Administration Guide

Introduction
What's new
Key concepts
- Workflow
- Sequence of scans
- IPv6 support
- Solutions for specific web attacks
- HTTP/2 support
- HTTP sessions & security
- FortiWeb high availability (HA)
- Administrative domains (ADOMs)
- How to use the web UI
- Shutdown
How to set up your FortiWeb
- Appliance vs. VMware
- Registering your FortiWeb
- Planning the network topology
- Connecting to the web UI or CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time & date
- Setting the operation mode
- Feature visibility
- Configuring High Availability (HA) basic settings
  - HA heartbeat & active node election
  - Synchronization
- Replicating the configuration without FortiWeb HA (external HA)
- Configuring the network settings
- Configuring DNS settings
- Configuring HA settings specifically for active-passive and standard active-active modes
- Configuring HA settings specifically for high volume active-active mode
- Defining your web servers & load balancers
  - Defining your protected/allowed HTTP “Host:” header names
  - Defining your web servers
  - Defining your proxies, clients, & X-headers
  - Defining your network services
  - Configuring virtual servers on your FortiWeb
  - Enabling or disabling traffic forwarding to your servers
- Configuring FortiWeb to receive traffic via WCCP
- Configuring basic policies
- Testing your installation
- Switching out of Offline Protection mode
Policies
- How operation mode affects server policy behavior
- Configuring the global object allow list
- Configuring the allow list at server policy level
- Configuring a protection profile for inline topologies
- Generating a protection profile using scanner reports
- Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
- Configuring client management
- Configuring an HTTP server policy
- Configuring traffic mirror
- ADFS Proxy
- Configuring FTP security
Secure connections (SSL/TLS)
- Offloading vs. inspection
- Supported cipher suites & protocol versions
  - Supported cipher suites - for connections between FortiWeb and the clients
  - Supported cipher suites - for connection between FortiWeb and back-end servers
- CA certificates
- How to offload or inspect HTTPS
- Forcing clients to use HTTPS
- HTTP Public Key Pinning
- How to apply PKI client authentication (personal certificates)
- Seamless PKI integration
- Revoking certificates
- How to export/back up certificates & private keys
- How to change FortiWeb's default certificate
- Configuring OCSP stapling
Users
- Authentication styles
- Offloading HTTP authentication & authorization
- Creating reCAPTCHA servers
Application delivery
- Rewriting & redirecting
- Compression
- Site Publishing (Single sign-on)
- Caching
  - What can be cached?
- Acceleration
- Scripting
- Waiting room
Web protection
- Blocking known attacks
- Advanced protection
- Cookie security
- Input validation
- Protocol constraints
- Access control
- ML Based Anomaly Detection
  - Viewing domain data
  - Viewing anomaly detection log
- Anti-defacement
- Data Loss Prevention
Zero Trust Network Access (ZTNA)
- Configuring FortiClient EMS Connector for ZTNA
- Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- Referencing ZTNA profile in a server policy
- ZTNA troubleshooting and debugging
Bot mitigation
- Configuring threshold based detection
- Configuring biometrics based detection
- Configuring bot deception
- Configuring known bots
- Configuring bot mitigation policy
- Configuring ML Based Bot Detection policy
  - Viewing bot detection model status
  - Viewing the bot detection violations
- Configuring Advanced Bot Protection policy
- Exception Policy
API Protection
- Configuring JSON protection
- Configuring XML protection
- Configuring GraphQL protection
  - Creating GraphQL protection rules
  - Creating GraphQL protection policy
- OpenAPI Validation
- Configuring mobile API protection
- API gateway
- Configuring ML Based API Protection policy
  - Viewing API Protection domain data
  - Editing and viewing machine learning models for API paths
DoS protection
- DoS prevention
- Preventing slow and low attacks
IP Protection
- GEO IP - Blocklisting & whitelisting countries & regions
- IP List - Blocklisting & whitelisting clients using a source IP or source IP range
- IP Reputation - Blocklisting source IPs with poor reputation
- Creating IP groups
Tracking
- Compliance
Administrators
- Configuring access profiles
- Grouping remote authentication queries and certificates for administrators
- Changing an administrator’s password
- Certificate-based Web UI login
Advanced/optional system settings
- Changing the FortiWeb appliance’s host name
- Fail-to-wire for power loss/reboots
- Customizing error and authentication pages (replacement messages)
- Configuring machine-learning URL replacer policy
- Configuring the integrated firewall
  - Network address translation (NAT)
- Advanced settings
- Backup & restore
Dashboard
- Status dashboard
- Monitors
Log&Report
- Logging
- Alert email
- SNMP traps & queries
- Reports
- Debug log
- FortiGuard updates
- Analyzing attack logs in FortiWeb Cloud Threat Analytics
Security Fabric
- External connectors
- Fabric Connector: Single Sign On with FortiGate
- Automation
- FortiGSLB
Ingress Controller
Fine-tuning & best practices
- Hardening security
- Improving performance
- Improving fault tolerance
- Reducing false positives
- Regular backups
- Downloading logs in RAM before shutdown or reboot
Troubleshooting
- Introduction
- Troubleshooting outline
- Diagnosing server-policy connectivity issues
- Diagnosing system issues
- Diagnose software function issues
- Diagnose hardware issues
- System tools & diagnose commands
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: FortiWeb-VM licenses
Appendix D: Supported RFCs, W3C, & IEEE standards
Appendix E: Regular expressions
Appendix F: How to purchase and renew FortiGuard licenses

Home FortiWeb 7.4.4 Administration Guide

7.4.4

Configuring traffic mirror

In Reverse Proxy and True Transparent Proxy modes, you can configure FortiWeb to send traffic to third party IPS/IDS devices through network interfaces for traffic monitoring.

In Reverse Proxy mode, traffic mirror on both virtual server and real server are supported; while in True Transparent Proxy mode, only traffic mirror of virtual server is supported.

Traffic mirror supports thee topologies of IDS/IPS:

Directly connect to a physical port of FortiWeb;
Connect to FortiWeb by the switch (destination MAC address is required);
Connect to FortiWeb through the network (IDS/IPS operates in server mode).

Accordingly, three modes for traffic mirror are available:

Direct mode
Switch mode
Server mode

Enabling traffic mirror

Before you can begin configuring traffic mirror, you have to enable it. By default, traffic mirror is disabled.

To enable traffic mirror

Go to System > Config > Feature Visibility.

To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see "Permissions" on page 1.

Enable Traffic Mirror.
Click Apply.

Creating a traffic mirror rule

To create a traffic mirror rule

If traffic mirror is not enabled in Feature Visibility, you must enable it before you can create a traffic mirror rule. To enable traffic mirror, go to System > Config > Feature Visibility and enable Traffic Mirror.

Go to Server Objects > Traffic Mirror.

Click Create New.
Enter a name that can be referenced by other parts of the configuration for the policy.
Click OK.
Click Create New.
Configure these settings:

Mode	Three modes are available here: Direct: the mirrored packets are directly sent to IPS/IDS devices. Switch: the mirrored packets are sent to IPS/IDS devices through the switch. Server: the mirrored packets are sent to the designated IP of IPS/IDS devices. With different mode, you need to configure the following respectively.
Interface	For Direct mode, select the FortiWeb port to connect to IPS/IDS device. For Switch mode, select the FortiWeb port to connect to the switch.
Destination Mac	Only for Switch mode, type the MAC of IPS/IDS interface, where the traffic from FortiWeb goes to.
Server IP	Only for Server mode, enter the designated IP of IPS/IDS devices.
Server Port	Only for Server mode, enter the HTTP port that the IPS/IDS devices can listen to.

Click OK.
For a traffic mirror policy, you can set multiple rules.

Configuring a traffic mirror policy

To apply a mirror policy rule to the policy

Go to Policy > Server Policy.
In Network Configuration section, enable Traffic Mirror.

Configure these settings:

Traffic Mirror Policy

Select the traffic mirror policy you have created to determine which policy to apply to the connection.

Traffic Mirror Type

For True Transparent Proxy mode, only Client Side type is available, which only allows traffic from client side to be sent to IPS/IDS devices.
For Reverse Proxy mode:

Client Side:only allow traffic from client side to be sent to IPS/IDS devices.
Server Side: only allow traffic from server side to be sent to IPS/IDS devices.
Client and Server: allow traffic from both client and server sides to be sent to IPS/IDS devices.

Click OK.