Fortinet white logo
Fortinet white logo

Administration Guide

Frequently asked questions

Frequently asked questions

Administration

How do I recover the password of the admin account?
What is the maximum number of ADOMs I can create?
How do I upload and validate a license for FortiWeb-VM?
How do I troubleshoot a high availability (HA) problem?

FortiGuard

Why did the FortiGuard service update fail?

Access control and rewriting

Why is URL rewriting not working?
How do I create a custom signature that erases response packet content?
How do I reduce false positives and false negatives?
Why is FortiWeb not forwarding non-HTTP traffic (for example, RDP, FTP) to back-end servers even though set ip-forward is enabled?
How do I prevent cross-site request forgery (CSRF or XSRF) with a custom rule?
Why does my Advanced Protection rule that has both Signature Violation and HTTP Response Code filters not detect any violations?
What's the difference between the Packet Interval Timeout and Transaction Timeout filters in an Advanced Protection rule?
What ID numbers do I use to specify a Signature Violation filter when I use the CLI to create a custom access rule?
Why is the Signature Violation filter I added to my Advanced Protection custom rule not working?
Why don't my back-end servers receive the virtual server IP address as the source IP?

Logging and packet capture

Why do I not see HTTP traffic in the logs?
Why do I see HTTP traffic in the logs but not HTTPS traffic?
How do I store traffic log messages on the appliance hard disk?
Why is the most recent log message not displayed in the Aggregated Attack log?
How can I sniff FortiWeb packets (packet capture)?
How do I trace packet flow in FortiWeb?
Why is the number of cookies reported in my attack log message different from the number of cookies that message detail displays?
Why does the attack log message display the virtual server IP address as the destination IP instead of the IP address of the back-end server that was the target of the attack?

Security

How do I detect which cipher suite is used for HTTPS connections?
How can I strengthen my SSL configuration?
Why can’t a browser connect securely to my back-end server?

Performance

How do I use performance tests to determine maximum performance?
How can I measure the memory usage of individual processes?

IPMI (FortiWeb 3000E and 4000E only)

Frequently asked questions

Upgrade

How do I reformat the boot device (flash drive) when I restore or upgrade the firmware?
How do I set up RAID for a replacement hard disk?

How do I recover the password of the admin account?

If you forget the password of the admin administrator, you cannot recover it.

However, you can use the local console to reset the password. For details, see Resetting passwords.

Alternatively, you can reset the FortiWeb appliance to its default state (including the default administrator account and password) by restoring the firmware. For details, see Restoring firmware (“clean install”).

What is the maximum number of ADOMs I can create?

The maximum number of Administrative domains (ADOMs) you can define depends on the appliance model and, in the case of virtual appliances, the amount of vRAM allocated to FortiWeb.

For details, see Per appliance configuration maximums - ADOMs, server policies, Virtual IPs, server objects, and domains in ML policies.

How do I upload and validate a license for FortiWeb-VM?

FortiWeb-VM includes a free 15-day trial license that includes all features except:

  • High availability (HA)
  • FortiGuard updates
  • Technical support

Once the trial expires, most functionality is disabled. You need to purchase a license to continue using FortiWeb-VM.

When you purchase a license for FortiWeb-VM, Fortinet Customer Service & Support (https://support.fortinet.com) provides a license file that you can use to convert the trial license to a permanent, paid license.

You can upload the license via the web UI. The uploading process does not interrupt traffic or trigger an appliance reboot.

FortiWeb-VM requires an Internet connection to periodically re-validate its license. It cannot be evaluated in offline, closed network environments. If FortiWeb-VM cannot contact Fortinet’s FDN for 24 hours, it locks access to the web UI and CLI.

For detailed instructions for accessing the web UI and uploading the license, see the FortiWeb-VM Install Guide:

http://docs.fortinet.com/fortiweb/hardware

To upload the license
  1. Go to the FortiWeb-VM web UI.
  2. For hypervisor deployments, the URL is the default IP address of port1 of the virtual appliance, such as https://192.168.1.99/.

    For FortiWeb-VM deployed on AWS, the URL is the public DNS address displayed in the instance information for the appliance in your AWS console.

  3. Log in to the web UI as the admin user.
  4. For hypervisor deployments, by default, the admin user does not use a password.

    For AWS deployments, by default, the password is the AWS instance ID.

  5. Go to System > Status > Status. The FortiGuard Information widget contains the link you use to upload a license file.
  6. Click Update.
  7. Browse to the license file (.lic) you downloaded earlier from Fortinet, then click OK.
  8. FortiWeb connects to Fortinet to validate its license. In most cases, the process is complete within a few seconds. A message appears:

    License has been uploaded. Please wait for authentication with registration servers.

  9. In the message box, click Refresh.
  10. If you uploaded a valid license, the following message is displayed:

    License has been successfully authenticated with registration servers.

    The web UI logs you out. The login dialog reappears.

  11. Log in again.
  12. To verify that the license was uploaded successfully, log in to the web UI again, then view the FortiGuard Information widget. The VM License row should say Valid.
  13. Also view the System Information widget. The Serial Number row should have a number that indicates the maximum number of vCPUs that can be allocated according to the FortiWeb-VM software license, such as FVVM020000003619 (where “VM02” indicates a limit of 2 vCPUs).

How do I troubleshoot a high availability (HA) problem?

If a high availability (HA) cluster is not behaving as expected, use the following troubleshooting steps to help find the source of the problem:

  1. Ensure the physical connections are correct:
  • Ensure that the physical interfaces that FortiWeb monitors to check the status of appliances in the cluster (Port Monitor in HA configuration) are in the same subnet.
  • Ensure that the HA heartbeat link ports are connected through crossover cables. Although the feature works if you use switches make the connection, Fortinet recommends a direct connection.
  • Ensure the following HA configuration is correct:
    • Ensure that the cluster members have the same Group ID value, and that no other HA cluster uses this value.
    • Specify different Device Priority values for each member of the cluster and select the Override option. This configuration ensures that the higher priority appliance (the one with the lowest value) is maintained is the primary as often as possible.
  • Use the following commands to collect information about the HA cluster:

    get system status

    get global system status (if ADOMs are enabled)

    Displays information about current HA cluster members, including:

    • HA mode
    • HA Status
    • Serial number
    • Priority
    • HA role

    Helps confirm if the 2 appliances are part of the same cluster and which one is the primary.

    execute ha md5sum

    Retrieves the CLI system configuration MD5 from the 2 appliances in a HA cluster.

    Helps confirm whether HA configuration is synchronized.

    execute ha disconnectRun on primary appliance to disconnect secondary without disconnecting cables. You can then connect to the secondary as if it were a standalone appliance for troubleshooting purposes.
    execute ha manage

    If the Override option is selected, you can run this command on the primary appliance to assign a higher priority to the secondary appliance, which manually triggers a HA failover.

    You specify the serial number of the secondary appliance and the new priority. For example:

    execute ha manage FV-1KC3R11111111 1

    execute ha synchronize config

    execute ha synchronize irdb

    execute ha synchronize waf

    Manually triggers configuration synchronization:

    • config—Only the core CLI configuration file (fwb_system.conf) and auxiliary files such as X.509 certificates.
    • irdb—Only the IP Reputation Database (IRDB).
    • waf—Entire configuration, including CLI configuration, system files, and databases.

    Also refreshes the md5sum value, which you use to confirm synchronization status.

    execute ha synchronize avupd

    execute ha synchronize geodb

    Manually triggers synchronization of a database file:

    • avupd—The FortiGuard Antivirus service package.
    • geodb—The geography-to-IP address mappings.

    You can only trigger this type of synchronization manually.

    execute ha synchronize start

    execute ha synchronize stop

    Use to stop or start synchronization during debugging.
    diagnose debug application hasync 1

    Configures the debug logs for HA synchronization to display messages about the automatic configuration synchronization process, commands that failed, and the full configuration synchronization process.

    Run on both members of the HA cluster to confirm configuration synchronization and communication between the appliances.

    Alternatively, use the following command to configure HA synchronization debug logs to display all messages:

    diagnose debug application hasync -1

    Before you run this command, run the following commands to turn on debug log output and enable timestamps:

    diagnose debug enable

    diagnose debug console timestamp enable

    diagnose debug application hatalk 1

    Configures the debug logs for HA heartbeat links to display messages about the heartbeat signal, HA failover, and the uptime of the members of the HA cluster.

    Alternatively, use the following command to configure HA heartbeat debug logs to display all messages:

    diagnose debug application hatalk -1

    Before you run this command, run the following commands to turn on debug log output and enable timestamps:

    diagnose debug enable

    diagnose debug console timestamp enable

  • If your HA cluster is deployed in a custom environment, following commands provide useful information for troubleshooting (run on both members of the cluster):
  • get system status

    diagnose debug application hatalk 1

    diagnose debug application hasync 1

    execute ha sync waf

    execute ha md5sum

    For detailed information about these commands, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    For detailed information about HA topology and configuration, see HA heartbeat and FortiWeb high availability (HA) .

    How do I upload a file to or download a file from FortiWeb?

    To upload a file
    1. To enable the file uploading and downloading functionality, use the CLI to enter the following commands:
    2. config system settings

      set enable-file-upload enable

      end

    3. In the web UI, go to System > Maintenance > Backup & Restore, and select the Backup & Restore tab.
    4. At the bottom of the page, under GUI File Download/Upload, click Upload to navigate to a file and select it, and then click Upload to copy it to FortiWeb.

      When the upload is complete, the file is displayed in the File Name list.

    5. To maintain security, use the following CLI commands to disable the file uploading functionality:
    6. config system settings

      set enable-file-upload disable

      end

    To download a file
    1. To enable the file uploading and downloading functionality, use the CLI to enter the following commands:
    2. config system settings

      set enable-file-upload enable

      end

    3. In the web UI, go to System > Maintenance > Backup & Restore, and select the Backup & Restore tab.
    4. At the bottom of the page, under GUI File Download/Upload, click the download icon for the file you want to download.
    5. To maintain security, use the following CLI commands to disable the file uploading functionality:
    6. config system settings

      set enable-file-upload disable

      end

    Why did the FortiGuard service update fail?

    If your automatic FortiGuard service update is not successful, complete the following troubleshooting steps:

    1. Ensure that your firewall rules allow FortiWeb to access the Internet via TCP port 443.
    2. This is the port that FortiWeb uses to poll for and download FortiGuard service updates from the FortiGuard Distribution Network (FDN).

    3. Ensure FortiWeb can communicate with the DNS server.
    4. When it performs the initial FortiGuard service update, FortiWeb requires access to the DNS server to resolve the domain name fds.fortinet.com to the appropriate host name.

    5. Because the size of the virus signature database exceeds 200MB, an unstable network can interrupt the TCP session that downloads the database. If the download fails for this reason, obtain the latest version of the virus signature database from support.fortinet.com and perform the update manually. For details, see Uploading signature & geography-to-IP updates.
    6. FortiWeb resumes automatic updates of the database at the next scheduled time.

    7. If the previous steps do not solve the problem, use the following commands to obtain additional information:
    8. diagnose debug enable

      diagnose debug application fds 7

      If you need to contact Fortinet Technical Support for assistance, provide the output of these diagnose debug commands and a configuration file.

      For more information about these commands, see the FortiWeb CLI Reference:

      https://docs.fortinet.com/product/fortiweb/

      For additional methods for verifying FortiGuard connectivity, see Connecting to FortiGuard services.

    Why is URL rewriting not working?

    If FortiWeb is not rewriting URLs as expected, complete the following troubleshooting steps:

    1. Ensure the value of Action Type is correct.
    2. Request Action rewrites HTTP requests from clients, and Response Action rewrites responses to clients from the web server.

    3. Ensure that you have added items to the URL Rewriting Condition Table.
    4. If one of your conditions uses a regular expression, ensure that the expression is valid. Click the >> (double arrow) button beside the Regular Expression field to test the value.
    5. For an online guide for regular expressions, go to:

      http://www.regular-expressions.info/reference.html

      For an online library of regular expressions, go to:

      http://regexlib.com

    6. Go to System > Config > Advanced and adjust the value of Maximum Body Cache Size.
    7. URL body rewriting does not work when the page is larger than the cache buffer size. The default size is 64KB.

      To adjust the buffer using the CLI, use a command like the following example:

      config global

      config sys advanced

      set max-cache-size 1024

      end

      end

    8. Ensure that FortiWeb supports the page’s Content-Type, which specifies its MIME type. FortiWeb supports the following Content-Type values only:
    • text/html
    • text/plain
    • text/javascript
    • application/xml
    • text/xml
    • application/javascript
    • application/soap+xml
    • application/x-javascript
    • application/json
    • application/rss+xml

    How do I create a custom signature that erases response packet content?

    1. Create a custom signature rule that includes the following values:
      DirectionResponse
      ExpressionEither a simple string or a regular expression that matches the response to erase.
      Action

      Alert & Erase

      The erase action replaces the content specified by Expression with xxx.

    2. Add an appropriate target:
    • RESPONSE_BODY

    • RESPONSE_HEADER
    • RESPONSE_STATUS

      The RESPONSE_STATUS is not erased in the raw packet.

    If the target is RESPONSE_HEADER or RESPONSE_STATUS, the body of the response is still displayed.

  • Add the rule to a custom signature group, and then add the group to a signature policy that you can add to an inline or Offline Protection profile.
  • For detailed custom signature creation instructions, see Defining custom data leak & attack signatures.

    How do I reduce false positives and false negatives?

    If FortiWeb is identifying legitimate requests as attacks (false positives), complete the following troubleshooting steps:

    1. If your web protection profile uses a signature policy in which the extended version of a signature set is enabled (for example, Cross Site Scripting), disable it.
    2. The extended signature sets detect a wider range of attacks but are also more likely to generate false positives.

      For details, see Blocking known attacks .

    3. Specify the appropriate URL as an exception in the signature configuration. To create this exception, click either the Exception link in the Message field of the attack log item or Advanced Mode in the Edit Signature Policy dialog box.
    4. For details, see Configuring action overrides or exceptions to data leak & attack detection signatures.

    5. If the configuration changes do not solve the problem, capture the packet that FortiWeb has incorrectly identified as an attack and contact Fortinet Technical Support for assistance.
    6. Fortinet can resolve the issue by modifying the attack signature.

    If FortiWeb is identifying attacks as legitimate requests (false negatives), complete the following troubleshooting steps:

    1. Use the Advanced Mode option to ensure that the signature policy that your web protection profile uses has the following configuration:
    • All the appropriate signatures are enabled.
    • The enabled signatures do not have exceptions that permit the attack packets.
  • If your signature configuration is correct, capture the packet that FortiWeb did not identify as an attack and contact Fortinet Technical Support for assistance.
  • Fortinet can resolve the issue by adding an attack signature. In the meantime, you can resolve the problem by creating a custom signature. For details, see Defining custom data leak & attack signatures.

    For additional information about reducing false positives, see Reducing false positives.

    Why is FortiWeb not forwarding non-HTTP traffic (for example, RDP, FTP) to back-end servers even though set ip-forward is enabled?

    The config router setting command allows you to change how FortiWeb handles non-HTTP/HTTPS traffic when it is operating in Reverse Proxy mode.

    When the setting ip-forward is enabled, for any non-HTTP/HTTPS traffic with a destination other than a FortiWeb virtual server (for example, a back-end server), FortiWeb acts as a router and forwards it based in its destination address.

    However, any non-HTTP/HTTPS traffic destined for a virtual server on the appliance is dropped.

    Therefore, if you require clients need to reach a back-end server using FTP or another non-HTTP/HTTPS protocol, ensure the client uses the back-end server's IP address.

    For more detailed information about this setting and a configuration that avoids this problem, see the “Router setting” topic in the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    How do I prevent cross-site request forgery (CSRF or XSRF) with a custom rule?

    A cross-site request forgery attack takes advantage of the trust that a site has in a client’s browser to execute unwanted actions on a web application.

    To add an advanced access control rule that detects cross-site request forgery (CSRF)
    1. Go to Web Protection > Advanced Protection > Custom Policy, and select the Custom Rule tab.
    2. Click Create New.
    3. Configure the action and trigger settings for the rule.
    4. For detailed information on these settings, see Custom Policy.

    5. Click Create New to add a rule entry.
    6. For Filter Type, select HTTP Header, and then click OK.
    7. Configure these settings:
      Header NameReferer
      Header Value TypeRegular Expression
      Header Value

      A regular expression that matches the address of your website.

      For example, if your website is http://211.24.155.103/, use the following expression:

      ^http://211\.24\.155\.103.*

    8. Click OK to save the rule entry, and then click OK to save the rule.
    9. Go to Web Protection > Advanced Protection > Custom Policy, and select the Custom Policy tab to group the custom rule into a policy.
    10. For details about creating policies, see Custom Policy.

    11. To apply the policy, select it as the Custom Policy in a protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
    12. Attack log messages contain Custom Access Violation when this feature detects an unauthorized access attempt.

    Why does my Advanced Protection rule that has both Signature Violation and HTTP Response Code filters not detect any violations?

    When you use Web Protection > Advanced Protection > Custom Policy > the Custom Rule tab to create a custom rule, FortiWeb links items in the list of filters with an AND operator. It uses the rule to evaluate both requests and responses. When the rule has both a Signature Violation and a HTTP Response Code filter, a malicious request violates the signature filter and the corresponding response matches the response code filter. But neither the request nor the response can violate both filters at the same time to generate a match.

    To solve this problem, create a separate custom rule for each type of filter. For details, see Custom Policy.

    What's the difference between the Packet Interval Timeout and Transaction Timeout filters in an Advanced Protection rule?

    Both Packet Interval Timeout and Transaction Timeout protect against DoS attacks. In most cases, the attacks are some form of slow HTTP attack.

    Packet Interval Timeout evaluates the time period between packets that arrive from either the client or server (request or response packets). If the time exceeds the maximum the timeout specifies, FortiWeb takes the action specified in the rule.

    However, other types of slow attacks can keep the server occupied and still maintain a minimal data flow. For example, if an attack sends a byte of data per second, it can continue a GET request indefinitely but stay within the Packet Interval Timeout.

    The Transaction Timeout evaluates the time period for a transaction—a GET or POST request and its complete reply. In most cases, a transaction lasts no longer than a few milliseconds or, for slower applications, a few seconds.

    To detect the widest range of attacks, specify both Packet Interval Timeout and Transaction Timeout filters when you create an Advanced Protection rule.

    For details, see Custom Policy.

    What ID numbers do I use to specify a Signature Violation filter when I use the CLI to create a custom access rule?

    The waf custom-access rule command allows you to configure custom access rules, which can include Signature Violation filters. When you configure the signature-class option, use one of the following IDs to specify the category of signature to match:

    Cross Site Scripting 01000000
    Cross Site Scripting (Extended) 02000000
    SQL Injection 03000000
    SQL Injection (Extended) 04000000
    Generic Attacks 05000000
    Generic Attacks (Extended) 06000000
    Known Exploits 09000000

    For example, the following command creates a custom rule that detects SQL injection attacks, such as blind SQL injection:

    config waf custom-access rule

    edit "sql-inject"

    set action block-period

    set severity High

    set trigger "notification-servers1"

    config signature-class

    edit 03000000

    set status enable

    next

    end

    next

    end

    config waf custom-access policy

    edit "sql-inject-policy"

    config rule

    edit 1

    set rule-name "sql-inject"

    next

    end

    next

    end

    For more information on the waf custom-access rule command, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    Why is the Signature Violation filter I added to my Advanced Protection custom rule not working?

    To add a Signature Violation filter to an Advanced Protection custom rule, you select Signature Violation as the filter type.

    However, for the filter to work, the following configuration steps are also required:

    • In the Edit Custom Rule dialog box, select at least one signature category. By default, no categories are selected. When you select a category, FortiWeb prompts you to enable all or some of the signatures in the category.
    • Ensure that the signatures that correspond to the categories you selected in the rule are enabled in the signature policy (Web Protection > Known Attacks > Signatures).

    You select the custom policy that contains the rule and corresponding signature set when you create a protection profile.

    For details, see Custom Policy and Blocking known attacks .

    Why don't my back-end servers receive the virtual server IP address as the source IP?

    When the operation mode is Reverse Proxy, the server pool members receive the IP address of the FortiWeb interface the connection uses. If the back-end servers need to know the IP address of the client where the request originated, configure a X-Forwarded-For rule for the appropriate profile. For details, see Defining your proxies, clients, & X-headers.

    Why do I not see HTTP traffic in the logs?

    Successful HTTP traffic logging depends on both FortiWeb configuration and the configuration of other network devices. If you do not see HTTP traffic in the traffic log, ensure that the configuration described in the following tables is correct.

    Reverse Proxy mode
    Configuration What to look for See
    Logging

    Ensure logging is enabled and configured.

    By default, logging is not enabled.

    Configuring logging
    Servers Ensure that the IP address of your physical server and the IP address of your virtual server are correct.

    Defining your web servers

    Configuring virtual servers on your FortiWeb

    Server policy Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as members of a server pool). Configuring a server policy
    Network interfaces

    Go to System > Network > Interface and ensure the ports for inbound and outbound traffic are up.

    Use sniffing (packet capture) to ensure that you can see traffic on both inbound and outbound network interfaces.

    Ensure that the network interfaces are configured with the correct IP addresses. In a typical configuration, port1 is configured for management (web UI access) and the remaining ports associated with the required subnets.

    Configuring the network interfaces

    How can I sniff FortiWeb packets (packet capture)? (overview) or Packet capture

    VLANs (if used) Make sure that the VLAN is associated with the correct physical port (Interface setting). Adding VLAN subinterfaces
    Firewalls & routers Communications between the FortiWeb appliance, clients, protected web servers, and FortiGuard Distribution Network (FDN) require that any routers and firewalls between them permit specific protocols and port numbers. Appendix A: Port numbers
    Load balancers If the load balancer is in front of FortiWeb, the physical IP addresses on it are the FortiWeb virtual IP addresses. If the Load Balancer is behind the FortiWeb, the FortiWeb physical server is the virtual IP for the load balancer's virtual IP. External load balancers: before or after?
    Web server Ensure that the web server is up and running by testing it without FortiWeb on the network. Checking routing
    Transparent modes
    Configuration What to look for See
    Logging

    Ensure logging is enabled and configured.

    By default, logging is not enabled.

    Configuring logging
    Server/server pool Ensure that the configuration for the physical server in the server pool contains the correct IP address.

    Defining your web servers

    Creating an HTTP server pool

    Server policy Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as a member of a server pool). Configuring a server policy
    Bridge (v-zone)

    Ensure the v-zone is configured using the correct FortiWeb ports.

    In the list of network interfaces (Global > System > Network > Interface), the Status column identifies interfaces that are members of a v-zone.

    To ensure that the bridge is forwarding traffic, in the list of v-zones, under Interface, look for the status “forwarding” following the names of the ports.

    Configuring a bridge (V-zone)
    VLANs (if used) Make sure that the VLAN is associated with the correct physical port (Interface setting). Adding VLAN subinterfaces
    Firewalls & routers Communications between the FortiWeb appliance, clients, protected web servers, and FortiGuard Distribution Network (FDN) require that any routers and firewalls between them permit specific protocols and port numbers. Appendix A: Port numbers
    Web server Ensure that the web server is up and running by testing it without FortiWeb on the network. Checking routing
    Offline mode
    Configuration What to look for See
    Logging

    Ensure logging is enabled and configured.

    By default, logging is not enabled.

    Configuring logging
    Server/server pool Ensure that the configuration for the physical server in the server pool contains the correct IP address.

    Defining your web servers

    Creating an HTTP server pool

    Server policy Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as members of a server pool). Configuring a server policy
    Bridge (v-zone)

    Ensure the v-zone is configured using the correct FortiWeb ports.

    In the list of network interfaces (Global > System > Network > Interface), the Status column identifies interfaces that are members of a v-zone.

    To ensure that the bridge is forwarding traffic, in the list of v-zones, under Interface, look for the status “forwarding” following the names of the ports.

    Configuring a bridge (V-zone)
    VLANs (if used) Make sure that the VLAN is associated with the correct physical port (Interface setting). Adding VLAN subinterfaces
    Network interfaces Use sniffing (packet capture) to ensure that you can see traffic on both inbound and outbound network interfaces.

    Configuring the network interfaces

    How can I sniff FortiWeb packets (packet capture)? (overview) or Packet capture

    Web server Ensure that the web server is up and running by testing it without FortiWeb on the network. Checking routing

    Why do I see HTTP traffic in the logs but not HTTPS traffic?

    Use the following steps to troubleshoot HTTPS traffic logging:

    1. Ensure FortiWeb has the certificates it needs to offload or inspect HTTPS.
    2. For details, see How to offload or inspect HTTPS.

    3. Use sniffing (packet capture) to look for errors in HTTPS traffic.
    4. For details, see How can I sniff FortiWeb packets (packet capture)? (overview) or Packet capture.

    How do I store traffic log messages on the appliance hard disk?

    You can configure FortiWeb to store traffic log messages on its hard disk.

    In most environments, and especially environments with high traffic volume, enabling this option for long periods of time can cause the hard disk to fail prematurely. Do not enable it unless it is necessary and disable it as soon as you no longer need it.

    For information on configuring logging to the hard disk using the web UI, see Configuring logging.

    To enable logging to the hard disk via the CLI, log in using an account with either w or rw permission to the loggrp area and enter the following commands:

    config log traffic-log

    set disk-log enable


    Use the following commands to verify the new configuration:

    get log traffic-log


    A response that is similar to the following message is displayed:

    status : enable

    packet-log : enable

    disk-log : enable


    Alternatively, use the following command to display a sampling of traffic log messages:

    diagnose log tlog show


    A response that is similar to the following message is displayed:

    Total time span is 39.252285 seconds

    Time spent on waiting is 13.454448 seconds

    Time spent on preprocessing is 3.563218 seconds

    traffic log processed: 69664


    where:

    • Total time span is the total amount of time of the logd process handle logs (that is, receiving messages from other process, filtering messages, outputting in standard format, writing the logs to the local database, and so on)
    • Time spent on waiting is the amount of time of the logd process waited to receive messages from other processes
    • Time spent on preprocessing is the amount of time the logd process spent filtering and format i ng messages
    • traffic log processed is the total number of logs that the logd process handled in this cycle

    For more information about the config log traffic-log and diagnose log tlog show commands, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    Why is the most recent log message not displayed in the Aggregated Attack log?

    If recent log messages do not appear in the Aggregated Attack log as expected, complete the following troubleshooting steps:

    1. Use the dashboard to see if the appliance is busy.
    2. When FortiWeb generates an attack log, the appliance writes it to and reads it from the hard disk and then updates the logging database.

      The process that retrieves Aggregated Attack log information from the database (indexd) has a lower priority than the processes that analyze and direct traffic. Therefore, increased demand for FortiWeb processing resources (for example, when traffic levels increase) can delay updates to the log.

    3. Rebuild the logging database.
    4. Events such as a power outage can corrupt the logging database. Use the following command to rebuild it:

      exec db rebuild

      This command deletes and rebuilds the database. It does not delete any logs on the hard disk and no log information is lost.

    How can I sniff FortiWeb packets (packet capture)?

    Use the diagnose network sniffer command to perform a packet trace on one or more interfaces.

    For example, the following command captures TCP port 80 traffic arriving at or departing from 192.168.1.1, for all network interfaces. The value 3 specifies the verbosity level (3captures the most detail):

    diagnose network sniffer any 'tcp and port 80 and host 192.168.1.1' 3


    For instructions on using this command and its output, see Packet capture.

    The following steps are an overview of the process:

    1. Use a terminal emulator such as SecureCRT or Putty, connect to the appliance via SSH or Telnet, run the sniffer command, and save the output to a file (for example, detail_output.log).
    2. A terminal emulator is required because the console is too slow for this task and cannot display all of the output.

    3. Install a Perl interpreter and Wireshark (or equivalent application) on your PC.
    4. To convert the packet capture command to a format that Wireshark can use, run the following command:

      perl ./fgt2eth.pl -in detail_ouput.log -out converted.cap

      (You can run the Perl script in Windows or Linux.)

      To download fgt2eth.pl, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer (http://kb.fortinet.com/kb/documentLink.do?externalId=11186).

      The fgt2eth.pl script is provided as-is, without any implied warranty or technical support.

    How do I trace packet flow in FortiWeb?

    Use the following steps to use the console to view packet flow information for a specified client IP when it accesses a virtual server IP:

    1. Using the CLI, use the following command to turn on debug log output:
    2. diagnose debug enable


    3. Use a command similar to the following to limit the debug logs to those that match a specific client IP address:
    4. diagnose debug flow filter client-ip 172.22.6.232


    5. Use the following command to include details from each module that processes the packet:
    6. diagnose debug flow filter module-detail status on


    7. Use the following command to start the flow trace:
    8. diagnose debug flow trace start


      The following output is an example of the results of these commands:

      Module name:WAF_X_FORWARD_FOR_PROCESS, Execution:4, Process error:0, Action:ACCEPT

      Module name:WAF_IP_INTELLIGENCE, Execution:3, Process error:6, Action:ACCEPT

      Module name:WAF_KNOWN_ENGINES, Execution:4, Process error:0, Action:ACCEPT

      Module name:HSTS_HEADER_PROCESS, Execution:4, Process error:5, Action:ACCEPT

      Module name:WAF_HTTP_ACTIVE_SCRIPT, Execution:3, Process error:2, Action:ACCEPT

      Module name:WAF_CLIENT_MANAGEMENT, Execution:4, Process error:0, Action:ACCEPT

      Module name:WAF_HTTP_DOS_HTTP_FLOOD, Execution:4, Process error:0, Action:ACCEPT

      Module name:WAF_HTTP_DOS_MALICIOUS_IP, Execution:4, Process error:8, Action:ACCEPT

      Module name:HTTP_ACCLIMIT_LIMIT, Execution:4, Process error:-1, Action:ACCEPT

      Module name:WAF_GLOBAL_ALLOW_LIST, Execution:4, Process error:-1, Action:ACCEPT

      Module name:WAF_GLOBAL_ALLOW_LIST, Execution:4, Process error:-1, Action:ACCEPT

      Module name:WAF_URL_ACCESS_POLICY, Execution:4, Process error:8, Action:ACCEPT

      Module name:HTTP_CONSTRAINTS, Execution:4, Process error:2, Action:ACCEPT

      Module name:WAF_COOKIE_POISON, Execution:4, Process error:0, Action:ACCEPT

      Module name:WAF_CUSTOM_ACCESS_POLICY, Execution:4, Process error:6, Action:ACCEPT

      Module name:WAF_HTTP_STATISTIC, Execution:4, Process error:0, Action:ACCEPT


      For additional information on these commands (for example, to specify debug logs for a specific flow direction), see the FortiWeb CLI Reference:

      https://docs.fortinet.com/product/fortiweb/

    Why is the number of cookies reported in my attack log message different from the number of cookies that message detail displays?

    When FortiWeb generates an attack log message because a request exceeds the maximum number of cookies it permits, the message value includes the number of cookies found in the request. In addition, the message details include the actual cookie values.

    For performance reasons, FortiWeb limits the size of the attack log message. If the amount of cookie value information exceeds the limit for cookies in the attack log, the appliance displays only some of the cookies the message detail.

    Why does the attack log message display the virtual server IP address as the destination IP instead of the IP address of the back-end server that was the target of the attack?

    In some cases, FortiWeb blocks attacks before the packet is routed to a server pool member. When this happens, the destination IP is the virtual server IP.

    How do I detect which cipher suite is used for HTTPS connections?

    Use sniffing (packet capture) to capture SSL/ TLS traffic and view the “Server hello” message, which includes cipher suite information.

    For more HTTPS troubleshooting information, see Supported cipher suites & protocol versions and Checking the SSL/TLS handshake & encryption.

    How can I strengthen my SSL configuration?

    The following configuration changes can make SSL more effective in preventing attacks and can improve your website's score for third-party testing tools (for example, the SSL server test provided by Qualys SSL Labs).

    Which configuration changes you make depends on your environment. For example, some older clients do not support SHA256.

    • For your website certificate, do the following:
      • If it uses the SHA1 hashtag function, replace it with one that uses SHA256.
      • Ensure that its key size is 2048-bit.
    • For the server policy (Reverse Proxy mode) or server pool member configuration (True Transparent Proxy mode), specify the following values in the advanced SSL settings:
      • Select Add HSTS Header, and then for Max. Age, enter 15552000.
      • For SSL/TLS Encryption Level, select High.
      • Select Disable Client-Initiated SSL Renegotiation.

        For details, see Configuring a server policy.
    • Use the following CLI command to set the Diffie-Hellman key exchange parameters to 2048 or greater:

    config system global

    set dh-params 2048


    The command is available in FortiWeb 5.3.6 and higher only. For additional information on using CLI commands, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    Why can’t a browser connect securely to my back-end server?

    If a browser cannot communicate with a back-end server using SSL or TLS, use the following troubleshooting steps to resolve the problem:

    1. Without connecting via FortiWeb, ensure that you can access the server using HTTPS.
    2. Ensure that your browser supports HTTP Strict Transport Security (HSTS). For example, following web page provides compatibility tables for various web browser versions:
    3. http://caniuse.com/stricttransportsecurity

    4. Ensure that the FortiWeb response includes the strict transport security header.
    5. To add this header, select Add HSTS Header in the server policy or server pool configuration. For details, see Configuring a server policy or Creating an HTTP server pool.

    6. Use the following cEnsure that the server certificate is trusted:
    • If the certificate is signed by intermediate certificate authority (CA), the intermediate CA is signed by a root CA.
    • The root CA is listed in your browser’s store of trusted certificates.
    • The domain name or IP address is consistent with the certificate subject.

    For details, see How to offload or inspect HTTPS.

    How do I use performance tests to determine maximum performance?

    Use these performance tests and the dashboard's System Resources widget to determine where the appliance reaches its maximum capacity (bottleneck):

    Requests per second (RPS), connections per second (CPS) Rate of requests or connections maintains CPU Usage at 100%
    Concurrent connections Number of connections maintains Memory Usage at 90%
    Throughput test Throughput maintains the value of CPU Usage at 100%. (A pair of gigabit ports provide bandwidth of up to 2 Gbps.)

    If your CPU and memory values do not reach the specified values, adjust your client and server test configuration until you can determine maximum performance.

    How can I measure the memory usage of individual processes?

    The diagnose policy command allows you to view the memory usage associated with all server policies or a specific policy. For example:

    diagnose policy memory all

    The diagnose hardware mem command allows you to display the usage statistics of ephemeral memory (RAM), including swap pages and shared memory (Shmem). For example, to display total memory usage:

    diagnose hardware mem list

    For additional information on these commands, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    How do I reformat the boot device (flash drive) when I restore or upgrade the firmware?

    Follow the instructions provided in Restoring firmware (“clean install”).

    For If the firmware version requires that you first format the boot device before installing firmware, type F. Format the boot disk before continuing., type F to format the boot device (flash drive), and then enter Y to confirm your selection.

    After a few minutes, the reformatting process is complete. Continue with the instructions for retrieving the firmware image from the TFTP server.

    During the system boot, Fortinet highly recommends that you verify the disk integrity. To perform this task, when the prompt Press [enter] key for disk integrity verification is displayed, press Enter.

    After the firmware restore is complete, use the get system status CLI command to verify the system version. For additional information on using the CLI, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    How do I set up RAID for a replacement hard disk?

    The procedures applies to all models except 100D, 400B, 400C, and 400D.

    1. Power off the FortiWeb.
    2. Remove the hard disk from FortiWeb and install the new hard disk.
    3. Power on the FortiWeb.
    4. Use the following command to initialize RAID:
    5. execute create-raid level raid1

    6. Enter y to confirm the initialization.
    7. FortiWeb reboots and starts the RAID initialization. The process can take a few hours to complete.

    8. Use the following command to check the RAID status:
    9. diagnose hardware raid list

      If the process is successful, a message similar to the following is displayed:

      level size(M) disk-number

      raid1 1877665 0(OK),1(OK),2(Not Present),3(Not Present)

      edited on: 2016-01-25 00:48

      If FortiWeb is unable to write log messages to the disk, a message similar to the following is displayed:

      level size(M) disk-number

      raid1 1877665 0(Not Present),1(Not Present),2(Not Present),3(Not Present)

    For additional information on using these CLI commands, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    Frequently asked questions

    Frequently asked questions

    Administration

    How do I recover the password of the admin account?
    What is the maximum number of ADOMs I can create?
    How do I upload and validate a license for FortiWeb-VM?
    How do I troubleshoot a high availability (HA) problem?

    FortiGuard

    Why did the FortiGuard service update fail?

    Access control and rewriting

    Why is URL rewriting not working?
    How do I create a custom signature that erases response packet content?
    How do I reduce false positives and false negatives?
    Why is FortiWeb not forwarding non-HTTP traffic (for example, RDP, FTP) to back-end servers even though set ip-forward is enabled?
    How do I prevent cross-site request forgery (CSRF or XSRF) with a custom rule?
    Why does my Advanced Protection rule that has both Signature Violation and HTTP Response Code filters not detect any violations?
    What's the difference between the Packet Interval Timeout and Transaction Timeout filters in an Advanced Protection rule?
    What ID numbers do I use to specify a Signature Violation filter when I use the CLI to create a custom access rule?
    Why is the Signature Violation filter I added to my Advanced Protection custom rule not working?
    Why don't my back-end servers receive the virtual server IP address as the source IP?

    Logging and packet capture

    Why do I not see HTTP traffic in the logs?
    Why do I see HTTP traffic in the logs but not HTTPS traffic?
    How do I store traffic log messages on the appliance hard disk?
    Why is the most recent log message not displayed in the Aggregated Attack log?
    How can I sniff FortiWeb packets (packet capture)?
    How do I trace packet flow in FortiWeb?
    Why is the number of cookies reported in my attack log message different from the number of cookies that message detail displays?
    Why does the attack log message display the virtual server IP address as the destination IP instead of the IP address of the back-end server that was the target of the attack?

    Security

    How do I detect which cipher suite is used for HTTPS connections?
    How can I strengthen my SSL configuration?
    Why can’t a browser connect securely to my back-end server?

    Performance

    How do I use performance tests to determine maximum performance?
    How can I measure the memory usage of individual processes?

    IPMI (FortiWeb 3000E and 4000E only)

    Frequently asked questions

    Upgrade

    How do I reformat the boot device (flash drive) when I restore or upgrade the firmware?
    How do I set up RAID for a replacement hard disk?

    How do I recover the password of the admin account?

    If you forget the password of the admin administrator, you cannot recover it.

    However, you can use the local console to reset the password. For details, see Resetting passwords.

    Alternatively, you can reset the FortiWeb appliance to its default state (including the default administrator account and password) by restoring the firmware. For details, see Restoring firmware (“clean install”).

    What is the maximum number of ADOMs I can create?

    The maximum number of Administrative domains (ADOMs) you can define depends on the appliance model and, in the case of virtual appliances, the amount of vRAM allocated to FortiWeb.

    For details, see Per appliance configuration maximums - ADOMs, server policies, Virtual IPs, server objects, and domains in ML policies.

    How do I upload and validate a license for FortiWeb-VM?

    FortiWeb-VM includes a free 15-day trial license that includes all features except:

    • High availability (HA)
    • FortiGuard updates
    • Technical support

    Once the trial expires, most functionality is disabled. You need to purchase a license to continue using FortiWeb-VM.

    When you purchase a license for FortiWeb-VM, Fortinet Customer Service & Support (https://support.fortinet.com) provides a license file that you can use to convert the trial license to a permanent, paid license.

    You can upload the license via the web UI. The uploading process does not interrupt traffic or trigger an appliance reboot.

    FortiWeb-VM requires an Internet connection to periodically re-validate its license. It cannot be evaluated in offline, closed network environments. If FortiWeb-VM cannot contact Fortinet’s FDN for 24 hours, it locks access to the web UI and CLI.

    For detailed instructions for accessing the web UI and uploading the license, see the FortiWeb-VM Install Guide:

    http://docs.fortinet.com/fortiweb/hardware

    To upload the license
    1. Go to the FortiWeb-VM web UI.
    2. For hypervisor deployments, the URL is the default IP address of port1 of the virtual appliance, such as https://192.168.1.99/.

      For FortiWeb-VM deployed on AWS, the URL is the public DNS address displayed in the instance information for the appliance in your AWS console.

    3. Log in to the web UI as the admin user.
    4. For hypervisor deployments, by default, the admin user does not use a password.

      For AWS deployments, by default, the password is the AWS instance ID.

    5. Go to System > Status > Status. The FortiGuard Information widget contains the link you use to upload a license file.
    6. Click Update.
    7. Browse to the license file (.lic) you downloaded earlier from Fortinet, then click OK.
    8. FortiWeb connects to Fortinet to validate its license. In most cases, the process is complete within a few seconds. A message appears:

      License has been uploaded. Please wait for authentication with registration servers.

    9. In the message box, click Refresh.
    10. If you uploaded a valid license, the following message is displayed:

      License has been successfully authenticated with registration servers.

      The web UI logs you out. The login dialog reappears.

    11. Log in again.
    12. To verify that the license was uploaded successfully, log in to the web UI again, then view the FortiGuard Information widget. The VM License row should say Valid.
    13. Also view the System Information widget. The Serial Number row should have a number that indicates the maximum number of vCPUs that can be allocated according to the FortiWeb-VM software license, such as FVVM020000003619 (where “VM02” indicates a limit of 2 vCPUs).

    How do I troubleshoot a high availability (HA) problem?

    If a high availability (HA) cluster is not behaving as expected, use the following troubleshooting steps to help find the source of the problem:

    1. Ensure the physical connections are correct:
    • Ensure that the physical interfaces that FortiWeb monitors to check the status of appliances in the cluster (Port Monitor in HA configuration) are in the same subnet.
    • Ensure that the HA heartbeat link ports are connected through crossover cables. Although the feature works if you use switches make the connection, Fortinet recommends a direct connection.
  • Ensure the following HA configuration is correct:
    • Ensure that the cluster members have the same Group ID value, and that no other HA cluster uses this value.
    • Specify different Device Priority values for each member of the cluster and select the Override option. This configuration ensures that the higher priority appliance (the one with the lowest value) is maintained is the primary as often as possible.
  • Use the following commands to collect information about the HA cluster:

    get system status

    get global system status (if ADOMs are enabled)

    Displays information about current HA cluster members, including:

    • HA mode
    • HA Status
    • Serial number
    • Priority
    • HA role

    Helps confirm if the 2 appliances are part of the same cluster and which one is the primary.

    execute ha md5sum

    Retrieves the CLI system configuration MD5 from the 2 appliances in a HA cluster.

    Helps confirm whether HA configuration is synchronized.

    execute ha disconnectRun on primary appliance to disconnect secondary without disconnecting cables. You can then connect to the secondary as if it were a standalone appliance for troubleshooting purposes.
    execute ha manage

    If the Override option is selected, you can run this command on the primary appliance to assign a higher priority to the secondary appliance, which manually triggers a HA failover.

    You specify the serial number of the secondary appliance and the new priority. For example:

    execute ha manage FV-1KC3R11111111 1

    execute ha synchronize config

    execute ha synchronize irdb

    execute ha synchronize waf

    Manually triggers configuration synchronization:

    • config—Only the core CLI configuration file (fwb_system.conf) and auxiliary files such as X.509 certificates.
    • irdb—Only the IP Reputation Database (IRDB).
    • waf—Entire configuration, including CLI configuration, system files, and databases.

    Also refreshes the md5sum value, which you use to confirm synchronization status.

    execute ha synchronize avupd

    execute ha synchronize geodb

    Manually triggers synchronization of a database file:

    • avupd—The FortiGuard Antivirus service package.
    • geodb—The geography-to-IP address mappings.

    You can only trigger this type of synchronization manually.

    execute ha synchronize start

    execute ha synchronize stop

    Use to stop or start synchronization during debugging.
    diagnose debug application hasync 1

    Configures the debug logs for HA synchronization to display messages about the automatic configuration synchronization process, commands that failed, and the full configuration synchronization process.

    Run on both members of the HA cluster to confirm configuration synchronization and communication between the appliances.

    Alternatively, use the following command to configure HA synchronization debug logs to display all messages:

    diagnose debug application hasync -1

    Before you run this command, run the following commands to turn on debug log output and enable timestamps:

    diagnose debug enable

    diagnose debug console timestamp enable

    diagnose debug application hatalk 1

    Configures the debug logs for HA heartbeat links to display messages about the heartbeat signal, HA failover, and the uptime of the members of the HA cluster.

    Alternatively, use the following command to configure HA heartbeat debug logs to display all messages:

    diagnose debug application hatalk -1

    Before you run this command, run the following commands to turn on debug log output and enable timestamps:

    diagnose debug enable

    diagnose debug console timestamp enable

  • If your HA cluster is deployed in a custom environment, following commands provide useful information for troubleshooting (run on both members of the cluster):
  • get system status

    diagnose debug application hatalk 1

    diagnose debug application hasync 1

    execute ha sync waf

    execute ha md5sum

    For detailed information about these commands, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    For detailed information about HA topology and configuration, see HA heartbeat and FortiWeb high availability (HA) .

    How do I upload a file to or download a file from FortiWeb?

    To upload a file
    1. To enable the file uploading and downloading functionality, use the CLI to enter the following commands:
    2. config system settings

      set enable-file-upload enable

      end

    3. In the web UI, go to System > Maintenance > Backup & Restore, and select the Backup & Restore tab.
    4. At the bottom of the page, under GUI File Download/Upload, click Upload to navigate to a file and select it, and then click Upload to copy it to FortiWeb.

      When the upload is complete, the file is displayed in the File Name list.

    5. To maintain security, use the following CLI commands to disable the file uploading functionality:
    6. config system settings

      set enable-file-upload disable

      end

    To download a file
    1. To enable the file uploading and downloading functionality, use the CLI to enter the following commands:
    2. config system settings

      set enable-file-upload enable

      end

    3. In the web UI, go to System > Maintenance > Backup & Restore, and select the Backup & Restore tab.
    4. At the bottom of the page, under GUI File Download/Upload, click the download icon for the file you want to download.
    5. To maintain security, use the following CLI commands to disable the file uploading functionality:
    6. config system settings

      set enable-file-upload disable

      end

    Why did the FortiGuard service update fail?

    If your automatic FortiGuard service update is not successful, complete the following troubleshooting steps:

    1. Ensure that your firewall rules allow FortiWeb to access the Internet via TCP port 443.
    2. This is the port that FortiWeb uses to poll for and download FortiGuard service updates from the FortiGuard Distribution Network (FDN).

    3. Ensure FortiWeb can communicate with the DNS server.
    4. When it performs the initial FortiGuard service update, FortiWeb requires access to the DNS server to resolve the domain name fds.fortinet.com to the appropriate host name.

    5. Because the size of the virus signature database exceeds 200MB, an unstable network can interrupt the TCP session that downloads the database. If the download fails for this reason, obtain the latest version of the virus signature database from support.fortinet.com and perform the update manually. For details, see Uploading signature & geography-to-IP updates.
    6. FortiWeb resumes automatic updates of the database at the next scheduled time.

    7. If the previous steps do not solve the problem, use the following commands to obtain additional information:
    8. diagnose debug enable

      diagnose debug application fds 7

      If you need to contact Fortinet Technical Support for assistance, provide the output of these diagnose debug commands and a configuration file.

      For more information about these commands, see the FortiWeb CLI Reference:

      https://docs.fortinet.com/product/fortiweb/

      For additional methods for verifying FortiGuard connectivity, see Connecting to FortiGuard services.

    Why is URL rewriting not working?

    If FortiWeb is not rewriting URLs as expected, complete the following troubleshooting steps:

    1. Ensure the value of Action Type is correct.
    2. Request Action rewrites HTTP requests from clients, and Response Action rewrites responses to clients from the web server.

    3. Ensure that you have added items to the URL Rewriting Condition Table.
    4. If one of your conditions uses a regular expression, ensure that the expression is valid. Click the >> (double arrow) button beside the Regular Expression field to test the value.
    5. For an online guide for regular expressions, go to:

      http://www.regular-expressions.info/reference.html

      For an online library of regular expressions, go to:

      http://regexlib.com

    6. Go to System > Config > Advanced and adjust the value of Maximum Body Cache Size.
    7. URL body rewriting does not work when the page is larger than the cache buffer size. The default size is 64KB.

      To adjust the buffer using the CLI, use a command like the following example:

      config global

      config sys advanced

      set max-cache-size 1024

      end

      end

    8. Ensure that FortiWeb supports the page’s Content-Type, which specifies its MIME type. FortiWeb supports the following Content-Type values only:
    • text/html
    • text/plain
    • text/javascript
    • application/xml
    • text/xml
    • application/javascript
    • application/soap+xml
    • application/x-javascript
    • application/json
    • application/rss+xml

    How do I create a custom signature that erases response packet content?

    1. Create a custom signature rule that includes the following values:
      DirectionResponse
      ExpressionEither a simple string or a regular expression that matches the response to erase.
      Action

      Alert & Erase

      The erase action replaces the content specified by Expression with xxx.

    2. Add an appropriate target:
    • RESPONSE_BODY

    • RESPONSE_HEADER
    • RESPONSE_STATUS

      The RESPONSE_STATUS is not erased in the raw packet.

    If the target is RESPONSE_HEADER or RESPONSE_STATUS, the body of the response is still displayed.

  • Add the rule to a custom signature group, and then add the group to a signature policy that you can add to an inline or Offline Protection profile.
  • For detailed custom signature creation instructions, see Defining custom data leak & attack signatures.

    How do I reduce false positives and false negatives?

    If FortiWeb is identifying legitimate requests as attacks (false positives), complete the following troubleshooting steps:

    1. If your web protection profile uses a signature policy in which the extended version of a signature set is enabled (for example, Cross Site Scripting), disable it.
    2. The extended signature sets detect a wider range of attacks but are also more likely to generate false positives.

      For details, see Blocking known attacks .

    3. Specify the appropriate URL as an exception in the signature configuration. To create this exception, click either the Exception link in the Message field of the attack log item or Advanced Mode in the Edit Signature Policy dialog box.
    4. For details, see Configuring action overrides or exceptions to data leak & attack detection signatures.

    5. If the configuration changes do not solve the problem, capture the packet that FortiWeb has incorrectly identified as an attack and contact Fortinet Technical Support for assistance.
    6. Fortinet can resolve the issue by modifying the attack signature.

    If FortiWeb is identifying attacks as legitimate requests (false negatives), complete the following troubleshooting steps:

    1. Use the Advanced Mode option to ensure that the signature policy that your web protection profile uses has the following configuration:
    • All the appropriate signatures are enabled.
    • The enabled signatures do not have exceptions that permit the attack packets.
  • If your signature configuration is correct, capture the packet that FortiWeb did not identify as an attack and contact Fortinet Technical Support for assistance.
  • Fortinet can resolve the issue by adding an attack signature. In the meantime, you can resolve the problem by creating a custom signature. For details, see Defining custom data leak & attack signatures.

    For additional information about reducing false positives, see Reducing false positives.

    Why is FortiWeb not forwarding non-HTTP traffic (for example, RDP, FTP) to back-end servers even though set ip-forward is enabled?

    The config router setting command allows you to change how FortiWeb handles non-HTTP/HTTPS traffic when it is operating in Reverse Proxy mode.

    When the setting ip-forward is enabled, for any non-HTTP/HTTPS traffic with a destination other than a FortiWeb virtual server (for example, a back-end server), FortiWeb acts as a router and forwards it based in its destination address.

    However, any non-HTTP/HTTPS traffic destined for a virtual server on the appliance is dropped.

    Therefore, if you require clients need to reach a back-end server using FTP or another non-HTTP/HTTPS protocol, ensure the client uses the back-end server's IP address.

    For more detailed information about this setting and a configuration that avoids this problem, see the “Router setting” topic in the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    How do I prevent cross-site request forgery (CSRF or XSRF) with a custom rule?

    A cross-site request forgery attack takes advantage of the trust that a site has in a client’s browser to execute unwanted actions on a web application.

    To add an advanced access control rule that detects cross-site request forgery (CSRF)
    1. Go to Web Protection > Advanced Protection > Custom Policy, and select the Custom Rule tab.
    2. Click Create New.
    3. Configure the action and trigger settings for the rule.
    4. For detailed information on these settings, see Custom Policy.

    5. Click Create New to add a rule entry.
    6. For Filter Type, select HTTP Header, and then click OK.
    7. Configure these settings:
      Header NameReferer
      Header Value TypeRegular Expression
      Header Value

      A regular expression that matches the address of your website.

      For example, if your website is http://211.24.155.103/, use the following expression:

      ^http://211\.24\.155\.103.*

    8. Click OK to save the rule entry, and then click OK to save the rule.
    9. Go to Web Protection > Advanced Protection > Custom Policy, and select the Custom Policy tab to group the custom rule into a policy.
    10. For details about creating policies, see Custom Policy.

    11. To apply the policy, select it as the Custom Policy in a protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
    12. Attack log messages contain Custom Access Violation when this feature detects an unauthorized access attempt.

    Why does my Advanced Protection rule that has both Signature Violation and HTTP Response Code filters not detect any violations?

    When you use Web Protection > Advanced Protection > Custom Policy > the Custom Rule tab to create a custom rule, FortiWeb links items in the list of filters with an AND operator. It uses the rule to evaluate both requests and responses. When the rule has both a Signature Violation and a HTTP Response Code filter, a malicious request violates the signature filter and the corresponding response matches the response code filter. But neither the request nor the response can violate both filters at the same time to generate a match.

    To solve this problem, create a separate custom rule for each type of filter. For details, see Custom Policy.

    What's the difference between the Packet Interval Timeout and Transaction Timeout filters in an Advanced Protection rule?

    Both Packet Interval Timeout and Transaction Timeout protect against DoS attacks. In most cases, the attacks are some form of slow HTTP attack.

    Packet Interval Timeout evaluates the time period between packets that arrive from either the client or server (request or response packets). If the time exceeds the maximum the timeout specifies, FortiWeb takes the action specified in the rule.

    However, other types of slow attacks can keep the server occupied and still maintain a minimal data flow. For example, if an attack sends a byte of data per second, it can continue a GET request indefinitely but stay within the Packet Interval Timeout.

    The Transaction Timeout evaluates the time period for a transaction—a GET or POST request and its complete reply. In most cases, a transaction lasts no longer than a few milliseconds or, for slower applications, a few seconds.

    To detect the widest range of attacks, specify both Packet Interval Timeout and Transaction Timeout filters when you create an Advanced Protection rule.

    For details, see Custom Policy.

    What ID numbers do I use to specify a Signature Violation filter when I use the CLI to create a custom access rule?

    The waf custom-access rule command allows you to configure custom access rules, which can include Signature Violation filters. When you configure the signature-class option, use one of the following IDs to specify the category of signature to match:

    Cross Site Scripting 01000000
    Cross Site Scripting (Extended) 02000000
    SQL Injection 03000000
    SQL Injection (Extended) 04000000
    Generic Attacks 05000000
    Generic Attacks (Extended) 06000000
    Known Exploits 09000000

    For example, the following command creates a custom rule that detects SQL injection attacks, such as blind SQL injection:

    config waf custom-access rule

    edit "sql-inject"

    set action block-period

    set severity High

    set trigger "notification-servers1"

    config signature-class

    edit 03000000

    set status enable

    next

    end

    next

    end

    config waf custom-access policy

    edit "sql-inject-policy"

    config rule

    edit 1

    set rule-name "sql-inject"

    next

    end

    next

    end

    For more information on the waf custom-access rule command, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    Why is the Signature Violation filter I added to my Advanced Protection custom rule not working?

    To add a Signature Violation filter to an Advanced Protection custom rule, you select Signature Violation as the filter type.

    However, for the filter to work, the following configuration steps are also required:

    • In the Edit Custom Rule dialog box, select at least one signature category. By default, no categories are selected. When you select a category, FortiWeb prompts you to enable all or some of the signatures in the category.
    • Ensure that the signatures that correspond to the categories you selected in the rule are enabled in the signature policy (Web Protection > Known Attacks > Signatures).

    You select the custom policy that contains the rule and corresponding signature set when you create a protection profile.

    For details, see Custom Policy and Blocking known attacks .

    Why don't my back-end servers receive the virtual server IP address as the source IP?

    When the operation mode is Reverse Proxy, the server pool members receive the IP address of the FortiWeb interface the connection uses. If the back-end servers need to know the IP address of the client where the request originated, configure a X-Forwarded-For rule for the appropriate profile. For details, see Defining your proxies, clients, & X-headers.

    Why do I not see HTTP traffic in the logs?

    Successful HTTP traffic logging depends on both FortiWeb configuration and the configuration of other network devices. If you do not see HTTP traffic in the traffic log, ensure that the configuration described in the following tables is correct.

    Reverse Proxy mode
    Configuration What to look for See
    Logging

    Ensure logging is enabled and configured.

    By default, logging is not enabled.

    Configuring logging
    Servers Ensure that the IP address of your physical server and the IP address of your virtual server are correct.

    Defining your web servers

    Configuring virtual servers on your FortiWeb

    Server policy Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as members of a server pool). Configuring a server policy
    Network interfaces

    Go to System > Network > Interface and ensure the ports for inbound and outbound traffic are up.

    Use sniffing (packet capture) to ensure that you can see traffic on both inbound and outbound network interfaces.

    Ensure that the network interfaces are configured with the correct IP addresses. In a typical configuration, port1 is configured for management (web UI access) and the remaining ports associated with the required subnets.

    Configuring the network interfaces

    How can I sniff FortiWeb packets (packet capture)? (overview) or Packet capture

    VLANs (if used) Make sure that the VLAN is associated with the correct physical port (Interface setting). Adding VLAN subinterfaces
    Firewalls & routers Communications between the FortiWeb appliance, clients, protected web servers, and FortiGuard Distribution Network (FDN) require that any routers and firewalls between them permit specific protocols and port numbers. Appendix A: Port numbers
    Load balancers If the load balancer is in front of FortiWeb, the physical IP addresses on it are the FortiWeb virtual IP addresses. If the Load Balancer is behind the FortiWeb, the FortiWeb physical server is the virtual IP for the load balancer's virtual IP. External load balancers: before or after?
    Web server Ensure that the web server is up and running by testing it without FortiWeb on the network. Checking routing
    Transparent modes
    Configuration What to look for See
    Logging

    Ensure logging is enabled and configured.

    By default, logging is not enabled.

    Configuring logging
    Server/server pool Ensure that the configuration for the physical server in the server pool contains the correct IP address.

    Defining your web servers

    Creating an HTTP server pool

    Server policy Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as a member of a server pool). Configuring a server policy
    Bridge (v-zone)

    Ensure the v-zone is configured using the correct FortiWeb ports.

    In the list of network interfaces (Global > System > Network > Interface), the Status column identifies interfaces that are members of a v-zone.

    To ensure that the bridge is forwarding traffic, in the list of v-zones, under Interface, look for the status “forwarding” following the names of the ports.

    Configuring a bridge (V-zone)
    VLANs (if used) Make sure that the VLAN is associated with the correct physical port (Interface setting). Adding VLAN subinterfaces
    Firewalls & routers Communications between the FortiWeb appliance, clients, protected web servers, and FortiGuard Distribution Network (FDN) require that any routers and firewalls between them permit specific protocols and port numbers. Appendix A: Port numbers
    Web server Ensure that the web server is up and running by testing it without FortiWeb on the network. Checking routing
    Offline mode
    Configuration What to look for See
    Logging

    Ensure logging is enabled and configured.

    By default, logging is not enabled.

    Configuring logging
    Server/server pool Ensure that the configuration for the physical server in the server pool contains the correct IP address.

    Defining your web servers

    Creating an HTTP server pool

    Server policy Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as members of a server pool). Configuring a server policy
    Bridge (v-zone)

    Ensure the v-zone is configured using the correct FortiWeb ports.

    In the list of network interfaces (Global > System > Network > Interface), the Status column identifies interfaces that are members of a v-zone.

    To ensure that the bridge is forwarding traffic, in the list of v-zones, under Interface, look for the status “forwarding” following the names of the ports.

    Configuring a bridge (V-zone)
    VLANs (if used) Make sure that the VLAN is associated with the correct physical port (Interface setting). Adding VLAN subinterfaces
    Network interfaces Use sniffing (packet capture) to ensure that you can see traffic on both inbound and outbound network interfaces.

    Configuring the network interfaces

    How can I sniff FortiWeb packets (packet capture)? (overview) or Packet capture

    Web server Ensure that the web server is up and running by testing it without FortiWeb on the network. Checking routing

    Why do I see HTTP traffic in the logs but not HTTPS traffic?

    Use the following steps to troubleshoot HTTPS traffic logging:

    1. Ensure FortiWeb has the certificates it needs to offload or inspect HTTPS.
    2. For details, see How to offload or inspect HTTPS.

    3. Use sniffing (packet capture) to look for errors in HTTPS traffic.
    4. For details, see How can I sniff FortiWeb packets (packet capture)? (overview) or Packet capture.

    How do I store traffic log messages on the appliance hard disk?

    You can configure FortiWeb to store traffic log messages on its hard disk.

    In most environments, and especially environments with high traffic volume, enabling this option for long periods of time can cause the hard disk to fail prematurely. Do not enable it unless it is necessary and disable it as soon as you no longer need it.

    For information on configuring logging to the hard disk using the web UI, see Configuring logging.

    To enable logging to the hard disk via the CLI, log in using an account with either w or rw permission to the loggrp area and enter the following commands:

    config log traffic-log

    set disk-log enable


    Use the following commands to verify the new configuration:

    get log traffic-log


    A response that is similar to the following message is displayed:

    status : enable

    packet-log : enable

    disk-log : enable


    Alternatively, use the following command to display a sampling of traffic log messages:

    diagnose log tlog show


    A response that is similar to the following message is displayed:

    Total time span is 39.252285 seconds

    Time spent on waiting is 13.454448 seconds

    Time spent on preprocessing is 3.563218 seconds

    traffic log processed: 69664


    where:

    • Total time span is the total amount of time of the logd process handle logs (that is, receiving messages from other process, filtering messages, outputting in standard format, writing the logs to the local database, and so on)
    • Time spent on waiting is the amount of time of the logd process waited to receive messages from other processes
    • Time spent on preprocessing is the amount of time the logd process spent filtering and format i ng messages
    • traffic log processed is the total number of logs that the logd process handled in this cycle

    For more information about the config log traffic-log and diagnose log tlog show commands, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    Why is the most recent log message not displayed in the Aggregated Attack log?

    If recent log messages do not appear in the Aggregated Attack log as expected, complete the following troubleshooting steps:

    1. Use the dashboard to see if the appliance is busy.
    2. When FortiWeb generates an attack log, the appliance writes it to and reads it from the hard disk and then updates the logging database.

      The process that retrieves Aggregated Attack log information from the database (indexd) has a lower priority than the processes that analyze and direct traffic. Therefore, increased demand for FortiWeb processing resources (for example, when traffic levels increase) can delay updates to the log.

    3. Rebuild the logging database.
    4. Events such as a power outage can corrupt the logging database. Use the following command to rebuild it:

      exec db rebuild

      This command deletes and rebuilds the database. It does not delete any logs on the hard disk and no log information is lost.

    How can I sniff FortiWeb packets (packet capture)?

    Use the diagnose network sniffer command to perform a packet trace on one or more interfaces.

    For example, the following command captures TCP port 80 traffic arriving at or departing from 192.168.1.1, for all network interfaces. The value 3 specifies the verbosity level (3captures the most detail):

    diagnose network sniffer any 'tcp and port 80 and host 192.168.1.1' 3


    For instructions on using this command and its output, see Packet capture.

    The following steps are an overview of the process:

    1. Use a terminal emulator such as SecureCRT or Putty, connect to the appliance via SSH or Telnet, run the sniffer command, and save the output to a file (for example, detail_output.log).
    2. A terminal emulator is required because the console is too slow for this task and cannot display all of the output.

    3. Install a Perl interpreter and Wireshark (or equivalent application) on your PC.
    4. To convert the packet capture command to a format that Wireshark can use, run the following command:

      perl ./fgt2eth.pl -in detail_ouput.log -out converted.cap

      (You can run the Perl script in Windows or Linux.)

      To download fgt2eth.pl, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer (http://kb.fortinet.com/kb/documentLink.do?externalId=11186).

      The fgt2eth.pl script is provided as-is, without any implied warranty or technical support.

    How do I trace packet flow in FortiWeb?

    Use the following steps to use the console to view packet flow information for a specified client IP when it accesses a virtual server IP:

    1. Using the CLI, use the following command to turn on debug log output:
    2. diagnose debug enable


    3. Use a command similar to the following to limit the debug logs to those that match a specific client IP address:
    4. diagnose debug flow filter client-ip 172.22.6.232


    5. Use the following command to include details from each module that processes the packet:
    6. diagnose debug flow filter module-detail status on


    7. Use the following command to start the flow trace:
    8. diagnose debug flow trace start


      The following output is an example of the results of these commands:

      Module name:WAF_X_FORWARD_FOR_PROCESS, Execution:4, Process error:0, Action:ACCEPT

      Module name:WAF_IP_INTELLIGENCE, Execution:3, Process error:6, Action:ACCEPT

      Module name:WAF_KNOWN_ENGINES, Execution:4, Process error:0, Action:ACCEPT

      Module name:HSTS_HEADER_PROCESS, Execution:4, Process error:5, Action:ACCEPT

      Module name:WAF_HTTP_ACTIVE_SCRIPT, Execution:3, Process error:2, Action:ACCEPT

      Module name:WAF_CLIENT_MANAGEMENT, Execution:4, Process error:0, Action:ACCEPT

      Module name:WAF_HTTP_DOS_HTTP_FLOOD, Execution:4, Process error:0, Action:ACCEPT

      Module name:WAF_HTTP_DOS_MALICIOUS_IP, Execution:4, Process error:8, Action:ACCEPT

      Module name:HTTP_ACCLIMIT_LIMIT, Execution:4, Process error:-1, Action:ACCEPT

      Module name:WAF_GLOBAL_ALLOW_LIST, Execution:4, Process error:-1, Action:ACCEPT

      Module name:WAF_GLOBAL_ALLOW_LIST, Execution:4, Process error:-1, Action:ACCEPT

      Module name:WAF_URL_ACCESS_POLICY, Execution:4, Process error:8, Action:ACCEPT

      Module name:HTTP_CONSTRAINTS, Execution:4, Process error:2, Action:ACCEPT

      Module name:WAF_COOKIE_POISON, Execution:4, Process error:0, Action:ACCEPT

      Module name:WAF_CUSTOM_ACCESS_POLICY, Execution:4, Process error:6, Action:ACCEPT

      Module name:WAF_HTTP_STATISTIC, Execution:4, Process error:0, Action:ACCEPT


      For additional information on these commands (for example, to specify debug logs for a specific flow direction), see the FortiWeb CLI Reference:

      https://docs.fortinet.com/product/fortiweb/

    Why is the number of cookies reported in my attack log message different from the number of cookies that message detail displays?

    When FortiWeb generates an attack log message because a request exceeds the maximum number of cookies it permits, the message value includes the number of cookies found in the request. In addition, the message details include the actual cookie values.

    For performance reasons, FortiWeb limits the size of the attack log message. If the amount of cookie value information exceeds the limit for cookies in the attack log, the appliance displays only some of the cookies the message detail.

    Why does the attack log message display the virtual server IP address as the destination IP instead of the IP address of the back-end server that was the target of the attack?

    In some cases, FortiWeb blocks attacks before the packet is routed to a server pool member. When this happens, the destination IP is the virtual server IP.

    How do I detect which cipher suite is used for HTTPS connections?

    Use sniffing (packet capture) to capture SSL/ TLS traffic and view the “Server hello” message, which includes cipher suite information.

    For more HTTPS troubleshooting information, see Supported cipher suites & protocol versions and Checking the SSL/TLS handshake & encryption.

    How can I strengthen my SSL configuration?

    The following configuration changes can make SSL more effective in preventing attacks and can improve your website's score for third-party testing tools (for example, the SSL server test provided by Qualys SSL Labs).

    Which configuration changes you make depends on your environment. For example, some older clients do not support SHA256.

    • For your website certificate, do the following:
      • If it uses the SHA1 hashtag function, replace it with one that uses SHA256.
      • Ensure that its key size is 2048-bit.
    • For the server policy (Reverse Proxy mode) or server pool member configuration (True Transparent Proxy mode), specify the following values in the advanced SSL settings:
      • Select Add HSTS Header, and then for Max. Age, enter 15552000.
      • For SSL/TLS Encryption Level, select High.
      • Select Disable Client-Initiated SSL Renegotiation.

        For details, see Configuring a server policy.
    • Use the following CLI command to set the Diffie-Hellman key exchange parameters to 2048 or greater:

    config system global

    set dh-params 2048


    The command is available in FortiWeb 5.3.6 and higher only. For additional information on using CLI commands, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    Why can’t a browser connect securely to my back-end server?

    If a browser cannot communicate with a back-end server using SSL or TLS, use the following troubleshooting steps to resolve the problem:

    1. Without connecting via FortiWeb, ensure that you can access the server using HTTPS.
    2. Ensure that your browser supports HTTP Strict Transport Security (HSTS). For example, following web page provides compatibility tables for various web browser versions:
    3. http://caniuse.com/stricttransportsecurity

    4. Ensure that the FortiWeb response includes the strict transport security header.
    5. To add this header, select Add HSTS Header in the server policy or server pool configuration. For details, see Configuring a server policy or Creating an HTTP server pool.

    6. Use the following cEnsure that the server certificate is trusted:
    • If the certificate is signed by intermediate certificate authority (CA), the intermediate CA is signed by a root CA.
    • The root CA is listed in your browser’s store of trusted certificates.
    • The domain name or IP address is consistent with the certificate subject.

    For details, see How to offload or inspect HTTPS.

    How do I use performance tests to determine maximum performance?

    Use these performance tests and the dashboard's System Resources widget to determine where the appliance reaches its maximum capacity (bottleneck):

    Requests per second (RPS), connections per second (CPS) Rate of requests or connections maintains CPU Usage at 100%
    Concurrent connections Number of connections maintains Memory Usage at 90%
    Throughput test Throughput maintains the value of CPU Usage at 100%. (A pair of gigabit ports provide bandwidth of up to 2 Gbps.)

    If your CPU and memory values do not reach the specified values, adjust your client and server test configuration until you can determine maximum performance.

    How can I measure the memory usage of individual processes?

    The diagnose policy command allows you to view the memory usage associated with all server policies or a specific policy. For example:

    diagnose policy memory all

    The diagnose hardware mem command allows you to display the usage statistics of ephemeral memory (RAM), including swap pages and shared memory (Shmem). For example, to display total memory usage:

    diagnose hardware mem list

    For additional information on these commands, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    How do I reformat the boot device (flash drive) when I restore or upgrade the firmware?

    Follow the instructions provided in Restoring firmware (“clean install”).

    For If the firmware version requires that you first format the boot device before installing firmware, type F. Format the boot disk before continuing., type F to format the boot device (flash drive), and then enter Y to confirm your selection.

    After a few minutes, the reformatting process is complete. Continue with the instructions for retrieving the firmware image from the TFTP server.

    During the system boot, Fortinet highly recommends that you verify the disk integrity. To perform this task, when the prompt Press [enter] key for disk integrity verification is displayed, press Enter.

    After the firmware restore is complete, use the get system status CLI command to verify the system version. For additional information on using the CLI, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    How do I set up RAID for a replacement hard disk?

    The procedures applies to all models except 100D, 400B, 400C, and 400D.

    1. Power off the FortiWeb.
    2. Remove the hard disk from FortiWeb and install the new hard disk.
    3. Power on the FortiWeb.
    4. Use the following command to initialize RAID:
    5. execute create-raid level raid1

    6. Enter y to confirm the initialization.
    7. FortiWeb reboots and starts the RAID initialization. The process can take a few hours to complete.

    8. Use the following command to check the RAID status:
    9. diagnose hardware raid list

      If the process is successful, a message similar to the following is displayed:

      level size(M) disk-number

      raid1 1877665 0(OK),1(OK),2(Not Present),3(Not Present)

      edited on: 2016-01-25 00:48

      If FortiWeb is unable to write log messages to the disk, a message similar to the following is displayed:

      level size(M) disk-number

      raid1 1877665 0(Not Present),1(Not Present),2(Not Present),3(Not Present)

    For additional information on using these CLI commands, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/