Fortinet black logo

Administration Guide

Configuring a protection profile for an out-of-band topology or asynchronous mode of operation

Configuring a protection profile for an out-of-band topology or asynchronous mode of operation

Offline Protection profiles combine previously configured rules, profiles, and policies into a comprehensive set that can be applied by a policy. Offline Protection profiles contain only the features that are supported in out-of-band topologies and asynchronous inspection, which are used with operation modes Transparent Inspection and Offline Protection.

When the operation mode is changed to Reverse Proxy, True Transparent Proxy, or WCCP, the Offline Protection tab will be hidden.

Offline Protection profiles’ primary purpose is to detect attacks. Depending on the routing and network load, due to limitations inherent to out-of-band topologies and asynchronous inspection, FortiWeb may not be able to reliably block all of the attacks it detects, even if you have configured FortiWeb with an Action setting of Alert & Deny.

Offline Protection profiles only include features that do not require an inline network topology. You can configure them at any time, but a policy cannot apply an Offline Protection profile if the FortiWeb appliance is operating in a mode that does not support them. For details, see How operation mode affects server policy behavior.
To configure an Offline Protection profile
  1. Before configuring an Offline Protection profile, first configure any of the following that you want to include in the profile:
  2. Go to Policy > Web Protection Profile and select the Offline Protection Profile tab.
  3. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

  4. Click Create New.
  5. Predefined profiles cannot be edited, but they can be viewed and cloned.

  6. Configure these settings:
    NameType a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    Client Management

    Enable to track a client by the inserted cookie, or source IP when cookie is prohibited.
    For details, see Client management.

    Session Key

    Type the cookie value, if any, that FortiWeb uses to track the client.

    By default, FortiWeb tracks three cookie names: ASPSESSIONID, PHPSESSIONID, and JSESSIONID.

    Configure this field if your web application uses a custom or uncommon cookie.

    This option appears only if Client Management is enabled.

    Signatures

    Select the name of the signature set you have configured in Web Protection > Known Attacks, if any, that will be applied to matching requests.

    Enable AMF3, XML, or JSON Protocol Detection if applicable.

    Attack log messages for this feature vary by which type of attack was detected. For a list, see Blocking known attacks .

    HTTP Protocol Constraints

    Select the name of an HTTP parameter constraint, if any, that will be applied to matching requests. For details, see HTTP/HTTPS protocol constraints.

    Attack log messages for this feature vary by which type of constraint was violated.

    X-Forwarded-For

    Select the X-Forwarded-For: and X-Real-IP: HTTP header settings to use, if any. For details, see Defining your proxies, clients, & X-headers.

    Note: Configuring this option is required if the true IP address of the client is hidden from FortiWeb because a load balancer or other web proxy is deployed in front. In that case, you must configure an X-header rule so that FortiWeb will block only requests related to the original client. Otherwise, it may block all requests whenever any attack occurs, since all requests will appear to originate from the proxy’s IP.

    Custom Policy

    Select the name of a combination source IP, rate limit, HTTP header, and URL access policy, if any, that will be applied to matching requests. For details, see Custom Policy.

    Attack log messages contain Custom Access Violation when this feature detects a violation.

    Padding Oracle Protection

    Select the name of padding oracle protection rule, if any, that will be applied to matching requests. For details, see Defeating cipher padding attacks on individually encrypted inputs.

    Attack log messages contain Padding Oracle Attack when this feature detects a violation.

    SQL/XSS Syntax Based Detection

    Select the name of a SQL/XSS syntax based detection policy if any, that will be applied to matching requests. For details, see Syntax-based SQL/XSS injection detection.

    Parameter Validation

    Select the name of the parameter validation rule, if any, that will be applied to matching requests. For details, see Validating parameters (“input rules”).

    Attack log messages contain Parameter Validation Violation when this feature detects a parameter rule violation.

    Hidden Fields Protection

    Select the name of the hidden fields protection rule, if any, to use to protect hidden fields on your website. For details, see Preventing tampering with hidden inputs.

    Attack log messages contain Hidden Field Manipulation when this feature detects tampering.

    This option appears only when Configuring a protection profile for an out-of-band topology or asynchronous mode of operation is enabled.

    File Security

    Select an existing file security policy, if any, that will be applied to matching HTTP requests. For details, see Limiting file uploads.

    Attack log messages contain Illegal File Size when this feature detects an excessively large upload.

    Enable AMF3 Protocol Detection

    Enable to scan requests that use action message format 3.0 (AMF3) for:

    • Cross-site scripting (XSS) attacks
    • SQL injection attacks
    • Common exploits

    and other attack signatures that you have enabled in Signatures.

    AMF3 is a binary format that can be used by Adobe Flash/Flex clients to send input to server-side software.

    Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will cause the FortiWeb appliance to be unable to scan AMF3 requests for attacks.

    URL Access

    Select the name of the URL access policy, if any, that will be applied to matching HTTP requests. For details, see Restricting access to specific URLs.

    Attack log messages contain URL Access Violation when this feature detects a URL matched by this policy.

    Allow Method

    Select an existing allow method policy, if any, that will be applied to matching HTTP requests. For details, see Specifying allowed HTTP methods.

    Attack log messages contain HTTP Method Violation when this feature detects a non-allowed HTTP request method.

    XML Protection

    Select the name of an existing XML protection policy. For details, see Configuring XML protection.

    JSON Protection

    Select the name of an existing JSON protection policy. For details, see Configuring JSON protection.

    OpenAPI Protection

    Select the name of an existing OpenAPI protection policy. For details, see OpenAPI Validation.

    Mobile Application Identification

    Enable to configure the JWT token secret and token header to verify a request from a mobile application.

    Refer to Approov doc for how to get the token.

    For details, see Configuring mobile API protection.

    Note: You need to enable Mobile Application Identification first from System > Config > Feature Visibility.

    Token Secret

    Enter the token secret that you have got from Approov.

    Available only when Mobile Application Identification is enabled.

    Token Header

    Specify the header where the token is carried.

    Available only when Mobile Application Identification is enabled.

    Mobile API Protection

    Select the name of an existing API protection policy. For details, see Configuring mobile API protection.

    IP ReputationEnable to apply IP reputation intelligence. For details, see "blocklisting source IPs with poor reputation" on page 1.
    IP ListSelect the name of a client allow list or block list, if any, that will be applied to matching requests. For details, see "blocklisting & allowlisting clients using a source IP or source IP range" on page 1.
    Geo IPSelect the name of a geographically-based client block list, if any, that will be applied to matching requests. For details, see "blocklisting & allowlisting countries & regions" on page 1.
    User TrackingSelect the name of a user tracking policy, if any, to use for matching requests. For details, see Tracking.
  7. To view or modify a component without leaving the page, next to the drop-down menu where you have selected the component, click Detail.

  8. Click OK.
  9. To apply the Offline Protection profile, select it in a policy. For details, see Configuring a server policy.
See also

Configuring a protection profile for an out-of-band topology or asynchronous mode of operation

Offline Protection profiles combine previously configured rules, profiles, and policies into a comprehensive set that can be applied by a policy. Offline Protection profiles contain only the features that are supported in out-of-band topologies and asynchronous inspection, which are used with operation modes Transparent Inspection and Offline Protection.

When the operation mode is changed to Reverse Proxy, True Transparent Proxy, or WCCP, the Offline Protection tab will be hidden.

Offline Protection profiles’ primary purpose is to detect attacks. Depending on the routing and network load, due to limitations inherent to out-of-band topologies and asynchronous inspection, FortiWeb may not be able to reliably block all of the attacks it detects, even if you have configured FortiWeb with an Action setting of Alert & Deny.

Offline Protection profiles only include features that do not require an inline network topology. You can configure them at any time, but a policy cannot apply an Offline Protection profile if the FortiWeb appliance is operating in a mode that does not support them. For details, see How operation mode affects server policy behavior.
To configure an Offline Protection profile
  1. Before configuring an Offline Protection profile, first configure any of the following that you want to include in the profile:
  2. Go to Policy > Web Protection Profile and select the Offline Protection Profile tab.
  3. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

  4. Click Create New.
  5. Predefined profiles cannot be edited, but they can be viewed and cloned.

  6. Configure these settings:
    NameType a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    Client Management

    Enable to track a client by the inserted cookie, or source IP when cookie is prohibited.
    For details, see Client management.

    Session Key

    Type the cookie value, if any, that FortiWeb uses to track the client.

    By default, FortiWeb tracks three cookie names: ASPSESSIONID, PHPSESSIONID, and JSESSIONID.

    Configure this field if your web application uses a custom or uncommon cookie.

    This option appears only if Client Management is enabled.

    Signatures

    Select the name of the signature set you have configured in Web Protection > Known Attacks, if any, that will be applied to matching requests.

    Enable AMF3, XML, or JSON Protocol Detection if applicable.

    Attack log messages for this feature vary by which type of attack was detected. For a list, see Blocking known attacks .

    HTTP Protocol Constraints

    Select the name of an HTTP parameter constraint, if any, that will be applied to matching requests. For details, see HTTP/HTTPS protocol constraints.

    Attack log messages for this feature vary by which type of constraint was violated.

    X-Forwarded-For

    Select the X-Forwarded-For: and X-Real-IP: HTTP header settings to use, if any. For details, see Defining your proxies, clients, & X-headers.

    Note: Configuring this option is required if the true IP address of the client is hidden from FortiWeb because a load balancer or other web proxy is deployed in front. In that case, you must configure an X-header rule so that FortiWeb will block only requests related to the original client. Otherwise, it may block all requests whenever any attack occurs, since all requests will appear to originate from the proxy’s IP.

    Custom Policy

    Select the name of a combination source IP, rate limit, HTTP header, and URL access policy, if any, that will be applied to matching requests. For details, see Custom Policy.

    Attack log messages contain Custom Access Violation when this feature detects a violation.

    Padding Oracle Protection

    Select the name of padding oracle protection rule, if any, that will be applied to matching requests. For details, see Defeating cipher padding attacks on individually encrypted inputs.

    Attack log messages contain Padding Oracle Attack when this feature detects a violation.

    SQL/XSS Syntax Based Detection

    Select the name of a SQL/XSS syntax based detection policy if any, that will be applied to matching requests. For details, see Syntax-based SQL/XSS injection detection.

    Parameter Validation

    Select the name of the parameter validation rule, if any, that will be applied to matching requests. For details, see Validating parameters (“input rules”).

    Attack log messages contain Parameter Validation Violation when this feature detects a parameter rule violation.

    Hidden Fields Protection

    Select the name of the hidden fields protection rule, if any, to use to protect hidden fields on your website. For details, see Preventing tampering with hidden inputs.

    Attack log messages contain Hidden Field Manipulation when this feature detects tampering.

    This option appears only when Configuring a protection profile for an out-of-band topology or asynchronous mode of operation is enabled.

    File Security

    Select an existing file security policy, if any, that will be applied to matching HTTP requests. For details, see Limiting file uploads.

    Attack log messages contain Illegal File Size when this feature detects an excessively large upload.

    Enable AMF3 Protocol Detection

    Enable to scan requests that use action message format 3.0 (AMF3) for:

    • Cross-site scripting (XSS) attacks
    • SQL injection attacks
    • Common exploits

    and other attack signatures that you have enabled in Signatures.

    AMF3 is a binary format that can be used by Adobe Flash/Flex clients to send input to server-side software.

    Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will cause the FortiWeb appliance to be unable to scan AMF3 requests for attacks.

    URL Access

    Select the name of the URL access policy, if any, that will be applied to matching HTTP requests. For details, see Restricting access to specific URLs.

    Attack log messages contain URL Access Violation when this feature detects a URL matched by this policy.

    Allow Method

    Select an existing allow method policy, if any, that will be applied to matching HTTP requests. For details, see Specifying allowed HTTP methods.

    Attack log messages contain HTTP Method Violation when this feature detects a non-allowed HTTP request method.

    XML Protection

    Select the name of an existing XML protection policy. For details, see Configuring XML protection.

    JSON Protection

    Select the name of an existing JSON protection policy. For details, see Configuring JSON protection.

    OpenAPI Protection

    Select the name of an existing OpenAPI protection policy. For details, see OpenAPI Validation.

    Mobile Application Identification

    Enable to configure the JWT token secret and token header to verify a request from a mobile application.

    Refer to Approov doc for how to get the token.

    For details, see Configuring mobile API protection.

    Note: You need to enable Mobile Application Identification first from System > Config > Feature Visibility.

    Token Secret

    Enter the token secret that you have got from Approov.

    Available only when Mobile Application Identification is enabled.

    Token Header

    Specify the header where the token is carried.

    Available only when Mobile Application Identification is enabled.

    Mobile API Protection

    Select the name of an existing API protection policy. For details, see Configuring mobile API protection.

    IP ReputationEnable to apply IP reputation intelligence. For details, see "blocklisting source IPs with poor reputation" on page 1.
    IP ListSelect the name of a client allow list or block list, if any, that will be applied to matching requests. For details, see "blocklisting & allowlisting clients using a source IP or source IP range" on page 1.
    Geo IPSelect the name of a geographically-based client block list, if any, that will be applied to matching requests. For details, see "blocklisting & allowlisting countries & regions" on page 1.
    User TrackingSelect the name of a user tracking policy, if any, to use for matching requests. For details, see Tracking.
  7. To view or modify a component without leaving the page, next to the drop-down menu where you have selected the component, click Detail.

  8. Click OK.
  9. To apply the Offline Protection profile, select it in a policy. For details, see Configuring a server policy.
See also