would be accepted, resulting in up to 2 500 HTTP sessions evenly distributed to each of the 4 real servers. Each model of FortiWeb unit has a maximum allowed number of persistent sessions. The Edit Policy dialog lists the minimum and maximum for your FortiWeb model next to this field. For more specifications, see Appendix B: Maximum values on page 397.

Monitor Mode
When enabled, this mode treats all blocking actions (deny, redirect, and so on) as if they were the Alert action. This enables FortiWeb to log attacks and complete processing of the connection. This is needed to let the auto-learning feature collect more information to build profiles of attacks. If auto-learning is not enabled, clear this option. See Tune up alerts on page 30.

URL Case Sensitivity
Enable to differentiate uniform resource locators (URLs) according to upper case and lower case letters for features that act upon the URLs in the headers of HTTP requests, such as: start page rules, IP list rules, and page access rules. For example, when this option is enabled, an HTTP request involving http://www.Example.com/ would not match profile features that specify http://www.example.com (the difference is the lower case "e").

Comments
Enter a description or other comment. The description may be up to 35 characters long.

Enabling or disabling a policy


You can individually enable and disable policies.
Caution: When the operation mode is reverse proxy, disabling a policy could block all traffic if no remaining active policies match that traffic. That is, if no policies exist or none are enabled, the FortiWeb unit will deny HTTP/HTTPS traffic.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.

To enable or disable a policy
1 Go to Server Policy > Policy > Policy.
2 In the row corresponding to the policy that you want to enable, mark the check box in the Enable column.
3 In the row corresponding to the policy that you want to disable, clear the check box in the Enable column.
To determine whether the policy is applicable, see the column Status on page 121.


Configuring servers
Server Policy > Server enables you to configure various types of servers in your network. This section includes the following topics:
- Configuring virtual servers
- Configuring physical servers
- Configuring domain servers
- Grouping physical and domain servers into server farms
- Configuring HTTP content routing policy
- Configuring HTTP conversion policy

Configuring virtual servers


Server Policy > Server > Virtual Server displays the list of virtual servers. Before you can create a policy, you must first configure a virtual server that defines the network interface or bridge and IP address where traffic destined for an individual real server or server farm will arrive. When the FortiWeb unit receives traffic destined for a virtual server, it can then forward the traffic to a real server or a server farm. The FortiWeb unit identifies traffic as being destined for a specific virtual server if:
- the traffic arrives on the network interface or bridge associated with the virtual server
- for reverse proxy mode, the destination address is the IP address of a virtual server (the destination IP address is ignored in other operation modes, except that it must not be identical with the real server's IP address)
Caution: Virtual servers can be on the same subnet as real servers. This configuration creates a one-arm HTTP proxy. For example, the virtual server 10.0.0.1/24 could forward to the real server 10.0.0.2. However, this is not recommended. Unless your network's routing configuration prevents it, it could allow clients that are aware of the real server's IP address to bypass the FortiWeb unit by accessing the real server directly.

Virtual servers are applied by selecting them within a policy. For details, see Configuring server policies on page 118. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 48: Server Policy > Server > Virtual Server tab

Create New
Click to add a virtual server.

#
Displays the index number of the entry in the list.

Name
Displays the name of the entry.

IP Address
Displays the IP address and subnet of the virtual server.

Interface
Displays the network interface or bridge where traffic destined for the virtual server will arrive.

Enable
Mark the check box to enable use of the virtual server. For details, see Enabling or disabling a virtual server on page 130.

Delete (No column heading.)
Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy.

Edit (No column heading.)
Click the Edit icon to modify the entry.

To add a virtual server
1 Go to Server Policy > Server > Virtual Server.
2 Click Create New. A dialog appears.
3 Configure the following:

Name
Type the name of the virtual server.

IP Address
Type the IP address and subnet of the virtual server. If the FortiWeb unit is operating in offline protection mode or either of the transparent modes, this IP address will be ignored when deciding whether or not to apply a policy to the connection, and can therefore be any IP address, except that it must not be identical to the real server. If the virtual server's IP is identical to the real server, the configuration will not function.

Interface
Select the network interface or bridge to which the virtual server is bound, and where traffic destined for the virtual server will arrive.

4 Click OK.
To define the listening port of the virtual server, create a custom service and select it in the policy where the virtual server is also selected. For details, see Configuring services on page 145. To apply the virtual server, you must select it in a policy. For details, see Configuring server policies on page 118.

Enabling or disabling a virtual server


You can individually enable and disable virtual servers. Disabled virtual servers can be selected in a policy, but will result in a policy that is unable to forward traffic until the virtual server is enabled.


By default, virtual servers are enabled, and the FortiWeb unit can forward traffic from them.
Caution: Disabling a virtual server could block traffic matching policies in which you have selected the virtual server. For details, see Configuring server policies on page 118.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.

To enable or disable a virtual server
1 Go to Server Policy > Server > Virtual Server.
2 In the row corresponding to the virtual server that you want to enable, in the Enable column, mark the check box.
3 In the row corresponding to the virtual server that you want to disable, in the Enable column, clear the check box.

Configuring physical servers


Server Policy > Server > Physical Server displays the list of physical servers. Before you can create a policy, you must first configure one or more domain servers or physical servers. Domain servers use domain names while physical servers use IP addresses. A physical server defines the IP address of an individual real server or a member of a server farm that is the ultimate destination of traffic received by the FortiWeb unit at a virtual server address, and where the FortiWeb unit will forward traffic after applying the protection profile and other policy settings. You can also use domain names of the protected real servers. For details, see Configuring domain servers on page 133.

Note: A physical server is usually not the same as a protected hosts group.

Physical servers versus protected hosts


Unlike a physical server, which is a single network IP, a protected hosts group should contain all network IPs, virtual IPs, and domain names that clients use in the Host: field of the HTTP header to access the web server. For example, clients often access a web server via a public network such as the Internet. Therefore the protected hosts group contains domain names, public IP addresses and public virtual IPs on a network edge router or firewall that are routable from that public network. But the physical server is only the IP address that the FortiWeb unit uses to forward traffic to the server and, therefore, is often a private network address, unless the FortiWeb unit is operating in a mode other than reverse proxy. Physical servers are applied either by selecting them within a policy, or grouping them into a server farm that is selected in a policy.


Note: Server health checks cannot be used with an individual physical server. If you want to monitor a server for responsiveness, you must group one or more physical servers into a server farm.

For details, see Configuring server policies on page 118 or Grouping physical and domain servers into server farms on page 135. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 49: Server Policy > Server > Physical Server tab

Create New
Click to add a physical server.

#
Displays the index number of the entry in the list.

Name
Displays the name of the entry.

IP Address
Displays the IP address of the physical server.

Enable
Mark the check box to enable use of the physical server. For details, see Enabling or disabling a physical server on page 133.

Delete (No column heading.)
Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy.

Edit (No column heading.)
Click the Edit icon to modify the entry.

To add a physical server
1 Go to Server Policy > Server > Physical Server.
2 Click Create New. A dialog appears.
3 Configure the following:

Name
Enter the name of the physical server.

IP Address
Enter the IP address of the physical server.


4 Click OK.
To forward traffic from a virtual server to multiple physical servers, you must group the physical servers into a server farm. For more information, see Grouping physical and domain servers into server farms on page 135. To apply the physical server, you must select it in a policy, or group it into a server farm that is selected in a policy. For details, see Configuring server policies on page 118.

Enabling or disabling a physical server


You can individually enable and disable physical servers. You can select disabled physical servers for a server farm, but they will not be used when forwarding traffic. By default, physical servers are enabled and the FortiWeb unit can forward traffic to them. To prevent traffic from being forwarded to a physical server, such as when the server will be unavailable for a long time due to repairs, you can disable it. If the disabled physical server is a member of a load-balanced server farm, the FortiWeb unit will automatically forward connections to other enabled physical servers in the server farm. For XPath or WSDL content routed server farms, the FortiWeb unit will forward connections to the first physical server in the server farm.
Note: If the physical server is a member of a server farm and will be unavailable only temporarily, you can alternatively configure a server health check to automatically prevent the FortiWeb unit from forwarding traffic to that physical server when it is unresponsive. For details, see Configuring server health checks on page 143.
Caution: Disabling a physical server could block traffic matching policies in which you have selected the physical server, or selected a server farm in which the physical server is a member. For details, see Configuring server policies on page 118.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.

To enable or disable a physical server
1 Go to Server Policy > Server > Physical Server.
2 In the row corresponding to the physical server that you want to enable, mark the check box in the Enable column.
3 In the row corresponding to the physical server that you want to disable, clear the check box in the Enable column.

Configuring domain servers


Server Policy > Server > Domain Server displays the list of domain servers. Before you can create a policy, you must first configure one or more domain servers or physical servers. Domain servers use domain names while physical servers use IP addresses.


Domain servers define an individual server or a member of a server farm that is the ultimate destination of traffic received by the FortiWeb unit at a virtual server address, and where the FortiWeb unit will forward traffic after applying the protection profile and other policy settings. Domain servers are applied either by selecting them within a policy, or grouping them into a server farm that is selected in a policy.
Note: Server health checks cannot be used with an individual domain server. If you want to monitor a server for responsiveness, you must group one or more domain servers into a server farm.

For details, see Configuring server policies on page 118 or Grouping physical and domain servers into server farms on page 135. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 50: Server Policy > Server > Domain Server tab

Create New
Click to add a domain server.

#
Displays the index number of the entry in the list.

Name
Displays the name of the entry.

Domain
Displays the domain name of the domain server.

Enable
Mark the check box to enable use of the domain server. For details, see Enabling or disabling a domain server on page 135.

Delete (No column heading.)
Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy.

Edit (No column heading.)
Click the Edit icon to modify the entry.

To add a domain server
1 Go to Server Policy > Server > Domain Server.
2 Click Create New. A dialog appears.
3 Configure the following:


Name
Enter the name of the domain server.

Domain
Enter the domain name of the domain server.

4 Click OK.
To forward traffic from a virtual server to multiple domain servers, you must group the domain servers into a server farm. For more information, see Grouping physical and domain servers into server farms on page 135. To apply the domain server, you must select it in a policy, or group it into a server farm that is selected in a policy. For details, see Configuring server policies on page 118.

Enabling or disabling a domain server


You can individually enable and disable domain servers. Disabled domain servers can be selected in a server farm, but will not be used when forwarding traffic. By default, domain servers are enabled and the FortiWeb unit can forward traffic to them. To prevent traffic from being forwarded to a domain server, such as when the server will be unavailable for a long time due to repairs, you can disable the domain server. If the disabled domain server is a member of a load-balanced server farm, the FortiWeb unit will automatically forward connections to other enabled domain servers in the server farm. For XPath or WSDL content routed server farms, the FortiWeb unit will forward connections to the first domain server in the server farm.
Note: If the domain server is a member of a server farm and will be unavailable only temporarily, you can alternatively configure a server health check to automatically prevent the FortiWeb unit from forwarding traffic to that domain server when it is unresponsive. For details, see Configuring server health checks on page 143.
Caution: Disabling a domain server could block traffic matching policies in which you have selected the domain server, or selected a server farm in which the domain server is a member. For details, see Configuring server policies on page 118.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.

To enable or disable a domain server
1 Go to Server Policy > Server > Domain Server.
2 In the row corresponding to the domain server that you want to enable, mark the check box in the Enable column.
3 In the row corresponding to the domain server that you want to disable, clear the check box in the Enable column.

Grouping physical and domain servers into server farms


Server Policy > Server > Server Farm displays the list of server farms. You need to create physical or domain servers before you can create a working server farm. Server farms define a group of physical and domain servers (real servers) among which the FortiWeb unit will distribute connections, or where the connections will pass through to, depending on the FortiWeb unit's operating mode. (Reverse proxy mode actively distributes connections; offline protection and both transparent modes do not.)


Reverse Proxy mode: When the FortiWeb unit receives traffic destined for a virtual server, it can forward the traffic to a physical or domain server or a server farm. If you have configured the policy to forward traffic to a server farm, the connection is routed to one of the physical or domain servers in the server farm. Which of the physical or domain servers receives the connection depends on your configuration of the load-balancing algorithm, weight, server health checking, or content routing by XPath expressions, HTTP content or WSDL content. To prevent traffic from being forwarded to unavailable real servers, the availability of physical and domain servers in a server farm can be verified using a server health check. Whether the FortiWeb unit will redistribute or drop the connection when a physical or domain server in a server farm is unavailable varies by the availability of other members and by your configuration of the Deployment Mode option in the policy. For details, see Deployment Mode on page 123.

Offline protection/transparent modes: When the FortiWeb unit receives traffic destined for a virtual server or passing through a bridge, it allows the traffic to pass through to members of the server farm.

Server farms are applied by selecting them within a policy. For details, see Configuring server policies on page 118. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 51: Server Policy > Server > Server Farm tab

Create New
Click to add a server farm.

#
Displays the index number of the entry in the list.

Server Farm Name
Displays the name of the entry.

Physical Server Count
Displays the number of physical and domain servers that are members of the server farm.

Delete (No column heading.)
Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy.

Edit (No column heading.)
Click the Edit icon to modify the entry.

Note: Before configuring a server farm, you must first configure the real servers that will be members of the server farm. For details, see Configuring physical servers on page 131.

To configure a server farm
1 Go to Server Policy > Server > Server Farm.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 Configure the following:
4 In Server Farm Name, type a name for the server farm. This field cannot be modified if you are editing an existing server farm. To modify the name, delete the entry, then recreate it using the new name.
5 In Comments, type a description for the server farm.
6 From the Type list, select the method of distribution that the FortiWeb unit will use when forwarding connections to the real servers in this server farm. If you select HTTP Content Routing from the Type list, continue with the next step. Otherwise, go to step 8.
7 In some cases, HTTP host names and URLs must be converted before HTTP content can be routed to a specific real server. For more information, see Configuring HTTP conversion policy on page 141.
8 Click OK.
9 Click Create New. A dialog appears.


10 Configure the following:

ID
Enter the index number of the real server entry within the server farm, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number. The first real server will receive connections if you have configured XPath or WSDL content routing and the other server is unavailable. For round robin-style load-balancing, the index number indicates the order in which connections will be distributed.

Server Type
Select either Physical Server or Domain Server. For details, see Configuring physical servers on page 131 and Configuring domain servers on page 133.

Physical Server / Domain Server
If the server type is physical, select the name of a physical server that will be a member of the server farm. If the server type is domain, select the name of a domain server that will be a member of the server farm.

Port
Type the TCP port number where the real server listens for connections.

Note: The remainder of the GUI items depend on the Type selected when initially creating the server farm.

Weight
If the server farm will be used with the weighted round-robin load-balancing algorithm, type the numerical weight of the real server. Real servers with a greater weight will receive a greater proportion of connections.

XPATH Expression
Click the icon to display a pop-up window that enables you to enter an XPath expression. HTTP requests with content matching this expression will be routed to this real server.
Note: For web service connections, you can alternatively or additionally configure the WSDL Content Routing option.

WSDL Content Routing
Select the name of the WSDL content routing group, if any, that defines web services that will be routed to this real server. For information on configuring a WSDL content routing group, see Configuring WSDL content routing groups on page 173.
Note: You can alternatively or additionally configure the XPATH Expression option.

HTTP Content Routing
Select the HTTP content routing policy to use to route HTTP requests to a specific real server in a server farm. For more information, see Configuring HTTP content routing policy on page 139.


SSL
Enable if connections to the server use SSL, and if the FortiWeb unit is operating in a mode other than reverse proxy. Also configure Certificate File. Unlike HTTPS Service in policies, when you enable this option, the FortiWeb unit will not apply SSL. Instead, it will use the certificate to decrypt and scan connections before passing the encrypted traffic through to the web servers or clients. SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
Caution: You must enable either this option or HTTPS Service if the connection uses SSL. Failure to enable an SSL option and provide a certificate will result in the FortiWeb unit being unable to decrypt connections, and therefore unable to scan HTML or XML content.
Note: When this option is enabled, the web server must be configured to apply SSL. The FortiWeb unit will use the certificate to decrypt and scan traffic only. It will not apply SSL to the connections.
Note: Ephemeral (temporary key) Diffie-Hellman exchanges are not supported if the FortiWeb unit is operating in offline protection mode.

Certificate File
Select the real server's certificate that the FortiWeb unit will use when decrypting SSL-secured connections, or select Create New to upload a new certificate in a pop-up window, without leaving the current page. For more information, see Uploading a certificate on page 88. This option appears only if SSL is enabled.

If the server farm will be used with a policy whose Deployment Mode is Content Routing or WSDL Content Routing, place the real server that you want to be the failover first in the list of real servers in the server farm. In content routing or WSDL content routing, each server in the server farm may not host identical web services. If a real server is unresponsive to the server health check, the FortiWeb unit will forward subsequent connections to the first real server in the server farm, which will be considered to be the failover. Make sure the first real server can act as a backup for all other servers in the server farm.
11 Repeat the previous step for each real server that you want to add to the server farm.
12 If you need to modify a real server, click its Edit icon. To remove a single real server from the server farm, click its Delete icon. To remove all real servers from the server farm, click the Clear icon.
13 Click OK.
To monitor members of the server farm for responsiveness, configure a server health check that will be used with the server farm. For details, see Configuring server health checks on page 143. To use a server farm as the destination for web or web services connections, select it when configuring a policy. For details, see Configuring server policies on page 118.

Configuring HTTP content routing policy


Server Policy > Server > HTTP Content Routing Policy displays the HTTP Content Routing Policy window. An HTTP content routing policy protects the identity of internal host names or URLs used in a server farm by routing connections to the appropriate real servers. HTTP content routing is beneficial in cases where one virtual server provides the interface for many physical web servers. With content routing enabled, you can route web traffic according to URL or host. In some cases, HTTP requests must be converted before HTTP content routing can occur. For more information, see Configuring HTTP conversion policy on page 141.


To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 52: Server Policy > Server > HTTP Content Routing Policy tab

GUI item                Description
Create New              Click to add an HTTP content routing policy.
#                       Displays the index number of the entry in the list.
Policy Name             Displays the name of the policy.
(No column heading.)    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server farm or policy. Click the Edit icon to modify the entry.

To configure an HTTP content routing policy
1 Go to Server Policy > Server > HTTP Content Routing Policy.
2 Click Create New.
A dialog appears.

3 In Name, type the name of the HTTP content routing policy.
4 Configure the following:

GUI item        Description
Host status     Select to enable the Host field.
Host            Choose whether routing will be done based on a specific IP or Host. Enter the IP address or host name by which HTTP requests are routed to the real server. Leave this field empty if routing is to be done based only on the URL.
Type            Select the method used to match the URL upon which routing will take place. If matching is done according to Host, choose Regular Expression and add "\/" (a back slash and forward slash with no space between) in the URL pattern, such as \/example.
URL pattern     Enter the specific request file to be routed.

5 Click OK.

Below are two examples of how to use HTTP content routing.

Example 1 - HTTP content routing according to URL
Your network has one virtual server (front end) with three physical web servers (back end). The front-end server has the URL www.example.com. Its back-end applications are differentiated by directories, such as: /games, /school and /work. The back-end servers were configured with the following IP addresses:
10.5.5.11  games application
10.5.5.12  school application
10.5.5.13  work application
When HTTP content routing is enabled, HTTP requests to www.example.com/school are automatically routed to the appropriate back-end web server, 10.5.5.12. Similarly, requests for /games go to 10.5.5.11 and /work go to 10.5.5.13.

Example 2 - HTTP content routing according to Host
Your network has three different hosts (back end) that all terminate on the same virtual server IP address (front end). Requests need to be routed to different hosts at the back end. The back-end hosts are configured as:
www.example1.com
www.example2.com
www.example3.com
When HTTP content routing is enabled, HTTP requests to www.example1.com are automatically routed to the appropriate back-end host.

Configuring HTTP conversion policy


Server Policy > Server > HTTP Content Conversion Policy displays existing conversion policies. An HTTP conversion policy is used only in situations where HTTP requests received by the FortiWeb unit include a host name or URL that needs to be converted before the request is routed to a real server (forward conversion), or where the "Location" field in an HTTP response needs to be converted to a host name or URL (reverse conversion). This enables bidirectional conversion of URLs and host names for HTTP content routing. For more information, see Configuring HTTP content routing policy on page 139. The HTTP conversion policy is used as part of configuring a server farm, which is in turn used as part of an overall server policy. For more information on server farm configuration, see Grouping physical and domain servers into server farms on page 135.
Caution: When configuring HTTP conversion policy, check to see whether there are any URL rewriting policies in use that might conflict with the HTTP conversion policy. If conflicts occur, the URL rewriting policy takes priority over the HTTP conversion policy. For more information on URL rewriting policy, see Configuring URL rewriting policy on page 244.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.


Table 53: Server Policy > Server > HTTP Content Conversion Policy tab

GUI item                Description
Create New              Click to add an HTTP content conversion policy.
#                       Displays the index number of the entry in the list.
Policy Name             Displays the name of the policy.
(No column heading.)    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server farm or policy. Click the Edit icon to modify the entry.

To add an HTTP Content Conversion Policy
1 Go to Server Policy > Server > HTTP Content Conversion Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
A dialog appears.

3 In Name, type a name for the HTTP conversion policy. This field cannot be modified if you are editing an existing HTTP conversion policy. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
A dialog appears.


6 Configure the following:

GUI item            Description
ID                  Enter the index number of the conversion policy, or keep the default value of auto to let the FortiWeb unit automatically assign the next available index number.
Conversion Method   Select the HTTP conversion method. The conversion method modifies the HTTP packet header information, depending on whether the packet is an HTTP request or an HTTP response. With Forward Conversion, the FortiWeb unit converts the original URL in the HTTP request packet to a specific destination URL on a destination host. With Reverse Conversion, the FortiWeb unit modifies the HTTP response packet to the original URL.
Original URL        Enter the URL from the original HTTP request packet. The original URL is part of the HTTP request packet. Depending on the HTTP conversion method, the Original URL is converted to a destination URL (forward conversion), or inserted as the location for HTTP response packets (reverse conversion).
Destination URL     Enter the URL to be used as the destination URL. The FortiWeb unit converts the Original URL value to the Destination URL.
Original Host       Enter the host name from the original HTTP request packet. The host name is contained in the Host: field in the HTTP request packet.
Destination Host    Enter the name of the destination host. The FortiWeb unit converts the Original Host value to the Destination Host.

7 Click OK.
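The following is an added example, not FortiWeb code, that models the HTTP content routing policy (previous section) and the forward and reverse HTTP conversion policy (this section) so their interaction can be checked offline: a request is converted first, then routed, and a response Location header is converted back. The class names, field names, sample requests and addresses are constructed for this example.

```python
# Added example (not FortiWeb code): models the HTTP content routing and
# HTTP conversion policies described above so their interaction can be
# checked offline. Class names, fields and sample requests are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class ConversionPolicy:
    """One HTTP conversion entry: Original/Destination URL and Host."""
    original_url: str
    destination_url: str
    original_host: str
    destination_host: str


@dataclass
class RoutingRule:
    """One HTTP content routing policy; host=None means Host status is off."""
    host: Optional[str]
    match_type: str        # "simple" (path prefix) or "regex"
    url_pattern: str
    real_server: str


def _has_prefix(path: str, prefix: str) -> bool:
    """Prefix match on whole path segments, so /school does not match /schools."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def parse_request(raw: str) -> Tuple[str, str, str]:
    """Return (method, path, host) from the request line and Host: header."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ")
    host = ""
    for line in lines[1:]:
        if not line:
            break                       # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return method, path, host


def forward_convert(path, host, policies: List[ConversionPolicy]):
    """Forward conversion: rewrite the request URL and Host before routing."""
    for p in policies:
        if p.original_host and host == p.original_host:
            host = p.destination_host
        if p.original_url and _has_prefix(path, p.original_url):
            path = p.destination_url + path[len(p.original_url):]
    return path, host


def route(path, host, rules: List[RoutingRule], failover: str) -> str:
    """First matching rule wins; otherwise the failover, which the guide
    says should be the first real server in the farm."""
    for r in rules:
        if r.host is not None and r.host != host:
            continue
        if r.match_type == "regex":
            if re.search(r.url_pattern, path):
                return r.real_server
        elif _has_prefix(path, r.url_pattern):
            return r.real_server
    return failover


def handle_request(raw, policies, rules, failover):
    """Conversion first, then routing, in the order the guide describes."""
    _method, path, host = parse_request(raw)
    path, host = forward_convert(path, host, policies)
    return route(path, host, rules, failover), path, host


def reverse_convert(location: str, policies: List[ConversionPolicy]) -> str:
    """Reverse conversion: map a response Location header back to the
    original host and URL so internal names do not reach the client."""
    parts = urlsplit(location)
    host, path = parts.netloc, parts.path
    for p in policies:
        if p.destination_host and host == p.destination_host:
            host = p.original_host
        if p.destination_url and _has_prefix(path, p.destination_url):
            path = p.original_url + path[len(p.destination_url):]
    return urlunsplit((parts.scheme, host, path, parts.query, parts.fragment))


# Constructed data mirroring Example 1 (route by URL) and Example 2 (route
# by Host, using the "\/" regex pattern the guide calls for).
URL_RULES = [RoutingRule(None, "simple", "/games", "10.5.5.11"),
             RoutingRule(None, "simple", "/school", "10.5.5.12"),
             RoutingRule(None, "simple", "/work", "10.5.5.13")]
HOST_RULES = [RoutingRule("www.example%d.com" % i, "regex", r"\/", "10.6.6.%d" % i) for i in (1, 2, 3)]
CONVERSION = [ConversionPolicy("/school", "/apps/school",
                               "www.example.com", "school.internal")]
INTERNAL_RULES = [RoutingRule("school.internal", "regex", r"\/", "10.5.5.12")]
```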

Configuring server health checks


Server Policy > Server Health Check > Server Health Check displays the list of server health checks. To create a policy that will include a server farm whose servers are monitored for responsiveness, you must first create a server health check to do the monitoring.


Server health checks poll real servers that are members of the server farm to determine their availability (that is, whether or not the server is responsive) before forwarding traffic. Server health check configurations can specify TCP, HTTP, or ICMP ECHO (ping). A health check occurs at the interval, in seconds, that you configure. If a reply is not received within the timeout period, and you have configured the health check to retry, it will attempt a health check again; otherwise, the server is deemed unresponsive. The FortiWeb unit will compensate by disabling traffic to that server until it becomes responsive again.
Note: If a real server will be unavailable for a long period, such as when a server is undergoing hardware repair or when you have removed a server from the server farm, you may improve the performance of your FortiWeb unit by disabling the real server, rather than allowing the server health check to continue to check for responsiveness. For details, see Configuring physical servers on page 131.

Server health checks are applied by selecting them in a policy, for use with the entire server farm. For details, see Configuring server policies on page 118. To view the status currently being detected by server health checks, use the Service Status widget on the dashboard. For details, see Service Status widget on page 49. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 54: Server Policy > Server Health Check > Server Health Check tab

GUI item                Description
Create New              Click to add a server health check.
#                       Displays the index number of the entry in the list.
Name                    Displays the name of the entry.
Type                    Displays the protocol that the server health check will use to contact the real server: Disabled (the server health check is currently disabled), Ping, TCP, or HTTP.
Details                 Displays the URL that will be used in the HTTP GET request if the server health check Type is HTTP. If the real server successfully returns this content, it is considered to be responsive.
(No column heading.)    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server policy. Click the Edit icon to modify the entry.

To add a server health check
1 Go to Server Policy > Server Health Check > Server Health Check.
2 Click Create New.
A dialog appears.


Figure 28: Adding a server health check

3 In Name, type the name of the server health check.
4 From Protocol Type, select the protocol that the server health check will use to contact the real server, one of: Ping, TCP, or HTTP.
5 Configure the following:

GUI item        Description
URL Path        Enter the portion of the URL, such as /index.html, that follows the URL's domain name or IP address portion. This path will be used in the HTTP GET request to verify the responsiveness of the server. If the real server successfully returns this content, it is considered to be responsive. This option appears only if Protocol Type is HTTP.
Timeout         Enter the number of seconds to wait for a reply after sending the server health check before that attempt is considered a failed health check.
Retry Times     Enter the number of times, if any, a failed health check will be retried before the server is considered unresponsive.
Interval        Enter the number of seconds between each server health check.

6 Click OK.
To apply a server health check, select it when configuring a policy that uses a server farm. For details, see Configuring server policies on page 118.
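An added example, not FortiWeb code, of the Timeout, Retry Times and Interval semantics described in this section: one check is the first attempt plus the configured retries, a server is deemed unresponsive only when all attempts fail, a disabled server is not polled at all, and rounds repeat at the interval. The probe is injected so the logic runs offline; the HTTP probe's assumption that a 200 reply means the content was returned, and the server names and scripted results, are constructed for this example.

```python
# Added example (not FortiWeb code): a health-check scheduler with the
# Timeout, Retry Times and Interval semantics described above. The probe
# is injected so the logic runs offline; names and servers are constructed.
import http.client
import time
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class HealthCheck:
    name: str
    protocol: str            # "ping", "tcp" or "http"
    url_path: str = "/"      # HTTP GET path, used only when protocol == "http"
    timeout: float = 3.0     # seconds to wait for one reply
    retry_times: int = 2     # extra attempts after a failed attempt
    interval: float = 10.0   # seconds between checks


@dataclass
class RealServer:
    ip: str
    enabled: bool = True     # a disabled server is not polled (see the Note above)
    responsive: bool = True


Probe = Callable[[RealServer, HealthCheck], bool]


def http_probe(server: RealServer, check: HealthCheck) -> bool:
    """Real HTTP probe: GET url_path with the configured timeout. Assumes a
    200 reply means the content was returned; an error or timeout fails."""
    try:
        conn = http.client.HTTPConnection(server.ip, timeout=check.timeout)
        conn.request("GET", check.url_path)
        status = conn.getresponse().status
        conn.close()
        return status == 200
    except (OSError, http.client.HTTPException):
        return False


def run_check(server: RealServer, check: HealthCheck, probe: Probe) -> bool:
    """One health check: the first attempt plus retry_times retries. The
    server is deemed unresponsive only when every attempt fails."""
    for _attempt in range(1 + check.retry_times):
        if probe(server, check):
            return True
    return False


def poll_farm(servers: List[RealServer], check: HealthCheck,
              probe: Probe) -> List[str]:
    """One round over the farm; returns the IPs that may receive traffic.
    Disabled servers are skipped instead of being polled."""
    eligible = []
    for s in servers:
        if not s.enabled:
            continue
        s.responsive = run_check(s, check, probe)
        if s.responsive:
            eligible.append(s.ip)
    return eligible


def monitor(servers, check, probe, rounds: int,
            sleep: Callable[[float], None] = time.sleep) -> List[List[str]]:
    """Repeat poll_farm every check.interval seconds for the given rounds."""
    history = []
    for i in range(rounds):
        history.append(poll_farm(servers, check, probe))
        if i < rounds - 1:
            sleep(check.interval)
    return history


def scripted_probe(script: Dict[str, List[bool]]) -> Probe:
    """Constructed offline probe: returns one scripted result per attempt
    per IP and False once a server's script runs out; counts attempts."""
    calls: Dict[str, int] = {}

    def probe(server: RealServer, check: HealthCheck) -> bool:
        calls[server.ip] = calls.get(server.ip, 0) + 1
        results = script.get(server.ip, [])
        return results.pop(0) if results else False

    probe.calls = calls         # exposed so attempt counts can be verified
    return probe
```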

Configuring services
Server Policy > Service displays predefined and custom services. Services define protocols and TCP port numbers and can be selected in a policy to define the traffic that the policy will match. While some predefined services are available (see Viewing the list of predefined services on page 146), you may need to configure your own custom services if your virtual servers will receive traffic on non-standard TCP port numbers. Before or during creating a policy, you must configure a service that defines the TCP port number where traffic destined for a virtual server will arrive. (Exceptions include policies whose Deployment Mode is Offline Protection, which do not require that you define a TCP port number using a service.) For details, see Configuring server policies on page 118.

Viewing the list of custom services


Server Policy > Service > Custom displays the list of custom services.


Custom services can be selected in a policy in order to define the protocol and listening port of a virtual server. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 55: Server Policy > Service > Custom tab

GUI item                Description
Create New              Click to add a custom service.
Service Name            Displays the name of the entry.
Detail                  Displays the protocol and TCP port number of the service.
(No column heading.)    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy. Click the Edit icon to modify the entry.

To add a custom service
1 Go to Server Policy > Service > Custom.
2 Click Create New.
A dialog appears.
3 Configure the following:

GUI item    Description
Name        Enter the name of the service.
Protocol    Only TCP is available.
Port        Enter the TCP port number of the service.

4 Click OK.
To use a custom service as the listening port of a virtual server, you must select it in a policy. For details, see Configuring server policies on page 118.

Viewing the list of predefined services


Server Policy > Service > Predefined displays the list of predefined services.


Predefined services can be selected in a policy in order to define the protocol and listening port of a virtual server. For details, see Configuring server policies on page 118. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 56: Server Policy > Service > Predefined tab

GUI item    Description
Name        Displays the name of the entry.
Detail      Displays the protocol and TCP port number of the service.

Configuring protected servers


Server Policy > Protected Servers > Protected Servers displays the list of protected server groups (also called a protected host group). A protected server group contains one or more IP addresses or fully qualified domain names (FQDNs). Each entry in the protected server group defines a virtual or real web host, according to the Host: field in the HTTP header of requests from clients that you want the FortiWeb unit to protect. For example, if your web servers receive requests with HTTP headers, such as:
GET /index.php HTTP/1.1
Host: www.example.com
you might define a protected server group with an entry of www.example.com and select it in the policy. This would reject requests that are not for that host.

Note: A protected hosts group is usually not the same as a real server.

Unlike a real server, which is a single IP at the network layer, a protected server group should contain all network IPs, virtual IPs, and domain names that clients use to access the web server at the application (HTTP) layer. For example, clients often access a web server via a public network such as the Internet. Therefore, the protected server group contains domain names, public IP addresses and public virtual IPs on a network edge router or firewall that are routable from that public network. But the physical server is only the IP address that the FortiWeb unit uses to forward traffic to the server and, therefore, is often a private network address (unless the FortiWeb unit is operating in offline protection or either of the transparent modes).
Protected server groups can be used by:
policies
input rules
server protection exceptions
start page rules
page access rules
IP list rules
allowed method exceptions
HTTP authentication rules
hidden fields rules

These rules can use protected host definitions to apply rules only to requests for a protected host. If you do not specify a protected server group in the rule, the rule will be applied based upon other criteria such as the URL, but regardless of the Host: field. Policies can use protected host definitions to block connections that are not destined for a protected host. If you do not select a protected server group in a policy, connections will be accepted or blocked regardless of the Host: field. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 57: Server Policy > Protected Servers > Protected Servers tab

GUI item                  Description
Create New                Click to add a protected server group.
#                         Displays the index number of the protected server group.
Name                      Displays the name of the entry.
Protected Server Count    Displays the number of hosts contained in the protected server group.
(No column heading.)      Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy or other item. Click the Edit icon to modify the entry.

To add a protected server group
1 Go to Server Policy > Protected Servers > Protected Servers.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.


3 In Name, type the name of the protected server group. This field cannot be modified if you are editing an existing protected server group. To modify the name, delete the entry, then recreate it using the new name.
4 From Default Action, select whether to Accept or Deny HTTP requests that do not match any of the host definitions that you will add to this protected server group.
5 Click OK.
6 Click Create New.
A dialog appears.
7 Configure the following:

GUI item    Description
ID          Enter the index number of the host entry within the protected server group, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.
Host        Enter the IP address or FQDN of a real or virtual web host, according to the Host: field in HTTP requests, that you want the FortiWeb unit to protect. If clients connect to your web servers through the IP address of a virtual server on the FortiWeb unit, this should be the IP address of that virtual server or any domain name to which it resolves, not the actual IP address of the web server. For example, if a virtual server 10.0.0.1/24 forwards traffic to the physical server 192.168.1.1, for protected hosts, you would enter:
            10.0.0.1, the address of the virtual server
            www.example.com, the domain name that resolves to the virtual server
Action      Select whether to Accept or Deny HTTP requests whose Host: field matches this host entry.

8 Repeat the previous step for each host that you want to add to the protected server group.
9 If you need to modify a host, click its Edit icon. To remove a single host from the protected server group, click its Delete icon. To remove all hosts from the protected server group, click the Clear icon.
10 Click OK.
To use a protected server group, you must select it in a policy, input rule, start page rule, page access rule, trusted IP rule, or hidden field rule. For details, see:
Configuring server policies on page 118
Configuring parameter validation input rules on page 194
Configuring page access rules on page 198
Configuring start page rules on page 213
Configuring URL access rules on page 218
Configuring URL access policy on page 216
Configuring allowed method exceptions on page 237
Configuring hidden field rules on page 241

Attack log messages contain DETECT_ALLOW_HOST_FAILED when this feature does not detect an allowed protected host name.
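An added example, not FortiWeb code, of how a protected server group is applied to the Host: field as this section describes: an explicit host entry's Action wins, the group's Default Action covers everything else, a policy with no group accepts regardless of Host:, and a denied request is tagged with the DETECT_ALLOW_HOST_FAILED log message named above. The class and function names, the group contents (which follow the guide's virtual server 10.0.0.1 / www.example.com example) and the sample requests are constructed; the handling of a :port suffix, letter case, an IPv6 literal and a missing Host: header are this example's own assumptions about normalization.

```python
# Added example (not FortiWeb code): applies a protected server group, with
# its per-host Action and Default Action, to the Host: field of a request.
# DETECT_ALLOW_HOST_FAILED is the log tag the guide names; everything else
# (names, group contents, sample requests, normalization) is constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HostEntry:
    host: str      # IP or FQDN exactly as clients use it (virtual server side)
    action: str    # "accept" or "deny"


@dataclass
class ProtectedServerGroup:
    name: str
    default_action: str        # applied when no entry matches
    entries: List[HostEntry]


def host_field(raw_request: str) -> Optional[str]:
    """Return the Host: header value normalized for comparison: lower-cased,
    with any :port removed (an IPv6 literal keeps its brackets). Returns
    None when the header is absent, as in an HTTP/1.0 request."""
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break                                  # end of headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            value = value.strip().lower()
            if value.startswith("["):              # e.g. [2001:db8::1]:443
                return value.split("]")[0] + "]"
            return value.split(":")[0]
    return None


def evaluate(group: Optional[ProtectedServerGroup],
             raw_request: str) -> Tuple[str, Optional[str]]:
    """Return (action, attack_log_tag). With no group selected in the policy
    the request is accepted regardless of Host:, as the guide notes."""
    if group is None:
        return "accept", None
    host = host_field(raw_request)
    action = group.default_action
    if host is not None:
        for e in group.entries:
            if e.host.lower() == host:
                action = e.action
                break
    tag = "DETECT_ALLOW_HOST_FAILED" if action == "deny" else None
    return action, tag


# Constructed group following the guide's example: clients reach the web
# server via virtual server 10.0.0.1 / www.example.com, never via the
# physical server's private address 192.168.1.1.
GROUP = ProtectedServerGroup("public-hosts", "deny", [
    HostEntry("10.0.0.1", "accept"),
    HostEntry("www.example.com", "accept"),
    HostEntry("[2001:db8::1]", "accept"),     # constructed IPv6 literal
])
```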

Configuring predefined patterns


Predefined patterns are data types and rules that are used by input rules to define the data type of an input, and by auto-learning profiles to detect valid input parameters.
This section includes the following topics:
Grouping predefined data types
Viewing the list of predefined data types
Grouping suspicious URLs
Viewing predefined URL rules

Grouping predefined data types


Server Policy > Predefined Pattern > Data Type Group displays the list of data type groups. A data type group defines which predefined data types (see Viewing the list of predefined data types on page 152) the FortiWeb unit will attempt to detect and track in input parameters when gathering data for an auto-learning report. For example, if you include the Email data type in the data type group, auto-learning profiles that use the data type group might discover that your web applications use a parameter named username whose value is an email address.
Tip: If you know that your network's HTTP sessions do not include a specific data type, omit it from the data type group to improve performance. The FortiWeb unit will not expend resources scanning traffic for that data type.

Data type groups are used by auto-learning profiles. For details, see Applying auto-learning profiles on page 278.
Note: Alternatively, you can automatically configure a data type group that includes all types by generating a default auto-learning profile. For details, see Generating an auto-learning profile and its components on page 281.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 58: Server Policy > Predefined Pattern > Data Type Group tab

GUI item                Description
Create New              Click to add a data type group.
#                       Displays the index number of the data type group.
Name                    Displays the name of the entry.
Count                   Displays the number of predefined data types included in this data type group.
(No column heading.)    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an auto-learning profile. Click the Edit icon to modify the entry.

To add a data type group
1 Go to Server Policy > Predefined Pattern > Data Type Group.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
A dialog appears.

3 In Name, type a name for the data type group. This field cannot be modified if you are editing an existing data type group. To modify the name, delete the entry, then recreate it using the new name.
4 For Type, enable the predefined data types that you want to include in the group. To view the regular expressions for the types of patterns that each data type will detect, see Viewing the list of predefined data types on page 152.
5 Click OK.


To use a data type group, select it when configuring an auto-learning profile. For details, see Applying auto-learning profiles on page 278.

Viewing the list of predefined data types


Server Policy > Predefined Pattern > Predefined Data Type displays the list of predefined data types. You select predefined data types in data type groups, which are used by input rules to define the data type of an input, and by auto-learning profiles to detect valid input parameters. For details, see Grouping predefined data types on page 150. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 59: Server Policy > Predefined Pattern > Predefined Data Type tab

GUI item     Description
Name         Select the blue arrow beside a pattern to expand the entry and display the individual rules contained in the entry. Displays the name of the data type.
             Address: Canadian postal codes and United States ZIP code and ZIP + 4 codes.
             Canadian Post Code: Canadian postal codes such as K2H 7B8.
             CA Province Name and Abbrev: Modern and older names and abbreviations of Canadian provinces in English, as well as some abbreviations in French, such as Quebec, IPE, Sask, and Nunavut. Does not detect province names in French.
             CA Social Insurance Number: Canadian Social Insurance Numbers (SIN) such as 123-456-789.
             China Post Code: Chinese postal codes such as 610000.
             Country Name and Abbrev: Country names, codes, and abbreviations in English characters, such as CA, Cote d'Ivoire, Brazil, Russian Federation, and Brunei.
             Credit Card Number: American Express, Carte Blanche, Diners Club, enRoute, Japan Credit Bureau (JCB), Master Card, Novus, and Visa credit card numbers.
             Date/Time: Dates and times in various formats such as +13:45 for time zone offsets, 1:01 AM, 1am, 23:01:01, and 01.01.30 AM for times, and 31.01.2009, 31/01/2009, 01/31/2000, 2009-01-3, 31-01-2009, 1-31-2009, 01 Jan 2009, 01 JAN 2009, 20-Jan-2009 and February 29, 2009 for dates.
             Email: Email addresses such as admin@example.com.
             Level 1 Password: A string of at least 6 characters, with one or more each of lower-case characters, upper-case characters, and digits, such as aBc123. Level 1 passwords are weak passwords, generally easier to crack than level 2 passwords.
             Level 2 Password: A string of at least 8 characters, with one or more each of lower-case characters, upper-case characters, digits, and special characters, such as aBc123$%.
             Markup/Code: HTML comments, wiki code, hexadecimal HTML color codes, quoted strings in VBScript and ANSI SQL, SQL statements, and RTF bookmarks such as: #00ccff, <!--A comment.-->, [link url="http://example.com/url?var=A&var2=B"], SELECT * FROM TABLE, and {\*\bkmkstart TagAmountText}. Does not match ANSI escape codes, which are instead detected as strings.
             Numbers: Numbers in various monetary, decimal, comma-separated value (CSV) and other formats such as 123, +1.23, $1,234,567.89, 1'235.140, and -123.45e-6. Does not detect hexadecimal numbers, which are instead detected as strings or code, and social security numbers, which are instead detected as strings.
             Phone: Australian, United States, and Indian phone numbers in various formats such as (123)456-7890, 1.123.456.7890, 0732105432, and +919847444225.
             Strings: Character strings such as alphanumeric words, credit card numbers, United States social security numbers (SSN), UK vehicle registration numbers, ANSI escape codes, and hexadecimal numbers in formats such as user1, 123-45-6789, ABC 123 A, 4125632152365, [32mHello, and 8ECCA04F.
             URI: Uniform resource identifiers (URI) such as http://www.example.com, ftp://ftp.example.com, and mailto:admin@example.com.
             US Social Security Number: United States social security numbers (SSN) such as 123-45-6789.
             US State Name and Abbrev: United States state names and modern postal abbreviations such as HI and Wyoming. Does not detect older postal abbreviations such as Fl. or Wyo.
             US Zip Code: United States ZIP code and ZIP + 4 codes such as 34285-3210.


Pattern      Displays the regular expression that is used to detect the presence of the data type when you select the blue arrow beside a pattern. Parameter values must match the regular expression in order for an auto-learning profile to successfully detect the data type, or for an input rule to permit the input.
Description  Displays a description when you select the blue arrow beside a pattern that may include examples of values that match the regular expression.

Grouping suspicious URLs


Server Policy > Predefined Pattern > Suspicious URL Rule displays the list of suspicious URL groups.
A suspicious URL group selects a subset of one or more of the predefined suspicious URLs (see Viewing predefined URL rules on page 155). It can also include existing custom suspicious rules (see Creating custom suspicious URLs on page 157). Each of those entries in the suspicious URL group defines a type of URL. The FortiWeb unit considers HTTP requests for these administratively sensitive URLs to be possibly malicious when gathering data for an auto-learning profile. HTTP requests for URLs typically associated with administrative access to your web applications or web server, for example, may be malicious if they originate from the Internet instead of your management LAN. You may want to discover such requests for the purpose of designing blacklist rules to protect your web server.
If you know that your network's web servers are not vulnerable to a specific type of suspicious URL, such as if the URL is associated with attacks on Microsoft IIS web servers but all of your web servers are Apache web servers, omit it from the suspicious URL group to improve performance. The FortiWeb unit will not expend resources scanning traffic for that type of suspicious URL.
Suspicious URL groups are used by auto-learning profiles. For details, see Applying auto-learning profiles on page 278. Before creating an auto-learning profile for web protection, you must configure a suspicious URL group that defines which suspicious URL types the FortiWeb unit will attempt to detect.
Note: Alternatively, you can automatically configure a suspicious URL group that includes all suspicious URL rules by generating a default auto-learning profile. For details, see Generating an auto-learning profile and its components on page 281.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 60: Server Policy > Predefined Pattern > Suspicious URL Rule tab

GUI item                Description
Create New              Click to add a suspicious URL group.
#                       Displays the index number of the suspicious URL group.
Name                    Displays the name of the entry.
Count                   Displays the number of predefined suspicious URL types included in this suspicious URL group. For details, see Viewing predefined URL rules on page 155.
(No column heading.)    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an auto-learning profile. Click the Edit icon to modify the entry.

To add a suspicious URL group
1 Go to Server Policy > Predefined Pattern > Suspicious URL Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type a name for the suspicious URL group. This field cannot be modified if you are editing an existing suspicious URL group. To modify the name, delete the entry, then recreate it using the new name.
4 Enable the predefined suspicious URL types that you want to detect:
  Apache
  IIS (Microsoft IIS)
  Tomcat (Apache Tomcat)
  To view detailed descriptions of the types of patterns that each suspicious URL type will detect, see Viewing predefined URL rules on page 155. For better performance, clear the Server Type options that do not apply.
5 Optionally, from Custom Suspicious Rule, select an existing custom suspicious URL rule. For more information on creating custom suspicious URL rules, see Creating custom suspicious URL rules on page 158.
6 Click OK.
To use a suspicious URL group, select it when configuring an auto-learning profile. For details, see Applying auto-learning profiles on page 278.

Viewing predefined URL rules


Server Policy > Predefined Pattern > Predefined URL Rule displays the list of predefined suspicious URL types.


Predefined suspicious URL types are selected in suspicious URL groups, which are used by auto-learning profiles to detect malicious HTTP requests by URL. For details, see Grouping suspicious URLs on page 154. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 61: Server Policy > Predefined Pattern > Predefined URL Rule tab

GUI item: Description
Name: Displays the name of the suspicious URL type. Select the blue arrow beside a pattern to expand the entry and display the individual rules contained in the entry.
Pattern: Displays the regular expression that is used to detect the presence of the suspicious URL. The requested URL must match the regular expression in order for an auto-learning profile to successfully detect the suspicious URL.
Description: Displays a description that may include examples of values that match the regular expression.

Configuring custom patterns


Go to Server Policy > Custom Pattern to configure the custom data types and custom suspicious URL rules. This section contains the following topics:
  Creating custom data types
  Creating custom suspicious URLs
  Creating custom suspicious URL rules

Creating custom data types


Server Policy > Custom Pattern > Custom Data Type displays defined custom data types.


You can add custom data types to input rules to define the data type of an input, and to auto-learning profiles to detect valid input parameters. You can use both custom data types and predefined data types. For details about predefined data types, see Viewing the list of predefined data types on page 152. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 62: Server Policy > Custom Pattern > Custom Data Type tab

GUI item: Description
Create New: Click to add a custom data type.
#: Displays the index number of the custom data type.
Name: Displays the name of the entry.

To create a custom data type
1 Go to Server Policy > Custom Pattern > Custom Data Type.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type a name for the custom data type. This field cannot be modified if you are editing an existing custom data type. To modify the name, delete the entry, then recreate it using the new name.
4 In Expression, enter a regular expression that defines this data type. To test the regular expression against sample text, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
5 Click OK.
To use a custom data type, select it when configuring an input rule. For details, see Configuring parameter validation input rules on page 194.

Creating custom suspicious URLs


Server Policy > Custom Pattern > Custom Suspicious URL displays the list of custom suspicious URL types. Configure custom suspicious URLs to augment the list of predefined suspicious URLs. A custom suspicious URL is not used directly: you add it to a custom suspicious URL rule, include that rule in a suspicious URL group, and select the group in an auto-learning profile, which then reports requests for URLs matching the expression. For details, see Grouping suspicious URLs on page 154.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Table 63: Server Policy > Custom Pattern > Custom Suspicious URL tab

GUI item: Description
Create New: Click to add a custom suspicious URL.
#: Displays the index number of the custom suspicious URL.
Name: Displays the name of the entry.

To create a custom suspicious URL
1 Go to Server Policy > Custom Pattern > Custom Suspicious URL.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type a name for the custom suspicious URL. This field cannot be modified if you are editing an existing custom suspicious URL. To modify the name, delete the entry, then recreate it using the new name.
4 In Expression, enter a regular expression that defines this suspicious URL. To test the regular expression against sample text, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
5 Click OK.
To use a custom suspicious URL, add it to a custom suspicious URL rule (see Creating custom suspicious URL rules on page 158), add that rule to a suspicious URL group (see Grouping suspicious URLs on page 154), and then select the group when configuring an auto-learning profile. For details, see Applying auto-learning profiles on page 278.
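The following is an added example, not code from the FortiWeb unit or from this guide, showing how the two kinds of custom pattern described in this section and in Creating custom data types behave when applied: a custom data type validates a parameter value, while a custom suspicious URL (grouped with predefined types by server type, as in Grouping suspicious URLs) matches the requested path. Every pattern, input rule and request line below is constructed for illustration; none of the patterns are FortiWeb's predefined ones, and whether the appliance's own validator anchors an expression implicitly is not stated by the guide, so the example anchors explicitly.

```python
"""Added example (not FortiWeb's own code): applying custom data types to
parameter values and a suspicious URL group to request paths. All patterns,
input rules and request lines are constructed for illustration."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Custom data types (constructed). Anchor them: an unanchored [0-9]+ is
# satisfied by the digits at the front of an injection string.
DATA_TYPES = {
    "account_id": r"^[0-9]{6,10}$",
    "email": r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$",
    "sort_order": r"^(asc|desc)$",
}

# An input rule (constructed): the data type each parameter must satisfy.
INPUT_RULES = {"id": "account_id", "email": "email", "sort": "sort_order"}


def validate_params(query_string, rules=INPUT_RULES, types=DATA_TYPES):
    """Return the names of parameters whose values fail their data type.
    Values are percent-decoded first, as the application would decode them."""
    failed = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        data_type = rules.get(name)
        if data_type is None:
            continue                      # parameter not covered by the rule
        if re.fullmatch(types[data_type], value) is None:
            failed.append(name)
    return failed


def partial_match_trap(value):
    """What an unanchored expression accepts: True means the leading digits of
    `value` satisfy [0-9]+ although the whole value is not a number."""
    return re.search(r"[0-9]+", value) is not None


# Predefined-style suspicious URL types (constructed), tagged by server type so
# that a group can omit the types that do not apply to your servers.
SUSPICIOUS_BY_SERVER_TYPE = {
    "Apache": [r"^/server-status(/|$)", r"^/\.htaccess$"],
    "IIS": [r"^/_vti_bin/", r"^/scripts/.*\.(asp|dll)$"],
    "Tomcat": [r"^/manager/html(/|$)", r"^/host-manager/"],
}
# A custom suspicious URL (constructed), as created on the Custom Suspicious URL tab.
CUSTOM_SUSPICIOUS = [r"^/(phpmyadmin|pma)/"]


def build_group(server_types, custom=CUSTOM_SUSPICIOUS):
    """A suspicious URL group: the selected server types plus the custom rule.
    Case-insensitive, because IIS paths are case-insensitive and attackers mix case."""
    patterns = [p for t in server_types for p in SUSPICIOUS_BY_SERVER_TYPE[t]]
    return [re.compile(p, re.IGNORECASE) for p in patterns + list(custom)]


def suspicious_requests(request_lines, group):
    """Return the decoded paths of the request lines that match the group."""
    hits = []
    for line in request_lines:
        _method, target, _version = line.split()
        path = unquote(urlsplit(target).path)   # decode %xx before matching
        if any(rx.search(path) for rx in group):
            hits.append(path)
    return hits


# Constructed request lines, as they would appear in an access log.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /%4danager/html/ HTTP/1.1",          # /Manager/html/ once decoded
    "GET /scripts/cmd.asp?x=1 HTTP/1.1",
    "GET /PhpMyAdmin/index.php HTTP/1.1",
]

if __name__ == "__main__":
    print(validate_params("id=123456'+OR+1=1&sort=up"))
    print(suspicious_requests(SAMPLE_REQUESTS, build_group(["Apache", "Tomcat"])))
```

Two points to carry over to the appliance: decode and normalise the path before judging whether an expression matches it, since `/%4danager/html/` is `/Manager/html/` to the server, and omitting the IIS type from the group (as the guide suggests for performance) means the `/scripts/cmd.asp` probe is simply not reported.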

Creating custom suspicious URL rules


Server Policy > Custom Pattern > Custom Suspicious URL Rule displays the list of custom suspicious URL rules. A custom suspicious URL rule collects one or more custom suspicious URLs. Custom suspicious URL rules are selected in suspicious URL groups, which are used by auto-learning profiles to detect malicious HTTP requests by URL. For details, see Grouping suspicious URLs on page 154.


To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.
Tip: Before you can create a custom suspicious URL rule, you must first define one or more custom suspicious URLs. See Creating custom suspicious URLs on page 157.
Table 64: Server Policy > Custom Pattern > Custom Suspicious URL Rule tab

GUI item: Description
Create New: Click to add a custom suspicious URL rule.
#: Displays the index number of the custom suspicious URL rule.
Name: Displays the name of the entry.

To create a custom suspicious URL rule
1 Go to Server Policy > Custom Pattern > Custom Suspicious URL Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type a name for the custom suspicious URL rule. This field cannot be modified if you are editing an existing rule. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New to add custom suspicious URLs to the rule, or click the Edit icon to change an existing entry. A dialog appears.
6 Select an existing custom suspicious URL name from the drop-down list.
7 Click OK.
To use a custom suspicious URL rule, add the rule to a suspicious URL group (see Grouping suspicious URLs on page 154), then select that group when configuring an auto-learning profile. For details, see Applying auto-learning profiles on page 278.

Configuring custom application policies


Some web applications build URLs differently than FortiWeb expects, which can cause FortiWeb to create incorrect auto-learning profiles. These non-standard URLs cause several issues:
  You cannot generate security rules based on the auto-learning profile, as it does not represent the application's structure.
  Endless URL/parameter learning consumes unnecessary resources.
  Auto-learning profiles are presented incorrectly.

For example, with Outlook Web App (OWA), every user has their user name as part of the URL. Thus FortiWeb auto-learning will continue to create new URLs as new users are added to the system. For this reason, auto-learning cannot create a true application structure, as these URLs will not produce enough hits. Example URLs:
  www.example.com/owa/tom/index.html
  www.example.com/owa/mark/index.html
To solve this kind of problem, FortiWeb lets you create application policy plug-ins that recognize the non-standard, customized applications and modify the URL information so that an auto-learning profile can work properly. In the OWA case above, you can extract the user directory and add it as a parameter value.

Custom application workflow


1 Create the custom application plug-ins (URL replacers). See Configuring URL replacers on page 160.
2 Add the application plug-ins to an application policy. See Configuring application policies on page 161.
3 Include the application policy in one or more auto-learning profiles. See Applying auto-learning profiles on page 278.
4 Include the auto-learning profiles in server policies. See Configuring server policies on page 118.

Configuring URL replacers


A URL replacer defines how to modify the non-standard request URLs. Use the replacer in the custom application policies. See Custom application workflow on page 160.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.

To create a URL replacer
1 Go to Server Policy > Custom Application > URL Replacer.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, enter a name for the plug-in.
4 Select one of the two types.
  For Predefined, only JSP is supported in the current release.
  For Custom-Defined, enter the following information:
    In URL Path, enter the regular expression used to match the request URL in the HTTP header. To test the regular expression against sample text, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
    In New URL, enter the new URL string to be sent to the auto-learning module that uses the plug-in.
    In Param Change, enter the new parameter's value string.
    In New Param, enter the new parameter's name string.
5 Click OK.
Two examples follow.

Example one
The HTTP request URL from a client is /app/login.asp;jsessionid=xxx;p1=111;p2=123?p3=5555&p4=66aaaaa, which is a JSP application type. When you create the URL replacer, if you select JSP as the predefined application type, the JSP plug-in will change the URL to /app/login.asp?p4=66aaaaa with 3 extra parameters: p1=111, p2=123 and p3=5555.

Example two
If the HTTP request URL from a client is /tom/login.asp and you created the following URL replacer:
  Type: Custom-Defined
  URL Path: ^/(.*)/(.*)$
  New URL: /$1
  Param Change: $0
  New Param: username
then the URL will be changed to /login.asp with an extra parameter: username=tom.
Note that FortiWeb numbers capture groups from $0: $0 is the first group (tom) and $1 is the second (login.asp). This differs from Perl and PCRE, where $1 is the first group, so a replacer written from that habit moves the wrong part of the URL. Use the >> (test) icon to confirm which text each group captures before applying the replacer.

Configuring application policies


After you create a URL replacer (see Configuring URL replacers on page 160), you can create an application policy that uses the replacer. In turn, include it in an auto-learning profile. See Custom application workflow on page 160.


To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see About permissions on page 80.

To create a custom application policy
1 Go to Server Policy > Custom Application > Application Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
3 Enter a name for the policy and click OK. A dialog appears.
4 Click Create New to create an application rule.
5 Enter an ID for the rule, or leave the default value of auto.
6 Set the priority level of the rule. Type the order of evaluation for this rule in the group, starting from 0. To create an entry with the highest match priority, enter 0. For lower-priority matches, enter higher numbers.
Note: Rule order affects URL replacer plug-in matching and behavior. The search begins with the smallest priority number (greatest priority) rule in the list and progresses in order towards the largest number in the list. Matching rules are determined by comparing the rule and the connection's content. If no rule matches, the connection remains unchanged. When the FortiWeb unit finds a matching rule, it applies the matching rule's specified actions to the connection.
7 Select the rule type. Currently, you can only select URL Replacer.
8 Select a plug-in/URL replacer from the drop-down list. If there is no URL replacer in the list, you must create one first.
9 Click OK.
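The following is an added example, not FortiWeb's own code, of how an application policy applies its ordered URL replacers (Configuring URL replacers, examples one and two) to a request before auto-learning sees it. The custom-defined replacer reproduces example two exactly, including FortiWeb's $0-based capture-group numbering. The JSP replacer is an assumption that approximates example one: it strips the jsessionid matrix parameter and turns the remaining ;name=value matrix parameters into ordinary parameters; the guide does not specify why p3 is also moved out of the query string in example one, so this emulation simply presents all of p1 to p4 as parameters of /app/login.asp. The OWA rule and all request targets are constructed.

```python
"""Added example (not FortiWeb's own code): an application policy applying URL
replacers by priority. Custom-defined replacers follow the guide's example two;
the JSP plug-in emulation is an assumption approximating example one."""
import re
from urllib.parse import parse_qsl, urlsplit

# FortiWeb numbers capture groups from $0 (first group), unlike Perl/PCRE.
_GROUP_REF = re.compile(r"\$(\d+)")


def _expand(template, match):
    """Replace $n with capture group n+1 of `match` ($0 is the first group)."""
    return _GROUP_REF.sub(lambda m: match.group(int(m.group(1)) + 1), template)


def custom_replacer(url_path, new_url, param_change, new_param):
    """Build a Custom-Defined replacer: path -> (new path, extra params) or None."""
    rx = re.compile(url_path)

    def apply(path):
        m = rx.search(path)
        if m is None:
            return None
        return _expand(new_url, m), {_expand(new_param, m): _expand(param_change, m)}
    return apply


def jsp_replacer(path):
    """Predefined JSP plug-in (approximation): drop the session id, keep the
    other matrix parameters as ordinary parameters."""
    if ";" not in path:
        return None
    base, *matrix = path.split(";")
    params = {}
    for item in matrix:
        name, _, value = item.partition("=")
        if name.lower() != "jsessionid":
            params[name] = value
    return base, params


def apply_policy(request_target, rules):
    """rules: list of (priority, replacer). The lowest priority number that
    matches wins; if nothing matches the request is passed on unchanged."""
    parts = urlsplit(request_target)            # keeps ;matrix params in .path
    path, query = parts.path, dict(parse_qsl(parts.query))
    for _priority, replacer in sorted(rules, key=lambda r: r[0]):
        result = replacer(path)
        if result is not None:
            new_path, extra = result
            return new_path, {**query, **extra}
    return path, query


# Example two from the guide, verbatim.
EXAMPLE_TWO = custom_replacer(r"^/(.*)/(.*)$", "/$1", "$0", "username")

# A constructed policy for the OWA case: the specific OWA rule must come before
# the generic one, or the generic rule captures "owa/tom" as the user name.
OWA_POLICY = [
    (0, custom_replacer(r"^/owa/([^/]+)/(.*)$", "/owa/$1", "$0", "username")),
    (1, jsp_replacer),
    (2, EXAMPLE_TWO),
]

if __name__ == "__main__":
    print(apply_policy("/tom/login.asp", [(0, EXAMPLE_TWO)]))
    print(apply_policy("/owa/tom/index.html", OWA_POLICY))
    print(apply_policy("/owa/tom/index.html", [(0, EXAMPLE_TWO)]))
```

The third call shows the ordering note in step 6 in practice: with only the generic rule at priority 0, /owa/tom/index.html is rewritten to /index.html with username=owa/tom, which is not the structure you want auto-learning to learn.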

XML protection
This chapter describes the XML protection menu. It contains features that act upon HTTP requests with XML content, such as AJAX (JavaScript that uses the XMLHttpRequest object), RSS, and SOAP connections. This chapter includes the following topics:
  Configuring protection schedules
  Configuring content filter rules
  Configuring intrusion prevention rules
  Configuring WSDL content routing groups
  Managing XML signature and encryption keys
  Managing schema files
  Managing WSDL files
  Configuring XML protection profiles
Note: For information on the IETF RFC, W3C standards and IEEE standards supported by this version of FortiWeb, see Appendix A: Supported RFCs, W3C and IEEE standards on page 395.

XML protection profile workflow


The creation of an XML protection profile involves multiple activities. The number and sequence of steps depends on what you wish to achieve. All steps are optional, though some steps have dependencies on others.
  Create one or more schedules if you intend to include content filters in your profile. See Configuring protection schedules on page 163.
  Create one or more content filters. See Configuring content filter rules on page 166.
  Create one or more intrusion filters. See Configuring intrusion prevention rules on page 170.
  Load one or more schema files. See Managing schema files on page 178.
  Load one or more web service definition language (WSDL) files (see Managing WSDL files on page 181). To configure protection for a web service, you also must configure an XML web service group (see Grouping WSDL files on page 183). You can also route the web service to a specific server in a server farm (see Configuring WSDL content routing groups on page 173).
  Import a key file and then create a key management profile to add XML signature validation, XML encryption, or XML decryption to your profile. See Managing XML signature and encryption keys on page 175.
After you complete the applicable previous activities, configure one or more XML protection profiles. See Configuring XML protection profiles on page 184.

Configuring protection schedules


The XML Protection > Schedule menu enables you to view and configure protection schedules for one-time or recurring use.

Configure schedules to define when a content filter rule will apply. For example, a FortiWeb unit might be configured with a content filter rule that uses a one-time schedule to block access to the web service during an emergency maintenance period. For details, see Configuring content filter rules on page 166. This section includes the following topics:
  Configuring one-time schedules
  Configuring recurring schedules

Configuring one-time schedules


XML Protection > Schedule > One Time displays the list of schedules that run once for a specified period of time. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.
Table 65: XML Protection > Schedule > One Time tab

GUI item: Description
Create New: Click to add a one-time schedule.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Start: Displays the time and date that the schedule will begin.
End: Displays the time and date that the schedule will stop.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a content filter rule. Click the Edit icon to modify the entry.

To create a one-time schedule
1 Go to XML Protection > Schedule > One Time.
2 Click Create New. A dialog appears that enables you to specify the time and duration of the schedule.
3 In Name, type the name of the schedule.
4 In the Start row, select the date and time that the schedule will begin.
5 In the End row, select the date and time that the schedule will end.
6 Click OK.
To apply a schedule, select it as the period when configuring a content filter rule. For more information, see Configuring content filter rules on page 166.

Configuring recurring schedules


XML Protection > Schedule > Recurring displays the list of schedules that run repeatedly at the specified times and days of the week. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.
Table 66: XML Protection > Schedule > Recurring tab

GUI item: Description
Create New: Click to add a recurring schedule.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Start: Displays the time that the schedule will begin.
End: Displays the time that the schedule will stop.
Day: Displays the days of the week when the schedule runs.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a content filter rule. Click the Edit icon to modify the entry.

To create a recurring schedule
1 Go to XML Protection > Schedule > Recurring.
2 Click Create New. A dialog appears that enables you to specify the time and duration of the schedule, and the days of the week during which the schedule will apply.
3 In Name, type the name of the schedule.
4 In the Start row, select the time that the schedule will begin.
5 In the End row, select the time that the schedule will end.
Note: A recurring schedule with a stop time that occurs before the start time starts at the start time and finishes at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. To create a recurring schedule that runs for 24 hours, set the start and stop times to the same time.
6 In the Day row, select the days of the week when the schedule runs.
7 Click OK.
To apply a schedule, select it as the period when configuring a content filter rule. For more information, see Configuring content filter rules on page 166.
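The following is an added example, not FortiWeb's own code, of evaluating a recurring schedule with the semantics the note above describes: a stop time before the start time makes the window run into the next day, and equal start and stop times make it run for 24 hours. The guide does not say which day the Day selection refers to when a window crosses midnight; this example assumes it is the day on which the window starts (so a Friday 22:00 to 02:00 window is still active at 01:00 on Saturday). The maintenance window and the dates are constructed.

```python
"""Added example (not FortiWeb's own code): recurring schedule evaluation,
including the overnight and 24-hour cases from the note. Assumption: Day refers
to the day on which the window starts."""
from datetime import datetime, time, timedelta

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")


def recurring_active(now, start, end, days):
    """True if `now` (datetime) falls inside the recurring window defined by
    `start` and `end` (datetime.time) on the selected `days` (set of DAYS names)."""
    today = DAYS[now.weekday()]
    if start == end:                 # same time: a 24-hour window on each selected day
        return today in days
    if start < end:                  # window contained within one day
        return today in days and start <= now.time() < end
    # start > end: the window runs from `start` into the next day
    if now.time() >= start:          # evening part, on the start day itself
        return today in days
    if now.time() < end:             # early-morning part, belongs to the previous day
        yesterday = DAYS[(now - timedelta(days=1)).weekday()]
        return yesterday in days
    return False


# Constructed example: a weekly maintenance window, Friday 22:00 to Saturday 02:00,
# entered as Start 22:00, End 02:00, Day fri.
WINDOW = dict(start=time(22, 0), end=time(2, 0), days={"fri"})

if __name__ == "__main__":
    for when in (datetime(2011, 6, 17, 23, 30), datetime(2011, 6, 18, 1, 0),
                 datetime(2011, 6, 18, 3, 0)):
        print(when, recurring_active(when, **WINDOW))
```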

Configuring content filter rules


XML Protection > Content Filter > Content Filter displays the list of filter rules that can be applied to XML traffic. Content filter rules contain one or more individual content filters that each accept or block and/or log specific XML content that matches their XPath expression and time schedule.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.
Tip: Before you can create an effective content filter, you must first define a schedule. See Configuring protection schedules on page 163.
Table 67: XML Protection > Content Filter > Content Filter tab

GUI item: Description
Create New: Click to add a content filter rule.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry. Select the blue arrow to expand the entry, displaying the individual content filters contained in the entry.
ID: Displays the index number of the content filter. For details, see How priority affects content filter rule matching on page 169.
Period: Displays the schedule that defines when this content filter will apply. For details, see Configuring protection schedules on page 163.
IP Range: Lists the client IP address or IP address range to which the content filter applies, if specified.
XPATH Expression: Displays the XPath expression that matches web service content to which the action is applied.
Action: Displays the action that the FortiWeb unit will take when content matches XPATH Expression. For details on how the action interacts with ID to determine which content filter rules will be applied, see How priority affects content filter rule matching on page 169.
  Accept: Accept the connection.
  Alert: Accept the connection and generate an alert and/or log message. For more information on logging and alerts, see Configuring and enabling logging on page 323.
  Deny: Block the connection.
  Alert & Deny: Block the connection and generate an alert and/or log message. For more information on logging and alerts, see Configuring and enabling logging on page 323.
Enable: Mark the check box to enable use of the content filter rule. For details, see Enabling or disabling a content filter rule on page 169.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile. Click the Edit icon to modify the entry.

To create a content filter rule
1 Go to XML Protection > Content Filter > Content Filter.
2 Click Create New. A dialog appears that enables you to specify the content filter rule.
3 In Name, type the name of the content filter rule. This field cannot be modified if you are editing an existing content filter rule. To modify the name, delete the entry, then recreate it using the new name.
4 In Comments, type a description for the content filter rule.
5 Click OK.


6 Click Create New. A dialog appears.
7 Configure the following:
GUI item: Description
ID: Enter the index number of the content filter, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number. The number must be between 1 and 99,999 and must be unique for each content filter.
Priority: Enter the order of evaluation for this content filter, starting from 0. To enter a content filter with the highest match priority, enter 0. For lower-priority matches, enter higher numbers. Note: Content filter rule order affects content filter rule matching and behavior. For details, see How priority affects content filter rule matching on page 169.
Period: Select the existing schedule that defines when this content filter will be applicable. For details, see Configuring protection schedules on page 163.
IP Range: If this content filter should not apply to all IP addresses, enter a client IP address or IP address range.
XPATH Expression: Click the Edit icon. A dialog appears. Enter an XPath expression that matches web service content to which the action will be applied, or enter the expression directly into this field. The maximum length of the expression is 1000 characters.
Action: Select the action that the FortiWeb unit will take when content matches XPATH Expression. For details on how Action interacts with ID to determine which content filter rules will be applied, see How priority affects content filter rule matching on page 169.
  Accept: Accept the connection.
  Alert: Accept the connection and generate an alert and/or log message. For more information on logging and alerts, see Configuring and enabling logging on page 323.
  Deny: Block the connection.
  Alert & Deny: Block the connection and generate an alert and/or log message. For more information on logging and alerts, see Configuring and enabling logging on page 323.
8 Repeat the previous steps for each content filter that you want to add to the content filter rule.
9 If you need to modify a content filter, click its Edit icon. To remove a single content filter from the content filter rule, click its Delete icon. To remove all content filters from the content filter rule, click the Clear icon.
10 Click OK.
To apply the content filter rule, select it in an XML protection profile that is selected in a policy. For more information, see Configuring XML protection profiles on page 184.

How priority affects content filter rule matching


Each time a connection attempt matches a policy that uses an XML protection profile, the FortiWeb unit searches that policy's protection profile's content filter rule list for a matching content filter. The search begins with the lowest priority number (greatest priority) content filter in the list and progresses in order towards the highest number. A content filter matches when its XPath expression matches the connection's web service content, within its schedule and IP range if those are set. If no content filter matches, the connection is dropped.
Note: Because match evaluation continues until either the content filter list is exhausted or the connection is accepted or denied, multiple content filters can be applied.

When the FortiWeb unit finds a matching content filter, it applies that filter's specified action to the connection. If the action is:
  Alert: The FortiWeb unit applies the action, then evaluates the next content filter for a match.
  Accept or Deny (including Alert & Deny): The FortiWeb unit applies the action and disregards all lower-priority filters.
As a general rule, arrange the content filters from most specific to most general, because evaluation stops at the first matching filter whose action is Accept or Deny. Once a connection is accepted or denied, subsequent possible matches are not considered or applied. Ordering from most specific to most general prevents a content filter that matches a wide range of traffic and whose action is Accept or Deny from superseding, and effectively masking, other content filters whose action is Alert, or that match exceptions.
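The following is an added example, not FortiWeb's own code, that runs the matching procedure described above over a constructed XML request: filters are evaluated in ascending priority order, Alert logs and continues, Accept and Deny (including Alert & Deny) stop evaluation, and a request that matches nothing is dropped. The filters, XPath expressions and request bodies are constructed; Python's ElementTree evaluates only a subset of XPath, whereas the FortiWeb unit evaluates full XPath expressions, and schedule and IP range are omitted here to keep the ordering rule visible.

```python
"""Added example (not FortiWeb's own code): content filter evaluation by
priority. Filters, expressions and requests are constructed. ElementTree's
find() supports only an XPath subset; FortiWeb evaluates full XPath."""
import xml.etree.ElementTree as ET

ACCEPT, ALERT, DENY, ALERT_DENY = "Accept", "Alert", "Deny", "Alert & Deny"

# Constructed content filters: (priority, XPath expression, action).
FILTERS = [
    (0, ".//Credentials/Password", ALERT),   # log the credential use, keep going
    (1, ".//AdminCommand", ALERT_DENY),      # administrative calls: block and log
    (2, ".//GetBalance", ACCEPT),
    (3, ".//Transfer", ACCEPT),
]


def evaluate(xml_text, filters):
    """Return (verdict, log): verdict is 'accept' or 'deny', log lists the
    alerts raised on the way to the verdict."""
    root = ET.fromstring(xml_text)
    log = []
    for priority, xpath, action in sorted(filters, key=lambda f: f[0]):
        if root.find(xpath) is None:
            continue                         # this filter does not match
        if action in (ALERT, ALERT_DENY):
            log.append(f"priority {priority}: {xpath} matched ({action})")
        if action == ACCEPT:
            return "accept", log             # lower-priority filters ignored
        if action in (DENY, ALERT_DENY):
            return "deny", log
        # ALERT: fall through and evaluate the next filter
    return "deny", log + ["no content filter matched: dropped"]


def masked_by_broad_accept(xml_text):
    """The ordering pitfall from the text: a catch-all Accept at priority 0
    supersedes every Alert and Deny below it."""
    return evaluate(xml_text, [(0, ".", ACCEPT)] + FILTERS)


# Constructed request bodies (namespaces omitted to keep find() simple).
BALANCE_REQUEST = (
    "<Envelope><Body><GetBalance><Account>1234</Account></GetBalance></Body></Envelope>"
)
ADMIN_REQUEST = (
    "<Envelope><Body><Credentials><User>ops</User><Password>x</Password></Credentials>"
    "<AdminCommand>reset</AdminCommand></Body></Envelope>"
)
UNKNOWN_REQUEST = "<Envelope><Body><Unknown/></Body></Envelope>"

if __name__ == "__main__":
    for body in (BALANCE_REQUEST, ADMIN_REQUEST, UNKNOWN_REQUEST):
        print(evaluate(body, FILTERS))
    print(masked_by_broad_accept(ADMIN_REQUEST))
```

Against ADMIN_REQUEST the priority 0 Alert fires and evaluation continues, so the priority 1 Alert & Deny still blocks the request and both events are logged; put the catch-all Accept first instead and the same request is accepted with nothing logged.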

Enabling or disabling a content filter rule


You can individually enable and disable content filter rules. Disabled content filter rules can be selected in an XML protection profile, but will not be used when applying the protection profile.
Caution: Disabling a content filter rule could allow traffic that matches policies whose XML protection profile uses that content filter rule. For details, see Configuring XML protection profiles on page 184.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.

To enable or disable a content filter rule
1 Go to XML Protection > Content Filter > Content Filter.
2 In the row corresponding to the content filter rule that you want to enable, mark the check box in the Enable column.
3 In the row corresponding to the content filter rule that you want to disable, clear the check box in the Enable column.

Configuring intrusion prevention rules


XML Protection > Intrusion Filters > Intrusion Filters displays the list of intrusion prevention rules. Intrusion prevention rules define data constraints for XML elements, enabling you to reject element depths, counts, and lengths that could be used to execute attacks such as oversized payloads, recursive (deeply nested) payloads, and buffer overflows, and to reject document type definitions (DTDs), which are the vehicle for entity expansion attacks. Intrusion prevention rules are applied by selecting them in an XML protection profile. For details, see Configuring XML protection profiles on page 184. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.
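The following is an added example, not FortiWeb's own code, of enforcing the constraints an intrusion prevention rule expresses (the fields listed in the procedure below) on an XML request with a streaming parser, so that an oversized or deeply nested payload is rejected while it is being read rather than after it has been built into a tree. The limit values and sample documents are constructed. Two assumptions are made where the guide is silent: xmlns declarations are counted as namespace declarations rather than attributes, and whitespace-only text between elements is not counted as a text node.

```python
"""Added example (not FortiWeb's own code): intrusion prevention limits enforced
during a streaming parse. Limits and sample documents are constructed."""
import xml.parsers.expat


class XmlRejected(Exception):
    """Raised inside a handler to stop the parser at the first violation."""


# Constructed limits, named after the rule fields.
DEFAULT_LIMITS = {
    "max_elements": 1000, "max_element_depth": 16, "max_name_length": 64,
    "max_attributions": 200, "max_attributions_per_element": 16,
    "max_attribution_value_length": 1024, "max_namespace_declarations": 32,
    "max_namespace_declarations_per_element": 8, "max_text_nodes": 500,
    "max_text_node_length": 4096, "allow_dtds": False,
}


def check_xml(data, limits=DEFAULT_LIMITS):
    """Return None if `data` satisfies `limits`, else a string naming the first
    violation (or the parse error for malformed input)."""
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True          # deliver each text node in a single call
    state = {"elements": 0, "depth": 0, "attrs": 0, "ns": 0, "text": 0}

    def fail(reason):
        raise XmlRejected(reason)

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not limits["allow_dtds"]:   # stops entity-expansion payloads before any expansion
            fail("DTD not allowed")

    def start_element(name, attrs):
        state["elements"] += 1
        state["depth"] += 1
        if state["elements"] > limits["max_elements"]:
            fail("too many elements")
        if state["depth"] > limits["max_element_depth"]:
            fail("element depth exceeded")
        if len(name) > limits["max_name_length"]:
            fail("name too long")
        ns_here = attr_here = 0
        for key, value in attrs.items():
            if len(key) > limits["max_name_length"]:
                fail("name too long")
            if key == "xmlns" or key.startswith("xmlns:"):
                ns_here += 1           # namespace declaration (assumption: not an attribute)
            else:
                attr_here += 1
                if len(value) > limits["max_attribution_value_length"]:
                    fail("attribute value too long")
        state["attrs"] += attr_here
        state["ns"] += ns_here
        if (attr_here > limits["max_attributions_per_element"]
                or state["attrs"] > limits["max_attributions"]):
            fail("too many attributes")
        if (ns_here > limits["max_namespace_declarations_per_element"]
                or state["ns"] > limits["max_namespace_declarations"]):
            fail("too many namespace declarations")

    def end_element(name):
        state["depth"] -= 1

    def char_data(text):
        if not text.strip():
            return                     # indentation only (assumption: not a text node)
        state["text"] += 1
        if state["text"] > limits["max_text_nodes"]:
            fail("too many text nodes")
        if len(text) > limits["max_text_node_length"]:
            fail("text node too long")

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    try:
        parser.Parse(data, True)
    except XmlRejected as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"malformed XML: {exc}"
    return None


# Constructed requests: one benign, one recursive payload, one with a DTD, one
# with an oversized attribute value.
GOOD_REQUEST = ('<Envelope xmlns="urn:example"><Body><GetBalance>'
                '<Account id="1234">main</Account></GetBalance></Body></Envelope>')
DEEP_REQUEST = "<a>" * 30 + "deep" + "</a>" * 30
DTD_REQUEST = '<!DOCTYPE lolz [<!ENTITY lol "lol">]><r>&lol;</r>'
LONG_ATTR_REQUEST = '<r a="' + "A" * 2000 + '"/>'

if __name__ == "__main__":
    for doc in (GOOD_REQUEST, DEEP_REQUEST, DTD_REQUEST, LONG_ATTR_REQUEST):
        print(check_xml(doc))
```

Rejecting the DTD in the doctype handler is what makes the check cheap: the entity definitions are never parsed, so the classic expansion payload costs nothing more than reading its first tag. If you do allow DTDs, the text-node limits become your only bound on the expanded size.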
Table 68: XML Protection > Intrusion Filters > Intrusion Filters tab

GUI item: Description
Create New: Click to add an intrusion prevention rule.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Max Elements: Displays the maximum number of XML elements to allow in a single request.
Max Element Depth: Displays the maximum depth of XML elements to allow in the tree of a single request.
Max Name Length: Displays the maximum length to allow for any XML element, attribute or namespace.
Max Attributions: Displays the maximum number of attributes to allow in a single request.
Max Attributions Per Element: Displays the maximum number of attributes to allow for any XML element.
Max Attribution Value Length: Displays the maximum length of the value to allow for any attribute of any XML element.
Allow DTDs: Indicates whether or not use of document type definitions (DTDs) is allowed.
Enable: Mark the check box to enable use of the intrusion prevention rule. For details, see Enabling or disabling an intrusion prevention rule on page 172.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile. Click the Edit icon to modify the entry.

To create an intrusion prevention rule
1 Go to XML Protection > Intrusion Filters > Intrusion Filters.
2 Click Create New. A dialog appears that enables you to enter constraints on the types and lengths of allowed data.
3 Configure the following:

GUI item: Description
Name: Enter a name for the intrusion prevention rule.
Max Elements: Enter the maximum number of XML elements to allow in a single request.
Max Element Depth: Enter the maximum depth of XML elements to allow in the tree of a single request.
Max Name Length: Enter the maximum length to allow for any XML element, attribute or namespace.
Max Attributions: Enter the maximum number of attributes to allow in a single request.
Max Attributions Per Element: Enter the maximum number of attributes to allow for any XML element.
Max Attribution Value Length: Enter the maximum length of the allowed value of any attribute of any XML element.
Max Namespace Declarations: Enter the maximum number of XML namespace (XMLNS) declarations to allow in a single request.
Max Namespace Declarations per Element: Enter the maximum number of XML namespace (XMLNS) declarations to allow for any XML element.
Max Text Nodes: Enter the maximum number of text nodes to allow in a single request.
Max Text Node Length: Enter the maximum length to allow for any text node.
Max Text Node Ratio: Enter the maximum size ratio to allow for any text node, where the size ratio is T/(D-T), D being the total size of the request and T the size of the text node.
Max CData: Enter the maximum number of character data (CDATA) sections to allow in a single request.
Max CData Length: Enter the maximum length of the value to allow for any character data (CDATA) section in a single request.
Max Character Reference: Enter the maximum number of character entity references to allow in a single request.
Max PIs: Enter the maximum number of processing instructions (PIs) to allow in a single request.
Max Gen Entity Reference: Enter the maximum number of general entity references to allow in a single request.
Allow DTDs: Enable to allow use of document type definitions (DTDs). Unlike W3C XML schema scanning, DTD scanning is currently not supported, and therefore inclusion of DTDs can only be specifically allowed or denied.
Comments: Enter a description for the intrusion prevention rule.

4 Click OK.
To apply the intrusion prevention rule, select it in an XML protection profile that is selected in a policy. For more information, see Configuring XML protection profiles on page 184.
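As an added illustration (not FortiWeb code and not from this guide), the following Python checker enforces the same classes of limits as the fields above on a request body, using the standard library's expat parser: it counts character and general entity references on the raw bytes before anything is parsed, refuses a DTD unless Allow DTDs is set, checks element depth, attribute and CDATA limits as the parser walks the document, and applies the T/(D-T) text node ratio. The IntrusionRule field names and default values are constructed for the example (they are not FortiWeb's defaults), and whitespace-only runs between elements are counted as text nodes, which the guide does not specify.

```python
import re
import xml.parsers.expat
from dataclasses import dataclass


@dataclass
class IntrusionRule:
    """Limits named like the rule fields above; the default values are constructed for this example."""
    max_elements: int = 1000
    max_element_depth: int = 32
    max_name_length: int = 256
    max_attributes_per_element: int = 32
    max_attribute_value_length: int = 1024
    max_text_nodes: int = 1000
    max_text_node_length: int = 8192
    max_text_node_ratio: float = 4.0  # T/(D-T), as defined for Max Text Node Ratio
    max_cdata: int = 16
    max_cdata_length: int = 8192
    max_character_references: int = 256
    max_gen_entity_references: int = 0
    allow_dtds: bool = False


class Violation(Exception):
    """Raised inside a parser callback as soon as a limit is exceeded (block on first hit)."""


_CHAR_REF = re.compile(rb"&#(?:x[0-9A-Fa-f]+|[0-9]+);")
_GEN_REF = re.compile(rb"&(?!#)([A-Za-z_:][\w.:-]*);")
_PREDEFINED = {b"lt", b"gt", b"amp", b"quot", b"apos"}  # not counted as general entities


def check_xml_request(body: bytes, rule: IntrusionRule) -> "str | None":
    """Return None if the body satisfies every limit, otherwise the first violation found."""
    total = len(body)  # D in the Max Text Node Ratio formula
    # References are counted on the raw bytes, so an entity payload is never expanded here.
    n_char = len(_CHAR_REF.findall(body))
    if n_char > rule.max_character_references:
        return f"character references: {n_char} > {rule.max_character_references}"
    n_gen = sum(1 for m in _GEN_REF.finditer(body) if m.group(1) not in _PREDEFINED)
    if n_gen > rule.max_gen_entity_references:
        return f"general entity references: {n_gen} > {rule.max_gen_entity_references}"
    st = {"elements": 0, "depth": 0, "text": 0, "cdata": 0,
          "in_cdata": False, "buf": 0}  # buf: bytes of the character run in progress

    def exceed(what, value, limit):
        if value > limit:
            raise Violation(f"{what}: {value} > {limit}")

    def flush_text():
        # Expat splits character data arbitrarily; one contiguous run outside CDATA
        # (whitespace-only runs included) is one text node once the next markup arrives.
        n, st["buf"] = st["buf"], 0
        if n == 0 or st["in_cdata"]:
            return
        st["text"] += 1
        exceed("text nodes", st["text"], rule.max_text_nodes)
        if total - n <= 0 or n / (total - n) > rule.max_text_node_ratio:
            raise Violation(f"text node ratio T/(D-T) exceeds {rule.max_text_node_ratio}")
    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not rule.allow_dtds:
            raise Violation("DTD present but Allow DTDs is disabled")
    def start_element(name, attrs):
        flush_text()
        st["elements"] += 1
        exceed("elements", st["elements"], rule.max_elements)
        st["depth"] += 1
        exceed("element depth", st["depth"], rule.max_element_depth)
        exceed("name length", len(name), rule.max_name_length)
        # xmlns declarations arrive as ordinary attributes when namespace processing is off.
        plain = [k for k in attrs if k != "xmlns" and not k.startswith("xmlns:")]
        exceed("attributes per element", len(plain), rule.max_attributes_per_element)
        for k, v in attrs.items():
            exceed("name length", len(k), rule.max_name_length)
            exceed("attribute value length", len(v), rule.max_attribute_value_length)
    def end_element(name):
        flush_text()
        st["depth"] -= 1
    def start_cdata():
        flush_text()
        st["cdata"] += 1
        exceed("CDATA sections", st["cdata"], rule.max_cdata)
        st["in_cdata"] = True
    def end_cdata():
        st["buf"], st["in_cdata"] = 0, False
    def char_data(data):
        # Checked incrementally, so an oversized node is refused before it is fully buffered.
        st["buf"] += len(data.encode("utf-8"))
        limit = rule.max_cdata_length if st["in_cdata"] else rule.max_text_node_length
        exceed("CDATA length" if st["in_cdata"] else "text node length", st["buf"], limit)

    p = xml.parsers.expat.ParserCreate()
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.StartDoctypeDeclHandler, p.StartElementHandler = start_doctype, start_element
    p.EndElementHandler, p.CharacterDataHandler = end_element, char_data
    p.StartCdataSectionHandler, p.EndCdataSectionHandler = start_cdata, end_cdata
    try:
        p.Parse(body, True)
    except Violation as v:
        return str(v)
    except xml.parsers.expat.ExpatError as e:
        return f"malformed XML: {e}"
    return None
```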

Enabling or disabling an intrusion prevention rule


You can individually enable and disable intrusion prevention rules. Disabled intrusion prevention rules can still be selected in an XML protection profile, but will not be used when the protection profile is applied.
Caution: Disabling an intrusion prevention rule could allow traffic that matches policies whose XML protection profile selects that intrusion prevention rule. For details, see Configuring XML protection profiles on page 184.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.
To enable or disable an intrusion prevention rule
1 Go to XML Protection > Intrusion Filters > Intrusion Filters.
2 In the row corresponding to the intrusion prevention rule that you want to enable, mark the check box in the Enable column.
3 In the row corresponding to the intrusion prevention rule that you want to disable, clear the check box in the Enable column.

Configuring WSDL content routing groups


XML Protection > WSDL Routing > WSDL Routing displays the list of WSDL content routing groups. A WSDL content routing group selects a set of web service operations from WSDL files that you can then route to a specific real server when configuring a server farm.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.
Tip: Before you can create an effective WSDL content routing group, you must first import a web service definition file. See Managing WSDL files on page 181.
Table 69: XML Protection > WSDL Routing > WSDL Routing tab

GUI item: Description
Create New: Click to add a WSDL content routing group.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Routing Table Count: Displays the names of the WSDL files that are used by the WSDL content routing group.
Delete (no column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server farm.
Edit (no column heading): Click the Edit icon to modify the entry.


To create a WSDL content routing group
1 Go to XML Protection > WSDL Routing > WSDL Routing.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the content routing group. This field cannot be modified if you are editing an existing content routing group. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New. A dialog appears.
6 Configure the following:

GUI item: Description
ID: Enter the index number of the WSDL operation within the content routing group, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.
Web Service: Select the name of a WSDL file that you uploaded.
Operation: Select the name of an operation within the WSDL file you selected. HTTP requests containing this WSDL operation will be routed to a real server in the server farm using this WSDL content routing group.

7 Repeat the previous steps for each WSDL operation that you want to add to the content routing group.
8 If you need to modify a WSDL operation, click its Edit icon. To remove a single WSDL operation from the content routing group, click its Delete icon. To remove all WSDL operations from the content routing group, click the Clear icon.
9 Click OK.


To apply a content routing group, select it as the content that will be destined for a specific real server when configuring a server farm. For more information, see Grouping physical and domain servers into server farms on page 135.

Managing XML signature and encryption keys


Key files contain a key: seed data that is used with an algorithm to apply and verify XML signatures and/or to encrypt or decrypt XML elements. Keys are not used directly; a key must first be added to a key management group so that it can be selected in an XML protection profile. For details, see Grouping keys into key management groups on page 176.

Uploading a key
XML Protection > XML Sig/Enc > Key File displays keys already uploaded to the FortiWeb unit that may be used in a key management group. If you want to configure XML protection profiles that will apply or validate XML signatures, or apply XML encryption or decryption, you must first upload a key file.
To access this part of the web-based manager, your administrator's account access profile must have Read permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.
Table 70: XML Protection > XML Sig/Enc > Key File tab

GUI item: Description
Import: Click to upload a key file. For details, see Uploading a key on page 175.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Comments: Displays the description of the entry.
Delete (no column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a key management group.

Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded files may not exceed 12 MB.

To upload a key file
1 Go to XML Protection > XML Sig/Enc > Key File.
2 Click Import. A dialog appears.
3 In Name, enter a descriptive name.
4 In Key File, select the field or click Browse to locate and select the key file that you want to upload.
5 In Comments, type a description for the key file.
6 Click OK. The file is uploaded from your management computer. The time required varies by the size of the file and the speed of your network connection.
7 After uploading key files, before you can use a key in a protection profile, you must first add the key to a key management group. For details, see Grouping keys into key management groups on page 176.

Grouping keys into key management groups


XML Protection > XML Sig/Enc > Key Management displays the list of key management groups. Key management groups pair cryptographic algorithms with keys, and may be selected when configuring the FortiWeb unit to use XML signatures, XML encryption or XML decryption in an XML protection profile.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.
Tip: Before you can create a key management group, you must first upload one or more key files. For details, see Uploading a key on page 175.
Table 71: XML Protection > XML Sig/Enc > Key Management tab

GUI item: Description
Create New: Click to add a key management group.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Key File Count: Displays the number of keys used by the key management group.
Delete (no column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile.
Edit (no column heading): Click the Edit icon to modify the entry.

To create a key management group
1 Go to XML Protection > XML Sig/Enc > Key Management.
2 Click Create New. A dialog appears that enables you to add members to the key management group.
3 In Name, type the name of the key management group. This field cannot be modified if you are editing an existing key management group. To modify the name, delete the entry, then recreate it using the new name.
4 In Comments, type a description for the key management group.
5 Click OK.
6 Click Create New. A dialog appears.
7 Configure the following:

GUI item: Description
ID: Enter the index number of the key file and algorithm combination within the key management group, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.
Key File: Select the name of a key file that you uploaded.
Algo: Select the name of an encryption algorithm that you want to use with that key. For algorithms that include the bit strength (for example, 128, 192, or 256), a higher number indicates stronger security, but may increase load on the FortiWeb unit.

8 Repeat the previous steps for each key file and algorithm combination that you want to add to the key management group.
9 If you need to modify an entry, click its Edit icon. To remove a single entry from the group, click its Delete icon. To remove all entries from the group, click the Clear icon.
10 Click OK.
To apply a key management group, select it when configuring XML encryption or decryption in an XML protection profile. For more information, see Configuring XML protection profiles on page 184.

Managing schema files


XML Protection > Load Schema > Load Schema displays the list of XML schema files already uploaded to the FortiWeb unit. Schema files are used by the Schema Validation option in XML protection profiles. For details, see Schema Validation on page 187.
Note: Failing to upload a schema file could block traffic that matches policies whose XML protection profile has the Schema Validation option enabled, because the FortiWeb unit may not be able to perform schema validation. For details, see Schema Validation on page 187.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.
Table 72: XML Protection > Load Schema > Load Schema tab

GUI item: Description
Load New: Click to upload an uncompressed XML schema file. For details, see Managing schema files on page 178.
Load ZIP: Click to upload a ZIP-compressed XML schema file. For details, see Managing schema files on page 178.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Validated: Indicates whether or not the schema file has been successfully validated. If the schema has been uploaded but not yet validated, you can click the Edit icon in the right-most column to validate it.
Comments: Displays the description of the entry.
Enable: Mark the check box to enable use of the schema file if you have enabled Schema Validation. For details, see Enabling or disabling a schema file on page 180.
Delete (no column heading): Click the Delete icon to remove the schema. This option does not appear for the default schemas (RSS 2.0, UBL 1.0, and UBL 2.0).
Edit (no column heading): Click the Edit icon to validate the schema. For details, see Managing schema files on page 178. This option does not appear for the default schemas.
View (no column heading): Click the View icon to display the contents of the schema file in a pop-up window.

To upload a schema file

Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded files may not exceed 12 MB.

1 Go to XML Protection > Load Schema > Load Schema.
2 Click either Load New to upload an uncompressed schema file, or Load ZIP to upload a schema file that is compressed within a ZIP file. An upload dialog appears whose appearance varies slightly by whether you are uploading a compressed or uncompressed schema.
Figure 29: Uploading an uncompressed schema
Figure 30: Uploading a compressed schema
3 In Name, type the name of the schema.
4 In Schema File or Schema ZIP File, enter a file name in the field or click Browse to locate and select the schema file that you want to upload.
5 In Comments, type a description for the schema.
6 Click OK. The file is uploaded from your management computer. The time required varies by the size of the file and the speed of your network connection.
7 If you uploaded a compressed schema file, select the root file of the schema from the Schema File List area, and click the right arrow.
8 Click OK. The FortiWeb unit validates the root schema file and all child schema files. If a schema is not successfully validated, such as if a compressed schema is too large, an error message appears. You may select a different root schema file and attempt the validation again immediately, or you may validate the schema at another time by clicking its Edit icon in the list of schema files. However, the FortiWeb unit will not use the schema until it is validated.
To use the schema to validate requests, you must enable the Schema Validation option in an XML protection profile used by a policy. For details, see Schema Validation on page 187.

Enabling or disabling a schema file


You can individually enable and disable schema files that you uploaded to the FortiWeb unit. Disabled schema files will not be used when performing schema validation.
Note: Disabling a schema file could block traffic that matches policies whose XML protection profile has the Schema Validation option enabled, because the FortiWeb unit may not be able to perform schema validation. For details, see Schema Validation on page 187.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.
To enable or disable a schema file
1 Go to XML Protection > Load Schema > Load Schema.
2 In the row corresponding to the schema file that you want to enable, mark the check box in the Enable column.
3 In the row corresponding to the schema file that you want to disable, clear the check box in the Enable column.

Managing WSDL files


XML Protection > Load WSDL > Load WSDL displays the list of web service definition language (WSDL) files that have been uploaded to the FortiWeb unit. If you want to configure protection profiles that will prevent WSDL scans and/or validate web service actions, you should first upload the WSDL file that defines the acceptable actions for your web services. WSDL files cannot be used directly; a WSDL file must be added to an XML web service group in order to be selected for use with the WSDL Verify option in an XML protection profile, or added to a WSDL content routing group in order to be selected for routing to a specific server in a server farm. For details, see Grouping WSDL files on page 183 and Configuring WSDL content routing groups on page 173.
Caution: Failing to upload a WSDL file could allow traffic that matches policies whose XML protection profile has the WSDL Verify option enabled, because the FortiWeb unit will not be able to perform WSDL verification. For details, see WSDL Verify on page 187.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.
Table 73: XML Protection > Load WSDL > Load WSDL tab

GUI item: Description
Import: Click to upload a WSDL file.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Operations: Displays the web service operations defined in the WSDL file.
Delete (no column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an XML web service group.
Edit (no column heading): Click the Edit icon to view details of the entry, or to individually enable or disable web service operations defined in the WSDL file. For details, see Enabling and disabling operations in a WSDL file on page 182.

To upload a WSDL file

Note: The total file size of all certificates, schema, keys, WSDL, and any other uploaded files may not exceed 12 MB.

1 Go to XML Protection > Load WSDL > Load WSDL.
2 Click Import. A dialog appears.
3 In Name, type the name of the WSDL file.
4 In WSDL File, enter a WSDL file name in the field or click Browse to locate and select the WSDL file that you want to upload.
5 Click OK. The FortiWeb unit validates the WSDL file. If valid, the file is uploaded from your management computer. The time required varies by the size of the file and the speed of your network connection.
After uploading WSDL files, you can use them in either:
  a WSDL content routing group (see Configuring WSDL content routing groups on page 173)
  an XML protection profile
In order to use WSDL files in an XML protection profile, you must first create an XML web service group. For more information, see Grouping WSDL files on page 183.
You can also individually enable or disable web service operations within each WSDL file. For more information, see Enabling and disabling operations in a WSDL file on page 182.

Enabling and disabling operations in a WSDL file


In addition to individually enabling or disabling WSDL files, you can individually enable or disable web service operations that are defined within each WSDL file.
Caution: Disabling a web service operation could allow traffic that matches policies whose XML protection profile has the WSDL Verify option enabled, because the FortiWeb unit will not be able to perform full WSDL verification. For details, see WSDL Verify on page 187.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.
To enable or disable a web service operation
1 Go to XML Protection > Load WSDL > Load WSDL.
2 In the row corresponding to the WSDL file that contains the web service operation that you want to enable or disable, click the Edit icon. A dialog appears that displays information about the schema namespace URL, web service URL, and each web service operation that is defined in the WSDL file.
3 In each row corresponding to a web service operation that you want to enable, mark the check box in the Enable column.
4 In each row corresponding to a web service operation that you want to disable, clear the check box in the Enable column.
5 Click OK.

Grouping WSDL files


XML Protection > Load WSDL > XML Web Service Group displays the list of groups of web service definition language (WSDL) files already uploaded to the FortiWeb unit. XML web service groups are used by the WSDL Verify option in XML protection profiles. For details, see WSDL Verify on page 187.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.
Tip: Before you can create a web service group, you must first import one or more WSDL files. See Managing WSDL files on page 181.
Table 74: XML Protection > Load WSDL > XML Web Service Group tab

GUI item: Description
Create New: Click to add an XML web service group.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Web Services: Displays the WSDL files that are members of the group.
Delete (no column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an XML protection profile.
Edit (no column heading): Click the Edit icon to modify the entry.

To create an XML web service group
1 Go to XML Protection > Load WSDL > XML Web Service Group.
2 Click Create New. A dialog appears that enables you to select WSDL files to be members of the XML web service group.
3 In Name, type the name of the XML web service group.
4 In Comments, type a description for the XML web service group.
5 In the Web Services area, click Add.
6 From the Web Service drop-down list, select the name of a WSDL file that you want to be a member of this group.
7 Repeat the previous two steps for each additional member.
8 Click OK.
To use the XML web service group to validate requests, you must enable the WSDL Verify option when editing an XML protection profile, then select the web service group from the drop-down list. Lastly, you must configure a server policy to include the profile. For details, see WSDL Verify on page 187 and Web Service on page 187.
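To show the mechanics behind the WSDL content routing table, the per-operation enable/disable switches and the WSDL Verify check described in the sections above, here is an added example (not FortiWeb code and not from this guide) that reads the operations out of a WSDL file with the Python standard library, lets individual operations be enabled or disabled, verifies a SOAP request against a group of WSDL files, and looks up the real server for the request's operation. The sample WSDL, the request, the operation names and the server names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample WSDL (not from the guide): one portType with two operations.
SAMPLE_WSDL = b"""<?xml version="1.0"?>
<definitions name="Quotes" targetNamespace="urn:example:quotes"
             xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="urn:example:quotes">
  <portType name="QuotePort">
    <operation name="GetQuote"><input message="tns:GetQuoteIn"/></operation>
    <operation name="PlaceOrder"><input message="tns:PlaceOrderIn"/></operation>
  </portType>
</definitions>"""


def wsdl_operations(wsdl: bytes) -> Set[str]:
    """Names of the operations defined by the WSDL file's portType elements."""
    root = ET.fromstring(wsdl)
    ops = root.findall(f"{{{WSDL_NS}}}portType/{{{WSDL_NS}}}operation")
    return {op.get("name") for op in ops if op.get("name")}


def soap_operation(request: bytes) -> Optional[str]:
    """Local name of the first child of soap:Body, i.e. the operation the request invokes.
    Returns None for a malformed request or one without a SOAP body."""
    try:
        root = ET.fromstring(request)
    except ET.ParseError:
        return None
    body = root.find(f"{{{SOAP_ENV_NS}}}Body")
    if body is None or len(body) == 0:
        return None
    tag = body[0].tag
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


class WsdlFile:
    """An uploaded WSDL file whose operations can be individually enabled or disabled,
    as in the Edit dialog of the Load WSDL tab. Every operation starts enabled."""

    def __init__(self, wsdl: bytes) -> None:
        self.operations = wsdl_operations(wsdl)
        self.enabled = set(self.operations)

    def disable(self, operation: str) -> None:
        self.enabled.discard(operation)

    def enable(self, operation: str) -> None:
        if operation in self.operations:  # only operations the file defines can be enabled
            self.enabled.add(operation)


def wsdl_verify(request: bytes, web_service_group: List[WsdlFile]) -> str:
    """Return "accept" if the request invokes an operation that is enabled in some WSDL
    file of the group, otherwise "deny" (the configured WSDL verify action then applies)."""
    op = soap_operation(request)
    if op is not None and any(op in f.enabled for f in web_service_group):
        return "accept"
    return "deny"


def route_request(request: bytes, routing_table: Dict[str, str]) -> Optional[str]:
    """Real server named by the content routing table for the request's operation,
    or None when no routing entry matches the operation."""
    op = soap_operation(request)
    return routing_table.get(op) if op is not None else None
```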

Configuring XML protection profiles


XML Protection > XML Protection Profile > XML Protection Profile displays a list of XML protection profiles. A protection profile is a set of attack protection settings. When a connection matches a policy, the FortiWeb unit applies the protection profile selected for that policy. Protection profiles are applied by selecting them within a server policy. For details, see Configuring server policies on page 118.
Note: XML protection profiles can be configured at any time, but can be selected in a policy only while the FortiWeb unit is operating in a mode that supports them. For details, see Table 45, Policy behavior by operation mode, on page 119.
Use SNMP traps to notify you when an XML protection profile has been enforced. For details, see Configuring an SNMP community on page 68.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the XML Protection Configuration category. For details, see About permissions on page 80.
Tip: Before you can create an effective profile, you need to configure one or more XML protection features. See XML protection profile workflow on page 163.
Table 75: XML Protection > XML Protection Profile > XML Protection Profile tab

GUI item: Description
Create New: Click to add an XML protection profile.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Intrusion Prevention Rule: Displays the name of the intrusion prevention rule used by this XML protection profile.
Filter Rule: Displays the name of the content filter rule used by this XML protection profile.
Schema Validation: Indicates whether or not schema validation is enabled for traffic matching the policy. If you have disabled the schema file or have not uploaded it to the FortiWeb unit, the result of schema validation depends on whether you have also enabled WSDL Verify. If this option is enabled, WSDL Verify is enabled, and the schema file does not exist or is disabled, the schema validator will allow the connection. If this option is enabled, WSDL Verify is disabled, and the schema file does not exist or is disabled, the schema validator will block the connection.
Schema Poisoning: Indicates whether or not external schema reference prevention is enabled, thereby preventing schema poisoning attacks for traffic matching the policy.
WSDL Scanning Prevention: Indicates whether or not WSDL scanning prevention is enabled for traffic matching the policy.
External Entity Attack Prevention: Indicates whether or not external entity attack prevention is enabled for traffic matching the policy.
Delete (no column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server policy.
Edit (no column heading): Click the Edit icon to modify the entry.

To create an XML protection profile 1 Go to XML Protection > XML Protection Profile > XML Protection Profile.

FortiWeb Web Application Firewall Version 4.0 MR2 Administration Guide Revision 10 http://docs.fortinet.com/ Feedback

185

Configuring XML protection profiles

XML protection

2 Click Create New. A dialog appears that enables you to configure the XML protection profile.

3 Configure the following:


GUI item Name Description Enter the name of the XML protection profile.

Intrusion Prevention Select an existing intrusion prevention rule. For details, see Configuring intrusion prevention rules on page 170. Rule Filter Rule Select an existing content filter rule. For details, see Configuring content filter rules on page 166.

186

FortiWeb Web Application Firewall Version 4.0 MR2 Administration Guide Revision 10 http://docs.fortinet.com/ Feedback

XML protection

Configuring XML protection profiles

Schema Validation

Enable to validate the schema for traffic matching the policy. This option may require that you first upload a schema file to the FortiWeb unit, and enable it. If this option is enabled, and WSDL Verify is enabled, and the schema file does not exist or is disabled, the schema validator will allow the connection. If this option is enabled, and WSDL Verify is disabled, and the schema file does not exist or is disabled, the schema validator will block the connection. For details on uploading a schema file, see Managing schema files on page 178. Enable to prevent external schema references, and thereby preventing schema poisoning attacks, for traffic matching the policy. This option does not permit schema referencing by URL for security reasons, and requires that you upload a schema. For details, see Managing schema files on page 178.

Schema Poisoning

External Entity Attack Prevention
    Enable to prevent external entity attacks for traffic matching the policy.

WSDL Scanning Prevention
    Enable to prevent WSDL scanning for traffic matching the policy.

WSDL Verify
    Enable to verify that, for traffic matching the policy, the connection uses web service operations that are valid for that web service according to the WSDL file. This option requires that you first upload a WSDL file to the FortiWeb unit. See Managing WSDL files on page 181.

WSDL verify action
    This option appears only if WSDL Verify is enabled. Select which action the FortiWeb unit will take if the connection fails WSDL verification.
    Accept: Accept the connection.
    Alert: Accept the connection and generate an alert and/or log message. For more information on logging and alerts, see Configuring and enabling logging on page 323.
    Deny: Block the connection.
    Alert & Deny: Block the connection and generate an alert and/or log message. For more information on logging and alerts, see Configuring and enabling logging on page 323.

Web Service
    This option appears only if WSDL Verify is enabled. Select the XML web service group to use for verification of the request, or select Create New to create a new XML web service group in a pop-up window, without leaving the current page. For details, see Grouping WSDL files on page 183. To create a group, you first need to upload a WSDL file. See Managing WSDL files on page 181.

XML SIG
    Enable to validate XML signatures for forward traffic. Also configure XML SIG action and Key Info. For the XML signature specification, see http://www.w3.org/TR/xmldsig-core/.

XML SIG action
    This option appears only if XML SIG is enabled. Select the action that the FortiWeb unit will take if the forward traffic fails XML signature verification.
    Accept: Accept the connection.
    Alert: Accept the connection and generate an alert and/or log message. For more information on logging and alerts, see Configuring and enabling logging on page 323.
    Deny: Block the connection.
    Alert & Deny: Block the connection and generate an alert and/or log message. For more information on logging and alerts, see Configuring and enabling logging on page 323.

XML ENC
    Enable to decrypt XML for forward traffic. Also configure XML ENC action and Key Info. For the XML encryption/decryption specification, see http://www.w3.org/TR/xmlenc-core/.

XML ENC action
    This option appears only if XML ENC is enabled. Select which action the FortiWeb unit will take if the forward traffic fails XML decryption.
    Accept: Accept the connection.
    Alert: Accept the connection and generate an alert and/or log message. For more information on logging and alerts, see Configuring and enabling logging on page 323.
    Deny: Block the connection.
    Alert & Deny: Block the connection and generate an alert and/or log message. For more information on logging and alerts, see Configuring and enabling logging on page 323.

Key Info
    This option appears only if XML SIG is enabled. Select an existing key management group to use for XML signature verification and/or decryption of forward traffic. For details, see Grouping keys into key management groups on page 176.

XML reverse SIG
    Enable to sign reply traffic with XML signatures. Also configure XML reverse SIG key and XML reverse SIG XPATH. For the XML signature specification, see http://www.w3.org/TR/xmldsig-core/.

XML reverse SIG key
    Select which key management group will be used for XML signing of reply traffic, or select Create New to upload a new key management group in a pop-up window, without leaving the current page. For details, see Grouping keys into key management groups on page 176. This option appears only if XML reverse SIG is enabled.

XML reverse SIG XPATH
    Click the Edit icon and enter an XPath expression that matches XML elements in reply traffic to which you want to apply XML signatures. This option appears only if XML reverse SIG is enabled.

XML reverse ENC
    Enable to encrypt XML reply traffic. Also configure XML reverse ENC key and XML reverse ENC XPATH. For the XML encryption/decryption specification, see http://www.w3.org/TR/xmlenc-core/.

XML reverse ENC key
    Select which key management group will be used for XML encryption of reply traffic, or select Create New to upload a new key management group in a pop-up window, without leaving the current page. For details, see Grouping keys into key management groups on page 176. This option appears only if XML reverse ENC is enabled.

XML reverse ENC XPATH
    Click the Edit icon and enter an XPath expression that matches XML elements in reply traffic to which you want to apply XML encryption. This option appears only if XML reverse ENC is enabled.

SQL Injection Prevention
    Enable to prevent SQL injection attacks by blocking requests that contain SQL statements.

SQL Injection Prevention Action
    Select which action the FortiWeb unit will take if the connection contains SQL statements.
    Accept: Accept the connection.
    Alert: Accept the connection and generate an alert and/or log message. For more information on logging and alerts, see Configuring and enabling logging on page 323.
    Deny: Block the connection.
    Alert & Deny: Block the connection and generate an alert and/or log message. For more information on logging and alerts, see Configuring and enabling logging on page 323.
    This option appears only if SQL Injection Prevention is enabled.

Non-XML traffic
    Enable to accept HTTP requests that do not contain Content-Type: text/xml in the HTTP header. This may be required if the web service uses representational state transfer (REST) instead of SOAP. Disable to reject non-XML HTTP requests.

Comments
    Enter a description for the XML protection profile.

4 Click OK.

To apply an XML protection profile, you must select it in a policy. For details, see Configuring server policies on page 118.


Web protection
This chapter describes the Web Protection menu. It contains features that act upon HTTP requests, HTTP headers, HTML documents, and cookies.

This chapter includes the following topics:
    Order of execution
    Responding to web protection rule violations
    Configuring HTTP parameter validation rules
    Configuring page access rules
    Configuring server protection rules
    Configuring start page rules
    Configuring URL access policy
    Configuring an IP list policy
    Configuring brute force login profiles
    Configuring robot control profiles
    Configuring allowed request method policy
    Configuring hidden field protection profiles
    Configuring URL rewriting policy
    Configuring HTTP protocol constraint profiles
    Configuring authentication policy
    Configuring file upload restriction policy
    Configuring inline protection profiles
    Configuring offline protection profiles
    Applying auto-learning profiles

Web protection profile workflow


Web protection profiles fall into two categories: inline and offline. (A related profile, auto-learning, has a distinctly different workflow. See Auto-learning profile workflow on page 278.)

Creating a web protection profile involves multiple activities. The number and sequence of steps depends on what you wish to achieve. All steps are optional, though some steps have dependencies on others.

Several web protection features include an option to include a trigger policy. To use this option, first create one or more logging policies and trigger policies. See Log configuration workflow on page 313.

Configure one or more file upload restriction rules followed by one or more file upload restriction policies for use in inline or offline protection profiles. See Configuring file upload restriction policy on page 263.

Configure one or more allow request method policies for use in inline or offline protection profiles. See Configuring allowed request method policy on page 235.

Configure one or more URL access rules followed by one or more URL access policies for use in inline or offline protection profiles. See Configuring URL access policy on page 216.

Configure one or more server protection rules for use in inline or offline protection profiles. See Configuring server protection rules on page 201.

Configure one or more page access rules for use in an inline protection profile. See Configuring page access rules on page 198.

Configure one or more input rules followed by one or more parameter validation rules for use in inline or offline protection profiles. See Configuring HTTP parameter validation rules on page 192.

Configure one or more hidden fields rules followed by one or more hidden fields protection policies for use in inline or offline protection profiles. See Configuring hidden field protection profiles on page 239.

Configure one or more start page policies for use in an inline protection profile. See Configuring start page rules on page 213.

Configure one or more brute force login policies for use in an inline protection profile. See Configuring brute force login profiles on page 224.

Configure one or more robot control policies for use in inline or offline protection profiles. See Configuring robot control profiles on page 227. Optionally, configure a custom robot control to include in the policy. See Configuring custom protection groups on page 209.

Configure one or more IP list policies for use in inline or offline protection profiles. See Configuring an IP list policy on page 220.

Configure one or more URL rewriting rules followed by one or more URL rewriting policies for use in an inline protection profile. See Configuring URL rewriting policy on page 244.

Configure one or more authentication rules followed by one or more authentication policies for use in an inline protection profile. See HTTP authentication policy workflow on page 259. Before you can create effective authentication rules, you must first configure users and user groups. See User creation workflow on page 107.

After you complete the applicable previous activities, configure one or more inline protection profiles (see Inline protection profile workflow on page 268) or offline protection profiles (see Offline protection profile workflow on page 274).

Order of execution
FortiWeb units perform each of the web protection profile scans and other actions in the following sequence, from the top of the table towards the bottom. Disabled scans are skipped.
Note: The blocking style varies by feature and configuration. For example, when detecting cookie poisoning, instead of resetting the HTTP connection, you could log and remove the offending cookie. For details, see each specific feature.

Table 76: Execution sequence of web protection techniques

Each scan/action is listed in order, with what it involves indented beneath it.

Request from client to server

IP (client IP list policy)
    Source IP address of the client

Brute Force Login
    Source IP address of the client and URL in the HTTP header

Standalone IP Access Limit / Share IP Access Limit (malicious robot/client rate limiting)
    Source IP address of the client

HTTP Authentication Policy
    Authorization:

HTTP Protocol Constraints
    Content-Length:, parameter length, body length, header length, and header line length

Host (protected real or virtual host)
    Host:

Cookie Poison
    Cookie:

Start Pages
    Host:, URL in HTTP header, and session state

Page Access Rule
    Host:, URL in HTTP header, and session state

URL Access Policy
    Host:, URL in HTTP header

Allow Request Method
    Host:, URL in HTTP header, and request method in HTTP header

Robot Control
    User-Agent:

Parameter Validation Rule
    Host:, URL in the HTTP header, and visible inputs' name, data type, and length

Hidden Fields Protection Rule
    Host:, URL in the HTTP header, and invisible inputs' name, data type, and length

Cross-Site Scripting, SQL Injection, Common Exploits
    Inputs

URL Rewriting Policy
    Host: and URL in HTTP header

Reply from server to client

Information Disclosure
    Server-identifying custom HTTP headers and error messages such as Server:

Credit Card Detection
    Credit card number in the body, and, if configured, Credit Card Detection Threshold

Responding to web protection rule violations


The FortiWeb unit responds to web protection rule violations according to predefined violation controls. The violation controls are associated with web protection rules using the Action, Severity, and Trigger Policy or Trigger Action fields associated with each rule type. See Table 77 on page 192 for a description. While every violation is recorded by the FortiWeb unit in a log message, you can control the specific response on a per-violation basis.


Table 77: Rule violation controls

Action
    Description: Defines the action FortiWeb takes when a violation of the rule occurs. The specific actions associated with a violation depend on the type of violation. The Action drop-down menu for each rule includes only the actions that apply to that particular rule. Select the specific action you want FortiWeb to perform when the associated violation occurs. The default action for each type of violation is Alert. For more information on logging and alerts, see Configuring and enabling logging on page 323.
    Options:
        Alert: Accept the connection and generate an alert and/or log message.
        Alert & Deny: Block the connection and generate an alert and/or log message.
        Redirect: Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message. For details, see Redirect URL on page 273.
        Send 403 Forbidden: Reply with an HTTP 403 (Access Forbidden) error message and generate an alert and/or log message.
        Pass: Allow the request. Similar to Alert but does not generate an alert and/or log message.
        Continue: Allow the request, applying any subsequent rules defined in the web protection profile. See Order of execution on page 190.
        Alert: Do not cloak, except for removing sensitive headers. (Sensitive information in the body remains unaltered.) Accept the connection and generate an alert and/or log message.
        Alert & Erase: Hide replies with sensitive information (sometimes called cloaking). Block the connection or remove the sensitive information, and generate an alert and/or log message.
        Note: This option is not fully supported in offline protection mode. Only an alert and/or log message can be generated; sensitive information will not be blocked or erased.

Severity
    Description: Defines the severity level associated with the rule violation. Select the severity level you want to assign to the violation.
    Options: Each violation type has a configurable severity. You can configure each violation type to be recorded and reported as either Low, Medium or High severity. The severity of the violation is recorded in the log message associated with the violation.

Trigger Policy or Trigger Action
    Description: Defines who gets notified when a violation of the rule occurs. Select the trigger policy you want FortiWeb to perform when the associated rule violation occurs. There is no default trigger action.
    Options: Trigger Action or Trigger Policy lists predefined trigger policies, if any exist. Select the appropriate policy. Trigger policies contain email policies that determine who will receive an alert email when the violation occurs, and/or whether the log message is recorded in a Syslog server or by FortiAnalyzer. For more information, see Configuring trigger policies on page 322.

Configuring HTTP parameter validation rules


Web Protection > Parameter Validation Rule > Parameter Validation Rule displays the list of parameter validation rules. The parameter validation rules are composed of individual HTTP input rules. The HTTP input rules define whether or not certain parameters are required in HTTP requests, and if so, the maximum allowed length of the parameter. Each HTTP input rule can be associated with a specific URL and/or host name. If a single HTTP request includes multiple identical parameters, the HTTP parameter validation rules are enforced for all instances of the parameter within the HTTP request.


Parameter validation rules are applied by selecting them within an inline or offline protection profile. For details, see Configuring inline protection profiles on page 268 or Configuring offline protection profiles on page 274. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.

Tip: Before you can configure an effective parameter validation rule, you must configure one or more input rules. See Configuring parameter validation input rules on page 194.

Table 78: Web Protection > Parameter Validation Rule > Parameter Validation Rule tab

Create New
    Click to add a parameter validation rule.

#
    Displays the index number of the entry in the list.

Name
    Displays the name of the entry.

Rule Count
    Displays the number of individual rules contained in the entry.

(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile.
    Click the Edit icon to modify the entry.

To configure a parameter validation rule
1 Go to Web Protection > Parameter Validation Rule > Parameter Validation Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the parameter validation rule. This field cannot be modified if you are editing an existing parameter validation rule. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New. A dialog appears.


6 Configure the following:

ID
    Enter the index number of the input rule within the parameter validation rule, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.

Input Rule
    Select the name of an input rule. For information on input rules, see Configuring parameter validation input rules on page 194.
    Note: If you want to view the information associated with the input rule used by this parameter validation rule, select the Detail link beside the Input Rule list. A read-only version of the Edit Input Rule window opens.

7 Repeat the previous steps for each input rule that you want to add to the parameter validation rule.
8 To modify an input rule, click its Edit icon. To remove a single input rule from the parameter validation rule, click its Delete icon. To remove all input rules from the parameter validation rule, click the Clear icon.
9 Click OK.

To apply the parameter validation rule, select it in an inline or offline protection profile. For details, see Configuring inline protection profiles on page 268 or Configuring offline protection profiles on page 274.

Attack log messages contain DETECT_PARAM_RULE_FAILED when this feature detects a parameter rule violation.

Tip: If you do not want sensitive inputs such as passwords to appear in the attack logs' packet payloads, you can obscure them. For details, see Obscuring sensitive data in the logs on page 329.

Configuring parameter validation input rules


Web Protection > Parameter Validation Rule > Input Rule displays the list of parameter validation input rules. Input rules define whether or not parameters are required, and their maximum allowed length, for HTTP requests matching the Host: in the HTTP header and URL defined in the input rule. Unlike hidden field groups, input rules are for visible inputs only. For information on constraining hidden inputs, see Configuring hidden field rules on page 241. Each input rule contains one or more individual rules. This enables you to define, within one input rule, all parameter restrictions that apply to HTTP requests matching that URL and host name.


For example, one web page might have multiple inputs: a user name, password, and a preference for whether or not to remember the login. Within the input rule for that web page, you could define separate rules for each parameter in the HTTP request: one rule for the user name parameter, one rule for the password parameter, and one rule for the preference parameter.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.

Table 79: Web Protection > Parameter Validation Rule > Input Rule tab

Create New
    Click to add an input rule.

#
    Displays the index number of the entry in the list.

Name
    Displays the name of the entry.

Host
    Displays the IP address or fully qualified domain name (FQDN) of the real or virtual host as it appears in the Host: field of the HTTP header of requests to which the entry applies.

Request URL
    Displays the URL, such as /index.php, as it appears in the HTTP request to which the entry applies.

Action
    Displays the action taken by FortiWeb when a violation of the input rule occurs. For information, see Responding to web protection rule violations on page 191.

Rule Count
    Displays the number of individual rules contained in the entry.

(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a parameter validation rule.
    Click the Edit icon to modify the entry.

Before you configure an input rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see Configuring protected servers on page 147.

To configure an input rule
1 Go to Web Protection > Parameter Validation Rule > Input Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.


3 In Name, type the name of the input rule. This field cannot be modified if you are editing an existing input rule. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

Host Status
    Enable to apply this input rule only to HTTP requests for specific web hosts. Also configure Host. Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

Host
    Select the IP address or FQDN of a protected host.

Request URL
    Depending on your selection in Request URL Type, type either:
        the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
        a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.
    Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list.
    To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

Request URL Type
    Select whether the Request URL field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).


Action, Severity and Trigger Policy
    The Action, Severity and Trigger Policy drop-down menus allow you to control what the FortiWeb unit will do when it detects a specific violation such as an attack, suspicious request or other threat. Each violation can be uniquely configured. The following actions are available for this type of attack:
        Alert
        Alert & Deny
        Redirect
        Send 403 Forbidden
    Note: If a WAF Auto Learning Profile will be selected in the policy with profiles that use this rule, you should select Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.
    For information on Action, Severity and Trigger Policy settings, see Responding to web protection rule violations on page 191.

5 Click OK.
6 Click Create New. A dialog appears.
7 Configure the following:

ID
    Enter the index number of the individual rule within the group of input rules, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.

Name
    Type the name of the input as it appears in the HTTP content, such as username.

Max Length
    Type the maximum allowed length of the parameter value. To disable the length limit, type 0.

Required
    Enable if the parameter is required for HTTP requests to this combination of Host: field and URL.

Use Type Check
    Enable to display Argument Type and Data Type settings.

Argument Type
    When Use Type Check is enabled, select one of:
        Data Type: use one of the predefined data types.
        Regular Expression: define a regular expression.
        Custom Data Type: use one of the custom data types.


Data Type
    Select a predefined data type. For information on data types, see Viewing the list of predefined data types on page 152. This option is only available when the Argument Type is Data Type.

Regular Expression
    Type a regular expression that matches all valid values, and no invalid values, for this input. To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. This option is only available when the Argument Type is Regular Expression.

Custom Data Type
    Select a custom data type. For information on custom data types, see Creating custom data types on page 156. This option is only available when the Argument Type is Custom Data Type.

8 Repeat the previous steps for each individual rule that you want to add to the group of input rules.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the group of input rules, click its Delete icon. To remove all individual rules from the group of input rules, click the Clear icon.
10 Click OK.

To apply the input rule, select it in a parameter validation rule. For details, see Configuring HTTP parameter validation rules on page 192.
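As an added illustration (not FortiWeb's code), the following Python models how an input rule of this kind is evaluated against a request: the Host:/Request URL match first, then each individual rule's Required, Max Length and Regular Expression type check, applied to every instance of a repeated parameter. The login rule, host name and request bodies are constructed for the example; the predefined and custom data type argument types are not modelled.

```python
"""Model of a parameter validation input rule (illustrative, not FortiWeb code).

Assumptions: host names, URLs and parameter values are constructed; only the
"Regular Expression" argument type of Use Type Check is modelled.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit


@dataclass
class ParamRule:
    """One individual rule: Name, Max Length, Required and optional type check."""
    name: str
    max_length: int = 0                 # 0 disables the length limit, as in the GUI
    required: bool = False
    type_regex: Optional[str] = None    # Argument Type = Regular Expression, if set


@dataclass
class InputRule:
    """Which Host:/URL the rule applies to, plus its per-parameter rules."""
    request_url: str
    url_is_regex: bool = False          # Request URL Type: Simple String vs Regular Expression
    host: Optional[str] = None          # None models Host Status disabled (any host)
    rules: List[ParamRule] = field(default_factory=list)

    def applies_to(self, host: str, path: str) -> bool:
        if self.host is not None and host.lower() != self.host.lower():
            return False
        if self.url_is_regex:
            return re.search(self.request_url, path) is not None
        return path == self.request_url


def check_request(rule: InputRule, host: str, request_uri: str, body: str = "") -> List[str]:
    """Return a list of violations; an empty list means the request passes.

    Query-string and body parameters are both inspected, and every instance of
    a repeated parameter is checked, as the text above describes.
    """
    parts = urlsplit(request_uri)
    if not rule.applies_to(host, parts.path):
        return []                       # rule does not apply to this request
    params: Dict[str, List[str]] = {}
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    for name, value in pairs:
        params.setdefault(name, []).append(value)

    violations: List[str] = []
    for pr in rule.rules:
        values = params.get(pr.name, [])
        if pr.required and not values:
            violations.append(f"{pr.name}: required parameter missing")
            continue
        for value in values:
            if pr.max_length and len(value) > pr.max_length:
                violations.append(f"{pr.name}: length {len(value)} exceeds {pr.max_length}")
            if pr.type_regex and re.fullmatch(pr.type_regex, value) is None:
                violations.append(f"{pr.name}: value fails type check")
    return violations


# Constructed example: the login page with user name, password and
# "remember me" preference described in the text above.
LOGIN_RULE = InputRule(
    request_url="/login.php",
    host="www.example.com",
    rules=[
        ParamRule("username", max_length=32, required=True, type_regex=r"[A-Za-z0-9_]+"),
        ParamRule("password", max_length=64, required=True),
        ParamRule("remember", max_length=1, type_regex=r"[01]"),
    ],
)

if __name__ == "__main__":
    print(check_request(LOGIN_RULE, "www.example.com", "/login.php",
                        "username=alice&password=s3cret&remember=1"))   # []
    print(check_request(LOGIN_RULE, "www.example.com", "/login.php",
                        "username=alice&username=bob'--&password=x"))
```

A violation list maps onto the rule's Action (Alert, Alert & Deny, and so on); the second call shows that the repeated username is caught on its second instance even though the first is valid.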

Configuring page access rules


Web Protection > Page Access Rule > Page Access Rule displays the list of page access rules. Page access rules define URLs that must be accessed in a specific order, such as to enforce the business logic of a web application. Requests for other, non-ordered URLs may interleave ordered URLs during the client's session. Page access rules may be specific to a web host.

For example, an e-commerce application might be designed to work properly in this order:
1 A client begins a session by adding an item to a shopping cart. (/addToCart.do?*)
2 The client either views and adds additional items to the shopping cart, or proceeds directly to the checkout.
3 The client confirms the items to purchase. (/checkout.do)
4 The client provides shipping information. (/shipment.do)
5 The client pays for the items and shipment, completing the transaction. (/payment.do)

Sessions that begin at the shipping or payment stage should therefore be invalid. If the web application does not enforce this rule itself, it could be open to cross-site request forgery (CSRF) attacks on the payment feature. To prevent such abuse, the FortiWeb unit could enforce the rule itself using a page access rule set with the following order:
1 /addToCart.do?item=*
2 /checkout.do?login=*
3 /shipment.do
4 /payment.do

Attempts to request /payment.do before those other URLs during a session would be denied, and generate an alert and/or attack log message (see Configuring and enabling logging on page 323).
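The ordered rule set above, worked through as an added example (illustrative Python, not FortiWeb's implementation): a per-session tracker that allows ordered URLs only in sequence, lets non-ordered URLs such as viewing the cart interleave, and flags a request that skips ahead with the DETECT_PAGE_RULE_FAILED message this guide says appears in the attack log. Session identifiers and the request sequence are constructed; Host matching and the session cookie mechanics of Session Management are left out.

```python
"""Session-state model of the page access rule described above (illustrative).

Assumptions: the ordered URL patterns are those in the text; "*" is the only
wildcard and every other character, including "?", is matched literally.
Session ids and request sequences are constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple

# The ordered set from the text: /payment.do must be preceded, within the
# same session, by the three URLs before it.
PAGE_ACCESS_RULE: List[str] = [
    "/addToCart.do?item=*",
    "/checkout.do?login=*",
    "/shipment.do",
    "/payment.do",
]


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Treat only '*' as a wildcard; escape everything else (including '?')."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


class PageAccessEnforcer:
    """Tracks, per session, the furthest ordered URL a client has legitimately reached."""

    def __init__(self, ordered_urls: List[str]):
        self.patterns = [_pattern_to_regex(p) for p in ordered_urls]
        self.progress: Dict[str, int] = {}      # session id -> index of last allowed step

    def _step_index(self, request_uri: str) -> int:
        for i, rx in enumerate(self.patterns):
            if rx.match(request_uri):
                return i
        return -1                                # not an ordered URL

    def check(self, session_id: str, request_uri: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for one request in the given session.

        Non-ordered URLs pass and leave the session state alone. An ordered
        URL is allowed if it is the first step, a repeat of a step already
        reached, or the step immediately after the last one reached.
        """
        idx = self._step_index(request_uri)
        if idx == -1:
            return True, "non-ordered URL"
        reached = self.progress.get(session_id, -1)
        if idx <= reached + 1:
            self.progress[session_id] = max(reached, idx)
            return True, f"step {idx + 1} of {len(self.patterns)}"
        # Attack log message the guide associates with this violation
        return False, "DETECT_PAGE_RULE_FAILED"


if __name__ == "__main__":
    enforcer = PageAccessEnforcer(PAGE_ACCESS_RULE)
    for uri in ["/payment.do", "/addToCart.do?item=42", "/viewCart.do",
                "/checkout.do?login=alice", "/payment.do", "/shipment.do", "/payment.do"]:
        print(uri, enforcer.check("constructed-session-1", uri))
```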


Use SNMP traps to notify you when a page access rule has been enforced. For details, see Configuring an SNMP community on page 68.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.

Table 80: Web Protection > Page Access Rule > Page Access Rule tab

Create New
    Click to add a page access rule.

#
    Displays the index number of the entry in the list.

Name
    Displays the name of the entry.

Rule Count
    Displays the number of individual rules contained in the entry.

(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline protection profile.
    Click the Edit icon to modify the entry.

To configure a page access rule
Before you configure a page access rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see Configuring protected servers on page 147.
1 Go to Web Protection > Page Access Rule > Page Access Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the page access rule. This field cannot be modified if you are editing an existing page access rule. To modify the name, delete the entry, then recreate it using the new name.


4 Configure the following:


Severity
    Select the severity level you want FortiWeb to use in the records and reports generated when a page access rule is violated. You can configure the severity to be either Low, Medium or High.

Trigger Policy
    Select the trigger policy you want FortiWeb to apply when a page access rule is violated. Trigger policies determine who will be notified by email when the violation occurs, and whether a log message associated with the violation is recorded in Syslog or FortiAnalyzer. For more information, see Configuring trigger policies on page 322.

5 Click OK.
6 Click Create New. A dialog appears.

7 Configure the following:

ID
    Type the index number of the individual rule within the page access rule, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number. Page access rules should be added to the set in the order in which clients will be permitted to access them. For example, if a client must access /login.asp before /account.asp, add the rule for /login.asp first.

Host
    Select the name of a protected host that the Host: field of an HTTP request must be in order to match the page access rule. This option is available only if Host Status is enabled.

Host Status
    Enable if you want the page access rule to apply only to HTTP requests for a specific web host. Also configure Host.

URL Pattern
    Depending on your selection in Type, enter either:
        the literal URL, such as /cart.php, that the HTTP request must contain in order to match the page access rule. The URL must begin with a slash ( / ).
        a regular expression, such as ^/*.php, matching all and only the URLs to which the page access rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /cart.cfm.
    Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list.
    To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

Type
    Select whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression.


8 Repeat the previous steps for each individual rule that you want to add to the page access rule.

9 To modify an individual rule, click its Edit icon. To remove an individual rule from the page access rule, click its Delete icon. To remove all individual rules from the page access rule, click the Clear icon.

10 Click OK.

To apply the page access rule, select it in an inline protection profile. For details, see Configuring inline protection profiles on page 268.

Note: In order for page access rules to be enforced, you must also enable Session Management on page 271 in the inline protection profile.

Attack log messages contain DETECT_PAGE_RULE_FAILED when this feature detects a request for a URL that violates the required sequence of URLs within a session.

Configuring server protection rules


Web Protection > Server Protection Rule > Server Protection Rule displays the list of server protection rules. Server protection rules enable and configure actions for several security features specifically designed to protect web servers, such as:
- cross-site scripting (XSS) attack prevention
- SQL injection prevention
- sensitive information disclosure prevention
- prevention of other injection attacks
- prevention of credit card data leaks

In addition to scanning standard requests, server protection rules can also scan action message format 3.0 (AMF3) binary inputs used by Adobe Flash clients to communicate with server-side software. For more information, see Enable AMF3 Protocol Detection on page 274 (for inline protection profiles) or Enable AMF3 Protocol Detection on page 278 (for offline protection profiles).

Attack definitions can be updated. For information on uploading a new set of attack definitions, see Uploading signature updates on page 101.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Tip: To extend the scope and versatility of a server protection rule, you can create and incorporate exceptions (see Configuring server protection exceptions on page 207) and custom protection groups (see Configuring custom protection groups on page 209).

Table 81: Web Protection > Server Protection Rule > Server Protection Rule tab

Create New
    Click to add a server protection rule.

#
    Displays the index number of the entry in the list.

Name
    Displays the name of the entry.

Extended Signature Set
    Indicates whether or not to use an extended set of attack definitions, which contains more attack definitions on top of the default set of attack definitions.
    - Basic: a basic set of signatures
    - Enhanced: an enhanced set of signatures, which also includes the basic set
    - Full: a full set of signatures, which also includes the basic set and enhanced set
    - Disable: the extended signature set is not used

(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile. Click the Edit icon to modify the entry. Click the View icon to view a predefined entry. Click Clone to create a new entry based on a predefined entry.

Before you configure a server protection rule, if you want to apply any exceptions, you must first define the server protection exception. For details, see Configuring server protection exceptions on page 207.
Tip: Alternatively, you can automatically configure a server protection rule that detects all attack types by generating a default auto-learning profile. For details, see Generating an auto-learning profile and its components on page 281.

To configure a server protection rule

1 Go to Web Protection > Server Protection Rule > Server Protection Rule.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A new dialog appears.

Alternatively, click the Clone icon to create a new entry based on a predefined entry. In this case, a dialog appears with just the Name field.

3 Configure the following:


Tip: A blue pointer in front of an attack type means there are additional attack subtypes associated with the main attack type. You must enable the main attack type in order to select the subtypes. Once the main attack type is enabled, click the pointer to expand the attack subtype list. You can then enable or disable individual attack subtypes, or select All/None to enable or disable all subtypes associated with the main attack type. Disabling the main attack type automatically disables all associated attack subtypes.

Name
    Type the name of the server protection rule. This field cannot be modified if you are editing an existing server protection rule. To modify the name, delete the entry, then recreate it using the new name.

Action, Severity and Trigger Action
    The Action, Severity and Trigger Action drop-down menus allow you to control what the FortiWeb unit will do when it detects a specific violation such as an attack, suspicious request or other threat. Each violation can be uniquely configured.
    Note: If a WAF Auto Learning Profile will be selected in the policy with profiles that use this rule, you should select the Alert action. If you select Alert & Deny instead, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.
    For information on Action, Severity and Trigger Action settings, see Responding to web protection rule violations on page 191.

Cross-Site Scripting
    Enable to prevent cross-site scripting (XSS) attacks. Once enabled, you can expand the list to see the individual subtypes associated with this main type of attack, such as CSRF (cross-site request forgery).
    Attack log messages contain DETECT_XSS_ATTACK when this feature detects a possible cross-site scripting attack.
    The following actions are available for this type of attack:
    - Alert
    - Alert & Deny
    - Redirect
    - Send 403 Forbidden
    For information on Action, Severity and Trigger Action settings, see Responding to web protection rule violations on page 191.

SQL Injection
    Enable to prevent SQL injection attacks. Once enabled, you can expand the list to see the individual subtypes associated with this main type of attack, such as blind SQL injection.
    Attack log messages contain DETECT_SQL_INJECTION when this feature detects a possible SQL injection attack.
    The following actions are available for this type of attack:
    - Alert
    - Alert & Deny
    - Redirect
    - Send 403 Forbidden
    For information on Action, Severity and Trigger Action settings, see Responding to web protection rule violations on page 191.

Common Exploits
    Enable to prevent common exploits. Once enabled, you can expand the list to select individual subtypes of this type of attack, such as an injection attack in a language other than SQL.
    Attack log messages contain Common Exploits and the subtype (for example, Common Exploits: Command Injection) when this feature detects a possible common exploit attack.
    The following actions are available for this type of attack:
    - Alert
    - Alert & Deny
    - Redirect
    - Send 403 Forbidden
    For information on Action, Severity and Trigger Action settings, see Responding to web protection rule violations on page 191.

Information Disclosure
    Enable to detect server errors and other sensitive messages in the requested document and HTTP headers. Once enabled, you can expand the list to select individual subtypes of this type of attack, such as enabling CF Information Leakage (Adobe ColdFusion server information).
    Error messages, HTTP headers such as Server: Microsoft-IIS/6.0, and other messages could inform attackers of the vendor, product, and version numbers of software running on your web servers, thereby advertising their specific vulnerabilities. Sensitive information is predefined according to fixed signatures.
    Attack log messages contain DETECT RESPONSE INFORMATION DISCLOSURE when this feature detects sensitive information.
    The following actions are available for this type of attack:
    - Alert
    - Alert & Erase (Note: This option is not fully supported in offline protection mode. Only an alert and/or log message can be generated; sensitive information will not be blocked or erased.)
    - Redirect
    For information on Action, Severity and Trigger Action settings, see Responding to web protection rule violations on page 191.
    Note: Because this feature can potentially require the FortiWeb unit to rewrite the header and body of every response from a server, it can result in a performance decrease. To minimize impact, Fortinet recommends enabling this feature only to help you identify information disclosure through logging, and only until you can reconfigure the server to omit such sensitive information.
    Note: Some attackers use 4XX HTTP status codes to determine information about a site (whether a page exists, has login failures, and so on). Normally, the FortiWeb unit raises attack logs for this type of attack, but too many 4XX HTTP status events may obfuscate other information disclosure logs. You can turn off these types of logs by disabling the HTTP Return Code 4XX option.
    Note: Some attackers use 5XX HTTP status codes to determine information about the HTTP server (Not Implemented, Service Unavailable, and so on). Normally, the FortiWeb unit raises attack logs for this type of attack, but too many 5XX HTTP status events may obfuscate other information disclosure logs. You can turn off these types of logs by disabling the HTTP Return Code 5XX option.

Remote File Inclusion
    Enable to prevent remote file inclusion. Once enabled, you can expand the list to enable or disable detection of the various remote file inclusion signatures.
    The following actions are available for this type of attack:
    - Alert
    - Alert & Deny
    - Redirect
    - Send 403 Forbidden
    For information on Action, Severity and Trigger Action settings, see Responding to web protection rule violations on page 191.

Custom Protection Group
    Select a custom protection group to use, if any. For details, see Configuring custom protection groups on page 209.
    Note: If you want to view the information associated with the custom protection group used by this server protection rule, select the Detail link beside the Custom Protection Group list. A read-only version of the Edit Custom Protection Group window opens.

Credit Card Detection
    Enable to detect credit card numbers in the response from the server. Also configure Credit Card Detection Threshold.
    Credit card numbers being sent from the server to the client could constitute a violation of PCI DSS. In most cases, the client should only receive mostly-obscured versions of their credit card number, if they require it to confirm which card was used. This prevents bystanders from viewing the number, and also reduces the number of times that the actual credit card number could be observed by network attackers. For example, a web page might confirm a transaction by displaying a credit card number as:
    XXXX XXXX XXXX 1234
    This mostly-obscured version protects the credit card number from unnecessary exposure and disclosure. It would not trigger the credit card number detection feature.
    However, if a web application does not obscure displays of credit card numbers, or if an attacker has found a way to bypass the application's protection mechanisms and gain a list of customers' credit card numbers, a web page might contain a list with many credit card numbers in clear text. Such a web page would be considered a data leak, and trigger credit card number disclosure detection.
    Attack log messages contain DETECT RESPONSE INFORMATION disclosure: credit card leakage when this feature detects credit card number disclosure.
    The following actions are available for this type of attack:
    - Alert
    - Alert & Deny
    - Alert & Erase
    For information on Action, Severity and Trigger Action settings, see Responding to web protection rule violations on page 191.

Credit Card Detection Threshold
    Enter 0 to report any credit card number disclosure, or enter a threshold if the web page must contain a number of credit card numbers that equals or exceeds the threshold in order to trigger the credit card number detection feature. For example, to ignore web pages with only one credit card number, but to detect when a web page contains two or more credit card numbers, enter 2.

Extended Signature Set
    Clear Disable to enable the level of additional attack definitions you want to use. The extended set of attack definitions contains more attack definitions on top of the default set of attack definitions. You can select checking against:
    - Basic: a basic set of signatures
    - Enhanced: an enhanced set of signatures, which also includes the basic set
    - Full: a full set of signatures, which also includes the basic set and enhanced set
    You can also disable checking against extended signature sets.
    While the Full signature set can detect more attacks, it might also cause false positives. Select a lower level of checking to reduce false positives.
    For information on Action, Severity and Trigger Action settings, see Responding to web protection rule violations on page 191.

Exception Name
    Select which server protection exception to use, if any.
    Note: If you want to view the information associated with the exception used by this server protection rule, select the Detail link beside the Exception Name list. A read-only version of the Edit Server Protection Exception window opens.

4 Click OK. To apply the server protection rule, select it in an inline protection profile or an offline protection profile. For details, see Configuring inline protection profiles on page 268 or Configuring offline protection profiles on page 274.

Configuring server protection exceptions


Web Protection > Server Protection Rule > Server Protection Exception displays the list of server protection exceptions. Exceptions may be useful if you know that some URLs, during normal use, will cause false positives by matching an attack signature. Server protection exceptions define request URLs that will not be subject to server protection rules.

For example, if the HTTP POST URL /pageupload should accept input that is PHP code, but it is the only URL on the host that should do so, you would create an exception with PHP Injection, then use that exception in the server protection rule that normally would block all injection attacks.

Server protection exception rules can be created directly from the detail view for attack log entries. A server protection exception must be created first.

Server protection exceptions are applied by selecting them within a server protection rule. For details, see Configuring server protection rules on page 201.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 82: Web Protection > Server Protection Rule > Server Protection Exception tab

Create New
    Click to add a server protection exception.

#
    Displays the index number of the entry in the list.

Name
    Displays the name of the entry.

Rule Count
    Displays the number of individual exceptions contained in the entry.

(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server protection rule. Click the Edit icon to modify the entry.

To configure a server protection exception

1 Go to Web Protection > Server Protection Rule > Server Protection Exception.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the server protection exception. This field cannot be modified if you are editing an existing server protection exception. To modify the name, delete the entry, then recreate it using the new name.

4 Click OK. A dialog appears.

5 Configure the following:


Tip: A pointer in front of an attack type means there are additional attack subtypes associated with the main attack type. You must enable the main attack type in order to select the subtypes. Once the main attack type is enabled, click the pointer to expand the attack subtype list. You can then enable or disable individual attack subtypes, or select All/None to enable or disable all subtypes associated with the main attack type. Disabling the main attack type automatically disables all associated attack subtypes.

ID
    Enter the index number of the individual entry within the server protection exception, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.

Host
    Select the protected hosts entry (either a web host name or IP address) that the Host: field of the HTTP request must match in order to match the server protection exception. This option is available only if Host Status is enabled.

Host Status
    Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the server protection exception. Also configure Host.

Type
    Select whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression.

URL Pattern
    Depending on your selection in Type, type either:
    - the literal URL, such as /causes-false-positives.php, that the HTTP request must contain in order to match the server protection exception. The URL must begin with a slash ( / ).
    - a regular expression, such as ^/.*.php, matching all and only the URLs to which the server protection exception should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /bbcode.cfm. Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list.
    To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

Note: For each of the attack types below, select the blue arrow to expand the entry and select or clear the individual rules contained in the entry.

Cross-Site Scripting
    Enable to omit detection of cross-site scripting (XSS) attacks, then disable individual attack subclasses that you do not want to omit, if any.

SQL Injection
    Enable to omit detection of SQL injection attacks, then disable individual attack subclasses that you do not want to omit, if any.

Common Exploits
    Enable to omit detection of common exploits, such as an injection attack in a language other than SQL, then disable individual attack subclasses that you do not want to omit, if any.

Information Disclosure
    Enable to omit detection of server errors and other sensitive messages in the requested document and HTTP headers, then disable individual information subclasses that you do not want to omit, if any, from the Information Disclosure drop-down list.

Remote File Inclusion
    Enable to omit detection of remote file inclusion, then disable individual remote file inclusion signatures that you do not want to omit, if any.

Credit Card Detection
    Enable to omit detection of credit card numbers in the response from the server.

6 Repeat the previous steps for each entry that you want to add to the server protection exception.

7 To create exception rules from individual attack log entries, open the detail view for the log entry, and click New Protection Exception. Select the name of an existing protection exception to add the rule to. For more information on viewing attack log details, see Viewing log messages on page 331.

8 To modify a server protection exception, click its Edit icon. To remove a single entry from the exception, click its Delete icon. To remove all entries from the exception, click the Clear icon.

9 Click OK.

To apply the server protection exception, select it in a server protection rule. For details, see Configuring server protection rules on page 201.
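The following Python is an added example, not FortiWeb code: it shows how the exception fields Host Status, Host, Type and URL Pattern decide whether a request matches an exception entry, and how a matching entry removes only the omitted attack types from what a server protection rule would otherwise enforce. It assumes an exact match on the request path for Simple String, re.search on the path for Regular Expression, and the constructed /pageupload and /bbcode.cfm entries below.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ExceptionEntry:
    """One individual entry of a server protection exception: the GUI fields
    Host Status, Host, Type and URL Pattern, plus the attack types (and
    subtypes) whose detection the entry omits."""
    url_pattern: str
    pattern_type: str = "Simple String"      # or "Regular Expression"
    host_status: bool = False
    host: Optional[str] = None               # a protected hosts entry
    # attack type -> set of omitted subtypes; None omits every subtype
    omit: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.pattern_type == "Simple String" and not self.url_pattern.startswith("/"):
            raise ValueError("a literal URL must begin with a slash")
        if self.pattern_type == "Regular Expression":
            self.regex = re.compile(self.url_pattern)

    def matches(self, request_host: str, request_url: str) -> bool:
        # The web host is matched on its own; it is never part of the URL pattern.
        if self.host_status and request_host.lower() != (self.host or "").lower():
            return False
        path = request_url.split("?", 1)[0]  # assumption: query string not matched
        if self.pattern_type == "Simple String":
            return path == self.url_pattern  # assumption: exact literal match
        return self.regex.search(path) is not None

    def omits(self, attack_type: str, subtype: str) -> bool:
        if attack_type not in self.omit:
            return False
        subtypes = self.omit[attack_type]
        return subtypes is None or subtype in subtypes


def enforced_detections(entries, request_host, request_url, detected):
    """Given the (attack type, subtype) detections a server protection rule
    raised for one request, drop those omitted by a matching exception entry."""
    applicable = [e for e in entries if e.matches(request_host, request_url)]
    return [(atype, sub) for atype, sub in detected
            if not any(e.omits(atype, sub) for e in applicable)]


# Constructed entry following the guide's /pageupload example: only that URL,
# and only on www.example.com, may accept PHP code, so only the PHP Injection
# subtype of Common Exploits is omitted there.
UPLOAD_EXCEPTION = ExceptionEntry(
    url_pattern="/pageupload", pattern_type="Simple String",
    host_status=True, host="www.example.com",
    omit={"Common Exploits": {"PHP Injection"}})

# Constructed entry for the guide's /bbcode.cfm example: the page legitimately
# echoes markup, so every Cross-Site Scripting subtype is omitted on any host.
BBCODE_EXCEPTION = ExceptionEntry(
    url_pattern=r"^/bbcode\.cfm", pattern_type="Regular Expression",
    omit={"Cross-Site Scripting": None})

EXCEPTIONS = [UPLOAD_EXCEPTION, BBCODE_EXCEPTION]

if __name__ == "__main__":
    found = [("Common Exploits", "PHP Injection"),
             ("SQL Injection", "Blind SQL Injection")]
    # Only the SQL injection detection survives on the upload URL.
    print(enforced_detections(EXCEPTIONS, "www.example.com", "/pageupload?v=2", found))
    # On another host the exception does not apply, so both are enforced.
    print(enforced_detections(EXCEPTIONS, "other.example.com", "/pageupload", found))
```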

Configuring custom protection groups


Web Protection > Server Protection Rule > Custom Protection Group displays the list of custom protection groups. Custom protection groups enable you to assemble individual custom protection rules into groups.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 83: Web Protection > Server Protection Rule > Custom Protection Group tab

Create New
    Click to add a custom protection group.

#
    Displays the index number of the entry in the list.

Name
    Displays the name of the entry.

Rule Count
    Displays the number of individual custom protection rules contained in the group.

(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server protection rule. Click the Edit icon to modify the entry.

Tip: Before you can configure a custom protection group, you must first configure one or more custom protection rules. For details, see Configuring custom protection rules on page 211.

To configure a custom protection group

1 Go to Web Protection > Server Protection Rule > Custom Protection Group.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the custom protection group. This field cannot be modified if you are editing an existing custom protection group. To modify the name, delete the entry, then recreate it using the new name.

4 To modify the custom protection rules associated with a protection group, click its Edit icon. To remove a single entry, click its Delete icon. To remove all entries, click the Clear icon.

5 Click OK.

6 To associate specific custom protection rules with the custom protection group, click Create New. A dialog appears.

7 Configure the following:


ID
    Number automatically assigned to the new protection group.

Custom Protection Rule
    Select the specific custom protection rule to be applied to the protection group. For information on custom protection rules, see Configuring custom protection rules on page 211.
    Note: If you want to view the information associated with the custom protection rule used by this custom protection group, select the Detail link beside the custom protection rule list. A read-only version of the Edit Custom Protection Rule window opens.

8 Click OK. To apply the custom protection group, select it in a server protection rule. For details, see Configuring server protection rules on page 201.

Configuring custom protection rules


Web Protection > Server Protection Rule > Custom Protection Rule displays the list of custom protection rules that have been created. Custom protection rules enable creation of custom signatures and custom data leakage expressions, which can then be associated with custom protection groups and server protection rules.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.

Table 84: Web Protection > Server Protection Rule > Custom Protection Rule tab

Create New
    Click to add a custom protection rule.

#
    Displays the index number of the entry in the list.

Name
    Displays the name of the entry.

(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server protection rule. Click the Edit icon to modify the entry.

To configure a custom protection rule

1 Go to Web Protection > Server Protection Rule > Custom Protection Rule.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the custom protection rule. This field cannot be modified if you are editing an existing custom protection rule. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:


Type
    Select the type of data that the rule applies to: Signature Creation or Data Leakage.

Check Count
    Enter the threshold for the number of data leakage reports before triggering the action specified for this rule. Appears only if Data Leakage is selected.

Case Sensitive
    Select to specify that case sensitivity is used for rule checking.

Expression
    Enter the string of text that defines the type of data the rule will check. To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

Action, Severity and Trigger Policy
    The Action, Severity and Trigger Policy drop-down menus allow you to control what the FortiWeb unit will do when it detects a specific violation such as an attack, suspicious request or other threat. Each violation can be uniquely configured.
    The following actions are available for this type of attack:
    - Alert
    - Alert & Deny
    - Redirect
    - Send 403 Forbidden (only if Type is Signature Creation)
    - Alert & Erase (only if Type is Data Leakage)
    Note: If a WAF Auto Learning Profile will be selected in the policy with profiles that use this rule, you should select Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.
    For information on Action, Severity and Trigger Policy settings, see Responding to web protection rule violations on page 191.

5 Click OK.

6 Repeat this procedure for each individual rule that you want to add to a custom protection group.

To apply the custom protection rule, select it in a custom protection group. For details, see Configuring custom protection groups on page 209.
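As an added example (not FortiWeb's own code or signatures), the Python below models how a response scanner applies the Credit Card Detection feature and its Credit Card Detection Threshold described under server protection rules, the Alert & Erase action, and a custom protection rule of Type Data Leakage with its Expression, Check Count and Case Sensitive fields. It assumes a Luhn checksum as the filter for candidate numbers and that Check Count uses the same threshold semantics as the credit card threshold; the sample responses are constructed.

```python
import re
from dataclasses import dataclass

# Candidate card number: 13 to 19 digits, optionally separated by single
# spaces or dashes, not embedded in a longer run of digits. A mostly obscured
# number such as "XXXX XXXX XXXX 1234" leaves only four digits and so never
# matches, which is the behaviour the guide describes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Assumption: the guide does not say how FortiWeb's
    signature validates a candidate; the checksum is used here to drop order
    or reference numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> list:
    """Clear-text card numbers found in a server response body."""
    return [m.group() for m in CARD_RE.finditer(body)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


def credit_card_detection(body: str, threshold: int) -> tuple:
    """Credit Card Detection with its threshold: 0 reports any disclosure,
    otherwise the page must contain at least `threshold` card numbers.
    Returns (count, triggered)."""
    count = len(find_card_numbers(body))
    triggered = count > 0 if threshold == 0 else count >= threshold
    return count, triggered


def erase_card_numbers(body: str) -> str:
    """The Alert & Erase action: rewrite each detected number into the mostly
    obscured form the guide shows (XXXX XXXX XXXX 1234), keeping only the last
    four digits. Digit runs that fail the checksum are left untouched."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()
        masked = "X" * (len(digits) - 4) + digits[-4:]
        return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))
    return CARD_RE.sub(mask, body)


@dataclass
class CustomDataLeakageRule:
    """A custom protection rule of Type = Data Leakage."""
    name: str
    expression: str          # Expression
    check_count: int         # Check Count
    case_sensitive: bool     # Case Sensitive

    def evaluate(self, body: str) -> tuple:
        """Returns (match count, triggered). Assumption: Check Count behaves
        like the credit card threshold, so 0 fires on any match and a positive
        value requires at least that many matches."""
        flags = 0 if self.case_sensitive else re.IGNORECASE
        count = len(re.findall(self.expression, body, flags))
        triggered = count > 0 if self.check_count == 0 else count >= self.check_count
        return count, triggered


# Constructed sample responses (not captured from any real server).
CONFIRMATION_PAGE = (
    "<p>Thank you. Card used: XXXX XXXX XXXX 1234</p>"
    "<p>Order reference: 1234 5678 9012 3456</p>"   # fails Luhn, not a card
)
LEAKED_LIST = (
    "<tr><td>alice</td><td>4111 1111 1111 1111</td></tr>"
    "<tr><td>bob</td><td>5500-0000-0000-0004</td></tr>"
    "<tr><td>carol</td><td>4012888888881881</td></tr>"
)
IIS_ERROR = "HTTP/1.1 500 Internal Server Error\r\nserver: microsoft-iis/6.0\r\n"

# Constructed custom rule for the Server: Microsoft-IIS/6.0 banner the guide
# gives as an information disclosure example; case-insensitive, any count.
IIS_BANNER_RULE = CustomDataLeakageRule(
    name="iis-banner", expression=r"Server: Microsoft-IIS/\d+\.\d+",
    check_count=0, case_sensitive=False)

if __name__ == "__main__":
    print(credit_card_detection(CONFIRMATION_PAGE, 0))  # (0, False)
    print(credit_card_detection(LEAKED_LIST, 2))        # (3, True)
    print(erase_card_numbers(LEAKED_LIST))
    print(IIS_BANNER_RULE.evaluate(IIS_ERROR))          # (1, True)
```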

Configuring start page rules


Web Protection > Start Pages > Start Pages displays the list of main web pages. When you select a start page group in the inline protection profile, HTTP clients must begin from a valid start page in order to initiate a valid session. For example, you may wish to specify that HTTP clients of an e-commerce web site must begin their session from either an item view or the first stage of the shopping cart checkout, and cannot begin a valid session from the third stage of the shopping cart checkout.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 85: Web Protection > Start Pages > Start Pages tab

Create New
    Click to add a group of start pages.

#
    Displays the index number of the entry in the list.

Name
    Displays the name of the entry.

Page Count
    Displays the number of individual URLs contained in the entry.

(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline protection profile. Click the Edit icon to modify the entry.

To configure a start page group

Before you configure a start page rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see Configuring protected servers on page 147.

1 Go to Web Protection > Start Pages > Start Pages.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the start page rule. This field cannot be modified if you are editing an existing start page rule. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

Action, Severity and Trigger Policy
    The Action, Severity and Trigger Policy drop-down menus allow you to control what the FortiWeb unit will do when it detects a specific violation such as an attack, suspicious request or other threat. Each violation can be uniquely configured.
    The following actions are available for this type of attack:
    - Alert
    - Alert & Deny
    - Redirect
    - Send 403 Forbidden
    Note: If a WAF Auto Learning Profile will be selected in the policy with profiles that use this rule, you should select Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.
    For information on Action, Severity and Trigger Policy settings, see Responding to web protection rule violations on page 191.

5 Click OK.

6 Click Create New. A dialog appears.

7 Configure the following:


ID
    Enter the index number of the start page within the group of start pages, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.

Host
    Select the protected hosts entry (either a web host name or IP address) that the Host: field of the HTTP request must match in order to match a valid start page. This option is available only if Host Status is enabled.

Host Status
    Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match a valid start page. Also configure Host.

Type
    Select whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression.

URL Pattern
    Depending on your selection in Type, type either:
    - the literal URL, such as /index.php, that the HTTP request must contain in order to match the start page rule. The URL must begin with a slash ( / ).
    - a regular expression, such as ^/*.php, matching all and only the URLs to which the start page rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm. Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list.
    To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

Default
    Select Yes to use the page as the default for HTTP requests that either:
    - do not specify any URL
    - do not specify the URL of a valid start page (only if you have selected Redirect from Action)

8 Repeat the previous steps for each start page that you want to add to the group of start pages.
9 To modify a start page, click its Edit icon. To remove a single start page from the group of start pages, click its Delete icon. To remove all start pages from the group of start pages, click the Clear icon.
10 Click OK.
To apply the group of start pages, select it in an inline protection profile. For details, see Configuring inline protection profiles on page 268.


Note: In order for start pages to be enforced, you must also enable Session Management on page 271 in the inline protection profile.

Attack log messages contain DETECT_START_PAGE_FAILED when this feature detects a start page violation.
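The following is an added example, written for this guide and not FortiWeb code, of the start page check described above: the first request of a new session must match a start page (Host and URL Pattern, literal or regular expression), and a miss is handled by the chosen Action, with Redirect sending the client to the page marked Default. The session cookie names ("sid1", ...), the hosts, URLs and the log line layout are constructed for the example; the page only states that session management must be enabled and that a violation logs DETECT_START_PAGE_FAILED, so treating "no known session cookie" as "new session" is an assumption.

```python
"""Start page enforcement, modelled on the start page rules described above.

Added example, not FortiWeb's own code. Assumptions beyond the page:
- Session Management is on: a request without a known session cookie starts a
  new session, and only that first request is checked against the start pages.
- Session cookie values ("sid1", ...) and the log line format are invented.
- "Redirect" sends the client to the start page marked Default.
"""
import itertools
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class StartPage:
    """One start page: URL Pattern, Type (Simple String / Regular Expression), Host, Default."""
    pattern: str
    regex: bool = False
    host: Optional[str] = None      # None models Host Status disabled
    default: bool = False

    def matches(self, host: str, url: str) -> bool:
        if self.host is not None and host != self.host:
            return False
        if self.regex:
            return re.search(self.pattern, url) is not None
        return url == self.pattern


class StartPageGroup:
    """A group of start pages plus the Action chosen for the group."""

    def __init__(self, pages: List[StartPage], action: str = "Redirect"):
        self.pages = pages
        self.action = action
        self.sessions = set()              # cookies issued by session management (assumed)
        self._ids = itertools.count(1)
        self.log: List[str] = []           # attack log lines

    def default_url(self) -> Optional[str]:
        for page in self.pages:
            if page.default and not page.regex:   # only a literal URL can be a redirect target
                return page.pattern
        return None

    def _new_session(self) -> str:
        cookie = f"sid{next(self._ids)}"
        self.sessions.add(cookie)
        return cookie

    def check(self, host: str, url: str, cookie: Optional[str] = None) -> Tuple[str, Optional[str]]:
        """Return (verdict, value): verdict is pass/alert/deny/403/redirect; value is the
        session cookie for pass/alert, the redirect target for redirect, else None."""
        if cookie in self.sessions:
            return "pass", cookie                      # established session: not re-checked
        if any(page.matches(host, url) for page in self.pages):
            return "pass", self._new_session()
        self.log.append(f"DETECT_START_PAGE_FAILED host={host} url={url}")
        if self.action == "Alert":
            return "alert", self._new_session()        # logged but allowed through
        if self.action == "Alert & Deny":
            return "deny", None
        if self.action == "Send 403 Forbidden":
            return "403", None
        return "redirect", self.default_url()


def build_group(action: str = "Redirect") -> StartPageGroup:
    return StartPageGroup([
        StartPage("/index.php", host="www.example.com", default=True),
        StartPage(r"^/login/", regex=True),            # any URL under /login/, any host
    ], action)


# Constructed requests: (Host: header, URL, session cookie presented)
REQUESTS = [
    ("www.example.com", "/index.php", None),          # new session via the start page
    ("www.example.com", "/account.php", "sid1"),      # same session, deep link is fine
    ("www.example.com", "/account.php", None),        # deep link with no session: violation
    ("www.example.com", "/login/sso", None),          # regex start page
    ("other.example.com", "/index.php", None),        # Host: does not match the rule's Host
]


def run_demo(action: str = "Redirect"):
    group = build_group(action)
    verdicts = [group.check(*req) for req in REQUESTS]
    return verdicts, group.log
```

The third and fifth requests are the ones the feature exists for: a client that arrives at an inner page without having passed through a start page, and a client whose Host: header does not match the host the rule was written for. With Action set to Alert they are logged and a session is still created, which is the behaviour the auto-learning note above relies on.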

Configuring URL access policy


Web Protection > URL Access Policy > URL Access Policy displays the list of URL access policies. URL access policies enable you to group individual URL access rules that define which HTTP requests to allow or deny based upon their host name and URL.
Note: URL access rules are evaluated after some other rules. For details, see Order of execution on page 190.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Tip: Before you can configure an effective URL access policy, you must configure one or more URL access rules. See Configuring URL access rules on page 218.

Table 86: Web Protection > URL Access Policy > URL Access Policy tab

Create New: Click to add a URL access policy.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
URL Access Count: Displays the number of individual URL access rules contained in the entry.
(No column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile. Click the Edit icon to modify the entry.

To configure a URL access policy
1 Go to Web Protection > URL Access Policy > URL Access Policy.


2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the policy. This field cannot be modified if you are editing an existing URL access policy. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New. A dialog appears.

6 Configure the following:


ID: Enter the index number of the individual rule within the URL access policy, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.
Priority: Enter the priority of this rule in relation to the other rules in the policy. Rules with a lower priority value are applied first.
Access Rule Name: Choose the name of a predefined URL access rule to add to the policy. See Configuring URL access rules on page 218 for more information about defining URL access rules.
Note: To view the information associated with the URL access rule used by this policy, select the Detail link beside the Access Rule Name list. A read-only version of the URL Access Rule window opens.

7 Click OK.
8 Repeat the previous two steps for each individual rule that you want to add to the URL access policy.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the URL access policy, click its Delete icon. To remove all rules from the URL access policy, click the Clear icon.


10 Click OK.
To apply the URL access policy, select it in an inline or offline protection profile. For details, see Configuring inline protection profiles on page 268 or Configuring offline protection profiles on page 274.

Configuring URL access rules


Web Protection > URL Access Policy > URL Access Rule displays the list of URL access rules. URL access rules define HTTP requests that will be accepted or denied based upon their host name and URL.
Caution: IP trust policy rules only block initial requests from a client. They do not block server-side redirects. For more information, see Configuring an IP list policy on page 220.

Note: URL access rules are evaluated after some other rules. For details, see Order of execution on page 190.

Use SNMP traps to notify you when a URL access rule is enforced. For details, see Configuring an SNMP community on page 68.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 87: Web Protection > URL Access Policy > URL Access Rule tab

Create New: Click to add a URL access rule.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Count: Displays the number of individual conditions contained in the entry.
Host: Displays the name of the host (either a web host name or IP address) that the Host: field of an HTTP request must match in order to match the URL access rule.
Action: Displays the action taken by FortiWeb when a violation of the access rule occurs. For information, see Responding to web protection rule violations on page 191.
(No column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a URL access policy. Click the Edit icon to modify the entry.

Before you configure a URL access rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see Configuring protected servers on page 147.

To configure a URL access rule
1 Go to Web Protection > URL Access Policy > URL Access Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the URL access rule. This field cannot be modified if you are editing an existing URL access rule. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:

Host Status: Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the URL access rule. Also configure Host.
Host: Select which protected hosts entry (either a web host name or IP address) the Host: field of the HTTP request must match in order to match the URL access rule. This option is available only if Host Status is enabled.
Action, Severity and Trigger Policy: The Action, Severity and Trigger Policy drop-down menus allow you to control what the FortiWeb unit will do when it detects a violation, such as an attack, suspicious request or other threat. Each violation can be uniquely configured. The following actions are available for this type of attack:
Pass
Alert & Deny
Continue
For information on Action, Severity and Trigger Policy settings, see Responding to web protection rule violations on page 191.

5 Click OK.


6 Click Create New. A dialog appears.

7 Configure the following:


ID: Enter the index number of the individual condition within the URL access rule, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.
URL Type: Indicate whether the text entered in URL Pattern is a regular expression or a simple text string.
URL Pattern: Depending on your selection in URL Type, enter either:
the literal URL, such as /index.php. The URL must begin with a slash ( / ).
a regular expression, such as ^/.*\.php$, matching all and only the desired URLs. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm. When you finish typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list for the URL access rule.
Meet this condition if: Select whether the access condition is met when the HTTP request matches the regular expression (or text string), or when it does not match the regular expression (or text string).

8 Click OK.
9 Repeat the previous steps for each individual condition that you want to add to the URL access rule.
10 Click OK.
To apply the URL access rule, select it in a URL access policy. For details, see Configuring URL access policy on page 216.
Attack log messages contain DETECT_URLACCESS_PAGE when this feature detects a suspicious HTTP request.
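The following is an added example, not FortiWeb code, that puts the two procedures above together: a URL access policy is a priority-ordered list of URL access rules, each rule is a Host plus one or more URL conditions (Simple String or Regular Expression, matched or not matched), and the first matching rule's Action decides the outcome. The page does not say how multiple conditions in one rule combine or exactly what Pass and Continue do, so the example assumes conditions are ANDed, Pass allows and stops URL access evaluation, Continue logs and keeps evaluating, and Alert & Deny logs and blocks. Simple String is taken as an exact comparison with the request path. The rule names, hosts, URLs and log line layout are constructed for the example.

```python
"""URL access policy evaluation, modelled on the URL access rules and policy above.

Added example, not FortiWeb's own code. Assumptions beyond the page:
- A rule matches when its Host (if Host Status is on) matches and every one of
  its conditions is met (conditions combined with AND).
- Pass allows the request and stops URL access evaluation; Alert & Deny logs and
  blocks; Continue logs and goes on to the next rule (and other scans).
- Simple String compares the whole request path; rule names, the log line format
  and the sample requests are invented.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Condition:
    """One condition of a URL access rule."""
    pattern: str
    regex: bool = False      # URL Type: Regular Expression vs Simple String
    negate: bool = False     # "Meet this condition if" the request does NOT match

    def met(self, url: str) -> bool:
        if self.regex:
            hit = re.search(self.pattern, url) is not None
        else:
            hit = url == self.pattern
        return hit != self.negate


@dataclass
class AccessRule:
    name: str
    action: str                       # Pass, Alert & Deny, Continue
    conditions: List[Condition]
    host: Optional[str] = None        # None models Host Status disabled

    def matches(self, host: str, url: str) -> bool:
        if self.host is not None and host != self.host:
            return False
        return all(c.met(url) for c in self.conditions)   # assumption: AND


@dataclass
class PolicyMember:
    priority: int       # lower value is evaluated first
    rule: AccessRule


def evaluate(policy: List[PolicyMember], host: str, url: str, log: List[str]) -> str:
    """Return 'pass', 'deny' or 'continue' for one request."""
    for member in sorted(policy, key=lambda m: m.priority):
        rule = member.rule
        if not rule.matches(host, url):
            continue
        if rule.action == "Pass":
            return "pass"
        log.append(f"DETECT_URLACCESS_PAGE rule={rule.name} action={rule.action} host={host} url={url}")
        if rule.action == "Alert & Deny":
            return "deny"
        # Continue: the violation is logged, evaluation moves on
    return "continue"


POLICY = [
    PolicyMember(1, AccessRule("admin-from-intranet", "Pass",
                               [Condition(r"^/admin/", regex=True)], host="intranet.example.com")),
    PolicyMember(2, AccessRule("block-admin", "Alert & Deny",
                               [Condition(r"^/admin/", regex=True)])),
    PolicyMember(3, AccessRule("log-unexpected-types", "Continue",
                               [Condition(r"\.(php|css|js|png)$", regex=True, negate=True)])),
]

# Constructed requests: (Host: header, URL)
REQUESTS = [
    ("intranet.example.com", "/admin/users.php"),   # allowed by the Pass rule
    ("www.example.com", "/admin/users.php"),        # Pass rule's Host fails, deny rule hits
    ("www.example.com", "/index.php"),              # matches no rule
    ("www.example.com", "/backup.zip"),             # logged by the Continue rule, not blocked
]


def run_demo():
    log: List[str] = []
    return [evaluate(POLICY, host, url, log) for host, url in REQUESTS], log
```

The ordering matters: the Pass rule for the intranet host must carry the lower priority value, otherwise the deny rule at priority 2 would block administrators too. The negated condition in the third rule is how "anything that is not one of these file types" is expressed with a single pattern.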

Configuring an IP list policy


Web Protection > IP List > IP List Policy displays the IP list policies. An IP list policy enables you to define whether specific source IP addresses are trusted or not trusted:
Trust IPs are source IP addresses for which you explicitly allow access to your web servers because they are trusted.


Black IPs are source IP addresses for which you explicitly disallow and block access to your web servers because they have failed web protection policy scans.

If a source IP address is not explicitly blacklisted in an IP list policy and it does not appear on the IP Blacklist TOP10 tab (see Viewing the top 10 IP blacklist candidates on page 223), the source IP has access to your web servers, pending additional web protection scan techniques. If a source IP address is explicitly designated as a trusted IP (that is, the IP address is trusted by FortiWeb), that IP can connect to your web servers and is exempt from many of the restrictions that would otherwise be applied by the web protection profile used by a server policy. For more information on the protection techniques performed by FortiWeb, and the scans performed based on the IP address, see Order of execution on page 190.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 88: Web Protection > IP List > IP List Policy tab

Create New: Click to add a new IP list policy.
#: Displays the index number of the entry in the list.
Name: Displays the name of the IP list policy.
IP List Count: Displays the quantity of IP list policy members associated with the policy. Each member identifies the type of client and the IP address of the client.
(No column heading): Click the Delete icon to remove the entry. Click the Edit icon to modify the entry.

To configure IP list policies and members
1 Go to Web Protection > IP List > IP List Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the policy. This field cannot be modified if you are editing an existing IP list policy. To modify the name, delete the entry, then recreate the policy using the new name.
4 Click OK.
5 Click Create New. A dialog appears.

6 Configure the following:


Type: The first web protection technique that FortiWeb performs when it gets a request to connect to your web servers is to check the source IP address that originated the request. For more information, see Order of execution on page 190. Use the Type option to define whether the source IP address is:
a Trust IP, which is a source IP address that is trusted and allowed to access your web servers, unless it fails some other web protection technique
a Black IP, which is a source IP address that is not trusted, and is permanently blocked from accessing your web servers
Note: Designating an IP address as a black IP will block all connections from that source IP address. If multiple clients share the same source IP address, such as when a group of clients is behind a firewall or router, making the source IP address a black IP could block innocent clients that share the same source IP address with an offending client. To detect a shared source IP address, see Viewing the top 10 IP blacklist candidates on page 223.


IP: The source IP address of the client that you want to add to the IP list policy. This IP address will be treated according to the Type selection.
Use IP Blacklist TOP10: This item appears only if Type is set to Black IP. FortiWeb keeps a list of source IP addresses that are blocked from your web servers because they fail web protection configurations. These source IP addresses are candidates for formal designation as a black IP. The candidates are tracked on the IP Blacklist TOP10 tab. For more information, see Viewing the top 10 IP blacklist candidates on page 223. To add source IP addresses from the IP Blacklist TOP10 to the black list, select Use IP Blacklist TOP10 and then select an IP address from the drop-down list.
Severity: If Type is set to Black IP, select the severity level you want FortiWeb to use in the records and reports generated when the specified IP address attempts to access your web servers. You can configure each violation type to be either Low, Medium or High severity.
Trigger Policy: Select the trigger policy you want FortiWeb to apply when the specified IP address attempts to access your web servers. Trigger policies determine who will be notified by email when the source IP address attempts to access your web servers, and whether the log message associated with the attempt is recorded in Syslog or FortiAnalyzer. For more information, see Configuring trigger policies on page 322.

7 Click OK.
8 Repeat the previous steps for each individual IP list policy member that you want to add to the IP list policy.
9 To modify an individual member, click its Edit icon. To remove an individual member from the IP list policy, click its Delete icon.
10 Click OK.
To apply the IP list policy, select it in an inline or offline protection profile. For details, see Configuring inline protection profiles on page 268 or Configuring offline protection profiles on page 274.

Viewing the top 10 IP blacklist candidates


Web Protection > IP List > IP Blacklist TOP10 displays the list of the top 10 candidates for addition to the IP address black list. IPs appear automatically on the top 10 list when they violate a protection setting, such as robot control. These are candidates for the black list but are not yet on your black list. To add one to a black list, click the Edit icon. You can also move IPs from the top 10 list using the IP List Policy tab (see To configure IP list policies and members on page 221).
Blacklisted IP addresses define which source IP addresses are not permitted to connect to your web servers. The list of top 10 candidates tracks the number of times each source IP address is blocked. If an IP address is frequently the source of errors or attacks, it may be a good candidate for the IP blacklist.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.


Table 89: Web Protection > IP List > IP Blacklist TOP 10 tab

#: Displays the rank number of the entry in the top 10 list.
Count: Displays the number of times that connections from the IP address have been blocked due to a policy violation.
IP: Displays the source IP address of blocked connections and the name of the violated policy.
Type: Indicates whether the source IP address is for a single client (Standalone IP), or is shared by multiple clients behind a network address translation (NAT) device such as a firewall or router (Shared IP).
Note: If the Type is Shared IP, blacklisting the IP could block innocent clients that share the same source IP address with an offending client.
(No column heading): Click the Edit icon. This opens the Edit IP List Policy Member dialog box. You can then add the source IP to the black list. For details, see Configuring an IP list policy on page 220.
Refresh: Click to refresh the display of top 10 IP black list candidates.

Configuring brute force login profiles


Web Protection > Brute Force Login > Brute Force Login displays the list of brute force login attack profiles.
Brute force attacks attempt to penetrate systems by the sheer number of clients, attempts, or computational power, rather than by intelligent insight. For example, in brute force attacks on authentication, multiple web clients may rapidly try one user name and password combination after another in an attempt to eventually guess a correct login and gain access to the system. In this way, the behavior differs from web crawlers, which typically do not focus on a single URL.
Brute force login attack profiles track the rate at which each source IP address makes requests for specific URLs. If the source IP address exceeds the threshold, the FortiWeb unit penalizes the source IP address by blocking additional requests for the time period that you indicate in the profile.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 90: Web Protection > Brute Force Login > Brute Force Login tab

Create New: Click to add a brute force login attack profile.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
(No column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline protection profile. Click the Edit icon to modify the entry.

Before you configure a brute force login attack profile, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see Configuring protected servers on page 147.
To configure a brute force login attack profile
1 Go to Web Protection > Brute Force Login > Brute Force Login.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the brute force login profile. This field cannot be modified if you are editing an existing brute force login profile. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:


Severity: Select the severity level you want FortiWeb to use in the records and reports generated when a violation of the brute force login profile occurs. You can configure the violation as either Low, Medium or High severity. For information on Severity and Trigger Policy settings, see Responding to web protection rule violations on page 191.
Trigger Policy: Select the trigger policy you want FortiWeb to apply when a violation of the brute force login profile occurs. Trigger policies determine who will be notified by email when the profile violation occurs, and whether the log message associated with the violation is recorded. For more information, see Responding to web protection rule violations on page 191.

5 Click OK.


6 Click Create New. A dialog appears.

7 Configure the following:


ID: Type the index number of the login page in the brute force login attack profile list. The index number affects the order of display only, and does not affect match order.
Host Status: Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to be included in the brute force login attack profile's rate calculations. Also configure Host.
Host: Select which protected hosts entry (either a web host name or IP address) the Host: field of the HTTP request must match in order to match the brute force login attack profile. This option is available only if Host Status is enabled.
Request File: Type the URL, as a regular expression, that the HTTP request must match to be included in the brute force login attack profile's rate calculations. When you have finished typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
Block Period: Type the length of time in seconds for which the FortiWeb unit will block additional requests after a source IP address exceeds a rate threshold. The block period is shared by all clients whose traffic originates from the source IP address. The limit is 10 000 seconds.
Standalone IP Access Limit: Type the rate threshold for source IP addresses that are single clients. Request rates exceeding the threshold will cause the FortiWeb unit to block additional requests for the length of time in the Block Period field. To disable the rate limit, type 0.
Share IP Access Limit: Type the rate threshold for source IP addresses that are shared by multiple clients behind a network address translation (NAT) device such as a firewall or router. Request rates exceeding the threshold will cause the FortiWeb unit to block additional requests for the length of time in the Block Period field. To disable the rate limit, type 0.
Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client. In addition, the rate is a total rate for all clients that use the same source IP address. For these reasons, you should usually enter a greater value for this field than for Standalone IP Access Limit.

8 Click OK.
9 Repeat the two previous steps for each individual login page that you want to add to the brute force login attack profile.


10 To modify a login page, click its Edit icon. To remove a single login page from the group of login pages, click its Delete icon. To remove all login pages from the group of login pages, click the Clear icon.
11 Click OK.
To apply the brute force login attack profile, select it in an inline protection profile. For details, see Configuring inline protection profiles on page 268.
Attack log messages contain DETECT_BRUTE_FORCE_LOGIN when this feature detects a brute force login attack.

Configuring robot control profiles


Web Protection > Robot Control > Robot Control displays the list of robot control profiles.
Search engines, link checkers, retrievals of entire web sites for a user's offline use, and other automated uses of the web (sometimes called robots, spiders, web crawlers, or automated user agents) often access web sites at a more rapid rate than human users. However, it would be unusual for them to request the same URL within that time frame. Usually, web crawlers request many different URLs in rapid sequence. For example, while indexing a web site, a search engine's web crawler may rapidly request the web site's most popular URLs. If the URLs are web pages, it may also follow the hyperlinks by requesting all URLs mentioned in those web pages. In this way, the behavior of web crawlers differs from a typical brute force login attack, which focuses repeatedly on one URL.
You can request that robots not index and/or follow links, and disallow their access to specific URLs (see http://www.robotstxt.org/). However, misbehaving robots frequently ignore the request, and there is no single standard way to rate-limit robots.
Robot control profiles can track the rate at which each source IP address makes requests. If the source IP address exceeds the threshold, the FortiWeb unit penalizes the source IP address by blocking additional requests for the time period that you indicate in the profile. Robot control profiles can also use the User-Agent: field in the HTTP header to allow legitimate robots or to block robots that are notorious for misbehaving.
Robot control profiles enable you to associate predefined and custom robot control groups with rules that determine which specific robots are considered to be bad robots and which robots are allowed access to your web servers without being rate controlled or subject to parameter validation rules or server protection rules.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 91: Web Protection > Robot Control > Robot Control tab


Create New: Click to add a robot control profile.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Bad Robot: Indicates whether the blocking feature for bad web crawlers (robots), those known to ignore no-index, no-follow and other directives, is enabled or disabled.
Bad Robot Action: Displays the action taken by FortiWeb when a violation of the robot control profile occurs.
Allow Robot: Identifies well-known robots (for example, Google) that are allowed and will not be rate-controlled or subject to parameter validation rules, server protection rules, or Bad Robot blocking.
Standalone IP Access Limit: Displays the rate threshold for source IP addresses that are single clients. Request rates exceeding the threshold will cause the FortiWeb unit to block additional requests for the length of time in the Block Period column. 0 indicates that the rate is not limited.
Share IP Access Limit: Displays the rate threshold for source IP addresses that are shared by multiple clients behind a network address translation (NAT) device such as a firewall or router. Request rates exceeding the threshold will cause the FortiWeb unit to block additional requests for the length of time in the Block Period column. 0 indicates that the rate is not limited.
Block Period: Displays the length of time for which the FortiWeb unit will block additional requests after a source IP address exceeds a rate threshold.
(No column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile, or if the entry is a template entry. Click the Edit icon to modify the entry. Click the View icon to view a template entry. Click the Clone icon to create a new entry that clones the settings from a predefined robot control profile.

Before you configure a robot control profile, you must first create robot groups, which can then be applied to the robot control profile. Robot groups are used by the profile to identify the specific robots that are allowed access to your web servers without being rate controlled or subject to parameter validation rules, server protection rules, or bad robot detection. For details, see Configuring predefined robot groups on page 230 and Configuring custom robot groups on page 232.
Note: Alternatively, you can automatically configure a robot control profile that allows all predefined search engine types by generating a default auto-learning profile. For details, see Generating an auto-learning profile and its components on page 281.
To configure a robot control profile
1 Go to Web Protection > Robot Control > Robot Control.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A new dialog appears. Alternatively, click the Clone icon to create a new entry based on a predefined entry. In this case, a dialog appears with just the Name field.


3 In Name, type the name of the robot control profile. This field cannot be modified if you are editing an existing robot control profile. To modify the name, delete the entry, then recreate it using the new name.

4 Configure the following:


Bad Robot: Enable to detect web crawlers that are known to ignore no-index, no-follow and other directives, then select which action the FortiWeb unit will take when it detects one.
Action, Severity and Trigger Policy: The Action, Severity and Trigger Policy drop-down menus allow you to control what the FortiWeb unit will do when it detects a bad robot violation. Each violation can be uniquely configured. The following actions can be performed for this type of attack:
Alert
Alert & Deny
Redirect
Send 403 Forbidden
For information on Action, Severity and Trigger Policy settings, see Responding to web protection rule violations on page 191.
Note: If a WAF Auto Learning Profile will be selected in the policy with profiles that use this rule, you should select Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.
Allow Robot: Select a group of well-known search engines' web crawlers, if any, that will be exempt from the rate limit of this robot control profile. For details about creating robot groups, see Configuring predefined robot groups on page 230. The FortiWeb unit will omit any subsequent intrusion detection features, including parameter validation rules, server protection rules, or bad robot detection.
Caution: Robots are recognized by the User-Agent: field, which is set by the client and can be forged. Because an allowed match also skips parameter validation rules, server protection rules and bad robot detection, allow only the robot groups you need.
Note: If you want to view the information associated with the robot group, select the Detail link beside the Allow Robot list. A read-only version of the Edit Robot Group window opens.
Attack log messages contain log messages such as DETECT_ALLOW_ROBOT_GOOGLE, DETECT_ALLOW_ROBOT_YAHOO, and DETECT_ALLOW_ROBOT_MSN when this feature detects an allowed predefined robot. For details, see Event Log Console widget on page 48 or Viewing log messages on page 331.

FortiWeb Web Application Firewall Version 4.0 MR2 Administration Guide Revision 10 http://docs.fortinet.com/ Feedback


Allow Custom Robot
    Select a group of custom robots, if any, that will be exempt from the rate limit of this robot control profile. For details about creating custom robot groups, see Configuring custom robot groups on page 232. For an allowed custom robot, the FortiWeb unit will omit any subsequent intrusion detection features, including parameter validation rules, server protection rules, or bad robot detection.
    Note: If you want to view the information associated with the custom robot group, select the Detail link beside the Allow Custom Robot list. A read-only version of the Edit Custom Robot Group window opens.
    When this feature detects an allowed custom robot, the attack log contains messages such as DETECT_ALLOW_ROBOT: Custom-Robot-1 (where Custom-Robot-1 is the name that you configured for the robot signature). For details, see Event Log Console widget on page 48 or Viewing log messages on page 331.

Malicious Robot Prevention

Standalone IP Access Limit
    Type the rate limit in number of requests per second for source IP addresses that are single clients. Request rates exceeding the threshold will cause the FortiWeb unit to block additional requests for the length of the time set in the Block Period field. To disable the rate limit, type 0.

Share IP Access Limit
    Type the rate limit in number of requests per second for source IP addresses that are shared by multiple clients behind a network address translation (NAT) device such as a firewall or router. Request rates exceeding the threshold will cause the FortiWeb unit to block additional requests for the length of the time set in the Block Period field. To disable the rate limit, type 0.
    Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client. In addition, the rate is a total rate for all clients that use the same source IP address. For these reasons, you should usually enter a greater value for this field than for Standalone IP Access Limit.

Block Period
    Type the length of time for which the FortiWeb unit will block additional requests after a source IP address exceeds its rate threshold.

5 Click OK. To apply the robot control profile, select it in an inline or offline protection profile. For details, see Configuring inline protection profiles on page 268 or Configuring offline protection profiles on page 274. Attack log messages contain DETECT_MALICIOUS_ROBOT when this feature detects a misbehaving robot or any other HTTP client that exceeds the rate limit.
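The following is an added example, not FortiWeb code, that models the Malicious Robot Prevention settings above: a per-source-IP request rate limit with separate thresholds for standalone and shared (NAT) addresses, a block period, and allowed robot signatures that are exempt from the limit. It assumes a one-second sliding window for "requests per second" and that the operator supplies the list of networks treated as shared addresses; the IP addresses, User-Agent strings and timestamps are constructed.

```python
"""Added example (not FortiWeb's code): per-source-IP rate limiting in the
style of a robot control profile's Malicious Robot Prevention settings."""
import ipaddress
import re
from collections import defaultdict, deque


class RobotRateLimiter:
    """Assumptions (not from the guide): 'requests per second' is measured over
    a 1-second sliding window, and shared (NAT) addresses are identified by
    operator-supplied networks."""

    def __init__(self, standalone_limit, shared_limit, block_period,
                 shared_networks=(), allowed_robots=()):
        self.standalone_limit = standalone_limit   # requests/second; 0 disables
        self.shared_limit = shared_limit           # requests/second; 0 disables
        self.block_period = block_period           # seconds
        self.shared_networks = [ipaddress.ip_network(n) for n in shared_networks]
        # Allowed robot signatures: matched against User-Agent, exempt from limits.
        self.allowed_robots = [re.compile(p) for p in allowed_robots]
        self.history = defaultdict(deque)   # ip -> request timestamps in window
        self.blocked_until = {}             # ip -> time at which the block ends
        self.log = []                       # attack log messages

    def _limit_for(self, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.shared_networks):
            return self.shared_limit
        return self.standalone_limit

    def check(self, ip, user_agent, now):
        """Return 'allow', 'allow_robot' or 'block' for one request at time now."""
        if any(rx.search(user_agent) for rx in self.allowed_robots):
            return "allow_robot"            # skips rate limit and later detection
        if self.blocked_until.get(ip, 0) > now:
            return "block"                  # still inside the block period
        limit = self._limit_for(ip)
        if limit == 0:
            return "allow"                  # rate limit disabled
        window = self.history[ip]
        window.append(now)
        while window and window[0] <= now - 1.0:
            window.popleft()                # drop requests older than one second
        if len(window) > limit:
            self.blocked_until[ip] = now + self.block_period
            self.log.append(f"DETECT_MALICIOUS_ROBOT src={ip}")
            window.clear()
            return "block"
        return "allow"


def simulate():
    """Constructed traffic: a single client bursting past its limit, a NAT
    address under its higher limit, and an allowed robot from the blocked IP."""
    lim = RobotRateLimiter(standalone_limit=5, shared_limit=20, block_period=60,
                           shared_networks=["203.0.113.0/24"],
                           allowed_robots=[r"^Googlebot"])
    burst = [lim.check("198.51.100.7", "curl/7.0", now=100.0 + i * 0.1)
             for i in range(8)]
    burst.append(lim.check("198.51.100.7", "curl/7.0", now=170.0))  # block expired
    shared = [lim.check("203.0.113.9", "Mozilla/5.0", now=100.0 + i * 0.1)
              for i in range(8)]
    robot = lim.check("198.51.100.7", "Googlebot/2.1", now=120.0)
    return burst, shared, robot, lim.log


if __name__ == "__main__":
    print(simulate())
```

The sixth request within a second from the standalone client trips the limit, so it and the next two are blocked while the request after the block period is allowed again; the same burst from the NAT address stays under its larger threshold. The allowed robot check runs first, which is why a matching User-Agent is never counted or blocked even from an IP currently under a block, and why allowed-robot signatures should be kept as narrow as possible.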

Configuring predefined robot groups


Web Protection > Robot Control > Robot Group displays the list of groups of predefined robots. A robot group contains one or more of the predefined robot signatures. For information on predefined robot signatures, see Viewing the list of predefined robots on page 234. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.


Table 92: Web Protection > Robot Control > Robot Group tab

GUI item    Description

Create New
    Click to add a known robot group.
#
    Displays the index number of the entry in the list.
Name
    Displays the name of the entry.
Count
    Displays the number of known robots contained in the group.
(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a robot control profile. Click the Edit icon to modify the entry. Click the View icon to view a predefined entry. Click the Clone icon to create a new entry based on a predefined entry.

To configure a predefined robot group
1 Go to Web Protection > Robot Control > Robot Group.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A new dialog appears. Alternatively, click the Clone icon to create a new entry based on a predefined entry. In this case, a dialog appears with just the Name field.
3 In Name, type the name of the robot group. This field cannot be modified if you are editing an existing robot group. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New.


A new dialog appears.

6 Configure the following:

GUI item    Description

ID
    Enter the index number of the robot entry within the robot group, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.
Robot
    Select the name of a robot. For the predefined list of well-known robots and their defining patterns, see Viewing the list of predefined robots on page 234.

7 Click OK.
8 Repeat the previous steps for each robot that you want to add to the robot group.
9 To modify a robot, click its Edit icon. To remove a single robot from the robot group, click its Delete icon. To remove all robots from the robot group, click the Clear icon.
10 Click OK. To use a robot group, you must select it in a robot control profile. For details, see Configuring robot control profiles on page 227.

Configuring custom robot groups


Web Protection > Robot Control > Custom Robot displays the list of custom robot groups. Instead of using groups of predefined well-known robots, you can configure groups of custom robot signatures. Each signature is a regular expression that the FortiWeb unit compares to the User-Agent: field in the HTTP header in order to determine whether or not the HTTP client is a legitimate robot. Legitimate robots, such as search engine indexers, usually should be exempt from attack detection. If your organization has written its own search indexer, or uses a third-party spider not identified in the predefined list, you may need to write a custom robot signature. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 93: Web Protection > Robot Control > Custom Robot tab

GUI item    Description

Create New
    Click to add a custom robot group.
#
    Displays the index number of the entry in the list.


Name
    Displays the name of the entry.
Count
    Displays the number of custom robots contained in the group.
(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a robot control profile. Click the Edit icon to modify the entry.

To configure a group of custom robot signatures
1 Go to Web Protection > Robot Control > Custom Robot.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the custom robot signature set. This field cannot be modified if you are editing an existing custom robot. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New. A dialog appears.

6 Configure the following:

GUI item    Description

ID
    Type the index number of the custom robot signature within the set, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.
Name
    Type a name, such as Intranet-Indexer, for the signature. This name will appear in log messages where the signature was used to detect a robot.


Robot Expression
    Type a regular expression that matches all and only the User-Agent: fields in the HTTP header known to be produced by the custom robot. For example, if a custom robot is either:
    - User-Agent: happy-spider
    - User-Agent: happy-spider2.0
    but not User-Agent: baiduspider, you would write a regular expression to match the first two cases, but that would not match the third. To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

7 Click OK.
8 Repeat the previous steps for each custom robot signature that you want to add to the custom robot group. Only one group may be selected per robot control profile, so you may want to include multiple custom robot signatures in this group.
9 To modify a custom robot signature, click its Edit icon. To remove a single signature from the group, click its Delete icon. To remove all signatures from the group, click the Clear icon.
10 Click OK. To use a custom robot group, you must select it in a robot control profile. For details, see Configuring robot control profiles on page 227.
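The following is an added example, not FortiWeb code, that works through the happy-spider / baiduspider case from the Robot Expression description: it compares a signature that is too broad with a precise one against constructed User-Agent values, and shows how a matching signature in a custom robot group produces the DETECT_ALLOW_ROBOT log message with the signature's Name. The signature name Intranet-Indexer is the one the guide uses as an example; the User-Agent values are constructed.

```python
"""Added example (not FortiWeb's code): custom robot signatures as regular
expressions matched against the User-Agent: header."""
import re

# Constructed User-Agent values: the first two belong to the custom robot, the
# third is a different crawler that must not match.
SAMPLE_AGENTS = ["happy-spider", "happy-spider2.0", "baiduspider"]

# Too broad: a bare 'spider' also matches baiduspider, which would then be
# exempt from every later detection feature.
TOO_BROAD = r"spider"
# Precise: the whole field is happy-spider, optionally followed by a version.
PRECISE = r"^happy-spider(?:\d+(?:\.\d+)*)?$"


def matching_agents(pattern, agents):
    """Return the agents a signature matches, the way you would check it in
    the Regular Expression Validator before saving it."""
    rx = re.compile(pattern)
    return [ua for ua in agents if rx.search(ua)]


def detect_allowed_robot(user_agent, signatures):
    """signatures: list of (Name, Robot Expression) pairs from one custom robot
    group. Returns the attack log message for the first match, or None."""
    for name, expression in signatures:
        if re.search(expression, user_agent):
            return f"DETECT_ALLOW_ROBOT: {name}"
    return None


# Constructed custom robot group with a single signature.
CUSTOM_ROBOT_GROUP = [("Intranet-Indexer", PRECISE)]


if __name__ == "__main__":
    print("too broad:", matching_agents(TOO_BROAD, SAMPLE_AGENTS))
    print("precise:  ", matching_agents(PRECISE, SAMPLE_AGENTS))
    for ua in SAMPLE_AGENTS:
        print(ua, "->", detect_allowed_robot(ua, CUSTOM_ROBOT_GROUP))
```

Because an allowed robot skips parameter validation, server protection and bad robot detection, the cost of an over-broad expression is a blanket exemption for any client that sends a matching User-Agent, which is trivially chosen by the client. Anchoring the expression and matching the full field, as PRECISE does, keeps the exemption limited to the crawler you actually run.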

Viewing the list of predefined robots


Web Protection > Robot Control > Known Robot displays the predefined list of well-known robots. Select the blue arrow next to a robot name to expand the entry, displaying the pattern contained in the entry.
Figure 31: Viewing the list of known robots

The pattern contains a regular expression that the FortiWeb unit compares to the User-Agent: field in the HTTP header in order to determine whether or not the HTTP client is a well-known, legitimate robot. Legitimate robots, such as search engine indexers, should be included in a robot group that is applied to a robot control profile, so that they are exempt from attack detection. You apply predefined robots indirectly by first forming groups of robots, then selecting those groups in a robot control profile. For details, see Configuring predefined robot groups on page 230.


Configuring allowed request method policy


Web Protection > Allow Request Method > Allow Method Policy displays the list of policies for allowed HTTP request methods. The request method policy enables you to build specific combinations of allowed HTTP request methods and specific exceptions to those combinations. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.

Tip: To extend the versatility of a request method policy, you can create and incorporate exceptions (see Configuring allowed method exceptions on page 237).

Table 94: Web Protection > Allow Request Method > Allow Method Policy tab

GUI item    Description

Create New
    Click to add a new HTTP request method policy.
#
    Displays the index number of the entry in the list.
Name
    Displays the name of the allow method policy.
Severity
    Each policy is assigned a severity. When a policy violation occurs, the violation is recorded and reported with the designated severity. See Responding to web protection rule violations on page 191.
Trigger Policy
    Trigger policy contains information to identify who will receive an alert email when a violation occurs, and how the log message associated with the violation, if applicable, is recorded. See Responding to web protection rule violations on page 191.
Allow Method Exceptions
    Identifies the name of the HTTP method exception rules associated with the policy. For more information, see Configuring allowed method exceptions on page 237.
(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile. Click the Edit icon to modify the entry.

To include method exceptions, create them first. For more information, see Configuring allowed method exceptions on page 237.

To configure an HTTP request method policy
1 Go to Web Protection > Allow Request Method > Allow Method Policy.


2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 In Name, type the name of the HTTP request method policy. This field cannot be modified if you are editing an existing allowed method exception. To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:

GUI item    Description

Name
    Enter the name of the allow method policy.
Allow Request
    Mark the check boxes for all HTTP request methods that you want to allow for this specific policy. Only the selected methods will be allowed on all web servers where this policy is used, unless exceptions are defined for specific URL/hosts. For more information, see Configuring allowed method exceptions on page 237.
    Note: If a WAF Auto Learning Profile is used in the server policy where the HTTP request method is applied (via the Web Protection Profile), you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb unit to learn about. If a method is disabled, the FortiWeb unit will reset the connection, and therefore cannot learn about the session.
Severity
    Select the severity level you want FortiWeb to use in the records and reports generated when a violation of the HTTP request method policy occurs. You can configure the violation as either Low, Medium or High severity. For information on Severity and Trigger Policy settings, see Responding to web protection rule violations on page 191.
Trigger Policy
    Select the trigger policy you want FortiWeb to apply when a violation of the HTTP request method policy occurs. Trigger policies determine who will be notified by email when the policy violation occurs, and whether the log message associated with the violation is recorded. For more information, see Responding to web protection rule violations on page 191.
Allow Method Exceptions
    Select the HTTP request method exception to apply to the policy. The method exceptions define specific HTTP request methods that are allowed by specific URLs and hosts.
    Note: If you want to view the information associated with the HTTP request method exceptions used by this policy, select the Detail link beside the Allow Method Exceptions list. A read-only version of the Allow Method Exceptions window opens. For more information, see Configuring allowed method exceptions on page 237.

5 Click OK. To apply the allow method policy, select it in an inline or offline protection profile. For details, see Configuring inline protection profiles on page 268 or Configuring offline protection profiles on page 274.

Configuring allowed method exceptions


Web Protection > Allow Request Method > Allow Method Exceptions displays the list of allowed method exceptions. While most URL and host name combinations controlled by a profile may require similar HTTP request methods, you may have some that require different methods. Instead of forming separate policies and profiles for those requests, you can configure allowed method exceptions. The method exceptions define specific HTTP request methods that are allowed by specific URLs and hosts. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 95: Web Protection > Allow Request Method > Allow Method Exceptions tab

GUI item    Description

Create New
    Click to add an allowed method exception.
#
    Displays the index number of the entry in the list.
Name
    Displays the name of the entry.
Allow Method Exception Count
    Displays the number of individual rules contained in the entry.
(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile. Click the Edit icon to modify the entry.

Before you configure an allowed method exception, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see Configuring protected servers on page 147.

To configure an allowed method exception
1 Go to Web Protection > Allow Request Method > Allow Method Exceptions.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.


3 In Name, type the name of the allowed method exception. This field cannot be modified if you are editing an existing allowed method exception. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New. A dialog appears.

6 Configure the following:

GUI item    Description

ID
    Enter the index number of the individual rule within the allowed method exception, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.
Host Status
    Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the allowed method exception. Also configure Host.
Host
    Select which protected hosts entry (either a web host name or IP address) the Host: field of the HTTP request must be in order to match the allowed method exception. This option is available only if Host Status is enabled.
Type
    Select whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression.


URL Pattern
    Depending on your selection in Type, enter either:
    - the literal URL, such as /index.php, that is an exception to the generally allowed HTTP request methods. The URL must begin with a slash ( / ).
    - a regular expression, such as ^/*.php, matching all and only the URLs which are exceptions to the generally allowed HTTP request methods. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm. For example, if multiple URLs on a host have identical HTTP request method requirements, you would type a regular expression matching all of and only those URLs.
    Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list. To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
Allow Method Exception
    Select the check boxes for all HTTP request methods you want to allow.
    Note: If a WAF Auto Learning Profile will be selected in the policy with an offline protection profile that uses this allowed method exception, you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb unit to learn about. If a method is disabled, the FortiWeb unit will reset the connection, and therefore cannot learn about the session.

7 Click OK.
8 Repeat the previous steps for each exception that you want to add to the allowed method exceptions.
9 To modify an exception, click its Edit icon. To remove an exception, click its Delete icon. To remove all exceptions, click the Clear icon.
10 Click OK. To apply the allowed method exception, select it in an allow method policy. For details, see Configuring allowed request method policy on page 235.
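The following is an added example, not FortiWeb code, that ties together the allow method policy (Allow Request, Severity) and the allowed method exception settings (Host Status, Host, Type, URL Pattern, Allow Method Exception) described in the two sections above. It assumes that the first exception rule matching a request replaces the policy's default method set for that request, and that a rule without a host applies to every host; the host names, URLs and method sets are constructed.

```python
"""Added example (not FortiWeb's code): an allow method policy with allowed
method exceptions evaluated against individual requests."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class MethodException:
    """One rule within an Allow Method Exceptions entry."""
    methods: Set[str]               # Allow Method Exception check boxes
    url_pattern: str                # URL Pattern
    pattern_type: str = "simple"    # Type: 'simple' (literal URL) or 'regex'
    host: Optional[str] = None      # Host; None models Host Status disabled

    def matches(self, host, url):
        if self.host is not None and host != self.host:
            return False
        if self.pattern_type == "simple":
            return url == self.url_pattern      # literal, exact URL match
        return re.search(self.url_pattern, url) is not None


@dataclass
class AllowMethodPolicy:
    """Allow Request check boxes plus the exception rules applied to it."""
    allowed_methods: Set[str]
    exceptions: List[MethodException] = field(default_factory=list)
    severity: str = "Medium"

    def is_allowed(self, method, host, url):
        # Assumption: the first matching exception replaces the default set.
        for exc in self.exceptions:
            if exc.matches(host, url):
                return method.upper() in exc.methods
        return method.upper() in self.allowed_methods

    def evaluate(self, method, host, url):
        """Return None when the request is allowed, else a violation record
        carrying the policy's Severity for logging."""
        if self.is_allowed(method, host, url):
            return None
        return {"violation": "method_not_allowed", "severity": self.severity,
                "method": method.upper(), "host": host, "url": url}


def build_sample_policy():
    """Constructed configuration: a read-only site with one upload endpoint and
    a PHP admin area on a single protected host that need more methods."""
    return AllowMethodPolicy(
        allowed_methods={"GET", "HEAD"},
        exceptions=[
            MethodException({"GET", "POST", "PUT"}, "/api/upload"),
            MethodException({"GET", "POST"}, r"^/admin/.*\.php$", "regex",
                            host="www.example.com"),
        ],
    )


if __name__ == "__main__":
    policy = build_sample_policy()
    for req in [("GET", "www.example.com", "/index.html"),
                ("POST", "www.example.com", "/index.html"),
                ("PUT", "www.example.com", "/api/upload"),
                ("POST", "intranet.example.com", "/admin/login.php")]:
        print(req, "->", policy.evaluate(*req))
```

The second exception only fires when the Host: header names www.example.com, so the same POST to /admin/login.php on another protected host falls back to the policy's default GET/HEAD set and is reported as a violation. The regular expression is anchored at both ends, which is why /admin/login.php.bak is not treated as an exception.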

Configuring hidden field protection profiles


Web Protection > Hidden Fields Protection > Hidden Fields Protection displays the list of hidden field protection profiles. Hidden fields are unlike other inputs, because they are not visible on a rendered web page. As such, if hidden fields are tampered with, they could go undetected. Hidden field protection profiles enable you to apply individual hidden field protection rules that FortiWeb uses to detect hidden fields that have been tampered with. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.

Tip: To create a hidden fields protection profile, you must first configure one or more hidden field rules. See Configuring hidden field rules on page 241.

Table 96: Web Protection > Hidden Fields Protection > Hidden Fields Protection tab

GUI item    Description

Create New
    Click to add a hidden field group.


#
    Displays the index number of the entry in the list.
Name
    Displays the name of the entry.
Rule Count
    Displays the number of individual hidden field rules contained in the profile.
(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline protection profile. Click the Edit icon to modify the entry.

To configure a hidden field profile
1 Go to Web Protection > Hidden Fields Protection > Hidden Fields Protection.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the hidden field profile. This field cannot be modified if you are editing an existing hidden field group. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.
5 Click Create New. A dialog appears.
6 Select the name of a hidden field rule that you want to apply to the hidden fields protection profile from the Hidden Fields Rule drop-down list. To view the information associated with a hidden fields rule, select the Detail link. A read-only version appears.
7 Click OK.
8 Repeat the previous steps for each individual rule that you want to add to the hidden field profile.


9 To modify an individual rule, click its Edit icon. To remove an individual rule from the hidden field profile, click its Delete icon. To remove all individual rules from the hidden field profile, click the Clear icon.
10 Click OK. To apply the hidden field group, select it in an inline protection profile. For details, see Configuring inline protection profiles on page 268.
Note: In order for hidden field groups to be enforced, you must also enable Session Management in the inline protection profile.

Configuring hidden field rules


Web Protection > Hidden Fields Protection > Hidden Fields Rule displays the list of hidden field rules. Like other types of parameters and inputs, hidden form inputs can be vulnerable to tampering and can be used as a vector for other attacks. Unlike other inputs, hidden form inputs are often written into an HTML page by the web server when it serves that page to the client, and are not visible on the rendered web page. As such, they are sometimes perceived as relatively safe. Like other inputs, however, hidden fields are accessible through the JavaScript document object model (DOM). As inputs, they can be used to inject invalid data into your databases or attempt to tamper with the session state. Hidden field rules prevent such tampering by caching the values of a session's hidden inputs as they pass to the HTTP client, and verifying that they remain unchanged when the HTTP client submits a form. Hidden field rules apply to hidden inputs only. For information on constraining visible inputs, see Configuring parameter validation input rules on page 194. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 97: Web Protection > Hidden Fields Protection > Hidden Fields Rule tab

GUI item    Description

Create New
    Click to add a hidden field constraint.
#
    Displays the index number of the entry in the list.
Name
    Displays the name of the entry.
(No column heading.)
    Click the Edit icon to modify the entry. Click the Delete icon to remove the entry.


Before you configure a hidden field rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see Configuring protected servers on page 147.

To configure a hidden field rule
1 Go to Web Protection > Hidden Fields Protection > Hidden Fields Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the hidden field constraint. This field cannot be modified if you are editing an existing hidden field rule. To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:

GUI item    Description

Host status
    Enable if you want the hidden field rule to apply only to HTTP requests for a specific web host. Also configure Host.
Host
    Select the name of a protected host that the Host: field of an HTTP request must be in order to match the hidden field rule. This option is available only if Host status is enabled.


Request URL
    Type the exact URL that contains the hidden form for which you want to create a hidden field rule. The URL must begin with a slash ( / ). Do not include the web host name, such as www.example.com. It is configured separately in the Host drop-down list.
Action, Severity and Trigger Policy
    The Action, Severity and Trigger Policy drop-down menus allow you to control what the FortiWeb unit will do when it detects a specific violation such as an attack, suspicious request or other threat. Each violation can be uniquely configured. The following actions are available for this type of attack:
    - Alert
    - Alert & Deny
    - Redirect
    - Send 403 Forbidden
    For information on Action, Severity and Trigger Policy settings, see Responding to web protection rule violations on page 191.
    Note: If a WAF Auto Learning Profile will be selected in the policy with profiles that use this rule, you should select Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.

5 Click OK.
6 Click Fetch URL, and then enter the following information in the pop-up dialog that appears:

GUI item    Description

Pserver
    Select the IP address of the physical server that hosts the web site with the hidden field.
Port
    Type the TCP port number on which the physical server listens for HTTP connections.

The pop-up dialog also includes a Fetch URL button. Click it to retrieve the web page you specified in Request URL. Another pop-up dialog appears, displaying a list of hidden inputs that the FortiWeb unit found in that web page, and the URLs to which those hidden inputs will be posted when a client submits the form.
Figure 32: Fetch URL dialog


Entries in the list are color-coded by the recommended course of action:
- Blue: The URL/hidden field exists in the requested URL, but you have not yet configured it in the hidden field rule. You may want to add it to the hidden field rule.
- Red: The URL/hidden field does not exist in the requested URL, yet it is currently configured in the hidden field rule. You may want to remove it from the hidden field rule.
- Black: The URL/hidden field exists in both the requested URL and your hidden field rule.
For each entry that you want to be in the hidden field rule, in the Status column, select its check box.
Note: In addition to new items, select the check boxes of any previously configured items that you want to keep in the hidden field rule. If you do not, they will be deleted.

Click OK to save the entries in the dialog.
7 If there are any additional hidden fields or post URLs that you want to manually add to the hidden field rule, click Create New. A dialog appears. Enter the name of the post URL or hidden field.
8 Repeat the previous steps for each post URL or hidden field that you want to manually add to the hidden field rule.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the hidden field rule, click its Delete icon. To remove all individual rules from the hidden field rule, click the Clear icon.
10 Click OK. To apply the hidden field rule, select it in a hidden fields protection profile. For details, see Configuring hidden field protection profiles on page 239.
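The following is an added example, not FortiWeb code, that shows the mechanism the hidden field rule section describes: the hidden inputs of a page are collected per post URL (what the Fetch URL dialog lists, including its blue/red/black comparison against the configured rule), cached per session as the page passes to the client, and checked for tampering when the form is submitted. The sample HTML, session id and field values are constructed; real pages would be fetched from the physical server.

```python
"""Added example (not FortiWeb's code): cache the hidden inputs a page serves
to a session and verify them when the form comes back, as a hidden field rule
does."""
from html.parser import HTMLParser
from urllib.parse import urljoin


class HiddenFieldCollector(HTMLParser):
    """Collect hidden <input> values per form, keyed by the URL the form posts to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = {}          # post URL -> {hidden field name: value}
        self._current = None     # dict of the form being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A form without an action posts back to the page itself.
            action = urljoin(self.page_url, attrs.get("action") or self.page_url)
            self._current = self.forms.setdefault(action, {})
        elif (tag == "input" and self._current is not None
              and (attrs.get("type") or "").lower() == "hidden"):
            self._current[attrs.get("name") or ""] = attrs.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def fetch_hidden_fields(html, page_url):
    """What the Fetch URL dialog lists: hidden inputs and their post URLs."""
    parser = HiddenFieldCollector(page_url)
    parser.feed(html)
    parser.close()
    return parser.forms


def compare_with_rule(fetched, configured):
    """Colour coding of the Fetch URL dialog on (post URL, field name) pairs:
    blue = in the page but not yet in the rule, red = in the rule but gone
    from the page, black = in both."""
    return {
        "blue": sorted(fetched - configured),
        "red": sorted(configured - fetched),
        "black": sorted(fetched & configured),
    }


class HiddenFieldRule:
    """Per-session cache of served hidden values, checked on submission."""

    def __init__(self, request_url):
        self.request_url = request_url
        self.cache = {}          # session id -> {post URL -> {name: value}}

    def cache_response(self, session_id, html):
        # Called as the page named by Request URL passes to the client.
        self.cache[session_id] = fetch_hidden_fields(html, self.request_url)

    def check_submission(self, session_id, post_url, form_data):
        """Return violations as 'tampered:<name>' or 'missing:<name>'."""
        expected = self.cache.get(session_id, {}).get(post_url)
        if expected is None:
            return []            # nothing cached for this form: nothing to enforce
        violations = []
        for name, value in expected.items():
            if name not in form_data:
                violations.append(f"missing:{name}")
            elif form_data[name] != value:
                violations.append(f"tampered:{name}")
        return violations


# Constructed sample page; the item, price and list values are illustrative.
SAMPLE_PAGE = """
<html><body>
<form action="/checkout" method="post">
  <input type="hidden" name="item_id" value="42">
  <input type="hidden" name="price" value="19.99">
  <input type="text" name="qty" value="1">
</form>
<form action="/newsletter" method="post">
  <input type="hidden" name="list" value="weekly">
</form>
</body></html>
"""


if __name__ == "__main__":
    rule = HiddenFieldRule("/shop/cart.html")
    rule.cache_response("session-1", SAMPLE_PAGE)
    print(rule.check_submission("session-1", "/checkout",
                                {"item_id": "42", "price": "0.01", "qty": "3"}))
```

The visible qty input is deliberately ignored, matching the guide's statement that hidden field rules are for hidden inputs only; a changed price in the cached checkout form is reported, while a submission to a post URL the rule never cached passes unchecked. The cache is keyed by session, which is why the guide requires Session Management in the inline protection profile for these rules to be enforced.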

Configuring URL rewriting policy


Web Protection > URL Rewriting Policy > URL Rewriting Policy displays the list of URL rewriting policies.
Caution: When configuring URL rewriting policy, check to see whether there are any HTTP conversion policies in use that might conflict with the URL rewriting policy. If conflicts occur, the URL rewriting policy takes priority over the HTTP conversion policy. See Configuring HTTP conversion policy on page 141.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Tip: To create an effective URL rewriting policy, you must first configure one or more URL rewriting rules. See Configuring URL rewriting rules on page 246.


Table 98: Web Protection > URL Rewriting Policy > URL Rewriting tab

GUI item    Description

Create New
    Click to add a URL rewriting group.
#
    Displays the index number of the entry in the list.
Name
    Displays the name of the entry.
URL Rewriting Count
    Displays the number of individual rules contained in the entry.
(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline protection profile. Click the Edit icon to modify the entry.

Before you can configure a URL rewriting policy, you must first configure the URL rewriting rules that you want to include in the policy. For details, see Configuring URL rewriting rules on page 246.

To configure a URL rewriting policy
1 Go to Web Protection > URL Rewriting Policy > URL Rewriting Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

Clear Edit Delete 3 In Name, enter the name of the URL rewriting group. This field cannot be modified if you are editing an existing URL rewriting group. To modify the name, delete the entry, then recreate it using the new name. 4 Click OK. 5 Click Create New. A dialog appears.


6 Configure the following:

GUI item    Description
ID    Type the index number of the entry, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number. The number must be between 1 and 99,999 and must be unique for each entry in the group.
Priority    Type the order of evaluation for this rule in the group, starting from 0. To create an entry with the highest match priority, enter 0. For lower-priority matches, enter larger numbers. Note: Rule order affects URL rewriting rule matching and behavior. The search begins with the smallest Priority number (greatest priority) rule in the list and progresses in order towards the largest number in the list. Matching rules are determined by comparing the rule and the connection's content. If no rule matches, the connection remains unchanged. When the FortiWeb unit finds a matching rule, it applies the matching rule's specified actions to the connection.
Rewriting Rule Name    Select the name of an existing URL rewriting rule that you want to include in the group. If you want to view the information associated with a URL rewriting rule, select the Detail link. A read-only version appears.

7 Click OK.
8 Repeat the previous steps for each individual rule that you want to add to the URL rewriting policy.
9 To modify an individual rule, click its Edit icon. To remove an individual rule from the URL rewriting policy, click its Delete icon. To remove all individual rules from the URL rewriting policy, click the Clear icon.
10 Click OK.
To apply the URL rewriting policy, select it in an inline protection profile. For details, see Configuring inline protection profiles on page 268.

Configuring URL rewriting rules


Web Protection > URL Rewriting Policy > URL Rewriting Rule displays the list of URL rewriting rules. URL rewriting rules can rewrite the URL line or the Referer: field in the HTTP header, or redirect requests to another web site.

Similar to error message cloaking, URL rewriting can be useful to prevent the disclosure of underlying technology or web site structures to HTTP clients. For example, when visiting a blog web page, its URL might be:
http://www.example.com/wordpress/?feed=rss2
Simply knowing the file name, that the blog uses PHP, its compatible database types, and the names of parameters via the URL could help an attacker craft an appropriate attack for that platform. By rewriting the URL to something more human-readable and less platform-specific, the details can be hidden, such as:
http://www.example.com/rss2
Note: URLs in the HTML body are not rewritten.


Note: URL rewrites are applicable when the FortiWeb unit operates in reverse proxy mode and true transparent proxy mode without HTTPS.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 99: Web Protection > URL Rewriting Policy > URL Rewriting Rule tab

GUI item    Description
Create New    Click to add a URL rewriting rule.
#    Displays the index number of the entry in the list.
Name    Displays the name of the entry.
URL Rewriting Count    Displays the number of URL rewriting items contained in the entry.
(No column heading.)    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a URL rewriting set. Click the Edit icon to modify the entry.

To configure a URL rewrite rule
1 Go to Web Protection > URL Rewriting Policy > URL Rewriting Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.


3 In Name, enter the name of the URL rewriting rule. This field cannot be modified if you are editing an existing URL rewriting rule. To modify the name, delete the entry, then recreate it using the new name.
4 From the Action list, select which of the following actions you want the FortiWeb unit to take when it receives a matching request:
Rewrite HTTP Header: Rewrite header fields (Host:, request URL, and Referer: fields), as specified in the URL Rewriting Condition Table.
Redirect: Send a 302 (Moved Temporarily) response to the client, with a new Location: field in the HTTP header.
Send 403 Forbidden: Send a 403 (Forbidden) response to the client.
Rewrite HTTP Body: Rewrite URLs in the body of responses.
The contents of the URL Rewriting Condition Table vary with the Action selection.
5 Click OK and configure the following information.
6 In the fields below the URL Rewriting Condition Table, enter the following information, which varies depending on the selection made in the Action list:

GUI item    Description
Redirect    Location: Type the value for the Location: field in the HTTP header for the 302 response.
Send 403 Forbidden    No options available.
Rewrite HTTP Body    Replacement: Type the replacement value for the specific HTTP content in the body of responses. For an example, see URL rewriting examples on page 250.


Rewrite HTTP Header    Note: If a check box beside an option is available but you do not configure it, the FortiWeb unit will preserve the value from the client's request when rewriting it.
Host: This is the replacement value for the Host: field. Type the name of the host, such as store.example.com, to which the request will be redirected. This field supports back references such as $0 to the parts of the original request that matched any capture groups that you entered in Regular Expression for each object in the condition table. (A capture group is a regular expression, or part of one, surrounded in parentheses.) Use $n (0 <= n <= 9) to invoke a substring, where n is the order of appearance of the regular expression, from left to right, from outside to inside, then from top to bottom. For example, regular expressions in the condition table in this order:
(a)(b)(c(d))(e)(f)
would result in variables with the following values:
$0: a
$1: b
$2: cd
$3: d
$4: e
$5: f
For an example, see URL rewriting examples on page 250.
URL: This is the replacement value for the URL field. Type the string, such as /catalog/item1, that will replace the request URL. Do not include the name of the web host, such as www.example.com, nor the protocol. Like Host, this field supports back references such as $0 to the parts of the original request that matched any capture groups that you entered in Regular Expression for each object in the condition table. For an example, see URL rewriting examples on page 250.
Referer: This is the replacement value for the Referer: field. Select the referer URL that will be used when rewriting the Referer: field in the HTTP header. This option is available only if Action is Rewrite HTTP Header.

7 Click OK.
8 Click Create New. A dialog appears.


9 Configure the following:

GUI item    Description
ID    Type the index number of the individual entry in the URL rewriting condition table. The index number is an identifier only, and does not affect the display order or match order. The number must be between 1 and 99,999 and must be unique for each entry.
Object    Select which part of the HTTP request will be tested for a match: HTTP Host, HTTP Request URL, or HTTP Referer. If the request must meet multiple conditions (for example, it must contain both a matching Host: field and a matching URL), add each object match condition to the condition table separately.
If no Referer field in HTTP header    Select either Do not meet this condition or Meet this condition. Requests can lack a Referer: field for several reasons, such as if the user manually types the URL, and the request does not result from a hyperlink from another web site, or if the URL resulted from an HTTPS connection. (See the RFC 2616 section on the Referer: field.) In those cases, the field cannot be tested for a matching value. This option appears only if Object is HTTP Referer.
Regular Expression    Depending on your selection in Object and Meet this condition if, type a regular expression that defines either all matching or all non-matching Host: fields, URLs, or Referer: fields. Then, also configure Meet this condition if. For example, for the URL rewriting rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in Meet this condition if, select Match this condition. The pattern is not required to begin with a slash ( / ). When you have finished typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
Meet this condition if    Indicate how to use Regular Expression when determining whether or not this URL rewriting condition has been met. Object does not match the regular expression: If the regular expression does not match the request object, the condition is met. Object matches the regular expression: If the regular expression does match the request object, the condition is met. If all conditions are met, the FortiWeb unit will do your selected Action.

10 Click OK.
11 Repeat the previous steps for each condition that you want to add to the URL rewriting rule.
12 To modify an individual condition, click its Edit icon. To remove an individual condition from the URL rewriting rule, click its Delete icon. To remove all individual conditions from the URL rewriting rule, click the Clear icon.
13 Click OK.
To apply the URL rewrite rule, you must first add it to a URL Rewriting Policy. For details, see Configuring URL rewriting policy on page 244.

URL rewriting examples


The following topics provide examples using regular expressions and variables to rewrite URLs:
Rewriting URLs using regular expressions
Rewriting URLs using variables


Rewriting URLs using regular expressions


Example.edu is a large university. Professors of example.edu use a mixture of WordPress and Movable Type software for their course web pages to keep students updated. In addition, the campus bookstore and software store use custom shopping cart software. The URLs of these web applications contain clues about the underlying vendors, databases and scripting languages. Because it is a large organization with many mobile users and guests, and an Internet connection with large bandwidth, the university is a frequent target of attacks. Its network administrators want to hide the underlying technology to make it more difficult for attackers to craft platform-specific attacks. Example.edu also wants to make clients' bookmarked URLs more permanent, so that clients will not need to repair them if the university switches software vendors. Because it has so many URLs, the university uses regular expressions to rewrite sets of similar URLs, rather than configuring rewrites for each URL individually. More specific URL rewrite rules are placed first in the URL rewriting group, before general ones, because the matching order determines which rewrite rule is applied.
Table 100: Example URL rewrites using regular expressions

Regular Expression in URL match condition: ^/cgi/python/ustore/payment.html$
URL: /store/checkout
Example URL in client's request: /cgi/python/ustore/payment.html
Result: /store/checkout

Regular Expression in URL match condition: ^/ustore*$
URL: /store/view
Example URL in client's request: /ustore/viewItem.asp?id=1&img=2
Result: /store/view

Regular Expression in URL match condition: /Wordpress/(.*)
URL: /blog/$0
Example URL in client's request: /wordpress/10/11/24
Result: /blog/10/11/24

Regular Expression in URL match condition: /(.*)\.xml
URL: /$0
Example URL in client's request: /index.xml
Result: /index

Rewriting URLs using variables


Example.com has a web site that uses ASP, but the administrator wants it to appear that the web site uses PHP. To do this, she configures a rule that changes any requested file's suffix which is ".asp" into ".php". The condition table contains two match conditions, in this order:
1 The Host: may be anything.
2 The request URL must end in .asp.
If both of those are true, the request is rewritten. The administrator does not want to rewrite matching requests into a single URL. Instead, she wants each rewritten URL to re-use parts of the original request. To assemble the rewritten URL by re-using the original request's file path and Host:, the administrator uses two variables: $0 and $1. Each variable refers to a part of the original request. The parts are determined by which capture group was matched in the Regular Expression field of each condition table object.
$0: The text that matched the first capture group (.*). In this case, because the object is the Host: field, the matching text is the host name, www.example.com.
$1: The text that matched the second capture group, which is also (.*). In this case, because the object is the request URL, the matching text is the file path, news/local.


Table 101: Example URL rewrite using regular expressions and variables

Example request: Host www.example.com, URL /news/local.asp
URL Rewriting Condition Table: HTTP Host (.*); HTTP URL /(.*)\.asp
Replacement: Host $0; URL /$1.php
Result: www.example.com /news/local.php
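The following Python model is an added example written for this guide section; it is not FortiWeb code and does not reproduce the appliance's matching engine. It implements the behaviour the Host and URL descriptions and the two tables above spell out: conditions on the Host and URL objects are tested with regular expression search, capture groups are numbered left to right and outer before inner within one expression and then continue on the next condition, $n in a replacement refers to that combined list, and rules in a group are tried from the smallest Priority number upward with the first match winning. The rule names, the `Condition` and `RewriteRule` types and the dictionary shape of a request are assumptions of the example; the regular expressions and replacements come from the payment.html, .xml and .asp rows above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not FortiWeb code. Models the URL rewriting evaluation described
# in the guide: a policy is a list of (priority, rule) pairs, a rule is a
# condition table plus replacement templates, and $n in a template refers to
# the n-th capture group counted across the whole condition table.


@dataclass
class Condition:
    obj: str                 # "host", "url" or "referer" (the Object setting)
    pattern: str             # the Regular Expression setting
    must_match: bool = True  # "Object matches" (True) or "does not match" (False)


@dataclass
class RewriteRule:
    name: str
    conditions: list
    new_host: Optional[str] = None  # replacement Host:, None keeps the client's value
    new_url: Optional[str] = None   # replacement request URL, None keeps it


def expand(template: str, groups: list) -> str:
    """Replace every $n (0 <= n <= 9) with the n-th captured substring."""
    def sub(m):
        n = int(m.group(1))
        return groups[n] if n < len(groups) else ""
    return re.sub(r"\$(\d)", sub, template)


def rule_matches(rule: RewriteRule, request: dict):
    """Return the combined capture list when every condition is met, else None.

    Within one regular expression Python numbers groups by the position of the
    opening parenthesis, which is the "left to right, outside to inside" order
    the guide describes; groups of later conditions are appended, giving the
    "top to bottom" continuation, so (a)(b)(c(d))(e)(f) yields a, b, cd, d, e, f.
    """
    groups = []
    for cond in rule.conditions:
        m = re.search(cond.pattern, request.get(cond.obj, ""))
        if (m is not None) != cond.must_match:
            return None
        if m is not None:
            groups.extend(g if g is not None else "" for g in m.groups())
    return groups


def apply_policy(policy: list, request: dict) -> dict:
    """Try rules from the smallest Priority number upward; the first match wins.

    If no rule matches, the request is returned unchanged.
    """
    for _, rule in sorted(policy, key=lambda pr: pr[0]):
        groups = rule_matches(rule, request)
        if groups is None:
            continue
        out = dict(request)
        if rule.new_host is not None:
            out["host"] = expand(rule.new_host, groups)
        if rule.new_url is not None:
            out["url"] = expand(rule.new_url, groups)
        return out
    return dict(request)


# Rules taken from the tables above, ordered specific before general.
ASP_TO_PHP = RewriteRule("asp-to-php",
                         [Condition("host", r"(.*)"), Condition("url", r"/(.*)\.asp")],
                         new_host="$0", new_url="/$1.php")
EXAMPLE_POLICY = [
    (0, RewriteRule("checkout", [Condition("url", r"^/cgi/python/ustore/payment.html$")],
                    new_url="/store/checkout")),
    (1, RewriteRule("xml", [Condition("url", r"/(.*)\.xml")], new_url="/$0")),
    (2, ASP_TO_PHP),
]

if __name__ == "__main__":
    print(apply_policy(EXAMPLE_POLICY, {"host": "www.example.com", "url": "/news/local.asp"}))
    print(apply_policy(EXAMPLE_POLICY, {"host": "www.example.com", "url": "/index.xml"}))
```

Because the search is unanchored, a pattern such as /(.*)\.xml also matches deeper inside a URL; anchor with ^ when a rule must only apply from the start of the URL, and keep the most specific rules at the lowest Priority numbers so a general rule does not consume their requests first.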

Configuring HTTP protocol constraint profiles


Web Protection > HTTP Protocol Constraints > HTTP Protocol Constraints displays the list of HTTP protocol constraint profiles. Use HTTP protocol constraints to prevent vulnerability to attacks such as buffer overflows in web servers that do not restrict elements of the HTTP protocol, such as its header lines, to acceptable lengths.
Tip: If you plan to add HTTP constraints exceptions to your HTTP protocol constraints profile, configure the exceptions first. See Configuring HTTP protocol constraint exceptions on page 254.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 102: Web Protection > HTTP Protocol Constraints > HTTP Protocol Constraints tab

GUI item    Description
Create New    Click to add an HTTP protocol constraint.
#    Displays the index number of the entry in the list.
Name    Displays the name of the entry.
Header Length    Displays the maximum acceptable length in bytes of the HTTP header.
Content Length    Displays the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the Content-Length: field in the HTTP header.
Body Length    Displays the maximum acceptable length in bytes of the HTTP body.
Parameter Length    Displays the maximum acceptable length in bytes of parameters in the URL or, for HTTP POST requests, in the HTTP body. Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.
Header Line Length    Displays the maximum acceptable length in bytes of each line in the HTTP header.
(No column heading.)    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline or offline protection profile. Click the Edit icon to modify the entry. Click the View icon to view the predefined entry. Click the Clone icon to create a new entry based on a predefined protocol constraint.

To configure an HTTP protocol constraint
1 Go to Web Protection > HTTP Protocol Constraints > HTTP Protocol Constraints.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears. Alternatively, click the Clone icon to make a new entry based on a predefined entry. In this case, a dialog appears with only a Name field.
3 In Name, type the name of the protocol constraint. This field cannot be modified if you are editing an existing protocol constraint. To modify the name, delete the entry, then recreate it using the new name.

Note: Enter 0 for any numerical parameter to disable that parameter check.

4 Configure the following:


GUI item    Description
Name    The name of the protocol constraint. This field cannot be modified if you are editing an existing protocol constraint. To modify the name, delete the entry, then recreate it using the new name.
Action, Severity and Trigger Action    The Action, Severity and Trigger Action drop-down menus allow you to control what the FortiWeb unit will do when it detects a specific HTTP protocol violation. Each violation can be uniquely configured. For information on Action, Severity and Trigger Action settings, see Responding to web protection rule violations on page 191.
Header Length    Type the maximum acceptable length in bytes of the HTTP header.
Content Length    Type the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the Content-Length: field in the HTTP header.
Body Length    Type the maximum acceptable length in bytes of the HTTP body.
Parameter Length    Type the maximum acceptable length in bytes of parameters in the URL or, for HTTP POST requests, HTTP body. Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.
Header Line Length    Type the maximum acceptable length in bytes of each line in the HTTP header.
HTTP Request Length    Type the maximum acceptable length in bytes of the HTTP request.
URL Parameter Length    Type the maximum acceptable length of a URL parameter (including the name and value).
Illegal HTTP Version    Enable to check for illegal HTTP version numbers. If the HTTP version is not "HTTP/1.0" or "HTTP/1.1", it is considered illegal.
Number of Cookies In Request    Type the maximum acceptable number of cookies in an HTTP request.
Number of Header Lines In Request    Type the maximum acceptable number of lines in the HTTP header.
Illegal HTTP Request Method    Enable to check for illegal HTTP version numbers.
Number of URL Parameters    Type the maximum number of URL parameters.
Illegal Host Name    Enable to check for illegal characters in the Host: line of the HTTP header, such as NULL characters or encoded characters. For example, characters such as "0x0" or "%00*" are considered illegal.
Exception Name    Select the HTTP Constraints Exception that you want to apply to this policy. For more information, see Configuring HTTP protocol constraint exceptions on page 254. If you want to view the information associated with an exception, select the Detail link. A read-only version appears.

5 Click OK. To apply the HTTP protocol constraint profile, select it in an inline or offline protection profile. For details, see Configuring inline protection profiles on page 268 or Configuring offline protection profiles on page 274.

Configuring HTTP protocol constraint exceptions


Web Protection > HTTP Protocol Constraints > HTTP Constraints Exceptions displays the list of HTTP protocol constraint exceptions. Exceptions may be useful if you know that some HTTP protocol constraints, during normal use, will cause false positives by matching an attack signature. Exceptions define HTTP constraints that will not be subject to HTTP protocol constraint policy.


For example, if no exceptions are defined, FortiWeb executes the HTTP protocol constraint policy as defined in Configuring HTTP protocol constraint profiles on page 252. But, if you select Header Length Check as an HTTP protocol constraint exception for a specific host, FortiWeb would ignore the HTTP header length check when executing the web protection profile for that host.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 103: Web Protection > HTTP Protocol Constraints > HTTP Constraint Exception tab

GUI item    Description
Create New    Click to add a server protection exception.
#    Displays the index number of the entry in the list.
Name    Displays the name of the entry.
Exception Rule Count    Displays the number of individual exceptions contained in the entry.
(No column heading.)    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a server protection rule. Click the Edit icon to modify the entry.

To configure an HTTP constraint exception
1 Go to Web Protection > HTTP Protocol Constraints > HTTP Constraints Exception.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the server protection exception. This field cannot be modified if you are editing an existing server protection exception. To modify the name, delete the entry, then recreate it using the new name.
4 Click OK.


5 Click Create New. A dialog appears.

6 Configure the following:

GUI item    Description
ID    Displays the index number of the entry in the list.
Host Status    Enable to apply this HTTP constraint exception only to HTTP requests for specific web hosts. Also configure Host. Disable to apply the exceptions to all web hosts.
Host    Select the IP address or fully qualified domain name (FQDN) of the protected host to which this exception applies.
Request Type    Select whether the URL Pattern field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).


URL Pattern    Depending on your selection in the Request Type field, enter either the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule (the URL must begin with a slash ( / )), or a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm. Do not include the name of the web host, such as www.example.com, which is configured separately in the Host drop-down list. To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.
Header Length    Type the maximum acceptable length in bytes of the HTTP header.
Content Length    Type the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the Content-Length: field in the HTTP header.
Body Length    Type the maximum acceptable length in bytes of the HTTP body.
Parameter Length    Type the maximum acceptable length in bytes of parameters in the URL or, for HTTP POST requests, HTTP body. Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.
Header Line Length    Type the maximum acceptable length in bytes of each line in the HTTP header.
HTTP Request Length    Type the maximum acceptable length in bytes of the HTTP request.
URL Parameter Length    Type the maximum acceptable length of a URL parameter (including the name and value).
Number of Cookies In Request    Type the maximum acceptable number of cookies in an HTTP request.
Number of Header Lines In Request    Type the maximum acceptable number of lines in the HTTP header.
Illegal HTTP Request Method    Enable to check for illegal HTTP version numbers.
Number of URL Parameters    Type the maximum number of URL parameters.
Illegal Host Name    Enable to check for illegal characters in the Host: line of the HTTP header, such as NULL characters or encoded characters. For example, characters such as "0x0" or "%00*" are considered illegal.

7 Click OK. To apply the HTTP protocol constraint exception, select it in the HTTP Protocol Constraint profile. For details, see Configuring HTTP protocol constraint profiles on page 252.
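To make the interaction between a protocol constraint profile and its exceptions concrete, here is an added Python example written for this section; it is not FortiWeb code and the appliance does not expose these internals. It parses a raw HTTP/1.x request, applies the length and count checks the two tables above describe (with 0 disabling a check, parameter length counted without the ?, & and = characters, and the Host: line checked for NULL or percent-encoded bytes), and then drops the checks named in an exception whose host and URL patterns match the request. The limit values, the check names, the exception tuple shape and the two sample requests are all constructed for the example.

```python
import re

# Added example, not FortiWeb code. The limits and the sample requests below are
# constructed for this illustration; a limit of 0 disables that check, as in the
# profile settings described in the guide.
DEFAULT_LIMITS = {
    "header_length": 4096,        # whole header block, bytes
    "header_line_length": 1024,   # each header line, bytes
    "header_lines": 32,           # Number of Header Lines In Request
    "cookies": 16,                # Number of Cookies In Request
    "url_parameters": 32,         # Number of URL Parameters
    "url_parameter_length": 512,  # one name=value pair, bytes
    "parameter_length": 2048,     # all parameters, excluding ? & = characters
    "content_length": 65536,      # declared Content-Length:
}


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into its request line, header lines and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, _, rest = lines[0].decode("latin-1").partition(" ")
    target, _, version = rest.rpartition(" ")
    return {
        "method": method, "target": target, "version": version,
        "headers": [ln.decode("latin-1") for ln in lines[1:]],
        "header_bytes": len(head) + len(sep), "body": body,
    }


def header_value(headers: list, name: str):
    """Return the first header with the given (case-insensitive) name, or None."""
    for line in headers:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def check_constraints(raw: bytes, limits: dict = DEFAULT_LIMITS, exceptions=()) -> list:
    """Return the names of the violated constraints; an empty list means the request passes.

    exceptions: iterable of (host_regex, url_regex, set_of_checks_to_skip), modelling
    an HTTP constraint exception bound to a host and a URL pattern.
    """
    req = parse_request(raw)
    headers = req["headers"]
    host = header_value(headers, "Host") or ""
    path, _, query = req["target"].partition("?")

    skipped = set()
    for host_re, url_re, checks in exceptions:
        if re.search(host_re, host) and re.search(url_re, path):
            skipped |= set(checks)

    violations = []

    def flag(name, violated):
        if violated and name not in skipped:
            violations.append(name)

    def over(limit_name, value):
        return 0 < limits[limit_name] < value

    params = [p for p in query.split("&") if p]
    cookies = [c for c in (header_value(headers, "Cookie") or "").split(";") if c.strip()]
    content_length = header_value(headers, "Content-Length")
    # Parameter Length covers URL parameters and, for POST, form parameters in the body
    body_params = []
    if req["method"] == "POST" and "application/x-www-form-urlencoded" in (header_value(headers, "Content-Type") or ""):
        body_params = [p for p in req["body"].decode("latin-1").split("&") if p]
    param_bytes = sum(len(p.replace("=", "")) for p in params + body_params)

    flag("illegal_http_version", req["version"] not in ("HTTP/1.0", "HTTP/1.1"))
    flag("header_length", over("header_length", req["header_bytes"]))
    flag("header_line_length", any(over("header_line_length", len(h)) for h in headers))
    flag("header_lines", over("header_lines", len(headers)))
    flag("cookies", over("cookies", len(cookies)))
    flag("url_parameters", over("url_parameters", len(params)))
    flag("url_parameter_length", any(over("url_parameter_length", len(p)) for p in params))
    flag("parameter_length", over("parameter_length", param_bytes))
    flag("content_length", content_length is not None and content_length.isdigit()
         and over("content_length", int(content_length)))
    # Illegal Host Name: NULL bytes or percent-encoded characters in the Host: line
    flag("illegal_host_name", re.search(r"\x00|%[0-9A-Fa-f]{2}", host) is not None)
    return violations


# Constructed sample requests
GOOD_REQUEST = (b"GET /index.php?id=1&page=2 HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"Cookie: a=1; b=2\r\n\r\n")
BAD_REQUEST = (b"GET /search?q=" + b"A" * 600 + b" HTTP/1.1\r\n"
               b"Host: www.example.com%00evil\r\n\r\n")
# Exception: skip the per-parameter length check for /search on this host only
SEARCH_EXCEPTION = [(r"^www\.example\.com", r"^/search", {"url_parameter_length"})]

if __name__ == "__main__":
    print(check_constraints(GOOD_REQUEST))
    print(check_constraints(BAD_REQUEST))
    print(check_constraints(BAD_REQUEST, exceptions=SEARCH_EXCEPTION))
```

Note that the exception only removes the checks it names: the oversized parameter on /search is tolerated, but the encoded NULL in the Host: line is still reported, which is the behaviour to aim for when an exception is added to silence a known false positive rather than to whitelist a host outright.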

Configuring authentication policy


If a web site does not support RFC 2617 HTTP authentication on its own and does not provide HTML form-based authentication, you can use a FortiWeb unit to authenticate HTTP clients before they are permitted to access a web page or web site.
Note: Authentication applies when the FortiWeb unit operates in reverse proxy mode or true transparent proxy mode without HTTPS.

When HTTP authentication is configured:


If the client's initial request does not already include an Authorization: field in its HTTP header, the FortiWeb unit replies with an HTTP 401 (Authorization Required) response. The response includes a WWW-Authenticate: field in the HTTP header that indicates which style of authentication to use (basic, digest, or NTLM) and the name of the realm (usually the name, such as Restricted Area, of a set of URLs that can be accessed using the same set of credentials). The browser then prompts its user to enter a user name and password. (The prompt may include the name of the realm, in order to indicate to the user which login is valid.) The browser includes these in the Authorization: field of the HTTP header when repeating its request.
Figure 33: An HTTP authentication prompt in the Google Chrome browser

The FortiWeb unit compares the supplied credentials to:
the locally defined set of user accounts
a set of user objects on a lightweight directory access protocol (LDAP) directory
user accounts on an NT LAN Manager (NTLM) server

Valid user name formats vary by the authentication server. For example:
For a local user, enter a user name in the format username.
For LDAP authentication, enter a user name in the format required by the directory's schema.
For NTLM authentication, enter a user name in the format DOMAIN/username.

If the client authenticates successfully, the FortiWeb unit forwards the original request to the server. If the client does not authenticate successfully, the FortiWeb unit repeats its HTTP 401 response to the client, asking again for valid credentials. Once the client has authenticated with the FortiWeb unit, if the server applies no other restrictions and the resource is found, it returns the requested resource to the client. If the client's browser is configured to do so, it can cache the realm along with the supplied credentials, automatically re-supplying the user name and password for each request with a matching realm. This provides convenience to the user. Otherwise, the user would have to re-enter their user name and password for every request.
Caution: Advise users to clear their cache and close their browser after an authenticated session to ensure that no one else can access the web site using their credentials. Browsers often cache credentials until manually cleared, or until cleared automatically by closing a browser tab or window. This is because, without a web application with its own notion of sessions, the HTTP protocol itself is essentially stateless, it relies only on these cached credentials, and there is no other way to log out.


Caution: HTTP authentication is not secure. All user names and data (and, depending on the authentication style, passwords) are sent in clear text. If you require encryption and other security features in addition to authorization, use HTTP authentication with SSL/TLS.

Tip: Alternatively or in addition to HTTP authentication, with SSL connections, you can require that clients present a valid personal certificate. For details, see Certificate Verification on page 127.
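The 401 exchange described above, as an added Python example that is not part of this guide and not FortiWeb code: a request without an Authorization: field receives a 401 with a WWW-Authenticate: header naming the basic scheme and the realm, the browser's reply carries "Basic" plus base64(user:password), and only valid credentials let the original request through to the server. The realm name Restricted Area comes from the text above; the local user store, its salt and password, and the dictionary shape of requests and responses are constructed for the example. Decoding the header in `parse_basic` also makes the Caution concrete: base64 is an encoding, not encryption, so the password is readable by anyone who can see the header unless the connection uses SSL/TLS.

```python
import base64
import hashlib
import hmac

# Added example, not FortiWeb code. The realm, user store and salt are constructed
# for this illustration; a real deployment would consult the local, LDAP or NTLM
# user store the guide describes.
REALM = "Restricted Area"
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"s3cret").hexdigest()}


def challenge() -> dict:
    """The 401 response sent when a request carries no usable Authorization: field.

    WWW-Authenticate: names the scheme (basic here) and the realm that the browser
    shows in its prompt and later uses to decide which cached credentials apply.
    """
    return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="%s"' % REALM}}


def basic_header(user: str, password: str) -> str:
    """What the browser puts in Authorization: after the user fills in the prompt."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def parse_basic(authorization: str):
    """Decode 'Basic <base64(user:password)>' into (user, password), or None if malformed.

    base64 is an encoding, not encryption: anyone who can read this header can
    read the password, which is why HTTP authentication belongs under SSL/TLS.
    """
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(user: str, password: str) -> bool:
    """Check against the local user store with a constant-time digest comparison."""
    expected = USERS.get(user, hashlib.sha256(b"").hexdigest())  # hash even for unknown users
    actual = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(actual, expected) and user in USERS


def handle(request: dict) -> dict:
    """Decide what happens to one request for a URL in the authentication realm.

    No Authorization:, or bad credentials, produces the 401 challenge again;
    valid credentials let the original request go on to the server.
    """
    auth = request["headers"].get("Authorization")
    if auth is None:
        return challenge()
    creds = parse_basic(auth)
    if creds is not None and credentials_valid(*creds):
        return {"status": "forward", "user": creds[0]}
    return challenge()


if __name__ == "__main__":
    print(handle({"headers": {}}))
    print(handle({"headers": {"Authorization": basic_header("alice", "s3cret")}}))
    print(parse_basic(basic_header("alice", "s3cret")))
```

Because nothing in this exchange expires the cached credentials, the Caution about closing the browser applies unchanged: the only state is what the browser chooses to resend for the realm.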

HTTP authentication policy workflow


To configure HTTP authentication, you must at a minimum:
1 Configure users and user groups. See User creation workflow on page 107.
2 Configure an authentication rule to select the set of URLs that is the authentication realm, the authorization type, and associate a user group. See Configuring authentication rules on page 261.
3 Group sets of authentication rules into authentication profiles. See Configuring authentication policy on page 259.
4 Select the authentication profile in an inline protection profile that is used by a server policy. See Configuring inline protection profiles on page 268.

Configuring authentication policy


Web Protection > Authentication Policy > Authentication Policy displays the list of HTTP authentication profiles. Authentication policies are used by the HTTP authentication feature to authorize HTTP requests.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 104: Web Protection > Authentication Policy > Authentication Policy tab

GUI item    Description
Create New    Click to add an authentication policy.
#    Displays the index number of the entry in the list.
Name    Displays the name of the entry.
Count    Displays the number of individual rules contained in the entry.
(No column heading.)    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an inline protection profile. Click the Edit icon to modify the entry.


Tip: Before you can configure an authentication policy, you must first configure the authentication rules that you want to include in the policy. For details, see Configuring authentication rules on page 261.

To configure an authentication policy
1 Go to Web Protection > Authentication Policy > Authentication Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the authentication policy. This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:


GUI item / Description
LDAP Cache: Enable to cache the results of LDAP queries. Also configure LDAP Cache Timeout.
LDAP Cache Timeout: Enter the LDAP cache timeout duration, in seconds. The default timeout is 300 seconds. This field appears only when you enable LDAP Cache.
Alert Type: Select when alerts will be issued for HTTP authentication attempts:
  None: No alerts are issued for HTTP authentication.
  Failed Only: Alerts are issued only for HTTP authentication failures.
  Successful Only: Alerts are issued only for successful HTTP authentication.
  All: Alerts are issued for all failed and successful HTTP authentication attempts.

5 Click OK.
6 Click Create New. A dialog appears.
7 Configure the following:


GUI item / Description
ID: Type the index number of the individual rule within the authentication policy, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.
Auth Rule: Select the name of an existing authentication rule.

8 Click OK.
9 Repeat the previous steps for each individual rule that you want to add to the authentication policy.
10 To modify an individual rule, click its Edit icon. To remove an individual rule from the authentication policy, click its Delete icon. To remove all individual rules from the authentication policy, click the Clear icon.
11 Click OK.
To apply the authentication policy, select it in an inline protection profile. For details, see Configuring inline protection profiles on page 268.

Configuring authentication rules


Web Protection > Authentication Policy > Authentication Rule displays the list of authentication rules. Authentication rules are used by the HTTP authentication policy to define sets of request URLs that will be authorized for each user group.
Tip: Before you can configure an authentication rule set, you must first configure any user groups that you want to include. For details, see Grouping users on page 114.

If you want to apply rules only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see Configuring protected servers on page 147.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 105: Web Protection > Authentication Policy > Authentication Rule tab

GUI item / Description
Create New: Click to add an authentication rule.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Count: Displays the number of individual rules contained in the entry.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in an authentication policy. Click the Edit icon to modify the entry.


To configure an authentication rule
1 Go to Web Protection > Authentication Policy > Authentication Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the authentication rule. This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.
4 If you want the rule to match only HTTP requests whose Host: field matches a protected hosts entry, enable Host Status, then, from Host, select the protected hosts entry (either a web host name or IP address) that the Host: field of the HTTP request must match.
5 Click OK.
6 Click Create New. A dialog appears.
7 Configure the following:


GUI item / Description
ID: Type the index number of the individual rule within the group of authentication rules, or keep the field's default value of auto to let the FortiWeb unit automatically assign the next available index number.
Auth Type: Select which type of HTTP authentication to use:
  Basic: Clear text user name and password, Base64-encoded but not encrypted. Supports all user queries except NTLM. NTLM users will be ignored if included in the user group.
  Digest: Hashed user name, realm, and password. Only local users are supported. Other types are ignored if included in the user group.
  NTLM: Encrypted user name and password. Only NTLM queries are supported. Other types are ignored if included in the user group.
  For more information on available user types, see User Type on page 116.
User Group: Select the name of a user group that is authorized to use the URL in Auth Path.
User Realm: Type the realm, such as Restricted Area, to which the Auth Path belongs. The realm is often used by users' browsers: it may appear in the browser's prompt for the user's credentials. Especially if a user has multiple logins, and only one login is valid for that specific realm, displaying the realm helps to indicate which user name and password should be supplied. After authenticating once, the browser may cache the authentication credentials for the duration of the browser session. If the user requests another URL from the same realm, the browser often will automatically resupply the cached user name and password, rather than asking the user to enter them again for each request. The realm may be the same for multiple authentication rules, if all of those URLs permit the same user group to authenticate. For example, the user group All_Employees could have access to the Auth Path URLs /wiki/Main and /wiki/ToDo. These URLs both belong to the realm named Intranet Wiki. Because they use the same realm name, users authenticating to reach /wiki/Main usually will not have to authenticate again to reach /wiki/ToDo, as long as both requests are within the same browser session. This field does not appear if Auth Type is NTLM, which does not support HTTP-style realms.
Auth Path: Type the literal URL, such as /employees/holidays.html, that a request must match in order to trigger HTTP authentication.

8 Click OK.
9 Repeat the previous steps for each individual rule that you want to add to the group of authentication rules.
10 To modify an individual rule, click its Edit icon. To remove an individual rule from the group of authentication rules, click its Delete icon. To remove all individual rules from the group of authentication rules, click the Clear icon.
11 Click OK.
To apply the authentication rule, select it in an authentication policy. For details, see Configuring authentication policy on page 259.
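The following added example (not FortiWeb's own code) models how an authentication rule set with Host Status, Auth Path, Auth Type, User Group and User Realm is matched against a request, how the realm reaches the browser in the challenge, and how the policy's Alert Type decides which outcomes raise an alert, using the Intranet Wiki rules from the User Realm description. It assumes a dictionary of local users in place of the user-group query, verifies Basic credentials only (Digest and NTLM are only challenged), answers a request without credentials with a 401 challenge, and answers failed credentials with the 403 mentioned for the inline protection profile.

```python
"""HTTP authentication rule matching, as an added illustration (not FortiWeb's code)."""
import base64
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class AuthRule:
    auth_path: str          # literal URL, e.g. /employees/holidays.html
    auth_type: str          # "Basic", "Digest" or "NTLM"
    user_group: str
    user_realm: str = ""    # unused for NTLM, which has no HTTP-style realm

@dataclass
class AuthRuleSet:
    name: str
    rules: List[AuthRule]
    host_status: bool = False
    host: Optional[str] = None   # protected host the Host: field must equal

# Constructed local user groups (assumption): group name -> {user name: password}.
USER_GROUPS: Dict[str, Dict[str, str]] = {
    "All_Employees": {"alice": "correct horse", "bob": "battery staple"},
}

# Constructed rule set: the Intranet Wiki example from the User Realm description.
WIKI_RULES = [AuthRuleSet(
    "intranet", host_status=True, host="intranet.example.com",
    rules=[AuthRule("/wiki/Main", "Basic", "All_Employees", "Intranet Wiki"),
           AuthRule("/wiki/ToDo", "Basic", "All_Employees", "Intranet Wiki")])]

def find_rule(rule_sets, host, path):
    """Return the first individual rule whose Auth Path (and Host, if required) matches."""
    for rule_set in rule_sets:
        if rule_set.host_status and host != rule_set.host:
            continue                         # Host Status enabled and Host: field differs
        for rule in rule_set.rules:
            if rule.auth_path == path:
                return rule
    return None

def challenge_header(rule):
    """WWW-Authenticate value for the rule's Auth Type; Basic and Digest carry the realm."""
    if rule.auth_type == "Basic":
        return 'Basic realm="%s"' % rule.user_realm
    if rule.auth_type == "Digest":
        return 'Digest realm="%s", qop="auth", nonce="<server nonce>"' % rule.user_realm
    return "NTLM"

def basic_header(user, password):
    """Constructed helper: the Authorization value a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_credentials_ok(authorization, user_group):
    """Decode a Basic Authorization value and check it against the user group."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:                       # malformed base64 or non-UTF-8 bytes
        return False
    expected = USER_GROUPS.get(user_group, {}).get(user)
    # compare_digest keeps the comparison time independent of where a mismatch occurs
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def should_alert(alert_type, success):
    """Apply the policy's Alert Type (None, Failed Only, Successful Only, All)."""
    return (alert_type == "All"
            or (alert_type == "Failed Only" and not success)
            or (alert_type == "Successful Only" and success))

def authorize(rule_sets, host, path, headers, alert_type="Failed Only"):
    """Return (status, WWW-Authenticate value or None, alert raised)."""
    rule = find_rule(rule_sets, host, path)
    if rule is None:
        return 200, None, False              # URL belongs to no realm: forward unchanged
    authorization = headers.get("Authorization")
    if authorization is None:
        return 401, challenge_header(rule), False   # assumption: challenge carries the realm
    if rule.auth_type != "Basic":
        raise NotImplementedError("only Basic verification is modelled in this example")
    ok = basic_credentials_ok(authorization, rule.user_group)
    return (200 if ok else 403), None, should_alert(alert_type, ok)
```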

Configuring file upload restriction policy


Web Protection > File Upload Restriction > File Upload Restriction Policy displays the list of file upload restriction policies that the FortiWeb unit uses to limit the types of files that can be uploaded to your web servers. The file upload restriction policies are composed of individual rules. The rules identify the host and/or URL to which the restriction applies and the specific types of files that are allowed.
Tip: To create an effective file upload restriction policy, you must first configure one or more file upload restriction rules. See Configuring file upload restriction rules on page 265.


To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 106: Web Protection > File Upload Restriction > File Upload Restriction Policy tab

GUI item / Description
Create New: Click to add a file upload restriction policy.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Count: Displays the number of file upload restriction rules used by the policy.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy. Click the Edit icon to modify the entry.

To configure a file upload restriction policy
1 Go to Web Protection > File Upload Restriction > File Upload Restriction Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the file upload restriction policy. This field cannot be modified if you are editing an existing policy. To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:


GUI item / Description
Action: Select the action you want FortiWeb to perform when the policy is violated:
  Alert: Accept the file upload and generate an alert and/or log message.
  Alert & Deny: Block the file upload and generate an alert and/or log message.
  For more information on logging and alerts, see Configuring and enabling logging on page 323.
Severity: Select the severity level you want FortiWeb to use in the records and reports generated when the specified policy is violated. You can configure each violation to be either Low, Medium or High severity.
Trigger Policy: Select the trigger policy you want FortiWeb to apply when the specified policy is violated. Trigger policies determine who will be notified by email when the policy is violated, and whether the log message associated with the violation is recorded in Syslog or FortiAnalyzer. For more information, see Configuring trigger policies on page 322.

5 Click OK.
6 Click Create New. A dialog appears.
7 Configure the following:


GUI item / Description
ID: Displays the index number of the rule associated with the policy.
File Upload Restriction Rule: Select an existing file upload restriction rule that you want to use in the policy. If you are unsure what specific file types are allowed by the rule, select the Detail link next to the rule name.

8 Click OK. The new file upload restriction rules appear in the list.
9 Repeat the previous steps for each rule that you want to add to the file upload restriction policy.
10 To modify an individual rule, click its Edit icon. To remove an individual rule from the group of rules, click its Delete icon. To remove all individual rules from the group of rules, click the Clear icon.
11 Click OK.
To apply the file upload restriction policy, select it in an inline or offline protection profile. For details, see Configuring inline protection profiles on page 268.

Configuring file upload restriction rules


Web Protection > File Upload Restriction > File Upload Restriction Rule displays the list of file upload restriction rules. The rules define the specific host and request URL for which upload restrictions apply, and define the specific file types that are allowed to be uploaded to that host or URL.

Detection and restriction is performed by scanning HTTP requests that use the PUT and POST methods submitted to your web servers. For example, if you want to allow only specific types of files to be uploaded to a host or to a URL called /fileuploads (for example, MP3 audio files, PDF files, and GIF and JPG image files), you can create a file upload restriction policy that contains rules that define only those specific file types. When FortiWeb receives an HTTP PUT or POST request for the host or the /fileuploads URL, it scans the HTTP request and allows only the specified file types to be uploaded. FortiWeb will block file uploads for any HTTP request that contains a file type other than those specified in the upload restriction policy.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 107: Web Protection > File Upload Restriction > File Upload Restriction Rule tab

GUI item / Description
Create New: Click to add a file upload restriction rule.
#: Displays the index number of the entry in the list.
Name: Displays the name of the file upload restriction rule.
Host: Displays the IP address or fully qualified domain name (FQDN) of the real or virtual host as it appears in the Host: field of the HTTP header of requests to which the entry applies.
Request URL: Displays the URL, such as /fileuploads, as it appears in the HTTP PUT or POST request to which the entry applies.
Count: Displays the number of individual file types allowed by the rule.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a parameter validation rule. Click the Edit icon to modify the entry.

To configure a file upload restriction rule
1 Go to Web Protection > File Upload Restriction > File Upload Restriction Rule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 In Name, type the name of the file upload restriction rule. This field cannot be modified if you are editing an existing rule. To modify the name, delete the entry, then recreate it using the new name.
4 Configure the following:

GUI item / Description
Host Status: Enable to apply this file upload restriction rule only to HTTP requests for specific web hosts. Also configure Host. Disable to match the file upload restriction rule based upon the other criteria, such as the URL, but regardless of the Host: field.
Host: Select the IP address or FQDN of a protected host.
Request URL: Enter the literal URL, such as /fileupload, to which the file upload restriction applies. The URL must begin with a slash ( / ). Do not include the name of the host, such as www.example.com, which is configured separately in the Host drop-down list.

5 Click OK.
6 Click Add File Types. A dialog appears.
7 Configure the following:


GUI item / Description
File Types: This column lists the common file types that could be uploaded to a web server.
Allow File Types: This column lists the specific file types that are selected for the upload restriction rule. Once the upload restriction rule is applied, FortiWeb will allow the file types in this column to be uploaded to a web server. Uploads of file types not included in this column will not be allowed by FortiWeb.
Right and left selection arrows: The selection arrows enable you to move file types between the File Types and Allow File Types columns. Select a file type in the left column and click the right arrow to move the selected file type to the Allow File Types column. Repeat as required for the file upload restriction rule you are creating.

8 Click OK. The selected file types appear in the list at the bottom of the rule window.

GUI item / Description
ID: Displays the index number of the entry in the list.
Allow File Types: Displays the list of file types associated with the file upload restriction rule. These are the file types that FortiWeb will allow to be uploaded to the Request URL and Host (if specified).
(No column heading.): Click the Delete icon to remove the entry in the associated row. Click Clear to remove all file types from the rule.

9 Click OK. To add the file upload restriction rule to a policy, select it in a file upload restriction policy. The policies are then used by web protection policies to detect and restrict specific file uploads based on the specified file types and host or URL. For more information, see Configuring file upload restriction policy on page 263.
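The following added example (not FortiWeb's own code) models the rule and policy structure described in this section: a rule names a Request URL, optionally a Host, and the file types allowed there, and the policy carries the Action and Severity applied on a violation, scanning only PUT and POST requests. It assumes that POST uploads arrive as multipart/form-data and PUT uploads as a raw body, and that a file type is judged by the file name extension and, for types with a known magic number, by the first bytes of the content, so that a renamed file does not pass as an allowed type; that content check goes beyond what the page states.

```python
"""File upload restriction, as an added illustration (not FortiWeb's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed magic-number table for the types used in this example.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
    "mp3": (b"ID3", b"\xff\xfb"),
    "zip": (b"PK\x03\x04",),
}

@dataclass
class UploadRule:
    name: str
    request_url: str               # literal URL such as /fileuploads
    allow_file_types: Set[str]     # extensions allowed at that URL
    host_status: bool = False
    host: Optional[str] = None     # protected host the Host: field must equal

@dataclass
class UploadPolicy:
    name: str
    rules: List[UploadRule] = field(default_factory=list)
    action: str = "Alert & Deny"   # "Alert" forwards and logs; "Alert & Deny" blocks and logs
    severity: str = "High"

def detect_type(filename: str, content: bytes) -> Tuple[str, Optional[str]]:
    """Return (extension, type sniffed from the first bytes or None)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    sniffed = next((t for t, sigs in SIGNATURES.items() if content.startswith(sigs)), None)
    if not ext and sniffed:
        ext = sniffed              # raw PUT bodies carry no file name: judge by content
    return ext, sniffed

def uploaded_files(content_type: str, body: bytes, url: str) -> List[Tuple[str, bytes]]:
    """Extract (filename, content) pairs from a multipart POST or a raw PUT body."""
    if "multipart/form-data" not in content_type:
        return [(url.rsplit("/", 1)[-1], body)]        # PUT: the body is the file itself
    boundary = content_type.split("boundary=", 1)[1].strip().strip('"').encode()
    files = []
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):
            break                                       # closing delimiter
        head, _, data = part.partition(b"\r\n\r\n")
        if b'filename="' not in head:
            continue                                    # ordinary form field, not a file
        filename = head.split(b'filename="', 1)[1].split(b'"', 1)[0].decode("utf-8", "replace")
        files.append((filename, data[:-2] if data.endswith(b"\r\n") else data))
    return files

def find_rule(policy: UploadPolicy, host: str, url: str) -> Optional[UploadRule]:
    """Host Status: the Host: field must equal the rule's Host; the URL match is literal."""
    for rule in policy.rules:
        if rule.host_status and rule.host != host:
            continue
        if rule.request_url == url:
            return rule
    return None

def inspect_upload(policy, method, host, url, content_type, body):
    """Return (forward, log entries); forward is False only for Alert & Deny violations."""
    if method not in ("PUT", "POST"):
        return True, []
    rule = find_rule(policy, host, url)
    if rule is None:
        return True, []
    entries = []
    for filename, content in uploaded_files(content_type, body, url):
        ext, sniffed = detect_type(filename, content)
        if ext not in rule.allow_file_types:
            why = "type not allowed"
        elif ext in SIGNATURES and sniffed != ext:
            why = "content does not match extension"   # e.g. a ZIP archive renamed to .gif
        else:
            continue
        entries.append({"rule": rule.name, "file": filename, "reason": why,
                        "severity": policy.severity, "action": policy.action})
    forward = not entries or policy.action == "Alert"
    return forward, entries

def multipart_body(boundary: str, filename: str, content: bytes) -> bytes:
    """Constructed helper: build a one-file multipart/form-data body for testing."""
    b = boundary.encode()
    return (b"--" + b + b"\r\n"
            + b'Content-Disposition: form-data; name="upload"; filename="' + filename.encode() + b'"\r\n'
            + b"Content-Type: application/octet-stream\r\n\r\n" + content + b"\r\n"
            + b"--" + b + b"--\r\n")

# Constructed policy: the /fileuploads example from the text (MP3, PDF, GIF, JPG allowed).
UPLOAD_POLICY = UploadPolicy("uploads", [UploadRule("media", "/fileuploads", {"mp3", "pdf", "gif", "jpg"})])
```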

Configuring inline protection profiles


Inline protection profiles are a set of attack protection settings. The FortiWeb unit applies the profile when a connection matches a server policy that includes the protection profile. You can use inline protection profiles in server policies for any mode except offline protection.

Inline protection profile workflow


Before configuring an inline protection profile, first configure any of the following that you want to include in the profile:
• a file upload restriction policy (see Configuring file upload restriction policy on page 263)
• an allowed method policy (see Configuring allowed request method policy on page 235)
• a URL access policy (see Configuring URL access policy on page 216)
• a server protection rule (see Configuring server protection rules on page 201)
• a page access rule (see Configuring page access rules on page 198)
• a parameter validation rule (see Configuring HTTP parameter validation rules on page 192)
• a hidden fields group (see Configuring hidden field protection profiles on page 239)
• a start pages policy (see Configuring start page rules on page 213)
• a brute force login attack profile (see Configuring brute force login profiles on page 224)
• a robot control profile (see Configuring robot control profiles on page 227)
• an IP list policy (see Configuring an IP list policy on page 220)
• a URL rewriting rule (see Configuring URL rewriting rules on page 246)
• an HTTP authentication policy (see Configuring authentication policy on page 257)
• lastly, select the inline protection policy in a server policy

Configuring an inline protection profile


Web Protection > Web Protection Profile > Inline Protection Profile displays the list of web protection profiles that can be included in server policies when the FortiWeb unit is operating in any mode except offline protection.
Note: Inline web protection profiles can be configured at any time, but can be selected in a policy only while the FortiWeb unit is operating in a mode that supports them. For details, see Table 45, Policy behavior by operation mode, on page 119.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Tip: To increase the scope of an inline protection rule, first configure the policies and rules used by the inline rule. See Web protection profile workflow on page 189.

Table 108: Web Protection > Web Protection Profile > Inline Protection Profile tab

GUI item / Description
Create New: Click to add an inline protection profile.
#: Displays the index number of the entry in the list.
Name: Displays the name of the entry.
Session Management: Indicates whether session management by the FortiWeb unit is enabled or disabled. For more information about session management, see Session Management on page 271.
HTTP Conversion: Indicates whether the FortiWeb unit will translate the IP addresses in the Host:, Referer: and Location: fields of HTTP requests and responses, replacing the virtual server's IP address with that of the real server, and vice versa. For details, see HTTP Conversion on page 272.
Cookie Poison: Indicates whether cookie poisoning prevention is enabled or disabled.
Cookie Poison Action: Displays the action that the FortiWeb unit will take when cookie poisoning is detected.
  Alert: Accept the connection and generate an alert and/or log message.
  Alert & Deny: Block the connection and generate an alert and/or log message.
  Remove Cookie: Accept the connection, but remove the poisoned cookie from the datagram, preventing it from reaching the web server, and generate an alert and/or log message.
  For more information on logging and alerts, see Configuring and enabling logging on page 323.
Server Protection Rule: Displays the name of the server protection rule that will be applied to matching HTTP requests. For details on server protection rules, see Configuring server protection rules on page 201.
Page Access Rule: Displays the name of the page access rule that will be applied to matching HTTP requests. For details on page access rules, see Configuring page access rules on page 198.
Parameter Validation Rule: Displays the name of the parameter validation rule that will be applied to matching HTTP requests. For details on parameter validation rules, see Configuring HTTP parameter validation rules on page 192.
Start Pages: Displays the name of the start pages that HTTP requests must use in order to initiate a valid session. For details on start pages, see Configuring start page rules on page 213.
(No column heading.): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy. Click the Edit icon to modify the entry. Click the View icon to view a predefined entry. Click the Clone icon to create a new entry based on a predefined entry. You can clone global protection profiles as well as custom protection profiles.

To configure an inline protection profile
1 Go to Web Protection > Web Protection Profile > Inline Protection Profile.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears. Alternatively, click the Clone icon to create an entry populated with settings from a predefined profile. In this case, a dialog opens with just the Name field.


3 Configure the following:


GUI item / Description
Name: Type the name of the inline protection profile. This field cannot be modified if you are editing an existing inline protection profile. To modify the name, delete the entry, then recreate it using the new name.
Session Management: Enable to track the states of HTTP sessions using a cookie named FORTIWAFSID. Also configure Session Timeout. This feature requires that the client support cookies.
  Note: You must enable this option:
  to enforce the Start Pages, Page Access Rule, and Hidden Fields Protection Rule features, if any of those options are enabled.
  if you want to include this profile's traffic in the traffic log, in addition to enabling traffic logs in general. For more information, see Enabling logging on page 327.
  Note: Session management is automatically enabled for policies whose Load Balancing Algorithm is HTTP session based Round Robin. If only those types of policies use this protection profile, session management will already be enabled, and therefore you do not need to enable this option.


GUI item / Description
Session Timeout: Type the HTTP session timeout in seconds. This option appears only if Session Management is enabled.
HTTP Conversion: Enable to:
  For forward traffic from clients, replace the virtual server's IP address in the Host: and Referer: fields in the HTTP header with the real server's IP address.
  For reply traffic from servers, including traffic that has been redirected, replace the real server's IP address in the Location: field with the virtual server's IP address.
  This may be useful if your real servers reject HTTP requests whose Host: and Referer: fields do not match their own IP address. It is also useful if the real server is behind network address translation (NAT) and redirects requests to its private network IP address, which clients cannot directly access. However, it increases load on the FortiWeb unit, and should not be enabled unless required.
  Note: Do not enable this option if the real server has multiple virtual hosts.
  Note: The FortiWeb unit does not support this option if the operation mode is offline protection, true transparent proxy mode with HTTPS, or transparent inspection mode.
X-Forwarded-for Support: Enable to include the X-Forwarded-For: HTTP header on connections forwarded to your web servers. Behavior varies by the header already provided by the HTTP client or web proxy, if any:
  Header absent: Add the header, using the source IP address of the connection.
  Header present: Verify that the source IP address of the connection is present in this header's list of IP addresses. If it is not, append it.
  This option can be useful, for example, for web servers that log or analyze clients' IP addresses, and support the X-Forwarded-For: header. When this option is disabled, from the web server's perspective, all connections appear to be coming from the FortiWeb unit, which performs network address translation (NAT). When enabled, the web server can instead analyze this header to determine the source and path of the original client connection.
Cookie Poison: Enable to detect cookie poisoning, then select which of the following actions the FortiWeb unit will take if cookie poisoning is detected:
  Alert: Accept the connection and generate an alert and/or log message.
  Alert & Deny: Block the connection and generate an alert and/or log message.
  Remove Cookie: Accept the connection, but remove the poisoned cookie from the datagram before it reaches the web server, and generate an alert and/or log message.
  For more information on logging and alerts, see Configuring and enabling logging on page 323.
  When enabled, each cookie is accompanied by a cookie named <cookie_name>_fortinet_waf_auth, which tracks the cookie's original value when set by the web server. If the cookie returned by the client does not match this digest, the FortiWeb unit will detect cookie poisoning.
File Upload Restriction: Select an existing file upload restriction policy, if any, that will be applied to matching HTTP requests.
Allow Request Method: Select an existing allow method policy, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_ALLOW_METHOD_FAILED when this feature detects a non-allowed HTTP request method.
URL Access Policy: Select the name of the URL access policy, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_URL_ACCESS_ALERT_DENY when this feature detects a URL matched by this policy.


GUI item / Description
Server Protection Rule: Select the name of the server protection rule, if any, that will be applied to matching HTTP requests. If enabled, server protection rules can scan AMF3 requests. For more information, see Enable AMF3 Protocol Detection on page 274. Attack log messages for this feature vary by which type of attack was detected. For a list, see Configuring server protection rules on page 201.
Page Access Rule: Select the name of the page access rule, if any, that will be applied to matching HTTP requests. This option appears only if Session Management is enabled. Attack log messages contain DETECT_PAGE_RULE_FAILED when this feature detects a request for a URL that violates the required sequence of URLs within a session.
Parameter Validation Rule: Select the name of the parameter validation rule, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_PARAM_RULE_FAILED when this feature detects a parameter rule violation.
Hidden Fields Protection Rule: Select the name of a hidden fields group, if any, that will be applied to matching HTTP requests. This option appears only if Session Management is enabled.
Start Pages: Select the name of the start page group, if any, that HTTP requests must use in order to initiate a valid session. This option appears only if Session Management is enabled. Attack log messages contain DETECT_START_PAGE_FAILED when this feature detects a start page violation.
Brute Force Login: Select the name of a brute force login attack profile, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_BRUTE_FORCE_LOGIN when this feature detects a brute force login attack.
Robot Control: Select the name of a robot control profile, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_MALICIOUS_ROBOT when this feature detects a misbehaving robot or any other HTTP client that exceeds the rate limit.
URL Rewriting Policy: Select the name of a URL rewriting rule set, if any, that will be applied to matching HTTP requests.
HTTP Protocol Constraints: Select the name of an HTTP parameter constraint, if any, that will be applied to matching HTTP requests. Attack log messages contain HTTP_HEADER_LEN_OVERFLOW or HTTP_HEADER_LINE_LEN_OVERFLOW when this feature detects an HTTP request that does not comply with the constraints.
IP List: Select the name of an IP list policy, if any, that will be applied to matching HTTP requests.
HTTP Authentication Policy: Select the name of an HTTP authentication rule, if any, that will be applied to matching HTTP requests. If the HTTP client fails to authenticate, it will receive an HTTP 403 (Access Forbidden) error message.
Redirect URL: Type a URL including the FQDN/IP and path, if any, to which an HTTP client will be redirected if their HTTP request violates any of the rules in this profile. For example, you could enter www.example.com/products/. If you do not enter a URL, depending on the type of violation and the configuration, the FortiWeb unit will log the violation, may attempt to remove the offending parts, and could either reset the connection or return an HTTP 403 (Access Forbidden) or 404 (File Not Found) error message.


Redirect URL With Reason
    Enable to include the reason for the redirection as a parameter in the URL, such as reason=DETECT_PARAM_RULE_FAILED, when traffic has been redirected using Redirect URL. The FortiWeb unit also adds fortiwaf=1 to the URL so that it can detect and cancel a redirect loop (a loop occurs when the redirect itself recursively triggers another attack event).
    Caution: If the redirect URL is itself protected by the FortiWeb unit, enable this option to prevent infinite redirect loops. By default, this option is disabled.

Enable AMF3 Protocol Detection
    Enable to scan requests that use Action Message Format 3.0 (AMF3) for:
    - cross-site scripting (XSS) attacks
    - SQL injection attacks
    - common exploits
    if you have enabled those in your selected server protection rule. AMF3 is a binary format that Adobe Flash clients can use to send input to server-side software.
    Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Otherwise, the FortiWeb unit cannot scan AMF3 requests for attacks.

URL Rewriting Policy
    Select the name of a URL rewriting rule set, if any, that will be applied to matching HTTP requests. For details, see Configuring URL rewriting policy on page 244.

Tip: Click Detail beside any field to open a dialog that lets you view and modify the associated policy.

4 Click OK. If you will use this offline protection profile in conjunction with an auto-learning profile in order to indicate which attacks and other aspects should be discovered, also configure the auto-learning profile. For details, see Applying auto-learning profiles on page 278. To apply the inline protection profile, select it in a server policy. For details, see Configuring server policies on page 118.
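The redirect loop that the Redirect URL With Reason caution describes, as an added example in Python that is not part of this guide or of FortiWeb's software. It models a redirect-configured profile: a blocked request is sent to the profile's Redirect URL with reason=... and fortiwaf=1 appended, and a request that already carries fortiwaf=1 is recognised as the unit's own redirect coming back through a protected host. The http:// default scheme, the 403 fallback on a detected loop, the decide and simulate functions, and the sample URLs are assumptions made for the example.

```python
"""Added example (not FortiWeb code): models the Redirect URL and Redirect URL
With Reason behaviour, including the fortiwaf=1 loop guard."""
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LOOP_MARKER = "fortiwaf"  # FortiWeb appends fortiwaf=1 to the redirect URL


def build_redirect_url(redirect_url: str, reason: str, with_reason: bool) -> str:
    """Build the Location value for a blocked request.

    redirect_url is the profile's Redirect URL, e.g. www.example.com/products/.
    Assumption: http:// is prepended when no scheme is given, because a
    Location header needs an absolute URL. With with_reason=True the reason
    code and the fortiwaf=1 marker are appended as query parameters."""
    if "://" not in redirect_url:
        redirect_url = "http://" + redirect_url
    parts = urlsplit(redirect_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if with_reason:
        query.append(("reason", reason))
        query.append((LOOP_MARKER, "1"))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def is_waf_redirect(request_url: str) -> bool:
    """True when the request already carries fortiwaf=1, i.e. it is our own
    redirect arriving back at a host protected by the same unit."""
    query = dict(parse_qsl(urlsplit(request_url).query, keep_blank_values=True))
    return query.get(LOOP_MARKER) == "1"


def decide(request_url: str, violation: Optional[str], redirect_url: str,
           with_reason: bool) -> Tuple[str, Optional[str]]:
    """Action a redirect-configured profile takes for one request:
    ('pass', None), ('redirect', location) or ('403', None).
    Assumption: a detected loop falls back to 403; the guide only says the
    marker is used to detect and cancel the loop, not what is returned."""
    if violation is None:
        return ("pass", None)
    if with_reason and is_waf_redirect(request_url):
        return ("403", None)
    return ("redirect", build_redirect_url(redirect_url, violation, with_reason))


def simulate(redirect_url: str, with_reason: bool, max_hops: int = 5) -> List[str]:
    """Follow one violating request through successive redirects where the
    redirect target is itself blocked on every hit (constructed scenario:
    the landing page matches a deny URL access rule). Returns the actions
    taken; without the marker the loop only stops at max_hops."""
    actions: List[str] = []
    url = "http://www.example.com/search?q=%27%20OR%201%3D1--"
    violation: Optional[str] = "DETECT_PARAM_RULE_FAILED"
    for _ in range(max_hops):
        action, location = decide(url, violation, redirect_url, with_reason)
        actions.append(action)
        if action != "redirect" or location is None:
            break
        url = location
        violation = "DETECT_URL_ACCESS_ALERT_DENY"  # constructed: landing page is blocked too
    return actions


if __name__ == "__main__":
    print(build_redirect_url("www.example.com/products/", "DETECT_PARAM_RULE_FAILED", True))
    print("without reason:", simulate("www.example.com/products/", with_reason=False))
    print("with reason:   ", simulate("www.example.com/products/", with_reason=True))
```

Run it to see the difference the option makes: with the marker disabled, a redirect target that itself violates a rule bounces the client indefinitely, which is why the caution tells you to enable the option whenever the redirect URL sits behind the same unit.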

Configuring offline protection profiles


Use offline protection profiles when you want to preview the effects of some web protection features without affecting traffic or network topology. Offline protection profiles in server policies apply only when the FortiWeb unit is operating in offline protection mode.

Offline protection profile workflow


Before configuring an offline protection profile, first configure any of the following that you want to include in the profile:
- a file upload restriction policy (see Configuring file upload restriction policy on page 263)
- an allowed method policy (see Configuring allowed request method policy on page 235)
- a URL access policy (see Configuring URL access policy on page 216)
- a server protection rule (see Configuring server protection rules on page 201)
- a parameter validation rule (see Configuring HTTP parameter validation rules on page 192)
- a robot control profile (see Configuring robot control profiles on page 227)
- an IP list policy (see Configuring an IP list policy on page 220)
- lastly, select the offline protection profile in a server policy

Configuring an offline protection profile


Web Protection > Web Protection Profile > Offline Protection Profile displays the list of offline protection profiles.
An offline protection profile is designed for use only in offline protection mode. Offline protection profiles cannot be guaranteed to block attacks: they attempt to reset the connection, but because the unit is not in the traffic path and the reset races the original packets over routes of differing latency, the reset may arrive after the attack has finished. Their primary purpose is to detect attacks, especially for use in conjunction with auto-learning profiles. In fact, if used in conjunction with auto-learning profiles, you should configure the offline protection profile to log but not block attacks, in order to gather complete session statistics for the auto-learning feature. Unlike inline protection profiles, offline protection profiles do not support HTTP conversion, cookie poisoning detection, start page rules, or page access rules.
Note: Offline web protection profiles can be configured at any time, but can only be selected in a policy while the FortiWeb unit is operating in offline mode. For details, see Table 45, Policy behavior by operation mode, on page 119.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see About permissions on page 80.
Table 109: Web Protection > Web Protection Profile > Offline Protection Profile tab

Create New
    Click to add an offline protection profile.

#
    Displays the index number of the entry in the list.

Name
    Displays the name of the entry.

Session Management
    Indicates whether session management by the FortiWeb unit is enabled or disabled. For more information about session management, see Configuring offline protection profiles on page 274.

Server Protection Rule
    Displays the name of the server protection rule that will be applied to matching HTTP requests. For details on server protection rules, see Configuring server protection rules on page 201.

Parameter Validation Rule
    Displays the name of the parameter validation rule that will be applied to matching HTTP requests. For details on parameter validation rules, see Configuring HTTP parameter validation rules on page 192.

(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy. Click the Edit icon to modify the entry. Click the View icon to view a predefined entry. Click the Clone icon to create a new entry based on a predefined entry. You can clone global protection profiles as well as custom protection profiles.

To configure an offline protection profile
1 Go to Web Protection > Web Protection Profile > Offline Protection Profile.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
Alternatively, click the Clone icon to create an entry populated with settings from a predefined profile. In this case, a dialog opens with just the Name field.

3 Configure the following:

Name
    Type the name of the offline protection profile. This field cannot be modified if you are editing an existing offline protection profile. To modify the name, delete the entry, then recreate it using the new name.

Session Management
    Enable to track the states of HTTP sessions using a cookie named FORTIWAFSID. This is required if you will select a WAF Auto Learning Profile in the policy that uses this offline protection profile. Also configure Session Timeout. This feature requires that the client support cookies.
    Note: You must enable this option if you want to include the profile's traffic in the traffic log, in addition to enabling traffic logs in general. For more information, see Enabling logging on page 327.


Session Timeout
    Enter the HTTP session timeout in seconds. This option appears only if Session Management is enabled.

Session Key Word
    Enter the name of the session ID cookie, if any, that the application uses to track its sessions when the FortiWeb unit is operating in offline mode or either of the transparent modes. By default, FortiWeb tracks the following session ID cookies: ASPSESSIONID, PHPSESSIONID and JSESSIONID. Use this field to add your own session ID cookie name. Note that PHP's default session cookie name is PHPSESSID (set by the session.name directive), so if your PHP application uses that default, enter it here. This option appears only if Session Management is enabled.

File Upload Restriction Policy
    Select an existing file upload restriction policy, if any, that will be applied to matching HTTP requests.

Allow Request Method Policy
    Select an existing allow request method policy, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_ALLOW_METHOD_FAILED when this feature detects a non-allowed HTTP request method.
    Note: If a WAF Auto Learning Profile will be selected in the policy with this profile, you must allow the HTTP request methods used by the sessions that you want the FortiWeb unit to learn about. If a method is not allowed, the FortiWeb unit resets the connection, and therefore cannot learn about the session.

URL Access Policy
    Select the name of the URL access policy, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_URL_ACCESS_ALERT_DENY when this feature detects a URL that matches this policy.
    Note: Do not select a URL access policy if this offline protection profile will be used in a policy with a WAF Auto Learning Profile. Selecting a URL access policy causes the FortiWeb unit to reset the connection when it detects a request with a blocked URL and Host: field combination, resulting in incomplete session information for the auto-learning feature.

Server Protection Rule
    Select the name of the server protection rule, if any, that will be applied to matching HTTP requests. Attack log messages for this feature vary by the type of attack detected. For a list, see Configuring server protection rules on page 201.
    Note: If a WAF Auto Learning Profile will be selected in the policy with this profile, select a server protection rule whose Action is Alert. If the Action is Alert & Deny, the FortiWeb unit resets the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.

Parameter Validation Rule
    Select the name of the parameter validation rule, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_PARAM_RULE_FAILED when this feature detects a parameter rule violation.
    Note: If a WAF Auto Learning Profile will be selected in the policy with this profile, select a parameter validation rule whose Action is Alert. If the Action is Alert & Deny, the FortiWeb unit resets the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.

Hidden Fields Protection Rule
    Select the name of a hidden fields group, if any, that will be applied to matching HTTP requests. This option appears only if Session Management is enabled.

Robot Control
    Select the name of a robot control profile, if any, that will be applied to matching HTTP requests. Attack log messages contain DETECT_MALICIOUS_ROBOT when this feature detects a misbehaving robot or any other HTTP client that exceeds the rate limit.
    Note: If a WAF Auto Learning Profile will be selected in the policy with this profile, select a robot control profile whose Action is Alert. If the Action is Alert & Deny, the FortiWeb unit resets the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature.

HTTP Protocol Constraints
    Select the name of an HTTP protocol constraint, if any, that will be applied to matching HTTP requests.


IP List Policy
    Select the name of an IP list policy, if any, that will be applied to matching HTTP requests.

Enable AMF3 Protocol Detection
    Enable to scan requests that use Action Message Format 3.0 (AMF3) for:
    - cross-site scripting (XSS) attacks
    - SQL injection attacks
    - common exploits
    if you have enabled those in your selected server protection rule. AMF3 is a binary format that Adobe Flash clients can use to send input to server-side software.
    Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Otherwise, the FortiWeb unit cannot scan AMF3 requests for attacks.

Tip: Click Detail beside any field to open a dialog that lets you view and modify the policy.

4 Click OK. If you will use this offline protection profile in conjunction with an auto-learning profile in order to indicate which attacks and other aspects should be discovered, also configure the auto-learning profile. For details, see Applying auto-learning profiles on page 278. To apply the offline protection profile, select it in a policy. For details, see Configuring server policies on page 118.
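How the Session Key Word setting matters in practice, as an added example in Python that is not FortiWeb code. It parses the Cookie headers of constructed requests and groups them into sessions using the default key words from the table above plus any extra key word, so you can see that a PHP application using PHP's default PHPSESSID cookie is not recognised until that name is added. Prefix, case-sensitive matching, the FORTIWAFSID priority and the sample requests are assumptions of the example; the guide does not state FortiWeb's exact matching rule.

```python
"""Added example (not FortiWeb code): models how the Session Key Word setting
decides which cookie identifies an application session."""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Sequence, Tuple

# Cookie names the guide says FortiWeb tracks by default, plus the FORTIWAFSID
# cookie that Session Management uses.
DEFAULT_SESSION_KEYWORDS = ("ASPSESSIONID", "PHPSESSIONID", "JSESSIONID")
FORTIWEB_COOKIE = "FORTIWAFSID"


def session_id_from_cookie_header(cookie_header: str,
                                  extra_keywords: Sequence[str] = ()) -> Optional[Tuple[str, str]]:
    """Return (cookie name, value) of the first cookie recognised as a session
    ID, or None. Assumptions: names are matched by prefix (classic ASP cookies
    are named ASPSESSIONID followed by random letters) and case-sensitively.
    FORTIWAFSID wins, then the configured key words, then the built-in names."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    for keyword in (FORTIWEB_COOKIE, *extra_keywords, *DEFAULT_SESSION_KEYWORDS):
        for name, morsel in jar.items():
            if name.startswith(keyword):
                return (name, morsel.value)
    return None


# Constructed sample requests as (method, path, Cookie header); not captured traffic.
CONSTRUCTED_REQUESTS = [
    ("GET", "/login", "PHPSESSID=a1b2c3; theme=dark"),
    ("POST", "/login", "PHPSESSID=a1b2c3; theme=dark"),
    ("GET", "/account", "PHPSESSID=a1b2c3"),
    ("GET", "/", "JSESSIONID=9F2E1C; lang=en"),
    ("GET", "/", "ASPSESSIONIDQGQQGQTX=KLMNOP"),
]


def sessions(requests, extra_keywords: Sequence[str] = ()) -> Dict[str, List[str]]:
    """Group requests into sessions by recognised session cookie. A request with
    no recognised cookie becomes its own anonymous session, which is what an
    unrecognised PHPSESSID cookie looks like in the session statistics."""
    groups: Dict[str, List[str]] = {}
    anonymous = 0
    for method, path, cookie_header in requests:
        found = session_id_from_cookie_header(cookie_header, extra_keywords)
        if found is None:
            anonymous += 1
            key = f"anonymous-{anonymous}"
        else:
            key = f"{found[0]}={found[1]}"
        groups.setdefault(key, []).append(f"{method} {path}")
    return groups


if __name__ == "__main__":
    print("defaults only:       ", sessions(CONSTRUCTED_REQUESTS))
    print("with PHPSESSID added:", sessions(CONSTRUCTED_REQUESTS, ("PHPSESSID",)))
```

With the defaults only, the three PHP requests fall into three separate anonymous sessions; adding PHPSESSID as the key word collapses them into one session, which is the shape the auto-learning feature needs to produce meaningful per-session statistics.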

Applying auto-learning profiles


Auto-learning profiles are designed to be used in conjunction with an inline or offline protection profile. Those profiles detect attacks; only if attacks are detected can the auto-learning profile accumulate auto-learning data and generate its report. As a result, when you create a server policy, you must include an auto-learning profile as well as an inline or offline protection profile.
Auto-learning profiles are useful when you want to collect information about the HTTP sessions on your own network in order to design inline or offline protection profiles suited to them. Auto-learning profiles gather data on the HTTP requests that your FortiWeb unit is handling. They track your web server's response to each request, such as 401 Unauthorized or 500 Internal Server Error, to learn whether the request was legitimate or a potential attack attempt. This data is used for auto-learning reports, and can serve as the basis for generating inline or offline protection profiles (see Generating a profile from auto-learning data on page 289). This removes much of the research and guesswork about which HTTP request methods, data types, and other types of content your web sites and web applications use when you design an appropriate defense. Also see Viewing auto-learning reports on page 282.

Auto-learning profile workflow


Before configuring an auto-learning profile, first configure any of the following that you want to include in the profile:
- a data type group (see Grouping predefined data types on page 150)
- a suspicious URL rule (see Grouping suspicious URLs on page 154)
- one or more URL replacers and a custom application policy (see Custom application workflow on page 160)
- lastly, select the auto-learning profile in a server policy

Configuring auto-learning profiles


Web Protection > Web Protection Profile > Auto Learning Profile displays the list of auto-learning profiles.
To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Auto Learn Configuration category. For details, see About permissions on page 80.
Note: Use auto-learning profiles with profiles whose Action is Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection, preventing the auto-learning feature from gathering complete data on the session.
Table 110: Web Protection > Web Protection Profile > Auto Learning Profile tab

Create New
    Click to add an auto-learning profile.

#
    Displays the index number of the entry in the list.

Name
    Displays the name of the entry.

Data Type Group
    Displays the name of a data type group. The auto-learning profile will learn about the names, length, and required presence of these types of parameter inputs. For details, see Grouping predefined data types on page 150.

Suspicious URL Rule
    Displays the name of a suspicious URL rule. The auto-learning profile will learn about attempts to access these types of URLs, which may indicate an attempt to gain administrative or other unauthorized access to the web server or web application. For details, see Grouping suspicious URLs on page 154.

(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a policy. Click the Edit icon to modify the entry.

To configure an auto-learning profile


Note: Alternatively, you could generate a default auto-learning profile and its required components, and then modify them. For details, see Generating an auto-learning profile and its components on page 281.

1 Go to Web Protection > Web Protection Profile > Auto Learning Profile.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
Alternatively, click the Clone icon to create an entry populated with settings from a predefined profile. In this case, a dialog opens with just the Name field.

3 Configure the following:

Name
    Type the name of the auto-learning profile. This field cannot be modified if you are editing an existing auto-learning profile. To modify the name, delete the entry, then recreate it using the new name.

Data Type Group
    Select the name of a data type group to use, if any. The auto-learning profile will learn about the names, length, and required presence of these types of parameter inputs. For details, see Grouping predefined data types on page 150.

Suspicious URL Rule
    Select the name of a suspicious URL rule to use, if any. The auto-learning profile will learn about attempts to access URLs that are typically used for web server or web application administrator login, such as /admin.php. Requests from clients for these types of URLs are considered a possible attempt at either vulnerability scanning or administrative login attacks, and therefore potentially malicious. For details, see Grouping suspicious URLs on page 154.

Server Protection Threshold
    Enter the number of detected attacks of each type above which the auto-learning profile will not add that attack type to the generated server protection rule (see Configuring server protection rules on page 201). That is, if the number of detections of an attack type exceeds this threshold, FortiWeb deems that behavior to be normal for the web application rather than an attack.

Server Protection Exception Threshold
    Enter the percentage of attacks to total hits above which the auto-learning profile adds the attack to the server protection exceptions (see Configuring server protection exceptions on page 207).

Application Policy
    Select an existing application policy from the drop-down list. For details, see Configuring custom application policies on page 160.

4 Click OK. To apply the auto-learning profile, select it in a policy with an inline or offline protection profile. For details, see Configuring server policies on page 118.
Note: Use auto-learning profiles with offline protection profiles whose Action is Alert. If the Action is Alert & Deny, the FortiWeb unit will reset the connection, preventing the auto-learning feature from gathering complete data on the session.

Once the policy has begun to match connections and accumulate data, you can view the current statistics any time by displaying the auto-learning report. For details, see Viewing auto-learning reports on page 282.
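How the two thresholds shape the generated server protection rule, as an added example in Python that is not FortiWeb code. It applies Server Protection Threshold and Server Protection Exception Threshold to constructed per-URL counters the way the two field descriptions above read: a detection count above the first threshold marks the attack type as normal and leaves it out of the rule; otherwise the signature is enabled and, where detections exceed the second threshold as a percentage of that URL's hits, the URL is added to the exceptions. The counters, the attack type names and the rule that a type deemed normal on one URL is dropped globally are assumptions of the example.

```python
"""Added example (not FortiWeb code): shows how Server Protection Threshold
and Server Protection Exception Threshold decide what the generated server
protection rule contains, under this example's reading of the two settings."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed per-URL auto-learning counters, not real report data:
# url -> (total hits, {attack type: number of detections})
CONSTRUCTED_DATA: Dict[str, Tuple[int, Dict[str, int]]] = {
    "/search":    (10000, {"SQL Injection": 3, "Cross Site Scripting": 450}),
    "/blog/post": (2000,  {"SQL Injection": 0, "Cross Site Scripting": 900}),
    "/login":     (500,   {"SQL Injection": 12}),
}


@dataclass
class GeneratedRule:
    enabled_signatures: Set[str] = field(default_factory=set)
    treated_as_normal: Set[str] = field(default_factory=set)      # above the count threshold
    exceptions: Dict[str, List[str]] = field(default_factory=dict)  # attack type -> URLs


def generate_rule(data, protection_threshold: int, exception_threshold_pct: float) -> GeneratedRule:
    """Apply the two thresholds to every (URL, attack type) pair.

    - more detections than protection_threshold on any URL: the type is
      deemed normal application behaviour and is not added to the rule;
    - otherwise the signature is enabled, and if detections exceed
      exception_threshold_pct of that URL's hits, the URL is added to the
      server protection exceptions for that type."""
    rule = GeneratedRule()
    for url, (hits, attacks) in data.items():
        for attack_type, count in attacks.items():
            if count > protection_threshold:
                rule.treated_as_normal.add(attack_type)
                continue
            rule.enabled_signatures.add(attack_type)
            if hits and 100.0 * count / hits > exception_threshold_pct:
                rule.exceptions.setdefault(attack_type, []).append(url)
    # assumption: a type deemed normal anywhere is left out of the rule entirely
    rule.enabled_signatures -= rule.treated_as_normal
    for attack_type in rule.treated_as_normal:
        rule.exceptions.pop(attack_type, None)
    return rule


if __name__ == "__main__":
    rule = generate_rule(CONSTRUCTED_DATA, protection_threshold=100, exception_threshold_pct=2.0)
    print("enabled:   ", sorted(rule.enabled_signatures))
    print("normal:    ", sorted(rule.treated_as_normal))
    print("exceptions:", rule.exceptions)
```

The run with protection_threshold=100 shows the trap: the most attacked URLs (450 and 900 cross-site scripting detections) cause Cross Site Scripting to be treated as normal and excluded from the rule, so a low count threshold during a period of heavy scanning silently weakens the generated profile. Check the counts on the Attacks tab before accepting the generated rule.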


Auto learn
This chapter describes the Auto Learn menu and explains how to generate a default auto-learning profile and its required components, and how to use the reports generated from auto-learning.
Auto-learning gathers information about the URLs and other characteristics of the HTTP sessions that the FortiWeb unit frequently sees passing to your real servers. It tracks your web server's response to each request, such as 401 Unauthorized or 500 Internal Server Error, to learn whether the request was legitimate or a potential attack attempt, and then generates reports based upon this information. By learning about your typical traffic, the FortiWeb unit can help you quickly make profiles designed specifically for your own HTTP traffic.
This chapter includes the following topics:
- Generating an auto-learning profile and its components
- Viewing auto-learning reports
- Generating a profile from auto-learning data

Generating an auto-learning profile and its components


The auto-learning feature enables you to generate an auto-learning profile and all of its required components. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Autolearn Configuration category. For details, see About permissions on page 80.
Generated auto-learning profile components include:
- data type groups
- suspicious URL rule groups
- server protection rule
- robot control profile and robot groups
- inline or offline protection profile

To generate an auto-learning profile 1 Go to Auto Learn > Default Auto Learn Profile > Default Auto Learn Profile.
Figure 34: Generating a default auto-learning profile

2 In Profile Name, type a name prefix, such as gen-autolearn.


3 Select an operation mode option from the drop-down list.
4 Click Generate Profile.
The FortiWeb unit automatically appends a dash ( - ) to the profile name, followed by a number indicating the year, month, day, and time at which the profile and its associated components were generated. All associated components therefore have identical suffixes and can easily be identified for modification.
In the generated components, all options are enabled that are required to guarantee a complete data set for the report generated by the auto-learning profile. This is regardless of whether the web server is Apache, IIS, or Apache Tomcat, and assumes that you want to learn about all parameters and allow web crawlers from the popular search engines Google, Yahoo!, and MSN. The server protection rule uses only the attack definitions that are least likely to cause false positives (that is, it does not use the extended rule set). The offline or inline protection profile tracks all HTTP request methods and applies a session timeout of 1,200 seconds. The FortiWeb unit logs, but does not block, detected attacks.
To improve performance, you can modify the generated groups and profiles. For example, if you operate only one type of web server, or if you know that you do not need to watch for a specific data type, you could modify the generated data type group and suspicious URL rule group so that the FortiWeb unit does not expend resources looking for those things. For details, see Grouping predefined data types on page 150 and Grouping suspicious URLs on page 154.
To use all attack definitions, or to make one of the search engines' crawlers subject to attack detection, modify the generated robot control profile and server protection rule. For details, see Configuring robot control profiles on page 227 and Configuring server protection rules on page 201.
To apply a generated auto-learning profile, select it and its associated inline or offline protection profile in a policy. For details, see Configuring server policies on page 118.

Viewing auto-learning reports


Auto Learn > Auto Learn Report > Auto Learn Report displays the list of reports that the FortiWeb unit has generated from information gathered by auto-learning profiles. For information on configuring auto-learning profiles, see Applying auto-learning profiles on page 278. Reports generated from auto-learning profile data can help you to learn about the nature of your network. They can also help you to know whether or not the auto-learning profile has collected sufficient amounts of data. When the auto-learning feature has gathered a satisfactory amount of information, you can use the data to generate web profiles as a basis for configuration of your FortiWeb unit. Auto-learning reports may also serve to inform you about the types of normal HTTP requests and attacks occurring on your network.
Note: Auto-learning reports require that your web browser have the Adobe Flash Player plug-in.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Autolearn Configuration category. For details, see About permissions on page 80.

Table 111: Auto Learn > Auto Learn Report > Auto Learn Report tab

Name
    Displays the name of the auto-learning profile whose gathered information was used to generate the report.

Detail
    Click to view the report, to create a PDF version of the report, or to generate a web profile based upon the data gathered for the report.

Purge Data
    Click to remove data gathered by this auto-learning profile. Subsequent reports, and any profiles generated from them, will include only data gathered by the auto-learning profile after you click this icon.
    Note: When a report is open, you can clear data for individual nodes by right-clicking the node in the left-hand pane and selecting Clear Data. Data is also cleared automatically if you delete the policy that uses the auto-learning profile.

To view a report generated from auto-learning data
1 Go to Auto Learn > Auto Learn Report > Auto Learn Report.
2 In the row corresponding to the auto-learning profile whose data you want to view, click the Detail icon.
The report page appears with two panes:
- The left-hand pane lets you navigate through the web sites and URLs that are the subjects of the report.
- The right-hand pane includes tabs that display the report and charts, and buttons that let you adjust any profile generated from the data.
If a tab contains multiple pages of results, click the arrows at the bottom of the tab, such as next > and << first, to move forward or backward through the pages of results.


Figure 35: Parts of auto-learning reports
(Callouts in the figure: the navigation pane, showing the auto-learning profile, host, common part of URL and requested file nodes, with expansion icons and a control to collapse the pane; and the display pane.)

Using the navigation pane


You can change the display and content of data in the left-hand navigation pane. To do so, right-click the name of an item, then click a pop-up menu option:

Refresh the Tree
    Select to update the display in the navigation pane.

Filter the Tree
    Select to show or hide HTTP sessions in the report by their HTTP request method and/or other attributes. A pop-up dialog appears. See Figure 36.

Expand Current Node
    Select to expand the item and all of its subitems. This option has no effect when right-clicking the name of the auto-learning profile.

Stop Learning
    Each URL on an auto-learning report includes the right-click menu option Stop Learning. Selecting this option for a URL that you know is complex and hard to track effectively, or that may generate inaccurate data, reduces processing load: FortiWeb no longer gathers report data for a stopped URL. Right-click the URL again and select Start Learning to reverse the stop action.

Clean Data
    Select to empty the auto-learning data for this item. This may be useful if you know that the inputs required by a specific page have changed since you initially began learning about a web site's parameters, and you want to eliminate obsolete data from the auto-learning report and any profiles that are generated from it.

If you select Filter the Tree, the following dialog appears.


Figure 36: Filtering an auto-learning report

To show only specific nodes in the URL tree and hide the rest, select the attributes that a node or its subnode must satisfy in order to be included. For example, to include only the parts of the URL tree pertaining to HTTP POST requests for Java server pages (JSP files), you would enter .jsp in the Search field under URL and enable POST under HTTP Method.
In the navigation pane, to view statistics for a subset of sessions with specific hosts and their URLs, click the expand icon ( + ) next to an item to expand it, then click the name of the subitem whose statistics you want to view. Depending on the level in the navigation tree, an item may be an auto-learning profile observing multiple hosts, a single host, a common part of a path contained in multiple URLs, or a single requested file. This lets you view:
- statistics specific to each requested URL
- totals for a group of URLs with a common path
- totals for all requested URLs on the host
- totals for all requests on all hosts observed by the auto-learning profile

Using the report display pane


Tabs, statistics and charts appear on the report display (right-hand) pane. Their appearance varies depending on which level you selected in the navigation tree.
Note: If URL rewriting is configured, the URL shown in the tree is the one requested by the client, not the one to which it was rewritten before being passed to the server.

The report display pane contains several feature buttons above the report. Click Refresh in the right-hand pane to update the display with current statistics.


Click Generate Config in the right-hand pane to generate a web protection policy from the auto-learn profile. For information on editing the auto-learn profile before generating a new web protection policy, see Generating a profile from auto-learning data on page 289.

Click Generate PDF in the right-hand pane to get a PDF copy of the report. A pop-up dialog appears. Enter a name for the PDF and click OK.

Overview tab
The Overview tab provides a statistical summary for all sessions established with the host during the use of the auto-learning profile, or since its auto-learning data was last cleared, whichever is shorter.
Figure 37: Overview tab

Under Item in the table, the Hits Count link opens the Visits tab, and the Attack Count link opens the Attacks tab. The Overview tab includes several buttons that adjust the profile that will be generated from the report. (Also see Generating a profile from auto-learning data on page 289.) The Edit Allow Method button appears only when you select a profile in the navigation pane. It opens a pop-up dialog where you can select which HTTP request methods to allow in the generated profile. Select Off or On in the Status drop-down list. The Edit Protected Servers button appears only when you select the auto-learning profile in the navigation pane. It opens a dialog where you can select or deselect the IP addresses and/or domain names that will be members of the generated protected servers group.


The Edit URL Page button appears only when you select a URL in the navigation pane. It opens a dialog where you can specify that the currently selected URL will be included in the start page and IP list rules of the generated profile. You can also select an action to take if there is a rule violation. The choices are:
- Alert & Deny: Block the connection and generate an alert and/or log message.
- Continue: Allow the request, applying any subsequent rules defined in the web protection profile.
- Pass: Allow the request. Similar to Alert, but does not generate an alert and/or log message.

Attacks tab
The Attacks tab provides statistics, in both tabular and graphical format, on sessions that contained one of the types of attack that the web protection profile selected in the associated policy was configured to detect. Auto-learning reports may sometimes contain fewer attacks than you see in the FortiWeb unit's attack logs. For details, see About the attack count on page 289.
Figure 38: Auto-learning report Attacks tab

The inclusion of the Action and Enable columns varies with the level of the item selected in the navigation pane. Use the Enable drop-down lists to turn auto-learning on or off for a specific attack type. The default is on. Use the Action drop-down lists to change how the FortiWeb unit reacts to a specific attack type. The choices are:
- Alert: Accept the connection and generate an alert and/or log message.
- Alert & Deny: Block the connection and generate an alert and/or log message.
- Send 403 Forbidden: Reply with an HTTP 403 (Access Forbidden) error message and generate an alert and/or log message.
- Redirect: Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message.

Visits tab
The Visits tab provides statistics in both tabular and graphical format on the HTTP request methods used. When you select an auto-learning profile in the navigation pane, this tab includes a set of bar charts that give statistics about the most used and least used URLs, plus suspicious URLs. When you select a host IP in the navigation pane, the report includes a set of tables that give statistics on HTTP return codes in the 400 and 500 series.

The Visits tab includes several buttons that can edit the generated report. (Also see Generating a profile from auto-learning data on page 289.)

The Edit Allow Method button appears only when you select a profile in the navigation pane. It opens a pop-up dialog where you can select which HTTP request methods to allow in the generated profile. Select the Off or On options in the Status drop-down list.

The Edit URL Access button appears only when you select a profile in the navigation pane. It opens a pop-up dialog where you can choose the start pages related to a protected server.

The Edit Start Page button appears only when you select a profile in the navigation pane. It opens a pop-up dialog where you can choose the URL access rules related to a protected server.

The Edit Exception Method button appears when you select a URL in the navigation pane. It opens a pop-up dialog where you can select which HTTP request methods to treat as exceptions for that URL. Select the Off or On options in the Status drop-down list.

Parameters tab
The Parameters tab provides tabular statistics on the parameters and their values as they appeared in HTTP requests, as well as applicable URL replacements. This tab appears only for items that are leaf nodes in the navigation tree; that is, they represent a single complete URL as it appeared in a real HTTP request, and therefore could have had those exact associated parameters. Percentages in the TypeMatch and Required columns indicate how likely it is that the parameter with that name is of that exact data type, and whether or not the web application requires that input for that URL. The MinLen and MaxLen columns indicate the likely valid range of length for that input's value. Together the columns provide information on what is likely the correct configuration of a profile for that URL.

Cookies tab
The Cookies tab provides tabular statistics on the name, value, expiry date, and path of each cookie crumb that appeared in HTTP requests. This tab appears only for hosts that use cookies. This tab does not appear at the policy level of the navigation tree.

About the attack count


Sometimes, auto-learning reports may contain fewer attacks than you see in the FortiWeb unit's attack logs. Possible causes include:
• The attack was attempted, but was targeted towards a URL that did not actually exist on the server (that is, it resulted in an HTTP 404 File Not Found reply code). Because the URL did not exist, the auto-learning report does not include it in its tree of requested URLs. In other words, the attack was not counted in the report because it did not result in an actual page hit.
• The attack was attempted, and the URL existed, but the FortiWeb unit was configured to block the attack (Alert & Deny), resulting in an unsuccessful connection attempt. Unsuccessful connections do not result in an actual page hit and have incomplete session data, and therefore are not included in auto-learning reports.

To ensure that auto-learning reports have complete session data, you should log but not block attacks (that is, select Alert instead) while gathering auto-learning data.
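As an added illustration (not FortiWeb code or FortiWeb output), the following Python script models two things described above: how the Parameters tab figures (TypeMatch, Required, MinLen, MaxLen) can be derived from observed sessions, and why the report's attack count can be lower than the attack log's once blocked requests and requests for non-existent URLs are excluded. The list of observed sessions is constructed for the example; the type classifier, the record field names and the "allowed method" usage threshold are assumptions, not the unit's own logic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of observed HTTP sessions (not FortiWeb log data).
# "action" is what the unit did with the request: "alert" = logged and passed
# through, "alert_deny" = blocked. "attack" names a detected attack type, if any.
# A blocked request never received a reply, so its status is None.
OBSERVED = [
    {"method": "GET", "url": "/login.php", "params": {},
     "status": 200, "action": "alert", "attack": None},
    {"method": "POST", "url": "/login.php",
     "params": {"user": "alice@example.com", "pass": "s3cret"},
     "status": 302, "action": "alert", "attack": None},
    {"method": "POST", "url": "/login.php",
     "params": {"user": "bob@example.com", "pass": "hunter2", "remember": "1"},
     "status": 302, "action": "alert", "attack": None},
    {"method": "POST", "url": "/login.php",
     "params": {"user": "carol@example.com", "pass": "pw"},
     "status": 401, "action": "alert", "attack": None},
    {"method": "GET", "url": "/search.php", "params": {"q": "shoes"},
     "status": 200, "action": "alert", "attack": None},
    # Attack logged but passed through (Alert): a real page hit, so it is reported.
    {"method": "GET", "url": "/search.php", "params": {"q": "(constructed payload)"},
     "status": 200, "action": "alert", "attack": "sql_injection"},
    # Attack blocked (Alert & Deny): no page hit, so it is not reported.
    {"method": "GET", "url": "/search.php", "params": {"q": "(constructed payload)"},
     "status": None, "action": "alert_deny", "attack": "sql_injection"},
    # Attack on a URL that does not exist (404): not in the URL tree, not reported.
    {"method": "GET", "url": "/nonexistent.php", "params": {},
     "status": 404, "action": "alert", "attack": "cross_site_scripting"},
    {"method": "HEAD", "url": "/", "params": {},
     "status": 200, "action": "alert", "attack": None},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
INT_RE = re.compile(r"^-?\d+$")

def page_hits(records):
    """Sessions the report counts: the URL existed (no 404) and the connection
    completed (not blocked), so the session data is complete."""
    return [r for r in records if r["status"] != 404 and r["action"] != "alert_deny"]

def attack_counts(records):
    """(attacks in the attack log, attacks visible in the auto-learning report)."""
    logged = sum(1 for r in records if r["attack"])
    reported = sum(1 for r in page_hits(records) if r["attack"])
    return logged, reported

def infer_type(value):
    """Assumed data-type classifier; FortiWeb's own set of data types is richer."""
    if INT_RE.match(value):
        return "integer"
    if EMAIL_RE.match(value):
        return "email"
    return "string"

def parameter_stats(records, url):
    """Per-parameter figures for one URL, in the spirit of the Parameters tab:
    type (dominant data type), type_match (% of values matching it), required
    (% of hits on the URL that carried the parameter), min_len and max_len."""
    hits = [r for r in page_hits(records) if r["url"] == url]
    values_by_name = defaultdict(list)
    for r in hits:
        for name, value in r["params"].items():
            values_by_name[name].append(value)
    stats = {}
    for name, values in values_by_name.items():
        dominant, matching = Counter(map(infer_type, values)).most_common(1)[0]
        lengths = [len(v) for v in values]
        stats[name] = {
            "type": dominant,
            "type_match": round(100 * matching / len(values)),
            "required": round(100 * len(values) / len(hits)),
            "min_len": min(lengths),
            "max_len": max(lengths),
        }
    return stats

def allowed_methods(records, threshold=0.2):
    """Methods a generated profile would allow: GET always, plus any method whose
    share of page hits exceeds the threshold (an assumed value); the remaining
    methods are candidates for an allowed-method exception."""
    counts = Counter(r["method"] for r in page_hits(records))
    total = sum(counts.values())
    allowed = {"GET"} | {m for m, n in counts.items() if n / total > threshold}
    return sorted(allowed), sorted(set(counts) - allowed)

if __name__ == "__main__":
    print("attacks logged/reported:", attack_counts(OBSERVED))
    for name, s in parameter_stats(OBSERVED, "/login.php").items():
        print(f"/login.php {name}: {s}")
    print("allowed methods / exceptions:", allowed_methods(OBSERVED))
```

With the constructed sample, three attacks are in the log but only one survives the page-hit filter, which is exactly the gap the text explains; the user parameter of /login.php comes out as an email type with a Required figure below 100% because the GET request for the login page carried no parameters, which is the kind of signal that tells you whether an input rule should mark the parameter as required.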

Generating a profile from auto-learning data


When viewing a report generated from auto-learning data, you can generate an inline protection profile or an offline protection profile suitable for the HTTP sessions observed. If some observed sessions are not indicative of typical traffic and you do not want to include those elements in the generated profile, or you want to select an action other than the default for a type of observed attack, you can selectively change the action for that type of attack.

In addition to the generated profile itself, the FortiWeb unit also generates all rules and other auxiliary configurations that the profile depends upon. For example, if the FortiWeb unit observed HTTP PUT requests with required parameters of a password and a user name that is an email address, when generating a profile, it would also generate the parameter validation rules and input rules that the profile requires, using the data types and maximum lengths of the arguments observed in the HTTP sessions. Generated profiles and auxiliary configurations are editable. They can be adjusted or used as the basis for additional configuration.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Autolearn Configuration category. For details, see About permissions on page 80.

To configure a profile using auto-learning data
1 Go to Auto Learn > Auto Learn Report > Auto Learn Report.
2 In the row corresponding to the auto-learning profile whose data you want to view, click Detail. The report appears.

Figure 39: Viewing an auto-learning report

Figure callouts: Expansion icons; Click to collapse this pane; Host; Requested file; Common part of URL; Auto-learning profile; Navigation pane; Display pane.

3 In the left-hand pane, if you want to adjust the actions that will appear in the generated profile for the subset of sessions handled for specific web hosts and their URLs, click the expand icon ( + ) next to an item to expand the item, then click the name of the subitem whose actions you want to affect. Statistics and charts appear in the right-hand pane. The content of the report and the available buttons vary depending on the selected node in the navigation tree. If a tab contains multiple pages of results, click the arrows at the bottom of the tab, such as next > and << first, to move forward or backward through the pages of results.
4 For most selected items in the left-hand navigation pane, the report provides buttons and drop-down lists to help you configure a profile for generation. Select the following as applicable:
Table 112: Auto Learn report features

GUI item / Description

Overview tab
Edit Protected Servers: Click to open a pop-up dialog. Enable or disable the IP addresses and/or domain names that will be members of the generated protected servers group. For details, see Configuring protected servers on page 147. This appears only if you have selected the name of the auto-learning profile in the navigation pane.
Edit URL Page: Click to open a pop-up dialog. Enable or disable whether the currently selected URL will be included in start pages and IP list rules in the generated profile. This appears only if you have selected a URL in the navigation pane. For more information on those rule types, see Configuring start page rules on page 213, Configuring URL access policy on page 216 and Configuring URL access rules on page 218.

Attacks tab
Action and Enable: Select from the Enable drop-down list to enable or disable detection of each type of attack, and select from Action which action the generated profile will take. The availability of these lists varies with the level of the item selected in the navigation pane. For details, see Configuring inline protection profiles on page 268 or Configuring offline protection profiles on page 274.

Visits tab
Edit Allow Method: Click to open a pop-up dialog. Change the Status option to select which HTTP request methods to allow in the generated profile. This appears only if you have selected a profile in the navigation pane. For details, see Configuring inline protection profiles on page 268 or Configuring offline protection profiles on page 274.
Edit URL Access: Click to open a pop-up dialog. This appears only if you have selected a profile in the navigation pane. For details, see Configuring URL access policy on page 216.
Edit Start Page: Click to open a pop-up dialog. This appears only if you have selected a profile in the navigation pane. For details, see Configuring start page rules on page 213.
Edit Exception Method: Click to open a pop-up dialog. This appears only if you have selected a URL in the navigation pane. For details, see Configuring allowed method exceptions on page 237.

Parameters tab
Set: Type the data type and maximum length of the parameter, and indicate whether or not the parameter is required input. These settings will appear in the generated parameter validation rule and input rules. For details, see Configuring parameter validation input rules on page 194 and Configuring HTTP parameter validation rules on page 192.

5 In the right-hand pane, click Generate Config. The following pop-up dialog appears:
Figure 40: Generating an inline or offline profile from auto-learning data

6 In Profile Name, type a name prefix, such as generated-profile. The FortiWeb unit will automatically add a dash ( - ) to the profile name followed by a number indicating the year, month, day, and time on which the profile was generated in order to indicate the data on which the profile was based.

7 From Profile Type, select which type of web profile you want to generate, either Inline (to generate an inline protection profile) or Offline (to generate an offline protection profile).
8 Click OK. The generated profile appears in the list of either inline or offline protection profiles, depending on its type. Adjust it if necessary. For details, see Configuring inline protection profiles on page 268 or Configuring offline protection profiles on page 274.
Note: You may also need to adjust configuration items used by the generated profile, such as input rules. The generated configuration items will be based upon auto-learning data current at the time that the profile is generated, which may have changed while you were reviewing the auto-learning report.

If you do not configure any settings, by default, the FortiWeb unit will generate a profile that allows the HTTP GET method and any other methods whose usage exceeded the threshold, and will add the remaining methods to an allowed method exception. It will also create start page rules and trust IP rules for the top 10 most commonly requested URLs, and create black IP rules for the top 10 most commonly requested suspicious URLs. To apply the generated profile, select it in a policy. For details, see Configuring server policies on page 118. If you are done collecting auto-learning data, for performance reasons, you may also want to deselect the auto-learning profile in all policies.

Web anti-defacement
This chapter describes the Web Anti-Defacement menu, which configures the FortiWeb unit to monitor web sites for defacement attacks and to fix attack damage. This chapter includes:
• Configuring anti-defacement
• Reverting a web site to a backup revision

Configuring anti-defacement
Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-Defacement displays the list of web sites for which you have configured anti-defacement protection. Anti-defacement monitors a web site's files for any changes at specified time intervals. If it detects a change that could indicate a defacement attack, the FortiWeb unit can notify you and quickly react by automatically restoring the web site contents to the previous backup revision.
Caution: When you intentionally modify the web site, you must disable the Enable Monitor and Restore Changed Files Automatically options; otherwise, the FortiWeb unit sees your changes as a defacement attempt and undoes them.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Anti-Defacement Management category. For details, see About permissions on page 80.
Table 113: Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-Defacement tab

GUI item / Description
Create New: Click to add a web site that the FortiWeb unit will monitor for defacement.
Refresh: Click to refresh the tab's display, including the current Connected status.
ID: The index number of the entry in the list.
Name: A descriptive name for the web site.
Hostname/IP: The IP address or fully qualified domain name (FQDN) of the real server on which the web site is hosted.
Monitor: Indicates whether or not anti-defacement is currently enabled for the web site.
  Green icon: Anti-defacement is enabled.
  Flashing yellow-to-red icon: Anti-defacement is disabled.
Connected: Indicates the result of the FortiWeb unit's most recent attempt to connect to the web site's server.
  Green check mark icon: The connection was successful.
  Red X mark icon: The FortiWeb unit was unable to connect. Verify the IP address/FQDN and login credentials of your anti-defacement configuration. If these are valid, verify that connectivity has not been interrupted by dislodged cables, routers, or firewalls.
Total Files: Displays the total number of files on the web site.
Total Backup: Displays the total number of files that have been backed up onto the FortiWeb unit for recovery purposes. Files that you choose not to monitor will not be backed up.
Total Changed: Displays the total number of files that have changed.
(No column heading.): Click the View icon to display the web site's anti-defacement configuration and backup statistics, including disk usage. Click the Edit icon to modify an entry. Click the Delete icon to remove an entry. Click the Revert site icon to revert the web site to a backup revision. See Reverting a web site to a backup revision on page 297.
Before configuring a web site for anti-defacement protection, you must have the following information ready:
• FQDN or IP address of the web site's server
• root folder of the web site
• connection type (FTP, SSH, or Windows Share) and the credentials you use to access the root folder of the web site
• alert email address

To configure anti-defacement
1 Go to Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-Defacement.
2 Click Create New to add a new entry, or click the Edit icon to edit an existing entry. A dialog appears.

3 Configure the following settings:


GUI item / Description
Web Site Name: Type a name for the web site. This name will not be used when monitoring the web site, nor will it be referenced in any other part of the configuration, and therefore can be any identifier that is useful to you. It does not need to be the web site's FQDN or virtual host name.
Description: Enter a comment. The comment may be up to 63 characters long. This field is optional.
Enable Monitor: Enable to monitor the web site's files for changes, and to download backup revisions that can be used to revert the web site to its previous revision if the FortiWeb unit detects a change attempt.
  Note: While you are intentionally modifying the web site, you must turn off this option and Restore Changed Files Automatically. Otherwise, the FortiWeb unit will detect your changes as a defacement attempt, and undo them.
Hostname/IP: Type the IP address or FQDN of the real server on which the web site is hosted. This will be used when connecting by SSH or FTP to the web site to monitor its contents and download backup revisions, and therefore could be different from the real or virtual web host name that may appear in the Host: field of HTTP headers.
Connect Type: Select which protocol (FTP, SSH, or Windows Share) to use when connecting to the web site in order to monitor its contents and download web site backups.
FTP/SSH Port: Enter the TCP port number on which the web site's real server listens. The standard port number for FTP is 21; the standard port number for SSH is 22. This field appears only if Connect Type is FTP or SSH.
Windows Share Name: Type the name of the shared folder on the web server. This field appears only if Connect Type is Windows Share.
Folder of Web Site: Type the path to the web site's folder, such as public_html, on the real server. The path is relative to the initial location when logging in with the user name that you specify in User Name.
User Name: Enter the user name, such as fortiweb, that the FortiWeb unit will use to log in to the web site's real server.
Password: Enter the password for the user name you entered in User Name.
Alert Email Address: Type the recipient email address (MAIL TO:) to which the FortiWeb unit will send an email when it detects that the web site has changed.
Monitor Interval for Root Folder: Enter the time interval in seconds between each monitoring connection from the FortiWeb unit to the web server. During this connection, the FortiWeb unit examines Folder of Web Site (but not its subfolders) to see if any files have been changed by comparing the files with the latest backup. If it detects any file changes, the FortiWeb unit will download a new backup revision. If you have enabled Restore Changed Files Automatically, the FortiWeb unit will revert the files to their previous version. For details, see About web site backups on page 297.
Monitor Interval for Other Folder: Enter the time interval in seconds between each monitoring connection from the FortiWeb unit to the web server. During this connection, the FortiWeb unit examines subfolders to see if any files have been changed by comparing the files with the latest backup. If any file change is detected, the FortiWeb unit will download a new backup revision. If you have enabled Restore Changed Files Automatically, the FortiWeb unit will revert the files to their previous version. For details, see About web site backups on page 297.
Maximum Depth of Monitored Folders: Type how many folder levels deep to monitor for changes to the web site's files. Files in subfolders deeper than this level will not be backed up.
Skip Files Larger Than: Type a file size limit in kilobytes (KB) to indicate which files will be included in the web site backup. Files exceeding this size will not be backed up. The default file size limit is 10 240 KB.
  Note: Backing up large files can impact performance.
Skip Files With These Extensions: Type zero or more file extensions, such as iso, avi, to exclude from the web site backup. Separate each file extension with a comma.
  Note: Backing up large files, such as video and audio, can impact performance.
Restore Changed Files Automatically: Enable to automatically restore the web site to the previous revision number when it detects that the web site has been changed. Disable to do nothing. In this case, you must manually restore the web site to a previous revision when the FortiWeb unit detects that the web site has been changed. See Reverting a web site to a backup revision on page 297.
  Note: While you are intentionally modifying the web site, you must turn off this option and Enable Monitor. Otherwise, the FortiWeb unit will detect your changes as a defacement attempt, and undo them.

4 Click Test Connection to test the connection between the FortiWeb unit and the web server.
5 Click OK. The FortiWeb unit connects to the web site and downloads the first backup copy revision. (It may subsequently download additional revisions. See About web site backups on page 297.)

When a defacement attack occurs, the damaged/changed files will be restored automatically if you enabled Restore Changed Files Automatically. Otherwise, when the FortiWeb unit notifies you of the attack, you must manually revert the web site to one of the backup revisions. For details, see Reverting a web site to a backup revision on page 297.

About web site backups


When a FortiWeb unit is configured to protect a web site using the web anti-defacement feature, it periodically and automatically downloads a backup copy of that web site's files. It will create a new backup revision in the following cases:
• When the FortiWeb unit initiates monitoring for the first time, it will download a backup copy of the web site's files and store it as the first revision.
Note: Backup copies will omit files exceeding the file size limit and/or matching the file extensions that you have configured the FortiWeb unit to omit. See Configuring anti-defacement on page 293.
• If the FortiWeb unit could not successfully connect during a monitor interval, it will create a new revision the next time that it re-establishes the connection.
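The monitoring cycle described in the configuration table above and in this section (compare the site against the latest backup at each interval, store a new revision when something changed, optionally restore the previous revision, and honour the size, extension and depth limits) as an added Python model. This is not FortiWeb's implementation: it works on a local folder instead of connecting by FTP, SSH or Windows Share, keeps revisions in memory, and the sample site, the default limits and the helper names are constructed for the example.

```python
import hashlib
import os
import tempfile

def snapshot(root, max_depth=3, skip_larger_kb=10240, skip_exts=("iso", "avi")):
    """{relative path: content} for every file a backup revision would hold: at
    most max_depth folder levels below root, not over skip_larger_kb, and not
    carrying an excluded extension (limits and defaults are assumed here)."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        depth = 0 if rel_dir == "." else rel_dir.count(os.sep) + 1
        if depth >= max_depth:
            dirnames[:] = []  # stop descending: deeper folders are not monitored
        for name in filenames:
            full = os.path.join(dirpath, name)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in skip_exts or os.path.getsize(full) > skip_larger_kb * 1024:
                continue
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files

def digests(files):
    """Hash every file so two revisions can be compared cheaply."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

class AntiDefacementMonitor:
    def __init__(self, root, restore_automatically=True, **snapshot_opts):
        self.root = root
        self.restore_automatically = restore_automatically
        self.opts = snapshot_opts
        self.revisions = [snapshot(root, **self.opts)]  # first run: revision 0

    def check(self):
        """One monitoring interval. Returns paths added, removed or modified since
        the latest revision. On a change, the current state is stored as a new
        revision (evidence) and, if enabled, the site is reverted to the one before."""
        current = snapshot(self.root, **self.opts)
        before, after = digests(self.revisions[-1]), digests(current)
        changed = sorted(p for p in set(before) | set(after) if before.get(p) != after.get(p))
        if changed:
            self.revisions.append(current)
            if self.restore_automatically:
                self.revert(len(self.revisions) - 2)
        return changed

    def revert(self, index):
        """Write revision `index` back to the site folder (the manual "Revert to
        this time" action). Monitored files absent from that revision are removed;
        files the snapshot skips are never touched."""
        target = self.revisions[index]
        for path in snapshot(self.root, **self.opts):
            if path not in target:
                os.remove(os.path.join(self.root, path))
        for path, data in target.items():
            _write(self.root, path, data)

def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed site in a temporary folder: baseline, simulated defacement,
    detection and automatic restore. Returns the observable results."""
    root = tempfile.mkdtemp(prefix="site-")
    _write(root, "index.html", b"<h1>Welcome</h1>")
    _write(root, "css/site.css", b"body { margin: 0 }")
    _write(root, "media/clip.avi", b"\x00" * 64)      # skipped: excluded extension
    _write(root, "a/b/c/deep.txt", b"too deep")       # skipped: below max_depth
    mon = AntiDefacementMonitor(root, max_depth=2)
    quiet = mon.check()                                 # no change: no new revision
    _write(root, "index.html", b"<h1>defaced</h1>")     # simulated defacement
    _write(root, "extra.html", b"unexpected new file")
    changed = mon.check()
    with open(os.path.join(root, "index.html"), "rb") as fh:
        restored = fh.read()
    return {
        "baseline": sorted(mon.revisions[0]),
        "quiet": quiet,
        "changed": changed,
        "restored": restored,
        "revisions": len(mon.revisions),
        "extra_removed": not os.path.exists(os.path.join(root, "extra.html")),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model keeps the changed state as a revision before restoring, which mirrors the unit downloading a new backup revision on change and then reverting; it also shows why the Caution above matters: with restore enabled, any intentional edit to index.html would be undone on the next interval just like the simulated defacement.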

Reverting a web site to a backup revision


If you do not enable automatic recovery of changed files (see Restore Changed Files Automatically), after a defacement attack you can still manually revert the defaced web site to any known good backup revision that the FortiWeb unit has downloaded. FortiWeb units periodically and automatically back up the web sites that they have been configured to protect using the anti-defacement feature. For details about web site backups, see About web site backups on page 297.

To revert a web site to a backup revision
1 Go to Web Anti-Defacement > Web Anti-Defacement > Web Site with Anti-Defacement.
2 In the row corresponding to the web site you want to revert, click the Revert site icon. A dialog appears listing previous site backup copies.
3 In the row corresponding to the copy that you want to restore, click the Revert to this time icon.
4 Click OK.

Web vulnerability scans


Web vulnerability scanning can detect known vulnerabilities on your web servers and web applications, helping you to design protection profiles that are an efficient use of processing resources. Vulnerability scans may also be required for compliance with some regulations and certifications.

The vulnerability scan is configured and controlled through web vulnerability scan policies. The vulnerability scan policy determines which servers/applications to scan, what specific vulnerabilities to scan for and when to perform the scan. When a policy is applied, the vulnerability scan starts from an initial directory, authenticates if enabled to do so, then scans for vulnerabilities in web pages located in the same directory or subdirectory as the initial URL. After performing the scan, the FortiWeb unit generates a report from the scan results.

This chapter includes the following topics:
• Preparing for the vulnerability scan
• Configuring web vulnerability scan policies
• Configuring web vulnerability scan profiles
• Configuring web vulnerability scan schedules
• Viewing scan history and reports

Web vulnerability scan workflow


The following is the sequence of steps to prepare, define, run, and obtain a report for a web vulnerability scan.
1 Optionally, configure an email policy in advance so that you can include it in the scan profile. This way, scan reports are sent to recipients automatically. See Log configuration workflow on page 313.
2 Prepare for the scan. See Preparing for the vulnerability scan on page 300.
3 Create a scan profile. The profile defines the specific vulnerabilities to scan for. See Configuring web vulnerability scan profiles on page 303.
4 Create a scan schedule, unless you plan to execute the scan immediately. The schedule defines how often the scan will be run. See Configuring web vulnerability scan schedules on page 308.
5 Create a scan policy. The policy integrates a scan profile and schedule, which enables pre-configuration of multiple scan scenarios. See Configuring web vulnerability scan policies on page 300.
6 Start a vulnerability scan manually, or wait for a scheduled vulnerability scan to run automatically. See Starting and stopping a web vulnerability scan on page 302.
7 View or download a vulnerability scan report. The report provides details and analysis of the scan results. See Viewing scan history and reports on page 309.
Tip: Create and run web vulnerability scans early in the configuration of your FortiWeb unit. Use the reports to locate vulnerabilities and fine tune your protection settings.

Preparing for the vulnerability scan


For best results, before running a vulnerability scan, you should prepare the network and target hosts for the vulnerability scan.

Live web sites


Fortinet strongly recommends that you do not scan for vulnerabilities on live web sites. Instead, duplicate the web site and its database in a test environment and perform the scan in that environment. For more information, see Scan Mode on page 306.

Network accessibility
You may need to configure each target host and any intermediate NAT or security devices to allow the vulnerability scan to properly reach the target hosts.

Traffic load
If you do not plan to rate limit the vulnerability scan, be aware that some web servers could perceive its rapid rate of requests as a denial of service (DoS) attack. You may need to configure the web server to omit rate limiting for connections originating from the IP address of the FortiWeb unit. Rapid access can also result in degraded network performance during the scan. For more information, see Delay Between Each Request on page 307.

Scheduling
You should work with the owners of target hosts to schedule an appropriate time to run the vulnerability scan. For example, you might schedule to avoid peak traffic hours, to restrict unrelated network access, and to ensure that the target hosts will not be powered off during the vulnerability scan.

Configuring web vulnerability scan policies


Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy enables you to configure web vulnerability scan (WVS) policies. The WVS policies define the type of scan to perform (an immediate scan or a scheduled scan), the WVS profile to use (the scan details), the format of the WVS report and who is to receive a copy of the report.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see About permissions on page 80.
Tip: Before you can create an effective web vulnerability scan policy, you must first configure a web vulnerability scan profile. See Configuring web vulnerability scan profiles on page 303. If the scan will run on a set schedule, first create a web vulnerability scan schedule. See Configuring web vulnerability scan schedules on page 308.

Table 114: Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy tab

GUI item / Description
Create New: Click to add a new web vulnerability scan policy.
#: Displays the index number of the entry in the list.
Name: Displays the name of the policy. Click the blue arrow beside the policy name to expand the entry and display a summary of the scan associated with the policy.
Schedule: Displays the type of schedule used by the policy. If the policy uses a WVS schedule, the name of the schedule is shown; otherwise, Run Now is shown.
Profile: Displays the name of the scan profile used by the policy.
(No column heading.): Status indicates whether the scan is idle (the status indicator is solid green) or running (the status indicator is flashing red and yellow). Click the Delete icon to remove the entry. Click the Edit icon to modify the entry. The Start/Stop icon appears only if the policy is configured as Run Now. If so, the icon changes depending on the current status of the scan: Stop appears if the scan associated with the policy is in progress; Start appears if the scan associated with the policy is not in progress. For more information on starting and stopping a scan, see Starting and stopping a web vulnerability scan on page 302.

To configure a web vulnerability scan policy
1 Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 Configure the following:


GUI item / Description
Name: Type the name of the policy. This field cannot be modified if you are editing an existing WVS policy. To modify the name, delete the entry, then recreate it using the new name.
Type: Select the type of WVS scan to be performed by this policy.
  Run Now: The scan can be manually started at any time by the user. For more information, see Starting and stopping a web vulnerability scan on page 302.
  Schedule: The scan is performed according to the schedule defined in the Schedule field below.
Schedule: Displayed only if Schedule is selected as the Type. Select the predefined schedule to use for the scan. For more information on configuring WVS schedules, see Configuring web vulnerability scan schedules on page 308.
Profile: Select the predefined profile to associate with the policy. The profile defines the specific details of the web vulnerability scan. For more information on configuring WVS profiles, see Configuring web vulnerability scan profiles on page 303.
Report Format: Select the file formats for the WVS report. You can choose to generate reports in the following formats:
  HTML
  MHT (MIME HTML, which can be included in email)
  PDF
  RTF (Rich Text Format)
  TXT (plain text)
Email: Select the predefined email policy to associate with the WVS policy. The email policy determines who receives the WVS report via email. For more information on configuring email policies, see Configuring email policies on page 317.

4 Click OK.

Starting and stopping a web vulnerability scan


You can manually start and stop a scan if the schedule type associated with the WVS policy is set to Run Now. You cannot manually start a scan that has a set schedule.

To start a scan
1 Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy.


2 In the WVS policy list, choose a policy and verify that the Schedule column says Run Now and the status indicator is green (idle). If Schedule is not set to Run Now, the WVS scan runs on a set schedule. You cannot manually start a scan that has a set schedule. For more information, see Configuring web vulnerability scan policies on page 300.
3 Click the Start icon associated with the WVS policy. The vulnerability scan connects to the starting point configured in the WVS profile and, if enabled to do so, authenticates. The status indicator flashes red and yellow while the scan is running.
4 When the scan is finished, the status indicator returns to green (idle).
5 Click the blue arrow beside the policy name to expand the scan results. If an email policy is defined for the scan, a detailed scan report is distributed accordingly.
6 If required, view or download a full report of the scan results. For more information, see Viewing scan history and reports on page 309.

To stop a scan
1 Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy.
2 Verify that the status indicator is running (flashing red and yellow).
3 Click the Stop icon associated with the WVS policy.
4 The vulnerability scan stops. The status indicator returns to green (idle). You can expand the policy name to view a summary of the scan results up to the point where the scan was stopped.

Configuring web vulnerability scan profiles


Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Profile enables you to configure web vulnerability scan (WVS) profiles. A WVS profile defines the web server to scan, as well as the specific vulnerabilities to scan for.

The WVS profiles are associated with WVS policies, which determine when to perform the scan and how to publish the results of the scan defined by the profile. You can define multiple profiles, depending on scanning requirements, and apply the profiles to WVS policies as required. For more information, see Configuring web vulnerability scan policies on page 300.

To access this part of the web-based manager, your administrator account's access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see About permissions on page 80.
Table 115: Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Profile tab

GUI item / Description

Create New
    Click to add a new web vulnerability scan profile.

#
    Displays the index number of the entry in the list.

Name
    Displays the name of the profile.

Target Server
    Displays the hostname/IP or URL to be scanned.

Scan Mode
    Indicates whether the scan uses Basic Mode (use HTTP GET only and omit both user-defined and predefined sensitive URLs) or Enhanced Mode (use both HTTP POST and GET, excluding only user-defined URLs).

(No column heading.)
    Click the Delete icon to remove the entry.
    Click the Edit icon to modify the entry.

To configure a vulnerability scan profile
1 Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Profile.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon.
3 A dialog appears.


4 Configure the following:


GUI item / Description

Name
    Type the name of the profile. This field cannot be modified if you are editing an existing WVS profile. To modify the name, delete the entry, then recreate it using the new name.

Hostname/IP or URL
    Type the fully qualified domain name (FQDN), IP address, or full URL to indicate which directory of the web site you want to scan. Behavior of the scan varies by the type of the entry:
    A FQDN/IP such as www.example.com: Assume HTTP and scan the entire web site located on this host.
    A partial URL such as https://webmail.example.com/dir1/: Use the protocol specified in the URL, and scan the web pages located in this directory of the web site. Other directories will be ignored.
    A full URL such as http://example.com/dir1/start.jsp: Use the protocol specified in the URL, starting from the web page in the URL, and scan all local URLs reachable via links from this web page that are located within the same subdirectory.
    Links to external web sites and redirects using HTTP 301 (Moved Permanently) or 302 (Moved Temporarily or Found) will not be followed.
    Unless you will enter an IP address for the host, you must have configured a DNS server that the FortiWeb unit can use to query for the FQDN. For details, see Configuring the DNS settings on page 58.
    Note: This starting point for the scan can be overridden if the web server automatically redirects the request after authentication. See Login with HTTP Authentication and Login with specified URL/data on page 307.

Scan
    Enable detection of any of the following vulnerabilities that you want to include in the scan report:
    Common Web Server Vulnerability (outdated software and software with known memory leaks, buffer overflows, and other problems)
    XSS (Cross-site Scripting)
    SQL Injection
    Source-code Disclosure
    OS Commanding
    For a description of these vulnerabilities, see Configuring server protection rules on page 201.

Scan Mode
    Select whether the scan job will use Basic Mode (use HTTP GET only and omit both user-defined and predefined sensitive URLs) or Enhanced Mode (use both HTTP POST and GET, excluding only user-defined URLs). Also configure Exclude scanning following URLs.
    Basic Mode will avoid alterations to the web site's databases, but only if all inputs always use POST requests. It also omits testing of the following URLs, which could be sensitive:
    /formathd
    /formatdisk
    /shutdown
    /restart
    /reboot
    /reset
    Caution: Fortinet strongly recommends that you do not scan for vulnerabilities on live web sites, even if you use Basic Mode. Instead, duplicate the web site and its database into a test environment, and then use Enhanced Mode with that test environment. Basic Mode cannot be guaranteed to be non-destructive. Many web sites accept input through HTTP GET requests, and so it is possible that a vulnerability scan could result in database changes, even though it does not use POST. In addition, Basic Mode cannot test for vulnerabilities that are only discoverable through POST, and therefore may not find all vulnerabilities.

Request Timeout
    Type the number of seconds for the vulnerability scanner to wait for a response from the web site before it assumes that the request will not successfully complete, and continues with the next request in the scan. It will not retry requests that time out.

Delay Between Each Request
    Type the number of seconds to wait between each request. Some web servers may rate limit the number of requests, or blacklist clients that issue continuous requests and therefore appear to be a web site harvester or denial of service (DoS) attacker. Introducing a delay can be useful to prevent the vulnerability scanner from being blacklisted or rate limited, and therefore slow or unable to complete its scan.

Login Option

Login with HTTP Authentication
    Enable to use basic HTTP authentication if the web server returns HTTP 401 (Unauthorized) to request authorization. Also configure User and Password. Alternatively, configure Login with specified URL/data.
    After authentication, if the web server redirects the request (HTTP 302), the FortiWeb unit will use this new web page as its starting point for the scan, replacing the URL that you configured in Hostname/IP or URL.
    Note: If a web site requires authentication and you do not configure the vulnerability scan to authenticate, the scan results will be incomplete.

User
    Enter the user name to provide to the web site if it requests HTTP authentication.

Password
    Enter the password of the user name.

Login with specified URL/data
    Enable to authenticate if the web server does not use HTTP 401, but instead provides a web page with a form that allows the user to authenticate using HTTP POST. Also configure Authenticate URL and Authenticate Data.
    After authentication, if the web server redirects the request (HTTP 302), the FortiWeb unit will use this new web page as its starting point for the scan, replacing the URL that you configured in Hostname/IP or URL.
    Note: If a web site requires authentication and you do not configure the vulnerability scan to authenticate, the scan results will be incomplete.

Authenticate URL
    Type the URL, such as /login.jsp, that the vulnerability scan will use to authenticate before beginning the scan.

Authenticate Data
    Type the parameters, such as userid=admin&password=Re2b8WyUI, that will accompany the HTTP POST request to the authentication URL and that contain the values necessary to authenticate. Typically, this string will include user name and password parameters, but it may contain other variables, depending on the web page.

Scan Website URLs Option

Crawl entire website automatically
    Select this option to automatically follow links leading from the initial starting point that you configured in Hostname/IP or URL. The vulnerability scanner will stop following links when it has scanned the number of URLs configured in Crawl URLs Limit. Alternatively, select Specify URLs for scanning.

Crawl URLs Limit
    Type the maximum number of URLs to scan for vulnerabilities while automatically crawling links leading from the initial starting point.
    Note: The actual number of URLs scanned could exceed this limit if the vulnerability scanner reaches the limit but has not yet finished crawling all links on a page that it has already started to scan.

Specify URLs for scanning
    Select this option to manually specify which URLs to scan, such as /login.do, rather than having the vulnerability scanner automatically crawl the web site. Enter each URL on a separate line in the text box. You can enter up to 10 000 URLs.

Exclude scanning following URLs
    Enable to exclude specific URLs, such as /addItem.cfm, from the vulnerability scan. Enter each URL on a separate line in the text box. This may be useful to accelerate the scan if you know that some URLs do not need scanning. It could also be useful if you are scanning a live web site and wish to prevent the scanner from inadvertently adding information to your databases. You can enter up to 1 000 URLs.

5 Click OK. You can now apply the WVS Profile to a WVS Policy. For more information, see Configuring web vulnerability scan policies on page 300.
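The profile settings above interact: the starting point fixes the host and directory that links must stay within, Scan Mode and the exclusion list decide which of those URLs are actually requested, and Crawl URLs Limit can be overshot. The following added example (not FortiWeb code; the site map, paths and function names are constructed for illustration) models those rules so that a profile can be checked against a site map before it is pointed at a server.

```python
# Added example, not FortiWeb code: models how the Hostname/IP or URL entry,
# Scan Mode, the URL exclusion list and Crawl URLs Limit of a WVS profile decide
# which URLs a scan touches, so a profile can be checked against a constructed
# site map before it is pointed at a real server.
from urllib.parse import urlsplit, urljoin
import posixpath

# Predefined sensitive URLs that Basic Mode never tests (from the profile table).
BASIC_MODE_SENSITIVE = {"/formathd", "/formatdisk", "/shutdown",
                        "/restart", "/reboot", "/reset"}


def scan_start(entry):
    """Interpret the Hostname/IP or URL field.

    Returns (scheme, host, base_dir, start_url). Links are followed only
    while they stay on `host` and under `base_dir`.
    """
    if "://" not in entry:
        # Bare FQDN or IP: assume HTTP and scan the whole site on this host.
        return "http", entry.lower(), "/", "http://%s/" % entry
    parts = urlsplit(entry)
    path = parts.path or "/"
    if path.endswith("/"):
        base_dir = path                   # partial URL: this directory only
    else:
        # Full URL: start at this page and stay within its subdirectory.
        base_dir = posixpath.dirname(path).rstrip("/") + "/"
    start_url = "%s://%s%s" % (parts.scheme, parts.netloc, path)
    return parts.scheme, parts.netloc.lower(), base_dir, start_url


def in_scope(entry, link, status=200):
    """True if a link found on a scanned page would be followed."""
    if status in (301, 302):
        return False                      # redirects are not followed
    _, host, base_dir, start_url = scan_start(entry)
    target = urlsplit(urljoin(start_url, link))
    if target.netloc.lower() != host:
        return False                      # link to an external web site
    return (target.path or "/").startswith(base_dir)


def would_test(path, scan_mode, excluded=()):
    """Apply Scan Mode and 'Exclude scanning following URLs' to one path."""
    if path in excluded:
        return False                      # user-defined exclusion, both modes
    if scan_mode == "basic" and path in BASIC_MODE_SENSITIVE:
        return False                      # predefined exclusion, Basic Mode only
    return True


def crawl(entry, site, limit, scan_mode="enhanced", excluded=()):
    """Simulate 'Crawl entire website automatically' over a site map.

    `site` maps a path to the links found on that page. The limit is checked
    before each page is crawled, but every in-scope link on a page that has
    already been started is still requested, so the result can exceed the
    limit, as the Crawl URLs Limit note warns.
    """
    _, _, _, start_url = scan_start(entry)
    start_path = urlsplit(start_url).path
    scanned = [start_path] if would_test(start_path, scan_mode, excluded) else []
    seen, queue = {start_path}, [start_path]
    while queue and len(scanned) < limit:
        page = queue.pop(0)
        page_url = urljoin(start_url, page)
        for link in site.get(page, []):
            abs_link = urljoin(page_url, link)   # resolve relative links
            if not in_scope(entry, abs_link):
                continue
            path = urlsplit(abs_link).path
            if path in seen:
                continue
            seen.add(path)
            if would_test(path, scan_mode, excluded):
                scanned.append(path)
            queue.append(path)
    return scanned


# Constructed site map for the checks below (not a real web site).
SITE = {
    "/dir1/start.jsp": ["/dir1/a.jsp", "b.jsp", "/dir2/c.jsp",
                        "http://other.example.net/x"],
    "/dir1/a.jsp": ["/dir1/sub/d.jsp", "/dir1/e.jsp"],
    "/dir1/b.jsp": ["/dir1/start.jsp"],
    "/": ["/index.html", "/reset", "/shutdown", "/admin/"],
}

if __name__ == "__main__":
    print(crawl("http://example.com/dir1/start.jsp", SITE, limit=10))
    print(crawl("http://example.com/dir1/start.jsp", SITE, limit=2))
    print(crawl("www.example.com", SITE, limit=10, scan_mode="basic"))
```

With limit=2 the second call still returns three URLs, because both links on the already-started start page are requested before the limit is re-checked.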

Configuring web vulnerability scan schedules


Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Schedule enables you to configure web vulnerability scan (WVS) schedules. A WVS schedule defines when the scan will occur and whether the scan is a one-time or a recurring event.

You can define multiple schedules, depending on scanning requirements, and apply the schedules to WVS policies as required. For more information, see Configuring web vulnerability scan policies on page 300.

To access this part of the web-based manager, your administrator account's access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see About permissions on page 80.
Table 116: Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Schedule tab

GUI item / Description

Create New
    Click to add a new web vulnerability scan schedule.

#
    Displays the index number of the entry in the list.

Name
    Displays the name of the schedule.

Type
    Displays the type of schedule: One Time or Recurring.

Time
    Displays the time that the scan is scheduled to run.

Date
    Displays a value only when the schedule type is One Time. Identifies the date on which the one-time vulnerability scan is scheduled to run.

Day
    Displays values only when the schedule type is Recurring. Identifies the days of the week on which the recurring vulnerability scan is scheduled to run.

(No column heading.)
    Click the Delete icon to remove the entry.
    Click the Edit icon to modify the entry.


To configure a vulnerability scan schedule
1 Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Schedule.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 Configure the following:


GUI item / Description

Name
    Displays the name of the schedule. This field cannot be modified if you are editing an existing WVS schedule. To modify the name, delete the entry, then recreate it using the new name.

Type
    Select the type of schedule.
    One Time: the vulnerability scan will be run one time only, at the time and date specified below.
    Recurring: the vulnerability scan will be run on the days of the week and at the time specified below.

Time
    Displays the time that the scan is scheduled to run.

Date
    This field displays values only if Type is set to One Time. Identifies the date on which the one-time vulnerability scan is scheduled to run.

Day
    This field displays values only if Type is set to Recurring. Identifies one or more days of the week on which the recurring vulnerability scan is scheduled to run.

4 Click OK. You can now apply the WVS Schedule to a WVS Policy. For more information, see Configuring web vulnerability scan policies on page 300.

Viewing scan history and reports


After a web vulnerability scan completes, the FortiWeb unit generates a report summarizing and analyzing the results of the scan. Web Vulnerability Scan > Web Vulnerability Scan > Scan History enables you to view a historical archive of WVS reports. You can choose a WVS report from the archive and view the report, or download and save the report.

To access this part of the web-based manager, your administrator account's access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see About permissions on page 80.


Table 117: Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan History tab

GUI item / Description

#
    Displays the index number of the entry in the list.

Target Server
    Displays the base URL that was scanned for vulnerabilities. Click to view the scan report associated with this server.

URLs Found
    Displays the number of URLs below the base URL that were scanned for vulnerabilities.

Alerts Found
    Displays the total number of vulnerabilities discovered during the scan.

Scan Time
    Displays the date and time that the scan was performed.

Scan Mode
    Indicates whether the scan job used Basic Mode (use HTTP GET only and omit both user-defined and predefined sensitive URLs) or Enhanced Mode (use both HTTP POST and GET, excluding only user-defined URLs).

(No column heading.)
    Click the View the scan report icon to view a report that summarizes and analyzes the results of the associated vulnerability scan. For more information, see About web vulnerability scan reports on page 310.
    Click the Download report file icon to open or save the associated report.
    Click the Delete the scan report icon to remove the report.

About web vulnerability scan reports


The web vulnerability scan report is divided into sections for a summary, vulnerabilities, and server information. While viewing the Application Vulnerabilities section of the report, if any vulnerabilities are detected, such as cross-site scripting or SQL injection, the vulnerability is described for each URL on which it is detected. The report provides the following information for each vulnerability:
type
severity
URI
method
response header
response body

To view the web server's response to the request for that part of the scan, click View.


If, after viewing the response, you determine that the result is a false positive, click False Positive. The false positive status will be saved and visible in any subsequent printout or view of the report, helping to remind you that the item should be ignored.
Figure 41: Viewing a vulnerability report


Logs and reports



Use the Log & Report menu to configure logging, reports, and alert email. It also enables you to view locally stored log messages using the web-based manager, to download log messages for further processing or analysis, and to generate reports.

FortiWeb units provide extensive logging capabilities for traffic, system and network protection functions. Detailed log information enables you to analyze network activity to identify security issues and reduce network misuse and abuse.

This chapter includes the following topics:
About logging
Log message field descriptions
Configuring and enabling logging
Viewing log messages
Downloading log messages
Configuring and generating reports
Viewing and downloading reports

Log configuration workflow


The following lists the steps to configure log policies, settings, and reports.
1 Set log policies. See Configuring log alert policies on page 316.
2 Create one or more trigger policies. See Configuring trigger policies on page 322.
3 Set global log options. See Configuring and enabling logging on page 323.
Once you complete the above steps, you can begin viewing attack, event, and traffic logs, and creating custom reports.

Tip: Consider creating log alert and trigger policies early in the configuration of your FortiWeb unit. A web vulnerability scan policy, and many XML protection and web protection rules, can reference these policies and alert key personnel to problems.

About logging
FortiWeb units can log many different network activities and traffic, including:
overall network traffic
system-related events, including system restarts and HA activity
matches of policies whose Action includes Alert

For more information about log types, see Log types on page 314. You can select a priority level that log messages must meet in order to be recorded. For more information, see Log priority levels on page 314. A FortiWeb unit can save log messages to its memory, or to a remote location such as a Syslog server or FortiAnalyzer unit. For more information, see Configuring and enabling logging on page 323. The FortiWeb unit can also use log messages as the basis for reports. For more information, see Configuring and generating reports on page 344.


Event and attack log messages are also displayed in the system status dashboard. For more information, see Viewing system status on page 41.

Log types
FortiWeb units can record the following categories of log messages:
Table 118: Log types

Log file type / Description

Event
    Displays administration events such as downloading a backup copy of the configuration.

Traffic
    Displays traffic flow information such as HTTP requests and, if a reply was permitted by the policy, HTTP responses.

Attack
    Displays attack and intrusion attempt events.

Caution: Avoid recording highly frequent log types such as traffic logs to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

Log priority levels


Each log message contains a field that indicates the priority of the log message, such as pri=warning.
Table 119: Log severity levels

Level / Description

0 - Emergency
    The system has become unusable.

1 - Alert
    Immediate action is required.

2 - Critical
    Functionality is affected.

3 - Error
    An error condition exists and functionality could be affected.

4 - Warning
    Functionality could be affected.

5 - Notification
    Information about normal events.

6 - Information
    General information about system operations.

For each location where the FortiWeb unit can store log files (disk, memory, Syslog or FortiAnalyzer), you can define a priority threshold. The FortiWeb unit will store all log messages equal to or exceeding the log priority level you select.
Caution: Avoid recording log messages using low log priority thresholds such as information or notification to the local hard disk for an extended period of time. A low log priority threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

For example, if you select Error, the FortiWeb unit will store log messages whose log priority level is Error, Critical, Alert, or Emergency. For more information, see Configuring global log settings on page 324.

Log message field descriptions


Table 120, Log message fields, on page 315 describes the fields that are available for each type of log message. The specific fields that appear in a log message depend on the selections you make. For more information, see Viewing log messages on page 331.


For a detailed description of each FortiWeb log message, see the FortiWeb Log Message Reference.
Table 120: Log message fields

Each entry gives the log message field, its description, the log types it is used with, and sample content.

Date
    Displays the date that the log message was recorded.
    Used with log type: Event, Attack, Traffic
    Sample content: 2010-11-28

Time
    Displays the time that the log message was recorded.
    Used with log type: Event, Attack, Traffic
    Sample content: 15:38:01

ID
    Displays a 10-digit number that identifies the log message. The log message number consists of:
    the first two digits, which represent the log type;
    the second two digits, which represent the log subtype;
    the fifth digit, which is reserved for future use and is always set to 0 (zero);
    the last five digits, which are a static identifier assigned to each individual log message.
    Used with log type: Event, Attack, Traffic
    Sample content: 0116080121

MSG ID
    A unique 12-digit number assigned to each individual log message generated by the FortiWeb unit.
    Used with log type: Event, Attack, Traffic
    Sample content: 000044866169

Type
    Displays the type of log that occurred: event, attack or traffic.
    Used with log type: Event, Attack, Traffic
    Sample content: event, attack, traffic

Subtype
    Displays the log subtype, which provides additional information to identify the cause of the log message. Subtypes identify the area in which activity occurred. Numerous subtypes are defined for events, protection rule violations (attacks) or traffic. For more information, see the FortiWeb Log Message Reference.
    Used with log type: Event, Attack, Traffic

Level
    Displays the log priority level (log level) associated with the situation for which the log message was created.
    Used with log type: Event, Attack, Traffic
    Sample content: emergency, alert, critical, error, warning, notice, information, debug

Device ID
    Displays the identification number of the device from which the log message originated.
    Used with log type: Event, Attack, Traffic
    Sample content: FV-1AA2B34567890

Time Zone
    Displays the timezone in which the device is located.
    Used with log type: Event, Attack, Traffic
    Sample content: (GMT-5:00)Eastern Time (US & Canada)

User
    Displays the login name of the user that performed the action that caused the event log to be created.
    Used with log type: Event
    Sample content: admin

User Interface
    Displays the type of user interface used when the log was created.
    Used with log type: Event
    Sample content: GUI(10.0.0.22)

Action
    Displays the action associated with the log.
    Used with log type: Event
    Sample content: login, monitor, backup, download, upgrade

Status
    Displays the result of the action.
    Used with log type: Event
    Sample content: alert, succeed, failure

Reason
    Displays the reason for the status.
    Used with log type: Event
    Sample content: name_invalid

Protocol
    The protocol used by the web traffic.
    Used with log type: Attack, Traffic
    Sample content: TCP

Service
    The IP network service that defines the TCP port number on which the virtual server receives traffic.
    Used with log type: Attack, Traffic
    Sample content: HTTP, HTTPS

Source
    The web traffic source IP address.
    Used with log type: Attack, Traffic
    Sample content: 10.0.0.0

Source Port
    The web traffic source port number.
    Used with log type: Attack, Traffic
    Sample content: 3471

Destination
    The web traffic destination IP address.
    Used with log type: Attack, Traffic
    Sample content: 10.0.0.1

Destination Port
    The web traffic destination port number.
    Used with log type: Attack, Traffic
    Sample content: 8080

Policy
    The name of the policy in use when the log was created.
    Used with log type: Attack, Traffic
    Sample content: server policy name

HTTP Method
    The HTTP request method that was allowed to pass through the FortiWeb unit.
    Used with log type: Attack, Traffic
    Sample content: get

URL
    The URL address for the HTTP request.
    Used with log type: Attack, Traffic
    Sample content: /image/example

HTTP Host
    The host home page of the HTTP request.
    Used with log type: Attack, Traffic
    Sample content: example.com

HTTP Agent
    The web browser used for the HTTP request.
    Used with log type: Attack, Traffic
    Sample content: web_browser_information

HTTP Session ID
    The serial number of the session associated with the HTTP request (if known).
    Used with log type: Attack, Traffic
    Sample content: 1ABC123ABC123, unknown

Action
    The action that was specified within the policy.
    Used with log type: Attack
    Sample content: alert, deny, return 403 error, redirect

Severity Level
    The severity level associated with an attack. Severity level is user-defined per violation.
    Used with log type: Attack
    Sample content: high, medium, low

Trigger Policy
    The name of the trigger policy used for email alerts and Syslog.
    Used with log type: Attack
    Sample content: trigger policy name

Message
    The detail message describing the reason that the log message was created.
    Used with log type: Event, Attack
    Sample content: descriptive text
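The ID layout in Table 120 and the threshold rule in Log priority levels (a destination set to Error keeps Error, Critical, Alert and Emergency) can both be checked on sample lines. The following added example (not FortiWeb code) parses key=value lines of the kind shown by the pri=warning field, decodes the 10-digit ID, and filters by a per-destination threshold; the field names other than pri, the log IDs and the sample lines are constructed for illustration, not real FortiWeb output.

```python
# Added example, not FortiWeb code: parses key=value log lines, decodes the
# 10-digit log ID described in Table 120, and applies the per-destination
# priority threshold described in Log priority levels. Key names other than
# `pri` are assumed; the sample lines are constructed, not real output.
import re

# Table 119 order: a lower number is more severe. "notice" and "debug" appear
# in the Level field samples and are mapped alongside the table names.
PRIORITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "notice": 5,
            "information": 6, "debug": 7}

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Split a key=value line into a dict; quoted values keep inner spaces."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def decode_log_id(log_id):
    """Decode the 10-digit ID: type(2) subtype(2) reserved(1) message(5)."""
    if not re.fullmatch(r"\d{10}", log_id):
        raise ValueError("log ID must be exactly 10 digits: %r" % log_id)
    if log_id[4] != "0":
        raise ValueError("fifth digit is reserved and must be 0: %r" % log_id)
    return {"type": log_id[0:2], "subtype": log_id[2:4],
            "reserved": log_id[4], "message": log_id[5:]}


def meets_threshold(pri, threshold):
    """True if a message at priority `pri` is kept under `threshold`."""
    return PRIORITY[pri.lower()] <= PRIORITY[threshold.lower()]


def stored_messages(lines, threshold):
    """Return the parsed messages a destination with `threshold` would store."""
    kept = []
    for line in lines:
        msg = parse_log_line(line)
        if "pri" in msg and meets_threshold(msg["pri"], threshold):
            kept.append(msg)
    return kept


# Constructed sample lines (field names other than pri are assumed).
SAMPLE_LINES = [
    'date=2010-11-28 time=15:38:01 log_id=0116080121 msg_id=000044866169 '
    'type=event subtype=admin pri=warning device_id=FV-1AA2B34567890 '
    'user=admin ui="GUI(10.0.0.22)" action=login status=failure '
    'msg="login failed"',
    'date=2010-11-28 time=15:38:05 log_id=0116080122 msg_id=000044866170 '
    'type=event subtype=admin pri=error msg="backup failed"',
    'date=2010-11-28 time=15:38:09 log_id=0200080001 msg_id=000044866171 '
    'type=attack subtype=waf pri=critical action=deny msg="SQL injection"',
    'date=2010-11-28 time=15:38:10 log_id=0116080123 msg_id=000044866172 '
    'type=event subtype=admin pri=information msg="config saved"',
]

if __name__ == "__main__":
    # A destination with threshold Error keeps only the error and critical lines.
    for m in stored_messages(SAMPLE_LINES, "error"):
        print(m["pri"], decode_log_id(m["log_id"]), m["msg"])
```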

Configuring log alert policies


To stay aware of problems and track activities, you can configure log-based alerts in the form of system email, Syslog messages, and FortiAnalyzer messages, combined with email triggers. This section includes the following topics:
Configuring email policies
Configuring Syslog policies
Configuring FortiAnalyzer policies
Configuring trigger policies


Configuring email policies


Log&Report > Log Policy > Email Policy enables you to create policies that are used by protection rules to alert specific administrators or other personnel when an alert condition occurs, such as a system failure or network attack. An email policy includes email address information for selected recipients, and it sets the frequency at which emails will be sent to those recipients.

The email policies are attached to FortiWeb protection policies that monitor for occurrences of certain violations. When the protection policy detects a violation, an alert email is distributed if the violation control conditions are met. For example, you might configure a server protection rule to monitor for SQL-injection violations and take specific actions if those types of violations occur. The specific actions can include sending an alert email, in which case the email is sent to the individuals identified in the email policy attached to the trigger policy used for the SQL-injection violation. The trigger policy could also include recording the violation in Syslog or FortiAnalyzer according to the policies attached to the trigger policy used for the SQL-injection violation. For more information on Syslog or FortiAnalyzer policies, see Configuring Syslog policies on page 319 and Configuring FortiAnalyzer policies on page 321.

The alert email policy also enables you to define the interval at which emails are sent if the same alert condition persists following the initial occurrence. For example, you might configure the FortiWeb unit to send only one alert message for each 15-minute interval after warning-level log messages begin to be recorded. In that case, if the alert condition continues to occur for 35 minutes after the first warning-level log message, the FortiWeb unit would send a total of three alert email messages, no matter how many warning-level log messages were recorded during that period of time. Intervals are configured separately for each severity level of log messages. For more information on the severity levels of log messages, see Log priority levels on page 314.

Before you can send alerts, you must enable alert email for the log type that you want to use as a trigger. For details, see Enabling logging on page 327.

To access this part of the web-based manager, your administrator account's access profile must have Read and Write permission to items in the Log & Report category. For details, see About permissions on page 80.
Table 121: Log&Report > Log Policy > Email Policy tab

GUI item / Description

Create New
    Click to add a new email policy.

#
    Displays the index number of the entry in the list.

Policy Name
    Displays the name of the email policy.

(No column heading.)
    Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile.
    Click the Edit icon to modify the entry.


To configure email policies
1 Go to Log&Report > Log Policy > Email Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 Configure the following:


GUI item Policy Name Description Type the name of the email policy. This field cannot be modified if you are editing an existing email policy. To modify the name, delete the entry, then recreate it using the new name. Enter the fully qualified domain name (FQDN) or IP address of the SMTP relay or server that the FortiWeb unit will use to send alerts and generated reports. Caution: If you enter a domain name, you must also configure the FortiWeb unit with at least one DNS server. Failure to configure a DNS server may cause the FortiWeb unit to be unable to resolve the domain name, and therefore unable to send the alert. For information on configuring use of a DNS server, see Configuring the DNS settings on page 58. Enter the sender email address that the FortiWeb unit will use when sending alert email messages. Enter one to three recipient email addresses, one per field. Enable to authenticate with the SMTP relay when sending alerts.

SMTP server

Email from Email to Authentication


SMTP user: Enter the user name of the account on the SMTP relay that will be used to send alerts. This option is available only if Authentication is enabled.
Password: Enter the password of the account on the SMTP relay that will be used to send alerts. This option is available only if Authentication is enabled.
Apply & Test: Click to save the alert configuration and send a sample alert to the recipient.
Log Level: Select the priority threshold that log messages must meet or exceed in order to cause an alert. For more information on log levels, see Log priority levels on page 314.
Emergency: Enter the number of minutes between each alert if an alert condition of severity level Emergency continues to occur after the initial alert.
Alert: Enter the number of minutes between each alert if an alert condition of severity level Alert continues to occur after the initial alert.
Critical: Enter the number of minutes between each alert if an alert condition of severity level Critical continues to occur after the initial alert.
Error: Enter the number of minutes between each alert if an alert condition of severity level Error continues to occur after the initial alert.
Warning: Enter the number of minutes between each alert if an alert condition of severity level Warning continues to occur after the initial alert.
Notification: Enter the number of minutes between each alert if an alert condition of severity level Notification continues to occur after the initial alert.
Information: Enter the number of minutes between each alert if an alert condition of severity level Information continues to occur after the initial alert.
Debug: Enter the number of minutes between each alert if an alert condition of severity level Debug continues to occur after the initial alert.

4 Click OK. The FortiWeb unit saves the configuration and returns to the Email Policy tab.
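The Log Level threshold and the eight per-severity interval fields above together define a gating rule: a message alerts only if its severity meets or exceeds Log Level, and once an alert has gone out for a given severity, repeats of that severity are held back until the configured number of minutes has passed. The following is an added Python example, not FortiWeb code, that models that rule so the suppression behaviour can be traced; the interval values and the event sequence are constructed, and the severity names follow the guide's own list.

```python
"""Alert e-mail gating: severity threshold plus per-severity repeat intervals.

Added example (not FortiWeb code). The intervals and sample events are constructed.
"""
from dataclasses import dataclass, field

# Severity order: lower index = more severe (Emergency first, Debug last).
LEVELS = ["emergency", "alert", "critical", "error",
          "warning", "notification", "information", "debug"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class EmailAlertPolicy:
    log_level: str          # threshold: messages must meet or exceed it to alert
    intervals: dict         # minutes between repeat alerts, keyed by severity
    _last_sent: dict = field(default_factory=dict)   # severity -> minute of last alert

    def should_alert(self, severity: str, now_min: float) -> bool:
        """Return True if a message of `severity` arriving at `now_min` sends mail."""
        if RANK[severity] > RANK[self.log_level]:
            return False    # below the threshold: never alerts
        last = self._last_sent.get(severity)
        if last is not None and now_min - last < self.intervals.get(severity, 0):
            return False    # a repeat inside this severity's interval: suppressed
        self._last_sent[severity] = now_min
        return True


def replay(policy: EmailAlertPolicy, events):
    """Feed (minute, severity) events through the policy; return those that alert."""
    return [(t, sev) for t, sev in events if policy.should_alert(sev, t)]


def demo():
    # Constructed policy: alert on Error and above; repeat intervals in minutes.
    policy = EmailAlertPolicy(
        log_level="error",
        intervals={"emergency": 1, "alert": 5, "critical": 10, "error": 30},
    )
    events = [
        (0, "error"),       # first Error: alert
        (5, "error"),       # 5 min later, inside the 30 min Error interval: suppressed
        (7, "critical"),    # different severity with its own interval: alert
        (12, "warning"),    # below Log Level: suppressed
        (17, "critical"),   # 10 min since last Critical: alert again
        (31, "error"),      # 31 min since first Error: alert again
    ]
    return replay(policy, events)


if __name__ == "__main__":
    for t, sev in demo():
        print(f"t={t:>3} min  alert sent for {sev}")
```

Each severity keeps its own timer, so a burst of Error messages cannot silence a later Critical one, but a low Log Level combined with short intervals still produces one mail per interval per severity for as long as the condition persists.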

Configuring Syslog policies


Log&Report > Log Policy > Syslog Policy enables you to create policies that are used by protection rules to store log messages remotely on a Syslog server. For example, once you create a Syslog policy, it can be used by a trigger policy, which in turn can be applied to a trigger action in a protection rule.
Note: Logs stored remotely cannot be viewed from the FortiWeb web-based manager. If you require the ability to view logs from the web-based manager, also enable local storage. For details, see Enabling logging on page 327.

Before you can log remotely, you must enable alert email for the log type that you want to use as a trigger. For details, see Enabling logging on page 327. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Log & Report category. For details, see About permissions on page 80.


Table 122: Log&Report > Log Policy > Syslog Policy tab

GUI item / Description
Create New: Click to add a new Syslog policy.
#: Displays the index number of the entry in the list.
Policy Name: Displays the name of the Syslog policy.
Delete (no column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile.
Edit (no column heading): Click the Edit icon to modify the entry.

To configure Syslog policies
1 Go to Log&Report > Log Policy > Syslog Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 Configure the following:


GUI item / Description
Policy Name: Type the name of the Syslog policy. This field cannot be modified if you are editing an existing Syslog policy. To modify the name, delete the entry, then recreate it using the new name.
Name/IP: Enter the IP address of the remote Syslog server.
Port: Enter the listening port number of the Syslog server. The default is 514.
Enable CSV format: Enable to send log messages in comma-separated value (CSV) format.

4 Click OK.
5 To verify logging connectivity, from the FortiWeb unit, trigger a log message that matches the types and severity levels that you have chosen to store on the remote host. Then, on the remote host, confirm that it has received that log message.
If the remote host does not receive the log messages, verify the FortiWeb unit's network interfaces (see Configuring the network and VLAN interfaces on page 50) and static routes (see Configuring static routes on page 105), and the policies on any intermediary firewalls or routers. If ICMP ECHO (ping) is enabled on the remote host, try using the execute traceroute command to determine the point where connectivity fails. For details, see the FortiWeb CLI Reference.
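Step 5 checks that the Syslog server receives what the policy sends on port 514, and the Facility setting described under Global Log Settings is what lets the server tell FortiWeb's messages apart from other devices. The following added Python example, not FortiWeb code, shows the receiving side of that arrangement under the assumption of BSD-syslog (RFC 3164) framing, where the leading PRI value is facility * 8 + severity and the eight severities line up with the guide's log priority levels (Emergency = 0 through Debug = 7). The facility names local0 to local7, the host names and the message bodies are constructed; the send_udp helper is included for completeness and is not called by the demo.

```python
"""Syslog PRI encoding, parsing and receiver-side filtering.

Added example (not FortiWeb code). Assumes RFC 3164 framing; samples constructed.
"""
import re
import socket

SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "information": 6, "debug": 7}
# RFC 3164 local-use facilities local0..local7 are numbered 16..23.
FACILITY = {f"local{i}": 16 + i for i in range(8)}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, as carried in the <PRI> header."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_message(facility, severity, timestamp, host, tag, body) -> bytes:
    """<PRI>TIMESTAMP HOSTNAME TAG: MSG, the classic BSD-syslog layout."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} {tag}: {body}".encode()


def parse_message(raw: bytes) -> dict:
    """Split off PRI and decode facility/severity; reject malformed input."""
    m = _PRI_RE.match(raw.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return {"facility": pri // 8, "severity": pri % 8, "text": m.group(2)}


def is_wellformed(raw: bytes) -> bool:
    try:
        parse_message(raw)
        return True
    except ValueError:
        return False


def accept(raw: bytes, expected_facility: str, log_level: str) -> bool:
    """Keep only messages from the reserved facility at or above the log level."""
    msg = parse_message(raw)
    return (msg["facility"] == FACILITY[expected_facility]
            and msg["severity"] <= SEVERITY[log_level])


def send_udp(raw: bytes, server: str, port: int = 514) -> None:
    """Transmit one datagram the way a UDP syslog client does (default port 514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(raw, (server, port))


if __name__ == "__main__":
    # Constructed samples: one FortiWeb-style event, one chatty line from another host.
    wanted = build_message("local7", "warning", "Jun 16 10:00:00", "fortiweb", "fortiweb",
                           'log_id="0001" msg="constructed sample event"')
    other = build_message("local0", "information", "Jun 16 10:00:01", "switch1", "sshd",
                          "constructed noise from another host")
    for raw in (wanted, other):
        verdict = "accepted" if accept(raw, "local7", "warning") else "dropped"
        print(parse_message(raw), verdict)
```

Because the facility is the only marker in the header that identifies the sender, a second device configured with the same local7 value would pass the same filter; that is the practical reason the guide asks for a facility no other network device uses.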


Configuring FortiAnalyzer policies


Log&Report > Log Policy > FortiAnalyzer Policy enables you to create policies that are used by protection rules to store log messages remotely on a FortiAnalyzer unit. For example, once you create a FortiAnalyzer policy, it can be used by a trigger policy, which in turn can be applied to a trigger action in a protection rule.
Note: Logs stored remotely cannot be viewed from the web-based manager of the FortiWeb unit. If you require the ability to view logs from the web-based manager, also enable local storage. For details, see Enabling logging on page 327.

Before you can log remotely, you must enable alert email for the log type that you want to use as a trigger. For details, see Enabling logging on page 327. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Log & Report category. For details, see About permissions on page 80.
Table 123: Log&Report > Log Policy > FortiAnalyzer Policy tab

GUI item / Description
Create New: Click to add a new FortiAnalyzer policy.
#: Displays the index number of the entry in the list.
Policy Name: Displays the name of the FortiAnalyzer policy.
Delete (no column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile.
Edit (no column heading): Click the Edit icon to modify the entry.

To configure FortiAnalyzer policies
1 Go to Log&Report > Log Policy > FortiAnalyzer Policy.
2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.
3 Configure the following:


GUI item / Description
Policy Name: Type the name of the FortiAnalyzer policy. This field cannot be modified if you are editing an existing FortiAnalyzer policy. To modify the name, delete the entry, then recreate it using the new name.
IP Address: Enter the IP address of the remote FortiAnalyzer unit.

4 Click OK.
5 Confirm with the FortiAnalyzer administrator that the FortiWeb unit has been added to the FortiAnalyzer unit's device list, allocated sufficient disk space quota, and assigned permission to transmit logs to the FortiAnalyzer unit. For details, see the FortiAnalyzer Administration Guide.
6 To verify logging connectivity, from the FortiWeb unit, trigger a log message that matches the types and severity levels that you have chosen to store on the remote host. Then, on the remote host, confirm that it has received that log message.
If the remote host does not receive the log messages, verify the FortiWeb unit's network interfaces (see Configuring the network and VLAN interfaces on page 50) and static routes (see Configuring static routes on page 105), and the policies on any intermediary firewalls or routers. If ICMP ECHO (ping) is enabled on the remote host, try using the execute traceroute command to determine the point where connectivity fails. For details, see the FortiWeb CLI Reference.

Configuring trigger policies


Log&Report > Log Policy > Trigger Policy enables you to create policies that are used by protection rules to trigger alert emails and to generate Syslog and FortiAnalyzer records. For example, if you create a trigger policy that uses an email policy and a Syslog policy, that trigger policy can be applied as a trigger action to specific violations in a protection rule. Alert email and Syslog records will be created according to the trigger policy when a rule violation occurs. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Log & Report category. For details, see About permissions on page 80.
Table 124: Log&Report > Log Policy > Trigger Policy tab

GUI item / Description
Create New: Click to add a new Syslog policy.
#: Displays the index number of the entry in the list.
Policy Name: Displays the name of the trigger policy.
Delete (no column heading): Click the Delete icon to remove the entry. This icon does not appear if the entry is currently selected for use in a protection profile.
Edit (no column heading): Click the Edit icon to modify the entry.

To configure trigger policies
1 Go to Log&Report > Log Policy > Trigger Policy.

2 Click Create New, or, in the row corresponding to an entry that you want to modify, click the Edit icon. A dialog appears.

3 Configure the following:


GUI item / Description
Policy Name: Type the name of the trigger policy. This field cannot be modified if you are editing an existing Syslog policy. To modify the name, delete the entry, then recreate it using the new name.
Email Policy: Select the email policy that you want to associate with the trigger action policy. This email policy will be used by all protection rule violations when applied to the protection rule trigger action.
Syslog Policy: Select the Syslog policy that you want to associate with the trigger action policy. This Syslog policy will be used by all protection rule violations when applied to the protection rule trigger action.
FortiAnalyzer Policy: Select the FortiAnalyzer policy that you want to associate with the trigger action policy. This FortiAnalyzer policy will be used by all protection rule violations when applied to the protection rule trigger action.

4 Click OK.

Configuring and enabling logging


To diagnose problems or track actions that the FortiWeb unit performs as it receives and processes traffic, configure the FortiWeb unit to record log messages.
You can configure the FortiWeb unit to store log messages either locally (that is, in RAM or to the hard disk) and/or remotely (that is, on a Syslog server or FortiAnalyzer unit). Your choice of storage location may be affected by several factors, including the following.
• Rebooting the FortiWeb unit clears logs stored in memory.
• Logging only locally may not satisfy your requirements for off-site log storage.
• Attack logs and traffic logs cannot be logged to local memory.
• Very frequent logging may cause undue wear when stored on the local hard drive. A low severity threshold is one possible cause of frequent logging. For more information on severity levels, see Log priority levels on page 314.
• Very frequent logging, such as when the severity level is low, may rapidly consume all available log space when stored in memory. If the available space is consumed, and if the FortiWeb unit is configured to do so, it may store any new log message by overwriting the oldest log message. For high traffic volumes, this may occur so rapidly that you cannot view old log messages before they are replaced. For more information on severity levels, see Log priority levels on page 314.


Usually, fewer log messages can be stored in memory. Logging to a Syslog server or FortiAnalyzer unit may provide you with additional log storage space.

For information on viewing locally stored log messages, see Viewing log messages on page 331.
This section includes the following topics:
Configuring global log settings
Enabling logging
Obscuring sensitive data in the logs

Configuring global log settings


Log&Report > Log Config > Global Log Settings displays the settings used to store log information and alert users that logs have occurred. Depending on the type of log, log messages can be stored on local hard disk, local memory, Syslog server or FortiAnalyzer unit as shown in Table 125.

Table 125: Log storage

Storage area     Event logs   Traffic logs   Attack logs
Local disk       yes          yes            yes
Local memory     yes          no             no
Syslog server    yes          yes            yes
FortiAnalyzer    yes          yes            yes

Use alert emails to notify users when problems occur. Distribution of alert emails is managed through email policies that define who receives the alert emails and the frequency at which the alert emails are sent.
Caution: Avoid recording highly frequent log types such as traffic logs to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Log & Report category. For details, see About permissions on page 80.
To configure log settings
1 Go to Log&Report > Log Config > Global Log Settings.


2 Configure the following:

Table 126: Global Log Settings

GUI item / Description
Disk: Enable to record log messages to the local hard disk on the FortiWeb unit. If the FortiWeb unit is logging to its hard disk, you can use the web-based manager to view log messages that are stored locally on the FortiWeb unit. For details, see Viewing log messages on page 331.
Before you can log to the hard disk, you must first enable logging. For details, see Enabling logging on page 327. For logging accuracy, you should also verify that the FortiWeb unit's system time is accurate. For details, see Configuring system time on page 100.
Expand the disk storage configuration to display additional options:
Log Level: Select the severity level that a log message must equal or exceed in order to be recorded to this storage location.
Caution: Avoid recording log messages using low severity thresholds such as information or notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure. For information about severity levels, see Log priority levels on page 314.
When log disk is full: Select what the FortiWeb unit will do when the local disk is full and a new log message occurs, either:
Do not log: discards the new log message.
Overwrite oldest logs: deletes the oldest log file in order to free disk space, and stores the new log message.
Log rolling settings: Enter the maximum file size of the current log file. When a log file reaches the size limit, the FortiWeb unit will rotate the current log file: that is, it renames the current log file (elog.log) with a file name indicating its sequential relationship to other log files of that type (elog2.log, and so on), then creates a new current log file. The log file size limit must be between 10 MB and 1 000 MB.


Memory: Enable to record log messages in the local random access memory (RAM) of the FortiWeb unit.
Note: Only event logs can be stored in the local memory. Attack and traffic logs cannot be stored in memory.
If the FortiWeb unit is logging to memory, you can use the web-based manager to view log messages that are stored locally on the FortiWeb unit. For details, see Viewing log messages on page 331.
Caution: Log messages stored in memory should not be regarded as permanent. All log entries stored in memory are cleared when the FortiWeb unit restarts. When available memory space for log messages is full, the FortiWeb unit will store any new log message by overwriting the oldest log message.
Before you can record event logs to the local memory, you must first enable logging. For details, see Enabling logging on page 327. For logging accuracy, you should also verify that the FortiWeb unit's system time is accurate. For details, see Configuring system time on page 100.
Expand the memory storage configuration to display additional options:
Log Level: Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see Log priority levels on page 314.
Syslog: Enable to store log messages remotely, on a Syslog server.
Warning: Enabling Syslog could result in excessive log messages being recorded in Syslog. Syslog entries are controlled by Syslog policies and trigger actions associated with various types of violations. If the Syslog option is enabled, but a trigger action has not been selected for a specific type of violation, every occurrence of that violation will be recorded in Syslog and transmitted to the Syslog server. For more information, see Responding to web protection rule violations on page 191.
Note: Logs stored remotely cannot be viewed from the FortiWeb web-based manager.
Before you can store logs on a remote location you must first enable logging. For details, see Enabling logging on page 327. For logging accuracy, you should also verify that the FortiWeb unit's system time is accurate. For details, see Configuring system time on page 100.
Expand the Syslog storage configuration to display additional options:
Syslog Policy: Select the policy to use when storing log information remotely. The Syslog policy includes the address information for the remote Syslog server. For more information, see Configuring Syslog policies on page 319.
Log Level: Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see Log priority levels on page 314.
Facility: Select the facility identifier that the FortiWeb unit will use to identify itself when sending log messages to the first Syslog server. To easily identify log messages from the FortiWeb unit when they are stored on the Syslog server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.


Alert Mail: Enable to generate alert email when log messages are created.
Warning: Enabling Alert Email could result in excessive alert email. Distribution of alert emails is controlled by email policies and trigger actions associated with various types of violations. If the Alert Mail option is enabled, but a trigger action has not been selected for a specific type of violation, every occurrence of that violation will result in an alert email to the individuals associated with the policy selected in the Email Policy field. For more information, see Responding to web protection rule violations on page 191.
Expand the Alert Mail configuration to display additional options:
Email Policy: Select the email policy to use for alert emails. For more information, see Configuring email policies on page 317.
Alert Mail is not available for the traffic logs.
FortiAnalyzer: Enable to store log messages remotely, on a FortiAnalyzer unit.
Warning: Enabling FortiAnalyzer could result in excessive log messages being recorded in FortiAnalyzer. FortiAnalyzer entries are controlled by FortiAnalyzer policies and trigger actions associated with various types of violations. If the FortiAnalyzer option is enabled, but a trigger action has not been selected for a specific type of violation, every occurrence of that violation will be recorded in FortiAnalyzer. For more information, see Responding to web protection rule violations on page 191.
Note: Logs stored remotely cannot be viewed from the FortiWeb web-based manager.
Before you can store logs on a remote location you must first enable logging. For details, see Enabling logging on page 327. For logging accuracy, you should also verify that the FortiWeb unit's system time is accurate. For details, see Configuring system time on page 100.
Expand the FortiAnalyzer storage configuration to display additional options:
FortiAnalyzer Policy: Select the policy to use when storing log information remotely. The FortiAnalyzer policy includes the address information for the remote Syslog server. For more information, see Configuring FortiAnalyzer policies on page 321.
Log Level: Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see Log priority levels on page 314.

3 Click Apply.
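The Disk options in Table 126 describe two independent mechanisms: size-based rolling, in which the current file (elog.log) is renamed to the next sequence number (elog2.log, and so on) once it reaches the size limit, and the disk-full choice between "Do not log" and "Overwrite oldest logs", in which the latter deletes whole oldest files to make room. The following is an added Python example, not FortiWeb code, that simulates both in a temporary directory so the retention consequences can be seen; the byte-sized limits, the storage budget, the file naming beyond what the guide states and the event text are constructed, and bear no relation to the 10 MB to 1 000 MB range the appliance accepts.

```python
"""Size-based log rolling with a disk-full policy, simulated on tiny files.

Added example (not FortiWeb code). Sizes, budget and log lines are constructed.
"""
import os
import tempfile


class RollingLogStore:
    def __init__(self, directory, name="elog", rotate_at=64, budget=200,
                 when_full="overwrite"):
        self.dir, self.name = directory, name
        self.rotate_at, self.budget = rotate_at, budget   # bytes (constructed scale)
        self.when_full = when_full                         # "overwrite" or "drop"
        self.seq = 1                                       # elog.log is number 1
        self.dropped = 0

    def current(self):
        return os.path.join(self.dir, f"{self.name}.log")

    def rolled_files(self):
        """Rolled files oldest first, e.g. ['elog2.log', 'elog3.log']."""
        names = [f for f in os.listdir(self.dir)
                 if f.startswith(self.name) and f.endswith(".log") and f != f"{self.name}.log"]
        return sorted(names, key=lambda f: int(f[len(self.name):-4]))

    def used_bytes(self):
        return sum(os.path.getsize(os.path.join(self.dir, f))
                   for f in os.listdir(self.dir) if f.endswith(".log"))

    def _roll(self):
        """Rename elog.log to elogN.log; the next write starts a fresh elog.log."""
        self.seq += 1
        os.replace(self.current(), os.path.join(self.dir, f"{self.name}{self.seq}.log"))

    def write(self, line: str) -> bool:
        data = (line.rstrip("\n") + "\n").encode()
        # Disk-full policy: delete the oldest rolled file(s) to make room, or refuse.
        while self.used_bytes() + len(data) > self.budget:
            old = self.rolled_files()
            if self.when_full != "overwrite" or not old:
                self.dropped += 1           # "Do not log": the message is discarded
                return False
            os.remove(os.path.join(self.dir, old[0]))
        # Rolling: if this line would push the current file over the limit, roll first.
        cur = self.current()
        if os.path.exists(cur) and os.path.getsize(cur) + len(data) > self.rotate_at:
            self._roll()
        with open(cur, "ab") as f:
            f.write(data)
        return True


def simulate(when_full: str, n_lines: int = 20):
    """Write n constructed lines into a fresh temp dir; report what survived."""
    with tempfile.TemporaryDirectory() as d:
        store = RollingLogStore(d, when_full=when_full)
        for i in range(n_lines):
            store.write(f"constructed event {i:02d} severity=information")
        return {"rolled": store.rolled_files(), "dropped": store.dropped,
                "used": store.used_bytes()}


if __name__ == "__main__":
    print("overwrite oldest:", simulate("overwrite"))
    print("do not log:      ", simulate("drop"))
```

With "Overwrite oldest logs" the store keeps running but only the newest files survive, so older evidence disappears without any alert; with "Do not log" the old files are preserved but every later message is lost. Either way a full disk means gaps, which is the reason the guide pairs local disk logging with a remote Syslog or FortiAnalyzer destination.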

Enabling logging
Log&Report > Log Config > Other Log Settings allows you to enable or disable logging for each log type. For more information on log types, see Log types on page 314. To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Log & Report category. For details, see About permissions on page 80.
To enable logging
1 Go to Log&Report > Log Config > Other Log Settings.


2 Enable one or more of the following:

Table 127: Configuring Other Log Settings

GUI item / Description
Enable Attack Log: Enable to log violations of attack policies, such as server protection rules.
Retain Packet Payload For: Under Retain Packet Payload For, mark the corresponding check box for each of the attack types or validation failures that are detected using a regular expression, such as XSS Attack Detection or Parameter Rule Violation, if you want to retain the offending packet payload with its log message. Packet retention is enabled by default for all message types, except custom signature detection.
Packet payloads supplement the log message by providing the actual data that triggered the regular expression, which may help you to fine-tune your regular expressions to prevent false positives, or to examine changes to attack behavior for subsequent forensic analysis. The FortiWeb unit retains only the first 4 KB of data from the offending HTTP request payload that triggered the log message.
Packet payloads are accessible from the Packet Log column when viewing an attack log using the web-based manager. For details, see Viewing log messages on page 331.
If packet payloads could contain sensitive information, you may need to obscure those elements. For details, see Obscuring sensitive data in the logs on page 329.
Enable Event Log: Enable to log system events, such as user activity or rebooting the FortiWeb unit.


Persistent Server Session Threshold: Select a threshold level that will trigger an event log when the actual number of persistent server sessions reaches the defined percentage (50% to 90%) of the total number of persistent server sessions allowed for the FortiWeb unit. The default setting is 80%. For example, if Persistent Server Session Threshold is set to 50%, and the allowed number of persistent server sessions is 15,000, an event log is triggered when the actual number of persistent sessions reaches 50% of the allowed number, or 7,500 persistent server sessions. For more information on the total persistent server sessions, see Appendix B: Maximum values on page 397.
Enable Traffic Log: Enable to log traffic events such as HTTP requests and responses, and the expiration of HTTP sessions. If you do not need traffic data, disable this feature to increase system performance.
Enable Packet Log: If you want to retain regular traffic packet payloads, mark Enable Packet Log. Unlike attack packet payloads, only request direction traffic packets are retained, and only the first 4 KB of the payload if it is larger.
Note: Retaining traffic packet payloads is resource intensive. Only enable this option when absolutely necessary.
Packet payloads are accessible from the Packet Log column when viewing a log using the web-based manager. For details, see Viewing packet log details on page 336.

3 Click Apply.

Obscuring sensitive data in the logs


If enabled to do so, a FortiWeb unit will hide some predefined data types, including user names and passwords, that could appear in the packet payloads accompanying a log message. You can also define your own sensitive data types, such as ages or other identifying numbers, using regular expressions.
Note: Sensitive data definitions are not retroactive. They will hide strings in subsequent log messages, but will not affect existing ones.

To exclude custom sensitive data from log packet payloads
1 Go to Log&Report > Log Config > Log Custom Sensitive Rule.
2 On the right side of the tab, select one or both of the following:
Enable Predefined Rules: Use the predefined credit card number and password data types.
Enable Custom Rules: Use your own regular expressions to define sensitive data.
3 Click Create New. A dialog appears.


4 Give the rule a name.
5 Select either General Mask (a regular expression that will match any substring in the packet payload) or Field Mask (a regular expression that will match only the value of a specific form input).
In the field next to General Mask, type a regular expression that matches all the strings or numbers that you want to obscure in the packet payloads. For example, to hide a parameter that contains the age of users under 14, you could enter: age\=[1-13]
Valid expressions must not start with an asterisk ( * ). The maximum length is 21 characters.
For Field Mask, in the left-hand field (Field Name), type a regular expression that matches all and only the input names whose values you want to obscure. (The input name itself will not be obscured. If you wish to do this, use General Mask instead.) Then, in the right-hand field (Field Value), type a regular expression that matches all input values that you want to obscure. Valid expressions must not start with an asterisk ( * ). The maximum length is 22 characters. For example, to hide a parameter that contains the age of users under 14, for Field Name, you would enter age, and for Field Value, you could enter [1-13].
Caution: Field masks using asterisks are greedy: a match for the parameter's value will obscure it, but will also obscure the rest of the parameters in the line. To avoid this, enter an expression whose match terminates with, but does not consume, the parameter separator. For example, if parameters are separated with an ampersand ( & ), and you want to obscure the value of the Field Name username but not any of the parameters that follow it, you could enter the Field Value: .*?(?=\&)
This would result in: username****&age=13&origurl=%2Flogin


Tip: To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression.

6 Click OK. The expression appears in the list of regular expressions that define sensitive data that will be obscured in the logs. When viewing new log messages, data types matching your expression will be replaced with a string of * characters equal in length to the sensitive data.
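The two rule kinds in step 5, and the greedy-versus-lazy caution, can be reproduced with ordinary regular expressions. The following is an added Python example, not FortiWeb code, that applies a General Mask and a Field Mask to a constructed form body and replaces every match with the same number of * characters, as step 6 says the log viewer does. It assumes the Field Value expression is applied starting at the first character of the value against the rest of the payload, which is the behaviour the caution about .* describes; the payload, the parameter names and all patterns other than the guide's own .*?(?=\&) are constructed. It also shows a caveat a practitioner will want to check before relying on the guide's age example: in the regular-expression syntax of Python (and of PCRE), [1-13] is a character class containing the digits 1 and 3, not the range 1 to 13.

```python
"""General Mask and Field Mask applied to retained payloads.

Added example (not FortiWeb code). Payloads and patterns are constructed.
"""
import re


def stars(m: re.Match) -> str:
    """Replacement callback: as many '*' as characters matched."""
    return "*" * len(m.group(0))


def general_mask(payload: str, pattern: str) -> str:
    """General Mask: obscure every substring matching `pattern`, anywhere."""
    return re.sub(pattern, stars, payload)


def field_mask(payload: str, field_name: str, field_value: str) -> str:
    """Field Mask: obscure the value of inputs whose name matches `field_name`.

    The value expression is matched from the first character of the value
    against the remainder of the payload. A greedy `.*` therefore swallows the
    parameters that follow; `.*?(?=&)` stops at the separator without eating it.
    """
    name_re = re.compile(r"(?:^|&)(?:" + field_name + r")=")
    value_re = re.compile(field_value)
    out, pos = [], 0
    for m in name_re.finditer(payload):
        start = m.end()                        # first character of the value
        if start < pos:                        # already swallowed by an earlier mask
            continue
        v = value_re.match(payload, start)     # anchored at the value
        if v is None or v.end() == start:      # no match or empty match: leave as is
            continue
        out.append(payload[pos:start] + "*" * (v.end() - start))
        pos = v.end()
    return "".join(out) + payload[pos:]


def demo():
    # Constructed request body, as it might be retained with an attack log.
    payload = "username=alice&password=hunter2&age=13&origurl=%2Flogin"
    return {
        "general": general_mask(payload, r"password=[^&]*"),
        "greedy": field_mask(payload, "username", r".*"),        # eats everything after
        "lazy": field_mask(payload, "username", r".*?(?=&)"),    # the guide's pattern
        # Caveat: [1-13] is a character class (digits 1 and 3), not "1 to 13".
        "class_13": general_mask("age=13&x=1", r"age\=[1-13]"),
        # One way to express "age under 14": 10-13 or a single non-zero digit,
        # with a lookahead so that 14, 130 and so on are not matched.
        "under14": general_mask("age=13&x=1", r"age=(1[0-3]|[1-9])(?!\d)"),
        "fourteen": general_mask("age=14&x=1", r"age=(1[0-3]|[1-9])(?!\d)"),
    }


if __name__ == "__main__":
    for label, text in demo().items():
        print(f"{label:>9}: {text}")
```

Note that with a lookahead on & the last parameter of a body has no separator to stop at, so a value pattern of that shape leaves a trailing field unmasked; a practitioner who needs the final parameter covered as well can use a class such as [^&]* for the value instead, which stops at either the separator or the end of the payload.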

Viewing log messages


If you have configured the FortiWeb unit to store log messages locally (that is, to memory or the hard disk), you can view the log messages currently stored in each file. Log messages are in human-readable format, where each log's name, such as Source (src in Raw view), indicates its contents. Exceptions include the attack log's Message (msg) field, which contains a code such as DETECT_PARAM_RULE_FAILED that indicates which feature detected the attack. For each feature's attack detection code, see the feature's description located in applicable chapters of this Administration Guide.
Note: Not all detected attacks may be blocked, redirected, or sanitized. For example, while using auto-learning, you can configure protection profiles with an action of Alert (log but not deny), allowing the connection to complete in order to gather full auto-learning data. To determine whether or not an attack attempt was permitted to reach a web server, show the Action column. For details, see Displaying and arranging log columns on page 338.

When viewing log messages, you can customize aspects of the display to focus on log messages and fields that match your criteria. For more information, see Customizing the log view on page 337. For attack logs and traffic logs, you can view detailed information about each log and the packet payload. For more information, see Viewing log message details on page 335. For attack logs, you can perform a quick or advanced search for specific logs. For more information, see Searching attack logs on page 341. The logs associated with attacks that are blocked by FortiWeb are highlighted to distinguish them from other attacks that are not blocked.
This section includes the following topics:
Selecting a log type to view
Viewing log message details
Viewing packet log details
Customizing the log view
Searching attack logs


Selecting a log type to view


Log&Report > Log Access enables you to select the type of log message to view, if log messages are stored locally on the hard disk or in the local random access memory (RAM) of the FortiWeb unit.
Note: In addition to locally stored log messages, event log messages and attack log messages can also be viewed in the system status dashboard. For more information, see Viewing system status on page 41.

To access this part of the web-based manager, your administrator's account access profile must have Read and Write permission to items in the Log & Report category. For details, see About permissions on page 80.
Table 128: Log&Report > Log Access > Event tab
(Screenshot callouts: Refresh, Log Search, Log Message Aggregation, Clear All Filters, Raw (or Formatted), Column Settings, Previous page, Next page)

Note: The columns and type of information displayed depend on which log type tab is selected.

GUI item / Description
Data Source (not shown): Visible only when the Event tab is selected. Data Source enables you to view event logs that are stored in the FortiWeb unit's random access memory (RAM), or event log files stored on the FortiWeb unit's hard disk. Select either Memory to display the most recent logs stored in the FortiWeb unit's memory, or Disk to display a list of the historical log files that are stored on the FortiWeb unit's hard disk. For information on configuring event log storage location, see Configuring global log settings on page 324. FortiWeb always stores attack and traffic logs on disk, so there is no data source selection on the Attack or Traffic tabs.
Previous page: Click to view the previous page.
Next page: Click to view the next page.
View n per page: Click the black arrow to change the number of rows of log entries to display per page.
Line: Enter a log entry number, then press Enter to go to that entry. The number following the slash ( / ) is the total number of entries in the log file.
Column Settings: Click this icon to display or hide the columns that correspond to log fields, or change the order in which they appear on the page. For more information, see Displaying and arranging log columns on page 338.

332

FortiWeb Web Application Firewall Version 4.0 MR2 Administration Guide Revision 10 http://docs.fortinet.com/ Feedback

Logs and reports

Viewing log messages

Raw (or Formatted)
    These icons let you toggle between a Raw and Formatted view of the log information. The raw view displays the log message as it actually appears in the log file. The formatted view displays the log message in a columnar format. Click to switch the log information view to the opposite of what is currently displayed. For details on both view types, see Customizing the log view on page 337.

Clear All Filters
    Click this icon to clear all log view filters. For details on log view filters, see Filtering log messages on page 339.

Log Message Aggregation
    Visible only when the Attack tab is selected. Enables you to view only the attack logs associated with specific categories, including: HTTP Host, URL, Source IP or Subtype. For more information, see Grouping similar attack log messages on page 340.

Log Search
    Visible only when the Attack tab is selected. Enables you to perform searches for attack logs using advanced search criteria. For more information, see Searching attack logs on page 341.

Refresh
    Visible only when the Attack tab is selected. Enables you to update the attack log list by adding any new logs that were created since the log list was opened.

To view log messages

1 Go to Log&Report > Log Access.
2 Click the tab corresponding to the type of log file that you want to view (Event, Attack, or Traffic).
    For Attack logs, go to step 3.
    For Event logs, go to step 6.
    For Traffic logs, go to step 10.
    For more information on log types, see Log types on page 314.

Tip: If there are no traffic logs, verify that you have enabled Session Management in the profiles whose traffic you want to log.

3 To view Attack logs, select Log&Report > Log Access > Attack. Log messages associated with attacks that have been blocked by FortiWeb are highlighted to distinguish them from other attacks that are not blocked.
(Figure: attack log list; callout: Blocked attack)
4 If you want to view the historical attack log files that are stored on local hard disk, select the Log Management link at the top-right of the attack log list.
5 Go to step .


6 To view Event log messages, select Log&Report > Log Access > Event. For Event logs only, you can select the log data storage location (disk or memory) and then select from which data source location you want to view the log information. For more information on configuring the FortiWeb unit to store log messages locally, see Configuring and enabling logging on page 323.

Note: Only event logs are stored in local memory. Attack and traffic logs are stored on disk.

7 To view event log messages stored in local random access memory (RAM), select Memory as the Data Source.
(Figure: event log list; callouts: Data Source: Memory, Event log messages)
8 If you want to view historical event log files stored on the local hard disk, select Disk as the Data Source.
9 Go to step .
10 To view Traffic logs, select Log&Report > Log Access > Traffic.


11 If you want to view the historical traffic log files that are stored on local hard disk, select the Log Management link at the top-right of the traffic log list. Historical log files are stored on the local hard disk. You can view the log messages associated with any historical log file, download the entire log file or clear the log file from the disk.
(Figure: historical log file list; callouts: View log messages, Download log file, Historical log file, Clear Log file)
12 Click one of:
    View to display all log messages associated with a specific log file.
    Download to download the log file to your management computer, then select either Normal format (raw, plain text logs) or CSV format (comma-separated value). If you would like to password-encrypt the log files before downloading them, enable Encryption and type a password in Password. Click OK to begin the download to your management computer. Raw, unencrypted logs can be viewed with a plain text editor. CSV-formatted, unencrypted logs can be viewed with a spreadsheet application, such as Microsoft Excel or OpenOffice Calc.
    Clear to remove the log file from the local hard disk.
13 If you want to download log messages that were generated within a specific date range, select the Download tab. For more information, see Downloading log messages on page 343.

Viewing log message details


When viewing attack log messages or traffic log messages, you can view detailed information about each message directly within the web-based manager window. You can then use this detailed information to create new protection exceptions based on an attack log entry.


Table 129: Viewing log message details
(Figure callouts: Log message detail display, Log message detail)

GUI item and description:

Detail icon
    This item is available only when accessing attack and traffic logs. There are no details associated with event logs. Select Detail to display all recorded information about a specific log stored on the FortiWeb unit's hard disk. To download the log information, see Viewing log messages on page 331.

Detail display area
    Provides detailed information about the selected log message.

Viewing packet log details


If you have enabled retention of attack and traffic logs in log configuration, you can view detailed information about each packet log directly within the web-based manager window. Packet logs display decoded packet payload information. This information supplements the log message by providing the actual data that triggered the regular expression, which may help you to fine-tune your regular expressions to prevent false positives, or aid in forensic analysis. For information on enabling attack and traffic logs, see Enabling logging on page 327.


Table 130: Viewing Packet Log details
(Figure callouts: Packet Log detail display, Packet Log icon)

GUI item and description:

Packet Log
    This icon is available only when accessing event and traffic logs. Select Packet Log to display all recorded information about the packet payload for a specific log stored on the FortiWeb unit's hard disk. To download the log information, see Viewing log messages on page 331.

Packet Log display area
    Provides detailed packet information about the selected log message.

Customizing the log view


Log messages can be displayed in either raw or formatted view:
    Raw view displays log messages exactly as they appear in the log file.
    Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages, for rapid visual comparison.
When displaying log messages in formatted view, you can customize the log view by hiding, displaying and arranging columns and/or by filtering columns, refining your view to include only those log messages and fields that you want to see.

To display logs in raw or formatted view

1 Go to the tab corresponding to the type of log file that you want to view, such as Log&Report > Log Access > Event.
2 Click the Formatted or Raw icon, depending on which log information view is currently displayed. If you click the Formatted icon, options appear that enable you to display and arrange log columns and/or filter log columns.
Figure 42: Viewing log messages (formatted)


Figure 43: Viewing log messages (raw)

Displaying and arranging log columns


When viewing logs in Formatted view, you can display, hide and re-order columns to display only relevant categories of information in your preferred order. For most columns, you can also filter data within the columns to include or exclude log messages which contain your specified text in that column. For more information, see Filtering log messages on page 339.
Figure 44: Displaying and arranging log columns

To display or hide columns

1 Go to the tab corresponding to the type of log file that you want to view, such as Log&Report > Log Access > Event.
2 Click the Column Settings icon. Lists of available and displayed columns for the log type appear.
3 Select which columns to hide or display:
    In the Available fields area, select the names of individual columns you want to display, then click the single right arrow to move them to the Show these fields in this order area.
    In the Show these fields in this order area, select the names of individual columns you want to hide, then click the single left arrow to move them to the Available fields area.
4 Click OK.

To change the order of the columns

1 Go to the tab corresponding to the type of log file that you want to view, such as Log&Report > Log Access > Event.
2 Click the Column Settings icon. Lists of available and displayed columns for the log type appear.

3 In the Show these fields in this order area, select a column name whose order of appearance you want to change.
4 Click Move Up or Move Down to move the column in the ordered list. Placing a column name towards the top of the Show these fields in this order list will move the column to the left side of the Formatted log view.
5 Click OK.

Filtering log messages


When viewing log messages in formatted view, you can filter columns to display only those log messages that do or do not contain your specified content in that column. By default, most column headings contain a gray filter icon, which becomes green when a filter is configured and enabled.

Note: Filters do not appear in Raw view.

Figure 45: Filter icons
(Callouts: Filter in use (green-color icon), Filter not in use)

To filter log messages by column contents

1 In the heading of the column that you want to filter, click the Filter icon. The applicable filter window appears.
2 If you want to exclude log messages with matching content in this column, mark the check box named NOT. If you want to include log messages with matching content in this column, clear the check box named NOT.
3 Enter the value that matching log messages must contain. The value type varies with the filter you select, such as date values, time values, and so on. Matching log messages will be excluded or included in your view based upon whether you have marked or cleared NOT.
4 For date and time filters, you can specify a range. Select the From and To check boxes and enter a value in the associated field.
5 Click OK. A column's filter icon is green when the filter is currently enabled.

To clear a filter

1 In the heading of the column whose filter you want to clear, click the Filter icon. The filter window appears. A column's filter icon is green when the filter is currently enabled.


2 To disable the filter on this column, click Clear Filter. Alternatively, to clear the filters on all columns, click the Clear All Filters icon.
3 Click OK. A column's filter icon is gray when the filter is currently disabled.

Grouping similar attack log messages


When viewing attack log messages, especially if there are many attacks of the same kind, to the same URL, or to the same web host, you may find it easier to view the log messages when they are grouped by one of those similarities, rather than in sequential order. This action is called log message aggregation.

To group similar attack log messages

1 Go to Log&Report > Log Access > Attack.
2 Click the Log Message Aggregation icon. A dialog appears.
Figure 46: Selecting the log message grouping type

3 In Available fields, select which aspect you want to use when grouping the log messages, then click the right arrow to move it to the Aggregate log by these fields area.
4 Click OK. Attack log messages are no longer in sequential order, but are instead grouped by the similar aspect you selected. To view log messages in a group, click the arrow in that column to expand the set.
Figure 47: Attack log messages viewed when grouped by attack subtype

See Aggregate attack types on page 34 for example uses of aggregation.


Searching attack logs


When viewing attack logs, you may find it easier to locate a specific log using the attack log search function. You can perform an attack log quick search or an advanced search.
Figure 48: Initiating an attack log search
(Callout: Search icon)

Table 131: Setting up an attack log search
(Figure callouts: Search results, Back, Reset search, Generate Log Detail PDF, Advanced search, Log search, Keyword)

GUI item and description:

Quick search keywords
    Enter the keywords you want to search for. These keywords will be used for a quick search or an advanced search. You can enter one keyword or multiple keywords. If a keyword consists of multiple words separated by a space, use quotation marks ( " ) to encapsulate the words as one keyword. If quotation marks are not used, the search will treat each word as an individual keyword. A quick search returns all results that include the specified keyword. For example, entering allow as a keyword will provide results such as: allow_host and waf_allow_method.

Quick log search
    Select the Log Search icon to initiate a quick search for the specified keywords. A quick search is very broad, searching for the keyword in attack log fields, including: subtype, source, destination, source port, destination port, HTTP method, action, policy, service, HTTP host, URL and message. To obtain more precise search results, use the Advanced search option.

Advanced Search
    Select Advanced Search to open the Search Dialog. Click the blue expand arrow to see all the criteria parameters. An advanced search enables you to search for precise terms. It provides results for exact keyword matches, and allows you to search for terms within specific fields of an attack log, including: time and date, sub type, source, destination, source port, destination port, HTTP method, action, policy, service and HTTP host.

Generate Log Detail PDF
    Displayed only after a search is complete. Select to generate a PDF file with details of the selected attack logs. You can generate a PDF only for attack logs shown on the current page (maximum of 30 per page). Once the PDF is generated for the current page, if required, proceed to the next pages and select additional logs for PDF generation.

Reset search
    Select to clear the quick search keyword field.

Back
    Select to return to the full list of attack logs.

Search results
    Displays the list of the attack logs that match the search parameters.


To search for an attack log

1 At the top of the Attack log window, click the Log Search icon.
2 To perform a quick search, go to step 3. To perform an advanced search, go to step 5.
3 Enter the term you want to search in the Keyword box.
4 Select the Log Search icon to initiate the quick search. Continue with step 9.
5 Select Advanced Search to open the Search Dialog.
6 Click the blue arrow to expand the list of search parameters.
7 Enter the advanced search parameters:

Keyword(s)
    Keywords are optional for an advanced search. Enter the exact keywords you want to search for. Unlike a quick search, an advanced search returns only the results that exactly match the specified keywords. For example, entering allow as a keyword will not provide results such as allow_host and waf_allow_method. You must enter the exact terms. If a keyword consists of multiple words separated by a space, use quotation marks ( " ) to encapsulate the words as one keyword. If quotation marks are not used, the search will treat each word as an individual keyword.
    Note: If you entered keywords in the quick search field before opening the advanced Search Dialog, those keywords are retained when the dialog opens, and will be used as part of the parameters for the advanced search. Remove the keyword if it does not apply to your advanced search.


From/To, Hour, Minute
    Select the date and time range that contains the attack log that you are searching for.
    Note: The date fields default to the current date. Ensure the date fields are set to the actual date range that you want to search.

all/any
    Select all if you want to search for all terms specified in the fields shown below the all/any options. For example, if terms are entered in Sub Type and Action, the search results display only the attack logs matching both of those terms.
    Select any if you want to search for any one of the terms specified in the fields shown below the all/any options. For example, if terms are entered in Sub Type, Source, Action and Policy, the search results display the attack logs that match any of those terms.

not
    Select not if you want to search for conditions that exclude a specific term. For example, if an IP address is entered in the Source field, and not is selected, the search results exclude all attack logs with that source IP address.

Log fields
    Lists the fields of an attack log that can be searched for specific terms. Enter the exact terms in the appropriate log fields: Sub Type, Source, Destination, Source Port, Destination Port, HTTP Method, Action, Policy, Service, HTTP Host. To exclude log records that match a criterion, mark its Not check box.

Note: Search results include only exact matches for keywords and terms entered in the advanced Search Dialog. Ensure that the keywords and terms are accurate and relevant to the search and that the date and time fields cover the actual range you want to search.

8 Select OK to initiate the search.
9 The results that match the given search criteria appear in the Search Results.
10 To generate a detailed report of the attack log search results in PDF format, select the Generate Log Detail PDF icon.
Note: A Log Detail report can be generated only for one page of results (30 logs) at a time. After generating a report for one page of results, move to the next page and generate another report, if required.

11 Select Back to return to the full list of attack logs.

Downloading log messages


Log&Report > Log Access > Download enables you to download a specific range of event, attack or traffic logs from the FortiWeb hard disk to your local computer. You can select the log type to download, the start date and time, and the end date and time.
Note: If you want to download an entire event log file (elog), attack log file (alog) or traffic log file (tlog) stored on the FortiWeb hard disk, see Viewing log messages on page 331.


To access this part of the web-based manager, your administrator account's access profile must have Read and Write permission to items in the Log & Report category. For details, see About permissions on page 80.

To download log messages

1 Go to Log&Report > Log Access > Download.
2 Configure the following:

Log Type
    Select the type of logs to download.

System Time
    Displays the date and time according to the FortiWeb unit's clock at the time that this tab was loaded, or when you last clicked the Refresh button.

Time Zone
    Select the time zone in which the FortiWeb unit is located.

Automatically adjust clock for daylight saving changes
    Select the check box to have the system time adjusted twice annually to reflect changes between standard time and daylight savings time. (Not all jurisdictions recognize daylight savings time.)

Start Time
    Choose the starting point for the log download by selecting the year, month and day as well as the hour, minute and second that defines the first of the log messages to download.

End Time
    Choose the end point for the log download by selecting the year, month and day as well as the hour, minute and second that defines the last of the log messages to download.

3 Click Download.
4 If a file download dialog appears, click Save and then choose the directory where you want to save the downloaded log file. The log files are downloaded to the specified directory in a compressed file format (TGZ). You can use commercial file compression and text editing tools to extract and open the compressed log file.

Configuring and generating reports


Log&Report > Report Config > Report Config enables you to configure and generate reports.


When generating a report, FortiWeb units collate information collected from log files and present the information in tabular and graphical format. In addition to log files, FortiWeb units require a report profile in order to generate a report. A report profile is a group of settings that contains the report name, file format, subject matter, and other aspects that the FortiWeb unit considers when generating the report. FortiWeb units can generate reports automatically, according to the schedule that you configure in the report profile, or manually, when you click the Run now icon in the report profile list. You may want to create one report profile for each type of report that you will generate on demand or periodically, by schedule.
Note: Generating reports can be resource intensive. To avoid email processing performance impacts, you may want to generate reports during times with low traffic volume, such as at night or weekends. For more information on scheduling the generation of reports, see Configuring the schedule of a report profile on page 351.

Before you generate a report, collect log data that will be the basis of the report. For information on enabling logging to the local hard disk, see Configuring and enabling logging on page 323. To access this part of the web-based manager, your administrator account's access profile must have Read and Write permission to items in the Log & Report category. For details, see About permissions on page 80.
Table 132: Log&Report > Report Config > Report Config tab
(Figure callouts: Delete, Edit, Run now)

GUI item and description:

Create New
    Click to add a new report profile. For more information, see Configuring a report profile on page 346.

Delete
    In the left column, mark the check boxes of the report profiles that you want to remove, then click the Delete icon. Alternatively, click the Delete icon in the row corresponding to each report profile that you want to remove.

(Check box in column heading.)
    To remove all report profiles, mark the check box in the column heading to select all report profiles, then click the Delete icon. To remove individual report profiles, mark the check box corresponding to each report profile that you want to remove, then click the Delete icon.

Name
    Displays the name of the report profile.

Report Title
    Displays the title of this report.


Schedule
    Displays the scheduled frequency at which the FortiWeb unit generates the report. If this report is not scheduled to be periodically generated according to the schedule configured in the report profile, but instead will be generated only on demand, when you manually click the Run now icon, None appears in this column.

Action
    Click the Delete icon to remove the report profile.
    Click the Edit icon to modify the report profile. For more information, see Configuring a report profile on page 346.
    Click the Run now icon to immediately generate a report using this report profile. This option can be used with both scheduled and on demand report profiles, and occurs independently of any automatic report generation schedules you may have configured. For more information, see Configuring the schedule of a report profile on page 351. To view the resulting report, see Viewing and downloading reports on page 353.

Configuring a report profile


You can create report profiles to define what information will appear in generated reports. To access this part of the web-based manager, your administrator account's access profile must have Read and Write permission to items in the Log & Report category. For details, see About permissions on page 80.

To configure a report profile

1 Go to Log&Report > Report Config > Report Config.
2 Click Create New to add a report profile, or click the Edit icon to modify an existing report profile. A multisection dialog appears.
Figure 49: New report dialog

3 In Report Name, enter a name for the report profile. Report names cannot include spaces.
4 If you are creating or cloning a new report profile, select from Type either to run the report immediately after configuration (On Demand) or run the report at configured intervals (On Schedule).
Note: For on-demand reports, the FortiWeb unit does not save the report profile after generating the report. If you want to save the report profile, but do not want to generate the report at regular intervals, select On Schedule, but then in the Schedule section, select Not Scheduled.


Note: You cannot change the Type when editing a report profile. To change the scheduled/on demand Type, create a new report profile instead.

5 In Report Title, enter a name that will appear in the title area of the report. The title may include spaces.
6 In Description, enter a comment or other description.
7 Click the blue expand arrow next to each section, and configure the following:

Properties
    Select to add logos, headers, footers and company information to customize the report. For more information, see Configuring the headers, footers, and logo of a report profile on page 347.

Report Scope
    Select the time span of log messages from which to generate the report. You can also create a data filter to include in the report only those logs that match a set of criteria. For more information, see Configuring the time period and log filter of a report profile on page 348.

Report Types
    Select one or more subject matters to include in the report. For more information, see Configuring the query selection of a report profile on page 349.

Report Format
    Select the number of top items to include in ranked report subtypes, and other advanced features. For more information, see Configuring the advanced options of a report profile on page 350.

Schedule
    Select when the FortiWeb unit will run the report, such as weekly or monthly. For more information, see Configuring the schedule of a report profile on page 351. This section is available only if Type is On Schedule.

Output
    Select the file formats and destination email addresses, if any, of reports generated from this report profile. For more information, see Configuring the output of a report profile on page 352.

8 Click OK when you complete the applicable sections. On-demand reports are generated immediately; scheduled reports, if you have configured a schedule, are generated at those intervals. For information on viewing generated reports, see Viewing and downloading reports on page 353.

Configuring the headers, footers, and logo of a report profile


When configuring a report profile, you can provide text and logos to customize the appearance of reports generated from the profile.
Table 133: Properties section of a report profile

GUI item and description:

Company Name
    Enter the name of your company or other organization.

Header Comment
    Enter a title or other information to include in the header.


Footer Comment
    Select which information to include in the footer:
    Report Title: Use the text from Report Name.
    Custom: Use other text that you type into the field to the right of this option.

Title Page Logo
    Select either No Logo to omit the title page logo, or Custom to include a logo; then click Select to locate the logo file, and click Upload to save it to the FortiWeb unit's hard disk for use in the report title page.

Header Logo
    Select either No Logo to omit the header logo, or Custom to include a logo; then click Select to locate the logo file, and click Upload to save it to the FortiWeb unit's hard disk for use in the report header. The header logo will appear on every page in PDF- and Microsoft Word (RTF)-formatted reports, and at the top of the page in HTML-formatted reports.

When adding a logo to the report, select a logo file format that is compatible with your selected file format outputs. If you select a logo that is not supported for a file format, the logo will not appear in that output. For example, if you provide a logo graphic in WMF format, it will not appear in PDF or HTML output.
Table 134: Report file formats and their supported logo file formats

PDF reports: JPG, PNG, GIF
RTF reports: JPG, PNG, GIF, WMF
HTML reports: JPG, PNG, GIF

Configuring the time period and log filter of a report profile


When configuring a report profile, you can select the time span of log messages from which to generate the report. You can also filter out log messages that you do not want to include in the report.
Table 135: Time Period section of a report profile

GUI item and description:

Time Period
    Select the time span of the report, such as This Month or Last N Days. Alternatively, select and configure From Date and To Date.

Past N Hours, Past N Days, Past N Weeks
    Enter the number N of the unit of time. This option appears only when you have selected Last N Hours, Last N Days, or Last N Weeks from Time Period, and therefore must define N.

From Date, Hour
    Select and configure the beginning of the time span. For example, you may want the report to include log messages starting from May 5, 2006 at 6 PM. You must also configure To Date.

To Date, Hour
    Select to configure the end of the time span. For example, you may want the report to include log messages up to May 6, at 12 AM. You must also select and configure From Date.


Table 136: Data Filter section of a report profile

GUI item and description:

None
    Select this option to include all log messages within the time span.

Include logs that match the following criteria
    Select this option to include only the log messages within the time span whose values match your filter criteria, then select whether log messages must meet every configured criterion (all) or if meeting any one of them is sufficient (any), and configure the following criteria:
    Priority: Mark the check box to filter by log severity threshold (in raw logs, the pri field), then select the name of the severity and whether to include logs that are greater than or equal to (>=), equal to (=), or less than or equal to (<=) that severity.
    Source(s): Type the source IP address (in raw logs, the src field) that log messages must match.
    Destination(s): Type the destination IP address (in raw logs, the dst field) that log messages must match.
    Http Method(s): Type the HTTP method (in raw logs, the http_method field) that log messages must match.
    User(s): Type the administrator account name (in raw logs, the user field) that log messages must match.
    Action(s): Type the firewall action (in raw logs, the action field) that log messages must match.
    Subtype(s): Type the subtype (in raw logs, the subtype field) that log messages must match.
    Policy(s): Type the policy name (in raw logs, the policy field) that log messages must match.
    Service(s): Type the source IP address (in raw logs, the src field) that log messages must match.
    Message(s): Type the message (in raw logs, the msg field) that log messages must match.
    Day of Week: Mark the check boxes for the days of the week whose log messages you want to include.
    To exclude the log messages which match a criterion, mark its not check box, located on the right-hand side of the criterion.
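The advanced attack log search (step 7 of To search for an attack log) and this report data filter apply the same matching rules: a term matches a log field only as an exact whole value, the configured criteria are combined with all or any, and a not check box inverts one criterion; the quick search, by contrast, treats each keyword as a substring, which is why allow matches allow_host and waf_allow_method there but not in an advanced search. The following Python is an added example, not FortiWeb code, that runs those rules over a few constructed raw log lines so the difference between the two search modes and the effect of all/any/not can be checked. It assumes a key=value raw log line format using the field names this guide lists for raw logs (pri, src, dst, http_method, action, subtype, policy, msg); the sample lines, the subtype and policy values, and the severity ordering used for the Priority threshold are all constructed for the example.

```python
"""Added example (not FortiWeb code): quick search versus all/any/not criteria.

Assumes a key=value raw log format with the field names the guide lists for
raw logs (pri, src, dst, http_method, action, subtype, policy, msg). Sample
lines, subtype/policy values and the severity ordering are constructed.
"""
import re
import shlex
from typing import Dict, List, Optional, Sequence, Tuple

# Assumed ordering of pri values, least to most severe (constructed).
SEVERITY_ORDER = ["information", "notification", "warning", "error",
                  "critical", "alert", "emergency"]

# Constructed sample raw log lines; not captured FortiWeb output.
SAMPLE_LOGS = [
    'date=2011-06-16 time=10:01:02 pri=alert subtype=allow_host src=10.0.0.5 '
    'dst=192.0.2.10 http_method=GET action=Alert policy=web_policy1 '
    'service=http msg="Host not allowed"',
    'date=2011-06-16 time=10:02:17 pri=warning subtype=waf_allow_method '
    'src=10.0.0.6 dst=192.0.2.10 http_method=TRACE action=Deny '
    'policy=web_policy1 service=http msg="Method not permitted"',
    'date=2011-06-16 time=10:05:44 pri=critical subtype=sql_injection '
    'src=10.0.0.5 dst=192.0.2.11 http_method=POST action=Deny '
    'policy=web_policy2 service=https msg="SQL injection attempt"',
    'date=2011-06-16 time=10:07:03 pri=information subtype=session_started '
    'src=10.0.0.7 dst=192.0.2.10 http_method=GET action=Alert '
    'policy=web_policy1 service=http msg="Session started"',
]

# key=value tokens; a value is either a double-quoted string or a bare word.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
Criterion = Tuple[str, str, bool]   # (field, exact value, negate via "not")
Priority = Tuple[str, str]          # (operator ">=", "=" or "<=", severity name)


def parse_raw_log(line: str) -> Dict[str, str]:
    """Parse one key=value line into a dict, stripping quotes from quoted values."""
    return {key: value.strip('"') for key, value in TOKEN_RE.findall(line)}


def parse_keywords(text: str) -> List[str]:
    """Split keyword text; a quoted phrase stays one keyword, as in the search dialog."""
    return shlex.split(text)


def quick_search(logs: Sequence[Dict[str, str]], keyword_text: str) -> List[Dict[str, str]]:
    """Quick search: a keyword matches when it is a substring of any field value."""
    keywords = parse_keywords(keyword_text)
    return [log for log in logs
            if any(kw in value for kw in keywords for value in log.values())]


def matches_criteria(log: Dict[str, str], criteria: Sequence[Criterion],
                     mode: str = "all") -> bool:
    """Exact whole-value matching. mode is 'all' or 'any'; negate implements 'not'."""
    if not criteria:
        return True
    outcomes = [(log.get(field) == value) != negate for field, value, negate in criteria]
    return all(outcomes) if mode == "all" else any(outcomes)


def meets_priority(log: Dict[str, str], op: str, name: str) -> bool:
    """Priority threshold (>=, =, <=) against the assumed severity ordering."""
    have = SEVERITY_ORDER.index(log.get("pri", "information"))
    want = SEVERITY_ORDER.index(name)
    return {">=": have >= want, "=": have == want, "<=": have <= want}[op]


def search_logs(logs: Sequence[Dict[str, str]], criteria: Sequence[Criterion],
                mode: str = "all", priority: Optional[Priority] = None) -> List[Dict[str, str]]:
    """Advanced search / data filter: optional priority threshold plus all/any/not criteria."""
    return [log for log in logs
            if (priority is None or meets_priority(log, *priority))
            and matches_criteria(log, criteria, mode)]


LOGS = [parse_raw_log(line) for line in SAMPLE_LOGS]

if __name__ == "__main__":
    print("quick search 'allow':", [l["subtype"] for l in quick_search(LOGS, "allow")])
    print("exact subtype=allow:", search_logs(LOGS, [("subtype", "allow", False)]))
    print("src=10.0.0.5 AND action=Deny:",
          [l["subtype"] for l in search_logs(LOGS, [("src", "10.0.0.5", False),
                                                    ("action", "Deny", False)])])
```

The quick search deliberately scans every parsed field, which is the guide's description of it as "very broad"; the advanced path only ever compares whole values, so a search for allow returns nothing while allow_host returns the one matching record.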

Configuring the query selection of a report profile


When configuring a report profile, you can select one or more queries or query groups that define the subject matter of the report.


Each query group contains multiple individual queries, each of which corresponds to a chart that will appear in the generated report. You can select all queries within the group by marking the check box of the query group, or you can expand the query group and then individually select each query that you want to include. For example:
- If you want the report to include charts about both normal traffic and attacks, you might enable both of the query groups Attack Activity and Event Activity.
- If you want the report to specifically include only a chart about top system event types, you might expand the query group Event Activity, then enable only the individual query Top Event Types.

Figure 50: Report Type(s) section of a report profile

Configuring the advanced options of a report profile


When configuring a report profile, you can configure various advanced options that affect how many log messages are used to formulate ranked report subtypes, and how results will be displayed.

Table 137: Report Format section of a report profile

Include reports with no matching data
  Enable to include reports for which there is no data. In this instance, a blank report appears in the summary. You might enable this option to verify inclusion of report types selected in the report profile when filter criteria or absent logs would normally cause the report type to be omitted.

Ranked Reports
  Ranked reports (top x, or top y of top x) can include a different number of results per cross-section, then combine remaining results under Others. For example, in Top Sources By Top Destination, the report includes the top x destination IP addresses, and their top y source IP addresses, then groups the remaining results. You can configure both x and y in the Advanced section of Report Format.
  In ranked reports (top n report types, such as Top Attack Type), you can specify how many items from the top rank will be included in the report. For example, you could set the Top Attack URLs report to include up to 30 of the top n denied URLs by entering 30 for values of the first variable 1..30.
  Some ranked reports rank not just one aspect, but two, such as Top Sources By Top Destination: this report ranks top source IP addresses for each of the top destination IP addresses. For these double ranked reports, you can also configure the rank threshold of the second aspect by entering the second threshold in values of the second variable for each value of the first variable 1..30.
  Note: Reports that do not include Top in their name display all results. Changing the Ranked Reports values will not affect these reports.

Include Summary Information
  Enable to include a summary of the report profile settings.

Include Table of Contents
  Enable to include a table of contents for the report.
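The "top y of top x" ranking with an Others bucket is worth seeing as code, because the thing to verify when reading such a report is that the Others rows really account for everything that fell below the thresholds. The following is an added example for this guide, not the FortiWeb report engine: it computes a Top Sources By Top Destination ranking from constructed hit counts and includes a total check. The field names src and dst follow Table 136; the data and the function names are the example's own.

```python
from collections import Counter, defaultdict

# Constructed (source IP, destination IP, hits) triples; sample data for this example,
# not records taken from a FortiWeb unit. Counts are distinct so the ranking has no ties.
HITS = [
    ("10.0.0.5", "192.0.2.10", 3), ("10.0.0.7", "192.0.2.10", 2), ("10.0.0.9", "192.0.2.10", 1),
    ("10.0.0.8", "192.0.2.11", 3), ("10.0.0.5", "192.0.2.11", 1),
    ("10.0.0.5", "192.0.2.12", 2),
    ("10.0.0.9", "192.0.2.13", 1),
]
# Expand the counts into one record per hit, the shape a log query would return
RECORDS = [{"src": src, "dst": dst} for src, dst, n in HITS for _ in range(n)]


def top_sources_by_top_destination(records, top_x, top_y, others="Others"):
    """Build a 'top y of top x' ranking.

    Keep the top_x destinations by hit count and, for each of them, the top_y sources.
    Sources below the second threshold are folded into an Others entry inside that destination's
    row; destinations below the first threshold are folded into a single Others row.
    """
    dst_counts = Counter(r["dst"] for r in records)
    src_by_dst = defaultdict(Counter)
    for r in records:
        src_by_dst[r["dst"]][r["src"]] += 1

    ranked_dsts = dst_counts.most_common()  # highest count first
    report = {}
    for dst, _ in ranked_dsts[:top_x]:
        ranked_srcs = src_by_dst[dst].most_common()
        row = dict(ranked_srcs[:top_y])
        leftover = sum(count for _, count in ranked_srcs[top_y:])
        if leftover:
            row[others] = leftover
        report[dst] = row

    leftover_dsts = sum(count for _, count in ranked_dsts[top_x:])
    if leftover_dsts:
        report[others] = {others: leftover_dsts}
    return report


def report_total(report):
    """Total hits represented in the report. It must equal the number of input records;
    if it does not, the Others grouping dropped or double counted something."""
    return sum(sum(row.values()) for row in report.values())


if __name__ == "__main__":
    ranking = top_sources_by_top_destination(RECORDS, top_x=2, top_y=2)
    for dst, row in ranking.items():
        print(dst, row)
    print("total", report_total(ranking), "of", len(RECORDS))
```

With the first variable set to 2 and the second to 2, the sample yields two destination rows plus an Others row, and the Others entries carry 1 hit (third source of the busiest destination) and 3 hits (the two destinations that did not rank). Raising both thresholds above the number of distinct values makes every Others entry disappear, which is the behaviour the Note above describes for reports without Top in their name.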

Configuring the schedule of a report profile


When configuring a report profile, you can select whether the FortiWeb unit will generate the report on demand or according to the schedule that you configure.
Note: Generating reports can be resource-intensive. To improve performance, schedule reports during times when traffic volume is low, such as at night or during weekends.

Table 138: Schedule section of a report profile

Schedules
  Not Scheduled: Select if you do not want the FortiWeb unit to generate the report automatically according to a schedule. If you select this option, the report will only be generated on demand, when you manually click the Run now icon in the report profile list. For more information, see Configuring and generating reports on page 344.
  Daily: Select to generate the report each day. Also configure Time.
  These Days: Select to generate the report on specific days of each week, then mark the check boxes for those days. Also configure Time.
  These Dates: Select to generate the report on specific dates of each month, then enter those date numbers. Separate multiple date numbers with a comma. Also configure Time. For example, to generate a report on the first and 30th day of every month, enter 1,30.

Time
  Select the time of the day when the report will be generated. This option does not apply if you have selected Not Scheduled.
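When you keep report schedules in a change-management system or want to predict when a profile will next run, it helps to have the Schedule section's rules written down as code. The following is an added example for this guide, not Fortinet's scheduler: it parses a These Dates value such as 1,30 and decides whether a profile is due at a given minute. The dictionary layout of the schedule is the example's own; the behaviour for a date number that does not exist in a given month (for example 31 in June) is not described on this page, and the example simply does not fire on such days.

```python
from datetime import datetime


def parse_dates(text):
    """Parse the These Dates field ("1,30") into a sorted list of distinct day-of-month numbers."""
    days = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        day = int(part)
        if not 1 <= day <= 31:
            raise ValueError(f"day of month out of range: {day}")
        days.add(day)
    return sorted(days)


def is_due(schedule, now):
    """Return True if a report profile with this Schedule section should run at 'now'.

    schedule: {"type": "Not Scheduled" | "Daily" | "These Days" | "These Dates",
               "time": "HH:MM", "days": [weekday names], "dates": "1,30"}
    now: a datetime or a "YYYY-MM-DD HH:MM" string. Comparison is at minute granularity.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M")
    kind = schedule["type"]
    if kind == "Not Scheduled":
        return False  # on-demand only (Run now)
    run_at = datetime.strptime(schedule["time"], "%H:%M")
    if (now.hour, now.minute) != (run_at.hour, run_at.minute):
        return False
    if kind == "Daily":
        return True
    if kind == "These Days":
        return now.strftime("%A") in schedule["days"]
    if kind == "These Dates":
        # Assumption of this example: a date such as 31 never matches in a shorter month
        return now.day in parse_dates(schedule["dates"])
    raise ValueError(f"unknown schedule type: {kind}")


if __name__ == "__main__":
    monthly = {"type": "These Dates", "time": "03:00", "dates": "1,30"}
    for stamp in ("2011-06-01 03:00", "2011-06-16 03:00", "2011-06-30 03:00"):
        print(stamp, is_due(monthly, stamp))
```

The example follows the Note above in spirit: a schedule placed at 03:00 on the 1st and 30th runs outside busy hours, and the function makes it easy to confirm that two profiles will not land on the same minute.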

Configuring the output of a report profile


When configuring a report profile, you can select one or more file formats in which to save reports generated from the profile. You can also configure the FortiWeb unit to email the reports to specific recipients.
Table 139: Output section of a report profile

File Output
  Enable the file formats that you want to generate and store on the FortiWeb unit's hard drive. HTML reports are always generated (indicated by the permanently enabled check box), but you may also choose to generate reports in:
  - PDF
  - MS Word
  - plain text (Text)
  - MIME HTML (MHT, which can be included in email)

Email Output
  Enable the file formats that you want to generate for an email that will be mailed to the recipients defined by the email policy.

Email Policy
  Select the predefined email policy that you want to associate with the report output. This email policy determines who receives the report email. For more information on configuring email policy, see Configuring email policies on page 317.

Email Subject
  Type the subject line of the email.

Email Body
  Type the message body of the email.

Email Attachment Name
  Type a file name that will be used for the attached reports.

Compress Report Files
  Enable to enclose the generated report formats in a compressed archive, as a single attachment.


Viewing and downloading reports


Log&Report > Report Browse > Report Browse displays a list of reports that have been generated from the report profiles. You can view, delete, and/or download generated reports. FortiWeb units can generate reports automatically, according to the schedule that you configure in the report profile, and/or manually, when you click the Run now icon on the Log&Report > Report Browse > Report Config tab. For more information, see Configuring and generating reports on page 344.
Table 140: Log&Report > Report Browse > Report Browse tab

Refresh
  Click to refresh the display with the current list of completed, generated reports.

Delete
  In the column containing check boxes, in each row corresponding to a report that you want to delete, mark the check box, then click the Delete icon.

Go to first page
  Click to display the first page in the list of generated reports. This icon is gray and disabled if you are currently on the first page.

Go to previous page
  Click to display the previous page. This icon is gray and disabled if you are currently on the last page.

(Text field with no label.)
  Type a page number, then press Enter to display that page in the list of generated reports. This field cannot be modified if there is only one page in the list of generated reports.

Go to next page
  Click to display the next page. This icon is gray and disabled if you are currently on the first page.

Go to the last page
  Click to display the last page in the list of generated reports. This icon is gray and disabled if you are currently on the last page.

(Check box with no column heading.)
  In the column containing check boxes, in each row corresponding to a report that you want to delete, mark the check box, then click the Delete icon.

Report Files
  Displays the name of the generated report, the date and time at which it was generated, and, if necessary to distinguish it from other reports generated at that time, a sequence number. For example, Report_1-2008-03-31-2112_018 is a report named Report_1, generated on March 31, 2008 at 9:12 PM. It was the nineteenth report generated at that date and time (the first report generated at that time did not have a sequence number).
  To view the report in HTML format, click the name of the report. The report appears in a pop-up window.
  To view only an individual section of the report in HTML format, click the blue triangle next to the report name to expand the list of HTML files that comprise the report, then click one of the file names.

Started
  Displays the date and time when the FortiWeb unit started to generate the report.

Finished
  Displays the date and time when the FortiWeb unit completed the generated report.

Size (bytes)
  Displays the file size in bytes of each of the HTML files that comprise an HTML-formatted report. This column is empty for the overall report, and contains sizes only for its component files.

Other Formats
  Click the name of an alternative file format, if any were configured to be generated by the report profile, to download the report in that file format.

Action
  Click the Delete icon to remove the report. Click Rename to rename a generated report.

Note: To reduce the amount of hard disk space consumed by reports, regularly download then delete generated reports from the FortiWeb unit.
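The Note above asks you to download and then delete old reports regularly. Once the reports are on an administrative host, the file name format described under Report Files (name, generation date and time, optional three-digit sequence number) is all you need to pick out the stale ones. The following is an added example written for this guide, not a Fortinet tool: it parses that name format and lists the files older than a retention window. The file names are constructed for the example; only the first one is taken from the text above.

```python
import re
from datetime import datetime, timedelta

# Constructed file names in the format described under Report Files; the first is the
# example from the table, the rest are made up for this example.
REPORT_FILES = [
    "Report_1-2008-03-31-2112_018",
    "Report_1-2008-03-31-2112",
    "Weekly-Summary-2011-06-10-0300",
    "Weekly-Summary-2011-06-15-0300_001",
]

# <profile name>-<YYYY-MM-DD>-<HHMM>[_<NNN>]; the name itself may contain hyphens,
# so the date and time are anchored at the end of the string.
NAME_RE = re.compile(r"^(?P<name>.+)-(?P<date>\d{4}-\d{2}-\d{2})-(?P<time>\d{4})(?:_(?P<seq>\d{3}))?$")


def parse_report_filename(filename):
    """Return {"name", "generated", "ordinal"} for a generated-report file name.

    ordinal is the report's position among those generated in the same minute:
    no suffix means the first, and suffix _018 means the nineteenth, as the table explains.
    """
    m = NAME_RE.match(filename)
    if not m:
        raise ValueError(f"not a report file name: {filename}")
    generated = datetime.strptime(m["date"] + m["time"], "%Y-%m-%d%H%M")
    seq = m["seq"]
    return {"name": m["name"], "generated": generated, "ordinal": int(seq) + 1 if seq else 1}


def reports_older_than(filenames, now, days):
    """List the file names generated more than 'days' days before 'now' (datetime or 'YYYY-MM-DD HH:MM')."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M")
    cutoff = now - timedelta(days=days)
    return [f for f in filenames if parse_report_filename(f)["generated"] < cutoff]


if __name__ == "__main__":
    for f in REPORT_FILES:
        info = parse_report_filename(f)
        print(f"{f}: profile {info['name']}, generated {info['generated']}, number {info['ordinal']}")
    print("older than 7 days:", reports_older_than(REPORT_FILES, "2011-06-16 12:00", 7))
```

Run it against a directory listing of downloaded reports before deleting anything on the unit, so the deletion set is computed from names you have already saved rather than from the unit's own list.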

Fine tuning and best practices


This chapter is a collection of fine-tuning and best practice tips and guidelines to help you configure the most secure and reliable operation of your FortiWeb units. This chapter includes:
- Avoiding problems
- Tuning security
- Tuning high availability (HA)
- Tuning policy
- Tuning performance

Avoiding problems
As you configure your FortiWeb unit and integrate it effectively into your network, take care not to create problems and setbacks. FortiWeb includes powerful commands and options (features needed for efficient management) that, if misused or mistimed, can undo your hard work. Here is a list of tips to avoid problems:

Set operation mode
Once the FortiWeb unit is set up and integrated with your network, there is little reason to change its operation mode. Do not do so unless you have a compelling reason. If you must change the mode, first back up your configuration. Changing between very different modes deletes any policies not applicable to the new mode, all static routes, all v-zone IPs and all VLAN settings. (You can switch between the two types of transparent mode without encountering these problems.) See Configuring the operation mode on page 71.

Perform backups
Perform backups before executing potentially configuration-altering actions:
- Before upgrading the firmware, always perform a full backup, including configurations.
- Back up your configuration before running CLI commands that can change your settings, such as execute factoryreset and execute restore.
- Back up your configuration before clicking the Reset button in the System Information console on the dashboard.
- Back up your configuration before changing operation mode.

There are two backup methods available:
- manual, as shown in Figure 51 (see Backing up and restoring configurations on page 96)
- via FTP, as shown in Figure 52 (see Configuring an FTP backup and schedule on page 98)

To lessen the impact on performance, set the FTP backup time to off-peak hours or weekends.


Figure 51: Backup & Restore under System > Maintenance

Figure 52: FTP Backup under System > Maintenance

Download log messages Event log messages stored in memory are cleared when the FortiWeb unit shuts down. Use the log download feature to save the log before shutting down. See Downloading log messages on page 343.


Disable web anti-defacement If you use the web anti-defacement feature, make sure you turn it off before you change your site during updates; otherwise, the feature may undo all your changes. On the Web Site with Anti-Defacement tab, select the Edit icon next to the applicable web site. On the edit dialog, clear the check box next to Enable Monitor and Restore Changed Files Automatically. Enable this option later when you complete your site updates. (See Configuring anti-defacement on page 293.)

Tuning security
FortiWeb is designed to enhance the security of your web sites and web servers, and when fully configured, it can automatically plug holes commonly used by attackers to compromise a system. This section lists tips for further enhancing security.

Administrator security
As soon as possible during initial FortiWeb setup, give the default administrator, admin, a password. This administrator has the highest level of permissions available, and access to this administrator should be limited to as few people as possible.
Change all administrator passwords regularly. Set a policy, such as every 60 days, and follow it. (To see the dialog in Figure 53, click the Edit Password icon to reveal the password dialog.)

Figure 53: Edit Password under System > Admin > Administrator

Instead of allowing administrative access to the FortiWeb unit from any source, restrict it to trusted internal hosts. See Figure 54 and Configuring trusted hosts on page 78.


Figure 54: Edit Administrator under System > Admin > Administrators

Do not use the default administrator access profile for all new administrators. Create one or more access profiles with limited permissions tailored to the responsibilities of the new administrator accounts. See Configuring access profiles on page 78.
By default, an administrator login that is idle for more than five minutes times out. You can change this to a longer period on the Administrators Settings dialog shown in Figure 55, but Fortinet does not recommend it. A web-based manager GUI or CLI session left unattended lets anyone change your settings.
Administrator passwords should be at least six characters long and include both numbers and letters. For additional security, select the Enable Strong Passwords option on the Administrators Settings dialog, shown in Figure 55, to force the use of stronger passwords. See Configuring the web-based manager's global settings on page 82.


Figure 55: Settings under System > Admin

Restrict the interface used for administrative access (usually port1) to just the access protocols needed, as shown in Figure 56.

Figure 56: Edit Interface under System > Network

Use only the most secure protocols. Disable Telnet. Disable ping except during troubleshooting. Use HTTP only if the network interface connects to a trusted private network. See Configuring the network and VLAN interfaces on page 50.


Data security
To protect your web servers, install the FortiWeb unit or units between the web servers and a general purpose firewall. FortiWeb units do not replace firewalls. Make sure web traffic cannot bypass the FortiWeb unit in a complex network environment.
Restrict the interfaces used for non-administrative access to just the access protocols your applications need, as shown in Figure 56. For example, disable Telnet: it is insecure and rarely needed. Disable ping except during troubleshooting. See Configuring the network and VLAN interfaces on page 50.
If enabled to do so, a FortiWeb unit will hide selected data types, including user names and passwords, that could appear in the packet payloads accompanying a log message. You can also define your own sensitive data types, such as ages or other identifying numbers, using regular expressions and hide them too. See Obscuring sensitive data in the logs on page 329.
FortiWeb does not encrypt or obfuscate user passwords when downloading a configuration backup file. If you have local user accounts, the passwords will be in plain text. Store configuration backup files in a secure location.
Upgrade to the latest available firmware to take advantage of new definitions for predefined robots, data types, suspicious URLs, and attack signatures. There are two methods available:
- manual, as shown in Figure 57 (see Uploading signature updates on page 101)
- scheduled, as shown in Figure 58 (see Scheduling signature updates on page 102)

Figure 57: Update Signature under System > Maintenance


Figure 58: Auto Update under System > Maintenance

Tuning high availability (HA)


To enhance availability, set up two FortiWeb units to act as an active-passive high availability (HA) pair. If your primary FortiWeb unit fails, the backup FortiWeb unit can continue processing web traffic with only a minor interruption. For details, see Configuring high availability (HA) on page 61.
Figure 59: HA-Config under System > Config

Keep these points in mind when setting up an HA pair:



Isolate HA interface connections from your overall network. Heartbeat and synchronization packets contain sensitive configuration information and can consume considerable network bandwidth. For best results, directly connect the two HA interfaces using a crossover cable. If your system uses switches instead of crossover cables to connect the HA heartbeat interfaces, those interfaces must be reachable by Layer2 Multicast. For details, see the FortiWeb Install and Setup Guide.

When configuring an HA pair, pay close attention to the options ARP packets numbers and ARP packet interval as shown in Figure 59. The FortiWeb unit broadcasts ARP packets to the network to ensure timely failover. This broadcast can slow performance, so set the value of ARP packets numbers no higher than needed. When the FortiWeb unit broadcasts ARP packets, it does so at regular intervals. For performance reasons, set the value for ARP packet interval no greater than required. Some experimentation may be needed to set these options at their optimum value. See Configuring high availability (HA) on page 61.

Set an SNMP HA heartbeat alert


Use SNMP to generate a message if the HA heartbeat fails.
Figure 60: SNMP community setting under System > Config > SNMP

Configure an SNMP community and select the HA heartbeat failed option in the SNMP Event list, as shown in Figure 60. For details, see Configuring the SNMP agent on page 66.

Tuning policy
The backbone of a FortiWeb unit's web site protection is the application of server policies. Here are a few tips to help avoid problems and increase performance:
- Disable or delete policies and policy settings with care. Any changes made to policies take effect immediately.
- Verify that all physical web servers are covered by a policy. If a server has no associated policy or all policies for it are disabled, FortiWeb will not monitor web traffic to that web server. In reverse proxy mode, FortiWeb will block traffic to servers without an enabled policy.
- The FortiWeb unit applies the many types of rules, policies and data scans in a set order. (See Order of execution on page 190.) Within certain policies, such as URL access policy, FortiWeb executes the rules in the priority you assign. Review the logic of your web protection policies to make sure they deliver the web protection you expect.


- When you have multiple policies or rules that apply to one configuration item (for example, a server), make sure they are processed in order from the most specific to the most general. Policy matches are checked from the top of the list downward, so place specific server policies at the top of the list. A very general policy matches all connection attempts; if you create a policy that contains exceptions, you want it processed before the general policy.
- For example, when creating a content filter for XML protection profiles, arrange the priority of content filter rules from most specific to most general, as shown in Figure 61, because only the first matching content filter rule is applied. This prevents general content filter rules, which match a wide range of traffic and whose action is Accept or Deny, from superseding and effectively masking other content filter rules whose action is Alert. See Configuring content filter rules on page 166.

Figure 61: Edit Content Filter under XML Protection > Content Filter
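The masking effect described above (a broad Accept or Deny rule placed before a narrower Alert rule, so the Alert rule never fires) can be detected mechanically before a rule list goes live. The following is an added example for this guide, not FortiWeb code: it models a first-match rule list as URL path prefixes, reports rules that are unreachable because an earlier, more general prefix already covers them, and reorders the list most-specific-first. Prefix matching is an assumption of the example chosen so that "more general" has an exact meaning; the rule list is constructed.

```python
# Constructed first-match rule list (path prefix, action), in the order it would be evaluated.
RULES = [
    ("/admin/", "Deny"),
    ("/", "Accept"),      # general catch-all placed too early
    ("/api/", "Alert"),   # unreachable: "/" already matches everything under /api/
]


def first_match(rules, path):
    """First-match semantics: the first rule whose prefix matches the request path decides."""
    for prefix, action in rules:
        if path.startswith(prefix):
            return action
    return None  # no rule matched


def shadowed_rules(rules):
    """Return (index, prefix, action) for rules that can never fire.

    A rule is shadowed when an earlier rule's prefix is a prefix of its own prefix,
    because every path the later rule would match has already matched the earlier one.
    """
    shadowed = []
    for i, (prefix, action) in enumerate(rules):
        for earlier_prefix, _ in rules[:i]:
            if prefix.startswith(earlier_prefix):
                shadowed.append((i, prefix, action))
                break
    return shadowed


def order_specific_first(rules):
    """Stable sort with longer (more specific) prefixes first, so exceptions are
    evaluated before catch-alls. Rules of equal length keep their relative order."""
    return sorted(rules, key=lambda rule: len(rule[0]), reverse=True)


if __name__ == "__main__":
    print("shadowed as configured:", shadowed_rules(RULES))
    print("/api/order.xml as configured ->", first_match(RULES, "/api/order.xml"))
    fixed = order_specific_first(RULES)
    print("shadowed after reordering:", shadowed_rules(fixed))
    print("/api/order.xml after reordering ->", first_match(fixed, "/api/order.xml"))
```

As configured, a request for /api/order.xml is accepted silently and the Alert rule is dead; after reordering it produces the alert and the catch-all still handles everything else. The same check applies to any first-match list on the unit, whether content filter rules or URL access rules.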

Tuning performance
When configuring your FortiWeb unit and its features, there are many settings and practices that can yield better performance.

System performance
- Verify that the system time and time zone are correct. Many features rely on a correct system time. See Configuring system time on page 100.
- To reduce latency associated with DNS queries, use a DNS server on your local network as your primary DNS. See Configuring the DNS settings on page 58.
- Where applicable, create one or more VLAN interfaces. VLANs reduce the size of a broadcast domain and the amount of broadcast traffic received by network hosts, thus improving network performance. See Adding a VLAN subinterface on page 53.

Log and report performance
- If you do not need a traffic log, turn off that feature to reduce the use of system resources. See Enabling logging on page 327.
- Reduce repetitive log messages. Use the alert email policy, as shown in Figure 62, to define the interval that emails are sent if the same condition persists following the initial occurrence. See Configuring email policies on page 317.


Figure 62: Email Policy under Log&Report > Log Policy

- Avoid recording log messages using low severity thresholds, such as information or notification, to the local hard disk for an extended period of time. Excessive logging frequency saps system resources, can cause undue wear on the hard disk and may cause premature failure. See Configuring global log settings on page 324.
- Generating reports can be resource intensive. To avoid performance impacts, consider scheduling report generation during times with low traffic volume, such as at night and on weekends. See Figure 63 and Configuring the schedule of a report profile on page 351.


Figure 63: Report Config under Log&Report

Feature configuration performance
- Each URL on an auto-learning report includes the right-click menu option Stop Learning. By selecting this option for a URL that you know is complex and hard to track effectively, or that may generate inaccurate data, you reduce processing resources. See Viewing auto-learning reports on page 282. FortiWeb no longer gathers report data for a stopped URL.
- Once you have collected enough auto-learning data for generating protection profiles, consider turning off the auto-learning function to save resources. To do so, deselect the auto-learning profile in applicable server policies. See Configuring server policies on page 118.
- If you have enabled the server health check feature as part of a server farm and one of the servers is down for an extended period, you may improve the performance of your FortiWeb unit by disabling the physical server, rather than allowing the server health check to continue checking for the server's responsiveness. See Configuring server health checks on page 143.
- Tune the list of predefined data type groups to include just those the FortiWeb unit is likely to encounter when gathering data for an auto-learning report. By pruning the list shown in Figure 64, you reduce the resources used by the FortiWeb unit. See Grouping predefined data types on page 150.


Figure 64: Data Type Group under Server Policy > Predefined Pattern

When configuring a suspicious URL rule, clear one or more server type options if you do not operate all three web servers, as shown in Figure 65. By pruning the list, you reduce the resources used by the FortiWeb unit when applying the rule. See Grouping suspicious URLs on page 154.

Figure 65: Suspicious URL Rule under Server Policy > Predefined Pattern

When you configure a server protection rule as part of a web protection profile, consider limiting the scope and application of the Information Disclosure options shown in Figure 66. (Click the blue arrow next to Information Disclosure to see the list.) Do you need to watch for all the information types? If not, clear applicable options to increase performance. See Configuring server protection rules on page 201.


Figure 66: Server Protection Rule under Web Protection > Server protection Rule

The Information Disclosure feature can potentially require the FortiWeb unit to rewrite the header and body of every request from a server, resulting in reduced performance. Fortinet recommends enabling this feature only to help you identify information disclosure through logging, and only until you can reconfigure the server to omit such sensitive information. Clear the All / None option to disable the feature.
If you use the web anti-defacement feature, tune your configuration to avoid backing up overly large files. See Figure 67 and Configuring anti-defacement on page 293.


Figure 67: Web Anti-Defacement under Web Anti-Defacement

Unless you need to back up large files, reduce the setting for the Skip Files Larger Than option from the default of 10 240 KB. Use the Skip Files With These Extensions option to exclude specific types of large files, such as compressed files and video clips.

Troubleshooting tip
Packet capture can be useful for troubleshooting but can be resource intensive. (See Debug the packet flow on page 378.) To minimize the performance impact on your FortiWeb unit, use packet capture only during periods of minimal traffic. Use a serial console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.


Troubleshooting
This chapter provides guidelines to help you determine why your FortiWeb unit is behaving unexpectedly. It includes general troubleshooting methods and specific troubleshooting tips using both the command line interface (CLI) and the web-based manager. Some CLI commands provide troubleshooting information not available through the web-based manager. The web-based manager is better suited for viewing large amounts of information on screen, reading logs and archives, and viewing status through the dashboard. This chapter includes:
- Establish a system baseline
- Check traffic flow
- Define the problem
- Search for a known solution
- Create a troubleshooting plan
- Gather system information
- Troubleshoot connectivity issues
- Troubleshoot resource issues
- Troubleshoot user and admin login issues
- Troubleshoot bootup issues
- Contact Fortinet customer support for assistance

Establish a system baseline


Before you can clearly define an abnormal operation, you need to know what the normal operating status is. You can create a repository of this baseline information by keeping logs, and by regularly running information gathering commands and saving the output. When there is a problem, this regular operation data helps you determine what has changed.
It is a good idea to back up the FortiWeb unit's configuration regularly. If you accidentally change something, the backup can help you restore normal operation quickly and easily. Backups also can aid in troubleshooting. For details, see Backing up and restoring configurations on page 96.

Check traffic flow


One of your first tests should be to establish if the FortiWeb unit is actually monitoring or inspecting web traffic on your web servers. Before going further, make these basic configuration and traffic flow checks:
- Is there a server policy applied to the web server or servers FortiWeb was installed to protect? Your FortiWeb unit will not allow traffic to a web server without a server policy for that server if the operation mode is reverse proxy.


- If a server policy exists for the web server, does the server policy reference an auto-learning profile?
  - If yes, check your auto-learning report to see if the profile is gathering data. Go to Auto Learn > Auto Learn Report and click the Detail icon to view the report.
  - If no, create an auto-learning profile and see if it gathers data. When an auto-learning profile is in effect, it should gather data if you have web traffic.
- If your system utilizes secure connections (HTTPS and SSL) and there is no traffic flow, is there a problem with your certificate?
- If you run a test attack from a browser aimed at your web site, does it show up in the attack log? To execute a simple attack, append the cmd.exe command to your site's URL, for example www.example.com/cmd.exe. Under normal circumstances, you should see a new common exploit entry, such as a start page violation, in the Attack Log widget of the system dashboard.

If your server policies are correct and your certificate, if applicable, is valid, then move on to Define the problem on page 370, and be sure to look for connectivity problems as described in Troubleshoot connectivity issues on page 373.

Define the problem


Before you can solve a problem, you need to understand it. Often this step can be the longest in this process. Before starting to troubleshoot a problem, answer these questions:

Where and when did the problem occur?

Has it ever worked before? If the unit never worked properly, you may not want to spend time troubleshooting something that could well be defective.

Does your configuration rely on HTTPS or SSL? If yes, make sure your certificate is loaded and valid.

Where does the problem lie? Be specific. Do not assume the problem being experienced is the actual problem. First determine if the FortiWeb unit's problem lies elsewhere before starting to troubleshoot the unit.

Is it a connectivity issue? Can your FortiWeb unit communicate with your network and the Internet? Is there a connection to a DNS server?

Is there more than one thing not working? Make a list.

Is it partly working? If so, what parts are working? Make a list.

Can the problem be reproduced at will or is it intermittent? An intermittent problem can be difficult to troubleshoot due to the difficulty of reproducing the issue.

Are the servers covered by server policy working? Has a policy been disabled? Check the Server Status widget on the dashboard.

Is your system overloaded? View the Resource Monitor on the dashboard. View the traffic log. (If there is no traffic log, someone likely turned that feature off. See Enabling logging on page 327.)

Is your system under attack? View the Attack Event History on the dashboard. View the attack log.

What has changed? Do not assume that nothing has changed in the network. Use the FortiWeb event log to see if something changed in the configuration. If something did change, see what the effect is when you roll back the change.

After determining the scope of the problem and isolating it, what servers does it affect?

Once the problem is defined, you can search for a solution and then create a troubleshooting plan to solve it.

Search for a known solution


You can save time and effort during the troubleshooting process by checking whether other FortiWeb administrators have experienced a similar problem before. First check within your organization. Next, access the Fortinet online resources that provide valuable information about FortiWeb technical issues.

Technical documentation
FortiWeb installation guides, administration guides, quick start guides, and other technical documents are available online at: http://docs.fortinet.com/fweb.html Also check the release notes for your FortiWeb unit.

Knowledge Base
The Fortinet Knowledge Base includes a variety of articles, white papers, and other documentation providing technical insight into a range of Fortinet products at: http://kb.fortinet.com

Fortinet technical discussion forums


Administrators can exchange experiences and tips related to their Fortinet products through an online technical forum at: http://support.fortinet.com/forum

Fortinet training services online campus


The Fortinet Online Campus hosts a collection of tutorials and training materials which can help increase your knowledge of the Fortinet products at: http://campus.training.fortinet.com

Create a troubleshooting plan


Once you fully define the problem or problems, begin creating a troubleshooting plan. The plan should list all possible causes of the problems that you can think of, and how to test for each cause.


The plan will act as a checklist so that you know what you have tried and what is left to check. The checklist is helpful if more than one person will be troubleshooting: without a written plan, people can easily become confused and steps can be skipped. Also, if you have to pass the problem-solving to someone else, providing a detailed list of what data you gathered and what solutions you tried demonstrates professionalism. Be ready to add steps to your plan as needed. After you are part way through, you may discover that you forgot some tests, or a test you performed discovered new information. This is normal.

Check your access


Make sure your administrator account has the permissions you need to run all diagnostic tests and to make configuration changes. Also, you may need access to other networking equipment such as switches, routers, and servers to help you test. If you do not normally have access to this equipment, contact your network administrator for assistance.
Tip: Check to make sure the FortiWeb unit's attack signature update license has not expired. You should be working with the latest attack signatures and other updates.

Gather system information


Your FortiWeb unit provides many features to aid in troubleshooting and performance monitoring. Use the web-based manager's dashboard and the CLI commands to define the scope and details of your problem. Keep track of the information you gather; Fortinet customer support may request it if you contact them for assistance.

Table 141: Web-based manager information gathering features

System > Status > Status: Displays the firmware version, serial number, host name, HA status, and up-time in the System Information widget. Displays CPU usage and memory usage in the System Resources widget. Shows server connectivity status in the Server Status column.
System > Network > Interface: Displays details about each configured system interface (port).
Router > Static > Static Route: Displays a list of configured static routes including their IPs, masks, and gateways.
Server Policy > Policy > Policy: Shows server status in the Enable and Status columns.
Logs&Report > Log Access: Provides access to the event, traffic, and attack logs. For the attack and traffic logs, use the Packet Log and Detail icons to drill in to any entry for greater detail.
Logs&Report > Report Browse: Provides access to preconfigured log reports.

Table 142: CLI information gathering features

diagnose debug crashlog: Displays details on application proxies that have backtraces, show traps, and registration dumps.
diagnose debug flow <params>: Traces the flow of packets through the FortiWeb unit.
diagnose hardware cpu list: Displays a list of specifications and settings for each CPU in the unit.
diagnose hardware interrupts list: Displays a list of specifications and settings for all interrupts for each CPU.
diagnose hardware mem list: Displays memory usage details.
diagnose hardware nic list: Displays a list of specifications and settings for the specified <interface> network interface port.
diagnose network arp list: Displays the contents of the address resolution protocol (ARP) table.
diagnose network route list: Displays all routes in the routing table including their type, source, and other data.
diagnose network sniffer packet <params>: Performs a packet trace on a specified network interface.
diagnose system top <params>: Displays a list of the most system-intensive processes.
execute ping <dest>: Tests connectivity to other devices on your network or elsewhere.
execute time: Displays the system time.
execute traceroute <dest>: Traces the route of packets between your FortiWeb unit and a specified server.
get log <log-type>: Retrieves the log type specified: event-log, traffic-log, attack-log.
get log reports <name>: Provides access to the named log report.
get router all: Displays a list of configured static routes including their IPs, masks, and gateways.
get system interface: Displays details about each configured system interface (port).
get system performance: Displays CPU usage, memory usage, and up-time.
get system status: Provides the firmware version, serial number, bios, host name, and HA status.

The CLI commands above display data. Many of these commands also have options for modifying data. For CLI command syntax details for these and other commands, see the FortiWeb CLI Reference. Before using a diagnose debug command, make sure to enable the debug feature by entering:
diagnose debug enable

Check port assignments


There are 65 535 ports available for each of the TCP and UDP stacks that applications can use when communicating with each other. If someone recently changed a FortiWeb or network port, that may be part of your problem. For a list of ports used by FortiWeb, see Appendix E: Ports used by FortiWeb on page 403. In addition, some ports may be assigned to other Fortinet appliances on your network. See the Fortinet Knowledge Base article, "Traffic Types and TCP/UDP Ports used by Fortinet Products" at: http://kb.fortinet.com

Troubleshoot connectivity issues


This section includes troubleshooting questions related to connectivity issues.

Are all cables and interfaces connected properly? See Check hardware connections on page 374.

Are you experiencing packet loss or device connectivity problems? See Run ping and traceroute on page 374.

Are there routes in the routing table for default and static routes? Do all connected subnets have a route in the routing table? See Verify the contents of the routing table on page 377.

Are the ARP table entries correct for the next-hop destination? See Verify the contents of the ARP table on page 377.

Is traffic entering the FortiWeb unit and, if so, does it arrive on the expected interface? Is the traffic exiting the FortiWeb unit to the expected destination? Is the traffic being sent back to the originator? Perform a sniffer trace. See Perform a sniffer trace on page 377. Debug the packet flow. See Debug the packet flow on page 378.

Check hardware connections


If there is no traffic flowing from the FortiWeb unit, it may be a hardware problem.

To check hardware connections
Ensure the network cables are properly plugged in to the interfaces on the FortiWeb unit.
Ensure there are connection lights for the network cables on the unit.
Change the cable if the cable or its connector are damaged or you are unsure about the cable's type or quality.
Connect the FortiWeb unit to different hardware to see if that makes a difference.
In the web-based manager, select Status > Network > Interface and ensure the link status is up (up arrow on green circle) for the interface. If the status is down (down arrow on red circle), click Bring Up next to it in the Status column. You can also enable an interface in the CLI, for example:
config system interface
  edit port2
    set status up
end

If any of these checks solve the problem, it was a hardware connection issue. You should still perform some basic software tests to ensure complete connectivity. If the hardware connections are correct and the unit is powered on but you cannot connect using the CLI or web-based manager, you may be experiencing bootup problems. See Troubleshoot bootup issues on page 381.

Run ping and traceroute


Ping and traceroute are useful tools in network troubleshooting. Both tools accept either IP addresses or fully-qualified domain names as parameters. This can help you determine why particular services, such as email or web browsing, are not working properly.
Note: If ping does not work, you likely have it disabled in at least one of the interface settings or firewall policies for that interface.

Both ping and traceroute require particular ports to be open on firewalls to function. Since you typically use these tools to troubleshoot, you can allow them in the firewall policies and on interfaces only when you need them, and otherwise keep the ports disabled for added security.

Check connections with ping


The ping command sends a small data packet to the destination and waits for a response. The response has a timer that may expire, indicating the destination is unreachable. Ping is part of Layer 3 on the OSI Networking Model. Ping sends Internet Control Message Protocol (ICMP) echo request packets to the destination, and listens for echo response packets in reply. However, many public networks block ICMP packets because ping can be used in a denial of service (DoS) attack, or by an attacker to find active locations on the network.

By default, FortiWeb units have ping enabled. If ping does not work from your FortiWeb unit, make sure it was not disabled. Go to System > Network > Interface. Examine the list of allowed protocols in the Access column for the port used by the web-based manager (usually port1). If ping is not in the list, add it.

To enable ping
1 Go to System > Network > Interface.
2 Click the Edit icon in the applicable row. A dialog appears.
3 Select PING on the Edit Interface dialog.
4 Click OK.

What ping can tell you


Beyond the basic connectivity information, ping tells you the amount of packet loss (if any), how long it takes the packet to make the round trip, and the variation in that time from packet to packet.

If ping shows any packet loss, you should investigate:
possible ECMP, split horizon, or network loops
cabling to ensure no loose connections

If ping shows total packet loss, you should investigate:
hardware to ensure cabling is correct
all equipment between the two locations to determine they are properly connected
addresses and routes to ensure all IP addresses and routing information along the route is configured as expected
firewalls to ensure they are set to allow ping to pass through

How to use ping


You can ping from the FortiWeb unit in the CLI Console widget of the web-based manager or through the CLI. For example:
execute ping 172.20.120.169
See the execute ping command in the FortiWeb CLI Reference for an explanation of the command output and see execute ping-options for a description of the many options to tailor the ping response to your needs. If the FortiWeb web-based manager and CLI are not available, you can run ping on a Windows or Linux PC.


To ping a device from a Windows PC
1 Open a command window. In Windows XP, select Start > Run, enter cmd, and select OK. In Windows 7, select the Start icon, enter cmd in the search box, and select cmd.exe from the list.
2 In the command window, enter the ping command and an IP address, for example:
ping 172.20.120.169
Ping options include:
-t, to send packets until you press Control-C
-a, to resolve addresses to domain names where possible
-n x, where x is an integer stating the number of packets to send

To ping a device from a Linux PC
1 Go to a command line prompt.
2 Enter:
ping 172.20.120.169

Check routes with traceroute


Traceroute sends ICMP packets to test each hop along the route. It sends three packets, and then increases the time to live (TTL) setting by one each time. This effectively allows the packets to go one hop farther along the route. This explains why most traceroute commands display their maximum hop count before they start tracing the route; that is the maximum number of steps it will take before declaring the destination unreachable. Also, the TTL setting may result in steps along the route timing out due to slow responses. There are many possible reasons for this to occur. Traceroute by default uses UDP with destination ports numbered from 33434 to 33534. The traceroute utility usually has an option to specify use of ICMP echo request (type 8) instead, as used by the Windows tracert utility. If you have a firewall and you want traceroute to work from both machines (Unix-like systems and Windows) you will need to allow both protocols inbound through your firewall (UDP with ports from 33434 to 33534 and ICMP type 8).

What traceroute can tell you


Where ping only tells you if the signal reached its destination and came back successfully, traceroute shows each step of its journey to its destination and how long each step takes. If ping finds an outage between two points, use traceroute to locate exactly where the problem is. The traceroute output can identify other problems, such as an inability to connect to a DNS server.

How to use traceroute


You can run a route trace from the FortiWeb unit in the CLI Console widget of the web-based manager or through the CLI, for example:
execute traceroute docs.fortinet.com
See the execute traceroute command in the FortiWeb CLI Reference for an explanation of the command output. If the FortiWeb web-based manager and CLI are not available, you can trace a route on a Windows or Linux PC.


To use traceroute on a Windows PC
1 Open a command window. In Windows XP, select Start > Run, enter cmd, and select OK. In Windows 7, select the Start icon, enter cmd in the search box, and select cmd.exe from the list.
2 Enter the tracert command to trace the route from the host PC to the destination web site, for example:
tracert fortinet.com
In the tracert output, the first (left) column is the hop count, which cannot go over 30 hops. The second, third, and fourth columns are how long each of the three packets takes to reach this stage of the route. These values are in milliseconds and normally vary quite a bit. Typically a value of <1ms indicates a local connection. The fifth (far right) column is the domain name of that device and its IP address, or possibly just the IP address.

To use traceroute on a Linux PC
1 Go to a command line prompt.
2 Enter:
traceroute fortinet.com
The Linux traceroute output is very similar to the MS Windows tracert output.
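As an added example (not part of the Fortinet guide), a small Python parser for the tracert and traceroute output described above. It reports the last hop that answered, the hop at which replies stopped for good, and hops that answered only some of their three probes, which is the information you need when ping has found an outage and you want to locate it. Both sample outputs are constructed, not captured from a real network.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the Windows tracert layout described above
# (hop number, three round-trip times, then host name and/or address).
SAMPLE_TRACERT = """\
Tracing route to fortinet.com [192.0.2.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     2 ms     3 ms     2 ms  gw.example.net [198.51.100.1]
  3    11 ms    10 ms    12 ms  198.51.100.254
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6    25 ms     *       24 ms  203.0.113.9
  7    30 ms    31 ms    29 ms  fortinet.com [192.0.2.10]

Trace complete.
"""

# Constructed sample in the Linux traceroute layout (host first, then the
# round-trip times), showing a path on which replies stop at hop 3.
SAMPLE_TRACEROUTE = """\
traceroute to fortinet.com (192.0.2.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.388 ms  0.371 ms
 2  gw.example.net (198.51.100.1)  2.104 ms  2.301 ms  2.050 ms
 3  * * *
 4  * * *
 5  * * *
"""


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[float]]  # one entry per probe; None means the probe timed out ("*")
    host: str                       # host column as printed ("Request timed out." on Windows)


def parse_hop_line(line: str) -> Optional[Hop]:
    """Parse one hop line of tracert or traceroute output; header and trailer lines give None."""
    tokens = line.split()
    if not tokens or not tokens[0].isdigit():
        return None
    rtts: List[Optional[float]] = []
    host_parts: List[str] = []
    i = 1
    while i < len(tokens):
        token = tokens[i]
        if token == "*":
            rtts.append(None)                       # no reply within the timeout
        elif i + 1 < len(tokens) and tokens[i + 1] == "ms":
            rtts.append(float(token.lstrip("<")))   # "<1 ms" is recorded as 1.0
            i += 1                                  # skip the "ms" unit token
        else:
            host_parts.append(token)                # everything else is the host column
        i += 1
    return Hop(int(tokens[0]), rtts, " ".join(host_parts))


def parse_trace(text: str) -> List[Hop]:
    return [hop for hop in map(parse_hop_line, text.splitlines()) if hop is not None]


def summarize(hops: List[Hop]) -> Dict[str, object]:
    """Locate where replies stop, reading the trace the way the guide describes.

    A hop that answers none of its probes but is followed by hops that do answer is a
    router that does not send ICMP time-exceeded replies (or a firewall dropping them),
    not an outage. The outage is the trailing run of silent hops: replies stopped there
    and never resumed, so the last responding hop is where to start looking.
    """
    silent = [h.number for h in hops if all(r is None for r in h.rtts_ms)]
    lossy = [h.number for h in hops
             if any(r is None for r in h.rtts_ms) and any(r is not None for r in h.rtts_ms)]
    end = len(hops)
    while end > 0 and all(r is None for r in hops[end - 1].rtts_ms):
        end -= 1                                    # strip the trailing silent hops
    return {
        "reached": end == len(hops) and end > 0,
        "last_responding_hop": hops[end - 1].number if end > 0 else None,
        "outage_starts_at": hops[end].number if end < len(hops) else None,
        "silent_hops": silent,
        "lossy_hops": lossy,
    }


if __name__ == "__main__":
    for name, text in (("tracert", SAMPLE_TRACERT), ("traceroute", SAMPLE_TRACEROUTE)):
        print(name, summarize(parse_trace(text)))
```

In the second sample the trace never reaches its destination and replies stop at hop 3, so the first device to examine is the one that answered at hop 2, which matches the hop-by-hop interpretation of tracert output given above.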

Verify the contents of the routing table


When you have little connectivity, a good place to look for information is the routing table. The routing table is where the FortiWeb unit stores currently used static routes. If a route is in the routing table, it saves the time and resources of a lookup. If a route was not used for a while and a new route needs to be added, the oldest, least-used route is bumped if the routing table is full. This ensures the most recently used routes stay in the table. To check the routing table in the CLI, enter:
diagnose network route list

Verify the contents of the ARP table


When you have poor connectivity, another good place to look for information is the address resolution protocol (ARP) table. A functioning ARP is especially important in high-availability configurations. To check the ARP table in the CLI, enter:
diagnose network arp list

Perform a sniffer trace


When troubleshooting networks and routing in particular, it helps to look inside the headers of packets to determine if they are traveling along the route you expect. Packet sniffing is also called a network tap, packet capture, or logic analyzing.


What can sniffing packets tell you


Packet sniffing can tell you if the traffic is reaching its destination, what the port of entry is on the FortiWeb unit, if the ARP resolution is correct, and if the traffic is being sent back to the source as expected. Packet sniffing can also tell you if the FortiWeb unit is silently dropping packets.
Note: If you configure virtual IP addresses on your FortiWeb unit, it will use those addresses in preference to the physical IP addresses. You will notice this when you are sniffing packets because all traffic will use the virtual IP addresses. This is due to the ARP update that is sent out when the virtual IP address is configured.

To sniff packets
The general form of the internal FortiWeb packet sniffer command is:
diagnose network sniffer packet <interface_name> <filter_str> <verbose-level> <count_int>
This example checks network traffic on port1, with no filter, and captures 10 packets:
diagnose network sniffer packet port1 none 1 10
See the FortiWeb CLI Reference for an explanation of the command and its parameters.

Debug the packet flow


If you have determined that network traffic is not entering and leaving the FortiWeb unit as expected, debug the packet flow using the CLI. This operation requires you to enter several debug commands to set the policy to use and then to set the server IP to apply the policy to, for example:
diagnose debug enable
diagnose debug flow filter policy policy-name Policy1
diagnose debug flow filter policy source-ip 172.20.120.27
See the FortiWeb CLI Reference for an explanation of the command and its parameters.

Troubleshoot resource issues


This section includes troubleshooting questions related to sluggish or stalled performance.

Is a process hogging system resources? Check for a misbehaving process. See Look for system-intensive processes on page 378.

Is a server under attack? See Prepare for attacks on page 379.

Has there been a sustained spike in HTTP traffic related to a specific policy? See Monitor traffic on page 379.

Look for system-intensive processes


Use the CLI to view a list of the most system-intensive processes. This may show processes that are hogging resources. For example:
diagnose system top 10
The above command generates a report of processes every 10 seconds. The report provides the process names, their process ID (pid), status, CPU usage, and memory usage.


The report continues to refresh and display in the CLI window until you enter q (quit).

Monitor traffic
Heavy or unusual traffic loads can cause problems. In the FortiWeb unit's web-based manager, you can view traffic two ways:
Monitor current HTTP traffic on the dashboard. Go to System > Status > Status and examine the graphs in the Policy Summary widget.
Examine traffic history in the traffic log. Go to Logs&Report > Log Access > Traffic.

Prepare for attacks


A prolonged denial of service (DoS) or brute-force login attack (to name just a few attack types) can bring a system to a standstill, if your unit is not prepared for it. In the FortiWeb unit's web-based manager, you can watch for attacks in two ways:
Monitor current HTTP traffic on the dashboard. Go to System > Status > Status and examine the attack event history graph in the Policy Summary widget.
Examine attack history in the traffic log. Go to Logs&Report > Log Access > Attack.

If attacks occur, use the FortiWeb unit's rich feature set to configure attack defenses. For a list of attack types and suggested defenses, see Characteristics of XML threats on page 15 and Characteristics of HTTP threats on page 16.

Troubleshoot user and admin login issues


A common problem is the inability of users or administrators to log in. There are a number of potential reasons for these problems. Once the source of the problem is found, the administrator should follow the appropriate policies to resolve the problems, notifying affected users if warranted.

Use correct user name and password combination for user


This may be obvious, but it should be the first thing to check. While there are valid reasons for users to forget login information or enter the wrong information, it may actually be someone trying to use someone else's credentials to gain illegal access to the company network. If this is the case, you do not want to waste time on any additional troubleshooting. Also if this is the case, it will generally be a single user with problems instead of a group of users.

Check user authentication policies


In FortiWeb, users are organized into groups. Groups are part of authentication policies. If several users have authentication problems, it is possible someone changed an authentication policy or user group memberships. If a user is legitimately having an authentication problem, you need to find out where the problem lies.

To troubleshoot user access
1 In the web-based manager, go to User > User Group and examine each group to locate the name of the problem user.
2 Note the user group to which the affected users belong, especially if multiple affected users are part of one group. If the user is not a group member, there is no access.


3 Go to Web Protection > Authentication Policy > Authentication Rule and determine which rule contains the problem user group. If the user group is not part of a rule, there is no access.
4 Go to Web Protection > Authentication Policy > Authentication Policy and locate the policy that contains the rule governing the problem user group. If the rule is not part of a policy, there is no access.
5 Go to Web Protection > Web Protection Profile > Inline Protection Profile and determine which profile contains the related authentication policy. If the policy is not part of a profile, there is no access.
6 Make sure that inline protection profile is included in the server policy that applies to the server the user is trying to access. If the profile is not part of the server policy, there is no access.

Authentication involves user groups, authentication rules and policy, inline protection policy, and finally, server policy. If a user is not in a user group used in the policy for a specific server, the user will have no access.
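As an added example, not FortiWeb's own code and not its real configuration schema, the following Python walks the chain in steps 1 to 6 above over a constructed, hypothetical model of the objects involved and reports the first step at which the chain breaks. All object and user names are made up.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthChainConfig:
    """Constructed model of the objects the procedure walks (hypothetical, not FortiWeb's schema)."""
    user_groups: Dict[str, List[str]]          # user group name -> member user names
    auth_rules: Dict[str, str]                 # authentication rule name -> user group it applies to
    auth_policies: Dict[str, List[str]]        # authentication policy name -> rule names it contains
    inline_profiles: Dict[str, Optional[str]]  # inline protection profile -> authentication policy, or None
    server_policies: Dict[str, Optional[str]]  # server policy -> inline protection profile, or None


def trace_user_access(cfg: AuthChainConfig, user: str, server_policy: str) -> Tuple[bool, str]:
    """Return (has_access, explanation); the explanation names the procedure step that failed."""
    # Steps 1 and 2: which user groups contain the user?
    groups = {g for g, members in cfg.user_groups.items() if user in members}
    if not groups:
        return False, f"step 2: {user!r} is not a member of any user group"
    # Step 3: which authentication rules reference those groups?
    rules = {r for r, g in cfg.auth_rules.items() if g in groups}
    if not rules:
        return False, f"step 3: no authentication rule uses groups {sorted(groups)}"
    # Step 4: which authentication policies contain those rules?
    policies = {p for p, rs in cfg.auth_policies.items() if rules & set(rs)}
    if not policies:
        return False, f"step 4: no authentication policy contains rules {sorted(rules)}"
    # Step 5: which inline protection profiles use those policies?
    profiles = {pr for pr, pol in cfg.inline_profiles.items() if pol in policies}
    if not profiles:
        return False, f"step 5: no inline protection profile uses policies {sorted(policies)}"
    # Step 6: does the server policy for this server use one of those profiles?
    if server_policy not in cfg.server_policies:
        return False, f"step 6: server policy {server_policy!r} does not exist"
    used = cfg.server_policies[server_policy]
    if used not in profiles:
        return False, (f"step 6: server policy {server_policy!r} uses profile {used!r}, "
                       f"not one of {sorted(profiles)}")
    return True, (f"{user!r} reaches {server_policy!r} through groups {sorted(groups)}, "
                  f"rules {sorted(rules)}, policies {sorted(policies)}, profile {used!r}")


# Constructed sample configuration covering one working chain and several broken ones.
SAMPLE_CONFIG = AuthChainConfig(
    user_groups={"staff": ["alice", "dave"], "contractors": ["bob"],
                 "ops": ["frank"], "api-users": ["erin"]},
    auth_rules={"staff-rule": "staff", "ops-rule": "ops", "api-rule": "api-users"},
    auth_policies={"intranet-auth": ["staff-rule"], "api-auth": ["api-rule"]},
    inline_profiles={"intranet-profile": "intranet-auth", "public-profile": None},
    server_policies={"intranet-policy": "intranet-profile", "public-policy": "public-profile"},
)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "erin", "frank"):
        print(user, trace_user_access(SAMPLE_CONFIG, user, "intranet-policy"))
```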

Change an administrator's password


Any administrator with write privileges to Admin Users in their access profile (admingrp in the CLI) can reset an administrator's password, if they know the current password. Sometimes administrators forget their passwords. There is just one administrator with the authority to reset other administrators' passwords without knowing their current password: the default administrator, admin.

Trusted hosts for admin account will not allow current IP


A trusted host is a secure location from which an administrator logs in. For example, on a secure network an administrator can log in from an internal subnet but not from the Internet. If an external administrator login is required, a secure VPN tunnel can be established with a set IP address or range of addresses that are entered as a trusted host address. Trusted host login issues occur when an administrator attempts to log in from an IP address that is not included in the trusted host list.

To verify trusted host login issues
1 Record the IP address from which the administrator is attempting to log in to the FortiWeb unit.
2 Log in to the web-based manager and go to System > Admin > Administrators.
3 Select the administrator account in question and click the Edit icon.
4 Compare the list of trusted hosts to the problem IP address. If there is a match, the problem is not due to trusted hosts.
5 If there is no match and the new address is valid (secure), add it to the list of trusted hosts.
6 Select OK. If the problem was due to trusted hosts, the administrator can now log in.


Troubleshoot bootup issues


This section addresses problems you may experience in rare cases when powering on your FortiWeb unit. If you continue to have problems, please contact customer support for assistance.
Note: It is rare that units experience any of the symptoms listed here. Fortinet hardware is reliable with a long expected operation life.

When you cannot connect to the FortiWeb unit through the network using the CLI or the web-based manager, connect a PC directly to the FortiWeb unit's management console using a serial connection. (The cable varies with the FortiWeb model. See the model's Quick Start Guide for details.) Open a terminal emulation interface, such as HyperTerminal, to act as the console. The issues covered in this section all refer to various potential bootup issues. Once you have a direct cable link to the FortiWeb unit, work through the following steps and keep a copy of the console's output messages. If you have multiple problems, go to the problem closest to the top of the list first, and work your way down.

A. Do you see the boot options menu
B. Do you have problems with the console text
C. Do you have visible power problems
D. You have a suspected defective FortiWeb unit

A. Do you see the boot options menu


1 Do you see the boot options menu? If no, ensure your serial communication parameters are set to no flow control, check that the correct baud rate is set (usually 9600, data bits 8, parity none, stop bits 1), and reboot the FortiWeb unit by powering off and on. If that fixes your problem, you are done. If it does not fix your problem, go to C. Do you have visible power problems.

B. Do you have problems with the console text


1 Do you see any console messages? If no, go to C. Do you have visible power problems. If yes, continue.
2 Are there console messages but text is garbled on the screen? If yes, ensure your console communication settings are correct for your unit (such as baud rate 9600, data bits 8, parity none, stop bits 1). Check the FortiWeb Quick Start Guide for settings specific to your model. If that fixes the problem, you are done.
3 Do the console messages stop before the prompt "Press Any Key to Download Boot Image"? If yes, go to D. You have a suspected defective FortiWeb unit. If no, follow the console instruction Press any key to Download Boot Image and go to the next step.
4 When pressing a key, do you see one of the following messages?

[G]: Get Firmware image from TFTP server
[F]: Format boot device
[B]: Boot with backup firmware and act as default
[Q]: Quit menu and continue to boot with default firmware
[H]: Display this list of options

If yes, go to D. You have a suspected defective FortiWeb unit. If no, ensure your serial communication parameters are set to no flow control, and check that the correct baud rate is set. To find the unit's current baud rate using the CLI, enter these commands:
config system console
  get
Change settings if needed and reboot the FortiWeb unit by powering off and on.
5 Did the reboot fix the problem? If yes, you are done. If not, go to D. You have a suspected defective FortiWeb unit.

C. Do you have visible power problems


1 Is there any LED lit on the FortiWeb unit? If no, ensure power is on. If that fixes the problem, you are done. If not, continue. If yes, continue.
2 Do you have an external power adapter? If no, go to D. You have a suspected defective FortiWeb unit. If yes, try replacing the power adapter.
3 Is the power supply defective? If no, go to D. You have a suspected defective FortiWeb unit. If yes, replace the power supply and begin the tests again at A. Do you see the boot options menu.

D. You have a suspected defective FortiWeb unit


If you followed the previous steps and determined there is a good chance your unit is defective, contact Fortinet customer support.

Contact Fortinet customer support for assistance


After you have defined your problem, researched a solution, created a plan, and executed that plan, if you still have not solved the problem, it is time to contact Fortinet customer support for assistance. To receive technical support and service updates, your Fortinet product must be registered. Registration, support programs, assistance, and regional phone contacts are available at the following URL: https://support.fortinet.com


When you are registered and ready to contact support:
1 Prepare the following information first:
your contact information
the firmware version
a recent server policy configuration
access to recent event, traffic and attack logs
a network topology diagram and IP addresses
a list of troubleshooting steps performed so far and the results
for bootup problems: provide all console messages and output
if you suspect a hard disk issue, provide your evidence
2 Document the problem and the steps you took to define the problem.
3 Open a support ticket. For details on using the Fortinet support portal and providing the best information, see the Knowledge Base article, "Fortinet Support Portal for Product Registration, Contract Registration, Ticket Management, and Account Management" at: http://kb.fortinet.com


Installing new firmware


Fortinet periodically releases FortiWeb firmware updates to include enhancements and address issues. After you have registered your FortiWeb unit, FortiWeb firmware is available for download at http://support.fortinet.com. Installing new firmware can overwrite attack signature packages using the versions of the packages that were current at the time that the firmware image was built. To avoid repeat updates, update the firmware before updating your FortiGuard packages. New firmware can also introduce new features which you must configure for the first time. For late-breaking information specific to the firmware release version, see the Release Notes available with that release.
Note: In addition to major releases that contain new features, Fortinet releases patch releases that resolve specific issues without containing new features and/or changes to existing features. It is recommended to download and install patch releases as soon as they are available. Note: Before you can download firmware updates for your FortiWeb unit, you must first register your FortiWeb unit with Fortinet Technical Support. For details, go to http://support.fortinet.com/ or contact Fortinet Technical Support.

This chapter includes the following topics:
Testing new firmware before installing it
Installing firmware
Installing backup firmware
Restoring firmware

Testing new firmware before installing it


You can test a new firmware image by temporarily running it from memory, without saving it to disk. Because your existing firmware stays on disk, you do not have to re-install your previous firmware if the evaluation fails. Instead, you can quickly revert to your existing firmware by simply rebooting the FortiWeb unit.
To test a new firmware image
1 Download the firmware file from the Fortinet Technical Support web site, https://support.fortinet.com/.
2 Connect your management computer to the FortiWeb console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.
3 Initiate a connection from your management computer to the CLI of the FortiWeb unit. For details, see the FortiWeb Install and Setup Guide.
4 Connect port1 of the FortiWeb unit directly or to the same subnet as a TFTP server.
5 Copy the new firmware image file to the root directory of the TFTP server.


6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach the TFTP server. To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
7 Enter the following command to restart the FortiWeb unit:
execute reboot
8 As the FortiWeb unit starts, a series of system startup messages appear.
Press any key to display configuration menu........
9 Immediately press a key to interrupt the system startup.
Note: You have only three seconds to press a key. If you do not press a key soon enough, the FortiWeb unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:
Please connect TFTP server to Ethernet port "1".
10 Type G to get the firmware image from the TFTP server. The following message appears:
Enter TFTP server address [192.168.1.168]:
11 Type the IP address of the TFTP server and press Enter. The following message appears:
Enter local address [192.168.1.188]:
12 Type a temporary IP address that can be used by the FortiWeb unit to connect to the TFTP server. The following message appears:
Enter firmware image file name [image.out]:
13 Type the firmware image file name and press Enter. The FortiWeb unit downloads the firmware image file from the TFTP server and displays a message similar to the following:
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
14 Type R. The FortiWeb image is loaded into memory and uses the current configuration, without saving the new firmware image to disk.
15 To verify that the new firmware image has been loaded, log in to the CLI and type:
get system status


16 Test the new firmware image. If the new firmware image operates successfully, you can install it to disk, overwriting the existing firmware, using the procedure Installing firmware on page 387. If the new firmware image does not operate successfully, reboot the FortiWeb unit to discard the temporary firmware and resume operation using the existing firmware.

Installing firmware
You can use either the web-based manager or the CLI to upgrade or downgrade the firmware of the FortiWeb unit. Firmware changes are either:
an upgrade to a newer version
a reversion to an earlier version

The firmware version number is used to determine if you are upgrading or reverting your firmware image. For example, if your current firmware version is FortiWeb-1000B 4.00,build0194,100119, changing to FortiWeb-1000B 4.00,build0192,091210, an earlier build number and date, indicates that you are reverting.
Caution: Back up your configuration before beginning this procedure. Reverting to an earlier firmware version could reset the configuration, including the IP addresses of network interfaces. For information on backups, see Backing up and restoring configurations on page 96. For information on reconnecting to a FortiWeb unit whose network interface configuration has been reset, see the FortiWeb Install and Setup Guide.

If you are installing a firmware version that requires a different size of system partition, you may be required to format the boot device before installing the firmware by re-imaging the boot device. In that case, do not install the firmware using this procedure. Instead, see Restoring firmware on page 391.
To install firmware using the web-based manager
1 Download the firmware file from the Fortinet Technical Support web site, https://support.fortinet.com/.
2 Log in to the web-based manager of the FortiWeb unit as the admin administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category.
3 Go to System > Status > Status.


Figure 68: System Information widget

4 In the System Information widget, in the Firmware Version row, click Update. A browse window appears.
5 Click Browse to locate and select the firmware file that you want to install, then click OK.
6 Click OK. Your management computer uploads the firmware image to the FortiWeb unit. The FortiWeb unit installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection. If you are downgrading the firmware to a previous version, the FortiWeb unit reverts the configuration to default values for that version of the firmware. Either reconfigure the FortiWeb unit or restore the configuration file. For details, see the FortiWeb Install and Setup Guide and Backing up and restoring configurations on page 96.
7 Clear the cache of your web browser and restart it to ensure that it reloads the web-based manager and correctly displays all interface changes. For details, see your browser's documentation.
8 To verify that the firmware was successfully installed, log in to the web-based manager and go to System > Status > Status. Text appearing in the Firmware Version row indicates the currently installed firmware version.
9 Update the attack definitions.
Note: Installing firmware replaces the current attack definitions with those included with the firmware release that you are installing. After you install the new firmware, make sure that your attack definitions are up-to-date. For more information, see Uploading signature updates on page 101.

To install firmware using the CLI
1 Download the firmware file from the Fortinet Technical Support web site, https://support.fortinet.com/.
2 Connect your management computer to the FortiWeb console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.
3 Initiate a connection from your management computer to the CLI of the FortiWeb unit, and log in as the admin administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. For details, see the FortiWeb Install and Setup Guide.
4 Connect port1 of the FortiWeb unit directly or to the same subnet as a TFTP server.
5 Copy the new firmware image file to the root directory of the TFTP server.


6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach the TFTP server. To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
7 Enter the following command to download the firmware image from the TFTP server to the FortiWeb unit:
execute restore image tftp <name_str> <tftp_ipv4>
where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
One of the following messages appears:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
or:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
8 Type y. The FortiWeb unit downloads the firmware image file from the TFTP server. The FortiWeb unit installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection. If you are downgrading the firmware to a previous version, the FortiWeb unit reverts the configuration to default values for that version of the firmware. Either reconfigure the FortiWeb unit or restore the configuration file. For details, see the FortiWeb Install and Setup Guide and Backing up and restoring configurations on page 96.
9 To verify that the firmware was successfully installed, log in to the CLI and type:
get system status
The firmware version number is displayed.
10 Update the attack definitions.
Note: Installing firmware replaces the current attack definitions with those included with the firmware release that you are installing. After you install the new firmware, make sure that your attack definitions are up-to-date. For more information, see Uploading signature updates on page 101.

Installing backup firmware


You can install backup firmware, which can be loaded if the primary firmware fails.
To install backup firmware
1 Download the firmware file from the Fortinet Technical Support web site, https://support.fortinet.com/.
2 Connect your management computer to the FortiWeb console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.


3 Initiate a connection from your management computer to the CLI of the FortiWeb unit, and log in as the admin administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. For details, see the FortiWeb Install and Setup Guide.
4 Connect port1 of the FortiWeb unit directly or to the same subnet as a TFTP server.
5 Copy the new firmware image file to the root directory of the TFTP server.
6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach the TFTP server. To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
7 Enter the following command to restart the FortiWeb unit:
execute reboot
8 As the FortiWeb unit starts, a series of system startup messages appear.
Press any key to display configuration menu........
9 Immediately press a key to interrupt the system startup.
Note: You have only 3 seconds to press a key. If you do not press a key soon enough, the FortiWeb unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:
Please connect TFTP server to Ethernet port "1".
10 Type G to get the firmware image from the TFTP server. The following message appears:
Enter TFTP server address [192.168.1.168]:
11 Type the IP address of the TFTP server and press Enter. The following message appears:
Enter local address [192.168.1.188]:
12 Type a temporary IP address that can be used by the FortiWeb unit to connect to the TFTP server. The following message appears:
Enter firmware image file name [image.out]:
13 Type the firmware image file name and press Enter. The FortiWeb unit downloads the firmware image file from the TFTP server and displays a message similar to the following:
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

14 Type B. The FortiWeb unit saves the backup firmware image and restarts. When the FortiWeb unit restarts, it is running the primary firmware.
To use backup firmware as the primary firmware
1 Connect your management computer to the FortiWeb console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.
2 Initiate a connection from your management computer to the CLI of the FortiWeb unit, and log in as the admin administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. For details, see the FortiWeb Install and Setup Guide.
3 Enter the following command to restart the FortiWeb unit:
execute reboot
4 As the FortiWeb unit starts, a series of system startup messages appear.
Press any key to display configuration menu........
Immediately press a key to interrupt the system startup.
Note: You have only 3 seconds to press a key. If you do not press a key soon enough, the FortiWeb unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:
Please connect TFTP server to Ethernet port "1".
5 Type B to reboot and use the backup firmware.

Restoring firmware
Restoring the firmware can be useful if:
you are unable to connect to the FortiWeb unit using the web-based manager or the CLI
you want to install firmware without preserving any existing configuration
a firmware version that you want to install requires a different size of system partition (see the Release Notes accompanying the firmware)
a firmware version that you want to install requires that you format the boot device (see the Release Notes accompanying the firmware)

Unlike installing firmware, restoring firmware re-images the boot device, including the signatures that were current at the time that the firmware image file was created. Also, restoring firmware can only be done during a boot interrupt, before network connectivity is available, and therefore requires a local console connection to the CLI. It cannot be done through a network connection.


Caution: Back up your configuration before beginning this procedure, if possible. Restoring firmware resets the configuration, including the IP addresses of network interfaces. For information on backups, see Backing up and restoring configurations on page 96. For information on reconnecting to a FortiWeb unit whose network interface configuration has been reset, see the FortiWeb Install and Setup Guide.

To restore the firmware
1 Download the firmware file from the Fortinet Technical Support web site, https://support.fortinet.com/.
2 Connect your management computer to the FortiWeb console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.
3 Initiate a local console connection from your management computer to the CLI of the FortiWeb unit, and log in as the admin administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. For details, see the FortiWeb Install and Setup Guide.
4 Connect port1 of the FortiWeb unit directly or to the same subnet as a TFTP server.
5 Copy the new firmware image file to the root directory of the TFTP server.
6 Verify that the TFTP server is currently running, and that the FortiWeb unit can reach the TFTP server. To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
7 Enter the following command to restart the FortiWeb unit:
execute reboot
8 As the FortiWeb unit starts, a series of system startup messages appear.
Press any key to display configuration menu........
9 Immediately press a key to interrupt the system startup.
Note: You have only 3 seconds to press a key. If you do not press a key soon enough, the FortiWeb unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:
Please connect TFTP server to Ethernet port "1".
10 If the firmware version requires that you first format the boot device before installing firmware, type F. Format the boot disk before continuing.


11 Type G to get the firmware image from the TFTP server. The following message appears:
Enter TFTP server address [192.168.1.168]:
12 Type the IP address of the TFTP server and press Enter. The following message appears:
Enter local address [192.168.1.188]:
13 Type a temporary IP address that can be used by the FortiWeb unit to connect to the TFTP server. The following message appears:
Enter firmware image file name [image.out]:
14 Type the file name of the firmware image and press Enter. The FortiWeb unit downloads the firmware image file from the TFTP server and displays a message similar to the following:
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
15 Type D. The FortiWeb unit downloads the firmware image file from the TFTP server. The FortiWeb unit installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection. The FortiWeb unit reverts the configuration to default values for that version of the firmware.
16 To verify that the firmware was successfully installed, log in to the CLI and type:
get system status
The firmware version number is displayed.
17 Either reconfigure the FortiWeb unit or restore the configuration file. For details, see FortiWeb Install and Setup Guide and Backing up and restoring configurations on page 96.
18 Update the attack definitions.
Note: Installing firmware replaces the current attack definitions with those included with the firmware release that you are installing. After you install the new firmware, make sure that your attack definitions are up-to-date. For more information, see Uploading signature updates on page 101.


Appendix A: Supported RFCs, W3C and IEEE standards


The current release of FortiWeb supports the following IETF RFC, W3C standards and IEEE standards.

RFC
RFC 1213 Management Information Base for Network Management of TCP/IP-based internets: MIB-II - see reference 1
RFC 2616 Hypertext Transfer Protocol -- HTTP/1.1 - see reference 1, reference 2
RFC 2617 HTTP Authentication: Basic and Digest Access Authentication - see reference 1
RFC 2665 Definitions of Managed Objects for the Ethernet-like Interface Types - see reference 1

W3C standards
extensible markup language (XML) 1.0 (Third Edition)
XML Current Status: http://www.w3.org/standards/techs/xml#w3c_all
W3C Recommendation 04 February 2004: http://www.w3.org/TR/2004/REC-xml-20040204
see reference 1, reference 2

XML Schema v1.0
XML Schema Current Status: http://www.w3.org/standards/techs/xmlschema#w3c_all
see reference 1
XML Schema Part 0: Primer Second Edition, W3C Recommendation 28 October 2004: http://www.w3.org/TR/2004/REC-xmlschema-0-20041028/
XML Schema Part 1: Structures Second Edition, W3C Recommendation 28 October 2004: http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/
XML Schema Part 2: Datatypes Second Edition, W3C Recommendation 28 October 2004: http://www.w3.org/TR/2004/REC-xmlschema-2-20041028/

simple object access protocol (SOAP) 1.1
W3C Note 08 May 2000 http://www.w3.org/TR/2000/NOTE-SOAP-20000508/
see reference 1

web services description language (WSDL) 1.0
W3C Note 15 March 2001 http://www.w3.org/TR/wsdl
see reference 1

XML encryption
XML Encryption Current Status http://www.w3.org/standards/techs/xmlenc#w3c_all
see reference 1
XML Encryption Syntax and Processing http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/

XML signature
XML Signature Current Status http://www.w3.org/standards/techs/xmlsig#w3c_all
see reference 1
XML Signature Syntax and Processing http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/

IEEE standards
spanning tree protocol IEEE 802.1d - see reference 1
virtual LANs IEEE 802.1q - see reference 1


Appendix B: Maximum values


This table shows maximum configurable values for FortiWeb Version 4.0 MR2. All performance values are assumed to mean up to and depend on your configuration. The maximum number of persistent server sessions per policy is limited by the unit's RAM.
Table 143: Maximum configurable values

FortiWeb model                                  FortiWeb-400B   FortiWeb-1000B   FortiWeb-1000C   FortiWeb-3000C
Maximum policies per unit                       20              40               60               100
Default RAM                                     1 GB            2 GB             3 GB             6 GB
Maximum persistent server sessions per policy   8 000           15 000           20 000           50 000
Maximum persistent server sessions per unit     20 000          40 000           60 000           100 000
Maximum HTTP transactions per second            10 000          22 000           27 000           40 000
Network Interfaces (ports)                      4               4                4                6
VLAN Interfaces                                 32              32               32               32
Maximum servers per server farm                 20              20               20               20

FortiWeb-VM
For a FortiWeb-VM virtual appliance running in a VMware image, the maximum number of server sessions varies with the amount of memory available to FortiWeb-VM on the VMware server. To see the maximum allowed sessions, do the following:
1 Open the web-based manager.
2 Go to Server Policy > Policy.
3 Either click Create New or edit an existing policy.
4 Look at the minimum-maximum range indicator next to the Persistent Server Sessions option. That number tells you the maximum server sessions for your installation.
The number of network interfaces (ports) for FortiWeb-VM is 4. For installation instructions, see the FortiWeb-VM Install Guide.

Interpreting maximum values


Some of the values in Table 143 need explanation to fully understand their application.


Persistent server sessions


You can set the value of maximum persistent server sessions per policy to a lower number (to a fixed minimum) when configuring a server policy by using the Persistent Server Sessions option. FortiWeb distributes the number of persistent server sessions evenly across the physical servers protected by the server policy. For details, see Configuring server policies on page 118. You cannot maximize both the number of allowed policies and the number of persistent server sessions per policy. The maximum persistent server sessions per unit sets the overall limit. For example, the FortiWeb-400B allows 20 server policies and up to 8 000 persistent server sessions per policy. That does not mean you can have 160 000 persistent server sessions running at one time. The upper limit is 20 000.

Network and VLAN interfaces


You can set up VLAN interfaces across the network interfaces in any arrangement. For example, on a unit with four network interfaces you could distribute them evenly at 8 per interface or apply all 32 to one network interface.


Appendix C: SNMP MIB support


The FortiWeb SNMP agent supports the following management information blocks (MIBs):
Table 144: FortiWeb MIBs

MIB or RFC: Fortinet Core MIB
Description: This Fortinet-proprietary MIB enables your SNMP manager to query for system information and to receive traps that are common to multiple Fortinet devices.

MIB or RFC: FortiWeb MIB
Description: This Fortinet-proprietary MIB enables your SNMP manager to query for FortiWeb-specific information and to receive FortiWeb-specific traps.

MIB or RFC: RFC-1213 (MIB II)
Description: The FortiWeb SNMP agent supports MIB II groups, except:
There is no support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, and so on) do not accurately capture all FortiWeb traffic activity. More accurate information can be obtained from the information reported by the FortiWeb MIB.

MIB or RFC: RFC-2665 (Ethernet-like MIB)
Description: The FortiWeb SNMP agent supports Ethernet-like MIB information, except the dot3Tests and dot3Errors groups.

You can obtain these MIB files from the Fortinet Technical Support web site, https://support.fortinet.com/. To communicate with your FortiWeb unit's SNMP agent, you must first compile these MIBs into your SNMP manager. If the standard MIBs used by the SNMP agent are already compiled into your SNMP manager, you do not have to compile them again. To view a trap or query's name, object identifier (OID), and description, open its MIB file in a plain text editor. All traps sent include the message, the FortiWeb unit's serial number, and host name. For instructions on how to configure traps and queries, see Configuring the SNMP agent on page 66.


Appendix D: Language support & regular expressions


Languages currently supported by the web-based manager are:
English
simplified Chinese
Japanese
traditional Chinese

Non-ASCII characters, symbols, and ideographs are sometimes acceptable input. Support varies by the nature of the item being configured. For example, the host name must not contain special characters, and so the web-based manager and CLI will not accept most symbols and non-ASCII encoded characters as input when configuring the host name. This means that languages other than English often are not supported. However, some configuration items, such as names and comments, may use the language of your choice. To use other languages in those cases, you must use an encoding that supports it.
Input is stored using Unicode UTF-8 encoding, but is not normalized from other encodings into UTF-8 before it is stored. If your input method encodes some characters differently than in UTF-8, your configured items may not display or operate as expected.
Regular expressions are especially impacted. The matching feature uses the UTF-8 character values. If you enter a regular expression using another encoding, or if an HTTP client sends a request in an encoding other than UTF-8, matches may not be what you expect. For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as yen symbols ( ¥ ) and vice versa. A regular expression intended to match HTTP requests containing money values with a yen symbol therefore may not work if the symbol is entered using the wrong encoding.
For best results, you should:
use UTF-8 encoding, or
use only the characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters that are also encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS and other encodings, or
for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients
Note: HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary by the client's operating system or input language. If you cannot predict the client's encoding, only English portions of the request may match, because regardless of the encoding, the values for English characters tend to be encoded identically. For example, English words may be legible regardless of interpreting a web page as either ISO 8859-1 or as GB2312, whereas simplified Chinese characters might only be legible if the page is interpreted as GB2312.
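The Shift-JIS backslash/yen ambiguity described above, as an added example that is not part of the FortiWeb guide: it uses Python's codecs to show how a yen-sign pattern stored without normalization, and a request body decoded with a charset other than the client's, both fail to match, and which characters are safe because they encode identically across UTF-8, ISO 8859-1, Windows code page 1252 and Shift-JIS. The pattern and request bodies are constructed sample values.

```python
"""Shift-JIS backslash/yen ambiguity (added example, not from the FortiWeb guide).

Two failure modes from the text above are simulated:
  1. a pattern typed under a non-UTF-8 input method is stored as raw bytes
     without normalization, so its yen sign becomes a backslash;
  2. an HTTP request body is decoded with a charset other than the one the
     client used, so the yen sign never appears in the decoded text.
All sample values below are constructed for the example.
"""
import re

# A yen sign followed by one or more digits, as typed in a UTF-8 editor.
YEN_PATTERN_TEXT = "¥\\d+"

# Encodings the guide names as agreeing with UTF-8 on the US-ASCII range.
ASCII_COMPATIBLE = ("utf-8", "iso-8859-1", "cp1252", "shift_jis")


def stored_pattern(pattern_text: str, input_encoding: str) -> str:
    """Return the pattern as it would be stored when typed under *input_encoding*.

    Mirrors the guide's description: the bytes the input method produces are
    stored as UTF-8 without being converted first. Under Shift-JIS the yen sign
    is byte 0x5C, which UTF-8 reads as a backslash.
    """
    raw = pattern_text.encode(input_encoding)
    return raw.decode("utf-8", errors="replace")


def matches_yen_amount(body: bytes, charset: str,
                       pattern_text: str = YEN_PATTERN_TEXT) -> bool:
    """Decode *body* with *charset* and test it against the UTF-8 pattern.

    *charset* should be the encoding the HTTP client actually used; decoding
    with any other charset yields different characters and the match fails.
    A Shift-JIS client's yen sign is byte 0x5C, which decodes as a backslash,
    so the yen pattern misses it even under the right charset (the "vice
    versa" case in the text).
    """
    text = body.decode(charset, errors="replace")
    return re.search(pattern_text, text) is not None


def encodes_identically(text: str, encodings=ASCII_COMPATIBLE) -> bool:
    """True if *text* produces the same bytes in every listed encoding.

    This is the guide's safe subset: characters whose byte values agree across
    encodings match regardless of what the client or input method used.
    """
    try:
        return len({text.encode(enc) for enc in encodings}) == 1
    except UnicodeEncodeError:
        return False


# Constructed request bodies: the same form field sent by two clients.
UTF8_BODY = "amount=¥1500".encode("utf-8")      # b'amount=\xc2\xa51500'
SJIS_BODY = "amount=¥1500".encode("shift_jis")  # b'amount=\\1500' (0x5C)


if __name__ == "__main__":
    print("pattern stored via UTF-8 input:    ",
          repr(stored_pattern(YEN_PATTERN_TEXT, "utf-8")))
    print("pattern stored via Shift-JIS input:",
          repr(stored_pattern(YEN_PATTERN_TEXT, "shift_jis")))
    for name, body in (("UTF-8 client", UTF8_BODY), ("Shift-JIS client", SJIS_BODY)):
        for charset in ("utf-8", "shift_jis"):
            print(f"{name} body decoded as {charset}: "
                  f"match={matches_yen_amount(body, charset)}")
    for sample in ("amount=1500", "¥", "\\"):
        print(f"{sample!r} encodes identically: {encodes_identically(sample)}")
```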

FortiWeb Web Application Firewall Version 4.0 MR2 Administration Guide Revision 10 http://docs.fortinet.com/ Feedback


In order to configure your FortiWeb unit using other encodings, you may need to switch language settings on your management computer, including for your web browser or Telnet/SSH client. For instructions on how to configure your management computer's operating system language, locale, or input method, see its documentation.
Note: If you choose to configure parts of the FortiWeb unit using non-ASCII characters, verify that all systems interacting with the FortiWeb unit also support the same encodings. You should also use the same encoding throughout the configuration if possible in order to avoid needing to switch the language settings of your web browser or Telnet/SSH client while you work.

In a similar fashion, your web browser or CLI client should usually interpret display output as encoded using UTF-8. If it does not, your configured items may not display correctly in the web-based manager or CLI. Exceptions include items such as regular expressions that you may have configured using other encodings in order to match the encoding of HTTP requests that the FortiWeb unit receives. For information on configuring the display language of the web-based manager, see Configuring the web-based manager's global settings on page 82.


Appendix E: Ports used by FortiWeb


The following tables list the default port assignments used by FortiWeb.
Table 145: Default ports used by FortiWeb for outgoing traffic

Port number     Port type   Default uses
21              TCP         Web site anti-defacement backup (FTP)
25              TCP         SMTP
53              UDP/TCP     DNS
69              UDP         Back up, restore, update during bootup (TFTP)
123             UDP         NTP synchronization
137, 138, 139   UDP         Web site anti-defacement backup (Windows share)
162             UDP         SNMP traps
389             TCP         LDAP
443             TCP         FDS firmware updates
445             TCP         NTLM, web site anti-defacement backup (Windows share)
514             UDP         Syslog
636             TCP         LDAPS
1812            UDP         RADIUS
5055            UDP         HA heartbeat
5056            UDP         HA configuration synchronization

Table 146: Default ports FortiWeb uses for incoming traffic and listening

Port number     Port type   Default uses
22              TCP         SSH administrative access, CLI access
23              TCP         Telnet administrative access
80              TCP         HTTP administrative access, predefined HTTP service
161             UDP         SNMP queries
443             TCP         HTTPS administrative access, predefined HTTPS service
8333            TCP         FortiWeb conf-sync remote connection

Take care when reassigning ports. Many UDP and TCP port numbers have internationally recognized IANA port assignments and are commonly associated with specific applications or protocols. Moving an administrative service to a nonstandard port also does not limit who can reach it: to reduce exposure, restrict administrative access by network interface and trusted host, and prefer the encrypted administrative protocols (SSH and HTTPS) over Telnet and HTTP, which carry credentials in cleartext.
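An added example (not from this guide and not FortiWeb code) of the check a practitioner would run after deployment: compare the ports actually open on the management interface with the documented incoming-port defaults above, flag anything not in the table, and flag the cleartext administrative protocols even though they are defaults. The scan text is constructed in the style of nmap's grepable (-oG) output rather than taken from a real scan, 192.0.2.10 is a documentation address, and 8443/tcp is included only to show what an unexpected listener looks like in the report.

```python
from typing import Dict, List, Set, Tuple

# Documented default listening ports of the appliance (Table 146 above),
# keyed by (port, protocol).
EXPECTED_LISTENERS: Dict[Tuple[int, str], str] = {
    (22, "tcp"): "SSH administrative access, CLI access",
    (23, "tcp"): "Telnet administrative access",
    (80, "tcp"): "HTTP administrative access, predefined HTTP service",
    (161, "udp"): "SNMP queries",
    (443, "tcp"): "HTTPS administrative access, predefined HTTPS service",
    (8333, "tcp"): "FortiWeb conf-sync remote connection",
}

# Administrative services that carry credentials in cleartext. Seeing them
# open from an untrusted network is worth flagging even though they are defaults.
CLEARTEXT_ADMIN: Set[Tuple[int, str]] = {(23, "tcp"), (80, "tcp")}

# Constructed sample in the style of nmap's grepable (-oG) output, standing in
# for a real scan of the management interface. 192.0.2.10 is a documentation
# address; 8443/tcp is included only to show an unexpected listener.
SAMPLE_SCAN = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 161/open/udp//snmp///, 443/open/tcp//https///, "
    "8333/open/tcp//unknown///, 8443/open/tcp//https-alt///\n"
)


def parse_grepable(scan: str) -> List[Tuple[int, str]]:
    """Return (port, protocol) for every port reported 'open' in -oG style text."""
    found: List[Tuple[int, str]] = []
    for line in scan.splitlines():
        if "Ports:" not in line:
            continue
        for entry in line.split("Ports:", 1)[1].split(","):
            fields = entry.strip().split("/")   # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                found.append((int(fields[0]), fields[2]))
    return found


def audit_listeners(observed: List[Tuple[int, str]]) -> Dict[str, List[str]]:
    """Compare observed open ports with the documented defaults.

    unexpected:      open, but not in the documented table (a reassigned port,
                     an added service, or something that should not be there)
    cleartext_admin: documented, but an unencrypted administrative protocol
    not_listening:   documented, but not open (normal when that access method
                     has been disabled on the interface that was scanned)
    """
    seen = set(observed)
    report: Dict[str, List[str]] = {"unexpected": [], "cleartext_admin": [], "not_listening": []}
    for port, proto in sorted(seen):
        if (port, proto) not in EXPECTED_LISTENERS:
            report["unexpected"].append(f"{port}/{proto}")
        elif (port, proto) in CLEARTEXT_ADMIN:
            report["cleartext_admin"].append(f"{port}/{proto}: {EXPECTED_LISTENERS[(port, proto)]}")
    for port, proto in sorted(EXPECTED_LISTENERS):
        if (port, proto) not in seen:
            report["not_listening"].append(f"{port}/{proto}")
    return report


if __name__ == "__main__":
    for category, items in audit_listeners(parse_grepable(SAMPLE_SCAN)).items():
        print(f"{category}: {items or '-'}")
```

Run the same audit against a scan from each network the appliance is attached to; an entry under `not_listening` for 23/tcp or 80/tcp on an untrusted segment is the desired result, while anything under `unexpected` is a reassigned or added service to account for.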


Index

Symbols
_email, 21
_fortinet_waf_auth, 272
_fqdn, 21
_index, 21
_int, 21
_ipv4, 21
_ipv4/mask, 21
_ipv4mask, 21
_ipv6, 21
_ipv6mask, 21
_name, 21
_pattern, 21
_str, 21
_url, 21
_v4mask, 21
_v6mask, 21
alert email, 313, 316
  enabling, 296, 317
algorithm, 176
allow method exception, 237
alphanumeric, 153
anonymous, 111
ANSI, 153
ANSI escape code, 153
anti-defacement, 293, 294
  performance, 367
Apache, 155, 282
  Tomcat, 155, 282
ARP, 377
  packets, 362
ASCII, 401, 402
attack
  count in auto-learning report, 289
  log, 33, 289, 328
  log aggregation, 34
  log search, 341
  protection, 184
  signatures, 101, 360
attacks, 29
Attacks tab, 287
attributes, XML, 170, 172
authentication, 257, 259, 261, 307
  supporting modes, 71
Authorization, 191, 258
auto-learning, 281
  performance, 284, 365
  profile, 278, 279
  reports, 282

Numerics
301 Moved Permanently, 306
302 Moved Temporarily, 248, 306, 307
401 Authorization Required, 258
401 Unauthorized, 278, 281, 307
403 Forbidden, 192, 248, 273, 288
404 File Not Found, 273, 289
500 Internal Server Error, 278, 281
5055, 65
5056, 65

A
access profile, 77, 78, 80
access protocols, 359
action message format (AMF), 274, 278
actions, 31
Active Directory, 113
active-passive, 61
address resolution protocol (ARP), 64
administrative access, 82
  interface settings, 52
  restricting, 51, 52, 75, 77, 78
administrator
  "admin" account, 387, 390, 392
  password, 77
  trusted host, 77
Adobe Flash, 25
aggregation, 34
AJAX, 163
alert, 167, 168, 187, 188, 192, 270, 272, 287
  false positives, 31
  tuning, 31

B
back up web site, 297
backup, 96, 98, 355
  firmware, 389
  partition, 98
Backup HA unit, 61
Base64, 88
Basic Mode, 306
bind DN, 111
black IP, 221, 292
Block Period, 230
boot interrupt, 391
bootup, 381
bridge, 55, 119, 120, 123
bridge protocol data unit (BPDU), 57
broadcast, 64
browser, 25, 92, 127
brute force login attack, 224
buffer overflow, 170, 252, 306
bypass, 129


C
certificate, 84, 126, 139
  default, 85
  local, 85
  operation modes, 88
  personal, 127
  server, 85
  signing chain, 89, 92, 127
  signing request, 85, 86
  trust, 89, 92, 127
  user, 127
  warning, 92, 127
certificate authority (CA), 86, 88, 90, 92, 95, 96, 127
certificate revocation list (CRL), 90, 95, 127
chain of trust, 127
character data (CDATA), 172
character entity references, 172
Chinese, 83
CIDR, 21
Cisco discovery protocol (CDP), 54
CLI, 42, 45, 75, 78
  commands, 372
  Console widget, 43, 45
  prompt, 45
CLI commands
  debug, 378
  diagnose, 377
  network, 377
  packet, 378
  sniffer, 378
cloaking, 192
clock, 44, 101
cluster, 135
ColdFusion, 205
color code, 153
column view
  logs, 338
command line interface (CLI), 14, 20
command prompt, 45
comma-separated value (CSV), 153, 320, 335
Common Exploits, 204
community, 66, 67, 68
compliance, 299
configure
  DoS, 70
connectivity, 373
contact information, SNMP, 67
content filter, 363
content routing, 120, 123, 136
  examples, 141
  HTTP, 120, 123, 136
  WSDL, 136
  XPath, 136
Content-Length, 191, 252, 254, 257
Content-Type, 188
conventions, 19
cookie, 121, 189, 191, 271, 272, 276
country code, 153
cp1252, 401
CPU usage, 47, 69
credit card number, 153, 206, 209
cross-site request forgery (CSRF), 198, 204
cross-site scripting (XSS), 101, 102, 201, 204, 209, 274, 278, 306
CSR
  submit, 88
custom robot signature, 232
customize dashboard, 42

D
dashboard, 28, 41
  customize, 42
data constraints, 170
data leak, 201, 206
dates, 153
daylight savings time (DST), 100
debug command, 378
decrypt, 126
defacement, web site, 293
default
  administrator account, 80, 387, 390, 392
  route, 105
delete items, 15
denial of service (DoS), 70, 300, 307
deployment mode, 37
DETECT_ALLOW_HOST_FAILED, 125, 150
DETECT_ALLOW_METHOD_FAILED, 272, 277
DETECT_ALLOW_ROBOT, 230
DETECT_ALLOW_ROBOT_GOOGLE, 229
DETECT_ALLOW_ROBOT_MSN, 229
DETECT_ALLOW_ROBOT_YAHOO, 229
DETECT_BLACK_PAGE, 220, 273, 277
DETECT_BRUTE_FORCE_LOGIN, 227, 273
DETECT_MALICIOUS_ROBOT, 230, 273, 277
DETECT_PAGE_RULE_FAILED, 201, 273
DETECT_PARAM_RULE_FAILED, 194, 273, 277
DETECT_RESPONSE_INFORMATION_DISCLOSURE, 205
  credit card leakage, 206
DETECT_SQL_INJECTION, 204
DETECT_START_PAGE_FAILED, 216, 273
DETECT_URL_ACCESS_ALERT_DENY, 272, 277
DETECT_XSS_ATTACK, 204
diagnose command, 377
Diffie-Hellman exchange, 139
digital certificate requests, 84
distinguished name (DN), 85, 90, 91, 94, 95
DNS
  server, 59, 318
  test connection, 376
document object model (DOM), 241
document type description (DTD), 171, 172
documentation
  conventions, 19
  Release Notes, 391
domain name
  local, 45, 58, 59
DoS, 70
dotted decimal, 21
down, 51


down time, 66
downgrade, 387
DSA, 88

FTP, 98, 105, 294
  backup, 355
FTP backup, 98
fully qualified domain name (FQDN), 21, 87

E
elements, XML, 170, 172
email alert, 296, 317
encoding, 83, 401
encrypt, 126
Enhanced Mode, 306
escape codes, 153
Ethernet, 399
event log, 328
  console, 42
event, SNMP, 69
expected input, 20
extended signature set, 31
external entity attack, 185, 187
external schema reference, 185, 187

G
gateway, 105, 106
GB2312, 401
general entity reference, 172
Google, 282
graphical user interface (GUI), 25
gratuitous ARP, 64
greedy, 330
group ID, 63
group name
  HA, 64

H
HA
  Backup, 61
  group name, 64
  heartbeat interface, 65
  interface monitoring, 65
  Master, 61
  mode setting, 63
    Master, 63
    Slave, 63
    Standalone, 63
  pair, 61
  port monitor, 65
hard disk, 334
  logging to, 325
hardware problems, 374
health check, server, 132, 134, 136, 144
heartbeat interface, 65
heartbeat, HA, 64
  interface, 65
hexadecimal, 153
high availability (HA), 61, 313
  mode, 43
  status, 43
hit, 289
Host, 125, 147, 148, 149, 191, 242, 246, 250, 269
host name, 42, 45, 399
HTTP, 52, 144, 145
  headers, 147
  port number, 82
HTTP authentication, 257, 259, 261
HTTP Content Routing, 120, 123, 136
HTTP_HEADER_LEN_OVERFLOW, 273
HTTP_HEADER_LINE_LEN_OVERFLOW, 273
HTTPS, 51, 52, 84, 87
  port number, 82
hypertext markup language (HTML), 153

F
fail-open, 58
false positive, 31, 206, 207, 254, 311, 328, 336
file size limit, 179
files
  extensions, 368
  large, 367
filter
  clear, 339
  icon, 339
  logs, 339
firewall, 360
firmware
  backup, 389
  change, 43
  downgrade, 387
  install, backup firmware image, 389
  restore, 391
  test, 385
  upgrade, 387
  version, 42, 44
Flash, 274, 278
forensic analysis, 328, 336
forgotten password, 76
formatted view, logs, 338
formatting the boot device, 391
FortiAnalyzer, 323, 327
FortiGuard Distribution Network (FDN), 102, 103
FortiGuard Distribution Server (FDS), 103
Fortinet
  Knowledge Base, 18
  Technical Documentation, 18
    comments, 19
    conventions, 19
  Technical Support, 18, 399
  Training Services, 18
FORTIWAFSID, 271, 276
FortiWeb-VM, 397

I
ICMP, 52, 56, 58, 399


ICMP ECHO, 144, 320, 322
idle, 83
IEEE 802.1d, 56, 396
IEEE 802.1q, 53, 55, 396
IIS, 155
index number, 21
information disclosure, 366
injection attack, 204, 209
input constraints, 20
input method, 402
installation, 14
interface
  administrative access, 52
  monitoring, HA, 65
interval
  health check, 145
inter-VLAN routing, 53, 55
IP address, 78
IP-based forwarding, 105
ISO 8859-1, 401

J
Japanese, 83
JavaScript, 45, 121, 163, 241

K
key, 176
  file, 175
  management group, 188
key size, certificate, 88
key type, certificate, 87

log, 100
  attack log, 328
  column view, 338
  event log, 328
  filter, 339
  formatted view, 338
  level, 314
  message aggregation, 340
  message details, 335
  messages cleared, 356
  packet log details, 336
  raw view, 339
  rotate, 325
  storing, 323
  Syslog, 326
  to memory, 326
  to the hard disk, 325
  traffic log, 329
  types, 314, 327
log details, 336
log filter
  clear, 339
log in problems, 379
log level, 314
loop, 56, 57
lost password, 76

M
MAIL TO, 296
management information block (MIB), 66, 399
manager, SNMP, 66, 68, 69, 399
markup, 153
Master HA unit, 61
maximum transmission unit (MTU), 53
maximum values, 397
media access control (MAC) address, 52, 56, 57
memory leak, 306
memory usage, 47, 69
memory, log to, 326
MIB
  RFC 1213, 399
  RFC 2665, 399
Microsoft
  Active Directory, 113
  Excel, 335
  IIS, 154, 155
  Internet Explorer, 25
minimum cost path, 56
mode
  deployment, 37
  HA, 63
  monitor, 38
  offline protection, 71, 119
  reverse proxy, 53, 71, 119
  transparent inspection, 72, 119
  true transparent proxy, 58, 72, 119
monitor mode, 38
Mozilla Firefox, 25
MS Windows, 377
MSN, 282

L
language, 26, 83, 401, 402
  web-based manager, 83
Layer 2, 53, 56, 57
Layer 3, 53
LDAP
  bind, 111
  password, 111
LDAPS, 110
lightweight directory access protocol (LDAP), 258
limit
  file size, 179
  rate, 227
link checker, 227
Linux, 377
load balancing, 120, 123
  algorithm, 136
  deployment mode, 37
  weight, 136
local console access, 45, 78
local domain name, 45, 58, 59
locale, 402
Location, 248, 269, 272


multicast, 65

N
navigation pane, 284
netmask
  administrator account, 77
network address translation (NAT), 56, 119, 224, 226, 228, 230
network interface
  status, 51
Network Time Protocol (NTP), 100
next-hop router, 105, 106
no-follow, 228
no-index, 228
notification, 293, 296, 317
NT LAN Manager (NTLM), 113, 258

O
object identifier (OID), 399
offline protection mode, 44, 71, 119, 125
  switching from, 35
offloading, 85, 126
one-arm, 129
online certificate status protocol (OCSP), 90, 96, 127
operation mode, 43, 44, 126, 355
  supported features in, 72
  switching, 35, 71
order of execution, 190
oversized payload, 170
Overview tab, 286

policy
  maximum number, 398
  server, 117
port
  monitor, HA, 65
  number, 26, 65, 69, 82, 120, 124, 125, 126
  numbers, 373
  SNMP, 69
  UDP ports 33434-33534, 376
postal code, 153
power interruption, 58
power on, 381
predefined data type, 365
primary heartbeat interface, 65
processing flow, 190
processing instruction (PI), 172
prompt, 46
protocol, 359, 360
proxy, 272

Q
query
  anonymous, 111
  DNS, 58
  report, 349
  SNMP, 66, 69, 399

R
RAID, 74
random access memory (RAM), 47, 326, 332, 334
rapid spanning tree protocol (RSTP), 56
rate limit, 227, 307
raw view, logs, 339
reachable, 105
read & write administrator, 103
really simple syndication (RSS), 163
recursive payload, 170
redirect, 246, 248
Referer, 246, 249, 250, 269, 272
regular expression, 21, 151, 154, 156, 196, 198, 200, 209, 215, 220, 226, 232, 234, 239, 250, 328
  GB2312 encoding, 83
  tuning, 31
  validator, 31
Release Notes, 391
remove items, 15
report
  download, 353, 354
  HTML format, 352
  MS Word format, 352
  on demand, 345, 351
  PDF format, 352
  periodically generated, 345
  query, 349
  schedule, 351
  time span, 348
  view, 353
  vulnerability scan, 299, 309

P
packet, 336
packet capture, 368
packet command, 378
packet payload, 32, 328
pair, 61
partition, 98, 387, 391
password, 77, 380
  encrypt log files, 335
  forgotten, 76
  LDAP bind, 111
  lost, 80
  plain, 360
  reset, 76, 80
  strong, 358
  weak, 153
pattern, 21
payload, 336
PCI DSS, 206
PDF report, 352
performance, 41, 150, 205, 363
permissions, 77, 78, 80
  access, 372
persistent server sessions, 398
phone number, 153
ping, 52, 56, 58, 144, 320, 322, 374
PKCS #10, 88
PKCS #12, 88


representational state transfer (REST), 188
reset password, 80
resolution, 25
retry
  health check, 145
reverse proxy, 44
reverse proxy mode, 44, 53, 71, 119, 125
reverting web site, 297
rewrite, 246
RFC
  1213, 399
  2616, 250
  2617, 257
  2665, 399
robot, 227
root folder of a web site, 296
Schema file, 180
route
  by web service operations, 136, 173
  by XPath, 136
  content, 136
  default, 105
  static, 74, 105
RSA, 88
RTF bookmarks, 153
RTF report, 352
rule violation severity, 191

S
scheduling, 100, 164, 165
schema
  compressed, 179
  file, 178
  poisoning attack, 185, 187
  verification, 178
search
  attack log, 341
search engine, 227
secondary heartbeat interface, 65
Secure Shell (SSH), 45, 51, 52, 78, 294
security, 357
sensitive information, 201
sequence of scans, 190
serial number, 44, 399
  certificate, 85, 90, 91, 94, 95
serial port parameters, 381
server, 191, 205
  farm, 119, 135
  health check, 132, 134, 136, 144, 365
  maximum sessions, 398
  protection rules, 201
  status, 132, 134, 136, 144
server farm, 50
  status, 50
session timeout, 124
Session-Id, 277
Set-Cookie, 121
Setup Wizard, 104

severity
  level, 349
  levels, 30
  rule violation, 191
Shift-JIS, 401
signature set, 31
signing chain, 89, 92, 127
simple certificate enrollment protocol (SCEP), 88, 91, 93, 95
simple network management protocol (SNMP), 52, 66, 68, 69
  Agent, 67
  agent, 399
  community, 67
  contact information, 67
  OID, 399
  query, 69
  RFC 1213, 399
  RFC 2665, 399
  system name, 45
simple object access protocol (SOAP), 163
sniffer command, 378
Social Insurance Number (SIN), 153
Social Security Number (SSN), 153
source code disclosure, 306
spanning tree protocol (STP), 56, 57
special characters, 45, 401
spider, 227
SQL
  injection, 102, 188, 201, 204, 209, 274, 278, 306
  injection, blind, 204
  statements, 153
SSL, 13, 38, 85, 100, 110, 126, 139
  certificate, 126, 139
  hardware accelerated, 126
  offload, 126
  on the web servers, 74
Start Learning, 284
STARTTLS, 110, 111
state name, 153
static route, 74, 105
status
  FortiWeb, 41
  server, 132, 134, 136, 144
storing logs, 323
STP, 56
string, 21
subject information, certificate, 86
submit CSR, 88
subnet, 52, 55
SYN flood, 70
sync interval, 101
syntax, 20
Syslog, 323, 326
system resource usage, 42
system time, 42, 44, 100

T
TCP, 144
  session timeout, 124
  SYN flood, 70


Telnet, 45, 53, 78, 359
text node, 172
text/xml, 188
TFTP, 385, 392
throughput, 47
time, 44, 100, 153
time to live (TTL), 376
timeout, 124, 306
  health check, 144, 145
  idle, 83
TLS, 126, 139
Tomcat, 155
traceroute, 320, 322, 374, 376
tracert, 377
traffic flow, 379
traffic log, 329
  delay, 333
traffic volume, 47
transparent inspection mode, 44, 72, 119
transport layer security (TLS), 91
trap, 66, 69, 399
  SNMP, 399
triggers, 30
troubleshooting, 369
  bootup, 381
  connectivity, 373
  debug packet flow, 378
  hardware, 374
  packet sniffing, 377
  plan, 371
  resources, 378
  routing table, 377
  Syslog, 320, 322
  traffic flow, 369
true transparent proxy mode, 44, 58, 72, 119
trust IP, 220, 292
trusted client, 221
trusted host, 77, 78, 357, 380
tunneling, 103

virtual host, 149
virtual LAN, 53
virtual MAC, 64
virtual network interface, 56, 58
virtual server, 119, 120, 123
VLAN, 50, 53
VLAN trunk, 55
vulnerability scan, 299
  false positive, 311
  preparation, 300
  rate limit, 307
  report, 299, 309
  timeout, 306
v-zone, 55, 119, 120, 123

W
W3C
  SOAP, 163
  WSDL, 181, 183
  XML, 163
  XML encryption, 188
  XML Schema, 172
  XML signatures, 187
web anti-defacement, 367
web browser, 25
web crawler, 227
web proxy, 103
web service definition language (WSDL), 136, 181, 183
  content routing, 120, 123, 173
  file, 181
  scan, 181
  scanning attack, 185, 187
  verification, 187
web traffic, 369
web-based manager
  language, 83
widget, 28, 41
wiki code, 153
wild cards, 21
WSDL verification, 187
WVS report format, 302
WWW-Authenticate, 258

U
UDP, 65
UK vehicle registration, 153
Unicode, 401
uniform resource identifier (URI), 153
up, 51
upgrade, 387
uptime, 42
US-ASCII, 45, 401, 402
user authentication
  supporting modes, 71
User-Agent, 191, 227, 232, 234
UTF-8, 83, 401

X
X.509, 88
X-Forwarded-For, 272
XML, 163
  attributes, 170, 172
  decryption, 187, 188
  elements, 170, 172
  encryption, 188
  namespace (XMLNS), 172
  signature, 187, 188
XMLHttpRequest, 163
XPath, 120, 123, 136, 188
  content filter rule, 166, 167, 168
  expression, 138

V
validator, 31
value parse error, 21
VBScript, 153


Y
Yahoo!, 282

Z
ZIP code, 153


www.fortinet.com
