Administration Guide

Introduction
New Features in 7.6.x releases
- WAF features
- Server Objects
- Authentication
- Network
  - Warning message upon port exhaustion (7.6.0)
- System
- Log, FortiView, and Debug
- High Availability
- Maximum value changes (7.6.1)
- Security Fabric: Automation (7.6.0)
- Ingress Controller enhancements (7.6.0)
Key concepts
- Workflow
- Sequence of scans
- IPv6 support
- Solutions for specific web attacks
- HTTP/2 support
- HTTP sessions & security
- FortiWeb high availability (HA)
- Administrative domains (ADOMs)
- How to use the web UI
- Shutdown
How to set up your FortiWeb
- Appliance vs. VMware
- Registering your FortiWeb
- Planning the network topology
- Connecting to the web UI or CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time & date
- Setting the operation mode
- Feature visibility
- Configuring High Availability (HA) basic settings
  - HA heartbeat & active node election
  - Synchronization
- Replicating the configuration without FortiWeb HA (external HA)
- Configuring the network settings
- Configuring DNS settings
- Configuring HA settings specifically for active-passive and standard active-active modes
- Configuring HA settings specifically for high volume active-active mode
- Defining your web servers & load balancers
  - Defining your protected/allowed HTTP “Host:” header names
  - Defining your web servers
  - Defining your proxies, clients, & X-headers
  - Defining your network services
  - Configuring virtual servers on your FortiWeb
  - Enabling or disabling traffic forwarding to your servers
- Configuring FortiWeb to receive traffic via WCCP
- Configuring basic policies
- Testing your installation
- Switching out of Offline Protection mode
Policies
- How operation mode affects server policy behavior
- Configuring the global object allow list
- Configuring the allow list at server policy level
- Configuring a protection profile for inline topologies
- Generating a protection profile using scanner reports
- Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
- Configuring client management
- Configuring an HTTP server policy
- Configuring traffic mirror
- ADFS Proxy
- Configuring FTP security
Secure connections (SSL/TLS)
- Offloading vs. inspection
- Supported cipher suites & protocol versions
  - Supported cipher suites - for connections between FortiWeb and the clients
  - Supported cipher suites - for connection between FortiWeb and back-end servers
- CA certificates
- How to offload or inspect HTTPS
- Forcing clients to use HTTPS
- HTTP Public Key Pinning
- How to apply PKI client authentication (personal certificates)
- Seamless PKI integration
- Revoking certificates
- How to export/back up certificates & private keys
- How to change FortiWeb's default certificate
- OCSP-Based certificate revocation check
Users
- Authentication styles
- Offloading HTTP authentication & authorization
- Creating reCAPTCHA servers
Application delivery
- Rewriting & redirecting
- Compression
- Site Publishing (Single sign-on)
- Caching
  - What can be cached?
- Acceleration
- Scripting
- Waiting room
  - Customizing waiting room display page
Web protection
- Blocking known attacks
- Advanced protection
- Cookie security
- Input validation
- Protocol constraints
- Access control
- ML Based Anomaly Detection
  - Viewing domain data
  - Viewing anomaly detection log
- Anti-defacement
- Data Loss Prevention
Zero Trust Network Access (ZTNA)
- Configuring FortiClient EMS Connector for ZTNA
- Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- Referencing ZTNA profile in a server policy
- ZTNA troubleshooting and debugging
Bot mitigation
- Configuring threshold based detection
- Configuring biometrics based detection
- Configuring bot deception
- Configuring known bots
- Configuring bot mitigation policy
- Configuring ML Based Bot Detection policy
  - Viewing bot detection model status
  - Viewing the bot detection violations
- Configuring Advanced Bot Protection policy
- Exception Policy
API Protection
- Configuring JSON protection
- Configuring XML protection
- Configuring GraphQL protection
  - Creating GraphQL protection rules
  - Creating GraphQL protection policy
- OpenAPI Validation
- Configuring mobile API protection
- API gateway
- Configuring ML Based API Protection policy
DoS protection
- DoS prevention
- Preventing slow and low attacks
- Exception Policy
IP Protection
- GEO IP - Blocklisting & whitelisting countries & regions
- IP List - Blocklisting & whitelisting clients using a source IP or source IP range
- IP Reputation - Blocklisting source IPs with poor reputation
- Creating IP groups
Tracking
- Compliance
Administrators
- Configuring access profiles
- Grouping remote authentication queries and certificates for administrators
- Changing an administrator’s password
- Configuring SSL certificate for the administrator access to FortiWeb GUI via HTTPS
- Certificate-based Web UI login
Advanced/optional system settings
- Changing the FortiWeb appliance’s host name
- Fail-to-wire for power loss/reboots
- Customizing error and authentication pages (replacement messages)
- Configuring machine-learning URL replacer policy
- Configuring the integrated firewall
  - Network address translation (NAT)
- Advanced settings
- Backup & restore
Dashboard
- Status dashboard
- Monitors
Log&Report
- Logging
- Alert email
- SNMP traps & queries
- Reports
- Debug log
- FortiGuard updates
- Analyzing attack logs in FortiWeb Cloud Threat Analytics
Security Fabric
- Fabric Connectors
  - FortiGSLB
  - Single Sign On (SSO)
    - FortiGate SSO
    - Single Sign On with Azure
- External connectors
- Automation
Ingress Controller
Fine-tuning & best practices
- Hardening security
- Improving performance
- Improving fault tolerance
- Reducing false positives
- Regular backups
- Downloading logs in RAM before shutdown or reboot
Troubleshooting
- Introduction
- Troubleshooting outline
- Diagnosing server-policy connectivity issues
- Diagnosing system issues
- Diagnose software function issues
- Diagnose hardware issues
- System tools & diagnose commands
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: FortiWeb-VM licenses
Appendix D: Supported RFCs, W3C, & IEEE standards
Appendix E: Regular expressions
Appendix F: How to purchase and renew FortiGuard licenses
Appendix G: Supported image versions for EOS models

Home FortiWeb 7.6.1 Administration Guide

7.6.1

Scanning for sensitive data leakage in API endpoints (7.6.1)

The ML-based API Protection module now supports the scanning sensitive data leakage in API endpoints. This new enhancement adds another layer of identification and visibility into potential exposure of sensitive information in API requests and responses.

This feature has two key components:

Built-in Sensitive Data Detection: FortiWeb scans API requests and responses for specific data types, including personal data, files, and more, providing instant detection and highlighting of sensitive information.
Integration with FortiGuard Data Loss Prevention (DLP) Service: With ML-based API Protection integrating with FortiGuard’s extensive, customizable database of over 500 predefined data patterns and policies, it simplifies DLP deployment and enhances API protection. The FortiGuard DLP service database is continuously updated to incorporate the latest in network security intelligence, ensuring up-to-date data protection. Note that the DLP service scan is applied to API responses only.

This requires subscription to FortiGuard DLP service (part of the FortiWeb Enterprise Bundle).

Enabling the FortiGuard DLP service

The FortiGuard DLP service is already supported by the Data Loss Prevention module. If you have enabled the FortiGuard DLP service within this module, no further action is needed.

If not, you can contact Fortinet sales team to purchase a separate FortiGuard DLP service license, or a bundled license which combines the FortiGuard DLP service and FortiGuard Advanced Bot Protection service.

Update FortiGuard DLP database

Register your license at the Fortinet Customer Service & Support website: https://support.fortinet.com. For information on how to register, see this article.
Log in to FortiWeb. Go to System > Config > FortiGuard. Check the status of the FortiGuard DLP service license.
The system will automatically update the DLP database from FortiGuard. If it's not up-to-date, click Update Now under the FortiWeb Update Service Options section on the System > Config > FortiGuard page, or you can run the following command.
# execute update dldb

The following command is for enabling or disabling FortiGuard DLP service database update. It's by default enabled.

config system fortiguard

set update-dldb {enable | disable}

end

How does the DLP service work in ML-based API Protection

FortiWeb automatically scans API responses for Data Loss Prevention (DLP) violations. This process runs automatically and does not require any DLP configuration within the ML-based API protection settings.

The DLP service scans for the following data types (including but not limited to) in API response.

If a DLP violation is detected on a specific API path, FortiWeb highlights the corresponding warnings in orange for easy identification.

In addition to the DLP service, the ML-based API Protection feature has its own sensitive data type scan for both API request and response. It scans for the following data types:

Address: Country/region, zip code.
Automotive: Vehicle Identification Number.
Financial info: Credit card number.
Personal info: Phone number, email address, passport number, Social Security Number (SSN), and driver license number.
Internet: Host name, IPv4, and IPv6 addresses.
File: Image file.
Time: Date.
ID: UUID

When any of these data types are detected in an API request or response, FortiWeb highlights them in blue for quick identification.