Fortinet Document Library
FortiWeb 6.4.2
Administration Guide
Input validation
FortiWeb can validate parameters (input) as well as the uploaded files of your web applications.
Validating parameters (“input rules”)
Preventing tampering with hidden inputs
Limiting file uploads