Creating an ADFS server policy
To configure a policy
1. Go to System > Config > Feature Visibility, then enable ADFS Policy. Skip this step if it is already enabled.
   To access this part of the web UI, your administrator account's access profile must have Read and Write permission to items in the System Configuration category.
2. Go to Policy > Server Policy.
   To access this part of the web UI, your administrator account's access profile must have Read and Write permission to items in the Server Policy Configuration category.
3. Click Create New > Create ADFS policy.
4. Configure the following settings.

| Setting | Description |
|---|---|
| Policy Name | Type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 63 characters. |
| Virtual Server | Select the name of the virtual server you have created. |
| Server Pool | Select the name of the server pool you have created. |
| Syn Cookie | Enable to prevent TCP For details, see "DoS prevention" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides). |
| Half Open Threshold | Type the TCP |
| ADFS Certificate Authentication Service | Configure this option if the ADFS server requires a client certificate for authentication. Select the pre-defined service TLSCLIENTPORT if FortiWeb uses service port 49443 to listen for certificate authentication requests. To define a custom service, go to Server Objects > Service. For details, see "Defining your network services" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides). |
| Certificate Verification for Certificate Authentication | Select the certificate validation rule you have created. |
| HTTPS Service | Configure this option if the ADFS server requires a username and password for authentication. Select the pre-defined service HTTPS if FortiWeb uses service port 443 to listen for credential authentication requests. To define a custom HTTPS service, go to Server Objects > Service. For details, see "Defining your network services" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides). |
| Enable Multi-certificate | Enable this option to allow FortiWeb to use multiple local certificates. |
| Certificate | Select the server certificate that FortiWeb uses to encrypt or decrypt SSL-secured HTTPS connections with clients. |
| Certificate Intermediate Group | Select the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to clients. An intermediate CA can complete the signing chain and validate the server certificate's CA signature. Configure this option when clients receive certificate warnings because the server certificate selected under Certificate was signed by an intermediate CA rather than by a root CA or another CA that the client already trusts directly. Alternatively, you can include the entire signing chain in the server certificate itself before you upload it to FortiWeb. For details, see "Uploading a server certificate" and "Supplementing a server certificate with its signing chain" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides). |
| Web Protection Profile | Select the profile to apply to the connections that this policy accepts, or select Create New to add a new profile in a pop-up window without leaving the current page. |
| Replacement Message | Select the replacement message to apply to the policy. |
| Monitor Mode | Enable to override any actions included in the profiles. Instead, FortiWeb accepts all requests and generates an alert email and/or log message for every policy violation. This setting does not affect any rewriting or redirection actions in the protection profiles, including the action to remove poisoned cookies. Note: Logging and/or alert email occur only if you enable and configure them. For details, see "Logging" and "Alert email" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides). |
| URL Case Sensitivity | Enable to differentiate uniform resource locators (URLs) according to upper case and lower case letters for features that act upon the URLs in the headers of HTTP requests. For example, when this option is enabled, an HTTP request involving |
| Comments | Type a description or other comment. The description can be up to 999 characters long. |

5. In most cases, the Advanced SSL settings are not necessary for the ADFS server policy. Configure them only if they genuinely suit your scenario.

| Setting | Description |
|---|---|
| Certificate Verification for HTTPS | Select the certificate validation rule you want to use for HTTPS connections. |
| Enable Server Name Indication (SNI) | Select to use a Server Name Indication (SNI) configuration instead of, or in addition to, the server certificate. The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool, based on the domain in the client request. For details, see "Allowing FortiWeb to support multiple server certificates" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides). If you specify both an SNI configuration and Certificate, FortiWeb uses the certificate specified by Certificate when the requested domain does not match a value in the SNI configuration. |
| Supported SSL Protocols | Specify which versions of the SSL or TLS cryptographic protocols clients can use to connect securely to the FortiWeb appliance or back-end servers. For details, see "Supported cipher suites & protocol versions" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides). |
| SSL/TLS encryption level | Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or customized security configuration. If you select Customized, you can select a cipher and then use the arrow keys to move it to the appropriate list. For details, see "Supported cipher suites & protocol versions" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides). |
| Disable Client-Initiated SSL Renegotiation | Select to configure FortiWeb to ignore requests from clients to renegotiate TLS or SSL. This protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server. |

6. Click OK.
7. To verify the policy, test it by forming connections between legitimate clients and servers at various points within your network topology. Also attempt to send traffic that violates your policy and should therefore be logged, modified, or blocked.
   If the ADFS proxy is running, you can find the corresponding event logs under Log&Report > Event; their action name is adfsproxy-status-check. If the ADFS proxy is running incorrectly, the Message field displays an error message.
The server policy is displayed in the list on Policy > Server Policy. Initially, it is enabled.
Legitimate traffic should now be able to flow, while policy-violating traffic (that is, traffic that is prohibited by the settings in your policy or protection profile) may be blocked, depending on your Action settings for the rule that the traffic has violated.
If a connection fails, you can use tools included in the firmware to determine whether the problem is local to the appliance or elsewhere on the network. For details, see "Troubleshooting" and "Reducing false positives" in FortiWeb Administration Guide (HTTPS://docs.fortinet.com/fortiweb/admin-guides).
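To support the verification and troubleshooting steps above, here is an added client-side probe (example code, not FortiWeb's own): for each listener the policy defines (443 for the HTTPS service, 49443 for TLSCLIENTPORT) and each SNI name, it attempts a handshake pinned to a single TLS version, so you can confirm that only the versions allowed under Supported SSL Protocols are accepted and, when a CA file is supplied, that the certificate presented for each name is the one you expect. The host, SNI names and CA file path are placeholders you replace with your own.

```python
import socket
import ssl

# Constructed verification helper, not FortiWeb code. Versions to try; add
# TLSv1/TLSv1_1 only if your local OpenSSL build still permits them.
PROBE_VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2,
                  "TLSv1.3": ssl.TLSVersion.TLSv1_3}
# Listener ports from the policy: HTTPS service (443), TLSCLIENTPORT (49443).
ADFS_PORTS = (443, 49443)


def make_context(version, cafile=None):
    """Client context pinned to exactly one protocol version. With a cafile,
    hostname checking stays on, so the handshake also fails when FortiWeb
    presents a certificate that does not match the SNI name."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = version
    ctx.maximum_version = version
    if cafile is None:  # unverified probe: only protocol acceptance is tested
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host, port, version, sni, cafile=None, timeout=5.0):
    """One handshake attempt. Returns (accepted, detail)."""
    ctx = make_context(version, cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                cert = tls.getpeercert()  # empty dict unless verification was on
                rdns = dict(rdn[0] for rdn in cert.get("subject", ()))
                return True, "%s %s CN=%s" % (tls.version(), tls.cipher()[0],
                                              rdns.get("commonName", "?"))
    except ssl.SSLError as exc:
        return False, exc.reason or str(exc)
    except OSError as exc:
        return False, str(exc)


def audit(host, sni_names, ports=ADFS_PORTS, cafile=None, timeout=5.0):
    """Map (port, sni, version name) -> (accepted, detail) for every combination."""
    return {(port, sni, name): probe(host, port, ver, sni, cafile, timeout)
            for port in ports for sni in sni_names
            for name, ver in PROBE_VERSIONS.items()}


if __name__ == "__main__":
    # Placeholder host and SNI name; replace with your virtual server's values.
    for key, (ok, detail) in sorted(audit("192.0.2.10", ["adfs.example.com"]).items()):
        print(key, "accepted" if ok else "rejected", detail)
```

A version you disabled in the policy should show up as rejected with an SSL error from FortiWeb, while a refused or timed-out connection points at the network path rather than the TLS settings.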