Administration Guide

Introduction
What's new
Key concepts
- Workflow
- Sequence of scans
- IPv6 support
- Solutions for specific web attacks
- HTTP/2 support
- HTTP sessions & security
- FortiWeb high availability (HA)
- Administrative domains (ADOMs)
- How to use the web UI
- Shutdown
How to set up your FortiWeb
- Appliance vs. VMware
- Registering your FortiWeb
- Planning the network topology
- Connecting to the web UI or CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time & date
- Setting the operation mode
- Feature visibility
- Configuring High Availability (HA) basic settings
  - HA heartbeat & active node election
  - Synchronization
- Replicating the configuration without FortiWeb HA (external HA)
- Configuring the network settings
- Configuring DNS settings
- Configuring HA settings specifically for active-passive and standard active-active modes
- Configuring HA settings specifically for high volume active-active mode
- Defining your web servers & load balancers
  - Protected web servers vs. allowed/protected host names
  - Defining your protected/allowed HTTP “Host:” header names
  - Defining your web servers
  - Defining your proxies, clients, & X-headers
  - Defining your network services
  - Configuring virtual servers on your FortiWeb
  - Enabling or disabling traffic forwarding to your servers
- Configuring FortiWeb to receive traffic via WCCP
- Configuring basic policies
- Testing your installation
- Switching out of Offline Protection mode
Policies
- How operation mode affects server policy behavior
- Configuring the global object allow list
- Configuring a protection profile for inline topologies
- Generating a protection profile using scanner reports
- Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
- Configuring client management
- Configuring an HTTP server policy
- Configuring traffic mirror
- ADFS Proxy
- Configuring FTP security
Secure connections (SSL/TLS)
- Offloading vs. inspection
- Supported cipher suites & protocol versions
- CA certificates
  - Importing CA certificate files locally
  - Let's Encrypt certificates
- How to offload or inspect HTTPS
- Forcing clients to use HTTPS
- HTTP Public Key Pinning
- How to apply PKI client authentication (personal certificates)
- Seamless PKI integration
- Revoking certificates
- How to export/back up certificates & private keys
- How to change FortiWeb's default certificate
- Configuring OCSP stapling
Users
- Authentication styles
- Offloading HTTP authentication & authorization
- Site Publishing (Single sign-on)
- Using Kerberos authentication delegation
- Offloaded authentication and optional SSO configuration
- Creating an Active Directory (AD) user for FortiWeb
- Example: Enforcing complex passwords
- Tracking users
- Creating reCAPTCHA servers
Application delivery
- Rewriting & redirecting
- Compression
- Caching
  - What can be cached?
- Acceleration
Web protection
- Blocking known attacks
- Advanced protection
- Cookie security
- Input validation
- Protocol constraints
  - HTTP/HTTPS protocol constraints
  - WebSocket Protocol
- Access control
- Anti-defacement
Bot mitigation
- Configuring threshold based detection
- Configuring biometrics based detection
- Configuring bot deception
- Configuring known bots
- Configuring bot mitigation policy
Protection for APIs
- Configuring JSON protection
- Configuring XML protection
- OpenAPI Validation
- Configuring mobile API protection
- API gateway
DoS protection
- DoS prevention
- Preventing slow and low attacks
Machine learning
- Enabling machine learning policy
- Configuring anomaly detection policy
- Configuring bot detection policy
  - Viewing bot detection model status
  - Viewing the bot detection violations
Compliance
- Authorization
- Preventing data leaks
- Vulnerability scans
Administrators
- Configuring access profiles
- Grouping remote authentication queries and certificates for administrators
- Changing an administrator’s password
- Certificate-based Web UI login
Advanced/optional system settings
- Changing the FortiWeb appliance’s host name
- Fail-to-wire for power loss/reboots
- Customizing error and authentication pages (replacement messages)
- Configuring the integrated firewall
  - Network address translation (NAT)
- Advanced settings
- Backup & restore
FortiView
- Topology
- Security
- Traffic
- Sessions
Monitoring your system
- Status dashboard
- Policy Status dashboard
- RAID level & disk statuses
- Logging
- Alert email
- SNMP traps & queries
- Reports
- Debug log
- Monitoring currently blocked IPs
- Monitoring currently tracked clients
- FortiGuard updates
- Vulnerability scans
Security Fabric
- External connectors
- Fabric Connector: Single Sign On with FortiGate
Fine-tuning & best practices
- Hardening security
- Improving performance
- Improving fault tolerance
- Reducing false positives
- Regular backups
- Downloading logs in RAM before shutdown or reboot
Troubleshooting
- Frequently asked questions
- Tools
- How to troubleshoot
- Solutions by issue type
- Resetting the configuration
- Restoring firmware (“clean install”)
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: FortiWeb-VM licenses
Appendix D: Supported RFCs, W3C, & IEEE standards
Appendix E: Regular expressions
Appendix F: How to purchase and renew FortiGuard licenses

Home FortiWeb 6.4.0 Administration Guide

6.4.0

What's new

Security Fabric - Single Sign On with FortiGate

The Security Fabric integration has been enhanced. New Fabric connectors tab is added. You can now use SSO to log in to FortiWeb directly from FortiGate.

For more information, see Fabric Connector: Single Sign On with FortiGate.

Machine Learning Anomaly Detection enhancement

Anomaly Detection in Machine Learning is enhanced to simplify the configuration and refine the process of model refreshing. Sample Collection mode and Parameter Model Update have been removed and are now fully automated.

For more information, see Configuring anomaly detection policy.

Web Shell Detection

The Trojan detection in File Security is upgraded to a separate tab named Web Shell Detection. This feature becomes more powerful as it not only detects known web shells but also performs fuzzy hash based web shell detection.

For more information, see Web Shell Detection.

Let's Encrypt certificate support

Integration with Let’s Encrypt is now supported, allowing to automatically generate server certificates alleviating the need to upload private certificates.

For more information, see Let's Encrypt certificates.

AWS and Azure External Connectors

You can configure External Connectors to authorize FortiWeb to access your public cloud resources on AWS and Azure in order to automatically obtain and dynamically update the IP addresses of the back-end servers.

For more information, see AWS Connector and Azure Connector.

reCAPTCHA support

reCAPTCHA for bot detection is now available. It's integrated into features such as Dos Protect and Bot Mitigation to confirm whether the client is a bot or not.

For more information, see Creating reCAPTCHA servers.

SQL/XSS Syntax Based Detection enhancement

Additional scan targets have been added to SQL/XSS Syntax Based Detection. "User-Agent", "Referer", and all other HTTP headers are now supported in addition to the existing "Parameter Name", "Parameter Value" and "Request Cookie".

For more information, see Syntax-based SQL/XSS injection detection.

Predefined policies in SQL/XSS Syntax Based Detection

Predefined SQL/XSS Syntax Based Detection policies are added so that you can quickly apply them in a web protection profile.

NTLM Authentication support in Site Publish rule

FortiWeb now supports authenticating clients by NTLM in HTTP. In Site Publish rule, you can select NTLM Authentication for Client Authentication Method, then select Kerberos Constrained Delegation for Authentication Delegation.

For more information, see Client Authentication Method in Offloaded authentication and optional SSO configuration.

New RADIUS authorization support for client certificate authentication

New options are added in Site Publish rule to support extracting username from the client certificate and send it to the RADIUS server for an additional authorization step.

For more information, see Authentication Delegation in Offloaded authentication and optional SSO configuration.

HTTP header append

The Referer-policy and Feature-Policy headers are now supported in HTTP Header Security.

For more information, see HTTP Security Headers.

HTTP header rewrite

It's now supported to rewrite HTTP headers in response packets by defining the HTTP Header Insertion and HTTP Header Removal list in URL Rewriting rule.

For more information, see Rewriting & redirecting.

Base64 decoding in payload

FortiWeb now supports decoding base64 payloads in parameters.

For more information, see Advanced Decoding.

UTF-16 JS decoding in payload

FortiWeb now supports UTF-16 JS payload decoding.

OpenAPI enhancement

The OpenAPI Validation feature is enhanced to support the security mechanism in OpenAPI 3.0.x specifications.

Health check in TTP mode

FortiWeb now supports executing health check to the back-end server in TTP mode. An exception is when FortiWeb is deployed in active-active standard HA mode.

For more information, see Defining your web servers.

FortiWeb admin interface web server certificate enhancement

You can now import an intermediate certificate for the FortiWeb admin interface.

For more information, see To upload the intermediate CA for the administrator.

7-day threats data in FortiView

FortiWeb now displays 7-day threats data in FortiView on 3000E and 4000E.

Additional events monitored by SNMP traps and OIDs

FortiWeb now allows you to monitor the following events by SNMP traps and OIDs.

Events monitored by SNMP OIDs: Virtual Server Object status, Server-Pool object status, Server Policy status, and Policy/Virtual Server traffic.
Events monitored by SNMP traps: Policy LDAP auth failure and Policy RADIUS auth failure.

Maximum configuration number increased on FortiWeb-VM

For FortiWeb-VM, its maximums for server policy, server pool, pool member, and virtual server are all increased to 1024 if the memory is larger than 64 GB; The maximums for all types of certificates are lifted to 1024 as well.

Administrator trusted host maximum increased

The maximum of trusted host per Administrator (configured in Admin > Administrator) is increased from 3 to 10.

Cookieless cache in Site Publish rule

The cookieless-cache CLI option is added for cookieless authentication in the Site Publish rule to allow flexible setting of the cache timeout value. When it's set to 0, FortiWeb will send authentication requests to the authentication server every time the user logs in.

For more information, see cookieless-cache in waf site-publish-helper rule.