Administration Guide

Introduction
What's new
Key concepts
- Workflow
- Sequence of scans
- IPv6 support
- Solutions for specific web attacks
- HTTP/2 support
- HTTP sessions & security
- FortiWeb high availability (HA)
- Administrative domains (ADOMs)
- How to use the web UI
- Shutdown
How to set up your FortiWeb
- Appliance vs. VMware
- Registering your FortiWeb
- Planning the network topology
- Connecting to the web UI or CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time & date
- Setting the operation mode
- Feature visibility
- Configuring High Availability (HA) basic settings
  - HA heartbeat & active node election
  - Synchronization
- Replicating the configuration without FortiWeb HA (external HA)
- Configuring the network settings
- Configuring DNS settings
- Configuring HA settings specifically for active-passive and standard active-active modes
- Configuring HA settings specifically for high volume active-active mode
- Defining your web servers & load balancers
  - Protected web servers vs. allowed/protected host names
  - Defining your protected/allowed HTTP “Host:” header names
  - Defining your web servers
  - Defining your proxies, clients, & X-headers
  - Defining your network services
  - Configuring virtual servers on your FortiWeb
  - Enabling or disabling traffic forwarding to your servers
- Configuring FortiWeb to receive traffic via WCCP
- Configuring basic policies
- Testing your installation
- Switching out of Offline Protection mode
Policies
- How operation mode affects server policy behavior
- Configuring the global object allow list
- Configuring the allow list at server policy level
- Configuring a protection profile for inline topologies
- Generating a protection profile using scanner reports
- Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
- Configuring client management
- Configuring an HTTP server policy
- Configuring traffic mirror
- ADFS Proxy
- Configuring FTP security
Secure connections (SSL/TLS)
- Offloading vs. inspection
- Supported cipher suites & protocol versions
  - Supported cipher suites - for connections between FortiWeb and the clients
  - Supported cipher suites - for connection between FortiWeb and back-end servers
- CA certificates
- How to offload or inspect HTTPS
- Forcing clients to use HTTPS
- HTTP Public Key Pinning
- How to apply PKI client authentication (personal certificates)
- Seamless PKI integration
- Revoking certificates
- How to export/back up certificates & private keys
- How to change FortiWeb's default certificate
- Configuring OCSP stapling
Users
- Authentication styles
- Offloading HTTP authentication & authorization
- Creating reCAPTCHA servers
- OAuth Authorization
Application delivery
- Rewriting & redirecting
- Compression
- Site Publishing (Single sign-on)
- Caching
  - What can be cached?
- Acceleration
- Scripting
Web protection
- Blocking known attacks
- Advanced protection
- Cookie security
- Input validation
- Protocol constraints
  - HTTP/HTTPS protocol constraints
  - WebSocket Protocol
- Access control
- ML Based Anomaly Detection
  - Viewing domain data
  - Viewing anomaly detection log
- Anti-defacement
Zero Trust Network Access (ZTNA)
- Configuring FortiClient EMS Connector for ZTNA
- Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- Referencing ZTNA profile in a server policy
- ZTNA troubleshooting and debugging
Bot mitigation
- Configuring threshold based detection
- Configuring biometrics based detection
- Configuring bot deception
- Configuring known bots
- Configuring bot mitigation policy
- Configuring ML Based Bot Detection policy
  - Viewing bot detection model status
  - Viewing the bot detection violations
- Exception Policy
API Protection
- Configuring JSON protection
- Configuring XML protection
- OpenAPI Validation
- Configuring mobile API protection
- API gateway
- Configuring ML Based API Protection policy
  - Viewing API Protection domain data
  - Editing and viewing machine learning models for API paths
DoS protection
- DoS prevention
- Preventing slow and low attacks
IP Protection
- GEO IP - Blocklisting & whitelisting countries & regions
- IP List - Blocklisting & whitelisting clients using a source IP or source IP range
- IP Reputation - Blocklisting source IPs with poor reputation
- Creating IP groups
Tracking
Compliance
- Authorization
- Preventing data leaks
- Vulnerability scans
Administrators
- Configuring access profiles
- Grouping remote authentication queries and certificates for administrators
- Changing an administrator’s password
- Certificate-based Web UI login
Advanced/optional system settings
- Changing the FortiWeb appliance’s host name
- Fail-to-wire for power loss/reboots
- Customizing error and authentication pages (replacement messages)
- Configuring machine-learning URL replacer policy
- Configuring the integrated firewall
  - Network address translation (NAT)
- Advanced settings
- Backup & restore
Dashboard
- Status dashboard
- Monitors
Log&Report
- Logging
- Alert email
- SNMP traps & queries
- Reports
- Debug log
- FortiGuard updates
- Analyzing attack logs in FortiWeb Cloud Threat Analytics
Security Fabric
- External connectors
- Fabric Connector: Single Sign On with FortiGate
Fine-tuning & best practices
- Hardening security
- Improving performance
- Improving fault tolerance
- Reducing false positives
- Regular backups
- Downloading logs in RAM before shutdown or reboot
Troubleshooting
- Introduction
- Troubleshooting outline
- Diagnosing server-policy connectivity issues
- Diagnosing system issues
- Diagnose software function issues
- Diagnose hardware issues
- System tools & diagnose commands
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: FortiWeb-VM licenses
Appendix D: Supported RFCs, W3C, & IEEE standards
Appendix E: Regular expressions
Appendix F: How to purchase and renew FortiGuard licenses

Home FortiWeb 7.2.10 Administration Guide

7.2.10

Creating an FTP file check rule

You can create FTP file check rules so that FortiWeb places restrictions on uploading or downloading files and scans files that clients attempt to upload to or download from your server(s). When configured, FortiWeb can also send files to FortiSandbox for analysis and perform an antivirus scan.

For details about applying an FTP file check rule to an FTP server policy, see Configuring an FTP security inline profile.

To create an FTP file check rule

If FTP security isn't enabled in Feature Visibility, you must enable it before you can create an FTP file check rule. To enable FTP security, go to System > Config > Feature Visibility and enable FTP Security.

Go to FTP Security > FTP File Security.

To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

Click Create New.
Configure these settings:

Name	Enter a unique name that can be referenced in other parts of the configuration. Don't use spaces or special characters. The maximum length is 63 characters.
Action	Select which action FortiWeb will take when it detects a violation of the rule: Alert—Accept the connection and generate an alert email and/or log message. Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message. Deny (no log)—Block the request (or reset the connection). Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period. The default value is Alert & Deny. Note: This setting will be ignored if Monitor Mode is enabled in a server policy. Note: Logging and/or alert email will occur only if enabled and configured. For details, see Logging and Alert email.
Block Period	Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the rule. The valid range is 1–3,600 seconds (1 hour). See also Blocked IPs. This setting is available only if Action is set to Period Block.
Severity	When rule violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level FortiWeb will use when it logs a violation of the rule: Informative Low Medium High The default value is Medium.
Trigger Action	Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
File Check Direction	Select one of the following: Uploading—FortiWeb applies the rule to files being uploaded to your server(s). Downloading—FortiWeb applies the rule to files being downloaded from your server(s). Both—FortiWeb applies the rule to files being either downloaded from or uploaded to your server(s).
AntiVirus Scan	Enable so that FortiWeb performs an antivirus scan on files that match the File Check Direction.
Send Files to FortiSandbox	Enable so that FortiWeb sends files to FortiSandbox that match the File Check Direction. Also specify the FortiSandbox settings for your FortiWeb. For details, see To configure a FortiSandbox connection. FortiSandbox evaluates the file and returns the results to FortiWeb. If AntiVirus Scan is enabled and FortiWeb detects a virus, it does not send the file to FortiSandbox.
Send Files to ICAP Server	Enable so that FortiWeb sends files to ICAP server that matches the File Check Direction. Also specify the ICAP server settings for your FortiWeb. For details, see Limiting file uploads. ICAP server detects the file and returns the results to FortiWeb. If AntiVirus Scan is enabled and FortiWeb detects a virus, it does not send the file to ICAP server.

Click OK.