Administration Guide

Introduction
What's new
Key concepts
- Workflow
- Sequence of scans
- IPv6 support
- Solutions for specific web attacks
- HTTP/2 support
- HTTP sessions & security
- FortiWeb high availability (HA)
- Administrative domains (ADOMs)
- How to use the web UI
- Shutdown
How to set up your FortiWeb
- Appliance vs. VMware
- Registering your FortiWeb
- Planning the network topology
- Connecting to the web UI or CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time & date
- Setting the operation mode
- Feature visibility
- Configuring High Availability (HA) basic settings
  - HA heartbeat & active node election
  - Synchronization
- Replicating the configuration without FortiWeb HA (external HA)
- Configuring the network settings
- Configuring DNS settings
- Configuring HA settings specifically for active-passive and standard active-active modes
- Configuring HA settings specifically for high volume active-active mode
- Defining your web servers & load balancers
  - Defining your protected/allowed HTTP “Host:” header names
  - Defining your web servers
  - Defining your proxies, clients, & X-headers
  - Defining your network services
  - Configuring virtual servers on your FortiWeb
  - Enabling or disabling traffic forwarding to your servers
- Configuring FortiWeb to receive traffic via WCCP
- Configuring basic policies
- Testing your installation
- Switching out of Offline Protection mode
Policies
- How operation mode affects server policy behavior
- Configuring the global object allow list
- Configuring the allow list at server policy level
- Configuring a protection profile for inline topologies
- Generating a protection profile using scanner reports
- Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
- Configuring client management
- Configuring an HTTP server policy
- Configuring traffic mirror
- ADFS Proxy
- Configuring FTP security
Secure connections (SSL/TLS)
- Offloading vs. inspection
- Supported cipher suites & protocol versions
  - Supported cipher suites - for connections between FortiWeb and the clients
  - Supported cipher suites - for connection between FortiWeb and back-end servers
- CA certificates
- How to offload or inspect HTTPS
- Forcing clients to use HTTPS
- HTTP Public Key Pinning
- How to apply PKI client authentication (personal certificates)
- Seamless PKI integration
- Revoking certificates
- How to export/back up certificates & private keys
- How to change FortiWeb's default certificate
- Configuring OCSP stapling
Users
- Authentication styles
- Offloading HTTP authentication & authorization
- Creating reCAPTCHA servers
Application delivery
- Rewriting & redirecting
- Compression
- Site Publishing (Single sign-on)
- Caching
  - What can be cached?
- Acceleration
- Scripting
- Waiting room
Web protection
- Blocking known attacks
- Advanced protection
- Cookie security
- Input validation
- Protocol constraints
- Access control
- ML Based Anomaly Detection
  - Viewing domain data
  - Viewing anomaly detection log
- Anti-defacement
Zero Trust Network Access (ZTNA)
- Configuring FortiClient EMS Connector for ZTNA
- Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- Referencing ZTNA profile in a server policy
- ZTNA troubleshooting and debugging
Bot mitigation
- Configuring threshold based detection
- Configuring biometrics based detection
- Configuring bot deception
- Configuring known bots
- Configuring bot mitigation policy
- Configuring ML Based Bot Detection policy
  - Viewing bot detection model status
  - Viewing the bot detection violations
- Configuring Advanced Bot Protection policy
- Exception Policy
API Protection
- Configuring JSON protection
- Configuring XML protection
- Configuring GraphQL protection
  - Creating GraphQL protection rules
  - Creating GraphQL protection policy
- OpenAPI Validation
- Configuring mobile API protection
- API gateway
- Configuring ML Based API Protection policy
  - Viewing API Protection domain data
  - Editing and viewing machine learning models for API paths
DoS protection
- DoS prevention
- Preventing slow and low attacks
IP Protection
- GEO IP - Blocklisting & whitelisting countries & regions
- IP List - Blocklisting & whitelisting clients using a source IP or source IP range
- IP Reputation - Blocklisting source IPs with poor reputation
- Creating IP groups
Tracking
- Compliance
Administrators
- Configuring access profiles
- Grouping remote authentication queries and certificates for administrators
- Changing an administrator’s password
- Certificate-based Web UI login
Advanced/optional system settings
- Changing the FortiWeb appliance’s host name
- Fail-to-wire for power loss/reboots
- Customizing error and authentication pages (replacement messages)
- Configuring machine-learning URL replacer policy
- Configuring the integrated firewall
  - Network address translation (NAT)
- Advanced settings
- Backup & restore
Dashboard
- Status dashboard
- Monitors
Log&Report
- Logging
- Alert email
- SNMP traps & queries
- Reports
- Debug log
- FortiGuard updates
- Analyzing attack logs in FortiWeb Cloud Threat Analytics
Security Fabric
- External connectors
- Fabric Connector: Single Sign On with FortiGate
- Automation
Ingress Controller
Fine-tuning & best practices
- Hardening security
- Improving performance
- Improving fault tolerance
- Reducing false positives
- Regular backups
- Downloading logs in RAM before shutdown or reboot
Troubleshooting
- Introduction
- Troubleshooting outline
- Diagnosing server-policy connectivity issues
- Diagnosing system issues
- Diagnose software function issues
- Diagnose hardware issues
- System tools & diagnose commands
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: FortiWeb-VM licenses
Appendix D: Supported RFCs, W3C, & IEEE standards
Appendix E: Regular expressions
Appendix F: How to purchase and renew FortiGuard licenses

Home FortiWeb 7.4.1 Administration Guide

7.4.1

What's new

ML based API Protection - Schema and Threat Protection

A new protection layer called “Threat Protection” has been added to the ML based API Protection module. It learns parameter value patterns from the API requests body and builds mathematical models to screen out abnormal requests that are deemed malicious.

For more information, see Configuring ML Based API Protection policy.

GraphQL Protection

Protection for GraphQL is introduced in this release. It safeguards GraphQL APIs from malicious queries, signature attacks, and excessive resource consumption, ensuring their secure and efficient operation.

For more information, see Configuring GraphQL protection.

Waiting Room

A new Waiting Room capability is introduced in this release under Application Delivery. It controls visitor traffic using a virtual holding space and queuing First-In/First-Out system.

For more information, see Waiting room.

Advanced Bot Protection policy

FortiGuard Advanced Bot Protection is a SaaS (Software as a Service) solution which builds up a machine learning model to protect against a wide range of threats, including Data harvesting, Credential stuffing attacks, Account takeover attempts, and DDoS attacks

FortiWeb can now integrate with FortiGuard Advanced Bot Protection to leverage its powerful bot detection feature to identify any malicious bot behavior and take appropriate actions.

For more information, see Configuring Advanced Bot Protection policy.

XSW detection

FortiWeb can now detect XML Signature Wrapping (XSW), a technique that enables a malicious client to manipulate or forge a digitally signed document without invalidating the included signature.

For more information, see Creating XSW Detection rules.

DTD validation for XML requests

FortiWeb now supports the utilization of a Document Type Definition (DTD) file to establish restrictions for XML requests.

For more information, see Importing XML DTD files.

External IP Address Auto-Retrieval

In IP Protection > IP List, you now have the option to not only manually specify IP addresses to trust or block but also configure the system to automatically retrieve the IP list from an external HTTP/HTTPS server.

For more information, see IP Address Connector.

Signature Enhancements

We now offer support for utilizing hyperscan to identify personally identifiable information within the response body. To use this feature, simply enable personally-identifiable-information-hyperscan-mode in config waf signature.

Additionally, the signature details now include information about the main category, sub-category, and sensitivity level.

Biometric-based bot detection enhancements

The biometric-based bot detection has been refined to enhance the accuracy of trait collection and URL record logging in attack logs. Traits are now weighted in a more effective manner, improving the efficiency of bot screening while minimizing false positives.

For more information, see Configuring biometrics based detection.

reCAPTCHA v3 support

reCAPTCHA v3 has been integrated in FortiWeb to facilitate bot confirmation. It returns a score for each request without user friction, offering a more flexible configuration and user-friendly experience.

HTTP/2 RST Stream check in HTTP Protocol Constraints

Checking for HTTP/2 RST Stream occurrences and frequency within an HTTP/2 connection is now supported. To set this up, go to Web Protection > Protocol > HTTP > HTTP Protocol Constraints and find the HTTP Request items.

For more information, see HTTP/HTTPS protocol constraints.

Permission-policy in HTTP Header Security

The feature-policy has been updated to permission-policy in alignment with the industry standard. Upgrading is seamless with just one click, and syntax errors can be easily validated.

For more information, see HTTP Security Headers.

Multiple SAML servers in Site Publish

Previously, FortiWeb only supported a single SAML server in Site Publish. Now, it has been upgraded to accommodate multiple SAML servers.

For more information, see Configuring a Security Assertion Markup Language (SAML) server pool.

Cached items search enhancement

In Application Delivery > Caching, we offer the capability to list all cached items associated with a specified URL. Furthermore, you can fine-tune your search by applying keywords to filter the results as needed.

For more information, see Caching.

IP Conflict prompt in event log

If the IP addresses configured on the FortiWeb (including the VIP or network interface IP addresses) conflict with the IP addresses of other devices in the same subnet, an IP conflict event will be recorded in the event log, for instance:

msg="Detect MAC address 08:35:71:fb:f4:cc claims to have our IP 13.0.0.1.

Log type setting for storing or sending logs

You can now choose your preferred log types in the Log & Report > Log Config > Global Log Settings. This allows you to select one or multiple of the three log types (attack log, event log, traffic log) for local storage or forwarding to external log servers.

For more information, see Logging.

Email attachments compression in Email Policy

In this release, we have reinstated the email attachments compression for the alert email policy. With the compression function enabled, event logs and alerts will be attached to the emails in ZIP format; otherwise, they will be attached in TXT format.

For more information, see attach-compress in log email-policy.

HTTP/2 window size limit raised

It is now possible to customize the window size, determining the amount of data in bytes that FortiWeb is willing to receive at any given time, for both the server and client sides of HTTP/2 connections. The valid range is 65,535-2,147,483,647 bytes.

For more information, see http2-window-size in server-policy-server-pool and server-policy-policy.