Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Introduction

FortiWeb is a web application firewall (WAF) that protects hosted web applications from attacks that target known and unknown exploits. Using multi-layered and correlated detection methods, FortiWeb defends applications from known vulnerabilities and zero-day threats. The Web Application Security Service from FortiGuard Labs uses information based on the latest application vulnerabilities, bots, suspicious URL and data patterns, and specialized heuristic detection engines to keep your applications safe.

FortiWeb also offers a machine-learning function that enables it to automatically detect malicious web traffic. In addition to detecting known attacks, th feature can detect potential unknown zero-day attacks to provide real-time protection for web servers.

FortiWeb allows you to configure these features:

  • Vulnerability scanning and patching
  • IP reputation, web application attack signatures, credential stuffing defense, anti-virus, and FortiSandbox Cloud powered by FortiGuard
  • Real-time attack insights and reporting with advanced visual analytics tools
  • Integration with FortiGate and FortiSandbox for ATP detection
  • Behavioral attack detection
  • Advanced false positive and negative detection avoidance

FortiWeb hardware and virtual machine platforms are available for medium and large enterprises, as well as for service providers.

Benefits

FortiWeb is designed specifically to protect web servers. It provides specialized application layer threat detection and protection for HTTP and HTTPS services, including:

  • Apache Tomcat
  • nginx
  • Microsoft IIS
  • JBoss
  • IBM Lotus Domino
  • Microsoft SharePoint
  • Microsoft Outlook Web App (OWA)
  • RPC and ActiveSync for Microsoft Exchange Server
  • Joomla
  • WordPress

FortiWeb’s integrated web-specific vulnerability scanner drastically reduces challenges associated with protecting regulated and confidential data by detecting your exposure to the latest threats, especially the OWASP Top 10 (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).

FortiWeb’s HTTP firewall and denial-of-service (DoS) attack-prevention protects your web applications from attack. Using advanced techniques to provide bidirectional protection against sophisticated threats like SQL injection and cross-site scripting (XSS) attacks, FortiWeb also helps you defend against threats like identity theft, financial fraud, and corporate espionage.

FortiWeb provides the tools you need to monitor and enforce government regulations, industry best practices, and internal security policies, including firewalling and patching requirements from PCI DSS (https://www.pcisecuritystandards.org/security_standards/getting_started.php).

FortiWeb’s application-aware firewall and load balancing engine can:

  • Secure HTTP/HTTPS applications.
  • Prevent and reverse defacement.
  • Improve application stability.
  • Monitor servers for downtime & connection load.
  • Reduces response times.
  • Accelerate SSL/TLS.*
  • Accelerate compression.
  • Rewrite content on the fly.

* On VM models, acceleration is due to offloading the cryptography burden from the back-end server. On hardware models, cryptography is also hardware-accelerated via ASIC chips.

FortiWeb significantly reduces deployment costs by consolidating WAF, hardware acceleration, load balancing, and vulnerability scanning in a single platform with no per-user pricing. These features:

  • Reduce the total resources required to protect your regulated, Internet-facing data.
  • Ease the challenges associated with policy enforcement and regulatory compliance.

Architecture

FortiWeb can be deployed in a one-arm topology, but is more commonly positioned inline to intercept all incoming client connections and redistribute them to your servers. FortiWeb has TCP- and HTTP-specific firewalling capabilities. Because it's not designed to provide security to non-HTTP/HTTPS web applications, it should be deployed behind a firewall such as FortiGate that focuses on security for other protocols, including FTP and SSH.

Once FortiWeb is deployed, you can configure it from a web browser or terminal emulator on your management computer.

Scope

This document describes how to set up and configure FortiWeb. It provides instructions to complete first-time system deployment, including planning the network topology, and ongoing maintenance.

It also describes how to use the web user interface (web UI), and contains lists of default utilized port numbers, configuration limits, and supported standards.

If you are using FortiWeb-VM, this document assumes that you have already followed the instructions in the FortiWeb-VM Install Guide:

http://docs.fortinet.com/fortiweb/hardware

After completing How to set up your FortiWeb, you will have:

  • Administrative access to the web UI and/or CLI.
  • Completed firmware updates, if any.
  • Configured the system time, DNS settings, administrator password, and network interfaces will be configured.
  • Set the operation mode.
  • Configured basic logging.
  • Created at least one server policy.

You can use the rest of this document to:

  • Update the FortiWeb appliance.
  • Reconfigure features.
  • Use advanced features, such as anti-defacement.
  • Diagnose problems.

This document does not provide a reference for the CLI. For that information, see the FortiWeb CLI Reference:

http://docs.fortinet.com/fortiweb/reference

This document is intended for system administrators, not end users. If you are accessing a website protected by FortiWeb and have questions, please contact your system administrator.

Introduction

FortiWeb is a web application firewall (WAF) that protects hosted web applications from attacks that target known and unknown exploits. Using multi-layered and correlated detection methods, FortiWeb defends applications from known vulnerabilities and zero-day threats. The Web Application Security Service from FortiGuard Labs uses information based on the latest application vulnerabilities, bots, suspicious URL and data patterns, and specialized heuristic detection engines to keep your applications safe.

FortiWeb also offers a machine-learning function that enables it to automatically detect malicious web traffic. In addition to detecting known attacks, th feature can detect potential unknown zero-day attacks to provide real-time protection for web servers.

FortiWeb allows you to configure these features:

  • Vulnerability scanning and patching
  • IP reputation, web application attack signatures, credential stuffing defense, anti-virus, and FortiSandbox Cloud powered by FortiGuard
  • Real-time attack insights and reporting with advanced visual analytics tools
  • Integration with FortiGate and FortiSandbox for ATP detection
  • Behavioral attack detection
  • Advanced false positive and negative detection avoidance

FortiWeb hardware and virtual machine platforms are available for medium and large enterprises, as well as for service providers.

Benefits

FortiWeb is designed specifically to protect web servers. It provides specialized application layer threat detection and protection for HTTP and HTTPS services, including:

  • Apache Tomcat
  • nginx
  • Microsoft IIS
  • JBoss
  • IBM Lotus Domino
  • Microsoft SharePoint
  • Microsoft Outlook Web App (OWA)
  • RPC and ActiveSync for Microsoft Exchange Server
  • Joomla
  • WordPress

FortiWeb’s integrated web-specific vulnerability scanner drastically reduces challenges associated with protecting regulated and confidential data by detecting your exposure to the latest threats, especially the OWASP Top 10 (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).

FortiWeb’s HTTP firewall and denial-of-service (DoS) attack-prevention protects your web applications from attack. Using advanced techniques to provide bidirectional protection against sophisticated threats like SQL injection and cross-site scripting (XSS) attacks, FortiWeb also helps you defend against threats like identity theft, financial fraud, and corporate espionage.

FortiWeb provides the tools you need to monitor and enforce government regulations, industry best practices, and internal security policies, including firewalling and patching requirements from PCI DSS (https://www.pcisecuritystandards.org/security_standards/getting_started.php).

FortiWeb’s application-aware firewall and load balancing engine can:

  • Secure HTTP/HTTPS applications.
  • Prevent and reverse defacement.
  • Improve application stability.
  • Monitor servers for downtime & connection load.
  • Reduces response times.
  • Accelerate SSL/TLS.*
  • Accelerate compression.
  • Rewrite content on the fly.

* On VM models, acceleration is due to offloading the cryptography burden from the back-end server. On hardware models, cryptography is also hardware-accelerated via ASIC chips.

FortiWeb significantly reduces deployment costs by consolidating WAF, hardware acceleration, load balancing, and vulnerability scanning in a single platform with no per-user pricing. These features:

  • Reduce the total resources required to protect your regulated, Internet-facing data.
  • Ease the challenges associated with policy enforcement and regulatory compliance.

Architecture

FortiWeb can be deployed in a one-arm topology, but is more commonly positioned inline to intercept all incoming client connections and redistribute them to your servers. FortiWeb has TCP- and HTTP-specific firewalling capabilities. Because it's not designed to provide security to non-HTTP/HTTPS web applications, it should be deployed behind a firewall such as FortiGate that focuses on security for other protocols, including FTP and SSH.

Once FortiWeb is deployed, you can configure it from a web browser or terminal emulator on your management computer.

Scope

This document describes how to set up and configure FortiWeb. It provides instructions to complete first-time system deployment, including planning the network topology, and ongoing maintenance.

It also describes how to use the web user interface (web UI), and contains lists of default utilized port numbers, configuration limits, and supported standards.

If you are using FortiWeb-VM, this document assumes that you have already followed the instructions in the FortiWeb-VM Install Guide:

http://docs.fortinet.com/fortiweb/hardware

After completing How to set up your FortiWeb, you will have:

  • Administrative access to the web UI and/or CLI.
  • Completed firmware updates, if any.
  • Configured the system time, DNS settings, administrator password, and network interfaces will be configured.
  • Set the operation mode.
  • Configured basic logging.
  • Created at least one server policy.

You can use the rest of this document to:

  • Update the FortiWeb appliance.
  • Reconfigure features.
  • Use advanced features, such as anti-defacement.
  • Diagnose problems.

This document does not provide a reference for the CLI. For that information, see the FortiWeb CLI Reference:

http://docs.fortinet.com/fortiweb/reference

This document is intended for system administrators, not end users. If you are accessing a website protected by FortiWeb and have questions, please contact your system administrator.