Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiWeb 7.4.0 Administration Guide
    7.4.0
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Configuring a protection profile for an out-of-band topology or asynchronous mode of operation

    Configuring a protection profile for an out-of-band topology or asynchronous mode of operation

    Offline Protection profiles combine previously configured rules, profiles, and policies into a comprehensive set that can be applied by a policy. Offline Protection profiles contain only the features that are supported in out-of-band topologies and asynchronous inspection, which are used with operation modes Transparent Inspection and Offline Protection.

    When the operation mode is changed to Reverse Proxy, True Transparent Proxy, or WCCP, the Offline Protection tab will be hidden.

    Offline Protection profiles’ primary purpose is to detect attacks. Depending on the routing and network load, due to limitations inherent to out-of-band topologies and asynchronous inspection, FortiWeb may not be able to reliably block all of the attacks it detects, even if you have configured FortiWeb with an Action setting of Alert & Deny.

    Offline Protection profiles only include features that do not require an inline network topology. You can configure them at any time, but a policy cannot apply an Offline Protection profile if the FortiWeb appliance is operating in a mode that does not support them. For details, see How operation mode affects server policy behavior.
    To configure an Offline Protection profile
    1. Before configuring an Offline Protection profile, first configure any of the following that you want to include in the profile:
    2. Go to Policy > Web Protection Profile and select the Offline Protection Profile tab.

      3. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

    3. Click Create New.

      4. Predefined profiles cannot be edited, but they can be viewed and cloned.

    4. Configure these settings:
      NameType a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
      Client Management

      Enable to track a client by the inserted cookie, or source IP when cookie is prohibited.
      For details, see Client management.

      Threat Score Profile

      Select the Threat Score Profile so that FortiWeb can take action on IPs or clients when their threat score accumulates to a certain value.

      If you leave it blank, the system will use the Global Configuration in Client Management.

      This option is available only when Client Management is enabled.

      Session Key

      Type the cookie value, if any, that FortiWeb uses to track the client.

      By default, FortiWeb tracks three cookie names: ASPSESSIONID, PHPSESSIONID, and JSESSIONID.

      Configure this field if your web application uses a custom or uncommon cookie.

      This option appears only if Client Management is enabled.

      Signatures

      Select the name of the signature set you have configured in Web Protection > Known Attacks, if any, that will be applied to matching requests.

      Enable AMF3, XML, or JSON Protocol Detection if applicable.

      Attack log messages for this feature vary by which type of attack was detected. For a list, see Blocking known attacks .

      HTTP Protocol Constraints

      Select the name of an HTTP parameter constraint, if any, that will be applied to matching requests. For details, see HTTP/HTTPS protocol constraints.

      Attack log messages for this feature vary by which type of constraint was violated.

      X-Forwarded-For

      Select the X-Forwarded-For: and X-Real-IP: HTTP header settings to use, if any. For details, see Defining your proxies, clients, & X-headers.

      Note: Configuring this option is required if the true IP address of the client is hidden from FortiWeb because a load balancer or other web proxy is deployed in front. In that case, you must configure an X-header rule so that FortiWeb will block only requests related to the original client. Otherwise, it may block all requests whenever any attack occurs, since all requests will appear to originate from the proxy’s IP.

      Custom Policy

      Select the name of a combination source IP, rate limit, HTTP header, and URL access policy, if any, that will be applied to matching requests. For details, see Custom Policy.

      Attack log messages contain Custom Access Violation when this feature detects a violation.

      Padding Oracle Protection

      Select the name of padding oracle protection rule, if any, that will be applied to matching requests. For details, see Defeating cipher padding attacks on individually encrypted inputs.

      Attack log messages contain Padding Oracle Attack when this feature detects a violation.

      SQL/XSS Syntax Based Detection

      Select the name of a SQL/XSS syntax based detection policy if any, that will be applied to matching requests. For details, see Syntax-based SQL/XSS injection detection.

      Parameter Validation

      Select the name of the parameter validation rule, if any, that will be applied to matching requests. For details, see Validating parameters (“input rules”).

      Attack log messages contain Parameter Validation Violation when this feature detects a parameter rule violation.

      Hidden Fields Protection

      Select the name of the hidden fields protection rule, if any, to use to protect hidden fields on your website. For details, see Preventing tampering with hidden inputs.

      Attack log messages contain Hidden Field Manipulation when this feature detects tampering.

      This option appears only when Session Management is enabled.

      File Security

      Select an existing file security policy, if any, that will be applied to matching HTTP requests. For details, see Limiting file uploads.

      Attack log messages contain Illegal File Size when this feature detects an excessively large upload.

      Enable AMF3 Protocol Detection

      Enable to scan requests that use action message format 3.0 (AMF3) for:

      • Cross-site scripting (XSS) attacks
      • SQL injection attacks
      • Common exploits

      and other attack signatures that you have enabled in Signatures.

      AMF3 is a binary format that can be used by Adobe Flash/Flex clients to send input to server-side software.

      Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will cause the FortiWeb appliance to be unable to scan AMF3 requests for attacks.

      URL Access

      Select the name of the URL access policy, if any, that will be applied to matching HTTP requests. For details, see Restricting access based on specific URLs.

      Attack log messages contain URL Access Violation when this feature detects a URL matched by this policy.

      Allow Method

      Select an existing allow method policy, if any, that will be applied to matching HTTP requests. For details, see Specifying allowed HTTP methods.

      Attack log messages contain HTTP Method Violation when this feature detects a non-allowed HTTP request method.

      XML Protection

      		Select the name of an existing XML protection policy. For details, see Configuring XML protection.

      JSON Protection

      		Select the name of an existing JSON protection policy. For details, see Configuring JSON protection.

      OpenAPI Protection

      		Select the name of an existing OpenAPI protection policy. For details, see OpenAPI Validation.

      Mobile Application Identification

      Enable to configure the JWT token secret and token header to verify a request from a mobile application.

      Refer to Approov doc for how to get the token.

      For details, see Configuring mobile API protection.

      Note: You need to enable Mobile Application Identification first from System > Config > Feature Visibility.

      Token Secret

      Enter the token secret that you have got from Approov.

      Available only when Mobile Application Identification is enabled.

      Token Header

      Specify the header where the token is carried.

      Available only when Mobile Application Identification is enabled.

      Mobile API Protection

      Select the name of an existing API protection policy. For details, see Configuring mobile API protection.

      IP ReputationEnable to apply IP reputation intelligence. For details, see "blocklisting source IPs with poor reputation" on page 1.
      IP ListSelect the name of a client allow list or block list, if any, that will be applied to matching requests. For details, see "blocklisting & allowlisting clients using a source IP or source IP range" on page 1.
      Geo IPSelect the name of a geographically-based client block list, if any, that will be applied to matching requests. For details, see "blocklisting & allowlisting countries & regions" on page 1.
      User TrackingSelect the name of a user tracking policy, if any, to use for matching requests. For details, see Tracking.

      5. To view or modify a component without leaving the page, next to the drop-down menu where you have selected the component, click Detail.

    5. Click OK.
    6. To apply the Offline Protection profile, select it in a policy. For details, see Configuring an HTTP server policy.
    See also
    Previous
    Next

    Configuring a protection profile for an out-of-band topology or asynchronous mode of operation

    Configuring a protection profile for an out-of-band topology or asynchronous mode of operation

    Offline Protection profiles combine previously configured rules, profiles, and policies into a comprehensive set that can be applied by a policy. Offline Protection profiles contain only the features that are supported in out-of-band topologies and asynchronous inspection, which are used with operation modes Transparent Inspection and Offline Protection.

    When the operation mode is changed to Reverse Proxy, True Transparent Proxy, or WCCP, the Offline Protection tab will be hidden.

    Offline Protection profiles’ primary purpose is to detect attacks. Depending on the routing and network load, due to limitations inherent to out-of-band topologies and asynchronous inspection, FortiWeb may not be able to reliably block all of the attacks it detects, even if you have configured FortiWeb with an Action setting of Alert & Deny.

    Offline Protection profiles only include features that do not require an inline network topology. You can configure them at any time, but a policy cannot apply an Offline Protection profile if the FortiWeb appliance is operating in a mode that does not support them. For details, see How operation mode affects server policy behavior.
    To configure an Offline Protection profile
    1. Before configuring an Offline Protection profile, first configure any of the following that you want to include in the profile:
    2. Go to Policy > Web Protection Profile and select the Offline Protection Profile tab.

      3. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

    3. Click Create New.

      4. Predefined profiles cannot be edited, but they can be viewed and cloned.

    4. Configure these settings:
      NameType a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
      Client Management

      Enable to track a client by the inserted cookie, or source IP when cookie is prohibited.
      For details, see Client management.

      Threat Score Profile

      Select the Threat Score Profile so that FortiWeb can take action on IPs or clients when their threat score accumulates to a certain value.

      If you leave it blank, the system will use the Global Configuration in Client Management.

      This option is available only when Client Management is enabled.

      Session Key

      Type the cookie value, if any, that FortiWeb uses to track the client.

      By default, FortiWeb tracks three cookie names: ASPSESSIONID, PHPSESSIONID, and JSESSIONID.

      Configure this field if your web application uses a custom or uncommon cookie.

      This option appears only if Client Management is enabled.

      Signatures

      Select the name of the signature set you have configured in Web Protection > Known Attacks, if any, that will be applied to matching requests.

      Enable AMF3, XML, or JSON Protocol Detection if applicable.

      Attack log messages for this feature vary by which type of attack was detected. For a list, see Blocking known attacks .

      HTTP Protocol Constraints

      Select the name of an HTTP parameter constraint, if any, that will be applied to matching requests. For details, see HTTP/HTTPS protocol constraints.

      Attack log messages for this feature vary by which type of constraint was violated.

      X-Forwarded-For

      Select the X-Forwarded-For: and X-Real-IP: HTTP header settings to use, if any. For details, see Defining your proxies, clients, & X-headers.

      Note: Configuring this option is required if the true IP address of the client is hidden from FortiWeb because a load balancer or other web proxy is deployed in front. In that case, you must configure an X-header rule so that FortiWeb will block only requests related to the original client. Otherwise, it may block all requests whenever any attack occurs, since all requests will appear to originate from the proxy’s IP.

      Custom Policy

      Select the name of a combination source IP, rate limit, HTTP header, and URL access policy, if any, that will be applied to matching requests. For details, see Custom Policy.

      Attack log messages contain Custom Access Violation when this feature detects a violation.

      Padding Oracle Protection

      Select the name of padding oracle protection rule, if any, that will be applied to matching requests. For details, see Defeating cipher padding attacks on individually encrypted inputs.

      Attack log messages contain Padding Oracle Attack when this feature detects a violation.

      SQL/XSS Syntax Based Detection

      Select the name of a SQL/XSS syntax based detection policy if any, that will be applied to matching requests. For details, see Syntax-based SQL/XSS injection detection.

      Parameter Validation

      Select the name of the parameter validation rule, if any, that will be applied to matching requests. For details, see Validating parameters (“input rules”).

      Attack log messages contain Parameter Validation Violation when this feature detects a parameter rule violation.

      Hidden Fields Protection

      Select the name of the hidden fields protection rule, if any, to use to protect hidden fields on your website. For details, see Preventing tampering with hidden inputs.

      Attack log messages contain Hidden Field Manipulation when this feature detects tampering.

      This option appears only when Session Management is enabled.

      File Security

      Select an existing file security policy, if any, that will be applied to matching HTTP requests. For details, see Limiting file uploads.

      Attack log messages contain Illegal File Size when this feature detects an excessively large upload.

      Enable AMF3 Protocol Detection

      Enable to scan requests that use action message format 3.0 (AMF3) for:

      • Cross-site scripting (XSS) attacks
      • SQL injection attacks
      • Common exploits

      and other attack signatures that you have enabled in Signatures.

      AMF3 is a binary format that can be used by Adobe Flash/Flex clients to send input to server-side software.

      Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will cause the FortiWeb appliance to be unable to scan AMF3 requests for attacks.

      URL Access

      Select the name of the URL access policy, if any, that will be applied to matching HTTP requests. For details, see Restricting access based on specific URLs.

      Attack log messages contain URL Access Violation when this feature detects a URL matched by this policy.

      Allow Method

      Select an existing allow method policy, if any, that will be applied to matching HTTP requests. For details, see Specifying allowed HTTP methods.

      Attack log messages contain HTTP Method Violation when this feature detects a non-allowed HTTP request method.

      XML Protection

      		Select the name of an existing XML protection policy. For details, see Configuring XML protection.

      JSON Protection

      		Select the name of an existing JSON protection policy. For details, see Configuring JSON protection.

      OpenAPI Protection

      		Select the name of an existing OpenAPI protection policy. For details, see OpenAPI Validation.

      Mobile Application Identification

      Enable to configure the JWT token secret and token header to verify a request from a mobile application.

      Refer to Approov doc for how to get the token.

      For details, see Configuring mobile API protection.

      Note: You need to enable Mobile Application Identification first from System > Config > Feature Visibility.

      Token Secret

      Enter the token secret that you have got from Approov.

      Available only when Mobile Application Identification is enabled.

      Token Header

      Specify the header where the token is carried.

      Available only when Mobile Application Identification is enabled.

      Mobile API Protection

      Select the name of an existing API protection policy. For details, see Configuring mobile API protection.

      IP ReputationEnable to apply IP reputation intelligence. For details, see "blocklisting source IPs with poor reputation" on page 1.
      IP ListSelect the name of a client allow list or block list, if any, that will be applied to matching requests. For details, see "blocklisting & allowlisting clients using a source IP or source IP range" on page 1.
      Geo IPSelect the name of a geographically-based client block list, if any, that will be applied to matching requests. For details, see "blocklisting & allowlisting countries & regions" on page 1.
      User TrackingSelect the name of a user tracking policy, if any, to use for matching requests. For details, see Tracking.

      5. To view or modify a component without leaving the page, next to the drop-down menu where you have selected the component, click Detail.

    5. Click OK.
    6. To apply the Offline Protection profile, select it in a policy. For details, see Configuring an HTTP server policy.
    See also
    Previous
    Next