DOCUMENT LIBRARY

FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Introduction
Product knowledge resource
- Documentation
- Videos
New Features in 7.6.x releases
- WAF features
- Server Objects
- Server Policy
- Authentication
- Network
  - Support for MANA Network in Azure (7.6.3)
  - Warning message upon port exhaustion (7.6.0)
- System
- Log, FortiView, and Debug
- High Availability
- Security Fabric
  - STIX/TAXII Support for IP Address Connector (7.6.4)
  - Security Fabric: Automation (7.6.0)
- Ingress Controller enhancements (7.6.0)
- Disk expansion (7.6.2)
Key concepts
- Key Components of FortiWeb
- Sequence of scans
- FortiWeb's role and placement in network topology
- Operation modes
- High Availability (HA)
- Solutions for specific web attacks
- IPv6 support
- HTTP/2 support
- HTTP sessions & security
- FortiWeb high availability (HA)
- Administrative domains (ADOMs)
- How to use the web UI
- Shutdown
How to set up your FortiWeb
- Workflow
- Appliance vs. VMware
- Registering your FortiWeb
- Supported features in each operation mode
- Connecting to the web UI or CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time & date
- Setting the operation mode
- Feature visibility
- Configuring High Availability (HA) basic settings
  - HA heartbeat & active node election
  - Synchronization
- Replicating the configuration without FortiWeb HA (external HA)
- Configuring the network settings
- Configuring DNS settings
- Configuring HA settings specifically for active-passive and standard active-active modes
- Configuring HA settings specifically for high volume active-active mode
- Defining your web servers & load balancers
  - Defining your protected/allowed HTTP “Host:” header names
  - Defining your web servers
  - Defining your proxies, clients, & X-headers
  - Defining your network services
  - Configuring virtual servers on your FortiWeb
  - Enabling or disabling traffic forwarding to your servers
- Configuring FortiWeb to receive traffic via WCCP
- Configuring basic policies
- Testing your installation
- Switching out of Offline Protection mode
Policies
- How operation mode affects server policy behavior
- Configuring the global object allow list
- Configuring the allow list at server policy level
- Configuring a protection profile for inline topologies
- Generating a protection profile using scanner reports
- Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
- Configuring client management
- Configuring an HTTP server policy
- Configuring traffic mirror
- ADFS Proxy
- Configuring FTP security
Secure connections (SSL/TLS)
- Offloading vs. inspection
- Supported cipher suites & protocol versions
  - Supported cipher suites - for connections between FortiWeb and the clients
  - Supported cipher suites - for connection between FortiWeb and back-end servers
- CA certificates
- How to offload or inspect HTTPS
- Forcing clients to use HTTPS
- HTTP Public Key Pinning
- How to apply PKI client authentication (personal certificates)
- Seamless PKI integration
- Revoking certificates
- How to export/back up certificates & private keys
- How to change FortiWeb's default certificate
- OCSP-Based certificate revocation check
Users
- Authentication styles
- Offloading HTTP authentication and authorization
- Creating reCAPTCHA servers
Application delivery
- Rewriting & redirecting
- Compression
- Site Publishing (Single sign-on)
- Caching
  - What can be cached?
- Acceleration
- Scripting
- Waiting room
  - Customizing waiting room display page
Web protection
- Blocking known attacks
- Advanced protection
- Data Loss Prevention
- Cookie security
- Input validation
- Protocol constraints
- Access control
- ML Based Anomaly Detection
  - Viewing domain data
  - Viewing anomaly detection log
- Anti-defacement
Zero Trust Network Access (ZTNA)
- Configuring FortiClient EMS Connector for ZTNA
- Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- Referencing ZTNA profile in a server policy
- ZTNA troubleshooting and debugging
Bot mitigation
- Configuring threshold based detection
- Configuring biometrics based detection
- Configuring bot deception
- Configuring known bots
- Configuring bot mitigation policy
- Configuring ML Based Bot Detection policy
  - Viewing bot detection model status
  - Viewing the bot detection violations
- Configuring Advanced Bot Protection policy
- Exception Policy
API Protection
- Configuring JSON protection
- Configuring XML protection
- Configuring GraphQL protection
  - Creating GraphQL protection rules
  - Creating GraphQL protection policy
- OpenAPI Validation
- Configuring mobile API protection
- API gateway
- Configuring ML Based API Protection policy
DoS protection
- DoS prevention
- Preventing slow and low attacks
- Exception Policy
IP Protection
- GEO IP - Blocklisting & whitelisting countries & regions
- IP List - Blocklisting & whitelisting clients using a source IP or source IP range
- IP Reputation - Blocklisting source IPs with poor reputation
- Creating IP groups
Tracking
- Compliance
Administrators
- Configuring access profiles
- Grouping remote authentication queries and certificates for administrators
- Changing an administrator’s password
- Configuring SSL certificate for the administrator access to FortiWeb GUI via HTTPS
- Certificate-based Web UI login
Advanced/optional system settings
- Changing the FortiWeb appliance’s host name
- Fail-to-wire for power loss/reboots
- Customizing error and authentication pages (replacement messages)
- Configuring machine-learning URL replacer policy
- Configuring the integrated firewall
  - Network address translation (NAT)
- Advanced settings
- Backup & restore
Dashboard
- Status dashboard
- Monitors
Log&Report
- Logging
- Alert email
- SNMP traps & queries
- Reports
- Debug log
- FortiGuard updates
- Analyzing attack logs in FortiWeb Cloud Threat Analytics
Security Fabric
- Fabric Connectors
  - FortiGSLB
  - Single Sign On (SSO)
    - FortiGate SSO
    - Single Sign On with Azure
- External connectors
- Automation
Ingress Controller
Security Operations Center-as-a-Service (SOCaaS)
Fine-tuning & best practices
- Hardening security
- Improving performance
- Improving fault tolerance
- Reducing false positives
- Regular backups
- Downloading logs in RAM before shutdown or reboot
Troubleshooting
- Introduction
- Troubleshooting outline
- Diagnosing server-policy connectivity issues
- Diagnosing system issues
- Diagnose software function issues
- Diagnose hardware issues
- System tools & diagnose commands
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: FortiWeb-VM licenses
Appendix D: Supported RFCs, W3C, & IEEE standards
Appendix E: Regular expressions
Appendix F: How to purchase and renew FortiGuard licenses
Appendix G: Supported image versions for EOS models

Home FortiWeb 7.6.5 Administration Guide

7.6.5

Managing API users

You can define API users to restrict access to APIs based on API keys.

Creating API users

Go to API Gateway > API User, and select the API User tab.
Click Create New.

Configure these settings:

Name	Enter a name that identifies the user.
Email	Type the email address of the user that is used for contact purpose.
Comments	Optionally, enter a description or comments for the user.
Type	Standard Once the API user is created successfully, an API key and UUID are automatically assigned to this user by FortiWeb. In cases such as the key is stolen or lost, you click the Refresh button to refresh the key. Dynamic FortiWeb adopts RSA algorithm to generate token. It uses public key to encode, and private key to decode a random string with minimum length 64. You need to enter the RSA key for dynamic key. JWT JSON Web Token (JWT) is an open standard (RFC 7519) that defines a way for transmitting information –like authentication and authorization facts– between two parties: an issuer and an audience. For the JWT key, you need to enter the value for the required fields so that FortiWeb can communicate with the JWT server to validate the key. For how to get the API key, see "Retrieve the API key for the user".
RSA Key	Enter the RSA key (Private key) of the user. Available only if the Type is Dynamic.
Restrict Access IPs	Restrict this API key so that it may only be used from the specified IP addresses. Both single IP addresses or IP ranges are supported. You can enter multiple IP addresses by adding .
Restrict HTTP Referers	Restrict this API key so that it may only be used when the specified URLs are present in the Referer HTTP header. This can be used to prevent an API key from being reused on other client-side web applications that don’t match this URL (but note that this does not prevent server-side reuse where the referer could be forged). Now only full URL such as `https://example.com/foo` is supported. You can enter multiple referers by adding .

Click OK.
You can continue creating multiple API users.
Once the API user is created successfully, an API key and UUID are automatically assigned to this user by FortiWeb. The API key and UUID can not be changed, while you can append IP or HTTP referer restrictions for this user. Refer to the following steps to get the API key for this user.

Retrieve the API key for the user

After the user is created, you need to perform the following steps to retrieve the API key.

Go to API Gateway > API User, and select the API User tab.
Select the user you just created.
Click Edit.
You can see the API key generated for this user in the API Key field.
Copy the key and securely share the Key with the API User.

When the API user makes API request to your application, it must carry the API key in requests, such as: API_Key: xxxx-xxxx-xxxx.

Special note for Dynamic Key

For API users configured with a dynamic key, each API request to your application must include both the API Key and Dynamic Key.

API Key: This is the API key generated by FortiWeb. Refer to the earlier steps for how to obtain it.

When an API request is received, FortiWeb validates the API key to ensure it is legitimate. In the API Gateway rule, you can specify where the API key is located (e.g., header, parameter) and define the name of the field FortiWeb should look for.
Dynamic Key: You are responsible for generating the token of this key. Below are the steps for your reference.

When an API request is received, FortiWeb also validates the Dynamic key to ensure it is legitimate. It will look for the dynamic_key field in the request.

To generate the token of the dynamic key:

We assume that you have already generated a RSA key pair:
- Private Key: It will be used to decrypt tokens provided by the user. This should have already been entered in FortiWeb in the RSA Key field when creating the Dynamic API user.
- Public Key: You will need it to generate the token in the following step.
Use the following method to generate the token:
- KeyP: Your RSA public key
- Num: A random number
- email: The user's email address (must match the email entered in FortiWeb when creating this API user)
Copy the generated token. Then, provide both the API key and token to the user.

Creating API user group

You can assign API users to a certain group which defines the specific permissions of the group users can perform.

Go to API Gateway > API User, and select the API User Group tab.
Click Create New.
In Name, type a name that can be referenced by other parts of the configuration.
Click OK.
Click Create New.
For API User, select the created API user from the drop-down list.
Click OK.
You can continue adding more API users to the group.