Administration Guide

Protecting a server running web applications

You can use a web application firewall profile to protect a server that is running a web application, such as webmail.

Web application firewall profiles are created with a variety of options called signatures and constraints. Once these options are enabled, the action can be set to allow, monitor, or block. The severity can be set to high, medium, or low.

In the following example, the default profile will be targeted to block SQL injection attempts and generic attacks.

Note

The web application firewall feature is only available when the policy inspection mode is proxy-based.

To protect a server running web applications:
  1. Enable the web application firewall:
    1. Go to System > Feature Visibility.
    2. Under Security Features, enable Web Application Firewall.
    3. Click Apply.
  2. Edit the default web application firewall profile (Trojans and Known Exploits are blocked by default):
    1. Go to Security Profiles > Web Application Firewall and edit the default profile signature.
    2. Select SQL Injection (Extended) and edit it so that it is enabled, the Action is set to Block, and the Severity is set to High.
    3. Click OK.
    4. Select Generic Attacks (Extended) and edit it so that it is enabled, the Action is set to Block, and the Severity is set to High.
    5. Click OK.
    6. Click OK to save the profile.
  3. Apply the profile to a security policy:
    1. Go to Policy & Objects > Firewall Policy and edit the policy that allows access to the web server.
    2. For Firewall / Network Options, select the appropriate Protocol Option.
    3. For Security Profiles, enable Web Application Firewall and set it to use the default profile.
    4. Set the SSL Inspection to use the deep-inspection profile.
    5. Configure the other settings as needed.
    6. Click OK.
  4. Verify that the web application firewall blocks traffic:
    1. Use the following URL to simulate an attack on your web server, substituting the IP address of your server: http://<server IP>/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1

      An error message appears, stating that the web application firewall has blocked the traffic.
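The following is an added illustration, not Fortinet code and not how the FortiGate signature engine is implemented. It models the profile semantics this guide describes (a signature is enabled, given an action of allow, monitor, or block, and a severity of high, medium, or low) and runs the guide's verification URL through those rules. The host 192.0.2.10, the regular expressions, and the function names are constructed for the example; the real product's signatures are far more extensive.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample input: the verification URL from this guide with a
# documentation-range IP standing in for <server IP>.
TEST_URL = ("http://192.0.2.10/index.php"
            "?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1")
BENIGN_URL = "http://192.0.2.10/index.php?username=alice&password=hunter2"

# Signature entries modelled on the two profile options the guide enables.
# The patterns are illustrative approximations, not FortiGate's signatures.
SIGNATURES = [
    {
        "name": "SQL Injection (Extended)",
        "enabled": True,
        "action": "block",
        "severity": "high",
        # Tautology-style quote/or/equals sequence, e.g.  1' or '1' = '1
        "pattern": re.compile(r"(?i)'\s*or\s*'[^']*'\s*=\s*'"),
    },
    {
        "name": "Generic Attacks (Extended)",
        "enabled": True,
        "action": "block",
        "severity": "high",
        # Script-tag injection or directory traversal fragments.
        "pattern": re.compile(r"(?i)<script\b|\.\./"),
    },
]


def decode_params(url):
    """Split the query string and percent-decode each value (as a WAF
    inspects the decoded parameter, not the raw URL)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def with_action(signatures, name, action):
    """Return a copy of the signature list with one entry's action changed
    (used below to contrast 'monitor' with 'block')."""
    return [dict(s, action=action) if s["name"] == name else dict(s)
            for s in signatures]


def inspect_request(url, signatures=SIGNATURES):
    """Evaluate every enabled signature against every decoded parameter.

    Returns (verdict, matches) where verdict is 'block', 'monitor' or
    'allow'. A single matching 'block' signature decides the request;
    'monitor' only records the hit and lets the request through.
    """
    matches = []
    for param, value in decode_params(url).items():
        for sig in signatures:
            if sig["enabled"] and sig["pattern"].search(value):
                matches.append({
                    "param": param,
                    "signature": sig["name"],
                    "action": sig["action"],
                    "severity": sig["severity"],
                })
    if any(m["action"] == "block" for m in matches):
        verdict = "block"
    elif any(m["action"] == "monitor" for m in matches):
        verdict = "monitor"
    else:
        verdict = "allow"
    return verdict, matches


if __name__ == "__main__":
    for label, url in (("test", TEST_URL), ("benign", BENIGN_URL)):
        verdict, hits = inspect_request(url)
        print(f"{label}: {verdict}")
        for h in hits:
            print(f"  {h['severity']} {h['signature']} in {h['param']} -> {h['action']}")
    # Same request against a profile where the SQLi signature is set to monitor.
    monitor_rules = with_action(SIGNATURES, "SQL Injection (Extended)", "monitor")
    print("test with monitor action:", inspect_request(TEST_URL, monitor_rules)[0])
```

Running it shows why the guide has you set the action to Block rather than Monitor: with Monitor the same two parameter hits are recorded at High severity, but the verdict is "monitor" and the request reaches the server. Only "block" produces the error page the verification step expects.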

Offloading to a FortiWeb

If you have a FortiWeb, you may be able to offload the functions of the web application control to your FortiWeb. To find out if this option is available, refer to the FortiOS or FortiWeb Release Notes for information about device compatibility.

To offload to a FortiWeb:
  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New, and click Fabric Device.
  3. Enter the following for the device:
    1. Name (FortiWeb)
    2. FortiWeb IP address
    3. HTTPS service port
  4. Click Generate.
  5. Enter your credentials to generate the access token.
  6. Click OK.
