Administration Guide

Configuring basic policies

As the last step in the setup sequence, you must configure at least one policy.

Until you configure a policy, by default, FortiWeb will:

  • while in Reverse Proxy mode, deny all traffic (positive security model)
  • while in other operation modes, allow all traffic (negative security model)

Once traffic matches a policy, protection profile rules are applied using a negative security model—that is, traffic that matches a policy is allowed unless it is flagged as disallowed by any of the enabled scans.
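The decision logic just described (no matching policy: deny in Reverse Proxy mode, allow in other modes; a matching policy: allow unless an enabled scan flags the request) as a small executable model. This is an added illustration, not FortiWeb code; the mode name, the policy and request structures and the two toy scans are constructed assumptions that stand in for a real protection profile's checks.

```python
"""Toy model of FortiWeb's default behaviour before and after a policy matches.
Constructed example for illustration; not the appliance's implementation."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Request:
    dst_ip: str      # address the client connected to
    dst_port: int
    method: str
    path: str


@dataclass
class Policy:
    name: str
    virtual_server: Tuple[str, int]  # IP and port of the virtual server (assumed shape)
    # Scans of the attached protection profile: each returns a reason string
    # when it flags the request, or None when the request passes.
    scans: List[Callable[[Request], Optional[str]]] = field(default_factory=list)

    def matches(self, req: Request) -> bool:
        return (req.dst_ip, req.dst_port) == self.virtual_server


# Two toy scans, standing in for the checks a protection profile enables.
def block_unusual_methods(req: Request) -> Optional[str]:
    return None if req.method in {"GET", "POST", "HEAD"} else f"method {req.method} not allowed"


def block_path_traversal(req: Request) -> Optional[str]:
    return "path traversal pattern" if ".." in req.path else None


def decide(mode: str, policies: List[Policy], req: Request) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason) for a request under the given operation mode."""
    for pol in policies:
        if not pol.matches(req):
            continue
        # Negative security model: the request is allowed unless a scan flags it.
        for scan in pol.scans:
            reason = scan(req)
            if reason:
                return ("deny", f"{pol.name}: {reason}")
        return ("allow", pol.name)
    # No policy matched: the outcome depends on the operation mode.
    if mode == "reverse-proxy":
        return ("deny", "no matching policy (positive security model)")
    return ("allow", "no matching policy (negative security model)")


# Constructed sample configuration and requests.
POLICIES = [Policy("web1", ("203.0.113.10", 80), [block_unusual_methods, block_path_traversal])]
REQ_OK = Request("203.0.113.10", 80, "GET", "/index.html")
REQ_TRAVERSAL = Request("203.0.113.10", 80, "GET", "/../../etc/passwd")
REQ_UNMATCHED = Request("203.0.113.99", 80, "GET", "/")

if __name__ == "__main__":
    for mode in ("reverse-proxy", "transparent-inspection"):
        for req in (REQ_OK, REQ_TRAVERSAL, REQ_UNMATCHED):
            print(mode, req.path, decide(mode, POLICIES, req))
```

The point the model makes visible is that a matched policy is never "deny by default": every allow comes from the scans staying silent, which is why the guide tells you to retest a policy whenever you change it.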

Keep in mind:

  • Change policy settings with care. Changes take effect immediately after you click OK.
  • When you change any server policy, you should retest it.
  • FortiWeb appliances apply policies, rules, and scans in a specific order. This decides each outcome. Review the logic of your server policies to make sure they deliver the web protection and features you expect. For details, see Sequence of scans.

This section contains examples to get you started:

Once completed, continue with Testing your installation.

Example 1: Configuring a policy for HTTP

In the simplest scenario, if you want to protect a single, basic HTTP web server, and FortiWeb is operating as a Reverse Proxy, configure the policy as follows:

To generate profiles and apply them in a policy
  1. Create a virtual server on the FortiWeb appliance (Server Objects > Server > Virtual Server). When used by a policy, it receives traffic from clients.
  2. Define your web server within a Single Server server pool using its IP address or domain name (Server Objects > Server > Server Pool). When used by a policy, a server pool defines the IP address of the web server that FortiWeb forwards accepted client traffic to.
  3. Create a new policy (Policy > Server Policy).
    • In Name, type a unique name for the policy.
    • In Virtual Server or Data Capture Port, select your virtual server.
      If a policy uses any virtual server with IPv6 addresses, FortiWeb does not apply features in the policy that do not yet support IPv6, even if you include them in the policy.
    • In HTTP Service, select the predefined HTTP service.
    • In Server Pool, select your server pool.

    Traffic should now pass through the FortiWeb appliance to your server. If it does not, see Troubleshooting.

  4. From Web Protection Profile, select one of the predefined inline protection profiles.

Example 2: Configuring a policy for HTTPS

If you want to protect a single HTTPS web server, and the FortiWeb appliance is operating in Reverse Proxy mode, configuration is similar to Example 1: Configuring a policy for HTTP. Optionally, you can configure a server policy that includes both an HTTP service and an HTTPS service.

To be able to scan secure traffic, however, you must also configure FortiWeb to decrypt it, and therefore must provide it with the server’s certificate and private key.

To configure an HTTPS policy
  1. Upload a copy of the web server’s certificate (Server Objects > Certificates > Local).
  2. Configure a policy and profiles according to Example 1: Configuring a policy for HTTP.
  3. Modify the server policy (Policy > Server Policy).

Traffic should now pass through the FortiWeb appliance to your server. If it does not, see Troubleshooting.

Example 3: Configuring a policy for load balancing

If you want to protect multiple web servers, configuration is similar to Example 1: Configuring a policy for HTTP.

To distribute load among multiple servers, however, instead of specifying a single physical server in the server pool, you specify a group of servers (server farm or server pool).

This example assumes a basic network topology. If there is another, external proxy or load balancer between clients and your FortiWeb, you may need to define it. For details, see Defining your web servers & load balancers.

Similarly, if there is a proxy or load balancer between FortiWeb and your web servers, you may need to configure your server pool for a single web server (the proxy or load balancer), not a Server Balance pool.

To configure a load-balancing policy
  1. Define multiple web servers by either their IP address or domain name in a Server Balance server pool (Server Objects > Server > Server Pool). When used by a policy, it tells the FortiWeb appliance how to distribute incoming web connections to those destination IP addresses. In the server pool configuration, do the following:
    • For Type, select Round Robin or Weighted Round Robin.
    • For Single Server/Server Balance, select Server Balance.
    • Add your physical and/or domain servers.
    • If you want to distribute connections proportionately to a server’s capabilities instead of evenly, in each Weight, give the numerical weight of the new server when using the weighted round-robin load-balancing algorithm.
  2. Configure a policy and profiles according to Example 1: Configuring a policy for HTTP.

  Traffic should now pass through the FortiWeb appliance and be distributed among your servers. If it does not, see Troubleshooting.
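To see what the Round Robin and Weighted Round Robin choices in the server pool mean for the sequence of back-end servers that receive connections, here is an added example implementing both selection orders. It is not FortiWeb's own scheduler; the server names and weights are constructed, and the weighted variant uses the smooth weighted round-robin algorithm (the one popularised by nginx), which is an assumption about how a "Weight" is honoured rather than something the guide specifies.

```python
"""Round-robin and weighted round-robin server selection, as an illustration of
the two pool types. Constructed example; not the appliance's implementation."""
from collections import Counter
from typing import Dict, List, Tuple

Server = Tuple[str, int]  # (name, weight)


def select_order(servers: List[Server], n: int, weighted: bool = True) -> List[str]:
    """Return the names of the servers chosen for the next n connections.

    With weighted=False every server is treated as weight 1 (plain round robin).
    With weighted=True the smooth weighted round-robin algorithm is used: each
    step adds every server's weight to its running score, picks the highest
    score, then subtracts the total weight from the winner. Over one full cycle
    of sum(weights) connections each server is chosen exactly `weight` times,
    and the picks are interleaved instead of clustered.
    """
    pool = servers if weighted else [(name, 1) for name, _ in servers]
    total = sum(w for _, w in pool)
    score: Dict[str, int] = {name: 0 for name, _ in pool}
    chosen: List[str] = []
    for _ in range(n):
        for name, w in pool:
            score[name] += w
        # max() keeps the first server on ties, so the order is deterministic.
        best = max(pool, key=lambda s: score[s[0]])[0]
        score[best] -= total
        chosen.append(best)
    return chosen


def share_per_server(servers: List[Server], weighted: bool = True) -> Dict[str, int]:
    """Connections each server receives across one full cycle of the pool."""
    total = sum(w for _, w in servers) if weighted else len(servers)
    return dict(Counter(select_order(servers, total, weighted)))


# Constructed pool: one large server and two small ones.
POOL: List[Server] = [("web-a", 5), ("web-b", 1), ("web-c", 1)]

if __name__ == "__main__":
    print("round robin:        ", select_order(POOL, 6, weighted=False))
    print("weighted round robin:", select_order(POOL, 7, weighted=True))
    print("share per cycle:    ", share_per_server(POOL))
```

Plain round robin ignores the Weight values entirely, which is why the guide ties the Weight field to the weighted algorithm; the weighted order spreads web-b and web-c between web-a's turns rather than sending five connections in a row to web-a.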
