DOCUMENT LIBRARY
DOCUMENT LIBRARY
Products
Best Practices
Hardware Guides
Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
Hybrid Mesh Firewall
FortiGate/ FortiOS
FortiGate-5000
/
6000
/
7000
NOC Management
FortiManager
/
FortiManager Cloud
Managed Fortigate Service
LAN
FortiSwitch
FortiAP / FortiWiFi
FortiEdge Cloud
FortiNAC-F
WAN
Secure SD-WAN
FortiExtender
More >>
Unified SASE
Single Vendor SASE
FortiSASE
Secure SD-WAN
Zero Trust Network Access (ZTNA)
FortiProxy
FortiMonitor
Cloud Network Security
FortiGate Public Cloud
FortiGate Private Cloud
FortiGate CNF
FortiFlex
Lacework FortiCNAPP
Secure Endpoint Connectivity
FortiClient
/
FortiClient Cloud
Web Application / API Protection
FortiWeb
FortiADC
FortiDAST
More >>
Security Operations
Security Operations Automation
FortiAnalyzer
/
FortiAnalyzer Cloud
FortiSIEM
/
FortiSIEM Cloud
FortiSOAR
SOC-as-a-Service (SOCaaS)
Identity
FortiAuthenticator
FortiTrust Identity
FortiPAM
Early Detection & Prevention
FortiSandbox
/
FortiSandbox Cloud
FortiNDR
FortiDeceptor
FortiRecon
More >>
Secure Networking
Hybrid Mesh Firewall
FortiGate/ FortiOS
FortiGate-5000
/
6000
/
7000
NOC Management
FortiManager
/
FortiManager Cloud
Managed Fortigate Service
FortiAIOps
LAN
FortiSwitch
FortiAP / FortiWiFi
FortiAP-U Series
FortiEdge Cloud
FortiNAC-F
WAN
Secure SD-WAN
FortiExtender
Communication & Surveillance
FortiVoice
/
FortiVoice Cloud
FortiFone
FortiCamera
FortiRecorder
FortiCentral
Unified SASE
Single Vendor SASE
FortiSASE
Secure SD-WAN
Zero Trust Network Access (ZTNA)
FortiProxy
FortiMonitor
Secure Endpoint Connectivity
FortiClient
/
FortiClient Cloud
Cloud Network Security
FortiGate Public Cloud
FortiGate Private Cloud
FortiGate CNF
FortiFlex
Cloud-Native Security
Lacework FortiCNAPP
FortiDevSec
Web Application / API Protection
FortiWeb
FortiADC
FortiDAST
Security Operations
Security Operations Automation
FortiAnalyzer
/
FortiAnalyzer Cloud
FortiSIEM
/
FortiSIEM Cloud
FortiSOAR
Endpoint
FortiClient
/
FortiClient Cloud
FortiEDR/XDR
Data Protection
FortiDLP
FortiDLP Agent
FortiDLP Policies
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken
/
FortiToken Cloud
FortiPAM
Email
FortiMail
FortiPhish
Early Detection & Prevention
FortiSandbox
/
FortiSandbox Cloud
FortiNDR
FortiDeceptor
FortiRecon
Expert Services
SOC-as-a-Service (SOCaaS)
Edge Firewall
FortiGate/FortiOS
FortiGate-5000
/
6000
/
7000
FortiGate Public Cloud
FortiGate Private Cloud
Orchestration & management
FortiManager
/
FortiManager Cloud
FortiAnalyzer
/
FortiAnalyzer Cloud
Overlay-as-a-Service
SD Branch
FortiSwitch
FortiAP / FortiWiFi
FortiExtender
/
FortiExtender Cloud
Application Delivery
FortiADC
/
FortiGSLB
Single Vendor SASE
FortiSASE
Secure Endpoint Connectivity
FortiClient
/
FortiClient Cloud
Secure Private Access
Secure SD-WAN
Zero Trust Network Access (ZTNA)
Thin Edge
FortiGate/ FortiOS
FortiAP / FortiWiFi
FortiExtender
/
FortiExtender Cloud
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken Cloud
FortiToken
Application Gateway
FortiGate/ FortiOS
FortiProxy
FortiADC
/
FortiGSLB
Enterprise Asset Management
FortiClient EMS
Endpoint Agent
FortiClient
/
FortiClient Cloud
Agentless Security Posture
FortiNAC-F
FortiSIEM
/
FortiSIEM Cloud
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken Cloud
FortiToken
Wireless
FortiAP / FortiWiFi
FortiAP-U Series
FortiGate Cloud
Switching
FortiSwitch
FortiEdge Cloud
FortiNAC-F
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken Cloud
FortiToken
Privilege Acccess Management
FortiPAM
Next Generation Firewall
FortiGate / FortiOS
FortiGate-5000
/
6000
/
7000
FortiGate Public Cloud
FortiGate Private Cloud
Orchestration & management
FortiManager
/
FortiManager Cloud
FortiAnalyzer
/
FortiAnalyzer Cloud
Expert Services
SOC-as-a-Service (SOCaaS)
Managed Fortigate Service
All
FortiADC Public Cloud
FortiAnalyzer Public Cloud
FortiAuthenticator Public Cloud
FortiDeceptor Public Cloud
FortiGate Public Cloud
FortiIsolator Public Cloud
FortiManager Public Cloud
FortiNDR Public Cloud
FortiPAM Public Cloud
FortiPortal Public Cloud
FortiProxy Public Cloud
FortiSandbox Public Cloud
FortiTester Public Cloud
FortiVoice Public Cloud
FortiWeb Manager Public Cloud
FortiWeb Public Cloud
All
FortiADC Private Cloud
FortiAnalyzer BigData Private Cloud
FortiAnalyzer Private Cloud
FortiAuthenticator Private Cloud
FortiDeceptor Private Cloud
FortiGate Private Cloud
FortiManager Private Cloud
FortiNDR Private Cloud
FortiPAM Private Cloud
FortiProxy Private Cloud
FortiSandbox Private Cloud
FortiTester Private Cloud
FortiVoice Private Cloud
FortiWeb Manager Private Cloud
FortiWeb Private Cloud
Account Management
FortiCloud Services
SAAS Management
FortiGate Cloud
FortiEdge Cloud
FortiEdge Cloud
FortiExtender Cloud
FortiPresence Cloud
FortiToken Cloud
FortiTrust Identity
FortiZTP
FortiCamera Cloud
SAAS Application Security
FortiWeb Cloud
FortiGSLB
FortiCASB
FortiCNP
FortiInsight
FortiPhish
FortiGate CNF
Managed Services
SOC-as-a-Service (SOCaaS)
Managed Fortigate Service
Platform as a service (PAAS)
FortiSASE
FortiAnalyzer Cloud
FortiManager Cloud
FortiClient Cloud
FortiSandbox Cloud
FortiMail Cloud
FortiSOAR Cloud
Other SAAS Services
Overlay-as-a-Service
FortiRecon
FortiConverter
ForiIPAM
FortiFlex
FortiCare Elite
4D Resources
Solution Hubs
Define, design, deploy, demo
4D Pillars
Secure SD-WAN
Zero Trust Network Access
Wireless
Switching
Secure Access Service Edge
Identity and Access Management
Next Generation Firewall
Curated Links by Solution
Cloud
FortiCloud
Public & Private Cloud
Popular Solutions
Secure SD-WAN
Zero Trust Network Access
Secure Access
Security Fabric
Tele-Working
Multi-Factor Authentication
FortiASIC
Operational Technology
MSSP
Next Generation Firewall
FortiAnalyzer
FortiAnalyzer Big-Data
FortiADC
FortiAP / FortiWiFi
FortiAP U-Series
FortiAuthenticator
FortiCache
FortiCarrier
FortiController
FortiDDoS
FortiDDoS-F
FortiDeceptor
FortiExtender
FortiGate-5000
FortiGate-6000
FortiGate-7000
FortiHypervisor
FortiIsolator
FortiMail
FortiManager
FortiNAC
FortiNDR
FortiProxy
FortiRecorder
FortiGate
FortiRPS
FortiSandbox
FortiSIEM
FortiSwitch
FortiTester
FortiToken
FortiVoice
FortiWAN
FortiWeb
FortiWLC
FortiWLM
AscenLink
AV Engine
AWS Firewall Rules
Container FortiOS
FortiADC
FortiADC E Series
FortiADC Manager
FortiADC Private Cloud
FortiADC Public Cloud
FortiAIOps
FortiAnalyzer
FortiAnalyzer BigData
FortiAnalyzer BigData Private Cloud
FortiAnalyzer Cloud
FortiAnalyzer Private Cloud
FortiAnalyzer Public Cloud
FortiAP / FortiWiFi
FortiAP-U Series
FortiAuthenticator
FortiAuthenticator Private Cloud
FortiAuthenticator Public Cloud
FortiAuthProxy
FortiBalancer
FortiBranchSASE
FortiBridge
FortiCache
FortiCamera
FortiCamera Cloud
FortiCare Elite
FortiCarrier
FortiCASB
FortiCentral
FortiClient
FortiClient Cloud
FortiCloud Services
FortiCNP
FortiConnect
FortiController
FortiConverter Service
FortiConverter Tool
FortiCore
FortiCSPM
FortiCWP
FortiDAST
FortiDB
FortiDDoS
FortiDDoS-F
FortiDeceptor
FortiDeceptor DaaS
FortiDeceptor Private Cloud
FortiDeceptor Public Cloud
FortiDevSec
FortiDLP
FortiDLP Agent
FortiDLP Policies
FortiDNS
FortiEdge Cloud
FortiEDR/XDR
FortiEndpoint
FortiExplorer
FortiExplorer Go
FortiExtender
FortiFlex
FortiFone
FortiGate / FortiOS
FortiGate Cloud
FortiGate CNF
FortiGate Private Cloud
FortiGate Public Cloud
FortiGate-5000
FortiGate-6000
FortiGate-7000
FortiGate-as-a-Service
FortiGSLB
FortiGuard Advanced Bot Protection
FortiGuest
FortiHypervisor
FortiInsight
FortiInsight Cloud
FortiIPAM
FortiIsolator
FortiIsolator Public Cloud
FortiLAN Cloud
FortiMail
FortiMail Cloud
FortiManager
FortiManager Cloud
FortiManager Private Cloud
FortiManager Public Cloud
FortiMonitor
FortiNAC
FortiNAC-F
FortiNDR
FortiNDR (on-premise) Private Cloud
FortiNDR (on-premise) Public Cloud
FortiNDR Cloud
FortiNDR Cloud Sensors
FortiPAM
FortiPAM Private Cloud
FortiPAM Public Cloud
FortiPhish
FortiPlanner
FortiPolicy
FortiPortal
FortiPortal Public Cloud
FortiPresence
FortiPresence VM
FortiProxy
FortiProxy Private Cloud
FortiProxy Public Cloud
FortiRecon
FortiRecorder
FortiRPS
FortiSandbox
FortiSandbox Cloud
FortiSandbox Private Cloud
FortiSandbox Public Cloud
FortiSASE
FortiScanner
FortiSIEM
FortiSIEM Cloud
FortiSOAR
FortiSOAR Cloud
FortiSRA
FortiSwitch
FortiSwitch Manager
FortiTap
FortiTester
FortiTester Private Cloud
FortiTester Public Cloud
FortiToken
FortiToken Cloud
FortiTrust Identity
FortiVoice
FortiVoice Cloud
FortiVoice Private Cloud
FortiVoice Public Cloud
FortiWAN
FortiWAN Controller
FortiWeb
FortiWeb Cloud
FortiWeb Manager Private Cloud
FortiWeb Manager Public Cloud
FortiWeb Private Cloud
FortiWeb Public Cloud
FortiWLM
FortiZTP
IPS Engine
Lacework FortiCNAPP
Managed FortiGate Service
Overlay-as-a-Service
Security Awareness and Training
SOCaaS
Wireless Controller
Search documents and hardware ...
Administration Guide
Introduction
What's new
Key concepts
Workflow
Sequence of scans
IPv6 support
Solutions for specific web attacks
HTTP/2 support
HTTP sessions & security
FortiWeb high availability (HA)
Administrative domains (ADOMs)
How to use the web UI
Shutdown
How to set up your FortiWeb
Appliance vs. VMware
Registering your FortiWeb
Planning the network topology
Connecting to the web UI or CLI
Updating the firmware
Changing the “admin” account password
Setting the system time & date
Setting the operation mode
Feature visibility
Configuring High Availability (HA) basic settings
HA heartbeat & active node election
Synchronization
Replicating the configuration without FortiWeb HA (external HA)
Configuring the network settings
Configuring DNS settings
Configuring HA settings specifically for active-passive and standard active-active modes
Configuring HA settings specifically for high volume active-active mode
Defining your web servers & load balancers
Protected web servers vs. allowed/protected host names
Defining your protected/allowed HTTP “Host:” header names
Defining your web servers
Defining your proxies, clients, & X-headers
Defining your network services
Configuring virtual servers on your FortiWeb
Enabling or disabling traffic forwarding to your servers
Configuring FortiWeb to receive traffic via WCCP
Configuring basic policies
Testing your installation
Switching out of Offline Protection mode
Policies
How operation mode affects server policy behavior
Configuring the global object allow list
Configuring the allow list at server policy level
Configuring a protection profile for inline topologies
Generating a protection profile using scanner reports
Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
Configuring client management
Configuring an HTTP server policy
Configuring traffic mirror
ADFS Proxy
Configuring FortiWeb as an ADFS proxy
Configuring a virtual server
Creating an ADFS server pool
Uploading trusted CA certificates
Creating an ADFS server policy
Troubleshooting
Configuring FTP security
Creating an FTP command restriction rule
Creating an FTP file check rule
Configuring an FTP security inline profile
Creating an FTP server pool
Creating an FTP server policy
Secure connections (SSL/TLS)
Offloading vs. inspection
Supported cipher suites & protocol versions
CA certificates
How to offload or inspect HTTPS
Local certificates
Let's Encrypt certificates
Using session keys provided by an HSM
Generating a certificate signing request
Uploading a server certificate
Forcing clients to use HTTPS
HTTP Public Key Pinning
How to apply PKI client authentication (personal certificates)
Seamless PKI integration
Revoking certificates
How to export/back up certificates & private keys
How to change FortiWeb's default certificate
Configuring OCSP stapling
Users
Authentication styles
Offloading HTTP authentication & authorization
Creating reCAPTCHA servers
OAuth Authorization
Application delivery
Rewriting & redirecting
Compression
Site Publishing (Single sign-on)
Offloaded authentication and optional SSO configuration
Creating an Active Directory (AD) user for FortiWeb - Keytab File
Using Kerberos authentication delegation
Using Form Based Delegation
Caching
What can be cached?
Acceleration
Scripting
Web protection
Blocking known attacks
Connecting to FortiGuard services
Receiving quarantined source IP addresses from FortiGate
False Positive Mitigation for SQL Injection signatures
Configuring action overrides or exceptions to data leak & attack detection signatures
Defining custom data leak & attack signatures
Defeating cipher padding attacks on individually encrypted inputs
Advanced protection
Custom Policy
Defeating cross-site request forgery (CSRF) attacks
HTTP Security Headers
Protection for Man-in-the-Browser (MiTB) attacks
Creating Man in the Browser (MiTB) Protection Rule
Creating an MiTB protection rule
Protecting the standard user input field
Protecting the passwords
Adding allow list for the AJAX Request
Creating Man in the Browser (MiTB) Protection Policy
URL encryption
Link cloaking
Syntax-based SQL/XSS injection detection
Cookie security
Input validation
Validating parameters (“input rules”)
Preventing tampering with hidden inputs
Limiting file uploads
Web Shell Detection
Protocol constraints
HTTP/HTTPS protocol constraints
WebSocket Protocol
Access control
Restricting access based on specific URLs
Cross-Origin Resource Sharing (CORS) protection
Specifying allowed HTTP methods
ML Based Anomaly Detection
Viewing domain data
Overview
Tree View
Parameter View
Viewing anomaly detection log
Anti-defacement
Zero Trust Network Access (ZTNA)
Configuring FortiClient EMS Connector for ZTNA
Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS
Configuring a ZTNA Profile
Referencing ZTNA profile in a server policy
ZTNA troubleshooting and debugging
Bot mitigation
Configuring threshold based detection
Configuring biometrics based detection
Configuring bot deception
Configuring known bots
Configuring bot mitigation policy
Configuring ML Based Bot Detection policy
Viewing bot detection model status
Viewing the bot detection violations
Exception Policy
API Protection
Configuring JSON protection
Importing JSON schema files
Creating JSON protection rules
Creating JSON protection policy
Configuring XML protection
Importing XML schema files
Creating XML protection rules
Creating XML protection policies
Importing WSDL files
Configuring exempted URLs
Configuring attack logs to retain packet payloads for XML protection
Creating WS-Security rules
OpenAPI Validation
Use cases
Creating OpenAPI files
Creating OpenAPI validation policies
Configuring mobile API protection
API gateway
Managing API users
Configuring API gateway policy
Configuring API gateway rules
Configuring ML Based API Protection policy
Viewing API Protection domain data
Editing and viewing machine learning models for API paths
DoS protection
DoS prevention
Preventing slow and low attacks
IP Protection
GEO IP - Blocklisting & whitelisting countries & regions
IP List - Blocklisting & whitelisting clients using a source IP or source IP range
IP Reputation - Blocklisting source IPs with poor reputation
Creating IP groups
Tracking
Compliance
Authorization
Preventing data leaks
Vulnerability scans
Administrators
Configuring access profiles
Grouping remote authentication queries and certificates for administrators
Changing an administrator’s password
Certificate-based Web UI login
Advanced/optional system settings
Changing the FortiWeb appliance’s host name
Fail-to-wire for power loss/reboots
Customizing error and authentication pages (replacement messages)
Configuring machine-learning URL replacer policy
Configuring the integrated firewall
Network address translation (NAT)
Advanced settings
Backup & restore
Dashboard
FortiView
Topology
Security
Traffic
Sessions
Monitoring your system
Logging
Analyzing attack logs in FortiWeb Cloud Threat Analytics
Alert email
SNMP traps & queries
Reports
Debug log
Monitoring currently blocked IPs
Monitoring currently tracked clients
FortiGuard updates
Vulnerability scans
Security Fabric
External connectors
AWS Connector
Azure Connector
OCI Connector
Fabric Connector: Single Sign On with FortiGate
Fine-tuning & best practices
Hardening security
Improving performance
Improving fault tolerance
Reducing false positives
Regular backups
Downloading logs in RAM before shutdown or reboot
Troubleshooting
Introduction
Troubleshooting outline
Diagnosing server-policy connectivity issues
Diagnosing Network Connectivity Issues
Checking hardware connections
Examining the ARP table
Checking routing
Examining the routing table
Checking port assignments
Performing a packet trace
Debugging the packet processing flow
Diagnosing server-policy access issues
Server-policy access failure
Server policy intermittently inaccessible
Server-policy outage
Checking backend server status & issues
Diagnosing debug flow
Error codes displayed when visiting server policy
Visiting Server-Policy Has Long Response Time
Checking Attack/Traffic/Event logs
FAQ
How to check attack logs in FortiWeb
How to check traffic logs in FortiWeb
Forwarding non-HTTP/HTTPS traffic
Diagnosing system issues
System boot-up issues
Hard disk corruption or failure
Power supply failure
System login & authentication issues
FAQ
Login common issues
WebUI authentication issues
Certificate-based WebUI login failure
Resetting passwords
SAML SSO Login issues
System license issues
Firmware upgrade failures
DB version&update info
Cryptographic Key
Resetting the configuration
Restoring firmware (“clean install”)
Checking System Resource Issues
Checking CPU information&Issues
Checking memory usage
Diagnosing memory leak issues
Diagnosing kernel memory leak issues
Checking disk information & issues
Retrieving system&debug logs
Retrieving system logs in backend system
Customizing and downloading debug logs
Diagnose Crash & Coredump issues
Common troubleshooting steps
Checking core files and basic coredump information
Collecting core/coredump files and logs
What to do when coredump files are truncated or damaged
Diagnose memory violation issues
Diagnose software function issues
Server policy
FAQ
SSL/TLS
FAQ
Diagnosing SSL/TLS handshake failures
Decrypting SSL packets to analyze traffic issues
Enabling diagnose debug flow to retrieve TLS Pre-master secrets
Decrypting TLS 1.2/1.1/1.0 Traffic
Decrypting TLS 1.3 Traffic
An alternative way to decrypt TLS traffic on Windows PC
Application Delivery - URL Rewriting
Application Delivery - Site Publish
FAQ
Troubleshoot Site-Publish Issues
Application Delivery - Caching
FAQ
Troubleshoot for caching issues
Application Delivery - Lua Script
FAQ
Web Protection - General Issues
FAQ
Web Protection - Known Attack
FAQ
Web Protection - Advanced Protection
FAQ
Web Protection - Input Validation
FAQ
Web Protection - Bot Mitigation
FAQ
Web Protection - API Protection
FAQ
Web Protection - IP Protection
FAQ
Machine Learning - Anomaly Detection
FAQ
Machine learning trouble-shooting
ZTNA troubleshooting and debugging
HA issues
FAQ
HA trouble-shooting
Log&Report issues
Common troubleshooting methods for issues that Logs cannot be displayed on GUI
Step-by-step troubleshooting for log display on FortiWeb GUI failures
Logs cannot be displayed on FortiAnalyzer
Replacement message
FAQ
Diagnose hardware issues
Using diagnose commands
Diagnosing Power Supply issues
Diagnosing hard disk issues
Diagnosing SSL Card issues
Diagnosing NIC issues
System tools & diagnose commands
Diagnostic Commands
Execute Commands
Ping & Traceroute
Packet capture
Packet capture via CLI command
Packet capture via Web UI
Diff
Run backend-shell commands
Upload a file to or download a file from FortiWeb
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: FortiWeb-VM licenses
Appendix D: Supported RFCs, W3C, & IEEE standards
Appendix E: Regular expressions
Appendix F: How to purchase and renew FortiGuard licenses
Home
FortiWeb 7.2.2
Administration Guide
7.2.2
7.6.1
7.6.0
7.4.5
7.4.4
7.4.3
7.4.2
7.4.1
7.4.0
7.2.10
7.2.9
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.10
7.0.9
7.0.8
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.2
6.4.1
6.4.0
6.3.23
6.3.19
6.3.18
6.3.17
6.3.16
6.3.15
6.3.14
6.3.13
6.3.11
6.3.10
6.3.9
6.3.7
6.3.6
6.3.5
6.3.4
6.3.3
6.3.2
6.3.1
6.3.0
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.1.2
6.1.1
5.7.0
5.6.1
5.6.0
5.6.0
Application Delivery - Site Publish
Application Delivery - Site Publish
Previous
Next
Application Delivery - Site Publish
Application Delivery - Site Publish
Previous
Next
Home
Product Pillars
Network Security
Network Security
FortiGate / FortiOS
FortiGate 5000
FortiGate 6000
FortiGate 7000
FortiProxy
NOC & SOC Management
FortiManager
FortiManager Cloud
FortiAnalyzer
FortiAnalyzer Cloud
FortiMonitor
FortiGate Cloud
Enterprise Networking
Secure SD-WAN
FortiLAN Cloud
FortiSwitch
FortiAP / FortiWiFi
FortiAP-U Series
FortiNAC-F
FortiExtender
FortiExtender Cloud
FortiAIOps
Business Communications
FortiFone
FortiVoice
FortiVoice Cloud
FortiRecorder
FortiCamera
Zero Trust Access
ZTNA
Zero Trust Network Access
FortiClient EMS
SASE
FortiSASE
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken Cloud
FortiToken
Cloud Security
Hybrid Cloud Security
FortiGate Public Cloud
FortiGate Private Cloud
FortiFlex
Cloud Native Protection
FortiCNP
FortiDevSec
Web Application / API Protection
FortiWeb
FortiWeb Cloud
FortiADC
FortiGSLB
FortiGuard ABP
SAAS Security
FortiMail
FortiMail Cloud
FortiCASB
Security Operations
SOC Platform
FortiAnalyzer
FortiAnalyzer Cloud
FortiSIEM
/
FortiSIEM Cloud
FortiSOAR
FortiPhish
Advanced Threat Protection
FortiSandbox
FortiSandbox Cloud
FortiNDR
FortiNDR Cloud
FortiDeceptor
FortiInsight
FortiInsight Cloud
FortiIsolator
Endpoint Security
FortiClient
FortiClient Cloud
FortiEDR
Best Practices
Solution Hubs
Cloud
FortiCloud
Public & Private Cloud
Popular Solutions
Secure SD-WAN
Zero Trust Network Access
Secure Access
Next Generation Firewall
Security Fabric
Tele-Working
Multi-Factor Authentication
FortiASIC
Operational Technology
MSSP
4-D Resources
Secure SD-WAN
Zero Trust Network Access
Wireless
Switching
Secure Access Service Edge
Identity and Access Management
Next Generation Firewall
Hardware Guides
FortiAnalyzer
FortiAnalyzer Big-Data
FortiADC
FortiAP / FortiWiFi
FortiAP U-Series
FortiAuthenticator
FortiCache
FortiCarrier
FortiController
FortiDDoS
FortiDDoS-F
FortiDeceptor
FortiExtender
FortiGate
FortiGate-5000
FortiGate-6000
FortiGate-7000
FortiHypervisor
FortiIsolator
FortiMail
FortiManager
FortiNAC
FortiNDR
FortiProxy
FortiRecorder
FortiRPS
FortiSandbox
FortiSIEM
FortiSwitch
FortiTester
FortiToken
FortiVoice
FortiWAN
FortiWeb
FortiWLC
FortiWLM
Product A-Z
AscenLink
AV Engine
AWS Firewall Rules
Container FortiOS
FortiADC
FortiADC E Series
FortiADC Manager
FortiADC Private Cloud
FortiADC Public Cloud
FortiAIOps
FortiAnalyzer
FortiAnalyzer BigData
FortiAnalyzer BigData Private Cloud
FortiAnalyzer Cloud
FortiAnalyzer Private Cloud
FortiAnalyzer Public Cloud
FortiAP / FortiWiFi
FortiAP-U Series
FortiAuthenticator
FortiAuthenticator Private Cloud
FortiAuthenticator Public Cloud
FortiAuthProxy
FortiBalancer
FortiBranchSASE
FortiBridge
FortiCache
FortiCamera
FortiCamera Cloud
FortiCare Elite
FortiCarrier
FortiCASB
FortiCentral
FortiClient
FortiClient Cloud
FortiCloud Services
FortiCNP
FortiConnect
FortiController
FortiConverter Service
FortiConverter Tool
FortiCore
FortiCSPM
FortiCWP
FortiDAST
FortiDB
FortiDDoS
FortiDDoS-F
FortiDeceptor
FortiDeceptor DaaS
FortiDeceptor Private Cloud
FortiDeceptor Public Cloud
FortiDevSec
FortiDLP
FortiDLP Agent
FortiDLP Policies
FortiDNS
FortiEdge Cloud
FortiEDR/XDR
FortiEndpoint
FortiExplorer
FortiExplorer Go
FortiExtender
FortiFlex
FortiFone
FortiGate / FortiOS
FortiGate Cloud
FortiGate CNF
FortiGate Private Cloud
FortiGate Public Cloud
FortiGate-5000
FortiGate-6000
FortiGate-7000
FortiGate-as-a-Service
FortiGSLB
FortiGuard Advanced Bot Protection
FortiGuest
FortiHypervisor
FortiInsight
FortiInsight Cloud
FortiIPAM
FortiIsolator
FortiIsolator Public Cloud
FortiLAN Cloud
FortiMail
FortiMail Cloud
FortiManager
FortiManager Cloud
FortiManager Private Cloud
FortiManager Public Cloud
FortiMonitor
FortiNAC
FortiNAC-F
FortiNDR
FortiNDR (on-premise) Private Cloud
FortiNDR (on-premise) Public Cloud
FortiNDR Cloud
FortiNDR Cloud Sensors
FortiPAM
FortiPAM Private Cloud
FortiPAM Public Cloud
FortiPhish
FortiPlanner
FortiPolicy
FortiPortal
FortiPortal Public Cloud
FortiPresence
FortiPresence VM
FortiProxy
FortiProxy Private Cloud
FortiProxy Public Cloud
FortiRecon
FortiRecorder
FortiRPS
FortiSandbox
FortiSandbox Cloud
FortiSandbox Private Cloud
FortiSandbox Public Cloud
FortiSASE
FortiScanner
FortiSIEM
FortiSIEM Cloud
FortiSOAR
FortiSOAR Cloud
FortiSRA
FortiSwitch
FortiSwitch Manager
FortiTap
FortiTester
FortiTester Private Cloud
FortiTester Public Cloud
FortiToken
FortiToken Cloud
FortiTrust Identity
FortiVoice
FortiVoice Cloud
FortiVoice Private Cloud
FortiVoice Public Cloud
FortiWAN
FortiWAN Controller
FortiWeb
FortiWeb Cloud
FortiWeb Manager Private Cloud
FortiWeb Manager Public Cloud
FortiWeb Private Cloud
FortiWeb Public Cloud
FortiWLM
FortiZTP
IPS Engine
Lacework FortiCNAPP
Managed FortiGate Service
Overlay-as-a-Service
Security Awareness and Training
SOCaaS
Wireless Controller
Ordering Guides
Download PDF
Table of Contents
Introduction
What's new
Key concepts
Workflow
Sequence of scans
IPv6 support
Solutions for specific web attacks
HTTP/2 support
HTTP sessions & security
FortiWeb high availability (HA)
Administrative domains (ADOMs)
How to use the web UI
Shutdown
How to set up your FortiWeb
Appliance vs. VMware
Registering your FortiWeb
Planning the network topology
Connecting to the web UI or CLI
Updating the firmware
Changing the “admin” account password
Setting the system time & date
Setting the operation mode
Feature visibility
Configuring High Availability (HA) basic settings
HA heartbeat & active node election
Synchronization
Replicating the configuration without FortiWeb HA (external HA)
Configuring the network settings
Configuring DNS settings
Configuring HA settings specifically for active-passive and standard active-active modes
Configuring HA settings specifically for high volume active-active mode
Defining your web servers & load balancers
Protected web servers vs. allowed/protected host names
Defining your protected/allowed HTTP “Host:” header names
Defining your web servers
Defining your proxies, clients, & X-headers
Defining your network services
Configuring virtual servers on your FortiWeb
Enabling or disabling traffic forwarding to your servers
Configuring FortiWeb to receive traffic via WCCP
Configuring basic policies
Testing your installation
Switching out of Offline Protection mode
Policies
How operation mode affects server policy behavior
Configuring the global object allow list
Configuring the allow list at server policy level
Configuring a protection profile for inline topologies
Generating a protection profile using scanner reports
Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
Configuring client management
Configuring an HTTP server policy
Configuring traffic mirror
ADFS Proxy
Configuring FortiWeb as an ADFS proxy
Configuring a virtual server
Creating an ADFS server pool
Uploading trusted CA certificates
Creating an ADFS server policy
Troubleshooting
Configuring FTP security
Creating an FTP command restriction rule
Creating an FTP file check rule
Configuring an FTP security inline profile
Creating an FTP server pool
Creating an FTP server policy
Secure connections (SSL/TLS)
Offloading vs. inspection
Supported cipher suites & protocol versions
CA certificates
How to offload or inspect HTTPS
Local certificates
Let's Encrypt certificates
Using session keys provided by an HSM
Generating a certificate signing request
Uploading a server certificate
Forcing clients to use HTTPS
HTTP Public Key Pinning
How to apply PKI client authentication (personal certificates)
Seamless PKI integration
Revoking certificates
How to export/back up certificates & private keys
How to change FortiWeb's default certificate
Configuring OCSP stapling
Users
Authentication styles
Offloading HTTP authentication & authorization
Creating reCAPTCHA servers
OAuth Authorization
Application delivery
Rewriting & redirecting
Compression
Site Publishing (Single sign-on)
Offloaded authentication and optional SSO configuration
Creating an Active Directory (AD) user for FortiWeb - Keytab File
Using Kerberos authentication delegation
Using Form Based Delegation
Caching
What can be cached?
Acceleration
Scripting
Web protection
Blocking known attacks
Connecting to FortiGuard services
Receiving quarantined source IP addresses from FortiGate
False Positive Mitigation for SQL Injection signatures
Configuring action overrides or exceptions to data leak & attack detection signatures
Defining custom data leak & attack signatures
Defeating cipher padding attacks on individually encrypted inputs
Advanced protection
Custom Policy
Defeating cross-site request forgery (CSRF) attacks
HTTP Security Headers
Protection for Man-in-the-Browser (MiTB) attacks
Creating Man in the Browser (MiTB) Protection Rule
Creating an MiTB protection rule
Protecting the standard user input field
Protecting the passwords
Adding allow list for the AJAX Request
Creating Man in the Browser (MiTB) Protection Policy
URL encryption
Link cloaking
Syntax-based SQL/XSS injection detection
Cookie security
Input validation
Validating parameters (“input rules”)
Preventing tampering with hidden inputs
Limiting file uploads
Web Shell Detection
Protocol constraints
HTTP/HTTPS protocol constraints
WebSocket Protocol
Access control
Restricting access based on specific URLs
Cross-Origin Resource Sharing (CORS) protection
Specifying allowed HTTP methods
ML Based Anomaly Detection
Viewing domain data
Overview
Tree View
Parameter View
Viewing anomaly detection log
Anti-defacement
Zero Trust Network Access (ZTNA)
Configuring FortiClient EMS Connector for ZTNA
Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS
Configuring a ZTNA Profile
Referencing ZTNA profile in a server policy
ZTNA troubleshooting and debugging
Bot mitigation
Configuring threshold based detection
Configuring biometrics based detection
Configuring bot deception
Configuring known bots
Configuring bot mitigation policy
Configuring ML Based Bot Detection policy
Viewing bot detection model status
Viewing the bot detection violations
Exception Policy
API Protection
Configuring JSON protection
Importing JSON schema files
Creating JSON protection rules
Creating JSON protection policy
Configuring XML protection
Importing XML schema files
Creating XML protection rules
Creating XML protection policies
Importing WSDL files
Configuring exempted URLs
Configuring attack logs to retain packet payloads for XML protection
Creating WS-Security rules
OpenAPI Validation
Use cases
Creating OpenAPI files
Creating OpenAPI validation policies
Configuring mobile API protection
API gateway
Managing API users
Configuring API gateway policy
Configuring API gateway rules
Configuring ML Based API Protection policy
Viewing API Protection domain data
Editing and viewing machine learning models for API paths
DoS protection
DoS prevention
Preventing slow and low attacks
IP Protection
GEO IP - Blocklisting & whitelisting countries & regions
IP List - Blocklisting & whitelisting clients using a source IP or source IP range
IP Reputation - Blocklisting source IPs with poor reputation
Creating IP groups
Tracking
Compliance
Authorization
Preventing data leaks
Vulnerability scans
Administrators
Configuring access profiles
Grouping remote authentication queries and certificates for administrators
Changing an administrator’s password
Certificate-based Web UI login
Advanced/optional system settings
Changing the FortiWeb appliance’s host name
Fail-to-wire for power loss/reboots
Customizing error and authentication pages (replacement messages)
Configuring machine-learning URL replacer policy
Configuring the integrated firewall
Network address translation (NAT)
Advanced settings
Backup & restore
Dashboard
FortiView
Topology
Security
Traffic
Sessions
Monitoring your system
Logging
Analyzing attack logs in FortiWeb Cloud Threat Analytics
Alert email
SNMP traps & queries
Reports
Debug log
Monitoring currently blocked IPs
Monitoring currently tracked clients
FortiGuard updates
Vulnerability scans
Security Fabric
External connectors
AWS Connector
Azure Connector
OCI Connector
Fabric Connector: Single Sign On with FortiGate
Fine-tuning & best practices
Hardening security
Improving performance
Improving fault tolerance
Reducing false positives
Regular backups
Downloading logs in RAM before shutdown or reboot
Troubleshooting
Introduction
Troubleshooting outline
Diagnosing server-policy connectivity issues
Diagnosing Network Connectivity Issues
Checking hardware connections
Examining the ARP table
Checking routing
Examining the routing table
Checking port assignments
Performing a packet trace
Debugging the packet processing flow
Diagnosing server-policy access issues
Server-policy access failure
Server policy intermittently inaccessible
Server-policy outage
Checking backend server status & issues
Diagnosing debug flow
Error codes displayed when visiting server policy
Visiting Server-Policy Has Long Response Time
Checking Attack/Traffic/Event logs
FAQ
How to check attack logs in FortiWeb
How to check traffic logs in FortiWeb
Forwarding non-HTTP/HTTPS traffic
Diagnosing system issues
System boot-up issues
Hard disk corruption or failure
Power supply failure
System login & authentication issues
FAQ
Login common issues
WebUI authentication issues
Certificate-based WebUI login failure
Resetting passwords
SAML SSO Login issues
System license issues
Firmware upgrade failures
DB version&update info
Cryptographic Key
Resetting the configuration
Restoring firmware (“clean install”)
Checking System Resource Issues
Checking CPU information&Issues
Checking memory usage
Diagnosing memory leak issues
Diagnosing kernel memory leak issues
Checking disk information & issues
Retrieving system&debug logs
Retrieving system logs in backend system
Customizing and downloading debug logs
Diagnose Crash & Coredump issues
Common troubleshooting steps
Checking core files and basic coredump information
Collecting core/coredump files and logs
What to do when coredump files are truncated or damaged
Diagnose memory violation issues
Diagnose software function issues
Server policy
FAQ
SSL/TLS
FAQ
Diagnosing SSL/TLS handshake failures
Decrypting SSL packets to analyze traffic issues
Enabling diagnose debug flow to retrieve TLS Pre-master secrets
Decrypting TLS 1.2/1.1/1.0 Traffic
Decrypting TLS 1.3 Traffic
An alternative way to decrypt TLS traffic on Windows PC
Application Delivery - URL Rewriting
Application Delivery - Site Publish
FAQ
Troubleshoot Site-Publish Issues
Application Delivery - Caching
FAQ
Troubleshoot for caching issues
Application Delivery - Lua Script
FAQ
Web Protection - General Issues
FAQ
Web Protection - Known Attack
FAQ
Web Protection - Advanced Protection
FAQ
Web Protection - Input Validation
FAQ
Web Protection - Bot Mitigation
FAQ
Web Protection - API Protection
FAQ
Web Protection - IP Protection
FAQ
Machine Learning - Anomaly Detection
FAQ
Machine learning trouble-shooting
ZTNA troubleshooting and debugging
HA issues
FAQ
HA trouble-shooting
Log&Report issues
Common troubleshooting methods for issues that Logs cannot be displayed on GUI
Step-by-step troubleshooting for log display on FortiWeb GUI failures
Logs cannot be displayed on FortiAnalyzer
Replacement message
FAQ
Diagnose hardware issues
Using diagnose commands
Diagnosing Power Supply issues
Diagnosing hard disk issues
Diagnosing SSL Card issues
Diagnosing NIC issues
System tools & diagnose commands
Diagnostic Commands
Execute Commands
Ping & Traceroute
Packet capture
Packet capture via CLI command
Packet capture via Web UI
Diff
Run backend-shell commands
Upload a file to or download a file from FortiWeb
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: FortiWeb-VM licenses
Appendix D: Supported RFCs, W3C, & IEEE standards
Appendix E: Regular expressions
Appendix F: How to purchase and renew FortiGuard licenses