Administration Guide

Introduction
What’s new
Key concepts
- Workflow
- Sequence of scans
- IPv6 support
- Solutions for specific web attacks
- HTTP/2 support
- HTTP sessions & security
- FortiWeb high availability (HA)
- Administrative domains (ADOMs)
- How to use the web UI
- Shutdown
How to set up your FortiWeb
- Appliance vs. VMware
- Registering your FortiWeb
- Planning the network topology
- Connecting to the web UI or CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time & date
- Setting the operation mode
- Configuring High Availability (HA) basic settings
  - HA heartbeat & active node election
  - Synchronization
- Replicating the configuration without FortiWeb HA (external HA)
- Configuring the network settings
- Configuring DNS settings
- Configuring HA settings specifically for active-passive and standard active-active modes
- Configuring HA settings specifically for high volume active-active mode
- Defining your web servers & load balancers
- Configuring FortiWeb to receive traffic via WCCP
- Configuring basic policies
- Testing your installation
- Switching out of Offline Protection mode
Policies
- How operation mode affects server policy behavior
- Configuring the global object white list
- Configuring a protection profile for inline topologies
- Generating a protection profile using scanner reports
- Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
- Configuring an HTTP server policy
- Configuring traffic mirror
Configuring FTP security
- Creating an FTP command restriction rule
- Creating an FTP file check rule
- Configuring an FTP security inline profile
- Creating an FTP server pool
- Creating an FTP server policy
AD FS Proxy
- Configuring FortiWeb as an AD FS proxy
- Configuring a virtual server
- Creating an AD FS server pool
- Uploading trusted CA certificates
- Creating an AD FS server policy
- Troubleshooting
FortiView
- Topology
- Security
- Traffic
- Sessions
Backups
- backup full-config
- Restoring a previous configuration
Debug log
Administrators
- Configuring access profiles
- Grouping remote authentication queries and certificates for administrators
- Changing an administrator’s password
- Certificate-based Web UI login
Users
- Authentication styles
- Offloading HTTP authentication & authorization
- Single sign-on (SSO) (site publishing)
- Using Kerberos authentication delegation
- Offloaded authentication and optional SSO configuration
- To create an Active Directory (AD) user for FortiWeb
- Example: Enforcing complex passwords
- Tracking users
Secure connections (SSL/TLS)
- Offloading vs. inspection
- Supported cipher suites & protocol versions
- Uploading trusted CA certificates
- How to offload or inspect HTTPS
- Forcing clients to use HTTPS
- HTTP Public Key Pinning
- How to apply PKI client authentication (personal certificates)
- Seamless PKI integration
- Revoking certificates
- How to export/back up certificates & private keys
- How to change FortiWeb's default certificate
- Configuring OCSP stapling
Access control
- Restricting access to specific URLs
- Combination access control & rate limiting
- Blacklisting & whitelisting clients
- Blocking client devices with poor reputation
- Protecting against cookie poisoning and other cookie-based attacks
- Cross-Origin Resource Sharing (CORS) protection
Blocking known attacks & data leaks
- Connecting to FortiGuard services
- Receiving quarantined source IP addresses from FortiGate
- False Positive Mitigation for SQL Injection signatures
- Syntax-based SQL injection detection
- Configuring action overrides or exceptions to data leak & attack detection signatures
- Defining custom data leak & attack signatures
- Defeating cipher padding attacks on individually encrypted inputs
- Defeating cross-site request forgery (CSRF) attacks
- Addressing security vulnerabilities by HTTP Security Headers
- Enforcing page order that follows application logic
- Specifying URLs allowed to initiate sessions
Preventing zero-day attacks
- Validating parameters (“input rules”)
- Preventing tampering with hidden inputs
- Specifying allowed HTTP methods
- HTTP/HTTPS protocol constraints
- WebSocket Protocol
Protection for Man-in-the-Browser (MiTB) attacks
- Creating Man in the Browser (MiTB) Protection Rule
- Creating Man in the Browser (MiTB) Protection Policy
Protection for APIs
- Configuring JSON protection
- Configuring XML protection
- OpenAPI Validation
- Configuring mobile API protection
- API gateway
Limiting file uploads
Anti-defacement
Rate limiting
- DoS prevention
- Preventing brute force logins
- Preventing slow and low attacks
Rewriting & redirecting
Caching
- What can be cached?
Compression
Compliance
- Database security
- Authorization
- Preventing data leaks
- Vulnerability scans
Advanced/optional system settings
- Changing the FortiWeb appliance’s host name
- Fail-to-wire for power loss/reboots
- Customizing error and authentication pages (replacement messages)
- Configuring the integrated firewall
- Advanced settings
Monitoring your system
- Status dashboard
- Policy Status dashboard
- RAID level & disk statuses
- Logging
- Alert email
- SNMP traps & queries
- Reports
- Monitoring currently blocked IPs
- Monitoring currently tracked devices
- FortiGuard updates
- Vulnerability scans
Bot mitigation
- Configuring threshold based detection
- Configuring biometrics based detection
- Configuring bot deception
- Configuring bot mitigation policy
Machine learning
- Enabling machine learning policy
- Configuring anomaly detection policy
- Configuring bot detection profiles
  - Viewing bot detection model status
  - Viewing the bot detection violations
Fine-tuning & best practices
- Hardening security
- Improving performance
- Improving fault tolerance
- Reducing false positives
- Regular backups
- Downloading logs in RAM before shutdown or reboot
Troubleshooting
- Frequently asked questions
- Tools
- How to troubleshoot
- Solutions by issue type
- Resetting the configuration
- Restoring firmware (“clean install”)
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: Supported RFCs, W3C, & IEEE standards
Appendix D: Regular expressions
Appendix E: How to purchase and renew FortiGuard licenses

Home FortiWeb 6.2.0 Administration Guide

6.2.0

What can be cached?

Caching generally works best with data that doesn't change. Things like static web pages, images, movies, and music all typically work well.

When content changes often, caching provides overhead by consuming RAM without its usual benefit of reduced latency. Some HTTP headers and other factors indicate dynamic content which FortiWeb will not cache.

FortiWeb will not cache responses if the request:

Method is not GET (e.g. responses to POST are not cached)
Has fields such as Cache-Control: max-age=0/no-cache/no-store/; Pragma:no-cache
Contains URL with query string
Contains body
Contains the header:
- Authorization
- Proxy-Authorization
- If-Modified-Since
- If-Unmodified-Since
- If-Match
- If-None-Match

FortiWeb will not cache if the response:

Whose status code is not 200
Has a Vary: field
Forbids caching (e.g. Cache-Control: no-cache/no-store/private)
Has no Content-Length: field (e.g. Connection:close and Transfer-Encoding: chunked)
Has no cache expiry tag (e.g. Last-Modified/Etag and Cache-Control/Expires)
Contains the header:
- WWW-Authenticate
- Proxy-Authenticate
- Set-Cookie
- Set-Cookie2

What can be cached?

Caching generally works best with data that doesn't change. Things like static web pages, images, movies, and music all typically work well.

FortiWeb will not cache responses if the request:

Method is not GET (e.g. responses to POST are not cached)
Has fields such as Cache-Control: max-age=0/no-cache/no-store/; Pragma:no-cache
Contains URL with query string
Contains body
Contains the header:
- Authorization
- Proxy-Authorization
- If-Modified-Since
- If-Unmodified-Since
- If-Match
- If-None-Match

FortiWeb will not cache if the response:

Whose status code is not 200
Has a Vary: field
Forbids caching (e.g. Cache-Control: no-cache/no-store/private)
Has no Content-Length: field (e.g. Connection:close and Transfer-Encoding: chunked)
Has no cache expiry tag (e.g. Last-Modified/Etag and Cache-Control/Expires)
Contains the header:
- WWW-Authenticate
- Proxy-Authenticate
- Set-Cookie
- Set-Cookie2

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

What can be cached?

What can be cached?

What can be cached?

What can be cached?