Administration Guide

Introduction
What’s new
Key concepts
- Workflow
- Sequence of scans
- IPv6 support
- Solutions for specific web attacks
- HTTP/2 support
- HTTP sessions & security
- FortiWeb high availability (HA)
- Administrative domains (ADOMs)
- How to use the web UI
- Shutdown
How to set up your FortiWeb
- Appliance vs. VMware
- Registering your FortiWeb
- Planning the network topology
- Connecting to the web UI or CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time & date
- Setting the operation mode
- Configuring High Availability (HA) basic settings
  - HA heartbeat & active node election
  - Synchronization
- Replicating the configuration without FortiWeb HA (external HA)
- Configuring the network settings
- Configuring DNS settings
- Configuring HA settings specifically for active-passive and standard active-active modes
- Configuring HA settings specifically for high volume active-active mode
- Defining your web servers & load balancers
- Configuring FortiWeb to receive traffic via WCCP
- Configuring basic policies
- Testing your installation
- Switching out of Offline Protection mode
Policies
- How operation mode affects server policy behavior
- Configuring the global object white list
- Configuring a protection profile for inline topologies
- Generating a protection profile using scanner reports
- Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
- Configuring an HTTP server policy
- Configuring traffic mirror
Configuring FTP security
- Creating an FTP command restriction rule
- Creating an FTP file check rule
- Configuring an FTP security inline profile
- Creating an FTP server pool
- Creating an FTP server policy
AD FS Proxy
- Configuring FortiWeb as an AD FS proxy
- Configuring a virtual server
- Creating an AD FS server pool
- Uploading trusted CA certificates
- Creating an AD FS server policy
- Troubleshooting
FortiView
- Topology
- Security
- Traffic
- Sessions
Backups
- backup full-config
- Restoring a previous configuration
Debug log
Administrators
- Configuring access profiles
- Grouping remote authentication queries and certificates for administrators
- Changing an administrator’s password
- Certificate-based Web UI login
Users
- Authentication styles
- Offloading HTTP authentication & authorization
- Single sign-on (SSO) (site publishing)
- Using Kerberos authentication delegation
- Offloaded authentication and optional SSO configuration
- To create an Active Directory (AD) user for FortiWeb
- Example: Enforcing complex passwords
- Tracking users
Secure connections (SSL/TLS)
- Offloading vs. inspection
- Supported cipher suites & protocol versions
- Uploading trusted CA certificates
- How to offload or inspect HTTPS
- Forcing clients to use HTTPS
- HTTP Public Key Pinning
- How to apply PKI client authentication (personal certificates)
- Seamless PKI integration
- Revoking certificates
- How to export/back up certificates & private keys
- How to change FortiWeb's default certificate
- Configuring OCSP stapling
Access control
- Restricting access to specific URLs
- Combination access control & rate limiting
- Blacklisting & whitelisting clients
- Blocking client devices with poor reputation
- Protecting against cookie poisoning and other cookie-based attacks
- Cross-Origin Resource Sharing (CORS) protection
Blocking known attacks & data leaks
- Connecting to FortiGuard services
- Receiving quarantined source IP addresses from FortiGate
- False Positive Mitigation for SQL Injection signatures
- Syntax-based SQL injection detection
- Configuring action overrides or exceptions to data leak & attack detection signatures
- Defining custom data leak & attack signatures
- Defeating cipher padding attacks on individually encrypted inputs
- Defeating cross-site request forgery (CSRF) attacks
- Addressing security vulnerabilities by HTTP Security Headers
- Enforcing page order that follows application logic
- Specifying URLs allowed to initiate sessions
Preventing zero-day attacks
- Validating parameters (“input rules”)
- Preventing tampering with hidden inputs
- Specifying allowed HTTP methods
- HTTP/HTTPS protocol constraints
- WebSocket Protocol
Protection for Man-in-the-Browser (MiTB) attacks
- Creating Man in the Browser (MiTB) Protection Rule
- Creating Man in the Browser (MiTB) Protection Policy
Protection for APIs
- Configuring JSON protection
- Configuring XML protection
- OpenAPI Validation
- Configuring mobile API protection
- API gateway
Limiting file uploads
Anti-defacement
Rate limiting
- DoS prevention
- Preventing brute force logins
- Preventing slow and low attacks
Rewriting & redirecting
Caching
- What can be cached?
Compression
Compliance
- Database security
- Authorization
- Preventing data leaks
- Vulnerability scans
Advanced/optional system settings
- Changing the FortiWeb appliance’s host name
- Fail-to-wire for power loss/reboots
- Customizing error and authentication pages (replacement messages)
- Configuring the integrated firewall
- Advanced settings
Monitoring your system
- Status dashboard
- Policy Status dashboard
- RAID level & disk statuses
- Logging
- Alert email
- SNMP traps & queries
- Reports
- Monitoring currently blocked IPs
- Monitoring currently tracked devices
- FortiGuard updates
- Vulnerability scans
Bot mitigation
- Configuring threshold based detection
- Configuring biometrics based detection
- Configuring bot deception
- Configuring bot mitigation policy
Machine learning
- Enabling machine learning policy
- Configuring anomaly detection policy
- Configuring bot detection profiles
  - Viewing bot detection model status
  - Viewing the bot detection violations
Fine-tuning & best practices
- Hardening security
- Improving performance
- Improving fault tolerance
- Reducing false positives
- Regular backups
- Downloading logs in RAM before shutdown or reboot
Troubleshooting
- Frequently asked questions
- Tools
- How to troubleshoot
- Solutions by issue type
- Resetting the configuration
- Restoring firmware (“clean install”)
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: Supported RFCs, W3C, & IEEE standards
Appendix D: Regular expressions
Appendix E: How to purchase and renew FortiGuard licenses

Home FortiWeb 6.2.1 Administration Guide

6.2.1

Configuring XML protection

XML is commonly used for data exchange, and hackers sometimes try to exploit security holes in XML code to attack web servers. You can configure FortiWeb to examine client requests for anomalies in XML code. FortiWeb can also attempt to validate the structure of XML code in client requests using trusted XML schema files. Configuring XML protection can help to ensure that the content of requests containing XML does not contain any potential attacks.

XML protection is available in Reverse Proxy, True Transparent Proxy, and WCCP operating modes.

This section consists of instructions for the following steps:

Importing XML schema files. For details, see Importing XML schema files.
Creating XML protection rules. For details, see Creating XML protection rules.
Creating XML protection policies. For details, see Creating XML protection policies.
Creating WSDL files. For details, see Importing WSDL files
Configuring exempted URLs. For details, see Configuring exempted URLs.
Creating WS-Security rules. For details, see Creating WS-Security rules.
Selecting an XML protection policy in a web protection profile. For details, see To select an XML protection policy in a web protection profile.
Configuring attack logs to retain packet payloads for XML protection. For details, see Configuring attack logs to retain packet payloads for XML protection.

To configure XML protection, you must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.