Response times can often be improved by regular expression tuning, offloading SSL/TLS from your back-end server to your FortiWeb (especially if the model supports hardware acceleration), and/or offloading compression. For performance tips, see the FortiWeb Administration Guide.

If HTTPS traffic is not flowing as you expect or not being inspected, and you have recently enabled HTTPS, typically this is due to a misconfiguration. The error message in the msg field will indicate the appropriate solution:

• No Server Certificate for SSL Connection — FortiWeb does not have the server certificate, so it cannot decode the SSL traffic. To fix this, upload the web server’s certificate to FortiWeb.
• SSL Certificate Key Mismatch — An X.509 server certificate was uploaded to FortiWeb, but its private key did not match the one used by this HTTPS session. To fix this, upload the back-end web server’s current certificate.
• Ephemeral keys cannot be decrypted — Ephemeral Diffie-Hellman key exchange can't be inspected due to the property of perfect forward secrecy, which makes real-time HTTPS inspection impossible. To fix this, disable ephemeral Diffie-Hellman on the back-end web server, and select a different key exchange method.
• Unsupported Cipher for SSL Connection — Either message digest (MAC) authentication failed or the MAC did not exist, or the transaction used an unsupported cipher suite. To fix this, on the back-end web server, disable cipher suites that are not supported by FortiWeb.
• Unmonitored SSL Connection — The HTTPS session was initiated before FortiWeb was deployed or before the server policy was enabled, so FortiWeb could not listen for the key exchange, and therefore cannot decrypt subsequent requests/responses in this HTTPS session. To fix this, on the back-end web server, clear HTTPS sessions and force clients to renegotiate.

If FortiWeb is operating in Reverse Proxy or True Transparent Proxy mode, the traffic was blocked and no attack could have passed through to your protected web servers. No action is required except to make sure that you have uploaded to FortiWeb the correct certificate for all protected web servers.

Otherwise, if your appliance was:

• operating in Offline Protection or Transparent Inspection mode or
• configured only to monitor traffic (e.g. Monitor Mode was enabled or the Action is Alert, not Alert & Deny)

examine the web server to determine whether or not an encrypted attack has passed through. You should also examine your web server’s HTTPS configuration and disable cipher suites and key exchanges that are not supported by FortiWeb so that during negotiation with clients, your web server does not agree to use encryption that FortiWeb cannot scan for attacks.

By the nature of log-only actions, detected attack attempts are logged but not blocked. You may also want to determine if the attack is from a single source IP address or distributed: blocklisting an offending client may help you to efficiently prevent further attack attempts, improving performance, until you can take further action.

By the nature of the network topology for Offline Protection mode (which can potentially cause differences in speeds of the separate routing paths), and asynchronous inspection for Transparent Inspection mode, blocking cannot be guaranteed and some key exchanges are not supported. For details, see the FortiWeb Administration Guide.

Message

(msg)

date=2014-04-11 time=10:16:29 log_id=30000000 msg_id=000000000230 device_id=FVVM00UNLICENSED vd="root" timezone="(GMT-5:00)Eastern Time(US & Canada)" type=traffic subtype="HTTP" pri=notification proto=tcp service=HTTP status=success reason="none" policy="policy1" src=172.20.120.46 src_port=49234 dst=172.20.120.48 dst_port=80 HTTP_request_time=0 HTTP_response_time=0 HTTP_request_bytes=257 HTTP_response_bytes=0 HTTP_method=get HTTP_url="/admin" HTTP_host="172.20.120.48" HTTP_agent="Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)" HTTP_retcode=500 msg="HTTP POST request from 172.20.120.46:49234 to 172.20.120.48:80 " srccountry="United States" content_switch_name="testa" server_pool_name="Auto-ServerFarm"

Message

(msg)

date=2023-10-13 time=13:55:23 log_id=30001000 msg_id=000000041654 device_id=FVVM08TM23001463 vd="root" timezone="(GMT+8:00)Taipei" timezone_dayst="GMTe-8" type=traffic subtype="https" pri=notice proto=tcp service=https/tls1.2 status=success reason=none policy=RL-HTTP-A-44.1.0.2-HCP-AlertDeny original_src=44.1.2.57 src=44.1.2.57 src_port=10000 dst=10.20.128.10 dst_port=8080 http_request_time=0 http_response_time=0 http_request_bytes=1401 http_response_bytes=38734 http_method=get http_url="/admin" http_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" http_retcode=500 msg="HTTPS get request from 44.1.2.57:10000 to 10.20.128.10:8080, clievent(0:0), svrevent(0:0)" original_srccountry="United States" srccountry="United States" content_switch_name="none" server_pool_name="tester-10.20.128.10-11-12-HTTP-8080" http_host="msg.gov.hu" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=3CD3AC15B0B5CE4760A202E0350F82BD6222 cipher_suite="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"

Level

(pri)

date=2023-08-13 time=17:53:05 log_id=30002000 msg_id=000000761559 device_id=FVVM02TM22001887 eventtime=1691920385711464343 vd="root" timezone="(GMT+8:00)Taipei" timezone_dayst="GMTe-8" type=traffic subtype="ftp" pri=notice proto=tcp service=ftps status=success reason=none policy="ftp" original_src=44.5.1.40 src=44.5.1.40 src_port=37708 dst=172.23.132.39 dst_port=21 http_request_time=0 http_response_time=0 http_request_bytes=0 http_response_bytes=143 http_method=OTHERS http_url="none" http_agent="none" http_retcode=220 msg="FTPS OTHERS from 44.5.1.40:37708 to 172.23.132.39:21" original_srccountry="Sweden" srccountry="Sweden" content_switch_name="none" server_pool_name="ftp-172.23.132.39" http_host="none" user_name="Unknown" http_refer="none" http_version="Unknown" dev_id=none cipher_suite="none" x509_cert_subject="none"