Administration Guide

• Introduction
• What’s new
• Key concepts
  • Workflow
  • Sequence of scans
  • IPv6 support
  • Solutions for specific web attacks
  • HTTP/2 support
  • HTTP sessions & security
  • FortiWeb high availability (HA)
  • Administrative domains (ADOMs)
  • How to use the web UI
  • Shutdown
• How to set up your FortiWeb
  • Appliance vs. VMware
  • Registering your FortiWeb
  • Planning the network topology
  • Connecting to the web UI or CLI
  • Updating the firmware
  • Changing the “admin” account password
  • Setting the system time & date
  • Setting the operation mode
  • Configuring High Availability (HA) basic settings
    • HA heartbeat & active node election
    • Synchronization
  • Replicating the configuration without FortiWeb HA (external HA)
  • Configuring the network settings
  • Configuring DNS settings
  • Configuring HA settings specifically for active-passive and standard active-active modes
  • Configuring HA settings specifically for high volume active-active mode
  • Defining your web servers & load balancers
    • Protected web servers vs. allowed/protected host names
    • Defining your protected/allowed HTTP “Host:” header names
    • Defining your web servers
    • Defining your proxies, clients, & X-headers
    • Defining your network services
    • Configuring virtual servers on your FortiWeb
    • Enabling or disabling traffic forwarding to your servers
  • Configuring FortiWeb to receive traffic via WCCP
  • Configuring basic policies
  • Testing your installation
  • Switching out of Offline Protection mode
• Policies
  • How operation mode affects server policy behavior
  • Configuring the global object white list
  • Configuring a protection profile for inline topologies
  • Generating a protection profile using scanner reports
  • Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
  • Configuring an HTTP server policy
  • Configuring traffic mirror
• Configuring FTP security
  • Creating an FTP command restriction rule
  • Creating an FTP file check rule
  • Configuring an FTP security inline profile
  • Creating an FTP server pool
  • Creating an FTP server policy
• AD FS Proxy
  • Configuring FortiWeb as an AD FS proxy
  • Configuring a virtual server
  • Creating an AD FS server pool
  • Uploading trusted CA certificates
  • Creating an AD FS server policy
  • Troubleshooting
• FortiView
  • Topology
  • Security
  • Traffic
  • Sessions
• Backups
  • backup full-config
  • Restoring a previous configuration
• Debug log
• Administrators
  • Configuring access profiles
  • Grouping remote authentication queries and certificates for administrators
  • Changing an administrator’s password
  • Certificate-based Web UI login
• Users
  • Authentication styles
  • Offloading HTTP authentication & authorization
  • Single sign-on (SSO) (site publishing)
  • Using Kerberos authentication delegation
  • Offloaded authentication and optional SSO configuration
  • To create an Active Directory (AD) user for FortiWeb
  • Example: Enforcing complex passwords
  • Tracking users
• Secure connections (SSL/TLS)
  • Offloading vs. inspection
  • Supported cipher suites & protocol versions
  • Uploading trusted CA certificates
  • How to offload or inspect HTTPS
  • Forcing clients to use HTTPS
  • HTTP Public Key Pinning
  • How to apply PKI client authentication (personal certificates)
  • Seamless PKI integration
  • Revoking certificates
  • How to export/back up certificates & private keys
  • How to change FortiWeb's default certificate
  • Configuring OCSP stapling
• Access control
  • Restricting access to specific URLs
  • Combination access control & rate limiting
  • Blacklisting & whitelisting clients
  • Blocking client devices with poor reputation
  • Protecting against cookie poisoning and other cookie-based attacks
  • Cross-Origin Resource Sharing (CORS) protection
• Blocking known attacks & data leaks
  • Connecting to FortiGuard services
  • Receiving quarantined source IP addresses from FortiGate
  • False Positive Mitigation for SQL Injection signatures
  • Syntax-based SQL injection detection
  • Configuring action overrides or exceptions to data leak & attack detection signatures
  • Defining custom data leak & attack signatures
  • Defeating cipher padding attacks on individually encrypted inputs
  • Defeating cross-site request forgery (CSRF) attacks
  • Addressing security vulnerabilities by HTTP Security Headers
  • Enforcing page order that follows application logic
  • Specifying URLs allowed to initiate sessions
• Preventing zero-day attacks
  • Validating parameters (“input rules”)
  • Preventing tampering with hidden inputs
  • Specifying allowed HTTP methods
  • HTTP/HTTPS protocol constraints
  • WebSocket Protocol
• Protection for Man-in-the-Browser (MiTB) attacks
  • Creating Man in the Browser (MiTB) Protection Rule
    • Creating an MiTB protection rule
    • Protecting the standard user input field
    • Protecting the passwords
    • Adding white list for the AJAX Request
  • Creating Man in the Browser (MiTB) Protection Policy
• Protection for APIs
  • Configuring JSON protection
    • Importing JSON schema files
    • Creating JSON protection rules
    • Creating JSON protection policy
  • Configuring XML protection
    • Importing XML schema files
    • Creating XML protection rules
    • Creating XML protection policies
    • Importing WSDL files
    • Configuring exempted URLs
    • Configuring attack logs to retain packet payloads for XML protection
    • Creating WS-Security rules
  • OpenAPI Validation
    • Use cases
    • Creating OpenAPI files
    • Creating_OpenAPI_validation_policies
  • Configuring mobile API protection
  • API gateway
    • Managing API users
    • Configuring API gateway policy
    • Configuring API gateway rules
• Limiting file uploads
• Anti-defacement
• Rate limiting
  • DoS prevention
  • Preventing brute force logins
  • Preventing slow and low attacks
• Rewriting & redirecting
• Caching
  • What can be cached?
• Compression
• Compliance
  • Database security
  • Authorization
  • Preventing data leaks
  • Vulnerability scans
• Advanced/optional system settings
  • Changing the FortiWeb appliance’s host name
  • Fail-to-wire for power loss/reboots
  • Customizing error and authentication pages (replacement messages)
  • Configuring the integrated firewall
  • Advanced settings
• Monitoring your system
  • Status dashboard
  • Policy Status dashboard
  • RAID level & disk statuses
  • Logging
  • Alert email
  • SNMP traps & queries
  • Reports
  • Monitoring currently blocked IPs
  • Monitoring currently tracked devices
  • FortiGuard updates
  • Vulnerability scans
• Bot mitigation
  • Configuring threshold based detection
  • Configuring biometrics based detection
  • Configuring bot deception
  • Configuring bot mitigation policy
• Machine learning
  • Enabling machine learning policy
  • Configuring anomaly detection policy
    • Configuring machine-learning templates
    • Viewing domain data
    • Viewing anomaly detection log
  • Configuring bot detection profiles
    • Viewing bot detection model status
    • Viewing the bot detection violations
• Fine-tuning & best practices
  • Hardening security
  • Improving performance
  • Improving fault tolerance
  • Reducing false positives
  • Regular backups
  • Downloading logs in RAM before shutdown or reboot
• Troubleshooting
  • Frequently asked questions
  • Tools
  • How to troubleshoot
  • Solutions by issue type
  • Resetting the configuration
  • Restoring firmware (“clean install”)
• Appendix A: Port numbers
• Appendix B: Maximum configuration values
• Appendix C: Supported RFCs, W3C, & IEEE standards
• Appendix D: Regular expressions
• Appendix E: How to purchase and renew FortiGuard licenses