Fortinet 5.0 Patch 6 User manual

Courtney Schwartz

Contributors:

George Csaba

Martijn Duijm

Patricia Siertsema

Idan Soen

Shiji Li

Qin Lu

Atsunobu Shiiya

Hao Xu

Shiqiang Xu

Forrest Zhang

W

EB

A

PPLICATION

F

IREWALL

FortiWeb

™

5.0 Patch 6

Administration Guide

trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other

product or company names may be trademarks of their respective owners. Performance metrics

contained herein were attained in internal lab tests under ideal conditions, and performance may vary.

Network variables, different network environments and other conditions may affect performance results.

Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties,

whether express or implied, except to the extent Fortinet enters a binding written contract, signed by

Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will

perform according to the performance metrics herein. For absolute clarity, any such warranty will be

limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in

full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this

publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation http://help.fortinet.com

Knowledge Base http://kb.fortinet.com

Forums https://support.fortinet.com/forum

Customer Service & Support https://support.fortinet.com

Training http://training.fortinet.com

FortiGuard Threat Research & Response http://www.fortiguard.com

License http://www.fortinet.com/doc/legal/EULA.pdf

Document Feedback Email: techdocs@fortinet.com

FortiWeb 5.0 Patch 6 Administration Guide

February 19, 2014

2nd Edition

Fortinet 3 FortiWeb 5.0 Patch 6 Administration Guide

Table of contents

Introduction..................................................................................................... 13

Benefits.................................................................................................................. 13

Architecture ........................................................................................................... 14

Scope..................................................................................................................... 14

What’s new...................................................................................................... 16

Documentation enhancements.............................................................................. 21

Key concepts .................................................................................................. 22

Workflow................................................................................................................ 22

Sequence of scans ................................................................................................ 23

Solutions for specific web attacks......................................................................... 27

HTTP/HTTPS threats ....................................................................................... 27

DoS attacks ..................................................................................................... 32

HTTP sessions & security ...................................................................................... 34

FortiWeb sessions vs. web application sessions ............................................ 37

Sessions & FortiWeb HA.................................................................................. 39

Example: Magento & FortiWeb sessions during failover ........................... 39

HA heartbeat & synchronization ............................................................................ 40

Data that is not synchronized by HA ............................................................... 41

Configuration settings that are not synchronized by HA................................. 42

How HA chooses the active appliance ............................................................ 44

How to use the web UI .......................................................................................... 45

System requirements....................................................................................... 45

URL for access ................................................................................................ 45

Workflow.......................................................................................................... 46

Permissions...................................................................................................... 47

Trusted hosts ............................................................................................. 51

Maximum concurrent administrator sessions.................................................. 51

Global web UI & CLI settings........................................................................... 51

Buttons, menus, & the displays ....................................................................... 55

Deleting entries .......................................................................................... 57

Renaming entries ....................................................................................... 58

Shutdown............................................................................................................... 58

How to set up your FortiWeb......................................................................... 60

Appliance vs. VMware ........................................................................................... 60

Registering your FortiWeb ..................................................................................... 60

FortinetFortinet 4 FortiWeb 5.0 Patch 6 Administration Guide

Planning the network topology.............................................................................. 61

How to choose the operation mode ................................................................ 61

Supported features in each operation mode ............................................. 62

Matching topology with operation mode & HA mode................................ 63

Topology for reverse proxy mode.................................................................... 63

Topology for either of the transparent modes ................................................. 65

Topology for offline protection mode .............................................................. 67

Topologies for high availability (HA) clustering ................................................ 68

Connecting to the web UI or CLI ........................................................................... 71

Connecting to the web UI................................................................................ 72

Connecting to the CLI...................................................................................... 74

Updating the firmware ........................................................................................... 77

Testing new firmware before installing it ......................................................... 77

Installing firmware............................................................................................ 79

Updating firmware on an HA pair............................................................... 83

Installing alternate firmware............................................................................. 84

Booting from the alternate partition........................................................... 87

Changing the “admin” account password............................................................. 90

Setting the system time & date.............................................................................. 91

Setting the operation mode ................................................................................... 94

Configuring a high availability (HA) FortiWeb cluster............................................. 97

Replicating the configuration without FortiWeb HA (external HA)................. 107

Configuring the network settings......................................................................... 111

Network interface or bridge? ......................................................................... 111

Configuring the network interfaces.......................................................... 113

Adding VLAN subinterfaces ............................................................... 117

Link aggregation ...................................................................................... 120

Configuring a bridge (V-zone) .................................................................. 122

Adding a gateway .......................................................................................... 125

Configuring DNS settings .............................................................................. 130

Connecting to FortiGuard services...................................................................... 134

Choosing the virus signature database & decompression buffer.................. 138

Accessing FortiGuard via a web proxy.......................................................... 140

How often does Fortinet provide FortiGuard updates for FortiWeb?............ 140

Scheduling automatic signature updates ...................................................... 141

Manually initiating update requests ............................................................... 144

Uploading signature & geography-to-IP updates.......................................... 146

Configuring basic policies ................................................................................... 148

Example 1: Configuring a policy for HTTP via auto-learning......................... 148

Example 2: Configuring a policy for HTTPS .................................................. 149

Example 3: Configuring a policy for load balancing ...................................... 150

FortinetFortinet 5 FortiWeb 5.0 Patch 6 Administration Guide

Auto-learning ....................................................................................................... 151

How to adapt auto-learning to dynamic URLs & unusual parameters .......... 151

Configuring URL interpreters ................................................................... 152

Example: URL interpreter for a JSP application ................................ 156

Example: URL interpreter for Microsoft Outlook Web App 2007....... 156

Example: URL interpreter for WordPress........................................... 160

Grouping URL interpreters....................................................................... 165

Recognizing data types ................................................................................. 166

Predefined data types.............................................................................. 166

Grouping predefined data types .............................................................. 170

Recognizing suspicious requests .................................................................. 171

Predefined suspicious request URLs....................................................... 172

Configuring custom suspicious request URLs ........................................ 173

Grouping custom suspicious request URLs ............................................ 174

Grouping all suspicious request URLs..................................................... 175

Configuring an auto-learning profile .............................................................. 177

Running auto-learning.................................................................................... 180

Pausing auto-learning for a URL.................................................................... 181

Viewing auto-learning reports........................................................................ 182

Using the report navigation pane............................................................. 183

Using the report display pane.................................................................. 186

Overview tab ...................................................................................... 186

Attacks tab......................................................................................... 188

About the attack count....................................................................... 191

Visits tab............................................................................................. 191

Parameters tab................................................................................... 194

Cookies tab........................................................................................ 195

Generating a profile from auto-learning data................................................. 196

Transitioning out of the auto-learning phase................................................. 199

Removing old auto-learning data................................................................... 200

Testing your installation....................................................................................... 201

Reducing false positives................................................................................ 202

Testing for vulnerabilities & exposure............................................................ 203

Expanding the initial configuration................................................................. 203

Switching out of offline protection mode............................................................. 205

Backups......................................................................................................... 206

Restoring a previous configuration...................................................................... 210

Administrators .............................................................................................. 212

Configuring access profiles ................................................................................. 216

Grouping remote authentication queries for administrators................................ 218

Changing an administrator’s password............................................................... 219

FortinetFortinet 6 FortiWeb 5.0 Patch 6 Administration Guide

Users.............................................................................................................. 221

Authentication styles............................................................................................ 221

Via the “Authorization:” header in the HTTP/HTTPS protocol....................... 221

Via forms embedded in the HTML................................................................. 222

Via a personal certificate................................................................................ 224

Offloading HTTP authentication & authorization ................................................. 225

Configuring local end-user accounts............................................................. 227

Configuring queries for remote end-user accounts....................................... 228

Configuring LDAP queries........................................................................ 228

Configuring RADIUS queries.................................................................... 233

Configuring NTLM queries....................................................................... 235

Grouping users .............................................................................................. 236

Applying user groups to an authorization realm ............................................ 238

Grouping authorization rules.................................................................... 240

Single sign-on (SSO)............................................................................................ 243

Example: Enforcing complex passwords ............................................................ 247

Defining your web servers & load balancers ............................................. 248

Protected web servers vs. protected/allowed host names ................................. 248

Defining your protected/allowed HTTP “Host:” header names........................... 249

Defining your web servers ................................................................................... 251

Defining your web server by its IP address ................................................... 251

Defining your web server by its DNS domain name ...................................... 253

Configuring server up/down checks.............................................................. 254

Grouping your web servers into server farms................................................ 256

Routing based upon URL or “Host:” name.............................................. 262

Example: Routing according to URL/path ............................................... 265

Example: Routing according to the HTTP “Host:” field........................... 265

Defining your proxies, clients, & X-headers......................................................... 266

Indicating the original client’s IP to back-end web servers ........................... 267

Indicating to back-end web servers that the client’s request was HTTPS.... 269

Blocking the attacker’s IP, not your load balancer........................................ 269

Configuring virtual servers on your FortiWeb ...................................................... 272

Defining your network services............................................................................ 274

Defining custom services............................................................................... 274

Predefined services ....................................................................................... 275

Enabling or disabling traffic forwarding to your servers ...................................... 275

Secure connections (SSL/TLS) ................................................................... 277

Offloading vs. inspection ..................................................................................... 277

Supported cipher suites & protocol versions ...................................................... 279

Uploading trusted CAs’ certificates..................................................................... 280

Grouping trusted CAs’ certificates ................................................................ 282

FortinetFortinet 7 FortiWeb 5.0 Patch 6 Administration Guide

How to offload or inspect HTTPS........................................................................ 283

Generating a certificate signing request........................................................ 285

Uploading a server certificate........................................................................ 289

Supplementing a server certificate with its signing chain........................ 291

How to apply PKI client authentication (personal certificates) ............................ 293

Example: Generating & downloading a personal certificate from

Microsoft Windows 2003 Server ................................................................. 297

Example: Downloading the CA’s certificate from

Microsoft Windows 2003 Server ................................................................. 306

Example: Importing the personal certificate & private key to a client’s trust store

on Microsoft Windows 7.............................................................................. 307

Uploading the CA’s certificate to FortiWeb’s trusted CA store..................... 315

Configuring FortiWeb to validate client certificates....................................... 316

Revoking certificates ........................................................................................... 318

Revoking certificates by OCSP query............................................................ 319

How to export/back up certificates & private keys.............................................. 320

Access control.............................................................................................. 321

Restricting access to specific URLs.................................................................... 321

Grouping access rules per combination of URL & “Host:”............................ 324

Combination access control & rate limiting......................................................... 325

Blacklisting & whitelisting clients......................................................................... 329

Blacklisting source IPs with poor reputation ................................................. 329

Blacklisting countries & regions..................................................................... 331

Blacklisting & whitelisting clients individually by source IP ........................... 335

Blacklisting content scrapers, search engines, web crawlers, & other robots.....

337

Rate limiting .................................................................................................. 338

DoS prevention .................................................................................................... 338

Configuring application-layer DoS protection ............................................... 338

Limiting the total HTTP request rate from an IP ...................................... 339

Example: HTTP request rate limit per IP............................................ 344

Limiting TCP connections per IP address by session cookie.................. 344

Example: TCP connection per session limit ...................................... 347

Preventing an HTTP request flood........................................................... 347

Example: HTTP request flood prevention .......................................... 351

Configuring network-layer DoS protection .................................................... 351

Limiting TCP connections per IP address ............................................... 351

Example: TCP flood prevention ......................................................... 354

Preventing a TCP SYN flood.................................................................... 354

Grouping DoS protection rules ...................................................................... 355

Preventing automated requests........................................................................... 357

Example: Preventing email directory harvesting............................................ 360

Configuring browser enforcement exceptions............................................... 361

Preventing brute force logins............................................................................... 362

FortinetFortinet 8 FortiWeb 5.0 Patch 6 Administration Guide

Rewriting & redirecting ................................................................................ 367

Example: HTTP-to-HTTPS redirect ..................................................................... 373

Example: Full host name/URL translation ........................................................... 376

Example: Sanitizing poisoned HTML................................................................... 380

Example: Inserting & deleting body text.............................................................. 382

Example: Rewriting URLs using regular expressions.......................................... 383

Example: Rewriting URLs using variables ........................................................... 384

Grouping rewriting & redirection rules ................................................................. 385

Blocking known attacks & data leaks ........................................................ 387

Configuring action overrides or exceptions to data leak & attack detection signa-

tures................................................................................................................... 398

Finding signatures that are disabled or “Alert Only”...................................... 401

Defining custom data leak & attack signatures ................................................... 401

Example: ASP .Net version & other multiple server detail leaks.................... 406

Example: Zero-day XSS................................................................................. 407

Example: Local file inclusion fingerprinting via Joomla ................................. 409

Enforcing page order that follows application logic ............................................ 411

Specifying URLs allowed to initiate sessions ...................................................... 415

Preventing zero-day attacks ....................................................................... 421

Validating parameters (“input rules”) ................................................................... 421

Bulk changes to input validation rules........................................................... 428

Defining custom data types........................................................................... 429

Preventing tampering with hidden inputs ............................................................ 430

Specifying allowed HTTP methods...................................................................... 436

Configuring allowed method exceptions ....................................................... 438

HTTP/HTTPS protocol constraints ...................................................................... 440

Configuring HTTP protocol constraint exceptions ........................................ 446

Limiting file uploads ..................................................................................... 451

Compression & decompression.................................................................. 456

Configuring compression/decompression exemptions....................................... 456

Configuring compression offloading.................................................................... 457

Configuring decompression to enable scanning & rewriting............................... 460

Policies .......................................................................................................... 463

How operation mode affects server policy behavior ........................................... 463

Configuring the global object white list ............................................................... 464

Uploading a custom error page........................................................................... 467

Configuring a protection profile for inline topologies........................................... 468

Configuring a protection profile for an out-of-band topology or asynchronous mode

of operation ....................................................................................................... 477

FortinetFortinet 9 FortiWeb 5.0 Patch 6 Administration Guide

Configuring a server policy .................................................................................. 483

Enabling or disabling a policy........................................................................ 497

Anti-defacement........................................................................................... 498

Reverting a defaced web site .............................................................................. 503

Compliance ................................................................................................... 504

Database security ................................................................................................ 504

Authorization........................................................................................................ 504

Preventing data leaks .......................................................................................... 504

Vulnerability scans ............................................................................................... 505

Preparing for the vulnerability scan ............................................................... 506

Live web sites .......................................................................................... 506

Network accessibility ............................................................................... 506

Traffic load & scheduling.......................................................................... 506

Scheduling web vulnerability scans............................................................... 507

Configuring vulnerability scan settings.......................................................... 508

Running vulnerability scans ........................................................................... 513

Manually starting & stopping a vulnerability scan.......................................... 515

Viewing vulnerability scan reports ................................................................. 516

Scan report contents ............................................................................... 516

Downloading vulnerability scan reports......................................................... 517

Advanced/optional system settings ........................................................... 519

Changing the FortiWeb appliance’s host name................................................... 519

Fail-to-wire for power loss/reboots ..................................................................... 520

Advanced settings ............................................................................................... 521

Example: Setting a separate rate limit for shared Internet connections........ 523

Monitoring your system ............................................................................... 525

The dashboard..................................................................................................... 525

System Information widget............................................................................ 528

FortiGuard Information widget....................................................................... 530

CLI Console widget........................................................................................ 534

System Resources widget ............................................................................. 536

Attack Log Console widget............................................................................ 536

Real Time Monitor widget.............................................................................. 537

Event Log Console widget............................................................................. 538

Server Status widget...................................................................................... 538

Policy Sessions widget .................................................................................. 540

Operation widget ........................................................................................... 540

RAID level & disk statuses ................................................................................... 541

FortinetFortinet 10 FortiWeb 5.0 Patch 6 Administration Guide

Logging................................................................................................................ 542

About logs & logging...................................................................................... 543

Log types ................................................................................................. 543

Log severity levels.................................................................................... 544

Log rate limits .......................................................................................... 544

Configuring logging........................................................................................ 545

Enabling log types, packet payload retention, & resource shortage alerts ....

546

Configuring log destinations .................................................................... 549

Obscuring sensitive data in the logs........................................................ 552

Configuring Syslog settings ..................................................................... 554

Configuring FortiAnalyzer policies ........................................................... 555

Configuring triggers ................................................................................. 557

Viewing log messages ................................................................................... 557

Viewing a single log message as a table ................................................. 562

Viewing packet payloads ......................................................................... 563

Switching between Raw & Formatted log views...................................... 564

Displaying & arranging log columns......................................................... 566

Filtering log messages ............................................................................. 567

Downloading log messages..................................................................... 569

Deleting log files....................................................................................... 571

Coalescing similar attack log messages.................................................. 572

Searching attack logs .............................................................................. 573

Alert email ............................................................................................................ 576

Configuring email settings ............................................................................. 576

Configuring alert email for event logs ............................................................ 578

SNMP traps & queries ......................................................................................... 580

Configuring an SNMP community ................................................................. 581

MIB support ................................................................................................... 586

Reports ................................................................................................................ 586

Customizing the report’s headers, footers, & logo ........................................ 589

Restricting the report’s scope ....................................................................... 590

Choosing the type & format of a report profile .............................................. 592

Scheduling reports......................................................................................... 595

Selecting the report’s file type & email delivery............................................. 595

Viewing & downloading generated reports.................................................... 597

Data analytics ................................................................................................ 598

Configuring policies to gather data.......................................................... 598

Updating data analytics definitions.......................................................... 598

Viewing web site statistics....................................................................... 599

Filtering the data analytics report....................................................... 603

Bot analysis.................................................................................................... 605

Monitoring currently blocked IPs......................................................................... 606

FortiGuard updates.............................................................................................. 606

Vulnerability scans ............................................................................................... 607

FortinetFortinet 11 FortiWeb 5.0 Patch 6 Administration Guide

Fine-tuning & best practices ....................................................................... 608

Hardening security............................................................................................... 608

Topology ........................................................................................................ 608

Administrator access ..................................................................................... 609

User access ................................................................................................... 611

Signatures & patches..................................................................................... 612

Buffer hardening ............................................................................................ 612

Enforcing valid, applicable HTTP................................................................... 614

Sanitizing HTML application inputs ............................................................... 614

Improving performance ....................................................................................... 614

System performance...................................................................................... 614

Antivirus performance.................................................................................... 615

Regular expression performance tips............................................................ 615

Logging performance..................................................................................... 617

Report performance....................................................................................... 618

Auto-learning performance............................................................................ 619

Vulnerability scan performance ..................................................................... 623

Packet capture performance ......................................................................... 623

Improving fault tolerance ..................................................................................... 623

Alerting the SNMP manager when HA switches the primary appliance........ 624

Reducing false positives...................................................................................... 624

Regular backups.................................................................................................. 628

Downloading logs in RAM before shutdown or reboot ....................................... 629

Troubleshooting ........................................................................................... 630

Tools .................................................................................................................... 630

Ping & traceroute ........................................................................................... 630

Log messages................................................................................................ 631

Diff.................................................................................................................. 632

Packet capture............................................................................................... 633

Diagnostic commands in the CLI................................................................... 638

How to troubleshoot ............................................................................................ 638

Establishing a system baseline...................................................................... 638

Determining the source of the problem ......................................................... 639

Planning & access privileges ......................................................................... 640

FortinetFortinet 12 FortiWeb 5.0 Patch 6 Administration Guide

Solutions by issue type........................................................................................ 640

Connectivity issues........................................................................................ 641

Checking hardware connections ............................................................. 641

Examining the ARP table ......................................................................... 642

Checking routing...................................................................................... 642

Testing for connectivity with ping ...................................................... 644

Testing routes & latency with traceroute ........................................... 648

Examining the routing table ..................................................................... 651

Checking port assignments ..................................................................... 652

Performing a packet trace........................................................................ 652

Debugging the packet processing flow ................................................... 653

Checking the SSL/TLS handshake & encryption..................................... 653

Resource issues............................................................................................. 654

Killing system-intensive processes.......................................................... 654

Monitoring traffic load.............................................................................. 654

Preparing for attacks................................................................................ 655

Login issues ................................................................................................... 655

Checking user authentication policies ..................................................... 655

When an administrator account cannot log in from a specific IP ............ 656

Remote authentication query failures ...................................................... 656

Resetting passwords ............................................................................... 656

Data storage issues ....................................................................................... 657

Bootup issues ................................................................................................ 658

Hard disk corruption or failure ................................................................. 658

Power supply failure................................................................................. 660

Resetting the configuration.................................................................................. 662

Restoring firmware (“clean install”)...................................................................... 663

Appendix A: Port numbers........................................................................... 666

Appendix B: Maximum configuration values ............................................. 669

Maximum values on FortiWeb-VM ...................................................................... 669

Appendix C: Supported RFCs, W3C, & IEEE standards............................ 671

RFCs .................................................................................................................... 671

W3C standards .................................................................................................... 671

IEEE standards .................................................................................................... 672

Appendix D: Regular expressions............................................................... 673

Regular expression syntax................................................................................... 673

What are back-references? ........................................................................... 678

Cookbook regular expressions............................................................................ 680

Language support................................................................................................ 682

Index .............................................................................................................. 684

Fortinet 13 FortiWeb 5.0 Patch 6 Administration Guide

Introduction

Welcome, and thank you for selecting Fortinet products for your network.

FortiWeb hardware and FortiWeb-VM virtual appliance models are available that are suitable for

medium and lar

ge enterprises, as well as service providers.

Benefits

FortiWeb is designed specifically to protect web servers.

FortiWeb web application firewalls (WAF)

provide specialized application layer threat detection

and protection for HTTP or HTTPS services such as:

• Apache Tomcat

•ngi

nx

•Microsoft IIS

• JBoss

•IBM Lotus Domino

• Microsoft SharePoint

• Microsoft Outlook Web App (OWA)

• RPC and ActiveSync for Microsoft Exchange Server

• Joomla

•WordPress

• and many others

FortiWeb’s integrated web-specific

vulnerability scanner can drastically r

educes challenges

associated with protecting regulated and confidential data by detecting your exposure to the

latest threats, especially the OWASP Top 10.

In addition, FortiWeb’s HTTP firewall and denial-of-service (DoS) attack-prevention protect your

Inter

net-facing web-based applications from attack and data theft. Using advanced techniques

to provide bidirectional protection against sophisticated threats like SQL injection and

cross-site scripting (XSS), FortiWeb helps you prevent identity theft, financial fraud, and

corporate espionage. FortiWeb delivers the technology you need to monitor and enforce

government regulations, industry best practices, and internal security policies, including

firewalling and patching requirements from PCI DSS.

FortiWeb’s application-aware firewalling and load balancing engine can:

• Secure HTTP applications that are often gateways into valuable databases

•

Pr

event and reverse defacement

• Improve application stability

• Monitor servers for downtime & connection load

• Reduces response times

• Accelerate SSL/TLS *

• Accelerate compression/decompression

• Rewrite content on the fly

Fortinet 14 FortiWeb 5.0 Patch 6 Administration Guide

* On VM models, acceleration is due to offloading the cryptography burden from the back-end

server. On hardware models, cryptography is also hardware-accelerated via ASIC chips.

FortiWeb significantly reduces deployment costs by consolidating WAF, hardware acceleration,

load balancing, and vulnerability s

canning into a single device with no per-user pricing. Those

features drastically reduce the time required to protect your regulated, Internet-facing data and

eases the challenges associated with policy enforcement and regulatory compliance.

Architecture

Figure 1: Basic topology

FortiWeb can be deployed in a one-arm topology, but is more commonly positioned inline to

intercept all incoming clients’ connections and redistribute them to your servers. FortiWeb has

TCP- and HTTP-specific firewalling capability. Because it is not designed to provide security to

non-HTTP applications, it should be deployed behind a firewall such as FortiGate that focuses

on security for other protocols that may be forwarded to your back-end servers, such as FTP

and SSH.

Once the appliance is deployed, you can configure FortiWeb via its web UI and CLI, from a web

br

ow

ser and terminal emulator on your management computer.

Scope

This document describes how to set up your FortiWeb appliance. For both the hardware and

virtual appliance versions of FortiWeb, it describes how to complete first-time system

deployment, including planning the network topology.

It also describes how to use the web user interface (web UI), and contains

lists of default utilized

port numbers, configuration limits, and supported standards.

This document assumes, if you have inst

alled the virtual appliance version (FortiWeb-VM), that

you have already followed the instructions in the FortiWeb-VM Install Guide.

Fortinet 15 FortiWeb 5.0 Patch 6 Administration Guide

After completing “How to set up your FortiWeb” on page 60:

• You will have administrative access to the

web UI and/or CLI.

• You will have completed firmware updates, if any.

• The system time, DNS settings, administrator password, and network interfaces will be

configured.

• You will have set the operation mode.

• You will have configured basic logging.

• You will have created at least one server policy.

• You may have completed at least one phase of auto-learning to jump-start your

configuration.

Once that basic installation is complete, you can use the rest of this document to use the

web UI to:

• Update the FortiWeb appliance.

•

Rec

onfigure features.

• Use advanced features, such as anti-defacement.

• Diagnose problems.

This document does no

t pro

vide a reference for the command line interface (CLI). For that

information, see the FortiWeb CLI Reference.

This document is intended for administrators, not end users. If you a

re accessing a web site

protected by FortiWeb, please contact your system administrator.

Fortinet 16 FortiWeb 5.0 Patch 6 Administration Guide

What’s new

The list below contains features new or changed since FortiWeb 5.0. For upgrade information,

see the Release Notes available with the firmware and “Updating the firmware” on page 77.

FortiWeb 5.0 Patch 6

• No ne

w features. Bug fixes only.

FortiWeb 5.0 Patch 5

• RADIUS vendor-specific attributes for access profiles — If your administrator accounts

authenticate via a RADIUS query, you can assign their access profile using RFC 2548

Microsoft Vendor-specific RADIUS Attributes. See Access Profile in “Administrators” on

page 212 and “Configuring RADIUS queries” on page 233.

FortiWeb 5.0 Patch 4

• Bulk edits for parameter validation rules — Rather than individually editing each rule, you

can now replace the Action, Trigger Policy, and/or Severity of multiple rules simultaneously.

See “Bulk changes to input validation rules” on page 428.

• Namibian time zone support — System time and date settings now support the Namibian

time zone. See “Setting the system time & date” on page 91.

FortiWeb 5.0 Patch 3

• No new features. Bug fixes only.

FortiWeb 5.0 Patch 2

• Hidden fields protection for HTTPS — You can now use the Fetch URL dialog in the GUI to

help you tamper-proof hidden inputs in HTTPS requests. See “Preventing tampering with

hidden inputs” on page 430.

• Indicating original service to back-end servers— When offloading SSL/TLS, you can now

use an HTTP X-header to indicate to back-end web servers that the original client’s request

was, in fact, encrypted. See “Indicating to back-end web servers that the client’s request

was HTTPS” on page 269.

• More Microsoft file types for file upload restrictions — There are now signatures

specifically for Microsoft Office Open XML file types such as .docx. See “Limiting file

uploads” on page 451.

• Per CPU SNMP queries— You can now monitor the usage of each CPU in multi-CPU

appliances. See “MIB support” on page 586.

• NMI and COMlog support — FortiWeb 3000D, 3000DFsx, and 4000D models that have

NMI buttons now have firmware support. This can be useful for carriers that require

extensive debugging capabilities. See your model’s QuickStart Guide and the FortiWeb NMI

& COMlog Technical Note.

• RAM-only traffic log support — To reduce wear and tear on your hard disks when you

require traffic logs, you can now disable hard disk storage of traffic logs and use RAM only.

See the FortiWeb CLI Reference.

Fortinet 17 FortiWeb 5.0 Patch 6 Administration Guide

FortiWeb 5.0 Patch 1

• Site publishing— You can now easily publish Microsoft Outlook Web Access (OWA),

SharePoint, Lync and other web applications. FortiWeb streamlines access to the

applications by providing offloaded authentication with optional single sign-on (SSO)

functionality. See Site Publish and “Single sign-on (SSO)” on page 243.

• “Alert Only” action for individual signatures — To provide better flexibility, you can now

choose an Alert Only action for individual attack signatures. When configuring a protection

profile, save it, then return to it and click the Advanced Mode button. Select a signature

category from the menu. When individual signatures appear in the pane on the right, click

the signature’s row to select it, then mark the Alert Only check box in the Signature tab. See

“Configuring action overrides or exceptions to data leak & attack detection signatures” on

page 398.

• Attack signature filters — In the Advanced mode while configuring attack signatures, in the

bottom of the navigation tree on the left, new categories have been added that display

individual signatures that have been disabled, or whose Alert Only check box is marked.

Previously, the Search item in the tree only enabled you to search for signature IDs. See

“Finding signatures that are disabled or “Alert Only”” on page 401.

• Custom global white list objects— You can now add your own URLs, parameters, and

cookies that you don’t want FortiWeb to inspect. Previously, you could only white list

predefined objects. See “Configuring the global object white list” on page 464.

• Advanced/combination access control rule enhancement— When configuring HTTP

header conditions for combination access control rules, regular expressions are now

supported. See “Combination access control & rate limiting” on page 325.

• Performance enhancements— Memory utilization and other performance enhancements

have been made. For example, the antivirus database now loads into memory only while

antivirus is enabled in a policy.

• New geo-to-IP database format supported

FortiWeb 5.0

• FortiWeb 3000D, 3000DFsx, and 4000D support — All three models support SSL/TLS

acceleration with CP8 ASIC chips and have bypass/fail-to-wire port pairs. For hardware

details, see your model’s QuickStart Guide and “Fail-to-wire for power loss/reboots” on

page 520. For specifications of maximum supported objects, see “Appendix B: Maximum

configuration values” on page 669.

• Password recovery — If you have forgotten the password, but have physical access to your

FortiWeb, you can now reset the password for the admin administrator account. See

“Resetting passwords” on page 656.

Back up all parts of the configuration and data before updating the firmware to FortiWeb 5.0.

Some backup types do not include the full configuration. For full backup instructions, see

“Backups” on page 206.

FortiWeb 5.0 configuration files are not compatible with previous firmware versions. Many

fundamental changes have been made to its configuration file structure. If you later decide to

downgrade to FortiWeb 4.4.7 or earlier, your FortiWeb appliance will lose its configuration.

To restore the configuration, you will need a backup that is compatible with the older

firmware.

Fortinet 18 FortiWeb 5.0 Patch 6 Administration Guide

• IPv6 support— If FortiWeb is operating in reverse proxy mode, the following features now

support IPv6-to-IPv6 forwarding, as well as NAT64, to support environments where legacy

back-end equipment only supports IPv4.

• IP/Netmask for all types of network interfaces, DNS settings, and Gateway and

Destination IP/Mask for IP-layer static routes

• Virtual Server/V-zone

• Physical Server/Domain Server/Server Farm

• Server Health Check

• Protected Servers

• Session Management

• Cookie Poisoning Detection

• Signatures

• Custom Access

• Parameter Validation

• Hidden Fields Protection

• File Upload Restriction

• HTTP Protocol Constraints

• Brute Force Login

• URL Access

• Page Access (page order)

• Start Pages

• Allow Method

• IP List (manual, individual IP blacklisting/whitelisting)

• File Compress/File Uncompress

• Auto-learning

• Vulnerability scans

• Global white list objects

• Chunk decoding

• FortiGuard server IP overrides

These are not yet supported:

If a policy has any virtual servers, server farms, physical servers, or domain servers with IPv6

addresses, it will not apply these features, even if they are selected.

Fortinet 19 FortiWeb 5.0 Patch 6 Administration Guide

• X-Forwarded-For

• Shared IP

• Policy bypasses for known search engines

• Geo IP

• DoS Protection

• IP Reputation

• URL Rewriting (also redirection)

• HTTP Authentication and LDAP, RADIUS, and NTLM profiles

• Data Analytics

• Log-based reports

• Alert email

• Syslog and FortiAnalyzer IP addresses

•NTP

• FTP immediate/scheduled

• OCSP/SCEP

•Anti-defacement

• HA/Configuration sync

• exec restore

• exec backup

• exec traceroute

• exec telnet

• Challenge action for application-level anti-DoS — Rather than simply blocking all clients

that exceed your rate limit or trigger other DoS sensors, you can now choose to test the

client first — to return a web page that uses a script to assess whether the client is a web

browser or an automated tool favored by attackers. In this way, you can allow higher rate

limits for people than automated tools. See “Limiting the total HTTP request rate from an IP”

on page 339 and “Preventing an HTTP request flood” on page 347.

• Search engine access improved — You can now allow known search engines such as

Google, Yahoo!, Baidu and Bing to be exempt from DoS sensors, brute force login sensors,

HTTP protocol constraints, and combination rate & access control (called “advanced

protection” and “custom policies” in the web UI). See Allow Known Search Engines in

“Configuring a protection profile for inline topologies” on page 468 or “Configuring a

protection profile for an out-of-band topology or asynchronous mode of operation” on

page 477.

• Robot control simplified — Control of known malicious automated tools has been

simplified, and custom robot definitions removed. See Bad Robot in “Blocking known

attacks & data leaks” on page 387.

• Robot monitoring report — To monitor search engines that may be abusing access, you

can monitor throughput and transactions per second for each crawler from your GUI’s

reports area. See “Bot analysis” on page 605.

• Dynamic rate threshold in Real Time Monitor widget — The Policy Summary widget has

been renamed, and now scales its graph dynamically to best show you differences based

upon your normal levels of traffic. See “Real Time Monitor widget” on page 537.

• HTTP status code customization — To prevent WAF fingerprinting that can be a precursor

for evasive APT attackers, you can now modify the return codes such as 200 OK that

Fortinet 20 FortiWeb 5.0 Patch 6 Administration Guide

FortiWeb returns to clients when blocking violation traffic. See Error Page Return Code in

“Configuring a server policy” on page 483.

• Seamless FortiWeb-VM vCPU license upgrades— Now you can increase the capacity of

FortiWeb-VM to 2, 4, or 8 vCPUs without first invalidating the license. Previously, a new

license could be uploaded only while the current license was invalid, thereby temporarily

interrupting service. See the FortiWeb-VM Install Guide.

• Maximum physical servers increased — FortiWeb now supports up to 255 physical

servers. Previously only 128 were possible. See “Defining your web server by its IP address”

on page 251.

• Maximum input validation rules increased — FortiWeb now supports up to 1,024

parameters in the URL validation rule. See “Validating parameters (“input rules”)” on

page 421.

• Erasure without alerts — A very high volume of attack logs, alert email, and that can be

generated while blocking information disclosure when many protected web servers are

misconfigured. To prevent this and allow you to focus on severe attacks, you can now

choose to erase server information such as X-Powered-By: without generating any log

messages. See Action in “Blocking known attacks & data leaks” on page 387.

• Support for subnets in URL access rules & manual blacklists/white lists— When

specifying which source IP addresses are allowed to access your web apps, you can now

specify multiple IP addresses by entering a subnet, rather than creating many individual

rules. See “Restricting access to specific URLs” on page 321 and “Blacklisting & whitelisting

clients individually by source IP” on page 335.

• RADIUS realm support— RADIUS accounts on servers that require the realm (e.g.

[email protected] or [email protected]) are now supported. No change to the

FortiWeb configuration is required for end-user accounts. For administrators, modify the

Administrator setting to include the realm name (e.g. @example.com).

• Fail-to-wire during reboot/shutdown— Previously, fail-to-wire only engaged during

unexpected power loss, without a graceful shutdown. See “Fail-to-wire for power

loss/reboots” on page 520.

• Threshold for shared IPs configurable — Previously, shared IP analysis was not

configurable. See “Shared IP” on page 522.

• Reports like FortiGate 5.0 — Reports have been updated, and now reflect the same styles

also found in FortiGate 5.0 firewalls. See “Reports” on page 586.

• Debugging commands on HA standby — You can now use the active FortiWeb HA

appliance’s CLI to send diagnose debug commands through the HA link to the standby.

Previously, you could only connect to standby appliances through the local console, or by

triggering a failover so that the standby became active — network connectivity was only

possible with the active appliance. See the FortiWeb CLI Reference.

• XML protection profiles removed

— For protection against XML-related attacks,

cu

stome

rs should now use the Illegal XML Format setting (see “Configuring a protection

profile for inline topologies” on page 468 or “Configuring a protection profile for an

out-of-band topology or asynchronous mode of operation” on page 477). Legacy

configuration data related to XML protection profiles from FortiWeb 4.0 MR4 Patch 6 or

previous versions of the firmware will be deleted during upgrade.

If your back-end web servers require extensive protection for a vulnerable XML parser, you

should add 3

rd

-party XML protection to your security architecture. Unlike XML protection

profiles in previous versions of FortiWeb, Illegal XML Format does not scan for conformity

with the document object model (DOM)/DTD/W3C Schema, recursive payloads, Schema

poisoning, or other advanced XML attacks. Failure to provide adequate XML protection

could allow attackers to penetrate your network.

Page is loading ...

Fortinet 5.0 Patch 6 User manual

Fortinet 5.0 Patch 6 User manual

Related papers

Other documents