Fortinet black logo

Administration Guide

Configuring a protection profile for an out-of-band topology or asynchronous mode of operation

Configuring a protection profile for an out-of-band topology or asynchronous mode of operation

Offline Protection profiles combine previously configured rules, profiles, and policies into a comprehensive set that can be applied by a policy. Offline Protection profiles contain only the features that are supported in out-of-band topologies and asynchronous inspection, which are used with operation modes such as Transparent Inspection and Offline Protection.

Offline Protection profiles’ primary purpose is to detect attacks. Depending on the routing and network load, due to limitations inherent to out-of-band topologies and asynchronous inspection, FortiWeb may not be able to reliably block all of the attacks it detects, even if you have configured FortiWeb with an Action setting of Alert & Deny.

Offline Protection profiles only include features that do not require an inline network topology. You can configure them at any time, but a policy cannot apply an Offline Protection profile if the FortiWeb appliance is operating in a mode that does not support them. For details, see How operation mode affects server policy behavior.
To configure an Offline Protection profile
  1. Before configuring an Offline Protection profile, first configure any of the following that you want to include in the profile:
  • Go to Policy > Web Protection Profileand select the Offline Protection Profile tab.
  • To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

  • Click Create New.
  • Predefined profiles cannot be edited, but they can be viewed and cloned.

  • Configure these settings:
  • Name Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    Session Management

    Enable to use your web application’s session IDs in order for FortiWeb to be able to track the state of web applications across multiple requests. Also configure Session Timeout.

    Note: When FortiWeb is deployed in an offline topology or asynchronous operation mode, this feature requires that your web applications have session IDs in their URL. For details, see HTTP sessions & security and Supported features in each operation mode.

    Note: Enabling this option is required if:

    • You select features requiring session cookies, such as Hidden Fields Protection Rule
    • You want to include this profile’s traffic in the traffic log.
    Session Timeout

    Type the HTTP session timeout in seconds.

    After this time elapses during which there were no more subsequent requests, after which the FortiWeb appliance will regard the next request as the start of a new HTTP session.

    This option appears only if Session Management is enabled. The default is 1200 (20 minutes). The valid range is from 20 to 3,600 seconds.

    X-Forwarded-For

    Select the X-Forwarded-For: and X-Real-IP: HTTP header settings to use, if any. For details, see Defining your proxies, clients, & X-headers.

    Note: Configuring this option is required if the true IP address of the client is hidden from FortiWeb because a load balancer or other web proxy is deployed in front. In that case, you must configure an X-header rule so that FortiWeb will block only requests related to the original client. Otherwise, it may block all requests whenever any attack occurs, since all requests will appear to originate from the proxy’s IP.

    Session Key

    Type the name of the session ID, if any, that your web application uses in the URL to identify each session.

    By default, FortiWeb tracks some common session ID names: ASPSESSIONID, PHPSESSIONID, and JSESSIONID. Configure this field if your web application uses a custom or uncommon session ID. In those cases, you do not need to configure this setting.

    For example, in the following URL, a web application identifies its sessions using a parameter with the name mysession:

    page.php?mysession=123ABC&user=user1

    In that case, you must configure Session Key to be mysession so that FortiWeb will be able to recognize the session ID, 123ABC, and apply features that require sessions in order to function.

    This option appears only if Session Management is enabled.

    Signatures

    Select the name of the signature set, if any, that FortiWeb applies to matching requests.

    Attack log messages for this feature vary by which type of attack was detected. For a list, see Blocking known attacks & data leaks.

    Enable AMF3 Protocol Detection

    Enable to scan requests that use action message format 3.0 (AMF3) for:

    • Cross-site scripting (XSS) attacks
    • SQL injection attacks
    • Common exploits

    and other attack signatures that you have enabled in Signatures.

    AMF3 is a binary format that can be used by Adobe Flash/Flex clients to send input to server-side software.

    Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will cause the FortiWeb appliance to be unable to scan AMF3 requests for attacks.

    Custom Policy

    Select the name of a combination source IP, rate limit, HTTP header, and URL access policy, if any, that is applied to matching requests. For details, see Combination access control & rate limiting.

    Attack log messages contain Advanced Protection Violation when this feature detects a violation.

    Padding Oracle Protection

    Select the name of padding oracle protection rule, if any, that will be applied to matching requests. For details, see Defeating cipher padding attacks on individually encrypted inputs.

    Attack log messages contain Padding Oracle Attack when this feature detects a violation.

    Parameter Validation Rule

    Select the name of the HTTP parameter validation rule, if any, that will be applied to matching requests. For details, see Validating parameters (“input rules”).

    Attack log messages contain Parameter Validation Violation when this feature detects a parameter rule violation.

    Hidden Fields Protection Rule

    Select the name of a hidden fields group, if any, that will be applied to matching requests. For details, see Preventing tampering with hidden inputs.

    Attack log messages contain Hidden Field Manipulation when this feature detects hidden input tampering.

    This option appears only if Session Management is enabled.

    File Upload Restriction Policy

    Select an existing file upload restriction policy, if any, that will be applied to matching requests. For details, see Limiting file uploads.

    Attack log messages contain Illegal file size when this feature detects an excessively large upload.

    HTTP Protocol Constraints

    Select the name of an HTTP protocol constraint, if any, that will be applied to matching requests. For details, see HTTP/HTTPS protocol constraints.

    Attack log messages for this feature vary by which type of attack was detected. For a list, see HTTP/HTTPS protocol constraints.

    URL Access Policy

    Select the name of the URL access policy, if any, that will be applied to matching requests. For details, see Restricting access to specific URLs.

    Attack log messages contain URL Access Violation when this feature detects a request that violates this policy.

    Allow Request Method Policy

    Select an existing allowed method policy, if any, that will be applied to matching requests. For details, see Specifying allowed HTTP methods.

    Attack log messages contain HTTP Method Violation when this feature detects a non-allowed HTTP request method.

    Brute Force Login

    Select the name of a brute force login attack profile, if any, that will be applied to matching requests. For details, see Preventing brute force logins.

    Attack log messages contain Brute Force Login Violation when this feature detects a brute force login attack.

    IP List Policy

    Select the name of a client black list or white list, if any, that will be applied to matching requests. For details, see Blacklisting & whitelisting clients using a source IP or source IP range.

    Attack log messages contain Blacklisted IP blocked when this feature detects a blacklisted source IP address.

    Geo IP Select the name of a geographically-based client black list, if any, that will be applied to matching requests. For details, see Blacklisting & whitelisting countries & regions.
    XML Protection Select the name of an existing XML protection policy. For details, see Configuring XML protection.
    JSON Protection Select the name of an existing JSON protection policy. For details, see Configuring JSON protection.
    OpenAPI Validation Select the name of an existing OpenAPI protection policy. For details, see OpenAPI Validation.

    Mobile Application Identification

    Enable to configure the JWT token secret and token header to verify a request from a mobile application.

    Refer to Approov doc for how to get the token.

    For details, see Configuring mobile API protection.

    Note: You need to enable Mobile Application Identification first from System > Config > Feature Visibility.

    Token Secret

    Enter the token secret that you have got from Approov.

    Available only when Configuring a protection profile for an out-of-band topology or asynchronous mode of operation is enabled.

    Token Header

    Specify the header where the token is carried.

    Available only when Configuring a protection profile for an out-of-band topology or asynchronous mode of operation is enabled.

    Mobile API Protection

    Select the name of an existing API protection policy. For details, see Configuring mobile API protection.

    Available only when Configuring a protection profile for an out-of-band topology or asynchronous mode of operation is enabled.

    IP Reputation Enable to apply IP reputation-based blacklisting. For details, see Blacklisting source IPs with poor reputation.
    Allow Known Search Engines

    Enable to exempt popular search engines’ spiders from DoS sensors, brute force login sensors, HTTP protocol constraints, and combination rate & access control (called “advanced protection” and “custom policies” in the web UI).

    This option improves access for search engines. Rapid access rates, unusual HTTP usage, and other characteristics that may be abnormal for web browsers are often normal with search engines. If you block them, your websites’ rankings and visibility may be affected.

    By default, this option allows all popular predefined search engines. To specify which search engines will be exempt, click the Details link. A new frame will appear on the right side of the protection profile. Enable or disable each search engine, then click Apply. See also Blacklisting content scrapers, search engines, web crawlers, & other robots.

    File Uncompress Rule Select the name of a file decompression policy, if any, that will be applied to matching requests. For details, see Compression.
    User Tracking Select the name of a user tracking policy, if any, to use for matching requests. For details, see Tracking users.
    Data Analytics

    Enable to gather hit, attack, and traffic volume statistics for each server policy that includes this profile. For details, see Reports and Reports.

    Note: This option cannot be enabled until you have uploaded a geography-to-IP mapping database. For details, see Reports.

    To view or modify a component without leaving the page, next to the drop-down menu where you have selected the component, click Detail.

  • Click OK.
  • To apply the Offline Protection profile, select it in a policy. For details, see Configuring an HTTP server policy.
  • See also

    Configuring a protection profile for an out-of-band topology or asynchronous mode of operation

    Offline Protection profiles combine previously configured rules, profiles, and policies into a comprehensive set that can be applied by a policy. Offline Protection profiles contain only the features that are supported in out-of-band topologies and asynchronous inspection, which are used with operation modes such as Transparent Inspection and Offline Protection.

    Offline Protection profiles’ primary purpose is to detect attacks. Depending on the routing and network load, due to limitations inherent to out-of-band topologies and asynchronous inspection, FortiWeb may not be able to reliably block all of the attacks it detects, even if you have configured FortiWeb with an Action setting of Alert & Deny.

    Offline Protection profiles only include features that do not require an inline network topology. You can configure them at any time, but a policy cannot apply an Offline Protection profile if the FortiWeb appliance is operating in a mode that does not support them. For details, see How operation mode affects server policy behavior.
    To configure an Offline Protection profile
    1. Before configuring an Offline Protection profile, first configure any of the following that you want to include in the profile:
  • Go to Policy > Web Protection Profileand select the Offline Protection Profile tab.
  • To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

  • Click Create New.
  • Predefined profiles cannot be edited, but they can be viewed and cloned.

  • Configure these settings:
  • Name Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    Session Management

    Enable to use your web application’s session IDs in order for FortiWeb to be able to track the state of web applications across multiple requests. Also configure Session Timeout.

    Note: When FortiWeb is deployed in an offline topology or asynchronous operation mode, this feature requires that your web applications have session IDs in their URL. For details, see HTTP sessions & security and Supported features in each operation mode.

    Note: Enabling this option is required if:

    • You select features requiring session cookies, such as Hidden Fields Protection Rule
    • You want to include this profile’s traffic in the traffic log.
    Session Timeout

    Type the HTTP session timeout in seconds.

    After this time elapses during which there were no more subsequent requests, after which the FortiWeb appliance will regard the next request as the start of a new HTTP session.

    This option appears only if Session Management is enabled. The default is 1200 (20 minutes). The valid range is from 20 to 3,600 seconds.

    X-Forwarded-For

    Select the X-Forwarded-For: and X-Real-IP: HTTP header settings to use, if any. For details, see Defining your proxies, clients, & X-headers.

    Note: Configuring this option is required if the true IP address of the client is hidden from FortiWeb because a load balancer or other web proxy is deployed in front. In that case, you must configure an X-header rule so that FortiWeb will block only requests related to the original client. Otherwise, it may block all requests whenever any attack occurs, since all requests will appear to originate from the proxy’s IP.

    Session Key

    Type the name of the session ID, if any, that your web application uses in the URL to identify each session.

    By default, FortiWeb tracks some common session ID names: ASPSESSIONID, PHPSESSIONID, and JSESSIONID. Configure this field if your web application uses a custom or uncommon session ID. In those cases, you do not need to configure this setting.

    For example, in the following URL, a web application identifies its sessions using a parameter with the name mysession:

    page.php?mysession=123ABC&user=user1

    In that case, you must configure Session Key to be mysession so that FortiWeb will be able to recognize the session ID, 123ABC, and apply features that require sessions in order to function.

    This option appears only if Session Management is enabled.

    Signatures

    Select the name of the signature set, if any, that FortiWeb applies to matching requests.

    Attack log messages for this feature vary by which type of attack was detected. For a list, see Blocking known attacks & data leaks.

    Enable AMF3 Protocol Detection

    Enable to scan requests that use action message format 3.0 (AMF3) for:

    • Cross-site scripting (XSS) attacks
    • SQL injection attacks
    • Common exploits

    and other attack signatures that you have enabled in Signatures.

    AMF3 is a binary format that can be used by Adobe Flash/Flex clients to send input to server-side software.

    Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will cause the FortiWeb appliance to be unable to scan AMF3 requests for attacks.

    Custom Policy

    Select the name of a combination source IP, rate limit, HTTP header, and URL access policy, if any, that is applied to matching requests. For details, see Combination access control & rate limiting.

    Attack log messages contain Advanced Protection Violation when this feature detects a violation.

    Padding Oracle Protection

    Select the name of padding oracle protection rule, if any, that will be applied to matching requests. For details, see Defeating cipher padding attacks on individually encrypted inputs.

    Attack log messages contain Padding Oracle Attack when this feature detects a violation.

    Parameter Validation Rule

    Select the name of the HTTP parameter validation rule, if any, that will be applied to matching requests. For details, see Validating parameters (“input rules”).

    Attack log messages contain Parameter Validation Violation when this feature detects a parameter rule violation.

    Hidden Fields Protection Rule

    Select the name of a hidden fields group, if any, that will be applied to matching requests. For details, see Preventing tampering with hidden inputs.

    Attack log messages contain Hidden Field Manipulation when this feature detects hidden input tampering.

    This option appears only if Session Management is enabled.

    File Upload Restriction Policy

    Select an existing file upload restriction policy, if any, that will be applied to matching requests. For details, see Limiting file uploads.

    Attack log messages contain Illegal file size when this feature detects an excessively large upload.

    HTTP Protocol Constraints

    Select the name of an HTTP protocol constraint, if any, that will be applied to matching requests. For details, see HTTP/HTTPS protocol constraints.

    Attack log messages for this feature vary by which type of attack was detected. For a list, see HTTP/HTTPS protocol constraints.

    URL Access Policy

    Select the name of the URL access policy, if any, that will be applied to matching requests. For details, see Restricting access to specific URLs.

    Attack log messages contain URL Access Violation when this feature detects a request that violates this policy.

    Allow Request Method Policy

    Select an existing allowed method policy, if any, that will be applied to matching requests. For details, see Specifying allowed HTTP methods.

    Attack log messages contain HTTP Method Violation when this feature detects a non-allowed HTTP request method.

    Brute Force Login

    Select the name of a brute force login attack profile, if any, that will be applied to matching requests. For details, see Preventing brute force logins.

    Attack log messages contain Brute Force Login Violation when this feature detects a brute force login attack.

    IP List Policy

    Select the name of a client black list or white list, if any, that will be applied to matching requests. For details, see Blacklisting & whitelisting clients using a source IP or source IP range.

    Attack log messages contain Blacklisted IP blocked when this feature detects a blacklisted source IP address.

    Geo IP Select the name of a geographically-based client black list, if any, that will be applied to matching requests. For details, see Blacklisting & whitelisting countries & regions.
    XML Protection Select the name of an existing XML protection policy. For details, see Configuring XML protection.
    JSON Protection Select the name of an existing JSON protection policy. For details, see Configuring JSON protection.
    OpenAPI Validation Select the name of an existing OpenAPI protection policy. For details, see OpenAPI Validation.

    Mobile Application Identification

    Enable to configure the JWT token secret and token header to verify a request from a mobile application.

    Refer to Approov doc for how to get the token.

    For details, see Configuring mobile API protection.

    Note: You need to enable Mobile Application Identification first from System > Config > Feature Visibility.

    Token Secret

    Enter the token secret that you have got from Approov.

    Available only when Configuring a protection profile for an out-of-band topology or asynchronous mode of operation is enabled.

    Token Header

    Specify the header where the token is carried.

    Available only when Configuring a protection profile for an out-of-band topology or asynchronous mode of operation is enabled.

    Mobile API Protection

    Select the name of an existing API protection policy. For details, see Configuring mobile API protection.

    Available only when Configuring a protection profile for an out-of-band topology or asynchronous mode of operation is enabled.

    IP Reputation Enable to apply IP reputation-based blacklisting. For details, see Blacklisting source IPs with poor reputation.
    Allow Known Search Engines

    Enable to exempt popular search engines’ spiders from DoS sensors, brute force login sensors, HTTP protocol constraints, and combination rate & access control (called “advanced protection” and “custom policies” in the web UI).

    This option improves access for search engines. Rapid access rates, unusual HTTP usage, and other characteristics that may be abnormal for web browsers are often normal with search engines. If you block them, your websites’ rankings and visibility may be affected.

    By default, this option allows all popular predefined search engines. To specify which search engines will be exempt, click the Details link. A new frame will appear on the right side of the protection profile. Enable or disable each search engine, then click Apply. See also Blacklisting content scrapers, search engines, web crawlers, & other robots.

    File Uncompress Rule Select the name of a file decompression policy, if any, that will be applied to matching requests. For details, see Compression.
    User Tracking Select the name of a user tracking policy, if any, to use for matching requests. For details, see Tracking users.
    Data Analytics

    Enable to gather hit, attack, and traffic volume statistics for each server policy that includes this profile. For details, see Reports and Reports.

    Note: This option cannot be enabled until you have uploaded a geography-to-IP mapping database. For details, see Reports.

    To view or modify a component without leaving the page, next to the drop-down menu where you have selected the component, click Detail.

  • Click OK.
  • To apply the Offline Protection profile, select it in a policy. For details, see Configuring an HTTP server policy.
  • See also