Administration Guide

Creating an ADFS server policy

To configure a policy
  1. Go to System > Config > Feature Visibility, then enable ADFS Policy. Skip this step if it is already enabled.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the System Configuration category.
  2. Go to Policy > Server Policy.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Server Policy Configuration category.
  3. Click Create New > Create ADFS policy.
  4. Configure the following settings.

    Policy Name

    Type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 63 characters.

    Virtual Server

    Select the name of the virtual server you have created.

    Server Pool

    Select the name of the server pool you have created.

    Syn Cookie

    Enable to prevent TCP SYN floods. If this option is enabled, you must also configure Half Open Threshold below.

    For details, see "DoS prevention" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

    Half Open Threshold

    Type the TCP SYN cookie threshold in packets per second.

    ADFS Certificate Authentication Service

    Configure this option if the ADFS server requires a client certificate for authentication.

    Select the pre-defined service TLSCLIENTPORT if FortiWeb uses service port 49443 to listen for certificate authentication requests. 49443 is the default port on which ADFS itself listens for certificate authentication.

    To define a custom service, go to Server Objects > Service. For details, see "Defining your network services" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

    Certificate Verification for Certificate Authentication

    Select the certificate validation rule you have created for verifying client certificates.

    HTTPS Service

    Configure this option if the ADFS server requires a username and password for authentication.

    Select the pre-defined service HTTPS if FortiWeb uses service port 443 to listen for credential authentication requests.

    To define a custom HTTPS service, go to Server Objects > Service. For details, see "Defining your network services" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

    Enable Multi-certificate

    Enable this option to allow FortiWeb to use multiple local certificates.

    Certificate

    Select the server certificate that FortiWeb uses to encrypt or decrypt SSL-secured HTTPS connections with the clients.

    Certificate Intermediate Group

    Select the name of a group of intermediate certificate authority (CA) certificates, if any, that FortiWeb presents to clients. An intermediate CA can complete the signing chain and validate the server certificate’s CA signature.

    Configure this option when clients receive certificate warnings because the server certificate selected in Certificate is signed by an intermediate CA rather than by a root CA or another CA that the client already trusts directly.

    Alternatively, you can include the entire signing chain in the server certificate itself before you upload it to FortiWeb. For details, see "Uploading a server certificate" and "Supplementing a server certificate with its signing chain" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

    Web Protection Profile

    Select the profile to apply to the connections that this policy accepts, or select Create New to add a new profile in a pop-up window without leaving the current page.

    The protection features most suitable for the ADFS policy are Signatures, URL Rewriting, and Site Publish. Enabling them in the protection profile is sufficient for most ADFS protection scenarios.

    Replacement Message

    Select the replacement message to apply to the policy.

    Monitor Mode

    Enable to override any actions included in the profiles. Instead, FortiWeb accepts all requests and generates an alert email and/or log message for every policy violation.

    This setting does not affect any rewriting or redirection actions in the protection profiles, including the action to remove poisoned cookies.

    Note: Logging and/or alert email occur only if you enable and configure them. For details, see "Logging" and "Alert email" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

    URL Case Sensitivity

    Enable to differentiate uniform resource locators (URLs) according to upper case and lower case letters for features that act upon the URLs in the headers of HTTP requests.

    For example, when this option is enabled, an HTTP request for http://www.Example.com/ would not match profile features that specify http://www.example.com (the two differ only in the case of “e”).

    Windows matches ADFS endpoint paths case-insensitively, so /adfs/ls/ and /ADFS/LS/ reach the same back-end endpoint. With this option enabled, a URL-based rule written for one spelling does not match the other; either cover the variants you expect in the profile or leave the option disabled.

    Comments

    Type a description or other comment. The description can be up to 999 characters long.
  5. In most cases, the Advanced SSL settings are not necessary for the ADFS server policy. Configure them only if they suit your scenario.

    Certificate Verification for HTTPS

    Select the certificate validation rule you want to use for HTTPS connections.

    Enable Server Name Indication (SNI)

    Select to use a Server Name Indication (SNI) configuration instead of or in addition to the server certificate.

    The SNI configuration enables FortiWeb to determine which certificate to present on behalf of the members of a pool based on the domain in the client request. For details, see "Allowing FortiWeb to support multiple server certificates" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

    If you specify both an SNI configuration and Certificate, FortiWeb uses the certificate specified by Certificate when the requested domain does not match a value in the SNI configuration.

    Supported SSL Protocols

    Specify which versions of the SSL or TLS cryptographic protocols clients can use to connect securely to the FortiWeb appliance or back-end servers.

    For details, see "Supported cipher suites & protocol versions" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

    SSL/TLS encryption level

    Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or customized security configuration.

    If you select Customized, you can select a cipher and then use the arrow keys to move it to the appropriate list.

    For details, see "Supported cipher suites & protocol versions" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

    Disable Client-Initiated SSL Renegotiation

    Select to configure FortiWeb to ignore requests from clients to renegotiate TLS or SSL.

    This protects against denial-of-service (DoS) attacks that use TLS/SSL renegotiation to overburden the server.

  6. Click OK.
  7. The server policy is displayed in the list on Policy > Server Policy. Initially, it is enabled.

    Legitimate traffic should now be able to flow, while policy-violating traffic (that is, traffic that is prohibited by the settings in your policy or protection profile) may be blocked, depending on the Action settings of the rule that the traffic has violated.

  8. To verify the policy, test it by forming connections between legitimate clients and servers at various points within your network topology. Also attempt to send traffic that violates your policy and should therefore be logged, modified, or blocked.
    If the ADFS proxy is running, Log&Report > Event shows event logs whose action name is adfsproxy-status-check. If the ADFS proxy is not running correctly, the Message field of these logs displays an error message.

If a connection fails, you can use tools included in the firmware to determine whether the problem is local to the appliance or elsewhere on the network. For details, see "Troubleshooting" and "Reducing false positives" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).
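The verification step can be driven from a client outside the appliance. The following script is an added example, not FortiWeb or Microsoft code: it pins each handshake to a single TLS version to confirm that the floor chosen under Supported SSL Protocols is enforced on both the HTTPS service (443) and the certificate authentication service (49443), and separately checks that the chain presented under Certificate and Certificate Intermediate Group verifies against the local trust store for the published hostname. The hostname fs.example.com, the TLS 1.2 floor, and the optional client certificate paths are assumptions.

```python
"""Client-side probe of an ADFS server policy published by FortiWeb.

Added example, not FortiWeb or Microsoft code. It exercises, from outside,
the behaviour controlled by the policy settings:
  * HTTPS Service (443) and ADFS Certificate Authentication Service (49443)
    answer TLS on the virtual server;
  * Supported SSL Protocols: versions below the configured floor are refused;
  * Certificate / Certificate Intermediate Group: the presented chain verifies
    against the local trust store and matches the published hostname.
Hostname, ports, floor and certificate paths below are assumptions.
"""
import socket
import ssl
from dataclasses import dataclass

ADFS_HOST = "fs.example.com"           # assumption: FQDN served by the virtual server
HTTPS_PORT = 443                       # pre-defined HTTPS service (username/password)
TLS_CLIENT_PORT = 49443                # pre-defined TLSCLIENTPORT service (client certificate)
MIN_VERSION = ssl.TLSVersion.TLSv1_2   # assumption: floor chosen under Supported SSL Protocols
CLIENT_CERT = None                     # assumption: ("user.pem", "user-key.pem") for the 49443 probe

PROBE_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


@dataclass(frozen=True)
class Finding:
    port: int
    version: str
    accepted: bool
    ok: bool       # True when the observed behaviour matches the configured floor
    detail: str


def handshake(host, port, version, client_cert=None, timeout=5.0):
    """Handshake pinned to exactly one TLS version; returns (accepted, detail).

    Chain verification is off here so that a missing intermediate is not
    mistaken for a protocol refusal; verify_chain() covers the chain.
    SECLEVEL=0 lets the local OpenSSL still offer TLS 1.0/1.1; if it cannot,
    the detail reads like a local error rather than a server alert.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def verify_chain(host, port, timeout=5.0):
    """Strict handshake with the default trust store and hostname check.

    If handshake() succeeds but this fails with CERTIFICATE_VERIFY_FAILED, the
    usual cause is a missing intermediate (Certificate Intermediate Group) or a
    certificate whose subject alternative names do not cover the published host.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, f"chain ok, issued by {issuer.get('commonName')}"
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def evaluate(port, results, floor):
    """Judge one port's per-version handshake results against the floor."""
    findings = []
    for version in sorted(results):
        accepted, detail = results[version]
        if version < floor:
            ok = not accepted        # downgrade attempts must be refused
        elif version == floor:
            ok = accepted            # the floor itself must work, or nothing connects
        else:
            ok = True                # newer versions are optional
        findings.append(Finding(port, version.name, accepted, ok, detail))
    return findings


def probe_port(host, port, floor, client_cert=None):
    results = {v: handshake(host, port, v, client_cert) for v in PROBE_VERSIONS}
    return evaluate(port, results, floor)


if __name__ == "__main__":
    for port, cert in ((HTTPS_PORT, None), (TLS_CLIENT_PORT, CLIENT_CERT)):
        for f in probe_port(ADFS_HOST, port, MIN_VERSION, cert):
            state = "accepted" if f.accepted else "refused "
            print(f"{port} {f.version:<8} {state} {'OK  ' if f.ok else 'FAIL'} {f.detail}")
        print(port, "chain:", *verify_chain(ADFS_HOST, port))
```

Run it from a client that reaches the virtual server. Two readings need care: a downgrade handshake refused by your own OpenSSL (the detail mentions "no protocols available" rather than a server alert) proves nothing about FortiWeb, and a refusal on 49443 with no client certificate loaded can be the client-certificate requirement rather than a protocol refusal, so set CLIENT_CERT for that port. Client-initiated renegotiation is not exercised here; test it with `openssl s_client -connect fs.example.com:443` and type R on a line by itself, which requests a renegotiation that a policy with Disable Client-Initiated SSL Renegotiation should not honor.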
