FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Introduction
New Features in 7.6.x releases
- WAF features
- Server Objects
- Sever policy
  - Client certificate verification in FTPS connections (7.6.1)
- Authentication
- Network
  - Warning message upon port exhaustion (7.6.0)
- System
- Log, FortiView, and Debug
- High Availability
- Security Fabric: Automation (7.6.0)
- Ingress Controller enhancements (7.6.0)
- Disk expansion (7.6.2)
Key concepts
- Workflow
- Sequence of scans
- IPv6 support
- Solutions for specific web attacks
- HTTP/2 support
- HTTP sessions & security
- FortiWeb high availability (HA)
- Administrative domains (ADOMs)
- How to use the web UI
- Shutdown
How to set up your FortiWeb
- Appliance vs. VMware
- Registering your FortiWeb
- Planning the network topology
- Connecting to the web UI or CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time & date
- Setting the operation mode
- Feature visibility
- Configuring High Availability (HA) basic settings
  - HA heartbeat & active node election
  - Synchronization
- Replicating the configuration without FortiWeb HA (external HA)
- Configuring the network settings
- Configuring DNS settings
- Configuring HA settings specifically for active-passive and standard active-active modes
- Configuring HA settings specifically for high volume active-active mode
- Defining your web servers & load balancers
  - Defining your protected/allowed HTTP “Host:” header names
  - Defining your web servers
  - Defining your proxies, clients, & X-headers
  - Defining your network services
  - Configuring virtual servers on your FortiWeb
  - Enabling or disabling traffic forwarding to your servers
- Configuring FortiWeb to receive traffic via WCCP
- Configuring basic policies
- Testing your installation
- Switching out of Offline Protection mode
Policies
- How operation mode affects server policy behavior
- Configuring the global object allow list
- Configuring the allow list at server policy level
- Configuring a protection profile for inline topologies
- Generating a protection profile using scanner reports
- Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
- Configuring client management
- Configuring an HTTP server policy
- Configuring traffic mirror
- ADFS Proxy
- Configuring FTP security
Secure connections (SSL/TLS)
- Offloading vs. inspection
- Supported cipher suites & protocol versions
  - Supported cipher suites - for connections between FortiWeb and the clients
  - Supported cipher suites - for connection between FortiWeb and back-end servers
- CA certificates
- How to offload or inspect HTTPS
- Forcing clients to use HTTPS
- HTTP Public Key Pinning
- How to apply PKI client authentication (personal certificates)
- Seamless PKI integration
- Revoking certificates
- How to export/back up certificates & private keys
- How to change FortiWeb's default certificate
- OCSP-Based certificate revocation check
Users
- Authentication styles
- Offloading HTTP authentication and authorization
- Creating reCAPTCHA servers
Application delivery
- Rewriting & redirecting
- Compression
- Site Publishing (Single sign-on)
- Caching
  - What can be cached?
- Acceleration
- Scripting
- Waiting room
  - Customizing waiting room display page
Web protection
- Blocking known attacks
- Advanced protection
- Cookie security
- Input validation
- Protocol constraints
- Access control
- ML Based Anomaly Detection
  - Viewing domain data
  - Viewing anomaly detection log
- Anti-defacement
- Data Loss Prevention
Zero Trust Network Access (ZTNA)
- Configuring FortiClient EMS Connector for ZTNA
- Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- Referencing ZTNA profile in a server policy
- ZTNA troubleshooting and debugging
Bot mitigation
- Configuring threshold based detection
- Configuring biometrics based detection
- Configuring bot deception
- Configuring known bots
- Configuring bot mitigation policy
- Configuring ML Based Bot Detection policy
  - Viewing bot detection model status
  - Viewing the bot detection violations
- Configuring Advanced Bot Protection policy
- Exception Policy
API Protection
- Configuring JSON protection
- Configuring XML protection
- Configuring GraphQL protection
  - Creating GraphQL protection rules
  - Creating GraphQL protection policy
- OpenAPI Validation
- Configuring mobile API protection
- API gateway
- Configuring ML Based API Protection policy
DoS protection
- DoS prevention
- Preventing slow and low attacks
- Exception Policy
IP Protection
- GEO IP - Blocklisting & whitelisting countries & regions
- IP List - Blocklisting & whitelisting clients using a source IP or source IP range
- IP Reputation - Blocklisting source IPs with poor reputation
- Creating IP groups
Tracking
- Compliance
Administrators
- Configuring access profiles
- Grouping remote authentication queries and certificates for administrators
- Changing an administrator’s password
- Configuring SSL certificate for the administrator access to FortiWeb GUI via HTTPS
- Certificate-based Web UI login
Advanced/optional system settings
- Changing the FortiWeb appliance’s host name
- Fail-to-wire for power loss/reboots
- Customizing error and authentication pages (replacement messages)
- Configuring machine-learning URL replacer policy
- Configuring the integrated firewall
  - Network address translation (NAT)
- Advanced settings
- Backup & restore
Dashboard
- Status dashboard
- Monitors
Log&Report
- Logging
- Alert email
- SNMP traps & queries
- Reports
- Debug log
- FortiGuard updates
- Analyzing attack logs in FortiWeb Cloud Threat Analytics
Security Fabric
- Fabric Connectors
  - FortiGSLB
  - Single Sign On (SSO)
    - FortiGate SSO
    - Single Sign On with Azure
- External connectors
- Automation
Ingress Controller
Security Operations Center-as-a-Service (SOCaaS)
Fine-tuning & best practices
- Hardening security
- Improving performance
- Improving fault tolerance
- Reducing false positives
- Regular backups
- Downloading logs in RAM before shutdown or reboot
Troubleshooting
- Introduction
- Troubleshooting outline
- Diagnosing server-policy connectivity issues
- Diagnosing system issues
- Diagnose software function issues
- Diagnose hardware issues
- System tools & diagnose commands
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: FortiWeb-VM licenses
Appendix D: Supported RFCs, W3C, & IEEE standards
Appendix E: Regular expressions
Appendix F: How to purchase and renew FortiGuard licenses
Appendix G: Supported image versions for EOS models

Home FortiWeb 7.6.2 Administration Guide

7.6.2

Let's Encrypt certificates

Instead of uploading CA certificate from your local directory, an easier way is to configure FortiWeb to obtain a certificate from Let's encrypt on behalf of your application.

Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge.

Before adding a Let's Encrypt certificate, you must:

You must have changed the DNS entry to map your domain name with FortiWeb's IP address.
You should not block requests from United States in IP Protection > Geo IP Block, otherwise FortiWeb can't retrieve certificates from Let's Encrypt.

To use certificate issued by Let's Encrypt:

To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.

Go to Server Objects > Certificates > Letsencrypt.
Click Create New.
Enter a name for this certificate.
Enter the domain name of your application. FortiWeb will then retrieve the certificate for this domain from Let's encrypt.
- Wildcard is supported when the type is DNS-01. The wildcard only matches with the string within the same domain level, for example, "a.example.com" matches with “*.example.com”, while "a.a.example.com" doesn't.
- It's allowed to add more domain names by creating Subject Alternative Names (SAN). Up to 99 SAN items are supported. Make sure the domain names in the two places do not overlap, for example, "*.wc_letsacme.net" can't be added together with "a.wc_letsacme.net".
Select Type.
- HTTP-01: Let's Encrypt will send HTTP request to FortiWeb for validation.
  When in RP mode, you must select HTTP service and uses port 80 for it in the server policy which uses the Let's Encrypt certificate.
  When in TTP mode, the back-end server which uses Letsencrypt certificate should have port 80 enabled.
  Redirect HTTP to HTTPS should not be enabled when the validation is in process.
- TLS-ALPN: This method allows Let's Encrypt to send HTTPS requests to FortiWeb for validation. You must select HTTPS service in the server policy which uses the Let's Encrypt certificate.
- DNS-01: This method allows Let's Encrypt to do validation through your DNS provider. FortiWeb will generate a TXT record, then you need to add this TXT record to the DNS record. Refer to Fulfilling the DNS-01 challenge.
Select Key Type. RSA algorithm with different key length can be implemented and accepted by the Let’s Encrypt Server. Those key sizes are 2048, 3072, and 4096 bits. Please note that larger keys consume more computing resources, however, achieve better security.
Set the Renew Period.
The certificate expires every 90 days. The Renew Period specified how many days in advance that FortiWeb will renew the certificate from Let’s Encrypt before it expires. For example, if Renew Period is 10 days, then FortiWeb will renew the certificate 10 days before it expires.
Certificates generated by the DNS-01 challenge cannot be renewed automatically. Please manually renew the certificate before it expires.
Click OK.
To add more domains, click Create New to add Subject Alternative Names (SAN).
- Up to 99 SAN items are supported.
- Make sure the domain names do not overlap, for example, "*.wc_letsacme.net" can't be added together with "a.wc_letsacme.net".
- All domain names must point to the same public IP address.
Refer the letsencrypt certificate:
1. When in RP mode, refer it in server policy (see Configuring an HTTP server policy), or refer it through an SNI (see Let's Encrypt certificates) in server policy.
2. When in TTP mode, refer it in back-end server, or refer it through an SNI (see Let's Encrypt certificates) when adding a back-end server. The back-end server should be in the server pool which is referenced in the desired server policy.

FortiWeb obtains an TLS certificate on your behalf from Let’s Encrypt and uses it for the HTTPS connections with the client to encrypt or decrypt the traffic. If FortiWeb fails to obtain the certificate, it will try again every 2 hours until the certificate is successfully obtained.

You can also manually obtain the certificate by clicking the Issue button. FortiWeb will obtain the certificate immediately.

To delete the certificate from FortiWeb, click the Revoke button.

Please note that Let's Encrypt only allows 5 times of certificate obtaining failure per hour for each hostname and account. If the following error message displays, it means you have retrieved the certificate too frequently.

"type": "urn:ietf:params:acme:error:rateLimited",

"detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/"

After the certificate is successfully retrieved, you can refer it in the Server Policy settings.

In HA deployment, only active-passive mode supports Let's Encrypt certificate.

Fulfilling the DNS-01 challenge

The DNS-01 challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name.

After you have saved your Let's Encrypt certificate configuration, the DNS-01 challenge information is generated. With this information, you will configure your Public DNS Service to create the TXT record.

To obtain the TXT record:

Follow the steps in "To use certificate issued by Let's Encrypt:" to create a Let's encrypt certificate using the DNS-01 challenge type. The DNS Content File isn't available to download while you are creating the certificate.
After the certificate is created, go back to the main table, find the certificate you just created, then click the Issue button.
After the Status of the certificate turning into yellow, which means "need user to proceed manually", double click this certificate to enter into the certificate editing page. You will see the DNS Content File is ready to be downloaded. It is a .txt file which contains the TXT record.

To add the record the DNS challenge information to the Public DNS Service:

Add a record and input the challenge information into the corresponding fields.

Name	Enter your domain name prefixed with "_acme-challenge.", for example, " _acme-challenge.www.example.com".
Type	Set the record type as `TXT`.
TTL	Set this to the default value.
Target	Paste the content from your ACME DNS-01 challenge information.

Save the changes.
Let's Encrypt will then query the DNS system for that record to find a match. It's recommended to wait about 20 minutes for the challenge to complete.
Log in to FortiWeb.
Go to Server Objects > Certificates > Letsencrypt.
Find the Let's Encrypt certificate, then click the Issue button. If the Let's Encrypt certificate passes validation, the certificate status will turn into OK.
If it fails, most likely the reason is that your DNS record is not successfully updated with the TXT record. To troubleshoot, please first check with your DNS service to make sure the TXT record is added successfully.

It is recommended to set a longer challenge wait time to allow enough time for the DNS configuration changes to take effect. If the DNS configuration changes has not taken effect at the time Let's Encrypt queries the DNS system for the TXT record, then the validation will fail. Various factors may influence the speed of the DNS (such as the DNS service provider, network speed, network traffic), so the DNS configuration changes may take as long as 20 minutes to take effect.