Fortinet white logo
Fortinet white logo

Cookbook

Protecting a server running web applications

Protecting a server running web applications

You can use a web application firewall profile to protect a server that is running a web application, such as webmail.

Web application firewall profiles are created with a variety of options called signatures and constraints. Once these options are enabled, the action can be set to allow, monitor, or block. The severity can be set to high, medium, or low.

In the following example, the default profile will be targeted to block SQL injection attempts and generic attacks.

Note

The web application firewall feature is only available when the policy inspection mode is proxy-based.

To protect a server running web applications:
  1. Enable the web application firewall:
    1. Go to System > Feature Visibility.
    2. Under Security Features, enable Web Application Firewall.
    3. Under Additional Features, click Show More and enable Multiple Security Profiles.
    4. Click Apply.

  2. Edit the default web application firewall profile:

    Trojans and Known Exploits are blocked by default.

    1. Go to Security Profiles > Web Application Firewall.
    2. Edit the default profile signature:
      1. Enable SQL Injection (Extended) and Generic Attacks (Extended).
      2. For both signatures, set the Action to Block and the Severity to High.
      3. Click Apply.

  3. Apply the profile to a security policy:
    1. Go to Policy & Objects > IPv4 Policy.
    2. Edit the policy that allows access to the web server:
      1. Under Firewall / Network Options, select the appropriate Protocol Option.
      2. Under Security Profiles, enable Web Application Firewall and set it to use the default profile.
      3. Set the SSL Inspection to use the deep-inspection profile.
      4. Click OK.

  4. Verify that the web application firewall blocks traffic:
    1. Use the following URL to simulate an attack on your web server and substitute the IP address of your server: http://<server IP>/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1

      An error message appears, stating that the web application firewall has blocked the traffic:

Offloading to a FortiWeb

If you have a FortiWeb, you may be able to offload the functions of the web application control to your FortiWeb. To find out if this option is available, refer to the FortiOS or FortiWeb Release Notes for information about device compatibility.

To offload to a FortiWeb:
  1. Go to Security Fabric > Settings.
  2. Enable Fabric Devices.
  3. Enter the following for the device:
    1. Name (FortiWeb)
    2. FortiWeb IP address
    3. HTTPS service port

  4. Click Generate.
  5. Enter your credentials to generate the access token.
  6. Click OK.

Protecting a server running web applications

Protecting a server running web applications

You can use a web application firewall profile to protect a server that is running a web application, such as webmail.

Web application firewall profiles are created with a variety of options called signatures and constraints. Once these options are enabled, the action can be set to allow, monitor, or block. The severity can be set to high, medium, or low.

In the following example, the default profile will be targeted to block SQL injection attempts and generic attacks.

Note

The web application firewall feature is only available when the policy inspection mode is proxy-based.

To protect a server running web applications:
  1. Enable the web application firewall:
    1. Go to System > Feature Visibility.
    2. Under Security Features, enable Web Application Firewall.
    3. Under Additional Features, click Show More and enable Multiple Security Profiles.
    4. Click Apply.

  2. Edit the default web application firewall profile:

    Trojans and Known Exploits are blocked by default.

    1. Go to Security Profiles > Web Application Firewall.
    2. Edit the default profile signature:
      1. Enable SQL Injection (Extended) and Generic Attacks (Extended).
      2. For both signatures, set the Action to Block and the Severity to High.
      3. Click Apply.

  3. Apply the profile to a security policy:
    1. Go to Policy & Objects > IPv4 Policy.
    2. Edit the policy that allows access to the web server:
      1. Under Firewall / Network Options, select the appropriate Protocol Option.
      2. Under Security Profiles, enable Web Application Firewall and set it to use the default profile.
      3. Set the SSL Inspection to use the deep-inspection profile.
      4. Click OK.

  4. Verify that the web application firewall blocks traffic:
    1. Use the following URL to simulate an attack on your web server and substitute the IP address of your server: http://<server IP>/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1

      An error message appears, stating that the web application firewall has blocked the traffic:

Offloading to a FortiWeb

If you have a FortiWeb, you may be able to offload the functions of the web application control to your FortiWeb. To find out if this option is available, refer to the FortiOS or FortiWeb Release Notes for information about device compatibility.

To offload to a FortiWeb:
  1. Go to Security Fabric > Settings.
  2. Enable Fabric Devices.
  3. Enter the following for the device:
    1. Name (FortiWeb)
    2. FortiWeb IP address
    3. HTTPS service port

  4. Click Generate.
  5. Enter your credentials to generate the access token.
  6. Click OK.