Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
Offline Protection profiles combine previously configured rules, profiles, and policies into a comprehensive set that can be applied by a policy. Offline Protection profiles contain only the features that are supported in out-of-band topologies and asynchronous inspection, which are used with operation modes Transparent Inspection and Offline Protection.
When the operation mode is changed to Reverse Proxy, True Transparent Proxy, or WCCP, the Offline Protection tab will be hidden.
Offline Protection profiles’ primary purpose is to detect attacks. Depending on the routing and network load, due to limitations inherent to out-of-band topologies and asynchronous inspection, FortiWeb may not be able to reliably block all of the attacks it detects, even if you have configured FortiWeb with an Action setting of Alert & Deny.
Offline Protection profiles only include features that do not require an inline network topology. You can configure them at any time, but a policy cannot apply an Offline Protection profile if the FortiWeb appliance is operating in a mode that does not support them. For details, see How operation mode affects server policy behavior. |
To configure an Offline Protection profile
- Before configuring an Offline Protection profile, first configure any of the following that you want to include in the profile:
- a client management policy (see Client management)
- a signature set (see Blocking known attacks )
- a HTTP protocol constraints profile (see HTTP/HTTPS protocol constraints)
- an
X-Forwarded-For:
or other X-header rule (see Defining your proxies, clients, & X-headers) - a custom policy (see Custom Policy)
- an oracle padding protection rule (see Defeating cipher padding attacks on individually encrypted inputs)
- a SQL/XSS syntax based detection policy (see Syntax-based SQL/XSS injection detection)
- a parameter validation policy (see Validating parameters (“input rules”))
- a hidden field protection rule (see Preventing tampering with hidden inputs)
- a file security policy (see Limiting file uploads)
- a web shell detection policy (see Web Shell Detection
- a URL access policy (see Restricting access to specific URLs)
- an allowed method policy (see Specifying allowed HTTP methods)
- an XML protection policy (see Configuring XML protection)
- a JSON protection policy (see Configuring JSON protection)
- an OpenAPI validation policy (see OpenAPI Validation)
- an IP reputation policy (see "blocklisting source IPs with poor reputation" on page 1)
- an IP list policy (see "blocklisting & allowlisting clients using a source IP or source IP range" on page 1)
- a Geo IP policy (see "blocklisting & allowlisting countries & regions" on page 1)
- a user tracking policy (see Tracking)
- a trigger if you plan to use policy-wide log and alert settings (see Viewing log messages)
- Go to Policy > Web Protection Profile and select the Offline Protection Profile tab.
- Click Create New.
- Configure these settings:
Name Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters. Client Management Enable to track a client by the inserted cookie, or source IP when cookie is prohibited.
For details, see Client management.Session Key Type the cookie value, if any, that FortiWeb uses to track the client.
By default, FortiWeb tracks three cookie names:
ASPSESSIONID
,PHPSESSIONID
, andJSESSIONID
.Configure this field if your web application uses a custom or uncommon cookie.
This option appears only if Client Management is enabled.
Signatures Select the name of the signature set you have configured in Web Protection > Known Attacks, if any, that will be applied to matching requests.
Enable AMF3, XML, or JSON Protocol Detection if applicable.
Attack log messages for this feature vary by which type of attack was detected. For a list, see Blocking known attacks .
HTTP Protocol Constraints Select the name of an HTTP parameter constraint, if any, that will be applied to matching requests. For details, see HTTP/HTTPS protocol constraints.
Attack log messages for this feature vary by which type of constraint was violated.
X-Forwarded-For Select the
X-Forwarded-For:
andX-Real-IP:
HTTP header settings to use, if any. For details, see Defining your proxies, clients, & X-headers.Note: Configuring this option is required if the true IP address of the client is hidden from FortiWeb because a load balancer or other web proxy is deployed in front. In that case, you must configure an X-header rule so that FortiWeb will block only requests related to the original client. Otherwise, it may block all requests whenever any attack occurs, since all requests will appear to originate from the proxy’s IP.
Custom Policy Select the name of a combination source IP, rate limit, HTTP header, and URL access policy, if any, that will be applied to matching requests. For details, see Custom Policy.
Attack log messages contain
Custom Access Violation
when this feature detects a violation.Padding Oracle Protection Select the name of padding oracle protection rule, if any, that will be applied to matching requests. For details, see Defeating cipher padding attacks on individually encrypted inputs.
Attack log messages contain
Padding Oracle Attack
when this feature detects a violation.SQL/XSS Syntax Based Detection
Select the name of a SQL/XSS syntax based detection policy if any, that will be applied to matching requests. For details, see Syntax-based SQL/XSS injection detection.
Parameter Validation Select the name of the parameter validation rule, if any, that will be applied to matching requests. For details, see Validating parameters (“input rules”).
Attack log messages contain
Parameter Validation Violation
when this feature detects a parameter rule violation.Hidden Fields Protection Select the name of the hidden fields protection rule, if any, to use to protect hidden fields on your website. For details, see Preventing tampering with hidden inputs.
Attack log messages contain
Hidden Field Manipulation
when this feature detects tampering.This option appears only when Configuring a protection profile for an out-of-band topology or asynchronous mode of operation is enabled.
File Security Select an existing file security policy, if any, that will be applied to matching HTTP requests. For details, see Limiting file uploads.
Attack log messages contain
Illegal File Size
when this feature detects an excessively large upload.Enable AMF3 Protocol Detection Enable to scan requests that use action message format 3.0 (AMF3) for:
- Cross-site scripting (XSS) attacks
- SQL injection attacks
- Common exploits
and other attack signatures that you have enabled in Signatures.
AMF3 is a binary format that can be used by Adobe Flash/Flex clients to send input to server-side software.
Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will cause the FortiWeb appliance to be unable to scan AMF3 requests for attacks.
URL Access Select the name of the URL access policy, if any, that will be applied to matching HTTP requests. For details, see Restricting access to specific URLs.
Attack log messages contain
URL Access Violation
when this feature detects a URL matched by this policy.Allow Method Select an existing allow method policy, if any, that will be applied to matching HTTP requests. For details, see Specifying allowed HTTP methods.
Attack log messages contain
HTTP Method Violation
when this feature detects a non-allowed HTTP request method.XML Protection
Select the name of an existing XML protection policy. For details, see Configuring XML protection. JSON Protection
Select the name of an existing JSON protection policy. For details, see Configuring JSON protection. OpenAPI Protection
Select the name of an existing OpenAPI protection policy. For details, see OpenAPI Validation. Enable to configure the JWT token secret and token header to verify a request from a mobile application.
Refer to Approov doc for how to get the token.
For details, see Configuring mobile API protection.Note: You need to enable Mobile Application Identification first from System > Config > Feature Visibility.
Token Secret
Enter the token secret that you have got from Approov.
Available only when Mobile Application Identification is enabled.
Token Header
Specify the header where the token is carried.
Available only when Mobile Application Identification is enabled.
Mobile API Protection
Select the name of an existing API protection policy. For details, see Configuring mobile API protection.
IP Reputation Enable to apply IP reputation intelligence. For details, see "blocklisting source IPs with poor reputation" on page 1. IP List Select the name of a client allow list or block list, if any, that will be applied to matching requests. For details, see "blocklisting & allowlisting clients using a source IP or source IP range" on page 1. Geo IP Select the name of a geographically-based client block list, if any, that will be applied to matching requests. For details, see "blocklisting & allowlisting countries & regions" on page 1. User Tracking Select the name of a user tracking policy, if any, to use for matching requests. For details, see Tracking. - Click OK.
- To apply the Offline Protection profile, select it in a policy. For details, see Configuring a server policy.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
Predefined profiles cannot be edited, but they can be viewed and cloned.
To view or modify a component without leaving the page, next to the drop-down menu where you have selected the component, click Detail.