Frequently asked questions
Administration
How do I recover the password of the admin account?
What is the maximum number of ADOMs I can create?
How do I upload and validate a license for FortiWeb-VM?
How do I troubleshoot a high availability (HA) problem?
FortiGuard
Why did the FortiGuard service update fail?
Access control and rewriting
Why is URL rewriting not working?
How do I create a custom signature that erases response packet content?
How do I reduce false positives and false negatives?
Why is FortiWeb not forwarding non-HTTP traffic (for example, RDP, FTP) to back-end servers even though set ip-forward is enabled?
How do I prevent cross-site request forgery (CSRF or XSRF) with a custom rule?
Why does my Advanced Protection rule that has both Signature Violation and HTTP Response Code filters not detect any violations?
What's the difference between the Packet Interval Timeout and Transaction Timeout filters in an Advanced Protection rule?
What ID numbers do I use to specify a Signature Violation filter when I use the CLI to create a custom access rule?
Why is the Signature Violation filter I added to my Advanced Protection custom rule not working?
Why don't my back-end servers receive the virtual server IP address as the source IP?
Logging and packet capture
Why do I not see HTTP traffic in the logs?
Why do I see HTTP traffic in the logs but not HTTPS traffic?
How do I store traffic log messages on the appliance hard disk?
Why is the most recent log message not displayed in the Aggregated Attack log?
How can I sniff FortiWeb packets (packet capture)?
How do I trace packet flow in FortiWeb?
Why is the number of cookies reported in my attack log message different from the number of cookies that message detail displays?
Why does the attack log message display the virtual server IP address as the destination IP instead of the IP address of the back-end server that was the target of the attack?
Security
How do I detect which cipher suite is used for HTTPS connections?
How can I strengthen my SSL configuration?
Why can’t a browser connect securely to my back-end server?
Performance
How do I use performance tests to determine maximum performance?
How can I measure the memory usage of individual processes?
IPMI (FortiWeb 3000E and 4000E only)
Upgrade
How do I reformat the boot device (flash drive) when I restore or upgrade the firmware?
How do I set up RAID for a replacement hard disk?
How do I recover the password of the admin account?
If you forget the password of the admin
administrator, you cannot recover it.
However, you can use the local console to reset the password. For details, see Resetting passwords.
Alternatively, you can reset the FortiWeb appliance to its default state (including the default administrator account and password) by restoring the firmware. For details, see Restoring firmware (“clean install”).
What is the maximum number of ADOMs I can create?
The maximum number of Administrative domains (ADOMs) you can define depends on the appliance model and, in the case of virtual appliances, the amount of vRAM allocated to FortiWeb.
For details, see Per appliance configuration maximums - ADOMs, server policies, Virtual IPs, server objects, and domains in ML policies.
How do I upload and validate a license for FortiWeb-VM?
FortiWeb-VM includes a free 15-day trial license that includes all features except:
- High availability (HA)
- FortiGuard updates
- Technical support
Once the trial expires, most functionality is disabled. You need to purchase a license to continue using FortiWeb-VM.
When you purchase a license for FortiWeb-VM, Fortinet Customer Service & Support (https://support.fortinet.com) provides a license file that you can use to convert the trial license to a permanent, paid license.
You can upload the license via the web UI. The uploading process does not interrupt traffic or trigger an appliance reboot.
FortiWeb-VM requires an Internet connection to periodically re-validate its license. It cannot be evaluated in offline, closed network environments. If FortiWeb-VM cannot contact Fortinet’s FDN for 24 hours, it locks access to the web UI and CLI. |
For detailed instructions for accessing the web UI and uploading the license, see the FortiWeb-VM Install Guide:
http://docs.fortinet.com/fortiweb/hardware
To upload the license
- Go to the FortiWeb-VM web UI.
- Log in to the web UI as the
admin
user. - Go to System > Status > Status. The FortiGuard Information widget contains the link you use to upload a license file.
- Click Update.
- Browse to the license file (
.lic
) you downloaded earlier from Fortinet, then click OK. - In the message box, click Refresh.
- Log in again.
- To verify that the license was uploaded successfully, log in to the web UI again, then view the FortiGuard Information widget. The VM License row should say Valid.
For hypervisor deployments, the URL is the default IP address of port1
of the virtual appliance, such as https://192.168.1.99/
.
For FortiWeb-VM deployed on AWS, the URL is the public DNS address displayed in the instance information for the appliance in your AWS console.
For hypervisor deployments, by default, the admin
user does not use a password.
For AWS deployments, by default, the password is the AWS instance ID.
FortiWeb connects to Fortinet to validate its license. In most cases, the process is complete within a few seconds. A message appears:
License has been uploaded. Please wait for authentication with registration servers.
If you uploaded a valid license, the following message is displayed:
License has been successfully authenticated with registration servers.
The web UI logs you out. The login dialog reappears.
Also view the System Information widget. The Serial Number row should have a number that indicates the maximum number of vCPUs that can be allocated according to the FortiWeb-VM software license, such as FVVM020000003619 (where “VM02” indicates a limit of 2 vCPUs).
How do I troubleshoot a high availability (HA) problem?
If a high availability (HA) cluster is not behaving as expected, use the following troubleshooting steps to help find the source of the problem:
- Ensure the physical connections are correct:
- Ensure that the physical interfaces that FortiWeb monitors to check the status of appliances in the cluster (Port Monitor in HA configuration) are in the same subnet.
- Ensure that the HA heartbeat link ports are connected through crossover cables. Although the feature works if you use switches make the connection, Fortinet recommends a direct connection.
- Ensure that the cluster members have the same Group ID value, and that no other HA cluster uses this value.
- Specify different Device Priority values for each member of the cluster and select the Override option. This configuration ensures that the higher priority appliance (the one with the lowest value) is maintained is the master as often as possible.
|
Displays information about current HA cluster members, including:
Helps confirm if the 2 appliances are part of the same cluster and which one is the master. |
execute ha md5sum |
Retrieves the CLI system configuration MD5 from the 2 appliances in a HA cluster. Helps confirm whether HA configuration is synchronized. |
execute ha disconnect |
Run on master appliance to disconnect slave without disconnecting cables. You can then connect to the slave as if it were a standalone appliance for troubleshooting purposes. |
execute ha manage |
If the Override option is selected, you can run this command on the master appliance to assign a higher priority to the slave appliance, which manually triggers a HA failover. You specify the serial number of the slave appliance and the new priority. For example: execute ha manage FV-1KC3R11111111 1 |
|
Manually triggers configuration synchronization:
Also refreshes the md5sum value, which you use to confirm synchronization status. |
|
Manually triggers synchronization of a database file:
You can only trigger this type of synchronization manually. |
|
Use to stop or start synchronization during debugging. |
diagnose debug application hasync 1 |
Configures the debug logs for HA synchronization to display messages about the automatic configuration synchronization process, commands that failed, and the full configuration synchronization process. Run on both members of the HA cluster to confirm configuration synchronization and communication between the appliances. Alternatively, use the following command to configure HA synchronization debug logs to display all messages:
Before you run this command, run the following commands to turn on debug log output and enable timestamps: diagnose debug enable diagnose debug console timestamp enable |
diagnose debug application hatalk 1 |
Configures the debug logs for HA heartbeat links to display messages about the heartbeat signal, HA failover, and the uptime of the members of the HA cluster. Alternatively, use the following command to configure HA heartbeat debug logs to display all messages: diagnose debug application hatalk -1 Before you run this command, run the following commands to turn on debug log output and enable timestamps: diagnose debug enable diagnose debug console timestamp enable |
get system status
diagnose debug application hatalk 1
diagnose debug application hasync 1
execute ha sync waf
execute ha md5sum
For detailed information about these commands, see the FortiWeb CLI Reference:
https://docs.fortinet.com/document/fortiweb/
For detailed information about HA topology and configuration, see HA heartbeat and FortiWeb high availability (HA) .
How do I upload a file to or download a file from FortiWeb?
To upload a file
- To enable the file uploading and downloading functionality, use the CLI to enter the following commands:
- In the web UI, go to System > Maintenance > Backup & Restore, and select the Backup & Restore tab.
- To maintain security, use the following CLI commands to disable the file uploading functionality:
config system settings
set enable-file-upload enable
end
At the bottom of the page, under GUI File Download/Upload, click Upload to navigate to a file and select it, and then click Upload to copy it to FortiWeb.
When the upload is complete, the file is displayed in the File Name list.
config system settings
set enable-file-upload disable
end
To download a file
- To enable the file uploading and downloading functionality, use the CLI to enter the following commands:
- In the web UI, go to System > Maintenance > Backup & Restore, and select the Backup & Restore tab.
- At the bottom of the page, under GUI File Download/Upload, click the download icon for the file you want to download.
- To maintain security, use the following CLI commands to disable the file uploading functionality:
config system settings
set enable-file-upload enable
end
config system settings
set enable-file-upload disable
end
Why did the FortiGuard service update fail?
If your automatic FortiGuard service update is not successful, complete the following troubleshooting steps:
- Ensure that your firewall rules allow FortiWeb to access the Internet via TCP port 443.
- Ensure FortiWeb can communicate with the DNS server.
- Because the size of the virus signature database exceeds 200MB, an unstable network can interrupt the TCP session that downloads the database. If the download fails for this reason, obtain the latest version of the virus signature database from
support.fortinet.com
and perform the update manually. For details, see Uploading signature & geography-to-IP updates. - If the previous steps do not solve the problem, use the following commands to obtain additional information:
This is the port that FortiWeb uses to poll for and download FortiGuard service updates from the FortiGuard Distribution Network (FDN).
When it performs the initial FortiGuard service update, FortiWeb requires access to the DNS server to resolve the domain name fds.fortinet.com
to the appropriate host name.
FortiWeb resumes automatic updates of the database at the next scheduled time.
diagnose debug enable
diagnose debug application fds 7
If you need to contact Fortinet Technical Support for assistance, provide the output of these diagnose debug commands and a configuration file.
For more information about these commands, see the FortiWeb CLI Reference:
https://docs.fortinet.com/document/fortiweb/
For additional methods for verifying FortiGuard connectivity, see Connecting to FortiGuard services.
Why is URL rewriting not working?
If FortiWeb is not rewriting URLs as expected, complete the following troubleshooting steps:
- Ensure the value of Action Type is correct.
- Ensure that you have added items to the URL Rewriting Condition Table.
- If one of your conditions uses a regular expression, ensure that the expression is valid. Click the >> (double arrow) button beside the Regular Expression field to test the value.
- Go to System > Config > Advanced and adjust the value of Maximum Body Cache Size.
- Ensure that FortiWeb supports the page’s Content-Type, which specifies its MIME type. FortiWeb supports the following Content-Type values only:
Request Action rewrites HTTP requests from clients, and Response Action rewrites responses to clients from the web server.
For an online guide for regular expressions, go to:
http://www.regular-expressions.info/reference.html
For an online library of regular expressions, go to:
URL body rewriting does not work when the page is larger than the cache buffer size. The default size is 64KB.
To adjust the buffer using the CLI, use a command like the following example:
config global
config sys advanced
set max-cache-size 1024
end
end
- text/html
- text/plain
- text/javascript
- application/xml
- text/xml
- application/javascript
- application/soap+xml
- application/x-javascript
- application/json
- application/rss+xml
How do I create a custom signature that erases response packet content?
- Create a custom signature rule that includes the following values:
Direction Response Expression Either a simple string or a regular expression that matches the response to erase. Action Alert & Erase
The erase action replaces the content specified by Expression with
xxx
. - Add an appropriate target:
-
RESPONSE_BODY
- RESPONSE_HEADER
-
RESPONSE_STATUS
The RESPONSE_STATUS is not erased in the raw packet.
If the target is RESPONSE_HEADER or RESPONSE_STATUS, the body of the response is still displayed.
For detailed custom signature creation instructions, see Defining custom data leak & attack signatures.
How do I reduce false positives and false negatives?
If FortiWeb is identifying legitimate requests as attacks (false positives), complete the following troubleshooting steps:
- If your web protection profile uses a signature policy in which the extended version of a signature set is enabled (for example, Cross Site Scripting), disable it.
- Specify the appropriate URL as an exception in the signature configuration. To create this exception, click either the Exception link in the Message field of the attack log item or Advanced Mode in the Edit Signature Policy dialog box.
- If the configuration changes do not solve the problem, capture the packet that FortiWeb has incorrectly identified as an attack and contact Fortinet Technical Support for assistance.
The extended signature sets detect a wider range of attacks but are also more likely to generate false positives.
For details, see Blocking known attacks & data leaks.
For details, see Configuring action overrides or exceptions to data leak & attack detection signatures.
Fortinet can resolve the issue by modifying the attack signature.
If FortiWeb is identifying attacks as legitimate requests (false negatives), complete the following troubleshooting steps:
- Use the Advanced Mode option to ensure that the signature policy that your web protection profile uses has the following configuration:
- All the appropriate signatures are enabled.
- The enabled signatures do not have exceptions that permit the attack packets.
Fortinet can resolve the issue by adding an attack signature. In the meantime, you can resolve the problem by creating a custom signature. For details, see Defining custom data leak & attack signatures.
For additional information about reducing false positives, see Reducing false positives.
Why is FortiWeb not forwarding non-HTTP traffic (for example, RDP, FTP) to back-end servers even though set ip-forward is enabled?
The config router setting command allows you to change how FortiWeb handles non-HTTP/HTTPS traffic when it is operating in Reverse Proxy mode.
When the setting ip-forward
is enabled, for any non-HTTP/HTTPS traffic with a destination other than a FortiWeb virtual server (for example, a back-end server), FortiWeb acts as a router and forwards it based in its destination address.
However, any non-HTTP/HTTPS traffic destined for a virtual server on the appliance is dropped.
Therefore, if you require clients need to reach a back-end server using FTP or another non-HTTP/HTTPS protocol, ensure the client uses the back-end server's IP address.
For more detailed information about this setting and a configuration that avoids this problem, see the “Router setting” topic in the FortiWeb CLI Reference:
https://docs.fortinet.com/document/fortiweb/
How do I prevent cross-site request forgery (CSRF or XSRF) with a custom rule?
A cross-site request forgery attack takes advantage of the trust that a site has in a client’s browser to execute unwanted actions on a web application.
To add an advanced access control rule that detects cross-site request forgery (CSRF)
- Go to Web Protection > Advanced Protection > Custom Policy, and select the Custom Rule tab.
- Click Create New.
- Configure the action and trigger settings for the rule.
- Click Create New to add a rule entry.
- For Filter Type, select HTTP Header, and then click OK.
- Configure these settings:
Header Name Referer Header Value Type Regular Expression Header Value A regular expression that matches the address of your website.
For example, if your website is http://211.24.155.103/, use the following expression:
^http://211\.24\.155\.103.*
- Click OK to save the rule entry, and then click OK to save the rule.
- Go to Web Protection > Advanced Protection > Custom Policy, and select the Custom Policy tab to group the custom rule into a policy.
- To apply the policy, select it as the Custom Policy in a protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
For detailed information on these settings, see Combination access control & rate limiting.
For details about creating policies, see Combination access control & rate limiting.
Attack log messages contain Custom Access Violation
when this feature detects an unauthorized access attempt.
Why does my Advanced Protection rule that has both Signature Violation and HTTP Response Code filters not detect any violations?
When you use Web Protection > Advanced Protection > Custom Policy > the Custom Rule tab to create a custom rule, FortiWeb links items in the list of filters with an AND operator. It uses the rule to evaluate both requests and responses. When the rule has both a Signature Violation and a HTTP Response Code filter, a malicious request violates the signature filter and the corresponding response matches the response code filter. But neither the request nor the response can violate both filters at the same time to generate a match.
To solve this problem, create a separate custom rule for each type of filter. For details, see Combination access control & rate limiting.
What's the difference between the Packet Interval Timeout and Transaction Timeout filters in an Advanced Protection rule?
Both Packet Interval Timeout and Transaction Timeout protect against DoS attacks. In most cases, the attacks are some form of slow HTTP attack.
Packet Interval Timeout evaluates the time period between packets that arrive from either the client or server (request or response packets). If the time exceeds the maximum the timeout specifies, FortiWeb takes the action specified in the rule.
However, other types of slow attacks can keep the server occupied and still maintain a minimal data flow. For example, if an attack sends a byte of data per second, it can continue a GET request indefinitely but stay within the Packet Interval Timeout.
The Transaction Timeout evaluates the time period for a transaction—a GET or POST request and its complete reply. In most cases, a transaction lasts no longer than a few milliseconds or, for slower applications, a few seconds.
To detect the widest range of attacks, specify both Packet Interval Timeout and Transaction Timeout filters when you create an Advanced Protection rule.
For details, see Combination access control & rate limiting.
What ID numbers do I use to specify a Signature Violation filter when I use the CLI to create a custom access rule?
The waf custom-access rule
command allows you to configure custom access rules, which can include Signature Violation filters. When you configure the signature-class
option, use one of the following IDs to specify the category of signature to match:
Cross Site Scripting | 01000000 |
Cross Site Scripting (Extended) | 02000000 |
SQL Injection | 03000000 |
SQL Injection (Extended) | 04000000 |
Generic Attacks | 05000000 |
Generic Attacks (Extended) | 06000000 |
Known Exploits | 09000000 |
For example, the following command creates a custom rule that detects SQL injection attacks, such as blind SQL injection:
config waf custom-access rule
edit "sql-inject"
set action block-period
set severity High
set trigger "notification-servers1"
config signature-class
edit 03000000
set status enable
next
end
next
end
config waf custom-access policy
edit "sql-inject-policy"
config rule
edit 1
set rule-name "sql-inject"
next
end
next
end
For more information on the waf custom-access rule
command, see the FortiWeb CLI Reference:
https://docs.fortinet.com/document/fortiweb/
Why is the Signature Violation filter I added to my Advanced Protection custom rule not working?
To add a Signature Violation filter to an Advanced Protection custom rule, you select Signature Violation as the filter type.
However, for the filter to work, the following configuration steps are also required:
- In the Edit Custom Rule dialog box, select at least one signature category. By default, no categories are selected. When you select a category, FortiWeb prompts you to enable all or some of the signatures in the category.
- Ensure that the signatures that correspond to the categories you selected in the rule are enabled in the signature policy (Web Protection > Known Attacks > Signatures).
You select the custom policy that contains the rule and corresponding signature set when you create a protection profile.
For details, see Combination access control & rate limiting and Blocking known attacks & data leaks.
Why don't my back-end servers receive the virtual server IP address as the source IP?
When the operation mode is Reverse Proxy, the server pool members receive the IP address of the FortiWeb interface the connection uses. If the back-end servers need to know the IP address of the client where the request originated, configure a X-Forwarded-For rule for the appropriate profile. For details, see Defining your proxies, clients, & X-headers.
Why do I not see HTTP traffic in the logs?
Successful HTTP traffic logging depends on both FortiWeb configuration and the configuration of other network devices. If you do not see HTTP traffic in the traffic log, ensure that the configuration described in the following tables is correct.
Reverse Proxy mode
Configuration | What to look for | See |
---|---|---|
Logging |
Ensure logging is enabled and configured. By default, logging is not enabled. |
Configuring logging |
Servers | Ensure that the IP address of your physical server and the IP address of your virtual server are correct. |
Defining your web servers
|
Server policy | Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as members of a server pool). | Configuring an HTTP server policy |
Network interfaces |
Go to System > Network > Interface and ensure the ports for inbound and outbound traffic are up. Use sniffing (packet capture) to ensure that you can see traffic on both inbound and outbound network interfaces. Ensure that the network interfaces are configured with the correct IP addresses. In a typical configuration, port1 is configured for management (web UI access) and the remaining ports associated with the required subnets. |
Configuring the network interfaces How can I sniff FortiWeb packets (packet capture)? (overview) or Packet capture |
VLANs (if used) | Make sure that the VLAN is associated with the correct physical port (Interface setting). | Adding VLAN subinterfaces |
Firewalls & routers | Communications between the FortiWeb appliance, clients, protected web servers, and FortiGuard Distribution Network (FDN) require that any routers and firewalls between them permit specific protocols and port numbers. | Appendix A: Port numbers |
Load balancers | If the load balancer is in front of FortiWeb, the physical IP addresses on it are the FortiWeb virtual IP addresses. If the Load Balancer is behind the FortiWeb, the FortiWeb physical server is the virtual IP for the load balancer's virtual IP. | External load balancers: before or after? |
Web server | Ensure that the web server is up and running by testing it without FortiWeb on the network. | Checking routing |
Transparent modes
Configuration | What to look for | See |
---|---|---|
Logging |
Ensure logging is enabled and configured. By default, logging is not enabled. |
Configuring logging |
Server/server pool | Ensure that the configuration for the physical server in the server pool contains the correct IP address. | |
Server policy | Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as a member of a server pool). | Configuring an HTTP server policy |
Bridge (v-zone) |
Ensure the v-zone is configured using the correct FortiWeb ports. In the list of network interfaces (Global > System > Network > Interface), the Status column identifies interfaces that are members of a v-zone. To ensure that the bridge is forwarding traffic, in the list of v-zones, under Interface, look for the status “forwarding” following the names of the ports. |
Configuring a bridge (V-zone) |
VLANs (if used) | Make sure that the VLAN is associated with the correct physical port (Interface setting). | Adding VLAN subinterfaces |
Firewalls & routers | Communications between the FortiWeb appliance, clients, protected web servers, and FortiGuard Distribution Network (FDN) require that any routers and firewalls between them permit specific protocols and port numbers. | Appendix A: Port numbers |
Web server | Ensure that the web server is up and running by testing it without FortiWeb on the network. | Checking routing |
Offline mode
Configuration | What to look for | See |
---|---|---|
Logging |
Ensure logging is enabled and configured. By default, logging is not enabled. |
Configuring logging |
Server/server pool | Ensure that the configuration for the physical server in the server pool contains the correct IP address. | |
Server policy | Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as members of a server pool). | Configuring an HTTP server policy |
Bridge (v-zone) |
Ensure the v-zone is configured using the correct FortiWeb ports. In the list of network interfaces (Global > System > Network > Interface), the Status column identifies interfaces that are members of a v-zone. To ensure that the bridge is forwarding traffic, in the list of v-zones, under Interface, look for the status “forwarding” following the names of the ports. |
Configuring a bridge (V-zone) |
VLANs (if used) | Make sure that the VLAN is associated with the correct physical port (Interface setting). | Adding VLAN subinterfaces |
Network interfaces | Use sniffing (packet capture) to ensure that you can see traffic on both inbound and outbound network interfaces. |
Configuring the network interfaces How can I sniff FortiWeb packets (packet capture)? (overview) or Packet capture |
Web server | Ensure that the web server is up and running by testing it without FortiWeb on the network. | Checking routing |
Why do I see HTTP traffic in the logs but not HTTPS traffic?
Use the following steps to troubleshoot HTTPS traffic logging:
- Ensure FortiWeb has the certificates it needs to offload or inspect HTTPS.
- Use sniffing (packet capture) to look for errors in HTTPS traffic.
For details, see How to offload or inspect HTTPS.
For details, see How can I sniff FortiWeb packets (packet capture)? (overview) or Packet capture.
How do I store traffic log messages on the appliance hard disk?
You can configure FortiWeb to store traffic log messages on its hard disk.
In most environments, and especially environments with high traffic volume, enabling this option for long periods of time can cause the hard disk to fail prematurely. Do not enable it unless it is necessary and disable it as soon as you no longer need it.
For information on configuring logging to the hard disk using the web UI, see Configuring logging.
To enable logging to the hard disk via the CLI, log in using an account with either w
or rw
permission to the loggrp
area and enter the following commands:
config log traffic-log
set disk-log enable
Use the following commands to verify the new configuration:
get log traffic-log
A response that is similar to the following message is displayed:
status : enable
packet-log : enable
disk-log : enable
Alternatively, use the following command to display a sampling of traffic log messages:
diagnose log tlog show
A response that is similar to the following message is displayed:
Total time span is 39.252285 seconds
Time spent on waiting is 13.454448 seconds
Time spent on preprocessing is 3.563218 seconds
traffic log processed: 69664
where:
-
Total time span
is the total amount of time of the logd process handle logs (that is, receiving messages from other process, filtering messages, outputting in standard format, writing the logs to the local database, and so on) -
Time spent on waiting
is the amount of time of the logd process waited to receive messages from other processes -
Time spent on preprocessing
is the amount of time the logd process spent filtering and format i ng messages -
traffic log processed
is the total number of logs that the logd process handled in this cycle
For more information about the config log traffic-log
and diagnose log tlog show
commands, see the FortiWeb CLI Reference:
https://docs.fortinet.com/document/fortiweb/
Why is the most recent log message not displayed in the Aggregated Attack log?
If recent log messages do not appear in the Aggregated Attack log as expected, complete the following troubleshooting steps:
- Use the dashboard to see if the appliance is busy.
- Rebuild the logging database.
When FortiWeb generates an attack log, the appliance writes it to and reads it from the hard disk and then updates the logging database.
The process that retrieves Aggregated Attack log information from the database (indexd) has a lower priority than the processes that analyze and direct traffic. Therefore, increased demand for FortiWeb processing resources (for example, when traffic levels increase) can delay updates to the log.
Events such as a power outage can corrupt the logging database. Use the following command to rebuild it:
exec db rebuild
This command deletes and rebuilds the database. It does not delete any logs on the hard disk and no log information is lost.
How can I sniff FortiWeb packets (packet capture)?
Use the diagnose network sniffer
command to perform a packet trace on one or more interfaces.
For example, the following command captures TCP port 80 traffic arriving at or departing from 192.168.1.1, for all network interfaces. The value 3
specifies the verbosity level (3
captures the most detail):
diagnose network sniffer any 'tcp and port 80 and host 192.168.1.1' 3
For instructions on using this command and its output, see Packet capture.
The following steps are an overview of the process:
- Use a terminal emulator such as SecureCRT or Putty, connect to the appliance via SSH or Telnet, run the sniffer command, and save the output to a file (for example,
detail_output.log
). - Install a Perl interpreter and Wireshark (or equivalent application) on your PC.
- To convert the packet capture command to a format that Wireshark can use, run the following command:
perl ./fgt2eth.pl -in detail_ouput.log -out converted.cap
(You can run the Perl script in Windows or Linux.)
To download
fgt2eth.pl
, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer (http://kb.fortinet.com/kb/documentLink.do?externalId=11186).The fgt2eth.pl
script is provided as-is, without any implied warranty or technical support.
A terminal emulator is required because the console is too slow for this task and cannot display all of the output.
How do I trace packet flow in FortiWeb?
Use the following steps to use the console to view packet flow information for a specified client IP when it accesses a virtual server IP:
- Using the CLI, use the following command to turn on debug log output:
- Use a command similar to the following to limit the debug logs to those that match a specific client IP address:
- Use the following command to include details from each module that processes the packet:
- Use the following command to start the flow trace:
diagnose debug enable
diagnose debug flow filter client-ip 172.22.6.232
diagnose debug flow filter module-detail status on
diagnose debug flow trace start
The following output is an example of the results of these commands:
Module name:WAF_X_FORWARD_FOR_PROCESS, Execution:4, Process error:0, Action:ACCEPT
Module name:WAF_IP_INTELLIGENCE, Execution:3, Process error:6, Action:ACCEPT
Module name:WAF_KNOWN_ENGINES, Execution:4, Process error:0, Action:ACCEPT
Module name:HSTS_HEADER_PROCESS, Execution:4, Process error:5, Action:ACCEPT
Module name:WAF_HTTP_ACTIVE_SCRIPT, Execution:3, Process error:2, Action:ACCEPT
Module name:WAF_CLIENT_MANAGEMENT, Execution:4, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_DOS_HTTP_FLOOD, Execution:4, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_DOS_MALICIOUS_IP, Execution:4, Process error:8, Action:ACCEPT
Module name:HTTP_ACCLIMIT_LIMIT, Execution:4, Process error:-1, Action:ACCEPT
Module name:WAF_GLOBAL_WHITE_LIST, Execution:4, Process error:-1, Action:ACCEPT
Module name:WAF_GLOBAL_WHITE_LIST, Execution:4, Process error:-1, Action:ACCEPT
Module name:WAF_URL_ACCESS_POLICY, Execution:4, Process error:8, Action:ACCEPT
Module name:HTTP_CONSTRAINTS, Execution:4, Process error:2, Action:ACCEPT
Module name:WAF_COOKIE_POISON, Execution:4, Process error:0, Action:ACCEPT
Module name:WAF_CUSTOM_ACCESS_POLICY, Execution:4, Process error:6, Action:ACCEPT
Module name:WAF_HTTP_STATISTIC, Execution:4, Process error:0, Action:ACCEPT
For additional information on these commands (for example, to specify debug logs for a specific flow direction), see the FortiWeb CLI Reference:
Why is the number of cookies reported in my attack log message different from the number of cookies that message detail displays?
When FortiWeb generates an attack log message because a request exceeds the maximum number of cookies it permits, the message value includes the number of cookies found in the request. In addition, the message details include the actual cookie values.
For performance reasons, FortiWeb limits the size of the attack log message. If the amount of cookie value information exceeds the limit for cookies in the attack log, the appliance displays only some of the cookies the message detail.
Why does the attack log message display the virtual server IP address as the destination IP instead of the IP address of the back-end server that was the target of the attack?
In some cases, FortiWeb blocks attacks before the packet is routed to a server pool member. When this happens, the destination IP is the virtual server IP.
How do I detect which cipher suite is used for HTTPS connections?
Use sniffing (packet capture) to capture SSL/ TLS traffic and view the “Server hello” message, which includes cipher suite information.
For more HTTPS troubleshooting information, see Supported cipher suites & protocol versions and Checking the SSL/TLS handshake & encryption.
How can I strengthen my SSL configuration?
The following configuration changes can make SSL more effective in preventing attacks and can improve your website's score for third-party testing tools (for example, the SSL server test provided by Qualys SSL Labs).
Which configuration changes you make depends on your environment. For example, some older clients do not support SHA256.
- For your website certificate, do the following:
- If it uses the SHA1 hashtag function, replace it with one that uses SHA256.
- Ensure that its key size is 2048-bit.
- For the server policy (Reverse Proxy mode) or server pool member configuration (True Transparent Proxy mode), specify the following values in the advanced SSL settings:
- Select Add HSTS Header, and then for Max. Age, enter
15552000
. - For SSL/TLS Encryption Level, select High.
- Select Disable Client-Initiated SSL Renegotiation.
For details, see Configuring an HTTP server policy.
- Select Add HSTS Header, and then for Max. Age, enter
- Use the following CLI command to set the Diffie-Hellman key exchange parameters to 2048 or greater:
config system global
set dh-params 2048
The command is available in FortiWeb 5.3.6 and higher only. For additional information on using CLI commands, see the FortiWeb CLI Reference:
https://docs.fortinet.com/document/fortiweb/
Why can’t a browser connect securely to my back-end server?
If a browser cannot communicate with a back-end server using SSL or TLS, use the following troubleshooting steps to resolve the problem:
- Without connecting via FortiWeb, ensure that you can access the server using HTTPS.
- Ensure that your browser supports HTTP Strict Transport Security (HSTS). For example, following web page provides compatibility tables for various web browser versions:
- Ensure that the FortiWeb response includes the strict transport security header.
- Use the following cEnsure that the server certificate is trusted:
http://caniuse.com/stricttransportsecurity
To add this header, select Add HSTS Header in the server policy or server pool configuration. For details, see Configuring an HTTP server policy or Creating an HTTP server pool.
- If the certificate is signed by intermediate certificate authority (CA), the intermediate CA is signed by a root CA.
- The root CA is listed in your browser’s store of trusted certificates.
- The domain name or IP address is consistent with the certificate subject.
For details, see Uploading a server certificate.
How do I use performance tests to determine maximum performance?
Use these performance tests and the dashboard's System Resources widget to determine where the appliance reaches its maximum capacity (bottleneck):
Requests per second (RPS), connections per second (CPS) | Rate of requests or connections maintains CPU Usage at 100% |
Concurrent connections | Number of connections maintains Memory Usage at 90% |
Throughput test | Throughput maintains the value of CPU Usage at 100%. (A pair of gigabit ports provide bandwidth of up to 2 Gbps.) |
If your CPU and memory values do not reach the specified values, adjust your client and server test configuration until you can determine maximum performance.
How can I measure the memory usage of individual processes?
The diagnose policy
command allows you to view the memory usage associated with all server policies or a specific policy. For example:
diagnose policy memory all
The diagnose hardware mem
command allows you to display the usage statistics of ephemeral memory (RAM), including swap pages and shared memory (Shmem). For example, to display total memory usage:
diagnose hardware mem list
For additional information on these commands, see the FortiWeb CLI Reference:
https://docs.fortinet.com/document/fortiweb/
How do I reformat the boot device (flash drive) when I restore or upgrade the firmware?
Follow the instructions provided in Restoring firmware (“clean install”).
For If the firmware version requires that you first format the boot device before installing firmware, type F. Format the boot disk before continuing., type F
to format the boot device (flash drive), and then enter Y
to confirm your selection.
After a few minutes, the reformatting process is complete. Continue with the instructions for retrieving the firmware image from the TFTP server.
During the system boot, Fortinet highly recommends that you verify the disk integrity. To perform this task, when the prompt Press [enter] key for disk integrity verification
is displayed, press Enter.
After the firmware restore is complete, use the get system status
CLI command to verify the system version. For additional information on using the CLI, see the FortiWeb CLI Reference:
https://docs.fortinet.com/document/fortiweb/
How do I set up RAID for a replacement hard disk?
The procedures applies to all models except 100D, 400B, 400C, and 400D.
- Power off the FortiWeb.
- Remove the hard disk from FortiWeb and install the new hard disk.
- Power on the FortiWeb.
- Use the following command to initialize RAID:
- Enter
y
to confirm the initialization. - Use the following command to check the RAID status:
execute create-raid level raid1
FortiWeb reboots and starts the RAID initialization. The process can take a few hours to complete.
diagnose hardware raid list
If the process is successful, a message similar to the following is displayed:
level size(M) disk-number
raid1 1877665 0(OK),1(OK),2(Not Present),3(Not Present)
edited on: 2016-01-25 00:48
If FortiWeb is unable to write log messages to the disk, a message similar to the following is displayed:
level size(M) disk-number
raid1 1877665 0(Not Present),1(Not Present),2(Not Present),3(Not Present)
For additional information on using these CLI commands, see the FortiWeb CLI Reference: