FortiWeb Web Application Security


FortiWeb Web Application Security Version 4.0.2 Administration Guide

FortiWeb Web Application Security Administration Guide
Version 4.0.2
Revision 2
7 April 2010

Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory compliance
FCC Class A Part 15 CSA/CUS
CAUTION: Risk of explosion if battery is replaced by incorrect type. Dispose of used batteries according to instructions.

Contents

Introduction . 9
    Registering your Fortinet product . 9
    Customer service & technical support . 9
    Training . 10
    Documentation . 10
    Scope . 10
    Conventions . 11
        IP addresses . 11
        Cautions, Notes, & Tips . 11
        Typographical conventions . 11
        Command syntax conventions . 12
    Characteristics of XML threats . 14
    Characteristics of HTTP threats . 15
What's new . 19
About the web-based manager . 21
    System requirements . 21
    URL for access . 21
    Settings . 22
    Language support & regular expressions . 22
System . 25
    Viewing the system statuses . 25
        System Information widget . 27
            Changing the FortiWeb unit's host name . 29
        System Resources widget . 29
        CLI Console widget . 30
        Alert Message Console widget . 31
        Service Status widget . 32
        Policy Summary widget . 33
    Configuring the network interfaces . 34
        About VLANs . 39
    Configuring bridges . 39
    Configuring fail-open . 41
    Configuring the DNS settings . 42
    Configuring high availability (HA) . 42
        About the heartbeat and synchronization . 46
    Configuring the SNMP agent . 47
        Configuring an SNMP community . 48

FortiWeb Web Application Security Version 4.0.2 Administration Guide, Revision 2, http://docs.fortinet.com/

    Configuring DoS protection . 50
    Configuring the operation mode . 51
    Configuring administrator accounts . 53
        About trusted hosts . 56
    Configuring access profiles . 56
        About permissions . 58
    Configuring the web-based manager's global settings . 60
    Managing certificates . 61
        Managing local and server certificates . 62
            Generating a certificate signing request . 63
            Downloading a certificate signing request . 66
            Uploading a certificate . 66
        Managing OCSP server certificates . 68
        Managing CA certificates . 68
            Grouping CA certificates . 69
        Managing certificates for intermediate CAs . 70
            Grouping certificates for intermediate CAs . 71
        Managing the certificate revocation list . 72
        Configuring certificate verification rules . 73
    Backing up the configuration & installing firmware . 74
    Configuring the time & date . 75
    Uploading signature updates . 77
    Scheduling signature updates . 78
Router . 81
    Configuring static routes . 81
User . 83
    Configuring local users . 83
    Configuring LDAP user queries . 84
    Configuring NTLM user queries . 87
    Grouping users . 88
Server Policy . 91
    Configuring policies . 91
        Enabling or disabling a policy . 101
    Configuring virtual servers . 101
        Enabling or disabling a virtual server . 103
    Configuring physical servers . 103
        Enabling or disabling a physical server . 105
    Grouping physical servers into server farms . 106
    Configuring server health checks . 109

    Configuring custom services . 111
        Viewing the list of predefined services . 113
    Configuring protected hosts . 113
    Grouping the predefined data types . 116
        Viewing the list of predefined data types . 118
    Grouping the predefined suspicious URLs . 120
        Viewing the list of predefined URL rules . 121
XML Protection . 123
    Configuring schedules . 123
        Configuring one-time schedules . 123
        Configuring recurring schedules . 124
    Configuring content filter rules . 126
        How priority affects content filter rule matching . 129
        Enabling or disabling a content filter rule . 129
    Configuring intrusion prevention rules . 130
        Enabling or disabling an intrusion prevention rule . 132
    Configuring WSDL content routing groups . 133
    Managing XML signature and encryption keys . 135
        Uploading a key . 135
        Grouping keys into key management groups . 136
    Managing Schema files . 138
        Enabling or disabling a Schema file . 140
    Managing WSDL files . 141
        Enabling and disabling operations in a WSDL file . 142
        Grouping WSDL files . 143
    Configuring XML protection profiles . 144
Web Protection . 151
    Order of execution . 151
    Configuring input rules . 152
        Grouping input rules into parameter validation rules . 156
    Configuring page order rules . 158
    Configuring server protection rules . 161
        Configuring server protection exceptions . 167
    Configuring start pages . 170
    Configuring URL black list rules . 173
    Configuring URL white list rules . 175
    Blacklisting client IP addresses . 177
        Enabling or disabling IP address blacklisting . 178
        Viewing the top 10 IP black list candidates . 179

    Whitelisting client IP addresses . 180
    Configuring brute force login attack sensors . 181
    Configuring robot control sensors . 184
        Viewing the predefined list of well-known robots . 187
        Grouping predefined robots . 188
        Grouping custom robots . 189
    Configuring allowed method exceptions . 191
    Configuring hidden field rules . 194
        Grouping hidden field rules . 197
    Configuring URL rewriting . 199
        Grouping URL rewriting rules . 202
        Example: Rewriting URLs using regular expressions . 204
        Example: Rewriting URLs using variables . 204
    Configuring HTTP protocol constraints . 205
    Configuring HTTP authentication . 207
        Configuring authentication rules . 208
        Grouping authentication rules into authentication policies . 211
    Configuring inline web protection profiles . 213
    Configuring offline protection profiles . 219
    Configuring auto-learning profiles . 223
Auto Learn . 227
    Generating an auto-learning profile and its components . 227
    Viewing auto-learning reports . 228
        About the attack count . 232
    Generating a profile from auto-learning data . 232
Web Anti-Defacement . 237
    Configuring anti-defacement . 237
        About web site backups . 241
        Reverting a web site to a backup revision . 241
Web Vulnerability Scan . 243
    Preparing for the vulnerability scan job . 243
    Configuring vulnerability scans . 243
    Viewing a vulnerability report . 248
Log&Report . 251
    About logging . 251
        Log types . 251
        Log message severity levels . 252

    Configuring logging and alerts . 252
        Enabling logging and alerts . 253
        Obscuring sensitive data in the logs . 255
        Configuring logging to the local hard disk . 256
        Configuring logging to memory . 258
        Configuring logging to a Syslog server or FortiAnalyzer unit . 259
        Configuring and testing alerts . 260
    Viewing log messages . 262
        Customizing the log view . 264
        Displaying and arranging log columns . 265
        Filtering log messages . 266
        Grouping similar attack log messages . 267
    Configuring and generating reports . 268
        Configuring a report profile . 269
            Configuring the headers, footers, and logo of a report profile . 270
            Configuring the time period and log filter of a report profile . 271
            Configuring the query selection of a report profile . 273
            Configuring the advanced options of a report profile . 274
            Configuring the schedule of a report profile . 274
            Configuring the output of a report profile . 275
    Viewing and downloading reports . 277
Installing firmware . 279
    Testing new firmware before installing it . 279
    Installing firmware . 281
    Installing backup firmware . 283
    Restoring firmware . 285
Appendix A: Supported RFCs . 289
Appendix B: Maximum values matrix . 291
Appendix C: SNMP MIB support . 293
Index . 295


Introduction

Welcome and thank you for selecting Fortinet products for your network protection.

FortiWeb units are designed specifically to protect web servers.

Traditional firewalls and unified threat management (UTM) devices often understand the HTTP protocol, but do not understand simple object access protocol (SOAP) and other XML protocols and document types encapsulated within HTTP (RFC 2616). Because they lack in-depth inspection and analysis, traditional firewalls often cannot route connections based upon XML content. Worse still, attackers can bypass traditional firewall protection and cause problems for web servers that host HTML or XML-based services.

High performance is also important because XML and SOAP parsing requires relatively high amounts of CPU and memory resources. Traditional firewalls may be devoted to other business critical security functions, unable to meet performance requirements while also performing thorough scanning of XML and other HTTP document requests.

FortiWeb units are designed specifically to meet these needs.

In addition to providing application content-based routing and in-depth protection for many HTTP/HTTPS- and XML-specific attacks, FortiWeb units contain specialized hardware to accelerate SSL processing, and can thereby enhance both the security and the performance of connections to your web servers.

This section introduces you to FortiWeb units and the following topics:
• Registering your Fortinet product
• Customer service & technical support
• Training
• Documentation
• Scope
• Conventions
• Characteristics of XML threats
• Characteristics of HTTP threats

Registering your Fortinet product
Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.

Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.

For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.

Customer service & technical support
Fortinet Technical Support provides services designed to make sure that you can install your Fortinet products quickly, configure them easily, and operate them reliably in your network.

To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com.

You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article Technical Support Requirements.

Training
Fortinet Training Services provides classes that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide.

To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email them at training@fortinet.com.

Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes.

In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Base.

Fortinet Tools and Documentation CD
Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Base
The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Comments on Fortinet technical documentation
Please send information about any errors or omissions in this technical document to techdoc@fortinet.com.

Scope
This document describes how to use the web-based manager of the FortiWeb unit. It assumes you have already successfully installed the FortiWeb unit by following the instructions in the FortiWeb Installation Guide.

At this stage:
• You have administrative access to the web-based manager and/or CLI.
• The FortiWeb unit is integrated into your network.
• The operation mode has been configured.
• The system time, DNS settings, administrator password, and network interfaces have been configured.
• Firmware updates have been completed.
• Basic policies have been configured.

Once that basic installation is complete, you can use this document. This document explains how to use the web-based manager to:
• maintain the FortiWeb unit, including backups
• reconfigure basic items that were configured during installation
• configure advanced features, such as customized protection profiles, logging, and reporting

This document does not cover commands for the command line interface (CLI). For information on the CLI, see the FortiWeb CLI Reference.

Conventions
Fortinet technical documentation uses the conventions described below.

IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at

Cautions, Notes, & Tips
Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Note: Presents useful information, usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions
Fortinet documentation uses the following typographical conventions:

Table 1: Typographical conventions in Fortinet technical documentation

Button, menu, text box, field, or check box label:
    From Minimum log level, select Notification.

CLI input:
    config system dns
        set primary <address_ipv4>
    end

CLI output:
    FGT-602803030703 # get system settings
    comments: (null)
    opmode: nat

Emphasis:
    HTTP connections are not secure and can be intercepted by a third party.

File content:
    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
    <BODY><H4>You must authenticate to use this service.</H4>

Hyperlink:
    Visit the Fortinet Technical Support web site, https://support.fortinet.com.

Keyboard entry:
    Type a name for the remote VPN peer or client, such as Central O

