FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Introduction
Product knowledge resource
- Documentation
- Videos
New Features in 8.0.x releases
- FortiAI
  - Analyze Individual Attack Logs with FortiAI (8.0.1)
  - FortiAI Integration (8.0.0)
- WAF features
- Server Policy
  - Replacement Message Support at HTTP Content Routing Policy Level (8.0.0)
  - Support for Lua Scripting with HTTP/3 (8.0.0)
- Application Delivery
- System
- Log, FortiView, and Debug
- High Availability
  - Manual HA Failover Trigger Support (8.0.0)
- Documentation enhancement
Key concepts
- Key Components of FortiWeb
- Sequence of scans
- FortiWeb's role and placement in network topology
- Operation modes
- High Availability (HA)
- Solutions for specific web attacks
- IPv6 support
- HTTP/2 support
- HTTP sessions & security
- FortiWeb high availability (HA)
- Administrative domains (ADOMs)
- How to use the web UI
- Shutdown
How to set up your FortiWeb
- Workflow
- Appliance vs. VMware
- Registering your FortiWeb
- Supported features in each operation mode
- Connecting to the web UI or CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time & date
- Setting the operation mode
- Feature visibility
- Configuring High Availability (HA) basic settings
  - HA heartbeat & active node election
  - Synchronization
- Replicating the configuration without FortiWeb HA (external HA)
- Configuring the network settings
- Configuring DNS settings
- Configuring HA settings specifically for active-passive and standard active-active modes
- Configuring HA settings specifically for high volume active-active mode
- Defining your web servers & load balancers
  - Defining your protected/allowed HTTP “Host:” header names
  - Defining your web servers
  - Defining your proxies, clients, & X-headers
  - Defining your network services
  - Configuring virtual servers on your FortiWeb
  - Enabling or disabling traffic forwarding to your servers
- Configuring FortiWeb to receive traffic via WCCP
- Configuring basic policies
- Testing your installation
- Switching out of Offline Protection mode
FortiAI
- Enabling Administrator Access to FortiAI
- Using FortiAI
- FortiAI Tokens
- FortiAI Data Privacy
- FortiAI Example Tasks
Policies
- How operation mode affects server policy behavior
- Configuring the global object allow list
- Configuring the allow list at server policy level
- Configuring a protection profile for inline topologies
- Generating a protection profile using scanner reports
- Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
- Configuring client management
- Configuring an HTTP server policy
- Configuring traffic mirror
- ADFS Proxy
- Configuring FTP security
Secure connections (SSL/TLS)
- Offloading vs. inspection
- Supported cipher suites & protocol versions
  - Supported cipher suites - for connections between FortiWeb and the clients
  - Supported cipher suites - for connection between FortiWeb and back-end servers
- CA certificates
- How to offload or inspect HTTPS
- Forcing clients to use HTTPS
- HTTP Public Key Pinning
- How to apply PKI client authentication (personal certificates)
- Seamless PKI integration
- Revoking certificates
- How to export/back up certificates & private keys
- How to change FortiWeb's default certificate
- OCSP-Based certificate revocation check
Users
- Authentication styles
- Offloading HTTP authentication and authorization
- Creating reCAPTCHA servers
Application delivery
- Rewriting & redirecting
- Compression
- Site Publishing (Single sign-on)
- Caching
  - What can be cached?
- Acceleration
- Scripting
- Waiting room
  - Customizing waiting room display page
Web protection
- Known Attacks
- Advanced protection
- Client Side Security
- Data Loss Prevention
- Input validation
- Protocol constraints
- Access control
  - Restricting access based on specific URLs
  - Specifying allowed HTTP methods
- ML Based Anomaly Detection
  - Viewing domain data
  - Viewing anomaly detection log
- Web Anti-Defacement
Zero Trust Network Access (ZTNA)
- Configuring FortiClient EMS Connector for ZTNA
- Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- Referencing ZTNA profile in a server policy
- ZTNA troubleshooting and debugging
Bot mitigation
- Configuring threshold based detection
- Configuring biometrics based detection
- Configuring bot deception
- Configuring known bots
- Configuring bot mitigation policy
- Configuring ML Based Bot Detection policy
  - Viewing bot detection model status
  - Viewing the bot detection violations
- Configuring Advanced Bot Protection policy
- Exception Policy
API Protection
- Configuring JSON protection
- Configuring XML protection
- Configuring GraphQL protection
  - Creating GraphQL protection rules
  - Creating GraphQL protection policy
- OpenAPI Validation
- Configuring mobile API protection
- API gateway
- Configuring ML Based API Protection policy
DoS protection
- DoS prevention
- Preventing slow and low attacks
- Exception Policy
IP Protection
- GEO IP - Blocklisting & whitelisting countries & regions
- IP List - Blocklisting & whitelisting clients using a source IP or source IP range
- IP Reputation - Blocklisting source IPs with poor reputation
- Creating IP groups
Tracking
- Compliance
Administrators
- Configuring access profiles
- Grouping remote authentication queries and certificates for administrators
- Changing an administrator’s password
- Configuring SSL certificate for the administrator access to FortiWeb GUI via HTTPS
- Certificate-based Web UI login
Advanced/optional system settings
- Changing the FortiWeb appliance’s host name
- Fail-to-wire for power loss/reboots
- Customizing error and authentication pages (replacement messages)
- Configuring machine-learning URL replacer policy
- Configuring the integrated firewall
  - Network address translation (NAT)
- Advanced settings
- Backup & restore
Dashboard
- Status dashboard
- Monitors
Log&Report
- Logging
- Alert email
- SNMP traps & queries
- Reports
- Debug log
- FortiGuard updates
- Analyzing attack logs in FortiWeb Cloud Threat Analytics
Security Fabric
- Fabric Connectors
  - FortiGSLB
  - Single Sign On (SSO)
    - FortiGate SSO
    - Single Sign On with Azure
- External connectors
- Automation
Ingress Controller
Security Operations Center-as-a-Service (SOCaaS)
Fine-tuning & best practices
- Hardening security
- Improving performance
- Improving fault tolerance
- Reducing false positives
- Regular backups
- Downloading logs in RAM before shutdown or reboot
Troubleshooting
- Introduction
- Troubleshooting outline
- Diagnosing server-policy connectivity issues
- Diagnosing system issues
- Diagnose software function issues
- Diagnose hardware issues
- System tools & diagnose commands
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: FortiWeb-VM licenses
Appendix D: Supported RFCs, W3C, & IEEE standards
Appendix E: Regular expressions
Appendix F: How to purchase and renew FortiGuard licenses
Appendix G: Supported image versions for EOS models

Home FortiWeb 8.0.2 Administration Guide

8.0.2

WAF Solutions against OWASP Top 10 API Security Risks

Modern applications increasingly rely on APIs (Application Programming Interfaces) to enable seamless integration and data exchange. However, APIs also introduce new security challenges that attackers exploit to gain unauthorized access, manipulate data, or disrupt services.

The OWASP API Security Top 10 outlines the most critical API vulnerabilities, and FortiWeb provides comprehensive protection by enforcing strict security policies, real-time threat detection, and AI-driven traffic analysis.

Broken Object Level Authorization (BOLA)

BOLA is a common API vulnerability where unauthorized users can access or modify objects they should not have permissions for. This can lead to data breaches, privilege escalation, or unauthorized data modifications.

FortiWeb mitigates this risk by enforcing strong authentication and role-based access controls (RBAC) at the API gateway, ensuring that only authorized users can access specific API resources.

For the related use case, see Account Takeover & Data Manipulation in a Banking API.
Broken User Authentication

APIs often require authentication mechanisms to verify user identities, but weak or misconfigured authentication can allow attackers to compromise user accounts.

FortiWeb enhances API authentication security by supporting OAuth 2.0, API keys, JWT validation, and Multi-Factor Authentication (MFA). These mechanisms help prevent unauthorized access and account takeover attacks.

For the related use case, see Account Takeover & Data Manipulation in a Banking API.
Excessive Data Exposure

Many APIs return more data than necessary, increasing the risk of data leaks and exposure of sensitive information such as personally identifiable information (PII).

FortiWeb’s Data Loss Prevention (DLP) capabilities analyze API responses and block the transmission of unnecessary or sensitive data, ensuring compliance with data protection regulations like GDPR and PCI-DSS.

For the related use case, see Ensure API schema compliance and threat prevention in a government digital services portal.
Lack of Resources & Rate Limiting

Without proper rate limiting, APIs are vulnerable to abuse, such as denial-of-service (DoS) attacks, brute force attempts, and excessive API calls that degrade performance.

FortiWeb prevents API abuse by implementing rate limiting, IP reputation filtering, and anomaly detection, ensuring fair usage and mitigating automated attack attempts.

For the related use case, see Account Takeover & Data Manipulation in a Banking API.
Broken Function Level Authorization

This vulnerability arises when API functions expose endpoints without properly enforcing user authorization. Attackers can exploit it to perform unauthorized actions such as modifying user settings or escalating privileges.

FortiWeb enforces function-level authorization by integrating RBAC policies and access control mechanisms that restrict API functions to the appropriate users and roles.

For the related use case, see Account Takeover & Data Manipulation in a Banking API.
Mass Assignment

Mass assignment vulnerabilities occur when attackers manipulate API requests to update unintended object properties. This can lead to unauthorized modifications of security settings, user privileges, or sensitive data fields.

FortiWeb mitigates this risk by implementing strict schema validation and enforcing input sanitization policies to prevent unintended data modifications.

For the related use case, see Ensure API schema compliance and threat prevention in a government digital services portal.
Security Misconfiguration

APIs often have misconfigured security settings, such as exposed debug endpoints, overly permissive CORS (Cross-Origin Resource Sharing) rules, or missing security headers.

FortiWeb prevents access to sensitive or undocumented API endpoints by enforcing URL access policies and using machine learning with OpenAPI integration to block unexpected requests outside approved API definitions.

For the related use case, see Account Takeover & Data Manipulation in a Banking API.
Injection Attacks (SQLi, XSS, Command Injection, etc.)

APIs are vulnerable to injection attacks, where attackers insert malicious code into API requests to execute unintended commands or extract data.

FortiWeb’s AI-powered WAF (Web Application Firewall) detects and blocks SQL injection (SQLi), cross-site scripting (XSS), command injection, and other API-based exploits, ensuring that only safe and validated API requests are processed.

For the related use case, see Ensure API schema compliance and threat prevention in a government digital services portal.
Improper Asset Management

Exposed or outdated APIs can introduce security risks, as attackers may discover deprecated or vulnerable endpoints that should no longer be accessible.

FortiWeb enhances API security posture by enabling API discovery, version control enforcement, and automated deprecation management, ensuring that only secure and actively maintained APIs are available.

For the related use case, see Ensure API schema compliance and threat prevention in a government digital services portal.
Insufficient Logging & Monitoring

A lack of monitoring makes it difficult to detect API abuse, unauthorized access, or suspicious activities in real time.

FortiWeb provides comprehensive API traffic logging, SIEM integration, and real-time alerts, allowing security teams to detect, analyze, and respond to API-related threats proactively.

For the related use case, see Security Logging and Monitoring Failures.

Watch the following videos on FortiWeb's API Protection features: