Fortinet black logo

Administration Guide

Generating a protection profile using scanner reports

Generating a protection profile using scanner reports

Instead of creating a protection profile from scratch, you can use XML-format reports from FortiWeb Scanner or third-party web vulnerability scanners to automatically generate FortiWeb protection profiles that contain rules and policies that are appropriate for your environment.

For example, if the scanner report detects an SQL injection vulnerability, FortiWeb can automatically create a custom access control rule that matches the appropriate URL, parameter, and signature. It adds the generated rule to either an existing protection profile or a new one.

You can generate rules for all vulnerabilities in the report when you import it. Alternatively, you can manually select which vulnerabilities to create rules for after you import the report. When you automatically create rules, you can select which ADOM to add the generated rules to.

Depending on the contents of the report, FortiWeb generates rules of the following types:

WhiteHat Sentinel scanner report requirements

To allow FortiWeb to generate rules using a WhiteHat Sentinel scanner report, ensure that the parameters “display_vulnerabilities” and “display_description” are enabled when you run the scan.

You can upload a WhiteHat Sentinel scanner report using either a report file you have downloaded manually or directly import the file from the WhiteHat portal using the RESTful API. Importing a scanner file from the WhiteHat portal requires the API key and application name that WhiteHat provides.

To retrieve the WhiteHat API key and application name
  1. Go to the following location and log in:
  2. https://source.whitehatsec.com/summary.html#dashboard

  3. In the top right corner, click My Profile.
  4. Click View My API Key and enter your password.
  5. Your API key is displayed. For example:

  6. To view the application name, navigate to the Assets tab. The application name is the NAME value. For example:

Telefónica FAAST scanner report requirements

You can upload a Telefónica FAAST scanner report using either a report file you have downloaded manually or directly import the file from the Telefónica FAAST portal using the RESTful API. Importing a scanner file from the Telefónica FAAST portal requires the API key that Telefónica FAAST provides. One Telefónica FAAST scanner account can apply for an API key.

To apply for a Telefónica FAAST API key
  1. Go to the following location and log in:
  2. https://cybersecurity.telefonica.com/vulnerabilities/es/api_docs

  3. In the session : Authentication page, please select POST > api/session for the method, and fill in the blanks for username and password. Then click Try it out.
  4. The API key will be gave in the Response Body if the username and password are authorized.

HP WebInspect scanner report requirements

To generate rules from HP WebInspect, when you export the report, for the Details option, select either Full or Vulnerabilities.

To import a scanner report
  1. Go to Web Vulnerability Scan > Scanner Integration > Scanner Integration.
  2. A list of imported reports is displayed.

  3. Click Scanner File Import.
  4. Configure these settings:
  5. Scanner Type Select the type of scanner report you want to import.
    • Acunetix
    • IBM AppScan Standard
    • WhiteHat
    • HP WebInspect
    • Qualys
    • Telefonica FAAST
    • ImmuniWeb
    • FortiWeb Scanner
    Some types of reports have specific requirements. For details, see WhiteHat Sentinel scanner report requirements, Telefónica FAAST scanner report requirements and HP WebInspect scanner report requirements.
    Method

    If Scanner Type is WhiteHat, specify whether to import an XML file you have downloaded manually or retrieve a report from the WhiteHat portal using the REST API.

    If Scanner Type is Telefonica FAAST, specify whether to import an XML file you have downloaded manually or retrieve a report from the Telefónica FAAST portal using the REST API.

    API Key

    If Scanner Type is WhiteHat and Method is REST API, enter the API Key that WhiteHat provides. For details, see WhiteHat Sentinel scanner report requirements.

    If Scanner Type is Telefonica FAAST and Method is REST API, enter the API Key that Telefónica FAAST provides. For details, see WhiteHat Sentinel scanner report requirements.

    Application Name If Scanner Type is WhiteHat and Method is REST API, enter the application name that WhiteHat provides. For details, see WhiteHat Sentinel scanner report requirements.
    Upload File Allows you to navigate to and select a scanner report file to upload. Currently, you can upload XML-format files only.
    Generate FortiWeb Rules Automatically Specifies whether FortiWeb generates a corresponding rule for each reported vulnerability when it imports the scanner report.
    ADOM Name

    Select the ADOM that FortiWeb adds the generated rules to.

    Available only if Generate FortiWeb Rules Automatically is enabled.

    Profile Type Specifies whether FortiWeb adds the generated rules to an inline or Offline Protection profile.

    Available only if Generate FortiWeb Rules Automatically is enabled.
    Merge the Report to Existing Rule Specifies whether FortiWeb adds the generated rules to an existing protection profile or creates a new profile for them.

    Available only if Generate FortiWeb Rules Automatically is enabled.
    Rule Name Specifies the name of the protection profile to add the generated rules to or the name of a new protection profile.

    Available only if Generate FortiWeb Rules Automatically is enabled.
    Action Specifies the action that FortiWeb takes when it detects a vulnerability. You can specify different actions for high-, medium-, and low-level vulnerabilities.

    Alert—Accept the request and generate an alert email and/or log message.

    Deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    Available only if Generate FortiWeb Rules Automatically is enabled.
  6. Click OK.
  7. FortiWeb uploads the file and adds the report contents to the list of imported reports.

  8. If you did not generate rules for all the vulnerabilities, you can create rules for individual vulnerabilities. Select one or more of them, click Mitigate, and then complete the settings in the dialog box.
  9. Use the link in the Profile Name column to view the protection profile that contains a generated rule or policy. The link in the Rule Name column allows you to view the settings for that item.
  10. To remove individual rules but preserve the corresponding vulnerability items in the list, select one or more vulnerabilities, and then click Cancel.
  11. You can use the Mitigate option to re-create the rule later, if needed.

  12. To delete the imported report or an individual vulnerability, select the item to delete, and then click Delete.

FortiWeb prompts you to confirm that you want to delete any rules that are associated with the item. FortiWeb does not delete the protection profile that contains the rules.

Generating a protection profile using scanner reports

Instead of creating a protection profile from scratch, you can use XML-format reports from FortiWeb Scanner or third-party web vulnerability scanners to automatically generate FortiWeb protection profiles that contain rules and policies that are appropriate for your environment.

For example, if the scanner report detects an SQL injection vulnerability, FortiWeb can automatically create a custom access control rule that matches the appropriate URL, parameter, and signature. It adds the generated rule to either an existing protection profile or a new one.

You can generate rules for all vulnerabilities in the report when you import it. Alternatively, you can manually select which vulnerabilities to create rules for after you import the report. When you automatically create rules, you can select which ADOM to add the generated rules to.

Depending on the contents of the report, FortiWeb generates rules of the following types:

WhiteHat Sentinel scanner report requirements

To allow FortiWeb to generate rules using a WhiteHat Sentinel scanner report, ensure that the parameters “display_vulnerabilities” and “display_description” are enabled when you run the scan.

You can upload a WhiteHat Sentinel scanner report using either a report file you have downloaded manually or directly import the file from the WhiteHat portal using the RESTful API. Importing a scanner file from the WhiteHat portal requires the API key and application name that WhiteHat provides.

To retrieve the WhiteHat API key and application name
  1. Go to the following location and log in:
  2. https://source.whitehatsec.com/summary.html#dashboard

  3. In the top right corner, click My Profile.
  4. Click View My API Key and enter your password.
  5. Your API key is displayed. For example:

  6. To view the application name, navigate to the Assets tab. The application name is the NAME value. For example:

Telefónica FAAST scanner report requirements

You can upload a Telefónica FAAST scanner report using either a report file you have downloaded manually or directly import the file from the Telefónica FAAST portal using the RESTful API. Importing a scanner file from the Telefónica FAAST portal requires the API key that Telefónica FAAST provides. One Telefónica FAAST scanner account can apply for an API key.

To apply for a Telefónica FAAST API key
  1. Go to the following location and log in:
  2. https://cybersecurity.telefonica.com/vulnerabilities/es/api_docs

  3. In the session : Authentication page, please select POST > api/session for the method, and fill in the blanks for username and password. Then click Try it out.
  4. The API key will be gave in the Response Body if the username and password are authorized.

HP WebInspect scanner report requirements

To generate rules from HP WebInspect, when you export the report, for the Details option, select either Full or Vulnerabilities.

To import a scanner report
  1. Go to Web Vulnerability Scan > Scanner Integration > Scanner Integration.
  2. A list of imported reports is displayed.

  3. Click Scanner File Import.
  4. Configure these settings:
  5. Scanner Type Select the type of scanner report you want to import.
    • Acunetix
    • IBM AppScan Standard
    • WhiteHat
    • HP WebInspect
    • Qualys
    • Telefonica FAAST
    • ImmuniWeb
    • FortiWeb Scanner
    Some types of reports have specific requirements. For details, see WhiteHat Sentinel scanner report requirements, Telefónica FAAST scanner report requirements and HP WebInspect scanner report requirements.
    Method

    If Scanner Type is WhiteHat, specify whether to import an XML file you have downloaded manually or retrieve a report from the WhiteHat portal using the REST API.

    If Scanner Type is Telefonica FAAST, specify whether to import an XML file you have downloaded manually or retrieve a report from the Telefónica FAAST portal using the REST API.

    API Key

    If Scanner Type is WhiteHat and Method is REST API, enter the API Key that WhiteHat provides. For details, see WhiteHat Sentinel scanner report requirements.

    If Scanner Type is Telefonica FAAST and Method is REST API, enter the API Key that Telefónica FAAST provides. For details, see WhiteHat Sentinel scanner report requirements.

    Application Name If Scanner Type is WhiteHat and Method is REST API, enter the application name that WhiteHat provides. For details, see WhiteHat Sentinel scanner report requirements.
    Upload File Allows you to navigate to and select a scanner report file to upload. Currently, you can upload XML-format files only.
    Generate FortiWeb Rules Automatically Specifies whether FortiWeb generates a corresponding rule for each reported vulnerability when it imports the scanner report.
    ADOM Name

    Select the ADOM that FortiWeb adds the generated rules to.

    Available only if Generate FortiWeb Rules Automatically is enabled.

    Profile Type Specifies whether FortiWeb adds the generated rules to an inline or Offline Protection profile.

    Available only if Generate FortiWeb Rules Automatically is enabled.
    Merge the Report to Existing Rule Specifies whether FortiWeb adds the generated rules to an existing protection profile or creates a new profile for them.

    Available only if Generate FortiWeb Rules Automatically is enabled.
    Rule Name Specifies the name of the protection profile to add the generated rules to or the name of a new protection profile.

    Available only if Generate FortiWeb Rules Automatically is enabled.
    Action Specifies the action that FortiWeb takes when it detects a vulnerability. You can specify different actions for high-, medium-, and low-level vulnerabilities.

    Alert—Accept the request and generate an alert email and/or log message.

    Deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    Available only if Generate FortiWeb Rules Automatically is enabled.
  6. Click OK.
  7. FortiWeb uploads the file and adds the report contents to the list of imported reports.

  8. If you did not generate rules for all the vulnerabilities, you can create rules for individual vulnerabilities. Select one or more of them, click Mitigate, and then complete the settings in the dialog box.
  9. Use the link in the Profile Name column to view the protection profile that contains a generated rule or policy. The link in the Rule Name column allows you to view the settings for that item.
  10. To remove individual rules but preserve the corresponding vulnerability items in the list, select one or more vulnerabilities, and then click Cancel.
  11. You can use the Mitigate option to re-create the rule later, if needed.

  12. To delete the imported report or an individual vulnerability, select the item to delete, and then click Delete.

FortiWeb prompts you to confirm that you want to delete any rules that are associated with the item. FortiWeb does not delete the protection profile that contains the rules.