Administration Guide

Configuring an HTTP server policy

Configure HTTP server policies by combining your rules, profiles, and sub-policies.

Server policies:

  • Block or allow connections
  • Apply a protection profile that specifies how FortiWeb scans or processes the HTTP/HTTPS requests that it allows
  • Route or let pass traffic to destination web servers

Until you configure and enable at least one policy, FortiWeb will, by default:

  • when in Reverse Proxy mode, deny all traffic.
  • when in other operation modes, allow all traffic.

Server policy behavior and supported features vary by operation mode. For details, see How operation mode affects server policy behavior. It also varies by whether or not the policy uses IPv6 addresses.

To achieve more complex policy behaviors and routing, you can chain multiple policies together. For details, see Defining your web servers.

Do not configure policies you will not use. FortiWeb allocates memory with each server policy, regardless of whether it is actually in active use. Configuring extra policies unnecessarily consumes memory and decreases performance.

Certain server policy options are available only in the CLI. Do not overlook them, as they can be useful in some cases. For example, to mitigate low-and-slow attacks, you can set HTTP-header-timeout and tcp-recv-timeout to specify the timeouts for the HTTP header and the TCP request sent by clients.

For a full set of the server policy options, see config server-policy policy in FortiWeb CLI Reference Guide.

FortiWeb will drop all the existing sessions if you change the configuration of the following settings:

  • Traffic Mirror

  • Syn Cookie

  • Client Real IP

  • HTTP, HTTPS, and HTTP/3 services

  • The Virtual IP addresses referenced by the Virtual Server in this server policy

  • client-timeout in config server-policy policy

If a policy has any virtual servers or server pool members with IPv6 addresses, it does not apply features that do not yet support IPv6, even if they are selected.

To configure a policy

  1. Before you configure a policy, you usually should first configure any of the following that you must, or want to, include in the policy:
  2. Alternatively, you can create missing components on-the-fly while configuring the policy, without leaving the page. To do this, select Create New from each policy component’s drop-down menu.

     However, when creating many components, you can save time by leaving the policy page, going to the other menu areas, and creating similar profiles by cloning, then modifying each clone.

     Generally speaking, because policies tie other components together and apply them to clients’ connections with your web servers, they should be configured last. For details, see Workflow.

  3. Go to Policy > Server Policy.

     To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

     Server Policy involves the configuration of Tags, Traffic Log, and Machine Learning, so reading or editing an existing server policy, or creating a new one, requires not only Read Only or Read Write permission for Server Policy Configuration but also the corresponding permissions for System Configuration, Log & Report, and Machine Learning Configuration.

  4. Click Create New.

  5. Configure the following settings. The operation mode and Deployment Mode value determine which options are available.

    Network Configuration

    Policy Name

    Type a name that can be referenced by other parts of the configuration.

    Deployment Mode

    Select the method of distribution that the FortiWeb appliance uses when it accepts connections for this policy.

    The deployment modes that are available depend on the types of network topologies that the current operation mode supports.

    • Single Server/Server Balance—Forwards connections to a server pool. Depending on the pool configuration, FortiWeb either forwards connections to a single physical server or domain server or distributes the connections among the pool members. Also configure a Server Pool. This option is available only in Reverse Proxy mode.
    • HTTP Content Routing—Use HTTP content routing to route HTTP requests to a specific server pool. This option is available only in Reverse Proxy mode.

    Note: When HTTP Content Routing is selected, FortiWeb can handle HTTP/2 client requests, but traffic from FortiWeb to the server(s) must use HTTP, so the HTTP/2 setting in a server pool configuration would have to remain disabled. For details, see Defining your web servers.

    • Offline Protection—Allow connections to pass through the FortiWeb appliance, and apply an Offline Protection profile. Also configure a Server Pool. This option is available only in Offline Protection mode.
    • Transparent Servers—Allow connections to pass through the FortiWeb appliance, and apply a protection profile. Also configure a Server Pool. This option is available only in True Transparent Proxy or Transparent Inspection mode.
    • WCCP Servers—FortiWeb will act as a Web Cache Communication Protocol (WCCP) client that receives traffic from a FortiGate configured as a WCCP server. Also configure a Server Pool. This option is available only in WCCP mode.

    Virtual Server

    or

    Data Capture Port

    or

    V-zone

    Select the name of a virtual server, data capture (listening) network interface, or v-zone (bridge). The name and purpose of this setting vary by operation mode:

    • Virtual Server—Identifies the IP address and network interface of incoming traffic that FortiWeb routes and that the policy applies a profile to. This option is available only in Reverse Proxy mode.

    • Data Capture Port—Identifies the network interface of incoming traffic that the policy applies a profile to. The IP address is ignored. This option is available only in Offline Protection mode.

      If your FortiWeb model uses Data Plane Development Kit (DPDK) for packet processing (e.g., models 3000E, 3010E and 4000E), this option has the following limitations:

      • Only physical interfaces can be data capture ports. These models do not support VLAN subinterfaces or link aggregate interfaces as data capture ports.
      • You cannot edit the interface after you set it as a data capture port. If you need to configure the maximum transmission unit (MTU) for the interface (using the config system interface and config system v-zone CLI commands), do it before you select the interface as a data capture port.
    • V-zone—Identifies the network interface of the incoming traffic that the policy applies a profile to. This option is available in True Transparent Proxy and Transparent Inspection mode.

    HTTP Content Routing

    To specify HTTP content routing policies and options that this policy uses, click Add, then complete the following settings for each entry, or click Edit to edit an existing entry:

    • HTTP Content Routing Policy Name—The name of the policy.
    • Inherit Web Protection Profile—Specify whether FortiWeb applies the web protection profile for the server policy to connections that match the routing policy.
    • Web Protection Profile—Select the profile to apply to connections that match the routing policy. For details, see Configuring a protection profile for inline topologies.

      Note: FortiWeb does not block clients with source IP addresses designated as a trusted IP. For details, see Blocklisting & allowlisting clients using a source IP or source IP range.

    • Default—Specifies whether FortiWeb applies the specified protection profile to any traffic that does not match any HTTP content routing policy in the list.

    You can specify up to 256 HTTP content routing policies in each server policy.

    This option is available only in Reverse Proxy mode and when the Deployment Mode is HTTP Content Routing.

    Match Once

    Enable to forward subsequent requests from an identified client connection to the same server pool as the initial connection from the client.

    This option allows FortiWeb to improve its performance by skipping the process of matching HTTP header content to content routing policies for connections it has already evaluated and routed.

    This option is available only in Reverse Proxy mode and when the Deployment Mode is HTTP Content Routing.

    Server Pool

    Select the server pool whose members receive the connections. A server pool can contain a single physical server or domain server. For details, see Creating an HTTP server pool.

    This option is available only if the Deployment Mode is Single Server/Server Pool, Offline Protection, Transparent Server, or WCCP Servers.

    Caution: Multiple virtual servers/policies can forward traffic to the same server pool. If you do this, consider the total maximum load of connections that all virtual servers forward to your server pool. This configuration can multiply the traffic forwarded to the server pool, which can overload it and cause dropped connections.

    Protected Hostnames

    Select a protected host names group to allow or reject connections based upon whether the Host: field in the HTTP header is empty or does or does not match the protected host names group. For details, see Defining your protected/allowed HTTP “Host:” header names.

    If you do not select a protected host names group, FortiWeb accepts or blocks requests based on other criteria in the policy or protection profile, but will not accept or block requests based on the Host: field in the HTTP header.

    Attack log messages contain HTTP Host Violation when this feature detects a hostname that is not allowed.

    Caution: Unlike HTTP 1.1, HTTP 1.0 does not require the Host: field. The FortiWeb appliance does not block HTTP 1.0 requests because they do not have this field, regardless of whether or not you have selected a protected host names group.
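    The following decision model is an added example, not FortiWeb code: it reproduces the Protected Hostnames behaviour described above (a violation when the Host: field is empty or not in the group, an HTTP/1.0 request without a Host: field passing, and no Host: evaluation at all when no group is selected), and shows that a port suffix makes a distinct entry, which is why the Let's Encrypt note later on this page asks for both domain.com and domain.com:443. Case-insensitive comparison, treating a request with duplicate Host: headers as a violation, and the sample requests are assumptions and constructions of this example.

```python
from __future__ import annotations

from typing import List, Optional, Tuple

ALLOW = "allow"
VIOLATION = "HTTP Host Violation"     # attack log message named on this page
NOT_EVALUATED = "host-not-evaluated"  # no protected host names group selected


def parse_head(raw: bytes) -> Tuple[str, List[str]]:
    """Return (HTTP version, every Host: value) from a raw request head.

    All Host: values are returned so that a request carrying several of them
    is visible to the caller instead of silently collapsing to one.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    version = parts[2] if len(parts) == 3 else "HTTP/0.9"   # no version = HTTP/0.9
    hosts: List[str] = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            hosts.append(value.strip())
    return version, hosts


def evaluate_host(group: Optional[frozenset], raw: bytes) -> str:
    """Apply the Protected Hostnames decision this page describes."""
    version, hosts = parse_head(raw)
    if group is None:
        return NOT_EVALUATED          # other policy/profile criteria still apply
    if version == "HTTP/1.0" and not hosts:
        return ALLOW                  # HTTP/1.0 need not send Host:; not blocked for its absence
    if len(hosts) != 1:
        return VIOLATION              # missing, or ambiguous duplicate Host: (assumption)
    host = hosts[0].lower()           # case-insensitive match is an assumption of this model
    if host == "" or host not in group:
        return VIOLATION              # empty, or not in the protected host names group
    return ALLOW


# Constructed sample group and requests (not captured traffic).
GROUP = frozenset({"example.com", "example.com:443"})
SAMPLES = {
    "match":          b"GET / HTTP/1.1\r\nHost: Example.com\r\n\r\n",
    "match-port-443": b"GET / HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    "other-port":     b"GET / HTTP/1.1\r\nHost: example.com:8443\r\n\r\n",
    "wrong-host":     b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n",
    "empty-host":     b"GET / HTTP/1.1\r\nHost:\r\n\r\n",
    "no-host-http11": b"GET / HTTP/1.1\r\n\r\n",
    "no-host-http10": b"GET / HTTP/1.0\r\n\r\n",
    "duplicate-host": b"GET / HTTP/1.1\r\nHost: example.com\r\nHost: other.example\r\n\r\n",
}


def run_samples(group: Optional[frozenset] = GROUP) -> dict:
    """Evaluate every constructed sample against the given group."""
    return {name: evaluate_host(group, raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:16} {result}")
```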

    Client Real IP

    By default, when the operation mode is Reverse Proxy, the source IP for connections between FortiWeb and back-end servers is the address of a FortiWeb network interface.

    If you enable Client Real IP, FortiWeb will use the source IP address of the client that originated the request when it connects to a back-end server on behalf of that client. This option is available only in Reverse Proxy mode.

    • If you set the server's IP address as the source address in a policy route, it is recommended that you do not enable Client Real IP; otherwise your application may become inaccessible.
    • If an IPv6 virtual IP is used in this server policy and the real server's IP address is IPv4, Client Real IP should not be enabled.

    • Client Real IP is not supported if the back-end server is specified by domain name instead of IP address. Do not enable Client Real IP in this case.

    Note: To ensure FortiWeb receives the server's response when you enable Client Real IP, configure FortiWeb as the server’s gateway.

    When Client Real IP is enabled, the client's source port is also used. If you want FortiWeb to use a random source port instead, run the following command:

    config server-policy policy
      edit <policy_name>
        set client-real-ip enable
        set client-real-ip-random-port enable
      next
    end

    It is recommended to enable the random port when all of the following are set; otherwise traffic may be disrupted:

    • Deployment Mode is HTTP Content Routing

    • Match Once is disabled

    • Client Real IP is enabled

    • IP/IP Range is not specified

    IP/IP Range

    Specify an IP address or address range to directly connect to the back-end server.

    If no IP address or address range is specified when Client Real IP is enabled, FortiWeb will use the client IP address to connect to the back-end server.

    Available only when Client Real IP is enabled.

    Blocking Port

    Select which network interface FortiWeb uses to send TCP RST (connection reset) packets when it attempts to block the request or connection after it detects traffic that violates a policy. For details on blocking behavior, see Topology for Offline Protection mode.

    This option is available only in Offline Protection mode.

    HTTP Service

    Select the custom or predefined service that defines the TCP port number where the virtual server receives HTTP traffic.

    This option is available only in Reverse Proxy mode.

    HTTPS Service

    Select the custom or predefined service that defines the TCP port number where the virtual server receives HTTPS traffic. Also configure Certificate.

    Enable if requests from clients to the FortiWeb appliance or back-end servers use SSL or TLS. See also Supported cipher suites & protocol versions.

    When enabled, the FortiWeb appliance handles SSL negotiations and encryption and decryption, instead of the web servers, also known as SSL offloading. For details, see Offloading vs. inspection.

    Connections between the client and the FortiWeb appliance are encrypted. The server pool configuration specifies whether connections between the FortiWeb appliance and each web server are encrypted.

    This option is available only in Reverse Proxy mode. For other operation modes, use the server pool configuration to enable SSL inspection. For details, see Creating an HTTP server pool.

    Caution: If you do not enable an HTTPS option and provide a certificate for HTTPS connections, FortiWeb cannot decrypt connections and scan content in the HTTP body.

    Tip: FortiWeb appliances contain specialized hardware to accelerate SSL processing. Offloading SSL/TLS processing can improve the performance of secure HTTP (HTTPS) connections.

    HTTP/3 Service

    Select the custom or predefined service that defines the UDP port number where the virtual server receives HTTP/3 traffic.

    Note that HTTP/3 Service requires TLS 1.3 to be enabled under SSL Connection Settings in the server policy's advanced SSL settings.

    HTTP/3 Service Limitations:

    • Scope of Support

      HTTP/3 service is supported only for connections between the client and FortiWeb. Connections with the back-end server currently do not support HTTP/3.

    • Security Modules Supporting HTTP/3

      • Client Management

      • Signature

      • HTTP Protocol Constraints

      • X-Forwarded-For

      • HTTP Header Security

      • SQL/XSS Syntax Based Detection

      • Allow Method

      • URL Access

      • CORS Protection

      • XML Protection

      • JSON Protection

      • GraphQL Protection

      • OpenAPI Validation

      • DLP (Data Loss Prevention)

      • File Upload

      • Site Publish

      • User Tracking

    • Security modules not supporting HTTP/3 traffic

      • Advanced Bot Protection

      • Quarantined IP

      • Biometric based Bot Detection

      • Web Socket

      • ML based Bot Detection

      • ADFS Proxy

      • TCP Flood Prevention

      • Malicious IPs

      • gRPC Protocol Security

      • Lua Scripts

    • Operational Mode

      HTTP/3 is available only in Reverse Proxy mode.

    • Configuration Constraints

      If either of the following options is enabled in the server policy, HTTP/3 connections will hang due to a certificate verification error.

      • Advanced SSL settings > Certificate Verification for HTTPS

      • SNI Policy with Certificate Verify selected.

    HTTP/2

    Enable FortiWeb to negotiate HTTP/2 with clients via SSL ALPN (Application-Layer Protocol Negotiation) during the SSL handshake if the client's browser supports the HTTP/2 protocol. If HTTP/2 is enabled, FortiWeb will recognize HTTP/2 traffic and apply the security services to it.

    Note: This option is available only if the Deployment Mode is Single Server/Server Pool or HTTP Content Routing and HTTPS Service is configured correctly. This is because FortiWeb supports HTTP/2 only for HTTPS connections. Keep in mind that if the Deployment Mode is HTTP Content Routing, client requests can use HTTP/2, but traffic between FortiWeb and the server(s) must use HTTP, so the HTTP/2 setting in a server pool configuration would have to remain disabled. For details, see Defining your web servers.

    To configure HTTP/2 in True Transparent Proxy mode, see HTTP/2 support.

    Certificate Type / Certificate

    Local: Select the server certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by Protected Hostnames. For details, see How to offload or inspect HTTPS.

    Multi-certificate: Select the local server certificate created in Server Objects > Certificates > Local > Multi-certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by Protected Hostnames. For details, see How to offload or inspect HTTPS.

    Letsencrypt: Select the Letsencrypt certificate you have created. For details, see How to offload or inspect HTTPS and Let's Encrypt certificates.

    Note that if you select a Letsencrypt certificate and also enable Redirect HTTP to HTTPS, make sure to add both domain.com and domain.com:443 as accepted hosts in the Protected Hostnames settings (see Defining your protected/allowed HTTP “Host:” header names).

    If Enable Server Name Indication (SNI) is selected, FortiWeb uses a Server Name Indication (SNI) configuration instead of or in addition to this server certificate.

    Available only if you specify a value for HTTPS Service.

    Certificate Intermediate Group

    Select the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to clients. An intermediate CA can complete the signing chain and validate the server certificate’s CA signature.

    Configure this option when clients receive certificate warnings that an intermediary CA has signed the server certificate specified by the selected Certificate, not a root CA or other CA currently trusted by the client directly.

    Alternatively, you can include the entire signing chain in the server certificate itself before you upload it to FortiWeb. For details, see How to offload or inspect HTTPS.

    Available only if you specify a value for HTTPS Service.

    Show/Hide advanced SSL settings

    Click to show or hide the settings that allow you to specify a Server Name Indication (SNI) configuration, increase security by disabling specific versions of TLS and SSL for this policy, and other advanced SSL settings.

    For example, if FortiWeb can use a single certificate to decrypt and encrypt traffic for all the websites that reside on the servers in a pool, you may not have to set any advanced SSL settings.

    Available only if you specify a value for HTTPS Service.

    Certificate Settings

    Certificate Verification—Select the name of a certificate verifier, if any, that FortiWeb uses to validate an HTTP client’s personal certificate.

    Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website (PKI authentication). If a User Tracking Policy or Site Publish rule fails to track a user, FortiWeb will attempt to track a user with his or her email address provided in the client certificate via Certificate Verification.

    You can require clients to present a certificate instead of, or in addition to, HTTP authentication. For details, see Offloading HTTP authentication & authorization.

    Available only if you specify a value for HTTPS Service.

    For True Transparent Proxy mode, configure this setting in the server pool configuration instead. For details, see Certificate Verification.

    Note: The client must support TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.

    If you select Enable Server Name Indication (SNI) and the domain in the client request matches an entry in the specified SNI policy, FortiWeb uses the SNI configuration to determine which certificate verifier to use instead.

    If you do not select a verifier, clients are not required to present a personal certificate. For details, see How to apply PKI client authentication (personal certificates).

    Enable Server Name Indication (SNI)—Select to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by Certificate.

    The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. For details, see How to offload or inspect HTTPS.

    If you specify both an SNI configuration and Certificate, FortiWeb uses the certificate specified by Certificate when the requested domain does not match a value in the SNI configuration.

    Available only if you specify a value for HTTPS Service and select Show advanced SSL settings.

    Enable Strict SNI—Select so that FortiWeb will ignore the Certificate when it determines which certificate to present on behalf of server pool members, even if the domain in a client request does not match a value in the SNI configuration.

    Available only if Enable Server Name Indication (SNI) is selected.

    SNI Policy—Select the Server Name Indication (SNI) configuration that determines which certificate FortiWeb presents on behalf of the members of a server pool.

    Available only if Enable Server Name Indication (SNI) is selected.

    Enable URL Based Client Certificate—Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate.

    Note that if you use URL Based Client Certificate, do not select TLS 1.3 in SSL Connection Settings > Supported SSL Protocols, because FortiWeb does not support URL-based certificate authentication with TLS 1.3, even with post-handshake authentication (PHA) enabled on the client side.

    Available only if you specify a value for HTTPS Service and select Show advanced SSL settings.

    Note: This function is not supported for HTTP/2 communication between the Client and this back-end web server.

    URL Based Client Certificate Group—Specifies the URL-based client certificate group that determines whether a client is required to present a personal certificate.

    If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate.

    For information on creating a group, see Use URLs to determine whether a client is required to present a certificate.

    Available only if Enable URL Based Client Certificate is selected.

    Max HTTP Request Length—Specifies the maximum allowed length for an HTTP request with a URL that matches an entry in the URL-based client certificate group.

    FortiWeb blocks any matching requests that exceed the specified size.

    This setting prevents a request from exceeding the maximum buffer size.

    Available only if Enable URL Based Client Certificate is selected.

    SSL Connection Settings

    Enable SSL Ciphers Group: If enabled, select the cipher group you have created in Server Objects > SSL Ciphers. It's recommended to create a cipher group so that you can re-use the group settings across server policies and server pools.

    Supported SSL Protocols—Specify which versions of the SSL or TLS cryptographic protocols clients can use to connect securely to the FortiWeb appliance.

    TLS 1.3 changes the protocol substantially, including the handshake, the supported cipher suites, and certificate handling. Make sure you understand how it works before enabling TLS 1.3.

    Note: 0-RTT (early data) in TLS 1.3 is disabled by default. You can use the following command to enable it:

    config server-policy setting
      set tls13-early-data-mode enable
    end

    For the supported ciphers of each TLS version, see Supported cipher suites & protocol versions.

    SSL/TLS Encryption Level—Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security or customized security configuration.

    If you select Customized, you can select a cipher and then use the arrow keys to move it to the appropriate list.

    For details, see Supported cipher suites & protocol versions.

    Available only if you specify a value for HTTPS Service and select Show advanced SSL settings.

    RFC-7919 Comply—Enable to apply cipher suites that comply with RFC 7919.

    Supported Group—Select the RFC 7919 groups to support. Supported Group sets the Elliptic Curve Parameters, while the SSL/TLS negotiation may choose different Elliptic Curve algorithms, so make sure to select the corresponding ciphers in SSL/TLS Encryption Level.

    • At least one FFDHE group must be selected.

    • At least one DHE cipher must be added.

      Due to a design limitation, you need to select Customized in SSL/TLS Encryption Level and include at least one DHE cipher in the selected list. Using High or Medium together with RFC-7919 Comply leads to an unexpected error. This will be fixed in a future release.

    The system returns an error if either of the two conditions above is not met.

    Note that RFC 7919 does not apply to TLS 1.3, so if you have enabled only TLS 1.3 under Supported SSL Protocols, RFC 7919 does not take effect even if it is enabled. To use both TLS 1.3 and RFC 7919, enable at least one non-TLS 1.3 protocol as well, then select at least one DHE cipher.

    Disable Client-Initiated SSL Renegotiation—Select to configure FortiWeb to ignore requests from clients to renegotiate TLS or SSL.

    This protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server.

    Available only if you specify a value for HTTPS Service and select Show advanced SSL settings.

    HTTPS Header Insertion

    Client Certificate Forwarding—Enable to configure FortiWeb to include the X.509 personal certificate presented by the client during the SSL/TLS handshake, if any, in an X-Client-Cert: HTTP header when it forwards the traffic to the protected web server.

    FortiWeb still validates the client certificate itself, but this forwarding action can be useful if the web server requires the client certificate for server-side identity-based functionality.

    Note: It is necessary to set Certificate Verification to make this option effective.

    Available only if you specify a value for HTTPS Service and select Show advanced SSL settings.

    Custom Header of CCF Subject—Enter a custom header name to carry the subject of the X.509 personal certificate presented by the client during the SSL/TLS handshake.

    Available only if Client Certificate Forwarding is selected.

    Custom Header of CCF Certificate—Enter a custom header name to carry the X.509 personal certificate presented by the client during the SSL/TLS handshake.

    Available only if Client Certificate Forwarding is selected.

    Add HSTS Header—Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply. For example:

    Strict-Transport-Security: max-age=31536000;includeSubDomains;preload

    This header forces clients to use HTTPS for subsequent visits to this domain. If the certificate is invalid, the client’s web browser receives a fatal connection error and does not display a dialog that allows the user to override the certificate mismatch error and continue.

    Note that you must select a web protection profile in the server policy; otherwise the HSTS header cannot be inserted.

    Available only if you specify a value for HTTPS Service and select Show advanced SSL settings.

    Max. Age—Specify the time to live in seconds for the HSTS header.

    Available only if Add HSTS Header is selected.

    Include Sub Domains—Enable to add the includeSubDomains directive to the HSTS header.

    Available only if Add HSTS Header is selected.

    Preload—Enable to add the preload directive to the HSTS header.

    Available only if Add HSTS Header is selected.

    Add HPKP Header—Select an HPKP profile, if any, to use to verify certificates when clients attempt to access a server.

    HPKP prevents attackers from carrying out Man in the Middle (MITM) attacks with forged certificates. For details, see HTTP Public Key Pinning.

    Available only if you specify a value for HTTPS Service.

    Redirect HTTP to HTTPS

    Enable to automatically redirect all HTTP requests to the HTTPS service with the same URL and parameters. If you select this option, ensure that you also configure HTTPS Service.

    This option can replace redirection functionality that you create using URL rewriting rules. For details, see Example: HTTP-to-HTTPS redirect.

    This option is available only in Reverse Proxy mode.

    Redirect Naked Domain

    Enable to redirect naked domain requests to “www” domain requests.

    This option is available only in Reverse Proxy mode.

    Traffic Mirror

    Enable to mirror all traffic to third-party devices according to the traffic mirror policy.

    Traffic Mirror Policy

    Select the traffic mirror policy you have created to determine which policy to apply to the connection.

    Traffic Mirror Type

    For True Transparent Proxy mode, only Client Side type is available, which only allows traffic from client side to be sent to IPS/IDS devices.

    For Reverse Proxy mode:

    • Client Side—only allow traffic from client side to be sent to IPS/IDS devices.
    • Server Side—only allow traffic from server side to be sent to IPS/IDS devices.
    • Client and Server—allow traffic from both client and server sides to be sent to IPS/IDS devices.

    Application Delivery

    Proxy Protocol

    Enable this option when proxy servers or load balancers are deployed in front of FortiWeb, for example, when a load balancer with proxy protocol enabled is deployed in front of FortiWeb-VM on AWS.

    When Proxy Protocol is enabled, FortiWeb can read the original client connection information from the proxy protocol header passed through the proxy servers and load balancers.

    Retry On

    Enable to configure whether to retry a failed TCP connection or HTTP request in Reverse Proxy mode.

    A TCP connection failure retry can help when the back-end server unexpectedly becomes unreachable: FortiWeb reconnects to the single server, or switches to another server according to the load balance algorithm when more than one back-end server is available in the server pool.

    An HTTP layer retry can help when the back-end server can be connected to but returns certain failure response codes, such as 404, 408, 500, 501, 502, 503, and 504. FortiWeb reconnects to the single server, or switches to another server according to the load balance algorithm when more than one back-end server is available in the server pool.

    Note that if you have applied a session persistence configuration to the server pool that tells FortiWeb to forward subsequent packets to the back-end server based on source IP or session ID, FortiWeb adheres to that configuration and retries the connection with the same back-end server instead of switching to another one.

    Retry On TCP Connection Failure

    Enable to configure the retry times in case of any TCP connection failure.

    Retry Times On Connection Failure

    Enter the number of retries when FortiWeb reconnects to the single server or switches to another pserver (server pool member). The valid range is 1-5.

    Retry On Cache Size

    Enter a cache size limit for the HTTP request packet.

    HTTP failure retry takes effect only when the request packet is smaller than this defined size.

    TCP connection failure retry takes effect only when the HTTP request packet in the TCP connection is smaller than this defined size.

    Retry On HTTP Failure

    Enable to configure the retry times and the failure response codes that trigger a retry in case of an HTTP failure.

    Retry Times On HTTP Failure

    Enter the number of times FortiWeb retries by reconnecting to the single server or switching to another pserver. The valid range is 1-5.

    Retry On HTTP Return Code

    Select the failure response codes that trigger an HTTP failure retry when the pserver can be connected to but returns one of these codes.
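The Retry On settings above, modelled as an added example (not FortiWeb code) so that the interaction between the two retry budgets, the Retry On Cache Size limit and session persistence is visible on sample pservers. The pserver behaviour, the round-robin selector and the 8192-byte cache size are constructed assumptions.

```python
# Constructed model of the Retry On options (added example, not FortiWeb code).
# Pservers are modelled as callables that return an HTTP status code, or raise
# ConnectionError when the TCP connection to them fails.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Pserver = Callable[[], int]


@dataclass
class RetryPolicy:
    retry_on_tcp_failure: bool = False
    retry_times_on_connection_failure: int = 1      # valid range 1-5
    retry_on_http_failure: bool = False
    retry_times_on_http_failure: int = 1            # valid range 1-5
    # Retry On HTTP Return Code: the codes the guide lists as examples
    retry_on_http_return_codes: frozenset = frozenset({404, 408, 500, 501, 502, 503, 504})
    retry_on_cache_size: int = 8192                  # bytes; assumed value
    session_persistence: bool = False               # pool pins clients by source IP / session ID

    def __post_init__(self) -> None:
        for n in (self.retry_times_on_connection_failure, self.retry_times_on_http_failure):
            if not 1 <= n <= 5:
                raise ValueError("retry times must be within the valid range 1-5")


def round_robin(last: int, pool_size: int) -> int:
    """Stand-in load-balance algorithm used when FortiWeb switches pservers."""
    return (last + 1) % pool_size


def _next_pserver(policy: RetryPolicy, pool_size: int, last: int, lb_next) -> int:
    # Session persistence keeps retries on the same pserver; otherwise the
    # load-balance algorithm picks another one when the pool has more than one.
    if policy.session_persistence or pool_size == 1:
        return last
    return lb_next(last, pool_size)


def forward_with_retry(policy: RetryPolicy, pool: List[Pserver], request_size: int,
                       lb_next=round_robin) -> Tuple[Optional[int], List[Tuple[int, object]]]:
    """Forward one request, applying the retry rules. Returns the final status
    (None if every TCP attempt failed) and the list of (pserver index, outcome)."""
    # Both retry kinds apply only to requests smaller than Retry On Cache Size,
    # because FortiWeb must still hold the whole request in order to resend it.
    retry_allowed = request_size < policy.retry_on_cache_size
    tcp_budget = policy.retry_times_on_connection_failure if policy.retry_on_tcp_failure else 0
    http_budget = policy.retry_times_on_http_failure if policy.retry_on_http_failure else 0
    attempts: List[Tuple[int, object]] = []
    idx = 0
    while True:
        try:
            status = pool[idx]()
        except ConnectionError:
            attempts.append((idx, "tcp-fail"))
            if retry_allowed and tcp_budget > 0:
                tcp_budget -= 1
                idx = _next_pserver(policy, len(pool), idx, lb_next)
                continue
            return None, attempts
        attempts.append((idx, status))
        if retry_allowed and http_budget > 0 and status in policy.retry_on_http_return_codes:
            http_budget -= 1
            idx = _next_pserver(policy, len(pool), idx, lb_next)
            continue
        return status, attempts


def flaky(failures_before_success: int, status: int = 200) -> Pserver:
    """Constructed pserver that refuses the first N TCP connections, then answers."""
    remaining = [failures_before_success]

    def connect() -> int:
        if remaining[0] > 0:
            remaining[0] -= 1
            raise ConnectionError("pserver unreachable")
        return status
    return connect


def fixed(status: int) -> Pserver:
    """Constructed pserver that is always reachable and always returns `status`."""
    return lambda: status


if __name__ == "__main__":
    policy = RetryPolicy(retry_on_tcp_failure=True, retry_times_on_connection_failure=2,
                         retry_on_http_failure=True, retry_times_on_http_failure=1)
    # Single unreachable pserver recovers on the second TCP attempt.
    print(forward_with_retry(policy, [flaky(1)], request_size=512))
    # A 503 from pserver 0 is retried on pserver 1 via the load-balance selector.
    print(forward_with_retry(policy, [fixed(503), fixed(200)], request_size=512))
```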

    Web Cache

    Enable to create a web cache policy to allow FortiWeb to cache responses from your servers.

    Comments

    Type a description or other comment. The description can be up to 999 characters long.

    Scripting

    Scripting

    Enable to use Lua scripts to perform actions that are not currently supported by the built-in feature set. You can use Lua scripts to write simple, network-aware pieces of code that influence network traffic in a variety of ways. By using the scripts, you can customize FortiWeb's features by granularly controlling the traffic flow or even the contents of given sessions or packets.

    For more information, see Script Reference Guide.

    Scripting List

    Select the scripts to run.

    Security Configuration

    Monitor Mode

    Enable to override any actions included in the profiles. Instead, FortiWeb will accept all requests and generate an alert email and/or log message for all policy violations.

    This setting does not affect any rewriting or redirection actions in the protection profiles, including the action to remove poisoned cookies.

    Note: Logging and/or alert email occur only if you enable and configure them. For details, see Logging and Alert email.

    Syn Cookie

    Enable to prevent TCP SYN floods. Also configure Half Open Threshold.

    For details, see Preventing a TCP SYN flood.

    This option is available only in Reverse Proxy, True Transparent Proxy, and WCCP mode.

    ZTNA Profile

    Select the ZTNA profile you have created. For details, see Zero Trust Network Access (ZTNA).

    This option is available only when:

    • HTTPS service is selected.

    • Operation mode is Reverse Proxy.

    Half Open Threshold

    Type the TCP SYN cookie threshold in packets per second. Also configure Syn Cookie.

    Available only when the operating mode is Reverse Proxy, True Transparent Proxy, or WCCP.

    Web Protection Profile

    Select the profile to apply to the connections that this policy accepts, or select Create New to add a new profile in a pop-up window, without leaving the current page.

    For details on specific protection profiles, see one of the following topics:

    Note: The current operation mode determines which profiles are available. For details, see How operation mode affects server policy behavior.

    Note: FortiWeb does not block clients with source IP addresses designated as a trusted IP. For details, see Blocklisting & allowlisting clients using a source IP or source IP range.

    If the Deployment Mode is set to HTTP Content Routing, this option is effective when you create the list of content routing policies.

    Allow List

    Select the server policy based allow list. If a request matches the conditions in this allow list, it will be directly forwarded to the back-end server without further security scan.

    If the server policy based allow list is referenced, the global allow list will be disabled for this policy.

    If you leave this field empty, the system will use the global allow list for this server policy.

    For how to create allow list at the server policy level, see Configuring the allow list at server policy level.

    Replacement Message

    Select the replacement message to apply to the policy.

    View Profile Details

    Click to display the settings of the current profile without leaving the current page. When viewing a profile, you can also modify its settings from here.

    To return to the policy settings, click Back to Policy Settings.

    URL Case Sensitivity

    Enable to differentiate uniform resource locators (URLs) according to upper case and lower case letters for features that act upon the URLs in the headers of HTTP requests, such as IP list rules.

    For example, when this option is enabled, an HTTP request involving http://www.Example.com/ would not match profile features that specify http://www.example.com (difference is lower case “e”).

    Log Config

    Enable Traffic Log

    Enable to generate traffic log for traffic that is on this server policy. Disable to stop generating traffic log for this server policy. This field is available only when traffic log is enabled from CLI config log traffic-log, which is the global switch for traffic logs.

    • If the status is set to disable in config log traffic-log, the system won't generate traffic log even if you have enabled it in Server Policy.

    • If traffic log is:

      • Enabled in config log traffic-log,

      • Enabled in server policy A,

      • Disabled in server policy B,

      then the system will only generate traffic log for server policy A.

    Machine Learning

    Anomaly Detection

    Click Create to create an anomaly detection policy. See Enabling machine learning policy for details.

    Bot Detection

    Click Create to create a bot detection policy. See Enabling machine learning policy for details.

    Tags

    Tags

    Click the Add icon to select the tags you want to attach to this server policy. This helps in labeling server policy for future usage such as sorting, filtering and acknowledging policies.

    The tags are created in System > Tags. You can also click Create to create new tags.

  • Click OK.
  • The server policy is displayed in the list on Policy > Server Policy. Initially, it is enabled. For details on disabling a policy without deleting it, see Enabling or disabling a policy.

    Legitimate traffic should now be able to flow, while policy-violating traffic (that is, traffic that is prohibited by the settings in your policy or protection profile) may be blocked, depending on your Action settings for the rule that the traffic has violated.

    Allowlisted items are not included in policy enforcement. For details, see Configuring the global object allow list.

  • To verify the policy, test it by forming connections between legitimate clients and servers at various points within your network topology. Also attempt to send traffic that violates your policy and that should be logged, modified, or blocked.
  • If you have another FortiWeb appliance, you can use its web vulnerability scanner to verify that your policy is blocking attacks as you expect. For details, see Vulnerability scans.

    If a connection fails, you can use tools included in the firmware to determine whether the problem is local to the appliance or elsewhere on the network. For details, see Troubleshooting and Reducing false positives. Also consider troubleshooting recommendations included with each feature’s instructions.


    HTTP pipelining

    For clients that support HTTP 1.1, FortiWeb accelerates transactions by bundling them inside the same TCP connection, instead of waiting for a response before sending/receiving the next request. This can increase performance when pages containing many images, scripts, and other auxiliary files are all hosted on the same domain, and therefore logically could use the same connection.

    Many browsers used on smart phones prefer to pipeline their HTTP requests.

    When FortiWeb is operating in Reverse Proxy or True Transparent Proxy mode, it can automatically use HTTP pipelining for requests with the following characteristics:

    • HTTP version is 1.1
    • The Connection general-header field does not include the "close" option (for example, Connection: close)
    • The HTTP method is GET or HEAD

    Although it is enabled by default, you can use a CLI command to disable or re-enable HTTP pipelining for a specific server policy.

    To disable or enable HTTP pipelining
    1. Connect to the CLI.
    2. In each policy that requires it, enter these commands:

      config server-policy policy
        edit <policy_name>
          set HTTP-pipeline {enable | disable}
        next
      end

    For details, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/


    Multiplexing client connections

    By default, FortiWeb establishes a connection with the server for each client that makes a request to the server. When a client makes a request, FortiWeb creates a connection to the server for that client's request. If a second client makes a request, FortiWeb creates another connection to the server for the second client's request.

    You can configure multiplexing so that FortiWeb uses a single connection to a server for requests from multiple clients. If multiplexing is configured, when a client makes a request, FortiWeb establishes a connection to the server for that client's request. Once the request has been completed, FortiWeb caches the connection. If a second client then makes a request to the server, FortiWeb uses the cached connection for the second client's request. You can configure the circumstances in which FortiWeb caches a server connection and reuses it for requests from other clients.

    To configure multiplexing
    1. Connect to the CLI.
    2. In each policy that requires it, enter these commands:

      config server-policy server-pool
        edit <server_pool_name>
          set HTTP-reuse {aggressive | always | never | safe}
          set reuse-conn-idle-time <int>
          set reuse-conn-max-count <int>
          set reuse-conn-max-request <int>
          set reuse-conn-total-time <int>
        next
      end

    For details, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    Enabling or disabling a policy

    You can individually enable and disable policies.

    When the operation mode is Reverse Proxy, disabling a policy could block traffic if no remaining active policies match that traffic. When no policies exist or none are enabled, the FortiWeb appliance blocks all HTTP/HTTPS traffic.

    Even if you disable a server policy, it still consumes memory (RAM). If you do not plan to use the policy for some time, consider deleting it instead.

    To enable or disable a policy
    1. Go to Policy > Server Policy.
    2. In the row corresponding to the policy that you want to enable, click the switch on in the Enable column.
    3. In the row corresponding to the policy that you want to disable, click the switch off in the Enable column.

    To configure a policy
    1. Before you configure a policy, you usually should first configure any of the following that you must, or want to, include in the policy:
    2. Alternatively, you can create missing components on-the-fly while configuring the policy, without leaving the page. To do this, select Create New from each policy component’s drop-down menu.

      However, when creating many components, you can save time by leaving the policy page, going to the other menu areas, and creating similar profiles by cloning, then modifying each clone.

      Generally speaking, because policies tie other components together and apply them to client’s connections with your web servers, they should be configured last. For details, see Workflow.

  • Go to Policy > Server Policy.

    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

    A server policy also involves configuration of Tags, Traffic Log, and Machine Learning, so reading or editing an existing server policy, or creating a new one, requires not only Read Only or Read Write permission to Server Policy Configuration but also the corresponding permissions for System Configuration, Log & Report, and Machine Learning Configuration.
  • Click Create New.
  • Configure the following settings. The operation mode and Deployment Mode value determine which options are available.

    Network Configuration

    Policy Name

    Type a name that can be referenced by other parts of the configuration.

    Deployment Mode

    Select the method of distribution that the FortiWeb appliance uses when it accepts connections for this policy.

    The deployment modes that are available depend on the types of network topologies that the current operation mode supports.

    • Single Server/Server Balance—Forwards connections to a server pool. Depending on the pool configuration, FortiWeb either forwards connections to a single physical server or domain server or distributes the connection among the pool members. Also configure a Server Pool. This option is available only in Reverse Proxy mode.
    • HTTP Content Routing—Use HTTP content routing to route HTTP requests to a specific server pool. This option is available only in Reverse Proxy mode.

    Note: When HTTP Content Routing is selected, FortiWeb can handle HTTP/2 client requests, but traffic from FortiWeb to the server(s) must use HTTP, so the HTTP/2 setting in a server pool configuration would have to remain disabled. For details, see Defining your web servers.

    • Offline Protection—Allow connections to pass through the FortiWeb appliance, and apply an Offline Protection profile. Also configure a Server Pool. This option is available only in Offline Protection mode.
    • Transparent Servers—Allow connections to pass through the FortiWeb appliance, and apply a protection profile. Also configure a Server Pool. This option is available only in True Transparent Proxy or Transparent Inspection mode.
    • WCCP Servers—FortiWeb will act as a Web Cache Communication Protocol (WCCP) client that receives traffic from a FortiGate configured as a WCCP server. Also configure a Server Pool. This option is available only in WCCP mode.

    Virtual Server

    or

    Data Capture Port

    or

    V-zone

    Select the name of a virtual server, data capture (listening) network interface, or v-zone (bridge). The name and purpose of this setting varies by operation mode:

    • Virtual Server—Identifies the IP address and network interface of incoming traffic that FortiWeb routes and that the policy applies a profile to. This option is available only in Reverse Proxy mode.

    • Data Capture Port—Identifies the network interface of incoming traffic that the policy applies a profile to. The IP address is ignored. This option is available only in Offline Protection mode.

      If your FortiWeb model uses Data Plane Development Kit (DPDK) for packet processing (e.g., models 3000E, 3010E and 4000E), this option has the following limitations:

      • Only physical interfaces can be data capture ports. These models do not support VLAN subinterfaces or link aggregate interfaces as data capture ports.
      • You cannot edit the interface after you set it as a data capture port. If you need to configure the maximum transmission unit (MTU) for the interface (using the config system interface and config system v-zone CLI commands), do it before you select the interface as a data capture port.
    • V-zone—Identifies the network interface of the incoming traffic that the policy applies a profile to. This option is available in True Transparent Proxy and Transparent Inspection mode.

    HTTP Content Routing

    To specify HTTP content routing policies and options that this policy uses, click Add, then complete the following settings for each entry, or click Edit to edit an existing entry:

    • HTTP Content Routing Policy Name—The name of the policy.
    • Inherit Web Protection Profile—Specify whether FortiWeb applies the web protection profile for the server policy to connections that match the routing policy.
    • Web Protection Profile—Select the profile to apply to connections that match the routing policy. For details, see Configuring a protection profile for inline topologies.

      Note: FortiWeb does not block clients with source IP addresses designated as a trusted IP. For details, see Blocklisting & allowlisting clients using a source IP or source IP range.

    • Default—Specifies whether FortiWeb applies the specified protection profile to any traffic that does not match any HTTP content routing policy in the list.

    You can specify up to 256 HTTP content routing policies in each server policy.

    This option is available only in Reverse Proxy mode and when the Deployment Mode is HTTP Content Routing.

    Match Once

    Enable to forward subsequent requests from an identified client connection to the same server pool as the initial connection from the client.

    This option allows FortiWeb to improve its performance by skipping the process of matching HTTP header content to content routing policies for connections it has already evaluated and routed.

    This option is available only in Reverse Proxy mode and when the Deployment Mode is HTTP Content Routing.

    Server Pool

    Select the server pool whose members receive the connections. A server pool can contain a single physical server or domain server. For details, see Creating an HTTP server pool.

    This option is available only if the Deployment Mode is Single Server/Server Pool, Offline Protection, Transparent Server, or WCCP Servers.

    Caution: Multiple virtual servers/policies can forward traffic to the same server pool. If you do this, consider the total maximum load of connections that all virtual servers forward to your server pool. This configuration can multiply traffic forwarded to your server pool, which can overload them and cause dropped connections.

    Protected Hostnames

    Select a protected host names group to allow or reject connections based upon whether the Host: field in the HTTP header is empty or does or does not match the protected host names group. For details, see Defining your protected/allowed HTTP “Host:” header names.

    If you do not select a protected host names group, FortiWeb accepts or blocks requests based on other criteria in the policy or protection profile, but will not accept or block requests based on the Host: field in the HTTP header.

    Attack log messages contain HTTP Host Violation when this feature detects a hostname that is not allowed.

    Caution: Unlike HTTP 1.1, HTTP 1.0 does not require the Host: field. The FortiWeb appliance does not block HTTP 1.0 requests because they do not have this field, regardless of whether or not you have selected a protected host names group.
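The two request-level decisions the guide describes, the HTTP pipelining conditions (HTTP/1.1, no Connection: close, GET or HEAD) and the Protected Hostnames check with its HTTP/1.0 caveat, as an added example that is not FortiWeb code. Request parsing is a minimal constructed helper; treating an empty Host: value like a missing one and comparing host names case-insensitively are assumptions.

```python
# Added example (not FortiWeb code): a minimal HTTP/1.x request-head parser and
# the two checks described in the guide, run over constructed sample requests.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

HOST_VIOLATION = "HTTP Host Violation"   # attack log message named in the guide


@dataclass
class Request:
    method: str
    target: str
    version: str              # e.g. "HTTP/1.1"
    headers: Dict[str, str]   # header names lower-cased


def parse_request(raw: bytes) -> Request:
    """Parse only the request head (start line plus headers) of an HTTP/1.x message."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, version, headers)


def pipeline_eligible(req: Request) -> bool:
    """True when the request meets all three pipelining conditions from the guide."""
    if req.version != "HTTP/1.1":
        return False
    # Connection is a comma-separated token list; any "close" token disables pipelining.
    tokens = {t.strip().lower() for t in req.headers.get("connection", "").split(",")}
    if "close" in tokens:
        return False
    return req.method in ("GET", "HEAD")


def host_violation(req: Request, protected_hosts: Optional[Iterable[str]]) -> Optional[str]:
    """Return the attack-log message when the Host: header violates the protected
    host names group, else None. protected_hosts=None models 'no group selected':
    FortiWeb then makes no Host-based accept/block decision at all."""
    if protected_hosts is None:
        return None
    host = req.headers.get("host", "")          # assumption: empty value == missing
    if not host:
        # Caveat from the guide: HTTP/1.0 does not require Host:, so such
        # requests are not blocked for lacking it.
        return None if req.version == "HTTP/1.0" else HOST_VIOLATION
    # Hosts are compared as written, port included (hence the guide's advice to
    # add both domain.com and domain.com:443); case-insensitive is an assumption.
    allowed = {h.lower() for h in protected_hosts}
    return None if host.lower() in allowed else HOST_VIOLATION


if __name__ == "__main__":
    group = ["www.example.com", "www.example.com:443"]      # constructed group
    samples = [
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"GET /a HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive, close\r\n\r\n",
        b"POST /a HTTP/1.1\r\nHost: other.example\r\n\r\n",
        b"GET /a HTTP/1.0\r\n\r\n",
    ]
    for raw in samples:
        req = parse_request(raw)
        print(req.method, req.version, pipeline_eligible(req), host_violation(req, group))
```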

    Client Real IP

    By default, when the operation mode is Reverse Proxy, the source IP for connections between FortiWeb and back-end servers is the address of a FortiWeb network interface.

    If you enable Client Real IP, FortiWeb will use the source IP address of the client that originated the request when it connects to a back-end server on behalf of that client. This option is available only in Reverse Proxy mode.

    • If you set the server's IP address as the source address in a policy route, it is recommended that you do not enable Client Real IP; otherwise, your application may become inaccessible.
    • If an IPv6 virtual IP is used in this server policy, and the real server's IP address is IPv4, then Client Real IP shouldn't be enabled.

    • Client Real IP is not supported if the back-end server uses domain instead of IP address. Do not enable Client Real IP in this case.

    Note: To ensure FortiWeb receives the server's response when you enable Client Real IP, configure FortiWeb as the server’s gateway.

    The port of the client IP is used when Client Real IP is enabled. If you want to use a random port, run the following command:

    config server-policy policy
      edit <policy_name>
        set client-real-ip enable
        set client-real-ip-random-port enable
      next
    end

    It is recommended to enable the random port if all of the following are configured; otherwise it may lead to traffic disruption:

    • Deployment Mode is HTTP Content Routing
    • Match Once is disabled
    • Client Real IP is enabled
    • IP/IP Range is not specified

    IP/IP Range

    Specify an IP address or address range to directly connect to the back-end server.

    If no IP address or address range is specified when Client Real IP is enabled, FortiWeb will use the client IP address to connect to the back-end server.

    Available only when Client Real IP is enabled.

    Blocking Port

    Select which network interface FortiWeb uses to send TCP RST (connection reset) packets when it attempts to block the request or connection after it detects traffic that violates a policy. For details on blocking behavior, see Topology for Offline Protection mode.

    This option is available only in Offline Protection mode.

    HTTP Service

    Select the custom or predefined service that defines the TCP port number where the virtual server receives HTTP traffic.

    This option is available only in Reverse Proxy mode.

    HTTPS Service

    Select the custom or predefined service that defines the TCP port number where the virtual server receives HTTPS traffic. Also configure Certificate.

    Enable if requests from clients to the FortiWeb appliance or back-end servers use SSL or TLS. See also Supported cipher suites & protocol versions.

    When enabled, the FortiWeb appliance handles SSL negotiations and encryption and decryption, instead of the web servers, also known as SSL offloading. For details, see Offloading vs. inspection.

    Connections between the client and the FortiWeb appliance are encrypted. The server pool configuration specifies whether connections between the FortiWeb appliance and each web server are encrypted.

    This option is available only in Reverse Proxy mode. For other operation modes, use the server pool configuration to enable SSL inspection. For details, see Creating an HTTP server pool.

    Caution: If you do not enable an HTTPS option and provide a certificate for HTTPS connections, FortiWeb cannot decrypt connections and scan content in the HTTP body.

    Tip: FortiWeb appliances contain specialized hardware to accelerate SSL processing. Offloading SSL/TLS processing can improve the performance of secure HTTP (HTTPS) connections.

    HTTP/3 Service

    Select the custom or predefined service that defines the UDP port number where the virtual server receives HTTP/3 traffic.

    Please note that enabling HTTP/3 Service requires TLS 1.3 to be enabled under SSL Connection Settings from the Advanced SSL settings in the server policy.

    HTTP/3 Service Limitations:

    • Scope of Support

      HTTP/3 service is supported only for connections between the client and FortiWeb. Connections with the back-end server currently do not support HTTP/3.

    • Security Modules Supporting HTTP/3

      • Client Management
      • Signature
      • HTTP Protocol Constraints
      • X-Forwarded-For
      • HTTP Header Security
      • SQL/XSS Syntax Based Detection
      • Allow Method
      • URL Access
      • CORS Protection
      • XML Protection
      • JSON Protection
      • GraphQL Protection
      • OpenAPI Validation
      • DLP (Data Loss Prevention)
      • File Upload
      • Site Publish
      • User Tracking

    • Security modules not supporting HTTP/3 traffic

      • Advanced Bot Protection
      • Quarantined IP
      • Biometric based Bot Detection
      • Web Socket
      • ML based Bot Detection
      • ADFS Proxy
      • TCP Flood Prevention
      • Malicious IPs
      • gRPC Protocol Security
      • Lua Scripts

    • Operational Mode

      HTTP/3 is available only in Reverse Proxy mode.

    • Configuration Constraints

      If either of the following options is enabled in the server policy, HTTP/3 connections will hang due to a certificate verification error.

      • Advanced SSL settings > Certificate Verification for HTTPS
      • SNI Policy with Certificate Verify selected.

    HTTP/2

    Enable FortiWeb to negotiate HTTP/2 with clients via SSL ALPN (Application-Layer Protocol Negotiation) during the SSL handshake if the client's browser supports the HTTP/2 protocol. If HTTP/2 is enabled, FortiWeb will recognize HTTP/2 traffic and apply the security services to it.

    Note: This option is available only if the Deployment Mode is Single Server/Server Pool or HTTP Content Routing and HTTPS Service is configured correctly. This is because FortiWeb supports HTTP/2 only for HTTPS connections. Please keep in mind that if the Deployment Mode is HTTP Content Routing, client requests can use HTTP/2, but traffic between FortiWeb and the server(s) must use HTTP, so the HTTP/2 setting in a server pool configuration would have to remain disabled. For details, see Defining your web servers.

    To configure HTTP/2 in True Transparent Proxy mode, see HTTP/2 support.

    Certificate Type / Certificate

    Local: Select the server certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by Protected Hostnames. For details, see How to offload or inspect HTTPS.

    Multi-certificate: Select the local server certificate created in Server Objects > Certificates > Local > Multi-certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections for the website specified by Protected Hostnames. For details, see How to offload or inspect HTTPS.

    Letsencrypt: Select the Letsencrypt certificate you have created. See How to offload or inspect HTTPS and Let's Encrypt certificates.

    Please note that if you select Letsencrypt certificate, and also enable Redirect HTTP to HTTPS, make sure to add both domain.com and domain.com:443 as the accepted hosts in Protected Hostnames settings (see Defining your protected/allowed HTTP “Host:” header names).

    If Enable Server Name Indication (SNI) is selected, FortiWeb uses a Server Name Indication (SNI) configuration instead of or in addition to this server certificate.

    Available only if you specify a value for HTTPS Service.

    Certificate Intermediate Group

    Select the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to clients. An intermediate CA can complete the signing chain and validate the server certificate’s CA signature.

    Configure this option when clients receive certificate warnings that an intermediary CA has signed the server certificate specified by the selected Certificate, not a root CA or other CA currently trusted by the client directly.

    Alternatively, you can include the entire signing chain in the server certificate itself before you upload it to FortiWeb. For details, see How to offload or inspect HTTPS.

    Available only if you specify a value for HTTPS Service.

    Show/Hide advanced SSL settings

    Click to show or hide the settings that allow you to specify a Server Name Indication (SNI) configuration, increase security by disabling specific versions of TLS and SSL for this policy, and other advanced SSL settings.

    For example, if FortiWeb can use a single certificate to decrypt and encrypt traffic for all the websites that reside on the servers in a pool, you may not have to set any advanced SSL settings.

    Available only if you specify a value for HTTPS Service.

    Certificate Settings

    Certificate Verification—Select the name of a certificate verifier, if any, that FortiWeb uses to validate an HTTP client’s personal certificate.

    Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the website (PKI authentication). If a User Tracking Policy or Site Publish rule fails to track a user, FortiWeb will attempt to track a user with his or her email address provided in the client certificate via Certificate Verification.

    You can require clients to present a certificate instead of, or in addition to, HTTP authentication. For details, see Offloading HTTP authentication & authorization.

    Available only if you specify a value for HTTPS Service.

    For True Transparent Proxy mode, configure this setting in the server pool configuration instead. For details, see Certificate Verification.

    Note: The client must support TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.

    If you select Enable Server Name Indication (SNI) and the domain in the client request matches an entry in the specified SNI policy, FortiWeb uses the SNI configuration to determine which certificate verifier to use instead.

    If you do not select a verifier, clients are not required to present a personal certificate. For details, see How to apply PKI client authentication (personal certificates).

    Enable Server Name Indication (SNI)—Select to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate specified by Certificate.

    The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. For details, see How to offload or inspect HTTPS.

    If you specify both an SNI configuration and Certificate, FortiWeb uses the certificate specified by Certificate when the requested domain does not match a value in the SNI configuration.

    Available only if you specify a value for HTTPS Service and select Show advanced SSL settings.

    Enable Strict SNI—Select so that FortiWeb will ignore the Certificate when it determines which certificate to present on behalf of server pool members, even if the domain in a client request does not match a value in the SNI configuration.

    Available only if Enable Server Name Indication (SNI) is selected.

    SNI Policy—Select the Server Name Indication (SNI) configuration that determines which certificate FortiWeb presents on behalf of the members of a server pool.

    Available only if Enable Server Name Indication (SNI) is selected.

    Enable URL Based Client Certificate—Specifies whether FortiWeb uses a URL-based client certificate group to determine whether a client is required to present a personal certificate.

    If you use URL Based Client Certificate, do not select TLS 1.3 in SSL Connection Settings > Supported SSL Protocols: FortiWeb does not support URL-based certificate authentication with TLS 1.3, even when post-handshake authentication (PHA) is enabled on the client side.

    Available only if you specify a value for HTTPS Service and select Show advanced SSL settings.

    Note: This function is not supported for HTTP/2 communication between the Client and this back-end web server.

    URL Based Client Certificate Group—Specifies the URL-based client certificate group that determines whether a client is required to present a personal certificate.

    If the URL the client requests does not match an entry in the group, the client is not required to present a personal certificate.

    For information on creating a group, see Use URLs to determine whether a client is required to present a certificate.

    Available only if Enable URL Based Client Certificate is selected.

    Max HTTP Request Length—Specifies the maximum allowed length for an HTTP request with a URL that matches an entry in the URL-based client certificate group.

    FortiWeb blocks any matching requests that exceed the specified size.

    This setting prevents a request from exceeding the maximum buffer size.

    Available only if Enable URL Based Client Certificate is selected.

    SSL Connection Settings

    Enable SSL Ciphers Group: If enabled, select the cipher group you have created in Server Objects > SSL Ciphers. It's recommended to create a cipher group so that you can re-use the group settings across server policies and server pools.

    Supported SSL Protocols—Specify which versions of the SSL or TLS cryptographic protocols clients can use to connect securely to the FortiWeb appliance.

    TLS changed substantially in version 1.3, including the handshake, the supported cipher suites, and certificate handling. Make sure you understand how it works before enabling TLS 1.3.

    Note: 0-RTT (early data) in TLS 1.3 is disabled by default. You can use the following command to enable it:

    config server-policy setting

    set tls13-early-data-mode enable

    end

    For the supported ciphers of each TLS version, see Supported cipher suites & protocol versions.

    SSL/TLS Encryption Level—Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security or customized security configuration.

    If you select Customized, you can select a cipher and then use the arrow keys to move it to the appropriate list.

    For details, see Supported cipher suites & protocol versions.

    Available only if you specify a value for HTTPS Service and select Show advanced SSL settings.

    RFC-7919 Comply—Enable to apply cipher suites that comply with RFC 7919 (negotiated finite field Diffie-Hellman ephemeral parameters).

    Supported Group—Select the RFC 7919 groups to support. The Supported Group setting controls the named groups (formerly called elliptic curve parameters in TLS) that FortiWeb offers for key exchange, while the cipher suite is negotiated separately, so make sure to select the corresponding DHE ciphers in SSL/TLS Encryption Level.

    • At least one FFDHE group should be selected.

    • At least one DHE cipher should be added.

      Due to a design limitation, you need to select Customized in SSL/TLS Encryption Level and include at least one DHE cipher in the selected list. Using High or Medium together with RFC-7919 Comply leads to an unexpected error. This will be fixed in a future release.

    The system returns an error if either of the two conditions above is not met.

    RFC 7919 does not apply to TLS 1.3, so if TLS 1.3 is the only protocol enabled in Supported SSL Protocols, RFC 7919 does not take effect even if it is enabled. To use both TLS 1.3 and RFC 7919, enable at least one protocol other than TLS 1.3 and select at least one DHE cipher.

    Disable Client-Initiated SSL Renegotiation—Select to configure FortiWeb to ignore requests from clients to renegotiate TLS or SSL.

    This protects against denial-of-service (DoS) attacks that use repeated TLS/SSL renegotiation to overburden the server.

    Available only if you specify a value for HTTPS Service and select Show advanced SSL settings.

    HTTPS Header Insertion

    Client Certificate Forwarding—Enable to configure FortiWeb to include the X.509 personal certificate presented by the client during the SSL/TLS handshake, if any, in an X-Client-Cert: HTTP header when it forwards the traffic to the protected web server.

    FortiWeb still validates the client certificate itself, but forwarding it can be useful if the web server requires the client certificate for server-side identity-based functionality.

    Note: It is necessary to set Certificate Verification to make this option effective.

    Available only if you specify a value for HTTPS Service and select Show advanced SSL settings.

    Custom Header of CCF Subject—Enter a custom name for the HTTP header that carries the subject of the X.509 personal certificate presented by the client during the SSL/TLS handshake.

    Available only if Client Certificate Forwarding is selected.

    Custom Header of CCF Certificate—Enter a custom name for the HTTP header that carries the X.509 personal certificate presented by the client during the SSL/TLS handshake.

    Available only if Client Certificate Forwarding is selected.

    Add HSTS Header—Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply. For example:

    Strict-Transport-Security: max-age=31536000;includeSubDomains;preload

    This header forces clients to use HTTPS for subsequent visits to this domain. If the certificate is invalid, the client’s web browser receives a fatal connection error and does not display a dialog that allows the user to override the certificate mismatch error and continue.

    You must select a web protection profile in the server policy; otherwise, the HSTS header cannot be inserted.

    Available only if you specify a value for HTTPS Service and select Show advanced SSL settings.

    Max. Age—Specify the time to live in seconds for the HSTS header.

    Available only if Add HSTS Header is selected.

    Include Sub Domains—Enable to add the includeSubDomains directive to the HSTS header.

    Available only if Add HSTS Header is selected.

    Preload—Enable to add the preload directive to the HSTS header.

    Available only if Add HSTS Header is selected.
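    The HSTS settings above (Max. Age, Include Sub Domains, Preload) map one-to-one onto the directives of the Strict-Transport-Security header. The following is an added example, not FortiWeb code: it builds the header value those three settings would produce and parses a received header the way a reviewer would check a site, flagging short max-age values, a missing includeSubDomains directive, and a preload directive that does not meet the preload requirements. The one-year threshold is the usual preload-list minimum and is an assumption of this example.

```python
"""Build and review a Strict-Transport-Security header (RFC 6797).

Added example, not FortiWeb code. Models the three policy settings (Max. Age,
Include Sub Domains, Preload) and the checks a reviewer runs on a live header.
"""
import re

# Assumption: the preload list requires at least one year; used as the review threshold.
ONE_YEAR = 31536000

# Constructed sample: the header the setting description shows.
SAMPLE_HEADER = "max-age=31536000;includeSubDomains;preload"


def build_hsts(max_age: int, include_subdomains: bool = False, preload: bool = False) -> str:
    """Return the header value that the three settings would produce."""
    if max_age < 0:
        raise ValueError("max-age must be non-negative")
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


# One directive: name, optional '=' value (value may be quoted).
_DIRECTIVE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*"?([^";]*?)"?\s*)?$')


def parse_hsts(value: str) -> dict:
    """Parse a header value into {lower-case directive: value or None}.

    RFC 6797 section 6.1: directive names are case-insensitive, a directive must
    not appear more than once, and max-age is required.
    """
    directives = {}
    for raw in value.split(";"):
        if not raw.strip():
            continue  # tolerate a trailing ';'
        m = _DIRECTIVE.match(raw)
        if not m:
            raise ValueError(f"malformed directive: {raw!r}")
        name = m.group(1).lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = m.group(2)
    if "max-age" not in directives or not (directives["max-age"] or "").isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    return directives


def hsts_findings(value: str) -> list:
    """Return review findings for a header value; an empty list means no concerns."""
    d = parse_hsts(value)
    max_age = int(d["max-age"])
    findings = []
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is below one year; browsers drop the policy sooner")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains may still be reached over HTTP")
    if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload requires max-age >= 31536000 and includeSubDomains")
    return findings


if __name__ == "__main__":
    print(build_hsts(31536000, include_subdomains=True, preload=True))
    print(hsts_findings(SAMPLE_HEADER), hsts_findings("max-age=300; preload"))
```

    The parser rejects duplicate directives rather than silently taking the last one, so a misconfigured upstream that appends a second max-age is caught in review instead of being interpreted differently by different browsers.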

    Add HPKP Header—Select an HPKP profile, if any, to use to verify certificates when clients attempt to access a server.

    HPKP prevents attackers from carrying out Man in the Middle (MITM) attacks with forged certificates. For details, see HTTP Public Key Pinning.

    Available only if you specify a value for HTTPS Service.

    Redirect HTTP to HTTPS

    Enable to automatically redirect all HTTP requests to the HTTPS service with the same URL and parameters. If you select this option, make sure to configure HTTPS Service.

    This option can replace redirection functionality that you create using URL rewriting rules. For details, see Example: HTTP-to-HTTPS redirect.

    This option is available only in Reverse Proxy mode.

    Redirect Naked Domain

    Enable to redirect naked domain requests to “www” domain requests.

    This option is available only in Reverse Proxy mode.

    Traffic Mirror

    Enable to mirror all traffic to third-party devices according to the traffic mirror policy.

    Traffic Mirror Policy

    Select the traffic mirror policy you have created to apply to connections handled by this server policy.

    Traffic Mirror Type

    For True Transparent Proxy mode, only Client Side type is available, which only allows traffic from client side to be sent to IPS/IDS devices.

    For Reverse Proxy mode:

    • Client Side—only allow traffic from client side to be sent to IPS/IDS devices.
    • Server Side—only allow traffic from server side to be sent to IPS/IDS devices.
    • Client and Server—allow traffic from both client and server sides to be sent to IPS/IDS devices.

    Application Delivery

    Proxy Protocol

    Enable this option when proxy servers or load balancers are installed before FortiWeb, for example, when a load balancer with proxy protocol enabled is deployed before FortiWeb-VM on AWS.

    When Proxy Protocol is enabled, FortiWeb reads the client connection information (the original client address and port) from the PROXY protocol header that the upstream proxy servers or load balancers prepend to the connection.
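    The PROXY protocol header that this setting consumes is a single text line the load balancer prepends to the TCP stream. The following is an added example, not FortiWeb code: a parser for the version 1 header, plus the check a defender cares about, which is that the claimed client address is honoured only when the TCP peer is one of the known load balancers, since any other peer could prepend a forged line. The trusted-peer network and the sample stream are constructed for the example.

```python
"""Parse a PROXY protocol v1 header and decide whether to trust it.

Added example, not FortiWeb code. The v1 format is the text line
'PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\r\n' (or 'PROXY UNKNOWN\r\n'),
at most 107 bytes including CRLF.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_V1_LEN = 107  # maximum v1 header length including CRLF

# Constructed example: only headers arriving from these peers (the load
# balancers in front of the proxy) are honoured; anyone else could forge one.
TRUSTED_PEERS = (ipaddress.ip_network("10.0.1.0/24"),)

# Constructed sample stream: header from the load balancer, then the HTTP request.
SAMPLE_STREAM = b"PROXY TCP4 203.0.113.7 10.0.1.5 56324 443\r\nGET / HTTP/1.1\r\n"


@dataclass
class ProxyInfo:
    family: str
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int


def parse_proxy_v1(stream: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Return (info, remaining_bytes); info is None for 'PROXY UNKNOWN'.

    Raises ValueError for anything that is not a well-formed v1 header.
    """
    end = stream.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_LEN:
        raise ValueError("no CRLF within 107 bytes: not a v1 header")
    line, rest = stream[:end], stream[end + 2:]
    if not line.startswith(b"PROXY "):
        raise ValueError("missing PROXY signature")
    fields = line.decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":
        return None, rest  # proxied, but the balancer does not know the client address
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("bad field count or address family")
    _, family, src, dst, sport, dport = fields
    version = 4 if family == "TCP4" else 6
    for addr in (src, dst):
        if ipaddress.ip_address(addr).version != version:
            raise ValueError("address does not match declared family")
    for port in (sport, dport):
        if not port.isdigit() or not 0 <= int(port) <= 65535:
            raise ValueError("bad port")
    return ProxyInfo(family, src, dst, int(sport), int(dport)), rest


def effective_client_ip(peer_ip: str, stream: bytes) -> str:
    """Address to log and enforce policy on: header value only from trusted peers."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PEERS):
        return peer_ip  # untrusted peer: ignore whatever the line claims
    info, _ = parse_proxy_v1(stream)
    return info.src_addr if info else peer_ip


if __name__ == "__main__":
    print(parse_proxy_v1(SAMPLE_STREAM)[0])
    print(effective_client_ip("10.0.1.5", SAMPLE_STREAM))
```

    The same trust boundary applies to the appliance setting: enable Proxy Protocol only when every path to the FortiWeb listener passes through a load balancer that adds the header, because a listener that accepts the header from arbitrary peers lets a client choose the source address that its logs and IP-based rules see.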

    Retry On

    Enable to configure whether FortiWeb retries a failed TCP connection or HTTP request in Reverse Proxy mode.

    A TCP connection failure retry can help when the back-end server unexpectedly becomes unreachable. FortiWeb reconnects to the single server, or switches to another one according to the load balancing algorithm when more than one back-end server is available in the server pool.

    An HTTP layer retry can help when the back-end server can be connected to but returns certain failure response codes, such as 404, 408, 500, 501, 502, 503, and 504. FortiWeb reconnects to the single server, or switches to another one according to the load balancing algorithm when more than one back-end server is available in the server pool.

    If you have applied a session persistence configuration to the server pool that directs FortiWeb to forward subsequent packets to a back-end server based on source IP or session ID, FortiWeb adheres to that configuration and retries the connection with the same back-end server instead of switching to another one.

    Retry On TCP Connection Failure

    Enable to configure the number of retries in case of a TCP connection failure.

    Retry Times On Connection Failure

    Enter the number of times FortiWeb reconnects to the single server or switches to another back-end server (pserver). The valid range is 1-5.

    Retry On Cache Size

    Enter a cache size limit for the HTTP request packet.

    HTTP failure retry takes effect only when the request packet is smaller than this size.

    TCP connection failure retry takes effect only when the HTTP request packet in the TCP connection is smaller than this size.

    Retry On HTTP Failure

    Enable to configure the number of retries and the failure response codes in case of an HTTP failure.

    Retry Times On HTTP Failure

    Enter the number of times FortiWeb reconnects to the single server or switches to another back-end server (pserver). The valid range is 1-5.

    Retry On HTTP Return Code

    Select the failure response codes that trigger an HTTP failure retry when the back-end server (pserver) can be connected to but returns one of these codes.
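    The Retry On settings above interact in a way that is easier to see as code. The following is an added example, not FortiWeb code: a model of the retry loop with the rules from the settings text, namely a 1-5 retry budget for TCP connection failures and another for listed HTTP status codes, a switch to the next pool member unless session persistence pins the client, and no retry at all when the request is not smaller than the Retry On Cache Size. The round-robin choice, the pool names and the scripted back end are constructed for the example; the appliance's own load-balancing algorithm is whatever the server pool configures.

```python
"""Model of the 'Retry On' behaviour for a reverse proxy.

Added example, not FortiWeb code. send(server, request) returns an HTTP status
code or raises ConnectFailure; the caller supplies it, so the model runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


class ConnectFailure(Exception):
    """The back-end server could not be reached at the TCP layer."""


SendFn = Callable[[str, bytes], int]


@dataclass
class RetryPolicy:
    pool: List[str]
    retry_on_tcp: bool = True
    tcp_retries: int = 3                 # Retry Times On Connection Failure (1-5)
    retry_on_http: bool = True
    http_retries: int = 3                # Retry Times On HTTP Failure (1-5)
    retry_codes: Tuple[int, ...] = (502, 503, 504)  # Retry On HTTP Return Code
    cache_size: int = 8192               # Retry On Cache Size: request must be smaller
    session_persistence: bool = False    # pool has source-IP / session-ID persistence
    _rr: int = field(default=0, repr=False)

    def __post_init__(self) -> None:
        if not self.pool:
            raise ValueError("pool must not be empty")
        for n in (self.tcp_retries, self.http_retries):
            if not 1 <= n <= 5:
                raise ValueError("retry times must be in 1-5")

    def _next_server(self, current: str) -> str:
        """Persistence pins the client to the same server; otherwise round-robin."""
        if self.session_persistence or len(self.pool) == 1:
            return current
        self._rr = (self._rr + 1) % len(self.pool)
        return self.pool[self._rr]

    def forward(self, request: bytes, send: SendFn) -> Optional[int]:
        """Return the status delivered to the client, or None if every attempt failed."""
        retryable = len(request) < self.cache_size  # oversize requests are never replayed
        tcp_left = self.tcp_retries if (self.retry_on_tcp and retryable) else 0
        http_left = self.http_retries if (self.retry_on_http and retryable) else 0
        server = self.pool[self._rr]
        while True:
            try:
                status = send(server, request)
            except ConnectFailure:
                if tcp_left == 0:
                    return None
                tcp_left -= 1
                server = self._next_server(server)
                continue
            if status in self.retry_codes and http_left > 0:
                http_left -= 1
                server = self._next_server(server)
                continue
            return status


if __name__ == "__main__":
    # Constructed back end: srv-a is down, srv-b overloaded, srv-c healthy.
    def demo_send(server: str, request: bytes) -> int:
        if server == "srv-a":
            raise ConnectFailure()
        return 503 if server == "srv-b" else 200

    policy = RetryPolicy(pool=["srv-a", "srv-b", "srv-c"], tcp_retries=2, http_retries=2)
    print(policy.forward(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n", demo_send))
```

    Two points the model makes explicit: with persistence enabled an HTTP retry is repeated against the same failing server and simply burns the retry budget, and a request at or above the cache size gets a single attempt, so a large POST to an unreachable member fails immediately even when retries are configured.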

    Web Cache

    Enable to create a web cache policy to allow FortiWeb to cache responses from your servers.

    Comments

    Type a description or other comment. The description can be up to 999 characters long.

    Scripting

    Scripting

    Enable to use Lua scripts to perform actions that are not currently supported by the built-in feature set. You can use Lua scripts to write simple, network-aware pieces of code that influence network traffic in a variety of ways. With scripts, you can customize FortiWeb's features by granularly controlling the traffic flow, or even the contents of given sessions or packets.

    For more information, see Script Reference Guide.

    Scripting List

    Select the scripts to run.

    Security Configuration

    Monitor Mode

    Enable to override any actions included in the profiles. Instead, FortiWeb will accept all requests and generate an alert email and/or log message for all policy violations.

    This setting does not affect any rewriting or redirection actions in the protection profiles, including the action to remove poisoned cookies.

    Note: Logging and/or alert email occur only if you enable and configure them. For details, see Logging and Alert email.

    Syn Cookie

    Enable to prevent TCP SYN floods. Also configure Half Open Threshold.

    For details, see Preventing a TCP SYN flood.

    This option is available only in Reverse Proxy, True Transparent Proxy, and WCCP mode.

    ZTNA Profile

    Select the ZTNA profile you have created. For details, see Zero Trust Network Access (ZTNA)

    This option is available only when:

    • HTTPS service is selected.

    • Operation mode is Reverse Proxy.

    Half Open Threshold

    Type the TCP SYN cookie threshold in packets per second. Also configure Syn Cookie.

    Available only when the operating mode is Reverse Proxy, True Transparent Proxy, or WCCP.

    Web Protection Profile

    Select the profile to apply to the connections that this policy accepts, or select Create New to add a new profile in a pop-up window, without leaving the current page.

    For details on specific protection profiles, see one of the following topics:

    Note: The current operation mode determines which profiles are available. For details, see How operation mode affects server policy behavior.

    Note: FortiWeb does not block clients with source IP addresses designated as trusted IPs. For details, see Blocklisting & allowlisting clients using a source IP or source IP range.

    If the Deployment Mode is set to HTTP Content Routing, this option is effective when you create the list of content routing policies.

    Allow List

    Select the server policy based allow list. If a request matches the conditions in this allow list, it is forwarded directly to the back-end server without further security scanning.

    If the server policy based allow list is referenced, the global allow list will be disabled for this policy.

    If you leave this field empty, the system will use the global allow list for this server policy.

    For how to create an allow list at the server policy level, see Configuring the allow list at server policy level.

    Replacement Message

    Select the replacement message to apply to the policy.

    View Profile Details

    Click to display the settings of the current profile without leaving the current page. When viewing a profile, you can also modify its settings from here.

    To return to the policy settings, click Back to Policy Settings.

    URL Case Sensitivity

    Enable to differentiate uniform resource locators (URLs) according to upper case and lower case letters for features that act upon the URLs in the headers of HTTP requests, such as IP list rules.

    For example, when this option is enabled, an HTTP request involving http://www.Example.com/ would not match profile features that specify http://www.example.com (difference is lower case “e”).

    Log Config

    Enable Traffic Log

    Enable to generate traffic logs for traffic handled by this server policy. Disable to stop generating traffic logs for this server policy. This field is available only when the traffic log is enabled in the CLI command config log traffic-log, which is the global switch for traffic logs.

    • If the status is set to disable in config log traffic-log, the system does not generate traffic logs even if you have enabled them in the server policy.

    • If traffic log is:

      • Enabled in config log traffic-log,

      • Enabled in server policy A,

      • Disabled in server policy B,

      then the system generates traffic logs only for server policy A.

    Machine Learning

    Anomaly Detection

    Click Create to create an anomaly detection policy. See Enabling machine learning policy for details.

    Bot Detection

    Click Create to create a bot detection policy. See Enabling machine learning policy for details.

    Tags

    Tags

    Click the Add icon to select the tags you want to attach to this server policy. Tags label server policies for later use, such as sorting, filtering, and acknowledging policies.

    The tags are created in System > Tags. You can also click Create to create new tags.

  • Click OK.
  • The server policy is displayed in the list on Policy > Server Policy. Initially, it is enabled. For details on disabling a policy without deleting it, see Enabling or disabling a policy.

    Legitimate traffic should now be able to flow, while policy-violating traffic (that is, traffic that is prohibited by the settings in your policy or protection profile) may be blocked, depending on your Action settings for the rule that the traffic has violated.

    Allowlisted items are not included in policy enforcement. For details, see Configuring the global object allow list.

  • To verify the policy, test it by forming connections between legitimate clients and servers at various points within your network topology. Also attempt to send traffic that violates your policy and that should be logged, modified, or blocked.
  • If you have another FortiWeb appliance, you can use its web vulnerability scanner to verify that your policy is blocking attacks as you expect. For details, see Vulnerability scans.

    If a connection fails, you can use tools included in the firmware to determine whether the problem is local to the appliance or elsewhere on the network. For details, see Troubleshooting and Reducing false positives. Also consider troubleshooting recommendations included with each feature’s instructions.


    HTTP pipelining

    For clients that support HTTP 1.1, FortiWeb accelerates transactions by bundling them inside the same TCP connection, instead of waiting for a response before sending/receiving the next request. This can increase performance when pages containing many images, scripts, and other auxiliary files are all hosted on the same domain, and therefore logically could use the same connection.

    Many browsers used on smart phones prefer to pipeline their HTTP requests.

    When FortiWeb is operating in Reverse Proxy or True Transparent Proxy mode, it can automatically use HTTP pipelining for requests with the following characteristics:

    • HTTP version is 1.1
    • The Connection general-header field does not include the "close" token (that is, the request does not carry Connection: close)
    • The HTTP method is GET or HEAD

    Although it is enabled by default, you can use a CLI command to disable or re-enable HTTP pipelining for a specific server policy.
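    The three criteria above are decided per request, even though pipelined requests arrive back to back on one TCP connection. The following is an added example, not FortiWeb code: it splits a constructed byte stream of pipelined HTTP/1.x requests, honouring Content-Length so body bytes are never mistaken for the next request line, and applies the criteria (HTTP/1.1, GET or HEAD, no "close" token in Connection) to each one. It rejects ambiguous framing (chunked bodies, whitespace before a header colon) rather than guessing, since a splitter that guesses is where request smuggling lives.

```python
"""Split a pipelined HTTP/1.x stream and apply the pipelining criteria.

Added example, not FortiWeb code. The sample stream is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: five requests pipelined on one connection. Only the first
# two meet all three criteria; the POST, the Connection: close request and the
# HTTP/1.0 request each fail one of them.
SAMPLE_STREAM = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    b"HEAD /logo.png HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n\r\n"
    b"POST /api HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n\r\nhello"
    b"GET /last HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n"
    b"GET /old HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
)


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str]   # lower-cased field names
    body: bytes

    def pipelinable(self) -> bool:
        """The three criteria from the text: version, method, and no 'close' token."""
        tokens = {t.strip().lower() for t in self.headers.get("connection", "").split(",")}
        return (self.version == "HTTP/1.1"
                and self.method in ("GET", "HEAD")
                and "close" not in tokens)


def split_pipelined(stream: bytes) -> List[Request]:
    """Parse every complete request in a stream of back-to-back requests."""
    requests: List[Request] = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            raise ValueError("incomplete request head")
        lines = stream[pos:head_end].decode("iso-8859-1").split("\r\n")
        try:
            method, target, version = lines[0].split(" ")
        except ValueError:
            raise ValueError(f"malformed request line: {lines[0]!r}") from None
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            # Whitespace around the field name is invalid framing; reject it.
            if not sep or not name or name != name.strip():
                raise ValueError(f"malformed header: {line!r}")
            headers[name.lower()] = value.strip()
        if "transfer-encoding" in headers:
            raise ValueError("chunked bodies are not handled in this example")
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        body = stream[body_start:body_start + length]
        if len(body) != length:
            raise ValueError("truncated body")
        requests.append(Request(method, target, version, headers, body))
        pos = body_start + length
    return requests


def pipelinable_count(stream: bytes) -> int:
    """How many requests in the stream FortiWeb's criteria would pipeline."""
    return sum(1 for r in split_pipelined(stream) if r.pipelinable())


if __name__ == "__main__":
    for r in split_pipelined(SAMPLE_STREAM):
        print(r.method, r.target, r.version, r.pipelinable())
```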

    To disable or enable HTTP pipelining
    1. Connect to the CLI.
    2. In each policy that requires it, enter these commands:

      config server-policy policy

      edit <policy_name>

      set HTTP-pipeline {enable | disable}

      next

      end

    For details, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/


    Multiplexing client connections

    By default, FortiWeb establishes a connection with the server for each client that makes a request to the server. When a client makes a request, FortiWeb creates a connection to the server for that client's request. If a second client makes a request, FortiWeb creates another connection to the server for the second client's request.

    You can configure multiplexing so that FortiWeb uses a single connection to a server for requests from multiple clients. If multiplexing is configured, when a client makes a request, FortiWeb establishes a connection to the server for that client's request. Once the request has been completed, FortiWeb caches the connection. If a second client then makes a request to the server, FortiWeb uses the cached connection for the second client's request. You can configure the circumstances in which FortiWeb caches a server connection and reuses it for requests from other clients.

    To configure multiplexing
    1. Connect to the CLI.
    2. In each policy that requires it, enter these commands:

    config server-policy server-pool

    edit <server_pool_name>

    set HTTP-reuse {aggressive | always | never | safe}

    set reuse-conn-idle-time <int>

    set reuse-conn-max-count <int>

    set reuse-conn-max-request <int>

    set reuse-conn-total-time <int>

    next

    end

    For details, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/
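    The four reuse-conn options above bound how long a cached server connection may be shared. The following is an added example, not FortiWeb code: a connection cache whose limits are named after those options (idle time, cached count per server, requests per connection, total lifetime). The semantics are this example's interpretation of the option names, not the appliance's implementation, and the clock is injected so the behaviour can be checked offline.

```python
"""Connection-reuse cache bounded by idle time, count, request count and lifetime.

Added example, not FortiWeb code. Limits are named after the CLI options but the
semantics are an interpretation for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class ServerConn:
    conn_id: int
    opened_at: float
    last_used: float
    requests: int = 0


@dataclass
class ReusePool:
    idle_time: float = 30.0    # reuse-conn-idle-time: seconds a cached connection may sit unused
    max_count: int = 4         # reuse-conn-max-count: cached connections kept per server
    max_request: int = 100     # reuse-conn-max-request: requests served before retirement
    total_time: float = 600.0  # reuse-conn-total-time: lifetime of a connection in seconds
    now: Callable[[], float] = lambda: 0.0   # injected clock
    _idle: Dict[str, List[ServerConn]] = field(default_factory=dict)
    _next_id: int = 0
    opened: int = 0            # counters a reviewer would graph: new connects vs. reuse
    reused: int = 0

    def _usable(self, c: ServerConn, t: float) -> bool:
        return (t - c.last_used <= self.idle_time
                and t - c.opened_at <= self.total_time
                and c.requests < self.max_request)

    def acquire(self, server: str) -> ServerConn:
        """Hand out a cached connection to `server` if one is still usable, else open one."""
        t = self.now()
        cached = self._idle.setdefault(server, [])
        # Connections that expired while idle are closed, not reused.
        cached[:] = [c for c in cached if self._usable(c, t)]
        if cached:
            conn = cached.pop()
            self.reused += 1
        else:
            self._next_id += 1
            conn = ServerConn(self._next_id, opened_at=t, last_used=t)
            self.opened += 1
        return conn

    def release(self, server: str, conn: ServerConn) -> bool:
        """Return a connection after one request; True if it was cached for another client."""
        t = self.now()
        conn.requests += 1
        conn.last_used = t
        cached = self._idle.setdefault(server, [])
        if not self._usable(conn, t) or len(cached) >= self.max_count:
            return False  # closed: retired by request count, lifetime, or a full cache
        cached.append(conn)
        return True


if __name__ == "__main__":
    import time
    pool = ReusePool(now=time.monotonic)
    c = pool.acquire("srv-a")
    print("cached:", pool.release("srv-a", c), "reused on next acquire:", pool.acquire("srv-a") is c)
```

    Because a cached connection is handed to the next client regardless of who opened it, anything the back end ties to the connection rather than to the request (connection-level authentication state, for instance) would leak between clients; the request-count and lifetime limits bound that exposure but do not remove it, which is why the setting is per server pool rather than global.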

    Enabling or disabling a policy

    You can individually enable and disable policies.

    When the operation mode is Reverse Proxy, disabling a policy could block traffic if no remaining active policies match that traffic. When no policies exist or none are enabled, the FortiWeb appliance blocks all HTTP/HTTPS traffic.

    Even if you disable a server policy, it still consumes memory (RAM). If you do not plan to use the policy for some time, consider deleting it instead.

    To enable or disable a policy
    1. Go to Policy > Server Policy.
    2. In the row corresponding to the policy that you want to enable, click the switch on in the Enable column.
    3. In the row corresponding to the policy that you want to disable, click the switch off in the Enable column.