
FortiWeb™ Web Application Security

Version 4.0.2

Administration Guide

FortiWeb™ Web Application Security Administration Guide

Version 4.0.2

Revision 2

7 April 2010

© Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory compliance

FCC Class A Part 15 CSA/CUS

CAUTION: Risk of explosion if battery is replaced by incorrect type. Dispose of used batteries according to instructions.

Contents

FortiWeb™ Web Application Security Version 4.0.2 Administration Guide

Revision 2

http://docs.fortinet.com/ • Feedback

Introduction.............................................................................................. 9

Registering your Fortinet product................................................................................. 9

Customer service & technical support ......................................................................... 9

Training.......................................................................................................................... 10

Documentation.............................................................................................................. 10

Scope ............................................................................................................................. 10

Conventions .................................................................................................................. 11

IP addresses............................................................................................................. 11

Cautions, Notes, & Tips............................................................................................ 11

Typographical conventions....................................................................................... 11

Command syntax conventions.................................................................................. 12

Characteristics of XML threats .................................................................................... 14

Characteristics of HTTP threats .................................................................................. 15

What's new ............................................................................................. 19

About the web-based manager............................................................. 21

System requirements.................................................................................................... 21

URL for access.............................................................................................................. 21

Settings.......................................................................................................................... 22

Language support & regular expressions.................................................................. 22

System .................................................................................................... 25

Viewing the system statuses ....................................................................................... 25

System Information widget ....................................................................................... 27

Changing the FortiWeb unit's host name........................................................... 29

System Resources widget........................................................................................ 29

CLI Console widget................................................................................................... 30

Alert Message Console widget................................................................................. 31

Service Status widget............................................................................................... 32

Policy Summary widget ............................................................................................ 33

Configuring the network interfaces............................................................................. 34

About VLANs...................................................................................................... 39

Configuring bridges................................................................................................... 39

Configuring fail-open................................................................................................. 41

Configuring the DNS settings...................................................................................... 42

Configuring high availability (HA) ............................................................................... 42

About the heartbeat and synchronization................................................................. 46

Configuring the SNMP agent ....................................................................................... 47

Configuring an SNMP community............................................................................. 48


Configuring DoS protection......................................................................................... 50

Configuring the operation mode ................................................................................. 51

Configuring administrator accounts........................................................................... 53

About trusted hosts................................................................................................... 56

Configuring access profiles....................................................................................... 56

About permissions.................................................................................................... 58

Configuring the web-based manager's global settings ............................................ 60

Managing certificates ................................................................................................... 61

Managing local and server certificates ..................................................................... 62

Generating a certificate signing request............................................................. 63

Downloading a certificate signing request.......................................................... 66

Uploading a certificate........................................................................................ 66

Managing OCSP server certificates.......................................................................... 68

Managing CA certificates.......................................................................................... 68

Grouping CA certificates .................................................................................... 69

Managing certificates for intermediate CAs ....................................................... 70

Grouping certificates for intermediate CAs ........................................................ 71

Managing the certificate revocation list..................................................................... 72

Configuring certificate verification rules.................................................................... 73

Backing up the configuration & installing firmware.................................................. 74

Configuring the time & date......................................................................................... 75

Uploading signature updates....................................................................................... 77

Scheduling signature updates..................................................................................... 78

Router...................................................................................................... 81

Configuring static routes ............................................................................................. 81

User......................................................................................................... 83

Configuring local users................................................................................................ 83

Configuring LDAP user queries................................................................................... 84

Configuring NTLM user queries .................................................................................. 87

Grouping users ............................................................................................................. 88

Server Policy .......................................................................................... 91

Configuring policies ..................................................................................................... 91

Enabling or disabling a policy................................................................................. 101

Configuring virtual servers ........................................................................................ 101

Enabling or disabling a virtual server...................................................................... 103

Configuring physical servers..................................................................................... 103

Enabling or disabling a physical server .................................................................. 105

Grouping physical servers into server farms .......................................................... 106

Configuring server health checks ........................................................................... 109


Configuring custom services..................................................................................... 111

Viewing the list of predefined services.................................................................... 113

Configuring protected hosts...................................................................................... 113

Grouping the predefined data types ......................................................................... 116

Viewing the list of predefined data types................................................................ 118

Grouping the predefined suspicious URLs.............................................................. 120

Viewing the list of predefined URL rules................................................................. 121

XML Protection..................................................................................... 123

Configuring schedules ............................................................................................... 123

Configuring one-time schedules............................................................................. 123

Configuring recurring schedules............................................................................. 124

Configuring content filter rules ................................................................................. 126

How priority affects content filter rule matching...................................................... 129

Enabling or disabling a content filter rule................................................................ 129

Configuring intrusion prevention rules .................................................................... 130

Enabling or disabling an intrusion prevention rule.................................................. 132

Configuring WSDL content routing groups.............................................................. 133

Managing XML signature and encryption keys........................................................ 135

Uploading a key...................................................................................................... 135

Grouping keys into key management groups......................................................... 136

Managing Schema files .............................................................................................. 138

Enabling or disabling a Schema file........................................................................ 140

Managing WSDL files.................................................................................................. 141

Enabling and disabling operations in a WSDL file.................................................. 142

Grouping WSDL files.............................................................................................. 143

Configuring XML protection profiles......................................................................... 144

Web Protection..................................................................................... 151

Order of execution ...................................................................................................... 151

Configuring input rules .............................................................................................. 152

Grouping input rules into parameter validation rules.............................................. 156

Configuring page order rules..................................................................................... 158

Configuring server protection rules.......................................................................... 161

Configuring server protection exceptions ............................................................... 167

Configuring start pages.............................................................................................. 170

Configuring URL black list rules ............................................................................... 173

Configuring URL white list rules ............................................................................... 175

Blacklisting client IP addresses ................................................................................ 177

Enabling or disabling IP address blacklisting.......................................................... 178

Viewing the top 10 IP black list candidates............................................................. 179


Whitelisting client IP addresses ................................................................................ 180

Configuring brute force login attack sensors ............................................ 181

Configuring robot control sensors............................................................................ 184

Viewing the predefined list of well-known robots.................................................... 187

Grouping predefined robots.................................................................................... 188

Grouping custom robots ......................................................................................... 189

Configuring allowed method exceptions.................................................................. 191

Configuring hidden field rules................................................................................... 194

Grouping hidden field rules..................................................................................... 197

Configuring URL rewriting ......................................................................................... 199

Grouping URL rewriting rules ................................................................................. 202

Example: Rewriting URLs using regular expressions............................................. 204

Example: Rewriting URLs using variables.............................................................. 204

Configuring HTTP protocol constraints.................................................................... 205

Configuring HTTP authentication.............................................................................. 207

Configuring authentication rules............................................................................. 208

Grouping authentication rules into authentication policies...................................... 211

Configuring inline web protection profiles............................................................... 213

Configuring offline protection profiles ..................................................................... 219

Configuring auto-learning profiles............................................................................ 223

Auto Learn............................................................................................ 227

Generating an auto-learning profile and its components ....................................... 227

Viewing auto-learning reports ................................................................................... 228

About the attack count............................................................................................ 232

Generating a profile from auto-learning data........................................................... 232

Web Anti-Defacement.......................................................................... 237

Configuring anti-defacement ..................................................................................... 237

About web site backups.......................................................................................... 241

Reverting a web site to a backup revision................................................................ 241

Web Vulnerability Scan ....................................................................... 243

Preparing for the vulnerability scan job ................................................................... 243

Configuring vulnerability scans ................................................................................ 243

Viewing a vulnerability report.................................................................................... 248

Log&Report .......................................................................................... 251

About logging.............................................................................................................. 251

Log types................................................................................................................ 251

Log message severity levels................................................................................... 252


Configuring logging and alerts.................................................................................. 252

Enabling logging and alerts .................................................................................... 253

Obscuring sensitive data in the logs....................................................................... 255

Configuring logging to the local hard disk............................................................... 256

Configuring logging to memory............................................................................... 258

Configuring logging to a Syslog server or FortiAnalyzer unit.................................. 259

Configuring and testing alerts................................................................................. 260

Viewing log messages................................................................................................ 262

Customizing the log view........................................................................................ 264

Displaying and arranging log columns ............................................................. 265

Filtering log messages ..................................................................................... 266

Grouping similar attack log messages ............................................................. 267

Configuring and generating reports.......................................................................... 268

Configuring a report profile..................................................................................... 269

Configuring the headers, footers, and logo of a report profile.......................... 270

Configuring the time period and log filter of a report profile ............................. 271

Configuring the query selection of a report profile ........................................... 273

Configuring the advanced options of a report profile ....................................... 274

Configuring the schedule of a report profile ..................................................... 274

Configuring the output of a report profile.......................................................... 275

Viewing and downloading reports............................................................................. 277

Installing firmware ............................................................................... 279

Testing new firmware before installing it ................................................................. 279

Installing firmware ...................................................................................................... 281

Installing backup firmware......................................................................................... 283

Restoring firmware ..................................................................................................... 285

Appendix A: Supported RFCs............................................................. 289

Appendix B: Maximum values matrix ................................................ 291

Appendix C: SNMP MIB support......................................................... 293

Index...................................................................................................... 295


Introduction

Welcome and thank you for selecting Fortinet products for your network protection.

FortiWeb units are designed specifically to protect web servers. Traditional firewalls and unified threat management (UTM) devices often understand the HTTP protocol, but do not understand simple object access protocol (SOAP) and other XML protocols and document types encapsulated within HTTP (RFC 2616). Because they lack in-depth inspection and analysis, traditional firewalls often cannot route connections based upon XML content. Worse still, attackers can bypass traditional firewall protection and cause problems for web servers that host HTML or XML-based services.

High performance is also important because XML and SOAP parsing requires relatively high amounts of CPU and memory resources. Traditional firewalls may be devoted to other business critical security functions, unable to meet performance requirements while also performing thorough scanning of XML and other HTTP document requests.

FortiWeb units are designed specifically to meet these needs. In addition to providing application content-based routing and in-depth protection for many HTTP/HTTPS- and XML-specific attacks, FortiWeb units contain specialized hardware to accelerate SSL processing, and can thereby enhance both the security and the performance of connections to your web servers.

This section introduces you to FortiWeb units and the following topics:

• Registering your Fortinet product
• Customer service & technical support
• Training
• Documentation
• Scope
• Conventions
• Characteristics of XML threats
• Characteristics of HTTP threats

Registering your Fortinet product

Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.

Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.

Customer service & technical support

Fortinet Technical Support provides services designed to make sure that you can install your Fortinet products quickly, configure them easily, and operate them reliably in your network.

To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com.

You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article Technical Support Requirements.

Training

Fortinet Training Services provides classes that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email them at training@fortinet.com.

Documentation

The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes. In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Base.

Fortinet Tools and Documentation CD

Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Base

The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to-articles, examples, FAQs, technical notes, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this technical document to techdoc@fortinet.com.

Scope

This document describes how to use the web-based manager of the FortiWeb unit. It assumes you have already successfully installed the FortiWeb unit by following the instructions in the FortiWeb Installation Guide.

At this stage:

• You have administrative access to the web-based manager and/or CLI.
• The FortiWeb unit is integrated into your network.

• The operation mode has been configured.
• The system time, DNS settings, administrator password, and network interfaces have been configured.
• Firmware updates have been completed.
• Basic policies have been configured.

Once that basic installation is complete, you can use this document. This document explains how to use the web-based manager to:

• maintain the FortiWeb unit, including backups
• reconfigure basic items that were configured during installation
• configure advanced features, such as customized protection profiles, logging, and reporting

This document does not cover commands for the command line interface (CLI). For information on the CLI, see the FortiWeb CLI Reference.

Conventions

Fortinet technical documentation uses the conventions described below.

IP addresses

To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.

Cautions, Notes, & Tips

Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Note: Presents useful information, usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions

Fortinet documentation uses the following typographical conventions:


Command syntax conventions

The command line interface (CLI) requires that you use valid syntax, and conform to expected input constraints. It will reject invalid commands. Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations (the angle-bracket data types listed in Table 2) indicate which data types or string patterns are acceptable value input.

Table 1: Typographical conventions in Fortinet technical documentation

Convention: Button, menu, text box, field, or check box label
Example: From Minimum log level, select Notification.

Convention: CLI input
Example:
config system dns
set primary
end

Convention: CLI output
Example:
FGT-602803030703 # get system settings
comments : (null)
opmode : nat

Convention: Emphasis
Example: HTTP connections are not secure and can be intercepted by a third party.

Convention: File content
Example:
Firewall Authentication
You must authenticate to use this service.

Convention: Hyperlink
Example: Visit the Fortinet Technical Support web site, https://support.fortinet.com.

Convention: Keyboard entry
Example: Type a name for the remote VPN peer or client, such as Central_Office_1.

Convention: Navigation
Example: Go to VPN > IPSEC > Auto Key (IKE).

Convention: Publication
Example: For details, see the FortiGate Administration Guide.

Table 2: Command syntax notation

Convention: Square brackets [ ]
Description: A non-required word or series of words. For example:

[verbose {1 | 2 | 3}]

indicates that you may either omit or type both the verbose word and its accompanying option, such as:

verbose 3

Convention: Angle brackets < >
Description: A word constrained by data type. To define acceptable input, the angle brackets contain a descriptive name followed by an underscore (_) and suffix that indicates the valid data type. For example:

indicates that you should enter a number of retries, such as 5.

Data types include:

• A name referring to another part of the configuration, such as policy_A.
• An index number referring to another part of the configuration, such as 0 for the first static route.
• A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
• A fully qualified domain name (FQDN), such as mail.example.com.
• An email address, such as admin@mail.example.com.
• A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet.com/.
• An IPv4 address, such as 192.168.1.99.
• A dotted decimal IPv4 netmask, such as 255.255.255.0.
• A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
• A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.
• A colon (:)-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
• An IPv6 netmask, such as /96.
• An IPv6 address and netmask separated by a space.
• A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences. See the FortiWeb CLI Reference.
• An integer number that is not another data type, such as 15 for the number of minutes.

Convention: Curly braces { }
Description: A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

Convention: Options delimited by vertical bars |
Description: Mutually exclusive options. For example:

{enable | disable}

indicates that you must enter either enable or disable, but must not enter both.

Convention: Options delimited by spaces
Description: Non-mutually exclusive options. For example:

{http https ping snmp ssh telnet}

indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:

ping https ssh

Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:

ping https snmp ssh

If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.

Characteristics of XML threats

XML messages can be relatively large: many megabytes and thousands of packets. Unstructured matching of elements in those messages is complex and CPU- and memory-intensive. Because of the complexity of XML content, it is often not practical to develop signatures for XML-specific attacks on a traditional firewall or UTM. This leads to "zero day" vulnerabilities before attacks can be characterized and signatures developed. FortiWeb units understand the XML protocol, and only allow XML operations that you specifically allow. Table 3 lists several XML-related threats and describes how FortiWeb units protect against them.
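The positive-security approach that the "Characteristics of XML threats" section describes (permit only the XML operations you have explicitly allowed, and bound the CPU and memory a large or deeply nested message can consume) is shown below as an added example in Python. It is not FortiWeb code and does not reproduce FortiWeb's implementation: the SOAP envelope layout, the resource limits (64 KB, 16 nesting levels, 2000 elements), the DTD rejection rule, the allowlist and every sample message are constructed for this illustration. The screen is a streaming parse, so a message is rejected as soon as a limit is crossed rather than after it has been fully loaded.

```python
"""Positive-security screening of XML requests (added example; not FortiWeb code).

Checks, in order: byte-size cap, no DTD (entity-expansion risk), streaming
nesting-depth and element-count caps, well-formedness, and finally an
allowlist of the SOAP operations (the elements directly under soap:Body).
All limits and sample messages below are constructed for illustration.
"""
import io
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024       # constructed policy values
MAX_DEPTH = 16
MAX_ELEMENTS = 2000
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_BODY = "{%s}Body" % SOAP_ENV
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def screen_xml(message: bytes, allowed_operations) -> tuple:
    """Return ("allow", "ok") or ("block", reason). Every check must pass."""
    if len(message) > MAX_BYTES:
        return "block", "message exceeds %d bytes" % MAX_BYTES
    if DOCTYPE_RE.search(message):
        return "block", "DTD declarations are not permitted (entity expansion risk)"

    depth = count = 0
    stack = []          # qualified tags of the currently open elements
    operations = []     # local names of the elements found under soap:Body
    try:
        for event, elem in ET.iterparse(io.BytesIO(message), events=("start", "end")):
            if event == "start":
                depth += 1
                count += 1
                if depth > MAX_DEPTH:
                    return "block", "nesting deeper than %d levels" % MAX_DEPTH
                if count > MAX_ELEMENTS:
                    return "block", "more than %d elements" % MAX_ELEMENTS
                if stack and stack[-1] == SOAP_BODY:
                    operations.append(local_name(elem.tag))
                stack.append(elem.tag)
            else:
                depth -= 1
                stack.pop()
                elem.clear()    # discard finished subtrees: bounded memory
    except ET.ParseError as exc:
        return "block", "malformed XML: %s" % exc

    if not operations:
        return "block", "no SOAP operation found"
    denied = [op for op in operations if op not in allowed_operations]
    if denied:
        return "block", "operation not in allowlist: " + ", ".join(denied)
    return "allow", "ok"


# Constructed sample messages.
SAMPLE_OK = (b'<?xml version="1.0"?>\n'
             b'<soap:Envelope xmlns:soap="' + SOAP_ENV.encode() + b'">'
             b'<soap:Body><GetBalance xmlns="urn:bank"><account>1234</account>'
             b'</GetBalance></soap:Body></soap:Envelope>')
SAMPLE_DENIED = SAMPLE_OK.replace(b"GetBalance", b"TransferFunds")
SAMPLE_DTD = b'<!DOCTYPE x [<!ENTITY a "aaaa">]><x>&a;</x>'
SAMPLE_DEEP = b"<a>" * (MAX_DEPTH + 4) + b"</a>" * (MAX_DEPTH + 4)
SAMPLE_OVERSIZE = b"<x>" + b"a" * (MAX_BYTES + 1) + b"</x>"
SAMPLE_MALFORMED = (b'<soap:Envelope xmlns:soap="' + SOAP_ENV.encode() + b'">'
                    b'<soap:Body><GetBalance></soap:Body></soap:Envelope>')

ALLOWED = {"GetBalance"}    # constructed allowlist: the one operation this service exposes

if __name__ == "__main__":
    for name, msg in [("ok", SAMPLE_OK), ("denied", SAMPLE_DENIED), ("dtd", SAMPLE_DTD),
                      ("deep", SAMPLE_DEEP), ("oversize", SAMPLE_OVERSIZE),
                      ("malformed", SAMPLE_MALFORMED)]:
        print(name, screen_xml(msg, ALLOWED))
```

Note that the checks are ordered cheapest first: the size and DTD checks look at raw bytes before any parser state exists, and the depth and count caps fire during the streaming parse, so an oversized or deliberately nested message never consumes memory proportional to its size. The allowlist is the positive-security step the section describes: anything not named in it is blocked even when it is perfectly well-formed.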


Characteristics of HTTP threats

Web applications are increasingly being targeted by exploits such as SQL injection and cross-site scripting attacks. These attacks aim to compromise the target web server, either to steal information or to post malicious files on a trusted site to further exploit visitors to the site. The types of attacks that web servers are vulnerable to are numerous and varied. FortiWeb units offer several options for preventing web-related attacks. Table 4 lists several web-related threats and describes how FortiWeb units protect against