FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Introduction
Product knowledge resource
- Documentation
- Videos
New Features in 8.0.x releases
- FortiAI Integration (8.0.0)
- WAF features
- Server Policy
  - Replacement Message Support at HTTP Content Routing Policy Level (8.0.0)
  - Support for Lua Scripting with HTTP/3 (8.0.0)
- Application Delivery
- System
- Log, FortiView, and Debug
- High Availability
  - Manual HA Failover Trigger Support (8.0.0)
- Documentation enhancement
Key concepts
- Key Components of FortiWeb
- Sequence of scans
- FortiWeb's role and placement in network topology
- Operation modes
- High Availability (HA)
- Solutions for specific web attacks
- IPv6 support
- HTTP/2 support
- HTTP sessions & security
- FortiWeb high availability (HA)
- Administrative domains (ADOMs)
- How to use the web UI
- Shutdown
How to set up your FortiWeb
- Workflow
- Appliance vs. VMware
- Registering your FortiWeb
- Supported features in each operation mode
- Connecting to the web UI or CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time & date
- Setting the operation mode
- Feature visibility
- Configuring High Availability (HA) basic settings
  - HA heartbeat & active node election
  - Synchronization
- Replicating the configuration without FortiWeb HA (external HA)
- Configuring the network settings
- Configuring DNS settings
- Configuring HA settings specifically for active-passive and standard active-active modes
- Configuring HA settings specifically for high volume active-active mode
- Defining your web servers & load balancers
  - Defining your protected/allowed HTTP “Host:” header names
  - Defining your web servers
  - Defining your proxies, clients, & X-headers
  - Defining your network services
  - Configuring virtual servers on your FortiWeb
  - Enabling or disabling traffic forwarding to your servers
- Configuring FortiWeb to receive traffic via WCCP
- Configuring basic policies
- Testing your installation
- Switching out of Offline Protection mode
FortiAI
- Enabling Administrator Access to FortiAI
- Using FortiAI
- FortiAI Tokens
- FortiAI Data Privacy
- FortiAI Example Tasks
Policies
- How operation mode affects server policy behavior
- Configuring the global object allow list
- Configuring the allow list at server policy level
- Configuring a protection profile for inline topologies
- Generating a protection profile using scanner reports
- Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
- Configuring client management
- Configuring an HTTP server policy
- Configuring traffic mirror
- ADFS Proxy
- Configuring FTP security
Secure connections (SSL/TLS)
- Offloading vs. inspection
- Supported cipher suites & protocol versions
  - Supported cipher suites - for connections between FortiWeb and the clients
  - Supported cipher suites - for connection between FortiWeb and back-end servers
- CA certificates
- How to offload or inspect HTTPS
- Forcing clients to use HTTPS
- HTTP Public Key Pinning
- How to apply PKI client authentication (personal certificates)
- Seamless PKI integration
- Revoking certificates
- How to export/back up certificates & private keys
- How to change FortiWeb's default certificate
- OCSP-Based certificate revocation check
Users
- Authentication styles
- Offloading HTTP authentication and authorization
- Creating reCAPTCHA servers
Application delivery
- Rewriting & redirecting
- Compression
- Site Publishing (Single sign-on)
- Caching
  - What can be cached?
- Acceleration
- Scripting
- Waiting room
  - Customizing waiting room display page
Web protection
- Known Attacks
- Advanced protection
- Client Side Security
- Data Loss Prevention
- Input validation
- Protocol constraints
- Access control
  - Restricting access based on specific URLs
  - Specifying allowed HTTP methods
- ML Based Anomaly Detection
  - Viewing domain data
  - Viewing anomaly detection log
- Web Anti-Defacement
Zero Trust Network Access (ZTNA)
- Configuring FortiClient EMS Connector for ZTNA
- Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- Referencing ZTNA profile in a server policy
- ZTNA troubleshooting and debugging
Bot mitigation
- Configuring threshold based detection
- Configuring biometrics based detection
- Configuring bot deception
- Configuring known bots
- Configuring bot mitigation policy
- Configuring ML Based Bot Detection policy
  - Viewing bot detection model status
  - Viewing the bot detection violations
- Configuring Advanced Bot Protection policy
- Exception Policy
API Protection
- Configuring JSON protection
- Configuring XML protection
- Configuring GraphQL protection
  - Creating GraphQL protection rules
  - Creating GraphQL protection policy
- OpenAPI Validation
- Configuring mobile API protection
- API gateway
- Configuring ML Based API Protection policy
DoS protection
- DoS prevention
- Preventing slow and low attacks
- Exception Policy
IP Protection
- GEO IP - Blocklisting & whitelisting countries & regions
- IP List - Blocklisting & whitelisting clients using a source IP or source IP range
- IP Reputation - Blocklisting source IPs with poor reputation
- Creating IP groups
Tracking
- Compliance
Administrators
- Configuring access profiles
- Grouping remote authentication queries and certificates for administrators
- Changing an administrator’s password
- Configuring SSL certificate for the administrator access to FortiWeb GUI via HTTPS
- Certificate-based Web UI login
Advanced/optional system settings
- Changing the FortiWeb appliance’s host name
- Fail-to-wire for power loss/reboots
- Customizing error and authentication pages (replacement messages)
- Configuring machine-learning URL replacer policy
- Configuring the integrated firewall
  - Network address translation (NAT)
- Advanced settings
- Backup & restore
Dashboard
- Status dashboard
- Monitors
Log&Report
- Logging
- Alert email
- SNMP traps & queries
- Reports
- Debug log
- FortiGuard updates
- Analyzing attack logs in FortiWeb Cloud Threat Analytics
Security Fabric
- Fabric Connectors
  - FortiGSLB
  - Single Sign On (SSO)
    - FortiGate SSO
    - Single Sign On with Azure
- External connectors
- Automation
Ingress Controller
Security Operations Center-as-a-Service (SOCaaS)
Fine-tuning & best practices
- Hardening security
- Improving performance
- Improving fault tolerance
- Reducing false positives
- Regular backups
- Downloading logs in RAM before shutdown or reboot
Troubleshooting
- Introduction
- Troubleshooting outline
- Diagnosing server-policy connectivity issues
- Diagnosing system issues
- Diagnose software function issues
- Diagnose hardware issues
- System tools & diagnose commands
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: FortiWeb-VM licenses
Appendix D: Supported RFCs, W3C, & IEEE standards
Appendix E: Regular expressions
Appendix F: How to purchase and renew FortiGuard licenses
Appendix G: Supported image versions for EOS models

Home FortiWeb 8.0.0 Administration Guide

8.0.0

Preventing slow and low attacks

A low and slow attack is a type of DoS attack that sends a small stream of traffic at a very slow rate. It targets application and server resources and is difficult to distinguish from normal traffic. The most popular attack tools include Slowloris and R.U.D.Y. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

FortiWeb can detect slow and low attacks and generate attack logs for you to trace the source.

Configuring protection rules for slow and low attacks

You can configure FortiWeb to prevent the long-lasting HTTP transactions.

Go to Bot Mitigation > Threshold Based Detection.
Click Create New.
For Name, enter a name for the threshold based detection rule that can be referenced in bot mitigation policy.
For Tracking by, select one of the following options to define how FortiWeb counts occurrences for each detection module:
- Client IP — Tracks requests by the source IP address. This is suitable when client identity is not available or when cookies are disabled.
- Client ID — Tracks requests using the Client Management cookie, allowing FortiWeb to associate behavior with individual clients across sessions and IP changes. If this option is selected and the associated protection profile has not enabled Client Management, a prompt will appear.
  When Client ID is selected, detection modules offer Client ID Block Period actions in place of standard IP-based block actions.
Note:
- Slow Header Attack does not support tracking by Client ID due to its detection being performed at the TCP layer before full HTTP headers are available. Even when Tracking by is set to Client ID, FortiWeb uses Client IP for occurrence tracking in this case.
- If you change Tracking by from Client ID to Client IP, any existing Client ID Block Period actions in the configuration must be manually updated.

Configure the slow attack detection settings:

Slow Attack Detection
HTTP Transaction Timeout	Specify a timeout value, in seconds, for the HTTP transaction. The default value is 60.
Packet Interval Timeout	Specify the timeout value, in seconds, for interval between packets arriving from either the client or server (request or response packets). The default value is 10.
Occurrence	Define the frequency that FortiWeb detects slow attack activities. The default value is 5.
Within (Seconds)	Specify the time period, in seconds, during which FortiWeb detects slow attack activities. The default value is 100.
Action	Select which action FortiWeb will take when it detects slow attack activities: Alert—Accept the connection and generate an alert email and/or log message. Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message. Deny (no log)—Block the request (or reset the connection). Period Block—Block subsequent requests from the client for a number of seconds. Also configure Period Block. Client ID Block Period—Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy. Also configure Period Block. When a Slow Header Attack is detected, FortiWeb automatically falls back to Client IP for occurrence tracking. If the configured action is Client ID Block Period, it will be enforced as an IP-based Period Block instead. The default value is Alert.
Period Block	Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects slow attack activities. The valid range is 1–3,600 seconds (1 hour). This setting is available only if Action is set to Period Block or Client ID Block Period.
Severity	When policy violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level FortiWeb will use when it logs slow attack activities: Informative Low Medium High The default value is Medium.
Trigger Policy	Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about slow attack activities. For details, see Viewing log messages.

Click OK.

See information on the threshold based detection rule, see Configuring threshold based detection.

In addition to the configurations in the threshold based detection rule, the following two commands in server-policy policy are also useful to prevent slow and low attacks that periodically add HTTP headers to a request.

config server-policy policy

edit "<policy_name>"

set HTTP-header-timeout <seconds_int>

set tcp-recv-timeout <seconds_int>

end

Variable	Description	Default
HTTP-header-timeout <seconds_int>	The amount of time (in seconds) that FortiWeb will wait for the whole HTTP request header after a client sets up a TCP connection. FortiWeb closes the connection if the HTTP request is timeout. The valid range is 0–1200. A value of 0 means that there is no timeout.	0
tcp-recv-timeout <seconds_int>	The amount of time (in seconds) that FortiWeb will wait for a client to send a request after the client sets up a TCP connection. FortiWeb closes the connection if the TCP request is timeout. The valid range is 0–300. A value of 0 means that there is no timeout.	0