Security

The following security features are provided by FortiWeb Cloud:

  • When Block Mode is enabled, FortiWeb Cloud blocks requests if they trigger violations. Your application server does not receive these requests.
  • When Block Mode is disabled (that is, the Monitor mode), FortiWeb Cloud only monitors violations and generates logs for them. FortiWeb Cloud does not block the malicious requests. You can view the attack logs in FortiView or Attack Logs.

You can add exceptions in Attack Logs so that requests for the specified URL or parameter are no longer detected as attacks. See Log Settings for more information.

You can also add exceptions in the following three security modules:

You can use the URL Access in Access Rules to define which HTTP requests FortiWeb Cloud accepts or denies based on their Host: name and URL, as well as the origin of the request. See URL Access for more information.

You can also add URL filters in Custom Rules to match the requests with specified URLs. See Custom Rule for more information.

No. FortiWeb Cloud does not charge for inbound traffic, so a DDoS attack does not incur additional charges. An advantage of deploying FortiWeb Cloud in a public cloud (AWS, Azure, and Google Cloud) is that FortiWeb Cloud also benefits from the volumetric DDoS protection provided by those platforms. In addition, FortiWeb Cloud provides its own protection against Network and transport layer (TCP/IP) and Application layer (HTTP or HTTPS) DDoS attacks (see DDoS prevention).

FortiWeb Cloud provides Templates for you to create configuration templates and apply them to multiple applications. For more information, see Templates.

FortiWeb Cloud executes the security rules in a certain sequence. See Sequence of scans.

The MITB Protection restricts AJAX requests to external domains. If you come across this warning, it could be because the request has triggered the MITB rules. If you are confident in its safety, you have the option to add this link to the External Domain allowlist in MITB Protection. For more information, see MITB Protection.

DDoS attacks can be prevented at the Application layer (HTTP or HTTPS) and at the Network layer (TCP/IP).

Because the public cloud platforms already perform basic Network layer TCP flood prevention in front of FortiWeb Cloud, by the time traffic reaches FortiWeb Cloud it only needs to detect DDoS attacks at the Application layer (HTTP or HTTPS).

First verify that Block Mode is currently enabled.

By default, Block Mode is disabled after an application is onboarded. You need to enable it before the WAF modules take effect; until then violations are only logged.

On the Applications page, you can turn Block Mode on or off for each application. Before enabling Block Mode, however, perform the recommended checks (for example, review the attack logs generated in Monitor mode for false positives). For more detailed information on Block Mode, see Understanding block mode and action.

The FortiGuard website (https://www.fortiguard.com/services/ws) maintains an up-to-date IP reputation database. However, FortiWeb Cloud may still be using data that is a few days old, so there is a delay before a change on the FortiGuard side is reflected in FortiWeb Cloud.

Once the database in FortiWeb Cloud is updated, the IP address will be removed from the Bad Reputation IP list. If you trust the IP address and do not want to wait for the update, you can manually add it to the Trust IP list in the IP Protection settings. Note that an IP in the Trust IP list bypasses every security module, not only the reputation check; if you only want to skip the IP Protection checks while keeping the other modules active, use the Allow-Only IP list instead.

Turn on Advanced Threat Protection in File Protection, then FortiWeb Cloud will send files that meet the configured conditions to FortiSandbox for evaluation.

This option works only if your application is hosted on AWS or Azure. Refer to https://docs.fortinet.com/document/fortiweb-cloud/latest/user-guide/748121/file-protection.

IPs in the Trust IP list are fully trusted by FortiWeb Cloud and undergo no further scanning, whereas IPs in the Allow-Only list are trusted by the IP Protection module only and are still forwarded to the other modules for security checks.

It is important to note that there are other considerations regarding these lists. For more comprehensive details, refer to the description of the "Type" option in IP Protection.

To allow certain IPs from a restricted country, follow these steps in Access Rules > IP Protection:

  1. Block the country through GEO IP Block. This prevents access from IP addresses originating from the specified country.
  2. Add the IPs to the Allow-Only IP List. The IP Protection module then trusts these IPs and forwards them to the other modules for additional security checks. If you have complete trust in these IP addresses, you can instead add them to the Trust IP list, in which case they bypass all further security checks and are permitted directly.

By combining these steps, you block access from the restricted country while allowing specific IPs from it.

For more comprehensive details, refer to IP Protection.
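The following Python model, added here as an illustration and not FortiWeb Cloud's own code, shows how the lists described above (Trust IP, Allow-Only, GEO IP Block, the Bad Reputation IP list) combine with Block Mode for a single request. The list names and their effects are taken from this page; the evaluation order (Trust IP first, then the IP Protection checks, then the remaining modules), the assumption that Allow-Only also skips the reputation check, the tiny GeoIP table and the hypothetical country codes are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed GeoIP table standing in for the real database (TEST-NET ranges,
# hypothetical country codes).
GEO_DB = {
    "203.0.113.0/24": "XX",   # country we will block with GEO IP Block
    "198.51.100.0/24": "YY",  # country that is not blocked
}


@dataclass
class IpProtection:
    trust_ips: List[str] = field(default_factory=list)           # bypass every module
    allow_only_ips: List[str] = field(default_factory=list)      # bypass IP Protection only
    blocked_countries: Set[str] = field(default_factory=set)     # GEO IP Block
    bad_reputation_ips: List[str] = field(default_factory=list)  # FortiGuard feed (may lag)
    block_mode: bool = False                                     # False = Monitor mode


def in_any(ip: str, networks: List[str]) -> bool:
    """True if ip falls in any of the listed addresses or CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_DB.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return "??"  # unknown


def verdict(policy: IpProtection, reason: str) -> Tuple[str, str]:
    """Block Mode decides whether a violation is enforced or only logged."""
    if policy.block_mode:
        return ("block", reason)
    return ("log", reason + " (Monitor mode: logged, request forwarded)")


def evaluate(policy: IpProtection, client_ip: str,
             other_modules_violation: bool) -> Tuple[str, str]:
    """Return (action, reason) for one request.

    other_modules_violation stands in for the combined result of every module
    after IP Protection (signatures, URL Access, custom rules, ...), which the
    example does not model in detail.
    """
    # 1. Trust IP: fully trusted, no further scanning by any module.
    if in_any(client_ip, policy.trust_ips):
        return ("allow", "Trust IP: bypasses all security modules")

    # 2. IP Protection checks; Allow-Only IPs skip them (assumption: this
    #    includes the reputation check) but are still scanned downstream.
    if not in_any(client_ip, policy.allow_only_ips):
        if country_of(client_ip) in policy.blocked_countries:
            return verdict(policy, "GEO IP Block")
        if in_any(client_ip, policy.bad_reputation_ips):
            return verdict(policy, "Bad Reputation IP")

    # 3. Every other module still sees the request.
    if other_modules_violation:
        return verdict(policy, "violation in a downstream module")
    return ("allow", "no violation")


if __name__ == "__main__":
    policy = IpProtection(
        trust_ips=["203.0.113.10"],
        allow_only_ips=["203.0.113.20/32"],
        blocked_countries={"XX"},
        bad_reputation_ips=["198.51.100.0/24"],
        block_mode=True,
    )
    for ip, bad in [("203.0.113.10", True), ("203.0.113.20", True),
                    ("203.0.113.30", False), ("198.51.100.5", False)]:
        print(ip, evaluate(policy, ip, bad))
```

The third and fourth sample requests show the difference that matters operationally: an Allow-Only IP from the blocked country gets past GEO IP Block but is still blocked when a downstream module fires, while a Trust IP is allowed even with a downstream violation. Flip `block_mode` to `False` and the same violations are reported as "log" only, which is what you see before Block Mode is enabled on the Applications page.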
