FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Introduction
Product knowledge resource
- Documentation
- Videos
New Features in 7.6.x releases
- WAF features
- Server Objects
- Server Policy
- Authentication
- Network
  - Support for MANA Network in Azure (7.6.3)
  - Warning message upon port exhaustion (7.6.0)
- System
- Log, FortiView, and Debug
- High Availability
- Security Fabric
  - STIX/TAXII Support for IP Address Connector (7.6.4)
  - Security Fabric: Automation (7.6.0)
- Ingress Controller enhancements (7.6.0)
- Disk expansion (7.6.2)
Key concepts
- Key Components of FortiWeb
- Sequence of scans
- FortiWeb's role and placement in network topology
- Operation modes
- High Availability (HA)
- Solutions for specific web attacks
- IPv6 support
- HTTP/2 support
- HTTP sessions & security
- FortiWeb high availability (HA)
- Administrative domains (ADOMs)
- How to use the web UI
- Shutdown
How to set up your FortiWeb
- Workflow
- Appliance vs. VMware
- Registering your FortiWeb
- Supported features in each operation mode
- Connecting to the web UI or CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time & date
- Setting the operation mode
- Feature visibility
- Configuring High Availability (HA) basic settings
  - HA heartbeat & active node election
  - Synchronization
- Replicating the configuration without FortiWeb HA (external HA)
- Configuring the network settings
- Configuring DNS settings
- Configuring HA settings specifically for active-passive and standard active-active modes
- Configuring HA settings specifically for high volume active-active mode
- Defining your web servers & load balancers
  - Defining your protected/allowed HTTP “Host:” header names
  - Defining your web servers
  - Defining your proxies, clients, & X-headers
  - Defining your network services
  - Configuring virtual servers on your FortiWeb
  - Enabling or disabling traffic forwarding to your servers
- Configuring FortiWeb to receive traffic via WCCP
- Configuring basic policies
- Testing your installation
- Switching out of Offline Protection mode
Policies
- How operation mode affects server policy behavior
- Configuring the global object allow list
- Configuring the allow list at server policy level
- Configuring a protection profile for inline topologies
- Generating a protection profile using scanner reports
- Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
- Configuring client management
- Configuring an HTTP server policy
- Configuring traffic mirror
- ADFS Proxy
- Configuring FTP security
Secure connections (SSL/TLS)
- Offloading vs. inspection
- Supported cipher suites & protocol versions
  - Supported cipher suites - for connections between FortiWeb and the clients
  - Supported cipher suites - for connection between FortiWeb and back-end servers
- CA certificates
- How to offload or inspect HTTPS
- Forcing clients to use HTTPS
- HTTP Public Key Pinning
- How to apply PKI client authentication (personal certificates)
- Seamless PKI integration
- Revoking certificates
- How to export/back up certificates & private keys
- How to change FortiWeb's default certificate
- OCSP-Based certificate revocation check
Users
- Authentication styles
- Offloading HTTP authentication and authorization
- Creating reCAPTCHA servers
Application delivery
- Rewriting & redirecting
- Compression
- Site Publishing (Single sign-on)
- Caching
  - What can be cached?
- Acceleration
- Scripting
- Waiting room
  - Customizing waiting room display page
Web protection
- Blocking known attacks
- Advanced protection
- Data Loss Prevention
- Cookie security
- Input validation
- Protocol constraints
- Access control
- ML Based Anomaly Detection
  - Viewing domain data
  - Viewing anomaly detection log
- Anti-defacement
Zero Trust Network Access (ZTNA)
- Configuring FortiClient EMS Connector for ZTNA
- Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- Referencing ZTNA profile in a server policy
- ZTNA troubleshooting and debugging
Bot mitigation
- Configuring threshold based detection
- Configuring biometrics based detection
- Configuring bot deception
- Configuring known bots
- Configuring bot mitigation policy
- Configuring ML Based Bot Detection policy
  - Viewing bot detection model status
  - Viewing the bot detection violations
- Configuring Advanced Bot Protection policy
- Exception Policy
API Protection
- Configuring JSON protection
- Configuring XML protection
- Configuring GraphQL protection
  - Creating GraphQL protection rules
  - Creating GraphQL protection policy
- OpenAPI Validation
- Configuring mobile API protection
- API gateway
- Configuring ML Based API Protection policy
DoS protection
- DoS prevention
- Preventing slow and low attacks
- Exception Policy
IP Protection
- GEO IP - Blocklisting & whitelisting countries & regions
- IP List - Blocklisting & whitelisting clients using a source IP or source IP range
- IP Reputation - Blocklisting source IPs with poor reputation
- Creating IP groups
Tracking
- Compliance
Administrators
- Configuring access profiles
- Grouping remote authentication queries and certificates for administrators
- Changing an administrator’s password
- Configuring SSL certificate for the administrator access to FortiWeb GUI via HTTPS
- Certificate-based Web UI login
Advanced/optional system settings
- Changing the FortiWeb appliance’s host name
- Fail-to-wire for power loss/reboots
- Customizing error and authentication pages (replacement messages)
- Configuring machine-learning URL replacer policy
- Configuring the integrated firewall
  - Network address translation (NAT)
- Advanced settings
- Backup & restore
Dashboard
- Status dashboard
- Monitors
Log&Report
- Logging
- Alert email
- SNMP traps & queries
- Reports
- Debug log
- FortiGuard updates
- Analyzing attack logs in FortiWeb Cloud Threat Analytics
Security Fabric
- Fabric Connectors
  - FortiGSLB
  - Single Sign On (SSO)
    - FortiGate SSO
    - Single Sign On with Azure
- External connectors
- Automation
Ingress Controller
Security Operations Center-as-a-Service (SOCaaS)
Fine-tuning & best practices
- Hardening security
- Improving performance
- Improving fault tolerance
- Reducing false positives
- Regular backups
- Downloading logs in RAM before shutdown or reboot
Troubleshooting
- Introduction
- Troubleshooting outline
- Diagnosing server-policy connectivity issues
- Diagnosing system issues
- Diagnose software function issues
- Diagnose hardware issues
- System tools & diagnose commands
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: FortiWeb-VM licenses
Appendix D: Supported RFCs, W3C, & IEEE standards
Appendix E: Regular expressions
Appendix F: How to purchase and renew FortiGuard licenses
Appendix G: Supported image versions for EOS models

Home FortiWeb 7.6.6 Administration Guide

7.6.6

Configuring SSL certificate for the administrator access to FortiWeb GUI via HTTPS

FortiWeb uses admin local certificates to establish secure HTTPS connections when an administrator accesses FortiWeb GUI. When the administrator opens the FortiWeb interface in their web browser, FortiWeb will present this certificate to authenticate itself. This process ensures that the browser can trust FortiWeb and that the communication between the browser and FortiWeb is encrypted, preventing unauthorized access or interception of data during the session.

Previously, it's only allowed to upload a pre-generated Admin local certificate to FortiWeb. Starting from 7.6.1, you can generate an admin local certificate signing request (CSR) in FortiWeb, then use either of the following enrollment methods to get a signed admin certificate.

File based enrollment: Submit the CSR file to a certificate authority (CA) for signing. Once signed, upload the certificate to FortiWeb.
SCEP enrollment: FortiWeb automatically uses HTTP to submit the certificate issuing request to the SCEP server, which will validate and sign the certificate.

SCEP is Primarily used within organizations to automate the distribution and management of certificates for internal devices. It's commonly used for securing internal resources such as VPNs, Wi-Fi access, and device authentication. SCEP is focused on managing certificates in private, enterprise settings, typically through an organization's internal Public Key Infrastructure (PKI).

If you are not using a commercial CA whose root certificate is already installed by default on web browsers, you need to download the root certificate or intermediate certificate that signed the admin certificate, then install it on all computers that will be connecting to FortiWeb's GUI. If you do not install these, those computers may not trust your new certificate.

Refer to the following section for steps of configuring certificate for FortiWeb GUI access.

Go to System > Admin > Certificates.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
Select the Admin Cert Local tab.
Click Generate.
Configure these settings to complete the certificate signing request:

Certification Name		Enter a unique name for the certificate request, such as `www.fortinet.com`. This can be the name of the FortiWeb appliance.
Subject Information		Includes information that the certificate is required to contain in order to uniquely identify the FortiWeb appliance. This area varies depending on the Configuring SSL certificate for the administrator access to FortiWeb GUI via HTTPS selection.
	ID Type	Select the type of identifier to use in the certificate to identify the FortiWeb appliance: Host IP—Select if the FortiWeb appliance has a static IP address and enter the public IP address of the FortiWeb appliance in the IP field. If the FortiWeb appliance does not have a public IP address, use E-mail or Configuring SSL certificate for the administrator access to FortiWeb GUI via HTTPS instead. Domain Name—Select if the FortiWeb appliance has a static IP address and subscribes to a dynamic DNS service. Enter the FQDN of the FortiWeb appliance, such as `www.example.com`, in the Domain Name field. Do not include the protocol specification (http://) or any port number or path names. E-Mail—Select and enter the email address of the owner of the FortiWeb appliance in the e-mail field. Use this if the appliance does not require either a static IP address or a domain name. The type you should select varies by whether or not your FortiWeb appliance has a static IP address, a fully-qualified domain name (FQDN), and by the primary intended use of the certificate. For example, if your FortiWeb appliance has both a static IP address and a domain name, but the local certificate is primarily used for HTTPS connections to the web UI via the domain name, it’s better to generate a certificate based on the domain name instead of the IP address. If the administrator attempts to access the GUI using the IP address, a certificate mismatch warning may occur because the certificate was issued for the domain name. Depending on your choice for ID Type, related options appear.
	IP	Type the static IP address of the FortiWeb appliance, such as `192.0.2.123`. The IP address should be one that is accessible to the administrator. Typically, this will either be a public IP address accessible over the Internet or a private IP address that is reachable within the administrator's private network. This option appears only if Configuring SSL certificate for the administrator access to FortiWeb GUI via HTTPS is Host IP.
	Domain Name	Type the fully qualified domain name (FQDN) of the FortiWeb appliance, such as `www.example.com`. The domain name must resolve to the static IP address of the FortiWeb appliance . For details, see Configuring the network interfaces. This option appears only if Configuring SSL certificate for the administrator access to FortiWeb GUI via HTTPS is Domain Name.
	E-mail	Type the email address of the owner of the FortiWeb appliance, such as `admin@example.com`. This option appears only if Configuring SSL certificate for the administrator access to FortiWeb GUI via HTTPS is E-Mail.
Optional Information		Includes information that you may include in the certificate, but which is not required.
	Organization unit	Type the name of your organizational unit (OU), such as the name of your department. This is optional. To enter more than one OU name, click the + icon, and enter each OU separately in each field.
	Organization	Type the legal name of your organization. This is optional.
	Locality(City)	Type the name of the city or town where the FortiWeb appliance is located. This is optional.
	State/Province	Type the name of the state or province where the FortiWeb appliance is located. This is optional.
	Country/Region	Select the name of the country where the FortiWeb appliance is located. This is optional.
	e-mail	Type an email address that may be used for contact purposes, such as `admin@example.com`. This is optional.
	Subject Alternative Names	Type the Subject Alternative Names to specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single TLS certificate
Key Type		Displays the type of algorithm used to generate the key. This option cannot be changed, but appears in order to indicate that only RSA is currently supported.
Key Size		Select a secure key size of 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security.
Digest Algorithm		Select whether to use SHA1 or SHA256 algorithm to generate the certificate signing request (CSR).
Enrollment Method		Select either: File Based—You must manually download and submit the resulting certificate request file to a certificate authority (CA) for signing. Once signed, upload the local certificate. Online SCEP—The FortiWeb appliance will automatically use HTTP to submit the request to the simple certificate enrollment protocol (SCEP) server of a CA, which will validate and sign the certificate. For this selection, two options appear. Enter the CA Server URL and the Challenge Password.

Click OK.

The FortiWeb appliance creates a private and public key pair. The generated request includes the public key of the FortiWeb appliance and information such as the FortiWeb appliance’s IP address, domain name, or email address. The FortiWeb appliance’s private key remains confidential on the FortiWeb appliance. The Status column of the entry is PENDING.

If you have selected the Online SCEP enrollment method, FortiWeb will automatically retrieve certificate from the specified CA Server URL. When administrators visit FortiWeb's GUI, FortiWeb will present this certificate to authenticate itself.

If you have selected the File Based enrollment method, you need to perform the following steps to sign the CSR at a CA authority, then upload the signed certificate to FortiWeb.

Select the CSR that has been generated by FortiWeb.
Click Download.

Standard dialogs appear with buttons to save the file at a location you select. Your web browser downloads the certificate request .csr file. Time required varies by the size of the file and the speed of your network connection.

Upload the CSR to your CA.

After you submit the request to a CA, the CA will verify the information in the certificate, give it a serial number, an expiration date, and sign it with the public key of the CA.

When you receive the signed certificate from the CA, click Import in the Admin Cert Local tab to upload the certificate.